From edc708cae629ccf886fa56eb64514090d81904ee Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Thu, 11 Nov 2021 13:39:17 -0800
Subject: [PATCH] Fix AccessList & AccessMask processing in security data_stream
- According to MS documentation and AccessList contains a space separated list of access masks and AccessMask contains an integer.
- Old code treated AccessMask as if it was a space separated list of access masks, this was causing script errors.
- Fix code to treat AccessList as space separated list of access masks
- Add new code to parse AccessMask correctly
---
 packages/system/changelog.yml | 5 +
 .../_dev/test/pipeline/test-4663.json | 74 +
 .../pipeline/test-4663.json-expected.json | 86 +
 .../_dev/test/pipeline/test-4674.json | 72 +
 .../pipeline/test-4674.json-expected.json | 101 +
 .../elasticsearch/ingest_pipeline/default.yml | 2035 +++++++++--------
 .../data_stream/security/fields/winlog.yml | 10 +
 packages/system/docs/README.md | 7 +-
 packages/system/manifest.yml | 2 +-
 9 files changed, 1413 insertions(+), 979 deletions(-)
 create mode 100644 packages/system/data_stream/security/_dev/test/pipeline/test-4663.json
 create mode 100644 packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
 create mode 100644 packages/system/data_stream/security/_dev/test/pipeline/test-4674.json
 create mode 100644 packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index 69d261e857f..0495bf94ce1 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.6.3"
+ changes:
+ - description: Fix AccessList and AccessMask processing in security data_stream
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2156
 - version: "1.6.2"
 changes:
 - description: Fix missing null check in security pipeline
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json
new file mode 100644
index 00000000000..6eba2351238
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json
@@ -0,0 +1,74 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-11-11T04:51:32.660Z",
+ "ecs": {
+ "version": "1.11.0"
+ },
+ "host": {
+ "name": "DC01.contoso.local"
+ },
+ "agent": {
+ "version": "7.15.2",
+ "hostname": "hostname",
+ "ephemeral_id": "1e53eccd-9d5b-4001-9e6b-13b66625bb16",
+ "id": "7d1ef343-9372-428d-bd10-0a78e6894797",
+ "name": "AgentName",
+ "type": "filebeat"
+ },
+ "winlog": {
+ "event_id": "4663",
+ "opcode": "Info",
+ "time_created": "2015-09-18T22:13:54.770Z",
+ "level": "information",
+ "process": {
+ "pid": 516,
+ "thread": {
+ "id": 524
+ }
+ },
+ "keywords": [
+ "Audit Success"
+ ],
+ "outcome": "success",
+ "event_data": {
+ "AccessMask": "0x6",
+ "ProcessName": "C:\\\\Windows\\\\System32\\\\notepad.exe",
+ "SubjectDomainName": "CONTOSO",
+ "SubjectLogonId": "0x4367b",
+ "ObjectType": "File",
+ "ObjectName": "C:\\\\Documents\\\\HBI Data.txt",
+ "AccessList": "%%4417 %%4418",
+ "ProcessId": "0x458",
+ "ResourceAttributes": "S:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))",
+ "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
+ "SubjectUserName": "dadmin",
+ "ObjectServer": "Security",
+ "HandleId": "0x1bc"
+ },
+ "computer_name": "DC01.contoso.local",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "version": 1,
+ "channel": "Security",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 273866
+ },
+ "event": {
+ "code": "4663",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "log": {
+ "file": {
+ "path": "/file/path/4663.xml"
+ },
+ "level": "information"
+ },
+ "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e \u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" 
/\u003e\u003cEventID\u003e4663\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e12800\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-09-18T22:13:54.770429700Z\" /\u003e\u003cEventRecordID\u003e273866\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"516\" ThreadID=\"524\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-21-3457937927-2839227994-823803824-1104\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003edadmin\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eCONTOSO\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x4367b\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003eFile\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003eC:\\\\Documents\\\\HBI Data.txt\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x1bc\u003c/Data\u003e\u003cData Name=\"AccessList\"\u003e%%4417 %%4418\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e0x6\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x458\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\notepad.exe\u003c/Data\u003e\u003cData Name=\"ResourceAttributes\"\u003eS:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "input": {
+ "type": "log"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
new file mode 100644
index 00000000000..431e11e5642
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json 
@@ -0,0 +1,86 @@
+{
+ "expected": [
+ {
+ "input": {
+ "type": "log"
+ },
+ "agent": {
+ "name": "AgentName",
+ "hostname": "hostname",
+ "id": "7d1ef343-9372-428d-bd10-0a78e6894797",
+ "ephemeral_id": "1e53eccd-9d5b-4001-9e6b-13b66625bb16",
+ "type": "filebeat",
+ "version": "7.15.2"
+ },
+ "@timestamp": "2015-09-18T22:13:54.770Z",
+ "winlog": {
+ "computer_name": "DC01.contoso.local",
+ "process": {
+ "pid": 516,
+ "thread": {
+ "id": 524
+ }
+ },
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x4367b"
+ },
+ "channel": "Security",
+ "event_data": {
+ "ProcessName": "C:\\\\Windows\\\\System32\\\\notepad.exe",
+ "SubjectLogonId": "0x4367b",
+ "AccessMask": "0x6",
+ "ResourceAttributes": "S:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))",
+ "ObjectName": "C:\\\\Documents\\\\HBI Data.txt",
+ "ObjectType": "File",
+ "SubjectUserName": "dadmin",
+ "AccessListDescription": [
+ "WriteData (or AddFile)",
+ "AppendData (or AddSubdirectory or CreatePipeInstance)"
+ ],
+ "ObjectServer": "Security",
+ "HandleId": "0x1bc",
+ "SubjectDomainName": "CONTOSO",
+ "ProcessId": "0x458",
+ "AccessMaskDescription": [
+ "Delete Child",
+ "List Contents"
+ ],
+ "AccessList": "%%4417 %%4418",
+ "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104"
+ },
+ "opcode": "Info",
+ "version": 1,
+ "record_id": "273866",
+ "event_id": "4663",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "time_created": "2015-09-18T22:13:54.770Z",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "outcome": "success"
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/file/path/4663.xml"
+ }
+ },
+ "host": {
+ "name": "DC01.contoso.local"
+ },
+ "event": {
+ "ingested": "2021-11-11T21:31:58.908808600Z",
+ "code": "4663",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "kind": "event",
+ "outcome": "success"
+ },
+ "message": "\u003cEvent 
xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e \u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4663\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e12800\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-09-18T22:13:54.770429700Z\" /\u003e\u003cEventRecordID\u003e273866\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"516\" ThreadID=\"524\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-21-3457937927-2839227994-823803824-1104\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003edadmin\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eCONTOSO\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x4367b\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003eFile\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003eC:\\\\Documents\\\\HBI Data.txt\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x1bc\u003c/Data\u003e\u003cData Name=\"AccessList\"\u003e%%4417 %%4418\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e0x6\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x458\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\notepad.exe\u003c/Data\u003e\u003cData Name=\"ResourceAttributes\"\u003eS:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e"
+ }
+ ]
+}
\ No newline at end of file
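Review bot: The expected `AccessMaskDescription` for this File event, `"Delete Child"` and `"List Contents"`, contradicts the expected `AccessListDescription` in the same document for the same access bits (0x6 is %%4417 + %%4418, i.e. `WriteData (or AddFile)` and `AppendData (...)`). The two labels appear to come from a directory-service rights table (the 4674 expected file labels 16777216 `ADS_RIGHT_ACCESS_SYSTEM_SECURITY`, an ADS_RIGHTS_ENUM name), which only lines up with the generic and standard bits, so for File, Key and other object types the low specific-access bits will be described wrongly in the indexed data. The decode script itself is not in view, but it should probably select the table by `winlog.event_data.ObjectType` (or limit itself to generic/standard bits when the type is not a directory object) and this expected file regenerated; note also that this file uses prose labels while the 4674 expected file emits the raw enum constant, so the new field has two label styles.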
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json
new file mode 100644
index 00000000000..1a877bc8e64
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json
@@ -0,0 +1,72 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-11-11T17:14:52.001Z",
+ "agent": {
+ "name": "AgentName",
+ "type": "filebeat",
+ "version": "7.15.2",
+ "hostname": "hostname",
+ "ephemeral_id": "8c285603-b2ba-4891-8f1a-862ca3388614",
+ "id": "7d1ef343-9372-428d-bd10-0a78e6894797"
+ },
+ "winlog": {
+ "time_created": "2015-10-09T00:22:36.237Z",
+ "event_id": "4674",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "opcode": "Info",
+ "outcome": "failure",
+ "level": "information",
+ "event_data": {
+ "ProcessId": "0x1f0",
+ "SubjectDomainName": "NT AUTHORITY",
+ "SubjectLogonId": "0x3e5",
+ "ObjectType": "-",
+ "ObjectName": "-",
+ "AccessMask": "16777216",
+ "PrivilegeList": "SeSecurityPrivilege",
+ "ProcessName": "C:\\\\Windows\\\\System32\\\\lsass.exe",
+ "SubjectUserSid": "S-1-5-19",
+ "SubjectUserName": "LOCAL SERVICE",
+ "ObjectServer": "LSA",
+ "HandleId": "0x0"
+ },
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 504
+ }
+ },
+ "channel": "Security",
+ "record_id": 1099680,
+ "computer_name": "DC01.contoso.local",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
+ },
+ "event": {
+ "code": "4674",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure"
+ },
+ "log": {
+ "file": {
+ "path": "/file/path/4674.xml"
+ },
+ "level": "information"
+ },
+ "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e\u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4674\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e13056\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8010000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-10-09T00:22:36.237816000Z\" 
/\u003e\u003cEventRecordID\u003e1099680\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"496\" ThreadID=\"504\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-19\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x3e5\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eLSA\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003e-\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003e-\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x0\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e16777216\u003c/Data\u003e\u003cData Name=\"PrivilegeList\"\u003eSeSecurityPrivilege\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x1f0\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\lsass.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "input": {
+ "type": "log"
+ },
+ "ecs": {
+ "version": "1.11.0"
+ },
+ "host": {
+ "name": "DC01.contoso.local"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
new file mode 100644
index 00000000000..98f2ff26a00
--- /dev/null
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
@@ -0,0 +1,101 @@
+{
+ "expected": [
+ {
+ "agent": {
+ "name": "AgentName",
+ "hostname": "hostname",
+ "id": "7d1ef343-9372-428d-bd10-0a78e6894797",
+ "ephemeral_id": "8c285603-b2ba-4891-8f1a-862ca3388614",
+ "type": "filebeat",
+ "version": "7.15.2"
+ },
+ "process": {
+ "name": "lsass.exe",
+ "pid": 496,
+ "executable": "C:\\\\Windows\\\\System32\\\\lsass.exe"
+ },
+ "winlog": {
+ "computer_name": "DC01.contoso.local",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 504
+ }
+ },
+ "keywords": [
+ "Audit Failure"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x3e5"
+ },
+ "channel": "Security",
+ "event_data": {
+ "ObjectType": "-",
+ "SubjectUserName": "LOCAL SERVICE",
+ "ObjectServer": "LSA",
+ "HandleId": "0x0",
+ "SubjectDomainName": "NT AUTHORITY",
+ "SubjectLogonId": "0x3e5",
+ "AccessMaskDescription": [
+ "ADS_RIGHT_ACCESS_SYSTEM_SECURITY"
+ ],
+ "AccessMask": "16777216",
+ "PrivilegeList": [
+ "SeSecurityPrivilege"
+ ],
+ "SubjectUserSid": "S-1-5-19",
+ "ObjectName": "-"
+ },
+ "opcode": "Info",
+ "record_id": "1099680",
+ "event_id": "4674",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+ "time_created": "2015-10-09T00:22:36.237Z",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "outcome": "failure"
+ },
+ "log": {
+ "level": "information",
+ "file": {
+ "path": "/file/path/4674.xml"
+ }
+ },
+ "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e\u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4674\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e13056\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8010000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-10-09T00:22:36.237816000Z\" /\u003e\u003cEventRecordID\u003e1099680\u003c/EventRecordID\u003e\u003cCorrelation 
/\u003e\u003cExecution ProcessID=\"496\" ThreadID=\"504\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-19\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x3e5\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eLSA\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003e-\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003e-\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x0\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e16777216\u003c/Data\u003e\u003cData Name=\"PrivilegeList\"\u003eSeSecurityPrivilege\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x1f0\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\lsass.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "input": {
+ "type": "log"
+ },
+ "@timestamp": "2015-10-09T00:22:36.237Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "user": [
+ "LOCAL SERVICE"
+ ]
+ },
+ "host": {
+ "name": "DC01.contoso.local"
+ },
+ "event": {
+ "ingested": "2021-11-11T21:31:59.255100300Z",
+ "code": "4674",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "kind": "event",
+ "action": "privileged-operation",
+ "category": [
+ "iam"
+ ],
+ "type": [
+ "admin"
+ ],
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "LOCAL SERVICE",
+ "domain": "NT AUTHORITY",
+ "id": "S-1-5-19"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml
index 3b13a0a47fc..cc02ddc2d98 100644
--- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml
@@ -754,6 +754,8 @@ processors:
 ignore_failure: false
 tag: Set Logon Type
 description: Set Logon Type
+# Logon Types
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
 params:
 "2": Interactive
 "3": Network
@@ -782,6 +784,8 @@ processors:
 ignore_failure: false
 tag: Set User Account Control
 description: Set User Account Control
+ # User Account Control Attributes Table
+ # https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
 params:
 "0x00000001": SCRIPT
 "0x00000002": ACCOUNTDISABLE
@@ -836,6 +840,9 @@ processors:
 ignore_failure: false
 tag: Set Kerberos Ticket Options
 description: Set Kerberos Ticket Options
+# Kerberos TGT and TGS Ticket Options
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
 params:
 "0x40000000": Forwardable
 "0x20000000": Forwarded
@@ -878,6 +885,9 @@ processors:
 ignore_failure: false
 tag: Set Kerberos Encryption Types
 description: Set Kerberos Encryption Types
+ # Kerberos Encryption Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
 params:
 "0x1": DES-CBC-CRC
 "0x3": DES-CBC-MD5
@@ -896,6 +906,9 @@ processors:
 lang: painless
 ignore_failure: false
 tag: Set Kerberos Ticket Status Codes
+ # Kerberos Result Status Codes
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
 description: Set Kerberos Ticket Status Codes
 params:
 "0x0": KDC_ERR_NONE
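Review bot: The two comment lines added after `description: Set Logon Type` appear to start at column 0 (`+# Logon Types`), whereas the equivalent comments added in the `-782`, `-878`, `-896`, `-968` and `-996` hunks are indented with the surrounding processor keys; the `-836` hunk (Set Kerberos Ticket Options) has the same column-0 placement. YAML accepts it, but a flush-left comment in the middle of a processor entry reads as a section break when scanning the pipeline. Indent both lines to the same level as the `params:` key below them, as the other hunks do.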
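Review bot: The support.microsoft.com link added above `params:` in the Set User Account Control processor uses the locale path `es-us` (`https://support.microsoft.com/es-us/help/305144/...`), which looks like a typo for `en-us`, the locale every other link in this change uses. Suggest `# https://support.microsoft.com/en-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties`. The comment is the only pointer to where the UAC bit table comes from, so the link should resolve to the intended page.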
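Review bot: Both reference links added under `description: Set Kerberos Encryption Types` point to the same page, `.../auditing/event-4768`; the Ticket Options hunk above cites 4768 and 4769 as a pair, so the second line was presumably meant to be `# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769`, or should be dropped if only 4768 was intended. The same duplicated pair appears in the `-896` hunk (Set Kerberos Ticket Status Codes). In that hunk the comment block is also inserted between `tag:` and `description:` rather than directly above `params:` as in every other hunk of this file, which separates the description from its tag; move it down two lines to match.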
@@ -968,6 +981,8 @@ processors:
 ignore_failure: false
 tag: Set Service Type and Name
 description: Set Service Type and Name
+ # Services Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
 params:
 "0x1": Kernel Driver
 "0x2": File System Driver
@@ -996,6 +1011,8 @@ processors:
 ignore_failure: false
 tag: Set Audit Information
 description: Set Audit Information
+ # Audit Categories Description
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d
 params:
 "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"]
 "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"]
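Review bot: The heading comment added above `params:` in the Set Service Type and Name processor reads `# Services Types`, which is ungrammatical and does not match the `tag:`/`description:` wording two lines up. `# Service Types` lines up with both. Keep the event-4697 link beneath it; it is the only record of where the `0x1`/`0x2` service-type codes were taken from.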
@@ -1069,980 +1086,1008 @@ processors: ignore_failure: false tag: Decode message table description: Decode message table + # Message table extracted from msobjs.dll on Windows 2019. + # https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 + # https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b params: - "279": "Undefined Access (no effect) Bit 7" - "1536": "Unused message ID" - "1537": "DELETE" - "1538": "READ_CONTROL" - "1539": "WRITE_DAC" - "1540": "WRITE_OWNER" - "1541": "SYNCHRONIZE" - "1542": "ACCESS_SYS_SEC" - "1543": "MAX_ALLOWED" - "1552": "Unknown specific access (bit 0)" - "1553": "Unknown specific access (bit 1)" - "1554": "Unknown specific access (bit 2)" - "1555": "Unknown specific access (bit 3)" - "1556": "Unknown specific access (bit 4)" - "1557": "Unknown specific access (bit 5)" - "1558": "Unknown specific access (bit 6)" - "1559": "Unknown specific access (bit 7)" - "1560": "Unknown specific access (bit 8)" - "1561": "Unknown specific access (bit 9)" - "1562": "Unknown specific access (bit 10)" - "1563": "Unknown specific access (bit 11)" - "1564": "Unknown specific access (bit 12)" - "1565": "Unknown specific access (bit 13)" - "1566": "Unknown specific access (bit 14)" - "1567": "Unknown specific access (bit 15)" - "1601": "Not used" - "1603": "Assign Primary Token Privilege" - "1604": "Lock Memory Privilege" - "1605": "Increase Memory Quota Privilege" - "1606": "Unsolicited Input Privilege" - "1607": "Trusted Computer Base Privilege" - "1608": "Security Privilege" - "1609": "Take Ownership Privilege" - "1610": "Load/Unload Driver Privilege" - "1611": "Profile System Privilege" - "1612": "Set System Time Privilege" - "1613": "Profile Single Process Privilege" - "1614": "Increment Base Priority Privilege" - "1615": "Create Pagefile Privilege" - "1616": "Create Permanent Object Privilege" 
- "1617": "Backup Privilege" - "1618": "Restore From Backup Privilege" - "1619": "Shutdown System Privilege" - "1620": "Debug Privilege" - "1621": "View or Change Audit Log Privilege" - "1622": "Change Hardware Environment Privilege" - "1623": "Change Notify (and Traverse) Privilege" - "1624": "Remotely Shut System Down Privilege" - "1792": "" - "1794": "" - "1795": "Enabled" - "1796": "Disabled" - "1797": "All" - "1798": "None" - "1799": "Audit Policy query/set API Operation" - "1800": "" - "1801": "Granted by" - "1802": "Denied by" - "1803": "Denied by Integrity Policy check" - "1804": "Granted by Ownership" - "1805": "Not granted" - "1806": "Granted by NULL DACL" - "1807": "Denied by Empty DACL" - "1808": "Granted by NULL Security Descriptor" - "1809": "Unknown or unchecked" - "1810": "Not granted due to missing" - "1811": "Granted by ACE on parent folder" - "1812": "Denied by ACE on parent folder" - "1813": "Granted by Central Access Rule" - "1814": "NOT Granted by Central Access Rule" - "1815": "Granted by parent folder's Central Access Rule" - "1816": "NOT Granted by parent folder's Central Access Rule" - "1817": "Unknown Type" - "1818": "String" - "1819": "Unsigned 64-bit Integer" - "1820": "64-bit Integer" - "1821": "FQBN" - "1822": "Blob" - "1823": "Sid" - "1824": "Boolean" - "1825": "TRUE" - "1826": "FALSE" - "1827": "Invalid" - "1828": "an ACE too long to display" - "1829": "a Security Descriptor too long to display" - "1830": "Not granted to AppContainers" - "1831": "..." 
- "1832": "Identification" - "1833": "Impersonation" - "1840": "Delegation" - "1841": "Denied by Process Trust Label ACE" - "1842": "Yes" - "1843": "No" - "1844": "System" - "1845": "Not Available" - "1846": "Default" - "1847": "DisallowMmConfig" - "1848": "Off" - "1849": "Auto" - "1872": "REG_NONE" - "1873": "REG_SZ" - "1874": "REG_EXPAND_SZ" - "1875": "REG_BINARY" - "1876": "REG_DWORD" - "1877": "REG_DWORD_BIG_ENDIAN" - "1878": "REG_LINK" - "1879": "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)" - "1880": "REG_RESOURCE_LIST" - "1881": "REG_FULL_RESOURCE_DESCRIPTOR" - "1882": "REG_RESOURCE_REQUIREMENTS_LIST" - "1883": "REG_QWORD" - "1904": "New registry value created" - "1905": "Existing registry value modified" - "1906": "Registry value deleted" - "1920": "Sunday" - "1921": "Monday" - "1922": "Tuesday" - "1923": "Wednesday" - "1924": "Thursday" - "1925": "Friday" - "1926": "Saturday" - "1936": "TokenElevationTypeDefault (1)" - "1937": "TokenElevationTypeFull (2)" - "1938": "TokenElevationTypeLimited (3)" - "2048": "Account Enabled" - "2049": "Home Directory Required' - Disabled" - "2050": "Password Not Required' - Disabled" - "2051": "Temp Duplicate Account' - Disabled" - "2052": "Normal Account' - Disabled" - "2053": "MNS Logon Account' - Disabled" - "2054": "Interdomain Trust Account' - Disabled" - "2055": "Workstation Trust Account' - Disabled" - "2056": "Server Trust Account' - Disabled" - "2057": "Don't Expire Password' - Disabled" - "2058": "Account Unlocked" - "2059": "Encrypted Text Password Allowed' - Disabled" - "2060": "Smartcard Required' - Disabled" - "2061": "Trusted For Delegation' - Disabled" - "2062": "Not Delegated' - Disabled" - "2063": "Use DES Key Only' - Disabled" - "2064": "Don't Require Preauth' - Disabled" - "2065": "Password Expired' - Disabled" - "2066": "Trusted To Authenticate For Delegation' - Disabled" - "2067": "Exclude Authorization Information' - Disabled" - "2068": "Undefined UserAccountControl Bit 20' - 
Disabled" - "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled" - "2070": "Undefined UserAccountControl Bit 22' - Disabled" - "2071": "Undefined UserAccountControl Bit 23' - Disabled" - "2072": "Undefined UserAccountControl Bit 24' - Disabled" - "2073": "Undefined UserAccountControl Bit 25' - Disabled" - "2074": "Undefined UserAccountControl Bit 26' - Disabled" - "2075": "Undefined UserAccountControl Bit 27' - Disabled" - "2076": "Undefined UserAccountControl Bit 28' - Disabled" - "2077": "Undefined UserAccountControl Bit 29' - Disabled" - "2078": "Undefined UserAccountControl Bit 30' - Disabled" - "2079": "Undefined UserAccountControl Bit 31' - Disabled" - "2080": "Account Disabled" - "2081": "Home Directory Required' - Enabled" - "2082": "Password Not Required' - Enabled" - "2083": "Temp Duplicate Account' - Enabled" - "2084": "Normal Account' - Enabled" - "2085": "MNS Logon Account' - Enabled" - "2086": "Interdomain Trust Account' - Enabled" - "2087": "Workstation Trust Account' - Enabled" - "2088": "Server Trust Account' - Enabled" - "2089": "Don't Expire Password' - Enabled" - "2090": "Account Locked" - "2091": "Encrypted Text Password Allowed' - Enabled" - "2092": "Smartcard Required' - Enabled" - "2093": "Trusted For Delegation' - Enabled" - "2094": "Not Delegated' - Enabled" - "2095": "Use DES Key Only' - Enabled" - "2096": "Don't Require Preauth' - Enabled" - "2097": "Password Expired' - Enabled" - "2098": "Trusted To Authenticate For Delegation' - Enabled" - "2099": "Exclude Authorization Information' - Enabled" - "2100": "Undefined UserAccountControl Bit 20' - Enabled" - "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled" - "2102": "Undefined UserAccountControl Bit 22' - Enabled" - "2103": "Undefined UserAccountControl Bit 23' - Enabled" - "2104": "Undefined UserAccountControl Bit 24' - Enabled" - "2105": "Undefined UserAccountControl Bit 25' - Enabled" - "2106": "Undefined UserAccountControl Bit 26' - Enabled" - "2107": 
"Undefined UserAccountControl Bit 27' - Enabled" - "2108": "Undefined UserAccountControl Bit 28' - Enabled" - "2109": "Undefined UserAccountControl Bit 29' - Enabled" - "2110": "Undefined UserAccountControl Bit 30' - Enabled" - "2111": "Undefined UserAccountControl Bit 31' - Enabled" - "2304": "An Error occured during Logon." - "2305": "The specified user account has expired." - "2306": "The NetLogon component is not active." - "2307": "Account locked out." - "2308": "The user has not been granted the requested logon type at this machine." - "2309": "The specified account's password has expired." - "2310": "Account currently disabled." - "2311": "Account logon time restriction violation." - "2312": "User not allowed to logon at this computer." - "2313": "Unknown user name or bad password." - "2314": "Domain sid inconsistent." - "2315": "Smartcard logon is required and was not used." - "2432": "Not Available." - "2436": "Random number generator failure." - "2437": "Random number generation failed FIPS-140 pre-hash check." - "2438": "Failed to zero secret data." - "2439": "Key failed pair wise consistency check." - "2448": "Failed to unprotect persistent cryptographic key." - "2449": "Key export checks failed." - "2450": "Validation of public key failed." - "2451": "Signature verification failed." - "2456": "Open key file." - "2457": "Delete key file." - "2458": "Read persisted key from file." - "2459": "Write persisted key to file." - "2464": "Export of persistent cryptographic key." - "2465": "Import of persistent cryptographic key." - "2480": "Open Key." - "2481": "Create Key." - "2482": "Delete Key." - "2483": "Encrypt." - "2484": "Decrypt." - "2485": "Sign hash." - "2486": "Secret agreement." - "2487": "Domain settings" - "2488": "Local settings" - "2489": "Add provider." - "2490": "Remove provider." - "2491": "Add context." - "2492": "Remove context." - "2493": "Add function." - "2494": "Remove function." - "2495": "Add function provider." 
- "2496": "Remove function provider." - "2497": "Add function property." - "2498": "Remove function property." - "2499": "Machine key." - "2500": "User key." - "2501": "Key Derivation." - "4352": "Device Access Bit 0" - "4353": "Device Access Bit 1" - "4354": "Device Access Bit 2" - "4355": "Device Access Bit 3" - "4356": "Device Access Bit 4" - "4357": "Device Access Bit 5" - "4358": "Device Access Bit 6" - "4359": "Device Access Bit 7" - "4360": "Device Access Bit 8" - "4361": "Undefined Access (no effect) Bit 9" - "4362": "Undefined Access (no effect) Bit 10" - "4363": "Undefined Access (no effect) Bit 11" - "4364": "Undefined Access (no effect) Bit 12" - "4365": "Undefined Access (no effect) Bit 13" - "4366": "Undefined Access (no effect) Bit 14" - "4367": "Undefined Access (no effect) Bit 15" - "4368": "Query directory" - "4369": "Traverse" - "4370": "Create object in directory" - "4371": "Create sub-directory" - "4372": "Undefined Access (no effect) Bit 4" - "4373": "Undefined Access (no effect) Bit 5" - "4374": "Undefined Access (no effect) Bit 6" - "4375": "Undefined Access (no effect) Bit 7" - "4376": "Undefined Access (no effect) Bit 8" - "4377": "Undefined Access (no effect) Bit 9" - "4378": "Undefined Access (no effect) Bit 10" - "4379": "Undefined Access (no effect) Bit 11" - "4380": "Undefined Access (no effect) Bit 12" - "4381": "Undefined Access (no effect) Bit 13" - "4382": "Undefined Access (no effect) Bit 14" - "4383": "Undefined Access (no effect) Bit 15" - "4384": "Query event state" - "4385": "Modify event state" - "4386": "Undefined Access (no effect) Bit 2" - "4387": "Undefined Access (no effect) Bit 3" - "4388": "Undefined Access (no effect) Bit 4" - "4389": "Undefined Access (no effect) Bit 5" - "4390": "Undefined Access (no effect) Bit 6" - "4391": "Undefined Access (no effect) Bit 7" - "4392": "Undefined Access (no effect) Bit 8" - "4393": "Undefined Access (no effect) Bit 9" - "4394": "Undefined Access (no effect) Bit 10" - "4395": 
"Undefined Access (no effect) Bit 11" - "4396": "Undefined Access (no effect) Bit 12" - "4397": "Undefined Access (no effect) Bit 13" - "4398": "Undefined Access (no effect) Bit 14" - "4399": "Undefined Access (no effect) Bit 15" - "4416": "ReadData (or ListDirectory)" - "4417": "WriteData (or AddFile)" - "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)" - "4419": "ReadEA" - "4420": "WriteEA" - "4421": "Execute/Traverse" - "4422": "DeleteChild" - "4423": "ReadAttributes" - "4424": "WriteAttributes" - "4425": "Undefined Access (no effect) Bit 9" - "4426": "Undefined Access (no effect) Bit 10" - "4427": "Undefined Access (no effect) Bit 11" - "4428": "Undefined Access (no effect) Bit 12" - "4429": "Undefined Access (no effect) Bit 13" - "4430": "Undefined Access (no effect) Bit 14" - "4431": "Undefined Access (no effect) Bit 15" - "4432": "Query key value" - "4433": "Set key value" - "4434": "Create sub-key" - "4435": "Enumerate sub-keys" - "4436": "Notify about changes to keys" - "4437": "Create Link" - "4438": "Undefined Access (no effect) Bit 6" - "4439": "Undefined Access (no effect) Bit 7" - "4440": "Enable 64(or 32) bit application to open 64 bit key" - "4441": "Enable 64(or 32) bit application to open 32 bit key" - "4442": "Undefined Access (no effect) Bit 10" - "4443": "Undefined Access (no effect) Bit 11" - "4444": "Undefined Access (no effect) Bit 12" - "4445": "Undefined Access (no effect) Bit 13" - "4446": "Undefined Access (no effect) Bit 14" - "4447": "Undefined Access (no effect) Bit 15" - "4448": "Query mutant state" - "4449": "Undefined Access (no effect) Bit 1" - "4450": "Undefined Access (no effect) Bit 2" - "4451": "Undefined Access (no effect) Bit 3" - "4452": "Undefined Access (no effect) Bit 4" - "4453": "Undefined Access (no effect) Bit 5" - "4454": "Undefined Access (no effect) Bit 6" - "4455": "Undefined Access (no effect) Bit 7" - "4456": "Undefined Access (no effect) Bit 8" - "4457": "Undefined Access (no effect) Bit 9" - 
"4458": "Undefined Access (no effect) Bit 10"
- "4459": "Undefined Access (no effect) Bit 11"
- "4460": "Undefined Access (no effect) Bit 12"
- "4461": "Undefined Access (no effect) Bit 13"
- "4462": "Undefined Access (no effect) Bit 14"
- "4463": "Undefined Access (no effect) Bit 15"
- "4464": "Communicate using port"
- "4465": "Undefined Access (no effect) Bit 1"
- "4466": "Undefined Access (no effect) Bit 2"
- "4467": "Undefined Access (no effect) Bit 3"
- "4468": "Undefined Access (no effect) Bit 4"
- "4469": "Undefined Access (no effect) Bit 5"
- "4470": "Undefined Access (no effect) Bit 6"
- "4471": "Undefined Access (no effect) Bit 7"
- "4472": "Undefined Access (no effect) Bit 8"
- "4473": "Undefined Access (no effect) Bit 9"
- "4474": "Undefined Access (no effect) Bit 10"
- "4475": "Undefined Access (no effect) Bit 11"
- "4476": "Undefined Access (no effect) Bit 12"
- "4477": "Undefined Access (no effect) Bit 13"
- "4478": "Undefined Access (no effect) Bit 14"
- "4479": "Undefined Access (no effect) Bit 15"
- "4480": "Force process termination"
- "4481": "Create new thread in process"
- "4482": "Set process session ID"
- "4483": "Perform virtual memory operation"
- "4484": "Read from process memory"
- "4485": "Write to process memory"
- "4486": "Duplicate handle into or out of process"
- "4487": "Create a subprocess of process"
- "4488": "Set process quotas"
- "4489": "Set process information"
- "4490": "Query process information"
- "4491": "Set process termination port"
- "4492": "Undefined Access (no effect) Bit 12"
- "4493": "Undefined Access (no effect) Bit 13"
- "4494": "Undefined Access (no effect) Bit 14"
- "4495": "Undefined Access (no effect) Bit 15"
- "4496": "Control profile"
- "4497": "Undefined Access (no effect) Bit 1"
- "4498": "Undefined Access (no effect) Bit 2"
- "4499": "Undefined Access (no effect) Bit 3"
- "4500": "Undefined Access (no effect) Bit 4"
- "4501": "Undefined Access (no effect) Bit 5"
- "4502": "Undefined Access (no effect)
Bit 6"
- "4503": "Undefined Access (no effect) Bit 7"
- "4504": "Undefined Access (no effect) Bit 8"
- "4505": "Undefined Access (no effect) Bit 9"
- "4506": "Undefined Access (no effect) Bit 10"
- "4507": "Undefined Access (no effect) Bit 11"
- "4508": "Undefined Access (no effect) Bit 12"
- "4509": "Undefined Access (no effect) Bit 13"
- "4510": "Undefined Access (no effect) Bit 14"
- "4511": "Undefined Access (no effect) Bit 15"
- "4512": "Query section state"
- "4513": "Map section for write"
- "4514": "Map section for read"
- "4515": "Map section for execute"
- "4516": "Extend size"
- "4517": "Undefined Access (no effect) Bit 5"
- "4518": "Undefined Access (no effect) Bit 6"
- "4519": "Undefined Access (no effect) Bit 7"
- "4520": "Undefined Access (no effect) Bit 8"
- "4521": "Undefined Access (no effect) Bit 9"
- "4522": "Undefined Access (no effect) Bit 10"
- "4523": "Undefined Access (no effect) Bit 11"
- "4524": "Undefined Access (no effect) Bit 12"
- "4525": "Undefined Access (no effect) Bit 13"
- "4526": "Undefined Access (no effect) Bit 14"
- "4527": "Undefined Access (no effect) Bit 15"
- "4528": "Query semaphore state"
- "4529": "Modify semaphore state"
- "4530": "Undefined Access (no effect) Bit 2"
- "4531": "Undefined Access (no effect) Bit 3"
- "4532": "Undefined Access (no effect) Bit 4"
- "4533": "Undefined Access (no effect) Bit 5"
- "4534": "Undefined Access (no effect) Bit 6"
- "4535": "Undefined Access (no effect) Bit 7"
- "4536": "Undefined Access (no effect) Bit 8"
- "4537": "Undefined Access (no effect) Bit 9"
- "4538": "Undefined Access (no effect) Bit 10"
- "4539": "Undefined Access (no effect) Bit 11"
- "4540": "Undefined Access (no effect) Bit 12"
- "4541": "Undefined Access (no effect) Bit 13"
- "4542": "Undefined Access (no effect) Bit 14"
- "4543": "Undefined Access (no effect) Bit 15"
- "4544": "Use symbolic link"
- "4545": "Undefined Access (no effect) Bit 1"
- "4546": "Undefined Access (no effect) Bit 2"
- "4547": "Undefined
Access (no effect) Bit 3"
- "4548": "Undefined Access (no effect) Bit 4"
- "4549": "Undefined Access (no effect) Bit 5"
- "4550": "Undefined Access (no effect) Bit 6"
- "4551": "Undefined Access (no effect) Bit 7"
- "4552": "Undefined Access (no effect) Bit 8"
- "4553": "Undefined Access (no effect) Bit 9"
- "4554": "Undefined Access (no effect) Bit 10"
- "4555": "Undefined Access (no effect) Bit 11"
- "4556": "Undefined Access (no effect) Bit 12"
- "4557": "Undefined Access (no effect) Bit 13"
- "4558": "Undefined Access (no effect) Bit 14"
- "4559": "Undefined Access (no effect) Bit 15"
- "4560": "Force thread termination"
- "4561": "Suspend or resume thread"
- "4562": "Send an alert to thread"
- "4563": "Get thread context"
- "4564": "Set thread context"
- "4565": "Set thread information"
- "4566": "Query thread information"
- "4567": "Assign a token to the thread"
- "4568": "Cause thread to directly impersonate another thread"
- "4569": "Directly impersonate this thread"
- "4570": "Undefined Access (no effect) Bit 10"
- "4571": "Undefined Access (no effect) Bit 11"
- "4572": "Undefined Access (no effect) Bit 12"
- "4573": "Undefined Access (no effect) Bit 13"
- "4574": "Undefined Access (no effect) Bit 14"
- "4575": "Undefined Access (no effect) Bit 15"
- "4576": "Query timer state"
- "4577": "Modify timer state"
- "4578": "Undefined Access (no effect) Bit 2"
- "4579": "Undefined Access (no effect) Bit 3"
- "4580": "Undefined Access (no effect) Bit 4"
- "4581": "Undefined Access (no effect) Bit 5"
- "4582": "Undefined Access (no effect) Bit 6"
- "4584": "Undefined Access (no effect) Bit 8"
- "4585": "Undefined Access (no effect) Bit 9"
- "4586": "Undefined Access (no effect) Bit 10"
- "4587": "Undefined Access (no effect) Bit 11"
- "4588": "Undefined Access (no effect) Bit 12"
- "4589": "Undefined Access (no effect) Bit 13"
- "4590": "Undefined Access (no effect) Bit 14"
- "4591": "Undefined Access (no effect) Bit 15"
- "4592": "AssignAsPrimary"
- "4593":
"Duplicate"
- "4594": "Impersonate"
- "4595": "Query"
- "4596": "QuerySource"
- "4597": "AdjustPrivileges"
- "4598": "AdjustGroups"
- "4599": "AdjustDefaultDacl"
- "4600": "AdjustSessionID"
- "4601": "Undefined Access (no effect) Bit 9"
- "4602": "Undefined Access (no effect) Bit 10"
- "4603": "Undefined Access (no effect) Bit 11"
- "4604": "Undefined Access (no effect) Bit 12"
- "4605": "Undefined Access (no effect) Bit 13"
- "4606": "Undefined Access (no effect) Bit 14"
- "4607": "Undefined Access (no effect) Bit 15"
- "4608": "Create instance of object type"
- "4609": "Undefined Access (no effect) Bit 1"
- "4610": "Undefined Access (no effect) Bit 2"
- "4611": "Undefined Access (no effect) Bit 3"
- "4612": "Undefined Access (no effect) Bit 4"
- "4613": "Undefined Access (no effect) Bit 5"
- "4614": "Undefined Access (no effect) Bit 6"
- "4615": "Undefined Access (no effect) Bit 7"
- "4616": "Undefined Access (no effect) Bit 8"
- "4617": "Undefined Access (no effect) Bit 9"
- "4618": "Undefined Access (no effect) Bit 10"
- "4619": "Undefined Access (no effect) Bit 11"
- "4620": "Undefined Access (no effect) Bit 12"
- "4621": "Undefined Access (no effect) Bit 13"
- "4622": "Undefined Access (no effect) Bit 14"
- "4623": "Undefined Access (no effect) Bit 15"
- "4864": "Query State"
- "4865": "Modify State"
- "5120": "Channel read message"
- "5121": "Channel write message"
- "5122": "Channel query information"
- "5123": "Channel set information"
- "5124": "Undefined Access (no effect) Bit 4"
- "5125": "Undefined Access (no effect) Bit 5"
- "5126": "Undefined Access (no effect) Bit 6"
- "5127": "Undefined Access (no effect) Bit 7"
- "5128": "Undefined Access (no effect) Bit 8"
- "5129": "Undefined Access (no effect) Bit 9"
- "5130": "Undefined Access (no effect) Bit 10"
- "5131": "Undefined Access (no effect) Bit 11"
- "5132": "Undefined Access (no effect) Bit 12"
- "5133": "Undefined Access (no effect) Bit 13"
- "5134": "Undefined Access (no effect) Bit 14"
-
"5135": "Undefined Access (no effect) Bit 15"
- "5136": "Assign process"
- "5137": "Set Attributes"
- "5138": "Query Attributes"
- "5139": "Terminate Job"
- "5140": "Set Security Attributes"
- "5141": "Undefined Access (no effect) Bit 5"
- "5142": "Undefined Access (no effect) Bit 6"
- "5143": "Undefined Access (no effect) Bit 7"
- "5144": "Undefined Access (no effect) Bit 8"
- "5145": "Undefined Access (no effect) Bit 9"
- "5146": "Undefined Access (no effect) Bit 10"
- "5147": "Undefined Access (no effect) Bit 11"
- "5148": "Undefined Access (no effect) Bit 12"
- "5149": "Undefined Access (no effect) Bit 13"
- "5150": "Undefined Access (no effect) Bit 14"
- "5151": "Undefined Access (no effect) Bit 15"
- "5376": "ConnectToServer"
- "5377": "ShutdownServer"
- "5378": "InitializeServer"
- "5379": "CreateDomain"
- "5380": "EnumerateDomains"
- "5381": "LookupDomain"
- "5382": "Undefined Access (no effect) Bit 6"
- "5383": "Undefined Access (no effect) Bit 7"
- "5384": "Undefined Access (no effect) Bit 8"
- "5385": "Undefined Access (no effect) Bit 9"
- "5386": "Undefined Access (no effect) Bit 10"
- "5387": "Undefined Access (no effect) Bit 11"
- "5388": "Undefined Access (no effect) Bit 12"
- "5389": "Undefined Access (no effect) Bit 13"
- "5390": "Undefined Access (no effect) Bit 14"
- "5391": "Undefined Access (no effect) Bit 15"
- "5392": "ReadPasswordParameters"
- "5393": "WritePasswordParameters"
- "5394": "ReadOtherParameters"
- "5395": "WriteOtherParameters"
- "5396": "CreateUser"
- "5397": "CreateGlobalGroup"
- "5398": "CreateLocalGroup"
- "5399": "GetLocalGroupMembership"
- "5400": "ListAccounts"
- "5401": "LookupIDs"
- "5402": "AdministerServer"
- "5403": "Undefined Access (no effect) Bit 11"
- "5404": "Undefined Access (no effect) Bit 12"
- "5405": "Undefined Access (no effect) Bit 13"
- "5406": "Undefined Access (no effect) Bit 14"
- "5407": "Undefined Access (no effect) Bit 15"
- "5408": "ReadInformation"
- "5409": "WriteAccount"
- "5410": "AddMember"
-
"5411": "RemoveMember"
- "5412": "ListMembers"
- "5413": "Undefined Access (no effect) Bit 5"
- "5414": "Undefined Access (no effect) Bit 6"
- "5415": "Undefined Access (no effect) Bit 7"
- "5416": "Undefined Access (no effect) Bit 8"
- "5417": "Undefined Access (no effect) Bit 9"
- "5418": "Undefined Access (no effect) Bit 10"
- "5419": "Undefined Access (no effect) Bit 11"
- "5420": "Undefined Access (no effect) Bit 12"
- "5421": "Undefined Access (no effect) Bit 13"
- "5422": "Undefined Access (no effect) Bit 14"
- "5423": "Undefined Access (no effect) Bit 15"
- "5424": "AddMember"
- "5425": "RemoveMember"
- "5426": "ListMembers"
- "5427": "ReadInformation"
- "5428": "WriteAccount"
- "5429": "Undefined Access (no effect) Bit 5"
- "5430": "Undefined Access (no effect) Bit 6"
- "5431": "Undefined Access (no effect) Bit 7"
- "5432": "Undefined Access (no effect) Bit 8"
- "5433": "Undefined Access (no effect) Bit 9"
- "5434": "Undefined Access (no effect) Bit 10"
- "5435": "Undefined Access (no effect) Bit 11"
- "5436": "Undefined Access (no effect) Bit 12"
- "5437": "Undefined Access (no effect) Bit 13"
- "5438": "Undefined Access (no effect) Bit 14"
- "5439": "Undefined Access (no effect) Bit 15"
- "5440": "ReadGeneralInformation"
- "5441": "ReadPreferences"
- "5442": "WritePreferences"
- "5443": "ReadLogon"
- "5444": "ReadAccount"
- "5445": "WriteAccount"
- "5446": "ChangePassword (with knowledge of old password)"
- "5447": "SetPassword (without knowledge of old password)"
- "5448": "ListGroups"
- "5449": "ReadGroupMembership"
- "5450": "ChangeGroupMembership"
- "5451": "Undefined Access (no effect) Bit 11"
- "5452": "Undefined Access (no effect) Bit 12"
- "5453": "Undefined Access (no effect) Bit 13"
- "5454": "Undefined Access (no effect) Bit 14"
- "5455": "Undefined Access (no effect) Bit 15"
- "5632": "View non-sensitive policy information"
- "5633": "View system audit requirements"
- "5634": "Get sensitive policy information"
- "5635": "Modify domain trust
relationships"
- "5636": "Create special accounts (for assignment of user rights)"
- "5637": "Create a secret object"
- "5638": "Create a privilege"
- "5639": "Set default quota limits"
- "5640": "Change system audit requirements"
- "5641": "Administer audit log attributes"
- "5642": "Enable/Disable LSA"
- "5643": "Lookup Names/SIDs"
- "5648": "Change secret value"
- "5649": "Query secret value"
- "5650": "Undefined Access (no effect) Bit 2"
- "5651": "Undefined Access (no effect) Bit 3"
- "5652": "Undefined Access (no effect) Bit 4"
- "5653": "Undefined Access (no effect) Bit 5"
- "5654": "Undefined Access (no effect) Bit 6"
- "5655": "Undefined Access (no effect) Bit 7"
- "5656": "Undefined Access (no effect) Bit 8"
- "5657": "Undefined Access (no effect) Bit 9"
- "5658": "Undefined Access (no effect) Bit 10"
- "5659": "Undefined Access (no effect) Bit 11"
- "5660": "Undefined Access (no effect) Bit 12"
- "5661": "Undefined Access (no effect) Bit 13"
- "5662": "Undefined Access (no effect) Bit 14"
- "5663": "Undefined Access (no effect) Bit 15"
- "5664": "Query trusted domain name/SID"
- "5665": "Retrieve the controllers in the trusted domain"
- "5666": "Change the controllers in the trusted domain"
- "5667": "Query the Posix ID offset assigned to the trusted domain"
- "5668": "Change the Posix ID offset assigned to the trusted domain"
- "5669": "Undefined Access (no effect) Bit 5"
- "5670": "Undefined Access (no effect) Bit 6"
- "5671": "Undefined Access (no effect) Bit 7"
- "5672": "Undefined Access (no effect) Bit 8"
- "5673": "Undefined Access (no effect) Bit 9"
- "5674": "Undefined Access (no effect) Bit 10"
- "5675": "Undefined Access (no effect) Bit 11"
- "5676": "Undefined Access (no effect) Bit 12"
- "5677": "Undefined Access (no effect) Bit 13"
- "5678": "Undefined Access (no effect) Bit 14"
- "5679": "Undefined Access (no effect) Bit 15"
- "5680": "Query account information"
- "5681": "Change privileges assigned to account"
- "5682": "Change quotas
assigned to account"
- "5683": "Change logon capabilities assigned to account"
- "5684": "Change the Posix ID offset assigned to the accounted domain"
- "5685": "Undefined Access (no effect) Bit 5"
- "5686": "Undefined Access (no effect) Bit 6"
- "5687": "Undefined Access (no effect) Bit 7"
- "5688": "Undefined Access (no effect) Bit 8"
- "5689": "Undefined Access (no effect) Bit 9"
- "5690": "Undefined Access (no effect) Bit 10"
- "5691": "Undefined Access (no effect) Bit 11"
- "5692": "Undefined Access (no effect) Bit 12"
- "5693": "Undefined Access (no effect) Bit 13"
- "5694": "Undefined Access (no effect) Bit 14"
- "5695": "Undefined Access (no effect) Bit 15"
- "5696": "KeyedEvent Wait"
- "5697": "KeyedEvent Wake"
- "5698": "Undefined Access (no effect) Bit 2"
- "5699": "Undefined Access (no effect) Bit 3"
- "5700": "Undefined Access (no effect) Bit 4"
- "5701": "Undefined Access (no effect) Bit 5"
- "5702": "Undefined Access (no effect) Bit 6"
- "5703": "Undefined Access (no effect) Bit 7"
- "5704": "Undefined Access (no effect) Bit 8"
- "5705": "Undefined Access (no effect) Bit 9"
- "5706": "Undefined Access (no effect) Bit 10"
- "5707": "Undefined Access (no effect) Bit 11"
- "5708": "Undefined Access (no effect) Bit 12"
- "5709": "Undefined Access (no effect) Bit 13"
- "5710": "Undefined Access (no effect) Bit 14"
- "5711": "Undefined Access (no effect) Bit 15"
- "6656": "Enumerate desktops"
- "6657": "Read attributes"
- "6658": "Access Clipboard"
- "6659": "Create desktop"
- "6660": "Write attributes"
- "6661": "Access global atoms"
- "6662": "Exit windows"
- "6663": "Unused Access Flag"
- "6664": "Include this windowstation in enumerations"
- "6665": "Read screen"
- "6672": "Read Objects"
- "6673": "Create window"
- "6674": "Create menu"
- "6675": "Hook control"
- "6676": "Journal (record)"
- "6677": "Journal (playback)"
- "6678": "Include this desktop in enumerations"
- "6679": "Write objects"
- "6680": "Switch to this desktop"
- "6912": "Administer
print server"
- "6913": "Enumerate printers"
- "6930": "Full Control"
- "6931": "Print"
- "6948": "Administer Document"
- "7168": "Connect to service controller"
- "7169": "Create a new service"
- "7170": "Enumerate services"
- "7171": "Lock service database for exclusive access"
- "7172": "Query service database lock state"
- "7173": "Set last-known-good state of service database"
- "7184": "Query service configuration information"
- "7185": "Set service configuration information"
- "7186": "Query status of service"
- "7187": "Enumerate dependencies of service"
- "7188": "Start the service"
- "7189": "Stop the service"
- "7190": "Pause or continue the service"
- "7191": "Query information from service"
- "7192": "Issue service-specific control commands"
- "7424": "DDE Share Read"
- "7425": "DDE Share Write"
- "7426": "DDE Share Initiate Static"
- "7427": "DDE Share Initiate Link"
- "7428": "DDE Share Request"
- "7429": "DDE Share Advise"
- "7430": "DDE Share Poke"
- "7431": "DDE Share Execute"
- "7432": "DDE Share Add Items"
- "7433": "DDE Share List Items"
- "7680": "Create Child"
- "7681": "Delete Child"
- "7682": "List Contents"
- "7683": "Write Self"
- "7684": "Read Property"
- "7685": "Write Property"
- "7686": "Delete Tree"
- "7687": "List Object"
- "7688": "Control Access"
- "7689": "Undefined Access (no effect) Bit 9"
- "7690": "Undefined Access (no effect) Bit 10"
- "7691": "Undefined Access (no effect) Bit 11"
- "7692": "Undefined Access (no effect) Bit 12"
- "7693": "Undefined Access (no effect) Bit 13"
- "7694": "Undefined Access (no effect) Bit 14"
- "7695": "Undefined Access (no effect) Bit 15"
- "7936": "Audit Set System Policy"
- "7937": "Audit Query System Policy"
- "7938": "Audit Set Per User Policy"
- "7939": "Audit Query Per User Policy"
- "7940": "Audit Enumerate Users"
- "7941": "Audit Set Options"
- "7942": "Audit Query Options"
- "8064": "Port sharing (read)"
- "8065": "Port sharing (write)"
- "8096": "Default credentials"
- "8097":
"Credentials manager"
- "8098": "Fresh credentials"
- "8192": "Kerberos"
- "8193": "Preshared key"
- "8194": "Unknown authentication"
- "8195": "DES"
- "8196": "3DES"
- "8197": "MD5"
- "8198": "SHA1"
- "8199": "Local computer"
- "8200": "Remote computer"
- "8201": "No state"
- "8202": "Sent first (SA) payload"
- "8203": "Sent second (KE) payload"
- "8204": "Sent third (ID) payload"
- "8205": "Initiator"
- "8206": "Responder"
- "8207": "No state"
- "8208": "Sent first (SA) payload"
- "8209": "Sent final payload"
- "8210": "Complete"
- "8211": "Unknown"
- "8212": "Transport"
- "8213": "Tunnel"
- "8214": "IKE/AuthIP DoS prevention mode started"
- "8215": "IKE/AuthIP DoS prevention mode stopped"
- "8216": "Enabled"
- "8217": "Not enabled"
- "8218": "No state"
- "8219": "Sent first (EM attributes) payload"
- "8220": "Sent second (SSPI) payload"
- "8221": "Sent third (hash) payload"
- "8222": "IKEv1"
- "8223": "AuthIP"
- "8224": "Anonymous"
- "8225": "NTLM V2"
- "8226": "CGA"
- "8227": "Certificate"
- "8228": "SSL"
- "8229": "None"
- "8230": "DH group 1"
- "8231": "DH group 2"
- "8232": "DH group 14"
- "8233": "DH group ECP 256"
- "8234": "DH group ECP 384"
- "8235": "AES-128"
- "8236": "AES-192"
- "8237": "AES-256"
- "8238": "Certificate ECDSA P256"
- "8239": "Certificate ECDSA P384"
- "8240": "SSL ECDSA P256"
- "8241": "SSL ECDSA P384"
- "8242": "SHA 256"
- "8243": "SHA 384"
- "8244": "IKEv2"
- "8245": "EAP payload sent"
- "8246": "Authentication payload sent"
- "8247": "EAP"
- "8248": "DH group 24"
- "8272": "System"
- "8273": "Logon/Logoff"
- "8274": "Object Access"
- "8275": "Privilege Use"
- "8276": "Detailed Tracking"
- "8277": "Policy Change"
- "8278": "Account Management"
- "8279": "DS Access"
- "8280": "Account Logon"
- "8448": "Success removed"
- "8449": "Success Added"
- "8450": "Failure removed"
- "8451": "Failure Added"
- "8452": "Success include removed"
- "8453": "Success include added"
- "8454": "Success exclude removed"
- "8455": "Success exclude added"
- "8456": "Failure include removed"
- "8457": "Failure include added"
- "8458": "Failure exclude removed"
- "8459": "Failure exclude added"
- "12288": "Security State Change"
- "12289": "Security System Extension"
- "12290": "System Integrity"
- "12291": "IPsec Driver"
- "12292": "Other System Events"
- "12544": "Logon"
- "12545": "Logoff"
- "12546": "Account Lockout"
- "12547": "IPsec Main Mode"
- "12548": "Special Logon"
- "12549": "IPsec Quick Mode"
- "12550": "IPsec Extended Mode"
- "12551": "Other Logon/Logoff Events"
- "12552": "Network Policy Server"
- "12553": "User / Device Claims"
- "12554": "Group Membership"
- "12800": "File System"
- "12801": "Registry"
- "12802": "Kernel Object"
- "12803": "SAM"
- "12804": "Other Object Access Events"
- "12805": "Certification Services"
- "12806": "Application Generated"
- "12807": "Handle Manipulation"
- "12808": "File Share"
- "12809": "Filtering Platform Packet Drop"
- "12810": "Filtering Platform Connection"
- "12811": "Detailed File Share"
- "12812": "Removable Storage"
- "12813": "Central Policy Staging"
- "13056": "Sensitive Privilege Use"
- "13057": "Non Sensitive Privilege Use"
- "13058": "Other Privilege Use Events"
- "13312": "Process Creation"
- "13313": "Process Termination"
- "13314": "DPAPI Activity"
- "13315": "RPC Events"
- "13316": "Plug and Play Events"
- "13317": "Token Right Adjusted Events"
- "13568": "Audit Policy Change"
- "13569": "Authentication Policy Change"
- "13570": "Authorization Policy Change"
- "13571": "MPSSVC Rule-Level Policy Change"
- "13572": "Filtering Platform Policy Change"
- "13573": "Other Policy Change Events"
- "13824": "User Account Management"
- "13825": "Computer Account Management"
- "13826": "Security Group Management"
- "13827": "Distribution Group Management"
- "13828": "Application Group Management"
- "13829": "Other Account Management Events"
- "14080": "Directory Service Access"
- "14081": "Directory Service Changes"
- "14082": "Directory Service Replication"
-
"14083": "Detailed Directory Service Replication"
- "14336": "Credential Validation"
- "14337": "Kerberos Service Ticket Operations"
- "14338": "Other Account Logon Events"
- "14339": "Kerberos Authentication Service"
- "14592": "Inbound"
- "14593": "Outbound"
- "14594": "Forward"
- "14595": "Bidirectional"
- "14596": "IP Packet"
- "14597": "Transport"
- "14598": "Forward"
- "14599": "Stream"
- "14600": "Datagram Data"
- "14601": "ICMP Error"
- "14602": "MAC 802.3"
- "14603": "MAC Native"
- "14604": "vSwitch"
- "14608": "Resource Assignment"
- "14609": "Listen"
- "14610": "Receive/Accept"
- "14611": "Connect"
- "14612": "Flow Established"
- "14614": "Resource Release"
- "14615": "Endpoint Closure"
- "14616": "Connect Redirect"
- "14617": "Bind Redirect"
- "14624": "Stream Packet"
- "14640": "ICMP Echo-Request"
- "14641": "vSwitch Ingress"
- "14642": "vSwitch Egress"
- "14672": ""
- "14673": "[NULL]"
- "14674": "Value Added"
- "14675": "Value Deleted"
- "14676": "Active Directory Domain Services"
- "14677": "Active Directory Lightweight Directory Services"
- "14678": "Yes"
- "14679": "No"
- "14680": "Value Added With Expiration Time"
- "14681": "Value Deleted With Expiration Time"
- "14688": "Value Auto Deleted With Expiration Time"
- "16384": "Add"
- "16385": "Delete"
- "16386": "Boot-time"
- "16387": "Persistent"
- "16388": "Not persistent"
- "16389": "Block"
- "16390": "Permit"
- "16391": "Callout"
- "16392": "MD5"
- "16393": "SHA-1"
- "16394": "SHA-256"
- "16395": "AES-GCM 128"
- "16396": "AES-GCM 192"
- "16397": "AES-GCM 256"
- "16398": "DES"
- "16399": "3DES"
- "16400": "AES-128"
- "16401": "AES-192"
- "16402": "AES-256"
- "16403": "Transport"
- "16404": "Tunnel"
- "16405": "Responder"
- "16406": "Initiator"
- "16407": "AES-GMAC 128"
- "16408": "AES-GMAC 192"
- "16409": "AES-GMAC 256"
- "16416": "AuthNoEncap Transport"
- "16896": "Enable WMI Account"
- "16897": "Execute Method"
- "16898": "Full Write"
- "16899": "Partial Write"
- "16900": "Provider Write"
-
"16901": "Remote Access"
- "16902": "Subscribe"
- "16903": "Publish"
+ descriptions:
+ "279": "Undefined Access (no effect) Bit 7"
+ "1536": "Unused message ID"
+ "1537": "DELETE"
+ "1538": "READ_CONTROL"
+ "1539": "WRITE_DAC"
+ "1540": "WRITE_OWNER"
+ "1541": "SYNCHRONIZE"
+ "1542": "ACCESS_SYS_SEC"
+ "1543": "MAX_ALLOWED"
+ "1552": "Unknown specific access (bit 0)"
+ "1553": "Unknown specific access (bit 1)"
+ "1554": "Unknown specific access (bit 2)"
+ "1555": "Unknown specific access (bit 3)"
+ "1556": "Unknown specific access (bit 4)"
+ "1557": "Unknown specific access (bit 5)"
+ "1558": "Unknown specific access (bit 6)"
+ "1559": "Unknown specific access (bit 7)"
+ "1560": "Unknown specific access (bit 8)"
+ "1561": "Unknown specific access (bit 9)"
+ "1562": "Unknown specific access (bit 10)"
+ "1563": "Unknown specific access (bit 11)"
+ "1564": "Unknown specific access (bit 12)"
+ "1565": "Unknown specific access (bit 13)"
+ "1566": "Unknown specific access (bit 14)"
+ "1567": "Unknown specific access (bit 15)"
+ "1601": "Not used"
+ "1603": "Assign Primary Token Privilege"
+ "1604": "Lock Memory Privilege"
+ "1605": "Increase Memory Quota Privilege"
+ "1606": "Unsolicited Input Privilege"
+ "1607": "Trusted Computer Base Privilege"
+ "1608": "Security Privilege"
+ "1609": "Take Ownership Privilege"
+ "1610": "Load/Unload Driver Privilege"
+ "1611": "Profile System Privilege"
+ "1612": "Set System Time Privilege"
+ "1613": "Profile Single Process Privilege"
+ "1614": "Increment Base Priority Privilege"
+ "1615": "Create Pagefile Privilege"
+ "1616": "Create Permanent Object Privilege"
+ "1617": "Backup Privilege"
+ "1618": "Restore From Backup Privilege"
+ "1619": "Shutdown System Privilege"
+ "1620": "Debug Privilege"
+ "1621": "View or Change Audit Log Privilege"
+ "1622": "Change Hardware Environment Privilege"
+ "1623": "Change Notify (and Traverse) Privilege"
+ "1624": "Remotely Shut System Down Privilege"
+ "1792": ""
+ "1794": ""
+ "1795": "Enabled"
+ "1796": "Disabled"
+ "1797": "All"
+ "1798": "None"
+ "1799": "Audit Policy query/set API Operation"
+ "1800": ""
+ "1801": "Granted by"
+ "1802": "Denied by"
+ "1803": "Denied by Integrity Policy check"
+ "1804": "Granted by Ownership"
+ "1805": "Not granted"
+ "1806": "Granted by NULL DACL"
+ "1807": "Denied by Empty DACL"
+ "1808": "Granted by NULL Security Descriptor"
+ "1809": "Unknown or unchecked"
+ "1810": "Not granted due to missing"
+ "1811": "Granted by ACE on parent folder"
+ "1812": "Denied by ACE on parent folder"
+ "1813": "Granted by Central Access Rule"
+ "1814": "NOT Granted by Central Access Rule"
+ "1815": "Granted by parent folder's Central Access Rule"
+ "1816": "NOT Granted by parent folder's Central Access Rule"
+ "1817": "Unknown Type"
+ "1818": "String"
+ "1819": "Unsigned 64-bit Integer"
+ "1820": "64-bit Integer"
+ "1821": "FQBN"
+ "1822": "Blob"
+ "1823": "Sid"
+ "1824": "Boolean"
+ "1825": "TRUE"
+ "1826": "FALSE"
+ "1827": "Invalid"
+ "1828": "an ACE too long to display"
+ "1829": "a Security Descriptor too long to display"
+ "1830": "Not granted to AppContainers"
+ "1831": "..."
+ "1832": "Identification"
+ "1833": "Impersonation"
+ "1840": "Delegation"
+ "1841": "Denied by Process Trust Label ACE"
+ "1842": "Yes"
+ "1843": "No"
+ "1844": "System"
+ "1845": "Not Available"
+ "1846": "Default"
+ "1847": "DisallowMmConfig"
+ "1848": "Off"
+ "1849": "Auto"
+ "1872": "REG_NONE"
+ "1873": "REG_SZ"
+ "1874": "REG_EXPAND_SZ"
+ "1875": "REG_BINARY"
+ "1876": "REG_DWORD"
+ "1877": "REG_DWORD_BIG_ENDIAN"
+ "1878": "REG_LINK"
+ "1879": "REG_MULTI_SZ (New lines are replaced with *.
A * is replaced with **)"
+ "1880": "REG_RESOURCE_LIST"
+ "1881": "REG_FULL_RESOURCE_DESCRIPTOR"
+ "1882": "REG_RESOURCE_REQUIREMENTS_LIST"
+ "1883": "REG_QWORD"
+ "1904": "New registry value created"
+ "1905": "Existing registry value modified"
+ "1906": "Registry value deleted"
+ "1920": "Sunday"
+ "1921": "Monday"
+ "1922": "Tuesday"
+ "1923": "Wednesday"
+ "1924": "Thursday"
+ "1925": "Friday"
+ "1926": "Saturday"
+ "1936": "TokenElevationTypeDefault (1)"
+ "1937": "TokenElevationTypeFull (2)"
+ "1938": "TokenElevationTypeLimited (3)"
+ "2048": "Account Enabled"
+ "2049": "Home Directory Required' - Disabled"
+ "2050": "Password Not Required' - Disabled"
+ "2051": "Temp Duplicate Account' - Disabled"
+ "2052": "Normal Account' - Disabled"
+ "2053": "MNS Logon Account' - Disabled"
+ "2054": "Interdomain Trust Account' - Disabled"
+ "2055": "Workstation Trust Account' - Disabled"
+ "2056": "Server Trust Account' - Disabled"
+ "2057": "Don't Expire Password' - Disabled"
+ "2058": "Account Unlocked"
+ "2059": "Encrypted Text Password Allowed' - Disabled"
+ "2060": "Smartcard Required' - Disabled"
+ "2061": "Trusted For Delegation' - Disabled"
+ "2062": "Not Delegated' - Disabled"
+ "2063": "Use DES Key Only' - Disabled"
+ "2064": "Don't Require Preauth' - Disabled"
+ "2065": "Password Expired' - Disabled"
+ "2066": "Trusted To Authenticate For Delegation' - Disabled"
+ "2067": "Exclude Authorization Information' - Disabled"
+ "2068": "Undefined UserAccountControl Bit 20' - Disabled"
+ "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled"
+ "2070": "Undefined UserAccountControl Bit 22' - Disabled"
+ "2071": "Undefined UserAccountControl Bit 23' - Disabled"
+ "2072": "Undefined UserAccountControl Bit 24' - Disabled"
+ "2073": "Undefined UserAccountControl Bit 25' - Disabled"
+ "2074": "Undefined UserAccountControl Bit 26' - Disabled"
+ "2075": "Undefined UserAccountControl Bit 27' - Disabled"
+ "2076": "Undefined UserAccountControl Bit 28' - Disabled"
+ "2077": "Undefined UserAccountControl Bit 29' - Disabled"
+ "2078": "Undefined UserAccountControl Bit 30' - Disabled"
+ "2079": "Undefined UserAccountControl Bit 31' - Disabled"
+ "2080": "Account Disabled"
+ "2081": "Home Directory Required' - Enabled"
+ "2082": "Password Not Required' - Enabled"
+ "2083": "Temp Duplicate Account' - Enabled"
+ "2084": "Normal Account' - Enabled"
+ "2085": "MNS Logon Account' - Enabled"
+ "2086": "Interdomain Trust Account' - Enabled"
+ "2087": "Workstation Trust Account' - Enabled"
+ "2088": "Server Trust Account' - Enabled"
+ "2089": "Don't Expire Password' - Enabled"
+ "2090": "Account Locked"
+ "2091": "Encrypted Text Password Allowed' - Enabled"
+ "2092": "Smartcard Required' - Enabled"
+ "2093": "Trusted For Delegation' - Enabled"
+ "2094": "Not Delegated' - Enabled"
+ "2095": "Use DES Key Only' - Enabled"
+ "2096": "Don't Require Preauth' - Enabled"
+ "2097": "Password Expired' - Enabled"
+ "2098": "Trusted To Authenticate For Delegation' - Enabled"
+ "2099": "Exclude Authorization Information' - Enabled"
+ "2100": "Undefined UserAccountControl Bit 20' - Enabled"
+ "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled"
+ "2102": "Undefined UserAccountControl Bit 22' - Enabled"
+ "2103": "Undefined UserAccountControl Bit 23' - Enabled"
+ "2104": "Undefined UserAccountControl Bit 24' - Enabled"
+ "2105": "Undefined UserAccountControl Bit 25' - Enabled"
+ "2106": "Undefined UserAccountControl Bit 26' - Enabled"
+ "2107": "Undefined UserAccountControl Bit 27' - Enabled"
+ "2108": "Undefined UserAccountControl Bit 28' - Enabled"
+ "2109": "Undefined UserAccountControl Bit 29' - Enabled"
+ "2110": "Undefined UserAccountControl Bit 30' - Enabled"
+ "2111": "Undefined UserAccountControl Bit 31' - Enabled"
+ "2304": "An Error occured during Logon."
+ "2305": "The specified user account has expired."
+ "2306": "The NetLogon component is not active."
+ "2307": "Account locked out."
+ "2308": "The user has not been granted the requested logon type at this machine."
+ "2309": "The specified account's password has expired."
+ "2310": "Account currently disabled."
+ "2311": "Account logon time restriction violation."
+ "2312": "User not allowed to logon at this computer."
+ "2313": "Unknown user name or bad password."
+ "2314": "Domain sid inconsistent."
+ "2315": "Smartcard logon is required and was not used."
+ "2432": "Not Available."
+ "2436": "Random number generator failure."
+ "2437": "Random number generation failed FIPS-140 pre-hash check."
+ "2438": "Failed to zero secret data."
+ "2439": "Key failed pair wise consistency check."
+ "2448": "Failed to unprotect persistent cryptographic key."
+ "2449": "Key export checks failed."
+ "2450": "Validation of public key failed."
+ "2451": "Signature verification failed."
+ "2456": "Open key file."
+ "2457": "Delete key file."
+ "2458": "Read persisted key from file."
+ "2459": "Write persisted key to file."
+ "2464": "Export of persistent cryptographic key."
+ "2465": "Import of persistent cryptographic key."
+ "2480": "Open Key."
+ "2481": "Create Key."
+ "2482": "Delete Key."
+ "2483": "Encrypt."
+ "2484": "Decrypt."
+ "2485": "Sign hash."
+ "2486": "Secret agreement."
+ "2487": "Domain settings"
+ "2488": "Local settings"
+ "2489": "Add provider."
+ "2490": "Remove provider."
+ "2491": "Add context."
+ "2492": "Remove context."
+ "2493": "Add function."
+ "2494": "Remove function."
+ "2495": "Add function provider."
+ "2496": "Remove function provider."
+ "2497": "Add function property."
+ "2498": "Remove function property."
+ "2499": "Machine key."
+ "2500": "User key."
+ "2501": "Key Derivation."
+ "4352": "Device Access Bit 0" + "4353": "Device Access Bit 1" + "4354": "Device Access Bit 2" + "4355": "Device Access Bit 3" + "4356": "Device Access Bit 4" + "4357": "Device Access Bit 5" + "4358": "Device Access Bit 6" + "4359": "Device Access Bit 7" + "4360": "Device Access Bit 8" + "4361": "Undefined Access (no effect) Bit 9" + "4362": "Undefined Access (no effect) Bit 10" + "4363": "Undefined Access (no effect) Bit 11" + "4364": "Undefined Access (no effect) Bit 12" + "4365": "Undefined Access (no effect) Bit 13" + "4366": "Undefined Access (no effect) Bit 14" + "4367": "Undefined Access (no effect) Bit 15" + "4368": "Query directory" + "4369": "Traverse" + "4370": "Create object in directory" + "4371": "Create sub-directory" + "4372": "Undefined Access (no effect) Bit 4" + "4373": "Undefined Access (no effect) Bit 5" + "4374": "Undefined Access (no effect) Bit 6" + "4375": "Undefined Access (no effect) Bit 7" + "4376": "Undefined Access (no effect) Bit 8" + "4377": "Undefined Access (no effect) Bit 9" + "4378": "Undefined Access (no effect) Bit 10" + "4379": "Undefined Access (no effect) Bit 11" + "4380": "Undefined Access (no effect) Bit 12" + "4381": "Undefined Access (no effect) Bit 13" + "4382": "Undefined Access (no effect) Bit 14" + "4383": "Undefined Access (no effect) Bit 15" + "4384": "Query event state" + "4385": "Modify event state" + "4386": "Undefined Access (no effect) Bit 2" + "4387": "Undefined Access (no effect) Bit 3" + "4388": "Undefined Access (no effect) Bit 4" + "4389": "Undefined Access (no effect) Bit 5" + "4390": "Undefined Access (no effect) Bit 6" + "4391": "Undefined Access (no effect) Bit 7" + "4392": "Undefined Access (no effect) Bit 8" + "4393": "Undefined Access (no effect) Bit 9" + "4394": "Undefined Access (no effect) Bit 10" + "4395": "Undefined Access (no effect) Bit 11" + "4396": "Undefined Access (no effect) Bit 12" + "4397": "Undefined Access (no effect) Bit 13" + "4398": "Undefined Access (no effect) Bit 14" + 
"4399": "Undefined Access (no effect) Bit 15" + "4416": "ReadData (or ListDirectory)" + "4417": "WriteData (or AddFile)" + "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)" + "4419": "ReadEA" + "4420": "WriteEA" + "4421": "Execute/Traverse" + "4422": "DeleteChild" + "4423": "ReadAttributes" + "4424": "WriteAttributes" + "4425": "Undefined Access (no effect) Bit 9" + "4426": "Undefined Access (no effect) Bit 10" + "4427": "Undefined Access (no effect) Bit 11" + "4428": "Undefined Access (no effect) Bit 12" + "4429": "Undefined Access (no effect) Bit 13" + "4430": "Undefined Access (no effect) Bit 14" + "4431": "Undefined Access (no effect) Bit 15" + "4432": "Query key value" + "4433": "Set key value" + "4434": "Create sub-key" + "4435": "Enumerate sub-keys" + "4436": "Notify about changes to keys" + "4437": "Create Link" + "4438": "Undefined Access (no effect) Bit 6" + "4439": "Undefined Access (no effect) Bit 7" + "4440": "Enable 64(or 32) bit application to open 64 bit key" + "4441": "Enable 64(or 32) bit application to open 32 bit key" + "4442": "Undefined Access (no effect) Bit 10" + "4443": "Undefined Access (no effect) Bit 11" + "4444": "Undefined Access (no effect) Bit 12" + "4445": "Undefined Access (no effect) Bit 13" + "4446": "Undefined Access (no effect) Bit 14" + "4447": "Undefined Access (no effect) Bit 15" + "4448": "Query mutant state" + "4449": "Undefined Access (no effect) Bit 1" + "4450": "Undefined Access (no effect) Bit 2" + "4451": "Undefined Access (no effect) Bit 3" + "4452": "Undefined Access (no effect) Bit 4" + "4453": "Undefined Access (no effect) Bit 5" + "4454": "Undefined Access (no effect) Bit 6" + "4455": "Undefined Access (no effect) Bit 7" + "4456": "Undefined Access (no effect) Bit 8" + "4457": "Undefined Access (no effect) Bit 9" + "4458": "Undefined Access (no effect) Bit 10" + "4459": "Undefined Access (no effect) Bit 11" + "4460": "Undefined Access (no effect) Bit 12" + "4461": "Undefined Access (no effect) Bit 
13" + "4462": "Undefined Access (no effect) Bit 14" + "4463": "Undefined Access (no effect) Bit 15" + "4464": "Communicate using port" + "4465": "Undefined Access (no effect) Bit 1" + "4466": "Undefined Access (no effect) Bit 2" + "4467": "Undefined Access (no effect) Bit 3" + "4468": "Undefined Access (no effect) Bit 4" + "4469": "Undefined Access (no effect) Bit 5" + "4470": "Undefined Access (no effect) Bit 6" + "4471": "Undefined Access (no effect) Bit 7" + "4472": "Undefined Access (no effect) Bit 8" + "4473": "Undefined Access (no effect) Bit 9" + "4474": "Undefined Access (no effect) Bit 10" + "4475": "Undefined Access (no effect) Bit 11" + "4476": "Undefined Access (no effect) Bit 12" + "4477": "Undefined Access (no effect) Bit 13" + "4478": "Undefined Access (no effect) Bit 14" + "4479": "Undefined Access (no effect) Bit 15" + "4480": "Force process termination" + "4481": "Create new thread in process" + "4482": "Set process session ID" + "4483": "Perform virtual memory operation" + "4484": "Read from process memory" + "4485": "Write to process memory" + "4486": "Duplicate handle into or out of process" + "4487": "Create a subprocess of process" + "4488": "Set process quotas" + "4489": "Set process information" + "4490": "Query process information" + "4491": "Set process termination port" + "4492": "Undefined Access (no effect) Bit 12" + "4493": "Undefined Access (no effect) Bit 13" + "4494": "Undefined Access (no effect) Bit 14" + "4495": "Undefined Access (no effect) Bit 15" + "4496": "Control profile" + "4497": "Undefined Access (no effect) Bit 1" + "4498": "Undefined Access (no effect) Bit 2" + "4499": "Undefined Access (no effect) Bit 3" + "4500": "Undefined Access (no effect) Bit 4" + "4501": "Undefined Access (no effect) Bit 5" + "4502": "Undefined Access (no effect) Bit 6" + "4503": "Undefined Access (no effect) Bit 7" + "4504": "Undefined Access (no effect) Bit 8" + "4505": "Undefined Access (no effect) Bit 9" + "4506": "Undefined Access (no 
effect) Bit 10" + "4507": "Undefined Access (no effect) Bit 11" + "4508": "Undefined Access (no effect) Bit 12" + "4509": "Undefined Access (no effect) Bit 13" + "4510": "Undefined Access (no effect) Bit 14" + "4511": "Undefined Access (no effect) Bit 15" + "4512": "Query section state" + "4513": "Map section for write" + "4514": "Map section for read" + "4515": "Map section for execute" + "4516": "Extend size" + "4517": "Undefined Access (no effect) Bit 5" + "4518": "Undefined Access (no effect) Bit 6" + "4519": "Undefined Access (no effect) Bit 7" + "4520": "Undefined Access (no effect) Bit 8" + "4521": "Undefined Access (no effect) Bit 9" + "4522": "Undefined Access (no effect) Bit 10" + "4523": "Undefined Access (no effect) Bit 11" + "4524": "Undefined Access (no effect) Bit 12" + "4525": "Undefined Access (no effect) Bit 13" + "4526": "Undefined Access (no effect) Bit 14" + "4527": "Undefined Access (no effect) Bit 15" + "4528": "Query semaphore state" + "4529": "Modify semaphore state" + "4530": "Undefined Access (no effect) Bit 2" + "4531": "Undefined Access (no effect) Bit 3" + "4532": "Undefined Access (no effect) Bit 4" + "4533": "Undefined Access (no effect) Bit 5" + "4534": "Undefined Access (no effect) Bit 6" + "4535": "Undefined Access (no effect) Bit 7" + "4536": "Undefined Access (no effect) Bit 8" + "4537": "Undefined Access (no effect) Bit 9" + "4538": "Undefined Access (no effect) Bit 10" + "4539": "Undefined Access (no effect) Bit 11" + "4540": "Undefined Access (no effect) Bit 12" + "4541": "Undefined Access (no effect) Bit 13" + "4542": "Undefined Access (no effect) Bit 14" + "4543": "Undefined Access (no effect) Bit 15" + "4544": "Use symbolic link" + "4545": "Undefined Access (no effect) Bit 1" + "4546": "Undefined Access (no effect) Bit 2" + "4547": "Undefined Access (no effect) Bit 3" + "4548": "Undefined Access (no effect) Bit 4" + "4549": "Undefined Access (no effect) Bit 5" + "4550": "Undefined Access (no effect) Bit 6" + "4551": 
"Undefined Access (no effect) Bit 7" + "4552": "Undefined Access (no effect) Bit 8" + "4553": "Undefined Access (no effect) Bit 9" + "4554": "Undefined Access (no effect) Bit 10" + "4555": "Undefined Access (no effect) Bit 11" + "4556": "Undefined Access (no effect) Bit 12" + "4557": "Undefined Access (no effect) Bit 13" + "4558": "Undefined Access (no effect) Bit 14" + "4559": "Undefined Access (no effect) Bit 15" + "4560": "Force thread termination" + "4561": "Suspend or resume thread" + "4562": "Send an alert to thread" + "4563": "Get thread context" + "4564": "Set thread context" + "4565": "Set thread information" + "4566": "Query thread information" + "4567": "Assign a token to the thread" + "4568": "Cause thread to directly impersonate another thread" + "4569": "Directly impersonate this thread" + "4570": "Undefined Access (no effect) Bit 10" + "4571": "Undefined Access (no effect) Bit 11" + "4572": "Undefined Access (no effect) Bit 12" + "4573": "Undefined Access (no effect) Bit 13" + "4574": "Undefined Access (no effect) Bit 14" + "4575": "Undefined Access (no effect) Bit 15" + "4576": "Query timer state" + "4577": "Modify timer state" + "4578": "Undefined Access (no effect) Bit 2" + "4579": "Undefined Access (no effect) Bit 3" + "4580": "Undefined Access (no effect) Bit 4" + "4581": "Undefined Access (no effect) Bit 5" + "4582": "Undefined Access (no effect) Bit 6" + "4584": "Undefined Access (no effect) Bit 8" + "4585": "Undefined Access (no effect) Bit 9" + "4586": "Undefined Access (no effect) Bit 10" + "4587": "Undefined Access (no effect) Bit 11" + "4588": "Undefined Access (no effect) Bit 12" + "4589": "Undefined Access (no effect) Bit 13" + "4590": "Undefined Access (no effect) Bit 14" + "4591": "Undefined Access (no effect) Bit 15" + "4592": "AssignAsPrimary" + "4593": "Duplicate" + "4594": "Impersonate" + "4595": "Query" + "4596": "QuerySource" + "4597": "AdjustPrivileges" + "4598": "AdjustGroups" + "4599": "AdjustDefaultDacl" + "4600": 
"AdjustSessionID" + "4601": "Undefined Access (no effect) Bit 9" + "4602": "Undefined Access (no effect) Bit 10" + "4603": "Undefined Access (no effect) Bit 11" + "4604": "Undefined Access (no effect) Bit 12" + "4605": "Undefined Access (no effect) Bit 13" + "4606": "Undefined Access (no effect) Bit 14" + "4607": "Undefined Access (no effect) Bit 15" + "4608": "Create instance of object type" + "4609": "Undefined Access (no effect) Bit 1" + "4610": "Undefined Access (no effect) Bit 2" + "4611": "Undefined Access (no effect) Bit 3" + "4612": "Undefined Access (no effect) Bit 4" + "4613": "Undefined Access (no effect) Bit 5" + "4614": "Undefined Access (no effect) Bit 6" + "4615": "Undefined Access (no effect) Bit 7" + "4616": "Undefined Access (no effect) Bit 8" + "4617": "Undefined Access (no effect) Bit 9" + "4618": "Undefined Access (no effect) Bit 10" + "4619": "Undefined Access (no effect) Bit 11" + "4620": "Undefined Access (no effect) Bit 12" + "4621": "Undefined Access (no effect) Bit 13" + "4622": "Undefined Access (no effect) Bit 14" + "4623": "Undefined Access (no effect) Bit 15" + "4864": "Query State" + "4865": "Modify State" + "5120": "Channel read message" + "5121": "Channel write message" + "5122": "Channel query information" + "5123": "Channel set information" + "5124": "Undefined Access (no effect) Bit 4" + "5125": "Undefined Access (no effect) Bit 5" + "5126": "Undefined Access (no effect) Bit 6" + "5127": "Undefined Access (no effect) Bit 7" + "5128": "Undefined Access (no effect) Bit 8" + "5129": "Undefined Access (no effect) Bit 9" + "5130": "Undefined Access (no effect) Bit 10" + "5131": "Undefined Access (no effect) Bit 11" + "5132": "Undefined Access (no effect) Bit 12" + "5133": "Undefined Access (no effect) Bit 13" + "5134": "Undefined Access (no effect) Bit 14" + "5135": "Undefined Access (no effect) Bit 15" + "5136": "Assign process" + "5137": "Set Attributes" + "5138": "Query Attributes" + "5139": "Terminate Job" + "5140": "Set Security 
Attributes" + "5141": "Undefined Access (no effect) Bit 5" + "5142": "Undefined Access (no effect) Bit 6" + "5143": "Undefined Access (no effect) Bit 7" + "5144": "Undefined Access (no effect) Bit 8" + "5145": "Undefined Access (no effect) Bit 9" + "5146": "Undefined Access (no effect) Bit 10" + "5147": "Undefined Access (no effect) Bit 11" + "5148": "Undefined Access (no effect) Bit 12" + "5149": "Undefined Access (no effect) Bit 13" + "5150": "Undefined Access (no effect) Bit 14" + "5151": "Undefined Access (no effect) Bit 15" + "5376": "ConnectToServer" + "5377": "ShutdownServer" + "5378": "InitializeServer" + "5379": "CreateDomain" + "5380": "EnumerateDomains" + "5381": "LookupDomain" + "5382": "Undefined Access (no effect) Bit 6" + "5383": "Undefined Access (no effect) Bit 7" + "5384": "Undefined Access (no effect) Bit 8" + "5385": "Undefined Access (no effect) Bit 9" + "5386": "Undefined Access (no effect) Bit 10" + "5387": "Undefined Access (no effect) Bit 11" + "5388": "Undefined Access (no effect) Bit 12" + "5389": "Undefined Access (no effect) Bit 13" + "5390": "Undefined Access (no effect) Bit 14" + "5391": "Undefined Access (no effect) Bit 15" + "5392": "ReadPasswordParameters" + "5393": "WritePasswordParameters" + "5394": "ReadOtherParameters" + "5395": "WriteOtherParameters" + "5396": "CreateUser" + "5397": "CreateGlobalGroup" + "5398": "CreateLocalGroup" + "5399": "GetLocalGroupMembership" + "5400": "ListAccounts" + "5401": "LookupIDs" + "5402": "AdministerServer" + "5403": "Undefined Access (no effect) Bit 11" + "5404": "Undefined Access (no effect) Bit 12" + "5405": "Undefined Access (no effect) Bit 13" + "5406": "Undefined Access (no effect) Bit 14" + "5407": "Undefined Access (no effect) Bit 15" + "5408": "ReadInformation" + "5409": "WriteAccount" + "5410": "AddMember" + "5411": "RemoveMember" + "5412": "ListMembers" + "5413": "Undefined Access (no effect) Bit 5" + "5414": "Undefined Access (no effect) Bit 6" + "5415": "Undefined Access (no 
effect) Bit 7" + "5416": "Undefined Access (no effect) Bit 8" + "5417": "Undefined Access (no effect) Bit 9" + "5418": "Undefined Access (no effect) Bit 10" + "5419": "Undefined Access (no effect) Bit 11" + "5420": "Undefined Access (no effect) Bit 12" + "5421": "Undefined Access (no effect) Bit 13" + "5422": "Undefined Access (no effect) Bit 14" + "5423": "Undefined Access (no effect) Bit 15" + "5424": "AddMember" + "5425": "RemoveMember" + "5426": "ListMembers" + "5427": "ReadInformation" + "5428": "WriteAccount" + "5429": "Undefined Access (no effect) Bit 5" + "5430": "Undefined Access (no effect) Bit 6" + "5431": "Undefined Access (no effect) Bit 7" + "5432": "Undefined Access (no effect) Bit 8" + "5433": "Undefined Access (no effect) Bit 9" + "5434": "Undefined Access (no effect) Bit 10" + "5435": "Undefined Access (no effect) Bit 11" + "5436": "Undefined Access (no effect) Bit 12" + "5437": "Undefined Access (no effect) Bit 13" + "5438": "Undefined Access (no effect) Bit 14" + "5439": "Undefined Access (no effect) Bit 15" + "5440": "ReadGeneralInformation" + "5441": "ReadPreferences" + "5442": "WritePreferences" + "5443": "ReadLogon" + "5444": "ReadAccount" + "5445": "WriteAccount" + "5446": "ChangePassword (with knowledge of old password)" + "5447": "SetPassword (without knowledge of old password)" + "5448": "ListGroups" + "5449": "ReadGroupMembership" + "5450": "ChangeGroupMembership" + "5451": "Undefined Access (no effect) Bit 11" + "5452": "Undefined Access (no effect) Bit 12" + "5453": "Undefined Access (no effect) Bit 13" + "5454": "Undefined Access (no effect) Bit 14" + "5455": "Undefined Access (no effect) Bit 15" + "5632": "View non-sensitive policy information" + "5633": "View system audit requirements" + "5634": "Get sensitive policy information" + "5635": "Modify domain trust relationships" + "5636": "Create special accounts (for assignment of user rights)" + "5637": "Create a secret object" + "5638": "Create a privilege" + "5639": "Set default 
quota limits" + "5640": "Change system audit requirements" + "5641": "Administer audit log attributes" + "5642": "Enable/Disable LSA" + "5643": "Lookup Names/SIDs" + "5648": "Change secret value" + "5649": "Query secret value" + "5650": "Undefined Access (no effect) Bit 2" + "5651": "Undefined Access (no effect) Bit 3" + "5652": "Undefined Access (no effect) Bit 4" + "5653": "Undefined Access (no effect) Bit 5" + "5654": "Undefined Access (no effect) Bit 6" + "5655": "Undefined Access (no effect) Bit 7" + "5656": "Undefined Access (no effect) Bit 8" + "5657": "Undefined Access (no effect) Bit 9" + "5658": "Undefined Access (no effect) Bit 10" + "5659": "Undefined Access (no effect) Bit 11" + "5660": "Undefined Access (no effect) Bit 12" + "5661": "Undefined Access (no effect) Bit 13" + "5662": "Undefined Access (no effect) Bit 14" + "5663": "Undefined Access (no effect) Bit 15" + "5664": "Query trusted domain name/SID" + "5665": "Retrieve the controllers in the trusted domain" + "5666": "Change the controllers in the trusted domain" + "5667": "Query the Posix ID offset assigned to the trusted domain" + "5668": "Change the Posix ID offset assigned to the trusted domain" + "5669": "Undefined Access (no effect) Bit 5" + "5670": "Undefined Access (no effect) Bit 6" + "5671": "Undefined Access (no effect) Bit 7" + "5672": "Undefined Access (no effect) Bit 8" + "5673": "Undefined Access (no effect) Bit 9" + "5674": "Undefined Access (no effect) Bit 10" + "5675": "Undefined Access (no effect) Bit 11" + "5676": "Undefined Access (no effect) Bit 12" + "5677": "Undefined Access (no effect) Bit 13" + "5678": "Undefined Access (no effect) Bit 14" + "5679": "Undefined Access (no effect) Bit 15" + "5680": "Query account information" + "5681": "Change privileges assigned to account" + "5682": "Change quotas assigned to account" + "5683": "Change logon capabilities assigned to account" + "5684": "Change the Posix ID offset assigned to the accounted domain" + "5685": "Undefined 
Access (no effect) Bit 5" + "5686": "Undefined Access (no effect) Bit 6" + "5687": "Undefined Access (no effect) Bit 7" + "5688": "Undefined Access (no effect) Bit 8" + "5689": "Undefined Access (no effect) Bit 9" + "5690": "Undefined Access (no effect) Bit 10" + "5691": "Undefined Access (no effect) Bit 11" + "5692": "Undefined Access (no effect) Bit 12" + "5693": "Undefined Access (no effect) Bit 13" + "5694": "Undefined Access (no effect) Bit 14" + "5695": "Undefined Access (no effect) Bit 15" + "5696": "KeyedEvent Wait" + "5697": "KeyedEvent Wake" + "5698": "Undefined Access (no effect) Bit 2" + "5699": "Undefined Access (no effect) Bit 3" + "5700": "Undefined Access (no effect) Bit 4" + "5701": "Undefined Access (no effect) Bit 5" + "5702": "Undefined Access (no effect) Bit 6" + "5703": "Undefined Access (no effect) Bit 7" + "5704": "Undefined Access (no effect) Bit 8" + "5705": "Undefined Access (no effect) Bit 9" + "5706": "Undefined Access (no effect) Bit 10" + "5707": "Undefined Access (no effect) Bit 11" + "5708": "Undefined Access (no effect) Bit 12" + "5709": "Undefined Access (no effect) Bit 13" + "5710": "Undefined Access (no effect) Bit 14" + "5711": "Undefined Access (no effect) Bit 15" + "6656": "Enumerate desktops" + "6657": "Read attributes" + "6658": "Access Clipboard" + "6659": "Create desktop" + "6660": "Write attributes" + "6661": "Access global atoms" + "6662": "Exit windows" + "6663": "Unused Access Flag" + "6664": "Include this windowstation in enumerations" + "6665": "Read screen" + "6672": "Read Objects" + "6673": "Create window" + "6674": "Create menu" + "6675": "Hook control" + "6676": "Journal (record)" + "6677": "Journal (playback)" + "6678": "Include this desktop in enumerations" + "6679": "Write objects" + "6680": "Switch to this desktop" + "6912": "Administer print server" + "6913": "Enumerate printers" + "6930": "Full Control" + "6931": "Print" + "6948": "Administer Document" + "7168": "Connect to service controller" + "7169": 
"Create a new service" + "7170": "Enumerate services" + "7171": "Lock service database for exclusive access" + "7172": "Query service database lock state" + "7173": "Set last-known-good state of service database" + "7184": "Query service configuration information" + "7185": "Set service configuration information" + "7186": "Query status of service" + "7187": "Enumerate dependencies of service" + "7188": "Start the service" + "7189": "Stop the service" + "7190": "Pause or continue the service" + "7191": "Query information from service" + "7192": "Issue service-specific control commands" + "7424": "DDE Share Read" + "7425": "DDE Share Write" + "7426": "DDE Share Initiate Static" + "7427": "DDE Share Initiate Link" + "7428": "DDE Share Request" + "7429": "DDE Share Advise" + "7430": "DDE Share Poke" + "7431": "DDE Share Execute" + "7432": "DDE Share Add Items" + "7433": "DDE Share List Items" + "7680": "Create Child" + "7681": "Delete Child" + "7682": "List Contents" + "7683": "Write Self" + "7684": "Read Property" + "7685": "Write Property" + "7686": "Delete Tree" + "7687": "List Object" + "7688": "Control Access" + "7689": "Undefined Access (no effect) Bit 9" + "7690": "Undefined Access (no effect) Bit 10" + "7691": "Undefined Access (no effect) Bit 11" + "7692": "Undefined Access (no effect) Bit 12" + "7693": "Undefined Access (no effect) Bit 13" + "7694": "Undefined Access (no effect) Bit 14" + "7695": "Undefined Access (no effect) Bit 15" + "7936": "Audit Set System Policy" + "7937": "Audit Query System Policy" + "7938": "Audit Set Per User Policy" + "7939": "Audit Query Per User Policy" + "7940": "Audit Enumerate Users" + "7941": "Audit Set Options" + "7942": "Audit Query Options" + "8064": "Port sharing (read)" + "8065": "Port sharing (write)" + "8096": "Default credentials" + "8097": "Credentials manager" + "8098": "Fresh credentials" + "8192": "Kerberos" + "8193": "Preshared key" + "8194": "Unknown authentication" + "8195": "DES" + "8196": "3DES" + "8197": 
"MD5" + "8198": "SHA1" + "8199": "Local computer" + "8200": "Remote computer" + "8201": "No state" + "8202": "Sent first (SA) payload" + "8203": "Sent second (KE) payload" + "8204": "Sent third (ID) payload" + "8205": "Initiator" + "8206": "Responder" + "8207": "No state" + "8208": "Sent first (SA) payload" + "8209": "Sent final payload" + "8210": "Complete" + "8211": "Unknown" + "8212": "Transport" + "8213": "Tunnel" + "8214": "IKE/AuthIP DoS prevention mode started" + "8215": "IKE/AuthIP DoS prevention mode stopped" + "8216": "Enabled" + "8217": "Not enabled" + "8218": "No state" + "8219": "Sent first (EM attributes) payload" + "8220": "Sent second (SSPI) payload" + "8221": "Sent third (hash) payload" + "8222": "IKEv1" + "8223": "AuthIP" + "8224": "Anonymous" + "8225": "NTLM V2" + "8226": "CGA" + "8227": "Certificate" + "8228": "SSL" + "8229": "None" + "8230": "DH group 1" + "8231": "DH group 2" + "8232": "DH group 14" + "8233": "DH group ECP 256" + "8234": "DH group ECP 384" + "8235": "AES-128" + "8236": "AES-192" + "8237": "AES-256" + "8238": "Certificate ECDSA P256" + "8239": "Certificate ECDSA P384" + "8240": "SSL ECDSA P256" + "8241": "SSL ECDSA P384" + "8242": "SHA 256" + "8243": "SHA 384" + "8244": "IKEv2" + "8245": "EAP payload sent" + "8246": "Authentication payload sent" + "8247": "EAP" + "8248": "DH group 24" + "8272": "System" + "8273": "Logon/Logoff" + "8274": "Object Access" + "8275": "Privilege Use" + "8276": "Detailed Tracking" + "8277": "Policy Change" + "8278": "Account Management" + "8279": "DS Access" + "8280": "Account Logon" + "8448": "Success removed" + "8449": "Success Added" + "8450": "Failure removed" + "8451": "Failure Added" + "8452": "Success include removed" + "8453": "Success include added" + "8454": "Success exclude removed" + "8455": "Success exclude added" + "8456": "Failure include removed" + "8457": "Failure include added" + "8458": "Failure exclude removed" + "8459": "Failure exclude added" + "12288": "Security State Change" + 
"12289": "Security System Extension" + "12290": "System Integrity" + "12291": "IPsec Driver" + "12292": "Other System Events" + "12544": "Logon" + "12545": "Logoff" + "12546": "Account Lockout" + "12547": "IPsec Main Mode" + "12548": "Special Logon" + "12549": "IPsec Quick Mode" + "12550": "IPsec Extended Mode" + "12551": "Other Logon/Logoff Events" + "12552": "Network Policy Server" + "12553": "User / Device Claims" + "12554": "Group Membership" + "12800": "File System" + "12801": "Registry" + "12802": "Kernel Object" + "12803": "SAM" + "12804": "Other Object Access Events" + "12805": "Certification Services" + "12806": "Application Generated" + "12807": "Handle Manipulation" + "12808": "File Share" + "12809": "Filtering Platform Packet Drop" + "12810": "Filtering Platform Connection" + "12811": "Detailed File Share" + "12812": "Removable Storage" + "12813": "Central Policy Staging" + "13056": "Sensitive Privilege Use" + "13057": "Non Sensitive Privilege Use" + "13058": "Other Privilege Use Events" + "13312": "Process Creation" + "13313": "Process Termination" + "13314": "DPAPI Activity" + "13315": "RPC Events" + "13316": "Plug and Play Events" + "13317": "Token Right Adjusted Events" + "13568": "Audit Policy Change" + "13569": "Authentication Policy Change" + "13570": "Authorization Policy Change" + "13571": "MPSSVC Rule-Level Policy Change" + "13572": "Filtering Platform Policy Change" + "13573": "Other Policy Change Events" + "13824": "User Account Management" + "13825": "Computer Account Management" + "13826": "Security Group Management" + "13827": "Distribution Group Management" + "13828": "Application Group Management" + "13829": "Other Account Management Events" + "14080": "Directory Service Access" + "14081": "Directory Service Changes" + "14082": "Directory Service Replication" + "14083": "Detailed Directory Service Replication" + "14336": "Credential Validation" + "14337": "Kerberos Service Ticket Operations" + "14338": "Other Account Logon Events" + 
"14339": "Kerberos Authentication Service" + "14592": "Inbound" + "14593": "Outbound" + "14594": "Forward" + "14595": "Bidirectional" + "14596": "IP Packet" + "14597": "Transport" + "14598": "Forward" + "14599": "Stream" + "14600": "Datagram Data" + "14601": "ICMP Error" + "14602": "MAC 802.3" + "14603": "MAC Native" + "14604": "vSwitch" + "14608": "Resource Assignment" + "14609": "Listen" + "14610": "Receive/Accept" + "14611": "Connect" + "14612": "Flow Established" + "14614": "Resource Release" + "14615": "Endpoint Closure" + "14616": "Connect Redirect" + "14617": "Bind Redirect" + "14624": "Stream Packet" + "14640": "ICMP Echo-Request" + "14641": "vSwitch Ingress" + "14642": "vSwitch Egress" + "14672": "" + "14673": "[NULL]" + "14674": "Value Added" + "14675": "Value Deleted" + "14676": "Active Directory Domain Services" + "14677": "Active Directory Lightweight Directory Services" + "14678": "Yes" + "14679": "No" + "14680": "Value Added With Expiration Time" + "14681": "Value Deleted With Expiration Time" + "14688": "Value Auto Deleted With Expiration Time" + "16384": "Add" + "16385": "Delete" + "16386": "Boot-time" + "16387": "Persistent" + "16388": "Not persistent" + "16389": "Block" + "16390": "Permit" + "16391": "Callout" + "16392": "MD5" + "16393": "SHA-1" + "16394": "SHA-256" + "16395": "AES-GCM 128" + "16396": "AES-GCM 192" + "16397": "AES-GCM 256" + "16398": "DES" + "16399": "3DES" + "16400": "AES-128" + "16401": "AES-192" + "16402": "AES-256" + "16403": "Transport" + "16404": "Tunnel" + "16405": "Responder" + "16406": "Initiator" + "16407": "AES-GMAC 128" + "16408": "AES-GMAC 192" + "16409": "AES-GMAC 256" + "16416": "AuthNoEncap Transport" + "16896": "Enable WMI Account" + "16897": "Execute Method" + "16898": "Full Write" + "16899": "Partial Write" + "16900": "Provider Write" + "16901": "Remote Access" + "16902": "Subscribe" + "16903": "Publish" + AccessMaskDescriptions: + "0x00000001": Create Child + "0x00000002": Delete Child + "0x00000004": List 
Contents + "0x00000008": SELF + "0x00000010": Read Property + "0x00000020": Write Property + "0x00000040": Delete Treee + "0x00000080": List Object + "0x00000100": Control Access + "0x00010000": DELETE + "0x00020000": READ_CONTROL + "0x00040000": WRITE_DAC + "0x00080000": WRITE_OWNER + "0x00100000": SYNCHRONIZE + "0x00F00000": STANDARD_RIGHTS_REQUIRED + "0x001F0000": STANDARD_RIGHTS_ALL + "0x0000FFFF": SPECIFIC_RIGHTS_ALL + "0x01000000": ADS_RIGHT_ACCESS_SYSTEM_SECURITY + "0x10000000": ADS_RIGHT_GENERIC_ALL + "0x20000000": ADS_RIGHT_GENERIC_EXECUTE + "0x40000000": ADS_RIGHT_GENERIC_WRITE + "0x80000000": ADS_RIGHT_GENERIC_READ source: |- if (ctx?.winlog?.event_data?.FailureReason != null) { def code = ctx.winlog.event_data.FailureReason.replace("%%",""); - if (params.containsKey(code)) { + if (params.descriptions.containsKey(code)) { if (ctx?.winlog?.logon == null ) { HashMap hm = new HashMap(); ctx.winlog.put("logon", hm); 
@@ -2051,27 +2096,40 @@ processors:
 HashMap hm = new HashMap();
 ctx.winlog.logon.put("failure", hm);
 }
- ctx.winlog.logon.failure.put("reason", params[code]);
+ ctx.winlog.logon.failure.put("reason", params.descriptions[code]);
 }
 }
 if (ctx?.winlog?.event_data?.AuditPolicyChanges != null) {
 ArrayList results = new ArrayList();
 for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) {
 def code = elem.replace("%%","").trim();
- if (params.containsKey(code)) {
- results.add(params[code]);
+ if (params.descriptions.containsKey(code)) {
+ results.add(params.descriptions[code]);
 }
 }
 if (results.length > 0) {
 ctx.winlog.event_data.put("AuditPolicyChangesDescription", results);
 }
 }
- if (ctx?.winlog?.event_data?.AccessMask != null) {
+ if (ctx?.winlog?.event_data?.AccessList != null) {
 ArrayList results = new ArrayList();
- for (elem in ctx.winlog.event_data.AccessMask) {
+ for (elem in ctx.winlog.event_data.AccessList.splitOnToken(" ")) {
 def code = elem.replace("%%","").trim();
- if (params.containsKey(code)) {
- results.add(params[code]);
+ if (params.descriptions.containsKey(code)) {
+ results.add(params.descriptions[code]);
+ }
+ }
+ if (results.length > 0) {
+ ctx.winlog.event_data.put("AccessListDescription", results);
+ }
+ }
+ if (ctx?.winlog?.event_data?.AccessMask != null) {
+ ArrayList results = new ArrayList();
+ Long accessMask = Long.decode(ctx.winlog.event_data.AccessMask);
+ for (entry in params.AccessMaskDescriptions.entrySet()) {
+ Long accessFlag = Long.decode(entry.getKey());
+ if ((accessMask.longValue() & accessFlag.longValue()) == accessFlag.longValue()) {
+ results.add(entry.getValue());
 }
 }
 if (results.length > 0) {
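Review bot: `Long.decode(ctx.winlog.event_data.AccessMask)` in the new AccessMask branch throws NumberFormatException for any value that is not a well-formed decimal, `0x` hex or octal string, and the `!= null` guard does not cover that case, so one empty or malformed mask makes the script processor fail for the whole event rather than just omitting the description, whereas the old code only did map lookups and could not fail this way. Catching the exception and skipping the flag loop when the decode fails keeps the raw `AccessMask` on the event and lets the rest of the pipeline run, which matters for an audit stream where losing a 4663/4674 record is worse than losing its decoded rights. Whether this processor runs with `ignore_failure: false` is not visible in the hunk, and the script body continues past it, where `results` is presumably written to `AccessMaskDescription`. The bitwise test itself is right for multi-bit entries, but the `AccessMaskDescriptions` table it consumes (earlier hunk) lists `STANDARD_RIGHTS_REQUIRED` as `0x00F00000` while winnt.h defines it as `0x000F0000`, so that entry will in practice never match; worth checking together with the `Delete Treee` typo in the same table. Decoding every table key on every event is also avoidable work since the keys are constants, though that is a minor point next to the failure mode.
```painless
if (ctx?.winlog?.event_data?.AccessMask != null) {
  ArrayList results = new ArrayList();
  Long accessMask = null;
  try {
    accessMask = Long.decode(ctx.winlog.event_data.AccessMask);
  } catch (NumberFormatException e) {
    // Unparseable mask: keep the raw value on the event and add no description.
  }
  if (accessMask != null) {
    for (entry in params.AccessMaskDescriptions.entrySet()) {
      Long accessFlag = Long.decode(entry.getKey());
      if ((accessMask.longValue() & accessFlag.longValue()) == accessFlag.longValue()) {
        results.add(entry.getValue());
      }
    }
  }
  // … unchanged: results.length check and AccessMaskDescription put (continues outside the hunk) …
```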
@@ -2083,6 +2141,9 @@ processors:
 ignore_failure: false
 tag: 4625 and 4776 Set Status and SubStatus
 description: 4625 and 4776 Set Status and SubStatus
+ # Descriptions of failure status codes.
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
 params:
 "0xc000005e": "There are currently no logon servers available to service the logon request."
 "0xc0000064": "User logon with misspelled or bad user account"
@@ -2140,6 +2201,8 @@ processors:
 ignore_failure: false
 tag: Set Trust Type
 description: Set Trust Type
+ # Trust Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
 params:
 "1": "TRUST_TYPE_DOWNLEVEL"
 "2": "TRUST_TYPE_UPLEVEL"
@@ -2158,6 +2221,8 @@ processors:
 ignore_failure: false
 tag: Set Trust Direction
 description: Set Trust Direction
+ # Trust Direction
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
 params:
 "0": "TRUST_DIRECTION_DISABLED"
 "1": "TRUST_DIRECTION_INBOUND"
@@ -2176,6 +2241,8 @@ processors:
 ignore_failure: false
 tag: Set Trust Attributes
 description: Set Trust Attributes
+ # Trust Attributes
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
 params:
 "0": "UNDEFINED"
 "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE"
@@ -2911,6 +2978,20 @@ processors:
 ignore_failure: false
 tag: Object Policy Change and SidListDesc
 description: Object Policy Change and SidListDesc
+ # SDDL Ace Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
+ # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
+ # SDDL Permissions
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
+ # Known SIDs
+ # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems
+ # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings
+ # Domain-specific SIDs
+ # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
+ # Object Permission Flags
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b
 params:
 AccountSIDDescription:
 AO: Account operators
diff --git a/packages/system/data_stream/security/fields/winlog.yml b/packages/system/data_stream/security/fields/winlog.yml
index cd357afbe94..4a7fbb9b8b5 100644
--- a/packages/system/data_stream/security/fields/winlog.yml
+++ b/packages/system/data_stream/security/fields/winlog.yml
@@ -57,6 +57,14 @@
 fields:
 - name: AccessGranted
 type: keyword
+ - name: AccessList
+ type: keyword
+ - name: AccessListDescription
+ type: keyword
+ - name: AccessMask
+ type: keyword
+ - name: AccessMaskDescription
+ type: keyword
 - name: AccessRemoved
 type: keyword
 - name: AccountDomain
@@ -327,6 +335,8 @@
 type: keyword
 - name: Reason
 type: keyword
+ - name: ResourceAttributes
+ type: keyword
 - name: SamAccountName
 type: keyword
 - name: SchemaVersion
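Review bot: The "Known SIDs" reference in the new comment block reads `.../243330/well-known-security-identifier"S-in-window"S-operating-systems`, which is not a valid URL, while the "Domain-specific SIDs" entry a few lines below gives the intact form `.../243330/well-known-security-identifiers-in-windows-operating-systems`. Unless the quotes are an artefact of how this page was rendered, the first line should be corrected to the second. Both entries point at the same article, so listing it once under a shared heading would also read cleaner.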
diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md
index 35ef4964d0f..011940a6ef3 100644
--- a/packages/system/docs/README.md
+++ b/packages/system/docs/README.md
@@ -512,7 +512,7 @@ An example event for `security` looks as following: | event.dataset | Event dataset. | constant_keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| event.module | Event module | constant_keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | @@ -582,6 +582,10 @@ An example event for `security` looks as following: | winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | | winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | | winlog.event_data.AccessGranted | | keyword | +| winlog.event_data.AccessList | | keyword | +| winlog.event_data.AccessListDescription | | keyword | +| winlog.event_data.AccessMask | | keyword | +| winlog.event_data.AccessMaskDescription | | keyword | | winlog.event_data.AccessRemoved | | keyword | | winlog.event_data.AccountDomain | | keyword | | winlog.event_data.AccountExpires | | keyword | 
@@ -717,6 +721,7 @@ An example event for `security` looks as following:
 | winlog.event_data.PuaPolicyId | | keyword |
 | winlog.event_data.QfeVersion | | keyword |
 | winlog.event_data.Reason | | keyword |
+| winlog.event_data.ResourceAttributes | | keyword |
 | winlog.event_data.SamAccountName | | keyword |
 | winlog.event_data.SchemaVersion | | keyword |
 | winlog.event_data.ScriptBlockText | | keyword |
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index 423882cf6a8..db4a5359e57 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: system
 title: System
-version: 1.6.2
+version: 1.6.3
 license: basic
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration