odd results without adequate description in report. #55

Open
neztach opened this issue Jun 27, 2019 · 4 comments

Comments

@neztach

neztach commented Jun 27, 2019

So I've modified PSWinReporting/Examples/RunMe-Reporting.ps1 to fit my needs, and I'm getting strange results.

First, because I'm not sure how pertinent it is, here's the output of auditpol on my domain controllers:

C:\Windows\system32>auditpol.exe /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     No Auditing
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
  User / Device Claims                    No Auditing
Object Access
  File System                             Success and Failure
  Registry                                Success and Failure
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     Success and Failure
  File Share                              Success and Failure
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     Success and Failure
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 Success and Failure
Detailed Tracking
  Process Creation                        Success and Failure
  Process Termination                     No Auditing
  DPAPI Activity                          Success and Failure
  RPC Events                              No Auditing
  Plug and Play Events                    No Auditing
Policy Change
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         Success
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
  Audit Policy Change                     Success and Failure
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               Success
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure

Under the "AD Computer Changes Detailed" section, I have results that show these things, but I wish there were a more adequate explanation listed:

under Field Value:
TERMSRV/<PC Name> -- Terminal Server?
CmRcService/<PC Name> (directly followed by CmRcService/<PC FQDN>) -- Config Manager Remote Service?
WSMAN/<PC Name> -- Web Services for Management?

Even if I add those to ignore, I'm still left with unclear results:
Action: A directory service object was modified
Field Changed: objectClass
Field Value: 1.2.840.113556.1.3.30 -- Computer?

Action: A directory service object was modified
Field Changed: userAccountControl
Field Value: 4096 (and another for 4098)

Action: A directory service object was modified
Action Details: Value Deleted (followed by another entry that says "Value Added")
Who: NT AUTHORITY\SYSTEM
Field Changed: userCertificate
Field Value: %%14672 -- DNS changes?

Here is my sterilized copy with my modifications (I added a ton of notes to keep track of the Windows events and what they mean).

The last thing I would request is to somehow consolidate all changes that occur when a user is created or deleted. Having a dozen lines to show all the things that were created/modified when a user is created is a little cumbersome to read. I should emphasize I AM NOT COMPLAINING I love the tool and its potential, just a humble request.

@PrzemyslawKlys
Member

Well, I've not spent much time on each and every report and surely all can be optimized. Generally, each and every report has its own definition so no coding is required (unless we want more options). All those 3 definitions below have one thing in common - same EventID, Security Log. Now depending on needs, I'm filtering out stuff based on conditions.

ADComputerChangesDetailed = [ordered] @{
    Enabled = $false
    Events = @{
        Enabled = $true
        Events = 5136, 5137, 5139, 5141
        LogName = 'Security'
        Filter = @{
            'ObjectClass' = 'computer'
        }
        Functions = @{
            'OperationType' = 'ConvertFrom-OperationType'
        }
        Fields = [ordered] @{
            'Computer' = 'Domain Controller'
            'Action' = 'Action'
            'OperationType' = 'Action Detail'
            'Who' = 'Who'
            'Date' = 'When'
            'ObjectDN' = 'Computer Object'
            'AttributeLDAPDisplayName' = 'Field Changed'
            'AttributeValue' = 'Field Value'
            # Common Fields
            'RecordID' = 'Record ID'
            'ID' = 'Event ID'
            'GatheredFrom' = 'Gathered From'
            'GatheredLogName' = 'Gathered LogName'
        }
        SortBy = 'Record ID'
        Descending = $false
        IgnoreWords = @{}
    }
}

Compare this to:

ADOrganizationalUnitChangesDetailed = [ordered] @{
    Enabled = $false
    OUEventsModify = @{
        Enabled = $true
        Events = 5136, 5137, 5139, 5141
        LogName = 'Security'
        Filter = @{
            'ObjectClass' = 'organizationalUnit'
        }
        Functions = @{
            'OperationType' = 'ConvertFrom-OperationType'
        }
        Fields = [ordered] @{
            'Computer' = 'Domain Controller'
            'Action' = 'Action'
            'OperationType' = 'Action Detail'
            'Who' = 'Who'
            'Date' = 'When'
            'ObjectDN' = 'Organizational Unit'
            'AttributeLDAPDisplayName' = 'Field Changed'
            'AttributeValue' = 'Field Value'
            #'OldObjectDN' = 'OldObjectDN'
            #'NewObjectDN' = 'NewObjectDN'
            # Common Fields
            'RecordID' = 'Record ID'
            'ID' = 'Event ID'
            'GatheredFrom' = 'Gathered From'
            'GatheredLogName' = 'Gathered LogName'
        }
        Overwrite = @{
            'Action Detail#1' = 'Action', 'A directory service object was created.', 'Organizational Unit Created'
            'Action Detail#2' = 'Action', 'A directory service object was deleted.', 'Organizational Unit Deleted'
            'Action Detail#3' = 'Action', 'A directory service object was moved.', 'Organizational Unit Moved'
            #'Organizational Unit' = 'Action', 'A directory service object was moved.', 'OldObjectDN'
            #'Field Changed' = 'Action', 'A directory service object was moved.', ''
            #'Field Value' = 'Action', 'A directory service object was moved.', 'NewObjectDN'
        }
        # This Overwrite works in a way where you can swap one value with another value from another field within the same Event.
        # It's useful if you have an event that already has some fields used but empty and you want to utilize them
        # for some content.
        OverwriteByField = @{
            'Organizational Unit' = 'Action', 'A directory service object was moved.', 'OldObjectDN'
            #'Field Changed' = 'Action', 'A directory service object was moved.', ''
            'Field Value' = 'Action', 'A directory service object was moved.', 'NewObjectDN'
        }
        SortBy = 'Record ID'
        Descending = $false
        IgnoreWords = @{}
    }
}

Notice Overwrite/OverwriteByField and how and what they do. Overwrite lets you do If/Else/Then on static values. OverwriteByField is If/Else/Then based on fields rather than a static value. So, for example, it's possible to say: if field Action contains the value 'A directory service object was moved', put the value from OldObjectDN into the field 'Organizational Unit'.

Compare this to:

ADGroupPolicyChanges = [ordered] @{
    Enabled = $false
    'Group Policy Name Changes' = @{
        Enabled = $true
        Events = 5136, 5137, 5141
        LogName = 'Security'
        Filter = @{
            # Filter is special, if there is just one object on the right side
            # If there are more objects filter will pick all values on the right side and display them as required
            'ObjectClass' = 'groupPolicyContainer'
            #'OperationType' = 'Value Added'
            'AttributeLDAPDisplayName' = $null, 'displayName' #, 'versionNumber'
        }
        Functions = @{
            'OperationType' = 'ConvertFrom-OperationType'
        }
        Fields = [ordered] @{
            'RecordID' = 'Record ID'
            'Computer' = 'Domain Controller'
            'Action' = 'Action'
            'Who' = 'Who'
            'Date' = 'When'
            'ObjectDN' = 'ObjectDN'
            'ObjectGUID' = 'ObjectGUID'
            'ObjectClass' = 'ObjectClass'
            'AttributeLDAPDisplayName' = 'AttributeLDAPDisplayName'
            #'AttributeSyntaxOID' = 'AttributeSyntaxOID'
            'AttributeValue' = 'AttributeValue'
            'OperationType' = 'OperationType'
            'OpCorrelationID' = 'OperationCorelationID'
            'AppCorrelationID' = 'OperationApplicationCorrelationID'
            'DSName' = 'DSName'
            'DSType' = 'DSType'
            'Task' = 'Task'
            'Version' = 'Version'
            # Common Fields
            'ID' = 'Event ID'
            'GatheredFrom' = 'Gathered From'
            'GatheredLogName' = 'Gathered LogName'
        }
        SortBy = 'Record ID'
        Descending = $false
        IgnoreWords = @{
        }
    }
    'Group Policy Edits' = @{
        Enabled = $true
        Events = 5136, 5137, 5141
        LogName = 'Security'
        Filter = @{
            # Filter is special, if there is just one object on the right side
            # If there are more objects filter will pick all values on the right side and display them as required
            'ObjectClass' = 'groupPolicyContainer'
            #'OperationType' = 'Value Added'
            'AttributeLDAPDisplayName' = 'versionNumber'
        }
        Functions = @{
            'OperationType' = 'ConvertFrom-OperationType'
        }
        Fields = [ordered] @{
            'RecordID' = 'Record ID'
            'Computer' = 'Domain Controller'
            'Action' = 'Action'
            'Who' = 'Who'
            'Date' = 'When'
            'ObjectDN' = 'ObjectDN'
            'ObjectGUID' = 'ObjectGUID'
            'ObjectClass' = 'ObjectClass'
            'AttributeLDAPDisplayName' = 'AttributeLDAPDisplayName'
            #'AttributeSyntaxOID' = 'AttributeSyntaxOID'
            'AttributeValue' = 'AttributeValue'
            'OperationType' = 'OperationType'
            'OpCorrelationID' = 'OperationCorelationID'
            'AppCorrelationID' = 'OperationApplicationCorrelationID'
            'DSName' = 'DSName'
            'DSType' = 'DSType'
            'Task' = 'Task'
            'Version' = 'Version'
            # Common Fields
            'ID' = 'Event ID'
            'GatheredFrom' = 'Gathered From'
            'GatheredLogName' = 'Gathered LogName'
        }
        SortBy = 'Record ID'
        Descending = $false
        IgnoreWords = @{
        }
    }
    'Group Policy Links' = @{
        Enabled = $true
        Events = 5136, 5137, 5141
        LogName = 'Security'
        Filter = @{
            # Filter is special, if there is just one object on the right side
            # If there are more objects filter will pick all values on the right side and display them as required
            'ObjectClass' = 'domainDNS'
            #'OperationType' = 'Value Added'
            #'AttributeLDAPDisplayName' = 'versionNumber'
        }
        Functions = @{
            'OperationType' = 'ConvertFrom-OperationType'
        }
        Fields = [ordered] @{
            'RecordID' = 'Record ID'
            'Computer' = 'Domain Controller'
            'Action' = 'Action'
            'Who' = 'Who'
            'Date' = 'When'
            'ObjectDN' = 'ObjectDN'
            'ObjectGUID' = 'ObjectGUID'
            'ObjectClass' = 'ObjectClass'
            'AttributeLDAPDisplayName' = 'AttributeLDAPDisplayName'
            #'AttributeSyntaxOID' = 'AttributeSyntaxOID'
            'AttributeValue' = 'AttributeValue'
            'OperationType' = 'OperationType'
            'OpCorrelationID' = 'OperationCorelationID'
            'AppCorrelationID' = 'OperationApplicationCorrelationID'
            'DSName' = 'DSName'
            'DSType' = 'DSType'
            'Task' = 'Task'
            'Version' = 'Version'
            # Common Fields
            'ID' = 'Event ID'
            'GatheredFrom' = 'Gathered From'
            'GatheredLogName' = 'Gathered LogName'
        }
        SortBy = 'Record ID'
        Descending = $false
        IgnoreWords = @{
        }
    }
}

This one is actually 3 different types combined into one report.

Now if you want to debug issues like that, my recommendation would be to take a look at this:

https://github.com/EvotecIT/PSWinReporting/blob/master/Examples/RunMe-FindEventsExtended.ps1

Basically, you tell Find-Events to use $Definitions, $Target, $Times so you don't need to run the whole PSWinReporting to "work" on the report. You can tell it to scan only one server, remove Filters, remove Fields and see what is provided and how you can optimize things. You can play with overwrites and see how they work and based on that you could enhance the report to a degree you're happy with it.

I would be more than happy to get more detailed/better reports out of this :-)

Using Ignore should be your last resort though. It's not really a great implementation.

As for the last request - if you have an idea on how to combine them, I'm all ears :-) I mean, even from a technical perspective, how do you imagine combining 10 events into 1 entry so that it's readable :-) When we have a proposed output we can talk implementation.
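The Overwrite / OverwriteByField rule shape from the definitions above, shown as an added example that is not PSWinReporting's own implementation. It assumes the rule layout visible in the definitions (`'TargetField' = 'ConditionField', 'ConditionValue', 'StaticValue or SourceField'`, with a `#n` suffix only to keep keys unique) and that the condition is a "contains" match, as the comment describes; the two report records are constructed.

```powershell
# Added example (not PSWinReporting's own code): a minimal stand-in for the
# Overwrite / OverwriteByField rules, applied to two constructed report records.
# Assumed rule shape: 'TargetField' = 'ConditionField', 'ConditionValue', 'StaticValue or SourceField'

function Invoke-OverwriteRules {
    param (
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Record,
        [System.Collections.IDictionary] $Overwrite = @{},
        [System.Collections.IDictionary] $OverwriteByField = @{}
    )
    # Copy the record so the caller's object is left untouched
    $Out = [ordered] @{}
    foreach ($k in $Record.Keys) { $Out[$k] = $Record[$k] }

    # Overwrite: when ConditionField contains ConditionValue, set TargetField to a static string
    foreach ($key in $Overwrite.Keys) {
        $Target = ($key -split '#')[0]
        $ConditionField, $ConditionValue, $NewValue = $Overwrite[$key]
        if ("$($Out[$ConditionField])" -like "*$ConditionValue*") {
            $Out[$Target] = $NewValue
        }
    }
    # OverwriteByField: same test, but the third element names another field of the
    # same record whose value is copied into TargetField
    foreach ($key in $OverwriteByField.Keys) {
        $Target = ($key -split '#')[0]
        $ConditionField, $ConditionValue, $SourceField = $OverwriteByField[$key]
        if ("$($Out[$ConditionField])" -like "*$ConditionValue*") {
            $Out[$Target] = $Out[$SourceField]
        }
    }
    return [PSCustomObject] $Out
}

# Constructed records in the shape of the OU report: one move (5139) and one modify (5136)
$Records = @(
    [ordered] @{
        'Action'              = 'A directory service object was moved.'
        'Action Detail'       = ''
        'Organizational Unit' = 'OU=Workstations,OU=Retired,DC=example,DC=local'
        'Field Changed'       = ''
        'Field Value'         = ''
        'OldObjectDN'         = 'OU=Workstations,DC=example,DC=local'
        'NewObjectDN'         = 'OU=Workstations,OU=Retired,DC=example,DC=local'
    }
    [ordered] @{
        'Action'              = 'A directory service object was modified.'
        'Action Detail'       = 'Value Added'
        'Organizational Unit' = 'OU=Servers,DC=example,DC=local'
        'Field Changed'       = 'description'
        'Field Value'         = 'Tier-0 servers'
        'OldObjectDN'         = ''
        'NewObjectDN'         = ''
    }
)

# The same rules as in the OU definition above
$Overwrite = @{
    'Action Detail#3' = 'Action', 'A directory service object was moved.', 'Organizational Unit Moved'
}
$OverwriteByField = @{
    'Organizational Unit' = 'Action', 'A directory service object was moved.', 'OldObjectDN'
    'Field Value'         = 'Action', 'A directory service object was moved.', 'NewObjectDN'
}

# The moved record picks up 'Organizational Unit Moved', the old DN and the new DN;
# the modified record does not match the condition and passes through unchanged
$Records | ForEach-Object {
    Invoke-OverwriteRules -Record $_ -Overwrite $Overwrite -OverwriteByField $OverwriteByField
} | Format-Table 'Action', 'Action Detail', 'Organizational Unit', 'Field Value' -AutoSize
```

Running the rules on a handful of constructed records like this is a quick way to check what a rule will do before enabling it in a definition: the condition is evaluated against the record as it stands after earlier Overwrite rules, so order the rules accordingly.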

@neztach
Author

neztach commented Jun 27, 2019

As for combining details on a created/deleted user, we can look specifically for a user creation/deletion and, in the user details report, we can look for the relevant user object and combine those field values that match that user at approximately the same time. My original question though wasn't about weeding out found logs, but about defining log values better.

Under AD user changes, I'm getting values of %%1794 in the "Password Last Set" column, and don't know what that means.

  • Under AD user changes detailed, I'm getting firstNameLastName of numbers in Field Value while Field Changed is msExchUMDtmfMap. In fact, the values shown in "Field Value" no matter what the field is, if the "Field Changed" is msExchUMDtmfMap.

  • lockout time appears to be FILETIME rather than [datetime]::FromFileTime()

  • msExchSafeSendersHash is %%14672

  • msExchTextMessagingState is just numbers

  • action detail: value deleted, field changed: userAccountControl, Field Value: 546 (for example).

Just having trouble translating these values to something meaningful.

@PrzemyslawKlys
Member

Ok, well the list is incomplete:

Function ConvertFrom-OperationType {
    param ([string] $OperationType)
    # Known %%-tokens for the OperationType field of event 5136 and the strings they render to
    $Known = @{
        '%%14674' = 'Value Added'
        '%%14675' = 'Value Deleted'
        '%%14676' = 'Unknown'
    }
    # Return the mapped string if the token is known, otherwise pass the raw token through
    foreach ($id in $OperationType) { if ($name = $Known[$id]) { return $name } }
    return $OperationType
}

That's all I have. We need to build this hashtable with proper values. The way I did it before was Google...

https://system32.eventsentry.com/security/event/4741 - take a look it has some of your values.

The issue is that I read this XML:

[image: screenshot of the event XML]

and the values that you mention are in there, usually with a percent sign, which makes it hard for me to translate as I'm as clueless as you are about it. What you can do is try to check what the Message value holds:

[image: screenshot of the event Message]

Maybe you will find the information you need. Here's something I found: https://social.technet.microsoft.com/Forums/windows/en-US/541bad5d-19eb-4de5-8ef7-1b144f0b6113/translate-xxxx-values-in-events?forum=w7itprosecurity
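An added example, not PSWinReporting's own code, covering both the raw values listed in the previous comment (userAccountControl numbers, FILETIME lockout times, %%-tokens, the objectClass OID) and the XML-reading approach described here. It parses a constructed 5136-style event XML (the shape `EventLogRecord.ToXml()` returns) into a name/value map and decodes each value with a small table. The decode tables hold only what this thread already confirms (%%14674, %%14675, %%14676), documented Windows constants (userAccountControl bits, FILETIME) and the AD schema class OIDs for `computer` and `user`; the `%%1794` entry is marked as an assumption in the code, and any other token is returned unchanged so it is visibly untranslated rather than guessed.

```powershell
# Added example (not PSWinReporting's own code). Constructed input; decode tables
# hold only confirmed tokens and documented Windows constants.

function ConvertFrom-EventXml {
    param ([Parameter(Mandatory)] [string] $Xml)
    $Doc = [xml] $Xml
    $Nsm = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $Nsm.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $Map = [ordered] @{
        Id       = [int] $Doc.SelectSingleNode('/e:Event/e:System/e:EventID', $Nsm).InnerText
        Computer = $Doc.SelectSingleNode('/e:Event/e:System/e:Computer', $Nsm).InnerText
    }
    # Every <Data Name="..."> under <EventData> becomes one entry of the map
    foreach ($d in $Doc.SelectNodes('/e:Event/e:EventData/e:Data', $Nsm)) {
        $Map[$d.GetAttribute('Name')] = $d.InnerText
    }
    return $Map
}

# userAccountControl bit flags (documented Windows constants); plain hashtable so integer keys work
$UacFlags = @{
    0x0001 = 'SCRIPT'; 0x0002 = 'ACCOUNTDISABLE'; 0x0008 = 'HOMEDIR_REQUIRED'
    0x0010 = 'LOCKOUT'; 0x0020 = 'PASSWD_NOTREQD'; 0x0040 = 'PASSWD_CANT_CHANGE'
    0x0080 = 'ENCRYPTED_TEXT_PWD_ALLOWED'; 0x0100 = 'TEMP_DUPLICATE_ACCOUNT'
    0x0200 = 'NORMAL_ACCOUNT'; 0x0800 = 'INTERDOMAIN_TRUST_ACCOUNT'
    0x1000 = 'WORKSTATION_TRUST_ACCOUNT'; 0x2000 = 'SERVER_TRUST_ACCOUNT'
    0x10000 = 'DONT_EXPIRE_PASSWORD'; 0x20000 = 'MNS_LOGON_ACCOUNT'
    0x40000 = 'SMARTCARD_REQUIRED'; 0x80000 = 'TRUSTED_FOR_DELEGATION'
    0x100000 = 'NOT_DELEGATED'; 0x200000 = 'USE_DES_KEY_ONLY'
    0x400000 = 'DONT_REQ_PREAUTH'; 0x800000 = 'PASSWORD_EXPIRED'
    0x1000000 = 'TRUSTED_TO_AUTH_FOR_DELEGATION'; 0x4000000 = 'PARTIAL_SECRETS_ACCOUNT'
}
function ConvertFrom-UserAccountControl {
    param ([Parameter(Mandatory)] [int] $Value)
    # e.g. 4098 -> ACCOUNTDISABLE | WORKSTATION_TRUST_ACCOUNT, 546 -> ACCOUNTDISABLE | PASSWD_NOTREQD | NORMAL_ACCOUNT
    $Names = foreach ($bit in ($UacFlags.Keys | Sort-Object)) { if ($Value -band $bit) { $UacFlags[$bit] } }
    return ($Names -join ' | ')
}

function ConvertFrom-FileTimeValue {
    param ([Parameter(Mandatory)] [string] $Value)
    # lockoutTime / pwdLastSet are 100-ns intervals since 1601-01-01 UTC; 0 means "never"
    $Ticks = [int64] $Value
    if ($Ticks -eq 0) { return 'never' }
    return [DateTime]::FromFileTimeUtc($Ticks).ToString('u')
}

# %%-tokens: the first three are the ones the maintainer's table confirms;
# %%1794 = '<never>' is an ASSUMPTION (the usual Security-log rendering), not from this thread
$KnownTokens = @{
    '%%14674' = 'Value Added'
    '%%14675' = 'Value Deleted'
    '%%14676' = 'Unknown'
    '%%1794'  = '<never>'
}
function ConvertFrom-ResourceToken {
    param ([string] $Value)
    if ($KnownTokens.ContainsKey($Value)) { return $KnownTokens[$Value] }
    return $Value   # unknown tokens such as %%14672 are passed through untouched
}

# AD schema governsID values for the two classes most often seen in these reports
$ObjectClassOids = @{ '1.2.840.113556.1.3.30' = 'computer'; '1.2.840.113556.1.5.9' = 'user' }

function ConvertFrom-AttributeValue {
    param ([Parameter(Mandatory)] [string] $Attribute, [string] $Value)
    switch ($Attribute) {
        'userAccountControl' { return ConvertFrom-UserAccountControl -Value ([int] $Value) }
        { $_ -in 'lockoutTime', 'pwdLastSet' } { return ConvertFrom-FileTimeValue -Value $Value }
        'objectClass' { if ($ObjectClassOids.ContainsKey($Value)) { return $ObjectClassOids[$Value] } }
    }
    return ConvertFrom-ResourceToken -Value $Value
}

# Constructed 5136 event: userAccountControl 4098 added on a computer object
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5136</EventID>
    <EventRecordID>1234567</EventRecordID>
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectDN">CN=WS01,OU=Workstations,DC=example,DC=local</Data>
    <Data Name="ObjectClass">computer</Data>
    <Data Name="AttributeLDAPDisplayName">userAccountControl</Data>
    <Data Name="AttributeValue">4098</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@

$Ev = ConvertFrom-EventXml -Xml $SampleXml
[PSCustomObject] @{
    'Event ID'        = $Ev.Id
    'Who'             = '{0}\{1}' -f $Ev.SubjectDomainName, $Ev.SubjectUserName
    'Computer Object' = $Ev.ObjectDN
    'Action Detail'   = ConvertFrom-ResourceToken -Value $Ev.OperationType
    'Field Changed'   = $Ev.AttributeLDAPDisplayName
    'Field Value'     = ConvertFrom-AttributeValue -Attribute $Ev.AttributeLDAPDisplayName -Value $Ev.AttributeValue
} | Format-List

# The other raw values from the thread, through the same decoder
ConvertFrom-AttributeValue -Attribute 'userAccountControl' -Value '546'
ConvertFrom-AttributeValue -Attribute 'objectClass' -Value '1.2.840.113556.1.3.30'
ConvertFrom-AttributeValue -Attribute 'lockoutTime' -Value '132000000000000000'
```

Against a live domain controller the same parser takes `$_.ToXml()` from `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 20`, and comparing each token in the map with the rendered `$_.Message` of the same record is the practical way to grow `$KnownTokens`: the Message text is what the message file substitutes for each `%%` reference, so the pairing is visible record by record without guessing.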

@neztach
Author

neztach commented Jun 27, 2019 via email
