I am currently working on searching for failed "computer accounts" in windows event ID 4776.
Data
2018 Jun 14 16:21:31 WinEvtLog: Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: (no user): no domain: somedoman.com: The domain controller attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: CCOMPUTERNAME$ Source Workstation: CCOMPUTERNAME Error Code: 0xc0000064
Basically I am just trying to do
data.id:4776 AND full_log: "Account: CC*$"
or computers that start with CC.
The system is configured to receive messages from OSSEC, so all the documents are just windows event logs.
Windows uses a $ sign at the end of the computer name to signify that it is a computer account.
So a normal user would have an account like "CoreyH" and the computer that is joined to the domain would have an account like COMPUTER$
I am trying to search for computers that start with CC and end with $ so that I can send the request to the correct team.
So a single doc is:
2018 Jun 14 16:21:31 WinEvtLog: Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: (no user): no domain: somedoman.com: The domain controller attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: CCOMPUTERNAME$ Source Workstation: CCOMPUTERNAME Error Code: 0xc0000064
That "$" is not supposed to be a special character, but for the life of me, I can't seem to use it in a search.
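As an added example (not code from the original post), here is a Python filter that parses the WinEvtLog 4776 line layout quoted above and applies the same "starts with CC and ends with $" test outside the search engine, which is handy for checking what a query should return. The first sample line mirrors the post; the other lines, hostnames and the "CC" prefix default are constructed assumptions.

```python
import re

# Constructed sample lines in the OSSEC "WinEvtLog" layout quoted in the post.
# The first one mirrors the post; the rest are made-up variations for testing.
PREFIX = ("2018 Jun 14 16:21:31 WinEvtLog: Security: AUDIT_FAILURE(4776): "
          "Microsoft-Windows-Security-Auditing: (no user): no domain: somedoman.com: "
          "The domain controller attempted to validate the credentials for an account. "
          "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ")
SAMPLE_LOGS = [
    PREFIX + "Logon Account: CCOMPUTERNAME$ Source Workstation: CCOMPUTERNAME Error Code: 0xc0000064",
    PREFIX + "Logon Account: CoreyH Source Workstation: CCLAPTOP07 Error Code: 0xc000006a",
    PREFIX + "Logon Account: DCSERVER01$ Source Workstation: DCSERVER01 Error Code: 0xc0000064",
    PREFIX + "Logon Account: cclaptop42$ Source Workstation:  Error Code: 0xc0000064",
    "2018 Jun 14 16:22:02 WinEvtLog: Security: AUDIT_SUCCESS(4624): unrelated success event",
]

# Fields are pulled out of the free-text message. The '$' is captured by \S+
# as an ordinary character; Python only treats '$' specially as an anchor.
EVENT_RE = re.compile(
    r"(?P<outcome>AUDIT_\w+)\((?P<event_id>\d+)\).*?"
    r"Logon Account:\s*(?P<account>\S+)\s+"
    r"Source Workstation:\s*(?P<workstation>\S*)\s*"
    r"Error Code:\s*(?P<code>0x[0-9a-fA-F]+)"
)

def parse_event(line):
    """Return the 4776 fields as a dict, or None if the line is not a 4776-style record."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"outcome": m["outcome"], "event_id": int(m["event_id"]),
            "account": m["account"], "workstation": m["workstation"],
            "code": m["code"].lower()}

def is_computer_account(account, prefix="CC"):
    """Machine accounts end in '$'; the prefix check ignores case like SAM account names."""
    return account.endswith("$") and account.upper().startswith(prefix.upper())

def failed_computer_logons(lines, prefix="CC"):
    """Return the 4776 failures whose logon account is a machine account with the given prefix."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if (ev and ev["event_id"] == 4776 and ev["outcome"] == "AUDIT_FAILURE"
                and is_computer_account(ev["account"], prefix)):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in failed_computer_logons(SAMPLE_LOGS):
        print(ev["account"], ev["workstation"] or "(no workstation)", ev["code"])
```

Running it over the constructed lines reports only CCOMPUTERNAME$ and cclaptop42$, both with error code 0xc0000064; the user account and the DC machine account are filtered out.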