NOBODY Did It

Event ID 4625 - a Windows audit event for logon failure. What could be more simple than a denied logon? Turns out, just about everything.

As I continue on this epic journey of logging the right logs and killing the noise, I have happened upon something that seems like it begs for understanding, because at presnt it absolutely baffles me.

Grinding Away With Graylog

Too Many Logs

The sheer volume of these events was unreal, it didn’t take much time to pivot around in Graylog and get to the bottom of things and find the worst offenders and craft a useful query.

Graylog query:

EventID:4625 AND SubjectUserSid:S\-1\-0\-0

That should get you on the right page at least. I have tons of these and what is significant here is that the SID translates to NOBODY and I seem to get more usable alerts if I negate the SID with a NOT condition, but in the current form what I end up with is something I want to write off as some kind of Microsoft weirdness and declare it noise, drop the messages and move on. However, I would like to understand things a bit better.

A closer inspection of the event details gives me these tantalizing tidbits:

  • WorkstationName: hostnamexyz
  • TargetUserName: hostnamexyz$
  • Status: 0xC000006D
  • SubStatus: 0x0
  • SubjectUserName: -
  • LogonType: 3

There are never any EventID 4624 (logon success) events for this SID, which is likely a good thing.

So what I have is a Network logon from a host, ostensibly to itself using the self-same computer account, and it is failing? I’m not sure how else to read this.

I had to consult with the Windows pros at my $WORK, they seem to be equally perplexed. Additionally, no one seemed to think that these logs were providing any actionable information, so I went to work on a Graylog pipeline rule to drop these.

Graylog Magic

rule "PCI Tuning"
when
//only concerned with Windows logs
    has_field("EventID") AND
    (
    // Special privileges assigned to SYSTEM
    contains(to_string($message.EventID),"4672") AND
    contains(to_string($message.SubjectUserSid),"S-1-5-18")
    )
    OR
    (
    // NOBODY logon failures
        contains(to_string($message.EventID),"4625") AND
        contains(to_string($message.SubjectUserSid),"S-1-0-0") AND
        contains(to_string($message.IpAddress),"-")
    )
then
    drop_message();
end

You get a little bonus there as my other rule for 4672 events is in the same rule. You’re welcome.

That’s another million logs a week that I don’t have to deal with and store somewhere forever. Just remember, I’m gambling that these noisy, seemingly low value logs won’t be the linchpin of a year long APT investigation five years down the road. Do your homework.

If you think I’ve made an egregious error, or if you can shed some light onto the nature of these event logs, shoot me a message on twitter - I’d love to hear your thought on this.