[context] Should catch windows BF target username

[LaurenceJJones]

Currently windows bruteforce stores the username under username which misses the context for target_username

either we updated the content to an OR statement or we modify the windows bf scenario to set the correctly meta?!

[Zetanova]

The context could be extended with the information if the user exists or is unknown.

In the windows-auth event the field SubStatus defines:
0xC0000064 => user unknown (does not exists)
0xC000006A => user exists and password invalid

The windows-bf scenario could trigger faster on unknown usernames,
instead of only on failed auth. count.

[LaurenceJJones]

The context could be extended with the information if the user exists or is unknown.

In the windows-auth event the field SubStatus defines: 0xC0000064 => user unknown (does not exists) 0xC000006A => user exists and password invalid

The windows-bf scenario could trigger faster on unknown usernames, instead of only on failed auth. count.

It could but also having different counts if user is known or unknown can lead to sort of information disclosure EG: I can failed 3 times with unknown but 5 with known hence known is a valid username so I can narrow down my search based on this info.

[Zetanova]

@LaurenceJJones yes, good point.

An other idea would be:

• if an user is getting BF from multiple sources then an alert could be generated.
• if an existing user is getting BF then a notification could be created.