Honey credential information

Hello everyone
several users over the course of a month have attempted to log in to patchadmin, which is the fake account that creates rapid 7.

1. How can I tell if a service or other has attempted to log in?
2. Is there an appropriate query for my problem?
   I leave a copy of the evidence

source_asset": “Pippo”,
“destination_asset”: “Pippo”,
“source_asset_address”: “1.1.1.1”,
“destination_asset_address”: “1.1.1.1”,
“destination_user”: “patchadmin”,
“destination_account”: “patchadmin”,
“logon_type”: “NETWORK”,
“result”: “FAILED_BAD_LOGIN”,
“new_authentication”: “true”,
“service”: “ntlmssp”,
“source_json”: {
“sourceName”: “Microsoft-Windows-Security-Auditing”,
“insertionStrings”: [
“S-1-0-0”,
“-”,
“-”,
“0x0”,
“S-1-0-0”,
“patchadmin”,
“MUDDOLONPORT”,
“0xc000006d”,
“%%2313”,
“0xc0000064”,
“3”,
"NtLmSsp ",
“NTLM”,
“PIPPO”,
“-”,
“-”,
“0”,
“0x0”,
“-”,
“1.1.1.1”,
“50339”
],
“eventCode”: 4625,
“computerName”: “Pippo”,
“sid”: “”,
“isDomainController”: true,
“timeWritten”: “2024-03-06T06:51:47.141560200Z”
},
“r7_context”: {
“destination_user”: {
“type”: “user”,
“rrn”: “rrn:uba:eu:”,
“name”: “patchadmin”
},
“destination_account”: {
“type”: “account”,
“rrn”: “rrn:uba:eu:”,
“name”: “patchadmin”
},
“source_asset”: {
“type”: “asset”,
“rrn”: “rrn:uba:eu:”,
“name”: “pippo”
},
“destination_asset”: {
“type”: “asset”,
“rrn”: “rrn:uba:eu:”,
“name”: “Pippo”
}
}
}

Did that computer happen to update to WInodws 11 during this time?

no update

Hi,

does the happen on a regular basis?

If you search for destination_account = patchadmin

How often do you see this? When you say several users have attempted, I am not so sure this is caused by a user, note the NETWORK logon type as opposed to interactive. I would suspect this to be related to software.

Our own agent has a known issue where it appears to (sometimes) cause failed 4625 patchadmin logins when attempting to run the Honey Credential memory injection job. I’d recommend raising a support case if this is ongoing so that we can take a closer look

David