
Windows Password Compromise

Simple_Search
Path Finder

Hey Y'all -

Wanted to see if anyone has a simplified solution for locating potential password compromises in a Windows AD environment. For example, in an Active Directory domain structure, when a user accidentally types their password in the username field and presses enter, the information is sent to the security log. The user will then see they failed their logon and then attempt to log on again. The following SPL is what I can use to pull the events, but it is not the best method. I have a manual method where I can pass a token from one panel to another, but would like an automated method.


index=wineventlog source="wineventlog:security" (EventCode=4625 OR (EventCode=4624 Logon_Type=2))  ``` parentheses keep the index/source filter applied to both event codes ```
| eval Account = mvindex(Account_Name,1)  ``` index 0 of Account_Name is the computer name by default; index 1 is the user name ```
| transaction maxspan=1m startswith="EventCode=4625" endswith="EventCode=4624"
| table _time host EventCode Account

* From the SPL above I would like to have the multivalue Account field from the table require no null fields for the Account name (one field will be the compromised password, and the other will be the user name; sometimes no name will show with the 4625 event) and also require that one of the multivalue Account field values have a length greater than 13.


VatsalJagani
SplunkTrust

@Simple_Search - You could start here:

index=wineventlog source="wineventlog:security" (EventCode=4625 OR (EventCode=4624 Logon_Type=2))
| eval Account = mvindex(Account_Name, 1)
| transaction src maxspan=2m startswith="EventCode=4625" endswith="EventCode=4624"
| where mvcount(Account) >= 2 AND mvcount(mvfilter(len(Account) > 13)) > 0  ``` both events must carry an Account value, and at least one of them must be longer than 13 characters ```


transaction might not be the best command to use, but this is your starting point.


I hope this helps!! Consider upvoting!!
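As an added example (not code from either post above), the same correlation written without `transaction`: `streamstats` carries the most recent failed logon on each host forward onto the next interactive success within 60 seconds, and only pairs where the failed name differs from the user who then logged on and is longer than 13 characters survive. It assumes the Splunk Add-on for Windows field names (`Account_Name`, `Logon_Type`, `host`) and a Splunk version that accepts triple-backtick search comments.

```spl
index=wineventlog source="wineventlog:security" (EventCode=4625 OR (EventCode=4624 Logon_Type=2))
| eval Account=mvindex(Account_Name, 1)  ``` index 0 is the computer account, index 1 the name the user typed ```
| where isnotnull(Account) AND Account!="-"
| sort 0 _time  ``` streamstats walks events in order; 0 lifts the default sort row limit ```
| eval failed_account=if(EventCode=4625, Account, null()),
       failed_time=if(EventCode=4625, _time, null())
``` last() skips events where the field is null, so each 4624 sees the latest 4625 on the same host ```
| streamstats current=f last(failed_account) AS prev_failed_account last(failed_time) AS prev_failed_time BY host
| where EventCode=4624
    AND isnotnull(prev_failed_account)
    AND _time - prev_failed_time <= 60
    AND prev_failed_account!=Account  ``` a simple mistyped password (same account) is not a hit ```
    AND len(prev_failed_account) > 13
``` only a masked form reaches the alert or ticket; the full failed name may be a live password ```
| eval masked_candidate=substr(prev_failed_account, 1, 2) . "***"
| table _time host Account masked_candidate
```

If your events carry the `Sub_Status` field, restricting the 4625 branch to `Sub_Status=0xC0000064` (user name does not exist) removes most ordinary bad-password failures before the correlation runs.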
