Using Splunk to Search LDAP & Monitor for Last Time Password Was Set by Active Users on Windows OS

by Patricia Orea-Arebun, Splunk Consultant II

This use case helps to monitor active user accounts on Windows OS that have not updated their passwords in the client system in more than “n” number of days. The “n” number of days depends on organizational policy. Using your Splunk instance is the best way to search for changes and monitor active updates.

Risk

The risk involved in having active user accounts with passwords not changed is that the organization might be susceptible to brute force attacks. A brute force attack is where an attacker will be trying to access a company’s network by trying all possible passwords until they get lucky (dangerous!!!!).

Control

Using LDAP can help set monitoring in place for active users whose passwords are yet to be changed or nearing expiration (based on organization policy). LDAP, or Lightweight Directory Access Protocol, is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. LDAP is used in Microsoft’s Active Directory but can also be used in other tools. Querying the LDAP directory requires using the Supporting Add-on for Active Directory (SA-ldapsearch) from Splunkbase in order to use the ldapsearch command. The ldapsearch command will display the users, their respective organizational units, lastLogonTime, created date, pwdLastset and so on.

SPL Query

Begin your query like this:

|ldapsearch domain=<**your company domain**> search="(&(objectClass=user)(!(objectClass=computer)))" 
| search userAccountControl!=ACCOUNTDISABLE 
| rex "OU=(?<OU>[a-zA-Z\s]+)\,DC" 
| eval lasttime=strptime(pwdLastSet,"%Y-%m-%dT%H:%M:%S.%6N")
|eval diff=round(((now() - lasttime)/86400),2)  
| eval timediff = n - diff 
| stats values(whenCreated) as "Created Date" latest(lastLogonTimestamp) as "LastLogonTime" values(OU) as OU values(sAMAccountName) as sAMAccountName values(pwdLastSet) as PWDLastSet values(timediff) as "Time left to change password"  by displayName
SPL Analysis
| ldapsearch domain=<**your company domain**>   search="(&(objectClass=user)(!(objectClass=computer)))"

This is querying the ldap tree for users, service accounts and not computers.

| search userAccountControl!=ACCOUNTDISABLE

This is searching for the active users and service accounts and ignoring disabled accounts

| rex "OU=(?<OU>[a-zA-Z\s]+)\,DC"

This is optional and depends on the use case. This is a field extraction for the list of “Organizational Unit” that each user or service accounts belongs to in the ldap tree.

| eval lasttime=strptime(pwdLastSet,"%Y-%m-%dT%H:%M:%S.%6N")

Converts the “pwdLastSet” timestamp field to current Unix epoch time to allows make further comparisons by creating a field “lasttime”.

|eval diff=round(((now() - lasttime)/86400),2)

Converts the “lasttime” (the last time password was set in days) by creating a new field called “diff”.

| eval timediff = n - diff

Assuming your organizational policy for password change is “90 days” where n = number of days. This will calculate the “the time left to change password after n days”.

| stats values(whenCreated) as "Created Date" latest(lastLogonTimestamp) as "LastLogonTime" values(OU) as OU values(sAMAccountName) as sAMAccountName values(pwdLastSet) as PWDLastSet values(timediff) as "Time left to change password" by displayName

This search will tabulate resulting fields by the User’s displayname.

Result

Any user/service account that is non-compliant or has not changed the password within the Organization’s policy will have a negative sign (-) before the accrued number of days, signifying the number of days their password has been not being changed. The user accounts that are compliant will have a positive sign (+) before the number of days, signifying the number of days left to change their password.

Example: Dashboard Panel of Active User Accounts

This can be turned into the following knowledge objects.

Alert
Splunk will send an email alert to the admin with list of user/service accounts with negative sign (-) to take action and user/service accounts with the number days left to change password.

Dashboard Panel
This can form part of a Splunk dashboard that will be constantly monitored by an Admin.

Report
Splunk can be set to send a report to the admin on a monthly or quarterly basis with the list of active user accounts and how much time left to change their password.

That will do it! Now you’ll equip your team with brute force security monitoring for passwords using Splunk. If you would like more details, please contact us using the form below. Happy Splunking!