[BUG] Detect New Local Admin Account

[jwindley]

With WindowsXML logs, the group name in a 4732 event seems to be in the field "TargetSid" rather than Group_Name. In the logs I'm looking at, the value also is "BUILTIN\Administrators" as well, rather than "Administrators". Can someone from Security content team please check?
Windows Add-on 9.0.1
ESCU 5.16.0

[nasbench]

Hi, thanks for opening this issue.

So in Event ID 4732 the Group Name is stored in the TargetUserName, and the notation DOMAIN\GROUP_NAME (AKA Security Principal) is stored in the TargetSid field. So in an example of the event you'll find the raw event in like this

<EventData>
        <Data Name='MemberName'>CN=MAURICE_ANDERSON,OU=Groups,OU=BDE,OU=Tier 1,DC=attackrange,DC=local</Data>
        <Data Name='MemberSid'>ATTACKRANGE\MAURICE_ANDERSON</Data>
        <Data Name='TargetUserName'>DnsAdmins</Data> // Group Name
        <Data Name='TargetDomainName'>ATTACKRANGE</Data>
        <Data Name='TargetSid'>ATTACKRANGE\DnsAdmins</Data>
        <Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data>
        <Data Name='SubjectUserName'>Administrator</Data>
        <Data Name='SubjectDomainName'>ATTACKRANGE</Data>
        <Data Name='SubjectLogonId'>0x5184c3</Data>
        <Data Name='PrivilegeList'>-</Data>
    </EventData>

Where Group Name is DnsAdmins and the Security Principal is ATTACKRANGE\DnsAdmins.

Now into the Splunk side of things, the Windows TA extracts the Group_name from the TargetUserName field. As seen by this eval

EVAL-Group_Name=case(isnotnull(TargetUserName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetUserName, 1=1, Group_Name)

The rest of the Security principal is extracted in the field Group_domain from the TargetDomainName field. As seen here

EVAL-Group_Domain=case(isnotnull(TargetDomainName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetDomainName, 1=1, Group_Domain)

For this specific EventID i am not seeing an extraction with the full SPN. So you'll have to construct manually or use the raw TargetSid field.

Let me know if this answer your question.

Thanks.

[nasbench]

Just for more context. After an additional discussion with Jamie, the extraction of the Group_Name isn't always occurring. From my testing and looking at some data we had on attack data, I've noticed the only case we had where the extraction did not occur was when the source was not set to XmlWinEventLog:Security.

There could be another thing causing this, but i am not seeing it as of now.

If @patel-bhavin or @ljstella could take a look maybe you'll find something I missed.

[patel-bhavin]

Hello @jwindley - In our logs we see these extractions working as expected! The event where its not getting extracted there is likely an ingestion issue on the internal test server (if you used the latest )

Following screenshot shows the field extractions.

So the first row you see has empty as it is a poorly ingested data on our test server , The rest of the rows shows the extractions working as expected !

Can you double check if the ingested data is source = XmlWinEventLog:Security and sourcetype = XmlWinEventLog ?

[jwindley]

Hi @patel-bhavin - looks like it isn't extracting DnsAdmins though in your case? Why is that?

[nasbench]

As a solution in case this is actually an extraction issue, i added the raw field in the condition so that it works anyway. See #3726 for the fix.

Also @jwindley after talking with @patel-bhavin the only issue we're seeing in our data is the source as bhavin also mentioned. The props also confirms this as we discussed last time.

Can you confirm that the case you are looking at has accurate source/sourcetype? Maybe provide an SS of the ingested log?

[jwindley]

Ok, thanks. Yes source/sourcetype is as expected. I couldn't seem to see why it isn't extracted - seems a mystery just like why DnsAdmins not extracted in your case. No SS unfortunately.

[patel-bhavin]

Hi @patel-bhavin - looks like it isn't extracting DnsAdmins though in your case? Why is that?
This error related to DnsAdmins is specifically related to our test server That isnt being extracted since I think that specific event ( in our test server ) is actually XmlWinEventLog:Security and is incorrectly ingested as XmlWinEventLog:System - check screenshot