Re: ms-Mcs-AdmPwd Plaintext in Splunk

v0c1 · ‎08-09-2021

Hi 🙂

We use the Splunk Cloud which gets logs from two HFs, which get logs from many UFs.
A few of those UFs live on our Domain Controllers, which interact to some extend with the LDAP-API and get notifications, everytime an AD-Object changes (https://www.splunk.com/en_us/blog/tips-and-tricks/working-with-active-directory-on-splunk-universal-...).

What now happens is, every time LAPS changes the passwords, the Computer-Object gets updated, the UF gets ahold of those Passwords and we can see them plaintext in Splunk Cloud.

After discovering this, i added this to props.conf (Splunk\etc\system\local) on the HF and restarted the HF :

[ActiveDirectory]
SEDCMD-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/########/g

And since this hasn't worked, I tried this :

[ActiveDirectory]
SEDCMD-anonymiseLaps = 's/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g'
(Source: https://www.databl.io/anonymise-your-clear-text-laps-passwords-in-splunk/ - this describes the problem pretty well.)

...which hasn't worked either.
We still see those Passwords.

Has anybody encountered similar problems and/or has hints or possible solutions?

Thanks in advance.

gitingua · ‎11-22-2021

@v0c1

did you solve the problem?

janlindmnemonic · ‎09-02-2021

[ActiveDirectory]
SEDCMD-anonymisePWD = s/ms-Mcs-AdmPwd=.*/ms-Mcs-AdmPwd=<redacted>/g

Observed the same in our env. the above sedcmd works for us.

ms-Mcs-AdmPwd Plaintext in Splunk

heavy forwarder

props.conf

Windows

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation