[BUG] AccessMaskDescription field needs a more granular approach #41439

Open
matthewscherer opened this issue Oct 24, 2024 · 1 comment
Labels: 8.15.0, Team:Security-Windows Platform (Windows Platform Team in Security Solution)

Comments

@matthewscherer

**Related Issue**
https://github.com/elastic/sdh-beats/issues/5277

Describe the bug
We are currently parsing the AccessMask field of all incoming security events and applying the descriptions below to the AccessMaskDescription field. For most events this is correct; however, in the case of event 4663 it is not. The code in question is here: https://github.com/elastic/beats/blob/main/x-pack/winlogbeat/module/security/ingest/security.yml#L2203-L2232, and it is released as the logs-system.security-1.61.1-standard ingest pipeline.

```json
"AccessMaskDescriptions": {
  "0x00000001": "Create Child",
  "0x00000002": "Delete Child",
  "0x00000004": "List Contents",
  "0x00000008": "SELF",
  "0x00000010": "Read Property",
  "0x00000020": "Write Property",
  "0x00000040": "Delete Tree",
  "0x00000080": "List Object",
  "0x00000100": "Control Access",
  "0x00010000": "DELETE",
  "0x00020000": "READ_CONTROL",
  "0x00040000": "WRITE_DAC",
  "0x00080000": "WRITE_OWNER",
  "0x00100000": "SYNCHRONIZE",
  "0x00F00000": "STANDARD_RIGHTS_REQUIRED",
  "0x001F0000": "STANDARD_RIGHTS_ALL",
  "0x0000FFFF": "SPECIFIC_RIGHTS_ALL",
  "0x01000000": "ADS_RIGHT_ACCESS_SYSTEM_SECURITY",
  "0x10000000": "ADS_RIGHT_GENERIC_ALL",
  "0x20000000": "ADS_RIGHT_GENERIC_EXECUTE",
  "0x40000000": "ADS_RIGHT_GENERIC_WRITE",
  "0x80000000": "ADS_RIGHT_GENERIC_READ"
}
```

An example event is here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663
This event has an access mask of 0x6, which means WriteData and AppendData, but we're applying Delete Child and List Contents.

Expected behavior
We will need to parse the AccessMask field based on the event id number and apply the correct descriptions.
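The event-ID-aware decoding the issue asks for, as an added example that is not part of the issue or of the winlogbeat pipeline. It keeps the directory-service table quoted above for the default case and switches to file-object rights for event 4663 (assuming Object Type "File"; the file-right names come from Microsoft's documentation of that event and the standard/generic right names are the usual Windows ones). The combined masks in the pipeline table (0x00F00000, 0x001F0000, 0x0000FFFF) are not single bits and so are not emitted by a bit-by-bit decoder.

```python
# Added example (not the winlogbeat pipeline's code): pick the AccessMask
# description table by event ID, then decode the mask one set bit at a time.
# Directory-service rights: the table the pipeline currently applies to every event.
DS_RIGHTS = {
    0x00000001: "Create Child",
    0x00000002: "Delete Child",
    0x00000004: "List Contents",
    0x00000008: "SELF",
    0x00000010: "Read Property",
    0x00000020: "Write Property",
    0x00000040: "Delete Tree",
    0x00000080: "List Object",
    0x00000100: "Control Access",
}
# File-object rights for event 4663 (assumes Object Type "File"; other object types differ).
FILE_RIGHTS = {
    0x00000001: "ReadData/ListDirectory",
    0x00000002: "WriteData/AddFile",
    0x00000004: "AppendData/AddSubdirectory",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
}
# Standard and generic rights occupy the same bit positions for every object type.
COMMON_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# Events whose low 16 bits are object-specific (file) rights rather than DS rights.
OBJECT_ACCESS_EVENTS = {4663}


def describe_access_mask(event_id: int, access_mask: str) -> list[str]:
    """Return one description per set bit; unknown bits are reported, not dropped."""
    mask = int(access_mask, 16)  # accepts "0x6" as well as "6"
    specific = FILE_RIGHTS if event_id in OBJECT_ACCESS_EVENTS else DS_RIGHTS
    table = {**specific, **COMMON_RIGHTS}
    flags = [1 << bit for bit in range(32) if mask & (1 << bit)]
    return [table.get(f, f"Unknown 0x{f:08X}") for f in flags]
```

With the 0x6 mask from the linked 4663 example, this yields WriteData/AddFile and AppendData/AddSubdirectory, while the same mask on a directory-service event still decodes to Delete Child and List Contents.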

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 24, 2024
@matthewscherer matthewscherer added the Team:Security-Windows Platform Windows Platform Team in Security Solution label Oct 24, 2024
@elasticmachine (Collaborator)

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 24, 2024