
Microsoft Active Directory

Description

Constructor: Microsoft
Product: Active Directory
Log type: sys

Theoretical injector performance: 11227 EPS

Log samples

Snare / WinRM

MSWinEventLog   1   Security    14380538    Fri Feb  3 15:46:43 2017    567 Security    SYSTEM  User    Success Audit   PALERME Object Access       {"EventTime":"2017-02-03 15:46:43","Hostname":"PALERME","Keywords":45035996273704960,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":567,"SourceName":"Security","Task":3,"RecordNumber":5928366,"ProcessID":0,"ThreadID":0,"Channel":"Security","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"User","ERROR_EVT_UNRESOLVED":true,"Category":"Object Access","Opcode":"Info","EventData":"<Data>Security</Data><Data>2372</Data><Data>File</Data><Data>512</Data><Data>C:\WINDOWS\system32\winlogon.exe</Data><Data>%%4417\r\n\t\t\t%%4418\r\n\t\t\t</Data><Data>0x6</Data>","EventReceivedTime":"2017-02-03 15:47:21","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"} 5928366"
MSWinEventLog   1   Security    35470294    Fri Feb  3 16:25:07 2017    4688    Microsoft-Windows-Security-Auditing N/A N/A Success Audit   fake.host.name  N/A     {"EventTime":"2017-02-03 16:25:07","Hostname":"fake.host.name","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4688,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{25-814-4-A5A-328C30D}","Version":1,"Task":13312,"OpcodeValue":0,"RecordNumber":557524019,"ProcessID":4,"ThreadID":76,"Channel":"Security","SubjectUserSid":"S-1-5-21-2350369662-2148904956-1289801824-1000","SubjectUserName":"oracle","SubjectDomainName":"AAAAAAPP01P","SubjectLogonId":"0x1aca4","NewProcessId":"0x1728","NewProcessName":"D:\\cygwin\\bin\\sed.exe","TokenElevationType":"%%1936","EventReceivedTime":"2017-02-03 16:25:09","SourceModuleName":"in2008","SourceModuleType":"im_msvistalog"}   557524019
MSWinEventLog   1   System  313328  Fri Feb  3 16:00:29 2017    7036    Service Control Manager N/A N/A Information fake.host.name  N/A     {"EventTime":"2017-02-03 16:00:29","Hostname":"fake.host.name","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{D1-714-4-8EE-22012F4}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":264984,"ProcessID":672,"ThreadID":2960,"Channel":"System","param1":"WinHTTP Web Proxy Auto-Discovery Service","param2":"running","EventReceivedTime":"2017-02-03 16:01:00","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}    264984

Splunk

LogName=Security  SourceName=Microsoft Windows security auditing.  EventCode=4662  EventType=0  Type=Information  ComputerName=FRHPhost.marvellouscompany.com  TaskCategory=Directory Service Access  OpCode=Info  RecordNumber=5191930203  Keywords=Audit Success  Message=An operation was performed on an object.      Subject :   \tSecurity ID:\tS-1-5-21-1935655697-861567501-725345543-84522   \tAccount Name:\tFRHPARDC02$   \tAccount Domain:\tEU   \tLogon ID:\t0x3E5A8933      Object:   \tObject Server:\tDS   \tObject Type:\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}   \tObject Name:\t%{299918e0-20a4-41c0-843b-f9fa2b96252d}   \tHandle ID:\t0x0      Operation:   \tOperation Type:\tObject Access   \tAccesses:\tControl Access   \t   \tAccess Mask:\t0x100   \tProperties:\tControl Access   \t{89e95b76-444d-4c62-991a-0facbeda640c}   \t{19195a5b-6da0-11d0-afd3-00c04fd930c9}         Additional Information:   \tParameter 1:\t-   \tParameter 2:

Parsing strategy

Snare / WinRM

Let's take the first sample log above to explain the process.

1 - First, the csv() operator is applied. This gives the following result:

{
"UserName": "SYSTEM",
"EventLogType": "Success Audit",
"ms_header": "MSWinEventLog",
"SourceName": "Security",
"SubmitTime": "Fri Feb  3 15:46:43 2017",
"SnareCounter": "14380538",
"DataString": "{}",
"SIDType": "User",
"ExpandedString": "5928366",
"ComputerName": "PALERME",
"EventID": "567",
"CategoryString": "Object Access",
"EventLogSource": "Security",
"Criticality": "1"
}

2 - We validate the input data. An exception is raised if any of the following holds:

  • The ms_header is not equal to MSWinEventLog
  • A CSV field is missing
  • The CSV contains too many fields

3 - Next, we parse the DataString field as JSON. We also remove the undesired fields whose value is "-". This returns:

{
"AccountName": "SYSTEM",
"AccountType": "User",
"Category": "Object Access",
"Channel": "Security",
"Domain": "NT AUTHORITY",
"ERROR_EVT_UNRESOLVED": true,
"EventData": "<Data>Security</Data><Data>2372</Data><Data>File</Data><Data>512</Data><Data>C:\u0000INDOWS\u0000ystem32\u0000inlogon.exe</Data><Data>%%4417\r\n\t\t\t%%4418\r\n\t\t\t</Data><Data>0x6</Data>",
"EventID": 567,
"EventReceivedTime": "2017-02-03 15:47:21",
"EventTime": "2017-02-03 15:46:43",
"EventType": "AUDIT_SUCCESS",
"Hostname": "PALERME",
"Keywords": 45035996273704960,
"Opcode": "Info",
"ProcessID": 0,
"RecordNumber": 5928366,
"Severity": "INFO",
"SeverityValue": 2,
"SourceModuleName": "eventlog",
"SourceModuleType": "im_msvistalog",
"SourceName": "Security",
"Task": 3,
"ThreadID": 0,
"UserID": "SYSTEM"
}

4 - Then, if another parsing level is needed, we retrieve all useful information from it. For example, if the key UserData is found, we parse it as XML.

5 - Finally, we apply the binding between those fields and the normalized ones.

Splunk

  • First, we split the log in two: the left part is the Splunk one, the right part is the raw Windows message.
  • We then split each and every line, treating escaped line breaks as follows: t\*.
  • The first line of the Windows part becomes the description in [alarm][description].
  • The remaining lines are split in key: value format and then normalized.

Normalization

For SNARE part:

Field | Normalization | Reason
--- | --- | ---
[alcatel] | Tuple | Tuple that is used to save any other data specific to the vendor Alcatel.
Criticality | discard | real value into DataString
EventLogSource | discard | useless
SnareCounter | discard | prefer ExpandedString
SubmitTime | [rep][ts] |
EventID | [alarm][id] |
SourceName | [alarm][name] |
UserName | [obs][usr][name] |
SIDType | discard | real value into DataString
EventLogType | discard | useless
ComputerName | [rep][ts] |
CategoryString | discard | no data
DataString | (detailed after, JSON-style format here) |
ExpandedString | [session][id] |

For WinRM Part:

Field | EventIDs | Normalization | Reason
--- | --- | --- | ---
AccessList | [1] 4663 | | These are the permissions that were actually exercised
AccessMask | [1] 4663 | (discard) | bitmap of AccessList
AccountName | [24] 12 104 528 529 531 534 537 539 567 592 602 636 672 673 675 865 866 4720 4727 4735 4737 4738 4741 7045 | [init][usr][name] | the account initiating the event: bootstrap of a process, ticket query etc.
AccountType | [19] 12 104 528 529 531 534 537 539 567 592 602 636 672 673 675 680 865 866 7045 | (discard) | user or system, whatever
AuthenticationPackageName | [3] 4610 4624 4625 | [target][process][name] | Which AP has been loaded
bcdCCID | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
bMaxSlotIndex | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
bNumClockSupported | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
bNumDataRateSupported | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
BootMode | [1] 12 | (discard) | no documentation, out code concerning voltage and stuff
BuildVersion | [1] 12 | (discard) | no documentation, out code concerning voltage and stuff
bVoltageSupport | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
Category | [21] 528 529 531 534 537 539 567 592 602 636 672 673 675 680 4697 4719 4722 4725 4728 4732 4735 | [alarm][name] | Overlapping Snare's alarm Name
Channel | ALL | (discard) | in the most interesting cases
Domain | [43] 12 104 528 529 531 534 537 539 567 592 602 636 672 673 675 865 866 4611 4616 4624 4625 4663 4688 4697 4698 4699 4700 4702 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4780 7045 4769 | [init][group][domain] |
dwDataRate | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
dwDefaultClock | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
dwFeatures | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
dwMaxDataRate | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
dwMaxIFSD | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
dwMaximumClock | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
dwMechanical | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
dwProtocols | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
dwSyncProtocols | [1] 104 | (discard) | no documentation, out code concerning voltage and stuff
ERROR_EVT_UNRESOLVED | [11] 528 529 531 534 537 539 567 592 672 675 865 | (discard) | useless obviously
EventData | [15] 528 529 531 534 537 539 567 592 602 636 672 673 675 680 865 | NOW USED | Converted XML to CSV
EventID | ALL | (discard) | see above, no remapping, it's useless
EventReceivedTime | [49] 12 13 104 528 529 531 534 537 539 567 592 602 636 672 673 675 680 865 866 4608 4610 4611 4614 4616 4622 4624 4625 4663 4688 4697 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4776 4780 5024 7023 7036 7045 4769 | (discard) | = [rep][ts] w/ snare & WinRM
EventTime | ALL | [obs][ts] | when the event occurred in the WinEventLogger == obs
EventType | ALL | (discard) | too little information regarding EventID & alarm description
FailureReason | [1] 4625 | [alarm][description] | the reason of the failure
HandleId | [1] 4663 | [target][process][id] | opened object ID
Hostname | ALL | [obs][host][name] | where the event spawned
ImpersonationLevel | [1] 4624 | (discard) | policy-ensured; set at which impersonation level the logon went
IpAddress | [4] 4624 4625 4768 4769 | [init][host][ip] | not in the doc, but supposedly Client IP
IpPort | [4] 4624 4625 4768 4769 | [init][host][port] | see above
KeyLength | [2] 4624 4625 | (discard) | useless
Keywords | ALL | (discard) | Integer ??
LmPackageName | [2] 4624 4625 | (discard) | version of NTLM
LogonGuid | [2] 4624 4769 | [target][usr][id] | the UUID of the user logging in, even across ADs
LogonProcessName | [3] 4611 4624 4625 | (discard) | the login process
LogonType | [3] 4624 4625 4702 | [target][process][status] | map which way the login was attempted
MajorVersion | [1] 12 | (discard) | no documentation, out code concerning voltage and stuff
Message | [13] 602 636 673 680 865 4697 4702 4722 4725 4728 4732 4735 7023 | see Section parsing below |
MinorVersion | [1] 12 | (discard) | no documentation, out code concerning voltage and stuff
NewProcessId | [1] 4688 | [target][process][id] | the new Process ID that spawns
NewProcessName | [1] 4688 | [target][process][name] | the name associated
NewTime | [1] 4616 | (discard) | yet the event is important, the time gap isn't
NotificationPackageName | [1] 4614 | [target][process][name] | the package name that has been loaded by the SAM
ObjectName | [1] 4663 | [target][process][name] | Name of object accessed
ObjectServer | [1] 4663 | (discard) | always "Security", what's the point?
ObjectType | [1] 4663 | (discard) | Type of object (File, Folder, SERVICE OBJECT...), useless
Opcode | ALL | (discard) | yet another operational severity, stick to the Severity field
OpcodeValue | [37] 12 13 104 866 4608 4610 4611 4614 4616 4622 4624 4625 4663 4688 4697 4698 4699 4700 4702 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4776 4780 5024 7036 7045 4769 | (discard) | yet another operational severity, stick to the Severity field
PreviousTime | [1] 4616 | (discard) | yet the event is important, the time gap isn't
ProcessID | ALL | (discard) | useless, another process ID
ProcessName | [6] 4611 4616 4624 4625 4663 4688 | [init][process][name] |
ProviderGuid | [37] 12 13 104 866 4608 4610 4611 4614 4616 4622 4624 4625 4663 4688 4697 4698 4699 4700 4702 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4776 4780 5024 7036 7045 4769 | [obs][group][id] | the true one
QfeVersion | [1] 12 | (discard) | no documentation, some software versions
RecordNumber | ALL | (discard) | the number of the log generated by WinEventLog
ResourceAttributes | [1] 4663 | [target][process][status] | tags associated to the object
SecurityPackageName | [1] 4622 | [target][process][name] | no override, the only arg for 4622
ServiceAccount | [1] 4697 | [target][usr][name] | the account name the service runs under
ServiceFileName | [1] 4697 | [target][process][path] | the file name of the service
ServiceName | [4] 4697 4768 7045 4769 | [target][process][name] | the name of the service
ServiceStartType | [1] 4697 | (discard) | for forensics only; boot system MAPTABLE
ServiceType | [2] 4697 7045 | [target][process][id] | MAPTABLE
ServiceVersion | [1] 12 | (discard) | no documentation, some software versions
Severity | ALL | [alarm][sev] | severity of the alarm
SeverityValue | ALL | (discard) | bijection w/ Severity
SourceModuleName | ALL | (discard) | useless
SourceModuleType | ALL | (discard) | useless
SourceName | ALL | (discard) | equiv. to Channel
StartTime | [1] 12 | (discard) | no documentation, some time resync for AD
Status | [4] 4625 4768 4776 4769 | [rule][name] | MAPTABLE, the reason why the action was taken by the AD
StopTime | [1] 13 | (discard) | no documentation, some time resync for AD
SubjectDomainName | [22] 4611 4616 4624 4625 4663 4688 4697 4698 4699 4700 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4780 | [init][usr][domain] | The user asking for the login
SubjectLogonId | [22] 4611 4616 4624 4625 4663 4688 4697 4698 4699 4700 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4780 | [init][usr][id] | the user id asking for the login
SubjectUserName | [22] 4611 4616 4624 4625 4663 4688 4697 4698 4699 4700 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4780 | [init][usr][name] | the user name asking for the login; allow override for 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741
SubjectUserSid | [22] 4611 4616 4624 4625 4663 4688 4697 4698 4699 4700 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4780 | [init][usr][sid] | the user sid asking for the login
SubStatus | [1] 4625 | [rule][name] | APPENDED to Status if present
TargetDomainName | [15] 4624 4625 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4780 4769 | [target][usr][domain] | the user queried in the AD
TargetLogonId | [1] 4624 | (discard) | useless regarding UUID of LogonGuid
TargetUserName | [16] 4624 4625 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4776 4780 4769 | [target][usr][name] |
TargetUserSid | [2] 4624 4625 | [target][usr][sid] |
Task | ALL | [obs][process][id] | useless
TaskName | [3] 4698 4700 4702 | [target][process][name] | Attempted process executed
ThreadID | ALL | (discard) | even more useless
TokenElevationType | [1] 4688 | (discard) | get if wrapped in an underlying admin process
TransmittedServices | [3] 4624 4625 4769 | (discard) | svcs that have privilege with the process. Same risk as process
UserData | [1] 866 | See UserData Values | XML-gibberished information about the user.
UserID | [19] 12 104 528 529 531 534 537 539 567 592 602 636 672 673 675 680 865 866 7045 | [init][usr][id] | name of the user
Version | [37] 12 13 104 866 4608 4610 4611 4614 4616 4622 4624 4625 4663 4688 4697 4698 4699 4700 4702 4719 4720 4722 4725 4727 4728 4732 4735 4737 4738 4741 4768 4776 4780 5024 7036 7045 4769 | [app][version] | version of Windows Audit
Workstation | [1] 4776 | [target][host][name] | the true initiator of the request
WorkstationName | [1] 4625 | [init][host][name] | the true initiator of the request
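The five Snare / WinRM parsing steps above, driven by a subset of the SNARE and WinRM binding tables, as an added worked example that is not part of the original page or of the parser it describes. It is written in Python; the column order of the Snare record, the use of the standard csv module as the csv() operator, and the backslash repair applied before the JSON step are assumptions (the first log sample carries single backslashes in its Windows path, which are not valid JSON escapes). The WinRM bindings are gated on EventID exactly as the table does, so Category only overrides the Snare-level alarm name for the listed event IDs, and the 4688 process bindings stay absent for event 567.

```python
import csv
import io
import json
import re

# Column order of a Snare MSWinEventLog record as the csv() step yields it
# (assumed from the step-1 output above; the record is tab-delimited).
SNARE_FIELDS = [
    "ms_header", "Criticality", "EventLogSource", "SnareCounter", "SubmitTime",
    "EventID", "SourceName", "UserName", "SIDType", "EventLogType",
    "ComputerName", "CategoryString", "DataString", "ExpandedString",
]

# Constructed sample: the first Snare record above, rebuilt with real tabs.
# The Windows path keeps its single backslashes exactly as in the raw log,
# which makes DataString invalid JSON as written (\W, \s and \w escapes).
SAMPLE = "\t".join([
    "MSWinEventLog", "1", "Security", "14380538", "Fri Feb  3 15:46:43 2017",
    "567", "Security", "SYSTEM", "User", "Success Audit", "PALERME",
    "Object Access",
    '{"EventTime":"2017-02-03 15:46:43","Hostname":"PALERME","EventID":567,'
    '"Severity":"INFO","Domain":"NT AUTHORITY","AccountName":"SYSTEM",'
    '"UserID":"SYSTEM","Category":"Object Access","Opcode":"-",'
    '"EventData":"<Data>Security</Data><Data>2372</Data><Data>File</Data>'
    '<Data>C:\\WINDOWS\\system32\\winlogon.exe</Data>"}',
    "5928366",
])

# Bindings copied (as a subset) from the normalization tables above. WinRM
# bindings are gated on EventID; None means the binding applies to all IDs.
SNARE_BINDINGS = {
    "SubmitTime": "[rep][ts]", "EventID": "[alarm][id]",
    "SourceName": "[alarm][name]", "UserName": "[obs][usr][name]",
    "ExpandedString": "[session][id]",
}
WINRM_BINDINGS = [
    ("EventTime", None, "[obs][ts]"),
    ("Hostname", None, "[obs][host][name]"),
    ("Severity", None, "[alarm][sev]"),
    ("AccountName", {12, 104, 528, 529, 531, 534, 537, 539, 567, 592, 602, 636,
                     672, 673, 675, 865, 866, 4720, 4727, 4735, 4737, 4738,
                     4741, 7045}, "[init][usr][name]"),
    ("Category", {528, 529, 531, 534, 537, 539, 567, 592, 602, 636, 672, 673,
                  675, 680, 4697, 4719, 4722, 4725, 4728, 4732, 4735},
     "[alarm][name]"),  # overlaps (overrides) the Snare-level alarm name
    ("NewProcessId", {4688}, "[target][process][id]"),
    ("NewProcessName", {4688}, "[target][process][name]"),
]

def parse_snare_header(line):
    """Steps 1 and 2: split the tab-delimited record and validate it."""
    reader = csv.reader(io.StringIO(line), delimiter="\t", quoting=csv.QUOTE_NONE)
    fields = next(reader)
    if len(fields) < len(SNARE_FIELDS):
        raise ValueError("CSV field missing: %d of %d" % (len(fields), len(SNARE_FIELDS)))
    if len(fields) > len(SNARE_FIELDS):
        raise ValueError("CSV contains too many fields: %d" % len(fields))
    record = dict(zip(SNARE_FIELDS, fields))
    if record["ms_header"] != "MSWinEventLog":
        raise ValueError("unexpected ms_header %r" % record["ms_header"])
    return record

def parse_datastring(raw):
    """Step 3: parse DataString as JSON and drop fields whose value is "-".
    Lone backslashes (Windows paths) are doubled first so json.loads accepts
    them and the path survives intact."""
    fixed = re.sub(r'\\(?!["\\/bfnrtu])', r'\\\\', raw)
    return {k: v for k, v in json.loads(fixed).items() if v != "-"}

def parse_eventdata(xml):
    """Step 4: pull the <Data> values out of the EventData XML fragment."""
    return re.findall(r"<Data>(.*?)</Data>", xml, re.S)

def set_path(out, path, value):
    """Store value under a "[a][b][c]" path, creating nested dicts as needed."""
    keys = re.findall(r"\[([^\]]+)\]", path)
    node = out
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value

def normalize(line):
    """Step 5: run the whole pipeline and bind raw fields to normalized ones."""
    record = parse_snare_header(line)
    data = parse_datastring(record["DataString"])
    if "EventData" in data:
        data["EventData"] = parse_eventdata(data["EventData"])
    out = {}
    for field, path in SNARE_BINDINGS.items():
        set_path(out, path, record[field])
    event_id = int(record["EventID"])
    for field, ids, path in WINRM_BINDINGS:
        if field in data and (ids is None or event_id in ids):
            set_path(out, path, data[field])
    return out
```

Calling normalize(SAMPLE) yields [alarm][id] "567", [alarm][name] "Object Access" (the WinRM Category having overridden the Snare SourceName "Security"), [obs][host][name] "PALERME" and no [target] branch at all. The backslash repair is the part worth keeping in mind operationally: without it the JSON step either fails on the first Windows path or, as the step-3 output above shows, silently turns path components into \u0000, which would blind any detection keyed on NewProcessName or ObjectName.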

For Splunk Part:

Name | Normalization
--- | ---
LogName | [alarm][facility]
SourceName | -
SourceType | -
EventCode | [alarm][id]
EventType | -
Type | [alarm][sev]
ComputerName | [obs][host][name]
TaskCategory | [alarm][name]
OpCode | -
RecordNumber | -
Keywords | [action]
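The Splunk parsing steps (split into Splunk and Windows parts, split on escaped line breaks, first line as description, remaining lines as key: value) together with the Splunk binding table above, as an added worked example in Python that is not part of the original page or of the parser it documents. Assumptions: the record is split at the literal "Message=" token (the page does not name the split point), header pairs are separated by runs of two or more spaces, and the Windows key/value lines are kept under a constructed [windows] bucket since the page gives them no binding. The sample is the Splunk record shown above with its "\t" escapes kept as the two literal characters.

```python
import re

# Constructed sample: the Splunk record shown above. The \t sequences are the
# literal two characters Splunk emits, not real tab characters.
SAMPLE = (
    "LogName=Security  SourceName=Microsoft Windows security auditing.  "
    "EventCode=4662  EventType=0  Type=Information  "
    "ComputerName=FRHPhost.marvellouscompany.com  "
    "TaskCategory=Directory Service Access  OpCode=Info  "
    "RecordNumber=5191930203  Keywords=Audit Success  "
    "Message=An operation was performed on an object.      Subject :   "
    "\\tSecurity ID:\\tS-1-5-21-1935655697-861567501-725345543-84522   "
    "\\tAccount Name:\\tFRHPARDC02$   \\tAccount Domain:\\tEU   "
    "\\tLogon ID:\\t0x3E5A8933      Object:   \\tObject Server:\\tDS   "
    "\\tObject Type:\\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}   "
    "\\tObject Name:\\t%{299918e0-20a4-41c0-843b-f9fa2b96252d}   "
    "\\tHandle ID:\\t0x0      Operation:   \\tOperation Type:\\tObject Access   "
    "\\tAccesses:\\tControl Access   \\t   \\tAccess Mask:\\t0x100   "
    "\\tProperties:\\tControl Access   "
    "\\t{89e95b76-444d-4c62-991a-0facbeda640c}   "
    "\\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}         "
    "Additional Information:   \\tParameter 1:\\t-   \\tParameter 2:"
)

# From the "For Splunk part" table; "-" means the field is discarded.
SPLUNK_BINDINGS = {
    "LogName": "[alarm][facility]", "SourceName": "-", "SourceType": "-",
    "EventCode": "[alarm][id]", "EventType": "-", "Type": "[alarm][sev]",
    "ComputerName": "[obs][host][name]", "TaskCategory": "[alarm][name]",
    "OpCode": "-", "RecordNumber": "-", "Keywords": "[action]",
}

TAB = "\\t"  # the escaped tab as it appears in the record (two characters)

def split_record(line):
    """Step 1: Splunk header on the left, raw Windows message on the right.
    Splitting at 'Message=' is an assumption; the page does not name the token."""
    head, sep, body = line.partition("Message=")
    if not sep:
        raise ValueError("no Message= field in Splunk record")
    return head, body

def parse_header(head):
    """Splunk key=value pairs, separated by runs of two or more spaces."""
    fields = {}
    for chunk in re.split(r"\s{2,}", head.strip()):
        key, eq, value = chunk.partition("=")
        if eq:
            fields[key] = value
    return fields

def parse_windows(body):
    """Steps 2-4: split the message on escaped line breaks. The first line is
    the description. A line starting with the escaped tab is a key/value line
    (key and value separated by another escaped tab); a line without it is a
    section header that prefixes the keys below it; an escaped-tab line with
    no key continues the previous value."""
    lines = [l for l in re.split(r"\s{2,}", body) if l]
    description, fields, section, last_key = lines[0], {}, "", None
    for line in lines[1:]:
        if not line.startswith(TAB):
            section = line.rstrip(" :")
            continue
        parts = line[len(TAB):].split(TAB)
        if not parts[0]:
            continue  # a bare escaped-tab line, nothing to keep
        if len(parts) == 1 and not parts[0].endswith(":"):
            if last_key is not None:
                fields[last_key] += " " + parts[0]  # continuation line
            continue
        key = parts[0].rstrip(":")
        last_key = section + "." + key if section else key
        fields[last_key] = " ".join(parts[1:])
    return description, fields

def normalize(line):
    """Bind the Splunk header to normalized fields and attach the Windows part."""
    head, body = split_record(line)
    out = {}
    for key, value in parse_header(head).items():
        path = SPLUNK_BINDINGS.get(key, "-")
        if path != "-":
            out[path] = value
    description, fields = parse_windows(body)
    out["[alarm][description]"] = description
    out["[windows]"] = fields  # assumed bucket: the page binds none of these keys
    return out
```

The continuation rule matters for 4662: the Properties line is followed by bare GUID lines, and a naive "one line, one key" split would silently drop the property GUIDs, which are precisely what distinguishes a routine directory read from a replication-rights access. Keys are prefixed with their section (Subject.Account Name, Object.Handle ID) so that fields repeated across sections cannot overwrite one another.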