Excessive logons from domain controllers

I am quite new to analyzing Windows logs. I have been seeing excessive logons with 4624 and 4625 with the Subject/Account Name: DomainController (the actual name of the domain controller is different) to user accounts.

I understand that it makes sense to have logon requests from user machines to the domain controller. But why would there be excessive logon requests from domain controllers to user accounts, and with misspelled usernames and passwords as the failure reason and lsass.exe as the process name?

(Relatively) Fresh install of Ubuntu 18.04, excessive amount of RAM used at a standstill

I recently installed 18.04 (because I wasn’t able to easily update from 17.04), and I’ve been having some problems lately, all revolving around RAM getting full and causing the system to slow down, even if the swap is barely being used. I’ve tried a few different solutions on this site, however that isn’t relevant to this question:

When I boot up Ubuntu and log in I open System Monitor. And when I do, I can see that I already have 1.3 (out of my 4) GB of RAM being used. That’s a huge amount to be using with only System Monitor open (granted I don’t think the number would lower very much if at all with Sys Monitor closed).

I only have 4 startup applications, 1 of which is disabled. Of the other 3, 2 of them are system related things.

The two most memory-intensive things I see in the processes list are gnome-software and gnome-shell, which collectively use ~230MB. That still leaves one gig unaccounted for. And every other process is using <100MB, so there must be a lot of things running - and to be fair there are, but I don't know what 99% of the things are, so I assume they are all system processes.

What can I do to fix this problem, and subsequently, in my case, does anyone have any recommendations for preventing my system from locking up when using a lot of RAM (or preventing it from using a lot of RAM)? For my greatest example: looking at System Monitor I see 1.3 GB of RAM being used; if I then open Atom and Firefox (with even 2 or 3 tabs), the RAM starts going up, up, up, until it gets nearly to the max (and oftentimes it does get to the max!!!).

I really need to get these problems taken care of, because I only started using Ubuntu to get away from how slow my laptop is when using Windows (10). The laptop is from 2009, 4GB DDR3 RAM, Intel Core 2 Duo at 2.20GHz. Ubuntu Partition ~100GB, Swap Partition ~750MB.

Manage Logs of Excessive Member and Server Authentication Failures

Currently, in our SIEM environment, we are attempting to reduce noise and any non-actionable items. One of the most frequent items we receive on a weekly basis is a report based on excessive member and server authentication failures.

The overall concept is to inform us of any accounts that consistently fail authentication on a host over a 24hr period, where no successful events are seen within the same 24hr period. We often determine the type of failure based on the event code that it is producing as well as the signature/signature ID.

Our standard process is to contact the account or server owner and have them investigate what is causing the excessive failures. This process can be rather lengthy and time-consuming and is dependent on analyst communication with the account owner. I'd say 95% of these alerts are not actionable or they are closed after a follow-up SIEM search.

To avoid a possible brute force attack we do monitor these logs. My question is: is there an additional layer of filtering, or rules that can be tweaked, to reduce these logs?

Common Event Codes:

4625 
4776

Also, is there perhaps a different process that can be utilized for monitoring and reporting such excessive accounts? At the moment we need to create a new tracking ticket for each and every account that meets our current standard and/or threshold.

Through analysis, I would believe that if an analyst can determine that the failure is indeed a brute force and is actionable, then we would complete the required steps. Otherwise, these excessive failures can be reviewed and forwarded to the respective account owner as needed.

Any thoughts on the matter? Thank you!
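An added triage example, written for this page and not taken from either post above or from any SIEM product. It addresses the SIEM post's two asks (extra filtering on 4625/4776, and one ticket per source or account instead of one per event) and, for the first post, decodes the NTSTATUS SubStatus/Error Code field, where 0xC0000064 ("user name does not exist") is the code a misspelled user name produces. All events, host names, IP addresses and account names are constructed for the demonstration; the thresholds (min_failures, spray_targets) and the 24h window are assumed tunables, not values from the posts.

```python
"""Triage Windows 4625/4776 authentication failures over a 24h window so that
one spraying source yields one escalation and a stale credential yields one
owner follow-up, rather than a ticket per account."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# NTSTATUS values Windows writes to the 4625 SubStatus / 4776 Error Code field.
SUBSTATUS = {
    "0xC0000064": "user name does not exist",   # what a misspelled user name produces
    "0xC000006A": "bad password",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
    "0xC0000071": "password expired",
}

NOW = datetime(2024, 1, 10, 12, 0)  # assumed "current time" for the window


def ev(minutes_ago, event_id, host, target, source, substatus=None, process="lsass.exe"):
    """Constructed event carrying the fields a SIEM extracts from the Security log."""
    return {"ts": NOW - timedelta(minutes=minutes_ago), "event_id": event_id,
            "host": host, "target": target, "source": source,
            "substatus": substatus, "process": process}


# Constructed sample, not real log data: a stale service credential, a user who
# mistyped twice then logged on, one source spraying five names at the DC, and
# failures two days old that fall outside the window.
EVENTS = (
    [ev(60 + 10 * i, 4625, "SRV01", "svc_backup", "10.0.0.5", "0xC000006A") for i in range(8)]
    + [ev(30, 4625, "WS07", "jdoe", "10.0.1.7", "0xC000006A"),
       ev(29, 4625, "WS07", "jdoe", "10.0.1.7", "0xC000006A"),
       ev(28, 4624, "WS07", "jdoe", "10.0.1.7")]
    + [ev(5 + j, 4776, "DC01", name, "10.0.0.99", code)
       for j, (name, code) in enumerate([("admin", "0xC0000064"), ("administrator", "0xC000006A"),
                                         ("backup", "0xC0000064"), ("test", "0xC0000064"),
                                         ("root", "0xC0000064")])]
    + [ev(48 * 60 + i, 4625, "SRV02", "old_app", "10.0.0.9", "0xC000006A") for i in range(10)]
)


def reasons(evs):
    """Histogram of decoded failure reasons; unknown codes are kept verbatim."""
    return dict(Counter(SUBSTATUS.get(e["substatus"], e["substatus"]) for e in evs))


def triage(events, now=NOW, window_hours=24, min_failures=5, spray_targets=3):
    """Return findings, each with a 'disposition' of 'escalate' or 'owner_followup'
    and a 'key' suitable for de-duplicating tracking tickets."""
    start = now - timedelta(hours=window_hours)
    window = [e for e in events if start <= e["ts"] <= now]
    failures = [e for e in window if e["event_id"] in (4625, 4776)]
    succeeded = {(e["host"], e["target"].lower()) for e in window if e["event_id"] == 4624}
    findings = []

    # Pass 1: one source failing against several distinct accounts looks like a
    # spray or brute force; escalate once per source regardless of per-account counts.
    by_source = defaultdict(set)
    for e in failures:
        by_source[e["source"]].add(e["target"].lower())
    spray_sources = {s for s, targets in by_source.items() if len(targets) >= spray_targets}
    for src in sorted(spray_sources):
        evs = [e for e in failures if e["source"] == src]
        findings.append({"disposition": "escalate", "key": f"source:{src}",
                         "accounts": sorted(by_source[src]), "failures": len(evs),
                         "reasons": reasons(evs)})

    # Pass 2: per-account failures not already covered by a spray finding. An
    # account that also logged on successfully in the window is dropped as
    # self-corrected; the rest go to the owner as a single summary.
    per_account = defaultdict(list)
    for e in failures:
        if e["source"] not in spray_sources:
            per_account[(e["host"], e["target"].lower())].append(e)
    for (host, user), evs in sorted(per_account.items()):
        if (host, user) in succeeded or len(evs) < min_failures:
            continue
        findings.append({"disposition": "owner_followup", "key": f"account:{host}/{user}",
                         "failures": len(evs), "sources": sorted({e["source"] for e in evs}),
                         "reasons": reasons(evs)})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

On the constructed sample this yields two findings instead of seven per-account tickets: one escalation for 10.0.0.99 (five distinct names, four of them nonexistent) and one owner follow-up for svc_backup on SRV01; jdoe is dropped because a 4624 follows the failures, and old_app is outside the window. The source roll-up runs first on purpose, since a spray typically stays below any per-account threshold.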

What do you use to mark questions that need editing when you want to avoid excessive bumping?

As far as I can tell, on many sites there is a consensus that it is better to avoid bumping too many questions at the same time. (At least on the sites I visit frequently I have seen some discussions about this – of course, depending on the size of the site, there can be a substantial difference in what actually constitutes “bumping too many old questions”. There are also some feature requests on this site which seem related to this problem, for example: Allow non-bumping minor edits, but review them on /review.)

On the other hand, it is quite often relatively easy to find many questions that can be improved by some edit. And there are some situations where large numbers of such questions arise naturally. (To list some examples: A new tag was created and it is being added at least to the old questions most relevant to the topic. A tag with many questions is being removed by community effort.)

Typically when a user finds many questions that can be edited, they stop after a certain number of questions so as not to inconvenience others by filling the front page with many old questions. Still, it might be useful to mark somewhere the questions which need editing – to do them later as the "next batch".

I’d imagine that many users have this problem. (At least some discussions I had on per-site metas and in chat suggest so.) Therefore I thought that some suggestions on how to approach this might be useful for users from various Stack Exchange sites.

Question: What tools do you use to mark questions which you intend to edit in the future (possibly also marking the type of edit)?

Boost regulator current draw seems excessive

Recently I obtained this step-up regulator module (archive link) from AliExpress for a 3.3V project to be powered by two 1.5V AA alkaline batteries.

The seller had this to say about the module:

Input voltage 0.8 ~ 3.3V,output 3.3V
Maximum output current: 500 MA,

Start Voltage 0.8V, Output Current 10MA

INPUT 1-1.5V, OUTPUT 3.3V 50-110MA;

INPUT 1.5-2V, OUTPUT 3.3V 110-160MA;

INPUT 2-3V, OUTPUT 3.3V 160-400MA;

INPUT above 3V, OUTPUT 3.3V 400-500MA;

DC-DC Boost module working frequency 150KHZ. efficiency is normal 85% .
2.54mm pin pitch, Arduino Breadboard friendly.
Excluding Pin Size 11mm x 10.5mm x 7.5mm(Very small)
Weight : about 1.2g( Very light)

The seller does not specify the regulator used. I can read the numbers 2108A 1515/33 off the chip.

Photo of regulator IC

Based on the wave symbol I expect it to be the ME2108A of the DC/DC Step up Converter ME2108 Series (archive). The characteristics seem to match, as do the example circuits.

My application draws about 75mA when on, and about 100uA in sleep mode, which would seem to be in-spec. However, upon connecting everything I found out it was drawing significantly more current than I was expecting, even with the device in sleep mode. To troubleshoot the issue, I made a minimal linear test circuit.

schematic


Here M1 is the regulator module mentioned in the listing above. The diode D1 drops the voltage just a bit, so it’s clearly under the desired 3.3V. The regulator should boost the voltage to 3.3V, which when passed through a 47R resistor should result in about 70 mA of current, which is similar to the draw of my project. Between the lower input voltage (I measure about 2.65V) and the regulator efficiency (which is advertised as 85%), I would expect to see about 100mA going into the regulator. Instead I measure over 230mA going through R_sense.

The second graph on page 8 of the datasheet suggests that for an output current of 70mA and an input voltage of 2.65V, I should be seeing an efficiency of between 85% (@3V) and 77% (@1.5V). Instead I’m seeing about half that.

What’s going on here?
