Splunk EventCode 4662 with ms-Mcs-AdmPwd

LAPS logging and Splunk

Today, we are going to discuss LAPS logging and Splunk integration.

LAPS (Local Administrator Password Solution) is a free tool created by Microsoft. It provides a cost effective password management solution within AD environment. In a nutshell, LAPS generate random and different password for each managed window workstations/member servers. Then, LAPS change the password regularly based on GPO policy and save it into AD LDAP. As a result, LAPS makes lateral movement via Pass-the-Hash (PtH) attack more difficult.

Some small businesses use LAPS as their primary PAM (Privilege account management) solution. However, many organization are using enterprise PAM and LAPS as a hybrid approach. For instance, they choose CyberArk to manage privilege account of servers and LAPS to manage built-in administrator account of workstation.

Although the GPO policy of LAPS should only be applied to local account, we have experienced in some case LAPS change the built-in “Domain Admins” administrator automatically. Make sure you prepare for it. One option to deal with this kind of situation is to preserve an active session, and login a new session to test the credential.

Many authors discussed about setup and configuration of LAPS. The resource are available in INSIDER THREAT SECURITY BLOGIT Connect, RECAST SOFTWARE and SECURITY BOULEVARD. Therefore, we are not going to discuss the basic setup and configuration of LAPS. However, we do have one recommendation which is to ensure the value of “Password Length” is greater than 14 characters. It is because Windows may store LANMAN hash value in memory or even SAM file if the password characters less or equal to 14 characters. 


Configure LAPS logging

In this section, we will discuss how to LAPS logging, which log who access the password of which workstations. You need to execute the following PowerShell on a domain controller, simply replace <OU-of-Computers-to-Audit> with the OU in your organisation:

Set-AdmPwdAuditing -OrgUnit <OU-of-Computers-to-Audit> -AuditedPrincipals:Everyone

After enabled LAPS logging, Event Code 4662 will be generated whenever you retrieve password via LAPS GUI or Get-AdmPwdPassword PowerShell command. For example, below is sample Event ID 4662 indicating user SOCTEST1\Administrator retrieve the password of workstation WIN10-1:

An operation was performed on an object.
Subject :
	Security ID:		SOCTEST1\Administrator
	Account Name:		Administrator
	Account Domain:		SOCTEST1
	Logon ID:		0x5DC20
	Object Server:		DS
	Object Type:		computer
	Object Name:		CN=WIN10-1,OU=Computers_OU,DC=soctest,DC=loc
	Handle ID:		0x0
	Operation Type:		Object Access
	Accesses:		Control Access
	Access Mask:		0x100
	Properties:		Control Access
		Default Property Set
Additional Information:
	Parameter 1:		-
	Parameter 2:

When I try to search it in Splunk, nothing comes out!! According to Splunk, Event Code 4662 is too noisy, and Splunk gives an example to filter all Event Code 4662. I realize I use the sample inputs.conf from Splunk. Below is snippet of default inputs.conf.

disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"

It took me a couple of days trying many combination of inputs.conf, and finally I figure out the correct syntax.

blacklist1 = EventCode="4662" Message="(Object Type:(?!\s*groupPolicyContainer))[\s\S]*(Properties:(?![\s\S]*Default Property Set))"

Next step we can setup and monitor these privilege account usage. Enjoy it!

Similar Posts


Your email address will not be published. Required fields are marked *