1 year ago

Can you tell me what it means if a source domain uuu, with user name sss, attempts to log in to domain mmm, which has user name nnn, and this generates event 4625 with sub status 0xc000006A? Now the nnn user is the network admin and sss is a domain standard user. I can’t understand why the uuu domain failed logs are coming on the mmm domain and the SIEM solution is showing that nnn made a failed login, whereas nnn’s event viewer has zero failed login attempts when I physically look at it on their computer. Please let me know what the concept behind this is and why AD logs are so complex to understand.

Please give your explanation, but also answer my few questions with a brief explanation. My questions are:

  1. If a SIEM agent/sensor is deployed on a server where domain admins have created different domains, will any failed login by a domain user be shown as though the domain admin made the failed attempt?
  2. The second question is: if the user sss made a failed login, why am I getting failed logon attempts in the SIEM solution showing that user nnn made the failed logon?

For your information, my SIEM solution is Elastic Security.

GCBSecure Support
1 year ago
Reply to CyberSAG

It sounds like you are experiencing some confusion with respect to Active Directory (AD) logs and SIEM solutions. Let me try to explain what might be happening in your specific scenario and answer your questions:

First, the reason why the uuu domain failed logs are coming on the mmm domain is likely due to a trust relationship between the two domains. A trust relationship allows one domain to authenticate users from another domain. When a user from one domain attempts to log in to another domain, the authentication request is forwarded to the trusted domain. The trusted domain then checks if the user exists and if their credentials are correct. If the authentication fails, the trusted domain logs the event with the relevant details, including the user’s domain and username.
Regarding your first question, it depends on how the SIEM agent/sensor is configured. If it is configured to collect and forward logs from all domains in the forest, then failed logon attempts by domain users will be shown with the username of the domain admin. This is because the domain admin account is typically used to configure the trust relationship between domains, and is therefore responsible for handling authentication requests between domains.
As for your second question, it is possible that the SIEM solution is misinterpreting the event logs. One possibility is that the SIEM is incorrectly associating the failed logon attempt with the wrong username. Another possibility is that the failed logon attempt was part of a larger attack campaign, where the attacker is attempting to impersonate the network admin user. In such cases, the attacker may be using different techniques to evade detection, such as modifying the source IP address or using a different user agent. It is important to carefully review the event logs and any other relevant information to determine the root cause of the issue.
Overall, AD logs can be complex to understand due to the sheer volume of data that is generated, as well as the complex interactions between different domains, trusts, and authentication mechanisms. SIEM solutions can help to centralize and analyze these logs, but it is important to configure them correctly and to carefully review any alerts or anomalies to ensure that they are not false positives.
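To show where the two names in a single 4625 record come from, here is an added example in Python (not code from either commenter): it parses constructed 4625 EventData blocks in the Windows XML export shape, decodes the SubStatus, and counts failures once by the Subject fields (the account that requested the logon) and once by the Target fields (the account whose logon actually failed). The domain and user names are the placeholders from the question; the IP addresses and the svc_backup account are constructed.

```python
import re
from collections import Counter

# NTSTATUS sub status codes commonly seen in event 4625 and their meaning.
SUBSTATUS = {
    "0xc000006a": "wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
}

# Constructed sample events; names follow the question (failing account uuu\sss, admin context mmm\nnn).
SAMPLE_EVENTS = """
<EventData><Data Name="SubjectUserName">nnn</Data><Data Name="SubjectDomainName">mmm</Data>
<Data Name="TargetUserName">sss</Data><Data Name="TargetDomainName">uuu</Data><Data Name="LogonType">3</Data>
<Data Name="SubStatus">0xc000006a</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
<EventData><Data Name="SubjectUserName">nnn</Data><Data Name="SubjectDomainName">mmm</Data>
<Data Name="TargetUserName">sss</Data><Data Name="TargetDomainName">uuu</Data><Data Name="LogonType">3</Data>
<Data Name="SubStatus">0xc0000234</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
<EventData><Data Name="SubjectUserName">-</Data><Data Name="SubjectDomainName">-</Data>
<Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">mmm</Data><Data Name="LogonType">3</Data>
<Data Name="SubStatus">0xc0000064</Data><Data Name="IpAddress">10.0.0.9</Data></EventData>
"""

DATA_RE = re.compile(r'<Data Name="([^"]+)">([^<]*)</Data>')

def parse_4625(xml):
    """Return one dict of EventData fields per <EventData> block."""
    blocks = re.findall(r"<EventData>(.*?)</EventData>", xml, re.S)
    return [dict(DATA_RE.findall(b)) for b in blocks]

def account(ev, role):
    """role is 'Subject' (who requested the logon) or 'Target' (whose logon failed)."""
    return f"{ev.get(role + 'DomainName', '-')}\\{ev.get(role + 'UserName', '-')}"

def failures_by(events, role):
    """Count failed logons per DOMAIN\\user, attributed by the Subject or the Target fields."""
    return Counter(account(ev, role) for ev in events)

def describe(ev):
    """One analyst-readable line: target account, reason, source address and subject context."""
    reason = SUBSTATUS.get(ev.get("SubStatus", "").lower(), "unknown sub status")
    return (f"failed logon for {account(ev, 'Target')} from {ev.get('IpAddress', '?')}: "
            f"{reason} (logon type {ev.get('LogonType', '?')}, subject {account(ev, 'Subject')})")

if __name__ == "__main__":
    evs = parse_4625(SAMPLE_EVENTS)
    print("by Subject:", dict(failures_by(evs, "Subject")), "by Target:", dict(failures_by(evs, "Target")))
    for ev in evs:
        print(describe(ev))
```

Attributing by Subject yields mmm\nnn for the first two records, attributing by Target yields uuu\sss; which one a SIEM shows as "the user" depends on which EventData field its mapping copies into its user field.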
