EvotecIT / PSWinReporting

This PowerShell Module has multiple functionalities, but one of the signature features of this module is the ability to parse Security logs on Domain Controllers providing easy to use access to AD Events.
MIT License

missing username in AD UserLockout events #66

Closed chavvdarrr closed 2 years ago

chavvdarrr commented 2 years ago

Using PSWinReporting 2.0.0.20. Playing with the results, I noticed that from time to time I get events with date/time and DC, but no username and no affected computer. I found these events: there is no affected computer indeed (probably these are generated by our users when connecting from GSMs, or who knows), but there is a username in the TargetUserName/Account field. The event is absolutely normal; just the field "ComputerLockoutOn"/"Caller Computer Name" is empty. The user fields "Account name" and "TargetUserName" hold the affected user, but in the results no user name is returned.

Tried to debug, but my knowledge is not enough. Traced that up to GetEventsTranslation the user info is kept. In line 2148: $MyValue = FindEventsTo .... the info is still there... myvalue.txt

Somehow, the emptiness of the computer name clears the field for the user name; it's not returned.

I am attaching the contents of the variable $MyValue[n] at the mentioned line 2148 (changed sensitive data only).

PrzemyslawKlys commented 2 years ago

The first issue and the workaround is described here: https://evotec.xyz/active-directory-how-to-track-down-why-and-where-the-user-account-was-locked-out/

I was thinking a few times whether I would be able to gather this information and track it somehow even if it's missing in the events, but no time to investigate.

So the missing computer is normal and it shouldn't affect the report at all - and you're saying it does affect the user. This needs to be investigated.

chavvdarrr commented 2 years ago

Thanks for the quick answer :) Yes, missing computer is not an issue - it is missing in the event and we do have things like SSO, phones checking mail, etc. It seems you "map" a field which is empty in the event, while another field which holds the username is unused.

I can attach additional data, maybe the entire XML of such an event as written in the log, or maybe the contents of $Events, e.g. what the script gets?

PrzemyslawKlys commented 2 years ago

Yeah, XML would be better. Weird that I link the wrong field.

chavvdarrr commented 2 years ago

Here it is /edited domain name & user/. I can send the unedited evtx & xml to contact at evotec.pl, if needed? userlocked.txt

PrzemyslawKlys commented 2 years ago

Let me see if I can reproduce it during the weekend. I have to resurrect this project a bit, as I've not played with it for a longer while. The problem is, I would like to change so much that I am afraid to touch it ;)

PrzemyslawKlys commented 2 years ago

Sorry it took a bit longer than expected.

I've tracked it down to PSEventViewer.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5.8.2021 9:17:45
Event ID:      4740
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:       DC2P.dc.bs.bnet
Description:
A user account was locked out.

Subject:
    Security ID:        SYSTEM
    Account Name:       DC2P$
    Account Domain:     DOMAIN
    Logon ID:       0x3E7

Account That Was Locked Out:
    Security ID:        DOMAIN\vst
    Account Name:       vst

Additional Information:
    Caller Computer Name:   
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4740</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2021-08-05T06:17:45.034896500Z" />
    <EventRecordID>85115046</EventRecordID>
    <Correlation />
    <Execution ProcessID="636" ThreadID="10628" />
    <Channel>Security</Channel>
    <Computer> bnet</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">vst</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="TargetSid">S-1-5-21-984582052-2030474099-2552422773-11274</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName"> DC2P$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>

It seems that TargetDomainName is missing in the XML you sent me.

And in the logic that creates ObjectAffected it expects both TargetDomainName and TargetUserName to be present.

https://github.com/EvotecIT/PSEventViewer/blob/e10b7b175f43cddc02b414f15ea79aca5984a0a0/Private/ScriptBlock.ps1#L788-L790

When I look at my events:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
  <EventID>4738</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>13824</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8020000000000000</Keywords> 
  <TimeCreated SystemTime="2022-05-17T19:21:50.725206400Z" /> 
  <EventRecordID>49985729</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="676" ThreadID="2140" /> 
  <Channel>Security</Channel> 
  <Computer>AD1.ad.evotec.xyz</Computer> 
  <Security /> 
  </System>
<EventData>
  <Data Name="Dummy">-</Data> 
  <Data Name="TargetUserName">myname</Data> 
  <Data Name="TargetDomainName">EVOTEC</Data> 
  <Data Name="TargetSid">S-1-5-21-853615985-2870445339-3163598659-4098</Data> 
  <Data Name="SubjectUserSid">S-1-5-21-853615985-2870445339-3163598659-500</Data> 
  <Data Name="SubjectUserName">Administrator</Data> 
  <Data Name="SubjectDomainName">EVOTEC</Data> 
  <Data Name="SubjectLogonId">0x1978cb81</Data> 
  <Data Name="PrivilegeList">-</Data> 
  <Data Name="SamAccountName">-</Data> 
  <Data Name="DisplayName">-</Data> 
  <Data Name="UserPrincipalName">-</Data> 
  <Data Name="HomeDirectory">-</Data> 
  <Data Name="HomePath">-</Data> 
  <Data Name="ScriptPath">-</Data> 
  <Data Name="ProfilePath">-</Data> 
  <Data Name="UserWorkstations">-</Data> 
  <Data Name="PasswordLastSet">%%1794</Data> 
  <Data Name="AccountExpires">-</Data> 
  <Data Name="PrimaryGroupId">-</Data> 
  <Data Name="AllowedToDelegateTo">-</Data> 
  <Data Name="OldUacValue">-</Data> 
  <Data Name="NewUacValue">-</Data> 
  <Data Name="UserAccountControl">-</Data> 
  <Data Name="UserParameters">-</Data> 
  <Data Name="SidHistory">-</Data> 
  <Data Name="LogonHours">-</Data> 
  </EventData>
  </Event>

That's something that is just there. I think I need to fix PSEventViewer with additional logic.
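The comment above pins the bug on ObjectAffected requiring both TargetDomainName and TargetUserName. The script below is an added example, not PSEventViewer or PSWinReporting code, showing the tolerant rule a report should apply instead: parse every `<Data Name="...">` item of the event XML into a dictionary, and build ObjectAffected from the user name alone when the domain half is blank rather than dropping the user. The function names (`ConvertFrom-EventXml`, `Get-ObjectAffected`), the `-RequireDomain` switch that imitates the failing behaviour, and the second sample event are assumptions; the first sample is the 4740 event from this issue, trimmed to the elements the example reads.

```powershell
# Added example (not the project's own code). Demonstrates parsing Security event
# XML and building ObjectAffected without requiring TargetDomainName.

# Constructed samples: the first mirrors the 4740 from this issue (TargetDomainName
# whitespace-only); the second is an invented 4740 where the field is populated.
$SampleEventXml = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2021-08-05T06:17:45.034896500Z" />
    <Computer>DC2P.dc.bs.bnet</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">vst</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="TargetSid">S-1-5-21-984582052-2030474099-2552422773-11274</Data>
    <Data Name="SubjectUserName">DC2P$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
  </EventData>
</Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2021-08-05T07:02:11.000000000Z" />
    <Computer>DC2P.dc.bs.bnet</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKS-0042</Data>
    <Data Name="TargetSid">S-1-5-21-984582052-2030474099-2552422773-11275</Data>
    <Data Name="SubjectUserName">DC2P$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
  </EventData>
</Event>
'@
)

function ConvertFrom-EventXml {
    # Hypothetical helper: flattens <System> basics and every <Data Name="..."> item
    # into one ordered dictionary keyed by the Name attribute.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string] $Xml)
    process {
        $Event  = [xml] $Xml
        $Fields = [ordered] @{
            EventID     = [int] $Event.Event.System.EventID
            TimeCreated = [System.Xml.XmlConvert]::ToDateTime(
                              $Event.Event.System.TimeCreated.SystemTime, 'RoundtripKind')
            Computer    = $Event.Event.System.Computer
        }
        foreach ($Item in $Event.Event.EventData.Data) {
            # GetAttribute avoids the ambiguity between the Name attribute and the
            # element's own .Name; Trim turns whitespace-only values into ''.
            $Fields[$Item.GetAttribute('Name')] = $Item.InnerText.Trim()
        }
        $Fields
    }
}

function Get-ObjectAffected {
    # Hypothetical helper. Default: DOMAIN\user when both halves exist, else the
    # user alone. -RequireDomain imitates the failure described in the issue.
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary] $Fields,
        [switch] $RequireDomain
    )
    $User   = $Fields['TargetUserName']
    $Domain = $Fields['TargetDomainName']
    if ([string]::IsNullOrWhiteSpace($User))        { return '' }
    if (-not [string]::IsNullOrWhiteSpace($Domain)) { return "$Domain\$User" }
    if ($RequireDomain)                              { return '' }   # user silently lost
    return $User                                                      # tolerant path
}

$Report = foreach ($Xml in $SampleEventXml) {
    $Fields = ConvertFrom-EventXml -Xml $Xml
    [PSCustomObject]@{
        TimeCreated          = $Fields.TimeCreated
        DomainController     = $Fields.Computer
        TargetUserName       = $Fields.TargetUserName
        ObjectAffectedStrict = Get-ObjectAffected -Fields $Fields -RequireDomain  # '' for vst
        ObjectAffected       = Get-ObjectAffected -Fields $Fields                 # 'vst'
    }
}
$Report | Format-Table -AutoSize
```

The two sample events produce a blank ObjectAffectedStrict for `vst` and a populated ObjectAffected for both rows, which is the difference the issue reporter observed. One caveat for 4740 specifically: the `TargetDomainName` data item is the value the rendered description shows as "Caller Computer Name" (both are empty in the event quoted in this thread), so for lockout events that value belongs in a ComputerLockoutOn column rather than in front of the user, and a report should never make the user name conditional on it.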

chavvdarrr commented 2 years ago

Thanks :) Perhaps some of the fields are not "mandatory"?!

PrzemyslawKlys commented 2 years ago

It's weird, but I've added that additional logic to PSEventViewer; I'm just doing some optimizations and will release it with fixes, along with a new version of PSWinReportingV2 which hopefully solves your issue.

PrzemyslawKlys commented 2 years ago

Released a new version which should fix the issue.