odd results without adequate description in report.
so I've modified PSWinReporting/Examples/RunMe-Reporting.ps1 to fit my needs, and am getting strange results.
First, because I'm not sure how pertinent it is, here's the output of auditpol on my domain controllers:
C:\Windows\system32>auditpol.exe /get /category:*
System audit policy
Category/Subcategory Setting
System
Security System Extension Success and Failure
System Integrity Success and Failure
IPsec Driver Success and Failure
Other System Events No Auditing
Security State Change Success and Failure
Logon/Logoff
Logon Success and Failure
Logoff Success and Failure
Account Lockout Success and Failure
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon Success and Failure
Other Logon/Logoff Events Success and Failure
Network Policy Server Success and Failure
User / Device Claims No Auditing
Object Access
File System Success and Failure
Registry Success and Failure
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation Success and Failure
File Share Success and Failure
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share Success and Failure
Removable Storage No Auditing
Central Policy Staging No Auditing
Privilege Use
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Sensitive Privilege Use Success and Failure
Detailed Tracking
Process Creation Success and Failure
Process Termination No Auditing
DPAPI Activity Success and Failure
RPC Events No Auditing
Plug and Play Events No Auditing
Policy Change
Authentication Policy Change Success and Failure
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change Success
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Audit Policy Change Success and Failure
Account Management
User Account Management Success and Failure
Computer Account Management Success and Failure
Security Group Management Success and Failure
Distribution Group Management Success and Failure
Application Group Management Success and Failure
Other Account Management Events Success and Failure
DS Access
Directory Service Changes Success
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access Success
Account Logon
Kerberos Service Ticket Operations Success and Failure
Other Account Logon Events Success and Failure
Kerberos Authentication Service Success and Failure
Credential Validation Success and Failure
Under the section for "AD Computer Changes Detailed", I have results that show these things, but I wish there was a more adequate explanation listed:
under Field Value:
TERMSRV/<PC Name> -- Terminal Server?
CmRcService/<PC Name> (directly followed by CmRcService/<PC FQDN>) -- Config Manager Remote Service?
WSMAN/<PC Name> -- Web Services for Management?
Even if I add those to ignore, I'm still left with unclear results: Action: A directory service object was modified Field Changed: objectClass Field Value: 1.2.840.113556.1.3.30 -- Computer?
Action: A directory service object was modified Field Changed: userAccountControl Field Value: 4096 (and another for 4098)
Action: A directory service object was modified Action Details: Value Deleted (followed by another entry that says "Value Added") Who: NT AUTHORITY\SYSTEM Field Changed: userCertificate Field Value: %%14672 -- DNS changes?
Here is my sterilized copy with my modifications (I added a ton of notes to keep track of the Windows events and what they mean).
The last thing I would request is to somehow consolidate all changes that occur when a user is created or deleted. Having a dozen lines to show all the things that were created/modified when a user is created is a little cumbersome to read. I should emphasize I AM NOT COMPLAINING I love the tool and its potential, just a humble request.
Well, I've not spent much time on each and every report and surely all can be optimized. Generally, each and every report has its own definition so no coding is required (unless we want more options). All those 3 definitions below have one thing in common - same EventID, Security Log. Now depending on needs, I'm filtering out stuff based on conditions.
https://github.com/EvotecIT/PSWinReporting/blob/fb3be603550dbfb8df09a82a7c0191a0f9ccf173/Private/Parameters/Script.ReportDefinitions.ps1#L145-L176
Compare this to:
https://github.com/EvotecIT/PSWinReporting/blob/fb3be603550dbfb8df09a82a7c0191a0f9ccf173/Private/Parameters/Script.ReportDefinitions.ps1#L177-L227
Notice Overwrite/OverwriteByField and how and what they do. Overwrite lets you do If/else/Then on static values. OverwriteByField is If/else/Then based on fields rather than a static value. So, for example, it's possible to say: if field Action contains the value 'A directory service object was moved', put the value from OldObjectDN into the field 'Organizational Unit'.
Compare this to:
https://github.com/EvotecIT/PSWinReporting/blob/fb3be603550dbfb8df09a82a7c0191a0f9ccf173/Private/Parameters/Script.ReportDefinitions.ps1#L566-L718
This one is actually 3 different types combined into one report.
Now if you want to debug issues like that, my recommendation would be to take a look at this:
https://github.com/EvotecIT/PSWinReporting/blob/master/Examples/RunMe-FindEventsExtended.ps1
Basically, you tell Find-Events to use $Definitions, $Target, $Times so you don't need to run the whole PSWinReporting to "work" on the report. You can tell it to scan only one server, remove Filters, remove Fields and see what is provided and how you can optimize things. You can play with overwrites and see how they work and based on that you could enhance the report to a degree you're happy with it.
I would be more than happy to get more detailed/better reports out of this :-)
Using Ignore should be your last resort though. It's not really a great implementation.
As for the last request - if you have an idea on how to combine them I'm all ears :-) I mean, even from a technical perspective, how do you imagine combining 10 events into 1 entry so that it's readable :-) When we have a proposed output we can talk implementation.
As for combining details on a created/deleted user, we can look specifically for a user creation/deletion and, in the user details report, we can look for the relevant user object and combine those field values that match that user at approximately the same time. My original question though wasn't about weeding out found logs, but about defining log values better.
- Under AD user changes, I'm getting values of %%1794 in the "Password Last Set" column, and don't know what that means.
- Under AD user changes detailed, I'm getting firstNameLastName of numbers in Field Value while Field Changed is msExchUMDtmfMap. In fact, the values are shown no matter what the field is in "Field Value" if the "Field Changed" is msExchUMDtmfMap.
- lockout time appears to be FILETIME rather than [datetime]::fromfiletime()
- msExchSafeSendersHash is %%14672
- msExchTextMessagingState is just numbers
- Action Detail: Value Deleted, Field Changed: userAccountControl, Field Value: 546 (for example).
Just having trouble translating these values to something meaningful.
Ok, well the list is incomplete:
Function ConvertFrom-OperationType {
    param ([string] $OperationType)
    # Known %%-codes for the OperationType field of a directory service change event
    $Known = @{
        '%%14674' = 'Value Added'
        '%%14675' = 'Value Deleted'
        '%%14676' = 'Unknown'
    }
    # Return the friendly name when the code is in the table, otherwise the raw value
    foreach ($id in $OperationType) { if ($name = $Known[$id]) { return $name } }
    return $OperationType
}
That's all I have. We need to build this hashtable with proper values. The way I did it before was Google...
https://system32.eventsentry.com/security/event/4741 - take a look it has some of your values.
The issue is that I read this XML:

and the values that you mention are in there, usually with a percent sign, which makes it hard for me to translate, as I'm as clueless as you are about it. What you can do is try to check what the Message value holds

Maybe you will find the information you need. Here's something I found: https://social.technet.microsoft.com/Forums/windows/en-US/541bad5d-19eb-4de5-8ef7-1b144f0b6113/translate-xxxx-values-in-events?forum=w7itprosecurity
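Added example, not part of this thread and not PSWinReporting code: a decoder for the raw userAccountControl bitmask and FILETIME values quoted above, built on the same lookup-table idea as ConvertFrom-OperationType. The function names and the sample rows are constructed for illustration; the flag names are the documented userAccountControl bits.

```powershell
# Added example, not PSWinReporting code; function names and sample rows are hypothetical.
# Documented userAccountControl bits (Microsoft KB 305144); any other bit is shown as hex.
$UacFlags = [ordered]@{
    0x0001 = 'SCRIPT';            0x0002 = 'ACCOUNTDISABLE';     0x0008 = 'HOMEDIR_REQUIRED'
    0x0010 = 'LOCKOUT';           0x0020 = 'PASSWD_NOTREQD';     0x0040 = 'PASSWD_CANT_CHANGE'
    0x0080 = 'ENCRYPTED_TEXT_PWD_ALLOWED';  0x0100 = 'TEMP_DUPLICATE_ACCOUNT'
    0x0200 = 'NORMAL_ACCOUNT';    0x0800 = 'INTERDOMAIN_TRUST_ACCOUNT'
    0x1000 = 'WORKSTATION_TRUST_ACCOUNT';   0x2000 = 'SERVER_TRUST_ACCOUNT'
    0x10000 = 'DONT_EXPIRE_PASSWORD';       0x20000 = 'MNS_LOGON_ACCOUNT'
    0x40000 = 'SMARTCARD_REQUIRED';         0x80000 = 'TRUSTED_FOR_DELEGATION'
    0x100000 = 'NOT_DELEGATED';             0x200000 = 'USE_DES_KEY_ONLY'
    0x400000 = 'DONT_REQ_PREAUTH';          0x800000 = 'PASSWORD_EXPIRED'
    0x1000000 = 'TRUSTED_TO_AUTH_FOR_DELEGATION'; 0x4000000 = 'PARTIAL_SECRETS_ACCOUNT'
}

function ConvertFrom-UserAccountControl {
    param ([int] $Value)
    # Each set bit is one flag, e.g. 4098 = ACCOUNTDISABLE | WORKSTATION_TRUST_ACCOUNT (disabled computer).
    $names = @(foreach ($e in $UacFlags.GetEnumerator()) { if ($Value -band $e.Key) { $e.Value } })
    $known = 0; foreach ($e in $UacFlags.GetEnumerator()) { $known = $known -bor $e.Key }
    $rest = $Value -band (-bnot $known)
    if ($rest) { $names += ('0x{0:X}' -f $rest) }
    return ($names -join ' | ')
}

function ConvertFrom-FileTimeValue {
    param ([string] $Value)
    # lockoutTime, pwdLastSet, lastLogon are 100-ns ticks since 1601-01-01 UTC; 0 means never.
    $ticks = [int64] $Value
    if ($ticks -eq 0) { return 'never' }
    return [datetime]::FromFileTimeUtc($ticks).ToString('u')
}

function ConvertFrom-FieldValue {
    param ([string] $FieldChanged, [string] $Value)
    switch ($FieldChanged) {
        'userAccountControl' { return ConvertFrom-UserAccountControl ([int] $Value) }
        { $_ -in 'lockoutTime', 'pwdLastSet', 'lastLogon' } { return ConvertFrom-FileTimeValue $Value }
        default { return $Value }   # leave values whose meaning is not yet known untouched
    }
}

# Constructed sample rows carrying the values quoted in the thread.
$rows = @(
    [pscustomobject]@{ FieldChanged = 'userAccountControl'; FieldValue = '4096' }
    [pscustomobject]@{ FieldChanged = 'userAccountControl'; FieldValue = '4098' }
    [pscustomobject]@{ FieldChanged = 'userAccountControl'; FieldValue = '546' }
    [pscustomobject]@{ FieldChanged = 'lockoutTime';        FieldValue = '132061470000000000' }
)
$rows | Select-Object FieldChanged, FieldValue, @{ n = 'Decoded'; e = { ConvertFrom-FieldValue $_.FieldChanged $_.FieldValue } }
```

With these sample rows, 4096 decodes to WORKSTATION_TRUST_ACCOUNT, 4098 to ACCOUNTDISABLE | WORKSTATION_TRUST_ACCOUNT, and 546 to ACCOUNTDISABLE | PASSWD_NOTREQD | NORMAL_ACCOUNT; the plain hashtable (rather than the ordered one) must not be indexed with an integer key, which is why the code iterates GetEnumerator() instead.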
Roger that. I'll do some homework on the nonsensical values I'm seeing and send you my findings to hopefully help flesh out your wonderful script.
On Jun 27, 2019, at 3:03 PM, Przemysław Kłys wrote: