[Enhancement] Correlation support - No authentication success event #131

AvrumFeldman opened this issue Apr 1, 2024 · 1 comment
feature request an idea that could improve the software

Comments

@AvrumFeldman

AvrumFeldman commented Apr 1, 2024

Hi,

I recall seeing you mention somewhere that you plan on implementing correlation, but I cannot find where now.

It would be a great feature addition to add some correlation support, at least for TerminalServices-Gateway event logs, which only report authentication success and not authentication failures.

I've written up a basic script (see below) that I planned on running on an RD Gateway to create event logs to be parsed by EvlWatcher. I ran into a challenge with how to handle events that happened during an extended period when my script didn't run: it can introduce a condition where EvlWatcher bans an IP only because my script reported multiple failed authentication requests at once, even though in reality these failures happened over a span of time and are only reported together because my script is now catching up.

I figure if correlation can somehow be added into EvlWatcher it would solve the whole challenge, since EvlWatcher internally would compare the time ranges between the events.

Very simple script I wrote. It's still missing the Windows EventLog creation, but that should be trivial to add. As you can see, the correlation code is all of 4 lines long.

$LastEventPath = ".\LastEvent.txt"

# Resume one second after the newest event seen on the previous run; on the first run look back 100 days.
# The checkpoint is parsed with the invariant culture so the round trip does not depend on the server's locale.
if (Test-Path $LastEventPath) {
    $LastEvent = [datetime]::Parse((Get-Content $LastEventPath -Raw).Trim(), [cultureinfo]::InvariantCulture, 'RoundtripKind')
    $EventFilter_TimeStart = $LastEvent.AddSeconds(1)
} else {
    $EventFilter_TimeStart = (Get-Date).AddDays(-100)
}

# End one minute ago to leave time for a 312's follow-up event to be written before the group is judged.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    StartTime = $EventFilter_TimeStart
    EndTime   = (Get-Date).AddMinutes(-1)
} -ErrorAction SilentlyContinue

# This is the code that actually does the correlation: it returns the 312 (connection initiated) events
# that have no follow-up authentication success sharing the same ActivityId.
$FailedAuth = $Events | Group-Object ActivityId | ForEach-Object {
    if ($_.Count -eq 1 -and $_.Group[0].Id -eq 312) {
        $_.Group
    }
}

# Save the newest event's timestamp to disk for the next run's StartTime filter.
# The round-trip ("o") format keeps full precision and is culture-independent.
if ($Events) {
    $LastEventTime = ($Events | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
} else {
    $LastEventTime = Get-Date
}
$LastEventTime.ToString('o') | Out-File $LastEventPath -Encoding utf8 -Force

Edit: The reason we need to monitor this event log is that, on an RD Gateway, event 4625 doesn't get generated when the username is correct but the password is incorrect.
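
The two ideas in the comment above, the ActivityId correlation and the catch-up problem, as an added example that is not part of the issue, the author's script or EvlWatcher. It runs the same correlation rule (a group of one event whose only member is a 312) over a constructed sample log shaped like the Get-WinEvent properties the script uses, then contrasts a naive per-IP failure count with a count that slides a window over the events' own TimeCreated values. Assumptions: event ID 200 stands in for the follow-up success event, the ActivityIds are short stand-ins for the real GUIDs, and the message text is modelled on the 312 event only far enough to parse the client IP from it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# 312 is the TerminalServices-Gateway "initiated an outbound connection ...
# may not be authenticated yet" event named in the issue; 200 is ASSUMED here
# to stand for the follow-up success event under the same ActivityId.
EVENT_INITIATED = 312
EVENT_AUTHORIZED = 200

IP_RE = re.compile(r'on client computer "([^"]+)"')


def _t(day, hour, minute, second=0):
    return datetime(2024, 4, day, hour, minute, second)


def _msg(user, ip):
    # Constructed message text in the shape of the real event; only the IP is parsed.
    return f'The user "{user}", on client computer "{ip}", has initiated an outbound connection.'


_BURST_BASE = _t(5, 10, 0)

# Constructed sample log, not real output: (ActivityId, Id, TimeCreated, Message).
RAW_EVENTS = (
    # 203.0.113.10: one unanswered 312 per day for five days (slow, not a burst)
    [(f"slow-{d}", EVENT_INITIATED, _t(d, 3, 0), _msg("CORP\\alice", "203.0.113.10")) for d in range(1, 6)]
    # 198.51.100.7: five unanswered 312s inside 80 seconds (a real brute-force burst)
    + [(f"burst-{i}", EVENT_INITIATED, _BURST_BASE + timedelta(seconds=20 * i),
        _msg("CORP\\alice", "198.51.100.7")) for i in range(5)]
    # 192.0.2.25: a 312 answered by a 200 under the same ActivityId (successful logon)
    + [("ok-1", EVENT_INITIATED, _t(5, 9, 0, 0), _msg("CORP\\bob", "192.0.2.25")),
       ("ok-1", EVENT_AUTHORIZED, _t(5, 9, 0, 2),
        'The user "CORP\\bob", on client computer "192.0.2.25", met connection authorization policy requirements.')]
)


def parse_events(raw):
    """Turn raw tuples into dicts with the client IP pulled out of the message."""
    events = []
    for activity_id, event_id, created, message in raw:
        m = IP_RE.search(message)
        events.append({"ActivityId": activity_id, "Id": event_id,
                       "TimeCreated": created, "ClientIp": m.group(1) if m else None})
    return events


def unanswered_initiations(events):
    """The issue's correlation: group by ActivityId and keep the 312s that never
    got a follow-up event, i.e. groups of size one whose only member is a 312."""
    by_activity = defaultdict(list)
    for e in events:
        by_activity[e["ActivityId"]].append(e)
    return [grp[0] for grp in by_activity.values()
            if len(grp) == 1 and grp[0]["Id"] == EVENT_INITIATED]


def naive_ban(failed, threshold):
    """What a consumer fed a catch-up batch effectively does: count failures per
    IP with no regard to when they happened, so days of history look like one burst."""
    counts = defaultdict(int)
    for e in failed:
        counts[e["ClientIp"]] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def windowed_ban(failed, threshold, window):
    """Ban an IP only if `threshold` failures fall inside some `window` of
    TimeCreated, so the events' own timestamps drive the decision rather than
    the moment they were reported. This is the time-range comparison the issue asks for."""
    times_by_ip = defaultdict(list)
    for e in failed:
        times_by_ip[e["ClientIp"]].append(e["TimeCreated"])
    banned = set()
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                banned.add(ip)
                break
    return banned


EVENTS = parse_events(RAW_EVENTS)

if __name__ == "__main__":
    failed = unanswered_initiations(EVENTS)
    print(len(failed), "unanswered 312 events")
    print("naive:   ", sorted(naive_ban(failed, 5)))
    print("windowed:", sorted(windowed_ban(failed, 5, timedelta(minutes=5))))
```

With a threshold of 5 failures in 5 minutes, the naive count bans both the slow IP and the bursting IP once the backlog is replayed, while the windowed count bans only the bursting IP; the legitimate user never appears in the failure set because the 200 shares the 312's ActivityId.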

@devnulli devnulli self-assigned this Apr 2, 2024
@devnulli devnulli added the feature request an idea that could improve the software label Apr 2, 2024
@devnulli
Owner

devnulli commented Apr 2, 2024

that is indeed very interesting
