Enterprise Log Analysis

August 7, 2023

This is another Antisyphon Training lab and this one focuses on examining Active Directory logs produced during a domain password spray attack.

I am going to use DeepBlueCLI in order to analyse the domain logs’ logon patterns.

First, I open a command prompt as administrator and change to the DeepBlueCLI directory:

Using one of the checks of this tool, I am going to take a look at the DC2 Password spray file:

When I run the script, I see an alert that catches my attention right away:

I see a very high number of logon failures for multiple accounts being flagged (240 total logon failures). This seems abnormal, and to confirm it I am going to go directly into these logs for a deeper analysis.

Then I double click on DC2-secLogs-3-26-DomainPasswordSpray.evtx to open it in Windows Event Viewer.

Now I need to scroll down to the DC2-secLogs-3-26-DomainPasswordSpray.evtx file under Saved Logs and click it:

It will open the Domain Controller logs.

Now I need to click on the column header called Event ID in the top panel. This sorts the logs by ID number. Several event IDs in the Windows Security log warrant special attention:

4624: Successful logon

4625: Logon failure

4768: A Kerberos Authentication Ticket was requested

4769: A Kerberos Service Ticket was requested

4776: NTLM authentication (credential validation by the domain controller)

4672: Special privileges assigned to a new logon

In this lab, I am going to look particularly at event 4776:

I see a list of all the ‘4776’ Credential Validation event logs:

I click through several of these logs and notice a large number of logon attempts from a single system named WINLABV2WKSRL_9. This same workstation is trying to log on to many different accounts, in what looks like password spraying:

I can also see at the bottom of the General tab that these are mostly Audit Failures:

Going through these logs, it is now clear that the workstation WINLABV2WKSRL-9 was trying to authenticate to a large number of logon accounts in a very short period of time, in what looks like a password spraying attack.

The next step for a SOC analyst would be to do endpoint analysis on this given system.
