topic Re: How to mask password in Windows event logs ? in Security

How to mask password in Windows event logs ?

kamaljagga — Fri, 04 Jun 2021 22:28:13 GMT

Hello,

I am trying to mask the password in the Windows event logs at index time but somehow my config is not working. Kindly advise.

Configuration that I am trying :

1. Changes made in Props
Password extraction
[data]
password = (?m)^(.*)Process Command Line:.*\"\w+\".*\"(?P<password>.*)\"\s+\/active:yes\s+\/passwordchg:yes$
TRANSFORMS-anonymize = password-anonymizer

2. Changes made in Tranforms
[password-anonymizer]
FORMAT = ################
DEST_KEY = _raw

Logs:

Process Information:
New Process ID: xyzabc
New Process Name: C:\Windows\System32\net.exe
Token Elevation Type: abcdabcd
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 12345
Creator Process Name: C:\Program Files\BMC Software\Client Management\Client\bin\mtxproxy.exe
Process Command Line: net user "abcd" "password12345" /active:yes /passwordchg:yes /passwordreq:yes

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Documentation Link: https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Anonymizedata

Any advise would be appreciated.

Re: How to mask password in Windows event logs ?

richgalloway — Sat, 05 Jun 2021 12:22:02 GMT

The transform needs a REGEX attribute that tells Splunk where to find the field to anonymize.

Re: How to mask password in Windows event logs ?

kamaljagga — Sat, 05 Jun 2021 20:23:50 GMT

Isn't it already there. Could you provide more details.

Re: How to mask password in Windows event logs ?

richgalloway — Sun, 06 Jun 2021 00:36:28 GMT

It's not in the quoted transforms.conf stanza

2. Changes made in Tranforms [password-anonymizer] FORMAT = ################ DEST_KEY = _raw

It usually looks something like this:

2. Changes made in Tranforms [password-anonymizer] REGEX = %%%%%%%%%%%% FORMAT = ################ DEST_KEY = _raw

Have you tried using SEDCMD in props.conf? That's usually the easier way to mask data.

Re: How to mask password in Windows event logs ?

kamaljagga — Mon, 07 Jun 2021 01:20:42 GMT

I had initially put REGEX in transform but it didn't work. Giving SEDCMD a try now.

Updated props

splunk $ cat props.conf
[data]
SEDCMD-Anon = s/(?m)^(.*)Process Command Line:.*\"\w+\".*\"(?P.*)\"\s+\/active:yes\s+\/passwordchg:yes/##############/g
#password = (?m)^(.*)Process Command Line:.*\"\w+\".*\"(?P<password>.*)\"\s+\/active:yes\s+\/passwordchg:yes$
#TRANSFORMS-anonymize = password-anonymizer
#TRANSFORMS-anonymize = pass-anonymizer

Re: How to mask password in Windows event logs ?

kamaljagga — Mon, 07 Jun 2021 18:27:08 GMT

This didn't work.

splunk $ cat props.conf
[data]
SEDCMD-Anon = s/(?m)^(.*)Process Command Line:.*\"\w+\".*\"(.*)\"\s+\/active:yes\s+\/passwordchg:yes/##############/g

Re: How to mask password in Windows event logs ?

lilredcrawfish — Mon, 07 Jun 2021 19:54:34 GMT

Is this being done on a UF or HF?

Re: How to mask password in Windows event logs ?

lilredcrawfish — Mon, 07 Jun 2021 19:55:40 GMT

I think it has to be done on a HF -
"Universal forwarders can only parse structured data"

https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/Anonymizedata

Re: How to mask password in Windows event logs ?

kamaljagga — Mon, 07 Jun 2021 20:29:42 GMT

Thanks for mentioning that, Missed paying attention to HF note in docs.

I am trying it through UF. For Configuring it on HF, I will have to change the flow of windows logs, which won't be also easy.

Is there a way it can be done on UF?

Re: How to mask password in Windows event logs ?

lilredcrawfish — Mon, 07 Jun 2021 20:33:04 GMT

Dont think so. Try putting it on the indexer/indexers. Should work first place data is cooked..

Re: How to mask password in Windows event logs ?

kamaljagga — Tue, 08 Jun 2021 00:22:58 GMT

Yes. Had already put there, was waiting for off hours for pushing it to the cluster. Moving it to indexers removed the whole line, so still have to work what kind of regex to put there.

Updated logs after the changes.

Process Information:

New Process ID: abcd

New Process Name: C:\Windows\System32\net1.exe

Token Elevation Type: %%1234

Mandatory Label: Mandatory Label\System Mandatory Level Creator

Process ID: abcd

Creator Process Name: C:\Windows\System32\net.exe

############## /passwordreq:yes

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Re: How to mask password in Windows event logs ?

kamaljagga — Tue, 08 Jun 2021 20:12:38 GMT

Thanks all for the reply. Here is the complete solution.

According to docs, config should be done on HF but for that the data flow has to be changed. Parsing can't be done on UF, however this can be pushed to the indexers via the Cluster Master similar to field extractions.

Steps:

1. Write the regex to extract the password and use that regex along with the sed command (format /s/<password>/<replacement>/g) to test the masking of the password in the search.

index=main sourcetype=data source="C:\\testdata\\TestDataMasking5.txt"
| rex mode=sed "s/\"\w+\".*\"(.*)\"\s+/##############/g"
| table _raw

2. Create a new app in the master-apps of CM and then put the above regex in props.conf and push the bundle.

[data]

SEDCMD-masking=s/\"\w+\".*\"(.*)\"\s+/##############/g

The success of above solution depends a lot on the regex.