Skip to content

Commit

Permalink
x-pack/winlogbeat/modules/security: fix UAC attribute bit table
Browse files Browse the repository at this point in the history
The previous table was incorrect. Table data comes from MS-SAMR: Security
Account Manager (SAM) Remote Protocol (Client-to-Server) version 46.0[1],
2.2.1.12 USER_ACCOUNT Codes.

[1]https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SAMR/%5bMS-SAMR%5d-230828.docx
  • Loading branch information
efd6 committed Oct 31, 2023
1 parent f7ec53f commit 221de89
Show file tree
Hide file tree
Showing 6 changed files with 39 additions and 34 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,7 @@ is collected by it.

*Winlogbeat*

- Fix User Account Control Attributes Table values for Security module. {issue}36999[36999] {pull}[]

*Elastic Logging Plugin*

Expand Down
46 changes: 23 additions & 23 deletions x-pack/winlogbeat/module/security/ingest/security.yml
Original file line number Diff line number Diff line change
Expand Up @@ -836,30 +836,30 @@ processors:
tag: Set User Account Control
description: Set User Account Control
# User Account Control Attributes Table
# https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380
params:
"0x00000001": SCRIPT
"0x00000002": ACCOUNTDISABLE
"0x00000008": HOMEDIR_REQUIRED
"0x00000010": LOCKOUT
"0x00000020": PASSWD_NOTREQD
"0x00000040": PASSWD_CANT_CHANGE
"0x00000080": ENCRYPTED_TEXT_PWD_ALLOWED
"0x00000100": TEMP_DUPLICATE_ACCOUNT
"0x00000200": NORMAL_ACCOUNT
"0x00000800": INTERDOMAIN_TRUST_ACCOUNT
"0x00001000": WORKSTATION_TRUST_ACCOUNT
"0x00002000": SERVER_TRUST_ACCOUNT
"0x00010000": DONT_EXPIRE_PASSWORD
"0x00020000": MNS_LOGON_ACCOUNT
"0x00040000": SMARTCARD_REQUIRED
"0x00080000": TRUSTED_FOR_DELEGATION
"0x00100000": NOT_DELEGATED
"0x00200000": USE_DES_KEY_ONLY
"0x00400000": DONT_REQ_PREAUTH
"0x00800000": PASSWORD_EXPIRED
"0x01000000": TRUSTED_TO_AUTH_FOR_DELEGATION
"0x04000000": PARTIAL_SECRETS_ACCOUNT
"0x00000001": USER_ACCOUNT_DISABLED
"0x00000002": USER_HOME_DIRECTORY_REQUIRED
"0x00000004": USER_PASSWORD_NOT_REQUIRED
"0x00000008": USER_TEMP_DUPLICATE_ACCOUNT
"0x00000010": USER_NORMAL_ACCOUNT
"0x00000020": USER_MNS_LOGON_ACCOUNT
"0x00000040": USER_INTERDOMAIN_TRUST_ACCOUNT
"0x00000080": USER_WORKSTATION_TRUST_ACCOUNT
"0x00000100": USER_SERVER_TRUST_ACCOUNT
"0x00000200": USER_DONT_EXPIRE_PASSWORD
"0x00000400": USER_ACCOUNT_AUTO_LOCKED
"0x00000800": USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED
"0x00001000": USER_SMARTCARD_REQUIRED
"0x00002000": USER_TRUSTED_FOR_DELEGATION
"0x00004000": USER_NOT_DELEGATED
"0x00008000": USER_USE_DES_KEY_ONLY
"0x00010000": USER_DONT_REQUIRE_PREAUTH
"0x00020000": USER_PASSWORD_EXPIRED
"0x00040000": USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
"0x00080000": USER_NO_AUTH_DATA_REQUIRED
"0x00100000": USER_PARTIAL_SECRETS_ACCOUNT
"0x00200000": USER_USE_AES_KEYS
source: |-
if (ctx?.winlog?.event_data?.NewUacValue == null) {
return;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -54,8 +54,9 @@
"HomePath": "-",
"LogonHours": "%%1793",
"NewUACList": [
"SCRIPT",
"ENCRYPTED_TEXT_PWD_ALLOWED"
"USER_ACCOUNT_DISABLED",
"USER_PASSWORD_NOT_REQUIRED",
"USER_WORKSTATION_TRUST_ACCOUNT"
],
"NewUacValue": "0x85",
"OldUacValue": "0x0",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,8 @@
"HomePath": "-",
"LogonHours": "-",
"NewUACList": [
"ENCRYPTED_TEXT_PWD_ALLOWED"
"USER_PASSWORD_NOT_REQUIRED",
"USER_WORKSTATION_TRUST_ACCOUNT"
],
"NewUacValue": "0x84",
"OldUacValue": "0x85",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,8 +55,9 @@
"HomePath": "%%1793",
"LogonHours": "%%1797",
"NewUACList": [
"SCRIPT",
"LOCKOUT"
"USER_ACCOUNT_DISABLED",
"USER_PASSWORD_NOT_REQUIRED",
"USER_NORMAL_ACCOUNT"
],
"NewUacValue": "0x15",
"OldUacValue": "0x0",
Expand Down Expand Up @@ -159,8 +160,9 @@
"HomePath": "%%1793",
"LogonHours": "%%1797",
"NewUACList": [
"SCRIPT",
"LOCKOUT"
"USER_ACCOUNT_DISABLED",
"USER_PASSWORD_NOT_REQUIRED",
"USER_NORMAL_ACCOUNT"
],
"NewUacValue": "0x15",
"OldUacValue": "0x0",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -56,8 +56,8 @@
"HomePath": "%%1793",
"LogonHours": "%%1797",
"NewUACList": [
"LOCKOUT",
"NORMAL_ACCOUNT"
"USER_NORMAL_ACCOUNT",
"USER_DONT_EXPIRE_PASSWORD"
],
"NewUacValue": "0x210",
"OldUacValue": "0x210",
Expand Down Expand Up @@ -159,8 +159,8 @@
"HomePath": "%%1793",
"LogonHours": "%%1797",
"NewUACList": [
"LOCKOUT",
"NORMAL_ACCOUNT"
"USER_NORMAL_ACCOUNT",
"USER_DONT_EXPIRE_PASSWORD"
],
"NewUacValue": "0x210",
"OldUacValue": "0x10",
Expand Down

0 comments on commit 221de89

Please sign in to comment.