<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: EventCode 4672 extraction prob? in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297912#M175551</link>
    <description>&lt;P&gt;Giuseppe, thanks for offering me your help... but I only want to prove that I'm right... because this would have a much bigger impact if this happened to all the Windows events that have tab stops in their message field...&lt;/P&gt;</description>
    <pubDate>Tue, 14 Feb 2017 14:56:41 GMT</pubDate>
    <dc:creator>ndcl</dc:creator>
    <dc:date>2017-02-14T14:56:41Z</dc:date>
    <item>
      <title>EventCode 4672 extraction prob?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297908#M175547</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;Did anyone also figure out that the 4672 Windows event is not completely extracted by Splunk?&lt;/P&gt;

&lt;P&gt;4672 is an important event because it shows the privileges of a logon account. Its raw text looks like this:&lt;/P&gt;

&lt;P&gt;Special privileges assigned to new logon.&lt;/P&gt;

&lt;P&gt;Subject:&lt;/P&gt;

&lt;P&gt;Security ID:  WIN-R9H529RIO4Y\Administrator&lt;BR /&gt;
Account Name:  Administrator&lt;BR /&gt;
Account Domain:  WIN-R9H529RIO4Y&lt;BR /&gt;
Logon ID:  0x4b842&lt;/P&gt;

&lt;P&gt;Privileges:                           SeSecurityPrivilege&lt;BR /&gt;
SeTakeOwnershipPrivilege&lt;BR /&gt;
SeLoadDriverPrivilege&lt;BR /&gt;
SeBackupPrivilege&lt;BR /&gt;
SeRestorePrivilege&lt;BR /&gt;
SeDebugPrivilege&lt;BR /&gt;
SeSystemEnvironmentPrivilege&lt;BR /&gt;
SeImpersonatePrivilege&lt;/P&gt;

&lt;P&gt;OK, hard to format here, but the Privileges section has a tab stop in every row. What happens if you do a stats list on the Privileges field is that it only shows the first row: SeSecurityPrivilege. If you use mvindex(Privileges,0), every index bigger than 0 is empty. This means to me that only the first row was extracted and the rest is skipped... Too bad, because this is some very valuable information.&lt;BR /&gt;
Can someone confirm this?&lt;/P&gt;</description>
      <pubDate>Tue, 14 Feb 2017 13:27:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297908#M175547</guid>
      <dc:creator>ndcl</dc:creator>
      <dc:date>2017-02-14T13:27:54Z</dc:date>
    </item>
    <item>
      <title>Re: EventCode 4672 extraction prob?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297909#M175548</link>
      <description>&lt;P&gt;Hi dcl,&lt;BR /&gt;
you have to extract the field from "Privileges:" to the end and then divide them.&lt;BR /&gt;
But to help you I need an event log: insert it as Code sample so it will remain the same.&lt;BR /&gt;
Bye.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Tue, 14 Feb 2017 13:56:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297909#M175548</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2017-02-14T13:56:32Z</dc:date>
    </item>
    <item>
      <title>Re: EventCode 4672 extraction prob?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297910#M175549</link>
      <description>&lt;P&gt;Nevermind. Our field also only extracts the first line.&lt;/P&gt;</description>
      <pubDate>Tue, 14 Feb 2017 14:41:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297910#M175549</guid>
      <dc:creator>skalliger</dc:creator>
      <dc:date>2017-02-14T14:41:49Z</dc:date>
    </item>
    <item>
      <title>Re: EventCode 4672 extraction prob?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297911#M175550</link>
      <description>&lt;P&gt;Hi dcl,&lt;BR /&gt;
use a regex like (see &lt;A href="https://regex101.com/r/bqvXJI/1"&gt;https://regex101.com/r/bqvXJI/1&lt;/A&gt;) &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Privileges:\s(?&amp;lt;Privilege&amp;gt;[^ ]*)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;to have all privileges in the same field.&lt;BR /&gt;
If in addition you want to separate each value into a row, use the &lt;CODE&gt;mvexpand&lt;/CODE&gt; command.&lt;BR /&gt;
Bye.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Tue, 14 Feb 2017 14:52:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297911#M175550</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2017-02-14T14:52:15Z</dc:date>
    </item>
    <item>
      <title>Re: EventCode 4672 extraction prob?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297912#M175551</link>
      <description>&lt;P&gt;Giuseppe, thanks for offering me your help... but I only want to prove that I'm right... because this would have a much bigger impact if this happened to all the Windows events that have tab stops in their message field...&lt;/P&gt;</description>
      <pubDate>Tue, 14 Feb 2017 14:56:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297912#M175551</guid>
      <dc:creator>ndcl</dc:creator>
      <dc:date>2017-02-14T14:56:41Z</dc:date>
    </item>
    <item>
      <title>Re: EventCode 4672 extraction prob?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297913#M175552</link>
      <description>&lt;P&gt;Ok, if you're satisfied accept my answer.&lt;BR /&gt;
Bye.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Tue, 14 Feb 2017 15:02:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297913#M175552</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2017-02-14T15:02:06Z</dc:date>
    </item>
    <item>
      <title>Re: EventCode 4672 extraction prob?</title>
      <link>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297914#M175553</link>
      <description>&lt;P&gt;OK,&lt;BR /&gt;
based on Giuseppe's regex, there is this possible solution to make the lost fields reportable. There are of course many more ways, but I chose this one: adding an extraction and calculated fields to props.conf.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;EXTRACT-467_en = Privileges:\s(?&amp;lt;Privilege&amp;gt;[^ ]*) in _raw

EVAL-SeNetworkLogonRight= if(match(Privilege,".+SeNetworkLogonRight"),"Access this Computer from the Network","X")
EVAL-SeBatchLogonRight= if(match(Privilege,".+SeBatchLogonRight"),"Log on as a batch job","X")
EVAL-SeInteractiveLogonRight= if(match(Privilege,".+SeInteractiveLogonRight"),"Log on locally","X")
EVAL-SeServiceLogonRight= if(match(Privilege,".+SeServiceLogonRight"),"Logon as a service","X")
EVAL-SeDenyNetworkLogonRight= if(match(Privilege,".+SeDenyNetworkLogonRight"),"Deny Access to this computer from the network","X")
EVAL-SeDenyInteractiveLogonRight= if(match(Privilege,".+SeDenyInteractiveLogonRight"),"Deny local logon","X")
EVAL-SeDenyBatchLogonRight= if(match(Privilege,".+SeDenyBatchLogonRight"),"Deny logon as a batch file","X")
EVAL-SeDenyServiceLogonRight= if(match(Privilege,".+SeDenyServiceLogonRight"),"Deny logon as a service","X")
EVAL-SeTcbPrivilege= if(match(Privilege,".+SeTcbPrivilege"),"Act as part of the operating system","X")
EVAL-SeMachineAccountPrivilege= if(match(Privilege,".+SeMachineAccountPrivilege"),"Add workstations to the domain","X")
EVAL-SeBackupPrivilege= if(match(Privilege,".+SeBackupPrivilege"),"Backup files and directories","X")
EVAL-SeChangeNotifyPrivilege= if(match(Privilege,".+SeChangeNotifyPrivilege"),"Bypass traverse checking","X")
EVAL-SeSystemTimePrivilege= if(match(Privilege,".+SeSystemTimePrivilege"),"Change the system time","X")
EVAL-SeCreateTokenPrivilege= if(match(Privilege,".+SeCreateTokenPrivilege"),"Create a token object","X")
EVAL-SeCreatePermanentPrivilege= if(match(Privilege,".+SeCreatePermanentPrivilege"),"Create permanent shared objects","X")
EVAL-SeCreatePagefilePrivilege= if(match(Privilege,".+SeCreatePagefilePrivilege"),"Create a pagefile","X")
EVAL-SeDebugPrivilege= if(match(Privilege,".+SeDebugPrivilege"),"Debug programs","X")
EVAL-SeEnableDelegationPrivilege= if(match(Privilege,".+SeEnableDelegationPrivilege"),"Enable computer and user accounts to be trusted for delegation","X")
EVAL-SeRemoteShutdownPrivilege= if(match(Privilege,".+SeRemoteShutdownPrivilege"),"Force shutdown from a remote system","X")
EVAL-SeAuditPrivilege= if(match(Privilege,".+SeAuditPrivilege"),"Generate security audits","X")
EVAL-SeIncreaseQuotaPrivilege= if(match(Privilege,".+SeIncreaseQuotaPrivilege"),"Increase quotas","X")
EVAL-SeIncreaseBasePriorityPrivilege= if(match(Privilege,".+SeIncreaseBasePriorityPrivilege"),"Increase scheduling priority","X")
EVAL-SeLoadDriverPrivilege= if(match(Privilege,".+SeLoadDriverPrivilege"),"Load and unload device drivers","X")
EVAL-SeLockMemoryPrivilege= if(match(Privilege,".+SeLockMemoryPrivilege"),"Lock pages in memory","X")
EVAL-SeSecurityPrivilege= if(match(Privilege,".+SeSecurityPrivilege"),"Manage auditing and security log","X")
EVAL-SeSystemEnvironmentPrivilege= if(match(Privilege,".+SeSystemEnvironmentPrivilege"),"Modify firmware environment values","X")
EVAL-SeProfileSingleProcessPrivilege= if(match(Privilege,".+SeProfileSingleProcessPrivilege"),"Profile a single process","X")
EVAL-SeSystemProfilePrivilege= if(match(Privilege,".+SeSystemProfilePrivilege"),"Profile system performance","X")
EVAL-SeUndockPrivilege= if(match(Privilege,".+SeUndockPrivilege"),"Remove computer from docking station","X")
EVAL-SeAssignPrimaryTokenPrivilege= if(match(Privilege,".+SeAssignPrimaryTokenPrivilege"),"Replace a process-level token","X")
EVAL-SeRestorePrivilege= if(match(Privilege,".+SeRestorePrivilege"),"Restore files and directories","X")
EVAL-SeShutdownPrivilege= if(match(Privilege,".+SeShutdownPrivilege"),"Shut down the system","X")
EVAL-SeSyncAgentPrivilege= if(match(Privilege,".+SeSyncAgentPrivilege"),"Synchronize directory service data","X")
EVAL-SeTakeOwnershipPrivilege= if(match(Privilege,".+SeTakeOwnershipPrivilege"),"Take ownership of files or other objects","X")
EVAL-SeUnsolicitedInputPrivilege= if(match(Privilege,".+SeUnsolicitedInputPrivilege"),"Read unsolicited data from a terminal device","X")
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This will create fields named like the shortcut in the event. If this right is not set, then there is an "X". Otherwise there is a user-friendly description.&lt;BR /&gt;
Btw: this will work with every Latin language; just create an alias to Privileges.&lt;/P&gt;</description>
      <pubDate>Tue, 25 Apr 2017 10:31:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/EventCode-4672-extraction-prob/m-p/297914#M175553</guid>
      <dc:creator>ndcl</dc:creator>
      <dc:date>2017-04-25T10:31:57Z</dc:date>
    </item>
  </channel>
</rss>

