Getting Data In

Splunk Blacklist DesktopExtension.exe addition inputs.conf

EiffelPalace
Engager

Hello all,

I am trying to blacklist this app that is generating a ton of Windows Event logs; till I find what app it is and uninstall it. This is for HP's DesktopExtension.exe. The weird thing is that it is only running on about 30 devices. 

Here is the current section in inputs.conf :

 [WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode=4673 ProcessName="*\\DesktopExtension.exe*"
renderXml=false
index=oswinsec

However even after restarting the splunk forwarder the events still appear. I verified one of the hosts has the correct inputs.conf. I have also tried
blacklist3 = EventCode=4673 ProcessName="C:\Program Files\WindowsApps\AD2F1837.myHP_28.52349.1300.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe""

Here is an example of the log/event:

LogName=Security
EventCode=4673
EventType=0
ComputerName=*********
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=10115718
Keywords=Audit Failure
TaskCategory=Sensitive Privilege Use
OpCode=Info
Message=A privileged service was called.
 
Subject:
Security ID: *****************
Account Name: ****************
Account Domain: ***********
Logon ID: ****************
 
Service:
Server: Security
Service Name: -
 
Process:
Process ID: 0x6604
Process Name: C:\Program Files\WindowsApps\AD2F1837.myHP_28.52349.1300.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe
 
Service Request Information:


Any tips?
Labels (4)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Yes, that should work.

blacklist = EventCode=4673 message="DesktopExtension\.exe"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

EiffelPalace
Engager

I see that the desktopexetension.exe is also in the message so would something like this work?

blacklist = EventCode=4673 message="DesktopExtension.exe"

 

Here is an example message:
A privileged service was called. Subject: Service: Server: Security Service Name: - Process: Process ID: 0x2fcc Process Name: C:\Program Files\WindowsApps\AD2F1837.myHP_26.52343.948.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe Service Request Information: Privileges: SeTcbPrivilege

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, that should work.

blacklist = EventCode=4673 message="DesktopExtension\.exe"
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

"ProcessName" is not a valid key for a blacklist setting.  Valid keys are "Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, and User".

Also, the RHS must be a valid regular expression.  A valid regex cannot begin with "*".  If you're trying to specify a wildcard at the beginning and end of the match then there's no need - that's implied with most regexes.

---
If this reply helps you, Karma would be appreciated.

dtburrows3
Builder

Did not know about the valid key entries. Thanks for sharing!
Came across this documentation after reading your comment.
https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/MonitorWindowseventlogdata

Oof and this right in inputs.conf docs

dtburrows3_0-1704229620202.png

 

dtburrows3
Builder

Give this a try

blacklist3 = EventCode="4673" Process_Name=".*\\DesktopExtension\.exe.*"

 From what I'm reading on Splunk docs it seems that it needs to be a valid regex to work.

dtburrows3_0-1704228189002.png

This regex seems to match properly

dtburrows3_1-1704228253623.png


The original regex you posted doesn't seem to valid according to regex101

dtburrows3_2-1704228307816.png


Also noticed that the Key you posted "ProcessName" is different then the field I see extracted on windows data on my local machine which is extracted as "Process_Name" but maybe that is how it is coming over in your environment. If that is the case then maybe this could work.

blacklist3 = EventCode="4673" ProcessName=".*\\DesktopExtension\.exe.*"
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...