IBM Security QRadar

Often times I see that the Destination Port value is 0 what does this signify? Sometimes Source Port and Destination Port both have 0 as a value. What does this mean?

Below is the Payload Information from both: 

Source Port:  59157 and Destination Port: 0 - Src and Dst are different. 

xxxx6.15 AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=7.3.1.22    Source=Microsoft-Windows-Security-Auditing    Computer=xxxx.xxxx    OriginatingComputer=xxxx6.15    User=    Domain=    EventID=4624    EventIDCode=4624    EventType=8    EventCategory=12544    RecordNumber=1217234333    TimeGenerated=1678292511    TimeWritten=1678292511    Level=Log Always    Keywords=Audit Success    Task=SE_ADT_LOGON_LOGON    Opcode=Info    Message=An account was successfully logged on.  Subject:  Security ID:  NULL SID  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Information:  Logon Type:  3  Restricted Admin Mode: -  Virtual Account:  No  Elevated Token:  No  Impersonation Level:  Impersonation  New Logon:  Security ID:  NT AUTHORITY\ANONYMOUS LOGON  Account Name:  ANONYMOUS LOGON  Account Domain:  NT AUTHORITY  Logon ID:  XXXXXXX  Linked Logon ID:  0x0  Network Account Name: -  Network Account Domain: -  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: XXXXX-XXX  Source Network Address: xxxx58.89  Source Port:  59157  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): NTLM V1  Key Length:  128  This event is generated when a logon session is created. It is generated on the computer that was accessed.  The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.  The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).  The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.  The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.  The impersonation level field indicates the extent to which a process in the logon session can impersonate.  The authentication information fields provide detailed information about this specific logon request.  - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.  - Transited services indicate which intermediate services have participated in this logon request.  - Package name indicates which sub-protocol was used among the NTLM protocols.  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Source Port:  0 and Destination Port: 0 - Src and Dst IP are same. 

 xxxx6.15 AgentDevice=WindowsLog    AgentLogFile=Directory Service    PluginVersion=7.3.1.22    Source=Microsoft-Windows-ActiveDirectory_DomainService    Computer=xxxx.xxxx    OriginatingComputer=xxxx6.15    User=ANONYMOUS LOGON    Domain=NT AUTHORITY    EventID=2147486688    EventIDCode=3040    EventType=2    EventCategory=16    RecordNumber=21110    TimeGenerated=1677788421    TimeWritten=1677788421    Level=Warning    Keywords=Classic    Task=LDAP_INTERFACE_CATEGORY    Opcode=Info    Message=During the previous 24 hours period, 2 unprotected LDAPS binds were performed.     This directory server is not currently configured to enforce validation of Channel Binding Tokens.  The security of this directory server can be significantly enhanced by configuring the server to enforce  validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even  if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel  Binding Tokens will improve the security of this server.    For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.

Paul, its quite simple. If source and dest port are the same the message is comminf from the server itself (cae 2) rather than hitting the server over the network (case 1).

In your sample case 1 is a network logon (type 3). In your case 2 the ananymous logon is being executed on the AD server itself. Pls also notify the hint at the end of log record 2: 

 The security of this directory server can be significantly enhanced by configuring the server to enforce  validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections.

NTLM authentication should be minimized for security reasons and whenever possible replaced by LDAP.

Often times I see that the Destination Port value is 0 what does this signify? Sometimes Source Port and Destination Port both have 0 as a value. What does this mean?

Below is the Payload Information from both: 

Source Port:  59157 and Destination Port: 0 - Src and Dst are different. 

xxxx6.15 AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=7.3.1.22    Source=Microsoft-Windows-Security-Auditing    Computer=xxxx.xxxx    OriginatingComputer=xxxx6.15    User=    Domain=    EventID=4624    EventIDCode=4624    EventType=8    EventCategory=12544    RecordNumber=1217234333    TimeGenerated=1678292511    TimeWritten=1678292511    Level=Log Always    Keywords=Audit Success    Task=SE_ADT_LOGON_LOGON    Opcode=Info    Message=An account was successfully logged on.  Subject:  Security ID:  NULL SID  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Information:  Logon Type:  3  Restricted Admin Mode: -  Virtual Account:  No  Elevated Token:  No  Impersonation Level:  Impersonation  New Logon:  Security ID:  NT AUTHORITY\ANONYMOUS LOGON  Account Name:  ANONYMOUS LOGON  Account Domain:  NT AUTHORITY  Logon ID:  XXXXXXX  Linked Logon ID:  0x0  Network Account Name: -  Network Account Domain: -  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: XXXXX-XXX  Source Network Address: xxxx58.89  Source Port:  59157  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): NTLM V1  Key Length:  128  This event is generated when a logon session is created. It is generated on the computer that was accessed.  The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.  The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).  The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.  The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.  The impersonation level field indicates the extent to which a process in the logon session can impersonate.  The authentication information fields provide detailed information about this specific logon request.  - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.  - Transited services indicate which intermediate services have participated in this logon request.  - Package name indicates which sub-protocol was used among the NTLM protocols.  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Source Port:  0 and Destination Port: 0 - Src and Dst IP are same. 

 xxxx6.15 AgentDevice=WindowsLog    AgentLogFile=Directory Service    PluginVersion=7.3.1.22    Source=Microsoft-Windows-ActiveDirectory_DomainService    Computer=xxxx.xxxx    OriginatingComputer=xxxx6.15    User=ANONYMOUS LOGON    Domain=NT AUTHORITY    EventID=2147486688    EventIDCode=3040    EventType=2    EventCategory=16    RecordNumber=21110    TimeGenerated=1677788421    TimeWritten=1677788421    Level=Warning    Keywords=Classic    Task=LDAP_INTERFACE_CATEGORY    Opcode=Info    Message=During the previous 24 hours period, 2 unprotected LDAPS binds were performed.     This directory server is not currently configured to enforce validation of Channel Binding Tokens.  The security of this directory server can be significantly enhanced by configuring the server to enforce  validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even  if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel  Binding Tokens will improve the security of this server.    For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.

We often see the 2^nd case but around 100's of events is populating on Qradar. The source IP and Destination IP Involved are same but Multiple events with different IP's are generated under one username within 30 sec Network logon type is 3 and Event name is User/admin login successful. What kind of activity done by the user in this case kindly explain thanks in advance waiting for your reply

Paul, its quite simple. If source and dest port are the same the message is comminf from the server itself (cae 2) rather than hitting the server over the network (case 1).

In your sample case 1 is a network logon (type 3). In your case 2 the ananymous logon is being executed on the AD server itself. Pls also notify the hint at the end of log record 2: 

 The security of this directory server can be significantly enhanced by configuring the server to enforce  validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections.

NTLM authentication should be minimized for security reasons and whenever possible replaced by LDAP.

Often times I see that the Destination Port value is 0 what does this signify? Sometimes Source Port and Destination Port both have 0 as a value. What does this mean?

Below is the Payload Information from both: 

Source Port:  59157 and Destination Port: 0 - Src and Dst are different. 

xxxx6.15 AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=7.3.1.22    Source=Microsoft-Windows-Security-Auditing    Computer=xxxx.xxxx    OriginatingComputer=xxxx6.15    User=    Domain=    EventID=4624    EventIDCode=4624    EventType=8    EventCategory=12544    RecordNumber=1217234333    TimeGenerated=1678292511    TimeWritten=1678292511    Level=Log Always    Keywords=Audit Success    Task=SE_ADT_LOGON_LOGON    Opcode=Info    Message=An account was successfully logged on.  Subject:  Security ID:  NULL SID  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Information:  Logon Type:  3  Restricted Admin Mode: -  Virtual Account:  No  Elevated Token:  No  Impersonation Level:  Impersonation  New Logon:  Security ID:  NT AUTHORITY\ANONYMOUS LOGON  Account Name:  ANONYMOUS LOGON  Account Domain:  NT AUTHORITY  Logon ID:  XXXXXXX  Linked Logon ID:  0x0  Network Account Name: -  Network Account Domain: -  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: XXXXX-XXX  Source Network Address: xxxx58.89  Source Port:  59157  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): NTLM V1  Key Length:  128  This event is generated when a logon session is created. It is generated on the computer that was accessed.  The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.  The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).  The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.  The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.  The impersonation level field indicates the extent to which a process in the logon session can impersonate.  The authentication information fields provide detailed information about this specific logon request.  - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.  - Transited services indicate which intermediate services have participated in this logon request.  - Package name indicates which sub-protocol was used among the NTLM protocols.  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Source Port:  0 and Destination Port: 0 - Src and Dst IP are same. 

 xxxx6.15 AgentDevice=WindowsLog    AgentLogFile=Directory Service    PluginVersion=7.3.1.22    Source=Microsoft-Windows-ActiveDirectory_DomainService    Computer=xxxx.xxxx    OriginatingComputer=xxxx6.15    User=ANONYMOUS LOGON    Domain=NT AUTHORITY    EventID=2147486688    EventIDCode=3040    EventType=2    EventCategory=16    RecordNumber=21110    TimeGenerated=1677788421    TimeWritten=1677788421    Level=Warning    Keywords=Classic    Task=LDAP_INTERFACE_CATEGORY    Opcode=Info    Message=During the previous 24 hours period, 2 unprotected LDAPS binds were performed.     This directory server is not currently configured to enforce validation of Channel Binding Tokens.  The security of this directory server can be significantly enhanced by configuring the server to enforce  validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even  if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel  Binding Tokens will improve the security of this server.    For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.

Paul, its quite simple. If source and dest port are the same the message is comminf from the server itself (cae 2) rather than hitting the server over the network (case 1).

In your sample case 1 is a network logon (type 3). In your case 2 the ananymous logon is being executed on the AD server itself. Pls also notify the hint at the end of log record 2: 

 The security of this directory server can be significantly enhanced by configuring the server to enforce  validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections.

NTLM authentication should be minimized for security reasons and whenever possible replaced by LDAP.

Often times I see that the Destination Port value is 0 what does this signify? Sometimes Source Port and Destination Port both have 0 as a value. What does this mean?

Below is the Payload Information from both: 

Source Port:  59157 and Destination Port: 0 - Src and Dst are different. 

xxxx6.15 AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=7.3.1.22    Source=Microsoft-Windows-Security-Auditing    Computer=xxxx.xxxx    OriginatingComputer=xxxx6.15    User=    Domain=    EventID=4624    EventIDCode=4624    EventType=8    EventCategory=12544    RecordNumber=1217234333    TimeGenerated=1678292511    TimeWritten=1678292511    Level=Log Always    Keywords=Audit Success    Task=SE_ADT_LOGON_LOGON    Opcode=Info    Message=An account was successfully logged on.  Subject:  Security ID:  NULL SID  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Information:  Logon Type:  3  Restricted Admin Mode: -  Virtual Account:  No  Elevated Token:  No  Impersonation Level:  Impersonation  New Logon:  Security ID:  NT AUTHORITY\ANONYMOUS LOGON  Account Name:  ANONYMOUS LOGON  Account Domain:  NT AUTHORITY  Logon ID:  XXXXXXX  Linked Logon ID:  0x0  Network Account Name: -  Network Account Domain: -  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: XXXXX-XXX  Source Network Address: xxxx58.89  Source Port:  59157  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): NTLM V1  Key Length:  128  This event is generated when a logon session is created. It is generated on the computer that was accessed.  The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.  The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).  The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.  The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.  The impersonation level field indicates the extent to which a process in the logon session can impersonate.  The authentication information fields provide detailed information about this specific logon request.  - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.  - Transited services indicate which intermediate services have participated in this logon request.  - Package name indicates which sub-protocol was used among the NTLM protocols.  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Source Port:  0 and Destination Port: 0 - Src and Dst IP are same. 

 xxxx6.15 AgentDevice=WindowsLog    AgentLogFile=Directory Service    PluginVersion=7.3.1.22    Source=Microsoft-Windows-ActiveDirectory_DomainService    Computer=xxxx.xxxx    OriginatingComputer=xxxx6.15    User=ANONYMOUS LOGON    Domain=NT AUTHORITY    EventID=2147486688    EventIDCode=3040    EventType=2    EventCategory=16    RecordNumber=21110    TimeGenerated=1677788421    TimeWritten=1677788421    Level=Warning    Keywords=Classic    Task=LDAP_INTERFACE_CATEGORY    Opcode=Info    Message=During the previous 24 hours period, 2 unprotected LDAPS binds were performed.     This directory server is not currently configured to enforce validation of Channel Binding Tokens.  The security of this directory server can be significantly enhanced by configuring the server to enforce  validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even  if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel  Binding Tokens will improve the security of this server.    For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.

Paul, its quite simple. If source and dest port are the same the message is comminf from the server itself (cae 2) rather than hitting the server over the network (case 1).

In your sample case 1 is a network logon (type 3). In your case 2 the ananymous logon is being executed on the AD server itself. Pls also notify the hint at the end of log record 2: 

 The security of this directory server can be significantly enhanced by configuring the server to enforce  validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections.

NTLM authentication should be minimized for security reasons and whenever possible replaced by LDAP.

Often times I see that the Destination Port value is 0 what does this signify? Sometimes Source Port and Destination Port both have 0 as a value. What does this mean?

Below is the Payload Information from both: 

Source Port:  59157 and Destination Port: 0 - Src and Dst are different. 

xxxx6.15 AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=7.3.1.22    Source=Microsoft-Windows-Security-Auditing    Computer=xxxx.xxxx    OriginatingComputer=xxxx6.15    User=    Domain=    EventID=4624    EventIDCode=4624    EventType=8    EventCategory=12544    RecordNumber=1217234333    TimeGenerated=1678292511    TimeWritten=1678292511    Level=Log Always    Keywords=Audit Success    Task=SE_ADT_LOGON_LOGON    Opcode=Info    Message=An account was successfully logged on.  Subject:  Security ID:  NULL SID  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Information:  Logon Type:  3  Restricted Admin Mode: -  Virtual Account:  No  Elevated Token:  No  Impersonation Level:  Impersonation  New Logon:  Security ID:  NT AUTHORITY\ANONYMOUS LOGON  Account Name:  ANONYMOUS LOGON  Account Domain:  NT AUTHORITY  Logon ID:  XXXXXXX  Linked Logon ID:  0x0  Network Account Name: -  Network Account Domain: -  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: XXXXX-XXX  Source Network Address: xxxx58.89  Source Port:  59157  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): NTLM V1  Key Length:  128  This event is generated when a logon session is created. It is generated on the computer that was accessed.  The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.  The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).  The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.  The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.  The impersonation level field indicates the extent to which a process in the logon session can impersonate.  The authentication information fields provide detailed information about this specific logon request.  - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.  - Transited services indicate which intermediate services have participated in this logon request.  - Package name indicates which sub-protocol was used among the NTLM protocols.  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Source Port:  0 and Destination Port: 0 - Src and Dst IP are same. 

 xxxx6.15 AgentDevice=WindowsLog    AgentLogFile=Directory Service    PluginVersion=7.3.1.22    Source=Microsoft-Windows-ActiveDirectory_DomainService    Computer=xxxx.xxxx    OriginatingComputer=xxxx6.15    User=ANONYMOUS LOGON    Domain=NT AUTHORITY    EventID=2147486688    EventIDCode=3040    EventType=2    EventCategory=16    RecordNumber=21110    TimeGenerated=1677788421    TimeWritten=1677788421    Level=Warning    Keywords=Classic    Task=LDAP_INTERFACE_CATEGORY    Opcode=Info    Message=During the previous 24 hours period, 2 unprotected LDAPS binds were performed.     This directory server is not currently configured to enforce validation of Channel Binding Tokens.  The security of this directory server can be significantly enhanced by configuring the server to enforce  validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even  if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel  Binding Tokens will improve the security of this server.    For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.