Windows Password Compromise

Simple_Search
Path Finder

Hey y'all -

Wanted to see if anyone has a simplified solution for locating potential password compromises in a Windows AD environment. For example, in an Active Directory domain structure, when a user accidentally types their password in the username field and presses Enter, the information is sent to the Security log. The user will then see that their logon failed and attempt to log on again. The following SPL is what I can use to pull the events, but it is not the best method. I have a manual method where I can pass a token from one panel to another, but I would like an automated method.


index=wineventlog source="wineventlog:security" (EventCode=4625 OR (EventCode=4624 Logon_Type=2))
| eval Account = mvindex(Account_Name,1)
| transaction maxspan=1m startswith="EventCode=4625" endswith="EventCode=4624"
| table _time host EventCode Account

(On the eval: the default, index 0, pulls the computer name; using 1 gives the user name.)

* From the SPL above, I would like the multivalue Account field in the table to have no null values for the account name (one value will be the compromised password and the other the user name; sometimes no name shows with the 4625 event), and also to require that one of the multivalue Account values be longer than 13 characters.


VatsalJagani
SplunkTrust

@Simple_Search - You could start here:

index=wineventlog source="wineventlog:security" (EventCode=4625 OR (EventCode=4624 Logon_Type=2))
| eval Account = mvindex(Account_Name, 1)
| transaction src maxspan=2m startswith="EventCode=4625" endswith="EventCode=4624"
| where mvcount(Account) = 2 AND mvcount(mvfilter(len(Account) > 13)) > 0


transaction might not be the best command to use, but this is your starting point.


I hope this helps!! Consider upvoting!!
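The pairing both posts describe (a 4625 whose "user name" is really a typed password, followed within a short window by a successful interactive 4624 on the same machine), written out as an added example in Python so the checks can be run against sample events offline. This is not code from the question or the answer. Field names follow what the Splunk Windows TA extracts (EventCode, Logon_Type, Account_Name, host); the sample events are constructed, not real log data; the pairing key is host rather than the answer's src; and the optional Status filter is a tightening not in the thread: 0xC0000064 is the NTSTATUS a 4625 carries when the user name does not exist, which is exactly what a password typed as a user name produces.

```python
from datetime import datetime

MIN_SUSPECT_LEN = 14            # the asker's "length greater than 13"
NO_SUCH_USER = "0xc0000064"     # NTSTATUS from 4625: user name does not exist

# Constructed sample events (not real log data), shaped like the fields the
# Splunk Windows TA extracts. Account_Name is multivalue: index 0 is the
# subject (computer account or '-'), index 1 is the target account.
SAMPLE_EVENTS = [
    # Password typed as user name, then a successful interactive logon
    {"_time": "2024-05-01 08:00:01", "host": "WS01", "EventCode": 4625,
     "Account_Name": ["-", "Summer2024!Rocks"], "Status": "0xc0000064"},
    {"_time": "2024-05-01 08:00:09", "host": "WS01", "EventCode": 4624,
     "Logon_Type": 2, "Account_Name": ["WS01$", "jdoe"]},
    # Plain typo in the user name: too short to be a password
    {"_time": "2024-05-01 08:05:00", "host": "WS02", "EventCode": 4625,
     "Account_Name": ["-", "jdoee"], "Status": "0xc0000064"},
    {"_time": "2024-05-01 08:05:04", "host": "WS02", "EventCode": 4624,
     "Logon_Type": 2, "Account_Name": ["WS02$", "jdoe"]},
    # Wrong password for a real, long-named account: status is not
    # "user does not exist" and the same name logs on afterwards
    {"_time": "2024-05-01 08:10:00", "host": "WS03", "EventCode": 4625,
     "Account_Name": ["-", "svc-backup-reporting"], "Status": "0xc000006a"},
    {"_time": "2024-05-01 08:10:05", "host": "WS03", "EventCode": 4624,
     "Logon_Type": 2, "Account_Name": ["WS03$", "svc-backup-reporting"]},
    # 4625 with an empty target name (the null case), plus a 4624 on a
    # different host that must not be paired with it
    {"_time": "2024-05-01 08:20:00", "host": "WS04", "EventCode": 4625,
     "Account_Name": ["-", ""], "Status": "0xc0000064"},
    {"_time": "2024-05-01 08:20:20", "host": "WS05", "EventCode": 4624,
     "Logon_Type": 2, "Account_Name": ["WS05$", "asmith"]},
    # Logon arrives 150 s after the failure: outside a 60 s span
    {"_time": "2024-05-01 09:00:00", "host": "WS06", "EventCode": 4625,
     "Account_Name": ["-", "ThisIsMyRealPassword1"], "Status": "0xc0000064"},
    {"_time": "2024-05-01 09:02:30", "host": "WS06", "EventCode": 4624,
     "Logon_Type": 2, "Account_Name": ["WS06$", "bjones"]},
]


def event_time(event):
    return datetime.strptime(event["_time"], "%Y-%m-%d %H:%M:%S")


def target_account(event):
    """mvindex(Account_Name, 1): the target name, or None when missing/empty."""
    names = event.get("Account_Name", [])
    return names[1] if len(names) > 1 and names[1] else None


def find_password_in_username(events, max_span_seconds=60,
                              min_len=MIN_SUSPECT_LEN, require_no_such_user=True):
    """Pair each qualifying 4625 with the next 4624 Logon_Type=2 on the same
    host within max_span_seconds, like 'transaction host maxspan=...'.

    Returns one dict per pair. The failed-logon name is deliberately reported
    only by its length: it is probably a password, and echoing it into a
    dashboard or alert would copy the secret into yet another place.
    """
    ordered = sorted(events, key=event_time)
    hits = []
    for i, fail in enumerate(ordered):
        if fail["EventCode"] != 4625:
            continue
        suspect = target_account(fail)
        if suspect is None or len(suspect) < min_len:
            continue   # null account name, or too short to be a password
        if require_no_such_user and fail.get("Status", "").lower() != NO_SUCH_USER:
            continue   # a real account with a bad password, not a typed secret
        t_fail = event_time(fail)
        for follow in ordered[i + 1:]:
            if (event_time(follow) - t_fail).total_seconds() > max_span_seconds:
                break  # past maxspan; nothing later can close this transaction
            if (follow["host"] != fail["host"] or follow["EventCode"] != 4624
                    or follow.get("Logon_Type") != 2):
                continue
            user = target_account(follow)
            if user is None or user == suspect:
                continue   # same name logging on means it was a real account
            hits.append({"host": fail["host"], "user": user,
                         "suspect_length": len(suspect),
                         "fail_time": fail["_time"], "logon_time": follow["_time"]})
            break
    return hits


if __name__ == "__main__":
    for hit in find_password_in_username(SAMPLE_EVENTS):
        print(hit)
```

Run as-is it reports only the WS01 pair: the short typo, the bad password for a real account, the empty 4625 name and the out-of-window logon are all dropped. Two points carry back to the SPL in this thread: key the transaction on the machine (host or src) so a failure on one workstation is not closed by a logon on another, and apply the length test to every value of the merged Account field rather than one index, because after transaction the 4625's name and the 4624's name are simply the values in time order. Also think twice before putting the Account field from the 4625 in a table or alert: if the detection is right, that value is a user's password.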
