SANS ISC InfoSec Handlers Diary Blog

Monitoring Windows Networks Using Syslog (Part One)

Published: 2014-01-04
Last Updated: 2014-01-04 01:09:15 UTC
by Tom Webb (Version: 1)

As an incident responder, I love high value logs. We all know Windows event logs can be super chatty, but with the right tuning they can be very useful. I've tried out several utilities for syslogging Windows event logs, but I've found eventlog-to-syslog (code.google.com/p/eventlog-to-syslog) to be my favorite due to the simple config and install.

If you are not logging anything from your Windows clients and you suddenly turn on everything, you will be overwhelmed. I'm going to cover a couple of logs to start looking at in this post and go into more detail in my next post. AppLocker, EMET (http://support.microsoft.com/kb/2458544/en-US), Windows Defender and application error logs are some of the most valuable logs when looking for compromised systems. These are what we are going to cover today.

AppLocker Setup

If you haven't set up AppLocker in your environment, now would be a great time to get started. Microsoft has a great document that covers it in complete detail (http://download.microsoft.com/download/B/F/0/BF0FC8F8-178E-4866-BBC3-178884A09E18/AppLocker-Design-Guide.pdf). For most, using the Path Rules will get you what you need. The pros and cons of each ruleset are covered in section 2.4.4, pages 17-22.

The MS doc is quite extensive, but for a quick start guide try the NCSC Guide (http://ncsc.govt.nz/sites/default/files/articles/NCSC%20Applocker-public%20v1.0.5.pdf).

The basic idea of the path rules is to allow things to run from normal folders (e.g. the Program Files and Windows folders) and block everything else. The NSA SRP guide (YEA YEA, I know) gives a good list of rules to use with AppLocker (www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf). You will run into some issues with Chrome and other apps (Spotify) that run from the user's AppData folder, but that is where the syslog auditing comes into play. First deploy this in audit mode and then, once you are comfortable, move to prevent mode. If you already have a software inventory product, you will be able to leverage that information to feed into your policy. Much has been written about this, but I wanted to cover the basics.

EventLog-to-Syslog Installation

Download the software from https://code.google.com/p/eventlog-to-syslog/

1. To install it as a service, simply run:

c:>evtsys.exe -i -h <Syslog Server IP>

2. Copy evtsys.cfg to the C:\windows\system32\ directory. (More on this below.)

3. Restart the service.

c:>Net stop evtsys

c:>Net start evtsys

That's it, you should be ready to get logs.

Evtsys.cfg Setup

A basic version of the evtsys.cfg can be found on my Github (http://goo.gl/79spGK). This config file is for Windows 7 and up. Please rename the file to Evtsys.cfg before using. This file uses XPath for the filters, which makes creating new ones easy. Here is a quick way to create your own.

1. In the Windows Event Viewer, select the Event logs you wish to create a rule from.

2. Click the Details tab and select XML View.

3. Determine the Channel for the Event along with any specific Event ID you want from that channel.

In this case the Windows Defender Channel is:

<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>

The event IDs we want are: 1005, 1006, 1010, 1012, 1014, 2001, 2003, 2004, 3002, 5008

4. Putting it all together. The format for the rules is XPath:<PathtoChannel>:<Select statement>, and the rule must be on one line. It's ok for the channel name to have spaces, but the Select statement has to use double quotes.

5. Click the Filter Current Log button on the side of the Event Viewer and enter the additional data you want to use to filter. Then click on the XML tab at the top. You can cut and paste the entire <Select Path portion into your filter.

XPath:Microsoft-Windows-Windows Defender/Operational:<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1005 or EventID=1006 or EventID=1010 or EventID=1012 or EventID=1014 or EventID=2001 or EventID=2003 or EventID=2004 or EventID=3002 or EventID=5008)]]</Select>
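Hand-typing these rules is where most mistakes happen (curly quotes from a copy and paste, a line wrapped by an editor, a channel name that does not match the Select Path). The following Python is an added example, not part of the diary or of the eventlog-to-syslog project: it builds a rule line in the format described above from a channel name and a list of event IDs, and lints an existing line for those defects. The Defender channel and event IDs are the ones from the post; the rule format check is an assumption based on the post's description of the format.

```python
# Added example (not from the diary or the evtsys project): generate and lint
# evtsys.cfg rules of the form
#   XPath:<channel>:<Select Path="<channel>">*[System[(...)]]</Select>
import re

# Channel and event IDs taken from the post above.
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
DEFENDER_IDS = [1005, 1006, 1010, 1012, 1014, 2001, 2003, 2004, 3002, 5008]


def xpath_rule(channel, event_ids):
    """Return a single evtsys.cfg line selecting event_ids from channel."""
    if not event_ids:
        raise ValueError("at least one event ID is required")
    ids = " or ".join(f"EventID={int(i)}" for i in event_ids)
    select = f'<Select Path="{channel}">*[System[({ids})]]</Select>'
    return f"XPath:{channel}:{select}"


# Shape of a rule line as the post describes it (assumption: channel names
# contain no colon, Select Path uses straight double quotes).
RULE_RE = re.compile(
    r'^XPath:(?P<channel>[^:]+):<Select Path="(?P<path>[^"]+)">'
    r'(?P<query>.+)</Select>$'
)


def lint_rule(line):
    """Return a list of problems found in a rule line; [] means it looks usable."""
    problems = []
    if "\n" in line or "\r" in line:
        problems.append("rule must be on a single line")
    if any(ch in line for ch in "\u201c\u201d"):
        problems.append("curly quotes found; the Select statement needs straight double quotes")
    m = RULE_RE.match(line.strip())
    if m is None:
        problems.append("line does not match XPath:<channel>:<Select Path=...>...</Select>")
        return problems
    if m.group("channel") != m.group("path"):
        problems.append("channel prefix and Select Path differ")
    if not m.group("query").startswith("*[System["):
        problems.append("query does not start with *[System[")
    return problems


if __name__ == "__main__":
    rule = xpath_rule(DEFENDER_CHANNEL, DEFENDER_IDS)
    print(rule)
    print("problems:", lint_rule(rule))
```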


Other Items that will be syslogged are:

  • Application Crashes

  • EMET

  • Windows Defender

  • Account Lockouts

  • User Added to Privileged Group

Finished Product

The raw syslog for a blocked AppLocker event looks like the line below.

Jan  3 12:59:35 WIN-C AppLocker: 8004:  %OSDRIVE%\TEMP\bob\X64\AGENT.EXE was prevented from running.


Raw syslog for an allowed program:

Jan  3 14:37:51 WIN-CC AppLocker: 8002: %SYSTEM32%\SEARCHPROTOCOLHOST.EXE was allowed to run.


Simple Stats

To get a list of all applications that have been blocked, use the following command:

$ cat /var/log/syslog | fgrep AppLocker | fgrep prevent | awk '{print $7}' | sort | uniq -c

1 %OSDRIVE%\TEMP\bob\X64\AGENT.EXE
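The awk pipeline prints the seventh whitespace-separated field, which truncates any path that contains a space (common under AppData and Program Files). The Python below is an added example, not from the diary: it parses the AppLocker syslog lines in the format shown above by anchoring on the "was prevented from running" / "was allowed to run" phrase instead of field position, and tallies blocked binaries overall or per host. The sample log lines are constructed for the example (hostnames and paths are made up).

```python
# Added example (not from the diary): parse AppLocker syslog lines as emitted by
# evtsys and count blocked executions, keeping paths with spaces intact.
import re
from collections import Counter

# Constructed sample data in the syslog format shown in the post.
SAMPLE_SYSLOG = r"""
Jan  3 12:59:35 WIN-C AppLocker: 8004:  %OSDRIVE%\TEMP\bob\X64\AGENT.EXE was prevented from running.
Jan  3 14:37:51 WIN-CC AppLocker: 8002: %SYSTEM32%\SEARCHPROTOCOLHOST.EXE was allowed to run.
Jan  3 14:40:02 WIN-C AppLocker: 8004:  %OSDRIVE%\Users\bob\AppData\Local\Some Tool\UPDATER.EXE was prevented from running.
Jan  3 14:41:10 WIN-C AppLocker: 8004:  %OSDRIVE%\TEMP\bob\X64\AGENT.EXE was prevented from running.
Jan  3 14:42:00 WIN-C sshd[1]: unrelated line that must be ignored
"""

# Timestamp, host, the literal "AppLocker:" tag, event ID, then the path up to
# the verdict phrase. The lazy .+? stops at the first " was ..." so paths that
# contain spaces are captured whole.
APPLOCKER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) AppLocker: (?P<eid>\d+):\s+"
    r"(?P<path>.+?) was (?P<verdict>prevented from running|allowed to run)\.$"
)


def parse_applocker(text):
    """Yield one dict per AppLocker line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = APPLOCKER_RE.match(line)
        if m:
            event = m.groupdict()
            event["blocked"] = event["verdict"].startswith("prevented")
            yield event


def blocked_counts(text, per_host=False):
    """Counter of blocked paths (or (host, path) pairs), like sort | uniq -c."""
    keys = []
    for event in parse_applocker(text):
        if event["blocked"]:
            # Windows paths are case-insensitive, so normalise before counting.
            path = event["path"].upper()
            keys.append((event["host"], path) if per_host else path)
    return Counter(keys)


if __name__ == "__main__":
    for path, n in blocked_counts(SAMPLE_SYSLOG).most_common():
        print(f"{n:>4} {path}")
```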


Next Time on ISC..

In the next post I'll cover a more comprehensive config file to detect attackers and integrate logs for reporting.

--

Tom Webb
