Can you tell me what is happening if a source domain uuu, with user name sss, attempts to log in to domain mmm, with user name nnn, and generates event 4625 with sub-status 0xC000006A? The nnn user is the network admin and sss is a standard domain user. I can't understand why the uuu domain's failed logs are showing up on the mmm domain, and why the SIEM solution shows that nnn made a failed login whereas nnn's Event Viewer has zero failed login attempts when I look at it physically on their computer. Please let me know the concept behind this and why AD logs are so complex to understand.
Please give your explanation, but also answer my few questions with a brief explanation. My questions are:
For your information, my SIEM solution is Elastic Security
It sounds like you are experiencing some confusion with respect to Active Directory (AD) logs and SIEM solutions. Let me try to explain what might be happening in your specific scenario and answer your questions:
First, the reason why the uuu domain failed logs are coming on the mmm domain is likely due to a trust relationship between the two domains. A trust relationship allows one domain to authenticate users from another domain. When a user from one domain attempts to log in to another domain, the authentication request is forwarded to the trusted domain. The trusted domain then checks if the user exists and if their credentials are correct. If the authentication fails, the trusted domain logs the event with the relevant details, including the user’s domain and username.
Regarding your first question, it depends on how the SIEM agent/sensor is configured. If it is configured to collect and forward logs from all domains in the forest, then failed logon attempts by domain users will be shown with the username of the domain admin. This is because the domain admin account is typically used to configure the trust relationship between domains, and is therefore responsible for handling authentication requests between domains.
As for your second question, it is possible that the SIEM solution is misinterpreting the event logs. One possibility is that the SIEM is incorrectly associating the failed logon attempt with the wrong username. Another possibility is that the failed logon attempt was part of a larger attack campaign, where the attacker is attempting to impersonate the network admin user. In such cases, the attacker may be using different techniques to evade detection, such as modifying the source IP address or using a different user agent. It is important to carefully review the event logs and any other relevant information to determine the root cause of the issue.
Overall, AD logs can be complex to understand due to the sheer volume of data that is generated, as well as the complex interactions between different domains, trusts, and authentication mechanisms. SIEM solutions can help to centralize and analyze these logs, but it is important to configure them correctly and to carefully review any alerts or anomalies to ensure that they are not false positives.
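To make the field-level mechanics concrete, here is an added example (not part of the original question or answer, and not Elastic's own code) that parses Windows Security event 4625 in the XML shape the Security log writes it, decodes the Status/SubStatus NTSTATUS codes, and labels which side of the attempt each field describes. A 4625 is written to the Security log of the computer that processed the logon attempt (the file server, DC or workstation receiving the request), never to the account owner's own machine, and its Subject fields describe the session that requested the logon (a NULL SID for network logons) while the Target fields name the account whose credentials were tried, which is what a SIEM typically surfaces as the user. The host names, SIDs, IP addresses and the three events themselves are constructed sample data; the ECS mapping of TargetUserName to `user.name` is stated as a typical Winlogbeat/Elastic Agent behaviour, not verified against a specific version.

```python
"""Triage helper for Windows Security event 4625 (An account failed to log on).

Parses event XML as exported by Event Viewer / Get-WinEvent, decodes the
sub-status, and explains which host, account and source each field refers to.
All hosts, SIDs, addresses and events below are constructed samples, not real logs.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NULL_SID = "S-1-0-0"  # Subject SID when no local session requested the logon (network logons)

# Sub-status NTSTATUS codes Windows records in 4625.
SUBSTATUS = {
    "0xc000006a": "user name is correct but the password is wrong",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account is locked out",
    "0xc0000072": "account is disabled",
    "0xc000006f": "logon outside authorised hours",
    "0xc0000070": "logon from an unauthorised workstation",
    "0xc0000071": "password has expired",
    "0xc0000193": "account has expired",
    "0xc000015b": "logon type not granted to this account",
}
LOGON_TYPE = {
    "2": "Interactive (console)", "3": "Network (SMB, LDAP, WinRM...)",
    "4": "Batch (scheduled task)", "5": "Service", "7": "Unlock",
    "8": "NetworkCleartext", "9": "NewCredentials (runas /netonly)",
    "10": "RemoteInteractive (RDP)", "11": "CachedInteractive",
}


def _event(computer, subject_sid, subject_user, subject_domain, target_user,
           target_domain, logon_type, workstation, ip, substatus):
    """Build a constructed 4625 event in the XML layout Windows writes (sample data)."""
    fields = [
        ("SubjectUserSid", subject_sid), ("SubjectUserName", subject_user),
        ("SubjectDomainName", subject_domain), ("SubjectLogonId", "0x0"),
        ("TargetUserSid", NULL_SID), ("TargetUserName", target_user),
        ("TargetDomainName", target_domain), ("Status", "0xc000006d"),
        ("FailureReason", "%%2313"), ("SubStatus", substatus), ("LogonType", logon_type),
        ("WorkstationName", workstation), ("IpAddress", ip), ("IpPort", "49823"),
    ]
    data = "".join(f'<Data Name="{n}">{v}</Data>' for n, v in fields)
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>'
            f'<Channel>Security</Channel><Computer>{computer}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


SAMPLES = [
    # nnn's password tried over the network against a file server in mmm from a uuu workstation
    _event("FS01.mmm.example", NULL_SID, "-", "-", "nnn", "mmm", "3", "WS-UUU-042", "10.20.30.40", "0xc000006a"),
    # sss, logged on at a uuu workstation, explicitly supplied nnn's credentials (runas / mapped drive)
    _event("WS-UUU-042.uuu.example", "S-1-5-21-1111-2222-3333-1105", "sss", "uuu", "nnn", "mmm", "2", "WS-UUU-042", "-", "0xc000006a"),
    _event("FS01.mmm.example", NULL_SID, "-", "-", "nnn", "mmm", "3", "WS-UUU-042", "10.20.30.40", "0xc000006a"),
]


def parse_4625(xml_text):
    """Return the EventData fields plus Computer and EventID from one event's XML."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    ev = {d.get("Name"): (d.text or "").strip() for d in root.find("e:EventData", NS)}
    ev["Computer"] = sysnode.findtext("e:Computer", namespaces=NS)
    ev["EventID"] = sysnode.findtext("e:EventID", namespaces=NS)
    return ev


def explain(ev):
    """Label which host, account and source each 4625 field describes."""
    if ev["EventID"] != "4625":
        raise ValueError("not a 4625 event")
    target = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'
    # Subject is the session that asked for the logon; NULL SID means no local session did.
    subject = None if ev["SubjectUserSid"] == NULL_SID else f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
    if subject and subject != target:
        verdict = f"{subject} supplied credentials for {target} (runas, mapped drive, scheduled task)"
    elif subject:
        verdict = f"{target} failed to log on from their own session"
    else:
        verdict = f"remote attempt to use {target}; identify the caller from WorkstationName/IpAddress, not Subject"
    return {
        "recorded_on": ev["Computer"],    # host that processed the logon, not the account owner's PC
        "attempted_account": target,      # what a SIEM typically maps to user.name (assumption for ECS)
        "requesting_session": subject,
        "source": f'{ev["WorkstationName"]} ({ev["IpAddress"]})',
        "logon_type": LOGON_TYPE.get(ev["LogonType"], ev["LogonType"]),
        "reason": SUBSTATUS.get(ev["SubStatus"].lower(), f'unknown sub-status {ev["SubStatus"]}'),
        "verdict": verdict,
    }


def sources_per_account(events):
    """The pivot an analyst needs: which workstation is trying which account, how often."""
    return Counter((f'{e["TargetDomainName"]}\\{e["TargetUserName"]}', e["WorkstationName"]) for e in events)


if __name__ == "__main__":
    parsed = [parse_4625(x) for x in SAMPLES]
    for p in parsed:
        for k, v in explain(p).items():
            print(f"{k:>20}: {v}")
        print()
    print(sources_per_account(parsed))
```

Run against the three constructed events, the first and third explain why the admin's own workstation shows nothing: they were recorded on FS01 in mmm, the attempted account is mmm\nnn, and the only trace of who sent them is WorkstationName and IpAddress. The second event is the shape that directly ties a standard user to an admin's credentials: Subject uuu\sss with Target mmm\nnn on the same host. In Elastic, the equivalent pivot is grouping on winlog.event_data.TargetUserName against winlog.event_data.WorkstationName (or source.ip) rather than on the surfaced user name alone.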