Query Details

Security Event UAC Flag Parser

Query

//Parses every user account control change in Security Events, turning each numeric UAC code into a readable message

//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent

SecurityEvent
| where isnotempty(UserAccountControl) and UserAccountControl != "-"
| where AccountType == "User"
// Pull every four-digit code (e.g. 2080) out of the field; one event can carry several
| extend x = extract_all(@"([0-9]{4})", UserAccountControl)
// One row per code, typed as string so the comparisons below are string-to-string
| mv-expand x to typeof(string)
// 2048-2079: flag bit cleared ("Disabled"); 2080-2111: flag bit set ("Enabled"); bit index = code - base
| extend ['User Account Flag Description'] = case
    (
    x == "2048", "Account Enabled",
    x == "2049", "Home Directory Required - Disabled",
    x == "2050", "Password Not Required - Disabled",
    x == "2051", "Temp Duplicate Account - Disabled",
    x == "2052", "Normal Account - Disabled",
    x == "2053", "MNS Logon Account - Disabled",
    x == "2054", "Interdomain Trust Account - Disabled",
    x == "2055", "Workstation Trust Account - Disabled",
    x == "2056", "Server Trust Account - Disabled",
    x == "2057", "Don't Expire Password - Disabled",
    x == "2058", "Account Unlocked",
    x == "2059", "Encrypted Text Password Allowed - Disabled",
    x == "2060", "Smartcard Required - Disabled",
    x == "2061", "Trusted For Delegation - Disabled",
    x == "2062", "Not Delegated - Disabled",
    x == "2063", "Use DES Key Only - Disabled",
    x == "2064", "Don't Require Preauth - Disabled",
    x == "2065", "Password Expired - Disabled",
    x == "2066", "Trusted To Authenticate For Delegation - Disabled",
    x == "2067", "Exclude Authorization Information - Disabled",
    x == "2068", "Undefined UserAccountControl Bit 20 - Disabled",
    x == "2069", "Protect Kerberos Service Tickets with AES Keys - Disabled",
    x == "2070", "Undefined UserAccountControl Bit 22 - Disabled",
    x == "2071", "Undefined UserAccountControl Bit 23 - Disabled",
    x == "2072", "Undefined UserAccountControl Bit 24 - Disabled",
    x == "2073", "Undefined UserAccountControl Bit 25 - Disabled",
    x == "2074", "Undefined UserAccountControl Bit 26 - Disabled",
    x == "2075", "Undefined UserAccountControl Bit 27 - Disabled",
    x == "2076", "Undefined UserAccountControl Bit 28 - Disabled",
    x == "2077", "Undefined UserAccountControl Bit 29 - Disabled",
    x == "2078", "Undefined UserAccountControl Bit 30 - Disabled",
    x == "2079", "Undefined UserAccountControl Bit 31 - Disabled",
    x == "2080", "Account Disabled",
    x == "2081", "Home Directory Required - Enabled",
    x == "2082", "Password Not Required - Enabled",
    x == "2083", "Temp Duplicate Account - Enabled",
    x == "2084", "Normal Account - Enabled",
    x == "2085", "MNS Logon Account - Enabled",
    x == "2086", "Interdomain Trust Account - Enabled",
    x == "2087", "Workstation Trust Account - Enabled",
    x == "2088", "Server Trust Account - Enabled",
    x == "2089", "Don't Expire Password - Enabled",
    x == "2090", "Account Locked",
    x == "2091", "Encrypted Text Password Allowed - Enabled",
    x == "2092", "Smartcard Required - Enabled",
    x == "2093", "Trusted For Delegation - Enabled",
    x == "2094", "Not Delegated - Enabled",
    x == "2095", "Use DES Key Only - Enabled",
    x == "2096", "Don't Require Preauth - Enabled",
    x == "2097", "Password Expired - Enabled",
    x == "2098", "Trusted To Authenticate For Delegation - Enabled",
    x == "2099", "Exclude Authorization Information - Enabled",
    x == "2100", "Undefined UserAccountControl Bit 20 - Enabled",
    x == "2101", "Protect Kerberos Service Tickets with AES Keys - Enabled",
    x == "2102", "Undefined UserAccountControl Bit 22 - Enabled",
    x == "2103", "Undefined UserAccountControl Bit 23 - Enabled",
    x == "2104", "Undefined UserAccountControl Bit 24 - Enabled",
    x == "2105", "Undefined UserAccountControl Bit 25 - Enabled",
    x == "2106", "Undefined UserAccountControl Bit 26 - Enabled",
    x == "2107", "Undefined UserAccountControl Bit 27 - Enabled",
    x == "2108", "Undefined UserAccountControl Bit 28 - Enabled",
    x == "2109", "Undefined UserAccountControl Bit 29 - Enabled",
    x == "2110", "Undefined UserAccountControl Bit 30 - Enabled",
    x == "2111", "Undefined UserAccountControl Bit 31 - Enabled",
    "Unknown")
| project
    TimeGenerated,
    TargetAccount,
    Actor=SubjectAccount,
    UserAccountControl=x,
    ['User Account Flag Description']

Explanation

This query reads user account control changes from Windows Security Events and converts each numeric code into a readable message. It keeps only events whose UserAccountControl field is populated (and not the "-" placeholder) for accounts of type User, extracts every four-digit code from that field, expands the resulting array so each code becomes its own row, and maps each code to its description with a case statement; codes 2048 to 2079 describe a flag that was cleared and 2080 to 2111 a flag that was set. Finally, it projects the timestamp, target account, actor, code and description for analysis.
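As an added worked example (not part of the original query page and not Matt Zorich's code), the same decoding in Python, written from the arithmetic behind the case table rather than the table itself: codes 2048 to 2079 report a cleared flag bit and 2080 to 2111 a set one, and the bit index is the distance from the base. It goes beyond the query by also picking out the descriptions a defender would normally want to alert on. The sample field, the high-risk list and the function names are constructed here and are assumptions, not anything the page defines.

```python
import re

# Flag names by bit position, in the order the KQL case table uses.
# Bits 0 and 10 are special-cased in describe_code; None marks an undefined bit.
_FLAG_NAMES = [
    None,                                   # bit 0: Account Enabled / Disabled
    "Home Directory Required",
    "Password Not Required",
    "Temp Duplicate Account",
    "Normal Account",
    "MNS Logon Account",
    "Interdomain Trust Account",
    "Workstation Trust Account",
    "Server Trust Account",
    "Don't Expire Password",
    None,                                   # bit 10: Account Unlocked / Locked
    "Encrypted Text Password Allowed",
    "Smartcard Required",
    "Trusted For Delegation",
    "Not Delegated",
    "Use DES Key Only",
    "Don't Require Preauth",
    "Password Expired",
    "Trusted To Authenticate For Delegation",
    "Exclude Authorization Information",
    None,                                   # bit 20 is undefined
    "Protect Kerberos Service Tickets with AES Keys",
]

_CLEARED_BASE = 2048   # 2048..2079 -> bit cleared ("Disabled")
_SET_BASE = 2080       # 2080..2111 -> bit set ("Enabled")

# Same pattern the KQL query uses: any run of four digits, with or without the %% prefix.
_CODE_RE = re.compile(r"[0-9]{4}")

# Constructed list of flag transitions worth alerting on (an assumption for this example).
HIGH_RISK = {
    "Password Not Required - Enabled",
    "Don't Require Preauth - Enabled",
    "Trusted For Delegation - Enabled",
    "Trusted To Authenticate For Delegation - Enabled",
    "Use DES Key Only - Enabled",
    "Don't Expire Password - Enabled",
}


def describe_code(code: int) -> str:
    """Map one %%NNNN code to the same text the KQL case table produces."""
    if _CLEARED_BASE <= code < _SET_BASE:
        bit, state = code - _CLEARED_BASE, "Disabled"
    elif _SET_BASE <= code < _SET_BASE + 32:
        bit, state = code - _SET_BASE, "Enabled"
    else:
        return "Unknown"
    # Bit 0 is the ACCOUNTDISABLE flag and bit 10 the LOCKOUT flag, so a cleared bit
    # means the account is enabled / unlocked rather than "... - Disabled".
    if bit == 0:
        return "Account Enabled" if state == "Disabled" else "Account Disabled"
    if bit == 10:
        return "Account Unlocked" if state == "Disabled" else "Account Locked"
    name = _FLAG_NAMES[bit] if bit < len(_FLAG_NAMES) else None
    if name is None:
        name = f"Undefined UserAccountControl Bit {bit}"
    return f"{name} - {state}"


def parse_uac_field(field: str) -> list:
    """Decode every code in a UserAccountControl field into (code, description) pairs."""
    return [(int(m), describe_code(int(m))) for m in _CODE_RE.findall(field)]


def risky_changes(field: str) -> list:
    """Return only the decoded descriptions that appear in HIGH_RISK, in field order."""
    return [desc for _, desc in parse_uac_field(field) if desc in HIGH_RISK]


# Constructed sample of a UserAccountControl field from a user-change event (not real data):
# the account was disabled, and two authentication-weakening flags were set in the same change.
SAMPLE_FIELD = "%%2080 %%2082 %%2096"

if __name__ == "__main__":
    for code, desc in parse_uac_field(SAMPLE_FIELD):
        print(f"{code}: {desc}")
    print("high-risk:", risky_changes(SAMPLE_FIELD))
```

The field is decoded per code rather than per event, which mirrors the query's mv-expand: a single change event that sets several flags yields several rows, and the risky_changes filter is the part you would wire to an alert.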

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

SecurityEvent,UserAccountControl,AccountType,TimeGenerated,TargetAccount,Actor,['UserAccountFlagDescription']

Operators

where, isnotempty, !=, ==, extend, extract_all, mv-expand, case, strcat, =, project
