
How to filter out Windows Event Logs that have passwords sent in cleartext?

vanderaj2
Path Finder

Hello Splunkers,

In my environment, we currently send C:\windows\system32\winevt\Logs*.evtx on our windows servers over to Splunk to get indexed.

Recently I was made aware that apparently somewhere within these .evtx files are cleartext passwords. I performed the following search and sure enough, it produced a table of accounts and cleartext passwords:

index=windows sourcetype=ActiveDirectory sAMAccountType=805306369  ms_Mcs_AdmPwd=* | rename ms_Mcs_AdmPwd as "Local Admin PWD" name as Hostname | dedup Hostname | table Hostname,"Local Admin PWD"

What is the best way to filter out the cleartext passwords so either those events don't get indexed OR don't show up in the clear as search results?

Thanks in advance!

0 Karma
1 Solution

rphillips_splun
Splunk Employee

@vanderaj2 filtering the clear text events out of Splunk would still expose the account at the host machine if they are being written to disk / log file in clear text. I would suggest you look at the source of the application writing the events and have them removed or hashed from the source.

Until then, you can anonymize new data coming into Splunk
https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Anonymizedata

or mask the data at search time
https://answers.splunk.com/answers/235405/how-do-i-partially-mask-or-anonymize-a-field-value.html


vanderaj2
Path Finder

Thank you for the response! I'll pass that on to the Windows Admin team and take a look at the links on how to anonymize or mask that data as well.

0 Karma

aaraneta_splunk
Splunk Employee

@vanderaj2 - Did the answer provided by rphillips help provide a solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma