Skip to content

Commit

Permalink
Fix AccessList & AccessMask processing in security data_stream (#29016)…
Browse files Browse the repository at this point in the history
… (#29055)

- According to MS documentation examples AccessList contains a space
    separated list of access masks and AccessMask contains an integer.
  - Retain old behavior if AccessMask contains a space separated
    list of access masks
  - Add new code to parse AccessList as space separated list of
    access masks
  - Add new code to parse AccessMask if an integer

(cherry picked from commit 7323a63)

Co-authored-by: Lee E Hinman <[email protected]>
  • Loading branch information
mergify[bot] and leehinman authored Nov 20, 2021
1 parent 0ea1244 commit 6497af6
Show file tree
Hide file tree
Showing 2 changed files with 77 additions and 11 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -200,6 +200,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

- Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
- Add ECS 1.9 new users fields {pull}26509[26509]
- Don't split hyphenated tokens {pull}28483[28483]
- Correctly handle AccessMask if it is an integer or list of masks. {pull}29016[29016]

*Functionbeat*

Expand Down
86 changes: 75 additions & 11 deletions x-pack/winlogbeat/module/security/config/winlogbeat-security.js
Original file line number Diff line number Diff line change
Expand Up @@ -1595,6 +1595,32 @@ var security = (function () {
[0x00010000, 'Delete']
];

// https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks
var accessMaskDescriptions = [
[0x00000001, 'Create Child'],
[0x00000002, 'Delete Child'],
[0x00000004, 'List Contents'],
[0x00000008, 'SELF'],
[0x00000010, 'Read Property'],
[0x00000020, 'Write Property'],
[0x00000040, 'Delete Treee'],
[0x00000080, 'List Object'],
[0x00000100, 'Control Access'],
[0x00010000, 'DELETE'],
[0x00020000, 'READ_CONTROL'],
[0x00040000, 'WRITE_DAC'],
[0x00080000, 'WRITE_OWNER'],
[0x00100000, 'SYNCHRONIZE'],
[0x00F00000, 'STANDARD_RIGHTS_REQUIRED'],
[0x001F0000, 'STANDARD_RIGHTS_ALL'],
[0x0000FFFF, 'SPECIFIC_RIGHTS_ALL'],
[0x01000000, 'ADS_RIGHT_ACCESS_SYSTEM_SECURITY'],
[0x10000000, 'ADS_RIGHT_GENERIC_ALL'],
[0x20000000, 'ADS_RIGHT_GENERIC_EXECUTE'],
[0x40000000, 'ADS_RIGHT_GENERIC_WRITE'],
[0x80000000, 'ADS_RIGHT_GENERIC_READ']
];

// lookupMessageCode returns the string associated with the code. key should
// be the name of the field in evt containing the code (e.g. %%2313).
var lookupMessageCode = function (evt, key) {
Expand Down Expand Up @@ -1844,6 +1870,22 @@ var security = (function () {
}
};

var translateAccessMask = function(mask) {
if (!mask) {
return;
}
var accessCode = parseInt(mask);
var accessResult = [];
for (var i = 0; i < accessMaskDescriptions.length; i++) {
if ((accessCode | accessMaskDescriptions[i][0]) === accessCode) {
accessResult.push(accessMaskDescriptions[i][1]);
}
}
if (accessResult) {
return accessResult;
}
};

var addSessionData = new processor.Chain()
.Convert({
fields: [
Expand Down Expand Up @@ -2389,22 +2431,44 @@ var security = (function () {
evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/));
})
.Add(function(evt){
var maskCodes = evt.Get("winlog.event_data.AccessMask");
if (!maskCodes) {
var accessMask = evt.Get("winlog.event_data.AccessMask");
if (!accessMask) {
return;
}
var maskList = maskCodes.replace(/\s+/g, '').split("%%").filter(String);
evt.Put("winlog.event_data.AccessMask", maskList);
var maskResults = [];
for (var j = 0; j < maskList.length; j++) {
var description = msobjsMessageTable[maskList[j]];
if (description === undefined) {
return;
var accessDescriptions = translateAccessMask(accessMask);
if (!accessDescriptions) {
return;
}
if (accessDescriptions.length > 0) {
evt.Put("winlog.event_data.AccessMaskDescription", accessDescriptions);
}
})
.Add(function(evt){
var listNames = ["AccessList", "AccessMask"]
for (var i = 0; i < listNames.length; i++) {
var listContents = evt.Get("winlog.event_data." + listNames[i])
if (!listContents) {
continue;
}
maskResults.push(description);
var listDescription = evt.Get("winlog.event_data." + listNames[i] + "Description")
if (listDescription) {
continue;
}

var items = listContents.replace(/\s+/g, '').split("%%").filter(String);
evt.Put("winlog.event_data." + listNames[i], items)
var results = [];
for (var j = 0; j < items.length; j++) {
var description = msobjsMessageTable[items[j]];
if (description === undefined) {
continue;
}
results.push(description);
}
evt.Put("winlog.event_data." + listNames[i] + "Description", results);
}
evt.Put("winlog.event_data.AccessMaskDescription", maskResults);
})

.Build();

var trustDomainMgmtEvts = new processor.Chain()
Expand Down

0 comments on commit 6497af6

Please sign in to comment.