From 9c6a86219d06bd13b3b4f864f34d1044d8140fcb Mon Sep 17 00:00:00 2001 From: Taylor Swanson Date: Tue, 11 Jan 2022 15:15:53 -0600 Subject: [PATCH] [System] Add routing pipeline to security data_stream, limit to specific providers - Added a routing pipeline to the security data_stream and limited the providers to Microsoft-Windows-Eventlog and Microsoft-Windows-Security-Auditing. Events that do not have these providers will still be indexed, but won't receive additional enrichment (which would likely lead to invalid data). --- packages/system/changelog.yml | 5 + .../elasticsearch/ingest_pipeline/default.yml | 3315 +---------------- .../ingest_pipeline/standard.yml | 3311 ++++++++++++++++ packages/system/manifest.yml | 2 +- 4 files changed, 3321 insertions(+), 3312 deletions(-) create mode 100644 packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml index ec934cea504..da86b7a26d3 100644 --- a/packages/system/changelog.yml +++ b/packages/system/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.8.0" + changes: + - description: Add routing pipeline to security data_stream, limit to specific providers. + type: enhancement + link: https://github.com/elastic/integrations/pull/2344 - version: "1.7.0" changes: - description: Expose winlog input language option. diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml index cc02ddc2d98..6b3e4241b65 100644 --- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml +++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml @@ -1,5 +1,5 @@ --- -description: Pipeline for Windows Security events +description: Pipeline for Security events processors: - set: field: event.ingested 
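Review bot: The new `+description: Pipeline for Security events` line in the first default.yml hunk says less than the line it replaces and gives a reader no hint that this file is now a router rather than the enrichment pipeline itself; the provider restriction is spelled out only in the commit message. Since the routing logic sits in this file's second hunk (which runs past the end of this chunk), the description is the one place a maintainer opening default.yml will look, so I would make it `description: Routing pipeline for Security events. Sends Microsoft-Windows-Eventlog and Microsoft-Windows-Security-Auditing events to the standard pipeline; events from other providers are indexed without further enrichment.` Stating that explicitly also records, from the pipeline alone, that unrouted events will not get the event.category/event.type/event.action values the removed "Set ECS categorization fields" script assigned (presumably now in standard.yml), which anyone keying detections on those fields needs to know.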
@@ -8,2963 +8,14 @@ processors: field: event.code type: string ignore_missing: true - - script: - lang: painless - ignore_failure: false - tag: Set ECS categorization fields - description: Set ECS categorization fields - params: - "1100": - category: - - process - type: - - end - action: logging-service-shutdown - "1102": - category: - - iam - type: - - admin - - change - action: audit-log-cleared - "1104": - category: - - iam - type: - - admin - action: logging-full - "1105": - category: - - iam - type: - - admin - action: auditlog-archieved - "1108": - category: - - iam - type: - - admin - action: logging-processing-error - "4610": - category: - - configuration - type: - - access - action: authentication-package-loaded - "4611": - category: - - configuration - type: - - change - action: trusted-logon-process-registered - "4614": - category: - - configuration - type: - - access - action: notification-package-loaded - "4616": - category: - - configuration - type: - - change - action: system-time-changed - "4622": - category: - - configuration - type: - - access - action: security-package-loaded - "4624": - category: - - authentication - type: - - start - action: logged-in - "4625": - category: - - authentication - type: - - start - action: logon-failed - "4634": - category: - - authentication - type: - - end - action: logged-out - "4647": - category: - - authentication - type: - - end - action: logged-out - "4648": - category: - - authentication - type: - - start - action: logged-in-explicit - "4657": - category: - - registry - - configuration - type: - - change - action: registry-value-modified - "4670": - category: - - iam - - configuration - type: - - admin - - change - action: permissions-changed - "4672": - category: - - iam - type: - - admin - action: logged-in-special - "4673": - category: - - iam - type: - - admin - action: privileged-service-called - "4674": - category: - - iam - type: - - admin - action: privileged-operation - "4688": - category: - - 
process - type: - - start - action: created-process - "4689": - category: - - process - type: - - end - action: exited-process - "4697": - category: - - iam - - configuration - type: - - admin - - change - action: service-installed - "4698": - category: - - iam - - configuration - type: - - creation - - admin - action: scheduled-task-created - "4699": - category: - - iam - - configuration - type: - - deletion - - admin - action: scheduled-task-deleted - "4700": - category: - - iam - - configuration - type: - - change - - admin - action: scheduled-task-enabled - "4701": - category: - - iam - - configuration - type: - - change - - admin - action: scheduled-task-disabled - "4702": - category: - - iam - - configuration - type: - - change - - admin - action: scheduled-task-updated - "4706": - category: - - configuration - type: - - creation - action: domain-trust-added - "4707": - category: - - configuration - type: - - deletion - action: domain-trust-removed - "4713": - category: - - configuration - type: - - change - action: kerberos-policy-changed - "4714": - category: - - configuration - type: - - change - action: encrypted-data-recovery-policy-changed - "4715": - category: - - configuration - type: - - change - action: object-audit-policy-changed - "4716": - category: - - configuration - type: - - change - action: trusted-domain-information-changed - "4717": - category: - - iam - - configuration - type: - - admin - - change - action: system-security-access-granted - "4718": - category: - - iam - - configuration - type: - - admin - - deletion - action: system-security-access-removed - "4719": - category: - - iam - - configuration - type: - - admin - - change - action: changed-audit-config - "4720": - category: - - iam - type: - - user - - creation - action: added-user-account - "4722": - category: - - iam - type: - - user - - change - action: enabled-user-account - "4723": - category: - - iam - type: - - user - - change - action: changed-password - "4724": - 
category: - - iam - type: - - user - - change - action: reset-password - "4725": - category: - - iam - type: - - user - - deletion - action: disabled-user-account - "4726": - category: - - iam - type: - - user - - deletion - action: deleted-user-account - "4727": - category: - - iam - type: - - group - - creation - action: added-group-account - "4728": - category: - - iam - type: - - group - - change - action: added-member-to-group - "4729": - category: - - iam - type: - - group - - change - action: removed-member-from-group - "4730": - category: - - iam - type: - - group - - deletion - action: deleted-group-account - "4731": - category: - - iam - type: - - group - - creation - action: added-group-account - "4732": - category: - - iam - type: - - group - - change - action: added-member-to-group - "4733": - category: - - iam - type: - - group - - change - action: removed-member-from-group - "4734": - category: - - iam - type: - - group - - deletion - action: deleted-group-account - "4735": - category: - - iam - type: - - group - - change - action: modified-group-account - "4737": - category: - - iam - type: - - group - - change - action: modified-group-account - "4738": - category: - - iam - type: - - user - - change - action: modified-user-account - "4739": - category: - - configuration - type: - - change - action: domain-policy-changed - "4740": - category: - - iam - type: - - user - - change - action: locked-out-user-account - "4741": - category: - - iam - type: - - creation - - admin - action: added-computer-account - "4742": - category: - - iam - type: - - change - - admin - action: changed-computer-account - "4743": - category: - - iam - type: - - deletion - - admin - action: deleted-computer-account - "4744": - category: - - iam - type: - - group - - creation - action: added-distribution-group-account - "4745": - category: - - iam - type: - - group - - change - action: changed-distribution-group-account - "4746": - category: - - iam - type: - - group - - 
change - action: added-member-to-distribution-group - "4747": - category: - - iam - type: - - group - - change - action: removed-member-from-distribution-group - "4748": - category: - - iam - type: - - group - - deletion - action: deleted-distribution-group-account - "4749": - category: - - iam - type: - - group - - creation - action: added-distribution-group-account - "4750": - category: - - iam - type: - - group - - change - action: changed-distribution-group-account - "4751": - category: - - iam - type: - - group - - change - action: added-member-to-distribution-group - "4752": - category: - - iam - type: - - group - - change - action: removed-member-from-distribution-group - "4753": - category: - - iam - type: - - group - - deletion - action: deleted-distribution-group-account - "4754": - category: - - iam - type: - - group - - creation - action: added-group-account - "4755": - category: - - iam - type: - - group - - change - action: modified-group-account - "4756": - category: - - iam - type: - - group - - change - action: added-member-to-group - "4757": - category: - - iam - type: - - group - - change - action: removed-member-from-group - "4758": - category: - - iam - type: - - group - - deletion - action: deleted-group-account - "4759": - category: - - iam - type: - - group - - creation - action: added-distribution-group-account - "4760": - category: - - iam - type: - - group - - change - action: changed-distribution-group-account - "4761": - category: - - iam - type: - - group - - change - action: added-member-to-distribution-group - "4762": - category: - - iam - type: - - group - - change - action: removed-member-from-distribution-group - "4763": - category: - - iam - type: - - group - - deletion - action: deleted-distribution-group-account - "4764": - category: - - iam - type: - - group - - change - action: type-changed-group-account - "4767": - category: - - iam - type: - - user - - change - action: unlocked-user-account - "4768": - category: - - 
authentication - type: - - start - action: kerberos-authentication-ticket-requested - "4769": - category: - - authentication - type: - - start - action: kerberos-service-ticket-requested - "4770": - category: - - authentication - type: - - start - action: kerberos-service-ticket-renewed - "4771": - category: - - authentication - type: - - start - action: kerberos-preauth-failed - "4776": - category: - - authentication - type: - - start - action: credential-validated - "4778": - category: - - authentication - - session - type: - - start - action: session-reconnected - "4779": - category: - - authentication - - session - type: - - end - action: session-disconnected - "4781": - category: - - iam - type: - - user - - change - action: renamed-user-account - "4798": - category: - - iam - type: - - user - - info - action: group-membership-enumerated - "4799": - category: - - iam - type: - - group - - info - action: user-member-enumerated - "4817": - category: - - iam - - configuration - type: - - admin - - change - action: object-audit-changed - "4902": - category: - - iam - - configuration - type: - - admin - - creation - action: user-audit-policy-created - "4904": - category: - - iam - - configuration - type: - - admin - - change - action: security-event-source-added - "4905": - category: - - iam - - configuration - type: - - admin - - deletion - action: security-event-source-removed - "4906": - category: - - iam - - configuration - type: - - admin - - change - action: crash-on-audit-changed - "4907": - category: - - iam - - configuration - type: - - admin - - change - action: audit-setting-changed - "4908": - category: - - iam - - configuration - type: - - admin - - change - action: special-group-table-changed - "4912": - category: - - iam - - configuration - type: - - admin - - change - action: per-user-audit-policy-changed - "4950": - category: - - configuration - type: - - change - action: windows-firewall-setting-changed - "4954": - category: - - configuration - 
type: - - change - action: windows-firewall-group-policy-changed - "4964": - category: - - iam - type: - - admin - - group - action: logged-in-special - "5024": - category: - - process - type: - - start - action: windows-firewall-service-started - "5025": - category: - - process - type: - - end - action: windows-firewall-service-stopped - "5033": - category: - - driver - type: - - start - action: windows-firewall-driver-started - "5034": - category: - - driver - type: - - end - action: windows-firewall-driver-stopped - "5037": - category: - - driver - type: - - end - action: windows-firewall-driver-error - source: |- - if (ctx?.event?.code == null || params.get(ctx.event.code) == null) { - return; - } - def hm = new HashMap(params.get(ctx.event.code)); - hm.forEach((k, v) -> ctx.event[k] = v); - - script: - lang: painless - ignore_failure: false - tag: Set Logon Type - description: Set Logon Type -# Logon Types -# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - params: - "2": Interactive - "3": Network - "4": Batch - "5": Service - "7": Unlock - "8": NetworkCleartext - "9": NewCredentials - "10": RemoteInteractive - "11": CachedInteractive - source: |- - if (ctx?.winlog?.event_data?.LogonType == null) { - return; - } - def t = params.get(ctx.winlog.event_data.LogonType); - if (t == null) { - return; - } - if (ctx?.winlog?.logon == null ) { - Map map = new HashMap(); - ctx.winlog.put("logon", map); - } - ctx.winlog.logon.put("type", t) - - script: - lang: painless - ignore_failure: false - tag: Set User Account Control - description: Set User Account Control - # User Account Control Attributes Table - # https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties - params: - "0x00000001": SCRIPT - "0x00000002": ACCOUNTDISABLE - "0x00000008": HOMEDIR_REQUIRED - "0x00000010": LOCKOUT - "0x00000020": PASSWD_NOTREQD - "0x00000040": PASSWD_CANT_CHANGE - 
"0x00000080": ENCRYPTED_TEXT_PWD_ALLOWED - "0x00000100": TEMP_DUPLICATE_ACCOUNT - "0x00000200": NORMAL_ACCOUNT - "0x00000800": INTERDOMAIN_TRUST_ACCOUNT - "0x00001000": WORKSTATION_TRUST_ACCOUNT - "0x00002000": SERVER_TRUST_ACCOUNT - "0x00010000": DONT_EXPIRE_PASSWORD - "0x00020000": MNS_LOGON_ACCOUNT - "0x00040000": SMARTCARD_REQUIRED - "0x00080000": TRUSTED_FOR_DELEGATION - "0x00100000": NOT_DELEGATED - "0x00200000": USE_DES_KEY_ONLY - "0x00400000": DONT_REQ_PREAUTH - "0x00800000": PASSWORD_EXPIRED - "0x01000000": TRUSTED_TO_AUTH_FOR_DELEGATION - "0x04000000": PARTIAL_SECRETS_ACCOUNT - source: |- - if (ctx?.winlog?.event_data?.NewUacValue == null) { - return; - } - Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue); - ArrayList uacResult = new ArrayList(); - for (entry in params.entrySet()) { - Long flag = Long.decode(entry.getKey()); - if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) { - uacResult.add(entry.getValue()); - } - } - if (uacResult.length == 0) { - return; - } - ctx.winlog.event_data.put("NewUACList", uacResult); - if (ctx?.winlog?.event_data?.UserAccountControl == null) { - return; - } - ArrayList uac_array = new ArrayList(); - for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken("%%")) { - if (elem.trim().length() > 0) { - uac_array.add(elem.trim()); - } - } - ctx.winlog.event_data.UserAccountControl = uac_array; - - script: - lang: painless - ignore_failure: false - tag: Set Kerberos Ticket Options - description: Set Kerberos Ticket Options -# Kerberos TGT and TGS Ticket Options -# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 -# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - params: - "0x40000000": Forwardable - "0x20000000": Forwarded - "0x10000000": Proxiable - "0x08000000": Proxy - "0x04000000": Allow-postdate - "0x02000000": Postdated - "0x01000000": Invalid - "0x00800000": Renewable - "0x00400000": Initial - 
"0x00200000": Pre-authent - "0x00100000": Opt-hardware-auth - "0x00080000": Transited-policy-checked - "0x00040000": Ok-as-delegate - "0x00020000": Request-anonymous - "0x00010000": Name-canonicalize - "0x00000020": Disable-transited-check - "0x00000010": Renewable-ok - "0x00000008": Enc-tkt-in-skey - "0x00000002": Renew - "0x00000001": Validate - source: |- - if (ctx?.winlog?.event_data?.TicketOptions == null) { - return; - } - Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions); - ArrayList tDescs = new ArrayList(); - for (entry in params.entrySet()) { - Long flag = Long.decode(entry.getKey()); - if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) { - tDescs.add(entry.getValue()); - } - } - if (tDescs.length == 0) { - return; - } - ctx.winlog.event_data.put("TicketOptionsDescription", tDescs); - - script: - lang: painless - ignore_failure: false - tag: Set Kerberos Encryption Types - description: Set Kerberos Encryption Types - # Kerberos Encryption Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - params: - "0x1": DES-CBC-CRC - "0x3": DES-CBC-MD5 - "0x11": AES128-CTS-HMAC-SHA1-96 - "0x12": AES256-CTS-HMAC-SHA1-96 - "0x17": RC4-HMAC - "0x18": RC4-HMAC-EXP - "0xffffffff": FAIL - source: |- - if (ctx?.winlog?.event_data?.TicketEncryptionType == null) { - return; - } - ctx.winlog.event_data.put("TicketEncryptionTypeDescription", - params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()]) - - script: - lang: painless - ignore_failure: false - tag: Set Kerberos Ticket Status Codes - # Kerberos Result Status Codes - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - description: Set Kerberos Ticket Status Codes - params: - "0x0": KDC_ERR_NONE - "0x1": KDC_ERR_NAME_EXP - 
"0x2": KDC_ERR_SERVICE_EXP - "0x3": KDC_ERR_BAD_PVNO - "0x4": KDC_ERR_C_OLD_MAST_KVNO - "0x5": KDC_ERR_S_OLD_MAST_KVNO - "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN - "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN - "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE - "0x9": KDC_ERR_NULL_KEY - "0xA": KDC_ERR_CANNOT_POSTDATE - "0xB": KDC_ERR_NEVER_VALID - "0xC": KDC_ERR_POLICY - "0xD": KDC_ERR_BADOPTION - "0xE": KDC_ERR_ETYPE_NOTSUPP - "0xF": KDC_ERR_SUMTYPE_NOSUPP - "0x10": KDC_ERR_PADATA_TYPE_NOSUPP - "0x11": KDC_ERR_TRTYPE_NO_SUPP - "0x12": KDC_ERR_CLIENT_REVOKED - "0x13": KDC_ERR_SERVICE_REVOKED - "0x14": KDC_ERR_TGT_REVOKED - "0x15": KDC_ERR_CLIENT_NOTYET - "0x16": KDC_ERR_SERVICE_NOTYET - "0x17": KDC_ERR_KEY_EXPIRED - "0x18": KDC_ERR_PREAUTH_FAILED - "0x19": KDC_ERR_PREAUTH_REQUIRED - "0x1A": KDC_ERR_SERVER_NOMATCH - "0x1B": KDC_ERR_MUST_USE_USER2USER - "0x1F": KRB_AP_ERR_BAD_INTEGRITY - "0x20": KRB_AP_ERR_TKT_EXPIRED - "0x21": KRB_AP_ERR_TKT_NYV - "0x22": KRB_AP_ERR_REPEAT - "0x23": KRB_AP_ERR_NOT_US - "0x24": KRB_AP_ERR_BADMATCH - "0x25": KRB_AP_ERR_SKEW - "0x26": KRB_AP_ERR_BADADDR - "0x27": KRB_AP_ERR_BADVERSION - "0x28": KRB_AP_ERR_MSG_TYPE - "0x29": KRB_AP_ERR_MODIFIED - "0x2A": KRB_AP_ERR_BADORDER - "0x2C": KRB_AP_ERR_BADKEYVER - "0x2D": KRB_AP_ERR_NOKEY - "0x2E": KRB_AP_ERR_MUT_FAIL - "0x2F": KRB_AP_ERR_BADDIRECTION - "0x30": KRB_AP_ERR_METHOD - "0x31": KRB_AP_ERR_BADSEQ - "0x32": KRB_AP_ERR_INAPP_CKSUM - "0x33": KRB_AP_PATH_NOT_ACCEPTED - "0x34": KRB_ERR_RESPONSE_TOO_BIG - "0x3C": KRB_ERR_GENERIC - "0x3D": KRB_ERR_FIELD_TOOLONG - "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED - "0x3F": KDC_ERR_KDC_NOT_TRUSTED - "0x40": KDC_ERR_INVALID_SIG - "0x41": KDC_ERR_KEY_TOO_WEAK - "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED - "0x43": KRB_AP_ERR_NO_TGT - "0x44": KDC_ERR_WRONG_REALM - source: |- - if (ctx?.winlog?.event_data?.Status == null || - ctx?.event?.code == null || - !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) { - return; - } - ctx.winlog.event_data.put("StatusDescription", 
params[ctx.winlog.event_data.Status]); - - script: - lang: painless - ignore_failure: false - tag: Set Service Type and Name - description: Set Service Type and Name - # Services Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - params: - "0x1": Kernel Driver - "0x2": File System Driver - "0x8": Recognizer Driver - "0x10": Win32 Own Process - "0x20": Win32 Share Process - "0x110": Interactive Own Process - "0x120": Interactive Share Process - source: |- - if (ctx?.winlog?.event_data?.ServiceName != null) { - if (ctx?.service == null) { - HashMap hm = new HashMap(); - ctx.put("service", hm); - } - ctx.service.put("name", ctx.winlog.event_data.ServiceName); - } - if (ctx?.winlog.event_data?.ServiceType != null) { - if (ctx?.service == null) { - HashMap hm = new HashMap(); - ctx.put("service", hm); - } - ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]); - } - - script: - lang: painless - ignore_failure: false - tag: Set Audit Information - description: Set Audit Information - # Audit Categories Description - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d - params: - "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"] - "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"] - "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"] - "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"] - "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"] - "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"] - "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"] - "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"] - "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"] - "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"] - "0CCE921A-69AE-11D9-BED3-505054503030": 
["IPsec Extended Mode","Logon/Logoff"] - "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"] - "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"] - "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"] - "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"] - "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"] - "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"] - "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"] - "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"] - "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"] - "0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"] - "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"] - "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"] - "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"] - "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ","Object Access"] - "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"] - "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"] - "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"] - "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"] - "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"] - "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"] - "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"] - "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"] - "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"] - "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI 
Activity","Detailed Tracking"] - "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"] - "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"] - "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"] - "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"] - "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"] - "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"] - "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"] - "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"] - "0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"] - "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"] - "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"] - "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management","Account Management"] - "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"] - "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"] - "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"] - "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"] - "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"] - "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"] - "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"] - "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"] - "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"] - 
"0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"] - source: |- - if (ctx?.winlog?.event_data?.SubcategoryGuid == null) { - return; - } - def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase(); - if (!params.containsKey(subCatGuid)) { - return; - } - ctx.winlog.event_data.put("Category", params[subCatGuid][1]); - ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]); - - script: - lang: painless - ignore_failure: false - tag: Decode message table - description: Decode message table - # Message table extracted from msobjs.dll on Windows 2019. - # https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 - # https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - params: - descriptions: - "279": "Undefined Access (no effect) Bit 7" - "1536": "Unused message ID" - "1537": "DELETE" - "1538": "READ_CONTROL" - "1539": "WRITE_DAC" - "1540": "WRITE_OWNER" - "1541": "SYNCHRONIZE" - "1542": "ACCESS_SYS_SEC" - "1543": "MAX_ALLOWED" - "1552": "Unknown specific access (bit 0)" - "1553": "Unknown specific access (bit 1)" - "1554": "Unknown specific access (bit 2)" - "1555": "Unknown specific access (bit 3)" - "1556": "Unknown specific access (bit 4)" - "1557": "Unknown specific access (bit 5)" - "1558": "Unknown specific access (bit 6)" - "1559": "Unknown specific access (bit 7)" - "1560": "Unknown specific access (bit 8)" - "1561": "Unknown specific access (bit 9)" - "1562": "Unknown specific access (bit 10)" - "1563": "Unknown specific access (bit 11)" - "1564": "Unknown specific access (bit 12)" - "1565": "Unknown specific access (bit 13)" - "1566": "Unknown specific access (bit 14)" - "1567": "Unknown specific access (bit 15)" - "1601": "Not used" - "1603": "Assign Primary Token Privilege" - "1604": "Lock Memory Privilege" - 
"1605": "Increase Memory Quota Privilege" - "1606": "Unsolicited Input Privilege" - "1607": "Trusted Computer Base Privilege" - "1608": "Security Privilege" - "1609": "Take Ownership Privilege" - "1610": "Load/Unload Driver Privilege" - "1611": "Profile System Privilege" - "1612": "Set System Time Privilege" - "1613": "Profile Single Process Privilege" - "1614": "Increment Base Priority Privilege" - "1615": "Create Pagefile Privilege" - "1616": "Create Permanent Object Privilege" - "1617": "Backup Privilege" - "1618": "Restore From Backup Privilege" - "1619": "Shutdown System Privilege" - "1620": "Debug Privilege" - "1621": "View or Change Audit Log Privilege" - "1622": "Change Hardware Environment Privilege" - "1623": "Change Notify (and Traverse) Privilege" - "1624": "Remotely Shut System Down Privilege" - "1792": "" - "1794": "" - "1795": "Enabled" - "1796": "Disabled" - "1797": "All" - "1798": "None" - "1799": "Audit Policy query/set API Operation" - "1800": "" - "1801": "Granted by" - "1802": "Denied by" - "1803": "Denied by Integrity Policy check" - "1804": "Granted by Ownership" - "1805": "Not granted" - "1806": "Granted by NULL DACL" - "1807": "Denied by Empty DACL" - "1808": "Granted by NULL Security Descriptor" - "1809": "Unknown or unchecked" - "1810": "Not granted due to missing" - "1811": "Granted by ACE on parent folder" - "1812": "Denied by ACE on parent folder" - "1813": "Granted by Central Access Rule" - "1814": "NOT Granted by Central Access Rule" - "1815": "Granted by parent folder's Central Access Rule" - "1816": "NOT Granted by parent folder's Central Access Rule" - "1817": "Unknown Type" - "1818": "String" - "1819": "Unsigned 64-bit Integer" - "1820": "64-bit Integer" - "1821": "FQBN" - "1822": "Blob" - "1823": "Sid" - "1824": "Boolean" - "1825": "TRUE" - "1826": "FALSE" - "1827": "Invalid" - "1828": "an ACE too long to display" - "1829": "a Security Descriptor too long to display" - "1830": "Not granted to AppContainers" - "1831": "..." 
- "1832": "Identification" - "1833": "Impersonation" - "1840": "Delegation" - "1841": "Denied by Process Trust Label ACE" - "1842": "Yes" - "1843": "No" - "1844": "System" - "1845": "Not Available" - "1846": "Default" - "1847": "DisallowMmConfig" - "1848": "Off" - "1849": "Auto" - "1872": "REG_NONE" - "1873": "REG_SZ" - "1874": "REG_EXPAND_SZ" - "1875": "REG_BINARY" - "1876": "REG_DWORD" - "1877": "REG_DWORD_BIG_ENDIAN" - "1878": "REG_LINK" - "1879": "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)" - "1880": "REG_RESOURCE_LIST" - "1881": "REG_FULL_RESOURCE_DESCRIPTOR" - "1882": "REG_RESOURCE_REQUIREMENTS_LIST" - "1883": "REG_QWORD" - "1904": "New registry value created" - "1905": "Existing registry value modified" - "1906": "Registry value deleted" - "1920": "Sunday" - "1921": "Monday" - "1922": "Tuesday" - "1923": "Wednesday" - "1924": "Thursday" - "1925": "Friday" - "1926": "Saturday" - "1936": "TokenElevationTypeDefault (1)" - "1937": "TokenElevationTypeFull (2)" - "1938": "TokenElevationTypeLimited (3)" - "2048": "Account Enabled" - "2049": "Home Directory Required' - Disabled" - "2050": "Password Not Required' - Disabled" - "2051": "Temp Duplicate Account' - Disabled" - "2052": "Normal Account' - Disabled" - "2053": "MNS Logon Account' - Disabled" - "2054": "Interdomain Trust Account' - Disabled" - "2055": "Workstation Trust Account' - Disabled" - "2056": "Server Trust Account' - Disabled" - "2057": "Don't Expire Password' - Disabled" - "2058": "Account Unlocked" - "2059": "Encrypted Text Password Allowed' - Disabled" - "2060": "Smartcard Required' - Disabled" - "2061": "Trusted For Delegation' - Disabled" - "2062": "Not Delegated' - Disabled" - "2063": "Use DES Key Only' - Disabled" - "2064": "Don't Require Preauth' - Disabled" - "2065": "Password Expired' - Disabled" - "2066": "Trusted To Authenticate For Delegation' - Disabled" - "2067": "Exclude Authorization Information' - Disabled" - "2068": "Undefined UserAccountControl Bit 20' - 
Disabled" - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled" - "2070": "Undefined UserAccountControl Bit 22' - Disabled" - "2071": "Undefined UserAccountControl Bit 23' - Disabled" - "2072": "Undefined UserAccountControl Bit 24' - Disabled" - "2073": "Undefined UserAccountControl Bit 25' - Disabled" - "2074": "Undefined UserAccountControl Bit 26' - Disabled" - "2075": "Undefined UserAccountControl Bit 27' - Disabled" - "2076": "Undefined UserAccountControl Bit 28' - Disabled" - "2077": "Undefined UserAccountControl Bit 29' - Disabled" - "2078": "Undefined UserAccountControl Bit 30' - Disabled" - "2079": "Undefined UserAccountControl Bit 31' - Disabled" - "2080": "Account Disabled" - "2081": "Home Directory Required' - Enabled" - "2082": "Password Not Required' - Enabled" - "2083": "Temp Duplicate Account' - Enabled" - "2084": "Normal Account' - Enabled" - "2085": "MNS Logon Account' - Enabled" - "2086": "Interdomain Trust Account' - Enabled" - "2087": "Workstation Trust Account' - Enabled" - "2088": "Server Trust Account' - Enabled" - "2089": "Don't Expire Password' - Enabled" - "2090": "Account Locked" - "2091": "Encrypted Text Password Allowed' - Enabled" - "2092": "Smartcard Required' - Enabled" - "2093": "Trusted For Delegation' - Enabled" - "2094": "Not Delegated' - Enabled" - "2095": "Use DES Key Only' - Enabled" - "2096": "Don't Require Preauth' - Enabled" - "2097": "Password Expired' - Enabled" - "2098": "Trusted To Authenticate For Delegation' - Enabled" - "2099": "Exclude Authorization Information' - Enabled" - "2100": "Undefined UserAccountControl Bit 20' - Enabled" - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled" - "2102": "Undefined UserAccountControl Bit 22' - Enabled" - "2103": "Undefined UserAccountControl Bit 23' - Enabled" - "2104": "Undefined UserAccountControl Bit 24' - Enabled" - "2105": "Undefined UserAccountControl Bit 25' - Enabled" - "2106": "Undefined UserAccountControl Bit 26' - Enabled" - "2107": 
"Undefined UserAccountControl Bit 27' - Enabled"
- "2108": "Undefined UserAccountControl Bit 28' - Enabled"
- "2109": "Undefined UserAccountControl Bit 29' - Enabled"
- "2110": "Undefined UserAccountControl Bit 30' - Enabled"
- "2111": "Undefined UserAccountControl Bit 31' - Enabled"
- "2304": "An Error occured during Logon."
- "2305": "The specified user account has expired."
- "2306": "The NetLogon component is not active."
- "2307": "Account locked out."
- "2308": "The user has not been granted the requested logon type at this machine."
- "2309": "The specified account's password has expired."
- "2310": "Account currently disabled."
- "2311": "Account logon time restriction violation."
- "2312": "User not allowed to logon at this computer."
- "2313": "Unknown user name or bad password."
- "2314": "Domain sid inconsistent."
- "2315": "Smartcard logon is required and was not used."
- "2432": "Not Available."
- "2436": "Random number generator failure."
- "2437": "Random number generation failed FIPS-140 pre-hash check."
- "2438": "Failed to zero secret data."
- "2439": "Key failed pair wise consistency check."
- "2448": "Failed to unprotect persistent cryptographic key."
- "2449": "Key export checks failed."
- "2450": "Validation of public key failed."
- "2451": "Signature verification failed."
- "2456": "Open key file."
- "2457": "Delete key file."
- "2458": "Read persisted key from file."
- "2459": "Write persisted key to file."
- "2464": "Export of persistent cryptographic key."
- "2465": "Import of persistent cryptographic key."
- "2480": "Open Key."
- "2481": "Create Key."
- "2482": "Delete Key."
- "2483": "Encrypt."
- "2484": "Decrypt."
- "2485": "Sign hash."
- "2486": "Secret agreement."
- "2487": "Domain settings"
- "2488": "Local settings"
- "2489": "Add provider."
- "2490": "Remove provider."
- "2491": "Add context."
- "2492": "Remove context."
- "2493": "Add function."
- "2494": "Remove function."
- "2495": "Add function provider."
- "2496": "Remove function provider."
- "2497": "Add function property."
- "2498": "Remove function property."
- "2499": "Machine key."
- "2500": "User key."
- "2501": "Key Derivation."
- "4352": "Device Access Bit 0"
- "4353": "Device Access Bit 1"
- "4354": "Device Access Bit 2"
- "4355": "Device Access Bit 3"
- "4356": "Device Access Bit 4"
- "4357": "Device Access Bit 5"
- "4358": "Device Access Bit 6"
- "4359": "Device Access Bit 7"
- "4360": "Device Access Bit 8"
- "4361": "Undefined Access (no effect) Bit 9"
- "4362": "Undefined Access (no effect) Bit 10"
- "4363": "Undefined Access (no effect) Bit 11"
- "4364": "Undefined Access (no effect) Bit 12"
- "4365": "Undefined Access (no effect) Bit 13"
- "4366": "Undefined Access (no effect) Bit 14"
- "4367": "Undefined Access (no effect) Bit 15"
- "4368": "Query directory"
- "4369": "Traverse"
- "4370": "Create object in directory"
- "4371": "Create sub-directory"
- "4372": "Undefined Access (no effect) Bit 4"
- "4373": "Undefined Access (no effect) Bit 5"
- "4374": "Undefined Access (no effect) Bit 6"
- "4375": "Undefined Access (no effect) Bit 7"
- "4376": "Undefined Access (no effect) Bit 8"
- "4377": "Undefined Access (no effect) Bit 9"
- "4378": "Undefined Access (no effect) Bit 10"
- "4379": "Undefined Access (no effect) Bit 11"
- "4380": "Undefined Access (no effect) Bit 12"
- "4381": "Undefined Access (no effect) Bit 13"
- "4382": "Undefined Access (no effect) Bit 14"
- "4383": "Undefined Access (no effect) Bit 15"
- "4384": "Query event state"
- "4385": "Modify event state"
- "4386": "Undefined Access (no effect) Bit 2"
- "4387": "Undefined Access (no effect) Bit 3"
- "4388": "Undefined Access (no effect) Bit 4"
- "4389": "Undefined Access (no effect) Bit 5"
- "4390": "Undefined Access (no effect) Bit 6"
- "4391": "Undefined Access (no effect) Bit 7"
- "4392": "Undefined Access (no effect) Bit 8"
- "4393": "Undefined Access (no effect) Bit 9"
- "4394": "Undefined Access (no effect) Bit 10"
- "4395": 
"Undefined Access (no effect) Bit 11"
- "4396": "Undefined Access (no effect) Bit 12"
- "4397": "Undefined Access (no effect) Bit 13"
- "4398": "Undefined Access (no effect) Bit 14"
- "4399": "Undefined Access (no effect) Bit 15"
- "4416": "ReadData (or ListDirectory)"
- "4417": "WriteData (or AddFile)"
- "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)"
- "4419": "ReadEA"
- "4420": "WriteEA"
- "4421": "Execute/Traverse"
- "4422": "DeleteChild"
- "4423": "ReadAttributes"
- "4424": "WriteAttributes"
- "4425": "Undefined Access (no effect) Bit 9"
- "4426": "Undefined Access (no effect) Bit 10"
- "4427": "Undefined Access (no effect) Bit 11"
- "4428": "Undefined Access (no effect) Bit 12"
- "4429": "Undefined Access (no effect) Bit 13"
- "4430": "Undefined Access (no effect) Bit 14"
- "4431": "Undefined Access (no effect) Bit 15"
- "4432": "Query key value"
- "4433": "Set key value"
- "4434": "Create sub-key"
- "4435": "Enumerate sub-keys"
- "4436": "Notify about changes to keys"
- "4437": "Create Link"
- "4438": "Undefined Access (no effect) Bit 6"
- "4439": "Undefined Access (no effect) Bit 7"
- "4440": "Enable 64(or 32) bit application to open 64 bit key"
- "4441": "Enable 64(or 32) bit application to open 32 bit key"
- "4442": "Undefined Access (no effect) Bit 10"
- "4443": "Undefined Access (no effect) Bit 11"
- "4444": "Undefined Access (no effect) Bit 12"
- "4445": "Undefined Access (no effect) Bit 13"
- "4446": "Undefined Access (no effect) Bit 14"
- "4447": "Undefined Access (no effect) Bit 15"
- "4448": "Query mutant state"
- "4449": "Undefined Access (no effect) Bit 1"
- "4450": "Undefined Access (no effect) Bit 2"
- "4451": "Undefined Access (no effect) Bit 3"
- "4452": "Undefined Access (no effect) Bit 4"
- "4453": "Undefined Access (no effect) Bit 5"
- "4454": "Undefined Access (no effect) Bit 6"
- "4455": "Undefined Access (no effect) Bit 7"
- "4456": "Undefined Access (no effect) Bit 8"
- "4457": "Undefined Access (no effect) Bit 9"
- 
"4458": "Undefined Access (no effect) Bit 10"
- "4459": "Undefined Access (no effect) Bit 11"
- "4460": "Undefined Access (no effect) Bit 12"
- "4461": "Undefined Access (no effect) Bit 13"
- "4462": "Undefined Access (no effect) Bit 14"
- "4463": "Undefined Access (no effect) Bit 15"
- "4464": "Communicate using port"
- "4465": "Undefined Access (no effect) Bit 1"
- "4466": "Undefined Access (no effect) Bit 2"
- "4467": "Undefined Access (no effect) Bit 3"
- "4468": "Undefined Access (no effect) Bit 4"
- "4469": "Undefined Access (no effect) Bit 5"
- "4470": "Undefined Access (no effect) Bit 6"
- "4471": "Undefined Access (no effect) Bit 7"
- "4472": "Undefined Access (no effect) Bit 8"
- "4473": "Undefined Access (no effect) Bit 9"
- "4474": "Undefined Access (no effect) Bit 10"
- "4475": "Undefined Access (no effect) Bit 11"
- "4476": "Undefined Access (no effect) Bit 12"
- "4477": "Undefined Access (no effect) Bit 13"
- "4478": "Undefined Access (no effect) Bit 14"
- "4479": "Undefined Access (no effect) Bit 15"
- "4480": "Force process termination"
- "4481": "Create new thread in process"
- "4482": "Set process session ID"
- "4483": "Perform virtual memory operation"
- "4484": "Read from process memory"
- "4485": "Write to process memory"
- "4486": "Duplicate handle into or out of process"
- "4487": "Create a subprocess of process"
- "4488": "Set process quotas"
- "4489": "Set process information"
- "4490": "Query process information"
- "4491": "Set process termination port"
- "4492": "Undefined Access (no effect) Bit 12"
- "4493": "Undefined Access (no effect) Bit 13"
- "4494": "Undefined Access (no effect) Bit 14"
- "4495": "Undefined Access (no effect) Bit 15"
- "4496": "Control profile"
- "4497": "Undefined Access (no effect) Bit 1"
- "4498": "Undefined Access (no effect) Bit 2"
- "4499": "Undefined Access (no effect) Bit 3"
- "4500": "Undefined Access (no effect) Bit 4"
- "4501": "Undefined Access (no effect) Bit 5"
- "4502": "Undefined Access (no effect) 
Bit 6"
- "4503": "Undefined Access (no effect) Bit 7"
- "4504": "Undefined Access (no effect) Bit 8"
- "4505": "Undefined Access (no effect) Bit 9"
- "4506": "Undefined Access (no effect) Bit 10"
- "4507": "Undefined Access (no effect) Bit 11"
- "4508": "Undefined Access (no effect) Bit 12"
- "4509": "Undefined Access (no effect) Bit 13"
- "4510": "Undefined Access (no effect) Bit 14"
- "4511": "Undefined Access (no effect) Bit 15"
- "4512": "Query section state"
- "4513": "Map section for write"
- "4514": "Map section for read"
- "4515": "Map section for execute"
- "4516": "Extend size"
- "4517": "Undefined Access (no effect) Bit 5"
- "4518": "Undefined Access (no effect) Bit 6"
- "4519": "Undefined Access (no effect) Bit 7"
- "4520": "Undefined Access (no effect) Bit 8"
- "4521": "Undefined Access (no effect) Bit 9"
- "4522": "Undefined Access (no effect) Bit 10"
- "4523": "Undefined Access (no effect) Bit 11"
- "4524": "Undefined Access (no effect) Bit 12"
- "4525": "Undefined Access (no effect) Bit 13"
- "4526": "Undefined Access (no effect) Bit 14"
- "4527": "Undefined Access (no effect) Bit 15"
- "4528": "Query semaphore state"
- "4529": "Modify semaphore state"
- "4530": "Undefined Access (no effect) Bit 2"
- "4531": "Undefined Access (no effect) Bit 3"
- "4532": "Undefined Access (no effect) Bit 4"
- "4533": "Undefined Access (no effect) Bit 5"
- "4534": "Undefined Access (no effect) Bit 6"
- "4535": "Undefined Access (no effect) Bit 7"
- "4536": "Undefined Access (no effect) Bit 8"
- "4537": "Undefined Access (no effect) Bit 9"
- "4538": "Undefined Access (no effect) Bit 10"
- "4539": "Undefined Access (no effect) Bit 11"
- "4540": "Undefined Access (no effect) Bit 12"
- "4541": "Undefined Access (no effect) Bit 13"
- "4542": "Undefined Access (no effect) Bit 14"
- "4543": "Undefined Access (no effect) Bit 15"
- "4544": "Use symbolic link"
- "4545": "Undefined Access (no effect) Bit 1"
- "4546": "Undefined Access (no effect) Bit 2"
- "4547": "Undefined 
Access (no effect) Bit 3"
- "4548": "Undefined Access (no effect) Bit 4"
- "4549": "Undefined Access (no effect) Bit 5"
- "4550": "Undefined Access (no effect) Bit 6"
- "4551": "Undefined Access (no effect) Bit 7"
- "4552": "Undefined Access (no effect) Bit 8"
- "4553": "Undefined Access (no effect) Bit 9"
- "4554": "Undefined Access (no effect) Bit 10"
- "4555": "Undefined Access (no effect) Bit 11"
- "4556": "Undefined Access (no effect) Bit 12"
- "4557": "Undefined Access (no effect) Bit 13"
- "4558": "Undefined Access (no effect) Bit 14"
- "4559": "Undefined Access (no effect) Bit 15"
- "4560": "Force thread termination"
- "4561": "Suspend or resume thread"
- "4562": "Send an alert to thread"
- "4563": "Get thread context"
- "4564": "Set thread context"
- "4565": "Set thread information"
- "4566": "Query thread information"
- "4567": "Assign a token to the thread"
- "4568": "Cause thread to directly impersonate another thread"
- "4569": "Directly impersonate this thread"
- "4570": "Undefined Access (no effect) Bit 10"
- "4571": "Undefined Access (no effect) Bit 11"
- "4572": "Undefined Access (no effect) Bit 12"
- "4573": "Undefined Access (no effect) Bit 13"
- "4574": "Undefined Access (no effect) Bit 14"
- "4575": "Undefined Access (no effect) Bit 15"
- "4576": "Query timer state"
- "4577": "Modify timer state"
- "4578": "Undefined Access (no effect) Bit 2"
- "4579": "Undefined Access (no effect) Bit 3"
- "4580": "Undefined Access (no effect) Bit 4"
- "4581": "Undefined Access (no effect) Bit 5"
- "4582": "Undefined Access (no effect) Bit 6"
- "4584": "Undefined Access (no effect) Bit 8"
- "4585": "Undefined Access (no effect) Bit 9"
- "4586": "Undefined Access (no effect) Bit 10"
- "4587": "Undefined Access (no effect) Bit 11"
- "4588": "Undefined Access (no effect) Bit 12"
- "4589": "Undefined Access (no effect) Bit 13"
- "4590": "Undefined Access (no effect) Bit 14"
- "4591": "Undefined Access (no effect) Bit 15"
- "4592": "AssignAsPrimary"
- "4593": 
"Duplicate"
- "4594": "Impersonate"
- "4595": "Query"
- "4596": "QuerySource"
- "4597": "AdjustPrivileges"
- "4598": "AdjustGroups"
- "4599": "AdjustDefaultDacl"
- "4600": "AdjustSessionID"
- "4601": "Undefined Access (no effect) Bit 9"
- "4602": "Undefined Access (no effect) Bit 10"
- "4603": "Undefined Access (no effect) Bit 11"
- "4604": "Undefined Access (no effect) Bit 12"
- "4605": "Undefined Access (no effect) Bit 13"
- "4606": "Undefined Access (no effect) Bit 14"
- "4607": "Undefined Access (no effect) Bit 15"
- "4608": "Create instance of object type"
- "4609": "Undefined Access (no effect) Bit 1"
- "4610": "Undefined Access (no effect) Bit 2"
- "4611": "Undefined Access (no effect) Bit 3"
- "4612": "Undefined Access (no effect) Bit 4"
- "4613": "Undefined Access (no effect) Bit 5"
- "4614": "Undefined Access (no effect) Bit 6"
- "4615": "Undefined Access (no effect) Bit 7"
- "4616": "Undefined Access (no effect) Bit 8"
- "4617": "Undefined Access (no effect) Bit 9"
- "4618": "Undefined Access (no effect) Bit 10"
- "4619": "Undefined Access (no effect) Bit 11"
- "4620": "Undefined Access (no effect) Bit 12"
- "4621": "Undefined Access (no effect) Bit 13"
- "4622": "Undefined Access (no effect) Bit 14"
- "4623": "Undefined Access (no effect) Bit 15"
- "4864": "Query State"
- "4865": "Modify State"
- "5120": "Channel read message"
- "5121": "Channel write message"
- "5122": "Channel query information"
- "5123": "Channel set information"
- "5124": "Undefined Access (no effect) Bit 4"
- "5125": "Undefined Access (no effect) Bit 5"
- "5126": "Undefined Access (no effect) Bit 6"
- "5127": "Undefined Access (no effect) Bit 7"
- "5128": "Undefined Access (no effect) Bit 8"
- "5129": "Undefined Access (no effect) Bit 9"
- "5130": "Undefined Access (no effect) Bit 10"
- "5131": "Undefined Access (no effect) Bit 11"
- "5132": "Undefined Access (no effect) Bit 12"
- "5133": "Undefined Access (no effect) Bit 13"
- "5134": "Undefined Access (no effect) Bit 14"
- 
"5135": "Undefined Access (no effect) Bit 15"
- "5136": "Assign process"
- "5137": "Set Attributes"
- "5138": "Query Attributes"
- "5139": "Terminate Job"
- "5140": "Set Security Attributes"
- "5141": "Undefined Access (no effect) Bit 5"
- "5142": "Undefined Access (no effect) Bit 6"
- "5143": "Undefined Access (no effect) Bit 7"
- "5144": "Undefined Access (no effect) Bit 8"
- "5145": "Undefined Access (no effect) Bit 9"
- "5146": "Undefined Access (no effect) Bit 10"
- "5147": "Undefined Access (no effect) Bit 11"
- "5148": "Undefined Access (no effect) Bit 12"
- "5149": "Undefined Access (no effect) Bit 13"
- "5150": "Undefined Access (no effect) Bit 14"
- "5151": "Undefined Access (no effect) Bit 15"
- "5376": "ConnectToServer"
- "5377": "ShutdownServer"
- "5378": "InitializeServer"
- "5379": "CreateDomain"
- "5380": "EnumerateDomains"
- "5381": "LookupDomain"
- "5382": "Undefined Access (no effect) Bit 6"
- "5383": "Undefined Access (no effect) Bit 7"
- "5384": "Undefined Access (no effect) Bit 8"
- "5385": "Undefined Access (no effect) Bit 9"
- "5386": "Undefined Access (no effect) Bit 10"
- "5387": "Undefined Access (no effect) Bit 11"
- "5388": "Undefined Access (no effect) Bit 12"
- "5389": "Undefined Access (no effect) Bit 13"
- "5390": "Undefined Access (no effect) Bit 14"
- "5391": "Undefined Access (no effect) Bit 15"
- "5392": "ReadPasswordParameters"
- "5393": "WritePasswordParameters"
- "5394": "ReadOtherParameters"
- "5395": "WriteOtherParameters"
- "5396": "CreateUser"
- "5397": "CreateGlobalGroup"
- "5398": "CreateLocalGroup"
- "5399": "GetLocalGroupMembership"
- "5400": "ListAccounts"
- "5401": "LookupIDs"
- "5402": "AdministerServer"
- "5403": "Undefined Access (no effect) Bit 11"
- "5404": "Undefined Access (no effect) Bit 12"
- "5405": "Undefined Access (no effect) Bit 13"
- "5406": "Undefined Access (no effect) Bit 14"
- "5407": "Undefined Access (no effect) Bit 15"
- "5408": "ReadInformation"
- "5409": "WriteAccount"
- "5410": "AddMember"
- 
"5411": "RemoveMember"
- "5412": "ListMembers"
- "5413": "Undefined Access (no effect) Bit 5"
- "5414": "Undefined Access (no effect) Bit 6"
- "5415": "Undefined Access (no effect) Bit 7"
- "5416": "Undefined Access (no effect) Bit 8"
- "5417": "Undefined Access (no effect) Bit 9"
- "5418": "Undefined Access (no effect) Bit 10"
- "5419": "Undefined Access (no effect) Bit 11"
- "5420": "Undefined Access (no effect) Bit 12"
- "5421": "Undefined Access (no effect) Bit 13"
- "5422": "Undefined Access (no effect) Bit 14"
- "5423": "Undefined Access (no effect) Bit 15"
- "5424": "AddMember"
- "5425": "RemoveMember"
- "5426": "ListMembers"
- "5427": "ReadInformation"
- "5428": "WriteAccount"
- "5429": "Undefined Access (no effect) Bit 5"
- "5430": "Undefined Access (no effect) Bit 6"
- "5431": "Undefined Access (no effect) Bit 7"
- "5432": "Undefined Access (no effect) Bit 8"
- "5433": "Undefined Access (no effect) Bit 9"
- "5434": "Undefined Access (no effect) Bit 10"
- "5435": "Undefined Access (no effect) Bit 11"
- "5436": "Undefined Access (no effect) Bit 12"
- "5437": "Undefined Access (no effect) Bit 13"
- "5438": "Undefined Access (no effect) Bit 14"
- "5439": "Undefined Access (no effect) Bit 15"
- "5440": "ReadGeneralInformation"
- "5441": "ReadPreferences"
- "5442": "WritePreferences"
- "5443": "ReadLogon"
- "5444": "ReadAccount"
- "5445": "WriteAccount"
- "5446": "ChangePassword (with knowledge of old password)"
- "5447": "SetPassword (without knowledge of old password)"
- "5448": "ListGroups"
- "5449": "ReadGroupMembership"
- "5450": "ChangeGroupMembership"
- "5451": "Undefined Access (no effect) Bit 11"
- "5452": "Undefined Access (no effect) Bit 12"
- "5453": "Undefined Access (no effect) Bit 13"
- "5454": "Undefined Access (no effect) Bit 14"
- "5455": "Undefined Access (no effect) Bit 15"
- "5632": "View non-sensitive policy information"
- "5633": "View system audit requirements"
- "5634": "Get sensitive policy information"
- "5635": "Modify domain trust 
relationships"
- "5636": "Create special accounts (for assignment of user rights)"
- "5637": "Create a secret object"
- "5638": "Create a privilege"
- "5639": "Set default quota limits"
- "5640": "Change system audit requirements"
- "5641": "Administer audit log attributes"
- "5642": "Enable/Disable LSA"
- "5643": "Lookup Names/SIDs"
- "5648": "Change secret value"
- "5649": "Query secret value"
- "5650": "Undefined Access (no effect) Bit 2"
- "5651": "Undefined Access (no effect) Bit 3"
- "5652": "Undefined Access (no effect) Bit 4"
- "5653": "Undefined Access (no effect) Bit 5"
- "5654": "Undefined Access (no effect) Bit 6"
- "5655": "Undefined Access (no effect) Bit 7"
- "5656": "Undefined Access (no effect) Bit 8"
- "5657": "Undefined Access (no effect) Bit 9"
- "5658": "Undefined Access (no effect) Bit 10"
- "5659": "Undefined Access (no effect) Bit 11"
- "5660": "Undefined Access (no effect) Bit 12"
- "5661": "Undefined Access (no effect) Bit 13"
- "5662": "Undefined Access (no effect) Bit 14"
- "5663": "Undefined Access (no effect) Bit 15"
- "5664": "Query trusted domain name/SID"
- "5665": "Retrieve the controllers in the trusted domain"
- "5666": "Change the controllers in the trusted domain"
- "5667": "Query the Posix ID offset assigned to the trusted domain"
- "5668": "Change the Posix ID offset assigned to the trusted domain"
- "5669": "Undefined Access (no effect) Bit 5"
- "5670": "Undefined Access (no effect) Bit 6"
- "5671": "Undefined Access (no effect) Bit 7"
- "5672": "Undefined Access (no effect) Bit 8"
- "5673": "Undefined Access (no effect) Bit 9"
- "5674": "Undefined Access (no effect) Bit 10"
- "5675": "Undefined Access (no effect) Bit 11"
- "5676": "Undefined Access (no effect) Bit 12"
- "5677": "Undefined Access (no effect) Bit 13"
- "5678": "Undefined Access (no effect) Bit 14"
- "5679": "Undefined Access (no effect) Bit 15"
- "5680": "Query account information"
- "5681": "Change privileges assigned to account"
- "5682": "Change quotas 
assigned to account"
- "5683": "Change logon capabilities assigned to account"
- "5684": "Change the Posix ID offset assigned to the accounted domain"
- "5685": "Undefined Access (no effect) Bit 5"
- "5686": "Undefined Access (no effect) Bit 6"
- "5687": "Undefined Access (no effect) Bit 7"
- "5688": "Undefined Access (no effect) Bit 8"
- "5689": "Undefined Access (no effect) Bit 9"
- "5690": "Undefined Access (no effect) Bit 10"
- "5691": "Undefined Access (no effect) Bit 11"
- "5692": "Undefined Access (no effect) Bit 12"
- "5693": "Undefined Access (no effect) Bit 13"
- "5694": "Undefined Access (no effect) Bit 14"
- "5695": "Undefined Access (no effect) Bit 15"
- "5696": "KeyedEvent Wait"
- "5697": "KeyedEvent Wake"
- "5698": "Undefined Access (no effect) Bit 2"
- "5699": "Undefined Access (no effect) Bit 3"
- "5700": "Undefined Access (no effect) Bit 4"
- "5701": "Undefined Access (no effect) Bit 5"
- "5702": "Undefined Access (no effect) Bit 6"
- "5703": "Undefined Access (no effect) Bit 7"
- "5704": "Undefined Access (no effect) Bit 8"
- "5705": "Undefined Access (no effect) Bit 9"
- "5706": "Undefined Access (no effect) Bit 10"
- "5707": "Undefined Access (no effect) Bit 11"
- "5708": "Undefined Access (no effect) Bit 12"
- "5709": "Undefined Access (no effect) Bit 13"
- "5710": "Undefined Access (no effect) Bit 14"
- "5711": "Undefined Access (no effect) Bit 15"
- "6656": "Enumerate desktops"
- "6657": "Read attributes"
- "6658": "Access Clipboard"
- "6659": "Create desktop"
- "6660": "Write attributes"
- "6661": "Access global atoms"
- "6662": "Exit windows"
- "6663": "Unused Access Flag"
- "6664": "Include this windowstation in enumerations"
- "6665": "Read screen"
- "6672": "Read Objects"
- "6673": "Create window"
- "6674": "Create menu"
- "6675": "Hook control"
- "6676": "Journal (record)"
- "6677": "Journal (playback)"
- "6678": "Include this desktop in enumerations"
- "6679": "Write objects"
- "6680": "Switch to this desktop"
- "6912": "Administer 
print server"
- "6913": "Enumerate printers"
- "6930": "Full Control"
- "6931": "Print"
- "6948": "Administer Document"
- "7168": "Connect to service controller"
- "7169": "Create a new service"
- "7170": "Enumerate services"
- "7171": "Lock service database for exclusive access"
- "7172": "Query service database lock state"
- "7173": "Set last-known-good state of service database"
- "7184": "Query service configuration information"
- "7185": "Set service configuration information"
- "7186": "Query status of service"
- "7187": "Enumerate dependencies of service"
- "7188": "Start the service"
- "7189": "Stop the service"
- "7190": "Pause or continue the service"
- "7191": "Query information from service"
- "7192": "Issue service-specific control commands"
- "7424": "DDE Share Read"
- "7425": "DDE Share Write"
- "7426": "DDE Share Initiate Static"
- "7427": "DDE Share Initiate Link"
- "7428": "DDE Share Request"
- "7429": "DDE Share Advise"
- "7430": "DDE Share Poke"
- "7431": "DDE Share Execute"
- "7432": "DDE Share Add Items"
- "7433": "DDE Share List Items"
- "7680": "Create Child"
- "7681": "Delete Child"
- "7682": "List Contents"
- "7683": "Write Self"
- "7684": "Read Property"
- "7685": "Write Property"
- "7686": "Delete Tree"
- "7687": "List Object"
- "7688": "Control Access"
- "7689": "Undefined Access (no effect) Bit 9"
- "7690": "Undefined Access (no effect) Bit 10"
- "7691": "Undefined Access (no effect) Bit 11"
- "7692": "Undefined Access (no effect) Bit 12"
- "7693": "Undefined Access (no effect) Bit 13"
- "7694": "Undefined Access (no effect) Bit 14"
- "7695": "Undefined Access (no effect) Bit 15"
- "7936": "Audit Set System Policy"
- "7937": "Audit Query System Policy"
- "7938": "Audit Set Per User Policy"
- "7939": "Audit Query Per User Policy"
- "7940": "Audit Enumerate Users"
- "7941": "Audit Set Options"
- "7942": "Audit Query Options"
- "8064": "Port sharing (read)"
- "8065": "Port sharing (write)"
- "8096": "Default credentials"
- "8097": 
"Credentials manager"
- "8098": "Fresh credentials"
- "8192": "Kerberos"
- "8193": "Preshared key"
- "8194": "Unknown authentication"
- "8195": "DES"
- "8196": "3DES"
- "8197": "MD5"
- "8198": "SHA1"
- "8199": "Local computer"
- "8200": "Remote computer"
- "8201": "No state"
- "8202": "Sent first (SA) payload"
- "8203": "Sent second (KE) payload"
- "8204": "Sent third (ID) payload"
- "8205": "Initiator"
- "8206": "Responder"
- "8207": "No state"
- "8208": "Sent first (SA) payload"
- "8209": "Sent final payload"
- "8210": "Complete"
- "8211": "Unknown"
- "8212": "Transport"
- "8213": "Tunnel"
- "8214": "IKE/AuthIP DoS prevention mode started"
- "8215": "IKE/AuthIP DoS prevention mode stopped"
- "8216": "Enabled"
- "8217": "Not enabled"
- "8218": "No state"
- "8219": "Sent first (EM attributes) payload"
- "8220": "Sent second (SSPI) payload"
- "8221": "Sent third (hash) payload"
- "8222": "IKEv1"
- "8223": "AuthIP"
- "8224": "Anonymous"
- "8225": "NTLM V2"
- "8226": "CGA"
- "8227": "Certificate"
- "8228": "SSL"
- "8229": "None"
- "8230": "DH group 1"
- "8231": "DH group 2"
- "8232": "DH group 14"
- "8233": "DH group ECP 256"
- "8234": "DH group ECP 384"
- "8235": "AES-128"
- "8236": "AES-192"
- "8237": "AES-256"
- "8238": "Certificate ECDSA P256"
- "8239": "Certificate ECDSA P384"
- "8240": "SSL ECDSA P256"
- "8241": "SSL ECDSA P384"
- "8242": "SHA 256"
- "8243": "SHA 384"
- "8244": "IKEv2"
- "8245": "EAP payload sent"
- "8246": "Authentication payload sent"
- "8247": "EAP"
- "8248": "DH group 24"
- "8272": "System"
- "8273": "Logon/Logoff"
- "8274": "Object Access"
- "8275": "Privilege Use"
- "8276": "Detailed Tracking"
- "8277": "Policy Change"
- "8278": "Account Management"
- "8279": "DS Access"
- "8280": "Account Logon"
- "8448": "Success removed"
- "8449": "Success Added"
- "8450": "Failure removed"
- "8451": "Failure Added"
- "8452": "Success include removed"
- "8453": "Success include added"
- "8454": "Success exclude removed"
- "8455": "Success exclude added"
- "8456": "Failure include removed"
- "8457": "Failure include added"
- "8458": "Failure exclude removed"
- "8459": "Failure exclude added"
- "12288": "Security State Change"
- "12289": "Security System Extension"
- "12290": "System Integrity"
- "12291": "IPsec Driver"
- "12292": "Other System Events"
- "12544": "Logon"
- "12545": "Logoff"
- "12546": "Account Lockout"
- "12547": "IPsec Main Mode"
- "12548": "Special Logon"
- "12549": "IPsec Quick Mode"
- "12550": "IPsec Extended Mode"
- "12551": "Other Logon/Logoff Events"
- "12552": "Network Policy Server"
- "12553": "User / Device Claims"
- "12554": "Group Membership"
- "12800": "File System"
- "12801": "Registry"
- "12802": "Kernel Object"
- "12803": "SAM"
- "12804": "Other Object Access Events"
- "12805": "Certification Services"
- "12806": "Application Generated"
- "12807": "Handle Manipulation"
- "12808": "File Share"
- "12809": "Filtering Platform Packet Drop"
- "12810": "Filtering Platform Connection"
- "12811": "Detailed File Share"
- "12812": "Removable Storage"
- "12813": "Central Policy Staging"
- "13056": "Sensitive Privilege Use"
- "13057": "Non Sensitive Privilege Use"
- "13058": "Other Privilege Use Events"
- "13312": "Process Creation"
- "13313": "Process Termination"
- "13314": "DPAPI Activity"
- "13315": "RPC Events"
- "13316": "Plug and Play Events"
- "13317": "Token Right Adjusted Events"
- "13568": "Audit Policy Change"
- "13569": "Authentication Policy Change"
- "13570": "Authorization Policy Change"
- "13571": "MPSSVC Rule-Level Policy Change"
- "13572": "Filtering Platform Policy Change"
- "13573": "Other Policy Change Events"
- "13824": "User Account Management"
- "13825": "Computer Account Management"
- "13826": "Security Group Management"
- "13827": "Distribution Group Management"
- "13828": "Application Group Management"
- "13829": "Other Account Management Events"
- "14080": "Directory Service Access"
- "14081": "Directory Service Changes"
- "14082": "Directory Service Replication"
- 
"14083": "Detailed Directory Service Replication"
- "14336": "Credential Validation"
- "14337": "Kerberos Service Ticket Operations"
- "14338": "Other Account Logon Events"
- "14339": "Kerberos Authentication Service"
- "14592": "Inbound"
- "14593": "Outbound"
- "14594": "Forward"
- "14595": "Bidirectional"
- "14596": "IP Packet"
- "14597": "Transport"
- "14598": "Forward"
- "14599": "Stream"
- "14600": "Datagram Data"
- "14601": "ICMP Error"
- "14602": "MAC 802.3"
- "14603": "MAC Native"
- "14604": "vSwitch"
- "14608": "Resource Assignment"
- "14609": "Listen"
- "14610": "Receive/Accept"
- "14611": "Connect"
- "14612": "Flow Established"
- "14614": "Resource Release"
- "14615": "Endpoint Closure"
- "14616": "Connect Redirect"
- "14617": "Bind Redirect"
- "14624": "Stream Packet"
- "14640": "ICMP Echo-Request"
- "14641": "vSwitch Ingress"
- "14642": "vSwitch Egress"
- "14672": ""
- "14673": "[NULL]"
- "14674": "Value Added"
- "14675": "Value Deleted"
- "14676": "Active Directory Domain Services"
- "14677": "Active Directory Lightweight Directory Services"
- "14678": "Yes"
- "14679": "No"
- "14680": "Value Added With Expiration Time"
- "14681": "Value Deleted With Expiration Time"
- "14688": "Value Auto Deleted With Expiration Time"
- "16384": "Add"
- "16385": "Delete"
- "16386": "Boot-time"
- "16387": "Persistent"
- "16388": "Not persistent"
- "16389": "Block"
- "16390": "Permit"
- "16391": "Callout"
- "16392": "MD5"
- "16393": "SHA-1"
- "16394": "SHA-256"
- "16395": "AES-GCM 128"
- "16396": "AES-GCM 192"
- "16397": "AES-GCM 256"
- "16398": "DES"
- "16399": "3DES"
- "16400": "AES-128"
- "16401": "AES-192"
- "16402": "AES-256"
- "16403": "Transport"
- "16404": "Tunnel"
- "16405": "Responder"
- "16406": "Initiator"
- "16407": "AES-GMAC 128"
- "16408": "AES-GMAC 192"
- "16409": "AES-GMAC 256"
- "16416": "AuthNoEncap Transport"
- "16896": "Enable WMI Account"
- "16897": "Execute Method"
- "16898": "Full Write"
- "16899": "Partial Write"
- "16900": "Provider Write"
- 
"16901": "Remote Access"
- "16902": "Subscribe"
- "16903": "Publish"
- AccessMaskDescriptions:
- "0x00000001": Create Child
- "0x00000002": Delete Child
- "0x00000004": List Contents
- "0x00000008": SELF
- "0x00000010": Read Property
- "0x00000020": Write Property
- "0x00000040": Delete Treee
- "0x00000080": List Object
- "0x00000100": Control Access
- "0x00010000": DELETE
- "0x00020000": READ_CONTROL
- "0x00040000": WRITE_DAC
- "0x00080000": WRITE_OWNER
- "0x00100000": SYNCHRONIZE
- "0x00F00000": STANDARD_RIGHTS_REQUIRED
- "0x001F0000": STANDARD_RIGHTS_ALL
- "0x0000FFFF": SPECIFIC_RIGHTS_ALL
- "0x01000000": ADS_RIGHT_ACCESS_SYSTEM_SECURITY
- "0x10000000": ADS_RIGHT_GENERIC_ALL
- "0x20000000": ADS_RIGHT_GENERIC_EXECUTE
- "0x40000000": ADS_RIGHT_GENERIC_WRITE
- "0x80000000": ADS_RIGHT_GENERIC_READ
- source: |-
- if (ctx?.winlog?.event_data?.FailureReason != null) {
- def code = ctx.winlog.event_data.FailureReason.replace("%%","");
- if (params.descriptions.containsKey(code)) {
- if (ctx?.winlog?.logon == null ) {
- HashMap hm = new HashMap();
- ctx.winlog.put("logon", hm);
- }
- if (ctx?.winlog?.logon?.failure == null) {
- HashMap hm = new HashMap();
- ctx.winlog.logon.put("failure", hm);
- }
- ctx.winlog.logon.failure.put("reason", params.descriptions[code]);
- }
- }
- if (ctx?.winlog?.event_data?.AuditPolicyChanges != null) {
- ArrayList results = new ArrayList();
- for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) {
- def code = elem.replace("%%","").trim();
- if (params.descriptions.containsKey(code)) {
- results.add(params.descriptions[code]);
- }
- }
- if (results.length > 0) {
- ctx.winlog.event_data.put("AuditPolicyChangesDescription", results);
- }
- }
- if (ctx?.winlog?.event_data?.AccessList != null) {
- ArrayList results = new ArrayList();
- for (elem in ctx.winlog.event_data.AccessList.splitOnToken(" ")) {
- def code = elem.replace("%%","").trim();
- if (params.descriptions.containsKey(code)) {
- 
results.add(params.descriptions[code]);
- }
- }
- if (results.length > 0) {
- ctx.winlog.event_data.put("AccessListDescription", results);
- }
- }
- if (ctx?.winlog?.event_data?.AccessMask != null) {
- ArrayList results = new ArrayList();
- Long accessMask = Long.decode(ctx.winlog.event_data.AccessMask);
- for (entry in params.AccessMaskDescriptions.entrySet()) {
- Long accessFlag = Long.decode(entry.getKey());
- if ((accessMask.longValue() & accessFlag.longValue()) == accessFlag.longValue()) {
- results.add(entry.getValue());
- }
- }
- if (results.length > 0) {
- ctx.winlog.event_data.put("AccessMaskDescription", results);
- }
- }
- - script:
- lang: painless
- ignore_failure: false
- tag: 4625 and 4776 Set Status and SubStatus
- description: 4625 and 4776 Set Status and SubStatus
- # Descriptions of failure status codes.
- # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
- # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
- params:
- "0xc000005e": "There are currently no logon servers available to service the logon request."
- "0xc0000064": "User logon with misspelled or bad user account"
- "0xc000006a": "User logon with misspelled or bad password"
- "0xc000006d": "This is either due to a bad username or authentication information"
- "0xc000006e": "Unknown user name or bad password."
- "0xc000006f": "User logon outside authorized hours"
- "0xc0000070": "User logon from unauthorized workstation"
- "0xc0000071": "User logon with expired password"
- "0xc0000072": "User logon to account disabled by administrator"
- "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation."
- "0xc0000133": "Clocks between DC and other computer too far out of sync" - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine" - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed." - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started." - "0xc0000193": "User logon with expired account" - "0xc0000224": "User is required to change password at next logon" - "0xc0000225": "Evidently a bug in Windows and not a risk" - "0xc0000234": "User logon with account locked" - "0xc00002ee": "Failure Reason: An Error occurred during Logon" - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine." - "0xc0000371": "The local account store does not contain secret material for the specified account" - "0x0": "Status OK." - source: |- - if (ctx?.winlog?.event_data?.Status == null || - ctx?.event?.code == null || - !["4625", "4776"].contains(ctx.event.code)) { - return; - } - if (params.containsKey(ctx.winlog.event_data.Status)) { - if (ctx?.winlog?.logon == null ) { - HashMap hm = new HashMap(); - ctx.winlog.put("logon", hm); - } - if (ctx?.winlog?.logon?.failure == null) { - HashMap hm = new HashMap(); - ctx.winlog.logon.put("failure", hm); - } - ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]); - } - if (ctx?.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) { - return; - } - if (ctx?.winlog?.logon == null ) { - HashMap hm = new HashMap(); - ctx.winlog.put("logon", hm); - } - if (ctx?.winlog?.logon?.failure == null) { - HashMap hm = new HashMap(); - ctx.winlog.logon.put("failure", hm); - } - ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]); - - script: - lang: painless - ignore_failure: false - 
tag: Set Trust Type - description: Set Trust Type - # Trust Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - params: - "1": "TRUST_TYPE_DOWNLEVEL" - "2": "TRUST_TYPE_UPLEVEL" - "3": "TRUST_TYPE_MIT" - "4": "TRUST_TYPE_DCE" - source: |- - if (ctx?.winlog?.event_data?.TdoType == null) { - return; - } - if (!params.containsKey(ctx.winlog.event_data.TdoType)) { - return; - } - ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]); - - script: - lang: painless - ignore_failure: false - tag: Set Trust Direction - description: Set Trust Direction - # Trust Direction - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - params: - "0": "TRUST_DIRECTION_DISABLED" - "1": "TRUST_DIRECTION_INBOUND" - "2": "TRUST_DIRECTION_OUTBOUND" - "3": "TRUST_DIRECTION_BIDIRECTIONAL" - source: |- - if (ctx?.winlog?.event_data?.TdoDirection == null) { - return; - } - if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) { - return; - } - ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]); - - script: - lang: painless - ignore_failure: false - tag: Set Trust Attributes - description: Set Trust Attributes - # Trust Attributes - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - params: - "0": "UNDEFINED" - "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE" - "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY" - "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN" - "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE" - "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION" - "32": "TRUST_ATTRIBUTE_WITHIN_FOREST" - "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" - "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION" - "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION" - "1024": "TRUST_ATTRIBUTE_PIM_TRUST" - source: |- - if (ctx?.winlog?.event_data?.TdoAttributes == null) { - return; - } - if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) { - return; - } - 
ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]); - - script: - lang: painless - ignore_failure: false - tag: Add Session Events - description: Add Session Events - source: |- - if (ctx?.event?.code == null || - !["4778", "4779"].contains(ctx.event.code)) { - return; - } - //AccountName to user.name and related.user - if (ctx?.winlog?.event_data?.AccountName != null) { - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - ctx.user.put("name", ctx.winlog.event_data.AccountName); - if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) { - ctx.related.user.add(ctx.winlog.event_data.AccountName); - } - } - - //AccountDomain to user.domain - if (ctx?.winlog?.event_data?.AccountDomain != null) { - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("domain", ctx.winlog.event_data.AccountDomain); - } - - //ClientAddress to source.ip and related.ip - if (ctx?.winlog?.event_data?.ClientAddress != null && - ctx.winlog.event_data.ClientAddress != "-") { - if (ctx?.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - if (ctx?.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx?.related?.ip == null) { - ArrayList al = new ArrayList(); - ctx.related.put("ip", al); - } - ctx.source.put("ip", ctx.winlog.event_data.ClientAddress); - if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) { - ctx.related.ip.add(ctx.winlog.event_data.ClientAddress); - } - } - - //ClientName to source.domain - if (ctx?.winlog?.event_data?.ClientName != null) { - if (ctx?.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - ctx.source.put("domain", ctx.winlog.event_data.ClientName); - } - - 
//LogonID to winlog.logon.id - if (ctx?.winlog?.event_data?.LogonID != null) { - if (ctx?.winlog?.logon == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("logon", hm); - } - ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID); - } - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User - description: Copy Target User - source: |- - if (ctx?.event?.code == null || - !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770", - "4771", "4776", "4964"].contains(ctx.event.code)) { - return; - } - - def targetUserId = ctx?.winlog?.event_data?.TargetUserSid; - if (targetUserId == null) { - targetUserId = ctx?.winlog?.event_data?.TargetSid; - } - - //TargetUserSid to user.id or user.target.id - if (targetUserId != null) { - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.user?.id == null) { - ctx.user.put("id", targetUserId); - } else { - if (ctx?.user?.target == null) { - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - ctx.user.target.put("id", targetUserId); - } - } - - //TargetUserName to related.user and user.name or user.target.name - if (ctx?.winlog?.event_data?.TargetUserName != null) { - def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@"); - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.user?.name == null) { - ctx.user.put("name", tun[0]); - } else { - if (ctx?.user?.target == null) { - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - ctx.user.target.put("name", tun[0]); - } - if (ctx?.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(tun[0])) { - ctx.related.user.add(tun[0]); - } - } - //TargetUserDomain to user.domain or user.target.domain - if (ctx?.winlog?.event_data?.TargetDomainName != null) { - if (ctx?.user == null) 
{ - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.user?.domain == null) { - ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName); - } else { - if (ctx?.user?.target == null){ - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName); - } - } - - script: - lang: painless - ignore_failure: false - tag: Copy MemberName to User and User to Group - description: Copy MemberName to User and User to Group - source: |- - if (ctx?.event?.code == null || - !["4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735", - "4737", "4744", "4745", "4746", "4747", "4748", "4749", "4750", "4751", - "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", "4760", - "4761", "4762", "4763", "4764", "4799"].contains(ctx.event.code)) { - return; - } - if (ctx?.winlog?.event_data?.MemberName != null) { - def memberNameParts = ctx.winlog.event_data.MemberName.splitOnToken(","); - def memberName = memberNameParts[0].replace("CN=","").replace("cn=",""); - if (ctx?.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.user?.target == null){ - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - ctx.user.target.put("name", memberName); - if (!ctx.related.user.contains(memberName)) { - ctx.related.user.add(memberName); - } - if (memberNameParts.length >= 4) { - def domain = memberNameParts[3].replace("DC=", "").replace("dc=", ""); - ctx.user.target.put("domain", domain); - } - } - if (ctx?.winlog?.event_data?.TargetUserSid != null) { - if (ctx?.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - ctx.group.put("id", ctx.winlog.event_data.TargetUserSid); - } - if (ctx?.winlog?.event_data?.TargetSid != null) { - if 
(ctx?.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - ctx.group.put("id", ctx.winlog.event_data.TargetSid); - } - if (ctx?.winlog?.event_data?.TargetUserName != null) { - if (ctx?.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - ctx.group.put("name", ctx.winlog.event_data.TargetUserName); - } - if (ctx?.winlog?.event_data?.TargetDomainName != null) { - if (ctx?.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - def domain = ctx.winlog.event_data.TargetDomainName.replace("DC=", "").replace("dc=", ""); - ctx.group.put("domain", domain); - } - if (ctx?.user?.target != null) { - if (ctx?.user?.target?.group == null) { - HashMap hm = new HashMap(); - ctx.user.target.put("group", hm); - } - if (ctx?.group?.id != null) { - ctx.user.target.group.put("id", ctx.group.id); - } - if (ctx?.group?.name != null) { - ctx.user.target.group.put("name", ctx.group.name); - } - if (ctx?.group?.domain != null) { - ctx.user.target.group.put("domain", ctx.group.domain); - } - } - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User to Computer Object - description: Copy Target User to Computer Object - source: |- - if (ctx?.event?.code == null || - !["4741", "4742", "4743"].contains(ctx.event.code)) { - return; - } - if (ctx?.winlog?.event_data?.TargetSid != null) { - if (ctx?.winlog?.computerObject == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("computerObject", hm); - } - ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid); - } - if (ctx?.winlog?.event_data?.TargetUserName != null) { - if (ctx?.winlog?.computerObject == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("computerObject", hm); - } - ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName); - } - if (ctx?.winlog?.event_data?.TargetDomainName != null) { - if (ctx?.winlog?.computerObject == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("computerObject", hm); - 
} - ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName); - } - - - set: - field: winlog.logon.id - copy_from: winlog.event_data.TargetLogonId - ignore_failure: false - if: ctx?.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code) - - - script: - lang: painless - ignore_failure: false - tag: Copy Subject User from Event Data - description: Copy Subject User from Event Data - source: |- - if (ctx?.event?.code == null || - !["4657", "4670", "4672", "4673", "4674", "4688", "4689", "4697", - "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713", - "4716", "4717", "4718", "4719", "4720", "4722", "4723", "4724", - "4725", "4726", "4727", "4728", "4729", "4730", "4731", "4732", - "4733", "4734", "4735", "4737", "4738", "4739", "4740", "4741", - "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749", - "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757", - "4758", "4759", "4760", "4761", "4762", "4763", "4764", "4767", - "4781", "4798", "4799", "4817", "4904", "4905", "4907", "4912", - "4648"].contains(ctx.event.code)) { - return; - } - if (ctx?.winlog?.event_data?.SubjectUserSid != null) { - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid); - } - if (ctx?.winlog?.event_data?.SubjectUserName != null) { - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - ctx.user.put("name", ctx.winlog.event_data.SubjectUserName); - if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) { - ctx.related.user.add(ctx.winlog.event_data.SubjectUserName); - } - } - if (ctx?.winlog?.event_data?.SubjectDomainName != null) { - if (ctx?.user == null) { - HashMap hm = new HashMap(); - 
ctx.put("user", hm); - } - ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName); - } - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User to Target - description: Copy Target User to Target - source: |- - if (ctx?.event?.code == null || - !["4670", "4720", "4722", "4723", "4724", "4725", - "4726", "4738", "4740", "4767", "4798", "4817", - "4907"].contains(ctx.event.code)) { - return; - } - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.user?.target == null) { - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - def userId = ctx?.winlog?.event_data?.TargetSid; - if (userId != null && userId != "" && userId != "-") ctx.user.target.id = userId; - def userName = ctx?.winlog?.event_data?.TargetUserName; - if (userName != null && userName != "" && userName != "-") { - ctx.user.target.name = userName; - def parts = userName.splitOnToken("@"); - if (parts.length > 1) { - ctx.user.target.name = parts[0]; - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(ctx.user.target.name)) { - ctx.related.user.add(ctx.user.target.name); - } - } - def userDomain = ctx?.winlog?.event_data?.TargetDomainName; - if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.target.domain = userDomain; - if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove("target"); - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User to Effective - description: Copy Target User to Effective - source: |- - if (ctx?.event?.code == null || - !["4648", "4688"].contains(ctx.event.code)) { - return; - } - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.user?.effective == null) { - HashMap hm = new HashMap(); - ctx.user.put("effective", hm); - } - def userId = ctx?.winlog?.event_data?.TargetUserSid; - if (userId != null && 
userId != "" && userId != "-") ctx.user.effective.id = userId; - def userName = ctx?.winlog?.event_data?.TargetUserName; - if (userName != null && userName != "" && userName != "-") { - ctx.user.effective.name = userName; - def parts = userName.splitOnToken("@"); - if (parts.length > 1) { - ctx.user.effective.name = parts[0]; - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(ctx.user.effective.name)) { - ctx.related.user.add(ctx.user.effective.name); - } - } - def userDomain = ctx?.winlog?.event_data?.TargetDomainName; - if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.effective.domain = userDomain; - if (ctx.user?.effective != null && ctx.user.effective.size() == 0) ctx.user.remove("effective"); - - - script: - lang: painless - ignore_failure: false - tag: Copy Subject User from user_data - description: Copy Subject User from user_data - source: |- - if (ctx?.event?.code == null || - !["1102"].contains(ctx.event.code)) { - return; - } - if (ctx?.winlog?.user_data?.SubjectUserSid != null) { - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid); - } - if (ctx?.winlog?.user_data?.SubjectUserName != null) { - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - ctx.user.put("name", ctx.winlog.user_data.SubjectUserName); - if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) { - ctx.related.user.add(ctx.winlog.user_data.SubjectUserName); - } - } - if (ctx?.winlog?.user_data?.SubjectDomainName != null) { - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("domain", 
ctx.winlog.user_data.SubjectDomainName); - } - - - set: - field: winlog.logon.id - copy_from: winlog.event_data.SubjectLogonId - ignore_failure: true - - - set: - field: winlog.logon.id - copy_from: winlog.user_data.SubjectLogonId - ignore_failure: true - if: |- - ctx?.event?.code != null && - ["1102"].contains(ctx.event.code) - - - script: - lang: painless - ignore_failure: false - tag: Rename Common Auth Fields - description: Rename Common Auth Fields - source: |- - if (ctx?.event?.code == null || - !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625", - "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722", - "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730", - "4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740", - "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", - "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756", - "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764", - "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817", - "4904", "4905", "4907", "4912"].contains(ctx.event.code)) { - return; - } - if (ctx?.winlog?.event_data?.ProcessId != null) { - if (ctx?.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - if (ctx.winlog.event_data.ProcessId instanceof String) { - Long pid = Long.decode(ctx.winlog.event_data.ProcessId); - ctx.process.put("pid", pid.longValue()); - } else { - ctx.process.put("pid", ctx.winlog.event_data.ProcessId); - } - ctx.winlog.event_data.remove("ProcessId"); - } - if (ctx?.winlog?.event_data?.ProcessName != null) { - if (ctx?.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - ctx.process.put("executable", ctx.winlog.event_data.ProcessName); - ctx.winlog.event_data.remove("ProcessName"); - } - if (ctx?.winlog?.event_data?.IpAddress != null && - ctx.winlog.event_data.IpAddress != "-") { - if (ctx?.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - 
ctx.source.put("ip", ctx.winlog.event_data.IpAddress); - ctx.winlog.event_data.remove("IpAddress"); - } - if (ctx?.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") { - if (ctx?.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort)); - ctx.winlog.event_data.remove("IpPort"); - } - if (ctx?.winlog?.event_data?.WorkstationName != null) { - if (ctx?.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - ctx.source.put("domain", ctx.winlog.event_data.WorkstationName); - ctx.winlog.event_data.remove("WorkstationName"); - } - if (ctx?.winlog?.event_data?.ClientAddress != null && - ctx.winlog.event_data.ClientAddress != "-") { - if (ctx?.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - ctx.related.put("ip", ctx.winlog.event_data.ClientAddress); - ctx.winlog.event_data.remove("ClientAddress"); - } - if (ctx?.process?.name == null && ctx?.process?.executable != null) { - def parts = ctx.process.executable.splitOnToken("\\"); - ctx.process.put("name", parts[-1]); - } - - - script: - lang: painless - ignore_failure: false - tag: Process Event 4688 - description: Process Event 4688 - source: |- - if (ctx?.event?.code == null || - !["4688"].contains(ctx.event.code)) { - return; - } - if (ctx?.winlog?.event_data?.NewProcessId != null) { - if (ctx?.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - if (ctx.winlog.event_data.NewProcessId instanceof String) { - Long pid = Long.decode(ctx.winlog.event_data.NewProcessId); - ctx.process.put("pid", pid.longValue()); - } else { - ctx.process.put("pid", ctx.winlog.event_data.NewProcessId); - } - ctx.winlog.event_data.remove("NewProcessId"); - } - if (ctx?.winlog?.event_data?.NewProcessName != null) { - if (ctx?.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - ctx.process.put("executable", 
ctx.winlog.event_data.NewProcessName); - ctx.winlog.event_data.remove("NewProcessName"); - } - if (ctx?.winlog?.event_data?.ParentProcessName != null) { - if (ctx?.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - if (ctx?.process?.parent == null) { - HashMap hm = new HashMap(); - ctx.process.put("parent", hm); - } - ctx.process.parent.put("executable", ctx.winlog.event_data.ParentProcessName); - ctx.winlog.event_data.remove("ParentProcessName"); - } - if (ctx?.process?.name == null && ctx?.process?.executable != null) { - def parts = ctx.process.executable.splitOnToken("\\"); - ctx.process.put("name", parts[-1]); - } - if (ctx?.process?.parent?.name == null && ctx?.process?.parent?.executable != null) { - def parts = ctx.process.parent.executable.splitOnToken("\\"); - ctx.process.parent.put("name", parts[-1]); - } - if (ctx?.winlog?.event_data?.CommandLine != null) { - int start = 0; - int end = 0; - boolean in_quote = false; - ArrayList al = new ArrayList(); - for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) { - end = i; - if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) { - if (in_quote) { - in_quote = false; - } else { - in_quote = true; - } - } - if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) { - al.add(ctx.winlog.event_data.CommandLine.substring(start, end)); - start = i + 1; - } - if (i == ctx.winlog.event_data.CommandLine.length() - 1) { - al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1)); - } - } - if (ctx?.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - ctx.process.put("args", al); - ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); - } - if ((ctx?.winlog?.event_data?.TargetUserName != null) && - (!ctx.winlog.event_data.TargetUserName.equals("-"))) { - if (ctx?.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if 
(ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) { - ctx.related.user.add(ctx.winlog.event_data.TargetUserName); - } - } - - - append: - field: related.user - value: '{{winlog.event_data.SubjectUserName}}' - allow_duplicates: false - if: |- - ctx?.event?.code != null && - ["4624", "4648"].contains(ctx.event.code) && - ctx?.winlog?.event_data?.SubjectUserName != null && - ctx.winlog.event_data.SubjectUserName != "-" - - - append: - field: related.user - value: '{{winlog.event_data.TargetUserName}}' - allow_duplicates: false - if: |- - ctx?.event?.code != null && - ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738", - "4740", "4767", "4798"].contains(ctx.event.code) && - ctx?.winlog?.event_data?.TargetUserName != null && - ctx.winlog.event_data.TargetUserName != "-" - - - split: - field: winlog.event_data.PrivilegeList - separator: "\\s+" - if: |- - ctx?.event?.code != null && - ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) && - ctx?.winlog?.event_data?.PrivilegeList != null - - - set: - field: user.target.name - copy_from: winlog.event_data.OldTargetUserName - ignore_empty_value: true - - - set: - field: user.changes.name - copy_from: winlog.event_data.NewTargetUserName - ignore_empty_value: true - - - append: - field: related.user - value: '{{winlog.event_data.NewTargetUserName}}' - allow_duplicates: false - if: |- - ctx?.winlog?.event_data?.NewTargetUserName != null && - ctx.winlog.event_data.NewTargetUserName != "-" - - - append: - field: related.user - value: '{{winlog.event_data.OldTargetUserName}}' - allow_duplicates: false - if: |- - ctx?.winlog?.event_data?.OldTargetUserName != null && - ctx.winlog.event_data.OldTargetUserName != "-" - + - pipeline: + name: '{{ IngestPipeline "standard" }}' + if: 'ctx?.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", 
"Microsoft-Windows-Security-Auditing"].contains(ctx.winlog.provider_name)' - gsub: field: source.ip pattern: "::ffff:" replacement: "" ignore_missing: true - - append: field: related.ip value: '{{source.ip}}' 
@@ -2972,392 +23,34 @@ processors:
if: |-
ctx?.source?.ip != null &&
ctx.source.ip != "-"
-
- - script:
- lang: painless
- ignore_failure: false
- tag: Object Policy Change and SidListDesc
- description: Object Policy Change and SidListDesc
- # SDDL Ace Types
- # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
- # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
- # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
- # SDDL Permissions
- # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
- # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
- # Known SIDs
- # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems
- # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings
- # Domain-specific SIDs
- # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
- # Object Permission Flags
- # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b
- params:
- AccountSIDDescription:
- AO: Account operators
- RU: Alias to allow previous Windows 2000
- AN: Anonymous logon
- AU: Authenticated users
- BA: Built-in administrators
- BG: Built-in guests
- BO: Backup operators
- BU: Built-in users
- CA: Certificate server administrators
- CG: Creator group
- CO: Creator owner
- DA: Domain administrators
- DC: Domain computers
- DD: Domain controllers
- DG: Domain guests
- DU: Domain users
- EA: Enterprise administrators
- ED: Enterprise domain controllers
- WD: Everyone
- PA: Group Policy administrators
- IU: Interactively logged-on user
- LA: Local administrator
- LG: Local guest
- LS: Local service account
- SY: Local system
- NU: Network logon user
- NO: Network configuration operators
- NS: Network 
service account - PO: Printer operators - PS: Personal self - PU: Power users - RS: RAS servers group - RD: Terminal server users - RE: Replicator - RC: Restricted code - SA: Schema administrators - SO: Server operators - SU: Service logon user - S-1-0: Null Authority - S-1-0-0: Nobody - S-1-1: World Authority - S-1-1-0: Everyone - S-1-16-0: Untrusted Mandatory Level - S-1-16-12288: High Mandatory Level - S-1-16-16384: System Mandatory Level - S-1-16-20480: Protected Process Mandatory Level - S-1-16-28672: Secure Process Mandatory Level - S-1-16-4096: Low Mandatory Level - S-1-16-8192: Medium Mandatory Level - S-1-16-8448: Medium Plus Mandatory Level - S-1-2: Local Authority - S-1-2-0: Local - S-1-2-1: Console Logon - S-1-3: Creator Authority - S-1-3-0: Creator Owner - S-1-3-1: Creator Group - S-1-3-2: Creator Owner Server - S-1-3-3: Creator Group Server - S-1-3-4: Owner Rights - S-1-4: Non-unique Authority - S-1-5: NT Authority - S-1-5-1: Dialup - S-1-5-10: Principal Self - S-1-5-11: Authenticated Users - S-1-5-12: Restricted Code - S-1-5-13: Terminal Server Users - S-1-5-14: Remote Interactive Logon - S-1-5-15: This Organization - S-1-5-17: This Organization - S-1-5-18: Local System - S-1-5-19: NT Authority - S-1-5-2: Network - S-1-5-20: NT Authority - S-1-5-3: Batch - S-1-5-32-544: Administrators - S-1-5-32-545: Users - S-1-5-32-546: Guests - S-1-5-32-547: Power Users - S-1-5-32-548: Account Operators - S-1-5-32-549: Server Operators - S-1-5-32-550: Print Operators - S-1-5-32-551: Backup Operators - S-1-5-32-552: Replicators - S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access - S-1-5-32-555: Builtin\Remote Desktop Users - S-1-5-32-556: Builtin\Network Configuration Operators - S-1-5-32-557: Builtin\Incoming Forest Trust Builders - S-1-5-32-558: Builtin\Performance Monitor Users - S-1-5-32-559: Builtin\Performance Log Users - S-1-5-32-560: Builtin\Windows Authorization Access Group - S-1-5-32-561: Builtin\Terminal Server License Servers - S-1-5-32-562: 
Builtin\Distributed COM Users - S-1-5-32-569: Builtin\Cryptographic Operators - S-1-5-32-573: Builtin\Event Log Readers - S-1-5-32-574: Builtin\Certificate Service DCOM Access - S-1-5-32-575: Builtin\RDS Remote Access Servers - S-1-5-32-576: Builtin\RDS Endpoint Servers - S-1-5-32-577: Builtin\RDS Management Servers - S-1-5-32-578: Builtin\Hyper-V Administrators - S-1-5-32-579: Builtin\Access Control Assistance Operators - S-1-5-32-580: Builtin\Remote Management Users - S-1-5-32-582: Storage Replica Administrators - S-1-5-4: Interactive - S-1-5-5-X-Y: Logon Session - S-1-5-6: Service - S-1-5-64-10: NTLM Authentication - S-1-5-64-14: SChannel Authentication - S-1-5-64-21: Digest Authentication - S-1-5-7: Anonymous - S-1-5-8: Proxy - S-1-5-80: NT Service - S-1-5-80-0: All Services - S-1-5-83-0: NT Virtual Machine\Virtual Machines - S-1-5-9: Enterprise Domain Controllers - S-1-5-90-0: Windows Manager\Windows Manager Group - AceTypes: - A: Access Allowed - D: Access Denied - OA: Object Access Allowed - OD: Object Access Denied - AU: System Audit - AL: System Alarm - OU: System Object Audit - OL: System Object Alarm - ML: System Mandatory Label - SP: Central Policy ID - DomainSpecificSID: - "498": Enterprise Read-only Domain Controllers - "500": Administrator - "501": Guest - "502": KRBTGT - "512": Domain Admins - "513": Domain Users - "514": Domain Guests - "515": Domain Computers - "516": Domain Controllers - "517": Cert Publishers - "518": Schema Admins - "519": Enterprise Admins - "520": Group Policy Creator Owners - "521": Read-only Domain Controllers - "522": Cloneable Domain Controllers - "526": Key Admins - "527": Enterprise Key Admins - "553": RAS and IAS Servers - "571": Allowed RODC Password Replication Group - "572": Denied RODC Password Replication Group - PermissionDescription: - GA: Generic All - GR: Generic Read - GW: Generic Write - GX: Generic Execute - RC: Read Permissions - SD: Delete - WD: Modify Permissions - WO: Modify Owner - RP: Read All 
Properties - WP: Write All Properties - CC: Create All Child Objects - DC: Delete All Child Objects - LC: List Contents - SW: All Validated - LO: List Object - DT: Delete Subtree - CR: All Extended Rights - FA: File All Access - FR: File Generic Read - FX: FILE GENERIC EXECUTE - FW: FILE GENERIC WRITE - KA: KEY ALL ACCESS - KR: KEY READ - KW: KEY WRITE - KX: KEY EXECUTE - PermsFlags: - "0x80000000": 'Generic Read' - "0x4000000": 'Generic Write' - "0x20000000": 'Generic Execute' - "0x10000000": 'Generic All' - "0x02000000": 'Maximum Allowed' - "0x01000000": 'Access System Security' - "0x00100000": 'Syncronize' - "0x00080000": 'Write Owner' - "0x00040000": 'Write DACL' - "0x00020000": 'Read Control' - "0x00010000": 'Delete' - source: |- - ArrayList translatePermissionMask(def mask, def params) { - ArrayList al = new ArrayList(); - Long permCode = Long.decode(mask); - for (entry in params.PermsFlags.entrySet()) { - Long permFlag = Long.decode(entry.getKey()); - if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) { - al.add(entry.getValue()); - } - } - if (al.length == 0) { - al.add(mask); - } - return al; - } - - HashMap translateACL(def dacl, def params) { - def aceArray = dacl.splitOnToken(";"); - HashMap hm = new HashMap(); - - if (aceArray.length >= 6 ) { - hm.put("grantee", translateSID(aceArray[5], params)); - } - - if (aceArray.length >= 1) { - hm.put("type", params.AceTypes[aceArray[0]]); - } - - if (aceArray.length >= 3) { - if (aceArray[2].startsWith("0x")) { - hm.put("perms", translatePermissionMask(aceArray[2], params)); - } else { - ArrayList al = new ArrayList(); - Pattern permPattern = /.{1,2}/; - Matcher permMatcher = permPattern.matcher(aceArray[2]); - while (permMatcher.find()) { - al.add(params.PermissionDescription[permMatcher.group(0)]); - } - hm.put("perms", al); - } - } - return hm; - } - String translateSID(def sid, def params) { - if (!params.AccountSIDDescription.containsKey(sid)) { - if (sid.startsWith("S-1-5-21")) { - 
Pattern uidPattern = /[0-9]{1,5}$/; - Matcher uidMatcher = uidPattern.matcher(sid); - if (uidMatcher.find()) { - return params.DomainSpecificSID[uidMatcher.group(0)]; - } - return sid; - } - return sid; - } - return params.AccountSIDDescription[sid]; - } - - - void enrichSDDL(def sddlStr, def Sd, def params, def ctx) { - Pattern sdOwnerPattern = /^O\:[A-Z]{2}/; - Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr); - if (sdOwnerMatcher.find()) { - ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params)); - } - - Pattern sdGroupPattern = /^G\:[A-Z]{2}/; - Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr); - if (sdGroupMatcher.find()) { - ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params)); - } - - Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/; - Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr); - if (sdDaclMatcher.find()) { - Pattern dacListPattern = /\([^*\)]*\)/; - Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1)); - for (def i = 0; dacListMatcher.find(); i++) { - def newDacl = translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params); - ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")"); - if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) { - if (ctx?.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(newDacl['grantee'])) { - ctx.related.user.add(newDacl['grantee']); - } - } - } - } - - Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/; - Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr); - if (sdSaclMatcher.find()) { - Pattern sacListPattern = /\([^*\)]*\)/; - Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0)); - for (def i = 0; 
sacListMatcher.find(); i++) {
- def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params);
- ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + newSacl['type'] + " (" + newSacl['perms'] + ")");
- if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) {
- if (ctx?.related == null) {
- HashMap hm = new HashMap();
- ctx.put("related", hm);
- }
- if (ctx?.related?.user == null) {
- ArrayList al = new ArrayList();
- ctx.related.put("user", al);
- }
- if (!ctx.related.user.contains(newSacl['grantee'])) {
- ctx.related.user.add(newSacl['grantee']);
- }
- }
- }
- }
- }
-
- void splitSidList(def sids, def params, def ctx) {
- ArrayList al = new ArrayList();
- def sidList = sids.splitOnToken(" ");
- ctx.winlog.event_data.put("SidList", sidList);
- for (def i = 0; i < sidList.length; i++ ) {
- al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params));
- }
- ctx.winlog.event_data.put("SidListDesc", al);
- }
-
- if (ctx?.event?.code == null ||
- !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) {
- return;
- }
- if (ctx?.winlog?.event_data?.OldSd != null) {
- enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx);
- }
- if (ctx?.winlog?.event_data?.NewSd != null) {
- enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx);
- }
- if (ctx?.winlog?.event_data?.SidList != null) {
- splitSidList(ctx.winlog.event_data.SidList, params, ctx);
- }
-
- convert:
field: winlog.record_id
type: string
ignore_missing: true
-
- convert:
field: winlog.event_id
type: string
ignore_missing: true
-
- set:
field: ecs.version
value: '1.12.0'
-
- set:
field: log.level
copy_from: winlog.level
ignore_empty_value: true
ignore_failure: true
if: ctx?.winlog?.level != ""
-
- date:
field: winlog.time_created
formats:
- ISO8601
ignore_failure: true
if: ctx?.winlog?.time_created != null
-
- remove:
field: event.original
if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))"
ignore_failure: true
ignore_missing: true
-
on_failure:
- set:
field: error.message
diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
new file mode 100644
index 00000000000..8cd3dcc16c5
--- /dev/null
+++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
@@ -0,0 +1,3311 @@ +--- +description: Pipeline for Windows Security events +processors: + - script: + lang: painless + ignore_failure: false + tag: Set ECS categorization fields + description: Set ECS categorization fields + params: + "1100": + category: + - process + type: + - end + action: logging-service-shutdown + "1102": + category: + - iam + type: + - admin + - change + action: audit-log-cleared + "1104": + category: + - iam + type: + - admin + action: logging-full + "1105": + category: + - iam + type: + - admin + action: auditlog-archieved + "1108": + category: + - iam + type: + - admin + action: logging-processing-error + "4610": + category: + - configuration + type: + - access + action: authentication-package-loaded + "4611": + category: + - configuration + type: + - change + action: trusted-logon-process-registered + "4614": + category: + - configuration + type: + - access + action: notification-package-loaded + "4616": + category: + - configuration + type: + - change + action: system-time-changed + "4622": + category: + - configuration + type: + - access + action: security-package-loaded + "4624": + category: + - authentication + type: + - start + action: logged-in + "4625": + category: + - authentication + type: + - start + action: logon-failed + "4634": + category: + - authentication + type: + - end + action: logged-out + "4647": + category: + - authentication + type: + - end + action: logged-out + "4648": + category: + - authentication + type: + - start + action: logged-in-explicit + "4657": + category: + - registry + - configuration + type: + - change + action: registry-value-modified + "4670": + category: + - iam + - configuration + type: + - admin + - change + action: permissions-changed + "4672": + category: + - iam + type: + - admin + action: logged-in-special + "4673": + category: + - iam + type: + - admin + action: privileged-service-called + "4674": + category: + - iam + type: + - admin + action: privileged-operation + "4688": + category: + - 
process + type: + - start + action: created-process + "4689": + category: + - process + type: + - end + action: exited-process + "4697": + category: + - iam + - configuration + type: + - admin + - change + action: service-installed + "4698": + category: + - iam + - configuration + type: + - creation + - admin + action: scheduled-task-created + "4699": + category: + - iam + - configuration + type: + - deletion + - admin + action: scheduled-task-deleted + "4700": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-enabled + "4701": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-disabled + "4702": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-updated + "4706": + category: + - configuration + type: + - creation + action: domain-trust-added + "4707": + category: + - configuration + type: + - deletion + action: domain-trust-removed + "4713": + category: + - configuration + type: + - change + action: kerberos-policy-changed + "4714": + category: + - configuration + type: + - change + action: encrypted-data-recovery-policy-changed + "4715": + category: + - configuration + type: + - change + action: object-audit-policy-changed + "4716": + category: + - configuration + type: + - change + action: trusted-domain-information-changed + "4717": + category: + - iam + - configuration + type: + - admin + - change + action: system-security-access-granted + "4718": + category: + - iam + - configuration + type: + - admin + - deletion + action: system-security-access-removed + "4719": + category: + - iam + - configuration + type: + - admin + - change + action: changed-audit-config + "4720": + category: + - iam + type: + - user + - creation + action: added-user-account + "4722": + category: + - iam + type: + - user + - change + action: enabled-user-account + "4723": + category: + - iam + type: + - user + - change + action: changed-password + "4724": + 
category: + - iam + type: + - user + - change + action: reset-password + "4725": + category: + - iam + type: + - user + - deletion + action: disabled-user-account + "4726": + category: + - iam + type: + - user + - deletion + action: deleted-user-account + "4727": + category: + - iam + type: + - group + - creation + action: added-group-account + "4728": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4729": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4730": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4731": + category: + - iam + type: + - group + - creation + action: added-group-account + "4732": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4733": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4734": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4735": + category: + - iam + type: + - group + - change + action: modified-group-account + "4737": + category: + - iam + type: + - group + - change + action: modified-group-account + "4738": + category: + - iam + type: + - user + - change + action: modified-user-account + "4739": + category: + - configuration + type: + - change + action: domain-policy-changed + "4740": + category: + - iam + type: + - user + - change + action: locked-out-user-account + "4741": + category: + - iam + type: + - creation + - admin + action: added-computer-account + "4742": + category: + - iam + type: + - change + - admin + action: changed-computer-account + "4743": + category: + - iam + type: + - deletion + - admin + action: deleted-computer-account + "4744": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4745": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4746": + category: + - iam + type: + - group + - 
change + action: added-member-to-distribution-group + "4747": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4748": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4749": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4750": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4751": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4752": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4753": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4754": + category: + - iam + type: + - group + - creation + action: added-group-account + "4755": + category: + - iam + type: + - group + - change + action: modified-group-account + "4756": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4757": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4758": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4759": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4760": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4761": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4762": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4763": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4764": + category: + - iam + type: + - group + - change + action: type-changed-group-account + "4767": + category: + - iam + type: + - user + - change + action: unlocked-user-account + "4768": + category: + - 
authentication + type: + - start + action: kerberos-authentication-ticket-requested + "4769": + category: + - authentication + type: + - start + action: kerberos-service-ticket-requested + "4770": + category: + - authentication + type: + - start + action: kerberos-service-ticket-renewed + "4771": + category: + - authentication + type: + - start + action: kerberos-preauth-failed + "4776": + category: + - authentication + type: + - start + action: credential-validated + "4778": + category: + - authentication + - session + type: + - start + action: session-reconnected + "4779": + category: + - authentication + - session + type: + - end + action: session-disconnected + "4781": + category: + - iam + type: + - user + - change + action: renamed-user-account + "4798": + category: + - iam + type: + - user + - info + action: group-membership-enumerated + "4799": + category: + - iam + type: + - group + - info + action: user-member-enumerated + "4817": + category: + - iam + - configuration + type: + - admin + - change + action: object-audit-changed + "4902": + category: + - iam + - configuration + type: + - admin + - creation + action: user-audit-policy-created + "4904": + category: + - iam + - configuration + type: + - admin + - change + action: security-event-source-added + "4905": + category: + - iam + - configuration + type: + - admin + - deletion + action: security-event-source-removed + "4906": + category: + - iam + - configuration + type: + - admin + - change + action: crash-on-audit-changed + "4907": + category: + - iam + - configuration + type: + - admin + - change + action: audit-setting-changed + "4908": + category: + - iam + - configuration + type: + - admin + - change + action: special-group-table-changed + "4912": + category: + - iam + - configuration + type: + - admin + - change + action: per-user-audit-policy-changed + "4950": + category: + - configuration + type: + - change + action: windows-firewall-setting-changed + "4954": + category: + - configuration + 
type: + - change + action: windows-firewall-group-policy-changed + "4964": + category: + - iam + type: + - admin + - group + action: logged-in-special + "5024": + category: + - process + type: + - start + action: windows-firewall-service-started + "5025": + category: + - process + type: + - end + action: windows-firewall-service-stopped + "5033": + category: + - driver + type: + - start + action: windows-firewall-driver-started + "5034": + category: + - driver + type: + - end + action: windows-firewall-driver-stopped + "5037": + category: + - driver + type: + - end + action: windows-firewall-driver-error + source: |- + if (ctx?.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + def hm = new HashMap(params.get(ctx.event.code)); + hm.forEach((k, v) -> ctx.event[k] = v); + - script: + lang: painless + ignore_failure: false + tag: Set Logon Type + description: Set Logon Type +# Logon Types +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events + params: + "2": Interactive + "3": Network + "4": Batch + "5": Service + "7": Unlock + "8": NetworkCleartext + "9": NewCredentials + "10": RemoteInteractive + "11": CachedInteractive + source: |- + if (ctx?.winlog?.event_data?.LogonType == null) { + return; + } + def t = params.get(ctx.winlog.event_data.LogonType); + if (t == null) { + return; + } + if (ctx?.winlog?.logon == null ) { + Map map = new HashMap(); + ctx.winlog.put("logon", map); + } + ctx.winlog.logon.put("type", t) + - script: + lang: painless + ignore_failure: false + tag: Set User Account Control + description: Set User Account Control + # User Account Control Attributes Table + # https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties + params: + "0x00000001": SCRIPT + "0x00000002": ACCOUNTDISABLE + "0x00000008": HOMEDIR_REQUIRED + "0x00000010": LOCKOUT + "0x00000020": PASSWD_NOTREQD + "0x00000040": PASSWD_CANT_CHANGE + 
"0x00000080": ENCRYPTED_TEXT_PWD_ALLOWED + "0x00000100": TEMP_DUPLICATE_ACCOUNT + "0x00000200": NORMAL_ACCOUNT + "0x00000800": INTERDOMAIN_TRUST_ACCOUNT + "0x00001000": WORKSTATION_TRUST_ACCOUNT + "0x00002000": SERVER_TRUST_ACCOUNT + "0x00010000": DONT_EXPIRE_PASSWORD + "0x00020000": MNS_LOGON_ACCOUNT + "0x00040000": SMARTCARD_REQUIRED + "0x00080000": TRUSTED_FOR_DELEGATION + "0x00100000": NOT_DELEGATED + "0x00200000": USE_DES_KEY_ONLY + "0x00400000": DONT_REQ_PREAUTH + "0x00800000": PASSWORD_EXPIRED + "0x01000000": TRUSTED_TO_AUTH_FOR_DELEGATION + "0x04000000": PARTIAL_SECRETS_ACCOUNT + source: |- + if (ctx?.winlog?.event_data?.NewUacValue == null) { + return; + } + Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue); + ArrayList uacResult = new ArrayList(); + for (entry in params.entrySet()) { + Long flag = Long.decode(entry.getKey()); + if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) { + uacResult.add(entry.getValue()); + } + } + if (uacResult.length == 0) { + return; + } + ctx.winlog.event_data.put("NewUACList", uacResult); + if (ctx?.winlog?.event_data?.UserAccountControl == null) { + return; + } + ArrayList uac_array = new ArrayList(); + for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken("%%")) { + if (elem.trim().length() > 0) { + uac_array.add(elem.trim()); + } + } + ctx.winlog.event_data.UserAccountControl = uac_array; + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Options + description: Set Kerberos Ticket Options +# Kerberos TGT and TGS Ticket Options +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 +# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 + params: + "0x40000000": Forwardable + "0x20000000": Forwarded + "0x10000000": Proxiable + "0x08000000": Proxy + "0x04000000": Allow-postdate + "0x02000000": Postdated + "0x01000000": Invalid + "0x00800000": Renewable + "0x00400000": Initial + 
"0x00200000": Pre-authent + "0x00100000": Opt-hardware-auth + "0x00080000": Transited-policy-checked + "0x00040000": Ok-as-delegate + "0x00020000": Request-anonymous + "0x00010000": Name-canonicalize + "0x00000020": Disable-transited-check + "0x00000010": Renewable-ok + "0x00000008": Enc-tkt-in-skey + "0x00000002": Renew + "0x00000001": Validate + source: |- + if (ctx?.winlog?.event_data?.TicketOptions == null) { + return; + } + Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions); + ArrayList tDescs = new ArrayList(); + for (entry in params.entrySet()) { + Long flag = Long.decode(entry.getKey()); + if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) { + tDescs.add(entry.getValue()); + } + } + if (tDescs.length == 0) { + return; + } + ctx.winlog.event_data.put("TicketOptionsDescription", tDescs); + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Encryption Types + description: Set Kerberos Encryption Types + # Kerberos Encryption Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + params: + "0x1": DES-CBC-CRC + "0x3": DES-CBC-MD5 + "0x11": AES128-CTS-HMAC-SHA1-96 + "0x12": AES256-CTS-HMAC-SHA1-96 + "0x17": RC4-HMAC + "0x18": RC4-HMAC-EXP + "0xffffffff": FAIL + source: |- + if (ctx?.winlog?.event_data?.TicketEncryptionType == null) { + return; + } + ctx.winlog.event_data.put("TicketEncryptionTypeDescription", + params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()]) + - script: + lang: painless + ignore_failure: false + tag: Set Kerberos Ticket Status Codes + # Kerberos Result Status Codes + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + description: Set Kerberos Ticket Status Codes + params: + "0x0": KDC_ERR_NONE + "0x1": KDC_ERR_NAME_EXP + 
"0x2": KDC_ERR_SERVICE_EXP + "0x3": KDC_ERR_BAD_PVNO + "0x4": KDC_ERR_C_OLD_MAST_KVNO + "0x5": KDC_ERR_S_OLD_MAST_KVNO + "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN + "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN + "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE + "0x9": KDC_ERR_NULL_KEY + "0xA": KDC_ERR_CANNOT_POSTDATE + "0xB": KDC_ERR_NEVER_VALID + "0xC": KDC_ERR_POLICY + "0xD": KDC_ERR_BADOPTION + "0xE": KDC_ERR_ETYPE_NOTSUPP + "0xF": KDC_ERR_SUMTYPE_NOSUPP + "0x10": KDC_ERR_PADATA_TYPE_NOSUPP + "0x11": KDC_ERR_TRTYPE_NO_SUPP + "0x12": KDC_ERR_CLIENT_REVOKED + "0x13": KDC_ERR_SERVICE_REVOKED + "0x14": KDC_ERR_TGT_REVOKED + "0x15": KDC_ERR_CLIENT_NOTYET + "0x16": KDC_ERR_SERVICE_NOTYET + "0x17": KDC_ERR_KEY_EXPIRED + "0x18": KDC_ERR_PREAUTH_FAILED + "0x19": KDC_ERR_PREAUTH_REQUIRED + "0x1A": KDC_ERR_SERVER_NOMATCH + "0x1B": KDC_ERR_MUST_USE_USER2USER + "0x1F": KRB_AP_ERR_BAD_INTEGRITY + "0x20": KRB_AP_ERR_TKT_EXPIRED + "0x21": KRB_AP_ERR_TKT_NYV + "0x22": KRB_AP_ERR_REPEAT + "0x23": KRB_AP_ERR_NOT_US + "0x24": KRB_AP_ERR_BADMATCH + "0x25": KRB_AP_ERR_SKEW + "0x26": KRB_AP_ERR_BADADDR + "0x27": KRB_AP_ERR_BADVERSION + "0x28": KRB_AP_ERR_MSG_TYPE + "0x29": KRB_AP_ERR_MODIFIED + "0x2A": KRB_AP_ERR_BADORDER + "0x2C": KRB_AP_ERR_BADKEYVER + "0x2D": KRB_AP_ERR_NOKEY + "0x2E": KRB_AP_ERR_MUT_FAIL + "0x2F": KRB_AP_ERR_BADDIRECTION + "0x30": KRB_AP_ERR_METHOD + "0x31": KRB_AP_ERR_BADSEQ + "0x32": KRB_AP_ERR_INAPP_CKSUM + "0x33": KRB_AP_PATH_NOT_ACCEPTED + "0x34": KRB_ERR_RESPONSE_TOO_BIG + "0x3C": KRB_ERR_GENERIC + "0x3D": KRB_ERR_FIELD_TOOLONG + "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED + "0x3F": KDC_ERR_KDC_NOT_TRUSTED + "0x40": KDC_ERR_INVALID_SIG + "0x41": KDC_ERR_KEY_TOO_WEAK + "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED + "0x43": KRB_AP_ERR_NO_TGT + "0x44": KDC_ERR_WRONG_REALM + source: |- + if (ctx?.winlog?.event_data?.Status == null || + ctx?.event?.code == null || + !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) { + return; + } + ctx.winlog.event_data.put("StatusDescription", 
params[ctx.winlog.event_data.Status]); + - script: + lang: painless + ignore_failure: false + tag: Set Service Type and Name + description: Set Service Type and Name + # Services Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 + params: + "0x1": Kernel Driver + "0x2": File System Driver + "0x8": Recognizer Driver + "0x10": Win32 Own Process + "0x20": Win32 Share Process + "0x110": Interactive Own Process + "0x120": Interactive Share Process + source: |- + if (ctx?.winlog?.event_data?.ServiceName != null) { + if (ctx?.service == null) { + HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("name", ctx.winlog.event_data.ServiceName); + } + if (ctx?.winlog.event_data?.ServiceType != null) { + if (ctx?.service == null) { + HashMap hm = new HashMap(); + ctx.put("service", hm); + } + ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]); + } + - script: + lang: painless + ignore_failure: false + tag: Set Audit Information + description: Set Audit Information + # Audit Categories Description + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d + params: + "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"] + "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"] + "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"] + "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"] + "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"] + "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"] + "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"] + "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"] + "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"] + "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"] + "0CCE921A-69AE-11D9-BED3-505054503030": 
["IPsec Extended Mode","Logon/Logoff"] + "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"] + "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"] + "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"] + "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"] + "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"] + "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"] + "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"] + "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"] + "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"] + "0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"] + "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"] + "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"] + "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"] + "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ","Object Access"] + "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"] + "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"] + "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"] + "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"] + "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"] + "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"] + "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"] + "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"] + "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"] + "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI 
Activity","Detailed Tracking"] + "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"] + "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"] + "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"] + "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"] + "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"] + "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"] + "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"] + "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"] + "0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"] + "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"] + "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"] + "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management","Account Management"] + "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"] + "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"] + "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"] + "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"] + "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"] + "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"] + "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"] + "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"] + "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"] + 
"0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"] + source: |- + if (ctx?.winlog?.event_data?.SubcategoryGuid == null) { + return; + } + def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase(); + if (!params.containsKey(subCatGuid)) { + return; + } + ctx.winlog.event_data.put("Category", params[subCatGuid][1]); + ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]); + - script: + lang: painless + ignore_failure: false + tag: Decode message table + description: Decode message table + # Message table extracted from msobjs.dll on Windows 2019. + # https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 + # https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b + params: + descriptions: + "279": "Undefined Access (no effect) Bit 7" + "1536": "Unused message ID" + "1537": "DELETE" + "1538": "READ_CONTROL" + "1539": "WRITE_DAC" + "1540": "WRITE_OWNER" + "1541": "SYNCHRONIZE" + "1542": "ACCESS_SYS_SEC" + "1543": "MAX_ALLOWED" + "1552": "Unknown specific access (bit 0)" + "1553": "Unknown specific access (bit 1)" + "1554": "Unknown specific access (bit 2)" + "1555": "Unknown specific access (bit 3)" + "1556": "Unknown specific access (bit 4)" + "1557": "Unknown specific access (bit 5)" + "1558": "Unknown specific access (bit 6)" + "1559": "Unknown specific access (bit 7)" + "1560": "Unknown specific access (bit 8)" + "1561": "Unknown specific access (bit 9)" + "1562": "Unknown specific access (bit 10)" + "1563": "Unknown specific access (bit 11)" + "1564": "Unknown specific access (bit 12)" + "1565": "Unknown specific access (bit 13)" + "1566": "Unknown specific access (bit 14)" + "1567": "Unknown specific access (bit 15)" + "1601": "Not used" + "1603": "Assign Primary Token Privilege" + "1604": "Lock Memory Privilege" + 
"1605": "Increase Memory Quota Privilege" + "1606": "Unsolicited Input Privilege" + "1607": "Trusted Computer Base Privilege" + "1608": "Security Privilege" + "1609": "Take Ownership Privilege" + "1610": "Load/Unload Driver Privilege" + "1611": "Profile System Privilege" + "1612": "Set System Time Privilege" + "1613": "Profile Single Process Privilege" + "1614": "Increment Base Priority Privilege" + "1615": "Create Pagefile Privilege" + "1616": "Create Permanent Object Privilege" + "1617": "Backup Privilege" + "1618": "Restore From Backup Privilege" + "1619": "Shutdown System Privilege" + "1620": "Debug Privilege" + "1621": "View or Change Audit Log Privilege" + "1622": "Change Hardware Environment Privilege" + "1623": "Change Notify (and Traverse) Privilege" + "1624": "Remotely Shut System Down Privilege" + "1792": "" + "1794": "" + "1795": "Enabled" + "1796": "Disabled" + "1797": "All" + "1798": "None" + "1799": "Audit Policy query/set API Operation" + "1800": "" + "1801": "Granted by" + "1802": "Denied by" + "1803": "Denied by Integrity Policy check" + "1804": "Granted by Ownership" + "1805": "Not granted" + "1806": "Granted by NULL DACL" + "1807": "Denied by Empty DACL" + "1808": "Granted by NULL Security Descriptor" + "1809": "Unknown or unchecked" + "1810": "Not granted due to missing" + "1811": "Granted by ACE on parent folder" + "1812": "Denied by ACE on parent folder" + "1813": "Granted by Central Access Rule" + "1814": "NOT Granted by Central Access Rule" + "1815": "Granted by parent folder's Central Access Rule" + "1816": "NOT Granted by parent folder's Central Access Rule" + "1817": "Unknown Type" + "1818": "String" + "1819": "Unsigned 64-bit Integer" + "1820": "64-bit Integer" + "1821": "FQBN" + "1822": "Blob" + "1823": "Sid" + "1824": "Boolean" + "1825": "TRUE" + "1826": "FALSE" + "1827": "Invalid" + "1828": "an ACE too long to display" + "1829": "a Security Descriptor too long to display" + "1830": "Not granted to AppContainers" + "1831": "..." 
+ "1832": "Identification" + "1833": "Impersonation" + "1840": "Delegation" + "1841": "Denied by Process Trust Label ACE" + "1842": "Yes" + "1843": "No" + "1844": "System" + "1845": "Not Available" + "1846": "Default" + "1847": "DisallowMmConfig" + "1848": "Off" + "1849": "Auto" + "1872": "REG_NONE" + "1873": "REG_SZ" + "1874": "REG_EXPAND_SZ" + "1875": "REG_BINARY" + "1876": "REG_DWORD" + "1877": "REG_DWORD_BIG_ENDIAN" + "1878": "REG_LINK" + "1879": "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)" + "1880": "REG_RESOURCE_LIST" + "1881": "REG_FULL_RESOURCE_DESCRIPTOR" + "1882": "REG_RESOURCE_REQUIREMENTS_LIST" + "1883": "REG_QWORD" + "1904": "New registry value created" + "1905": "Existing registry value modified" + "1906": "Registry value deleted" + "1920": "Sunday" + "1921": "Monday" + "1922": "Tuesday" + "1923": "Wednesday" + "1924": "Thursday" + "1925": "Friday" + "1926": "Saturday" + "1936": "TokenElevationTypeDefault (1)" + "1937": "TokenElevationTypeFull (2)" + "1938": "TokenElevationTypeLimited (3)" + "2048": "Account Enabled" + "2049": "Home Directory Required' - Disabled" + "2050": "Password Not Required' - Disabled" + "2051": "Temp Duplicate Account' - Disabled" + "2052": "Normal Account' - Disabled" + "2053": "MNS Logon Account' - Disabled" + "2054": "Interdomain Trust Account' - Disabled" + "2055": "Workstation Trust Account' - Disabled" + "2056": "Server Trust Account' - Disabled" + "2057": "Don't Expire Password' - Disabled" + "2058": "Account Unlocked" + "2059": "Encrypted Text Password Allowed' - Disabled" + "2060": "Smartcard Required' - Disabled" + "2061": "Trusted For Delegation' - Disabled" + "2062": "Not Delegated' - Disabled" + "2063": "Use DES Key Only' - Disabled" + "2064": "Don't Require Preauth' - Disabled" + "2065": "Password Expired' - Disabled" + "2066": "Trusted To Authenticate For Delegation' - Disabled" + "2067": "Exclude Authorization Information' - Disabled" + "2068": "Undefined UserAccountControl Bit 20' - 
Disabled" + "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled" + "2070": "Undefined UserAccountControl Bit 22' - Disabled" + "2071": "Undefined UserAccountControl Bit 23' - Disabled" + "2072": "Undefined UserAccountControl Bit 24' - Disabled" + "2073": "Undefined UserAccountControl Bit 25' - Disabled" + "2074": "Undefined UserAccountControl Bit 26' - Disabled" + "2075": "Undefined UserAccountControl Bit 27' - Disabled" + "2076": "Undefined UserAccountControl Bit 28' - Disabled" + "2077": "Undefined UserAccountControl Bit 29' - Disabled" + "2078": "Undefined UserAccountControl Bit 30' - Disabled" + "2079": "Undefined UserAccountControl Bit 31' - Disabled" + "2080": "Account Disabled" + "2081": "Home Directory Required' - Enabled" + "2082": "Password Not Required' - Enabled" + "2083": "Temp Duplicate Account' - Enabled" + "2084": "Normal Account' - Enabled" + "2085": "MNS Logon Account' - Enabled" + "2086": "Interdomain Trust Account' - Enabled" + "2087": "Workstation Trust Account' - Enabled" + "2088": "Server Trust Account' - Enabled" + "2089": "Don't Expire Password' - Enabled" + "2090": "Account Locked" + "2091": "Encrypted Text Password Allowed' - Enabled" + "2092": "Smartcard Required' - Enabled" + "2093": "Trusted For Delegation' - Enabled" + "2094": "Not Delegated' - Enabled" + "2095": "Use DES Key Only' - Enabled" + "2096": "Don't Require Preauth' - Enabled" + "2097": "Password Expired' - Enabled" + "2098": "Trusted To Authenticate For Delegation' - Enabled" + "2099": "Exclude Authorization Information' - Enabled" + "2100": "Undefined UserAccountControl Bit 20' - Enabled" + "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled" + "2102": "Undefined UserAccountControl Bit 22' - Enabled" + "2103": "Undefined UserAccountControl Bit 23' - Enabled" + "2104": "Undefined UserAccountControl Bit 24' - Enabled" + "2105": "Undefined UserAccountControl Bit 25' - Enabled" + "2106": "Undefined UserAccountControl Bit 26' - Enabled" + "2107": 
"Undefined UserAccountControl Bit 27' - Enabled" + "2108": "Undefined UserAccountControl Bit 28' - Enabled" + "2109": "Undefined UserAccountControl Bit 29' - Enabled" + "2110": "Undefined UserAccountControl Bit 30' - Enabled" + "2111": "Undefined UserAccountControl Bit 31' - Enabled" + "2304": "An Error occured during Logon." + "2305": "The specified user account has expired." + "2306": "The NetLogon component is not active." + "2307": "Account locked out." + "2308": "The user has not been granted the requested logon type at this machine." + "2309": "The specified account's password has expired." + "2310": "Account currently disabled." + "2311": "Account logon time restriction violation." + "2312": "User not allowed to logon at this computer." + "2313": "Unknown user name or bad password." + "2314": "Domain sid inconsistent." + "2315": "Smartcard logon is required and was not used." + "2432": "Not Available." + "2436": "Random number generator failure." + "2437": "Random number generation failed FIPS-140 pre-hash check." + "2438": "Failed to zero secret data." + "2439": "Key failed pair wise consistency check." + "2448": "Failed to unprotect persistent cryptographic key." + "2449": "Key export checks failed." + "2450": "Validation of public key failed." + "2451": "Signature verification failed." + "2456": "Open key file." + "2457": "Delete key file." + "2458": "Read persisted key from file." + "2459": "Write persisted key to file." + "2464": "Export of persistent cryptographic key." + "2465": "Import of persistent cryptographic key." + "2480": "Open Key." + "2481": "Create Key." + "2482": "Delete Key." + "2483": "Encrypt." + "2484": "Decrypt." + "2485": "Sign hash." + "2486": "Secret agreement." + "2487": "Domain settings" + "2488": "Local settings" + "2489": "Add provider." + "2490": "Remove provider." + "2491": "Add context." + "2492": "Remove context." + "2493": "Add function." + "2494": "Remove function." + "2495": "Add function provider." 
+ "2496": "Remove function provider." + "2497": "Add function property." + "2498": "Remove function property." + "2499": "Machine key." + "2500": "User key." + "2501": "Key Derivation." + "4352": "Device Access Bit 0" + "4353": "Device Access Bit 1" + "4354": "Device Access Bit 2" + "4355": "Device Access Bit 3" + "4356": "Device Access Bit 4" + "4357": "Device Access Bit 5" + "4358": "Device Access Bit 6" + "4359": "Device Access Bit 7" + "4360": "Device Access Bit 8" + "4361": "Undefined Access (no effect) Bit 9" + "4362": "Undefined Access (no effect) Bit 10" + "4363": "Undefined Access (no effect) Bit 11" + "4364": "Undefined Access (no effect) Bit 12" + "4365": "Undefined Access (no effect) Bit 13" + "4366": "Undefined Access (no effect) Bit 14" + "4367": "Undefined Access (no effect) Bit 15" + "4368": "Query directory" + "4369": "Traverse" + "4370": "Create object in directory" + "4371": "Create sub-directory" + "4372": "Undefined Access (no effect) Bit 4" + "4373": "Undefined Access (no effect) Bit 5" + "4374": "Undefined Access (no effect) Bit 6" + "4375": "Undefined Access (no effect) Bit 7" + "4376": "Undefined Access (no effect) Bit 8" + "4377": "Undefined Access (no effect) Bit 9" + "4378": "Undefined Access (no effect) Bit 10" + "4379": "Undefined Access (no effect) Bit 11" + "4380": "Undefined Access (no effect) Bit 12" + "4381": "Undefined Access (no effect) Bit 13" + "4382": "Undefined Access (no effect) Bit 14" + "4383": "Undefined Access (no effect) Bit 15" + "4384": "Query event state" + "4385": "Modify event state" + "4386": "Undefined Access (no effect) Bit 2" + "4387": "Undefined Access (no effect) Bit 3" + "4388": "Undefined Access (no effect) Bit 4" + "4389": "Undefined Access (no effect) Bit 5" + "4390": "Undefined Access (no effect) Bit 6" + "4391": "Undefined Access (no effect) Bit 7" + "4392": "Undefined Access (no effect) Bit 8" + "4393": "Undefined Access (no effect) Bit 9" + "4394": "Undefined Access (no effect) Bit 10" + "4395": 
"Undefined Access (no effect) Bit 11" + "4396": "Undefined Access (no effect) Bit 12" + "4397": "Undefined Access (no effect) Bit 13" + "4398": "Undefined Access (no effect) Bit 14" + "4399": "Undefined Access (no effect) Bit 15" + "4416": "ReadData (or ListDirectory)" + "4417": "WriteData (or AddFile)" + "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)" + "4419": "ReadEA" + "4420": "WriteEA" + "4421": "Execute/Traverse" + "4422": "DeleteChild" + "4423": "ReadAttributes" + "4424": "WriteAttributes" + "4425": "Undefined Access (no effect) Bit 9" + "4426": "Undefined Access (no effect) Bit 10" + "4427": "Undefined Access (no effect) Bit 11" + "4428": "Undefined Access (no effect) Bit 12" + "4429": "Undefined Access (no effect) Bit 13" + "4430": "Undefined Access (no effect) Bit 14" + "4431": "Undefined Access (no effect) Bit 15" + "4432": "Query key value" + "4433": "Set key value" + "4434": "Create sub-key" + "4435": "Enumerate sub-keys" + "4436": "Notify about changes to keys" + "4437": "Create Link" + "4438": "Undefined Access (no effect) Bit 6" + "4439": "Undefined Access (no effect) Bit 7" + "4440": "Enable 64(or 32) bit application to open 64 bit key" + "4441": "Enable 64(or 32) bit application to open 32 bit key" + "4442": "Undefined Access (no effect) Bit 10" + "4443": "Undefined Access (no effect) Bit 11" + "4444": "Undefined Access (no effect) Bit 12" + "4445": "Undefined Access (no effect) Bit 13" + "4446": "Undefined Access (no effect) Bit 14" + "4447": "Undefined Access (no effect) Bit 15" + "4448": "Query mutant state" + "4449": "Undefined Access (no effect) Bit 1" + "4450": "Undefined Access (no effect) Bit 2" + "4451": "Undefined Access (no effect) Bit 3" + "4452": "Undefined Access (no effect) Bit 4" + "4453": "Undefined Access (no effect) Bit 5" + "4454": "Undefined Access (no effect) Bit 6" + "4455": "Undefined Access (no effect) Bit 7" + "4456": "Undefined Access (no effect) Bit 8" + "4457": "Undefined Access (no effect) Bit 9" + 
"4458": "Undefined Access (no effect) Bit 10" + "4459": "Undefined Access (no effect) Bit 11" + "4460": "Undefined Access (no effect) Bit 12" + "4461": "Undefined Access (no effect) Bit 13" + "4462": "Undefined Access (no effect) Bit 14" + "4463": "Undefined Access (no effect) Bit 15" + "4464": "Communicate using port" + "4465": "Undefined Access (no effect) Bit 1" + "4466": "Undefined Access (no effect) Bit 2" + "4467": "Undefined Access (no effect) Bit 3" + "4468": "Undefined Access (no effect) Bit 4" + "4469": "Undefined Access (no effect) Bit 5" + "4470": "Undefined Access (no effect) Bit 6" + "4471": "Undefined Access (no effect) Bit 7" + "4472": "Undefined Access (no effect) Bit 8" + "4473": "Undefined Access (no effect) Bit 9" + "4474": "Undefined Access (no effect) Bit 10" + "4475": "Undefined Access (no effect) Bit 11" + "4476": "Undefined Access (no effect) Bit 12" + "4477": "Undefined Access (no effect) Bit 13" + "4478": "Undefined Access (no effect) Bit 14" + "4479": "Undefined Access (no effect) Bit 15" + "4480": "Force process termination" + "4481": "Create new thread in process" + "4482": "Set process session ID" + "4483": "Perform virtual memory operation" + "4484": "Read from process memory" + "4485": "Write to process memory" + "4486": "Duplicate handle into or out of process" + "4487": "Create a subprocess of process" + "4488": "Set process quotas" + "4489": "Set process information" + "4490": "Query process information" + "4491": "Set process termination port" + "4492": "Undefined Access (no effect) Bit 12" + "4493": "Undefined Access (no effect) Bit 13" + "4494": "Undefined Access (no effect) Bit 14" + "4495": "Undefined Access (no effect) Bit 15" + "4496": "Control profile" + "4497": "Undefined Access (no effect) Bit 1" + "4498": "Undefined Access (no effect) Bit 2" + "4499": "Undefined Access (no effect) Bit 3" + "4500": "Undefined Access (no effect) Bit 4" + "4501": "Undefined Access (no effect) Bit 5" + "4502": "Undefined Access (no effect) 
Bit 6" + "4503": "Undefined Access (no effect) Bit 7" + "4504": "Undefined Access (no effect) Bit 8" + "4505": "Undefined Access (no effect) Bit 9" + "4506": "Undefined Access (no effect) Bit 10" + "4507": "Undefined Access (no effect) Bit 11" + "4508": "Undefined Access (no effect) Bit 12" + "4509": "Undefined Access (no effect) Bit 13" + "4510": "Undefined Access (no effect) Bit 14" + "4511": "Undefined Access (no effect) Bit 15" + "4512": "Query section state" + "4513": "Map section for write" + "4514": "Map section for read" + "4515": "Map section for execute" + "4516": "Extend size" + "4517": "Undefined Access (no effect) Bit 5" + "4518": "Undefined Access (no effect) Bit 6" + "4519": "Undefined Access (no effect) Bit 7" + "4520": "Undefined Access (no effect) Bit 8" + "4521": "Undefined Access (no effect) Bit 9" + "4522": "Undefined Access (no effect) Bit 10" + "4523": "Undefined Access (no effect) Bit 11" + "4524": "Undefined Access (no effect) Bit 12" + "4525": "Undefined Access (no effect) Bit 13" + "4526": "Undefined Access (no effect) Bit 14" + "4527": "Undefined Access (no effect) Bit 15" + "4528": "Query semaphore state" + "4529": "Modify semaphore state" + "4530": "Undefined Access (no effect) Bit 2" + "4531": "Undefined Access (no effect) Bit 3" + "4532": "Undefined Access (no effect) Bit 4" + "4533": "Undefined Access (no effect) Bit 5" + "4534": "Undefined Access (no effect) Bit 6" + "4535": "Undefined Access (no effect) Bit 7" + "4536": "Undefined Access (no effect) Bit 8" + "4537": "Undefined Access (no effect) Bit 9" + "4538": "Undefined Access (no effect) Bit 10" + "4539": "Undefined Access (no effect) Bit 11" + "4540": "Undefined Access (no effect) Bit 12" + "4541": "Undefined Access (no effect) Bit 13" + "4542": "Undefined Access (no effect) Bit 14" + "4543": "Undefined Access (no effect) Bit 15" + "4544": "Use symbolic link" + "4545": "Undefined Access (no effect) Bit 1" + "4546": "Undefined Access (no effect) Bit 2" + "4547": "Undefined 
Access (no effect) Bit 3" + "4548": "Undefined Access (no effect) Bit 4" + "4549": "Undefined Access (no effect) Bit 5" + "4550": "Undefined Access (no effect) Bit 6" + "4551": "Undefined Access (no effect) Bit 7" + "4552": "Undefined Access (no effect) Bit 8" + "4553": "Undefined Access (no effect) Bit 9" + "4554": "Undefined Access (no effect) Bit 10" + "4555": "Undefined Access (no effect) Bit 11" + "4556": "Undefined Access (no effect) Bit 12" + "4557": "Undefined Access (no effect) Bit 13" + "4558": "Undefined Access (no effect) Bit 14" + "4559": "Undefined Access (no effect) Bit 15" + "4560": "Force thread termination" + "4561": "Suspend or resume thread" + "4562": "Send an alert to thread" + "4563": "Get thread context" + "4564": "Set thread context" + "4565": "Set thread information" + "4566": "Query thread information" + "4567": "Assign a token to the thread" + "4568": "Cause thread to directly impersonate another thread" + "4569": "Directly impersonate this thread" + "4570": "Undefined Access (no effect) Bit 10" + "4571": "Undefined Access (no effect) Bit 11" + "4572": "Undefined Access (no effect) Bit 12" + "4573": "Undefined Access (no effect) Bit 13" + "4574": "Undefined Access (no effect) Bit 14" + "4575": "Undefined Access (no effect) Bit 15" + "4576": "Query timer state" + "4577": "Modify timer state" + "4578": "Undefined Access (no effect) Bit 2" + "4579": "Undefined Access (no effect) Bit 3" + "4580": "Undefined Access (no effect) Bit 4" + "4581": "Undefined Access (no effect) Bit 5" + "4582": "Undefined Access (no effect) Bit 6" + "4584": "Undefined Access (no effect) Bit 8" + "4585": "Undefined Access (no effect) Bit 9" + "4586": "Undefined Access (no effect) Bit 10" + "4587": "Undefined Access (no effect) Bit 11" + "4588": "Undefined Access (no effect) Bit 12" + "4589": "Undefined Access (no effect) Bit 13" + "4590": "Undefined Access (no effect) Bit 14" + "4591": "Undefined Access (no effect) Bit 15" + "4592": "AssignAsPrimary" + "4593": 
"Duplicate" + "4594": "Impersonate" + "4595": "Query" + "4596": "QuerySource" + "4597": "AdjustPrivileges" + "4598": "AdjustGroups" + "4599": "AdjustDefaultDacl" + "4600": "AdjustSessionID" + "4601": "Undefined Access (no effect) Bit 9" + "4602": "Undefined Access (no effect) Bit 10" + "4603": "Undefined Access (no effect) Bit 11" + "4604": "Undefined Access (no effect) Bit 12" + "4605": "Undefined Access (no effect) Bit 13" + "4606": "Undefined Access (no effect) Bit 14" + "4607": "Undefined Access (no effect) Bit 15" + "4608": "Create instance of object type" + "4609": "Undefined Access (no effect) Bit 1" + "4610": "Undefined Access (no effect) Bit 2" + "4611": "Undefined Access (no effect) Bit 3" + "4612": "Undefined Access (no effect) Bit 4" + "4613": "Undefined Access (no effect) Bit 5" + "4614": "Undefined Access (no effect) Bit 6" + "4615": "Undefined Access (no effect) Bit 7" + "4616": "Undefined Access (no effect) Bit 8" + "4617": "Undefined Access (no effect) Bit 9" + "4618": "Undefined Access (no effect) Bit 10" + "4619": "Undefined Access (no effect) Bit 11" + "4620": "Undefined Access (no effect) Bit 12" + "4621": "Undefined Access (no effect) Bit 13" + "4622": "Undefined Access (no effect) Bit 14" + "4623": "Undefined Access (no effect) Bit 15" + "4864": "Query State" + "4865": "Modify State" + "5120": "Channel read message" + "5121": "Channel write message" + "5122": "Channel query information" + "5123": "Channel set information" + "5124": "Undefined Access (no effect) Bit 4" + "5125": "Undefined Access (no effect) Bit 5" + "5126": "Undefined Access (no effect) Bit 6" + "5127": "Undefined Access (no effect) Bit 7" + "5128": "Undefined Access (no effect) Bit 8" + "5129": "Undefined Access (no effect) Bit 9" + "5130": "Undefined Access (no effect) Bit 10" + "5131": "Undefined Access (no effect) Bit 11" + "5132": "Undefined Access (no effect) Bit 12" + "5133": "Undefined Access (no effect) Bit 13" + "5134": "Undefined Access (no effect) Bit 14" + 
"5135": "Undefined Access (no effect) Bit 15" + "5136": "Assign process" + "5137": "Set Attributes" + "5138": "Query Attributes" + "5139": "Terminate Job" + "5140": "Set Security Attributes" + "5141": "Undefined Access (no effect) Bit 5" + "5142": "Undefined Access (no effect) Bit 6" + "5143": "Undefined Access (no effect) Bit 7" + "5144": "Undefined Access (no effect) Bit 8" + "5145": "Undefined Access (no effect) Bit 9" + "5146": "Undefined Access (no effect) Bit 10" + "5147": "Undefined Access (no effect) Bit 11" + "5148": "Undefined Access (no effect) Bit 12" + "5149": "Undefined Access (no effect) Bit 13" + "5150": "Undefined Access (no effect) Bit 14" + "5151": "Undefined Access (no effect) Bit 15" + "5376": "ConnectToServer" + "5377": "ShutdownServer" + "5378": "InitializeServer" + "5379": "CreateDomain" + "5380": "EnumerateDomains" + "5381": "LookupDomain" + "5382": "Undefined Access (no effect) Bit 6" + "5383": "Undefined Access (no effect) Bit 7" + "5384": "Undefined Access (no effect) Bit 8" + "5385": "Undefined Access (no effect) Bit 9" + "5386": "Undefined Access (no effect) Bit 10" + "5387": "Undefined Access (no effect) Bit 11" + "5388": "Undefined Access (no effect) Bit 12" + "5389": "Undefined Access (no effect) Bit 13" + "5390": "Undefined Access (no effect) Bit 14" + "5391": "Undefined Access (no effect) Bit 15" + "5392": "ReadPasswordParameters" + "5393": "WritePasswordParameters" + "5394": "ReadOtherParameters" + "5395": "WriteOtherParameters" + "5396": "CreateUser" + "5397": "CreateGlobalGroup" + "5398": "CreateLocalGroup" + "5399": "GetLocalGroupMembership" + "5400": "ListAccounts" + "5401": "LookupIDs" + "5402": "AdministerServer" + "5403": "Undefined Access (no effect) Bit 11" + "5404": "Undefined Access (no effect) Bit 12" + "5405": "Undefined Access (no effect) Bit 13" + "5406": "Undefined Access (no effect) Bit 14" + "5407": "Undefined Access (no effect) Bit 15" + "5408": "ReadInformation" + "5409": "WriteAccount" + "5410": "AddMember" + 
"5411": "RemoveMember" + "5412": "ListMembers" + "5413": "Undefined Access (no effect) Bit 5" + "5414": "Undefined Access (no effect) Bit 6" + "5415": "Undefined Access (no effect) Bit 7" + "5416": "Undefined Access (no effect) Bit 8" + "5417": "Undefined Access (no effect) Bit 9" + "5418": "Undefined Access (no effect) Bit 10" + "5419": "Undefined Access (no effect) Bit 11" + "5420": "Undefined Access (no effect) Bit 12" + "5421": "Undefined Access (no effect) Bit 13" + "5422": "Undefined Access (no effect) Bit 14" + "5423": "Undefined Access (no effect) Bit 15" + "5424": "AddMember" + "5425": "RemoveMember" + "5426": "ListMembers" + "5427": "ReadInformation" + "5428": "WriteAccount" + "5429": "Undefined Access (no effect) Bit 5" + "5430": "Undefined Access (no effect) Bit 6" + "5431": "Undefined Access (no effect) Bit 7" + "5432": "Undefined Access (no effect) Bit 8" + "5433": "Undefined Access (no effect) Bit 9" + "5434": "Undefined Access (no effect) Bit 10" + "5435": "Undefined Access (no effect) Bit 11" + "5436": "Undefined Access (no effect) Bit 12" + "5437": "Undefined Access (no effect) Bit 13" + "5438": "Undefined Access (no effect) Bit 14" + "5439": "Undefined Access (no effect) Bit 15" + "5440": "ReadGeneralInformation" + "5441": "ReadPreferences" + "5442": "WritePreferences" + "5443": "ReadLogon" + "5444": "ReadAccount" + "5445": "WriteAccount" + "5446": "ChangePassword (with knowledge of old password)" + "5447": "SetPassword (without knowledge of old password)" + "5448": "ListGroups" + "5449": "ReadGroupMembership" + "5450": "ChangeGroupMembership" + "5451": "Undefined Access (no effect) Bit 11" + "5452": "Undefined Access (no effect) Bit 12" + "5453": "Undefined Access (no effect) Bit 13" + "5454": "Undefined Access (no effect) Bit 14" + "5455": "Undefined Access (no effect) Bit 15" + "5632": "View non-sensitive policy information" + "5633": "View system audit requirements" + "5634": "Get sensitive policy information" + "5635": "Modify domain trust 
relationships" + "5636": "Create special accounts (for assignment of user rights)" + "5637": "Create a secret object" + "5638": "Create a privilege" + "5639": "Set default quota limits" + "5640": "Change system audit requirements" + "5641": "Administer audit log attributes" + "5642": "Enable/Disable LSA" + "5643": "Lookup Names/SIDs" + "5648": "Change secret value" + "5649": "Query secret value" + "5650": "Undefined Access (no effect) Bit 2" + "5651": "Undefined Access (no effect) Bit 3" + "5652": "Undefined Access (no effect) Bit 4" + "5653": "Undefined Access (no effect) Bit 5" + "5654": "Undefined Access (no effect) Bit 6" + "5655": "Undefined Access (no effect) Bit 7" + "5656": "Undefined Access (no effect) Bit 8" + "5657": "Undefined Access (no effect) Bit 9" + "5658": "Undefined Access (no effect) Bit 10" + "5659": "Undefined Access (no effect) Bit 11" + "5660": "Undefined Access (no effect) Bit 12" + "5661": "Undefined Access (no effect) Bit 13" + "5662": "Undefined Access (no effect) Bit 14" + "5663": "Undefined Access (no effect) Bit 15" + "5664": "Query trusted domain name/SID" + "5665": "Retrieve the controllers in the trusted domain" + "5666": "Change the controllers in the trusted domain" + "5667": "Query the Posix ID offset assigned to the trusted domain" + "5668": "Change the Posix ID offset assigned to the trusted domain" + "5669": "Undefined Access (no effect) Bit 5" + "5670": "Undefined Access (no effect) Bit 6" + "5671": "Undefined Access (no effect) Bit 7" + "5672": "Undefined Access (no effect) Bit 8" + "5673": "Undefined Access (no effect) Bit 9" + "5674": "Undefined Access (no effect) Bit 10" + "5675": "Undefined Access (no effect) Bit 11" + "5676": "Undefined Access (no effect) Bit 12" + "5677": "Undefined Access (no effect) Bit 13" + "5678": "Undefined Access (no effect) Bit 14" + "5679": "Undefined Access (no effect) Bit 15" + "5680": "Query account information" + "5681": "Change privileges assigned to account" + "5682": "Change quotas 
assigned to account" + "5683": "Change logon capabilities assigned to account" + "5684": "Change the Posix ID offset assigned to the accounted domain" + "5685": "Undefined Access (no effect) Bit 5" + "5686": "Undefined Access (no effect) Bit 6" + "5687": "Undefined Access (no effect) Bit 7" + "5688": "Undefined Access (no effect) Bit 8" + "5689": "Undefined Access (no effect) Bit 9" + "5690": "Undefined Access (no effect) Bit 10" + "5691": "Undefined Access (no effect) Bit 11" + "5692": "Undefined Access (no effect) Bit 12" + "5693": "Undefined Access (no effect) Bit 13" + "5694": "Undefined Access (no effect) Bit 14" + "5695": "Undefined Access (no effect) Bit 15" + "5696": "KeyedEvent Wait" + "5697": "KeyedEvent Wake" + "5698": "Undefined Access (no effect) Bit 2" + "5699": "Undefined Access (no effect) Bit 3" + "5700": "Undefined Access (no effect) Bit 4" + "5701": "Undefined Access (no effect) Bit 5" + "5702": "Undefined Access (no effect) Bit 6" + "5703": "Undefined Access (no effect) Bit 7" + "5704": "Undefined Access (no effect) Bit 8" + "5705": "Undefined Access (no effect) Bit 9" + "5706": "Undefined Access (no effect) Bit 10" + "5707": "Undefined Access (no effect) Bit 11" + "5708": "Undefined Access (no effect) Bit 12" + "5709": "Undefined Access (no effect) Bit 13" + "5710": "Undefined Access (no effect) Bit 14" + "5711": "Undefined Access (no effect) Bit 15" + "6656": "Enumerate desktops" + "6657": "Read attributes" + "6658": "Access Clipboard" + "6659": "Create desktop" + "6660": "Write attributes" + "6661": "Access global atoms" + "6662": "Exit windows" + "6663": "Unused Access Flag" + "6664": "Include this windowstation in enumerations" + "6665": "Read screen" + "6672": "Read Objects" + "6673": "Create window" + "6674": "Create menu" + "6675": "Hook control" + "6676": "Journal (record)" + "6677": "Journal (playback)" + "6678": "Include this desktop in enumerations" + "6679": "Write objects" + "6680": "Switch to this desktop" + "6912": "Administer 
print server"
+ "6913": "Enumerate printers"
+ "6930": "Full Control"
+ "6931": "Print"
+ "6948": "Administer Document"
+ "7168": "Connect to service controller"
+ "7169": "Create a new service"
+ "7170": "Enumerate services"
+ "7171": "Lock service database for exclusive access"
+ "7172": "Query service database lock state"
+ "7173": "Set last-known-good state of service database"
+ "7184": "Query service configuration information"
+ "7185": "Set service configuration information"
+ "7186": "Query status of service"
+ "7187": "Enumerate dependencies of service"
+ "7188": "Start the service"
+ "7189": "Stop the service"
+ "7190": "Pause or continue the service"
+ "7191": "Query information from service"
+ "7192": "Issue service-specific control commands"
+ "7424": "DDE Share Read"
+ "7425": "DDE Share Write"
+ "7426": "DDE Share Initiate Static"
+ "7427": "DDE Share Initiate Link"
+ "7428": "DDE Share Request"
+ "7429": "DDE Share Advise"
+ "7430": "DDE Share Poke"
+ "7431": "DDE Share Execute"
+ "7432": "DDE Share Add Items"
+ "7433": "DDE Share List Items"
+ "7680": "Create Child"
+ "7681": "Delete Child"
+ "7682": "List Contents"
+ "7683": "Write Self"
+ "7684": "Read Property"
+ "7685": "Write Property"
+ "7686": "Delete Tree"
+ "7687": "List Object"
+ "7688": "Control Access"
+ "7689": "Undefined Access (no effect) Bit 9"
+ "7690": "Undefined Access (no effect) Bit 10"
+ "7691": "Undefined Access (no effect) Bit 11"
+ "7692": "Undefined Access (no effect) Bit 12"
+ "7693": "Undefined Access (no effect) Bit 13"
+ "7694": "Undefined Access (no effect) Bit 14"
+ "7695": "Undefined Access (no effect) Bit 15"
+ "7936": "Audit Set System Policy"
+ "7937": "Audit Query System Policy"
+ "7938": "Audit Set Per User Policy"
+ "7939": "Audit Query Per User Policy"
+ "7940": "Audit Enumerate Users"
+ "7941": "Audit Set Options"
+ "7942": "Audit Query Options"
+ "8064": "Port sharing (read)"
+ "8065": "Port sharing (write)"
+ "8096": "Default credentials"
+ "8097": 
"Credentials manager"
+ "8098": "Fresh credentials"
+ "8192": "Kerberos"
+ "8193": "Preshared key"
+ "8194": "Unknown authentication"
+ "8195": "DES"
+ "8196": "3DES"
+ "8197": "MD5"
+ "8198": "SHA1"
+ "8199": "Local computer"
+ "8200": "Remote computer"
+ "8201": "No state"
+ "8202": "Sent first (SA) payload"
+ "8203": "Sent second (KE) payload"
+ "8204": "Sent third (ID) payload"
+ "8205": "Initiator"
+ "8206": "Responder"
+ "8207": "No state"
+ "8208": "Sent first (SA) payload"
+ "8209": "Sent final payload"
+ "8210": "Complete"
+ "8211": "Unknown"
+ "8212": "Transport"
+ "8213": "Tunnel"
+ "8214": "IKE/AuthIP DoS prevention mode started"
+ "8215": "IKE/AuthIP DoS prevention mode stopped"
+ "8216": "Enabled"
+ "8217": "Not enabled"
+ "8218": "No state"
+ "8219": "Sent first (EM attributes) payload"
+ "8220": "Sent second (SSPI) payload"
+ "8221": "Sent third (hash) payload"
+ "8222": "IKEv1"
+ "8223": "AuthIP"
+ "8224": "Anonymous"
+ "8225": "NTLM V2"
+ "8226": "CGA"
+ "8227": "Certificate"
+ "8228": "SSL"
+ "8229": "None"
+ "8230": "DH group 1"
+ "8231": "DH group 2"
+ "8232": "DH group 14"
+ "8233": "DH group ECP 256"
+ "8234": "DH group ECP 384"
+ "8235": "AES-128"
+ "8236": "AES-192"
+ "8237": "AES-256"
+ "8238": "Certificate ECDSA P256"
+ "8239": "Certificate ECDSA P384"
+ "8240": "SSL ECDSA P256"
+ "8241": "SSL ECDSA P384"
+ "8242": "SHA 256"
+ "8243": "SHA 384"
+ "8244": "IKEv2"
+ "8245": "EAP payload sent"
+ "8246": "Authentication payload sent"
+ "8247": "EAP"
+ "8248": "DH group 24"
+ "8272": "System"
+ "8273": "Logon/Logoff"
+ "8274": "Object Access"
+ "8275": "Privilege Use"
+ "8276": "Detailed Tracking"
+ "8277": "Policy Change"
+ "8278": "Account Management"
+ "8279": "DS Access"
+ "8280": "Account Logon"
+ "8448": "Success removed"
+ "8449": "Success Added"
+ "8450": "Failure removed"
+ "8451": "Failure Added"
+ "8452": "Success include removed"
+ "8453": "Success include added"
+ "8454": "Success exclude removed"
+ "8455": "Success exclude added"
+ "8456": "Failure include removed"
+ "8457": "Failure include added"
+ "8458": "Failure exclude removed"
+ "8459": "Failure exclude added"
+ "12288": "Security State Change"
+ "12289": "Security System Extension"
+ "12290": "System Integrity"
+ "12291": "IPsec Driver"
+ "12292": "Other System Events"
+ "12544": "Logon"
+ "12545": "Logoff"
+ "12546": "Account Lockout"
+ "12547": "IPsec Main Mode"
+ "12548": "Special Logon"
+ "12549": "IPsec Quick Mode"
+ "12550": "IPsec Extended Mode"
+ "12551": "Other Logon/Logoff Events"
+ "12552": "Network Policy Server"
+ "12553": "User / Device Claims"
+ "12554": "Group Membership"
+ "12800": "File System"
+ "12801": "Registry"
+ "12802": "Kernel Object"
+ "12803": "SAM"
+ "12804": "Other Object Access Events"
+ "12805": "Certification Services"
+ "12806": "Application Generated"
+ "12807": "Handle Manipulation"
+ "12808": "File Share"
+ "12809": "Filtering Platform Packet Drop"
+ "12810": "Filtering Platform Connection"
+ "12811": "Detailed File Share"
+ "12812": "Removable Storage"
+ "12813": "Central Policy Staging"
+ "13056": "Sensitive Privilege Use"
+ "13057": "Non Sensitive Privilege Use"
+ "13058": "Other Privilege Use Events"
+ "13312": "Process Creation"
+ "13313": "Process Termination"
+ "13314": "DPAPI Activity"
+ "13315": "RPC Events"
+ "13316": "Plug and Play Events"
+ "13317": "Token Right Adjusted Events"
+ "13568": "Audit Policy Change"
+ "13569": "Authentication Policy Change"
+ "13570": "Authorization Policy Change"
+ "13571": "MPSSVC Rule-Level Policy Change"
+ "13572": "Filtering Platform Policy Change"
+ "13573": "Other Policy Change Events"
+ "13824": "User Account Management"
+ "13825": "Computer Account Management"
+ "13826": "Security Group Management"
+ "13827": "Distribution Group Management"
+ "13828": "Application Group Management"
+ "13829": "Other Account Management Events"
+ "14080": "Directory Service Access"
+ "14081": "Directory Service Changes"
+ "14082": "Directory Service Replication"
+
"14083": "Detailed Directory Service Replication"
+ "14336": "Credential Validation"
+ "14337": "Kerberos Service Ticket Operations"
+ "14338": "Other Account Logon Events"
+ "14339": "Kerberos Authentication Service"
+ "14592": "Inbound"
+ "14593": "Outbound"
+ "14594": "Forward"
+ "14595": "Bidirectional"
+ "14596": "IP Packet"
+ "14597": "Transport"
+ "14598": "Forward"
+ "14599": "Stream"
+ "14600": "Datagram Data"
+ "14601": "ICMP Error"
+ "14602": "MAC 802.3"
+ "14603": "MAC Native"
+ "14604": "vSwitch"
+ "14608": "Resource Assignment"
+ "14609": "Listen"
+ "14610": "Receive/Accept"
+ "14611": "Connect"
+ "14612": "Flow Established"
+ "14614": "Resource Release"
+ "14615": "Endpoint Closure"
+ "14616": "Connect Redirect"
+ "14617": "Bind Redirect"
+ "14624": "Stream Packet"
+ "14640": "ICMP Echo-Request"
+ "14641": "vSwitch Ingress"
+ "14642": "vSwitch Egress"
+ "14672": ""
+ "14673": "[NULL]"
+ "14674": "Value Added"
+ "14675": "Value Deleted"
+ "14676": "Active Directory Domain Services"
+ "14677": "Active Directory Lightweight Directory Services"
+ "14678": "Yes"
+ "14679": "No"
+ "14680": "Value Added With Expiration Time"
+ "14681": "Value Deleted With Expiration Time"
+ "14688": "Value Auto Deleted With Expiration Time"
+ "16384": "Add"
+ "16385": "Delete"
+ "16386": "Boot-time"
+ "16387": "Persistent"
+ "16388": "Not persistent"
+ "16389": "Block"
+ "16390": "Permit"
+ "16391": "Callout"
+ "16392": "MD5"
+ "16393": "SHA-1"
+ "16394": "SHA-256"
+ "16395": "AES-GCM 128"
+ "16396": "AES-GCM 192"
+ "16397": "AES-GCM 256"
+ "16398": "DES"
+ "16399": "3DES"
+ "16400": "AES-128"
+ "16401": "AES-192"
+ "16402": "AES-256"
+ "16403": "Transport"
+ "16404": "Tunnel"
+ "16405": "Responder"
+ "16406": "Initiator"
+ "16407": "AES-GMAC 128"
+ "16408": "AES-GMAC 192"
+ "16409": "AES-GMAC 256"
+ "16416": "AuthNoEncap Transport"
+ "16896": "Enable WMI Account"
+ "16897": "Execute Method"
+ "16898": "Full Write"
+ "16899": "Partial Write"
+ "16900": "Provider Write"
+
"16901": "Remote Access"
+ "16902": "Subscribe"
+ "16903": "Publish"
+ AccessMaskDescriptions:
+ "0x00000001": Create Child
+ "0x00000002": Delete Child
+ "0x00000004": List Contents
+ "0x00000008": SELF
+ "0x00000010": Read Property
+ "0x00000020": Write Property
+ "0x00000040": Delete Treee
+ "0x00000080": List Object
+ "0x00000100": Control Access
+ "0x00010000": DELETE
+ "0x00020000": READ_CONTROL
+ "0x00040000": WRITE_DAC
+ "0x00080000": WRITE_OWNER
+ "0x00100000": SYNCHRONIZE
+ "0x00F00000": STANDARD_RIGHTS_REQUIRED
+ "0x001F0000": STANDARD_RIGHTS_ALL
+ "0x0000FFFF": SPECIFIC_RIGHTS_ALL
+ "0x01000000": ADS_RIGHT_ACCESS_SYSTEM_SECURITY
+ "0x10000000": ADS_RIGHT_GENERIC_ALL
+ "0x20000000": ADS_RIGHT_GENERIC_EXECUTE
+ "0x40000000": ADS_RIGHT_GENERIC_WRITE
+ "0x80000000": ADS_RIGHT_GENERIC_READ
+ source: |-
+ if (ctx?.winlog?.event_data?.FailureReason != null) {
+ def code = ctx.winlog.event_data.FailureReason.replace("%%","");
+ if (params.descriptions.containsKey(code)) {
+ if (ctx?.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx?.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("reason", params.descriptions[code]);
+ }
+ }
+ if (ctx?.winlog?.event_data?.AuditPolicyChanges != null) {
+ ArrayList results = new ArrayList();
+ for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) {
+ def code = elem.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+ results.add(params.descriptions[code]);
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AuditPolicyChangesDescription", results);
+ }
+ }
+ if (ctx?.winlog?.event_data?.AccessList != null) {
+ ArrayList results = new ArrayList();
+ for (elem in ctx.winlog.event_data.AccessList.splitOnToken(" ")) {
+ def code = elem.replace("%%","").trim();
+ if (params.descriptions.containsKey(code)) {
+
results.add(params.descriptions[code]);
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AccessListDescription", results);
+ }
+ }
+ if (ctx?.winlog?.event_data?.AccessMask != null) {
+ ArrayList results = new ArrayList();
+ Long accessMask = Long.decode(ctx.winlog.event_data.AccessMask);
+ for (entry in params.AccessMaskDescriptions.entrySet()) {
+ Long accessFlag = Long.decode(entry.getKey());
+ if ((accessMask.longValue() & accessFlag.longValue()) == accessFlag.longValue()) {
+ results.add(entry.getValue());
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AccessMaskDescription", results);
+ }
+ }
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: 4625 and 4776 Set Status and SubStatus
+ description: 4625 and 4776 Set Status and SubStatus
+ # Descriptions of failure status codes.
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
+ params:
+ "0xc000005e": "There are currently no logon servers available to service the logon request."
+ "0xc0000064": "User logon with misspelled or bad user account"
+ "0xc000006a": "User logon with misspelled or bad password"
+ "0xc000006d": "This is either due to a bad username or authentication information"
+ "0xc000006e": "Unknown user name or bad password."
+ "0xc000006f": "User logon outside authorized hours"
+ "0xc0000070": "User logon from unauthorized workstation"
+ "0xc0000071": "User logon with expired password"
+ "0xc0000072": "User logon to account disabled by administrator"
+ "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation."
+ "0xc0000133": "Clocks between DC and other computer too far out of sync"
+ "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine"
+ "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed."
+ "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started."
+ "0xc0000193": "User logon with expired account"
+ "0xc0000224": "User is required to change password at next logon"
+ "0xc0000225": "Evidently a bug in Windows and not a risk"
+ "0xc0000234": "User logon with account locked"
+ "0xc00002ee": "Failure Reason: An Error occurred during Logon"
+ "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine."
+ "0xc0000371": "The local account store does not contain secret material for the specified account"
+ "0x0": "Status OK."
+ source: |-
+ if (ctx?.winlog?.event_data?.Status == null ||
+ ctx?.event?.code == null ||
+ !["4625", "4776"].contains(ctx.event.code)) {
+ return;
+ }
+ if (params.containsKey(ctx.winlog.event_data.Status)) {
+ if (ctx?.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx?.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]);
+ }
+ if (ctx?.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) {
+ return;
+ }
+ if (ctx?.winlog?.logon == null ) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ if (ctx?.winlog?.logon?.failure == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.logon.put("failure", hm);
+ }
+ ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]);
+ - script:
+ lang: painless
+ ignore_failure: false
+
tag: Set Trust Type
+ description: Set Trust Type
+ # Trust Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "1": "TRUST_TYPE_DOWNLEVEL"
+ "2": "TRUST_TYPE_UPLEVEL"
+ "3": "TRUST_TYPE_MIT"
+ "4": "TRUST_TYPE_DCE"
+ source: |-
+ if (ctx?.winlog?.event_data?.TdoType == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoType)) {
+ return;
+ }
+ ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Direction
+ description: Set Trust Direction
+ # Trust Direction
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "0": "TRUST_DIRECTION_DISABLED"
+ "1": "TRUST_DIRECTION_INBOUND"
+ "2": "TRUST_DIRECTION_OUTBOUND"
+ "3": "TRUST_DIRECTION_BIDIRECTIONAL"
+ source: |-
+ if (ctx?.winlog?.event_data?.TdoDirection == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) {
+ return;
+ }
+ ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Trust Attributes
+ description: Set Trust Attributes
+ # Trust Attributes
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ params:
+ "0": "UNDEFINED"
+ "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE"
+ "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY"
+ "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN"
+ "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE"
+ "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION"
+ "32": "TRUST_ATTRIBUTE_WITHIN_FOREST"
+ "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL"
+ "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION"
+ "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION"
+ "1024": "TRUST_ATTRIBUTE_PIM_TRUST"
+ source: |-
+ if (ctx?.winlog?.event_data?.TdoAttributes == null) {
+ return;
+ }
+ if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) {
+ return;
+ }
+
ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Add Session Events
+ description: Add Session Events
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4778", "4779"].contains(ctx.event.code)) {
+ return;
+ }
+ //AccountName to user.name and related.user
+ if (ctx?.winlog?.event_data?.AccountName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.event_data.AccountName);
+ if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) {
+ ctx.related.user.add(ctx.winlog.event_data.AccountName);
+ }
+ }
+
+ //AccountDomain to user.domain
+ if (ctx?.winlog?.event_data?.AccountDomain != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.event_data.AccountDomain);
+ }
+
+ //ClientAddress to source.ip and related.ip
+ if (ctx?.winlog?.event_data?.ClientAddress != null &&
+ ctx.winlog.event_data.ClientAddress != "-") {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.ip == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("ip", al);
+ }
+ ctx.source.put("ip", ctx.winlog.event_data.ClientAddress);
+ if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) {
+ ctx.related.ip.add(ctx.winlog.event_data.ClientAddress);
+ }
+ }
+
+ //ClientName to source.domain
+ if (ctx?.winlog?.event_data?.ClientName != null) {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("domain", ctx.winlog.event_data.ClientName);
+ }
+
+
//LogonID to winlog.logon.id
+ if (ctx?.winlog?.event_data?.LogonID != null) {
+ if (ctx?.winlog?.logon == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("logon", hm);
+ }
+ ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User
+ description: Copy Target User
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770",
+ "4771", "4776", "4964"].contains(ctx.event.code)) {
+ return;
+ }
+
+ def targetUserId = ctx?.winlog?.event_data?.TargetUserSid;
+ if (targetUserId == null) {
+ targetUserId = ctx?.winlog?.event_data?.TargetSid;
+ }
+
+ //TargetUserSid to user.id or user.target.id
+ if (targetUserId != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.id == null) {
+ ctx.user.put("id", targetUserId);
+ } else {
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("id", targetUserId);
+ }
+ }
+
+ //TargetUserName to related.user and user.name or user.target.name
+ if (ctx?.winlog?.event_data?.TargetUserName != null) {
+ def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@");
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.name == null) {
+ ctx.user.put("name", tun[0]);
+ } else {
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("name", tun[0]);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(tun[0])) {
+ ctx.related.user.add(tun[0]);
+ }
+ }
+ //TargetUserDomain to user.domain or user.target.domain
+ if (ctx?.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx?.user == null) 
{
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.domain == null) {
+ ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName);
+ } else {
+ if (ctx?.user?.target == null){
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName);
+ }
+ }
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy MemberName to User and User to Group
+ description: Copy MemberName to User and User to Group
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735",
+ "4737", "4744", "4745", "4746", "4747", "4748", "4749", "4750", "4751",
+ "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", "4760",
+ "4761", "4762", "4763", "4764", "4799"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.MemberName != null) {
+ def memberNameParts = ctx.winlog.event_data.MemberName.splitOnToken(",");
+ def memberName = memberNameParts[0].replace("CN=","").replace("cn=","");
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.target == null){
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ ctx.user.target.put("name", memberName);
+ if (!ctx.related.user.contains(memberName)) {
+ ctx.related.user.add(memberName);
+ }
+ if (memberNameParts.length >= 4) {
+ def domain = memberNameParts[3].replace("DC=", "").replace("dc=", "");
+ ctx.user.target.put("domain", domain);
+ }
+ }
+ if (ctx?.winlog?.event_data?.TargetUserSid != null) {
+ if (ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("id", ctx.winlog.event_data.TargetUserSid);
+ }
+ if (ctx?.winlog?.event_data?.TargetSid != null) {
+ if 
(ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("id", ctx.winlog.event_data.TargetSid);
+ }
+ if (ctx?.winlog?.event_data?.TargetUserName != null) {
+ if (ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ ctx.group.put("name", ctx.winlog.event_data.TargetUserName);
+ }
+ if (ctx?.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.put("group", hm);
+ }
+ def domain = ctx.winlog.event_data.TargetDomainName.replace("DC=", "").replace("dc=", "");
+ ctx.group.put("domain", domain);
+ }
+ if (ctx?.user?.target != null) {
+ if (ctx?.user?.target?.group == null) {
+ HashMap hm = new HashMap();
+ ctx.user.target.put("group", hm);
+ }
+ if (ctx?.group?.id != null) {
+ ctx.user.target.group.put("id", ctx.group.id);
+ }
+ if (ctx?.group?.name != null) {
+ ctx.user.target.group.put("name", ctx.group.name);
+ }
+ if (ctx?.group?.domain != null) {
+ ctx.user.target.group.put("domain", ctx.group.domain);
+ }
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Computer Object
+ description: Copy Target User to Computer Object
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4741", "4742", "4743"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.TargetSid != null) {
+ if (ctx?.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid);
+ }
+ if (ctx?.winlog?.event_data?.TargetUserName != null) {
+ if (ctx?.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+ }
+ ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName);
+ }
+ if (ctx?.winlog?.event_data?.TargetDomainName != null) {
+ if (ctx?.winlog?.computerObject == null) {
+ HashMap hm = new HashMap();
+ ctx.winlog.put("computerObject", hm);
+
}
+ ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName);
+ }
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.event_data.TargetLogonId
+ ignore_failure: false
+ if: ctx?.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code)
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Subject User from Event Data
+ description: Copy Subject User from Event Data
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4657", "4670", "4672", "4673", "4674", "4688", "4689", "4697",
+ "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713",
+ "4716", "4717", "4718", "4719", "4720", "4722", "4723", "4724",
+ "4725", "4726", "4727", "4728", "4729", "4730", "4731", "4732",
+ "4733", "4734", "4735", "4737", "4738", "4739", "4740", "4741",
+ "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749",
+ "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757",
+ "4758", "4759", "4760", "4761", "4762", "4763", "4764", "4767",
+ "4781", "4798", "4799", "4817", "4904", "4905", "4907", "4912",
+ "4648"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.SubjectUserSid != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid);
+ }
+ if (ctx?.winlog?.event_data?.SubjectUserName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.event_data.SubjectUserName);
+ if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) {
+ ctx.related.user.add(ctx.winlog.event_data.SubjectUserName);
+ }
+ }
+ if (ctx?.winlog?.event_data?.SubjectDomainName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+
ctx.put("user", hm);
+ }
+ ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Target
+ description: Copy Target User to Target
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4670", "4720", "4722", "4723", "4724", "4725",
+ "4726", "4738", "4740", "4767", "4798", "4817",
+ "4907"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.target == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("target", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetSid;
+ if (userId != null && userId != "" && userId != "-") ctx.user.target.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.target.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.target.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.target.name)) {
+ ctx.related.user.add(ctx.user.target.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.target.domain = userDomain;
+ if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove("target");
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Target User to Effective
+ description: Copy Target User to Effective
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4648", "4688"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.user?.effective == null) {
+ HashMap hm = new HashMap();
+ ctx.user.put("effective", hm);
+ }
+ def userId = ctx?.winlog?.event_data?.TargetUserSid;
+ if (userId != null && 
userId != "" && userId != "-") ctx.user.effective.id = userId;
+ def userName = ctx?.winlog?.event_data?.TargetUserName;
+ if (userName != null && userName != "" && userName != "-") {
+ ctx.user.effective.name = userName;
+ def parts = userName.splitOnToken("@");
+ if (parts.length > 1) {
+ ctx.user.effective.name = parts[0];
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ if (!ctx.related.user.contains(ctx.user.effective.name)) {
+ ctx.related.user.add(ctx.user.effective.name);
+ }
+ }
+ def userDomain = ctx?.winlog?.event_data?.TargetDomainName;
+ if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.effective.domain = userDomain;
+ if (ctx.user?.effective != null && ctx.user.effective.size() == 0) ctx.user.remove("effective");
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Copy Subject User from user_data
+ description: Copy Subject User from user_data
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["1102"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.user_data?.SubjectUserSid != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid);
+ }
+ if (ctx?.winlog?.user_data?.SubjectUserName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ if (ctx?.related?.user == null) {
+ ArrayList al = new ArrayList();
+ ctx.related.put("user", al);
+ }
+ ctx.user.put("name", ctx.winlog.user_data.SubjectUserName);
+ if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) {
+ ctx.related.user.add(ctx.winlog.user_data.SubjectUserName);
+ }
+ }
+ if (ctx?.winlog?.user_data?.SubjectDomainName != null) {
+ if (ctx?.user == null) {
+ HashMap hm = new HashMap();
+ ctx.put("user", hm);
+ }
+ ctx.user.put("domain", 
ctx.winlog.user_data.SubjectDomainName);
+ }
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.event_data.SubjectLogonId
+ ignore_failure: true
+
+ - set:
+ field: winlog.logon.id
+ copy_from: winlog.user_data.SubjectLogonId
+ ignore_failure: true
+ if: |-
+ ctx?.event?.code != null &&
+ ["1102"].contains(ctx.event.code)
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Rename Common Auth Fields
+ description: Rename Common Auth Fields
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625",
+ "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722",
+ "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730",
+ "4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740",
+ "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748",
+ "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756",
+ "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764",
+ "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817",
+ "4904", "4905", "4907", "4912"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.ProcessId != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx.winlog.event_data.ProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.ProcessId);
+ ctx.process.put("pid", pid.longValue());
+ } else {
+ ctx.process.put("pid", ctx.winlog.event_data.ProcessId);
+ }
+ ctx.winlog.event_data.remove("ProcessId");
+ }
+ if (ctx?.winlog?.event_data?.ProcessName != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ ctx.process.put("executable", ctx.winlog.event_data.ProcessName);
+ ctx.winlog.event_data.remove("ProcessName");
+ }
+ if (ctx?.winlog?.event_data?.IpAddress != null &&
+ ctx.winlog.event_data.IpAddress != "-") {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+
ctx.source.put("ip", ctx.winlog.event_data.IpAddress);
+ ctx.winlog.event_data.remove("IpAddress");
+ }
+ if (ctx?.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort));
+ ctx.winlog.event_data.remove("IpPort");
+ }
+ if (ctx?.winlog?.event_data?.WorkstationName != null) {
+ if (ctx?.source == null) {
+ HashMap hm = new HashMap();
+ ctx.put("source", hm);
+ }
+ ctx.source.put("domain", ctx.winlog.event_data.WorkstationName);
+ ctx.winlog.event_data.remove("WorkstationName");
+ }
+ if (ctx?.winlog?.event_data?.ClientAddress != null &&
+ ctx.winlog.event_data.ClientAddress != "-") {
+ if (ctx?.related == null) {
+ HashMap hm = new HashMap();
+ ctx.put("related", hm);
+ }
+ ctx.related.put("ip", ctx.winlog.event_data.ClientAddress);
+ ctx.winlog.event_data.remove("ClientAddress");
+ }
+ if (ctx?.process?.name == null && ctx?.process?.executable != null) {
+ def parts = ctx.process.executable.splitOnToken("\\");
+ ctx.process.put("name", parts[-1]);
+ }
+
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Process Event 4688
+ description: Process Event 4688
+ source: |-
+ if (ctx?.event?.code == null ||
+ !["4688"].contains(ctx.event.code)) {
+ return;
+ }
+ if (ctx?.winlog?.event_data?.NewProcessId != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx.winlog.event_data.NewProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.NewProcessId);
+ ctx.process.put("pid", pid.longValue());
+ } else {
+ ctx.process.put("pid", ctx.winlog.event_data.NewProcessId);
+ }
+ ctx.winlog.event_data.remove("NewProcessId");
+ }
+ if (ctx?.winlog?.event_data?.NewProcessName != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ ctx.process.put("executable", 
ctx.winlog.event_data.NewProcessName); + ctx.winlog.event_data.remove("NewProcessName"); + } + if (ctx?.winlog?.event_data?.ParentProcessName != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx?.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + ctx.process.parent.put("executable", ctx.winlog.event_data.ParentProcessName); + ctx.winlog.event_data.remove("ParentProcessName"); + } + if (ctx?.process?.name == null && ctx?.process?.executable != null) { + def parts = ctx.process.executable.splitOnToken("\\"); + ctx.process.put("name", parts[-1]); + } + if (ctx?.process?.parent?.name == null && ctx?.process?.parent?.executable != null) { + def parts = ctx.process.parent.executable.splitOnToken("\\"); + ctx.process.parent.put("name", parts[-1]); + } + if (ctx?.winlog?.event_data?.CommandLine != null) { + int start = 0; + int end = 0; + boolean in_quote = false; + ArrayList al = new ArrayList(); + for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) { + end = i; + if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) { + if (in_quote) { + in_quote = false; + } else { + in_quote = true; + } + } + if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end)); + start = i + 1; + } + if (i == ctx.winlog.event_data.CommandLine.length() - 1) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1)); + } + } + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("args", al); + ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); + } + if ((ctx?.winlog?.event_data?.TargetUserName != null) && + (!ctx.winlog.event_data.TargetUserName.equals("-"))) { + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if 
(ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) { + ctx.related.user.add(ctx.winlog.event_data.TargetUserName); + } + } + + - append: + field: related.user + value: '{{winlog.event_data.SubjectUserName}}' + allow_duplicates: false + if: |- + ctx?.event?.code != null && + ["4624", "4648"].contains(ctx.event.code) && + ctx?.winlog?.event_data?.SubjectUserName != null && + ctx.winlog.event_data.SubjectUserName != "-" + + - append: + field: related.user + value: '{{winlog.event_data.TargetUserName}}' + allow_duplicates: false + if: |- + ctx?.event?.code != null && + ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738", + "4740", "4767", "4798"].contains(ctx.event.code) && + ctx?.winlog?.event_data?.TargetUserName != null && + ctx.winlog.event_data.TargetUserName != "-" + + - split: + field: winlog.event_data.PrivilegeList + separator: "\\s+" + if: |- + ctx?.event?.code != null && + ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) && + ctx?.winlog?.event_data?.PrivilegeList != null + + - set: + field: user.target.name + copy_from: winlog.event_data.OldTargetUserName + ignore_empty_value: true + + - set: + field: user.changes.name + copy_from: winlog.event_data.NewTargetUserName + ignore_empty_value: true + + - append: + field: related.user + value: '{{winlog.event_data.NewTargetUserName}}' + allow_duplicates: false + if: |- + ctx?.winlog?.event_data?.NewTargetUserName != null && + ctx.winlog.event_data.NewTargetUserName != "-" + + - append: + field: related.user + value: '{{winlog.event_data.OldTargetUserName}}' + allow_duplicates: false + if: |- + ctx?.winlog?.event_data?.OldTargetUserName != null && + ctx.winlog.event_data.OldTargetUserName != "-" + + + - script: + lang: painless + ignore_failure: false + tag: Object Policy Change and SidListDesc + description: Object Policy Change and SidListDesc + # SDDL Ace 
Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 + # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 + # SDDL Permissions + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 + # Known SIDs + # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems + # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings + # Domain-specific SIDs + # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems + # Object Permission Flags + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b + params: + AccountSIDDescription: + AO: Account operators + RU: Alias to allow previous Windows 2000 + AN: Anonymous logon + AU: Authenticated users + BA: Built-in administrators + BG: Built-in guests + BO: Backup operators + BU: Built-in users + CA: Certificate server administrators + CG: Creator group + CO: Creator owner + DA: Domain administrators + DC: Domain computers + DD: Domain controllers + DG: Domain guests + DU: Domain users + EA: Enterprise administrators + ED: Enterprise domain controllers + WD: Everyone + PA: Group Policy administrators + IU: Interactively logged-on user + LA: Local administrator + LG: Local guest + LS: Local service account + SY: Local system + NU: Network logon user + NO: Network configuration operators + NS: Network service account + PO: Printer operators + PS: Personal self + PU: Power users + RS: RAS servers group + RD: Terminal server users + RE: Replicator + RC: Restricted code + SA: Schema administrators + SO: Server operators + SU: Service logon user + S-1-0: 
Null Authority + S-1-0-0: Nobody + S-1-1: World Authority + S-1-1-0: Everyone + S-1-16-0: Untrusted Mandatory Level + S-1-16-12288: High Mandatory Level + S-1-16-16384: System Mandatory Level + S-1-16-20480: Protected Process Mandatory Level + S-1-16-28672: Secure Process Mandatory Level + S-1-16-4096: Low Mandatory Level + S-1-16-8192: Medium Mandatory Level + S-1-16-8448: Medium Plus Mandatory Level + S-1-2: Local Authority + S-1-2-0: Local + S-1-2-1: Console Logon + S-1-3: Creator Authority + S-1-3-0: Creator Owner + S-1-3-1: Creator Group + S-1-3-2: Creator Owner Server + S-1-3-3: Creator Group Server + S-1-3-4: Owner Rights + S-1-4: Non-unique Authority + S-1-5: NT Authority + S-1-5-1: Dialup + S-1-5-10: Principal Self + S-1-5-11: Authenticated Users + S-1-5-12: Restricted Code + S-1-5-13: Terminal Server Users + S-1-5-14: Remote Interactive Logon + S-1-5-15: This Organization + S-1-5-17: This Organization + S-1-5-18: Local System + S-1-5-19: NT Authority + S-1-5-2: Network + S-1-5-20: NT Authority + S-1-5-3: Batch + S-1-5-32-544: Administrators + S-1-5-32-545: Users + S-1-5-32-546: Guests + S-1-5-32-547: Power Users + S-1-5-32-548: Account Operators + S-1-5-32-549: Server Operators + S-1-5-32-550: Print Operators + S-1-5-32-551: Backup Operators + S-1-5-32-552: Replicators + S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access + S-1-5-32-555: Builtin\Remote Desktop Users + S-1-5-32-556: Builtin\Network Configuration Operators + S-1-5-32-557: Builtin\Incoming Forest Trust Builders + S-1-5-32-558: Builtin\Performance Monitor Users + S-1-5-32-559: Builtin\Performance Log Users + S-1-5-32-560: Builtin\Windows Authorization Access Group + S-1-5-32-561: Builtin\Terminal Server License Servers + S-1-5-32-562: Builtin\Distributed COM Users + S-1-5-32-569: Builtin\Cryptographic Operators + S-1-5-32-573: Builtin\Event Log Readers + S-1-5-32-574: Builtin\Certificate Service DCOM Access + S-1-5-32-575: Builtin\RDS Remote Access Servers + S-1-5-32-576: Builtin\RDS 
Endpoint Servers + S-1-5-32-577: Builtin\RDS Management Servers + S-1-5-32-578: Builtin\Hyper-V Administrators + S-1-5-32-579: Builtin\Access Control Assistance Operators + S-1-5-32-580: Builtin\Remote Management Users + S-1-5-32-582: Storage Replica Administrators + S-1-5-4: Interactive + S-1-5-5-X-Y: Logon Session + S-1-5-6: Service + S-1-5-64-10: NTLM Authentication + S-1-5-64-14: SChannel Authentication + S-1-5-64-21: Digest Authentication + S-1-5-7: Anonymous + S-1-5-8: Proxy + S-1-5-80: NT Service + S-1-5-80-0: All Services + S-1-5-83-0: NT Virtual Machine\Virtual Machines + S-1-5-9: Enterprise Domain Controllers + S-1-5-90-0: Windows Manager\Windows Manager Group + AceTypes: + A: Access Allowed + D: Access Denied + OA: Object Access Allowed + OD: Object Access Denied + AU: System Audit + AL: System Alarm + OU: System Object Audit + OL: System Object Alarm + ML: System Mandatory Label + SP: Central Policy ID + DomainSpecificSID: + "498": Enterprise Read-only Domain Controllers + "500": Administrator + "501": Guest + "502": KRBTGT + "512": Domain Admins + "513": Domain Users + "514": Domain Guests + "515": Domain Computers + "516": Domain Controllers + "517": Cert Publishers + "518": Schema Admins + "519": Enterprise Admins + "520": Group Policy Creator Owners + "521": Read-only Domain Controllers + "522": Cloneable Domain Controllers + "526": Key Admins + "527": Enterprise Key Admins + "553": RAS and IAS Servers + "571": Allowed RODC Password Replication Group + "572": Denied RODC Password Replication Group + PermissionDescription: + GA: Generic All + GR: Generic Read + GW: Generic Write + GX: Generic Execute + RC: Read Permissions + SD: Delete + WD: Modify Permissions + WO: Modify Owner + RP: Read All Properties + WP: Write All Properties + CC: Create All Child Objects + DC: Delete All Child Objects + LC: List Contents + SW: All Validated + LO: List Object + DT: Delete Subtree + CR: All Extended Rights + FA: File All Access + FR: File Generic Read + FX: FILE 
GENERIC EXECUTE + FW: FILE GENERIC WRITE + KA: KEY ALL ACCESS + KR: KEY READ + KW: KEY WRITE + KX: KEY EXECUTE + PermsFlags: + "0x80000000": 'Generic Read' + "0x4000000": 'Generic Write' + "0x20000000": 'Generic Execute' + "0x10000000": 'Generic All' + "0x02000000": 'Maximum Allowed' + "0x01000000": 'Access System Security' + "0x00100000": 'Syncronize' + "0x00080000": 'Write Owner' + "0x00040000": 'Write DACL' + "0x00020000": 'Read Control' + "0x00010000": 'Delete' + source: |- + ArrayList translatePermissionMask(def mask, def params) { + ArrayList al = new ArrayList(); + Long permCode = Long.decode(mask); + for (entry in params.PermsFlags.entrySet()) { + Long permFlag = Long.decode(entry.getKey()); + if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) { + al.add(entry.getValue()); + } + } + if (al.length == 0) { + al.add(mask); + } + return al; + } + + HashMap translateACL(def dacl, def params) { + def aceArray = dacl.splitOnToken(";"); + HashMap hm = new HashMap(); + + if (aceArray.length >= 6 ) { + hm.put("grantee", translateSID(aceArray[5], params)); + } + + if (aceArray.length >= 1) { + hm.put("type", params.AceTypes[aceArray[0]]); + } + + if (aceArray.length >= 3) { + if (aceArray[2].startsWith("0x")) { + hm.put("perms", translatePermissionMask(aceArray[2], params)); + } else { + ArrayList al = new ArrayList(); + Pattern permPattern = /.{1,2}/; + Matcher permMatcher = permPattern.matcher(aceArray[2]); + while (permMatcher.find()) { + al.add(params.PermissionDescription[permMatcher.group(0)]); + } + hm.put("perms", al); + } + } + return hm; + } + String translateSID(def sid, def params) { + if (!params.AccountSIDDescription.containsKey(sid)) { + if (sid.startsWith("S-1-5-21")) { + Pattern uidPattern = /[0-9]{1,5}$/; + Matcher uidMatcher = uidPattern.matcher(sid); + if (uidMatcher.find()) { + return params.DomainSpecificSID[uidMatcher.group(0)]; + } + return sid; + } + return sid; + } + return params.AccountSIDDescription[sid]; + } + + + 
void enrichSDDL(def sddlStr, def Sd, def params, def ctx) { + Pattern sdOwnerPattern = /^O\:[A-Z]{2}/; + Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr); + if (sdOwnerMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params)); + } + + Pattern sdGroupPattern = /^G\:[A-Z]{2}/; + Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr); + if (sdGroupMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params)); + } + + Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/; + Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr); + if (sdDaclMatcher.find()) { + Pattern dacListPattern = /\([^*\)]*\)/; + Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1)); + for (def i = 0; dacListMatcher.find(); i++) { + def newDacl = translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) { + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newDacl['grantee'])) { + ctx.related.user.add(newDacl['grantee']); + } + } + } + } + + Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/; + Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr); + if (sdSaclMatcher.find()) { + Pattern sacListPattern = /\([^*\)]*\)/; + Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0)); + for (def i = 0; sacListMatcher.find(); i++) { + def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + newSacl['type'] + " (" + newSacl['perms'] + ")"); + if (["Administrator", 
"Guest", "KRBTGT"].contains(newSacl['grantee'])) { + if (ctx?.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newSacl['grantee'])) { + ctx.related.user.add(newSacl['grantee']); + } + } + } + } + } + + void splitSidList(def sids, def params, def ctx) { + ArrayList al = new ArrayList(); + def sidList = sids.splitOnToken(" "); + ctx.winlog.event_data.put("SidList", sidList); + for (def i = 0; i < sidList.length; i++ ) { + al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); + } + ctx.winlog.event_data.put("SidListDesc", al); + } + + if (ctx?.event?.code == null || + !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) { + return; + } + if (ctx?.winlog?.event_data?.OldSd != null) { + enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx); + } + if (ctx?.winlog?.event_data?.NewSd != null) { + enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx); + } + if (ctx?.winlog?.event_data?.SidList != null) { + splitSidList(ctx.winlog.event_data.SidList, params, ctx); + } + +on_failure: + - set: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml index 21f52767978..f6382e7795e 100644 --- a/packages/system/manifest.yml +++ b/packages/system/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: system title: System -version: 1.7.0 +version: 1.8.0 license: basic description: Collect system logs and metrics from your servers with Elastic Agent. type: integration