Draft
@@ -1,11 +1,12 @@
name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl
id: 0cb847ee-9423-11ec-b2df-acde48001122
version: 7
date: '2025-05-02'
author: Mauricio Velazco, Splunk
version: 8
date: '2025-06-26'
author: Lou Stella, Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic detects when the Kerberos Pre-Authentication flag
description:
The following analytic detects when the Kerberos Pre-Authentication flag
is disabled in a user account, using Windows Security Event 4738. This event indicates
a change in the UserAccountControl property of a domain user object. Disabling this
flag allows adversaries to perform offline brute force attacks on the user's password
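Review bot: the `description:` key at the top of the hunk is changed from an inline scalar to a bare key followed by an indented plain scalar; since the same file already uses a folded block scalar for `search: >`, writing it as `description: >` with the text indented beneath would be consistent and avoids the plain-scalar pitfalls (a `: ` or ` #` inside the sentence) that a long prose value invites. The bump from `version: 7` to `version: 8`, the new `date: '2025-06-26'`, and adding Lou Stella to `author` are consistent with the search rewrite further down in this file.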
@@ -14,57 +15,60 @@ description: The following analytic detects when the Kerberos Pre-Authentication
If confirmed malicious, this could lead to unauthorized access and potential compromise
of sensitive information.
data_source:
- Windows Event Log Security 4738
- Windows Event Log Security 4738
search: >
`wineventlog_security` EventCode=4738 MSADChangedAttributes="*\'Don\'t Require Preauth\'
- Enabled*" |rename Account_Name as user | table EventCode, user, dest, Security_ID,
MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`
how_to_implement: To successfully implement this search, you need to be ingesting
`wineventlog_security` EventCode=4738 UserAccountControl="*%%2096*"
| rename TargetUserName as user, SubjectUserName as actor
| stats count earliest(_time) as firstTime latest(_time) as lastTime by actor, user, dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`
how_to_implement:
To successfully implement this search, you need to be ingesting
Domain Controller events. The Advanced Security Audit policy setting `User Account
Management` within `Account Management` needs to be enabled.
known_false_positives: Unknown.
references:
- https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
- https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/
- https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
- https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search:
'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Kerberos Pre Authentication was Disabled for $user$
risk_objects:
- field: user
type: user
score: 45
- field: user
type: user
score: 45
threat_objects: []
tags:
analytic_story:
- Active Directory Kerberos Attacks
- BlackSuit Ransomware
- Active Directory Kerberos Attacks
- BlackSuit Ransomware
asset_type: Endpoint
mitre_attack_id:
- T1558.004
- T1558.004
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log
source: WinEventLog:Security
sourcetype: WinEventLog

- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1558.004/powershell/windows-security-xml.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
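Review bot: `how_to_implement` (the lines following `how_to_implement:`) should state that the rewritten search depends on the XML-rendered Security log: the new SPL keys on `UserAccountControl="*%%2096*"` and the `TargetUserName`/`SubjectUserName` field names, and the test dataset in the same hunk moves from `windows-security.log` with `source: WinEventLog:Security` to `windows-security-xml.log` with `source: XmlWinEventLog:Security`, so a deployment still ingesting the classic `WinEventLog:Security` rendering would return nothing from this detection without any error to point at. Two smaller points: the removed search matched the resolved text `'Don't Require Preauth' - Enabled`, while the new one matches only the raw `%%2096` resolution code, so a short phrase in `description` saying what that code resolves to keeps the analytic readable for the next maintainer; and `known_false_positives: Unknown.` is carried over unchanged even though the new `stats ... by actor, user, dest` now exposes `actor`, which is the field an operator would use to describe expected benign sources (provisioning automation, helpdesk changes) instead of `Unknown`.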
7 changes: 4 additions & 3 deletions macros/wineventlog_application.yml
@@ -1,4 +1,5 @@
definition: eventtype="wineventlog_application" OR Channel="application" OR source="XmlWinEventLog:Application" OR source="WinEventLog:Application"
description: customer specific splunk configurations(eg- index, source, sourcetype).
definition: eventtype="wineventlog_application" OR Channel="application" OR source="XmlWinEventLog:Application"
description:
customer specific splunk configurations(eg- index, source, sourcetype).
Replace the macro definition with configurations for your Splunk Environment.
name: wineventlog_application
name: wineventlog_application
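Review bot: dropping `OR source="WinEventLog:Application"` from `definition` narrows the macro to the channel and XML-rendered sources, so every search wrapped in it goes silent for sites that still forward the classic `WinEventLog:Application` rendering; if requiring the XML input is intended, the `description` (and the PR notes) should say so explicitly rather than leaving it implicit in the removed clause. Minor: `Environment` is capitalized here but lower-case in the other macro files in this diff, and `configurations(eg-` wants a space before the parenthesis and `e.g.` punctuation, which is easy to fix while the line is already being rewritten.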
5 changes: 3 additions & 2 deletions macros/wineventlog_rdp.yml
@@ -1,4 +1,5 @@
definition: (source="WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational" OR source="XmlWinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational")
description: customer specific splunk configurations(eg- index, source, sourcetype).
definition: (source="XmlWinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational")
description:
customer specific splunk configurations(eg- index, source, sourcetype).
Replace the macro definition with configurations for your Splunk environment.
name: wineventlog_rdp
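Review bot: with the `WinEventLog:` source removed, the `definition` is reduced to a single `source=` term, so the surrounding parentheses are now redundant and can be dropped; the same silent-no-results caveat as the other macros in this diff applies for environments still on the classic rendering of the RDPClient Operational log.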
5 changes: 3 additions & 2 deletions macros/wineventlog_security.yml
@@ -1,4 +1,5 @@
definition: eventtype="wineventlog_security" OR Channel="security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:Security"
description: customer specific splunk configurations(eg- index, source, sourcetype).
definition: eventtype="wineventlog_security" OR Channel="security" OR source="XmlWinEventLog:Security"
description:
customer specific splunk configurations(eg- index, source, sourcetype).
Replace the macro definition with configurations for your Splunk environment.
name: wineventlog_security
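Review bot: this is the macro the Kerberos pre-auth detection in this PR wraps, and that detection's test dataset was switched to `XmlWinEventLog:Security` in the same change, so removing `OR source="WinEventLog:Security"` is consistent; because `wineventlog_security` fronts a large share of the Windows detections, though, the `description` should state that classic `WinEventLog:Security` events no longer match, so operators know to move to XML rendering or override the macro locally (the text already tells them to replace the definition; one line on why saves triage time). The remaining `eventtype="wineventlog_security"` clause still defines part of the match, so it is worth confirming that eventtype does not itself reference the classic source, otherwise the cut-over is only partial.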
5 changes: 3 additions & 2 deletions macros/wineventlog_system.yml
@@ -1,4 +1,5 @@
definition: eventtype="wineventlog_system" OR Channel="system" OR source="XmlWinEventLog:System" OR source="WinEventLog:System"
description: customer specific splunk configurations(eg- index, source, sourcetype).
definition: eventtype="wineventlog_system" OR Channel="system" OR source="XmlWinEventLog:System"
description:
customer specific splunk configurations(eg- index, source, sourcetype).
Replace the macro definition with configurations for your Splunk environment.
name: wineventlog_system
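Review bot: same narrowing as the security and application macros, with the same need to call it out in `description`; the rewritten description line keeps `configurations(eg-` with the missing space and abbreviation punctuation, and since the line is touched anyway this is the natural place to correct it.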
7 changes: 4 additions & 3 deletions macros/wineventlog_task_scheduler.yml
@@ -1,4 +1,5 @@
definition: (source="XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational" OR source="WinEventLog:Microsoft-Windows-TaskScheduler/Operational")
description: customer specific splunk configurations(eg- index, source, sourcetype).
definition: (source="XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational")
description:
customer specific splunk configurations(eg- index, source, sourcetype).
Replace the macro definition with configurations for your Splunk environment.
name: wineventlog_task_scheduler
name: wineventlog_task_scheduler
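Review bot: like `wineventlog_rdp`, the `definition` is down to one `source=` clause, so the parentheses around it are redundant; the trailing `name:` line appearing as both removed and added indicates only a trailing-newline or whitespace difference, which is fine but worth normalizing across the macro files so future diffs stay small.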