<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: [Windows] Blacklisting Event 4656 for system accounts only in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386607#M112836</link>
    <description>&lt;P&gt;You may have figured this out already, but the blacklist you are using is looking for a match in the Message for Account Name, but in this event you've posted that doesn't show up.&lt;/P&gt;

&lt;P&gt;You might want to filter out Splunk processes logging events so you could add a new copy of the blacklist line but change the&lt;BR /&gt;
Message="Account Name:(\W+\w+\$)"&lt;BR /&gt;
to&lt;BR /&gt;
Message="%SplunkUniversalForwarder%"&lt;/P&gt;

&lt;P&gt;That might work.&lt;/P&gt;</description>
    <pubDate>Thu, 06 Jun 2019 13:04:37 GMT</pubDate>
    <dc:creator>alastor</dc:creator>
    <dc:date>2019-06-06T13:04:37Z</dc:date>
    <item>
      <title>[Windows] Blacklisting Event 4656 for system accounts only</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386601#M112830</link>
      <description>&lt;P&gt;Good morning everyone, having a bit of a tough time with this, as my blacklists and whitelists aren't working properly. Windows Event 4656 is noisy, and I'm looking to ingest ONLY the events tied to a peron's account, and not the system account. Within Windows, the system account name is denoted by a literal "$" appended to the system name (i.e. COMPUTER$). I've tried various forms of regex within a blacklist, and tried a negative whitelist (i.e. accept all 4656 (?!Account Name:\s+\w+\$)). I've also noticed that if I activate the negative whitelist, the regex also blocks events from EventCode 4670 from showing up.&lt;/P&gt;

&lt;P&gt;Splunk Enterprise 7.0.2&lt;BR /&gt;
Splunk Forwarder 7.0.2&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;05/08/2018 04:16:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=computer.domain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=91946348
Keywords=Audit Success
Message=A handle to an object was requested.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       COMPUTER$
    Account Domain:     DOMAIN
    Logon ID:       0x3E7

Object:
    Object Server:      Security
    Object Type:        File
    Object Name:        C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\application
    Handle ID:      0x290
    Resource Attributes:    -

Process Information:
    Process ID:     0x4adc
    Process Name:       C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe

Access Request Information:
    Transaction ID:     {00000000-0000-0000-0000-000000000000}
    Accesses:       READ_CONTROL
                SYNCHRONIZE
                WriteData (or AddFile)
                AppendData (or AddSubdirectory or CreatePipeInstance)
                WriteEA
                ReadAttributes
                WriteAttributes

    Access Reasons:     READ_CONTROL:   Granted by Ownership
                SYNCHRONIZE:    Granted by  D:(A;;FA;;;SY)
                WriteData (or AddFile): Granted by  D:(A;;FA;;;SY)
                AppendData (or AddSubdirectory or CreatePipeInstance):  Granted by  D:(A;;FA;;;SY)
                WriteEA:    Granted by  D:(A;;FA;;;SY)
                ReadAttributes: Granted by  D:(A;;FA;;;SY)
                WriteAttributes:    Granted by  D:(A;;FA;;;SY)

    Access Mask:        0x120196
    Privileges Used for Access Check:   -
    Restricted SID Count:   0
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Regex used and currently Working for Similar Events (4663,4670):&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;blacklist2 = EventCode="(4663|4670)" Message="Account Name:\W+\w+\$"
blacklist3 = EventCode="(5447)" Message="Account Name:\s+\S+LOCAL SERVICE"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Regex attempted and currently failing for event 4656:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;blacklist4 = EventCode="(4656)" Message="Account Name:\W+\w+\$"
#Results in all 4656 being blacklisted, not just the COMPUTER$ account events
whitelist1 = EventCode="(4656)" Message="Account Name:(?!\W+\w+\$)"
#Results in 4656 being filtered, and 4670, and 4663 not showing up.
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Confirmed both 4656 blacklist and whitelist regex pull proper events while in SPL search by using &lt;CODE&gt;| regex Message=&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;Where do I go from here?&lt;/P&gt;</description>
      <pubDate>Wed, 09 May 2018 13:23:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386601#M112830</guid>
      <dc:creator>Rhin0Crash</dc:creator>
      <dc:date>2018-05-09T13:23:14Z</dc:date>
    </item>
    <item>
      <title>Re: [Windows] Blacklisting Event 4656 for system accounts only</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386602#M112831</link>
      <description>&lt;P&gt;I'm realizing now that the whitelist approach won't be the way to go.&lt;/P&gt;

&lt;P&gt;Events with the same regex working, but 4656 still failing:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;blacklist2 = EventCode="(4656|4670|4663|4703|4658)" Message="Account Name:(\W+\w+\$)"
#results in 4670,4663,4658 coming through with no COMPUTER$ events, but 4656 still doesn't show up
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 09 May 2018 14:03:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386602#M112831</guid>
      <dc:creator>Rhin0Crash</dc:creator>
      <dc:date>2018-05-09T14:03:43Z</dc:date>
    </item>
    <item>
      <title>Re: [Windows] Blacklisting Event 4656 for system accounts only</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386603#M112832</link>
      <description>&lt;P&gt;For completeness sake, can you share an example of a 4656 event without a $ that should come through?&lt;/P&gt;

&lt;P&gt;Really weird that it works for other events, but not for this one...&lt;/P&gt;</description>
      <pubDate>Wed, 09 May 2018 14:10:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386603#M112832</guid>
      <dc:creator>FrankVl</dc:creator>
      <dc:date>2018-05-09T14:10:25Z</dc:date>
    </item>
    <item>
      <title>Re: [Windows] Blacklisting Event 4656 for system accounts only</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386604#M112833</link>
      <description>&lt;P&gt;Added below&lt;/P&gt;</description>
      <pubDate>Wed, 09 May 2018 14:13:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386604#M112833</guid>
      <dc:creator>Rhin0Crash</dc:creator>
      <dc:date>2018-05-09T14:13:46Z</dc:date>
    </item>
    <item>
      <title>Re: [Windows] Blacklisting Event 4656 for system accounts only</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386605#M112834</link>
      <description>&lt;PRE&gt;&lt;CODE&gt;05/08/2018 04:16:50 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=computer.domain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=91946924
Keywords=Audit Success
Message=A handle to an object was requested.

Subject:
    Security ID:        DOMAIN\t-rex
    Account Name:       t-rex
    Account Domain:     DOMAIN
    Logon ID:       0x93270A40

Object:
    Object Server:      Security
    Object Type:        File
    Object Name:        C:\Program Files\SplunkUniversalForwarder\etc\apps
    Handle ID:      0x1f4
    Resource Attributes:    -

Process Information:
    Process ID:     0x50d4
    Process Name:       C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe

Access Request Information:
    Transaction ID:     {00000000-0000-0000-0000-000000000000}
    Accesses:       READ_CONTROL
                SYNCHRONIZE
                ReadData (or ListDirectory)

    Access Reasons:     READ_CONTROL:   Granted by  D:(A;;FA;;;BA)
                SYNCHRONIZE:    Granted by  D:(A;;FA;;;BA)
                ReadData (or ListDirectory):    Granted by  D:(A;;FA;;;BA)

    Access Mask:        0x120001
    Privileges Used for Access Check:   -
    Restricted SID Count:   0
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 09 May 2018 14:20:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386605#M112834</guid>
      <dc:creator>Rhin0Crash</dc:creator>
      <dc:date>2018-05-09T14:20:37Z</dc:date>
    </item>
    <item>
      <title>Re: [Windows] Blacklisting Event 4656 for system accounts only</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386606#M112835</link>
      <description>&lt;P&gt;The behaviour described doesn't make much sense, so I'm wondering if you maybe have some config lingering around from an earlier attempt or so that messes up the results?&lt;/P&gt;

&lt;P&gt;Can you try running btool on the respective forwarder to see what input config is getting applied?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;./splunk btool inputs list --debug
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;And just to be sure: you don't have any props and transforms config that is also doing some filtering/routing that could affect this?&lt;/P&gt;</description>
      <pubDate>Thu, 10 May 2018 08:18:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386606#M112835</guid>
      <dc:creator>FrankVl</dc:creator>
      <dc:date>2018-05-10T08:18:31Z</dc:date>
    </item>
    <item>
      <title>Re: [Windows] Blacklisting Event 4656 for system accounts only</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386607#M112836</link>
      <description>&lt;P&gt;You may have figured this out already, but the blacklist you are using is looking for a match in the Message for Account Name, but in this event you've posted that doesn't show up.&lt;/P&gt;

&lt;P&gt;You might want to filter out Splunk processes logging events so you could add a new copy of the blacklist line but change the&lt;BR /&gt;
Message="Account Name:(\W+\w+\$)"&lt;BR /&gt;
to&lt;BR /&gt;
Message="%SplunkUniversalForwarder%"&lt;/P&gt;

&lt;P&gt;That might work.&lt;/P&gt;</description>
      <pubDate>Thu, 06 Jun 2019 13:04:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Windows-Blacklisting-Event-4656-for-system-accounts-only/m-p/386607#M112836</guid>
      <dc:creator>alastor</dc:creator>
      <dc:date>2019-06-06T13:04:37Z</dc:date>
    </item>
  </channel>
</rss>

