How to blacklist EventCode 5145 with Wineventlog?
I am trying to blacklist EventCode 5145 with specific message and it is not working.
Example Event:
LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=5145
EventType=4
Type=Success Audit
ComputerName=xxxx
Category=11111
CategoryString=none
RecordNumber=xxxx
Message=A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID:
Account Name:
Account Domain:
Logon ID:
Network Information:
Object Type: File
Source Address:
Source Port:
Share Information:
Share Name:
Share Path: \
Relative Target Name: x.dxmdg.com\Policies\{123456789456456456454654464546464558655}\Machine\Preferences\Registry\Registry.xml
Access Request Information:
Access Mask:
Accesses:
Access Check Results:
With the blacklist below, it is not working:
blacklist4 = EventCode="5145" Message="Relative Target Name:\s.+Registry.xml"
Please provide some suggestions.
Hi,
Could you please try the filter below? I named it blacklist3 because the Windows TA already has blacklist1 and blacklist2.
blacklist3= EventCode="4662" Message="(?ms)Account\sName:[\s\S]+\$.*Access\sMask:[\s\S]+0x100"
I appreciate the assistance but unfortunately that's not working. When applied, it looks like it's blocking only Access Mask 0x100 which is what the LAPS events fall under.
I had been considering compromising and allowing all 0x100 though, and I tried that a few different ways, but it seems like no matter what I try if I do ANY blacklisting of EventCode 4662 of any kind, the LAPS logs won't show up. When allowing 0x100, other 0x100 logs show up but the LAPS ones do not for some reason. When I remove any 4662 blacklists, they start showing up again.
Hi @sun1000,
In the blacklist and whitelist options you have to use a regex, not just insert your conditions.
So please find the correct regex and try something like this:
| rex "(?ms)EventCode\=5145.*Message\=Relative Target Name:\s.+Registry\.xml"
You can see a similar regex at https://regex101.com/r/7HVoS2/1
Ciao.
Giuseppe
Hi @gcusello, I have a similar issue: I am trying to blacklist EventCode 4662 on the universal forwarder except when AccountName!=*$ and AccessMask=0x100.
Sample log:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4662
EventType=0
Type=Information
ComputerName=xxxxxxxxxxxxxxxxxxxxxxxx
TaskCategory=Directory Service Access
OpCode=Info
RecordNumber=1079080612
Keywords=Audit Success
Message=An operation was performed on an object.
Subject :
Security ID: xx\Axxxxx
Account Name: Axxxxx
Account Domain: xxxx
Logon ID: xxxxxxxx
Object:
Object Server: DS
Object Type: computer
Object Name: CN=YDxxxx,OU=xxxxx,OU=xxxx,OU=xxxxx,DC=xxxx,DC=xxxx,DC=xxx
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Control Access
Access Mask: 0x100
Properties: Control Access
Default Property Set
ms-Mcs-AdmPwd
computer
Additional Information:
Parameter 1: -
Parameter 2:
I tried multiple regexes in my inputs.conf and they didn't work:
1) blacklist1 = EventCode="4662" Message="(Object Type:(?=\s*groupPolicyContainer))[\s\S]*((Properties:(?=[\s\S]*Default Property Set(.*)\s*ms-Mcs-AdmPwd))(Access Mask:(?=[\s\S]*0x100)))"
2) blacklist1 = EventCode="4662" Message="(?ms)Account\sName:[\s\S]*\$*Access\sMask:[\s\S]+0x(0$|1$|2$|20$)"
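The two questions in this thread (the 5145 Registry.xml filter above and the 4662 "blacklist unless a human read the 0x100 mask" filter just posted) both come down to testing a key="regex" blacklist line against a real event before it goes on the forwarder. The following is an added example, not code from Splunk or from anyone in this thread: a small Python harness that parses the documented key="regex" / key=%regex% pair format, ANDs the pairs over an event's fields, and runs the posted 5145 rule plus an added 4662 rule (assumed names blacklist5, WS01$, the {GUID} placeholder and the abbreviated messages are all constructed). It assumes search semantics with Python's re engine, which the real forwarder's PCRE matching may not share exactly.

```python
import re

# One key="regex" or key=%regex% pair of an inputs.conf blacklist/whitelist line.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%)')

def parse_blacklist(line):
    """Turn 'blacklistN = key="regex" key="regex"' into {key: regex} (no unescaping)."""
    _, _, rhs = line.partition("=")
    return {k: q or p for k, q, p in PAIR_RE.findall(rhs)}

def is_blacklisted(event, rule):
    """Every key=regex pair must match its field (AND). Assumes search, not full-match."""
    return all(re.search(rx, event.get(k, "")) for k, rx in rule.items())

def keep(events, rules):
    """Events that no rule drops, i.e. what the forwarder would still send."""
    return [e for e in events if not any(is_blacklisted(e, r) for r in rules)]

def make_4662(account, mask):
    """Constructed 4662 message in the layout quoted in the thread (fields abbreviated)."""
    return {"EventCode": "4662", "Message": (
        "An operation was performed on an object.\nSubject :\n"
        f"Security ID: xx\\{account}\nAccount Name: {account}\nAccount Domain: xxxx\n"
        "Object:\nObject Type: computer\nOperation:\nAccesses: Control Access\n"
        f"Access Mask: {mask}\nProperties: Control Access\nms-Mcs-AdmPwd\n")}

# Constructed 5145 sample mirroring the first post ({GUID} stands in for the real GUID).
EVENT_5145 = {"EventCode": "5145", "Message": (
    "A network share object was checked to see whether client can be granted desired access.\n"
    "Share Information:\nShare Name:\nShare Path: \\\n"
    "Relative Target Name: x.dxmdg.com\\Policies\\{GUID}\\Machine\\Preferences\\Registry\\Registry.xml\n"
    "Access Request Information:\nAccess Mask:\n")}
LAPS_READ = make_4662("Axxxxx", "0x100")     # human reads ms-Mcs-AdmPwd: must survive
COMPUTER_READ = make_4662("WS01$", "0x100")  # computer account (name ends in $): drop
ADMIN_OTHER = make_4662("Axxxxx", "0x20")    # any other access mask: drop

# The 5145 rule exactly as posted in the first message.
OP_RULE = parse_blacklist(r'blacklist4 = EventCode="5145" Message="Relative Target Name:\s.+Registry.xml"')
# Added 4662 rule: drop when the subject ends in $ OR the mask is not exactly 0x100,
# which is the complement of "AccountName!=*$ and AccessMask=0x100".
LAPS_RULE = parse_blacklist(r'blacklist5 = EventCode="^4662$" '
                            r'Message="(?ms)(Account Name:\s*\S+\$\s*$|Access Mask:\s*0x(?!100\b))"')

if __name__ == "__main__":
    print("5145 sample dropped by posted rule:", is_blacklisted(EVENT_5145, OP_RULE))
    for name, ev in [("LAPS read", LAPS_READ), ("computer", COMPUTER_READ), ("0x20", ADMIN_OTHER)]:
        print(f"{name}: dropped={is_blacklisted(ev, LAPS_RULE)}")
    print("kept:", len(keep([LAPS_READ, COMPUTER_READ, ADMIN_OTHER], [LAPS_RULE])))
```

If a pattern matches here but the forwarder still sends the event, the gap is in how the forwarder applies the regex (or in whitespace and line breaks in the live Message field), not in the pattern's logic, so compare against an event exported from the forwarder itself.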
Were you ever able to figure this out? I'm having the exact same issue trying to filter 4662 while allowing the group policy AND LAPS logs.
