LAPS logging and Splunk
Today, we are going to discuss LAPS logging and Splunk integration.
LAPS (Local Administrator Password Solution) is a free tool from Microsoft. It provides a cost-effective password management solution within an AD environment. In a nutshell, LAPS generates a different random password for each managed Windows workstation or member server, rotates that password regularly according to GPO policy, and stores it in AD (LDAP). As a result, LAPS makes lateral movement via Pass-the-Hash (PtH) attacks more difficult, because a hash stolen from one machine no longer works on the others.
Some small businesses use LAPS as their primary PAM (privileged account management) solution. Many organizations, however, take a hybrid approach with an enterprise PAM product and LAPS side by side. For instance, they choose CyberArk to manage privileged accounts on servers and LAPS to manage the built-in administrator account on workstations.
Although the GPO policy of LAPS should only be applied to local accounts, we have experienced in some cases that LAPS changed the built-in “Domain Admins” administrator automatically. Make sure you prepare for it. One option to deal with this kind of situation is to preserve an active session and log in with a new session to test the credential.
Many authors have discussed the setup and configuration of LAPS. Resources are available at INSIDER THREAT SECURITY BLOG, IT Connect, RECAST SOFTWARE and SECURITY BOULEVARD. Therefore, we are not going to discuss the basic setup and configuration of LAPS. We do have one recommendation, however: ensure the value of “Password Length” is greater than 14 characters. This is because Windows may store an LM (LAN Manager) hash in memory, or even in the SAM database, if the password is 14 characters or shorter.
Configure LAPS logging
In this section, we will discuss how to enable LAPS logging, which records who accessed the password of which workstation. Execute the following PowerShell on a domain controller (the cmdlet comes from the AdmPwd.PS module that is installed with the LAPS management tools), replacing <OU-of-Computers-to-Audit> with the OU in your organisation:
Import-Module AdmPwd.PS
Set-AdmPwdAuditing -OrgUnit <OU-of-Computers-to-Audit> -AuditedPrincipals:Everyone
Once LAPS logging is enabled, Event ID 4662 is generated whenever a password is retrieved via the LAPS GUI or the Get-AdmPwdPassword PowerShell cmdlet. For example, below is a sample Event ID 4662 showing user SOCTEST1\Administrator retrieving the password of workstation WIN10-1 (note the ms-Mcs-AdmPwd attribute under Properties, which is what distinguishes a LAPS retrieval from other 4662 events):
An operation was performed on an object.
Subject :
Security ID: SOCTEST1\Administrator
Account Name: Administrator
Account Domain: SOCTEST1
Logon ID: 0x5DC20
Object:
Object Server: DS
Object Type: computer
Object Name: CN=WIN10-1,OU=Computers_OU,DC=soctest,DC=loc
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Control Access
Access Mask: 0x100
Properties: Control Access
Default Property Set
ms-Mcs-AdmPwd
computer
Additional Information:
Parameter 1: -
Parameter 2:
When I tried to search for it in Splunk, nothing came out! According to Splunk, Event Code 4662 is too noisy, and Splunk gives an example that filters out all Event Code 4662 events. I realized I was using the sample inputs.conf from Splunk. Below is a snippet of the default inputs.conf.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true
It took me a couple of days of trying many combinations of inputs.conf, but I finally figured out the correct syntax.
blacklist1 = EventCode="4662" Message="(Object Type:(?!\s*groupPolicyContainer))[\s\S]*(Properties:(?![\s\S]*Default Property Set))"
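To see what the two blacklist regexes above actually do, here is an added Python check (not part of the original post, and not Splunk code) that applies both patterns to three constructed 4662 messages: a LAPS password retrieval modelled on the sample event above, a noisy read of a user object, and a GPO edit. The user name jdoe and the GPO name are made-up placeholders; the negative lookahead and [\s\S] constructs behave the same under Python's re as under Splunk's PCRE-based blacklist matching.

```python
import re

# Regexes copied from the two inputs.conf snippets discussed above.
SPLUNK_DEFAULT_BLACKLIST = r"Object Type:(?!\s*groupPolicyContainer)"
LAPS_AWARE_BLACKLIST = (
    r"(Object Type:(?!\s*groupPolicyContainer))[\s\S]*"
    r"(Properties:(?![\s\S]*Default Property Set))"
)

# Constructed sample 4662 messages, trimmed to the fields the regexes inspect.
LAPS_RETRIEVAL = """Object Type: computer
Object Name: CN=WIN10-1,OU=Computers_OU,DC=soctest,DC=loc
Properties: Control Access
Default Property Set
ms-Mcs-AdmPwd"""

NOISY_USER_READ = """Object Type: user
Object Name: CN=jdoe,OU=Users_OU,DC=soctest,DC=loc
Properties: Read Property
sAMAccountName
user"""

GPO_EDIT = """Object Type: groupPolicyContainer
Object Name: CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=soctest,DC=loc
Properties: Write Property
versionNumber
groupPolicyContainer"""

SAMPLES = [("laps", LAPS_RETRIEVAL), ("noisy", NOISY_USER_READ), ("gpo", GPO_EDIT)]


def is_blacklisted(message: str, pattern: str) -> bool:
    """True if the blacklist regex matches, i.e. Splunk would drop the event."""
    return re.search(pattern, message) is not None


def forwarded_events(messages, pattern):
    """Names of the sample events that survive the given blacklist."""
    return [name for name, msg in messages if not is_blacklisted(msg, pattern)]


if __name__ == "__main__":
    # Default blacklist drops the LAPS retrieval; the LAPS-aware one keeps it
    # while still dropping the noisy user read and keeping GPO edits.
    print("default   :", forwarded_events(SAMPLES, SPLUNK_DEFAULT_BLACKLIST))
    print("laps-aware:", forwarded_events(SAMPLES, LAPS_AWARE_BLACKLIST))
```

The second pattern keeps any 4662 event whose Properties block contains "Default Property Set", so the LAPS retrieval reaches the index while the bulk of attribute reads on users and other objects is still discarded at the forwarder.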
As a next step, we can set up monitoring of this privileged account usage in Splunk, since every LAPS password retrieval now arrives as an Event ID 4662 naming both the requesting account and the target computer. Enjoy!