
[context] Should catch windows BF target username

Open LaurenceJJones opened this issue 1 year ago • 3 comments

Currently windows bruteforce stores the username under username, which misses the context for target_username.

Either we update the content to an OR statement or we modify the windows bf scenario to set the correct meta?!

LaurenceJJones avatar Jan 25 '25 14:01 LaurenceJJones

The context could be extended with the information if the user exists or is unknown.

In the windows-auth event the field SubStatus defines: 0xC0000064 => user unknown (does not exist), 0xC000006A => user exists and password invalid.

The windows-bf scenario could trigger faster on unknown usernames, instead of only on failed auth count.

Zetanova avatar Jan 28 '25 16:01 Zetanova

The context could be extended with the information if the user exists or is unknown.

In the windows-auth event the field SubStatus defines: 0xC0000064 => user unknown (does not exist), 0xC000006A => user exists and password invalid.

The windows-bf scenario could trigger faster on unknown usernames, instead of only on failed auth count.

It could, but having different counts depending on whether the user is known or unknown can lead to a sort of information disclosure. E.g.: I can fail 3 times with unknown but 5 with known, hence known is a valid username, so I can narrow down my search based on this info.

LaurenceJJones avatar Jan 28 '25 16:01 LaurenceJJones

@LaurenceJJones yes, good point.

Another idea would be:

  • if a user is getting BF from multiple sources then an alert could be generated.
  • if an existing user is getting BF then a notification could be created.

Zetanova avatar Jan 28 '25 16:01 Zetanova
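The ideas in this thread can be combined so that SubStatus enriches the alert context without changing when a source is blocked. The sketch below is an added example, not CrowdSec code or anything posted by the participants. The event field names, the threshold of 5 and the sample events are assumptions, and the time window of a real leaky bucket is left out.

```python
from collections import defaultdict

# SubStatus values quoted in the thread for failed Windows logons.
SUBSTATUS = {"0xc0000064": "unknown_user", "0xc000006a": "bad_password"}
THRESHOLD = 5  # assumed value: one limit per source, whatever the SubStatus

def analyze(events, threshold=THRESHOLD):
    """Count failures per source; SubStatus is recorded as context only."""
    per_source = defaultdict(list)
    user_sources = defaultdict(set)
    for ev in events:
        kind = SUBSTATUS.get(ev["sub_status"].lower(), "other")
        per_source[ev["source_ip"]].append((ev["username"], kind))
        user_sources[ev["username"]].add(ev["source_ip"])
    alerts = []
    for ip, attempts in per_source.items():
        # Same threshold for known and unknown users: the moment of the block
        # tells the client nothing about which usernames exist.
        if len(attempts) < threshold:
            continue
        alerts.append({
            "source_ip": ip,
            "failures": len(attempts),
            # Operator-facing context, never part of the decision.
            "target_usernames": sorted({u for u, _ in attempts}),
            "existing_users": sorted({u for u, k in attempts if k == "bad_password"}),
        })
    return alerts, user_sources

def multi_source_targets(user_sources, min_sources=2):
    """Usernames that received failed logons from several distinct sources."""
    return sorted(u for u, s in user_sources.items() if len(s) >= min_sources)

# Constructed sample events (documentation IP ranges, hypothetical usernames).
SAMPLE = (
    [{"source_ip": "203.0.113.10", "username": "administrator", "sub_status": "0xC000006A"}] * 3
    + [{"source_ip": "203.0.113.10", "username": "guestx", "sub_status": "0xC0000064"}] * 2
    + [{"source_ip": "198.51.100.7", "username": "administrator", "sub_status": "0xC000006A"}] * 2
    + [{"source_ip": "192.0.2.5", "username": f"nouser{i}", "sub_status": "0xC0000064"} for i in range(4)]
)

if __name__ == "__main__":
    alerts, user_sources = analyze(SAMPLE)
    for alert in alerts:
        print(alert)
    print("targeted from multiple sources:", multi_source_targets(user_sources))
```

In the sample, the source that sends four failures against unknown usernames stays below the threshold like any other source, while the existing/unknown distinction only appears in the alert context.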