Field Format Changed


John Carry

Feb 6, 2023, 1:50:22 AM
to Wazuh mailing list
Hello Team,
While reviewing AD event ID 4624, I observed that the value of Elevated Token: Yes is parsed into some other format; the value shown is %%1842. Could you please help me with how to convert that to YES, or how to interpret it?

[Attachment: Elevated1.PNG]

[Attachment: Elevated2.PNG]

Regards,
John Carry 

Federico Gustavo Galland

Feb 6, 2023, 5:14:33 AM
to Wazuh mailing list
Hello John,

Wazuh actually uses the raw XML output of the EventChannel event. If you take a look, the actual value for "Yes" is indeed %%1842.

[Attachment: 2023-02-06_07-05.jpg]

However, if you needed to match the actual word "Yes" within that field, you could probably get around this by matching the data.win.system.message field instead:

[Attachment: 2023-02-06_07-08.jpg]

From this message on Microsoft forums:


The actual conversion table is internal to the c:\windows\system32\msobjs.dll file. I have not been able to find official documentation on the subject, though.


Let me know if this helped.

Regards,
Federico

John Carry

Feb 6, 2023, 11:15:37 PM
to Wazuh mailing list
OK, I got your point, but as you said, the way to get around it is to use the data.win.system.message field. I think it won't be beneficial, as this particular field is actually the entire raw payload, which wouldn't help in any of the rules' field matching.

Could you please confirm that the XML-based value %%1842 will always be equal to YES, so that we could create a matching case for it in our rules?

Regards,
John Carry 

Federico Gustavo Galland

Feb 7, 2023, 6:01:06 AM
to John Carry, Wazuh mailing list
The data.win.system.message field indeed includes the whole event's information, but you can match parts of it using regex fairly easily.

I searched through Microsoft's documentation and I couldn't find a source saying that %%1842 will always correspond to YES. However, as stated in the link on my first reply, the conversion seems to happen with the help of c:\windows\system32\msobjs.dll, so we can probably expect it to stay the same unless that file is modified.

I hope this helped.

Regards,
Federico
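
As an added example (not code from the thread or from Wazuh's own ruleset), here is how the two matching approaches discussed above could look as local Wazuh rules: one keyed on the raw %%1842 value, one on the rendered message text. The decoded field name win.eventdata.elevatedToken, the "windows" parent group and the rule ids are assumptions.

```xml
<!-- Added example; assumes Wazuh 4.x rule syntax, that 4624 EventData keys are
     decoded as win.eventdata.<camelCase> (e.g. win.eventdata.elevatedToken),
     that the built-in Windows rules tag events with the "windows" group, and
     rule ids 100100/100101 as placeholders in the local (100000+) range. -->
<group name="windows,windows_security,local,">

  <!-- Option 1: match the raw resource-string id Wazuh stores in the field.
       %%1842 is the id that msobjs.dll renders as "Yes"; it does not depend on
       the system's display language, which makes it the more robust key. -->
  <rule id="100100" level="5">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^4624$</field>
    <field name="win.eventdata.elevatedToken">^%%1842$</field>
    <description>Windows logon with elevated token (4624, ElevatedToken=%%1842)</description>
    <group>authentication_success,elevated_token,</group>
  </rule>

  <!-- Option 2: the workaround from the thread, a regex over the rendered
       message. type="pcre2" so \s+ absorbs the tabs Windows places between
       the label and the value. The rendered text is localized, so "Yes"
       only matches on English-language systems. -->
  <rule id="100101" level="5">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^4624$</field>
    <field name="win.system.message" type="pcre2">Elevated Token:\s+Yes\b</field>
    <description>Windows logon with elevated token (4624, matched on message text)</description>
    <group>authentication_success,elevated_token,</group>
  </rule>

</group>
```

Deploy only one of the two rules: Wazuh raises a single alert per event, so both at the same level would just compete for the same 4624 events.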
