diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index e17ad295d32d..8c680a3323b7 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -248,6 +248,7 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403]
 - Sync missing changes in modules pipelines. {pull}42619[42619]
 - Reset EventLog if error EOF is encountered. {pull}42826[42826]
 - Implement backoff on error retrial. {pull}42826[42826]
+- Fix boolean key in security pipelines and sync pipelines with integration. {pull}43027[43027]
 
 *Elastic Logging Plugin*
 
diff --git a/x-pack/winlogbeat/module/powershell/ingest/powershell.yml b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml
index d14a9e25aa32..7cde92f7cb04 100644
--- a/x-pack/winlogbeat/module/powershell/ingest/powershell.yml
+++ b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml
@@ -46,7 +46,7 @@ processors:
   - set:
       field: ecs.version
-      value: '8.0.0'
+      value: '8.17.0'
   - set:
       field: log.level
       copy_from: winlog.level
diff --git a/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml b/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml
index 206d25db3de8..a514f85b5fb7 100644
--- a/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml
+++ b/x-pack/winlogbeat/module/powershell/ingest/powershell_operational.yml
@@ -26,7 +26,7 @@ processors:
   - set:
       field: ecs.version
-      value: '8.0.0'
+      value: '8.17.0'
   - set:
       field: log.level
       copy_from: winlog.level
diff --git a/x-pack/winlogbeat/module/routing/ingest/routing.yml b/x-pack/winlogbeat/module/routing/ingest/routing.yml
index 9c00e19e1603..945408bed4c8 100644
--- a/x-pack/winlogbeat/module/routing/ingest/routing.yml
+++ b/x-pack/winlogbeat/module/routing/ingest/routing.yml
@@ -16,6 +16,7 @@ processors:
   - pipeline:
       name: '{< IngestPipeline "powershell_operational" >}'
       if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'microsoft-windows-powershell/operational'
+
   - set:
       field: host.os.type
       value: windows
@@ -25,8 +26,39 @@ processors:
       value: windows
       override: false
 
+  # Get user details from the translate_sid processor enrichment
+  # if they are available and we don't already have them.
+  - rename:
+      field: winlog.event_data._MemberUserName
+      target_field: user.name
+      ignore_failure: true
+      ignore_missing: true
+  - rename:
+      field: winlog.event_data._MemberDomain
+      target_field: user.domain
+      ignore_failure: true
+      ignore_missing: true
+  - append:
+      value: '{{{winlog.event_data._MemberAccountType}}}'
+      field: user.roles
+      ignore_failure: true
+      allow_duplicates: false
+      if: ctx.winlog?.event_data?._MemberAccountType != null
+  - remove:
+      field: winlog.event_data._MemberAccountType
+      ignore_missing: true
+      ignore_failure: true
+      if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType)
+
+  - convert:
+      field: error.code
+      type: string
+      ignore_missing: true
+
 on_failure:
   - set:
+      field: event.kind
+      value: pipeline_error
+  - append:
       field: error.message
-      value: |-
-        Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
+      value: "{{{ _ingest.on_failure_message }}}"
diff --git a/x-pack/winlogbeat/module/security/ingest/security.yml b/x-pack/winlogbeat/module/security/ingest/security.yml
index 55687df728cb..ccbb522879ef 100644
--- a/x-pack/winlogbeat/module/security/ingest/security.yml
+++ b/x-pack/winlogbeat/module/security/ingest/security.yml
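Review bot: The rewritten on_failure handler in the second routing.yml hunk keeps only `{{{ _ingest.on_failure_message }}}` in error.message, dropping the processor type, tag and pipeline name the old literal block carried, and none of the new rename/append/remove/convert processors set a `tag:`, so a document stamped `event.kind: pipeline_error` no longer tells an operator which processor in which pipeline failed. With the rename and append steps also running under `ignore_failure: true`, the on_failure path is the only place a failure surfaces, which makes that context worth keeping for triage. Consider `value: "Processor '{{{ _ingest.on_failure_processor_type }}}' with tag '{{{ _ingest.on_failure_processor_tag }}}' in pipeline '{{{ _ingest.on_failure_pipeline }}}' failed with message '{{{ _ingest.on_failure_message }}}'"`, or at least a `tag:` on each new processor. If the shorter message is deliberate to match the integration pipeline this commit syncs with, a one-line comment above the `append` saying so would stop the next reviewer from re-raising it.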
@@ -1,5 +1,5 @@
 ---
-description: Pipeline for Windows Security events
+description: Pipeline for Security events
 processors:
   - set:
       field: event.module
@@ -8,3793 +8,34 @@ processors: field: event.code type: string ignore_missing: true - - script: - lang: painless - ignore_failure: false - tag: Set ECS categorization fields - description: Set ECS categorization fields - params: - "1100": - category: - - process - type: - - end - action: logging-service-shutdown - "1102": - category: - - iam - type: - - admin - - change - action: audit-log-cleared - "1104": - category: - - iam - type: - - admin - action: logging-full - "1105": - category: - - iam - type: - - admin - action: auditlog-archieved - "1108": - category: - - iam - type: - - admin - action: logging-processing-error - "4610": - category: - - configuration - type: - - access - action: authentication-package-loaded - "4611": - category: - - configuration - type: - - change - action: trusted-logon-process-registered - "4614": - category: - - configuration - type: - - access - action: notification-package-loaded - "4616": - category: - - configuration - type: - - change - action: system-time-changed - "4622": - category: - - configuration - type: - - access - action: security-package-loaded - "4624": - category: - - authentication - type: - - start - action: logged-in - "4625": - category: - - authentication - type: - - start - action: logon-failed - "4634": - category: - - authentication - type: - - end - action: logged-out - "4647": - category: - - authentication - type: - - end - action: logged-out - "4648": - category: - - authentication - type: - - start - action: logged-in-explicit - "4657": - category: - - registry - - configuration - type: - - change - action: registry-value-modified - "4662": - category: - - iam - - configuration - type: - - admin - - change - action: object-operation-performed - "4670": - category: - - iam - - configuration - type: - - admin - - change - action: permissions-changed - "4672": - category: - - iam - type: - - admin - action: logged-in-special - "4673": - category: - - iam - type: - - admin - action: 
privileged-service-called - "4674": - category: - - iam - type: - - admin - action: privileged-operation - "4688": - category: - - process - type: - - start - action: created-process - "4689": - category: - - process - type: - - end - action: exited-process - "4697": - category: - - iam - - configuration - type: - - admin - - change - action: service-installed - "4698": - category: - - iam - - configuration - type: - - creation - - admin - action: scheduled-task-created - "4699": - category: - - iam - - configuration - type: - - deletion - - admin - action: scheduled-task-deleted - "4700": - category: - - iam - - configuration - type: - - change - - admin - action: scheduled-task-enabled - "4701": - category: - - iam - - configuration - type: - - change - - admin - action: scheduled-task-disabled - "4702": - category: - - iam - - configuration - type: - - change - - admin - action: scheduled-task-updated - "4706": - category: - - configuration - type: - - creation - action: domain-trust-added - "4707": - category: - - configuration - type: - - deletion - action: domain-trust-removed - "4713": - category: - - configuration - type: - - change - action: kerberos-policy-changed - "4714": - category: - - configuration - type: - - change - action: encrypted-data-recovery-policy-changed - "4715": - category: - - configuration - type: - - change - action: object-audit-policy-changed - "4716": - category: - - configuration - type: - - change - action: trusted-domain-information-changed - "4717": - category: - - iam - - configuration - type: - - admin - - change - action: system-security-access-granted - "4718": - category: - - iam - - configuration - type: - - admin - - deletion - action: system-security-access-removed - "4719": - category: - - iam - - configuration - type: - - admin - - change - action: changed-audit-config - "4720": - category: - - iam - type: - - user - - creation - action: added-user-account - "4722": - category: - - iam - type: - - user - - change - 
action: enabled-user-account - "4723": - category: - - iam - type: - - user - - change - action: changed-password - "4724": - category: - - iam - type: - - user - - change - action: reset-password - "4725": - category: - - iam - type: - - user - - deletion - action: disabled-user-account - "4726": - category: - - iam - type: - - user - - deletion - action: deleted-user-account - "4727": - category: - - iam - type: - - group - - creation - action: added-group-account - "4728": - category: - - iam - type: - - group - - change - action: added-member-to-group - "4729": - category: - - iam - type: - - group - - change - action: removed-member-from-group - "4730": - category: - - iam - type: - - group - - deletion - action: deleted-group-account - "4731": - category: - - iam - type: - - group - - creation - action: added-group-account - "4732": - category: - - iam - type: - - group - - change - action: added-member-to-group - "4733": - category: - - iam - type: - - group - - change - action: removed-member-from-group - "4734": - category: - - iam - type: - - group - - deletion - action: deleted-group-account - "4735": - category: - - iam - type: - - group - - change - action: modified-group-account - "4737": - category: - - iam - type: - - group - - change - action: modified-group-account - "4738": - category: - - iam - type: - - user - - change - action: modified-user-account - "4739": - category: - - configuration - type: - - change - action: domain-policy-changed - "4740": - category: - - iam - type: - - user - - change - action: locked-out-user-account - "4741": - category: - - iam - type: - - creation - - admin - action: added-computer-account - "4742": - category: - - iam - type: - - change - - admin - action: changed-computer-account - "4743": - category: - - iam - type: - - deletion - - admin - action: deleted-computer-account - "4744": - category: - - iam - type: - - group - - creation - action: added-distribution-group-account - "4745": - category: - - iam - 
type: - - group - - change - action: changed-distribution-group-account - "4746": - category: - - iam - type: - - group - - change - action: added-member-to-distribution-group - "4747": - category: - - iam - type: - - group - - change - action: removed-member-from-distribution-group - "4748": - category: - - iam - type: - - group - - deletion - action: deleted-distribution-group-account - "4749": - category: - - iam - type: - - group - - creation - action: added-distribution-group-account - "4750": - category: - - iam - type: - - group - - change - action: changed-distribution-group-account - "4751": - category: - - iam - type: - - group - - change - action: added-member-to-distribution-group - "4752": - category: - - iam - type: - - group - - change - action: removed-member-from-distribution-group - "4753": - category: - - iam - type: - - group - - deletion - action: deleted-distribution-group-account - "4754": - category: - - iam - type: - - group - - creation - action: added-group-account - "4755": - category: - - iam - type: - - group - - change - action: modified-group-account - "4756": - category: - - iam - type: - - group - - change - action: added-member-to-group - "4757": - category: - - iam - type: - - group - - change - action: removed-member-from-group - "4758": - category: - - iam - type: - - group - - deletion - action: deleted-group-account - "4759": - category: - - iam - type: - - group - - creation - action: added-distribution-group-account - "4760": - category: - - iam - type: - - group - - change - action: changed-distribution-group-account - "4761": - category: - - iam - type: - - group - - change - action: added-member-to-distribution-group - "4762": - category: - - iam - type: - - group - - change - action: removed-member-from-distribution-group - "4763": - category: - - iam - type: - - group - - deletion - action: deleted-distribution-group-account - "4764": - category: - - iam - type: - - group - - change - action: type-changed-group-account 
- "4767": - category: - - iam - type: - - user - - change - action: unlocked-user-account - "4768": - category: - - authentication - type: - - start - action: kerberos-authentication-ticket-requested - "4769": - category: - - authentication - type: - - start - action: kerberos-service-ticket-requested - "4770": - category: - - authentication - type: - - start - action: kerberos-service-ticket-renewed - "4771": - category: - - authentication - type: - - start - action: kerberos-preauth-failed - "4776": - category: - - authentication - type: - - start - action: credential-validated - "4778": - category: - - authentication - - session - type: - - start - action: session-reconnected - "4779": - category: - - authentication - - session - type: - - end - action: session-disconnected - "4781": - category: - - iam - type: - - user - - change - action: renamed-user-account - "4797": - category: - - iam - type: - - user - - info - action: query-existence-of-blank-password - "4798": - category: - - iam - type: - - user - - info - action: group-membership-enumerated - "4799": - category: - - iam - type: - - group - - info - action: user-member-enumerated - "4817": - category: - - iam - - configuration - type: - - admin - - change - action: object-audit-changed - "4902": - category: - - iam - - configuration - type: - - admin - - creation - action: user-audit-policy-created - "4904": - category: - - iam - - configuration - type: - - admin - - change - action: security-event-source-added - "4905": - category: - - iam - - configuration - type: - - admin - - deletion - action: security-event-source-removed - "4906": - category: - - iam - - configuration - type: - - admin - - change - action: crash-on-audit-changed - "4907": - category: - - iam - - configuration - type: - - admin - - change - action: audit-setting-changed - "4908": - category: - - iam - - configuration - type: - - admin - - change - action: special-group-table-changed - "4912": - category: - - iam - - configuration 
- type: - - admin - - change - action: per-user-audit-policy-changed - "4950": - category: - - configuration - type: - - change - action: windows-firewall-setting-changed - "4954": - category: - - configuration - type: - - change - action: windows-firewall-group-policy-changed - "4964": - category: - - iam - type: - - admin - - group - action: logged-in-special - "5024": - category: - - process - type: - - start - action: windows-firewall-service-started - "5025": - category: - - process - type: - - end - action: windows-firewall-service-stopped - "5033": - category: - - driver - type: - - start - action: windows-firewall-driver-started - "5034": - category: - - driver - type: - - end - action: windows-firewall-driver-stopped - "5037": - category: - - driver - type: - - end - action: windows-firewall-driver-error - "5136": - category: - - iam - - configuration - type: - - admin - - change - action: directory-service-object-modified - "5140": - category: - - network - - file - type: - - info - - access - action: network-share-object-accessed - "5145": - category: - - network - - file - type: - - info - - access - action: network-share-object-access-checked - "5379": - category: - - iam - type: - - user - - info - action: credential-manager-credentials-were-read - "5380": - category: - - iam - type: - - user - - info - action: vault-credential-find - "5381": - category: - - iam - type: - - user - - info - action: vault-credentials-were-read - "5382": - category: - - iam - type: - - user - - info - action: vault-credentials-were-read - source: |- - if (ctx.event?.code == null || params.get(ctx.event.code) == null) { - return; - } - params.get(ctx.event.code).forEach((k, v) -> { - if (v instanceof List) { - ctx.event[k] = new ArrayList(v); - } else { - ctx.event[k] = v; - } - }); - - script: - lang: painless - ignore_failure: false - tag: Set Logon Type - description: Set Logon Type - # Logon Types - # 
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events - params: - "2": Interactive - "3": Network - "4": Batch - "5": Service - "7": Unlock - "8": NetworkCleartext - "9": NewCredentials - "10": RemoteInteractive - "11": CachedInteractive - source: |- - if (ctx.winlog?.event_data?.LogonType == null) { - return; - } - def t = params.get(ctx.winlog.event_data.LogonType); - if (t == null) { - return; - } - if (ctx.winlog?.logon == null ) { - Map map = new HashMap(); - ctx.winlog.put("logon", map); - } - ctx.winlog.logon.put("type", t) - - script: - lang: painless - ignore_failure: false - tag: Set User Account Control - description: Set User Account Control - # User Account Control Attributes Table - # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380 - params: - "0x00000001": USER_ACCOUNT_DISABLED - "0x00000002": USER_HOME_DIRECTORY_REQUIRED - "0x00000004": USER_PASSWORD_NOT_REQUIRED - "0x00000008": USER_TEMP_DUPLICATE_ACCOUNT - "0x00000010": USER_NORMAL_ACCOUNT - "0x00000020": USER_MNS_LOGON_ACCOUNT - "0x00000040": USER_INTERDOMAIN_TRUST_ACCOUNT - "0x00000080": USER_WORKSTATION_TRUST_ACCOUNT - "0x00000100": USER_SERVER_TRUST_ACCOUNT - "0x00000200": USER_DONT_EXPIRE_PASSWORD - "0x00000400": USER_ACCOUNT_AUTO_LOCKED - "0x00000800": USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED - "0x00001000": USER_SMARTCARD_REQUIRED - "0x00002000": USER_TRUSTED_FOR_DELEGATION - "0x00004000": USER_NOT_DELEGATED - "0x00008000": USER_USE_DES_KEY_ONLY - "0x00010000": USER_DONT_REQUIRE_PREAUTH - "0x00020000": USER_PASSWORD_EXPIRED - "0x00040000": USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION - "0x00080000": USER_NO_AUTH_DATA_REQUIRED - "0x00100000": USER_PARTIAL_SECRETS_ACCOUNT - "0x00200000": USER_USE_AES_KEYS - source: |- - if (ctx.winlog?.event_data == null) { - return; - } - if (ctx.winlog.event_data.NewUacValue == null || ctx.winlog.event_data.NewUacValue == "-") { - return; - } - Long 
newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue); - ArrayList uacResult = new ArrayList(); - for (entry in params.entrySet()) { - Long flag = Long.decode(entry.getKey()); - if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) { - uacResult.add(entry.getValue()); - } - } - if (uacResult.length == 0) { - return; - } - ctx.winlog.event_data.put("NewUACList", uacResult); - if (ctx.winlog.event_data.UserAccountControl == null || ctx.winlog.event_data.UserAccountControl == "-") { - return; - } - ArrayList uac_array = new ArrayList(); - for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken((String)((char)0x0a))) { - def trimmed = elem.replace("%%","").trim(); - if (trimmed.length() > 0) { - uac_array.add(trimmed); - } - } - ctx.winlog.event_data.UserAccountControl = uac_array; - - script: - lang: painless - ignore_failure: false - tag: Set Kerberos Ticket Options - description: Set Kerberos Ticket Options - # Kerberos TGT and TGS Ticket Options - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 - params: - "0x40000000": Forwardable - "0x20000000": Forwarded - "0x10000000": Proxiable - "0x08000000": Proxy - "0x04000000": Allow-postdate - "0x02000000": Postdated - "0x01000000": Invalid - "0x00800000": Renewable - "0x00400000": Initial - "0x00200000": Pre-authent - "0x00100000": Opt-hardware-auth - "0x00080000": Transited-policy-checked - "0x00040000": Ok-as-delegate - "0x00020000": Request-anonymous - "0x00010000": Name-canonicalize - "0x00000020": Disable-transited-check - "0x00000010": Renewable-ok - "0x00000008": Enc-tkt-in-skey - "0x00000002": Renew - "0x00000001": Validate - source: |- - if (ctx.winlog?.event_data?.TicketOptions == null) { - return; - } - Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions); - ArrayList tDescs = new ArrayList(); - for (entry in params.entrySet()) { - Long 
flag = Long.decode(entry.getKey()); - if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) { - tDescs.add(entry.getValue()); - } - } - if (tDescs.length == 0) { - return; - } - ctx.winlog.event_data.put("TicketOptionsDescription", tDescs); - - script: - lang: painless - ignore_failure: false - tag: Set Kerberos Encryption Types - description: Set Kerberos Encryption Types - # Kerberos Encryption Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - params: - "0x1": DES-CBC-CRC - "0x3": DES-CBC-MD5 - "0x11": AES128-CTS-HMAC-SHA1-96 - "0x12": AES256-CTS-HMAC-SHA1-96 - "0x17": RC4-HMAC - "0x18": RC4-HMAC-EXP - "0xffffffff": FAIL - source: |- - if (ctx.winlog?.event_data?.TicketEncryptionType == null) { - return; - } - ctx.winlog.event_data.put("TicketEncryptionTypeDescription", - params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()]) - - script: - lang: painless - ignore_failure: false - tag: Set Kerberos Ticket Status Codes - # Kerberos Result Status Codes - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 - description: Set Kerberos Ticket Status Codes - params: - "0x0": KDC_ERR_NONE - "0x1": KDC_ERR_NAME_EXP - "0x2": KDC_ERR_SERVICE_EXP - "0x3": KDC_ERR_BAD_PVNO - "0x4": KDC_ERR_C_OLD_MAST_KVNO - "0x5": KDC_ERR_S_OLD_MAST_KVNO - "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN - "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN - "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE - "0x9": KDC_ERR_NULL_KEY - "0xA": KDC_ERR_CANNOT_POSTDATE - "0xB": KDC_ERR_NEVER_VALID - "0xC": KDC_ERR_POLICY - "0xD": KDC_ERR_BADOPTION - "0xE": KDC_ERR_ETYPE_NOTSUPP - "0xF": KDC_ERR_SUMTYPE_NOSUPP - "0x10": KDC_ERR_PADATA_TYPE_NOSUPP - "0x11": KDC_ERR_TRTYPE_NO_SUPP - "0x12": KDC_ERR_CLIENT_REVOKED - "0x13": KDC_ERR_SERVICE_REVOKED - 
"0x14": KDC_ERR_TGT_REVOKED - "0x15": KDC_ERR_CLIENT_NOTYET - "0x16": KDC_ERR_SERVICE_NOTYET - "0x17": KDC_ERR_KEY_EXPIRED - "0x18": KDC_ERR_PREAUTH_FAILED - "0x19": KDC_ERR_PREAUTH_REQUIRED - "0x1A": KDC_ERR_SERVER_NOMATCH - "0x1B": KDC_ERR_MUST_USE_USER2USER - "0x1F": KRB_AP_ERR_BAD_INTEGRITY - "0x20": KRB_AP_ERR_TKT_EXPIRED - "0x21": KRB_AP_ERR_TKT_NYV - "0x22": KRB_AP_ERR_REPEAT - "0x23": KRB_AP_ERR_NOT_US - "0x24": KRB_AP_ERR_BADMATCH - "0x25": KRB_AP_ERR_SKEW - "0x26": KRB_AP_ERR_BADADDR - "0x27": KRB_AP_ERR_BADVERSION - "0x28": KRB_AP_ERR_MSG_TYPE - "0x29": KRB_AP_ERR_MODIFIED - "0x2A": KRB_AP_ERR_BADORDER - "0x2C": KRB_AP_ERR_BADKEYVER - "0x2D": KRB_AP_ERR_NOKEY - "0x2E": KRB_AP_ERR_MUT_FAIL - "0x2F": KRB_AP_ERR_BADDIRECTION - "0x30": KRB_AP_ERR_METHOD - "0x31": KRB_AP_ERR_BADSEQ - "0x32": KRB_AP_ERR_INAPP_CKSUM - "0x33": KRB_AP_PATH_NOT_ACCEPTED - "0x34": KRB_ERR_RESPONSE_TOO_BIG - "0x3C": KRB_ERR_GENERIC - "0x3D": KRB_ERR_FIELD_TOOLONG - "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED - "0x3F": KDC_ERR_KDC_NOT_TRUSTED - "0x40": KDC_ERR_INVALID_SIG - "0x41": KDC_ERR_KEY_TOO_WEAK - "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED - "0x43": KRB_AP_ERR_NO_TGT - "0x44": KDC_ERR_WRONG_REALM - source: |- - if (ctx.winlog?.event_data?.Status == null || - ctx.event?.code == null || - !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) { - return; - } - ctx.winlog.event_data.put("StatusDescription", params[ctx.winlog.event_data.Status]); - - script: - lang: painless - ignore_failure: false - tag: Set Service Type and Name - description: Set Service Type and Name - # Services Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 - params: - "0x1": Kernel Driver - "0x2": File System Driver - "0x8": Recognizer Driver - "0x10": Win32 Own Process - "0x20": Win32 Share Process - "0x110": Interactive Own Process - "0x120": Interactive Share Process - source: |- - if (ctx.winlog?.event_data?.ServiceName != null) { - if (ctx.service == null) { 
- HashMap hm = new HashMap(); - ctx.put("service", hm); - } - ctx.service.put("name", ctx.winlog.event_data.ServiceName); - } - if (ctx.winlog.event_data?.ServiceType != null) { - if (ctx.service == null) { - HashMap hm = new HashMap(); - ctx.put("service", hm); - } - ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]); - } - - script: - lang: painless - ignore_failure: false - tag: Set Audit Information - description: Set Audit Information - params: - "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"] - "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"] - "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"] - "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"] - "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"] - "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"] - "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"] - "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"] - "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"] - "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"] - "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode","Logon/Logoff"] - "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"] - "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"] - "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"] - "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"] - "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"] - "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"] - "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"] - "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"] - "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"] - 
"0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"] - "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"] - "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"] - "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"] - "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ","Object Access"] - "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"] - "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"] - "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"] - "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"] - "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"] - "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"] - "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"] - "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"] - "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"] - "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity","Detailed Tracking"] - "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"] - "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"] - "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"] - "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"] - "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"] - "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"] - "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"] - "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"] - 
"0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"] - "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"] - "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"] - "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management","Account Management"] - "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"] - "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"] - "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"] - "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"] - "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"] - "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"] - "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"] - "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"] - "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"] - "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"] - source: |- - if (ctx.winlog?.event_data?.SubcategoryGuid == null) { - return; - } - def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase(); - if (!params.containsKey(subCatGuid)) { - return; - } - ctx.winlog.event_data.put("Category", params[subCatGuid][1]); - ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]); - - script: - lang: painless - ignore_failure: false - tag: Decode message table - description: Decode message table - # Message table extracted from msobjs.dll on Windows 2019. 
- # https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012
- # https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks
- # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b
- params:
- descriptions:
- "279": "Undefined Access (no effect) Bit 7"
- "1536": "Unused message ID"
- "1537": "DELETE"
- "1538": "READ_CONTROL"
- "1539": "WRITE_DAC"
- "1540": "WRITE_OWNER"
- "1541": "SYNCHRONIZE"
- "1542": "ACCESS_SYS_SEC"
- "1543": "MAX_ALLOWED"
- "1552": "Unknown specific access (bit 0)"
- "1553": "Unknown specific access (bit 1)"
- "1554": "Unknown specific access (bit 2)"
- "1555": "Unknown specific access (bit 3)"
- "1556": "Unknown specific access (bit 4)"
- "1557": "Unknown specific access (bit 5)"
- "1558": "Unknown specific access (bit 6)"
- "1559": "Unknown specific access (bit 7)"
- "1560": "Unknown specific access (bit 8)"
- "1561": "Unknown specific access (bit 9)"
- "1562": "Unknown specific access (bit 10)"
- "1563": "Unknown specific access (bit 11)"
- "1564": "Unknown specific access (bit 12)"
- "1565": "Unknown specific access (bit 13)"
- "1566": "Unknown specific access (bit 14)"
- "1567": "Unknown specific access (bit 15)"
- "1601": "Not used"
- "1603": "Assign Primary Token Privilege"
- "1604": "Lock Memory Privilege"
- "1605": "Increase Memory Quota Privilege"
- "1606": "Unsolicited Input Privilege"
- "1607": "Trusted Computer Base Privilege"
- "1608": "Security Privilege"
- "1609": "Take Ownership Privilege"
- "1610": "Load/Unload Driver Privilege"
- "1611": "Profile System Privilege"
- "1612": "Set System Time Privilege"
- "1613": "Profile Single Process Privilege"
- "1614": "Increment Base Priority Privilege"
- "1615": "Create Pagefile Privilege"
- "1616": "Create Permanent Object Privilege"
- "1617": "Backup Privilege"
- "1618": "Restore From Backup Privilege"
- "1619": "Shutdown System Privilege"
- "1620": "Debug Privilege"
- "1621": "View or Change Audit Log Privilege"
- "1622": "Change Hardware Environment Privilege"
- "1623": "Change Notify (and Traverse) Privilege"
- "1624": "Remotely Shut System Down Privilege"
- "1792": ""
- "1794": ""
- "1795": "Enabled"
- "1796": "Disabled"
- "1797": "All"
- "1798": "None"
- "1799": "Audit Policy query/set API Operation"
- "1800": ""
- "1801": "Granted by"
- "1802": "Denied by"
- "1803": "Denied by Integrity Policy check"
- "1804": "Granted by Ownership"
- "1805": "Not granted"
- "1806": "Granted by NULL DACL"
- "1807": "Denied by Empty DACL"
- "1808": "Granted by NULL Security Descriptor"
- "1809": "Unknown or unchecked"
- "1810": "Not granted due to missing"
- "1811": "Granted by ACE on parent folder"
- "1812": "Denied by ACE on parent folder"
- "1813": "Granted by Central Access Rule"
- "1814": "NOT Granted by Central Access Rule"
- "1815": "Granted by parent folder's Central Access Rule"
- "1816": "NOT Granted by parent folder's Central Access Rule"
- "1817": "Unknown Type"
- "1818": "String"
- "1819": "Unsigned 64-bit Integer"
- "1820": "64-bit Integer"
- "1821": "FQBN"
- "1822": "Blob"
- "1823": "Sid"
- "1824": "Boolean"
- "1825": "TRUE"
- "1826": "FALSE"
- "1827": "Invalid"
- "1828": "an ACE too long to display"
- "1829": "a Security Descriptor too long to display"
- "1830": "Not granted to AppContainers"
- "1831": "..."
- "1832": "Identification"
- "1833": "Impersonation"
- "1840": "Delegation"
- "1841": "Denied by Process Trust Label ACE"
- "1842": "Yes"
- "1843": "No"
- "1844": "System"
- "1845": "Not Available"
- "1846": "Default"
- "1847": "DisallowMmConfig"
- "1848": "Off"
- "1849": "Auto"
- "1872": "REG_NONE"
- "1873": "REG_SZ"
- "1874": "REG_EXPAND_SZ"
- "1875": "REG_BINARY"
- "1876": "REG_DWORD"
- "1877": "REG_DWORD_BIG_ENDIAN"
- "1878": "REG_LINK"
- "1879": "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)"
- "1880": "REG_RESOURCE_LIST"
- "1881": "REG_FULL_RESOURCE_DESCRIPTOR"
- "1882": "REG_RESOURCE_REQUIREMENTS_LIST"
- "1883": "REG_QWORD"
- "1904": "New registry value created"
- "1905": "Existing registry value modified"
- "1906": "Registry value deleted"
- "1920": "Sunday"
- "1921": "Monday"
- "1922": "Tuesday"
- "1923": "Wednesday"
- "1924": "Thursday"
- "1925": "Friday"
- "1926": "Saturday"
- "1936": "TokenElevationTypeDefault (1)"
- "1937": "TokenElevationTypeFull (2)"
- "1938": "TokenElevationTypeLimited (3)"
- "2048": "Account Enabled"
- "2049": "Home Directory Required' - Disabled"
- "2050": "Password Not Required' - Disabled"
- "2051": "Temp Duplicate Account' - Disabled"
- "2052": "Normal Account' - Disabled"
- "2053": "MNS Logon Account' - Disabled"
- "2054": "Interdomain Trust Account' - Disabled"
- "2055": "Workstation Trust Account' - Disabled"
- "2056": "Server Trust Account' - Disabled"
- "2057": "Don't Expire Password' - Disabled"
- "2058": "Account Unlocked"
- "2059": "Encrypted Text Password Allowed' - Disabled"
- "2060": "Smartcard Required' - Disabled"
- "2061": "Trusted For Delegation' - Disabled"
- "2062": "Not Delegated' - Disabled"
- "2063": "Use DES Key Only' - Disabled"
- "2064": "Don't Require Preauth' - Disabled"
- "2065": "Password Expired' - Disabled"
- "2066": "Trusted To Authenticate For Delegation' - Disabled"
- "2067": "Exclude Authorization Information' - Disabled"
- "2068": "Undefined UserAccountControl Bit 20' - Disabled"
- "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled"
- "2070": "Undefined UserAccountControl Bit 22' - Disabled"
- "2071": "Undefined UserAccountControl Bit 23' - Disabled"
- "2072": "Undefined UserAccountControl Bit 24' - Disabled"
- "2073": "Undefined UserAccountControl Bit 25' - Disabled"
- "2074": "Undefined UserAccountControl Bit 26' - Disabled"
- "2075": "Undefined UserAccountControl Bit 27' - Disabled"
- "2076": "Undefined UserAccountControl Bit 28' - Disabled"
- "2077": "Undefined UserAccountControl Bit 29' - Disabled"
- "2078": "Undefined UserAccountControl Bit 30' - Disabled"
- "2079": "Undefined UserAccountControl Bit 31' - Disabled"
- "2080": "Account Disabled"
- "2081": "Home Directory Required' - Enabled"
- "2082": "Password Not Required' - Enabled"
- "2083": "Temp Duplicate Account' - Enabled"
- "2084": "Normal Account' - Enabled"
- "2085": "MNS Logon Account' - Enabled"
- "2086": "Interdomain Trust Account' - Enabled"
- "2087": "Workstation Trust Account' - Enabled"
- "2088": "Server Trust Account' - Enabled"
- "2089": "Don't Expire Password' - Enabled"
- "2090": "Account Locked"
- "2091": "Encrypted Text Password Allowed' - Enabled"
- "2092": "Smartcard Required' - Enabled"
- "2093": "Trusted For Delegation' - Enabled"
- "2094": "Not Delegated' - Enabled"
- "2095": "Use DES Key Only' - Enabled"
- "2096": "Don't Require Preauth' - Enabled"
- "2097": "Password Expired' - Enabled"
- "2098": "Trusted To Authenticate For Delegation' - Enabled"
- "2099": "Exclude Authorization Information' - Enabled"
- "2100": "Undefined UserAccountControl Bit 20' - Enabled"
- "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled"
- "2102": "Undefined UserAccountControl Bit 22' - Enabled"
- "2103": "Undefined UserAccountControl Bit 23' - Enabled"
- "2104": "Undefined UserAccountControl Bit 24' - Enabled"
- "2105": "Undefined UserAccountControl Bit 25' - Enabled"
- "2106": "Undefined UserAccountControl Bit 26' - Enabled"
- "2107": "Undefined UserAccountControl Bit 27' - Enabled"
- "2108": "Undefined UserAccountControl Bit 28' - Enabled"
- "2109": "Undefined UserAccountControl Bit 29' - Enabled"
- "2110": "Undefined UserAccountControl Bit 30' - Enabled"
- "2111": "Undefined UserAccountControl Bit 31' - Enabled"
- "2304": "An Error occured during Logon."
- "2305": "The specified user account has expired."
- "2306": "The NetLogon component is not active."
- "2307": "Account locked out."
- "2308": "The user has not been granted the requested logon type at this machine."
- "2309": "The specified account's password has expired."
- "2310": "Account currently disabled."
- "2311": "Account logon time restriction violation."
- "2312": "User not allowed to logon at this computer."
- "2313": "Unknown user name or bad password."
- "2314": "Domain sid inconsistent."
- "2315": "Smartcard logon is required and was not used."
- "2432": "Not Available."
- "2436": "Random number generator failure."
- "2437": "Random number generation failed FIPS-140 pre-hash check."
- "2438": "Failed to zero secret data."
- "2439": "Key failed pair wise consistency check."
- "2448": "Failed to unprotect persistent cryptographic key."
- "2449": "Key export checks failed."
- "2450": "Validation of public key failed."
- "2451": "Signature verification failed."
- "2456": "Open key file."
- "2457": "Delete key file."
- "2458": "Read persisted key from file."
- "2459": "Write persisted key to file."
- "2464": "Export of persistent cryptographic key."
- "2465": "Import of persistent cryptographic key."
- "2480": "Open Key."
- "2481": "Create Key."
- "2482": "Delete Key."
- "2483": "Encrypt."
- "2484": "Decrypt."
- "2485": "Sign hash."
- "2486": "Secret agreement."
- "2487": "Domain settings"
- "2488": "Local settings"
- "2489": "Add provider."
- "2490": "Remove provider."
- "2491": "Add context."
- "2492": "Remove context."
- "2493": "Add function."
- "2494": "Remove function."
- "2495": "Add function provider."
- "2496": "Remove function provider."
- "2497": "Add function property."
- "2498": "Remove function property."
- "2499": "Machine key."
- "2500": "User key."
- "2501": "Key Derivation."
- "4352": "Device Access Bit 0"
- "4353": "Device Access Bit 1"
- "4354": "Device Access Bit 2"
- "4355": "Device Access Bit 3"
- "4356": "Device Access Bit 4"
- "4357": "Device Access Bit 5"
- "4358": "Device Access Bit 6"
- "4359": "Device Access Bit 7"
- "4360": "Device Access Bit 8"
- "4361": "Undefined Access (no effect) Bit 9"
- "4362": "Undefined Access (no effect) Bit 10"
- "4363": "Undefined Access (no effect) Bit 11"
- "4364": "Undefined Access (no effect) Bit 12"
- "4365": "Undefined Access (no effect) Bit 13"
- "4366": "Undefined Access (no effect) Bit 14"
- "4367": "Undefined Access (no effect) Bit 15"
- "4368": "Query directory"
- "4369": "Traverse"
- "4370": "Create object in directory"
- "4371": "Create sub-directory"
- "4372": "Undefined Access (no effect) Bit 4"
- "4373": "Undefined Access (no effect) Bit 5"
- "4374": "Undefined Access (no effect) Bit 6"
- "4375": "Undefined Access (no effect) Bit 7"
- "4376": "Undefined Access (no effect) Bit 8"
- "4377": "Undefined Access (no effect) Bit 9"
- "4378": "Undefined Access (no effect) Bit 10"
- "4379": "Undefined Access (no effect) Bit 11"
- "4380": "Undefined Access (no effect) Bit 12"
- "4381": "Undefined Access (no effect) Bit 13"
- "4382": "Undefined Access (no effect) Bit 14"
- "4383": "Undefined Access (no effect) Bit 15"
- "4384": "Query event state"
- "4385": "Modify event state"
- "4386": "Undefined Access (no effect) Bit 2"
- "4387": "Undefined Access (no effect) Bit 3"
- "4388": "Undefined Access (no effect) Bit 4"
- "4389": "Undefined Access (no effect) Bit 5"
- "4390": "Undefined Access (no effect) Bit 6"
- "4391": "Undefined Access (no effect) Bit 7"
- "4392": "Undefined Access (no effect) Bit 8"
- "4393": "Undefined Access (no effect) Bit 9"
- "4394": "Undefined Access (no effect) Bit 10"
- "4395": "Undefined Access (no effect) Bit 11"
- "4396": "Undefined Access (no effect) Bit 12"
- "4397": "Undefined Access (no effect) Bit 13"
- "4398": "Undefined Access (no effect) Bit 14"
- "4399": "Undefined Access (no effect) Bit 15"
- "4416": "ReadData (or ListDirectory)"
- "4417": "WriteData (or AddFile)"
- "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)"
- "4419": "ReadEA"
- "4420": "WriteEA"
- "4421": "Execute/Traverse"
- "4422": "DeleteChild"
- "4423": "ReadAttributes"
- "4424": "WriteAttributes"
- "4425": "Undefined Access (no effect) Bit 9"
- "4426": "Undefined Access (no effect) Bit 10"
- "4427": "Undefined Access (no effect) Bit 11"
- "4428": "Undefined Access (no effect) Bit 12"
- "4429": "Undefined Access (no effect) Bit 13"
- "4430": "Undefined Access (no effect) Bit 14"
- "4431": "Undefined Access (no effect) Bit 15"
- "4432": "Query key value"
- "4433": "Set key value"
- "4434": "Create sub-key"
- "4435": "Enumerate sub-keys"
- "4436": "Notify about changes to keys"
- "4437": "Create Link"
- "4438": "Undefined Access (no effect) Bit 6"
- "4439": "Undefined Access (no effect) Bit 7"
- "4440": "Enable 64(or 32) bit application to open 64 bit key"
- "4441": "Enable 64(or 32) bit application to open 32 bit key"
- "4442": "Undefined Access (no effect) Bit 10"
- "4443": "Undefined Access (no effect) Bit 11"
- "4444": "Undefined Access (no effect) Bit 12"
- "4445": "Undefined Access (no effect) Bit 13"
- "4446": "Undefined Access (no effect) Bit 14"
- "4447": "Undefined Access (no effect) Bit 15"
- "4448": "Query mutant state"
- "4449": "Undefined Access (no effect) Bit 1"
- "4450": "Undefined Access (no effect) Bit 2"
- "4451": "Undefined Access (no effect) Bit 3"
- "4452": "Undefined Access (no effect) Bit 4"
- "4453": "Undefined Access (no effect) Bit 5"
- "4454": "Undefined Access (no effect) Bit 6"
- "4455": "Undefined Access (no effect) Bit 7"
- "4456": "Undefined Access (no effect) Bit 8"
- "4457": "Undefined Access (no effect) Bit 9"
- "4458": "Undefined Access (no effect) Bit 10"
- "4459": "Undefined Access (no effect) Bit 11"
- "4460": "Undefined Access (no effect) Bit 12"
- "4461": "Undefined Access (no effect) Bit 13"
- "4462": "Undefined Access (no effect) Bit 14"
- "4463": "Undefined Access (no effect) Bit 15"
- "4464": "Communicate using port"
- "4465": "Undefined Access (no effect) Bit 1"
- "4466": "Undefined Access (no effect) Bit 2"
- "4467": "Undefined Access (no effect) Bit 3"
- "4468": "Undefined Access (no effect) Bit 4"
- "4469": "Undefined Access (no effect) Bit 5"
- "4470": "Undefined Access (no effect) Bit 6"
- "4471": "Undefined Access (no effect) Bit 7"
- "4472": "Undefined Access (no effect) Bit 8"
- "4473": "Undefined Access (no effect) Bit 9"
- "4474": "Undefined Access (no effect) Bit 10"
- "4475": "Undefined Access (no effect) Bit 11"
- "4476": "Undefined Access (no effect) Bit 12"
- "4477": "Undefined Access (no effect) Bit 13"
- "4478": "Undefined Access (no effect) Bit 14"
- "4479": "Undefined Access (no effect) Bit 15"
- "4480": "Force process termination"
- "4481": "Create new thread in process"
- "4482": "Set process session ID"
- "4483": "Perform virtual memory operation"
- "4484": "Read from process memory"
- "4485": "Write to process memory"
- "4486": "Duplicate handle into or out of process"
- "4487": "Create a subprocess of process"
- "4488": "Set process quotas"
- "4489": "Set process information"
- "4490": "Query process information"
- "4491": "Set process termination port"
- "4492": "Undefined Access (no effect) Bit 12"
- "4493": "Undefined Access (no effect) Bit 13"
- "4494": "Undefined Access (no effect) Bit 14"
- "4495": "Undefined Access (no effect) Bit 15"
- "4496": "Control profile"
- "4497": "Undefined Access (no effect) Bit 1"
- "4498": "Undefined Access (no effect) Bit 2"
- "4499": "Undefined Access (no effect) Bit 3"
- "4500": "Undefined Access (no effect) Bit 4"
- "4501": "Undefined Access (no effect) Bit 5"
- "4502": "Undefined Access (no effect) Bit 6"
- "4503": "Undefined Access (no effect) Bit 7"
- "4504": "Undefined Access (no effect) Bit 8"
- "4505": "Undefined Access (no effect) Bit 9"
- "4506": "Undefined Access (no effect) Bit 10"
- "4507": "Undefined Access (no effect) Bit 11"
- "4508": "Undefined Access (no effect) Bit 12"
- "4509": "Undefined Access (no effect) Bit 13"
- "4510": "Undefined Access (no effect) Bit 14"
- "4511": "Undefined Access (no effect) Bit 15"
- "4512": "Query section state"
- "4513": "Map section for write"
- "4514": "Map section for read"
- "4515": "Map section for execute"
- "4516": "Extend size"
- "4517": "Undefined Access (no effect) Bit 5"
- "4518": "Undefined Access (no effect) Bit 6"
- "4519": "Undefined Access (no effect) Bit 7"
- "4520": "Undefined Access (no effect) Bit 8"
- "4521": "Undefined Access (no effect) Bit 9"
- "4522": "Undefined Access (no effect) Bit 10"
- "4523": "Undefined Access (no effect) Bit 11"
- "4524": "Undefined Access (no effect) Bit 12"
- "4525": "Undefined Access (no effect) Bit 13"
- "4526": "Undefined Access (no effect) Bit 14"
- "4527": "Undefined Access (no effect) Bit 15"
- "4528": "Query semaphore state"
- "4529": "Modify semaphore state"
- "4530": "Undefined Access (no effect) Bit 2"
- "4531": "Undefined Access (no effect) Bit 3"
- "4532": "Undefined Access (no effect) Bit 4"
- "4533": "Undefined Access (no effect) Bit 5"
- "4534": "Undefined Access (no effect) Bit 6"
- "4535": "Undefined Access (no effect) Bit 7"
- "4536": "Undefined Access (no effect) Bit 8"
- "4537": "Undefined Access (no effect) Bit 9"
- "4538": "Undefined Access (no effect) Bit 10"
- "4539": "Undefined Access (no effect) Bit 11"
- "4540": "Undefined Access (no effect) Bit 12"
- "4541": "Undefined Access (no effect) Bit 13"
- "4542": "Undefined Access (no effect) Bit 14"
- "4543": "Undefined Access (no effect) Bit 15"
- "4544": "Use symbolic link"
- "4545": "Undefined Access (no effect) Bit 1"
- "4546": "Undefined Access (no effect) Bit 2"
- "4547": "Undefined Access (no effect) Bit 3"
- "4548": "Undefined Access (no effect) Bit 4"
- "4549": "Undefined Access (no effect) Bit 5"
- "4550": "Undefined Access (no effect) Bit 6"
- "4551": "Undefined Access (no effect) Bit 7"
- "4552": "Undefined Access (no effect) Bit 8"
- "4553": "Undefined Access (no effect) Bit 9"
- "4554": "Undefined Access (no effect) Bit 10"
- "4555": "Undefined Access (no effect) Bit 11"
- "4556": "Undefined Access (no effect) Bit 12"
- "4557": "Undefined Access (no effect) Bit 13"
- "4558": "Undefined Access (no effect) Bit 14"
- "4559": "Undefined Access (no effect) Bit 15"
- "4560": "Force thread termination"
- "4561": "Suspend or resume thread"
- "4562": "Send an alert to thread"
- "4563": "Get thread context"
- "4564": "Set thread context"
- "4565": "Set thread information"
- "4566": "Query thread information"
- "4567": "Assign a token to the thread"
- "4568": "Cause thread to directly impersonate another thread"
- "4569": "Directly impersonate this thread"
- "4570": "Undefined Access (no effect) Bit 10"
- "4571": "Undefined Access (no effect) Bit 11"
- "4572": "Undefined Access (no effect) Bit 12"
- "4573": "Undefined Access (no effect) Bit 13"
- "4574": "Undefined Access (no effect) Bit 14"
- "4575": "Undefined Access (no effect) Bit 15"
- "4576": "Query timer state"
- "4577": "Modify timer state"
- "4578": "Undefined Access (no effect) Bit 2"
- "4579": "Undefined Access (no effect) Bit 3"
- "4580": "Undefined Access (no effect) Bit 4"
- "4581": "Undefined Access (no effect) Bit 5"
- "4582": "Undefined Access (no effect) Bit 6"
- "4584": "Undefined Access (no effect) Bit 8"
- "4585": "Undefined Access (no effect) Bit 9"
- "4586": "Undefined Access (no effect) Bit 10"
- "4587": "Undefined Access (no effect) Bit 11"
- "4588": "Undefined Access (no effect) Bit 12"
- "4589": "Undefined Access (no effect) Bit 13"
- "4590": "Undefined Access (no effect) Bit 14"
- "4591": "Undefined Access (no effect) Bit 15"
- "4592": "AssignAsPrimary"
- "4593": "Duplicate"
- "4594": "Impersonate"
- "4595": "Query"
- "4596": "QuerySource"
- "4597": "AdjustPrivileges"
- "4598": "AdjustGroups"
- "4599": "AdjustDefaultDacl"
- "4600": "AdjustSessionID"
- "4601": "Undefined Access (no effect) Bit 9"
- "4602": "Undefined Access (no effect) Bit 10"
- "4603": "Undefined Access (no effect) Bit 11"
- "4604": "Undefined Access (no effect) Bit 12"
- "4605": "Undefined Access (no effect) Bit 13"
- "4606": "Undefined Access (no effect) Bit 14"
- "4607": "Undefined Access (no effect) Bit 15"
- "4608": "Create instance of object type"
- "4609": "Undefined Access (no effect) Bit 1"
- "4610": "Undefined Access (no effect) Bit 2"
- "4611": "Undefined Access (no effect) Bit 3"
- "4612": "Undefined Access (no effect) Bit 4"
- "4613": "Undefined Access (no effect) Bit 5"
- "4614": "Undefined Access (no effect) Bit 6"
- "4615": "Undefined Access (no effect) Bit 7"
- "4616": "Undefined Access (no effect) Bit 8"
- "4617": "Undefined Access (no effect) Bit 9"
- "4618": "Undefined Access (no effect) Bit 10"
- "4619": "Undefined Access (no effect) Bit 11"
- "4620": "Undefined Access (no effect) Bit 12"
- "4621": "Undefined Access (no effect) Bit 13"
- "4622": "Undefined Access (no effect) Bit 14"
- "4623": "Undefined Access (no effect) Bit 15"
- "4864": "Query State"
- "4865": "Modify State"
- "5120": "Channel read message"
- "5121": "Channel write message"
- "5122": "Channel query information"
- "5123": "Channel set information"
- "5124": "Undefined Access (no effect) Bit 4"
- "5125": "Undefined Access (no effect) Bit 5"
- "5126": "Undefined Access (no effect) Bit 6"
- "5127": "Undefined Access (no effect) Bit 7"
- "5128": "Undefined Access (no effect) Bit 8"
- "5129": "Undefined Access (no effect) Bit 9"
- "5130": "Undefined Access (no effect) Bit 10"
- "5131": "Undefined Access (no effect) Bit 11"
- "5132": "Undefined Access (no effect) Bit 12"
- "5133": "Undefined Access (no effect) Bit 13"
- "5134": "Undefined Access (no effect) Bit 14"
- "5135": "Undefined Access (no effect) Bit 15"
- "5136": "Assign process"
- "5137": "Set Attributes"
- "5138": "Query Attributes"
- "5139": "Terminate Job"
- "5140": "Set Security Attributes"
- "5141": "Undefined Access (no effect) Bit 5"
- "5142": "Undefined Access (no effect) Bit 6"
- "5143": "Undefined Access (no effect) Bit 7"
- "5144": "Undefined Access (no effect) Bit 8"
- "5145": "Undefined Access (no effect) Bit 9"
- "5146": "Undefined Access (no effect) Bit 10"
- "5147": "Undefined Access (no effect) Bit 11"
- "5148": "Undefined Access (no effect) Bit 12"
- "5149": "Undefined Access (no effect) Bit 13"
- "5150": "Undefined Access (no effect) Bit 14"
- "5151": "Undefined Access (no effect) Bit 15"
- "5376": "ConnectToServer"
- "5377": "ShutdownServer"
- "5378": "InitializeServer"
- "5379": "CreateDomain"
- "5380": "EnumerateDomains"
- "5381": "LookupDomain"
- "5382": "Undefined Access (no effect) Bit 6"
- "5383": "Undefined Access (no effect) Bit 7"
- "5384": "Undefined Access (no effect) Bit 8"
- "5385": "Undefined Access (no effect) Bit 9"
- "5386": "Undefined Access (no effect) Bit 10"
- "5387": "Undefined Access (no effect) Bit 11"
- "5388": "Undefined Access (no effect) Bit 12"
- "5389": "Undefined Access (no effect) Bit 13"
- "5390": "Undefined Access (no effect) Bit 14"
- "5391": "Undefined Access (no effect) Bit 15"
- "5392": "ReadPasswordParameters"
- "5393": "WritePasswordParameters"
- "5394": "ReadOtherParameters"
- "5395": "WriteOtherParameters"
- "5396": "CreateUser"
- "5397": "CreateGlobalGroup"
- "5398": "CreateLocalGroup"
- "5399": "GetLocalGroupMembership"
- "5400": "ListAccounts"
- "5401": "LookupIDs"
- "5402": "AdministerServer"
- "5403": "Undefined Access (no effect) Bit 11"
- "5404": "Undefined Access (no effect) Bit 12"
- "5405": "Undefined Access (no effect) Bit 13"
- "5406": "Undefined Access (no effect) Bit 14"
- "5407": "Undefined Access (no effect) Bit 15"
- "5408": "ReadInformation"
- "5409": "WriteAccount"
- "5410": "AddMember"
- "5411": "RemoveMember"
- "5412": "ListMembers"
- "5413": "Undefined Access (no effect) Bit 5"
- "5414": "Undefined Access (no effect) Bit 6"
- "5415": "Undefined Access (no effect) Bit 7"
- "5416": "Undefined Access (no effect) Bit 8"
- "5417": "Undefined Access (no effect) Bit 9"
- "5418": "Undefined Access (no effect) Bit 10"
- "5419": "Undefined Access (no effect) Bit 11"
- "5420": "Undefined Access (no effect) Bit 12"
- "5421": "Undefined Access (no effect) Bit 13"
- "5422": "Undefined Access (no effect) Bit 14"
- "5423": "Undefined Access (no effect) Bit 15"
- "5424": "AddMember"
- "5425": "RemoveMember"
- "5426": "ListMembers"
- "5427": "ReadInformation"
- "5428": "WriteAccount"
- "5429": "Undefined Access (no effect) Bit 5"
- "5430": "Undefined Access (no effect) Bit 6"
- "5431": "Undefined Access (no effect) Bit 7"
- "5432": "Undefined Access (no effect) Bit 8"
- "5433": "Undefined Access (no effect) Bit 9"
- "5434": "Undefined Access (no effect) Bit 10"
- "5435": "Undefined Access (no effect) Bit 11"
- "5436": "Undefined Access (no effect) Bit 12"
- "5437": "Undefined Access (no effect) Bit 13"
- "5438": "Undefined Access (no effect) Bit 14"
- "5439": "Undefined Access (no effect) Bit 15"
- "5440": "ReadGeneralInformation"
- "5441": "ReadPreferences"
- "5442": "WritePreferences"
- "5443": "ReadLogon"
- "5444": "ReadAccount"
- "5445": "WriteAccount"
- "5446": "ChangePassword (with knowledge of old password)"
- "5447": "SetPassword (without knowledge of old password)"
- "5448": "ListGroups"
- "5449": "ReadGroupMembership"
- "5450": "ChangeGroupMembership"
- "5451": "Undefined Access (no effect) Bit 11"
- "5452": "Undefined Access (no effect) Bit 12"
- "5453": "Undefined Access (no effect) Bit 13"
- "5454": "Undefined Access (no effect) Bit 14"
- "5455": "Undefined Access (no effect) Bit 15"
- "5632": "View non-sensitive policy information"
- "5633": "View system audit requirements"
- "5634": "Get sensitive policy information"
- "5635": "Modify domain trust relationships"
- "5636": "Create special accounts (for assignment of user rights)"
- "5637": "Create a secret object"
- "5638": "Create a privilege"
- "5639": "Set default quota limits"
- "5640": "Change system audit requirements"
- "5641": "Administer audit log attributes"
- "5642": "Enable/Disable LSA"
- "5643": "Lookup Names/SIDs"
- "5648": "Change secret value"
- "5649": "Query secret value"
- "5650": "Undefined Access (no effect) Bit 2"
- "5651": "Undefined Access (no effect) Bit 3"
- "5652": "Undefined Access (no effect) Bit 4"
- "5653": "Undefined Access (no effect) Bit 5"
- "5654": "Undefined Access (no effect) Bit 6"
- "5655": "Undefined Access (no effect) Bit 7"
- "5656": "Undefined Access (no effect) Bit 8"
- "5657": "Undefined Access (no effect) Bit 9"
- "5658": "Undefined Access (no effect) Bit 10"
- "5659": "Undefined Access (no effect) Bit 11"
- "5660": "Undefined Access (no effect) Bit 12"
- "5661": "Undefined Access (no effect) Bit 13"
- "5662": "Undefined Access (no effect) Bit 14"
- "5663": "Undefined Access (no effect) Bit 15"
- "5664": "Query trusted domain name/SID"
- "5665": "Retrieve the controllers in the trusted domain"
- "5666": "Change the controllers in the trusted domain"
- "5667": "Query the Posix ID offset assigned to the trusted domain"
- "5668": "Change the Posix ID offset assigned to the trusted domain"
- "5669": "Undefined Access (no effect) Bit 5"
- "5670": "Undefined Access (no effect) Bit 6"
- "5671": "Undefined Access (no effect) Bit 7"
- "5672": "Undefined Access (no effect) Bit 8"
- "5673": "Undefined Access (no effect) Bit 9"
- "5674": "Undefined Access (no effect) Bit 10"
- "5675": "Undefined Access (no effect) Bit 11"
- "5676": "Undefined Access (no effect) Bit 12"
- "5677": "Undefined Access (no effect) Bit 13"
- "5678": "Undefined Access (no effect) Bit 14"
- "5679": "Undefined Access (no effect) Bit 15"
- "5680": "Query account information"
- "5681": "Change privileges assigned to account"
- "5682": "Change quotas assigned to account"
- "5683": "Change logon capabilities assigned to account"
- "5684": "Change the Posix ID offset assigned to the accounted domain"
- "5685": "Undefined Access (no effect) Bit 5"
- "5686": "Undefined Access (no effect) Bit 6"
- "5687": "Undefined Access (no effect) Bit 7"
- "5688": "Undefined Access (no effect) Bit 8"
- "5689": "Undefined Access (no effect) Bit 9"
- "5690": "Undefined Access (no effect) Bit 10"
- "5691": "Undefined Access (no effect) Bit 11"
- "5692": "Undefined Access (no effect) Bit 12"
- "5693": "Undefined Access (no effect) Bit 13"
- "5694": "Undefined Access (no effect) Bit 14"
- "5695": "Undefined Access (no effect) Bit 15"
- "5696": "KeyedEvent Wait"
- "5697": "KeyedEvent Wake"
- "5698": "Undefined Access (no effect) Bit 2"
- "5699": "Undefined Access (no effect) Bit 3"
- "5700": "Undefined Access (no effect) Bit 4"
- "5701": "Undefined Access (no effect) Bit 5"
- "5702": "Undefined Access (no effect) Bit 6"
- "5703": "Undefined Access (no effect) Bit 7"
- "5704": "Undefined Access (no effect) Bit 8"
- "5705": "Undefined Access (no effect) Bit 9"
- "5706": "Undefined Access (no effect) Bit 10"
- "5707": "Undefined Access (no effect) Bit 11"
- "5708": "Undefined Access (no effect) Bit 12"
- "5709": "Undefined Access (no effect) Bit 13"
- "5710": "Undefined Access (no effect) Bit 14"
- "5711": "Undefined Access (no effect) Bit 15"
- "6656": "Enumerate desktops"
- "6657": "Read attributes"
- "6658": "Access Clipboard"
- "6659": "Create desktop"
- "6660": "Write attributes"
- "6661": "Access global atoms"
- "6662": "Exit windows"
- "6663": "Unused Access Flag"
- "6664": "Include this windowstation in enumerations"
- "6665": "Read screen"
- "6672": "Read Objects"
- "6673": "Create window"
- "6674": "Create menu"
- "6675": "Hook control"
- "6676": "Journal (record)"
- "6677": "Journal (playback)"
- "6678": "Include this desktop in enumerations"
- "6679": "Write objects"
- "6680": "Switch to this desktop"
- "6912": "Administer print server"
- "6913": "Enumerate printers"
- "6930": "Full Control"
- "6931": "Print"
- "6948": "Administer Document"
- "7168": "Connect to service controller"
- "7169": "Create a new service"
- "7170": "Enumerate services"
- "7171": "Lock service database for exclusive access"
- "7172": "Query service database lock state"
- "7173": "Set last-known-good state of service database"
- "7184": "Query service configuration information"
- "7185": "Set service configuration information"
- "7186": "Query status of service"
- "7187": "Enumerate dependencies of service"
- "7188": "Start the service"
- "7189": "Stop the service"
- "7190": "Pause or continue the service"
- "7191": "Query information from service"
- "7192": "Issue service-specific control commands"
- "7424": "DDE Share Read"
- "7425": "DDE Share Write"
- "7426": "DDE Share Initiate Static"
- "7427": "DDE Share Initiate Link"
- "7428": "DDE Share Request"
- "7429": "DDE Share Advise"
- "7430": "DDE Share Poke"
- "7431": "DDE Share Execute"
- "7432": "DDE Share Add Items"
- "7433": "DDE Share List Items"
- "7680": "Create Child"
- "7681": "Delete Child"
- "7682": "List Contents"
- "7683": "Write Self"
- "7684": "Read Property"
- "7685": "Write Property"
- "7686": "Delete Tree"
- "7687": "List Object"
- "7688": "Control Access"
- "7689": "Undefined Access (no effect) Bit 9"
- "7690": "Undefined Access (no effect) Bit 10"
- "7691": "Undefined Access (no effect) Bit 11"
- "7692": "Undefined Access (no effect) Bit 12"
- "7693": "Undefined Access (no effect) Bit 13"
- "7694": "Undefined Access (no effect) Bit 14"
- "7695": "Undefined Access (no effect) Bit 15"
- "7936": "Audit Set System Policy"
- "7937": "Audit Query System Policy"
- "7938": "Audit Set Per User Policy"
- "7939": "Audit Query Per User Policy"
- "7940": "Audit Enumerate Users"
- "7941": "Audit Set Options"
- "7942": "Audit Query Options"
- "8064": "Port sharing (read)"
- "8065": "Port sharing (write)"
- "8096": "Default credentials"
- "8097": "Credentials manager"
- "8098": "Fresh credentials"
- "8192": "Kerberos"
- "8193": "Preshared key"
- "8194": "Unknown authentication"
- "8195": "DES"
- "8196": "3DES"
- "8197": "MD5"
- "8198": "SHA1"
- "8199": "Local computer"
- "8200": "Remote computer"
- "8201": "No state"
- "8202": "Sent first (SA) payload"
- "8203": "Sent second (KE) payload"
- "8204": "Sent third (ID) payload"
- "8205": "Initiator"
- "8206": "Responder"
- "8207": "No state"
- "8208": "Sent first (SA) payload"
- "8209": "Sent final payload"
- "8210": "Complete"
- "8211": "Unknown"
- "8212": "Transport"
- "8213": "Tunnel"
- "8214": "IKE/AuthIP DoS prevention mode started"
- "8215": "IKE/AuthIP DoS prevention mode stopped"
- "8216": "Enabled"
- "8217": "Not enabled"
- "8218": "No state"
- "8219": "Sent first (EM attributes) payload"
- "8220": "Sent second (SSPI) payload"
- "8221": "Sent third (hash) payload"
- "8222": "IKEv1"
- "8223": "AuthIP"
- "8224": "Anonymous"
- "8225": "NTLM V2"
- "8226": "CGA"
- "8227": "Certificate"
- "8228": "SSL"
- "8229": "None"
- "8230": "DH group 1"
- "8231": "DH group 2"
- "8232": "DH group 14"
- "8233": "DH group ECP 256"
- "8234": "DH group ECP 384"
- "8235": "AES-128"
- "8236": "AES-192"
- "8237": "AES-256"
- "8238": "Certificate ECDSA P256"
- "8239": "Certificate ECDSA P384"
- "8240": "SSL ECDSA P256"
- "8241": "SSL ECDSA P384"
- "8242": "SHA 256"
- "8243": "SHA 384"
- "8244": "IKEv2"
- "8245": "EAP payload sent"
- "8246": "Authentication payload sent"
- "8247": "EAP"
- "8248": "DH group 24"
- "8272": "System"
- "8273": "Logon/Logoff"
- "8274": "Object Access"
- "8275": "Privilege Use"
- "8276": "Detailed Tracking"
- "8277": "Policy Change"
- "8278": "Account Management"
- "8279": "DS Access"
- "8280": "Account Logon"
- "8448": "Success removed"
- "8449": "Success Added"
- "8450": "Failure removed"
- "8451": "Failure Added"
- "8452": "Success include removed"
- "8453": "Success include added"
- "8454": "Success exclude removed"
- "8455": "Success exclude added"
- "8456": "Failure include removed"
- "8457": "Failure include added"
- "8458": "Failure exclude removed"
- "8459": "Failure exclude added"
- "12288": "Security State Change"
- "12289": "Security System Extension"
- "12290": "System Integrity"
- "12291": "IPsec Driver"
- "12292": "Other System Events"
- "12544": "Logon"
- "12545": "Logoff"
- "12546": "Account Lockout"
- "12547": "IPsec Main Mode"
- "12548": "Special Logon"
- "12549": "IPsec Quick Mode"
- "12550": "IPsec Extended Mode"
- "12551": "Other Logon/Logoff Events"
- "12552": "Network Policy Server"
- "12553": "User / Device Claims"
- "12554": "Group Membership"
- "12800": "File System"
- "12801": "Registry"
- "12802": "Kernel Object"
- "12803": "SAM"
- "12804": "Other Object Access Events"
- "12805": "Certification Services"
- "12806": "Application Generated"
- "12807": "Handle Manipulation"
- "12808": "File Share"
- "12809": "Filtering Platform Packet Drop"
- "12810": "Filtering Platform Connection"
- "12811": "Detailed File Share"
- "12812": "Removable Storage"
- "12813": "Central Policy Staging"
- "13056": "Sensitive Privilege Use"
- "13057": "Non Sensitive Privilege Use"
- "13058": "Other Privilege Use Events"
- "13312": "Process Creation"
- "13313": "Process Termination"
- "13314": "DPAPI Activity"
- "13315": "RPC Events"
- "13316": "Plug and Play Events"
- "13317": "Token Right Adjusted Events"
- "13568": "Audit Policy Change"
- "13569": "Authentication Policy Change"
- "13570": "Authorization Policy Change"
- "13571": "MPSSVC Rule-Level Policy Change"
- "13572": "Filtering Platform Policy Change"
- "13573": "Other Policy Change Events"
- "13824": "User Account Management"
- "13825": "Computer Account Management"
- "13826": "Security Group Management"
- "13827": "Distribution Group Management"
- "13828": "Application Group Management"
- "13829": "Other Account Management Events"
- "14080": "Directory Service Access"
- "14081": "Directory Service Changes"
- "14082": "Directory Service Replication"
- "14083": "Detailed Directory Service Replication"
- "14336": "Credential Validation"
- "14337": "Kerberos Service Ticket Operations"
- "14338": "Other Account Logon Events"
- "14339": "Kerberos Authentication Service"
- "14592": "Inbound"
- "14593": "Outbound"
- "14594": "Forward"
- "14595": "Bidirectional"
- "14596": "IP Packet"
- "14597": "Transport"
- "14598": "Forward"
- "14599": "Stream"
- "14600": "Datagram Data"
- "14601": "ICMP Error"
- "14602": "MAC 802.3"
- "14603": "MAC Native"
- "14604": "vSwitch"
- "14608": "Resource Assignment"
- "14609": "Listen"
- "14610": "Receive/Accept"
- "14611": "Connect"
- "14612": "Flow Established"
- "14614": "Resource Release"
- "14615": "Endpoint Closure"
- "14616": "Connect Redirect"
- "14617": "Bind Redirect"
- "14624": "Stream Packet"
- "14640": "ICMP Echo-Request"
- "14641": "vSwitch Ingress"
- "14642": "vSwitch Egress"
- "14672": ""
- "14673": "[NULL]"
- "14674": "Value Added"
- "14675": "Value Deleted"
- "14676": "Active Directory Domain Services"
- "14677": "Active Directory Lightweight Directory Services"
- "14678": "Yes"
- "14679": "No"
- "14680": "Value Added With Expiration Time"
- "14681": "Value Deleted With Expiration Time"
- "14688": "Value Auto Deleted With Expiration Time"
- "16384": "Add"
- "16385": "Delete"
- "16386": "Boot-time"
- "16387": "Persistent"
- "16388": "Not persistent"
- "16389": "Block"
- "16390": "Permit"
- "16391": "Callout"
- "16392": "MD5"
- "16393": "SHA-1"
- "16394": "SHA-256"
- "16395": "AES-GCM 128"
- "16396": "AES-GCM 192"
- "16397": "AES-GCM 256"
- "16398": "DES"
- "16399": "3DES"
- "16400": "AES-128"
- "16401": "AES-192"
- "16402": "AES-256"
- "16403": "Transport"
- "16404": "Tunnel"
- "16405": "Responder"
- "16406": "Initiator"
- "16407": "AES-GMAC 128"
- "16408": "AES-GMAC 192"
- "16409": "AES-GMAC 256"
- "16416": "AuthNoEncap Transport"
- "16896": "Enable WMI Account"
- "16897": "Execute Method"
- "16898": "Full Write"
- "16899": "Partial Write"
- "16900": "Provider Write"
- "16901": "Remote Access"
- "16902": "Subscribe"
- "16903": "Publish"
- reversed_descriptions:
- "..." : ["1831"]
- "3DES" : ["8196","16399"]
- "64-bit Integer" : ["1820"]
- "" : ["14672"]
- "" : ["1800"]
- "" : ["1794"]
- "" : ["1793"]
- "ACCESS_SYS_SEC" : ["1542"]
- "AES-128" : ["16400","8235"]
- "AES-192" : ["8236","16401"]
- "AES-256" : ["16402","8237"]
- "AES-GCM 128" : ["16395"]
- "AES-GCM 192" : ["16396"]
- "AES-GCM 256" : ["16397"]
- "AES-GMAC 128" : ["16407"]
- "AES-GMAC 192" : ["16408"]
- "AES-GMAC 256" : ["16409"]
- "Access Clipboard" : ["6658"]
- "Access global atoms" : ["6661"]
- "Account Disabled" : ["2080"]
- "Account Enabled" : ["2048"]
- "Account Locked" : ["2090"]
- "Account Lockout" : ["12546"]
- "Account Logon" : ["8280"]
- "Account Management" : ["8278"]
- "Account Unlocked" : ["2058"]
- "Account currently disabled." : ["2310"]
- "Account locked out." : ["2307"]
- "Account logon time restriction violation." : ["2311"]
- "Active Directory Domain Services" : ["14676"]
- "Active Directory Lightweight Directory Services" : ["14677"]
- "Add" : ["16384"]
- "Add context." : ["2491"]
- "Add function property." : ["2497"]
- "Add function provider." : ["2495"]
- "Add function." : ["2493"]
- "Add provider." : ["2489"]
- "AddMember" : ["5410","5424"]
- "AdjustDefaultDacl" : ["4599"]
- "AdjustGroups" : ["4598"]
- "AdjustPrivileges" : ["4597"]
- "AdjustSessionID" : ["4600"]
- "Administer Document" : ["6948"]
- "Administer audit log attributes" : ["5641"]
- "Administer print server" : ["6912"]
- "AdministerServer" : ["5402"]
- "All" : ["1797"]
- "An Error occured during Logon." : ["2304"]
- "Anonymous" : ["8224"]
- "AppendData (or AddSubdirectory or CreatePipeInstance)" : ["4418"]
- "Application Generated" : ["12806"]
- "Application Group Management" : ["13828"]
- "Assign Primary Token Privilege" : ["1603"]
- "Assign a token to the thread" : ["4567"]
- "Assign process" : ["5136"]
- "AssignAsPrimary" : ["4592"]
- "Audit Enumerate Users" : ["7940"]
- "Audit Policy Change" : ["13568"]
- "Audit Policy query/set API Operation" : ["1799"]
- "Audit Query Options" : ["7942"]
- "Audit Query Per User Policy" : ["7939"]
- "Audit Query System Policy" : ["7937"]
- "Audit Set Options" : ["7941"]
- "Audit Set Per User Policy" : ["7938"]
- "Audit Set System Policy" : ["7936"]
- "AuthIP" : ["8223"]
- "AuthNoEncap Transport" : ["16416"]
- "Authentication Policy Change" : ["13569"]
- "Authentication payload sent" : ["8246"]
- "Authorization Policy Change" : ["13570"]
- "Auto" : ["1849"]
- "Backup Privilege" : ["1617"]
- "Bidirectional" : ["14595"]
- "Bind Redirect" : ["14617"]
- "Blob" : ["1822"]
- "Block" : ["16389"]
- "Boolean" : ["1824"]
- "Boot-time" : ["16386"]
- "CGA" : ["8226"]
- "Callout" : ["16391"]
- "Cause thread to directly impersonate another thread" : ["4568"]
- "Central Policy Staging" : ["12813"]
- "Certificate" : ["8227"]
- "Certificate ECDSA P256" : ["8238"]
- "Certificate ECDSA P384" : ["8239"]
- "Certification Services" : ["12805"]
- "Change Hardware Environment Privilege" : ["1622"]
- "Change Notify (and Traverse) Privilege" : ["1623"]
- "Change logon capabilities assigned to account" : ["5683"]
- "Change privileges assigned to account" : ["5681"]
- "Change quotas assigned to account" : ["5682"]
- "Change secret value" : ["5648"]
- "Change system audit requirements" : ["5640"]
- "Change the Posix ID offset assigned to the accounted domain" : ["5684"]
- "Change the Posix ID offset assigned to the trusted domain" : ["5668"]
- "Change the controllers in the trusted domain" : ["5666"]
- "ChangeGroupMembership" : ["5450"]
- "ChangePassword 
(with knowledge of old password)" : ["5446"] - "Channel query information" : ["5122"] - "Channel read message" : ["5120"] - "Channel set information" : ["5123"] - "Channel write message" : ["5121"] - "Communicate using port" : ["4464"] - "Complete" : ["8210"] - "Computer Account Management" : ["13825"] - "Connect" : ["14611"] - "Connect Redirect" : ["14616"] - "Connect to service controller" : ["7168"] - "ConnectToServer" : ["5376"] - "Control Access" : ["7688"] - "Control profile" : ["4496"] - "Create Child" : ["7680"] - "Create Key." : ["2481"] - "Create Link" : ["4437"] - "Create Pagefile Privilege" : ["1615"] - "Create Permanent Object Privilege" : ["1616"] - "Create a new service" : ["7169"] - "Create a privilege" : ["5638"] - "Create a secret object" : ["5637"] - "Create a subprocess of process" : ["4487"] - "Create desktop" : ["6659"] - "Create instance of object type" : ["4608"] - "Create menu" : ["6674"] - "Create new thread in process" : ["4481"] - "Create object in directory" : ["4370"] - "Create special accounts (for assignment of user rights)" : ["5636"] - "Create sub-directory" : ["4371"] - "Create sub-key" : ["4434"] - "Create window" : ["6673"] - "CreateDomain" : ["5379"] - "CreateGlobalGroup" : ["5397"] - "CreateLocalGroup" : ["5398"] - "CreateUser" : ["5396"] - "Credential Validation" : ["14336"] - "Credentials manager" : ["8097"] - "DDE Share Add Items" : ["7432"] - "DDE Share Advise" : ["7429"] - "DDE Share Execute" : ["7431"] - "DDE Share Initiate Link" : ["7427"] - "DDE Share Initiate Static" : ["7426"] - "DDE Share List Items" : ["7433"] - "DDE Share Poke" : ["7430"] - "DDE Share Read" : ["7424"] - "DDE Share Request" : ["7428"] - "DDE Share Write" : ["7425"] - "DELETE" : ["1537"] - "DES" : ["16398","8195"] - "DH group 1" : ["8230"] - "DH group 14" : ["8232"] - "DH group 2" : ["8231"] - "DH group 24" : ["8248"] - "DH group ECP 256" : ["8233"] - "DH group ECP 384" : ["8234"] - "DPAPI Activity" : ["13314"] - "DS Access" : ["8279"] - "Datagram 
Data" : ["14600"] - "Debug Privilege" : ["1620"] - "Decrypt." : ["2484"] - "Default" : ["1846"] - "Default credentials" : ["8096"] - "Delegation" : ["1840"] - "Delete" : ["16385"] - "Delete Child" : ["7681"] - "Delete Key." : ["2482"] - "Delete Tree" : ["7686"] - "Delete key file." : ["2457"] - "DeleteChild" : ["4422"] - "Denied by" : ["1802"] - "Denied by ACE on parent folder" : ["1812"] - "Denied by Empty DACL" : ["1807"] - "Denied by Integrity Policy check" : ["1803"] - "Denied by Process Trust Label ACE" : ["1841"] - "Detailed Directory Service Replication" : ["14083"] - "Detailed File Share" : ["12811"] - "Detailed Tracking" : ["8276"] - "Device Access Bit 0" : ["4352"] - "Device Access Bit 1" : ["4353"] - "Device Access Bit 2" : ["4354"] - "Device Access Bit 3" : ["4355"] - "Device Access Bit 4" : ["4356"] - "Device Access Bit 5" : ["4357"] - "Device Access Bit 6" : ["4358"] - "Device Access Bit 7" : ["4359"] - "Device Access Bit 8" : ["4360"] - "Directly impersonate this thread" : ["4569"] - "Directory Service Access" : ["14080"] - "Directory Service Changes" : ["14081"] - "Directory Service Replication" : ["14082"] - "Disabled" : ["1796"] - "DisallowMmConfig" : ["1847"] - "Distribution Group Management" : ["13827"] - "Domain settings" : ["2487"] - "Domain sid inconsistent." : ["2314"] - "Don't Expire Password' - Disabled" : ["2057"] - "Don't Expire Password' - Enabled" : ["2089"] - "Don't Require Preauth' - Disabled" : ["2064"] - "Don't Require Preauth' - Enabled" : ["2096"] - "Duplicate" : ["4593"] - "Duplicate handle into or out of process" : ["4486"] - "EAP" : ["8247"] - "EAP payload sent" : ["8245"] - "Enable 64(or 32) bit application to open 32 bit key" : ["4441"] - "Enable 64(or 32) bit application to open 64 bit key" : ["4440"] - "Enable WMI Account" : ["16896"] - "Enable/Disable LSA" : ["5642"] - "Enabled" : ["1795","8216"] - "Encrypt." 
: ["2483"] - "Encrypted Text Password Allowed' - Disabled" : ["2059"] - "Encrypted Text Password Allowed' - Enabled" : ["2091"] - "Endpoint Closure" : ["14615"] - "Enumerate dependencies of service" : ["7187"] - "Enumerate desktops" : ["6656"] - "Enumerate printers" : ["6913"] - "Enumerate services" : ["7170"] - "Enumerate sub-keys" : ["4435"] - "EnumerateDomains" : ["5380"] - "Exclude Authorization Information' - Disabled" : ["2067"] - "Exclude Authorization Information' - Enabled" : ["2099"] - "Execute Method" : ["16897"] - "Execute/Traverse" : ["4421"] - "Existing registry value modified" : ["1905"] - "Exit windows" : ["6662"] - "Export of persistent cryptographic key." : ["2464"] - "Extend size" : ["4516"] - "FALSE" : ["1826"] - "FQBN" : ["1821"] - "Failed to unprotect persistent cryptographic key." : ["2448"] - "Failed to zero secret data." : ["2438"] - "Failure Added" : ["8451"] - "Failure exclude added" : ["8459"] - "Failure exclude removed" : ["8458"] - "Failure include added" : ["8457"] - "Failure include removed" : ["8456"] - "Failure removed" : ["8450"] - "File Share" : ["12808"] - "File System" : ["12800"] - "Filtering Platform Connection" : ["12810"] - "Filtering Platform Packet Drop" : ["12809"] - "Filtering Platform Policy Change" : ["13572"] - "Flow Established" : ["14612"] - "Force process termination" : ["4480"] - "Force thread termination" : ["4560"] - "Forward" : ["14598","14594"] - "Fresh credentials" : ["8098"] - "Friday" : ["1925"] - "Full Control" : ["6930"] - "Full Write" : ["16898"] - "Get sensitive policy information" : ["5634"] - "Get thread context" : ["4563"] - "GetLocalGroupMembership" : ["5399"] - "Granted by" : ["1801"] - "Granted by ACE on parent folder" : ["1811"] - "Granted by Central Access Rule" : ["1813"] - "Granted by NULL DACL" : ["1806"] - "Granted by NULL Security Descriptor" : ["1808"] - "Granted by Ownership" : ["1804"] - "Granted by parent folder's Central Access Rule" : ["1815"] - "Group Membership" : ["12554"] - 
"Handle Manipulation" : ["12807"] - "Home Directory Required' - Disabled" : ["2049"] - "Home Directory Required' - Enabled" : ["2081"] - "Hook control" : ["6675"] - "ICMP Echo-Request" : ["14640"] - "ICMP Error" : ["14601"] - "IKE/AuthIP DoS prevention mode started" : ["8214"] - "IKE/AuthIP DoS prevention mode stopped" : ["8215"] - "IKEv1" : ["8222"] - "IKEv2" : ["8244"] - "IP Packet" : ["14596"] - "IPsec Driver" : ["12291"] - "IPsec Extended Mode" : ["12550"] - "IPsec Main Mode" : ["12547"] - "IPsec Quick Mode" : ["12549"] - "Identification" : ["1832"] - "Impersonate" : ["4594"] - "Impersonation" : ["1833"] - "Import of persistent cryptographic key." : ["2465"] - "Inbound" : ["14592"] - "Include this desktop in enumerations" : ["6678"] - "Include this windowstation in enumerations" : ["6664"] - "Increase Memory Quota Privilege" : ["1605"] - "Increment Base Priority Privilege" : ["1614"] - "InitializeServer" : ["5378"] - "Initiator" : ["8205","16406"] - "Interdomain Trust Account' - Disabled" : ["2054"] - "Interdomain Trust Account' - Enabled" : ["2086"] - "Invalid" : ["1827"] - "Issue service-specific control commands" : ["7192"] - "Journal (playback)" : ["6677"] - "Journal (record)" : ["6676"] - "Kerberos" : ["8192"] - "Kerberos Authentication Service" : ["14339"] - "Kerberos Service Ticket Operations" : ["14337"] - "Kernel Object" : ["12802"] - "Key Derivation." : ["2501"] - "Key export checks failed." : ["2449"] - "Key failed pair wise consistency check." 
: ["2439"] - "KeyedEvent Wait" : ["5696"] - "KeyedEvent Wake" : ["5697"] - "List Contents" : ["7682"] - "List Object" : ["7687"] - "ListAccounts" : ["5400"] - "ListGroups" : ["5448"] - "ListMembers" : ["5412","5426"] - "Listen" : ["14609"] - "Load/Unload Driver Privilege" : ["1610"] - "Local computer" : ["8199"] - "Local settings" : ["2488"] - "Lock Memory Privilege" : ["1604"] - "Lock service database for exclusive access" : ["7171"] - "Logoff" : ["12545"] - "Logon" : ["12544"] - "Logon/Logoff" : ["8273"] - "Lookup Names/SIDs" : ["5643"] - "LookupDomain" : ["5381"] - "LookupIDs" : ["5401"] - "MAC 802.3" : ["14602"] - "MAC Native" : ["14603"] - "MAX_ALLOWED" : ["1543"] - "MD5" : ["16392","8197"] - "MNS Logon Account' - Disabled" : ["2053"] - "MNS Logon Account' - Enabled" : ["2085"] - "MPSSVC Rule-Level Policy Change" : ["13571"] - "Machine key." : ["2499"] - "Map section for execute" : ["4515"] - "Map section for read" : ["4514"] - "Map section for write" : ["4513"] - "Modify State" : ["4865"] - "Modify domain trust relationships" : ["5635"] - "Modify event state" : ["4385"] - "Modify semaphore state" : ["4529"] - "Modify timer state" : ["4577"] - "Monday" : ["1921"] - "NOT Granted by Central Access Rule" : ["1814"] - "NOT Granted by parent folder's Central Access Rule" : ["1816"] - "NTLM V2" : ["8225"] - "Network Policy Server" : ["12552"] - "New registry value created" : ["1904"] - "No" : ["14679","1843"] - "No state" : ["8207","8218","8201"] - "Non Sensitive Privilege Use" : ["13057"] - "None" : ["1798","8229"] - "Normal Account' - Disabled" : ["2052"] - "Normal Account' - Enabled" : ["2084"] - "Not Available" : ["1845"] - "Not Available." 
: ["2432"] - "Not Delegated' - Disabled" : ["2062"] - "Not Delegated' - Enabled" : ["2094"] - "Not enabled" : ["8217"] - "Not granted" : ["1805"] - "Not granted due to missing" : ["1810"] - "Not granted to AppContainers" : ["1830"] - "Not persistent" : ["16388"] - "Not used" : ["1601"] - "Notify about changes to keys" : ["4436"] - "Object Access" : ["8274"] - "Off" : ["1848"] - "Open Key." : ["2480"] - "Open key file." : ["2456"] - "Other Account Logon Events" : ["14338"] - "Other Account Management Events" : ["13829"] - "Other Logon/Logoff Events" : ["12551"] - "Other Object Access Events" : ["12804"] - "Other Policy Change Events" : ["13573"] - "Other Privilege Use Events" : ["13058"] - "Other System Events" : ["12292"] - "Outbound" : ["14593"] - "Partial Write" : ["16899"] - "Password Expired' - Disabled" : ["2065"] - "Password Expired' - Enabled" : ["2097"] - "Password Not Required' - Disabled" : ["2050"] - "Password Not Required' - Enabled" : ["2082"] - "Pause or continue the service" : ["7190"] - "Perform virtual memory operation" : ["4483"] - "Permit" : ["16390"] - "Persistent" : ["16387"] - "Plug and Play Events" : ["13316"] - "Policy Change" : ["8277"] - "Port sharing (read)" : ["8064"] - "Port sharing (write)" : ["8065"] - "Preshared key" : ["8193"] - "Print" : ["6931"] - "Privilege Use" : ["8275"] - "Process Creation" : ["13312"] - "Process Termination" : ["13313"] - "Profile Single Process Privilege" : ["1613"] - "Profile System Privilege" : ["1611"] - "Protect Kerberos Service Tickets with AES Keys' - Disabled" : ["2069"] - "Protect Kerberos Service Tickets with AES Keys' - Enabled" : ["2101"] - "Provider Write" : ["16900"] - "Publish" : ["16903"] - "Query" : ["4595"] - "Query Attributes" : ["5138"] - "Query State" : ["4864"] - "Query account information" : ["5680"] - "Query directory" : ["4368"] - "Query event state" : ["4384"] - "Query information from service" : ["7191"] - "Query key value" : ["4432"] - "Query mutant state" : ["4448"] - "Query 
process information" : ["4490"] - "Query secret value" : ["5649"] - "Query section state" : ["4512"] - "Query semaphore state" : ["4528"] - "Query service configuration information" : ["7184"] - "Query service database lock state" : ["7172"] - "Query status of service" : ["7186"] - "Query the Posix ID offset assigned to the trusted domain" : ["5667"] - "Query thread information" : ["4566"] - "Query timer state" : ["4576"] - "Query trusted domain name/SID" : ["5664"] - "QuerySource" : ["4596"] - "READ_CONTROL" : ["1538"] - "REG_BINARY" : ["1875"] - "REG_DWORD" : ["1876"] - "REG_DWORD_BIG_ENDIAN" : ["1877"] - "REG_EXPAND_SZ" : ["1874"] - "REG_FULL_RESOURCE_DESCRIPTOR" : ["1881"] - "REG_LINK" : ["1878"] - "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)" : ["1879"] - "REG_NONE" : ["1872"] - "REG_QWORD" : ["1883"] - "REG_RESOURCE_LIST" : ["1880"] - "REG_RESOURCE_REQUIREMENTS_LIST" : ["1882"] - "REG_SZ" : ["1873"] - "RPC Events" : ["13315"] - "Random number generation failed FIPS-140 pre-hash check." : ["2437"] - "Random number generator failure." : ["2436"] - "Read Objects" : ["6672"] - "Read Property" : ["7684"] - "Read attributes" : ["6657"] - "Read from process memory" : ["4484"] - "Read persisted key from file." : ["2458"] - "Read screen" : ["6665"] - "ReadAccount" : ["5444"] - "ReadAttributes" : ["4423"] - "ReadData (or ListDirectory)" : ["4416"] - "ReadEA" : ["4419"] - "ReadGeneralInformation" : ["5440"] - "ReadGroupMembership" : ["5449"] - "ReadInformation" : ["5427","5408"] - "ReadLogon" : ["5443"] - "ReadOtherParameters" : ["5394"] - "ReadPasswordParameters" : ["5392"] - "ReadPreferences" : ["5441"] - "Receive/Accept" : ["14610"] - "Registry" : ["12801"] - "Registry value deleted" : ["1906"] - "Remote Access" : ["16901"] - "Remote computer" : ["8200"] - "Remotely Shut System Down Privilege" : ["1624"] - "Removable Storage" : ["12812"] - "Remove context." : ["2492"] - "Remove function property." : ["2498"] - "Remove function provider." 
: ["2496"] - "Remove function." : ["2494"] - "Remove provider." : ["2490"] - "RemoveMember" : ["5425","5411"] - "Resource Assignment" : ["14608"] - "Resource Release" : ["14614"] - "Responder" : ["16405","8206"] - "Restore From Backup Privilege" : ["1618"] - "Retrieve the controllers in the trusted domain" : ["5665"] - "SAM" : ["12803"] - "SHA 256" : ["8242"] - "SHA 384" : ["8243"] - "SHA-1" : ["16393"] - "SHA-256" : ["16394"] - "SHA1" : ["8198"] - "SSL" : ["8228"] - "SSL ECDSA P256" : ["8240"] - "SSL ECDSA P384" : ["8241"] - "SYNCHRONIZE" : ["1541"] - "Saturday" : ["1926"] - "Secret agreement." : ["2486"] - "Security Group Management" : ["13826"] - "Security Privilege" : ["1608"] - "Security State Change" : ["12288"] - "Security System Extension" : ["12289"] - "Send an alert to thread" : ["4562"] - "Sensitive Privilege Use" : ["13056"] - "Sent final payload" : ["8209"] - "Sent first (EM attributes) payload" : ["8219"] - "Sent first (SA) payload" : ["8208","8202"] - "Sent second (KE) payload" : ["8203"] - "Sent second (SSPI) payload" : ["8220"] - "Sent third (ID) payload" : ["8204"] - "Sent third (hash) payload" : ["8221"] - "Server Trust Account' - Disabled" : ["2056"] - "Server Trust Account' - Enabled" : ["2088"] - "Set Attributes" : ["5137"] - "Set Security Attributes" : ["5140"] - "Set System Time Privilege" : ["1612"] - "Set default quota limits" : ["5639"] - "Set key value" : ["4433"] - "Set last-known-good state of service database" : ["7173"] - "Set process information" : ["4489"] - "Set process quotas" : ["4488"] - "Set process session ID" : ["4482"] - "Set process termination port" : ["4491"] - "Set service configuration information" : ["7185"] - "Set thread context" : ["4564"] - "Set thread information" : ["4565"] - "SetPassword (without knowledge of old password)" : ["5447"] - "Shutdown System Privilege" : ["1619"] - "ShutdownServer" : ["5377"] - "Sid" : ["1823"] - "Sign hash." : ["2485"] - "Signature verification failed." 
: ["2451"] - "Smartcard Required' - Disabled" : ["2060"] - "Smartcard Required' - Enabled" : ["2092"] - "Smartcard logon is required and was not used." : ["2315"] - "Special Logon" : ["12548"] - "Start the service" : ["7188"] - "Stop the service" : ["7189"] - "Stream" : ["14599"] - "Stream Packet" : ["14624"] - "String" : ["1818"] - "Subscribe" : ["16902"] - "Success Added" : ["8449"] - "Success exclude added" : ["8455"] - "Success exclude removed" : ["8454"] - "Success include added" : ["8453"] - "Success include removed" : ["8452"] - "Success removed" : ["8448"] - "Sunday" : ["1920"] - "Suspend or resume thread" : ["4561"] - "Switch to this desktop" : ["6680"] - "System" : ["1844","8272"] - "System Integrity" : ["12290"] - "TRUE" : ["1825"] - "Take Ownership Privilege" : ["1609"] - "Temp Duplicate Account' - Disabled" : ["2051"] - "Temp Duplicate Account' - Enabled" : ["2083"] - "Terminate Job" : ["5139"] - "The NetLogon component is not active." : ["2306"] - "The specified account's password has expired." : ["2309"] - "The specified user account has expired." : ["2305"] - "The user has not been granted the requested logon type at this machine." 
: ["2308"] - "Thursday" : ["1924"] - "Token Right Adjusted Events" : ["13317"] - "TokenElevationTypeDefault (1)" : ["1936"] - "TokenElevationTypeFull (2)" : ["1937"] - "TokenElevationTypeLimited (3)" : ["1938"] - "Transport" : ["14597","16403","8212"] - "Traverse" : ["4369"] - "Trusted Computer Base Privilege" : ["1607"] - "Trusted For Delegation' - Disabled" : ["2061"] - "Trusted For Delegation' - Enabled" : ["2093"] - "Trusted To Authenticate For Delegation' - Disabled" : ["2066"] - "Trusted To Authenticate For Delegation' - Enabled" : ["2098"] - "Tuesday" : ["1922"] - "Tunnel" : ["16404","8213"] - "Undefined Access (no effect) Bit 1" : ["4609","4545","4497","4465","4449"] - "Undefined Access (no effect) Bit 10" : ["4554","4618","4378","5418","4474","7690","5690","4442","4522","4458","4602","5658","5434","5146","5706","4426","5386","4362","4538","4570","4586","5674","4506","4394","5130"] - "Undefined Access (no effect) Bit 11" : ["4587","5435","5691","5675","4603","4379","5451","5387","5707","4619","7691","4395","4459","4427","4571","4363","4539","5403","4443","5147","4523","5131","4475","4555","4507","5419","5659"] - "Undefined Access (no effect) Bit 12" : ["5660","4364","4620","5708","4540","4428","4524","5148","5420","4508","5404","5452","4380","4460","4604","5436","4492","4396","4556","7692","5676","4588","4476","4572","4444","5132","5692","5388"] - "Undefined Access (no effect) Bit 13" : ["5149","5437","4477","5389","4525","4557","5421","4605","4541","4461","5677","5693","4509","4621","4589","4381","5405","4429","4445","4573","5661","4397","5709","4365","5453","7693","4493","5133"] - "Undefined Access (no effect) Bit 14" : ["4510","4366","4606","4462","4558","5694","4446","5710","5390","5438","4478","4398","4382","4590","5150","5454","5134","5678","7694","5662","4526","4622","5422","4574","4542","4494","4430","5406"] - "Undefined Access (no effect) Bit 15" : 
["4399","5679","4447","5391","5407","5135","4559","4591","5663","5439","4511","4431","4495","5151","4607","7695","4623","4575","4543","4479","5455","4367","4383","5695","5423","5711","4527","4463"] - "Undefined Access (no effect) Bit 2" : ["4450","4498","4466","5698","4386","5650","4610","4578","4530","4546"] - "Undefined Access (no effect) Bit 3" : ["4451","5699","4579","5651","4467","4387","4547","4611","4531","4499"] - "Undefined Access (no effect) Bit 4" : ["4372","5652","5124","4468","4580","4548","4500","4452","4532","5700","4612","4388"] - "Undefined Access (no effect) Bit 5" : ["5669","5701","5653","4517","4453","4469","4501","5125","4549","4533","4581","5429","5685","4373","5413","4389","4613","5141"] - "Undefined Access (no effect) Bit 6" : ["5654","4534","4502","4390","5414","5382","4550","4582","4518","4614","4438","4454","4374","5126","4470","5430","5702","5670","5686","5142"] - "Undefined Access (no effect) Bit 7" : ["4519","4455","5143","4375","5703","4471","5383","5415","4391","5687","5431","5655","4551","5127","4503","4439","5671","279","4535","4615"] - "Undefined Access (no effect) Bit 8" : ["5144","4376","5656","4552","4472","4504","4456","5128","4392","4616","4536","4584","4520","5432","5384","5672","5416","5704","5688"] - "Undefined Access (no effect) Bit 9" : ["5433","5145","4361","4457","4601","4537","4585","4393","4521","5657","5673","4553","7689","5385","4425","4505","4377","5689","5417","5705","4617","5129","4473"] - "Undefined UserAccountControl Bit 20' - Disabled" : ["2068"] - "Undefined UserAccountControl Bit 20' - Enabled" : ["2100"] - "Undefined UserAccountControl Bit 22' - Disabled" : ["2070"] - "Undefined UserAccountControl Bit 22' - Enabled" : ["2102"] - "Undefined UserAccountControl Bit 23' - Disabled" : ["2071"] - "Undefined UserAccountControl Bit 23' - Enabled" : ["2103"] - "Undefined UserAccountControl Bit 24' - Disabled" : ["2072"] - "Undefined UserAccountControl Bit 24' - Enabled" : ["2104"] - "Undefined UserAccountControl 
Bit 25' - Disabled" : ["2073"] - "Undefined UserAccountControl Bit 25' - Enabled" : ["2105"] - "Undefined UserAccountControl Bit 26' - Disabled" : ["2074"] - "Undefined UserAccountControl Bit 26' - Enabled" : ["2106"] - "Undefined UserAccountControl Bit 27' - Disabled" : ["2075"] - "Undefined UserAccountControl Bit 27' - Enabled" : ["2107"] - "Undefined UserAccountControl Bit 28' - Disabled" : ["2076"] - "Undefined UserAccountControl Bit 28' - Enabled" : ["2108"] - "Undefined UserAccountControl Bit 29' - Disabled" : ["2077"] - "Undefined UserAccountControl Bit 29' - Enabled" : ["2109"] - "Undefined UserAccountControl Bit 30' - Disabled" : ["2078"] - "Undefined UserAccountControl Bit 30' - Enabled" : ["2110"] - "Undefined UserAccountControl Bit 31' - Disabled" : ["2079"] - "Undefined UserAccountControl Bit 31' - Enabled" : ["2111"] - "Unknown" : ["8211"] - "Unknown Type" : ["1817"] - "Unknown authentication" : ["8194"] - "Unknown or unchecked" : ["1809"] - "Unknown specific access (bit 0)" : ["1552"] - "Unknown specific access (bit 1)" : ["1553"] - "Unknown specific access (bit 10)" : ["1562"] - "Unknown specific access (bit 11)" : ["1563"] - "Unknown specific access (bit 12)" : ["1564"] - "Unknown specific access (bit 13)" : ["1565"] - "Unknown specific access (bit 14)" : ["1566"] - "Unknown specific access (bit 15)" : ["1567"] - "Unknown specific access (bit 2)" : ["1554"] - "Unknown specific access (bit 3)" : ["1555"] - "Unknown specific access (bit 4)" : ["1556"] - "Unknown specific access (bit 5)" : ["1557"] - "Unknown specific access (bit 6)" : ["1558"] - "Unknown specific access (bit 7)" : ["1559"] - "Unknown specific access (bit 8)" : ["1560"] - "Unknown specific access (bit 9)" : ["1561"] - "Unknown user name or bad password." 
: ["2313"] - "Unsigned 64-bit Integer" : ["1819"] - "Unsolicited Input Privilege" : ["1606"] - "Unused Access Flag" : ["6663"] - "Unused message ID" : ["1536"] - "Use DES Key Only' - Disabled" : ["2063"] - "Use DES Key Only' - Enabled" : ["2095"] - "Use symbolic link" : ["4544"] - "User / Device Claims" : ["12553"] - "User Account Management" : ["13824"] - "User key." : ["2500"] - "User not allowed to logon at this computer." : ["2312"] - "Validation of public key failed." : ["2450"] - "Value Added" : ["14674"] - "Value Added With Expiration Time" : ["14680"] - "Value Auto Deleted With Expiration Time" : ["14688"] - "Value Deleted" : ["14675"] - "Value Deleted With Expiration Time" : ["14681"] - "View non-sensitive policy information" : ["5632"] - "View or Change Audit Log Privilege" : ["1621"] - "View system audit requirements" : ["5633"] - "WRITE_DAC" : ["1539"] - "WRITE_OWNER" : ["1540"] - "Wednesday" : ["1923"] - "Workstation Trust Account' - Disabled" : ["2055"] - "Workstation Trust Account' - Enabled" : ["2087"] - "Write Property" : ["7685"] - "Write Self" : ["7683"] - "Write attributes" : ["6660"] - "Write objects" : ["6679"] - "Write persisted key to file." 
: ["2459"] - "Write to process memory" : ["4485"] - "WriteAccount" : ["5409","5445","5428"] - "WriteAttributes" : ["4424"] - "WriteData (or AddFile)" : ["4417"] - "WriteEA" : ["4420"] - "WriteOtherParameters" : ["5395"] - "WritePasswordParameters" : ["5393"] - "WritePreferences" : ["5442"] - "Yes" : ["1842","14678"] - "[NULL]" : ["14673"] - "a Security Descriptor too long to display" : ["1829"] - "an ACE too long to display" : ["1828"] - "vSwitch" : ["14604"] - "vSwitch Egress" : ["14642"] - "vSwitch Ingress" : ["14641"] - AccessMaskDescriptions: - "0x00000001": Create Child - "0x00000002": Delete Child - "0x00000004": List Contents - "0x00000008": SELF - "0x00000010": Read Property - "0x00000020": Write Property - "0x00000040": Delete Treee - "0x00000080": List Object - "0x00000100": Control Access - "0x00010000": DELETE - "0x00020000": READ_CONTROL - "0x00040000": WRITE_DAC - "0x00080000": WRITE_OWNER - "0x00100000": SYNCHRONIZE - "0x00F00000": STANDARD_RIGHTS_REQUIRED - "0x001F0000": STANDARD_RIGHTS_ALL - "0x0000FFFF": SPECIFIC_RIGHTS_ALL - "0x01000000": ADS_RIGHT_ACCESS_SYSTEM_SECURITY - "0x10000000": ADS_RIGHT_GENERIC_ALL - "0x20000000": ADS_RIGHT_GENERIC_EXECUTE - "0x40000000": ADS_RIGHT_GENERIC_WRITE - "0x80000000": ADS_RIGHT_GENERIC_READ - source: |- - def split(String s) { - def f = new ArrayList(); - int last = 0; - for (; last < s.length() && Character.isWhitespace(s.charAt(last)); last++) {} - for (def i = last; i < s.length(); i++) { - if (!Character.isWhitespace(s.charAt(i))) { - continue; - } - f.add(s.substring(last, i)); - for (; i < s.length() && Character.isWhitespace(s.charAt(i)); i++) {} - last = i; - } - f.add(s.substring(last)); - return f; - } - if (ctx.winlog?.event_data?.FailureReason != null) { - def code = ctx.winlog.event_data.FailureReason.replace("%%",""); - def desc = params.descriptions[code]; - if (desc == null) { - desc = code; - } - if (desc != null) { - if (ctx.winlog?.logon == null ) { - HashMap hm = new HashMap(); - 
ctx.winlog.put("logon", hm); - } - if (ctx.winlog?.logon?.failure == null) { - HashMap hm = new HashMap(); - ctx.winlog.logon.put("failure", hm); - } - ctx.winlog.logon.failure.put("reason", desc); - } - } - if (ctx.winlog?.event_data?.AuditPolicyChanges != null) { - ArrayList results = new ArrayList(); - for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) { - def code = elem.replace("%%","").trim(); - if (params.descriptions.containsKey(code)) { - results.add(params.descriptions[code]); - } else { - results.add(code); - } - } - if (results.length > 0) { - ctx.winlog.event_data.put("AuditPolicyChangesDescription", results); - } - } - if (ctx.winlog?.event_data?.AccessList != null) { - ArrayList codes = new ArrayList(); - ArrayList results = new ArrayList(); - for (elem in split(ctx.winlog.event_data.AccessList)) { - def code = elem.replace("%%","").trim(); - if (code != "") { - codes.add(code); - } - if (params.descriptions.containsKey(code)) { - results.add(params.descriptions[code]); - } else { - results.add(code); - } - } - if (codes.length > 0) { - ctx.winlog.event_data.AccessList = codes; - } - if (results.length > 0) { - ctx.winlog.event_data.put("AccessListDescription", results); - } - } - if (ctx.winlog?.event_data?.Direction != null) { - def code = ctx.winlog.event_data.Direction.replace("%%","").trim(); - if (params.descriptions.containsKey(code)) { - ctx.winlog.event_data.put("DirectionDescription", params.descriptions[code]); - } - } - if (ctx.winlog?.event_data?.LayerName != null) { - def code = ctx.winlog.event_data.LayerName.replace("%%","").trim(); - if (params.descriptions.containsKey(code)) { - ctx.winlog.event_data.put("LayerNameDescription", params.descriptions[code]); - } - } - if (ctx.winlog?.event_data?.AccessMask != null) { - ArrayList list = new ArrayList(); - long accessMask; - for (elem in split(ctx.winlog.event_data.AccessMask)) { - if (elem.length() == 0) { - continue; - } - def code = elem.replace("%%","").trim(); 
- if (params.descriptions.containsKey(code)) { - list.add(params.descriptions[code]); - } else { - list.add(code); - if (params.reversed_descriptions.containsKey(code)) - code = params.reversed_descriptions[code][0]; - } - try { - def longCode = Long.decode(code).longValue(); - accessMask |= longCode; - } catch (Exception e) {} - } - if (list.length > 0) { - ctx.winlog.event_data.put("AccessMask", list); - } - - ArrayList desc = new ArrayList(); - def[] w = new def[] { null }; - for (long b = 0; b < 32; b++) { - long flag = 1L << b; - if ((accessMask & flag) == flag) { - w[0] = flag; - def fDesc = params.AccessMaskDescriptions[String.format("0x%08X", w)]; - if (fDesc != null) { - desc.add(fDesc); - } - } - } - if (desc.length > 0) { - ctx.winlog.event_data.put("AccessMaskDescription", desc); - } - ArrayList results = new ArrayList(); - } - - script: - lang: painless - ignore_failure: false - tag: 4625 and 4776 Set Status and SubStatus - description: 4625 and 4776 Set Status and SubStatus - # Descriptions of failure status codes. - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - params: - "0xc000005e": "There are currently no logon servers available to service the logon request." - "0xc0000064": "User logon with misspelled or bad user account" - "0xc000006a": "User logon with misspelled or bad password" - "0xc000006d": "This is either due to a bad username or authentication information" - "0xc000006e": "Unknown user name or bad password." - "0xc000006f": "User logon outside authorized hours" - "0xc0000070": "User logon from unauthorized workstation" - "0xc0000071": "User logon with expired password" - "0xc0000072": "User logon to account disabled by administrator" - "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation." 
- "0xc0000133": "Clocks between DC and other computer too far out of sync" - "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine" - "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed." - "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started." - "0xc0000193": "User logon with expired account" - "0xc0000224": "User is required to change password at next logon" - "0xc0000225": "Evidently a bug in Windows and not a risk" - "0xc0000234": "User logon with account locked" - "0xc00002ee": "Failure Reason: An Error occurred during Logon" - "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine." - "0xc0000371": "The local account store does not contain secret material for the specified account" - "0x0": "Status OK." - source: |- - if (ctx.winlog?.event_data?.Status == null || - ctx.event?.code == null || - !["4625", "4776"].contains(ctx.event.code)) { - return; - } - if (params.containsKey(ctx.winlog.event_data.Status)) { - if (ctx.winlog?.logon == null ) { - HashMap hm = new HashMap(); - ctx.winlog.put("logon", hm); - } - if (ctx.winlog?.logon?.failure == null) { - HashMap hm = new HashMap(); - ctx.winlog.logon.put("failure", hm); - } - ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]); - } - if (ctx.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) { - return; - } - if (ctx.winlog?.logon == null ) { - HashMap hm = new HashMap(); - ctx.winlog.put("logon", hm); - } - if (ctx.winlog?.logon?.failure == null) { - HashMap hm = new HashMap(); - ctx.winlog.logon.put("failure", hm); - } - ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]); - - script: - lang: painless - ignore_failure: false - tag: Set 
Trust Type - description: Set Trust Type - # Trust Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - params: - "1": "TRUST_TYPE_DOWNLEVEL" - "2": "TRUST_TYPE_UPLEVEL" - "3": "TRUST_TYPE_MIT" - "4": "TRUST_TYPE_DCE" - source: |- - if (ctx.winlog?.event_data?.TdoType == null) { - return; - } - if (!params.containsKey(ctx.winlog.event_data.TdoType)) { - return; - } - ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]); - - script: - lang: painless - ignore_failure: false - tag: Set Trust Direction - description: Set Trust Direction - # Trust Direction - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - params: - "0": "TRUST_DIRECTION_DISABLED" - "1": "TRUST_DIRECTION_INBOUND" - "2": "TRUST_DIRECTION_OUTBOUND" - "3": "TRUST_DIRECTION_BIDIRECTIONAL" - source: |- - if (ctx.winlog?.event_data?.TdoDirection == null) { - return; - } - if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) { - return; - } - ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]); - - script: - lang: painless - ignore_failure: false - tag: Set Trust Attributes - description: Set Trust Attributes - # Trust Attributes - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 - params: - "0": "UNDEFINED" - "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE" - "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY" - "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN" - "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE" - "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION" - "32": "TRUST_ATTRIBUTE_WITHIN_FOREST" - "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" - "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION" - "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION" - "1024": "TRUST_ATTRIBUTE_PIM_TRUST" - source: |- - if (ctx.winlog?.event_data?.TdoAttributes == null) { - return; - } - if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) { - return; - } - 
ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]); - - script: - lang: painless - ignore_failure: false - tag: Add Session Events - description: Add Session Events - source: |- - if (ctx.event?.code == null || - !["4778", "4779"].contains(ctx.event.code)) { - return; - } - //AccountName to user.name and related.user - if (ctx.winlog?.event_data?.AccountName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - ctx.user.put("name", ctx.winlog.event_data.AccountName); - if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) { - ctx.related.user.add(ctx.winlog.event_data.AccountName); - } - } - - //AccountDomain to user.domain - if (ctx.winlog?.event_data?.AccountDomain != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("domain", ctx.winlog.event_data.AccountDomain); - } - - //ClientAddress to source.ip and related.ip - if (ctx.winlog?.event_data?.ClientAddress != null && - ctx.winlog.event_data.ClientAddress != "-" && - ctx.winlog.event_data.ClientAddress != "Unknown") { - // Correct invalid IP address "LOCAL" - if (ctx?.winlog?.event_data?.ClientAddress == "LOCAL") { - ctx.winlog.event_data.ClientAddress="127.0.0.1"; - } - if (ctx.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.ip == null) { - ArrayList al = new ArrayList(); - ctx.related.put("ip", al); - } - ctx.source.put("ip", ctx.winlog.event_data.ClientAddress); - if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) { - ctx.related.ip.add(ctx.winlog.event_data.ClientAddress); - } - } - - //ClientName to source.domain - if 
(ctx.winlog?.event_data?.ClientName != null) { - if (ctx.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - ctx.source.put("domain", ctx.winlog.event_data.ClientName); - } - - //LogonID to winlog.logon.id - if (ctx.winlog?.event_data?.LogonID != null) { - if (ctx.winlog?.logon == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("logon", hm); - } - ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID); - } - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User - description: Copy Target User - source: |- - if (ctx.event?.code == null || - !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770", - "4771", "4776", "4964"].contains(ctx.event.code)) { - return; - } - - def targetUserId = ctx.winlog?.event_data?.TargetUserSid; - if (targetUserId == null) { - targetUserId = ctx.winlog?.event_data?.TargetSid; - } - - //TargetUserSid to user.id or user.target.id - if (targetUserId != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.user?.id == null) { - ctx.user.put("id", targetUserId); - } else { - if (ctx.user?.target == null) { - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - ctx.user.target.put("id", targetUserId); - } - } - - //TargetUserName to related.user and user.name or user.target.name - if (ctx.winlog?.event_data?.TargetUserName != null) { - def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@"); - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.user?.name == null) { - ctx.user.put("name", tun[0]); - } else { - if (ctx.user?.target == null) { - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - ctx.user.target.put("name", tun[0]); - } - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if 
(!ctx.related.user.contains(tun[0])) { - ctx.related.user.add(tun[0]); - } - } - //TargetUserDomain to user.domain or user.target.domain - if (ctx.winlog?.event_data?.TargetDomainName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.user?.domain == null) { - ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName); - } else { - if (ctx.user?.target == null){ - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName); - } - } -# split member name into parts based on comma ignoring escaped commas -# https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names - - split: - if: ctx.winlog?.event_data?.MemberName != null - field: winlog.event_data.MemberName - target_field: _temp.MemberNameParts - separator: "(?= 4) { - def domain = memberNameParts[3].replace("DC=", "").replace("dc=", ""); - ctx.user.target.put("domain", domain); - } - } - if (ctx.winlog?.event_data?.TargetUserSid != null) { - if (ctx.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - ctx.group.put("id", ctx.winlog.event_data.TargetUserSid); - } - if (ctx.winlog?.event_data?.TargetSid != null) { - if (ctx.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - ctx.group.put("id", ctx.winlog.event_data.TargetSid); - } - if (ctx.winlog?.event_data?.TargetUserName != null) { - if (ctx.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - ctx.group.put("name", ctx.winlog.event_data.TargetUserName); - } - if (ctx.winlog?.event_data?.TargetDomainName != null) { - if (ctx.group == null) { - HashMap hm = new HashMap(); - ctx.put("group", hm); - } - def domain = ctx.winlog.event_data.TargetDomainName.replace("DC=", "").replace("dc=", ""); - ctx.group.put("domain", domain); - } - if (ctx.user?.target != null) { - if (ctx.user?.target?.group == null) { - HashMap hm = new 
HashMap(); - ctx.user.target.put("group", hm); - } - if (ctx.group?.id != null) { - ctx.user.target.group.put("id", ctx.group.id); - } - if (ctx.group?.name != null) { - ctx.user.target.group.put("name", ctx.group.name); - } - if (ctx.group?.domain != null) { - ctx.user.target.group.put("domain", ctx.group.domain); - } - } - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User to Computer Object - description: Copy Target User to Computer Object - source: |- - if (ctx.event?.code == null || - !["4741", "4742", "4743"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.event_data?.TargetSid != null) { - if (ctx.winlog?.computerObject == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("computerObject", hm); - } - ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid); - } - if (ctx.winlog?.event_data?.TargetUserName != null) { - if (ctx.winlog?.computerObject == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("computerObject", hm); - } - ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName); - } - if (ctx.winlog?.event_data?.TargetDomainName != null) { - if (ctx.winlog?.computerObject == null) { - HashMap hm = new HashMap(); - ctx.winlog.put("computerObject", hm); - } - ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName); - } - - - set: - field: winlog.logon.id - copy_from: winlog.event_data.TargetLogonId - ignore_failure: false - if: ctx.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code) - - - script: - lang: painless - ignore_failure: false - tag: Copy Subject User from Event Data - description: Copy Subject User from Event Data - source: |- - if (ctx.event?.code == null || - !["4648", "4657", "4662", "4670", "4672", "4673", "4674", "4688", "4689", "4697", - "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713", "4716", "4717", - "4718", "4719", "4720", "4722", "4723", "4724", "4725", "4726", "4727", "4728", - "4729", "4730", 
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4739", - "4740", "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749", - "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", - "4760", "4761", "4762", "4763", "4764", "4767", "4781", "4797", "4798", "4799", - "4817", "4904", "4905", "4907", "4912", "5136", "5140", "5145", "5379", "5380", - "5381", "5382"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.event_data?.SubjectUserSid != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid); - } - if (ctx.winlog?.event_data?.SubjectUserName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - ctx.user.put("name", ctx.winlog.event_data.SubjectUserName); - if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) { - ctx.related.user.add(ctx.winlog.event_data.SubjectUserName); - } - } - if (ctx.winlog?.event_data?.SubjectDomainName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName); - } - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User to Target - description: Copy Target User to Target - source: |- - if (ctx?.event?.code == null || - !["4670", "4720", "4722", "4723", "4724", "4725", - "4726", "4738", "4740", "4767", "4798", "4817", - "4907", "4797"].contains(ctx.event.code)) { - return; - } - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.user?.target == null) { - HashMap hm = new HashMap(); - ctx.user.put("target", hm); - } - def userId = ctx?.winlog?.event_data?.TargetSid; - if (userId != 
null && userId != "" && userId != "-") ctx.user.target.id = userId; - def userName = ctx?.winlog?.event_data?.TargetUserName; - if (userName != null && userName != "" && userName != "-") { - ctx.user.target.name = userName; - def parts = userName.splitOnToken("@"); - if (parts.length > 1) { - ctx.user.target.name = parts[0]; - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(ctx.user.target.name)) { - ctx.related.user.add(ctx.user.target.name); - } - } - def userDomain = ctx?.winlog?.event_data?.TargetDomainName; - if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.target.domain = userDomain; - if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove("target"); - - - script: - lang: painless - ignore_failure: false - tag: Copy Target User to Effective - description: Copy Target User to Effective - source: |- - if (ctx?.event?.code == null || - !["4648", "4688"].contains(ctx.event.code)) { - return; - } - if (ctx?.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx?.user?.effective == null) { - HashMap hm = new HashMap(); - ctx.user.put("effective", hm); - } - def userId = ctx?.winlog?.event_data?.TargetUserSid; - if (userId != null && userId != "" && userId != "-") ctx.user.effective.id = userId; - def userName = ctx?.winlog?.event_data?.TargetUserName; - if (userName != null && userName != "" && userName != "-") { - ctx.user.effective.name = userName; - def parts = userName.splitOnToken("@"); - if (parts.length > 1) { - ctx.user.effective.name = parts[0]; - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(ctx.user.effective.name)) { - ctx.related.user.add(ctx.user.effective.name); - } - } - def userDomain = ctx?.winlog?.event_data?.TargetDomainName; - if (userDomain != null && userDomain != "" && userDomain != 
"-") ctx.user.effective.domain = userDomain; - if (ctx.user?.effective != null && ctx.user.effective.size() == 0) ctx.user.remove("effective"); - - - script: - lang: painless - ignore_failure: false - tag: Copy Subject User from user_data - description: Copy Subject User from user_data - source: |- - if (ctx.event?.code == null || - !["1102"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.user_data?.SubjectUserSid != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid); - } - if (ctx.winlog?.user_data?.SubjectUserName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - ctx.user.put("name", ctx.winlog.user_data.SubjectUserName); - if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) { - ctx.related.user.add(ctx.winlog.user_data.SubjectUserName); - } - } - if (ctx.winlog?.user_data?.SubjectDomainName != null) { - if (ctx.user == null) { - HashMap hm = new HashMap(); - ctx.put("user", hm); - } - ctx.user.put("domain", ctx.winlog.user_data.SubjectDomainName); - } - - - set: - field: winlog.logon.id - copy_from: winlog.event_data.SubjectLogonId - ignore_failure: true - - - set: - field: winlog.logon.id - copy_from: winlog.user_data.SubjectLogonId - ignore_failure: true - if: |- - ctx.event?.code != null && - ["1102"].contains(ctx.event.code) - - - script: - lang: painless - ignore_failure: false - tag: Rename Common Auth Fields - description: Rename Common Auth Fields - source: |- - if (ctx.event?.code == null || - !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625", - "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722", - "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730", - 
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740", - "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", - "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756", - "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764", - "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817", - "4904", "4905", "4907", "4912", "5140", "5145"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.event_data?.ProcessId != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - if (ctx.winlog.event_data.ProcessId instanceof String) { - Long pid = Long.decode(ctx.winlog.event_data.ProcessId); - ctx.process.put("pid", pid.longValue()); - } else { - ctx.process.put("pid", ctx.winlog.event_data.ProcessId); - } - ctx.winlog.event_data.remove("ProcessId"); - } - if (ctx.winlog?.event_data?.ProcessName != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - ctx.process.put("executable", ctx.winlog.event_data.ProcessName); - ctx.winlog.event_data.remove("ProcessName"); - } - if (ctx.winlog?.event_data?.IpAddress != null && - ctx.winlog.event_data.IpAddress != "-") { - if (ctx.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - ctx.source.put("ip", ctx.winlog.event_data.IpAddress); - ctx.winlog.event_data.remove("IpAddress"); - } - if (ctx.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") { - if (ctx.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort)); - ctx.winlog.event_data.remove("IpPort"); - } - if (ctx.winlog?.event_data?.WorkstationName != null) { - if (ctx.source == null) { - HashMap hm = new HashMap(); - ctx.put("source", hm); - } - ctx.source.put("domain", ctx.winlog.event_data.WorkstationName); - ctx.winlog.event_data.remove("WorkstationName"); - } - if (ctx.winlog?.event_data?.ClientAddress != null 
&& - ctx.winlog.event_data.ClientAddress != "-") { - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - ctx.related.put("ip", ctx.winlog.event_data.ClientAddress); - ctx.winlog.event_data.remove("ClientAddress"); - } - if (ctx.process?.name == null && ctx.process?.executable != null) { - def parts = ctx.process.executable.splitOnToken("\\"); - ctx.process.put("name", parts[-1]); - } - - - script: - lang: painless - ignore_failure: false - tag: Process Event 4688 - description: Process Event 4688 - source: |- - if (ctx.event?.code == null || - !["4688"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.event_data?.NewProcessId != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - if (ctx.winlog.event_data.NewProcessId instanceof String) { - Long pid = Long.decode(ctx.winlog.event_data.NewProcessId); - ctx.process.put("pid", pid.longValue()); - } else { - ctx.process.put("pid", ctx.winlog.event_data.NewProcessId); - } - ctx.winlog.event_data.remove("NewProcessId"); - } - if (ctx.winlog?.event_data?.NewProcessName != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - ctx.process.put("executable", ctx.winlog.event_data.NewProcessName); - ctx.winlog.event_data.remove("NewProcessName"); - } - if (ctx.winlog?.event_data?.ParentProcessName != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - if (ctx.process?.parent == null) { - HashMap hm = new HashMap(); - ctx.process.put("parent", hm); - } - ctx.process.parent.put("executable", ctx.winlog.event_data.ParentProcessName); - ctx.winlog.event_data.remove("ParentProcessName"); - } - if (ctx.process?.name == null && ctx.process?.executable != null) { - def parts = ctx.process.executable.splitOnToken("\\"); - ctx.process.put("name", parts[-1]); - } - if (ctx.process?.parent?.name == null && ctx.process?.parent?.executable != null) { - def 
parts = ctx.process.parent.executable.splitOnToken("\\"); - ctx.process.parent.put("name", parts[-1]); - } - if (ctx.winlog?.event_data?.ProcessId != null) { - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - if (ctx.process?.parent == null) { - HashMap hm = new HashMap(); - ctx.process.put("parent", hm); - } - if (ctx.winlog.event_data.ProcessId instanceof String) { - Long pid = Long.decode(ctx.winlog.event_data.ProcessId); - ctx.process.parent.put("pid", pid.longValue()); - } else { - ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId); - } - } - if (ctx.winlog?.event_data?.CommandLine != null) { - int start = 0; - int end = 0; - boolean in_quote = false; - ArrayList al = new ArrayList(); - for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) { - end = i; - if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) { - if (in_quote) { - in_quote = false; - } else { - in_quote = true; - } - } - if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) { - al.add(ctx.winlog.event_data.CommandLine.substring(start, end)); - start = i + 1; - } - if (i == ctx.winlog.event_data.CommandLine.length() - 1) { - al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1)); - } - } - if (ctx.process == null) { - HashMap hm = new HashMap(); - ctx.put("process", hm); - } - ctx.process.put("args", al); - ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); - } - if ((ctx.winlog?.event_data?.TargetUserName != null) && - (!ctx.winlog.event_data.TargetUserName.equals("-"))) { - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) { - ctx.related.user.add(ctx.winlog.event_data.TargetUserName); - } - } - - - append: - field: 
related.user - value: '{{winlog.event_data.SubjectUserName}}' - allow_duplicates: false - if: |- - ctx.event?.code != null && - ["4624", "4648", "4797", "5379", "5380", "5381", "5382"].contains(ctx.event.code) && - ctx.winlog?.event_data?.SubjectUserName != null && - ctx.winlog.event_data.SubjectUserName != "-" - - - append: - field: related.user - value: '{{winlog.event_data.TargetUserName}}' - allow_duplicates: false - if: |- - ctx.event?.code != null && - ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738", - "4740", "4767", "4797", "4798"].contains(ctx.event.code) && - ctx.winlog?.event_data?.TargetUserName != null && - ctx.winlog.event_data.TargetUserName != "-" - - - split: - field: winlog.event_data.PrivilegeList - separator: "\\s+" - if: |- - ctx.event?.code != null && - ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) && - ctx.winlog?.event_data?.PrivilegeList != null - - - set: - field: user.target.name - copy_from: winlog.event_data.OldTargetUserName - ignore_empty_value: true - - - set: - field: user.changes.name - copy_from: winlog.event_data.NewTargetUserName - ignore_empty_value: true - - - append: - field: related.user - value: '{{winlog.event_data.NewTargetUserName}}' - allow_duplicates: false - if: |- - ctx.winlog?.event_data?.NewTargetUserName != null && - ctx.winlog.event_data.NewTargetUserName != "-" - - - append: - field: related.user - value: '{{winlog.event_data.OldTargetUserName}}' - allow_duplicates: false - if: |- - ctx.winlog?.event_data?.OldTargetUserName != null && - ctx.winlog.event_data.OldTargetUserName != "-" - + - pipeline: + name: '{< IngestPipeline "security_standard" >}' + if: 'ctx.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx.winlog.provider_name)' - gsub: field: source.ip pattern: '^\[?::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(?:\](?::[0-9]+)?)?$' replacement: '$1' ignore_missing: true - + - geoip: + field: source.ip + 
target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true - append: field: related.ip value: '{{source.ip}}' 
@@ -3802,424 +43,23 @@ processors: if: |- ctx.source?.ip != null && ctx.source.ip != "-" - - - script: - lang: painless - ignore_failure: false - tag: Object Policy Change and SidListDesc - description: Object Policy Change and SidListDesc - # SDDL Ace Types - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - # SDDL Permissions - # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 - # Known SIDs - # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems - # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings - # Domain-specific SIDs - # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems - # Object Permission Flags - # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b - params: - AccountSIDDescription: - AO: Account operators - RU: Alias to allow previous Windows 2000 - AN: Anonymous logon - AU: Authenticated users - BA: Built-in administrators - BG: Built-in guests - BO: Backup operators - BU: Built-in users - CA: Certificate server administrators - CG: Creator group - CO: Creator owner - DA: Domain administrators - DC: Domain computers - DD: Domain controllers - DG: Domain guests - DU: Domain users - EA: Enterprise administrators - ED: Enterprise domain controllers - WD: Everyone - PA: Group Policy administrators - IU: Interactively logged-on user - LA: Local administrator - LG: Local guest - LS: Local service account - SY: Local system - NU: Network logon user - NO: Network configuration operators - NS: Network 
service account - PO: Printer operators - PS: Personal self - PU: Power users - RS: RAS servers group - RD: Terminal server users - RE: Replicator - RC: Restricted code - SA: Schema administrators - SO: Server operators - SU: Service logon user - S-1-0: Null Authority - S-1-0-0: Nobody - S-1-1: World Authority - S-1-1-0: Everyone - S-1-16-0: Untrusted Mandatory Level - S-1-16-12288: High Mandatory Level - S-1-16-16384: System Mandatory Level - S-1-16-20480: Protected Process Mandatory Level - S-1-16-28672: Secure Process Mandatory Level - S-1-16-4096: Low Mandatory Level - S-1-16-8192: Medium Mandatory Level - S-1-16-8448: Medium Plus Mandatory Level - S-1-2: Local Authority - S-1-2-0: Local - S-1-2-1: Console Logon - S-1-3: Creator Authority - S-1-3-0: Creator Owner - S-1-3-1: Creator Group - S-1-3-2: Creator Owner Server - S-1-3-3: Creator Group Server - S-1-3-4: Owner Rights - S-1-4: Non-unique Authority - S-1-5: NT Authority - S-1-5-1: Dialup - S-1-5-10: Principal Self - S-1-5-11: Authenticated Users - S-1-5-12: Restricted Code - S-1-5-13: Terminal Server Users - S-1-5-14: Remote Interactive Logon - S-1-5-15: This Organization - S-1-5-17: This Organization - S-1-5-18: Local System - S-1-5-19: NT Authority - S-1-5-2: Network - S-1-5-20: NT Authority - S-1-5-3: Batch - S-1-5-32-544: Administrators - S-1-5-32-545: Users - S-1-5-32-546: Guests - S-1-5-32-547: Power Users - S-1-5-32-548: Account Operators - S-1-5-32-549: Server Operators - S-1-5-32-550: Print Operators - S-1-5-32-551: Backup Operators - S-1-5-32-552: Replicators - S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access - S-1-5-32-555: Builtin\Remote Desktop Users - S-1-5-32-556: Builtin\Network Configuration Operators - S-1-5-32-557: Builtin\Incoming Forest Trust Builders - S-1-5-32-558: Builtin\Performance Monitor Users - S-1-5-32-559: Builtin\Performance Log Users - S-1-5-32-560: Builtin\Windows Authorization Access Group - S-1-5-32-561: Builtin\Terminal Server License Servers - S-1-5-32-562: 
Builtin\Distributed COM Users - S-1-5-32-569: Builtin\Cryptographic Operators - S-1-5-32-573: Builtin\Event Log Readers - S-1-5-32-574: Builtin\Certificate Service DCOM Access - S-1-5-32-575: Builtin\RDS Remote Access Servers - S-1-5-32-576: Builtin\RDS Endpoint Servers - S-1-5-32-577: Builtin\RDS Management Servers - S-1-5-32-578: Builtin\Hyper-V Administrators - S-1-5-32-579: Builtin\Access Control Assistance Operators - S-1-5-32-580: Builtin\Remote Management Users - S-1-5-32-582: Storage Replica Administrators - S-1-5-4: Interactive - S-1-5-5-X-Y: Logon Session - S-1-5-6: Service - S-1-5-64-10: NTLM Authentication - S-1-5-64-14: SChannel Authentication - S-1-5-64-21: Digest Authentication - S-1-5-7: Anonymous - S-1-5-8: Proxy - S-1-5-80: NT Service - S-1-5-80-0: All Services - S-1-5-83-0: NT Virtual Machine\Virtual Machines - S-1-5-9: Enterprise Domain Controllers - S-1-5-90-0: Windows Manager\Windows Manager Group - AceTypes: - A: Access Allowed - D: Access Denied - OA: Object Access Allowed - OD: Object Access Denied - AU: System Audit - AL: System Alarm - OU: System Object Audit - OL: System Object Alarm - ML: System Mandatory Label - SP: Central Policy ID - DomainSpecificSID: - "498": Enterprise Read-only Domain Controllers - "500": Administrator - "501": Guest - "502": KRBTGT - "512": Domain Admins - "513": Domain Users - "514": Domain Guests - "515": Domain Computers - "516": Domain Controllers - "517": Cert Publishers - "518": Schema Admins - "519": Enterprise Admins - "520": Group Policy Creator Owners - "521": Read-only Domain Controllers - "522": Cloneable Domain Controllers - "526": Key Admins - "527": Enterprise Key Admins - "553": RAS and IAS Servers - "571": Allowed RODC Password Replication Group - "572": Denied RODC Password Replication Group - PermissionDescription: - GA: Generic All - GR: Generic Read - GW: Generic Write - GX: Generic Execute - RC: Read Permissions - SD: Delete - WD: Modify Permissions - WO: Modify Owner - RP: Read All 
Properties - WP: Write All Properties - CC: Create All Child Objects - DC: Delete All Child Objects - LC: List Contents - SW: All Validated - LO: List Object - DT: Delete Subtree - CR: All Extended Rights - FA: File All Access - FR: File Generic Read - FX: FILE GENERIC EXECUTE - FW: FILE GENERIC WRITE - KA: KEY ALL ACCESS - KR: KEY READ - KW: KEY WRITE - KX: KEY EXECUTE - PermsFlags: - "0x80000000": 'Generic Read' - "0x4000000": 'Generic Write' - "0x20000000": 'Generic Execute' - "0x10000000": 'Generic All' - "0x02000000": 'Maximum Allowed' - "0x01000000": 'Access System Security' - "0x00100000": 'Syncronize' - "0x00080000": 'Write Owner' - "0x00040000": 'Write DACL' - "0x00020000": 'Read Control' - "0x00010000": 'Delete' - source: |- - ArrayList translatePermissionMask(def mask, def params) { - ArrayList al = new ArrayList(); - Long permCode = Long.decode(mask); - for (entry in params.PermsFlags.entrySet()) { - Long permFlag = Long.decode(entry.getKey()); - if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) { - al.add(entry.getValue()); - } - } - if (al.length == 0) { - al.add(mask); - } - return al; - } - - HashMap translateACL(def dacl, def params) { - def aceArray = dacl.splitOnToken(";"); - HashMap hm = new HashMap(); - - if (aceArray.length >= 6 ) { - hm.put("grantee", translateSID(aceArray[5], params)); - } - - if (aceArray.length >= 1) { - hm.put("type", params.AceTypes[aceArray[0]]); - } - - if (aceArray.length >= 3) { - if (aceArray[2].startsWith("0x")) { - hm.put("perms", translatePermissionMask(aceArray[2], params)); - } else { - ArrayList al = new ArrayList(); - Pattern permPattern = /.{1,2}/; - Matcher permMatcher = permPattern.matcher(aceArray[2]); - while (permMatcher.find()) { - al.add(params.PermissionDescription[permMatcher.group(0)]); - } - hm.put("perms", al); - } - } - return hm; - } - String translateSID(def sid, def params) { - if (!params.AccountSIDDescription.containsKey(sid)) { - if (sid.startsWith("S-1-5-21")) { - 
Pattern uidPattern = /[0-9]{1,5}$/; - Matcher uidMatcher = uidPattern.matcher(sid); - if (uidMatcher.find()) { - return params.DomainSpecificSID[uidMatcher.group(0)]; - } - return sid; - } - return sid; - } - return params.AccountSIDDescription[sid]; - } - - void enrichSDDL(def sddlStr, def Sd, def params, def ctx) { - Pattern sdOwnerPattern = /^O\:[A-Z]{2}/; - Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr); - if (sdOwnerMatcher.find()) { - ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params)); - } - - Pattern sdGroupPattern = /^G\:[A-Z]{2}/; - Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr); - if (sdGroupMatcher.find()) { - ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params)); - } - - Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/; - Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr); - if (sdDaclMatcher.find()) { - Pattern dacListPattern = /\([^*\)]*\)/; - Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1)); - for (def i = 0; dacListMatcher.find(); i++) { - def newDacl = translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params); - ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")"); - if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) { - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(newDacl['grantee'])) { - ctx.related.user.add(newDacl['grantee']); - } - } - } - } - - Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/; - Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr); - if (sdSaclMatcher.find()) { - Pattern sacListPattern = /\([^*\)]*\)/; - Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0)); - for (def i = 0; sacListMatcher.find(); 
i++) { - def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params); - ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + newSacl['type'] + " (" + newSacl['perms'] + ")"); - if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) { - if (ctx.related == null) { - HashMap hm = new HashMap(); - ctx.put("related", hm); - } - if (ctx.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(newSacl['grantee'])) { - ctx.related.user.add(newSacl['grantee']); - } - } - } - } - } - - void splitSidList(def sids, def params, def ctx) { - ArrayList al = new ArrayList(); - def sidList = sids.splitOnToken(" "); - ctx.winlog.event_data.put("SidList", sidList); - for (def i = 0; i < sidList.length; i++ ) { - al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); - } - ctx.winlog.event_data.put("SidListDesc", al); - } - - if (ctx.event?.code == null || - !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) { - return; - } - if (ctx.winlog?.event_data?.OldSd != null) { - enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx); - } - if (ctx.winlog?.event_data?.NewSd != null) { - enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx); - } - if (ctx.winlog?.event_data?.SidList != null) { - splitSidList(ctx.winlog.event_data.SidList, params, ctx); - } - - - set: - field: file.name - copy_from: winlog.event_data.RelativeTargetName - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.RelativeTargetName != null && - ctx.winlog.event_data.RelativeTargetName != "" - - set: - field: file.directory - copy_from: winlog.event_data.ShareLocalPath - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.ShareLocalPath != null && - ctx.winlog.event_data.ShareLocalPath 
!= "" - - set: - field: file.path - value: "{{file.directory}}\\{{file.name}}" - if: ctx.file?.name != null && ctx.file?.directory != null - - set: - field: file.directory - copy_from: winlog.event_data.ShareLocalPath - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.ShareLocalPath != null && - ctx.winlog.event_data.ShareLocalPath != "" - - set: - field: file.target_path - value: "{{winlog.event_data.ShareName}}\\{{file.name}}" - if: |- - ctx.event?.code != null && - ["5140", "5145"].contains(ctx.event.code) && - ctx.winlog?.event_data?.ShareName != null && - ctx.winlog.event_data.ShareName != "" && - ctx.file?.name != null - - script: - description: Adds file information. - lang: painless - if: ctx.file?.name != null - source: |- - def extIdx = ctx.file.name.lastIndexOf("."); - if (extIdx > -1) { - ctx.file.extension = ctx.file.name.substring(extIdx+1); - } - convert: field: winlog.record_id type: string ignore_missing: true - - convert: field: winlog.event_id type: string ignore_missing: true - - set: field: ecs.version - value: '8.0.0' - + value: '8.17.0' - set: field: log.level copy_from: winlog.level ignore_empty_value: true ignore_failure: true if: ctx.winlog?.level != "" - - date: field: winlog.time_created tag: "time_created_date" @@ -4235,17 +75,14 @@ processors: value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - fail: message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - - #Cleanup _temp fields as it is not needed anymore - - remove: - field: _temp + - convert: + field: error.code + type: string ignore_missing: true - ignore_failure: true - on_failure: - set: field: event.kind value: pipeline_error - append: field: error.message - value: "{{{ _ingest.on_failure_message }}}" + value: "{{ _ingest.on_failure_message }}" 
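Review bot: This hunk drops the "Object Policy Change and SidListDesc" painless script (SDDL owner/group/DACL/SACL translation plus the related.user additions for Administrator/Guest/KRBTGT grantees on 4670/4817/4907/4908) and the 5140/5145 share-access file.name/file.directory/file.path/file.extension derivation, while the only new-side code left here is the winlog.record_id/winlog.event_id converts and the ecs.version bump to '8.17.0'. Nothing in this hunk re-establishes that enrichment, and the visible head of the new security_standard.yml stops before any SDDL or share-access handling, so it should be confirmed that those processors were carried over rather than silently lost, since detections keyed on NewSdDacl*/SidListDesc or file.name for network-share events would otherwise stop matching. A short pointer above the converts would help the next reader, e.g. `# Event-specific enrichment (SDDL/SidList translation, share-access file.* fields) is done in security_standard.yml, invoked earlier by provider_name.` The enclosing processors list starts and ends outside this hunk.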
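Review bot: The on_failure append changes the error.message template from `{{{ _ingest.on_failure_message }}}` to `{{ _ingest.on_failure_message }}`; double-mustache applies Mustache escaping, so a failure message containing `"`, `<`, `>` or `&` (painless errors routinely quote field names) would be stored with HTML entities instead of the original text. If the intent is to match the integration pipeline, confirm that is the form it uses; otherwise keep `value: "{{{ _ingest.on_failure_message }}}"`. Separately, the `remove` of `_temp` is deleted rather than moved; if any processor upstream (the called standard pipeline is not visible here) still writes under `_temp`, that scratch data now persists in indexed documents, so retaining the remove with `ignore_missing: true` is a harmless safety net. The added `convert` of error.code to string is fine as written.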
diff --git a/x-pack/winlogbeat/module/security/ingest/security_standard.yml b/x-pack/winlogbeat/module/security/ingest/security_standard.yml new file mode 100644 index 000000000000..68e74d61f1e1 --- /dev/null +++ b/x-pack/winlogbeat/module/security/ingest/security_standard.yml 
@@ -0,0 +1,4248 @@ +--- +description: Pipeline for Windows Security events +processors: + - convert: + field: event.code + type: string + ignore_missing: true + - script: + lang: painless + ignore_failure: false + tag: Set ECS categorization fields + description: Set ECS categorization fields + params: + "1100": + category: + - process + type: + - end + action: logging-service-shutdown + "1102": + category: + - iam + type: + - admin + - change + action: audit-log-cleared + "1104": + category: + - iam + type: + - admin + action: logging-full + "1105": + category: + - iam + type: + - admin + action: auditlog-archieved + "1108": + category: + - iam + type: + - admin + action: logging-processing-error + "4610": + category: + - configuration + type: + - access + action: authentication-package-loaded + "4611": + category: + - configuration + type: + - change + action: trusted-logon-process-registered + "4614": + category: + - configuration + type: + - access + action: notification-package-loaded + "4616": + category: + - configuration + type: + - change + action: system-time-changed + "4622": + category: + - configuration + type: + - access + action: security-package-loaded + "4624": + category: + - authentication + type: + - start + action: logged-in + "4625": + category: + - authentication + type: + - start + action: logon-failed + "4634": + category: + - authentication + type: + - end + action: logged-out + "4647": + category: + - authentication + type: + - end + action: logged-out + "4648": + category: + - authentication + type: + - start + action: logged-in-explicit + "4657": + category: + - registry + - configuration + type: + - change + action: registry-value-modified + "4662": + category: + - iam + - configuration + type: + - admin + - change + action: object-operation-performed + "4670": + category: + - iam + - configuration + type: + - admin + - change + action: permissions-changed + "4672": + category: + - iam + type: + - admin + action: logged-in-special + 
"4673": + category: + - iam + type: + - admin + action: privileged-service-called + "4674": + category: + - iam + type: + - admin + action: privileged-operation + "4688": + category: + - process + type: + - start + action: created-process + "4689": + category: + - process + type: + - end + action: exited-process + "4697": + category: + - iam + - configuration + type: + - admin + - change + action: service-installed + "4698": + category: + - iam + - configuration + type: + - creation + - admin + action: scheduled-task-created + "4699": + category: + - iam + - configuration + type: + - deletion + - admin + action: scheduled-task-deleted + "4700": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-enabled + "4701": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-disabled + "4702": + category: + - iam + - configuration + type: + - change + - admin + action: scheduled-task-updated + "4706": + category: + - configuration + type: + - creation + action: domain-trust-added + "4707": + category: + - configuration + type: + - deletion + action: domain-trust-removed + "4713": + category: + - configuration + type: + - change + action: kerberos-policy-changed + "4714": + category: + - configuration + type: + - change + action: encrypted-data-recovery-policy-changed + "4715": + category: + - configuration + type: + - change + action: object-audit-policy-changed + "4716": + category: + - configuration + type: + - change + action: trusted-domain-information-changed + "4717": + category: + - iam + - configuration + type: + - admin + - change + action: system-security-access-granted + "4718": + category: + - iam + - configuration + type: + - admin + - deletion + action: system-security-access-removed + "4719": + category: + - iam + - configuration + type: + - admin + - change + action: changed-audit-config + "4720": + category: + - iam + type: + - user + - creation + action: added-user-account + 
"4722": + category: + - iam + type: + - user + - change + action: enabled-user-account + "4723": + category: + - iam + type: + - user + - change + action: changed-password + "4724": + category: + - iam + type: + - user + - change + action: reset-password + "4725": + category: + - iam + type: + - user + - deletion + action: disabled-user-account + "4726": + category: + - iam + type: + - user + - deletion + action: deleted-user-account + "4727": + category: + - iam + type: + - group + - creation + action: added-group-account + "4728": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4729": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4730": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4731": + category: + - iam + type: + - group + - creation + action: added-group-account + "4732": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4733": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4734": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4735": + category: + - iam + type: + - group + - change + action: modified-group-account + "4737": + category: + - iam + type: + - group + - change + action: modified-group-account + "4738": + category: + - iam + type: + - user + - change + action: modified-user-account + "4739": + category: + - configuration + type: + - change + action: domain-policy-changed + "4740": + category: + - iam + type: + - user + - change + action: locked-out-user-account + "4741": + category: + - iam + type: + - creation + - admin + action: added-computer-account + "4742": + category: + - iam + type: + - change + - admin + action: changed-computer-account + "4743": + category: + - iam + type: + - deletion + - admin + action: deleted-computer-account + "4744": + category: + - iam + type: + - group + - creation + action: 
added-distribution-group-account + "4745": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4746": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4747": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4748": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4749": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4750": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4751": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4752": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4753": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4754": + category: + - iam + type: + - group + - creation + action: added-group-account + "4755": + category: + - iam + type: + - group + - change + action: modified-group-account + "4756": + category: + - iam + type: + - group + - change + action: added-member-to-group + "4757": + category: + - iam + type: + - group + - change + action: removed-member-from-group + "4758": + category: + - iam + type: + - group + - deletion + action: deleted-group-account + "4759": + category: + - iam + type: + - group + - creation + action: added-distribution-group-account + "4760": + category: + - iam + type: + - group + - change + action: changed-distribution-group-account + "4761": + category: + - iam + type: + - group + - change + action: added-member-to-distribution-group + "4762": + category: + - iam + type: + - group + - change + action: removed-member-from-distribution-group + "4763": + category: + - iam + type: + - group + - deletion + action: deleted-distribution-group-account + "4764": + category: + - iam 
+ type: + - group + - change + action: type-changed-group-account + "4767": + category: + - iam + type: + - user + - change + action: unlocked-user-account + "4768": + category: + - authentication + type: + - start + action: kerberos-authentication-ticket-requested + "4769": + category: + - authentication + type: + - start + action: kerberos-service-ticket-requested + "4770": + category: + - authentication + type: + - start + action: kerberos-service-ticket-renewed + "4771": + category: + - authentication + type: + - start + action: kerberos-preauth-failed + "4776": + category: + - authentication + type: + - start + action: credential-validated + "4778": + category: + - authentication + - session + type: + - start + action: session-reconnected + "4779": + category: + - authentication + - session + type: + - end + action: session-disconnected + "4781": + category: + - iam + type: + - user + - change + action: renamed-user-account + "4797": + category: + - iam + type: + - user + - info + action: query-existence-of-blank-password + "4798": + category: + - iam + type: + - user + - info + action: group-membership-enumerated + "4799": + category: + - iam + type: + - group + - info + action: user-member-enumerated + "4817": + category: + - iam + - configuration + type: + - admin + - change + action: object-audit-changed + "4902": + category: + - iam + - configuration + type: + - admin + - creation + action: user-audit-policy-created + "4904": + category: + - iam + - configuration + type: + - admin + - change + action: security-event-source-added + "4905": + category: + - iam + - configuration + type: + - admin + - deletion + action: security-event-source-removed + "4906": + category: + - iam + - configuration + type: + - admin + - change + action: crash-on-audit-changed + "4907": + category: + - iam + - configuration + type: + - admin + - change + action: audit-setting-changed + "4908": + category: + - iam + - configuration + type: + - admin + - change + action: 
special-group-table-changed + "4912": + category: + - iam + - configuration + type: + - admin + - change + action: per-user-audit-policy-changed + "4950": + category: + - configuration + type: + - change + action: windows-firewall-setting-changed + "4954": + category: + - configuration + type: + - change + action: windows-firewall-group-policy-changed + "4964": + category: + - iam + type: + - admin + - group + action: logged-in-special + "5024": + category: + - process + type: + - start + action: windows-firewall-service-started + "5025": + category: + - process + type: + - end + action: windows-firewall-service-stopped + "5033": + category: + - driver + type: + - start + action: windows-firewall-driver-started + "5034": + category: + - driver + type: + - end + action: windows-firewall-driver-stopped + "5037": + category: + - driver + type: + - end + action: windows-firewall-driver-error + "5136": + category: + - iam + - configuration + type: + - admin + - change + action: directory-service-object-modified + "5140": + category: + - network + - file + type: + - info + - access + action: network-share-object-accessed + "5145": + category: + - network + - file + type: + - info + - access + action: network-share-object-access-checked + "5379": + category: + - iam + type: + - user + - info + action: credential-manager-credentials-were-read + "5380": + category: + - iam + type: + - user + - info + action: vault-credential-find + "5381": + category: + - iam + type: + - user + - info + action: vault-credentials-were-read + "5382": + category: + - iam + type: + - user + - info + action: vault-credentials-were-read + source: |- + if (ctx.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + params.get(ctx.event.code).forEach((k, v) -> { + if (v instanceof List) { + ctx.event[k] = new ArrayList(v); + } else { + ctx.event[k] = v; + } + }); + - script: + lang: painless + ignore_failure: false + tag: Set Logon Type + description: Set Logon Type + # Logon 
Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events + params: + "2": Interactive + "3": Network + "4": Batch + "5": Service + "7": Unlock + "8": NetworkCleartext + "9": NewCredentials + "10": RemoteInteractive + "11": CachedInteractive + source: |- + if (ctx.winlog?.event_data?.LogonType == null) { + return; + } + def t = params.get(ctx.winlog.event_data.LogonType); + if (t == null) { + return; + } + if (ctx.winlog?.logon == null ) { + Map map = new HashMap(); + ctx.winlog.put("logon", map); + } + ctx.winlog.logon.put("type", t) + - script: + lang: painless + ignore_failure: false + tag: Set User Account Control + description: Set User Account Control + # User Account Control Attributes Table + # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380 + params: + "0x00000001": USER_ACCOUNT_DISABLED + "0x00000002": USER_HOME_DIRECTORY_REQUIRED + "0x00000004": USER_PASSWORD_NOT_REQUIRED + "0x00000008": USER_TEMP_DUPLICATE_ACCOUNT + "0x00000010": USER_NORMAL_ACCOUNT + "0x00000020": USER_MNS_LOGON_ACCOUNT + "0x00000040": USER_INTERDOMAIN_TRUST_ACCOUNT + "0x00000080": USER_WORKSTATION_TRUST_ACCOUNT + "0x00000100": USER_SERVER_TRUST_ACCOUNT + "0x00000200": USER_DONT_EXPIRE_PASSWORD + "0x00000400": USER_ACCOUNT_AUTO_LOCKED + "0x00000800": USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED + "0x00001000": USER_SMARTCARD_REQUIRED + "0x00002000": USER_TRUSTED_FOR_DELEGATION + "0x00004000": USER_NOT_DELEGATED + "0x00008000": USER_USE_DES_KEY_ONLY + "0x00010000": USER_DONT_REQUIRE_PREAUTH + "0x00020000": USER_PASSWORD_EXPIRED + "0x00040000": USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION + "0x00080000": USER_NO_AUTH_DATA_REQUIRED + "0x00100000": USER_PARTIAL_SECRETS_ACCOUNT + "0x00200000": USER_USE_AES_KEYS + source: |- + if (ctx.winlog?.event_data == null) { + return; + } + if (ctx.winlog.event_data.NewUacValue == null || ctx.winlog.event_data.NewUacValue == "-") { + return; + } + 
Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue);
+ ArrayList uacResult = new ArrayList();
+ for (entry in params.entrySet()) {
+ Long flag = Long.decode(entry.getKey());
+ if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) {
+ uacResult.add(entry.getValue());
+ }
+ }
+ if (uacResult.length == 0) {
+ return;
+ }
+ ctx.winlog.event_data.put("NewUACList", uacResult);
+ if (ctx.winlog.event_data.UserAccountControl == null || ctx.winlog.event_data.UserAccountControl == "-") {
+ return;
+ }
+ ArrayList uac_array = new ArrayList();
+ for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken((String)((char)0x0a))) {
+ def trimmed = elem.replace("%%","").trim();
+ if (trimmed.length() > 0) {
+ uac_array.add(trimmed);
+ }
+ }
+ ctx.winlog.event_data.UserAccountControl = uac_array;
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Kerberos Ticket Options
+ description: Set Kerberos Ticket Options
+ # Kerberos TGT and TGS Ticket Options
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
+ params:
+ "0x40000000": Forwardable
+ "0x20000000": Forwarded
+ "0x10000000": Proxiable
+ "0x08000000": Proxy
+ "0x04000000": Allow-postdate
+ "0x02000000": Postdated
+ "0x01000000": Invalid
+ "0x00800000": Renewable
+ "0x00400000": Initial
+ "0x00200000": Pre-authent
+ "0x00100000": Opt-hardware-auth
+ "0x00080000": Transited-policy-checked
+ "0x00040000": Ok-as-delegate
+ "0x00020000": Request-anonymous
+ "0x00010000": Name-canonicalize
+ "0x00000020": Disable-transited-check
+ "0x00000010": Renewable-ok
+ "0x00000008": Enc-tkt-in-skey
+ "0x00000002": Renew
+ "0x00000001": Validate
+ source: |-
+ if (ctx.winlog?.event_data?.TicketOptions == null) {
+ return;
+ }
+ Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions);
+ ArrayList tDescs = new ArrayList();
+ for (entry in params.entrySet()) {
+ Long flag = Long.decode(entry.getKey());
+ if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) {
+ tDescs.add(entry.getValue());
+ }
+ }
+ if (tDescs.length == 0) {
+ return;
+ }
+ ctx.winlog.event_data.put("TicketOptionsDescription", tDescs);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Kerberos Encryption Types
+ description: Set Kerberos Encryption Types
+ # Kerberos Encryption Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ params:
+ "0x1": DES-CBC-CRC
+ "0x3": DES-CBC-MD5
+ "0x11": AES128-CTS-HMAC-SHA1-96
+ "0x12": AES256-CTS-HMAC-SHA1-96
+ "0x17": RC4-HMAC
+ "0x18": RC4-HMAC-EXP
+ "0xffffffff": FAIL
+ source: |-
+ if (ctx.winlog?.event_data?.TicketEncryptionType == null) {
+ return;
+ }
+ ctx.winlog.event_data.put("TicketEncryptionTypeDescription",
+ params[ctx.winlog.event_data.TicketEncryptionType.toLowerCase()])
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Kerberos Ticket Status Codes
+ # Kerberos Result Status Codes
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
+ description: Set Kerberos Ticket Status Codes
+ params:
+ "0x0": KDC_ERR_NONE
+ "0x1": KDC_ERR_NAME_EXP
+ "0x2": KDC_ERR_SERVICE_EXP
+ "0x3": KDC_ERR_BAD_PVNO
+ "0x4": KDC_ERR_C_OLD_MAST_KVNO
+ "0x5": KDC_ERR_S_OLD_MAST_KVNO
+ "0x6": KDC_ERR_C_PRINCIPAL_UNKNOWN
+ "0x7": KDC_ERR_S_PRINCIPAL_UNKNOWN
+ "0x8": KDC_ERR_PRINCIPAL_NOT_UNIQUE
+ "0x9": KDC_ERR_NULL_KEY
+ "0xA": KDC_ERR_CANNOT_POSTDATE
+ "0xB": KDC_ERR_NEVER_VALID
+ "0xC": KDC_ERR_POLICY
+ "0xD": KDC_ERR_BADOPTION
+ "0xE": KDC_ERR_ETYPE_NOTSUPP
+ "0xF": KDC_ERR_SUMTYPE_NOSUPP
+ "0x10": KDC_ERR_PADATA_TYPE_NOSUPP
+ "0x11": KDC_ERR_TRTYPE_NO_SUPP
+ "0x12": KDC_ERR_CLIENT_REVOKED
+ "0x13": KDC_ERR_SERVICE_REVOKED
+ "0x14": KDC_ERR_TGT_REVOKED
+ "0x15": KDC_ERR_CLIENT_NOTYET
+ "0x16": KDC_ERR_SERVICE_NOTYET
+ "0x17": KDC_ERR_KEY_EXPIRED
+ "0x18": KDC_ERR_PREAUTH_FAILED
+ "0x19": KDC_ERR_PREAUTH_REQUIRED
+ "0x1A": KDC_ERR_SERVER_NOMATCH
+ "0x1B": KDC_ERR_MUST_USE_USER2USER
+ "0x1F": KRB_AP_ERR_BAD_INTEGRITY
+ "0x20": KRB_AP_ERR_TKT_EXPIRED
+ "0x21": KRB_AP_ERR_TKT_NYV
+ "0x22": KRB_AP_ERR_REPEAT
+ "0x23": KRB_AP_ERR_NOT_US
+ "0x24": KRB_AP_ERR_BADMATCH
+ "0x25": KRB_AP_ERR_SKEW
+ "0x26": KRB_AP_ERR_BADADDR
+ "0x27": KRB_AP_ERR_BADVERSION
+ "0x28": KRB_AP_ERR_MSG_TYPE
+ "0x29": KRB_AP_ERR_MODIFIED
+ "0x2A": KRB_AP_ERR_BADORDER
+ "0x2C": KRB_AP_ERR_BADKEYVER
+ "0x2D": KRB_AP_ERR_NOKEY
+ "0x2E": KRB_AP_ERR_MUT_FAIL
+ "0x2F": KRB_AP_ERR_BADDIRECTION
+ "0x30": KRB_AP_ERR_METHOD
+ "0x31": KRB_AP_ERR_BADSEQ
+ "0x32": KRB_AP_ERR_INAPP_CKSUM
+ "0x33": KRB_AP_PATH_NOT_ACCEPTED
+ "0x34": KRB_ERR_RESPONSE_TOO_BIG
+ "0x3C": KRB_ERR_GENERIC
+ "0x3D": KRB_ERR_FIELD_TOOLONG
+ "0x3E": KDC_ERR_CLIENT_NOT_TRUSTED
+ "0x3F": KDC_ERR_KDC_NOT_TRUSTED
+ "0x40": KDC_ERR_INVALID_SIG
+ "0x41": KDC_ERR_KEY_TOO_WEAK
+ "0x42": KRB_AP_ERR_USER_TO_USER_REQUIRED
+ "0x43": KRB_AP_ERR_NO_TGT
+ "0x44": KDC_ERR_WRONG_REALM
+ source: |-
+ if (ctx.winlog?.event_data?.Status == null ||
+ ctx.event?.code == null ||
+ !["4768", "4769", "4770", "4771"].contains(ctx.event.code)) {
+ return;
+ }
+ ctx.winlog.event_data.put("StatusDescription", params[ctx.winlog.event_data.Status]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Service Type and Name
+ description: Set Service Type and Name
+ # Services Types
+ # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
+ params:
+ "0x1": Kernel Driver
+ "0x2": File System Driver
+ "0x8": Recognizer Driver
+ "0x10": Win32 Own Process
+ "0x20": Win32 Share Process
+ "0x110": Interactive Own Process
+ "0x120": Interactive Share Process
+ source: |-
+ if (ctx.winlog?.event_data?.ServiceName != null) {
+ if (ctx.service == null) {
+ HashMap hm = new HashMap();
+ ctx.put("service", hm);
+ }
+ ctx.service.put("name", ctx.winlog.event_data.ServiceName);
+ }
+ if (ctx.winlog.event_data?.ServiceType != null) {
+ if (ctx.service == null) {
+ HashMap hm = new HashMap();
+ ctx.put("service", hm);
+ }
+ ctx.service.put("type", params[ctx.winlog.event_data.ServiceType]);
+ }
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Set Audit Information
+ description: Set Audit Information
+ params:
+ "0CCE9210-69AE-11D9-BED3-505054503030": ["Security State Change", "System"]
+ "0CCE9211-69AE-11D9-BED3-505054503030": ["Security System Extension", "System"]
+ "0CCE9212-69AE-11D9-BED3-505054503030": ["System Integrity", "System"]
+ "0CCE9213-69AE-11D9-BED3-505054503030": ["IPsec Driver", "System"]
+ "0CCE9214-69AE-11D9-BED3-505054503030": ["Other System Events", "System"]
+ "0CCE9215-69AE-11D9-BED3-505054503030": ["Logon", "Logon/Logoff"]
+ "0CCE9216-69AE-11D9-BED3-505054503030": ["Logoff","Logon/Logoff"]
+ "0CCE9217-69AE-11D9-BED3-505054503030": ["Account Lockout","Logon/Logoff"]
+ "0CCE9218-69AE-11D9-BED3-505054503030": ["IPsec Main Mode","Logon/Logoff"]
+ "0CCE9219-69AE-11D9-BED3-505054503030": ["IPsec Quick Mode","Logon/Logoff"]
+ "0CCE921A-69AE-11D9-BED3-505054503030": ["IPsec Extended Mode","Logon/Logoff"]
+ "0CCE921B-69AE-11D9-BED3-505054503030": ["Special Logon","Logon/Logoff"]
+ "0CCE921C-69AE-11D9-BED3-505054503030": ["Other Logon/Logoff Events","Logon/Logoff"]
+ "0CCE9243-69AE-11D9-BED3-505054503030": ["Network Policy Server","Logon/Logoff"]
+ "0CCE9247-69AE-11D9-BED3-505054503030": ["User / Device Claims","Logon/Logoff"]
+ "0CCE921D-69AE-11D9-BED3-505054503030": ["File System","Object Access"]
+ "0CCE921E-69AE-11D9-BED3-505054503030": ["Registry","Object Access"]
+ "0CCE921F-69AE-11D9-BED3-505054503030": ["Kernel Object","Object Access"]
+ "0CCE9220-69AE-11D9-BED3-505054503030": ["SAM","Object Access"]
+ "0CCE9221-69AE-11D9-BED3-505054503030": ["Certification Services","Object Access"]
+ "0CCE9222-69AE-11D9-BED3-505054503030": ["Application Generated","Object Access"]
+ "0CCE9223-69AE-11D9-BED3-505054503030": ["Handle Manipulation","Object Access"]
+ "0CCE9224-69AE-11D9-BED3-505054503030": ["File Share","Object Access"]
+ "0CCE9225-69AE-11D9-BED3-505054503030": ["Filtering Platform Packet Drop","Object Access"]
+ "0CCE9226-69AE-11D9-BED3-505054503030": ["Filtering Platform Connection ","Object Access"]
+ "0CCE9227-69AE-11D9-BED3-505054503030": ["Other Object Access Events","Object Access"]
+ "0CCE9244-69AE-11D9-BED3-505054503030": ["Detailed File Share","Object Access"]
+ "0CCE9245-69AE-11D9-BED3-505054503030": ["Removable Storage","Object Access"]
+ "0CCE9246-69AE-11D9-BED3-505054503030": ["Central Policy Staging","Object Access"]
+ "0CCE9228-69AE-11D9-BED3-505054503030": ["Sensitive Privilege Use","Privilege Use"]
+ "0CCE9229-69AE-11D9-BED3-505054503030": ["Non Sensitive Privilege Use","Privilege Use"]
+ "0CCE922A-69AE-11D9-BED3-505054503030": ["Other Privilege Use Events","Privilege Use"]
+ "0CCE922B-69AE-11D9-BED3-505054503030": ["Process Creation","Detailed Tracking"]
+ "0CCE922C-69AE-11D9-BED3-505054503030": ["Process Termination","Detailed Tracking"]
+ "0CCE922D-69AE-11D9-BED3-505054503030": ["DPAPI Activity","Detailed Tracking"]
+ "0CCE922E-69AE-11D9-BED3-505054503030": ["RPC Events","Detailed Tracking"]
+ "0CCE9248-69AE-11D9-BED3-505054503030": ["Plug and Play Events","Detailed Tracking"]
+ "0CCE922F-69AE-11D9-BED3-505054503030": ["Audit Policy Change","Policy Change"]
+ "0CCE9230-69AE-11D9-BED3-505054503030": ["Authentication Policy Change","Policy Change"]
+ "0CCE9231-69AE-11D9-BED3-505054503030": ["Authorization Policy Change","Policy Change"]
+ "0CCE9232-69AE-11D9-BED3-505054503030": ["MPSSVC Rule-Level Policy Change","Policy Change"]
+ "0CCE9233-69AE-11D9-BED3-505054503030": ["Filtering Platform Policy Change","Policy Change"]
+ "0CCE9234-69AE-11D9-BED3-505054503030": ["Other Policy Change Events","Policy Change"]
+ "0CCE9235-69AE-11D9-BED3-505054503030": ["User Account Management","Account Management"]
+ "0CCE9236-69AE-11D9-BED3-505054503030": ["Computer Account Management","Account Management"]
+ "0CCE9237-69AE-11D9-BED3-505054503030": ["Security Group Management","Account Management"]
+ "0CCE9238-69AE-11D9-BED3-505054503030": ["Distribution Group Management","Account Management"]
+ "0CCE9239-69AE-11D9-BED3-505054503030": ["Application Group Management","Account Management"]
+ "0CCE923A-69AE-11D9-BED3-505054503030": ["Other Account Management Events","Account Management"]
+ "0CCE923B-69AE-11D9-BED3-505054503030": ["Directory Service Access","Account Management"]
+ "0CCE923C-69AE-11D9-BED3-505054503030": ["Directory Service Changes","Account Management"]
+ "0CCE923D-69AE-11D9-BED3-505054503030": ["Directory Service Replication","Account Management"]
+ "0CCE923E-69AE-11D9-BED3-505054503030": ["Detailed Directory Service Replication","Account Management"]
+ "0CCE923F-69AE-11D9-BED3-505054503030": ["Credential Validation","Account Logon"]
+ "0CCE9240-69AE-11D9-BED3-505054503030": ["Kerberos Service Ticket Operations","Account Logon"]
+ "0CCE9241-69AE-11D9-BED3-505054503030": ["Other Account Logon Events","Account Logon"]
+ "0CCE9242-69AE-11D9-BED3-505054503030": ["Kerberos Authentication Service","Account Logon"]
+ source: |-
+ if (ctx.winlog?.event_data?.SubcategoryGuid == null) {
+ return;
+ }
+ def subCatGuid = ctx.winlog.event_data.SubcategoryGuid.replace("{","").replace("}","").toUpperCase();
+ if (!params.containsKey(subCatGuid)) {
+ return;
+ }
+ ctx.winlog.event_data.put("Category", params[subCatGuid][1]);
+ ctx.winlog.event_data.put("SubCategory", params[subCatGuid][0]);
+ - script:
+ lang: painless
+ ignore_failure: false
+ tag: Decode message table
+ description: Decode message table
+ # Message table extracted from msobjs.dll on Windows 2019.
+ # https://gist.github.com/andrewkroh/665dca0682bd0e4daf194ab291694012 + # https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b + params: + descriptions: + "279": "Undefined Access (no effect) Bit 7" + "1536": "Unused message ID" + "1537": "DELETE" + "1538": "READ_CONTROL" + "1539": "WRITE_DAC" + "1540": "WRITE_OWNER" + "1541": "SYNCHRONIZE" + "1542": "ACCESS_SYS_SEC" + "1543": "MAX_ALLOWED" + "1552": "Unknown specific access (bit 0)" + "1553": "Unknown specific access (bit 1)" + "1554": "Unknown specific access (bit 2)" + "1555": "Unknown specific access (bit 3)" + "1556": "Unknown specific access (bit 4)" + "1557": "Unknown specific access (bit 5)" + "1558": "Unknown specific access (bit 6)" + "1559": "Unknown specific access (bit 7)" + "1560": "Unknown specific access (bit 8)" + "1561": "Unknown specific access (bit 9)" + "1562": "Unknown specific access (bit 10)" + "1563": "Unknown specific access (bit 11)" + "1564": "Unknown specific access (bit 12)" + "1565": "Unknown specific access (bit 13)" + "1566": "Unknown specific access (bit 14)" + "1567": "Unknown specific access (bit 15)" + "1601": "Not used" + "1603": "Assign Primary Token Privilege" + "1604": "Lock Memory Privilege" + "1605": "Increase Memory Quota Privilege" + "1606": "Unsolicited Input Privilege" + "1607": "Trusted Computer Base Privilege" + "1608": "Security Privilege" + "1609": "Take Ownership Privilege" + "1610": "Load/Unload Driver Privilege" + "1611": "Profile System Privilege" + "1612": "Set System Time Privilege" + "1613": "Profile Single Process Privilege" + "1614": "Increment Base Priority Privilege" + "1615": "Create Pagefile Privilege" + "1616": "Create Permanent Object Privilege" + "1617": "Backup Privilege" + "1618": "Restore From Backup Privilege" + "1619": "Shutdown System Privilege" + "1620": "Debug Privilege" + "1621": "View or Change 
Audit Log Privilege" + "1622": "Change Hardware Environment Privilege" + "1623": "Change Notify (and Traverse) Privilege" + "1624": "Remotely Shut System Down Privilege" + "1792": "" + "1794": "" + "1795": "Enabled" + "1796": "Disabled" + "1797": "All" + "1798": "None" + "1799": "Audit Policy query/set API Operation" + "1800": "" + "1801": "Granted by" + "1802": "Denied by" + "1803": "Denied by Integrity Policy check" + "1804": "Granted by Ownership" + "1805": "Not granted" + "1806": "Granted by NULL DACL" + "1807": "Denied by Empty DACL" + "1808": "Granted by NULL Security Descriptor" + "1809": "Unknown or unchecked" + "1810": "Not granted due to missing" + "1811": "Granted by ACE on parent folder" + "1812": "Denied by ACE on parent folder" + "1813": "Granted by Central Access Rule" + "1814": "NOT Granted by Central Access Rule" + "1815": "Granted by parent folder's Central Access Rule" + "1816": "NOT Granted by parent folder's Central Access Rule" + "1817": "Unknown Type" + "1818": "String" + "1819": "Unsigned 64-bit Integer" + "1820": "64-bit Integer" + "1821": "FQBN" + "1822": "Blob" + "1823": "Sid" + "1824": "Boolean" + "1825": "TRUE" + "1826": "FALSE" + "1827": "Invalid" + "1828": "an ACE too long to display" + "1829": "a Security Descriptor too long to display" + "1830": "Not granted to AppContainers" + "1831": "..." + "1832": "Identification" + "1833": "Impersonation" + "1840": "Delegation" + "1841": "Denied by Process Trust Label ACE" + "1842": "Yes" + "1843": "No" + "1844": "System" + "1845": "Not Available" + "1846": "Default" + "1847": "DisallowMmConfig" + "1848": "Off" + "1849": "Auto" + "1872": "REG_NONE" + "1873": "REG_SZ" + "1874": "REG_EXPAND_SZ" + "1875": "REG_BINARY" + "1876": "REG_DWORD" + "1877": "REG_DWORD_BIG_ENDIAN" + "1878": "REG_LINK" + "1879": "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)" + "1880": "REG_RESOURCE_LIST" + "1881": "REG_FULL_RESOURCE_DESCRIPTOR" + "1882": "REG_RESOURCE_REQUIREMENTS_LIST" + "1883": "REG_QWORD" + "1904": "New registry value created" + "1905": "Existing registry value modified" + "1906": "Registry value deleted" + "1920": "Sunday" + "1921": "Monday" + "1922": "Tuesday" + "1923": "Wednesday" + "1924": "Thursday" + "1925": "Friday" + "1926": "Saturday" + "1936": "TokenElevationTypeDefault (1)" + "1937": "TokenElevationTypeFull (2)" + "1938": "TokenElevationTypeLimited (3)" + "2048": "Account Enabled" + "2049": "Home Directory Required' - Disabled" + "2050": "Password Not Required' - Disabled" + "2051": "Temp Duplicate Account' - Disabled" + "2052": "Normal Account' - Disabled" + "2053": "MNS Logon Account' - Disabled" + "2054": "Interdomain Trust Account' - Disabled" + "2055": "Workstation Trust Account' - Disabled" + "2056": "Server Trust Account' - Disabled" + "2057": "Don't Expire Password' - Disabled" + "2058": "Account Unlocked" + "2059": "Encrypted Text Password Allowed' - Disabled" + "2060": "Smartcard Required' - Disabled" + "2061": "Trusted For Delegation' - Disabled" + "2062": "Not Delegated' - Disabled" + "2063": "Use DES Key Only' - Disabled" + "2064": "Don't Require Preauth' - Disabled" + "2065": "Password Expired' - Disabled" + "2066": "Trusted To Authenticate For Delegation' - Disabled" + "2067": "Exclude Authorization Information' - Disabled" + "2068": "Undefined UserAccountControl Bit 20' - Disabled" + "2069": "Protect Kerberos Service Tickets with AES Keys' - Disabled" + "2070": "Undefined UserAccountControl Bit 22' - Disabled" + "2071": "Undefined UserAccountControl Bit 23' - Disabled" + "2072": "Undefined UserAccountControl Bit 24' - Disabled" + "2073": "Undefined UserAccountControl Bit 25' - Disabled" + "2074": "Undefined UserAccountControl Bit 26' - Disabled" + "2075": "Undefined UserAccountControl Bit 27' - Disabled" + "2076": "Undefined UserAccountControl Bit 28' - Disabled" 
+ "2077": "Undefined UserAccountControl Bit 29' - Disabled" + "2078": "Undefined UserAccountControl Bit 30' - Disabled" + "2079": "Undefined UserAccountControl Bit 31' - Disabled" + "2080": "Account Disabled" + "2081": "Home Directory Required' - Enabled" + "2082": "Password Not Required' - Enabled" + "2083": "Temp Duplicate Account' - Enabled" + "2084": "Normal Account' - Enabled" + "2085": "MNS Logon Account' - Enabled" + "2086": "Interdomain Trust Account' - Enabled" + "2087": "Workstation Trust Account' - Enabled" + "2088": "Server Trust Account' - Enabled" + "2089": "Don't Expire Password' - Enabled" + "2090": "Account Locked" + "2091": "Encrypted Text Password Allowed' - Enabled" + "2092": "Smartcard Required' - Enabled" + "2093": "Trusted For Delegation' - Enabled" + "2094": "Not Delegated' - Enabled" + "2095": "Use DES Key Only' - Enabled" + "2096": "Don't Require Preauth' - Enabled" + "2097": "Password Expired' - Enabled" + "2098": "Trusted To Authenticate For Delegation' - Enabled" + "2099": "Exclude Authorization Information' - Enabled" + "2100": "Undefined UserAccountControl Bit 20' - Enabled" + "2101": "Protect Kerberos Service Tickets with AES Keys' - Enabled" + "2102": "Undefined UserAccountControl Bit 22' - Enabled" + "2103": "Undefined UserAccountControl Bit 23' - Enabled" + "2104": "Undefined UserAccountControl Bit 24' - Enabled" + "2105": "Undefined UserAccountControl Bit 25' - Enabled" + "2106": "Undefined UserAccountControl Bit 26' - Enabled" + "2107": "Undefined UserAccountControl Bit 27' - Enabled" + "2108": "Undefined UserAccountControl Bit 28' - Enabled" + "2109": "Undefined UserAccountControl Bit 29' - Enabled" + "2110": "Undefined UserAccountControl Bit 30' - Enabled" + "2111": "Undefined UserAccountControl Bit 31' - Enabled" + "2304": "An Error occured during Logon." + "2305": "The specified user account has expired." + "2306": "The NetLogon component is not active." + "2307": "Account locked out." 
+ "2308": "The user has not been granted the requested logon type at this machine." + "2309": "The specified account's password has expired." + "2310": "Account currently disabled." + "2311": "Account logon time restriction violation." + "2312": "User not allowed to logon at this computer." + "2313": "Unknown user name or bad password." + "2314": "Domain sid inconsistent." + "2315": "Smartcard logon is required and was not used." + "2432": "Not Available." + "2436": "Random number generator failure." + "2437": "Random number generation failed FIPS-140 pre-hash check." + "2438": "Failed to zero secret data." + "2439": "Key failed pair wise consistency check." + "2448": "Failed to unprotect persistent cryptographic key." + "2449": "Key export checks failed." + "2450": "Validation of public key failed." + "2451": "Signature verification failed." + "2456": "Open key file." + "2457": "Delete key file." + "2458": "Read persisted key from file." + "2459": "Write persisted key to file." + "2464": "Export of persistent cryptographic key." + "2465": "Import of persistent cryptographic key." + "2480": "Open Key." + "2481": "Create Key." + "2482": "Delete Key." + "2483": "Encrypt." + "2484": "Decrypt." + "2485": "Sign hash." + "2486": "Secret agreement." + "2487": "Domain settings" + "2488": "Local settings" + "2489": "Add provider." + "2490": "Remove provider." + "2491": "Add context." + "2492": "Remove context." + "2493": "Add function." + "2494": "Remove function." + "2495": "Add function provider." + "2496": "Remove function provider." + "2497": "Add function property." + "2498": "Remove function property." + "2499": "Machine key." + "2500": "User key." + "2501": "Key Derivation." 
+ "4352": "Device Access Bit 0" + "4353": "Device Access Bit 1" + "4354": "Device Access Bit 2" + "4355": "Device Access Bit 3" + "4356": "Device Access Bit 4" + "4357": "Device Access Bit 5" + "4358": "Device Access Bit 6" + "4359": "Device Access Bit 7" + "4360": "Device Access Bit 8" + "4361": "Undefined Access (no effect) Bit 9" + "4362": "Undefined Access (no effect) Bit 10" + "4363": "Undefined Access (no effect) Bit 11" + "4364": "Undefined Access (no effect) Bit 12" + "4365": "Undefined Access (no effect) Bit 13" + "4366": "Undefined Access (no effect) Bit 14" + "4367": "Undefined Access (no effect) Bit 15" + "4368": "Query directory" + "4369": "Traverse" + "4370": "Create object in directory" + "4371": "Create sub-directory" + "4372": "Undefined Access (no effect) Bit 4" + "4373": "Undefined Access (no effect) Bit 5" + "4374": "Undefined Access (no effect) Bit 6" + "4375": "Undefined Access (no effect) Bit 7" + "4376": "Undefined Access (no effect) Bit 8" + "4377": "Undefined Access (no effect) Bit 9" + "4378": "Undefined Access (no effect) Bit 10" + "4379": "Undefined Access (no effect) Bit 11" + "4380": "Undefined Access (no effect) Bit 12" + "4381": "Undefined Access (no effect) Bit 13" + "4382": "Undefined Access (no effect) Bit 14" + "4383": "Undefined Access (no effect) Bit 15" + "4384": "Query event state" + "4385": "Modify event state" + "4386": "Undefined Access (no effect) Bit 2" + "4387": "Undefined Access (no effect) Bit 3" + "4388": "Undefined Access (no effect) Bit 4" + "4389": "Undefined Access (no effect) Bit 5" + "4390": "Undefined Access (no effect) Bit 6" + "4391": "Undefined Access (no effect) Bit 7" + "4392": "Undefined Access (no effect) Bit 8" + "4393": "Undefined Access (no effect) Bit 9" + "4394": "Undefined Access (no effect) Bit 10" + "4395": "Undefined Access (no effect) Bit 11" + "4396": "Undefined Access (no effect) Bit 12" + "4397": "Undefined Access (no effect) Bit 13" + "4398": "Undefined Access (no effect) Bit 14" + 
"4399": "Undefined Access (no effect) Bit 15" + "4416": "ReadData (or ListDirectory)" + "4417": "WriteData (or AddFile)" + "4418": "AppendData (or AddSubdirectory or CreatePipeInstance)" + "4419": "ReadEA" + "4420": "WriteEA" + "4421": "Execute/Traverse" + "4422": "DeleteChild" + "4423": "ReadAttributes" + "4424": "WriteAttributes" + "4425": "Undefined Access (no effect) Bit 9" + "4426": "Undefined Access (no effect) Bit 10" + "4427": "Undefined Access (no effect) Bit 11" + "4428": "Undefined Access (no effect) Bit 12" + "4429": "Undefined Access (no effect) Bit 13" + "4430": "Undefined Access (no effect) Bit 14" + "4431": "Undefined Access (no effect) Bit 15" + "4432": "Query key value" + "4433": "Set key value" + "4434": "Create sub-key" + "4435": "Enumerate sub-keys" + "4436": "Notify about changes to keys" + "4437": "Create Link" + "4438": "Undefined Access (no effect) Bit 6" + "4439": "Undefined Access (no effect) Bit 7" + "4440": "Enable 64(or 32) bit application to open 64 bit key" + "4441": "Enable 64(or 32) bit application to open 32 bit key" + "4442": "Undefined Access (no effect) Bit 10" + "4443": "Undefined Access (no effect) Bit 11" + "4444": "Undefined Access (no effect) Bit 12" + "4445": "Undefined Access (no effect) Bit 13" + "4446": "Undefined Access (no effect) Bit 14" + "4447": "Undefined Access (no effect) Bit 15" + "4448": "Query mutant state" + "4449": "Undefined Access (no effect) Bit 1" + "4450": "Undefined Access (no effect) Bit 2" + "4451": "Undefined Access (no effect) Bit 3" + "4452": "Undefined Access (no effect) Bit 4" + "4453": "Undefined Access (no effect) Bit 5" + "4454": "Undefined Access (no effect) Bit 6" + "4455": "Undefined Access (no effect) Bit 7" + "4456": "Undefined Access (no effect) Bit 8" + "4457": "Undefined Access (no effect) Bit 9" + "4458": "Undefined Access (no effect) Bit 10" + "4459": "Undefined Access (no effect) Bit 11" + "4460": "Undefined Access (no effect) Bit 12" + "4461": "Undefined Access (no effect) Bit 
13" + "4462": "Undefined Access (no effect) Bit 14" + "4463": "Undefined Access (no effect) Bit 15" + "4464": "Communicate using port" + "4465": "Undefined Access (no effect) Bit 1" + "4466": "Undefined Access (no effect) Bit 2" + "4467": "Undefined Access (no effect) Bit 3" + "4468": "Undefined Access (no effect) Bit 4" + "4469": "Undefined Access (no effect) Bit 5" + "4470": "Undefined Access (no effect) Bit 6" + "4471": "Undefined Access (no effect) Bit 7" + "4472": "Undefined Access (no effect) Bit 8" + "4473": "Undefined Access (no effect) Bit 9" + "4474": "Undefined Access (no effect) Bit 10" + "4475": "Undefined Access (no effect) Bit 11" + "4476": "Undefined Access (no effect) Bit 12" + "4477": "Undefined Access (no effect) Bit 13" + "4478": "Undefined Access (no effect) Bit 14" + "4479": "Undefined Access (no effect) Bit 15" + "4480": "Force process termination" + "4481": "Create new thread in process" + "4482": "Set process session ID" + "4483": "Perform virtual memory operation" + "4484": "Read from process memory" + "4485": "Write to process memory" + "4486": "Duplicate handle into or out of process" + "4487": "Create a subprocess of process" + "4488": "Set process quotas" + "4489": "Set process information" + "4490": "Query process information" + "4491": "Set process termination port" + "4492": "Undefined Access (no effect) Bit 12" + "4493": "Undefined Access (no effect) Bit 13" + "4494": "Undefined Access (no effect) Bit 14" + "4495": "Undefined Access (no effect) Bit 15" + "4496": "Control profile" + "4497": "Undefined Access (no effect) Bit 1" + "4498": "Undefined Access (no effect) Bit 2" + "4499": "Undefined Access (no effect) Bit 3" + "4500": "Undefined Access (no effect) Bit 4" + "4501": "Undefined Access (no effect) Bit 5" + "4502": "Undefined Access (no effect) Bit 6" + "4503": "Undefined Access (no effect) Bit 7" + "4504": "Undefined Access (no effect) Bit 8" + "4505": "Undefined Access (no effect) Bit 9" + "4506": "Undefined Access (no 
effect) Bit 10" + "4507": "Undefined Access (no effect) Bit 11" + "4508": "Undefined Access (no effect) Bit 12" + "4509": "Undefined Access (no effect) Bit 13" + "4510": "Undefined Access (no effect) Bit 14" + "4511": "Undefined Access (no effect) Bit 15" + "4512": "Query section state" + "4513": "Map section for write" + "4514": "Map section for read" + "4515": "Map section for execute" + "4516": "Extend size" + "4517": "Undefined Access (no effect) Bit 5" + "4518": "Undefined Access (no effect) Bit 6" + "4519": "Undefined Access (no effect) Bit 7" + "4520": "Undefined Access (no effect) Bit 8" + "4521": "Undefined Access (no effect) Bit 9" + "4522": "Undefined Access (no effect) Bit 10" + "4523": "Undefined Access (no effect) Bit 11" + "4524": "Undefined Access (no effect) Bit 12" + "4525": "Undefined Access (no effect) Bit 13" + "4526": "Undefined Access (no effect) Bit 14" + "4527": "Undefined Access (no effect) Bit 15" + "4528": "Query semaphore state" + "4529": "Modify semaphore state" + "4530": "Undefined Access (no effect) Bit 2" + "4531": "Undefined Access (no effect) Bit 3" + "4532": "Undefined Access (no effect) Bit 4" + "4533": "Undefined Access (no effect) Bit 5" + "4534": "Undefined Access (no effect) Bit 6" + "4535": "Undefined Access (no effect) Bit 7" + "4536": "Undefined Access (no effect) Bit 8" + "4537": "Undefined Access (no effect) Bit 9" + "4538": "Undefined Access (no effect) Bit 10" + "4539": "Undefined Access (no effect) Bit 11" + "4540": "Undefined Access (no effect) Bit 12" + "4541": "Undefined Access (no effect) Bit 13" + "4542": "Undefined Access (no effect) Bit 14" + "4543": "Undefined Access (no effect) Bit 15" + "4544": "Use symbolic link" + "4545": "Undefined Access (no effect) Bit 1" + "4546": "Undefined Access (no effect) Bit 2" + "4547": "Undefined Access (no effect) Bit 3" + "4548": "Undefined Access (no effect) Bit 4" + "4549": "Undefined Access (no effect) Bit 5" + "4550": "Undefined Access (no effect) Bit 6" + "4551": 
"Undefined Access (no effect) Bit 7" + "4552": "Undefined Access (no effect) Bit 8" + "4553": "Undefined Access (no effect) Bit 9" + "4554": "Undefined Access (no effect) Bit 10" + "4555": "Undefined Access (no effect) Bit 11" + "4556": "Undefined Access (no effect) Bit 12" + "4557": "Undefined Access (no effect) Bit 13" + "4558": "Undefined Access (no effect) Bit 14" + "4559": "Undefined Access (no effect) Bit 15" + "4560": "Force thread termination" + "4561": "Suspend or resume thread" + "4562": "Send an alert to thread" + "4563": "Get thread context" + "4564": "Set thread context" + "4565": "Set thread information" + "4566": "Query thread information" + "4567": "Assign a token to the thread" + "4568": "Cause thread to directly impersonate another thread" + "4569": "Directly impersonate this thread" + "4570": "Undefined Access (no effect) Bit 10" + "4571": "Undefined Access (no effect) Bit 11" + "4572": "Undefined Access (no effect) Bit 12" + "4573": "Undefined Access (no effect) Bit 13" + "4574": "Undefined Access (no effect) Bit 14" + "4575": "Undefined Access (no effect) Bit 15" + "4576": "Query timer state" + "4577": "Modify timer state" + "4578": "Undefined Access (no effect) Bit 2" + "4579": "Undefined Access (no effect) Bit 3" + "4580": "Undefined Access (no effect) Bit 4" + "4581": "Undefined Access (no effect) Bit 5" + "4582": "Undefined Access (no effect) Bit 6" + "4584": "Undefined Access (no effect) Bit 8" + "4585": "Undefined Access (no effect) Bit 9" + "4586": "Undefined Access (no effect) Bit 10" + "4587": "Undefined Access (no effect) Bit 11" + "4588": "Undefined Access (no effect) Bit 12" + "4589": "Undefined Access (no effect) Bit 13" + "4590": "Undefined Access (no effect) Bit 14" + "4591": "Undefined Access (no effect) Bit 15" + "4592": "AssignAsPrimary" + "4593": "Duplicate" + "4594": "Impersonate" + "4595": "Query" + "4596": "QuerySource" + "4597": "AdjustPrivileges" + "4598": "AdjustGroups" + "4599": "AdjustDefaultDacl" + "4600": 
"AdjustSessionID" + "4601": "Undefined Access (no effect) Bit 9" + "4602": "Undefined Access (no effect) Bit 10" + "4603": "Undefined Access (no effect) Bit 11" + "4604": "Undefined Access (no effect) Bit 12" + "4605": "Undefined Access (no effect) Bit 13" + "4606": "Undefined Access (no effect) Bit 14" + "4607": "Undefined Access (no effect) Bit 15" + "4608": "Create instance of object type" + "4609": "Undefined Access (no effect) Bit 1" + "4610": "Undefined Access (no effect) Bit 2" + "4611": "Undefined Access (no effect) Bit 3" + "4612": "Undefined Access (no effect) Bit 4" + "4613": "Undefined Access (no effect) Bit 5" + "4614": "Undefined Access (no effect) Bit 6" + "4615": "Undefined Access (no effect) Bit 7" + "4616": "Undefined Access (no effect) Bit 8" + "4617": "Undefined Access (no effect) Bit 9" + "4618": "Undefined Access (no effect) Bit 10" + "4619": "Undefined Access (no effect) Bit 11" + "4620": "Undefined Access (no effect) Bit 12" + "4621": "Undefined Access (no effect) Bit 13" + "4622": "Undefined Access (no effect) Bit 14" + "4623": "Undefined Access (no effect) Bit 15" + "4864": "Query State" + "4865": "Modify State" + "5120": "Channel read message" + "5121": "Channel write message" + "5122": "Channel query information" + "5123": "Channel set information" + "5124": "Undefined Access (no effect) Bit 4" + "5125": "Undefined Access (no effect) Bit 5" + "5126": "Undefined Access (no effect) Bit 6" + "5127": "Undefined Access (no effect) Bit 7" + "5128": "Undefined Access (no effect) Bit 8" + "5129": "Undefined Access (no effect) Bit 9" + "5130": "Undefined Access (no effect) Bit 10" + "5131": "Undefined Access (no effect) Bit 11" + "5132": "Undefined Access (no effect) Bit 12" + "5133": "Undefined Access (no effect) Bit 13" + "5134": "Undefined Access (no effect) Bit 14" + "5135": "Undefined Access (no effect) Bit 15" + "5136": "Assign process" + "5137": "Set Attributes" + "5138": "Query Attributes" + "5139": "Terminate Job" + "5140": "Set Security 
Attributes" + "5141": "Undefined Access (no effect) Bit 5" + "5142": "Undefined Access (no effect) Bit 6" + "5143": "Undefined Access (no effect) Bit 7" + "5144": "Undefined Access (no effect) Bit 8" + "5145": "Undefined Access (no effect) Bit 9" + "5146": "Undefined Access (no effect) Bit 10" + "5147": "Undefined Access (no effect) Bit 11" + "5148": "Undefined Access (no effect) Bit 12" + "5149": "Undefined Access (no effect) Bit 13" + "5150": "Undefined Access (no effect) Bit 14" + "5151": "Undefined Access (no effect) Bit 15" + "5376": "ConnectToServer" + "5377": "ShutdownServer" + "5378": "InitializeServer" + "5379": "CreateDomain" + "5380": "EnumerateDomains" + "5381": "LookupDomain" + "5382": "Undefined Access (no effect) Bit 6" + "5383": "Undefined Access (no effect) Bit 7" + "5384": "Undefined Access (no effect) Bit 8" + "5385": "Undefined Access (no effect) Bit 9" + "5386": "Undefined Access (no effect) Bit 10" + "5387": "Undefined Access (no effect) Bit 11" + "5388": "Undefined Access (no effect) Bit 12" + "5389": "Undefined Access (no effect) Bit 13" + "5390": "Undefined Access (no effect) Bit 14" + "5391": "Undefined Access (no effect) Bit 15" + "5392": "ReadPasswordParameters" + "5393": "WritePasswordParameters" + "5394": "ReadOtherParameters" + "5395": "WriteOtherParameters" + "5396": "CreateUser" + "5397": "CreateGlobalGroup" + "5398": "CreateLocalGroup" + "5399": "GetLocalGroupMembership" + "5400": "ListAccounts" + "5401": "LookupIDs" + "5402": "AdministerServer" + "5403": "Undefined Access (no effect) Bit 11" + "5404": "Undefined Access (no effect) Bit 12" + "5405": "Undefined Access (no effect) Bit 13" + "5406": "Undefined Access (no effect) Bit 14" + "5407": "Undefined Access (no effect) Bit 15" + "5408": "ReadInformation" + "5409": "WriteAccount" + "5410": "AddMember" + "5411": "RemoveMember" + "5412": "ListMembers" + "5413": "Undefined Access (no effect) Bit 5" + "5414": "Undefined Access (no effect) Bit 6" + "5415": "Undefined Access (no 
effect) Bit 7" + "5416": "Undefined Access (no effect) Bit 8" + "5417": "Undefined Access (no effect) Bit 9" + "5418": "Undefined Access (no effect) Bit 10" + "5419": "Undefined Access (no effect) Bit 11" + "5420": "Undefined Access (no effect) Bit 12" + "5421": "Undefined Access (no effect) Bit 13" + "5422": "Undefined Access (no effect) Bit 14" + "5423": "Undefined Access (no effect) Bit 15" + "5424": "AddMember" + "5425": "RemoveMember" + "5426": "ListMembers" + "5427": "ReadInformation" + "5428": "WriteAccount" + "5429": "Undefined Access (no effect) Bit 5" + "5430": "Undefined Access (no effect) Bit 6" + "5431": "Undefined Access (no effect) Bit 7" + "5432": "Undefined Access (no effect) Bit 8" + "5433": "Undefined Access (no effect) Bit 9" + "5434": "Undefined Access (no effect) Bit 10" + "5435": "Undefined Access (no effect) Bit 11" + "5436": "Undefined Access (no effect) Bit 12" + "5437": "Undefined Access (no effect) Bit 13" + "5438": "Undefined Access (no effect) Bit 14" + "5439": "Undefined Access (no effect) Bit 15" + "5440": "ReadGeneralInformation" + "5441": "ReadPreferences" + "5442": "WritePreferences" + "5443": "ReadLogon" + "5444": "ReadAccount" + "5445": "WriteAccount" + "5446": "ChangePassword (with knowledge of old password)" + "5447": "SetPassword (without knowledge of old password)" + "5448": "ListGroups" + "5449": "ReadGroupMembership" + "5450": "ChangeGroupMembership" + "5451": "Undefined Access (no effect) Bit 11" + "5452": "Undefined Access (no effect) Bit 12" + "5453": "Undefined Access (no effect) Bit 13" + "5454": "Undefined Access (no effect) Bit 14" + "5455": "Undefined Access (no effect) Bit 15" + "5632": "View non-sensitive policy information" + "5633": "View system audit requirements" + "5634": "Get sensitive policy information" + "5635": "Modify domain trust relationships" + "5636": "Create special accounts (for assignment of user rights)" + "5637": "Create a secret object" + "5638": "Create a privilege" + "5639": "Set default 
quota limits" + "5640": "Change system audit requirements" + "5641": "Administer audit log attributes" + "5642": "Enable/Disable LSA" + "5643": "Lookup Names/SIDs" + "5648": "Change secret value" + "5649": "Query secret value" + "5650": "Undefined Access (no effect) Bit 2" + "5651": "Undefined Access (no effect) Bit 3" + "5652": "Undefined Access (no effect) Bit 4" + "5653": "Undefined Access (no effect) Bit 5" + "5654": "Undefined Access (no effect) Bit 6" + "5655": "Undefined Access (no effect) Bit 7" + "5656": "Undefined Access (no effect) Bit 8" + "5657": "Undefined Access (no effect) Bit 9" + "5658": "Undefined Access (no effect) Bit 10" + "5659": "Undefined Access (no effect) Bit 11" + "5660": "Undefined Access (no effect) Bit 12" + "5661": "Undefined Access (no effect) Bit 13" + "5662": "Undefined Access (no effect) Bit 14" + "5663": "Undefined Access (no effect) Bit 15" + "5664": "Query trusted domain name/SID" + "5665": "Retrieve the controllers in the trusted domain" + "5666": "Change the controllers in the trusted domain" + "5667": "Query the Posix ID offset assigned to the trusted domain" + "5668": "Change the Posix ID offset assigned to the trusted domain" + "5669": "Undefined Access (no effect) Bit 5" + "5670": "Undefined Access (no effect) Bit 6" + "5671": "Undefined Access (no effect) Bit 7" + "5672": "Undefined Access (no effect) Bit 8" + "5673": "Undefined Access (no effect) Bit 9" + "5674": "Undefined Access (no effect) Bit 10" + "5675": "Undefined Access (no effect) Bit 11" + "5676": "Undefined Access (no effect) Bit 12" + "5677": "Undefined Access (no effect) Bit 13" + "5678": "Undefined Access (no effect) Bit 14" + "5679": "Undefined Access (no effect) Bit 15" + "5680": "Query account information" + "5681": "Change privileges assigned to account" + "5682": "Change quotas assigned to account" + "5683": "Change logon capabilities assigned to account" + "5684": "Change the Posix ID offset assigned to the accounted domain" + "5685": "Undefined 
Access (no effect) Bit 5" + "5686": "Undefined Access (no effect) Bit 6" + "5687": "Undefined Access (no effect) Bit 7" + "5688": "Undefined Access (no effect) Bit 8" + "5689": "Undefined Access (no effect) Bit 9" + "5690": "Undefined Access (no effect) Bit 10" + "5691": "Undefined Access (no effect) Bit 11" + "5692": "Undefined Access (no effect) Bit 12" + "5693": "Undefined Access (no effect) Bit 13" + "5694": "Undefined Access (no effect) Bit 14" + "5695": "Undefined Access (no effect) Bit 15" + "5696": "KeyedEvent Wait" + "5697": "KeyedEvent Wake" + "5698": "Undefined Access (no effect) Bit 2" + "5699": "Undefined Access (no effect) Bit 3" + "5700": "Undefined Access (no effect) Bit 4" + "5701": "Undefined Access (no effect) Bit 5" + "5702": "Undefined Access (no effect) Bit 6" + "5703": "Undefined Access (no effect) Bit 7" + "5704": "Undefined Access (no effect) Bit 8" + "5705": "Undefined Access (no effect) Bit 9" + "5706": "Undefined Access (no effect) Bit 10" + "5707": "Undefined Access (no effect) Bit 11" + "5708": "Undefined Access (no effect) Bit 12" + "5709": "Undefined Access (no effect) Bit 13" + "5710": "Undefined Access (no effect) Bit 14" + "5711": "Undefined Access (no effect) Bit 15" + "6656": "Enumerate desktops" + "6657": "Read attributes" + "6658": "Access Clipboard" + "6659": "Create desktop" + "6660": "Write attributes" + "6661": "Access global atoms" + "6662": "Exit windows" + "6663": "Unused Access Flag" + "6664": "Include this windowstation in enumerations" + "6665": "Read screen" + "6672": "Read Objects" + "6673": "Create window" + "6674": "Create menu" + "6675": "Hook control" + "6676": "Journal (record)" + "6677": "Journal (playback)" + "6678": "Include this desktop in enumerations" + "6679": "Write objects" + "6680": "Switch to this desktop" + "6912": "Administer print server" + "6913": "Enumerate printers" + "6930": "Full Control" + "6931": "Print" + "6948": "Administer Document" + "7168": "Connect to service controller" + "7169": 
"Create a new service" + "7170": "Enumerate services" + "7171": "Lock service database for exclusive access" + "7172": "Query service database lock state" + "7173": "Set last-known-good state of service database" + "7184": "Query service configuration information" + "7185": "Set service configuration information" + "7186": "Query status of service" + "7187": "Enumerate dependencies of service" + "7188": "Start the service" + "7189": "Stop the service" + "7190": "Pause or continue the service" + "7191": "Query information from service" + "7192": "Issue service-specific control commands" + "7424": "DDE Share Read" + "7425": "DDE Share Write" + "7426": "DDE Share Initiate Static" + "7427": "DDE Share Initiate Link" + "7428": "DDE Share Request" + "7429": "DDE Share Advise" + "7430": "DDE Share Poke" + "7431": "DDE Share Execute" + "7432": "DDE Share Add Items" + "7433": "DDE Share List Items" + "7680": "Create Child" + "7681": "Delete Child" + "7682": "List Contents" + "7683": "Write Self" + "7684": "Read Property" + "7685": "Write Property" + "7686": "Delete Tree" + "7687": "List Object" + "7688": "Control Access" + "7689": "Undefined Access (no effect) Bit 9" + "7690": "Undefined Access (no effect) Bit 10" + "7691": "Undefined Access (no effect) Bit 11" + "7692": "Undefined Access (no effect) Bit 12" + "7693": "Undefined Access (no effect) Bit 13" + "7694": "Undefined Access (no effect) Bit 14" + "7695": "Undefined Access (no effect) Bit 15" + "7936": "Audit Set System Policy" + "7937": "Audit Query System Policy" + "7938": "Audit Set Per User Policy" + "7939": "Audit Query Per User Policy" + "7940": "Audit Enumerate Users" + "7941": "Audit Set Options" + "7942": "Audit Query Options" + "8064": "Port sharing (read)" + "8065": "Port sharing (write)" + "8096": "Default credentials" + "8097": "Credentials manager" + "8098": "Fresh credentials" + "8192": "Kerberos" + "8193": "Preshared key" + "8194": "Unknown authentication" + "8195": "DES" + "8196": "3DES" + "8197": 
"MD5" + "8198": "SHA1" + "8199": "Local computer" + "8200": "Remote computer" + "8201": "No state" + "8202": "Sent first (SA) payload" + "8203": "Sent second (KE) payload" + "8204": "Sent third (ID) payload" + "8205": "Initiator" + "8206": "Responder" + "8207": "No state" + "8208": "Sent first (SA) payload" + "8209": "Sent final payload" + "8210": "Complete" + "8211": "Unknown" + "8212": "Transport" + "8213": "Tunnel" + "8214": "IKE/AuthIP DoS prevention mode started" + "8215": "IKE/AuthIP DoS prevention mode stopped" + "8216": "Enabled" + "8217": "Not enabled" + "8218": "No state" + "8219": "Sent first (EM attributes) payload" + "8220": "Sent second (SSPI) payload" + "8221": "Sent third (hash) payload" + "8222": "IKEv1" + "8223": "AuthIP" + "8224": "Anonymous" + "8225": "NTLM V2" + "8226": "CGA" + "8227": "Certificate" + "8228": "SSL" + "8229": "None" + "8230": "DH group 1" + "8231": "DH group 2" + "8232": "DH group 14" + "8233": "DH group ECP 256" + "8234": "DH group ECP 384" + "8235": "AES-128" + "8236": "AES-192" + "8237": "AES-256" + "8238": "Certificate ECDSA P256" + "8239": "Certificate ECDSA P384" + "8240": "SSL ECDSA P256" + "8241": "SSL ECDSA P384" + "8242": "SHA 256" + "8243": "SHA 384" + "8244": "IKEv2" + "8245": "EAP payload sent" + "8246": "Authentication payload sent" + "8247": "EAP" + "8248": "DH group 24" + "8272": "System" + "8273": "Logon/Logoff" + "8274": "Object Access" + "8275": "Privilege Use" + "8276": "Detailed Tracking" + "8277": "Policy Change" + "8278": "Account Management" + "8279": "DS Access" + "8280": "Account Logon" + "8448": "Success removed" + "8449": "Success Added" + "8450": "Failure removed" + "8451": "Failure Added" + "8452": "Success include removed" + "8453": "Success include added" + "8454": "Success exclude removed" + "8455": "Success exclude added" + "8456": "Failure include removed" + "8457": "Failure include added" + "8458": "Failure exclude removed" + "8459": "Failure exclude added" + "12288": "Security State Change" + 
"12289": "Security System Extension" + "12290": "System Integrity" + "12291": "IPsec Driver" + "12292": "Other System Events" + "12544": "Logon" + "12545": "Logoff" + "12546": "Account Lockout" + "12547": "IPsec Main Mode" + "12548": "Special Logon" + "12549": "IPsec Quick Mode" + "12550": "IPsec Extended Mode" + "12551": "Other Logon/Logoff Events" + "12552": "Network Policy Server" + "12553": "User / Device Claims" + "12554": "Group Membership" + "12800": "File System" + "12801": "Registry" + "12802": "Kernel Object" + "12803": "SAM" + "12804": "Other Object Access Events" + "12805": "Certification Services" + "12806": "Application Generated" + "12807": "Handle Manipulation" + "12808": "File Share" + "12809": "Filtering Platform Packet Drop" + "12810": "Filtering Platform Connection" + "12811": "Detailed File Share" + "12812": "Removable Storage" + "12813": "Central Policy Staging" + "13056": "Sensitive Privilege Use" + "13057": "Non Sensitive Privilege Use" + "13058": "Other Privilege Use Events" + "13312": "Process Creation" + "13313": "Process Termination" + "13314": "DPAPI Activity" + "13315": "RPC Events" + "13316": "Plug and Play Events" + "13317": "Token Right Adjusted Events" + "13568": "Audit Policy Change" + "13569": "Authentication Policy Change" + "13570": "Authorization Policy Change" + "13571": "MPSSVC Rule-Level Policy Change" + "13572": "Filtering Platform Policy Change" + "13573": "Other Policy Change Events" + "13824": "User Account Management" + "13825": "Computer Account Management" + "13826": "Security Group Management" + "13827": "Distribution Group Management" + "13828": "Application Group Management" + "13829": "Other Account Management Events" + "14080": "Directory Service Access" + "14081": "Directory Service Changes" + "14082": "Directory Service Replication" + "14083": "Detailed Directory Service Replication" + "14336": "Credential Validation" + "14337": "Kerberos Service Ticket Operations" + "14338": "Other Account Logon Events" + 
"14339": "Kerberos Authentication Service" + "14592": "Inbound" + "14593": "Outbound" + "14594": "Forward" + "14595": "Bidirectional" + "14596": "IP Packet" + "14597": "Transport" + "14598": "Forward" + "14599": "Stream" + "14600": "Datagram Data" + "14601": "ICMP Error" + "14602": "MAC 802.3" + "14603": "MAC Native" + "14604": "vSwitch" + "14608": "Resource Assignment" + "14609": "Listen" + "14610": "Receive/Accept" + "14611": "Connect" + "14612": "Flow Established" + "14614": "Resource Release" + "14615": "Endpoint Closure" + "14616": "Connect Redirect" + "14617": "Bind Redirect" + "14624": "Stream Packet" + "14640": "ICMP Echo-Request" + "14641": "vSwitch Ingress" + "14642": "vSwitch Egress" + "14672": "" + "14673": "[NULL]" + "14674": "Value Added" + "14675": "Value Deleted" + "14676": "Active Directory Domain Services" + "14677": "Active Directory Lightweight Directory Services" + "14678": "Yes" + "14679": "No" + "14680": "Value Added With Expiration Time" + "14681": "Value Deleted With Expiration Time" + "14688": "Value Auto Deleted With Expiration Time" + "16384": "Add" + "16385": "Delete" + "16386": "Boot-time" + "16387": "Persistent" + "16388": "Not persistent" + "16389": "Block" + "16390": "Permit" + "16391": "Callout" + "16392": "MD5" + "16393": "SHA-1" + "16394": "SHA-256" + "16395": "AES-GCM 128" + "16396": "AES-GCM 192" + "16397": "AES-GCM 256" + "16398": "DES" + "16399": "3DES" + "16400": "AES-128" + "16401": "AES-192" + "16402": "AES-256" + "16403": "Transport" + "16404": "Tunnel" + "16405": "Responder" + "16406": "Initiator" + "16407": "AES-GMAC 128" + "16408": "AES-GMAC 192" + "16409": "AES-GMAC 256" + "16416": "AuthNoEncap Transport" + "16896": "Enable WMI Account" + "16897": "Execute Method" + "16898": "Full Write" + "16899": "Partial Write" + "16900": "Provider Write" + "16901": "Remote Access" + "16902": "Subscribe" + "16903": "Publish" + reversed_descriptions: + "..." 
: ["1831"] + "3DES" : ["8196","16399"] + "64-bit Integer" : ["1820"] + "" : ["14672"] + "" : ["1800"] + "" : ["1794"] + "" : ["1793"] + "ACCESS_SYS_SEC" : ["1542"] + "AES-128" : ["16400","8235"] + "AES-192" : ["8236","16401"] + "AES-256" : ["16402","8237"] + "AES-GCM 128" : ["16395"] + "AES-GCM 192" : ["16396"] + "AES-GCM 256" : ["16397"] + "AES-GMAC 128" : ["16407"] + "AES-GMAC 192" : ["16408"] + "AES-GMAC 256" : ["16409"] + "Access Clipboard" : ["6658"] + "Access global atoms" : ["6661"] + "Account Disabled" : ["2080"] + "Account Enabled" : ["2048"] + "Account Locked" : ["2090"] + "Account Lockout" : ["12546"] + "Account Logon" : ["8280"] + "Account Management" : ["8278"] + "Account Unlocked" : ["2058"] + "Account currently disabled." : ["2310"] + "Account locked out." : ["2307"] + "Account logon time restriction violation." : ["2311"] + "Active Directory Domain Services" : ["14676"] + "Active Directory Lightweight Directory Services" : ["14677"] + "Add" : ["16384"] + "Add context." : ["2491"] + "Add function property." : ["2497"] + "Add function provider." : ["2495"] + "Add function." : ["2493"] + "Add provider." : ["2489"] + "AddMember" : ["5410","5424"] + "AdjustDefaultDacl" : ["4599"] + "AdjustGroups" : ["4598"] + "AdjustPrivileges" : ["4597"] + "AdjustSessionID" : ["4600"] + "Administer Document" : ["6948"] + "Administer audit log attributes" : ["5641"] + "Administer print server" : ["6912"] + "AdministerServer" : ["5402"] + "All" : ["1797"] + "An Error occured during Logon." 
: ["2304"] + "Anonymous" : ["8224"] + "AppendData (or AddSubdirectory or CreatePipeInstance)" : ["4418"] + "Application Generated" : ["12806"] + "Application Group Management" : ["13828"] + "Assign Primary Token Privilege" : ["1603"] + "Assign a token to the thread" : ["4567"] + "Assign process" : ["5136"] + "AssignAsPrimary" : ["4592"] + "Audit Enumerate Users" : ["7940"] + "Audit Policy Change" : ["13568"] + "Audit Policy query/set API Operation" : ["1799"] + "Audit Query Options" : ["7942"] + "Audit Query Per User Policy" : ["7939"] + "Audit Query System Policy" : ["7937"] + "Audit Set Options" : ["7941"] + "Audit Set Per User Policy" : ["7938"] + "Audit Set System Policy" : ["7936"] + "AuthIP" : ["8223"] + "AuthNoEncap Transport" : ["16416"] + "Authentication Policy Change" : ["13569"] + "Authentication payload sent" : ["8246"] + "Authorization Policy Change" : ["13570"] + "Auto" : ["1849"] + "Backup Privilege" : ["1617"] + "Bidirectional" : ["14595"] + "Bind Redirect" : ["14617"] + "Blob" : ["1822"] + "Block" : ["16389"] + "Boolean" : ["1824"] + "Boot-time" : ["16386"] + "CGA" : ["8226"] + "Callout" : ["16391"] + "Cause thread to directly impersonate another thread" : ["4568"] + "Central Policy Staging" : ["12813"] + "Certificate" : ["8227"] + "Certificate ECDSA P256" : ["8238"] + "Certificate ECDSA P384" : ["8239"] + "Certification Services" : ["12805"] + "Change Hardware Environment Privilege" : ["1622"] + "Change Notify (and Traverse) Privilege" : ["1623"] + "Change logon capabilities assigned to account" : ["5683"] + "Change privileges assigned to account" : ["5681"] + "Change quotas assigned to account" : ["5682"] + "Change secret value" : ["5648"] + "Change system audit requirements" : ["5640"] + "Change the Posix ID offset assigned to the accounted domain" : ["5684"] + "Change the Posix ID offset assigned to the trusted domain" : ["5668"] + "Change the controllers in the trusted domain" : ["5666"] + "ChangeGroupMembership" : ["5450"] + "ChangePassword 
(with knowledge of old password)" : ["5446"] + "Channel query information" : ["5122"] + "Channel read message" : ["5120"] + "Channel set information" : ["5123"] + "Channel write message" : ["5121"] + "Communicate using port" : ["4464"] + "Complete" : ["8210"] + "Computer Account Management" : ["13825"] + "Connect" : ["14611"] + "Connect Redirect" : ["14616"] + "Connect to service controller" : ["7168"] + "ConnectToServer" : ["5376"] + "Control Access" : ["7688"] + "Control profile" : ["4496"] + "Create Child" : ["7680"] + "Create Key." : ["2481"] + "Create Link" : ["4437"] + "Create Pagefile Privilege" : ["1615"] + "Create Permanent Object Privilege" : ["1616"] + "Create a new service" : ["7169"] + "Create a privilege" : ["5638"] + "Create a secret object" : ["5637"] + "Create a subprocess of process" : ["4487"] + "Create desktop" : ["6659"] + "Create instance of object type" : ["4608"] + "Create menu" : ["6674"] + "Create new thread in process" : ["4481"] + "Create object in directory" : ["4370"] + "Create special accounts (for assignment of user rights)" : ["5636"] + "Create sub-directory" : ["4371"] + "Create sub-key" : ["4434"] + "Create window" : ["6673"] + "CreateDomain" : ["5379"] + "CreateGlobalGroup" : ["5397"] + "CreateLocalGroup" : ["5398"] + "CreateUser" : ["5396"] + "Credential Validation" : ["14336"] + "Credentials manager" : ["8097"] + "DDE Share Add Items" : ["7432"] + "DDE Share Advise" : ["7429"] + "DDE Share Execute" : ["7431"] + "DDE Share Initiate Link" : ["7427"] + "DDE Share Initiate Static" : ["7426"] + "DDE Share List Items" : ["7433"] + "DDE Share Poke" : ["7430"] + "DDE Share Read" : ["7424"] + "DDE Share Request" : ["7428"] + "DDE Share Write" : ["7425"] + "DELETE" : ["1537"] + "DES" : ["16398","8195"] + "DH group 1" : ["8230"] + "DH group 14" : ["8232"] + "DH group 2" : ["8231"] + "DH group 24" : ["8248"] + "DH group ECP 256" : ["8233"] + "DH group ECP 384" : ["8234"] + "DPAPI Activity" : ["13314"] + "DS Access" : ["8279"] + "Datagram 
Data" : ["14600"] + "Debug Privilege" : ["1620"] + "Decrypt." : ["2484"] + "Default" : ["1846"] + "Default credentials" : ["8096"] + "Delegation" : ["1840"] + "Delete" : ["16385"] + "Delete Child" : ["7681"] + "Delete Key." : ["2482"] + "Delete Tree" : ["7686"] + "Delete key file." : ["2457"] + "DeleteChild" : ["4422"] + "Denied by" : ["1802"] + "Denied by ACE on parent folder" : ["1812"] + "Denied by Empty DACL" : ["1807"] + "Denied by Integrity Policy check" : ["1803"] + "Denied by Process Trust Label ACE" : ["1841"] + "Detailed Directory Service Replication" : ["14083"] + "Detailed File Share" : ["12811"] + "Detailed Tracking" : ["8276"] + "Device Access Bit 0" : ["4352"] + "Device Access Bit 1" : ["4353"] + "Device Access Bit 2" : ["4354"] + "Device Access Bit 3" : ["4355"] + "Device Access Bit 4" : ["4356"] + "Device Access Bit 5" : ["4357"] + "Device Access Bit 6" : ["4358"] + "Device Access Bit 7" : ["4359"] + "Device Access Bit 8" : ["4360"] + "Directly impersonate this thread" : ["4569"] + "Directory Service Access" : ["14080"] + "Directory Service Changes" : ["14081"] + "Directory Service Replication" : ["14082"] + "Disabled" : ["1796"] + "DisallowMmConfig" : ["1847"] + "Distribution Group Management" : ["13827"] + "Domain settings" : ["2487"] + "Domain sid inconsistent." : ["2314"] + "Don't Expire Password' - Disabled" : ["2057"] + "Don't Expire Password' - Enabled" : ["2089"] + "Don't Require Preauth' - Disabled" : ["2064"] + "Don't Require Preauth' - Enabled" : ["2096"] + "Duplicate" : ["4593"] + "Duplicate handle into or out of process" : ["4486"] + "EAP" : ["8247"] + "EAP payload sent" : ["8245"] + "Enable 64(or 32) bit application to open 32 bit key" : ["4441"] + "Enable 64(or 32) bit application to open 64 bit key" : ["4440"] + "Enable WMI Account" : ["16896"] + "Enable/Disable LSA" : ["5642"] + "Enabled" : ["1795","8216"] + "Encrypt." 
: ["2483"] + "Encrypted Text Password Allowed' - Disabled" : ["2059"] + "Encrypted Text Password Allowed' - Enabled" : ["2091"] + "Endpoint Closure" : ["14615"] + "Enumerate dependencies of service" : ["7187"] + "Enumerate desktops" : ["6656"] + "Enumerate printers" : ["6913"] + "Enumerate services" : ["7170"] + "Enumerate sub-keys" : ["4435"] + "EnumerateDomains" : ["5380"] + "Exclude Authorization Information' - Disabled" : ["2067"] + "Exclude Authorization Information' - Enabled" : ["2099"] + "Execute Method" : ["16897"] + "Execute/Traverse" : ["4421"] + "Existing registry value modified" : ["1905"] + "Exit windows" : ["6662"] + "Export of persistent cryptographic key." : ["2464"] + "Extend size" : ["4516"] + "FALSE" : ["1826"] + "FQBN" : ["1821"] + "Failed to unprotect persistent cryptographic key." : ["2448"] + "Failed to zero secret data." : ["2438"] + "Failure Added" : ["8451"] + "Failure exclude added" : ["8459"] + "Failure exclude removed" : ["8458"] + "Failure include added" : ["8457"] + "Failure include removed" : ["8456"] + "Failure removed" : ["8450"] + "File Share" : ["12808"] + "File System" : ["12800"] + "Filtering Platform Connection" : ["12810"] + "Filtering Platform Packet Drop" : ["12809"] + "Filtering Platform Policy Change" : ["13572"] + "Flow Established" : ["14612"] + "Force process termination" : ["4480"] + "Force thread termination" : ["4560"] + "Forward" : ["14598","14594"] + "Fresh credentials" : ["8098"] + "Friday" : ["1925"] + "Full Control" : ["6930"] + "Full Write" : ["16898"] + "Get sensitive policy information" : ["5634"] + "Get thread context" : ["4563"] + "GetLocalGroupMembership" : ["5399"] + "Granted by" : ["1801"] + "Granted by ACE on parent folder" : ["1811"] + "Granted by Central Access Rule" : ["1813"] + "Granted by NULL DACL" : ["1806"] + "Granted by NULL Security Descriptor" : ["1808"] + "Granted by Ownership" : ["1804"] + "Granted by parent folder's Central Access Rule" : ["1815"] + "Group Membership" : ["12554"] + 
"Handle Manipulation" : ["12807"] + "Home Directory Required' - Disabled" : ["2049"] + "Home Directory Required' - Enabled" : ["2081"] + "Hook control" : ["6675"] + "ICMP Echo-Request" : ["14640"] + "ICMP Error" : ["14601"] + "IKE/AuthIP DoS prevention mode started" : ["8214"] + "IKE/AuthIP DoS prevention mode stopped" : ["8215"] + "IKEv1" : ["8222"] + "IKEv2" : ["8244"] + "IP Packet" : ["14596"] + "IPsec Driver" : ["12291"] + "IPsec Extended Mode" : ["12550"] + "IPsec Main Mode" : ["12547"] + "IPsec Quick Mode" : ["12549"] + "Identification" : ["1832"] + "Impersonate" : ["4594"] + "Impersonation" : ["1833"] + "Import of persistent cryptographic key." : ["2465"] + "Inbound" : ["14592"] + "Include this desktop in enumerations" : ["6678"] + "Include this windowstation in enumerations" : ["6664"] + "Increase Memory Quota Privilege" : ["1605"] + "Increment Base Priority Privilege" : ["1614"] + "InitializeServer" : ["5378"] + "Initiator" : ["8205","16406"] + "Interdomain Trust Account' - Disabled" : ["2054"] + "Interdomain Trust Account' - Enabled" : ["2086"] + "Invalid" : ["1827"] + "Issue service-specific control commands" : ["7192"] + "Journal (playback)" : ["6677"] + "Journal (record)" : ["6676"] + "Kerberos" : ["8192"] + "Kerberos Authentication Service" : ["14339"] + "Kerberos Service Ticket Operations" : ["14337"] + "Kernel Object" : ["12802"] + "Key Derivation." : ["2501"] + "Key export checks failed." : ["2449"] + "Key failed pair wise consistency check." 
: ["2439"] + "KeyedEvent Wait" : ["5696"] + "KeyedEvent Wake" : ["5697"] + "List Contents" : ["7682"] + "List Object" : ["7687"] + "ListAccounts" : ["5400"] + "ListGroups" : ["5448"] + "ListMembers" : ["5412","5426"] + "Listen" : ["14609"] + "Load/Unload Driver Privilege" : ["1610"] + "Local computer" : ["8199"] + "Local settings" : ["2488"] + "Lock Memory Privilege" : ["1604"] + "Lock service database for exclusive access" : ["7171"] + "Logoff" : ["12545"] + "Logon" : ["12544"] + "Logon/Logoff" : ["8273"] + "Lookup Names/SIDs" : ["5643"] + "LookupDomain" : ["5381"] + "LookupIDs" : ["5401"] + "MAC 802.3" : ["14602"] + "MAC Native" : ["14603"] + "MAX_ALLOWED" : ["1543"] + "MD5" : ["16392","8197"] + "MNS Logon Account' - Disabled" : ["2053"] + "MNS Logon Account' - Enabled" : ["2085"] + "MPSSVC Rule-Level Policy Change" : ["13571"] + "Machine key." : ["2499"] + "Map section for execute" : ["4515"] + "Map section for read" : ["4514"] + "Map section for write" : ["4513"] + "Modify State" : ["4865"] + "Modify domain trust relationships" : ["5635"] + "Modify event state" : ["4385"] + "Modify semaphore state" : ["4529"] + "Modify timer state" : ["4577"] + "Monday" : ["1921"] + "NOT Granted by Central Access Rule" : ["1814"] + "NOT Granted by parent folder's Central Access Rule" : ["1816"] + "NTLM V2" : ["8225"] + "Network Policy Server" : ["12552"] + "New registry value created" : ["1904"] + "No" : ["14679","1843"] + "No state" : ["8207","8218","8201"] + "Non Sensitive Privilege Use" : ["13057"] + "None" : ["1798","8229"] + "Normal Account' - Disabled" : ["2052"] + "Normal Account' - Enabled" : ["2084"] + "Not Available" : ["1845"] + "Not Available." 
: ["2432"] + "Not Delegated' - Disabled" : ["2062"] + "Not Delegated' - Enabled" : ["2094"] + "Not enabled" : ["8217"] + "Not granted" : ["1805"] + "Not granted due to missing" : ["1810"] + "Not granted to AppContainers" : ["1830"] + "Not persistent" : ["16388"] + "Not used" : ["1601"] + "Notify about changes to keys" : ["4436"] + "Object Access" : ["8274"] + "Off" : ["1848"] + "Open Key." : ["2480"] + "Open key file." : ["2456"] + "Other Account Logon Events" : ["14338"] + "Other Account Management Events" : ["13829"] + "Other Logon/Logoff Events" : ["12551"] + "Other Object Access Events" : ["12804"] + "Other Policy Change Events" : ["13573"] + "Other Privilege Use Events" : ["13058"] + "Other System Events" : ["12292"] + "Outbound" : ["14593"] + "Partial Write" : ["16899"] + "Password Expired' - Disabled" : ["2065"] + "Password Expired' - Enabled" : ["2097"] + "Password Not Required' - Disabled" : ["2050"] + "Password Not Required' - Enabled" : ["2082"] + "Pause or continue the service" : ["7190"] + "Perform virtual memory operation" : ["4483"] + "Permit" : ["16390"] + "Persistent" : ["16387"] + "Plug and Play Events" : ["13316"] + "Policy Change" : ["8277"] + "Port sharing (read)" : ["8064"] + "Port sharing (write)" : ["8065"] + "Preshared key" : ["8193"] + "Print" : ["6931"] + "Privilege Use" : ["8275"] + "Process Creation" : ["13312"] + "Process Termination" : ["13313"] + "Profile Single Process Privilege" : ["1613"] + "Profile System Privilege" : ["1611"] + "Protect Kerberos Service Tickets with AES Keys' - Disabled" : ["2069"] + "Protect Kerberos Service Tickets with AES Keys' - Enabled" : ["2101"] + "Provider Write" : ["16900"] + "Publish" : ["16903"] + "Query" : ["4595"] + "Query Attributes" : ["5138"] + "Query State" : ["4864"] + "Query account information" : ["5680"] + "Query directory" : ["4368"] + "Query event state" : ["4384"] + "Query information from service" : ["7191"] + "Query key value" : ["4432"] + "Query mutant state" : ["4448"] + "Query 
process information" : ["4490"] + "Query secret value" : ["5649"] + "Query section state" : ["4512"] + "Query semaphore state" : ["4528"] + "Query service configuration information" : ["7184"] + "Query service database lock state" : ["7172"] + "Query status of service" : ["7186"] + "Query the Posix ID offset assigned to the trusted domain" : ["5667"] + "Query thread information" : ["4566"] + "Query timer state" : ["4576"] + "Query trusted domain name/SID" : ["5664"] + "QuerySource" : ["4596"] + "READ_CONTROL" : ["1538"] + "REG_BINARY" : ["1875"] + "REG_DWORD" : ["1876"] + "REG_DWORD_BIG_ENDIAN" : ["1877"] + "REG_EXPAND_SZ" : ["1874"] + "REG_FULL_RESOURCE_DESCRIPTOR" : ["1881"] + "REG_LINK" : ["1878"] + "REG_MULTI_SZ (New lines are replaced with *. A * is replaced with **)" : ["1879"] + "REG_NONE" : ["1872"] + "REG_QWORD" : ["1883"] + "REG_RESOURCE_LIST" : ["1880"] + "REG_RESOURCE_REQUIREMENTS_LIST" : ["1882"] + "REG_SZ" : ["1873"] + "RPC Events" : ["13315"] + "Random number generation failed FIPS-140 pre-hash check." : ["2437"] + "Random number generator failure." : ["2436"] + "Read Objects" : ["6672"] + "Read Property" : ["7684"] + "Read attributes" : ["6657"] + "Read from process memory" : ["4484"] + "Read persisted key from file." : ["2458"] + "Read screen" : ["6665"] + "ReadAccount" : ["5444"] + "ReadAttributes" : ["4423"] + "ReadData (or ListDirectory)" : ["4416"] + "ReadEA" : ["4419"] + "ReadGeneralInformation" : ["5440"] + "ReadGroupMembership" : ["5449"] + "ReadInformation" : ["5427","5408"] + "ReadLogon" : ["5443"] + "ReadOtherParameters" : ["5394"] + "ReadPasswordParameters" : ["5392"] + "ReadPreferences" : ["5441"] + "Receive/Accept" : ["14610"] + "Registry" : ["12801"] + "Registry value deleted" : ["1906"] + "Remote Access" : ["16901"] + "Remote computer" : ["8200"] + "Remotely Shut System Down Privilege" : ["1624"] + "Removable Storage" : ["12812"] + "Remove context." : ["2492"] + "Remove function property." : ["2498"] + "Remove function provider." 
: ["2496"] + "Remove function." : ["2494"] + "Remove provider." : ["2490"] + "RemoveMember" : ["5425","5411"] + "Resource Assignment" : ["14608"] + "Resource Release" : ["14614"] + "Responder" : ["16405","8206"] + "Restore From Backup Privilege" : ["1618"] + "Retrieve the controllers in the trusted domain" : ["5665"] + "SAM" : ["12803"] + "SHA 256" : ["8242"] + "SHA 384" : ["8243"] + "SHA-1" : ["16393"] + "SHA-256" : ["16394"] + "SHA1" : ["8198"] + "SSL" : ["8228"] + "SSL ECDSA P256" : ["8240"] + "SSL ECDSA P384" : ["8241"] + "SYNCHRONIZE" : ["1541"] + "Saturday" : ["1926"] + "Secret agreement." : ["2486"] + "Security Group Management" : ["13826"] + "Security Privilege" : ["1608"] + "Security State Change" : ["12288"] + "Security System Extension" : ["12289"] + "Send an alert to thread" : ["4562"] + "Sensitive Privilege Use" : ["13056"] + "Sent final payload" : ["8209"] + "Sent first (EM attributes) payload" : ["8219"] + "Sent first (SA) payload" : ["8208","8202"] + "Sent second (KE) payload" : ["8203"] + "Sent second (SSPI) payload" : ["8220"] + "Sent third (ID) payload" : ["8204"] + "Sent third (hash) payload" : ["8221"] + "Server Trust Account' - Disabled" : ["2056"] + "Server Trust Account' - Enabled" : ["2088"] + "Set Attributes" : ["5137"] + "Set Security Attributes" : ["5140"] + "Set System Time Privilege" : ["1612"] + "Set default quota limits" : ["5639"] + "Set key value" : ["4433"] + "Set last-known-good state of service database" : ["7173"] + "Set process information" : ["4489"] + "Set process quotas" : ["4488"] + "Set process session ID" : ["4482"] + "Set process termination port" : ["4491"] + "Set service configuration information" : ["7185"] + "Set thread context" : ["4564"] + "Set thread information" : ["4565"] + "SetPassword (without knowledge of old password)" : ["5447"] + "Shutdown System Privilege" : ["1619"] + "ShutdownServer" : ["5377"] + "Sid" : ["1823"] + "Sign hash." : ["2485"] + "Signature verification failed." 
: ["2451"] + "Smartcard Required' - Disabled" : ["2060"] + "Smartcard Required' - Enabled" : ["2092"] + "Smartcard logon is required and was not used." : ["2315"] + "Special Logon" : ["12548"] + "Start the service" : ["7188"] + "Stop the service" : ["7189"] + "Stream" : ["14599"] + "Stream Packet" : ["14624"] + "String" : ["1818"] + "Subscribe" : ["16902"] + "Success Added" : ["8449"] + "Success exclude added" : ["8455"] + "Success exclude removed" : ["8454"] + "Success include added" : ["8453"] + "Success include removed" : ["8452"] + "Success removed" : ["8448"] + "Sunday" : ["1920"] + "Suspend or resume thread" : ["4561"] + "Switch to this desktop" : ["6680"] + "System" : ["1844","8272"] + "System Integrity" : ["12290"] + "TRUE" : ["1825"] + "Take Ownership Privilege" : ["1609"] + "Temp Duplicate Account' - Disabled" : ["2051"] + "Temp Duplicate Account' - Enabled" : ["2083"] + "Terminate Job" : ["5139"] + "The NetLogon component is not active." : ["2306"] + "The specified account's password has expired." : ["2309"] + "The specified user account has expired." : ["2305"] + "The user has not been granted the requested logon type at this machine." 
: ["2308"] + "Thursday" : ["1924"] + "Token Right Adjusted Events" : ["13317"] + "TokenElevationTypeDefault (1)" : ["1936"] + "TokenElevationTypeFull (2)" : ["1937"] + "TokenElevationTypeLimited (3)" : ["1938"] + "Transport" : ["14597","16403","8212"] + "Traverse" : ["4369"] + "Trusted Computer Base Privilege" : ["1607"] + "Trusted For Delegation' - Disabled" : ["2061"] + "Trusted For Delegation' - Enabled" : ["2093"] + "Trusted To Authenticate For Delegation' - Disabled" : ["2066"] + "Trusted To Authenticate For Delegation' - Enabled" : ["2098"] + "Tuesday" : ["1922"] + "Tunnel" : ["16404","8213"] + "Undefined Access (no effect) Bit 1" : ["4609","4545","4497","4465","4449"] + "Undefined Access (no effect) Bit 10" : ["4554","4618","4378","5418","4474","7690","5690","4442","4522","4458","4602","5658","5434","5146","5706","4426","5386","4362","4538","4570","4586","5674","4506","4394","5130"] + "Undefined Access (no effect) Bit 11" : ["4587","5435","5691","5675","4603","4379","5451","5387","5707","4619","7691","4395","4459","4427","4571","4363","4539","5403","4443","5147","4523","5131","4475","4555","4507","5419","5659"] + "Undefined Access (no effect) Bit 12" : ["5660","4364","4620","5708","4540","4428","4524","5148","5420","4508","5404","5452","4380","4460","4604","5436","4492","4396","4556","7692","5676","4588","4476","4572","4444","5132","5692","5388"] + "Undefined Access (no effect) Bit 13" : ["5149","5437","4477","5389","4525","4557","5421","4605","4541","4461","5677","5693","4509","4621","4589","4381","5405","4429","4445","4573","5661","4397","5709","4365","5453","7693","4493","5133"] + "Undefined Access (no effect) Bit 14" : ["4510","4366","4606","4462","4558","5694","4446","5710","5390","5438","4478","4398","4382","4590","5150","5454","5134","5678","7694","5662","4526","4622","5422","4574","4542","4494","4430","5406"] + "Undefined Access (no effect) Bit 15" : 
["4399","5679","4447","5391","5407","5135","4559","4591","5663","5439","4511","4431","4495","5151","4607","7695","4623","4575","4543","4479","5455","4367","4383","5695","5423","5711","4527","4463"] + "Undefined Access (no effect) Bit 2" : ["4450","4498","4466","5698","4386","5650","4610","4578","4530","4546"] + "Undefined Access (no effect) Bit 3" : ["4451","5699","4579","5651","4467","4387","4547","4611","4531","4499"] + "Undefined Access (no effect) Bit 4" : ["4372","5652","5124","4468","4580","4548","4500","4452","4532","5700","4612","4388"] + "Undefined Access (no effect) Bit 5" : ["5669","5701","5653","4517","4453","4469","4501","5125","4549","4533","4581","5429","5685","4373","5413","4389","4613","5141"] + "Undefined Access (no effect) Bit 6" : ["5654","4534","4502","4390","5414","5382","4550","4582","4518","4614","4438","4454","4374","5126","4470","5430","5702","5670","5686","5142"] + "Undefined Access (no effect) Bit 7" : ["4519","4455","5143","4375","5703","4471","5383","5415","4391","5687","5431","5655","4551","5127","4503","4439","5671","279","4535","4615"] + "Undefined Access (no effect) Bit 8" : ["5144","4376","5656","4552","4472","4504","4456","5128","4392","4616","4536","4584","4520","5432","5384","5672","5416","5704","5688"] + "Undefined Access (no effect) Bit 9" : ["5433","5145","4361","4457","4601","4537","4585","4393","4521","5657","5673","4553","7689","5385","4425","4505","4377","5689","5417","5705","4617","5129","4473"] + "Undefined UserAccountControl Bit 20' - Disabled" : ["2068"] + "Undefined UserAccountControl Bit 20' - Enabled" : ["2100"] + "Undefined UserAccountControl Bit 22' - Disabled" : ["2070"] + "Undefined UserAccountControl Bit 22' - Enabled" : ["2102"] + "Undefined UserAccountControl Bit 23' - Disabled" : ["2071"] + "Undefined UserAccountControl Bit 23' - Enabled" : ["2103"] + "Undefined UserAccountControl Bit 24' - Disabled" : ["2072"] + "Undefined UserAccountControl Bit 24' - Enabled" : ["2104"] + "Undefined UserAccountControl 
Bit 25' - Disabled" : ["2073"] + "Undefined UserAccountControl Bit 25' - Enabled" : ["2105"] + "Undefined UserAccountControl Bit 26' - Disabled" : ["2074"] + "Undefined UserAccountControl Bit 26' - Enabled" : ["2106"] + "Undefined UserAccountControl Bit 27' - Disabled" : ["2075"] + "Undefined UserAccountControl Bit 27' - Enabled" : ["2107"] + "Undefined UserAccountControl Bit 28' - Disabled" : ["2076"] + "Undefined UserAccountControl Bit 28' - Enabled" : ["2108"] + "Undefined UserAccountControl Bit 29' - Disabled" : ["2077"] + "Undefined UserAccountControl Bit 29' - Enabled" : ["2109"] + "Undefined UserAccountControl Bit 30' - Disabled" : ["2078"] + "Undefined UserAccountControl Bit 30' - Enabled" : ["2110"] + "Undefined UserAccountControl Bit 31' - Disabled" : ["2079"] + "Undefined UserAccountControl Bit 31' - Enabled" : ["2111"] + "Unknown" : ["8211"] + "Unknown Type" : ["1817"] + "Unknown authentication" : ["8194"] + "Unknown or unchecked" : ["1809"] + "Unknown specific access (bit 0)" : ["1552"] + "Unknown specific access (bit 1)" : ["1553"] + "Unknown specific access (bit 10)" : ["1562"] + "Unknown specific access (bit 11)" : ["1563"] + "Unknown specific access (bit 12)" : ["1564"] + "Unknown specific access (bit 13)" : ["1565"] + "Unknown specific access (bit 14)" : ["1566"] + "Unknown specific access (bit 15)" : ["1567"] + "Unknown specific access (bit 2)" : ["1554"] + "Unknown specific access (bit 3)" : ["1555"] + "Unknown specific access (bit 4)" : ["1556"] + "Unknown specific access (bit 5)" : ["1557"] + "Unknown specific access (bit 6)" : ["1558"] + "Unknown specific access (bit 7)" : ["1559"] + "Unknown specific access (bit 8)" : ["1560"] + "Unknown specific access (bit 9)" : ["1561"] + "Unknown user name or bad password." 
: ["2313"] + "Unsigned 64-bit Integer" : ["1819"] + "Unsolicited Input Privilege" : ["1606"] + "Unused Access Flag" : ["6663"] + "Unused message ID" : ["1536"] + "Use DES Key Only' - Disabled" : ["2063"] + "Use DES Key Only' - Enabled" : ["2095"] + "Use symbolic link" : ["4544"] + "User / Device Claims" : ["12553"] + "User Account Management" : ["13824"] + "User key." : ["2500"] + "User not allowed to logon at this computer." : ["2312"] + "Validation of public key failed." : ["2450"] + "Value Added" : ["14674"] + "Value Added With Expiration Time" : ["14680"] + "Value Auto Deleted With Expiration Time" : ["14688"] + "Value Deleted" : ["14675"] + "Value Deleted With Expiration Time" : ["14681"] + "View non-sensitive policy information" : ["5632"] + "View or Change Audit Log Privilege" : ["1621"] + "View system audit requirements" : ["5633"] + "WRITE_DAC" : ["1539"] + "WRITE_OWNER" : ["1540"] + "Wednesday" : ["1923"] + "Workstation Trust Account' - Disabled" : ["2055"] + "Workstation Trust Account' - Enabled" : ["2087"] + "Write Property" : ["7685"] + "Write Self" : ["7683"] + "Write attributes" : ["6660"] + "Write objects" : ["6679"] + "Write persisted key to file." 
: ["2459"] + "Write to process memory" : ["4485"] + "WriteAccount" : ["5409","5445","5428"] + "WriteAttributes" : ["4424"] + "WriteData (or AddFile)" : ["4417"] + "WriteEA" : ["4420"] + "WriteOtherParameters" : ["5395"] + "WritePasswordParameters" : ["5393"] + "WritePreferences" : ["5442"] + "Yes" : ["1842","14678"] + "[NULL]" : ["14673"] + "a Security Descriptor too long to display" : ["1829"] + "an ACE too long to display" : ["1828"] + "vSwitch" : ["14604"] + "vSwitch Egress" : ["14642"] + "vSwitch Ingress" : ["14641"] + AccessMaskDescriptions: + "0x00000001": Create Child + "0x00000002": Delete Child + "0x00000004": List Contents + "0x00000008": SELF + "0x00000010": Read Property + "0x00000020": Write Property + "0x00000040": Delete Treee + "0x00000080": List Object + "0x00000100": Control Access + "0x00010000": DELETE + "0x00020000": READ_CONTROL + "0x00040000": WRITE_DAC + "0x00080000": WRITE_OWNER + "0x00100000": SYNCHRONIZE + "0x00F00000": STANDARD_RIGHTS_REQUIRED + "0x001F0000": STANDARD_RIGHTS_ALL + "0x0000FFFF": SPECIFIC_RIGHTS_ALL + "0x01000000": ADS_RIGHT_ACCESS_SYSTEM_SECURITY + "0x10000000": ADS_RIGHT_GENERIC_ALL + "0x20000000": ADS_RIGHT_GENERIC_EXECUTE + "0x40000000": ADS_RIGHT_GENERIC_WRITE + "0x80000000": ADS_RIGHT_GENERIC_READ + source: |- + def split(String s) { + def f = new ArrayList(); + int last = 0; + for (; last < s.length() && Character.isWhitespace(s.charAt(last)); last++) {} + for (def i = last; i < s.length(); i++) { + if (!Character.isWhitespace(s.charAt(i))) { + continue; + } + f.add(s.substring(last, i)); + for (; i < s.length() && Character.isWhitespace(s.charAt(i)); i++) {} + last = i; + } + f.add(s.substring(last)); + return f; + } + if (ctx.winlog?.event_data?.FailureReason != null) { + def code = ctx.winlog.event_data.FailureReason.replace("%%",""); + def desc = params.descriptions[code]; + if (desc == null) { + desc = code; + } + if (desc != null) { + if (ctx.winlog?.logon == null ) { + HashMap hm = new HashMap(); + 
ctx.winlog.put("logon", hm); + } + if (ctx.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("reason", desc); + } + } + if (ctx.winlog?.event_data?.AuditPolicyChanges != null) { + ArrayList results = new ArrayList(); + for (elem in ctx.winlog.event_data.AuditPolicyChanges.splitOnToken(",")) { + def code = elem.replace("%%","").trim(); + if (params.descriptions.containsKey(code)) { + results.add(params.descriptions[code]); + } else { + results.add(code); + } + } + if (results.length > 0) { + ctx.winlog.event_data.put("AuditPolicyChangesDescription", results); + } + } + if (ctx.winlog?.event_data?.AccessList != null) { + ArrayList codes = new ArrayList(); + ArrayList results = new ArrayList(); + for (elem in split(ctx.winlog.event_data.AccessList)) { + def code = elem.replace("%%","").trim(); + if (code != "") { + codes.add(code); + } + if (params.descriptions.containsKey(code)) { + results.add(params.descriptions[code]); + } else { + results.add(code); + } + } + if (codes.length > 0) { + ctx.winlog.event_data.AccessList = codes; + } + if (results.length > 0) { + ctx.winlog.event_data.put("AccessListDescription", results); + } + } + if (ctx.winlog?.event_data?.Direction != null) { + def code = ctx.winlog.event_data.Direction.replace("%%","").trim(); + if (params.descriptions.containsKey(code)) { + ctx.winlog.event_data.put("DirectionDescription", params.descriptions[code]); + } + } + if (ctx.winlog?.event_data?.LayerName != null) { + def code = ctx.winlog.event_data.LayerName.replace("%%","").trim(); + if (params.descriptions.containsKey(code)) { + ctx.winlog.event_data.put("LayerNameDescription", params.descriptions[code]); + } + } + if (ctx.winlog?.event_data?.AccessMask != null) { + ArrayList list = new ArrayList(); + long accessMask; + for (elem in split(ctx.winlog.event_data.AccessMask)) { + if (elem.length() == 0) { + continue; + } + def code = elem.replace("%%","").trim(); 
+ if (params.descriptions.containsKey(code)) { + list.add(params.descriptions[code]); + } else { + list.add(code); + if (params.reversed_descriptions.containsKey(code)) + code = params.reversed_descriptions[code][0]; + } + try { + def longCode = Long.decode(code).longValue(); + accessMask |= longCode; + } catch (Exception e) {} + } + if (list.length > 0) { + ctx.winlog.event_data.put("AccessMask", list); + } + + ArrayList desc = new ArrayList(); + def[] w = new def[] { null }; + for (long b = 0; b < 32; b++) { + long flag = 1L << b; + if ((accessMask & flag) == flag) { + w[0] = flag; + def fDesc = params.AccessMaskDescriptions[String.format("0x%08X", w)]; + if (fDesc != null) { + desc.add(fDesc); + } + } + } + if (desc.length > 0) { + ctx.winlog.event_data.put("AccessMaskDescription", desc); + } + ArrayList results = new ArrayList(); + } + - script: + lang: painless + ignore_failure: false + tag: 4625 and 4776 Set Status and SubStatus + description: 4625 and 4776 Set Status and SubStatus + # Descriptions of failure status codes. + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 + params: + "0xc000005e": "There are currently no logon servers available to service the logon request." + "0xc0000064": "User logon with misspelled or bad user account" + "0xc000006a": "User logon with misspelled or bad password" + "0xc000006d": "This is either due to a bad username or authentication information" + "0xc000006e": "Unknown user name or bad password." + "0xc000006f": "User logon outside authorized hours" + "0xc0000070": "User logon from unauthorized workstation" + "0xc0000071": "User logon with expired password" + "0xc0000072": "User logon to account disabled by administrator" + "0xc00000dc": "Indicates the Sam Server was in the wrong state to perform the desired operation." 
+ "0xc0000133": "Clocks between DC and other computer too far out of sync" + "0xc000015b": "The user has not been granted the requested logon type (aka logon right) at this machine" + "0xc000018c": "The logon request failed because the trust relationship between the primary domain and the trusted domain failed." + "0xc0000192": "An attempt was made to logon, but the Netlogon service was not started." + "0xc0000193": "User logon with expired account" + "0xc0000224": "User is required to change password at next logon" + "0xc0000225": "Evidently a bug in Windows and not a risk" + "0xc0000234": "User logon with account locked" + "0xc00002ee": "Failure Reason: An Error occurred during Logon" + "0xc0000413": "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine." + "0xc0000371": "The local account store does not contain secret material for the specified account" + "0x0": "Status OK." + source: |- + if (ctx.winlog?.event_data?.Status == null || + ctx.event?.code == null || + !["4625", "4776"].contains(ctx.event.code)) { + return; + } + if (params.containsKey(ctx.winlog.event_data.Status)) { + if (ctx.winlog?.logon == null ) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + if (ctx.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("status", params[ctx.winlog.event_data.Status]); + } + if (ctx.winlog?.event_data?.SubStatus == null || !params.containsKey(ctx.winlog.event_data.SubStatus)) { + return; + } + if (ctx.winlog?.logon == null ) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + if (ctx.winlog?.logon?.failure == null) { + HashMap hm = new HashMap(); + ctx.winlog.logon.put("failure", hm); + } + ctx.winlog.logon.failure.put("sub_status", params[ctx.winlog.event_data.SubStatus]); + - script: + lang: painless + ignore_failure: false + tag: Set 
Trust Type + description: Set Trust Type + # Trust Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 + params: + "1": "TRUST_TYPE_DOWNLEVEL" + "2": "TRUST_TYPE_UPLEVEL" + "3": "TRUST_TYPE_MIT" + "4": "TRUST_TYPE_DCE" + source: |- + if (ctx.winlog?.event_data?.TdoType == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoType)) { + return; + } + ctx.winlog.put("trustType", params[ctx.winlog.event_data.TdoType]); + - script: + lang: painless + ignore_failure: false + tag: Set Trust Direction + description: Set Trust Direction + # Trust Direction + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 + params: + "0": "TRUST_DIRECTION_DISABLED" + "1": "TRUST_DIRECTION_INBOUND" + "2": "TRUST_DIRECTION_OUTBOUND" + "3": "TRUST_DIRECTION_BIDIRECTIONAL" + source: |- + if (ctx.winlog?.event_data?.TdoDirection == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoDirection)) { + return; + } + ctx.winlog.put("trustDirection", params[ctx.winlog.event_data.TdoDirection]); + - script: + lang: painless + ignore_failure: false + tag: Set Trust Attributes + description: Set Trust Attributes + # Trust Attributes + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 + params: + "0": "UNDEFINED" + "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE" + "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY" + "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN" + "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE" + "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION" + "32": "TRUST_ATTRIBUTE_WITHIN_FOREST" + "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL" + "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION" + "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION" + "1024": "TRUST_ATTRIBUTE_PIM_TRUST" + source: |- + if (ctx.winlog?.event_data?.TdoAttributes == null) { + return; + } + if (!params.containsKey(ctx.winlog.event_data.TdoAttributes)) { + return; + } + 
ctx.winlog.put("trustAttribute", params[ctx.winlog.event_data.TdoAttributes]); + - script: + lang: painless + ignore_failure: false + tag: Add Session Events + description: Add Session Events + source: |- + if (ctx.event?.code == null || + !["4778", "4779"].contains(ctx.event.code)) { + return; + } + //AccountName to user.name and related.user + if (ctx.winlog?.event_data?.AccountName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.event_data.AccountName); + if (!ctx.related.user.contains(ctx.winlog.event_data.AccountName)) { + ctx.related.user.add(ctx.winlog.event_data.AccountName); + } + } + + //AccountDomain to user.domain + if (ctx.winlog?.event_data?.AccountDomain != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.event_data.AccountDomain); + } + + //ClientAddress to source.ip and related.ip + if (ctx.winlog?.event_data?.ClientAddress != null && + ctx.winlog.event_data.ClientAddress != "-" && + ctx.winlog.event_data.ClientAddress != "Unknown") { + // Correct invalid IP address "LOCAL" + if (ctx?.winlog?.event_data?.ClientAddress == "LOCAL") { + ctx.winlog.event_data.ClientAddress="127.0.0.1"; + } + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.ip == null) { + ArrayList al = new ArrayList(); + ctx.related.put("ip", al); + } + ctx.source.put("ip", ctx.winlog.event_data.ClientAddress); + if (!ctx.related.ip.contains(ctx.winlog.event_data.ClientAddress)) { + ctx.related.ip.add(ctx.winlog.event_data.ClientAddress); + } + } + + //ClientName to source.domain + if 
(ctx.winlog?.event_data?.ClientName != null) { + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("domain", ctx.winlog.event_data.ClientName); + } + + //LogonID to winlog.logon.id + if (ctx.winlog?.event_data?.LogonID != null) { + if (ctx.winlog?.logon == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("logon", hm); + } + ctx.winlog.logon.put("id", ctx.winlog.event_data.LogonID); + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User + description: Copy Target User + source: |- + if (ctx.event?.code == null || + !["4624", "4625", "4634", "4647", "4648", "4768", "4769", "4770", + "4771", "4776", "4964"].contains(ctx.event.code)) { + return; + } + + def targetUserId = ctx.winlog?.event_data?.TargetUserSid; + if (targetUserId == null) { + targetUserId = ctx.winlog?.event_data?.TargetSid; + } + + //TargetUserSid to user.id or user.target.id + if (targetUserId != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.user?.id == null) { + ctx.user.put("id", targetUserId); + } else { + if (ctx.user?.target == null) { + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("id", targetUserId); + } + } + + //TargetUserName to related.user and user.name or user.target.name + if (ctx.winlog?.event_data?.TargetUserName != null) { + def tun = ctx.winlog.event_data.TargetUserName.splitOnToken("@"); + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.user?.name == null) { + ctx.user.put("name", tun[0]); + } else { + if (ctx.user?.target == null) { + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("name", tun[0]); + } + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if 
(!ctx.related.user.contains(tun[0])) { + ctx.related.user.add(tun[0]); + } + } + //TargetUserDomain to user.domain or user.target.domain + if (ctx.winlog?.event_data?.TargetDomainName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.user?.domain == null) { + ctx.user.put("domain", ctx.winlog.event_data.TargetDomainName); + } else { + if (ctx.user?.target == null){ + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + ctx.user.target.put("domain", ctx.winlog.event_data.TargetDomainName); + } + } +# split member name into parts based on comma ignoring escaped commas +# https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names + - split: + if: ctx.winlog?.event_data?.MemberName != null + field: winlog.event_data.MemberName + target_field: _temp.MemberNameParts + separator: "(?= 4) { + def domain = memberNameParts[3].replace("DC=", "").replace("dc=", ""); + ctx.user.target.put("domain", domain); + } + } + if (ctx.winlog?.event_data?.TargetUserSid != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("id", ctx.winlog.event_data.TargetUserSid); + } + if (ctx.winlog?.event_data?.TargetSid != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("id", ctx.winlog.event_data.TargetSid); + } + if (ctx.winlog?.event_data?.TargetUserName != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + ctx.group.put("name", ctx.winlog.event_data.TargetUserName); + } + if (ctx.winlog?.event_data?.TargetDomainName != null) { + if (ctx.group == null) { + HashMap hm = new HashMap(); + ctx.put("group", hm); + } + def domain = ctx.winlog.event_data.TargetDomainName.replace("DC=", "").replace("dc=", ""); + ctx.group.put("domain", domain); + } + if (ctx.user?.target != null) { + if (ctx.user?.target?.group == null) { + HashMap hm = new 
HashMap(); + ctx.user.target.put("group", hm); + } + if (ctx.group?.id != null) { + ctx.user.target.group.put("id", ctx.group.id); + } + if (ctx.group?.name != null) { + ctx.user.target.group.put("name", ctx.group.name); + } + if (ctx.group?.domain != null) { + ctx.user.target.group.put("domain", ctx.group.domain); + } + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User to Computer Object + description: Copy Target User to Computer Object + source: |- + if (ctx.event?.code == null || + !["4741", "4742", "4743"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.TargetSid != null) { + if (ctx.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("id", ctx.winlog.event_data.TargetSid); + } + if (ctx.winlog?.event_data?.TargetUserName != null) { + if (ctx.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("name", ctx.winlog.event_data.TargetUserName); + } + if (ctx.winlog?.event_data?.TargetDomainName != null) { + if (ctx.winlog?.computerObject == null) { + HashMap hm = new HashMap(); + ctx.winlog.put("computerObject", hm); + } + ctx.winlog.computerObject.put("domain", ctx.winlog.event_data.TargetDomainName); + } + + - set: + field: winlog.logon.id + copy_from: winlog.event_data.TargetLogonId + ignore_failure: false + if: ctx.event?.code != null && ["4634", "4647", "4964"].contains(ctx.event.code) + + - script: + lang: painless + ignore_failure: false + tag: Copy Subject User from Event Data + description: Copy Subject User from Event Data + source: |- + if (ctx.event?.code == null || + !["4648", "4657", "4662", "4670", "4672", "4673", "4674", "4688", "4689", "4697", + "4698", "4699", "4700", "4701", "4702", "4706", "4707", "4713", "4716", "4717", + "4718", "4719", "4720", "4722", "4723", "4724", "4725", "4726", "4727", "4728", + "4729", "4730", 
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4739", + "4740", "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", "4749", + "4750", "4751", "4752", "4753", "4754", "4755", "4756", "4757", "4758", "4759", + "4760", "4761", "4762", "4763", "4764", "4767", "4781", "4797", "4798", "4799", + "4817", "4904", "4905", "4907", "4912", "5136", "5140", "5145", "5379", "5380", + "5381", "5382"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.SubjectUserSid != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("id", ctx.winlog.event_data.SubjectUserSid); + } + if (ctx.winlog?.event_data?.SubjectUserName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.event_data.SubjectUserName); + if (!ctx.related.user.contains(ctx.winlog.event_data.SubjectUserName)) { + ctx.related.user.add(ctx.winlog.event_data.SubjectUserName); + } + } + if (ctx.winlog?.event_data?.SubjectDomainName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.event_data.SubjectDomainName); + } + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User to Target + description: Copy Target User to Target + source: |- + if (ctx?.event?.code == null || + !["4670", "4720", "4722", "4723", "4724", "4725", + "4726", "4738", "4740", "4767", "4798", "4817", + "4907", "4797"].contains(ctx.event.code)) { + return; + } + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.target == null) { + HashMap hm = new HashMap(); + ctx.user.put("target", hm); + } + def userId = ctx?.winlog?.event_data?.TargetSid; + if (userId != 
null && userId != "" && userId != "-") ctx.user.target.id = userId; + def userName = ctx?.winlog?.event_data?.TargetUserName; + if (userName != null && userName != "" && userName != "-") { + ctx.user.target.name = userName; + def parts = userName.splitOnToken("@"); + if (parts.length > 1) { + ctx.user.target.name = parts[0]; + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(ctx.user.target.name)) { + ctx.related.user.add(ctx.user.target.name); + } + } + def userDomain = ctx?.winlog?.event_data?.TargetDomainName; + if (userDomain != null && userDomain != "" && userDomain != "-") ctx.user.target.domain = userDomain; + if (ctx.user?.target != null && ctx.user.target.size() == 0) ctx.user.remove("target"); + + - script: + lang: painless + ignore_failure: false + tag: Copy Target User to Effective + description: Copy Target User to Effective + source: |- + if (ctx?.event?.code == null || + !["4648", "4688"].contains(ctx.event.code)) { + return; + } + if (ctx?.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx?.user?.effective == null) { + HashMap hm = new HashMap(); + ctx.user.put("effective", hm); + } + def userId = ctx?.winlog?.event_data?.TargetUserSid; + if (userId != null && userId != "" && userId != "-") ctx.user.effective.id = userId; + def userName = ctx?.winlog?.event_data?.TargetUserName; + if (userName != null && userName != "" && userName != "-") { + ctx.user.effective.name = userName; + def parts = userName.splitOnToken("@"); + if (parts.length > 1) { + ctx.user.effective.name = parts[0]; + } + if (ctx?.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(ctx.user.effective.name)) { + ctx.related.user.add(ctx.user.effective.name); + } + } + def userDomain = ctx?.winlog?.event_data?.TargetDomainName; + if (userDomain != null && userDomain != "" && userDomain != 
"-") ctx.user.effective.domain = userDomain; + if (ctx.user?.effective != null && ctx.user.effective.size() == 0) ctx.user.remove("effective"); + + - script: + lang: painless + ignore_failure: false + tag: Copy Subject User from user_data + description: Copy Subject User from user_data + source: |- + if (ctx.event?.code == null || + !["1102"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.user_data?.SubjectUserSid != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("id", ctx.winlog.user_data.SubjectUserSid); + } + if (ctx.winlog?.user_data?.SubjectUserName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + ctx.user.put("name", ctx.winlog.user_data.SubjectUserName); + if (!ctx.related.user.contains(ctx.winlog.user_data.SubjectUserName)) { + ctx.related.user.add(ctx.winlog.user_data.SubjectUserName); + } + } + if (ctx.winlog?.user_data?.SubjectDomainName != null) { + if (ctx.user == null) { + HashMap hm = new HashMap(); + ctx.put("user", hm); + } + ctx.user.put("domain", ctx.winlog.user_data.SubjectDomainName); + } + + - set: + field: winlog.logon.id + copy_from: winlog.event_data.SubjectLogonId + ignore_failure: true + + - set: + field: winlog.logon.id + copy_from: winlog.user_data.SubjectLogonId + ignore_failure: true + if: |- + ctx.event?.code != null && + ["1102"].contains(ctx.event.code) + + - script: + lang: painless + ignore_failure: false + tag: Rename Common Auth Fields + description: Rename Common Auth Fields + source: |- + if (ctx.event?.code == null || + !["1100", "1102", "1104", "1105", "1108", "4624", "4648", "4625", + "4670", "4673", "4674", "4689", "4697", "4719", "4720", "4722", + "4723", "4724", "4725", "4726", "4727", "4728", "4729", "4730", + 
"4731", "4732", "4733", "4734", "4735", "4737", "4738", "4740", + "4741", "4742", "4743", "4744", "4745", "4746", "4747", "4748", + "4749", "4750", "4751", "4752", "4753", "4754", "4755", "4756", + "4757", "4758", "4759", "4760", "4761", "4762", "4763", "4764", + "4767", "4768", "4769", "4770", "4771", "4798", "4799", "4817", + "4904", "4905", "4907", "4912", "5140", "5145"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.ProcessId != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.put("pid", pid.longValue()); + } else { + ctx.process.put("pid", ctx.winlog.event_data.ProcessId); + } + ctx.winlog.event_data.remove("ProcessId"); + } + if (ctx.winlog?.event_data?.ProcessName != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("executable", ctx.winlog.event_data.ProcessName); + ctx.winlog.event_data.remove("ProcessName"); + } + if (ctx.winlog?.event_data?.IpAddress != null && + ctx.winlog.event_data.IpAddress != "-") { + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("ip", ctx.winlog.event_data.IpAddress); + ctx.winlog.event_data.remove("IpAddress"); + } + if (ctx.winlog?.event_data?.IpPort != null && ctx.winlog.event_data.IpPort != "-") { + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("port", Long.decode(ctx.winlog.event_data.IpPort)); + ctx.winlog.event_data.remove("IpPort"); + } + if (ctx.winlog?.event_data?.WorkstationName != null) { + if (ctx.source == null) { + HashMap hm = new HashMap(); + ctx.put("source", hm); + } + ctx.source.put("domain", ctx.winlog.event_data.WorkstationName); + ctx.winlog.event_data.remove("WorkstationName"); + } + if (ctx.winlog?.event_data?.ClientAddress != null 
&& + ctx.winlog.event_data.ClientAddress != "-") { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + ctx.related.put("ip", ctx.winlog.event_data.ClientAddress); + ctx.winlog.event_data.remove("ClientAddress"); + } + if (ctx.process?.name == null && ctx.process?.executable != null) { + def parts = ctx.process.executable.splitOnToken("\\"); + ctx.process.put("name", parts[-1]); + } + + - script: + lang: painless + ignore_failure: false + tag: Process Event 4688 + description: Process Event 4688 + source: |- + if (ctx.event?.code == null || + !["4688"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.NewProcessId != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.winlog.event_data.NewProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.NewProcessId); + ctx.process.put("pid", pid.longValue()); + } else { + ctx.process.put("pid", ctx.winlog.event_data.NewProcessId); + } + ctx.winlog.event_data.remove("NewProcessId"); + } + if (ctx.winlog?.event_data?.NewProcessName != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("executable", ctx.winlog.event_data.NewProcessName); + ctx.winlog.event_data.remove("NewProcessName"); + } + if (ctx.winlog?.event_data?.ParentProcessName != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + ctx.process.parent.put("executable", ctx.winlog.event_data.ParentProcessName); + ctx.winlog.event_data.remove("ParentProcessName"); + } + if (ctx.process?.name == null && ctx.process?.executable != null) { + def parts = ctx.process.executable.splitOnToken("\\"); + ctx.process.put("name", parts[-1]); + } + if (ctx.process?.parent?.name == null && ctx.process?.parent?.executable != null) { + def 
parts = ctx.process.parent.executable.splitOnToken("\\"); + ctx.process.parent.put("name", parts[-1]); + } + if (ctx.winlog?.event_data?.ProcessId != null) { + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.parent.put("pid", pid.longValue()); + } else { + ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId); + } + } + if (ctx.winlog?.event_data?.CommandLine != null) { + int start = 0; + int end = 0; + boolean in_quote = false; + ArrayList al = new ArrayList(); + for (int i = 0; i < ctx.winlog.event_data.CommandLine.length(); i++) { + end = i; + if (Character.compare(ctx.winlog.event_data.CommandLine.charAt(i), "\"".charAt(0)) == 0) { + if (in_quote) { + in_quote = false; + } else { + in_quote = true; + } + } + if (Character.isWhitespace(ctx.winlog.event_data.CommandLine.charAt(i)) && !in_quote) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end)); + start = i + 1; + } + if (i == ctx.winlog.event_data.CommandLine.length() - 1) { + al.add(ctx.winlog.event_data.CommandLine.substring(start, end + 1)); + } + } + if (ctx.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + ctx.process.put("args", al); + ctx.process.put("command_line", ctx.winlog.event_data.CommandLine); + } + if ((ctx.winlog?.event_data?.TargetUserName != null) && + (!ctx.winlog.event_data.TargetUserName.equals("-"))) { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(ctx.winlog.event_data.TargetUserName)) { + ctx.related.user.add(ctx.winlog.event_data.TargetUserName); + } + } + + - append: + field: 
related.user + value: '{{winlog.event_data.SubjectUserName}}' + allow_duplicates: false + if: |- + ctx.event?.code != null && + ["4624", "4648", "4797", "5379", "5380", "5381", "5382"].contains(ctx.event.code) && + ctx.winlog?.event_data?.SubjectUserName != null && + ctx.winlog.event_data.SubjectUserName != "-" + + - append: + field: related.user + value: '{{winlog.event_data.TargetUserName}}' + allow_duplicates: false + if: |- + ctx.event?.code != null && + ["4688", "4720", "4722", "4723", "4724", "4725", "4726", "4738", + "4740", "4767", "4797", "4798"].contains(ctx.event.code) && + ctx.winlog?.event_data?.TargetUserName != null && + ctx.winlog.event_data.TargetUserName != "-" + + - split: + field: winlog.event_data.PrivilegeList + separator: "\\s+" + if: |- + ctx.event?.code != null && + ["4672", "4673", "4674", "4741", "4742", "4743"].contains(ctx.event.code) && + ctx.winlog?.event_data?.PrivilegeList != null + + - set: + field: user.target.name + copy_from: winlog.event_data.OldTargetUserName + ignore_empty_value: true + + - set: + field: user.changes.name + copy_from: winlog.event_data.NewTargetUserName + ignore_empty_value: true + + - append: + field: related.user + value: '{{winlog.event_data.NewTargetUserName}}' + allow_duplicates: false + if: |- + ctx.winlog?.event_data?.NewTargetUserName != null && + ctx.winlog.event_data.NewTargetUserName != "-" + + - append: + field: related.user + value: '{{winlog.event_data.OldTargetUserName}}' + allow_duplicates: false + if: |- + ctx.winlog?.event_data?.OldTargetUserName != null && + ctx.winlog.event_data.OldTargetUserName != "-" + + - gsub: + field: source.ip + pattern: '^\[?::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(?:\](?::[0-9]+)?)?$' + replacement: '$1' + ignore_missing: true + + - append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: |- + ctx.source?.ip != null && + ctx.source.ip != "-" + + - script: + lang: painless + ignore_failure: false + tag: Object Policy Change and 
SidListDesc + description: Object Policy Change and SidListDesc + # SDDL Ace Types + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 + # https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 + # SDDL Permissions + # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715 + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070 + # Known SIDs + # https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems + # https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings + # Domain-specific SIDs + # https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems + # Object Permission Flags + # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b + params: + AccountSIDDescription: + AO: Account operators + RU: Alias to allow previous Windows 2000 + AN: Anonymous logon + AU: Authenticated users + BA: Built-in administrators + BG: Built-in guests + BO: Backup operators + BU: Built-in users + CA: Certificate server administrators + CG: Creator group + CO: Creator owner + DA: Domain administrators + DC: Domain computers + DD: Domain controllers + DG: Domain guests + DU: Domain users + EA: Enterprise administrators + ED: Enterprise domain controllers + WD: Everyone + PA: Group Policy administrators + IU: Interactively logged-on user + LA: Local administrator + LG: Local guest + LS: Local service account + SY: Local system + NU: Network logon user + "NO": Network configuration operators + NS: Network service account + PO: Printer operators + PS: Personal self + PU: Power users + RS: RAS servers group + RD: Terminal server users + RE: Replicator + RC: Restricted code + SA: 
Schema administrators + SO: Server operators + SU: Service logon user + S-1-0: Null Authority + S-1-0-0: Nobody + S-1-1: World Authority + S-1-1-0: Everyone + S-1-16-0: Untrusted Mandatory Level + S-1-16-12288: High Mandatory Level + S-1-16-16384: System Mandatory Level + S-1-16-20480: Protected Process Mandatory Level + S-1-16-28672: Secure Process Mandatory Level + S-1-16-4096: Low Mandatory Level + S-1-16-8192: Medium Mandatory Level + S-1-16-8448: Medium Plus Mandatory Level + S-1-2: Local Authority + S-1-2-0: Local + S-1-2-1: Console Logon + S-1-3: Creator Authority + S-1-3-0: Creator Owner + S-1-3-1: Creator Group + S-1-3-2: Creator Owner Server + S-1-3-3: Creator Group Server + S-1-3-4: Owner Rights + S-1-4: Non-unique Authority + S-1-5: NT Authority + S-1-5-1: Dialup + S-1-5-10: Principal Self + S-1-5-11: Authenticated Users + S-1-5-12: Restricted Code + S-1-5-13: Terminal Server Users + S-1-5-14: Remote Interactive Logon + S-1-5-15: This Organization + S-1-5-17: This Organization + S-1-5-18: Local System + S-1-5-19: NT Authority + S-1-5-2: Network + S-1-5-20: NT Authority + S-1-5-3: Batch + S-1-5-32-544: Administrators + S-1-5-32-545: Users + S-1-5-32-546: Guests + S-1-5-32-547: Power Users + S-1-5-32-548: Account Operators + S-1-5-32-549: Server Operators + S-1-5-32-550: Print Operators + S-1-5-32-551: Backup Operators + S-1-5-32-552: Replicators + S-1-5-32-554: Builtin\Pre-Windows 2000 Compatible Access + S-1-5-32-555: Builtin\Remote Desktop Users + S-1-5-32-556: Builtin\Network Configuration Operators + S-1-5-32-557: Builtin\Incoming Forest Trust Builders + S-1-5-32-558: Builtin\Performance Monitor Users + S-1-5-32-559: Builtin\Performance Log Users + S-1-5-32-560: Builtin\Windows Authorization Access Group + S-1-5-32-561: Builtin\Terminal Server License Servers + S-1-5-32-562: Builtin\Distributed COM Users + S-1-5-32-569: Builtin\Cryptographic Operators + S-1-5-32-573: Builtin\Event Log Readers + S-1-5-32-574: Builtin\Certificate Service DCOM Access + 
S-1-5-32-575: Builtin\RDS Remote Access Servers + S-1-5-32-576: Builtin\RDS Endpoint Servers + S-1-5-32-577: Builtin\RDS Management Servers + S-1-5-32-578: Builtin\Hyper-V Administrators + S-1-5-32-579: Builtin\Access Control Assistance Operators + S-1-5-32-580: Builtin\Remote Management Users + S-1-5-32-582: Storage Replica Administrators + S-1-5-4: Interactive + S-1-5-5-X-Y: Logon Session + S-1-5-6: Service + S-1-5-64-10: NTLM Authentication + S-1-5-64-14: SChannel Authentication + S-1-5-64-21: Digest Authentication + S-1-5-7: Anonymous + S-1-5-8: Proxy + S-1-5-80: NT Service + S-1-5-80-0: All Services + S-1-5-83-0: NT Virtual Machine\Virtual Machines + S-1-5-9: Enterprise Domain Controllers + S-1-5-90-0: Windows Manager\Windows Manager Group + AceTypes: + A: Access Allowed + D: Access Denied + OA: Object Access Allowed + OD: Object Access Denied + AU: System Audit + AL: System Alarm + OU: System Object Audit + OL: System Object Alarm + ML: System Mandatory Label + SP: Central Policy ID + DomainSpecificSID: + "498": Enterprise Read-only Domain Controllers + "500": Administrator + "501": Guest + "502": KRBTGT + "512": Domain Admins + "513": Domain Users + "514": Domain Guests + "515": Domain Computers + "516": Domain Controllers + "517": Cert Publishers + "518": Schema Admins + "519": Enterprise Admins + "520": Group Policy Creator Owners + "521": Read-only Domain Controllers + "522": Cloneable Domain Controllers + "526": Key Admins + "527": Enterprise Key Admins + "553": RAS and IAS Servers + "571": Allowed RODC Password Replication Group + "572": Denied RODC Password Replication Group + PermissionDescription: + GA: Generic All + GR: Generic Read + GW: Generic Write + GX: Generic Execute + RC: Read Permissions + SD: Delete + WD: Modify Permissions + WO: Modify Owner + RP: Read All Properties + WP: Write All Properties + CC: Create All Child Objects + DC: Delete All Child Objects + LC: List Contents + SW: All Validated + LO: List Object + DT: Delete Subtree + CR: 
All Extended Rights + FA: File All Access + FR: File Generic Read + FX: FILE GENERIC EXECUTE + FW: FILE GENERIC WRITE + KA: KEY ALL ACCESS + KR: KEY READ + KW: KEY WRITE + KX: KEY EXECUTE + PermsFlags: + "0x80000000": 'Generic Read' + "0x4000000": 'Generic Write' + "0x20000000": 'Generic Execute' + "0x10000000": 'Generic All' + "0x02000000": 'Maximum Allowed' + "0x01000000": 'Access System Security' + "0x00100000": 'Syncronize' + "0x00080000": 'Write Owner' + "0x00040000": 'Write DACL' + "0x00020000": 'Read Control' + "0x00010000": 'Delete' + source: |- + ArrayList translatePermissionMask(def mask, def params) { + ArrayList al = new ArrayList(); + Long permCode = Long.decode(mask); + for (entry in params.PermsFlags.entrySet()) { + Long permFlag = Long.decode(entry.getKey()); + if ((permCode.longValue() & permFlag.longValue()) == permFlag.longValue()) { + al.add(entry.getValue()); + } + } + if (al.length == 0) { + al.add(mask); + } + return al; + } + + HashMap translateACL(def dacl, def params) { + def aceArray = dacl.splitOnToken(";"); + HashMap hm = new HashMap(); + + if (aceArray.length >= 6 ) { + hm.put("grantee", translateSID(aceArray[5], params)); + } + + if (aceArray.length >= 1) { + hm.put("type", params.AceTypes[aceArray[0]]); + } + + if (aceArray.length >= 3) { + if (aceArray[2].startsWith("0x")) { + hm.put("perms", translatePermissionMask(aceArray[2], params)); + } else { + ArrayList al = new ArrayList(); + Pattern permPattern = /.{1,2}/; + Matcher permMatcher = permPattern.matcher(aceArray[2]); + while (permMatcher.find()) { + al.add(params.PermissionDescription[permMatcher.group(0)]); + } + hm.put("perms", al); + } + } + return hm; + } + String translateSID(def sid, def params) { + if (!params.AccountSIDDescription.containsKey(sid)) { + if (sid.startsWith("S-1-5-21")) { + Pattern uidPattern = /[0-9]{1,5}$/; + Matcher uidMatcher = uidPattern.matcher(sid); + if (uidMatcher.find()) { + return params.DomainSpecificSID[uidMatcher.group(0)]; + } + return sid; 
+ } + return sid; + } + return params.AccountSIDDescription[sid]; + } + + void enrichSDDL(def sddlStr, def Sd, def params, def ctx) { + Pattern sdOwnerPattern = /^O\:[A-Z]{2}/; + Matcher sdOwnerMatcher = sdOwnerPattern.matcher(sddlStr); + if (sdOwnerMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Owner", translateSID(sdOwnerMatcher.group(0), params)); + } + + Pattern sdGroupPattern = /^G\:[A-Z]{2}/; + Matcher sdGroupMatcher = sdGroupPattern.matcher(sddlStr); + if (sdGroupMatcher.find()) { + ctx.winlog.event_data.put(Sd + "Group", translateSID(sdGroupMatcher.group(0), params)); + } + + Pattern sdDaclPattern = /(D:([A-Z]*(\(.*\))*))/; + Matcher sdDaclMatcher = sdDaclPattern.matcher(sddlStr); + if (sdDaclMatcher.find()) { + Pattern dacListPattern = /\([^*\)]*\)/; + Matcher dacListMatcher = dacListPattern.matcher(sdDaclMatcher.group(1)); + for (def i = 0; dacListMatcher.find(); i++) { + def newDacl = translateACL(dacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Dacl" + i.toString(), newDacl['grantee'] + " :" + newDacl['type'] + " (" + newDacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newDacl['grantee'])) { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newDacl['grantee'])) { + ctx.related.user.add(newDacl['grantee']); + } + } + } + } + + Pattern sdSaclPattern = /(S:([A-Z]*(\(.*\))*))?$/; + Matcher sdSaclMatcher = sdSaclPattern.matcher(sddlStr); + if (sdSaclMatcher.find()) { + Pattern sacListPattern = /\([^*\)]*\)/; + Matcher sacListMatcher = sacListPattern.matcher(sdSaclMatcher.group(0)); + for (def i = 0; sacListMatcher.find(); i++) { + def newSacl = translateACL(sacListMatcher.group(0).replace("(","").replace(")",""), params); + ctx.winlog.event_data.put(Sd + "Sacl" + i.toString(), newSacl['grantee'] + " :" + 
newSacl['type'] + " (" + newSacl['perms'] + ")"); + if (["Administrator", "Guest", "KRBTGT"].contains(newSacl['grantee'])) { + if (ctx.related == null) { + HashMap hm = new HashMap(); + ctx.put("related", hm); + } + if (ctx.related?.user == null) { + ArrayList al = new ArrayList(); + ctx.related.put("user", al); + } + if (!ctx.related.user.contains(newSacl['grantee'])) { + ctx.related.user.add(newSacl['grantee']); + } + } + } + } + } + + void splitSidList(def sids, def params, def ctx) { + ArrayList al = new ArrayList(); + def sidList = sids.splitOnToken(" "); + ctx.winlog.event_data.put("SidList", sidList); + for (def i = 0; i < sidList.length; i++ ) { + al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); + } + ctx.winlog.event_data.put("SidListDesc", al); + } + + if (ctx.event?.code == null || + !["4670", "4817", "4907", "4908"].contains(ctx.event.code)) { + return; + } + if (ctx.winlog?.event_data?.OldSd != null) { + enrichSDDL(ctx.winlog.event_data.OldSd, "OldSd", params, ctx); + } + if (ctx.winlog?.event_data?.NewSd != null) { + enrichSDDL(ctx.winlog.event_data.NewSd, "NewSd", params, ctx); + } + if (ctx.winlog?.event_data?.SidList != null) { + splitSidList(ctx.winlog.event_data.SidList, params, ctx); + } + + - set: + field: file.name + copy_from: winlog.event_data.RelativeTargetName + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.RelativeTargetName != null && + ctx.winlog.event_data.RelativeTargetName != "" + - set: + field: file.directory + copy_from: winlog.event_data.ShareLocalPath + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareLocalPath != null && + ctx.winlog.event_data.ShareLocalPath != "" + - set: + field: file.path + value: "{{file.directory}}\\{{file.name}}" + if: ctx.file?.name != null && ctx.file?.directory != null + - set: + field: file.directory + copy_from: 
winlog.event_data.ShareLocalPath + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareLocalPath != null && + ctx.winlog.event_data.ShareLocalPath != "" + - set: + field: file.target_path + value: "{{winlog.event_data.ShareName}}\\{{file.name}}" + if: |- + ctx.event?.code != null && + ["5140", "5145"].contains(ctx.event.code) && + ctx.winlog?.event_data?.ShareName != null && + ctx.winlog.event_data.ShareName != "" && + ctx.file?.name != null + - script: + description: Adds file information. + lang: painless + if: ctx.file?.name != null + source: |- + def extIdx = ctx.file.name.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = ctx.file.name.substring(extIdx+1); + } + - convert: + field: winlog.record_id + type: string + ignore_missing: true + + - convert: + field: winlog.event_id + type: string + ignore_missing: true + + - set: + field: ecs.version + value: '8.0.0' + + - set: + field: log.level + copy_from: winlog.level + ignore_empty_value: true + ignore_failure: true + if: ctx.winlog?.level != "" + + - date: + field: winlog.time_created + tag: "time_created_date" + formats: + - ISO8601 + if: ctx.winlog?.time_created != null + on_failure: + - remove: + field: winlog.time_created + ignore_failure: true + - append: + field: error.message + value: "fail-{{{ _ingest.on_failure_processor_tag }}}" + - fail: + message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + + #Cleanup _temp fields as it is not needed anymore + - remove: + field: _temp + ignore_missing: true + ignore_failure: true + +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" 
diff --git a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
index 03ed45832bb2..efec7a6246df 100644
--- a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
+++ b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
@@ -5,7 +5,7 @@ processors:
 - set:
 field: ecs.version
- value: '8.0.0'
+ value: '8.17.0'
 - script:
 description: Remove all empty values from event_data.
 lang: painless