Microsoft Active Directory¶
Description¶
Vendor: Microsoft
Product: Active Directory
Log type: sys
Theoretical injector performance: 11227 EPS
Log samples¶
Snare / WinRM¶
MSWinEventLog 1 Security 14380538 Fri Feb 3 15:46:43 2017 567 Security SYSTEM User Success Audit PALERME Object Access {"EventTime":"2017-02-03 15:46:43","Hostname":"PALERME","Keywords":45035996273704960,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":567,"SourceName":"Security","Task":3,"RecordNumber":5928366,"ProcessID":0,"ThreadID":0,"Channel":"Security","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"User","ERROR_EVT_UNRESOLVED":true,"Category":"Object Access","Opcode":"Info","EventData":"<Data>Security</Data><Data>2372</Data><Data>File</Data><Data>512</Data><Data>C:\WINDOWS\system32\winlogon.exe</Data><Data>%%4417\r\n\t\t\t%%4418\r\n\t\t\t</Data><Data>0x6</Data>","EventReceivedTime":"2017-02-03 15:47:21","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"} 5928366
MSWinEventLog 1 Security 35470294 Fri Feb 3 16:25:07 2017 4688 Microsoft-Windows-Security-Auditing N/A N/A Success Audit fake.host.name N/A {"EventTime":"2017-02-03 16:25:07","Hostname":"fake.host.name","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4688,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{25-814-4-A5A-328C30D}","Version":1,"Task":13312,"OpcodeValue":0,"RecordNumber":557524019,"ProcessID":4,"ThreadID":76,"Channel":"Security","SubjectUserSid":"S-1-5-21-2350369662-2148904956-1289801824-1000","SubjectUserName":"oracle","SubjectDomainName":"AAAAAAPP01P","SubjectLogonId":"0x1aca4","NewProcessId":"0x1728","NewProcessName":"D:\\cygwin\\bin\\sed.exe","TokenElevationType":"%%1936","EventReceivedTime":"2017-02-03 16:25:09","SourceModuleName":"in2008","SourceModuleType":"im_msvistalog"} 557524019
MSWinEventLog 1 System 313328 Fri Feb 3 16:00:29 2017 7036 Service Control Manager N/A N/A Information fake.host.name N/A {"EventTime":"2017-02-03 16:00:29","Hostname":"fake.host.name","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{D1-714-4-8EE-22012F4}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":264984,"ProcessID":672,"ThreadID":2960,"Channel":"System","param1":"WinHTTP Web Proxy Auto-Discovery Service","param2":"running","EventReceivedTime":"2017-02-03 16:01:00","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"} 264984
Splunk¶
LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 EventType=0 Type=Information ComputerName=FRHPhost.marvellouscompany.com TaskCategory=Directory Service Access OpCode=Info RecordNumber=5191930203 Keywords=Audit Success Message=An operation was performed on an object. Subject : \tSecurity ID:\tS-1-5-21-1935655697-861567501-725345543-84522 \tAccount Name:\tFRHPARDC02$ \tAccount Domain:\tEU \tLogon ID:\t0x3E5A8933 Object: \tObject Server:\tDS \tObject Type:\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9} \tObject Name:\t%{299918e0-20a4-41c0-843b-f9fa2b96252d} \tHandle ID:\t0x0 Operation: \tOperation Type:\tObject Access \tAccesses:\tControl Access \t \tAccess Mask:\t0x100 \tProperties:\tControl Access \t{89e95b76-444d-4c62-991a-0facbeda640c} \t{19195a5b-6da0-11d0-afd3-00c04fd930c9} Additional Information: \tParameter 1:\t- \tParameter 2:
Parsing strategy¶
Snare / WinRM¶
Let's take the first sample log above to explain the process.
1 - First, the csv() operator is applied to the tab-separated Snare header, which gives this result:
```json
{
  "UserName": "SYSTEM",
  "EventLogType": "Success Audit",
  "ms_header": "MSWinEventLog",
  "SourceName": "Security",
  "SubmitTime": "Fri Feb 3 15:46:43 2017",
  "SnareCounter": "14380538",
  "DataString": "{}",
  "SIDType": "User",
  "ExpandedString": "5928366",
  "ComputerName": "PALERME",
  "EventID": "567",
  "CategoryString": "Object Access",
  "EventLogSource": "Security",
  "Criticality": "1"
}
```
2 - We validate the input data. If one of the following conditions is not met, an exception is raised:
- the ms_header is not equal to MSWinEventLog
- a CSV field is missing
- the CSV contains too many fields
3 - Then we parse the DataString field as JSON and remove the undesired fields whose value is `-`. Note that the first sample carries unescaped backslashes in its file path (`C:\WINDOWS\system32\winlogon.exe`), which are not valid JSON escapes: a lenient parse mangles them, as the EventData value below shows, whereas the second sample's `D:\\cygwin\\bin\\sed.exe` is properly escaped. The parse returns:
```json
{
  "AccountName": "SYSTEM",
  "AccountType": "User",
  "Category": "Object Access",
  "Channel": "Security",
  "Domain": "NT AUTHORITY",
  "ERROR_EVT_UNRESOLVED": true,
  "EventData": "<Data>Security</Data><Data>2372</Data><Data>File</Data><Data>512</Data><Data>C:\u0000INDOWS\u0000ystem32\u0000inlogon.exe</Data><Data>%%4417\r\n\t\t\t%%4418\r\n\t\t\t</Data><Data>0x6</Data>",
  "EventID": 567,
  "EventReceivedTime": "2017-02-03 15:47:21",
  "EventTime": "2017-02-03 15:46:43",
  "EventType": "AUDIT_SUCCESS",
  "Hostname": "PALERME",
  "Keywords": 45035996273704960,
  "Opcode": "Info",
  "ProcessID": 0,
  "RecordNumber": 5928366,
  "Severity": "INFO",
  "SeverityValue": 2,
  "SourceModuleName": "eventlog",
  "SourceModuleType": "im_msvistalog",
  "SourceName": "Security",
  "Task": 3,
  "ThreadID": 0,
  "UserID": "SYSTEM"
}
```
4 - Then, if another parsing level is needed, we retrieve all useful information. For example, if the key UserData is found, we parse it as XML.
5 - Finally, we apply the binding between those fields and the normalized ones.
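The five steps above, end to end, as an added example (this is not the product's own parser). The column order comes from the csv() output shown in step 1 and the bindings are a subset of the normalization tables further down; the two sample lines are constructed from the first two Snare samples on this page with the JSON trimmed and real tabs between the header fields. Three choices are mine and not stated by the page: a lone backslash that does not start a legal JSON escape is doubled before a retry (so the first sample's path survives intact instead of being mangled as in step 3), the `<Data>` elements of EventData are turned into a list, and a Snare header field set to `N/A` is treated as absent.

```python
"""Snare/NXLog (im_msvistalog) Windows event parser, steps 1 to 5 of the page.
Added example, not the product's code; field order and bindings follow the page's tables."""
import json
import re
import xml.etree.ElementTree as ET

# Snare header columns, in the order the csv() step above produces them.
SNARE_FIELDS = ["ms_header", "Criticality", "EventLogSource", "SnareCounter",
                "SubmitTime", "EventID", "SourceName", "UserName", "SIDType",
                "EventLogType", "ComputerName", "CategoryString", "DataString",
                "ExpandedString"]

# Subset of the Snare and WinRM bindings from the normalization tables below.
HEADER_BINDING = {"SubmitTime": "[rep][ts]", "EventID": "[alarm][id]",
                  "SourceName": "[alarm][name]", "UserName": "[obs][usr][name]",
                  "ExpandedString": "[session][id]"}
JSON_BINDING = {"EventTime": "[obs][ts]", "Hostname": "[obs][host][name]",
                "Severity": "[alarm][sev]", "ProviderGuid": "[obs][group][id]",
                "Version": "[app][version]", "SubjectUserName": "[init][usr][name]",
                "SubjectUserSid": "[init][usr][sid]", "SubjectLogonId": "[init][usr][id]",
                "SubjectDomainName": "[init][usr][domain]",
                "NewProcessId": "[target][process][id]",
                "NewProcessName": "[target][process][name]"}

# Either an already doubled backslash (kept) or a lone one that does not start a
# legal JSON escape (doubled): sample 1 carries C:\WINDOWS\... unescaped.
_LONE_BACKSLASH = re.compile(r'\\\\|\\(?!["/bfnrtu])')


class SnareParseError(ValueError):
    """Raised by step 2 (bad header, missing or extra CSV field)."""


def split_snare(line):
    """Steps 1 and 2: tab-separated split into the named columns, then validation."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < len(SNARE_FIELDS):
        raise SnareParseError("missing CSV field")
    if len(fields) > len(SNARE_FIELDS):
        raise SnareParseError("too many CSV fields")
    rec = dict(zip(SNARE_FIELDS, fields))
    if rec["ms_header"] != "MSWinEventLog":
        raise SnareParseError("ms_header is not MSWinEventLog")
    return rec


def parse_datastring(text):
    """Steps 3 and 4: JSON body, '-' values dropped, UserData as XML, EventData as a list."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:          # assumption: repair lone backslashes and retry
        data = json.loads(_LONE_BACKSLASH.sub(r"\\\\", text))
    data = {k: v for k, v in data.items() if v != "-"}
    if "UserData" in data:                # page rule: UserData is parsed as XML
        root = ET.fromstring(data["UserData"])
        data["UserData"] = {el.tag: (el.text or "") for el in root.iter() if el is not root}
    if "EventData" in data:               # assumption: <Data> elements become a list
        data["EventData"] = re.findall(r"<Data[^>]*>(.*?)</Data>", data["EventData"], re.S)
    return data


def normalize(line):
    """Step 5: bind header and JSON fields to the normalized names."""
    rec = split_snare(line)
    data = parse_datastring(rec["DataString"])
    out = {}
    for src, dst in HEADER_BINDING.items():
        if rec[src] != "N/A":             # assumption: Snare's N/A means "not provided"
            out[dst] = rec[src]
    for src, dst in JSON_BINDING.items():
        if src in data:
            out[dst] = data[src]
    return out


# Constructed from the first two samples above (JSON trimmed, tabs as real Snare sends them).
SAMPLE_567 = "\t".join([
    "MSWinEventLog", "1", "Security", "14380538", "Fri Feb 3 15:46:43 2017", "567",
    "Security", "SYSTEM", "User", "Success Audit", "PALERME", "Object Access",
    r'{"EventTime":"2017-02-03 15:46:43","Hostname":"PALERME","EventID":567,'
    r'"Severity":"INFO","Domain":"NT AUTHORITY","AccountName":"SYSTEM","EventData":'
    r'"<Data>Security</Data><Data>2372</Data><Data>File</Data><Data>512</Data>'
    r'<Data>C:\WINDOWS\system32\winlogon.exe</Data><Data>%%4417\r\n\t\t\t%%4418\r\n\t\t\t</Data>'
    r'<Data>0x6</Data>","Opcode":"Info"}',
    "5928366"])
SAMPLE_4688 = "\t".join([
    "MSWinEventLog", "1", "Security", "35470294", "Fri Feb 3 16:25:07 2017", "4688",
    "Microsoft-Windows-Security-Auditing", "N/A", "N/A", "Success Audit", "fake.host.name", "N/A",
    r'{"EventTime":"2017-02-03 16:25:07","Hostname":"fake.host.name","Severity":"INFO",'
    r'"EventID":4688,"Version":1,"SubjectUserSid":"S-1-5-21-2350369662-2148904956-1289801824-1000",'
    r'"SubjectUserName":"oracle","SubjectDomainName":"AAAAAAPP01P","SubjectLogonId":"0x1aca4",'
    r'"NewProcessId":"0x1728","NewProcessName":"D:\\cygwin\\bin\\sed.exe","TokenElevationType":"%%1936"}',
    "557524019"])

if __name__ == "__main__":
    for sample in (SAMPLE_567, SAMPLE_4688):
        print(json.dumps(normalize(sample), indent=1))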
Splunk¶
- First, we split the log in two: the left part is the Splunk one (key=value pairs), the right part is the raw Windows message.
- We then split the Windows part into lines on the escaped tab sequences (`\t*`).
- The first line of the Windows part is the description and goes into [alarm][description].
- The remaining lines are split in key: value format and then normalized.
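The four Splunk steps above, as an added example that is not the product's own parser. The Splunk bindings are the "For Splunk Part" table below; the rest is assumption: the two parts are split at `Message=`, a line break lost by the flattening (a section header such as `Object:` fused onto the end of the previous value, as in the sample) is stripped, continuation lines are appended to the previous key, and the Subject block of the Windows message is bound like the WinRM Subject* fields. The sample is a constructed copy of the Splunk sample above with its literal `\t` escapes; genuine multi-line Splunk events (real tabs and newlines) go through the same path.

```python
"""Splunk-forwarded Windows event parser (Splunk key=value header + raw Windows message).
Added example, not the product's code; Splunk bindings follow the page's table."""
import re

SPLUNK_BINDING = {"LogName": "[alarm][facility]", "EventCode": "[alarm][id]",
                  "Type": "[alarm][sev]", "ComputerName": "[obs][host][name]",
                  "TaskCategory": "[alarm][name]", "Keywords": "[action]"}
# Assumption: the Subject block maps like the WinRM SubjectUser* fields.
WINDOWS_BINDING = {"Security ID": "[init][usr][sid]", "Account Name": "[init][usr][name]",
                   "Account Domain": "[init][usr][domain]", "Logon ID": "[init][usr][id]"}

_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)   # Splunk key=value pairs, values may hold spaces
_SECTION = re.compile(r"^[A-Z][A-Za-z ]*? ?:$")        # a bare "Subject:" / "Additional Information:"
_TRAILING_SECTION = re.compile(r"\s+[A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*)* ?:$")  # fused onto a value


def split_splunk(event):
    """Step 1: left part = Splunk key=value pairs, right part = raw Windows message."""
    head, sep, message = event.partition("Message=")   # assumption: Message= is the boundary
    if not sep:
        raise ValueError("no Message= field in event")
    return {k: v.strip() for k, v in _KV.findall(head)}, message


def parse_windows_message(message):
    """Steps 2 to 4: split on tabs/newlines, first line is the description, rest is Key:<tab>Value."""
    text = message.replace("\\r\\n", "\n").replace("\\t", "\t").replace("\r\n", "\n")
    lines = [l.strip() for l in re.split(r"\n| \t", text)]
    lines = [l for l in lines if l]
    description = _TRAILING_SECTION.sub("", lines[0])  # drop a "Subject :" fused by a lost newline
    fields, last = {}, None
    for line in lines[1:]:
        if _SECTION.match(line):                       # bare section header on its own line
            continue
        key, sep, value = line.partition(":\t")
        if sep:
            last = key.strip()
            fields[last] = _TRAILING_SECTION.sub("", value.strip())
            continue
        rest = _TRAILING_SECTION.sub("", line)
        if rest == line and line.endswith(":"):       # "Parameter 2:" with an empty value
            last = line[:-1].strip()
            fields[last] = ""
        elif last is not None:                         # continuation of the previous value
            fields[last] = (fields[last] + " " + rest).strip()
    # Empty and "-" values carry nothing (same rule as the Snare DataString step).
    return description, {k: v for k, v in fields.items() if v not in ("", "-")}


def normalize(event):
    """Bind the Splunk header and the Windows Subject block to the normalized names."""
    splunk, message = split_splunk(event)
    description, fields = parse_windows_message(message)
    out = {"[alarm][description]": description}
    for src, dst in SPLUNK_BINDING.items():
        if src in splunk:
            out[dst] = splunk[src]
    for src, dst in WINDOWS_BINDING.items():
        if src in fields:
            out[dst] = fields[src]
    return out


# Constructed copy of the Splunk sample above (flattened, literal \t escapes).
SAMPLE_4662 = (
    r"LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4662 "
    r"EventType=0 Type=Information ComputerName=FRHPhost.marvellouscompany.com "
    r"TaskCategory=Directory Service Access OpCode=Info RecordNumber=5191930203 "
    r"Keywords=Audit Success Message=An operation was performed on an object. Subject : "
    r"\tSecurity ID:\tS-1-5-21-1935655697-861567501-725345543-84522 \tAccount Name:\tFRHPARDC02$ "
    r"\tAccount Domain:\tEU \tLogon ID:\t0x3E5A8933 Object: \tObject Server:\tDS "
    r"\tObject Type:\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9} "
    r"\tObject Name:\t%{299918e0-20a4-41c0-843b-f9fa2b96252d} \tHandle ID:\t0x0 Operation: "
    r"\tOperation Type:\tObject Access \tAccesses:\tControl Access \t \tAccess Mask:\t0x100 "
    r"\tProperties:\tControl Access \t{89e95b76-444d-4c62-991a-0facbeda640c} "
    r"\t{19195a5b-6da0-11d0-afd3-00c04fd930c9} Additional Information: \tParameter 1:\t- \tParameter 2:"
)

if __name__ == "__main__":
    for k, v in normalize(SAMPLE_4662).items():
        print(f"{k} = {v}")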
Normalization¶
For SNARE part:
Field | Normalization | Reason |
---|---|---|
[alcatel] | Tuple | Tuple that is used to save any other data specific to the vendor Alcatel. |
Criticality | discard | (real value into DataString) |
EventLogSource | discard | (useless) |
SnareCounter | discard | (prefer ExpandedString) |
SubmitTime | [rep][ts] | |
EventID | [alarm][id] | |
SourceName | [alarm][name] | |
UserName | [obs][usr][name] | |
SIDType | discard | (real value into DataString) |
EventLogType | discard | (useless) |
ComputerName | [rep][ts] | |
CategoryString | discard | (no data) |
DataString | (detailed after, JSON-style format here) | |
ExpandedString | [session][id] | |
For WinRM Part:
Field | EventIDs | Normalization | Reason |
---|---|---|---|
AccessList | [1] 4663 | | the permissions that were actually exercised |
AccessMask | [1] 4663 | (discard) | bitmap of AccessList |
AccountName | [24] 12 104 528 529 531 534 537 539 567 592 602 636 672 673 675 865 866 4720 4727 4735 4737 4738 4741 7045 | [init][usr][name] | the account initiating the event: bootstrap of a process, ticket query etc. |
AccountType | [19] 12 104 528 529 531 534 537 539 567 592 602 636 672 673 675 680 865 866 7045 | (discard) | user or system, whatever |
AuthenticationPackageName | [3] 4610 4624 4625 | [target][process][name] | which authentication package has been loaded |
bcdCCID | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
bMaxSlotIndex | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
bNumClockSupported | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
bNumDataRateSupported | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
BootMode | [1] 12 | (discard) | no documentation; out of scope |
BuildVersion | [1] 12 | (discard) | no documentation; out of scope |
bVoltageSupport | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
Category | [21] 528 529 531 534 537 539 567 592 602 636 672 673 675 680 4697 4719 4722 4725 4728 4732 4735 | [alarm][name] | overlaps Snare's alarm name |
Channel | ALL | (discard) | in the most interesting cases |
Domain | [43] 12 104 528 529 531 534 537 539 567 592 602 636 672 673 675 865 866 4611 4616 4624 4625 4663 4688 4697 4698 4699 4700 4702 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4780 7045 4769 | [init][group][domain] | |
dwDataRate | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
dwDefaultClock | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
dwFeatures | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
dwMaxDataRate | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
dwMaxIFSD | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
dwMaximumClock | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
dwMechanical | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
dwProtocols | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
dwSyncProtocols | [1] 104 | (discard) | no documentation; out of scope (voltage and the like) |
ERROR_EVT_UNRESOLVED | [11] 528 529 531 534 537 539 567 592 672 675 865 | (discard) | obviously useless |
EventData | [15] 528 529 531 534 537 539 567 592 602 636 672 673 675 680 865 | NOW USED | converted from XML to CSV |
EventID | ALL | (discard) | see above; remapping it is useless |
EventReceivedTime | [49] 12 13 104 528 529 531 534 537 539 567 592 602 636 672 673 675 680 865 866 4608 4610 4611 4614 4616 4622 4624 4625 4663 4688 4697 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4776 4780 5024 7023 7036 7045 4769 | (discard) | = [rep][ts] with Snare and WinRM |
EventTime | ALL | [obs][ts] | when the event occurred in the Windows event log (== obs) |
EventType | ALL | (discard) | too little information regarding EventID and alarm description |
FailureReason | [1] 4625 | [alarm][description] | the reason of the failure |
HandleId | [1] 4663 | [target][process][id] | opened object ID |
Hostname | ALL | [obs][host][name] | where the event spawned |
ImpersonationLevel | [1] 4624 | (discard) | policy-enforced; the impersonation level the logon went through |
IpAddress | [4] 4624 4625 4768 4769 | [init][host][ip] | not in the doc, but supposedly the client IP |
IpPort | [4] 4624 4625 4768 4769 | [init][host][port] | see above |
KeyLength | [2] 4624 4625 | (discard) | useless |
Keywords | ALL | (discard) | integer ?? |
LmPackageName | [2] 4624 4625 | (discard) | version of NTLM |
LogonGuid | [2] 4624 4769 | [target][usr][id] | the UUID of the user logging in, even across ADs |
LogonProcessName | [3] 4611 4624 4625 | (discard) | the login process |
LogonType | [3] 4624 4625 4702 | [target][process][status] | maps which way the login was attempted |
MajorVersion | [1] 12 | (discard) | no documentation; out of scope |
Message | [13] 602 636 673 680 865 4697 4702 4722 4725 4728 4732 4735 7023 | see parsing section below | |
MinorVersion | [1] 12 | (discard) | no documentation; out of scope |
NewProcessId | [1] 4688 | [target][process][id] | the ID of the newly spawned process |
NewProcessName | [1] 4688 | [target][process][name] | the name associated with it |
NewTime | [1] 4616 | (discard) | the event itself is important, the time gap is not |
NotificationPackageName | [1] 4614 | [target][process][name] | the package name that has been loaded by the SAM |
ObjectName | [1] 4663 | [target][process][name] | name of the object accessed |
ObjectServer | [1] 4663 | (discard) | always "Security", what's the point? |
ObjectType | [1] 4663 | (discard) | type of object (File, Folder, SERVICE OBJECT...), useless |
Opcode | ALL | (discard) | yet another operational severity, stick to the Severity field |
OpcodeValue | [37] 12 13 104 866 4608 4610 4611 4614 4616 4622 4624 4625 4663 4688 4697 4698 4699 4700 4702 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4776 4780 5024 7036 7045 4769 | (discard) | yet another operational severity, stick to the Severity field |
PreviousTime | [1] 4616 | (discard) | the event itself is important, the time gap is not |
ProcessID | ALL | (discard) | useless, another process ID |
ProcessName | [6] 4611 4616 4624 4625 4663 4688 | [init][process][name] | |
ProviderGuid | [37] 12 13 104 866 4608 4610 4611 4614 4616 4622 4624 4625 4663 4688 4697 4698 4699 4700 4702 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4776 4780 5024 7036 7045 4769 | [obs][group][id] | the true one |
QfeVersion | [1] 12 | (discard) | no documentation, some software version |
RecordNumber | ALL | (discard) | the number of the log generated by the Windows event log |
ResourceAttributes | [1] 4663 | [target][process][status] | tags associated with the object |
SecurityPackageName | [1] 4622 | [target][process][name] | no override, the only argument of 4622 |
ServiceAccount | [1] 4697 | [target][usr][name] | the account the service runs under |
ServiceFileName | [1] 4697 | [target][process][path] | the file name of the service |
ServiceName | [4] 4697 4768 7045 4769 | [target][process][name] | the name of the service |
ServiceStartType | [1] 4697 | (discard) | for forensics only; boot system MAPTABLE |
ServiceType | [2] 4697 7045 | [target][process][id] | MAPTABLE |
ServiceVersion | [1] 12 | (discard) | no documentation, some software version |
Severity | ALL | [alarm][sev] | severity of the alarm |
SeverityValue | ALL | (discard) | bijection with Severity |
SourceModuleName | ALL | (discard) | useless |
SourceModuleType | ALL | (discard) | useless |
SourceName | ALL | (discard) | equivalent to Channel |
StartTime | [1] 12 | (discard) | no documentation, some time resync for AD |
Status | [4] 4625 4768 4776 4769 | [rule][name] | MAPTABLE, the reason why the action was taken by the AD |
StopTime | [1] 13 | (discard) | no documentation, some time resync for AD |
SubjectDomainName | [22] 4611 4616 4624 4625 4663 4688 4697 4698 4699 4700 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4780 | [init][usr][domain] | the domain of the user asking for the login |
SubjectLogonId | [22] 4611 4616 4624 4625 4663 4688 4697 4698 4699 4700 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4780 | [init][usr][id] | the logon ID of the user asking for the login |
SubjectUserName | [22] 4611 4616 4624 4625 4663 4688 4697 4698 4699 4700 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4780 | [init][usr][name] | the user name asking for the login; allows override for 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 |
SubjectUserSid | [22] 4611 4616 4624 4625 4663 4688 4697 4698 4699 4700 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4780 | [init][usr][sid] | the SID of the user asking for the login |
SubStatus | [1] 4625 | [rule][name] | APPENDED to Status if present |
TargetDomainName | [15] 4624 4625 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4780 4769 | [target][usr][domain] | the user queried in the AD |
TargetLogonId | [1] 4624 | (discard) | useless given the UUID in LogonGuid |
TargetUserName | [16] 4624 4625 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4776 4780 4769 | [target][usr][name] | |
TargetUserSid | [2] 4624 4625 | [target][usr][sid] | |
Task | ALL | [obs][process][id] | useless |
TaskName | [3] 4698 4700 4702 | [target][process][name] | the process the task attempted to execute |
ThreadID | ALL | (discard) | even more useless |
TokenElevationType | [1] 4688 | (discard) | tells whether it is wrapped in an underlying admin process |
TransmittedServices | [3] 4624 4625 4769 | (discard) | services that have privilege with the process; same risk as the process |
UserData | [1] 866 | see UserData values | XML-encoded information about the user |
UserID | [19] 12 104 528 529 531 534 537 539 567 592 602 636 672 673 675 680 865 866 7045 | [init][usr][id] | name of the user |
Version | [37] 12 13 104 866 4608 4610 4611 4614 4616 4622 4624 4625 4663 4688 4697 4698 4699 4700 4702 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4776 4780 5024 7036 7045 4769 | [app][version] | version of Windows Audit |
Workstation | [1] 4776 | [target][host][name] | the true initiator of the request |
WorkstationName | [1] 4625 | [init][host][name] | the true initiator of the request |
For Splunk Part:
Name | Normalization |
---|---|
LogName | [alarm][facility] |
SourceName | - |
SourceType | - |
EventCode | [alarm][id] |
EventType | - |
Type | [alarm][sev] |
ComputerName | [obs][host][name] |
TaskCategory | [alarm][name] |
OpCode | - |
RecordNumber | - |
Keywords | [action] |