WinEventLog:Security Archives -

Search for disabled AD accounts that have been re-enabled

This is a search you can use as an alert or whatever you desire to look for AD accounts that have been disabled in the past 90 days then re-enabled in the past 24h. You can tweak as needed.

index=YOURINDEX EventCode=4725 OR EventCode=4722 earliest=-90d 
| eval account=mvindex(Account_Name,1), action_user=mvindex(Account_Name,0)
| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by action_user, account
| replace "4722" with "enabled" in firstEvent, lastEvent
| replace "4725" with "disabled" in firstEvent, lastEvent
| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
| eval range=relative_time(now(), "-1d") ```this determines what range to look for the re-enabling```
| eval enabled_DT=mvindex(times,1), disabled_DT=mvindex(times, 0)
| where enabled_DT &gt; range 
| table account, action_user, disabled_DT, enabled_DT
| rename account as "Enabled Account", action_user as "Actioning Account", disabled_DT as "DateTime Disabled", enabled_DT as "DateTime Enabled"
| convert ctime("DateTime Disabled"), ctime("DateTime Enabled")

index=YOURINDEX EventCode=4725 OR EventCode=4722 earliest=-90d

| eval account=mvindex(Account_Name,1), action_user=mvindex(Account_Name,0)

| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by action_user, account

| replace "4722" with "enabled" in firstEvent, lastEvent

| replace "4725" with "disabled" in firstEvent, lastEvent

| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"

| eval range=relative_time(now(), "-1d") ```this determines what range to look for the re-enabling```

| eval enabled_DT=mvindex(times,1), disabled_DT=mvindex(times, 0)

| where enabled_DT > range

| table account, action_user, disabled_DT, enabled_DT

| rename account as "Enabled Account", action_user as "Actioning Account", disabled_DT as "DateTime Disabled", enabled_DT as "DateTime Enabled"

| convert ctime("DateTime Disabled"), ctime("DateTime Enabled")

Continue Reading →

Zerologon Detection (CVE-2020-1472)

Primary Search for Local Domain Controller Exploitation by Zerologon

index="<windows_index>" (sourcetype="<windows_sourcetype_security>" OR source="windows_source_security") EventCode="4742" OR EventCode="4624" AND (src_user="*anonymous*" OR member_id="*S-1-0*")
`comment("This looks for all 4624 and 4742 events under an 'ANONYMOUS USER', which are tied to the exploitation of Zerologon")`
| eval local_system=mvindex(upper(split(user,"$")),0)
`comment("This effectively splits the user field, which when parsed with the TA for Windows, may also appear as the Target User. Since the exploit would specifically occur using a local account on the Domain Controller, it stands to reason that detecting a modified user object, modified by a local system account, would be evidence of the exploit. The split removes the '$', creating a new field, deriving the local_system name via the original user field [ie. user='NameOfDC$' would become local_system='NameofDC']")`
| search host=local_system
`comment("A search to only find instances of these events when the host (DC) is the same as the extracted local_system account name performing the action")`
| table _time EventCode dest host ComputerName src_user Account_Name local_system user Security_ID member_id src_nt_domain dest_nt_domain

index="<windows_index>" (sourcetype="<windows_sourcetype_security>" OR source="windows_source_security") EventCode="4742" OR EventCode="4624" AND (src_user="*anonymous*" OR member_id="*S-1-0*")

`comment("This looks for all 4624 and 4742 events under an 'ANONYMOUS USER', which are tied to the exploitation of Zerologon")`

| eval local_system=mvindex(upper(split(user,"$")),0)

`comment("This effectively splits the user field, which when parsed with the TA for Windows, may also appear as the Target User. Since the exploit would specifically occur using a local account on the Domain Controller, it stands to reason that detecting a modified user object, modified by a local system account, would be evidence of the exploit. The split removes the '$', creating a new field, deriving the local_system name via the original user field [ie. user='NameOfDC$' would become local_system='NameofDC']")`

| search host=local_system

`comment("A search to only find instances of these events when the host (DC) is the same as the extracted local_system account name performing the action")`

| table _time EventCode dest host ComputerName src_user Account_Name local_system user Security_ID member_id src_nt_domain dest_nt_domain

You can also modify this search to only look at your Active Directory DCs. If you have common naming schemas, you can use that as well. Please see the report linked to get more info about the CVE itself.

Continue Reading →

Successful File Access Attempts and Filename Accessed

Ever need to find when a user accessed a file within a Windows environment? The following Splunk query will show successful file accesses by each user for a given day. Depending on the size of your environment this can get out of hand quickly. You’ll want to tweak to best fit your environment. *Note* you […]

Continue Reading →

Successful Logons – Windows

The following is a Splunk query that will display a timechart for all successful logons to windows:

source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*")
| timechart span=1h count by host

1 2	source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-", "UMFD-") \| timechart span=1h count by host

Here’s a detailed table showing similar information with greater detail:

source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*")
| eval Workstation_Name=lower(Workstation_Name)
| eval host=lower(host)
| eval hammer=_time 
| bucket span=12h hammer 
| stats values(Logon_Type) as "Logon Type" count sparkline by user host, hammer, Workstation_Name
| rename hammer as "12 hour blocks" host as "Target Host" Workstation_Name as "Source Host"
| convert ctime("12 hour blocks")
| sort - "12 hour blocks"

source="WinEventLog:security" EventCode=4624 Logon_Type IN (2,7,10,11) NOT user IN ("DWM-*", "UMFD-*")

| eval Workstation_Name=lower(Workstation_Name)

| eval host=lower(host)

| eval hammer=_time

| bucket span=12h hammer

| stats values(Logon_Type) as "Logon Type" count sparkline by user host, hammer, Workstation_Name

| rename hammer as "12 hour blocks" host as "Target Host" Workstation_Name as "Source Host"

| convert ctime("12 hour blocks")

| sort - "12 hour blocks"

Continue Reading →

Failed Logon Attempts – Windows

The following Splunk query will show a timechart of failed logon attempts per host:

source="WinEventLog:security" EventCode=4625 
| timechart span=1h count by host

1 2	source="WinEventLog:security" EventCode=4625 \| timechart span=1h count by host

The following Splunk query will show a detailed table of failed logon attempts per host and user with 5 minute chunks/blocks of time, as well as show a sparkline (mini timechart) within the table itself.

source="WinEventLog:security" EventCode=4625
| eval Workstation_Name=lower(Workstation_Name)
| eval host=lower(host) 
| eval hammer=_time 
| bucket span=5m hammer 
| stats count sparkline by user host, hammer, Workstation_Name
| rename hammer as "5 minute blocks" host as "Target Host" Workstation_Name as "Source Host"
| convert ctime("5 minute blocks")

source="WinEventLog:security" EventCode=4625

| eval Workstation_Name=lower(Workstation_Name)

| eval host=lower(host)

| eval hammer=_time

| bucket span=5m hammer

| stats count sparkline by user host, hammer, Workstation_Name

| rename hammer as "5 minute blocks" host as "Target Host" Workstation_Name as "Source Host"

| convert ctime("5 minute blocks")

#Admin Notes – This […]

Continue Reading →

User Logon, Logoff, and Duration

Tweaked wenthold response to include more EventCodes. Also depending on the environment EventCode 4800|4801|4802 which is screen lock may be the closest thing to getting a log off time. > original post on splunk answers: https://answers.splunk.com/answers/597752/report-for-showing-users-logon-logoff-and-the-dura.html

source="wineventlog:security" action=success Logon_Type=2 (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804 ) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
| convert timeformat="%a %B %d %Y" ctime(_time) AS Date 
| streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host
| eval session_duration=logout-login 
| eval h=floor(session_duration/3600) 
| eval m=floor((session_duration-(h*3600))/60) 
| eval SessionDuration=h."h ".m."m " 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login 
| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout 
| stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS sesion_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user

source="wineventlog:security" action=success Logon_Type=2 (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804 ) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!=*$ (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)

| convert timeformat="%a %B %d %Y" ctime(_time) AS Date

| streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host

| eval session_duration=logout-login

| eval h=floor(session_duration/3600)

| eval m=floor((session_duration-(h*3600))/60)

| eval SessionDuration=h."h ".m."m "

| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(login) AS login

| convert timeformat=" %m/%d/%y - %I:%M %P" ctime(logout) AS logout

| stats count AS auth_event_count, earliest(login) as login, max(SessionDuration) AS sesion_duration, latest(logout) as logout, values(Logon_Type) AS logon_types by Date, host, user

#Edit by Admin 12/17/2018

Continue Reading →

Windows security daily domain activities

sourcetype=WinEventLog:Security src_nt_domain!="NT AUTHORITY" EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764 OR EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762
| rex field=member_id "^\w+\W(?<ITS_Admin>\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?<Target_Account>.*\S)"
| eval Target_Account=if(Target_Account="NONE_MAPPED", trim(member_dn, ITS_Admin), Target_Account)
| table _time, EventCode, EventCodeDescription, src_nt_domain, ITS_Admin, Target_Account,src_nt_domain,msad_action,Group_Name
| sort EventCodeDescription,ITS_Admin, Target_Account
| rename ITS_Admin as "ITS Admin", src_nt_domain as "Source Domain"

sourcetype=WinEventLog:Security src_nt_domain!="NT AUTHORITY" EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764 OR EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762

| eval Target_Account=if(Target_Account="NONE_MAPPED", trim(member_dn, ITS_Admin), Target_Account)

| table _time, EventCode, EventCodeDescription, src_nt_domain, ITS_Admin, Target_Account,src_nt_domain,msad_action,Group_Name

| sort EventCodeDescription,ITS_Admin, Target_Account

| rename ITS_Admin as "ITS Admin", src_nt_domain as "Source Domain"

Continue Reading →

Timechart of the status of an Locked Out Account

This query will show a timechart of the status of an Locked Out Account

sourcetype="WinEventLog:Security" EventCode=4625 AND Status=0xC0000234 | timechart count by user | sort -count

1	sourcetype="WinEventLog:Security" EventCode=4625 AND Status=0xC0000234 \| timechart count by user \| sort -count

Continue Reading →

Active Directory Password change attempts

Use the following search to create a stacked barchart of AD Password change attempts:

source="WinEventLog:Security" "EventCode=4723" src_user!="*$" src_user!="_svc_*" | eval daynumber=strftime(_time,"%Y-%m-%d") | chart count by daynumber, status | eval daynumber = mvindex(split(daynumber,"-"),2)

1	source="WinEventLog:Security" "EventCode=4723" src_user!="$" src_user!="_svc_" \| eval daynumber=strftime(_time,"%Y-%m-%d") \| chart count by daynumber, status \| eval daynumber = mvindex(split(daynumber,"-"),2)

Continue Reading →

Detect Username Guessing Brute Force Attacks

The below will detect a form of brute force which most will miss. Whereas other scripts detect multiple logins against a single account, they fail to detect 4 failed logins against 40 accounts. This first checks for all accounts having an account login failure of 4 or more, it then checks for the quantity of […]

Continue Reading →

Find passwords in User_Name field

This eval for password can be easily used for any field where a user can accidentally type in a password or even worse both username/password during login which generates a failed event. Below example is for Windows failed login. The eval will match 10 or more characters with 1 uppercase, 1 lower case, 1 […]

Continue Reading →

Potential Suspicious Activity in Windows

The following Splunk search should be ran over a long period of time (at least it worked best that way in my environment). This query will show potentially suspicious activity based on processes within a Windows environment. It could also indicate a sanctioned security scan (so don’t run out there and start pointing fingers based […]

Continue Reading →

Monitor File Shares being Accessed in Windows

This splunk search will show file shares being accessed within windows environments.

sourcetype="WinEventLog:Security" EventCode=5140 (Share_Name="*\\C$" OR Share_Name="*D$" OR Share_Name="*E$" OR Share_Name="*F$" OR Share_Name="*U$") NOT Source_Address="::1" | eval Destination_Sys1=trim(host,"1") | eval Destination_Sys2=trim(host,"2") | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2) | rename host AS Destination | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2 | stats count values(Domain) AS Domain, values(Source_Address) AS Source_IP, values(Destination) AS Destination, dc(Destination) AS Dest_Count, values(Share_Name) AS Share_Name, values(Share_Path) AS Share_Path by Account_Name

sourcetype="WinEventLog:Security" EventCode=5140 (Share_Name="*\\C$" OR Share_Name="*D$" OR Share_Name="*E$" OR Share_Name="*F$" OR Share_Name="*U$") NOT Source_Address="::1" | eval Destination_Sys1=trim(host,"1") | eval Destination_Sys2=trim(host,"2") | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2) | rename host AS Destination | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2 | stats count values(Domain) AS Domain, values(Source_Address) AS Source_IP, values(Destination) AS Destination, dc(Destination) AS Dest_Count, values(Share_Name) AS Share_Name, values(Share_Path) AS Share_Path by Account_Name

Continue Reading →

Pass the Hash Detection

index="wineventlog" ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package="NTLM" NOT Account_Domain=YOURDOMAIN NOT Account_Name="ANONYMOUS LOGON"

1	index="wineventlog" ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package="NTLM" NOT Account_Domain=YOURDOMAIN NOT Account_Name="ANONYMOUS LOGON"

Continue Reading →

Failed Attempt to Login to a Disabled Account

This Splunk Search Query will indicate any user who attempted to login to a disabled account. (Tested only on Windows 7 / Server 2008 and newer Windows logs).

source="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$" | eval Date=strftime(_time, "%Y/%m/%d")| rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, facct, host, Keywords | rename facct as "Target Account" host as "Host" Keywords as "Status" count as "Count"

source="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$" | eval Date=strftime(_time, "%Y/%m/%d")| rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, facct, host, Keywords | rename facct as "Target Account" host as "Host" Keywords as "Status" count as "Count"

Continue Reading →

Failed Versus Successful Logon Attempts

This Splunk search query example will return results indicating failed vs successful login attempts in a Windows environment:

source="WinEventLog:security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon", EventCode=4625, "Failed Logon", EventCode=529, "Failed Logon", EventCode=530, "Failed Logon", EventCode=531, "Failed Logon", EventCode=532, "Failed Logon", EventCode=533, "Failed Logon", EventCode=534, "Failed Logon", EventCode=535, "Failed Logon", EventCode=536, "Failed Logon", EventCode=537, "Failed Logon", EventCode=539, "Failed Logon") | stats count by status | sort - count

source="WinEventLog:security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon", EventCode=4625, "Failed Logon", EventCode=529, "Failed Logon", EventCode=530, "Failed Logon", EventCode=531, "Failed Logon", EventCode=532, "Failed Logon", EventCode=533, "Failed Logon", EventCode=534, "Failed Logon", EventCode=535, "Failed Logon", EventCode=536, "Failed Logon", EventCode=537, "Failed Logon", EventCode=539, "Failed Logon") | stats count by status | sort - count

Continue Reading →

Event Logs | System Logs | Warnings and Errors

This will hit all of the host and pull back the eventlogs and group them by Message. You can change the source to what ever windows eventlogs you need

source=wineventlog:application

1	source=wineventlog:application

source=wineventlog:security

1	source=wineventlog:security

source=wineventlog:system

1	source=wineventlog:system

host="*" source=wineventlog:system NOT Type=Information | stats count by Message | sort -count | table count, Message

1	host="*" source=wineventlog:system NOT Type=Information \| stats count by Message \| sort -count \| table count, Message

Continue Reading →

Get list of concurrent users on a specific server

The following Splunk query will return results for concurrent logon sessions (in a Windows Environment) on any given server (or multiple servers) with slight modification. First you must define the time span in which you consider “concurrent” this is defined in the “bucket” section below and the example uses a 30 minute range (widen […]

Continue Reading →

List of Legitimate Account Names in Windows

This splunk query will list all successful logins by account name for a given time range. This query will work on a variety of Windows Operating systems to include XP, 2003, Vista, 2008, 7, 8, and server 2012. I’ve tested in some capacity in Windows 10 for some of my queries, so far they appear […]

Continue Reading →

Clearing of Windows Audit Logs

This Splunk search will show anytime the windows audit logs (event viewer logs) have been cleared or deleted. Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/

source=WinEventLog:security (EventCode=1102 OR EventCode=517) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Client_User_Name, host, index, Date | sort - Date | rename Client_User_Name as "Account Name"

1	source=WinEventLog:security (EventCode=1102 OR EventCode=517) \| eval Date=strftime(_time, "%Y/%m/%d") \| stats count by Client_User_Name, host, index, Date \| sort - Date \| rename Client_User_Name as "Account Name"

Continue Reading →

Sourcetype: WinEventLog:Security