
Title: Sharing of experience in SMB login event troubleshooting


1. Overview

1.1 Case

Let's start with two screenshots. The first impression most people get from them is that this is a successful logon: the logon type is 3, which means a network logon, and event ID 4624 means a successful logon. But is that really what happened? There is some ambiguity here, and this post walks through the details.

1.2 Principle

When a user connects over the SMB protocol, the client first connects to the SMB share as the anonymous user (shown in the log as ANONYMOUS LOGON) before the user is ever prompted for a password, and that anonymous connection is recorded as a successful logon. The log entry in question is produced when all of the following conditions hold:

The logon account is the anonymous user (ANONYMOUS LOGON)

The logon process is NtLmSsp

The NTLM version in use is NTLM V1

The logon protocol is SMB

2. Test

2.1 SMB connection failure


2.1.1 Network name not found/access denied

Use net use directly to connect to a share that does not exist (aaa$). The error reported is that the network name cannot be found, and net use itself shows that the connection did not succeed:

But look at the log: it records a 4624 event with logon type 3, a successful logon. This only means that the anonymous user successfully logged on over the network.

Using a share path that does exist, but without supplying a user, produces an "access denied" error. This case also produces a successful logon of the anonymous user with logon type 3.


2.1.2 Incorrect username or password

When logging on with an incorrect account password, the error reported is that the user name or password is incorrect.

In this case there is no successful anonymous logon record in the log; instead a 4625 (logon failure) event is written directly, and it includes the user name that was attempted.

2.2 Successful SMB login

What does the log look like when the correct account and password are used?

In addition to the successful type 3 logon (4624), there will be 4776 (credential validation) and 4672 (special privileges assigned to the new logon) events.

3. Summary

When an attacker connects using SMB and either the share path does not exist or the account does not exist, a 4624 event for the anonymous user (ANONYMOUS LOGON) is generated. This does not mean the machine has been logged on to.

A 4624 event does not necessarily mean that the attacker logged on successfully. It is necessary to combine the IP address field, the target user field, the logon process and other fields, and to look at the log context. Authorization performed by the system itself sometimes also produces a 4624 that triggers a high-severity alert. (The field names above describe their meaning; the exact field names are complicated and hard to remember.)
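As an added example that is not part of the original post, the following Python script applies the four conditions from section 1.2 and the correlation advice from this summary to a handful of constructed 4624/4625/4776/4672 records. It labels each 4624 as an anonymous SMB probe, a network logon corroborated by nearby 4776/4672 events, or a network logon that still needs a human look at the context, and it counts probes per source address. The field names (TargetUserName, LogonProcessName, LmPackageName, IpAddress, SubjectUserName) follow the Windows Security event schema; every value, timestamp, address and the two-minute correlation window are assumptions made for the example.

```python
"""Classify Windows 4624 network-logon records as described in the post.

Added example, not code from the original post. The records below are
constructed sample data; field names follow the Windows Security event
schema, but every value, timestamp and address is made up.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events, in the order they would appear in the Security log.
SAMPLE_EVENTS = [
    # 2.1.1: "net use" to a share that does not exist -> anonymous 4624, type 3
    {"EventID": 4624, "Time": "2024-01-01T10:00:00", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "IpAddress": "10.0.0.5"},
    # 2.1.2: wrong password -> 4625 with the attempted user name, no anonymous 4624
    {"EventID": 4625, "Time": "2024-01-01T10:01:00", "LogonType": 3,
     "TargetUserName": "alice", "TargetDomainName": "LAB",
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "-", "IpAddress": "10.0.0.5"},
    # 2.2: correct credentials -> 4776, then 4624 type 3, then 4672
    {"EventID": 4776, "Time": "2024-01-01T10:02:00",
     "TargetUserName": "alice", "Workstation": "CLIENT-PC", "Status": "0x0"},
    {"EventID": 4624, "Time": "2024-01-01T10:02:01", "LogonType": 3,
     "TargetUserName": "alice", "TargetDomainName": "LAB",
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "IpAddress": "10.0.0.5"},
    {"EventID": 4672, "Time": "2024-01-01T10:02:01",
     "SubjectUserName": "alice", "PrivilegeList": "SeDebugPrivilege"},
    # a type-3 4624 with no 4776/4672 nearby: needs a look at the surrounding context
    {"EventID": 4624, "Time": "2024-01-01T10:10:00", "LogonType": 3,
     "TargetUserName": "bob", "TargetDomainName": "LAB",
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "IpAddress": "10.0.0.9"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["Time"])


def is_anonymous_smb_probe(ev):
    """The conditions from section 1.2: anonymous user, NtLmSsp, NTLM V1, network logon."""
    return (ev["EventID"] == 4624
            and ev["LogonType"] == 3
            and ev["TargetUserName"].upper() == "ANONYMOUS LOGON"
            and ev["LogonProcessName"] == "NtLmSsp"
            and ev.get("LmPackageName") == "NTLM V1")


def _nearby(events, ref, event_id, user_field, user, window):
    """True if an `event_id` record for `user` lies within `window` of `ref`."""
    t = _ts(ref)
    return any(e["EventID"] == event_id
               and e.get(user_field) == user
               and abs(_ts(e) - t) <= window
               for e in events)


def classify(events, window=timedelta(minutes=2)):
    """Label every 4624 record: probe, corroborated logon, or one that needs context."""
    labels = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 4624:
            continue
        if is_anonymous_smb_probe(ev):
            labels.append((i, "anonymous_smb_probe"))  # not a logon by a real account
            continue
        if ev["LogonType"] != 3:
            labels.append((i, "non_network_logon"))
            continue
        user = ev["TargetUserName"]
        validated = _nearby(events, ev, 4776, "TargetUserName", user, window)
        privileged = _nearby(events, ev, 4672, "SubjectUserName", user, window)
        if validated and privileged:
            labels.append((i, "network_logon_privileged"))
        elif validated:
            labels.append((i, "network_logon"))
        else:
            labels.append((i, "network_logon_uncorroborated"))
    return labels


def probes_by_source(events):
    """Count anonymous SMB probes per source IP; many from one host are worth a closer look."""
    return dict(Counter(e["IpAddress"] for e in events if is_anonymous_smb_probe(e)))


if __name__ == "__main__":
    for idx, label in classify(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{ev['Time']} 4624 {ev['TargetUserName']:<16} from {ev['IpAddress']:<10} -> {label}")
    print("anonymous probes per source:", probes_by_source(SAMPLE_EVENTS))
```

The point of the correlation step is the one the summary makes: a 4624 with logon type 3 on its own is not evidence of an account logon, so the script only upgrades a record to a "corroborated" label when a 4776 for the same target user and a 4672 for the same subject user sit within the window, and otherwise leaves it flagged for manual review rather than treating it as either benign or malicious.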
