UCF STIG Viewer Logo

Systems must be monitored for attempts to use local accounts to log on remotely from other systems.


Overview

Finding ID Version Rule ID IA Controls Severity
V-43713 AD.AU.0002 SV-56534r1_rule ECAT-1 Medium
Description
Monitoring for the use of local accounts to log on remotely from other systems may indicate attempted lateral movement in a Pass-the-Hash attack.
STIG Date
Active Directory Domain Security Technical Implementation Guide (STIG) 2014-04-01

Details

Check Text ( C-49403r6_chk )
Verify attempts to use local accounts to log on remotely from other systems are being monitored. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools.

Monitor for the events listed below. If these events are not monitored, this is a finding.

More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs.
Search for the event IDs listed with the following additional attributes:
Logon Type = 3 (Network)
Authentication Package Name = NTLM
Not a domain logon and not the ANONYMOUS LOGON account

Windows Vista and later:
Successful User Account Login (Subcategory: Logon)
4624 - An account was successfully logged on.
Failed User Account Login (Subcategory: Logon)
4625 - An account failed to log on.

Windows 2003:
Successful Network Login (Logon Events)
540 - A user successfully logged on to a network.
Failed Login (Logon Events)
529 - Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
Fix Text (F-49314r8_fix)
Monitor for attempts to use local accounts to log on remotely from other systems. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools.

Monitor for the events listed below.

More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs.
Search for the event IDs listed with the following additional attributes:
Logon Type = 3 (Network)
Authentication Package Name = NTLM
Not a domain logon and not the ANONYMOUS LOGON account

Windows Vista and later:
Successful User Account Login (Subcategory: Logon)
4624 - An account was successfully logged on.
Failed User Account Login (Subcategory: Logon)
4625 - An account failed to log on.

Windows 2003:
Successful Network Login (Logon Events)
540 - A user successfully logged on to a network.
Failed Login (Logon Events)
529 - Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.

The "Pass the Hash Detection" section of NSA's "Spotting the Adversary with Windows Event Log Monitoring" provides a sample query for filtering.
http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf.