Filter computer object password changes

WilGG · September 20, 2021, 6:21pm

Good Afternoon Everyone,

We are been overwhelmed by computer objects password changes. Does anyone know how to filter this events so we do not skip actual user object password change events ?

Thank you!

warkolm · September 21, 2021, 1:13am

Is there a particular event code for those?

WilGG · September 21, 2021, 12:24pm

Event code : 4724
Password changed by admin
This event also generates legit user object password changes but includes tones of computer object password change as well.

warkolm · September 21, 2021, 9:32pm

What does each event look like then, we're after something that distinguishes the two so you can use that to filter them out.

WilGG · September 21, 2021, 11:10pm

1000's of these computer object password changes are due to VDI feature "refresh on logoff" which causes VIEW desktops to change passwords. so the only distinguishing factor is VIEW_"DESKTOP_NAME".

is there a method where we can filter view_desktop in Kibana or in the forward events.

Thank you!

warkolm · September 21, 2021, 11:23pm

See the little + and - buttons in your picture? That will show beside other fields and you can exclude (the -) that field value from the viz/dashboard.

WilGG · October 1, 2021, 2:47pm

Is there a way to filter computer objects related evnts in the YML file before it gets shipped to Elasticsearch ?

Reason: to avoid consumption of space on the ELK stack

mazoutte · October 1, 2021, 3:23pm

Hello,

Two solutions:

Keep the config and the data, and filter in Kibana Search Bar, here is the filter in KQL :
NOT (winlog.event_data.SubjectUserName.keyword : *$)
or
NOT (winlog.event_data.TargetUserName.keyword : *$)

Depending on which Event you need to filter.
You are speaking about 4724 and changing password. But 4724 is for resetting passwords, not changing passwords (which is 4723)

Drop the events you don't need on the winlogbeat agents solution as follow.

You can use a drop processor in the winlogbeat.yml config file, here is an example with other events.
Modify it for passwords, Change TargetUserName with SubjectUserName, according to your needs, depending on the desired event.
4723: An attempt was made to change an account's password
4724: An attempt was made to reset an accounts password

processors:
- drop_event.when.or:   
    # Remove Computers from 4625 events
    - and:
      - equals.winlog.event_id: 4625
      - regexp.winlog.event_data.TargetUserName: '.*\$'

    # Remove Computers from 4771 events
    - and:
      - equals.winlog.event_id: 4771
      - regexp.winlog.event_data.TargetUserName: '.*\$'

I would suggest the links below to understand the 2 events, you'll find detailed information about SubjectUserName and TargetUserName.
Windows Security Log Event ID 4723 - An attempt was made to change an account's password (ultimatewindowssecurity.com)
Windows Security Log Event ID 4724 - An attempt was made to reset an accounts password (ultimatewindowssecurity.com)

You can check this site for the other security events as well, it's a gold mine !

WilGG · October 15, 2021, 6:37pm

Thank you so much!!!!!!!!

system · November 12, 2021, 8:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.