EvotecIT / PSWinReporting

This PowerShell Module has multiple functionalities, but one of the signature features of this module is the ability to parse Security logs on Domain Controllers, providing easy-to-use access to AD Events.
MIT License

ADUserChangesDetailed Event ID 5139 reporting issues #68

Closed ClarkRSD closed 2 years ago

ClarkRSD commented 2 years ago

When using Find-Events to generate a report from ADUserChangesDetailed it doesn't report anything in User Object, Field Changed, and Field Value fields.

If I use Get-Events to find the event on the DC manually it generates the fields as it's supposed to, so the data is there it's just not showing in the output table. This is specifically for event 5139.

TimeCreated  : 5/17/2022 10:24:04 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 5139
Message      : A directory service object was moved.

               Subject:
                Security ID:            S-1-5-21-12345678-1234567890-1234567890-1234567
                Account Name:           User01
                Account Domain:         contoso
                Logon ID:               0x1074523af1

               Directory Service:
                Name:           contoso.com
                Type:           Active Directory Domain Services

               Object:
                Old DN:         CN=User02,OU=OldOU,DC=contoso,DC=com
                New DN:         CN=User02,OU=NewOU,DC=contoso,DC=com
                GUID:           {1413d4fe-af6c-4926-8e62-e704b1b927b2}
                Class:          user

               Operation:
                Correlation ID:                 {6eef10c2-9bed-476f-9693-e0686f75d9e7}
                Application Correlation ID:     -
Domain Controller : DC.contoso.com
Action            : A directory service object was moved.
Action Detail     :
Who               : contoso\User01
When              : 5/17/2022 10:23:54 AM
User Object       :
Field Changed     :
Field Value       :
Record ID         : 7057994215
Event ID          : 5139
Gathered From     : DC
Gathered LogName  : Security

PrzemyslawKlys commented 2 years ago

The definition of 5139 says:

            Fields      = [ordered] @{
                'Computer'                 = 'Domain Controller'
                'Action'                   = 'Action'
                'OperationType'            = 'Action Detail'
                'Who'                      = 'Who'
                'Date'                     = 'When'
                'ObjectDN'                 = 'User Object'
                'AttributeLDAPDisplayName' = 'Field Changed'
                'AttributeValue'           = 'Field Value'
                # Common Fields
                'RecordID'                 = 'Record ID'
                'ID'                       = 'Event ID'
                'GatheredFrom'             = 'Gathered From'
                'GatheredLogName'          = 'Gathered LogName'
            }

The problem comes from expecting ObjectDN when actually for 5139 it's OldObjectDN and NewObjectDN.


Message              : A directory service object was moved.

                       Subject:
                        Security ID:            S-1-5-21-853615985-2870445339-3163598659-500
                        Account Name:           Administrator
                        Account Domain:         EVOTEC
                        Logon ID:               0x1978CB81

                       Directory Service:
                        Name:           ad.evotec.xyz
                        Type:           Active Directory Domain Services

                       Object:
                        Old DN:         CN=Test4,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
                        New DN: CN=Test4,OU=Test1,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
                        GUID:           {bdccd325-0dfc-4667-8574-f09c2745e646}
                        Class:          computer

                       Operation:
                        Correlation ID:                 {ad5c45d3-cf8e-4c94-a839-d1b6af8795ab}
                        Application Correlation ID:     -
Computer             : AD1.ad.evotec.xyz
Date                 : 17.05.2022 21:02:21
OpCorrelationID      : {ad5c45d3-cf8e-4c94-a839-d1b6af8795ab}
AppCorrelationID     :
SubjectUserSid       : S-1-5-21-853615985-2870445339-3163598659-500
SubjectUserName      : Administrator
SubjectDomainName    : EVOTEC
SubjectLogonId       : 0x1978cb81
DSName               : ad.evotec.xyz
DSType               : %%14676
OldObjectDN          : CN=Test4,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
NewObjectDN          : CN=Test4,OU=Test1,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
ObjectGUID           : {bdccd325-0dfc-4667-8574-f09c2745e646}
ObjectClass          : computer
MessageSubject       : A directory service object was moved.
Action               : A directory service object was moved.
KeywordDisplayName   : Audit Success
Who                  : EVOTEC\Administrator
GatheredFrom         : ad1
GatheredLogName      : Security
Id                   : 5139
Version              : 0
Qualifiers           :
Level                : 0
Task                 : 14081
Opcode               : 0
Keywords             : -9214364837600034816
RecordId             : 49985116
ProviderName         : Microsoft-Windows-Security-Auditing
ProviderId           : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName              : Security
ProcessId            : 676
ThreadId             : 4032
MachineName          : AD1.ad.evotec.xyz
UserId               :
TimeCreated          : 17.05.2022 21:02:21
ActivityId           : 8cdd7485-3c32-4bff-b5e4-eb6005f373e1
RelatedActivityId    :
ContainerLog         : security
MatchedQueryIds      : {}
Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName     : Information
OpcodeDisplayName    : Info
TaskDisplayName      : Directory Service Changes
KeywordsDisplayNames : {Audit Success}
Properties           : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty...}

While it's an easy fix for 5139 itself, ADUserChangesDetailed focuses on 5136, 5137, 5139 and 5141, and I wonder how to approach it so as not to break it for the other events, which most likely target ObjectDN.
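
The comment above pins the bug down to a static field map: the definition expects ObjectDN, but a 5139 (object moved) event carries OldObjectDN and NewObjectDN instead, so the report columns silently come out empty. The PowerShell below is an added example, not PSWinReporting's code and not the fix that was committed; it shows one possible way to keep the shared map for 5136/5137/5141 while layering a per-event override for 5139, plus a small check that lists which report columns have no source property on a given event. The function names (Get-ColumnMap, Resolve-ReportRow, Test-ReportDefinition), the $overrides table and the two sample events are all constructed for this illustration.

```powershell
# Added example, not PSWinReporting's own code. Function names, the override table
# and the sample events are assumptions made for this illustration.

# Two constructed events, shaped like the Get-Events output quoted in this issue.
$sampleEvents = @(
    [PSCustomObject]@{
        Id                       = 5136   # attribute modified: has ObjectDN
        Computer                 = 'DC.contoso.com'
        Action                   = 'A directory service object was modified.'
        OperationType            = 'Value Added'
        Who                      = 'contoso\User01'
        Date                     = Get-Date '2022-05-17 10:20:00'
        ObjectDN                 = 'CN=User02,OU=OldOU,DC=contoso,DC=com'
        AttributeLDAPDisplayName = 'description'
        AttributeValue           = 'Helpdesk'
        RecordID                 = 7057994200
        GatheredFrom             = 'DC'
        GatheredLogName          = 'Security'
    },
    [PSCustomObject]@{
        Id              = 5139            # object moved: no ObjectDN, only Old/New
        Computer        = 'DC.contoso.com'
        Action          = 'A directory service object was moved.'
        Who             = 'contoso\User01'
        Date            = Get-Date '2022-05-17 10:23:54'
        OldObjectDN     = 'CN=User02,OU=OldOU,DC=contoso,DC=com'
        NewObjectDN     = 'CN=User02,OU=NewOU,DC=contoso,DC=com'
        RecordID        = 7057994215
        GatheredFrom    = 'DC'
        GatheredLogName = 'Security'
    }
)

# Shared 'EventProperty' = 'Report Column' map, as in the definition quoted above.
$defaultFields = [ordered]@{
    'Computer'                 = 'Domain Controller'
    'Action'                   = 'Action'
    'OperationType'            = 'Action Detail'
    'Who'                      = 'Who'
    'Date'                     = 'When'
    'ObjectDN'                 = 'User Object'
    'AttributeLDAPDisplayName' = 'Field Changed'
    'AttributeValue'           = 'Field Value'
    'RecordID'                 = 'Record ID'
    'ID'                       = 'Event ID'
    'GatheredFrom'             = 'Gathered From'
    'GatheredLogName'          = 'Gathered LogName'
}

# Per-event overrides, keyed 'Report Column' = 'EventProperty' (assumption):
# for a move, show the new location as the object and the old DN as the changed value.
$overrides = @{
    5139 = [ordered]@{
        'User Object' = 'NewObjectDN'
        'Field Value' = 'OldObjectDN'
    }
}

function Get-ColumnMap {
    # Returns 'Report Column' -> 'EventProperty' with overrides for this event ID applied.
    param([int]$EventId, [System.Collections.IDictionary]$Fields, [hashtable]$Overrides = @{})
    $map = [ordered]@{}
    foreach ($property in $Fields.Keys) { $map[$Fields[$property]] = $property }
    if ($Overrides.ContainsKey($EventId)) {
        foreach ($column in $Overrides[$EventId].Keys) { $map[$column] = $Overrides[$EventId][$column] }
    }
    return $map
}

function Test-ReportDefinition {
    # Lint: which source properties does this event lack for the columns it is mapped to?
    # An empty result means every report column will be populated.
    param([object]$Event, [System.Collections.IDictionary]$Fields, [hashtable]$Overrides = @{})
    $columns = Get-ColumnMap -EventId $Event.Id -Fields $Fields -Overrides $Overrides
    @($columns.Values | Where-Object { $null -eq $Event.PSObject.Properties[$_] })
}

function Resolve-ReportRow {
    # Builds one report row; a column whose source property is absent stays empty,
    # which is exactly the symptom reported in this issue.
    param([object]$Event, [System.Collections.IDictionary]$Fields, [hashtable]$Overrides = @{})
    $columns = Get-ColumnMap -EventId $Event.Id -Fields $Fields -Overrides $Overrides
    $row = [ordered]@{}
    foreach ($column in $columns.Keys) {
        $property = $columns[$column]
        $row[$column] = if ($null -ne $Event.PSObject.Properties[$property]) { $Event.$property } else { '' }
    }
    [PSCustomObject]$row
}

# 1. Run the lint against the default map: the 5139 sample reports ObjectDN,
#    AttributeLDAPDisplayName and AttributeValue as missing, the 5136 sample nothing.
foreach ($e in $sampleEvents) {
    $gaps = Test-ReportDefinition -Event $e -Fields $defaultFields
    if ($gaps) { Write-Warning "Event $($e.Id): no source property for $($gaps -join ', ')" }
}

# 2. Render the rows with the override in place; 'User Object' is now filled for 5139.
$sampleEvents |
    ForEach-Object { Resolve-ReportRow -Event $_ -Fields $defaultFields -Overrides $overrides } |
    Format-Table 'Event ID', 'Who', 'User Object', 'Field Changed', 'Field Value' -AutoSize
```

Running Test-ReportDefinition once over a captured sample of each event ID a report covers is the cheap check that would have surfaced this: an empty column in Find-Events output is indistinguishable from "no data", so the mapping itself has to be validated against the event schema rather than trusted.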

PrzemyslawKlys commented 2 years ago

I believe this fix should do it. Based on the logic of ADOrganizationalUnitChangesDetailed, this fix should work for ADUserChangesDetailed and ADComputerChangesDetailed.

ClarkRSD commented 2 years ago

Awesome, thank you for the quick response! I will give the changes a go and report back later today.

ClarkRSD commented 2 years ago

Yep, it works perfectly now. Thank you!