{"id":325,"date":"2007-01-31T04:11:00","date_gmt":"2007-01-31T04:11:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=325"},"modified":"2020-07-03T04:12:33","modified_gmt":"2020-07-03T04:12:33","slug":"multiple-577-entries-in-the-eventlog-from-windows","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2007\/01\/multiple-577-entries-in-the-eventlog-from-windows\/","title":{"rendered":"Multiple 577 entries in the eventlog (from Windows)"},"content":{"rendered":"\n<p>I was monitoring the Windows logs from a client network and I noticed that a few boxes were constantly generating&nbsp;<a href=\"http:\/\/www.microsoft.com\/technet\/support\/ee\/transform.aspx?ProdName=Windows%20Operating%20System&amp;ProdVer=5.0&amp;EvtID=577&amp;EvtSrc=Security&amp;LCID=1033\">audit failure 577<\/a>&nbsp;events:<\/p>\n\n\n\n<p><em>WinEvtLog: Security: AUDIT_FAILURE(577): Security: xxx: XX-HQ: YY-HQ: Privileged Service Called: Server: Security Primary User Name: abc Primary Domain: XX-HQ Privileges: SeIncreaseBasePriorityPrivilege<\/em><\/p>\n\n\n\n<p>To make it worse, ossec was alerting me by e-mail every time of&nbsp;<em>\u201cRule: 18151 fired (level 10) -&gt; \u201cMultiple failed attempts to perform a privileged operation by the same user.\u201d&#8221;<\/em>. My initial thought was that these machines were infected by spyware or something similar, so I went investigating them. I didn\u2019t want to disable this rule on ossec, because it is fairly important for \u201cnormal\u201d systems.<\/p>\n\n\n\n<p>After some research, I found out that their problem was having Windows XP installed \ud83d\ude42 (without the latest Service Pack). Basically there is a bug on Windows that causes this behavior. If you ever experience this problem, check the following link:&nbsp;<a href=\"http:\/\/support.microsoft.com\/kb\/831905\">http:\/\/support.microsoft.com\/kb\/831905<\/a>&nbsp;and make sure to install the latest updates.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was monitoring the Windows logs from a client network and I noticed that a few boxes were constantly generating&nbsp;audit failure 577&nbsp;events: WinEvtLog: Security: AUDIT_FAILURE(577): Security: xxx: XX-HQ: YY-HQ: Privileged Service Called: Server: Security Primary User Name: abc Primary Domain: XX-HQ Privileges: SeIncreaseBasePriorityPrivilege To make it worse, ossec was alerting me by e-mail every time [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/325"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=325"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/325\/revisions"}],"predecessor-version":[{"id":326,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/325\/revisions\/326"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}