Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Missing attributes from eventid 4738, correlation of 4738, 4768 and PIV CA CN

Havealoha
New Member
‎04-18-2018 05:45 AM

We disable User Principal Name Mapping, enable User Name Hints and modify altsecurityidenties attribute with the same PIV properties for multiple user objects, IT privileged, IT less privileged and for assuming a users identity instead of asking for their password or resetting it.

Because we do this, we audit whenever a ticket is granted based on smartcard and whenever anyone edits the altsecurity attribute. We also audit processes so we know what processes were launched by the IT staff member that has assumed an identity.

Even after enabling advanced account management auditing, when a users object altsecurityidentities attribute is modified, there is an event but the event does not contain that attribute. You have to use repadmin to see if that attribute was the one modified.

We also enable advanced Kerberos Authentication Service auditing but the only data that relates to the smartcard certificate is issuer, serial number, and thumbprint. It is not readily apparent whos certificate was used without cross referencing the PIV CA.

Is there a way to add additional attributes to security event ID 4738? Is there a way to get the CN/Subject into Security event ID 4768? We need to be able to tie this all together so that we can be better informed,

Tags (2)
0 Karma
Reply

Havealoha
New Member
‎04-30-2018 09:05 PM

I've got a good start on 4738 at SO https://stackoverflow.com/questions/50083944/powershell-how-to-use-findonecontext-locatoroptions-fla...

For additional 4768 data, the original smart card login event, task xml, powershell and ultimate event are below. Similar methods were used for 4738 as posted on SO above. Feel free to make any code contributions in the comments. The code could use some error handling and try catches.

<System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
  <EventID>4768</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>14339</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8020000000000000</Keywords> 
  <TimeCreated SystemTime="2018-05-01T05:01:26.527879000Z" /> 
  <EventRecordID>588856793</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="460" ThreadID="1364" /> 
  <Channel>Security</Channel> 
  <Computer>workstation.contoso.com</Computer> 
  <Security /> 
  </System>
<EventData>
  <Data Name="TargetUserName">havealoha</Data> 
  <Data Name="TargetDomainName">contoso.com</Data> 
  <Data Name="TargetSid">S-1-5-21-##</Data> 
  <Data Name="ServiceName">krbtgt</Data> 
  <Data Name="ServiceSid">S-1-5-21-##</Data> 
  <Data Name="TicketOptions">0x40810010</Data> 
  <Data Name="Status">0x0</Data> 
  <Data Name="TicketEncryptionType">0x12</Data> 
  <Data Name="PreAuthType">15</Data> 
  <Data Name="IpAddress">::ffff:##</Data> 
  <Data Name="IpPort">35665</Data> 
  <Data Name="CertIssuerName">CONTOSO-CA</Data> 
  <Data Name="CertSerialNumber">##</Data> 
  <Data Name="CertThumbprint">##</Data> 
  </EventData>
  </Event>

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2018-04-29T22:28:37.297254</Date>
    <Author>Contoso\havealoha</Author>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4768)]]
    and
    *[EventData[Data[@Name='PreAuthType'] and (Data='15')]]
    or
    *[EventData[Data[@Name='PreAuthType'] and (Data='16')]]
    &lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="certIssuerName">Event/EventData/Data[@Name="CertIssuerName"]</Value>
        <Value name="certSerialNumber">Event/EventData/Data[@Name="CertSerialNumber"]</Value>
        <Value name="eventRecordID">Event/System/EventRecordID</Value>
        <Value name="eventTimeCreated">Event/System/TimeCreated/@SystemTime</Value>
        <Value name="targetUserName">Event/EventData/Data[@Name="TargetUserName"]</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>C:\Windows\AuditSecurityEventID4768.ps1 -targetUserName $(targetUserName) -eventTimeCreated $(eventTimeCreated) -eventRecordID $(eventRecordID) -certIssuerName $(certIssuerName) -certSerialNumber $(certSerialNumber)</Arguments>
    </Exec>
  </Actions>
</Task>

Param(
   [string]$targetUserName,
   [string]$eventTimeCreated,
   [string]$eventRecordID,
   [string]$certIssuerName,
   [string]$certSerialNumber
)
$nl = [Environment]::NewLine
if ($certIssuerName -like "*Contoso-CA*") {
$cert = certutil -view -restrict "Serial Number=$($certSerialNumber)" -out "upn,serialnumber,distinguishedname,commonname" | Select-String "Row 1" -Context 0,5
$cert = $cert -replace "> Row 1:", "Smart Card Certificate Information:"
}
if ($cert -like "*$($targetUserName)*") {
$entryType = "Information"
}
else {
$entryType = "Warning"
}

if ([System.Diagnostics.EventLog]::SourceExists("Contoso Security") -eq $False) {
    New-EventLog –LogName "Application" –Source "Contoso Security"
   }
Write-EventLog -LogName "Application" -Source "Contoso Security" -EntryType $entryType -EventID 64768 -Message "$nl Target User Name: $targetUserName $nl Event Date: $eventTimeCreated $nl Referring Event ID: $eventRecordID $nl $cert"


<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Contoso Security" /> 
  <EventID Qualifiers="0">64768</EventID> 
  <Level>4</Level> 
  <Task>1</Task> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2018-05-01T05:01:22.000000000Z" /> 
  <EventRecordID>1115534</EventRecordID> 
  <Channel>Application</Channel> 
  <Computer>workstation.contoso.com</Computer> 
  <Security /> 
  </System>
<EventData>
  <Data>Target User Name: havealoha Event Date: 2018-05-01T05:01:19.168Z Referring Event ID: 588856789 Smart Card Certificate Information: User Principal Name: "havealoha@Contoso.com" Serial Number: "##" Issued Distinguished Name: "CN=havealoha, OU=Accounts, DC=contoso, DC=com" Issued Common Name: "havealoha"</Data> 
  </EventData>
  </Event>
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...