Getting Data In

Anonymize clear text credentials in Powershell logs using SEDCMD

geoffmx
Explorer

I am attempting to anonymize clear-text credentials passed via PowerShell referring to the splunk documentation
to Anonymize_data_with_a_sed_script

In the inputs.conf I have...
sourcetype = WinEventLog:Microsoft-Windows-PowerShell/Operational

In props.conf I have...

[WinEventLog:Microsoft-Windows-PowerShell/Operational]
SEDCMD-ps_logs_mask_cred = s/-ScriptBlock*/xxxxxx/g

I have attempted to mask just the password and the credential, but could not get it to work. I am able to do this partially via sed or perl on a linux command line, but have not been able to replicate on splunk.

Sample data

Invoke-Command -computername somePC -ScriptBlock {get-something -password 'som3_verY-Long_Pa$$w0rd'} -Credential somedomain\someuser

Expected output (masking the entire ScriptBlock)

Invoke-Command -computername somePC xxxxxx

Or more appropriately, masking only the password and Credential

Invoke-Command -computername somePC -ScriptBlock {get-something -password 'xxxxxx'} -Credential xxxxxx

Any help will be much appreciated!

0 Karma
1 Solution

gcusello
Legend

Hi geoffmx,
with SEDCMD you replace the regex you have in the first part with the one in the second part, so try something like this in props.conf:

SEDCMD-ps_logs_mask_cred = s/-ScriptBlock\s.*/xxxxxx/g

Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
Legend

Hi geoffmx,
with SEDCMD you replace the regex you have in the first part with the one in the second part, so try something like this in props.conf:

SEDCMD-ps_logs_mask_cred = s/-ScriptBlock\s.*/xxxxxx/g

Bye.
Giuseppe

0 Karma

geoffmx
Explorer

Thanks gcusello! This helps with masking everything after -ScriptBlock. I am also attempting to mask the text just after -password and -Credential.

0 Karma

gcusello
Legend

Hi geoffmx,
you have work in the same way:

SEDCMD-ps_logs_mask_cred = s/-password\s+.*\s+-Credential\s+.*/-password\sxxxxxx-Credential\sxxxxxx/g

Bye.
Giuseppe

0 Karma

geoffmx
Explorer

Thanks again!

I finally got it to work with this.

SEDCMD-ps_logs_mask_cred = s/-password\s[[:alnum:][:punct:]]*/-password xxxxx/g s/-Credential\s[[:alnum:][:punct:]]*/-Credential xxxxx/g

I like your method too. Thanks again for pointing me in the right direction.

0 Karma

dstaulcu
Builder

Gotta love positional based strategies for masking passwords. We have something like 200 masking rules which process against every event for sourcetypes where passwords are probable. Next strat is user education. Hopefully Stream processor will give more logic control for sensitive data masking.

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...