Hello everyone
several users over the course of a month have attempted to log in to patchadmin, which is the fake account that creates rapid 7.
- How can I tell if a service or other has attempted to log in?
- Is there an appropriate query for my problem?
I leave a copy of the evidence
source_asset": “Pippo”,
“destination_asset”: “Pippo”,
“source_asset_address”: “1.1.1.1”,
“destination_asset_address”: “1.1.1.1”,
“destination_user”: “patchadmin”,
“destination_account”: “patchadmin”,
“logon_type”: “NETWORK”,
“result”: “FAILED_BAD_LOGIN”,
“new_authentication”: “true”,
“service”: “ntlmssp”,
“source_json”: {
“sourceName”: “Microsoft-Windows-Security-Auditing”,
“insertionStrings”: [
“S-1-0-0”,
“-”,
“-”,
“0x0”,
“S-1-0-0”,
“patchadmin”,
“MUDDOLONPORT”,
“0xc000006d”,
“%%2313”,
“0xc0000064”,
“3”,
"NtLmSsp ",
“NTLM”,
“PIPPO”,
“-”,
“-”,
“0”,
“0x0”,
“-”,
“1.1.1.1”,
“50339”
],
“eventCode”: 4625,
“computerName”: “Pippo”,
“sid”: “”,
“isDomainController”: true,
“timeWritten”: “2024-03-06T06:51:47.141560200Z”
},
“r7_context”: {
“destination_user”: {
“type”: “user”,
“rrn”: “rrn:uba:eu:XXXXXXXXXXXXXX”,
“name”: “patchadmin”
},
“destination_account”: {
“type”: “account”,
“rrn”: “rrn:uba:euXXXXXXXXXXXXXXXXXXXXXXXXXXXX”,
“name”: “patchadmin”
},
“source_asset”: {
“type”: “asset”,
“rrn”: “rrn:uba:eu:9XXXXXXXXXXXXXXXXXXXXXXXXXXXX”,
“name”: “pippo”
},
“destination_asset”: {
“type”: “asset”,
“rrn”: “rrn:uba:eu:XXXXXXXXXXXXXXXXXXXXXXXXXXX”,
“name”: “Pippo”
}
}
}