Security

Missing attributes from eventid 4738, correlation of 4738, 4768 and PIV CA CN

Havealoha
New Member

We disable User Principal Name Mapping, enable User Name Hints and modify altsecurityidenties attribute with the same PIV properties for multiple user objects, IT privileged, IT less privileged and for assuming a users identity instead of asking for their password or resetting it.

Because we do this, we audit whenever a ticket is granted based on smartcard and whenever anyone edits the altsecurity attribute. We also audit processes so we know what processes were launched by the IT staff member that has assumed an identity.

Even after enabling advanced account management auditing, when a users object altsecurityidentities attribute is modified, there is an event but the event does not contain that attribute. You have to use repadmin to see if that attribute was the one modified.

We also enable advanced Kerberos Authentication Service auditing but the only data that relates to the smartcard certificate is issuer, serial number, and thumbprint. It is not readily apparent whos certificate was used without cross referencing the PIV CA.

Is there a way to add additional attributes to security event ID 4738? Is there a way to get the CN/Subject into Security event ID 4768? We need to be able to tie this all together so that we can be better informed,

Tags (2)
0 Karma

Havealoha
New Member

I've got a good start on 4738 at SO https://stackoverflow.com/questions/50083944/powershell-how-to-use-findonecontext-locatoroptions-fla...

For additional 4768 data, the original smart card login event, task xml, powershell and ultimate event are below. Similar methods were used for 4738 as posted on SO above. Feel free to make any code contributions in the comments. The code could use some error handling and try catches.

<System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
  <EventID>4768</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>14339</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8020000000000000</Keywords> 
  <TimeCreated SystemTime="2018-05-01T05:01:26.527879000Z" /> 
  <EventRecordID>588856793</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="460" ThreadID="1364" /> 
  <Channel>Security</Channel> 
  <Computer>workstation.contoso.com</Computer> 
  <Security /> 
  </System>
<EventData>
  <Data Name="TargetUserName">havealoha</Data> 
  <Data Name="TargetDomainName">contoso.com</Data> 
  <Data Name="TargetSid">S-1-5-21-##</Data> 
  <Data Name="ServiceName">krbtgt</Data> 
  <Data Name="ServiceSid">S-1-5-21-##</Data> 
  <Data Name="TicketOptions">0x40810010</Data> 
  <Data Name="Status">0x0</Data> 
  <Data Name="TicketEncryptionType">0x12</Data> 
  <Data Name="PreAuthType">15</Data> 
  <Data Name="IpAddress">::ffff:##</Data> 
  <Data Name="IpPort">35665</Data> 
  <Data Name="CertIssuerName">CONTOSO-CA</Data> 
  <Data Name="CertSerialNumber">##</Data> 
  <Data Name="CertThumbprint">##</Data> 
  </EventData>
  </Event>

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2018-04-29T22:28:37.297254</Date>
    <Author>Contoso\havealoha</Author>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4768)]]
    and
    *[EventData[Data[@Name='PreAuthType'] and (Data='15')]]
    or
    *[EventData[Data[@Name='PreAuthType'] and (Data='16')]]
    &lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="certIssuerName">Event/EventData/Data[@Name="CertIssuerName"]</Value>
        <Value name="certSerialNumber">Event/EventData/Data[@Name="CertSerialNumber"]</Value>
        <Value name="eventRecordID">Event/System/EventRecordID</Value>
        <Value name="eventTimeCreated">Event/System/TimeCreated/@SystemTime</Value>
        <Value name="targetUserName">Event/EventData/Data[@Name="TargetUserName"]</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>C:\Windows\AuditSecurityEventID4768.ps1 -targetUserName $(targetUserName) -eventTimeCreated $(eventTimeCreated) -eventRecordID $(eventRecordID) -certIssuerName $(certIssuerName) -certSerialNumber $(certSerialNumber)</Arguments>
    </Exec>
  </Actions>
</Task>

Param(
   [string]$targetUserName,
   [string]$eventTimeCreated,
   [string]$eventRecordID,
   [string]$certIssuerName,
   [string]$certSerialNumber
)
$nl = [Environment]::NewLine
if ($certIssuerName -like "*Contoso-CA*") {
$cert = certutil -view -restrict "Serial Number=$($certSerialNumber)" -out "upn,serialnumber,distinguishedname,commonname" | Select-String "Row 1" -Context 0,5
$cert = $cert -replace "> Row 1:", "Smart Card Certificate Information:"
}
if ($cert -like "*$($targetUserName)*") {
$entryType = "Information"
}
else {
$entryType = "Warning"
}

if ([System.Diagnostics.EventLog]::SourceExists("Contoso Security") -eq $False) {
    New-EventLog –LogName "Application" –Source "Contoso Security"
   }
Write-EventLog -LogName "Application" -Source "Contoso Security" -EntryType $entryType -EventID 64768 -Message "$nl Target User Name: $targetUserName $nl Event Date: $eventTimeCreated $nl Referring Event ID: $eventRecordID $nl $cert"


<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Contoso Security" /> 
  <EventID Qualifiers="0">64768</EventID> 
  <Level>4</Level> 
  <Task>1</Task> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2018-05-01T05:01:22.000000000Z" /> 
  <EventRecordID>1115534</EventRecordID> 
  <Channel>Application</Channel> 
  <Computer>workstation.contoso.com</Computer> 
  <Security /> 
  </System>
<EventData>
  <Data>Target User Name: havealoha Event Date: 2018-05-01T05:01:19.168Z Referring Event ID: 588856789 Smart Card Certificate Information: User Principal Name: "havealoha@Contoso.com" Serial Number: "##" Issued Distinguished Name: "CN=havealoha, OU=Accounts, DC=contoso, DC=com" Issued Common Name: "havealoha"</Data> 
  </EventData>
  </Event>
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...