Re: ms-Mcs-AdmPwd Plaintext in Splunk

v0c1 · ‎08-09-2021

Hi 🙂

We use the Splunk Cloud which gets logs from two HFs, which get logs from many UFs.
A few of those UFs live on our Domain Controllers, which interact to some extend with the LDAP-API and get notifications, everytime an AD-Object changes (https://www.splunk.com/en_us/blog/tips-and-tricks/working-with-active-directory-on-splunk-universal-...).

What now happens is, every time LAPS changes the passwords, the Computer-Object gets updated, the UF gets ahold of those Passwords and we can see them plaintext in Splunk Cloud.

After discovering this, i added this to props.conf (Splunk\etc\system\local) on the HF and restarted the HF :

[ActiveDirectory]
SEDCMD-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/########/g

And since this hasn't worked, I tried this :

[ActiveDirectory]
SEDCMD-anonymiseLaps = 's/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g'
(Source: https://www.databl.io/anonymise-your-clear-text-laps-passwords-in-splunk/ - this describes the problem pretty well.)

...which hasn't worked either.
We still see those Passwords.

Has anybody encountered similar problems and/or has hints or possible solutions?

Thanks in advance.

gitingua · ‎11-22-2021

@v0c1

did you solve the problem?

janlindmnemonic · ‎09-02-2021

[ActiveDirectory]
SEDCMD-anonymisePWD = s/ms-Mcs-AdmPwd=.*/ms-Mcs-AdmPwd=<redacted>/g

Observed the same in our env. the above sedcmd works for us.

ms-Mcs-AdmPwd Plaintext in Splunk

heavy forwarder

props.conf

Windows

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

Are you a member of the Splunk Community?