On Windows RDP seeming to ignore Status 0xc000006d on EventID 4625?

[cavalierfh]

Hi there! What a great piece of helpful software and I have enjoyed it for quite some time, however was surprised recently to see a lot of user sniffing/enumeration in EventViewer that was not being caught by regex. I have tried to RTFM and experimented with a few ideas, but so far no joy.

What I have observed is if an RDP connection is attempted with a bad password for a known/good user account, it events as EventID 4625 and gets tracked by IPBAN. This is SubStatus 0xc000006a.

If an RDP connection is attempted with a bad/unknown user account, it events as EventID 4625 but does not seem to get tracked by IPBAN. This is SubStatus 0xc000006d.

This is confusing to me because the stock recipe for expressions calls for tracking EventID 4625, and I swear I used to see this working fine with all types of 4625 events. Did I miss a change somewhere?

Attaching example of IPBan ignoring an attempt in Ignored.xml,txt contrast with one IPBan tracks in Tracked.xml.txt

Tracked.xml.txt
Ignored.xml.txt

[jjxtra]

I can write a unit test for this next week.

[cavalierfh]

Oh, goodness! That's kind of you - is there anything else I can do to support this effort? I have a steady stream of attacks coming in so happy to try any other modifications. I just swear this used to be caught -- unknown users - but it's been awhile since I had checked the logs on this machine. I am running the default configuration with 1.8.

[jjxtra]

I added these entries to my unit tests and they were both picked up as failed logins

[cavalierfh]

Huh! So weird. I checked on the box and sure enough it was still getting ah, solicited, by bots and meanwhile the logs were empty. Thinking I might have done something with the config I deleted all and pulled down a fresh install.

I don't get it. I compare these two events side by side and they are identical to me save for the username and the ip address. The local ip address (sharkbait) was logged (rather, logged that it was being ignored). The other..? Ignored.

Maybe the machine is compromised somewhere else. Weird.

Sharkbait4625.xml.txt
Ignored4625.xml.txt

[cavalierfh]

So doing a Windows firewall audit I verified the IPBAN_0 firewall looked and smelled like it should but just for giggles I turned it off and on again...

From the previous logfile looks like the app HAD noticed the attempts AND had added them to the blocked IP's, but firewall wasn't enforcing it apparently.

I am presuming at this point that the application was ignoring events already associated with a bad IP address even though they were still happening? That's my guess at least. Will advise but so far this reads like "problem at end user's installation".

[jjxtra]

Maybe an issue with windows firewall?

[cavalierfh]

That's what I'm thinking. I'll watch for these banned IP's to expire by time and check to see if the behavior continues.

Does that sound possible to you, though?

IPBan added a firewall entry for 555.555.555.555 (obviously bad/fake IP for example)
If for whatever reason the firewall did not actually block 555.555.555.555
Would IPBan continue to evaluate/log/track new log instances of 555.555.5555.555?

With the firewall reset there are for now no more attempts but my assumption is once the firewall entry expires it will be logged again
I'm assuming attempts weren't being logged because logically "I'm ignoring 555.555.555.555 because I already have a firewall entry for it"

[jjxtra]

Yes, if events still come in for supposedly blocked ips, it will continue to log them.

[cavalierfh]

There goes that theory.

From the attachments above - Sharkbait event was logged, Ignored was not, and they are matching except for IP address and user. :(

[jjxtra]

I'm not sure what is wrong with both xml you sent. They both pass the unit tests and get flagged as a failed login.

[cavalierfh]

Oh geez! I did the comment about a thing then disappear bit! I'm sorry!

By September I ruled out IPBan as having an issue. I took the exact same IPBan configuration on a new Win10 image and put it on the same network and it worked perfectly fine. Ruled this out as "something" off with the Windows firewall / network configuration of the box this seemingly did not work on.

Thank you kindly for digging into this. Problem was user...

[jjxtra]

No worries. Post again if you see any other issues :)