x-pack/winlogbeat/modules/security: fix UAC attribute bit table (#37009)

The previous table was incorrect. Table data comes from MS-SAMR: Security Account Manager (SAM) Remote Protocol (Client-to-Server) version 46.0[1], 2.2.1.12 USER_ACCOUNT Codes. [1]https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SAMR/%5bMS-SAMR%5d-230828.docx (cherry picked from commit c0a647a)
elastic · Nov 1, 2023 · baf2a15 · baf2a15
1 parent 8a258a4
commit baf2a15
Show file tree

Hide file tree

Showing 90 changed files with 39 additions and 151 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -149,6 +149,7 @@ is collected by it.
 
 *Winlogbeat*
 
+- Fix User Account Control Attributes Table values for Security module. {issue}36999[36999] {pull}37009[37009]
 
 *Elastic Logging Plugin*
 

diff --git a/x-pack/winlogbeat/module/security/ingest/security.yml b/x-pack/winlogbeat/module/security/ingest/security.yml
@@ -836,30 +836,30 @@ processors:
       tag: Set User Account Control
       description: Set User Account Control
       # User Account Control Attributes Table
-      # https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
+      # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380
       params:
-        "0x00000001": SCRIPT
-        "0x00000002": ACCOUNTDISABLE
-        "0x00000008": HOMEDIR_REQUIRED
-        "0x00000010": LOCKOUT
-        "0x00000020": PASSWD_NOTREQD
-        "0x00000040": PASSWD_CANT_CHANGE
-        "0x00000080": ENCRYPTED_TEXT_PWD_ALLOWED
-        "0x00000100": TEMP_DUPLICATE_ACCOUNT
-        "0x00000200": NORMAL_ACCOUNT
-        "0x00000800": INTERDOMAIN_TRUST_ACCOUNT
-        "0x00001000": WORKSTATION_TRUST_ACCOUNT
-        "0x00002000": SERVER_TRUST_ACCOUNT
-        "0x00010000": DONT_EXPIRE_PASSWORD
-        "0x00020000": MNS_LOGON_ACCOUNT
-        "0x00040000": SMARTCARD_REQUIRED
-        "0x00080000": TRUSTED_FOR_DELEGATION
-        "0x00100000": NOT_DELEGATED
-        "0x00200000": USE_DES_KEY_ONLY
-        "0x00400000": DONT_REQ_PREAUTH
-        "0x00800000": PASSWORD_EXPIRED
-        "0x01000000": TRUSTED_TO_AUTH_FOR_DELEGATION
-        "0x04000000": PARTIAL_SECRETS_ACCOUNT
+        "0x00000001": USER_ACCOUNT_DISABLED
+        "0x00000002": USER_HOME_DIRECTORY_REQUIRED
+        "0x00000004": USER_PASSWORD_NOT_REQUIRED
+        "0x00000008": USER_TEMP_DUPLICATE_ACCOUNT
+        "0x00000010": USER_NORMAL_ACCOUNT
+        "0x00000020": USER_MNS_LOGON_ACCOUNT
+        "0x00000040": USER_INTERDOMAIN_TRUST_ACCOUNT
+        "0x00000080": USER_WORKSTATION_TRUST_ACCOUNT
+        "0x00000100": USER_SERVER_TRUST_ACCOUNT
+        "0x00000200": USER_DONT_EXPIRE_PASSWORD
+        "0x00000400": USER_ACCOUNT_AUTO_LOCKED
+        "0x00000800": USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED
+        "0x00001000": USER_SMARTCARD_REQUIRED
+        "0x00002000": USER_TRUSTED_FOR_DELEGATION
+        "0x00004000": USER_NOT_DELEGATED
+        "0x00008000": USER_USE_DES_KEY_ONLY
+        "0x00010000": USER_DONT_REQUIRE_PREAUTH
+        "0x00020000": USER_PASSWORD_EXPIRED
+        "0x00040000": USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
+        "0x00080000": USER_NO_AUTH_DATA_REQUIRED
+        "0x00100000": USER_PARTIAL_SECRETS_ACCOUNT
+        "0x00200000": USER_USE_AES_KEYS
       source: |-
         if (ctx?.winlog?.event_data?.NewUacValue == null) {
           return;

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json
@@ -10,7 +10,6 @@
         "process"
       ],
       "code": "1100",
-      "ingested": "2022-06-08T06:21:07.784686200Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "1102",
-      "ingested": "2022-06-08T06:21:07.838072400Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "1104",
-      "ingested": "2022-06-08T06:21:07.850785400Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "1105",
-      "ingested": "2022-06-08T06:21:07.856253Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4670",
-      "ingested": "2022-06-08T06:21:07.861752100Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json
@@ -10,7 +10,6 @@
         "configuration"
       ],
       "code": "4706",
-      "ingested": "2022-06-08T06:21:07.908218700Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json
@@ -10,7 +10,6 @@
         "configuration"
       ],
       "code": "4707",
-      "ingested": "2022-06-08T06:21:07.915673700Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json
@@ -10,7 +10,6 @@
         "configuration"
       ],
       "code": "4713",
-      "ingested": "2022-06-08T06:21:07.921167700Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json
@@ -10,7 +10,6 @@
         "configuration"
       ],
       "code": "4716",
-      "ingested": "2022-06-08T06:21:07.926829100Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4717",
-      "ingested": "2022-06-08T06:21:07.932459300Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4718",
-      "ingested": "2022-06-08T06:21:07.938661600Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4719",
-      "ingested": "2022-06-08T06:21:07.944221400Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4719",
-      "ingested": "2022-06-08T06:21:07.955823800Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json
@@ -10,7 +10,6 @@
         "configuration"
       ],
       "code": "4739",
-      "ingested": "2022-06-08T06:21:07.963089600Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4741",
-      "ingested": "2022-06-08T06:21:07.970367200Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",
@@ -55,8 +54,9 @@
         "HomePath": "-",
         "LogonHours": "%%1793",
         "NewUACList": [
-          "SCRIPT",
-          "ENCRYPTED_TEXT_PWD_ALLOWED"
+          "USER_ACCOUNT_DISABLED",
+          "USER_PASSWORD_NOT_REQUIRED",
+          "USER_WORKSTATION_TRUST_ACCOUNT"
         ],
         "NewUacValue": "0x85",
         "OldUacValue": "0x0",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4742",
-      "ingested": "2022-06-08T06:21:07.984310900Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",
@@ -56,7 +55,8 @@
         "HomePath": "-",
         "LogonHours": "-",
         "NewUACList": [
-          "ENCRYPTED_TEXT_PWD_ALLOWED"
+          "USER_PASSWORD_NOT_REQUIRED",
+          "USER_WORKSTATION_TRUST_ACCOUNT"
         ],
         "NewUacValue": "0x84",
         "OldUacValue": "0x85",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4743",
-      "ingested": "2022-06-08T06:21:07.989281200Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4744",
-      "ingested": "2022-06-08T06:21:07.994556700Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4745",
-      "ingested": "2022-06-08T06:21:08.002640900Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4746",
-      "ingested": "2022-06-08T06:21:08.017662600Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4747",
-      "ingested": "2022-06-08T06:21:08.025768800Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4748",
-      "ingested": "2022-06-08T06:21:08.030353100Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4749",
-      "ingested": "2022-06-08T06:21:08.034749600Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4750",
-      "ingested": "2022-06-08T06:21:08.039233400Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4751",
-      "ingested": "2022-06-08T06:21:08.051295Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4752",
-      "ingested": "2022-06-08T06:21:08.057508500Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4753",
-      "ingested": "2022-06-08T06:21:08.063346200Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4759",
-      "ingested": "2022-06-08T06:21:08.069524100Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4760",
-      "ingested": "2022-06-08T06:21:08.074975800Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4761",
-      "ingested": "2022-06-08T06:21:08.080868Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4762",
-      "ingested": "2022-06-08T06:21:08.086379300Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json
@@ -10,7 +10,6 @@
         "iam"
       ],
       "code": "4763",
-      "ingested": "2022-06-08T06:21:08.092821300Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4817",
-      "ingested": "2022-06-08T06:21:08.101661100Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4902",
-      "ingested": "2022-06-08T06:21:08.110215500Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4904",
-      "ingested": "2022-06-08T06:21:08.115118100Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4905",
-      "ingested": "2022-06-08T06:21:08.119957100Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4906",
-      "ingested": "2022-06-08T06:21:08.124490200Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4907",
-      "ingested": "2022-06-08T06:21:08.129757100Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",

diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json
@@ -11,7 +11,6 @@
         "configuration"
       ],
       "code": "4908",
-      "ingested": "2022-06-09T04:25:10.390738Z",
       "kind": "event",
       "module": "security",
       "outcome": "success",