Translate Windows security descriptor to readable ...

coenvandijk · ‎07-05-2017

Im working on using Splunk for Windows auditing. In events 4670, 4656 and 4663 one (or more) security descriptors are present.

These descriptors are very cryptic and look like D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)

I want to translate these (either at index, parse or searchtie) to a reable format. Is this possible? If so, how can I do this?

Thanks in advance,
Coen

wenthold · ‎07-05-2017

I think what you would wind up doing is breaking out each ACE and creating lookups for each of the different components. I think the quickest approach would be to extract each ACE, which will lead to the ACE field often being a multivalue field. Then use mvexpand which will then allow lookups against each of the ACE components. There number of ACEs in a security descriptor is variable, doing this in search is going to be somewhat complex.

Here's a link to a good breakdown of how each ACE is constructed and what the strings mean:

ACE strings on MSDN

Linked in the ACE strings page but easy to miss: ACE SID strings

And here's a decent (but old) blog post on deciphering security descriptors in this format that ties it all together:

MS SDD blog post

coenvandijk · ‎07-05-2017

Thank your the answer.

I was allready afraid that I would need to do something like this. It would have been nice if the Splunk Windows TA would already do this automagically

Translate Windows security descriptor to readable format

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!