Splunk EventCode 4662 with ms-Mcs-AdmPwd

LAPS logging and Splunk

Today, we are going to discuss LAPS logging and Splunk integration.

LAPS (Local Administrator Password Solution) is a free tool from Microsoft. It provides a cost-effective password management solution within an AD environment. In a nutshell, LAPS generates a different random password for each managed Windows workstation or member server, changes it regularly according to the GPO policy, and stores it in AD (LDAP). As a result, LAPS makes lateral movement via Pass-the-Hash (PtH) attacks more difficult.

Some small businesses use LAPS as their primary PAM (Privileged Account Management) solution. However, many organizations use an enterprise PAM product and LAPS together in a hybrid approach. For instance, they choose CyberArk to manage the privileged accounts of servers and LAPS to manage the built-in administrator account of workstations.

Although the LAPS GPO policy should only apply to local accounts, we have experienced cases in which LAPS changed the built-in "Domain Admins" administrator password automatically. Make sure you are prepared for it. One option for dealing with this kind of situation is to preserve an active session and log in with a new session to test the credential.

Many authors have discussed the setup and configuration of LAPS; resources are available from the Insider Threat Security Blog, IT Connect, Recast Software and Security Boulevard. Therefore, we are not going to cover the basic setup and configuration of LAPS here. However, we do have one recommendation: ensure the value of "Password Length" is greater than 14 characters, because Windows may store the LANMAN hash in memory, or even in the SAM file, if the password is 14 characters or shorter.

[Figure: LAPS GPO password complexity setting]

Configure LAPS logging

In this section, we will discuss how to enable LAPS logging, which records who accessed the password of which workstation. Execute the following PowerShell on a domain controller, replacing <OU-of-Computers-to-Audit> with the OU in your organisation:

Set-AdmPwdAuditing -OrgUnit <OU-of-Computers-to-Audit> -AuditedPrincipals:Everyone

After LAPS logging is enabled, Event Code 4662 is generated whenever a password is retrieved via the LAPS GUI or the Get-AdmPwdPassword PowerShell command. For example, below is a sample Event ID 4662 indicating that user SOCTEST1\Administrator retrieved the password of workstation WIN10-1:

An operation was performed on an object.
Subject :
	Security ID:		SOCTEST1\Administrator
	Account Name:		Administrator
	Account Domain:		SOCTEST1
	Logon ID:		0x5DC20
Object:
	Object Server:		DS
	Object Type:		computer
	Object Name:		CN=WIN10-1,OU=Computers_OU,DC=soctest,DC=loc
	Handle ID:		0x0
Operation:
	Operation Type:		Object Access
	Accesses:		Control Access
				
	Access Mask:		0x100
	Properties:		Control Access
		Default Property Set
			ms-Mcs-AdmPwd
	computer
Additional Information:
	Parameter 1:		-
	Parameter 2:

When I tried to search for it in Splunk, nothing came out! According to Splunk, Event Code 4662 is too noisy, and Splunk's documentation gives an example that filters out all Event Code 4662 events. I realized I was using the sample inputs.conf from Splunk. Below is a snippet of that default inputs.conf.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true

It took me a couple of days of trying many combinations of inputs.conf before I figured out the correct syntax. The blacklist below still drops the noisy 4662 events, but keeps those whose Object Type is groupPolicyContainer or whose Properties include the Default Property Set (which is where ms-Mcs-AdmPwd appears in the event above):

blacklist1 = EventCode="4662" Message="(Object Type:(?!\s*groupPolicyContainer))[\s\S]*(Properties:(?![\s\S]*Default Property Set))"
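To check what this blacklist actually keeps and drops before putting it on a forwarder, the following Python script is an added example (not part of the original post and not Splunk's own code) that applies the same regex to constructed 4662 messages laid out like the sample above, and then extracts who retrieved the password of which workstation from the events that survive. It assumes Splunk evaluates the Message regex with unanchored search semantics; the account names, DN values and the GPO GUID are constructed sample values.

```python
import re

# The blacklist1 regex from the post's inputs.conf, reproduced as a Python
# pattern. Splunk evaluates blacklists with PCRE; the lookaheads and [\s\S]
# used here behave the same way in Python's re module.
BLACKLIST_4662 = re.compile(
    r"(Object Type:(?!\s*groupPolicyContainer))[\s\S]*"
    r"(Properties:(?![\s\S]*Default Property Set))"
)

# Field extractors for the parts of a 4662 Message a LAPS audit cares about.
SUBJECT_RE = re.compile(r"Security ID:\s*(\S+)")
OBJECT_RE = re.compile(r"Object Name:\s*(\S+)")


def is_blacklisted(event_code, message):
    """True if the inputs.conf rule would drop this event before indexing.

    Assumption: Splunk matches the Message regex unanchored (search
    semantics), so the rule fires wherever the pattern occurs in the message.
    """
    if event_code != "4662":
        return False
    return BLACKLIST_4662.search(message) is not None


def laps_retrievals(events):
    """Return (who, workstation) for indexed 4662 events that touched ms-Mcs-AdmPwd."""
    hits = []
    for code, msg in events:
        if code != "4662" or is_blacklisted(code, msg):
            continue
        if "ms-Mcs-AdmPwd" not in msg:
            continue
        who = SUBJECT_RE.search(msg).group(1)
        dn = OBJECT_RE.search(msg).group(1)
        cn = re.match(r"CN=([^,]+)", dn)      # workstation name from the DN
        hits.append((who, cn.group(1) if cn else dn))
    return hits


# Constructed sample events in the layout of the 4662 Message shown in the post.
TEMPLATE = (
    "An operation was performed on an object.\n"
    "Subject :\n"
    "    Security ID:        {sid}\n"
    "    Account Name:       {account}\n"
    "Object:\n"
    "    Object Server:      DS\n"
    "    Object Type:        {obj_type}\n"
    "    Object Name:        {obj_name}\n"
    "Operation:\n"
    "    Operation Type:     Object Access\n"
    "    Accesses:           Control Access\n"
    "    Access Mask:        0x100\n"
    "    Properties:         Control Access\n"
    "{properties}\n"
)


def make_event(sid, obj_type, obj_name, properties):
    return TEMPLATE.format(sid=sid, account=sid.split("\\")[-1],
                           obj_type=obj_type, obj_name=obj_name,
                           properties=properties)


SAMPLE_EVENTS = [
    # LAPS password read (mirrors the post's example): must survive the filter.
    ("4662", make_event("SOCTEST1\\Administrator", "computer",
                        "CN=WIN10-1,OU=Computers_OU,DC=soctest,DC=loc",
                        "        Default Property Set\n            ms-Mcs-AdmPwd")),
    # GPO container access: the original Splunk rule already kept these.
    ("4662", make_event("SOCTEST1\\gpoadmin", "groupPolicyContainer",
                        "CN={00000000-0000-0000-0000-000000000000},CN=Policies,"
                        "CN=System,DC=soctest,DC=loc",
                        "        Read Property")),
    # Ordinary directory read of a user object: the noise the rule should drop.
    ("4662", make_event("SOCTEST1\\svc-scanner", "user",
                        "CN=Alice,OU=Users_OU,DC=soctest,DC=loc",
                        "        Read Property")),
    # A non-4662 event is never touched by blacklist1.
    ("4624", "An account was successfully logged on."),
]


def indexed(events):
    """Events that reach the index after the blacklist is applied."""
    return [(c, m) for c, m in events if not is_blacklisted(c, m)]


if __name__ == "__main__":
    for code, msg in SAMPLE_EVENTS:
        print(code, "dropped" if is_blacklisted(code, msg) else "indexed")
    print("LAPS retrievals:", laps_retrievals(SAMPLE_EVENTS))
```

Running it shows the LAPS read and the GPO access indexed, the user-object read dropped, and a single retrieval attributed to SOCTEST1\Administrator on WIN10-1. Because the negative lookahead after Properties: scans the rest of the message, any 4662 event whose property list contains "Default Property Set" is kept, so the same check can be reused to confirm the rule still behaves after a Splunk or LAPS upgrade changes the message layout.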

The next step is to set up monitoring of this privileged account usage. Enjoy!
