ms-Mcs-AdmPwd Plaintext in Splunk

v0c1 — Tue, 10 Aug 2021 06:28:10 GMT

Hi 🙂

We use the Splunk Cloud which gets logs from two HFs, which get logs from many UFs.
A few of those UFs live on our Domain Controllers, which interact to some extend with the LDAP-API and get notifications, everytime an AD-Object changes (https://www.splunk.com/en_us/blog/tips-and-tricks/working-with-active-directory-on-splunk-universal-forwarders.html).

What now happens is, every time LAPS changes the passwords, the Computer-Object gets updated, the UF gets ahold of those Passwords and we can see them plaintext in Splunk Cloud.

After discovering this, i added this to props.conf (Splunk\etc\system\local) on the HF and restarted the HF :

[ActiveDirectory]
SEDCMD-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/########/g

And since this hasn't worked, I tried this :

[ActiveDirectory]
SEDCMD-anonymiseLaps = 's/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g'
(Source: https://www.databl.io/anonymise-your-clear-text-laps-passwords-in-splunk/ - this describes the problem pretty well.)

...which hasn't worked either.
We still see those Passwords.

Has anybody encountered similar problems and/or has hints or possible solutions?

Thanks in advance.

Re: ms-Mcs-AdmPwd Plaintext in Splunk

janlindmnemonic — Thu, 02 Sep 2021 11:41:31 GMT

[ActiveDirectory] SEDCMD-anonymisePWD = s/ms-Mcs-AdmPwd=.*/ms-Mcs-AdmPwd=<redacted>/g

Observed the same in our env. the above sedcmd works for us.

Re: ms-Mcs-AdmPwd Plaintext in Splunk

gitingua — Mon, 22 Nov 2021 12:11:05 GMT

@v0c1

did you solve the problem?

topic Re: ms-Mcs-AdmPwd Plaintext in Splunk in Getting Data In

ms-Mcs-AdmPwd Plaintext in Splunk

Re: ms-Mcs-AdmPwd Plaintext in Splunk

Re: ms-Mcs-AdmPwd Plaintext in Splunk