Author Archives: digirati82

WLS 3.7 Released!

WLS 3.7 is here! The latest version of vendor-agnostic Windows event log forwarding with process creation metadata and user defined contextual information, now with RemoteConfiguration for dynamic install-time and post-install settings management.

CertificateMonitor

  • TPM SRKPUB information reported if available
  • TPM information reported for EKCERT and EKNVCERT when TPM is selected as a store location to report. EKCERT may be overwritten and/or contain multiple certificates as configured by the organization/user. EKNVCERT should reflect the TPM provided certificate.  Examples:

2021-07-20T08:27:08-05:00 host WLS_CertificateMonitor: LogType=”WLS”, Archived=”False”, ChangeType=”Initial”, Critical=”1,2,3″, EnhancedKeyUsages=”Endorsement Key Certificate”, ExtensionCount=”9″, Extensions=”Authority Information Access,Key Usage,Subject Alternative Name,Basic Constraints,CRL Distribution Points,Certificate Policies,Authority Key Identifier,Enhanced Key Usage,Subject Directory Attributes”, HasPrivateKey=”False”, Issuer=”CN=Infineon OPTIGA(TM) TPM 2.0 RSA CA 042, OU=OPTIGA(TM), O=Infineon Technologies AG, C=DE”, KeyAlgorithm=”RSA”, KeyUsages=”KeyEncipherment”, NotAfter=”12/30/2034 7:05:45 AM”, NotBefore=”12/30/2019 7:05:45 AM”, PublicKeySize=”2048″, SerialNumber=”5FF96D85″, SHA1=”0D8C16C554A825CBEF8B880A4216851F0577724F”, SignatureAlgorithm=”sha256RSA”, StoreLocation=”TPM”, StoreName=”EKNVCERT“, Subject=”TPMVersion=id:0755, TPMModel=SLB 9670 TPM2.0, TPMManufacturer=id:49465800″, SubjectAlternativeName=”Directory Address:TPMVersion=id:0755, TPMModel=SLB 9670 TPM2.0, TPMManufacturer=id:49465800″, User=”Local Computer”, Version=”3″, WLSKey=”1079″

2021-07-20T08:27:07-05:00 host WLS_CertificateMonitor: LogType=”WLS”, Archived=”False”, ChangeType=”Initial”, Critical=”1,2,3″, EnhancedKeyUsages=”Endorsement Key Certificate”, ExtensionCount=”9″, Extensions=”Authority Information Access,Key Usage,Subject Alternative Name,Basic Constraints,CRL Distribution Points,Certificate Policies,Authority Key Identifier,Enhanced Key Usage,Subject Directory Attributes”, HasPrivateKey=”False”, Issuer=”CN=Infineon OPTIGA(TM) TPM 2.0 RSA CA 042, OU=OPTIGA(TM), O=Infineon Technologies AG, C=DE”, KeyAlgorithm=”RSA”, KeyUsages=”KeyEncipherment”, NewHash=”True”, NotAfter=”12/30/2034 7:05:45 AM”, NotBefore=”12/30/2019 7:05:45 AM”, PublicKeySize=”2048″, SerialNumber=”5FF96D85″, SHA1=”0D8C16C554A825CBEF8B880A4216851F0577724F”, SignatureAlgorithm=”sha256RSA”, StoreLocation=”TPM”, StoreName=”EKCERT“, Subject=”TPMVersion=id:0755, TPMModel=SLB 9670 TPM2.0, TPMManufacturer=id:49465800″, SubjectAlternativeName=”Directory Address:TPMVersion=id:0755, TPMModel=SLB 9670 TPM2.0, TPMManufacturer=id:49465800″, User=”Local Computer”, Version=”3″, WLSKey=”612″

CommandMonitor

  • Supports Windows 10 14393 and later

Database

  • Optional in-memory only log caching – intended reduce disk usage on temporal systems such as non-persistent VDI

FileMetadata enhancements

Logging

  • CPU affinity will be used to restrict the processors available to WLS when CPUAffinity or CPULimitCores is set
  • Improved filter performance and added more options. WLS App for Splunk includes Filter Data dashboard
    • FilterData
  • Event descriptions can be reported periodically (LogEventDescriptionInterval). WLS App for Splunk includes a scheduled search, lookup, and macro to build unique event descriptions and return them at search time.
  • Process “tree” information can be reported. WLS App for Splunk contains dashboards for filtering and analysis.
    • ProcessTree
  • Process ID fields present in logs can be resolved to a process name and reported as [ProcessIDField]Name

LogFormats

  • HMAC can be added to logs for later integrity verification. Secret key is encrypted after being set. WLS App for Splunk includes setup and macro for verification.

LogRouting

  • Logs can be output to a text file at a user defined destination
    • This can be the primary output, or a parallel output to other destinations

NamedPipeMonitor

  • Enhanced filtering options
  • Improved filtering performance

Print Monitor – New!

  • Log print jobs processed through the local print spooler

Process / MonitorFilter

  • Monitors that are triggered by process creation/termination can be tuned to reduce resource utilization caused by frequent, expected processes

RemoteConfiguration – New!

  • WLS settings can be read from a file or web URL
    • Remote URL can be set at installation, no predefined configuration is required for deployment
    • Support for XML digital signatures to provide verification of content and that the signing certificate is trusted
  • Rules can be used to load specific settings for hosts based on host attributes and WMI data

ServiceMonitor – New!

  • Monitor Windows services. WLS App for Splunk includes dashboard for viewing the last known status and comparing changes over time.
    • ServiceStatus

SessionMonitor

  • Log user-defined certificate fields if used for authentication
  • Log local non-loopback IP addresses (positive user/IP correlation!)
  • Log user defined WinStationClient fields
    • WLS App for Splunk provides decoding for PerformanceFlags and WSFlags

Task Monitor – New!

  • Log scheduled tasks on startup, periodically, and on-change
    • WLS App for Splunk provides a dashboard for analysis

WinObjectMonitor

  • Enhanced filtering options
  • Improved filtering performance

Misc

  • Added support for decoding additional encoded IP address fields
  • Improved finding files when user specific environmental variables are used
  • Improved finding files when files have relative paths and are located in directories specified in the PATH environmental variable

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

WLS – Remote Configuration

WLS 3.7 introduces the ability to read settings from a remote location, optionally based on host attributes. This provides a dynamic way to update settings on hosts without using GPO, and the ability to deploy WLS without a base configuration file (initial.xml), separating the deployment and configuration for easier management in complex environments.

Remote Location

The remote location can be a file share or web site. It is recommended that a file share have proper ACLs applied, specified by FQDN, and DNSSEC enabled. If a web site is used, HTTPS is recommended and must have a valid certificate.

The rules.xml and any qualifying XML settings files are read and cached on the host. At the specified Interval, WLS will check for changes based on the specified UpdateCheckType. File share paths default to checking the Last Modified Date metadata. Web site paths default to checking the Last Modified Date and ETag metadata returned from a HEAD request. UpdateCheckType can be configured to require a full content comparison at each interval. If the metadata has changed a full content comparison is done and settings are only applied if the content has changed.

If the system is unable to reach the remote configuration path, the cached rules.xml will be evaluated and qualifying cached XML settings will be used as the original paths are cached as well.

Rules

The rules.xml must be located at the root of the remote location. Each rule specifies one or more conditions and a URL to read settings from for hosts that match all conditions. The URL can be relative to the remote location or an absolute path to another location. URLs evaluated from the rules.xml can contain XML settings files by any name. A rule can be set to stop processing further rules by setting continue to false.

Conditions

A condition can either be a “host” or “wmi” condition. A host condition can be the hostname, OU, DN, or any environmental variable for the “Local System” user. A WMI condition can use any WMI namespace and class available to “Local System”.

Each condition can specify one or more fields. Each field can specify zero or more values. Each value can be an exact match, wildcard (*, #, ?), or regular expression. For fields where more than one value may be returned, each value is compared against the values specified. If no value is specified all values will be used when evaluating tokens.

Tokens are optional and can be specified for one or more fields. The token can then be used as part of the URL to dynamically change the location or file name of the XML settings file to be read if all conditions are met.

Example rules.xml

The example below shows reading settings for a Dell computer in an OU named “Windows 10”. The URL is relative and based on the tokens from the conditions.

<WLS>
  <rules>
    <rule name="Dell in Win10 OU">
      <!--Just an example. URL is a relative path to RemoteConfigurationURL-->
      <host>
        <!--Example condition comment-->
        <fields>
          <field>
            <!--Example field comment-->
            <name>OU</name>
            <!--Example value comment-->
            <value>Windows 10</value>
            <token>ou</token>
          </field>
        </fields>
      </host>
      <wmi>
        <namespace>root\cimv2</namespace>
        <class>Win32_ComputerSystem</class>
        <!--Second condition comment-->
        <fields>
          <field>
            <!--wmi field comment-->
            <name>Manufacturer</name>
            <value>Dell*</value>
            <token>mfr</token>
          </field>
        </fields>
      </wmi>
      <url>$ou$\$mfr$\settings.xml</url>
    </rule>
  </rules>
</WLS>

This example shows reading settings for any manufacturer in the “Windows 10” OU. No value needs to be specified if all values for a field will be used. Failed attempted paths will be logged based on the LogMissingFiles setting.

<WLS>
  <rules>
    <rule name="Dell in Win10 OU">
      <!--Just an example. URL is a relative path to RemoteConfigurationURL-->
      <host>
        <!--Example condition comment-->
        <fields>
          <field>
            <!--Example field comment-->
            <name>OU</name>
            <!--Example value comment-->
            <value>Windows 10</value>
            <token>ou</token>
          </field>
        </fields>
      </host>
      <wmi>
        <namespace>root\cimv2</namespace>
        <class>Win32_ComputerSystem</class>
        <!--Second condition comment-->
        <fields>
          <field>
            <!--wmi field comment-->
            <name>Manufacturer</name>
            <token>mfr</token>
          </field>
        </fields>
      </wmi>
      <url>$ou$\$mfr$\settings.xml</url>
    </rule>
  </rules>
</WLS>

Settings

A settings.xml may be located at the root of the remote location. If present it will be applied to all hosts. XML settings file content is the same format as the initial.xml and the WLS Configuration Editor should be used to generate them. Settings files are processed in the order they appear in the rules.xml. Settings are overlaid such that the last setting will overwrite a previous setting.

XML Integrity and Verification

XML files should be digitally signed to ensure content has not changed. XML files can be signed with a certificate to ensure the content integrity and that it was signed by a trusted entity. The tooling to sign and verify is included with the Remote Configuration Rule Editor and the Configuration Editor.

Signing

From either tool, choose File->Sign XML. A prompt will appear asking if you have a certificate, choosing Yes will show the available certificates or let you choose one from disk and ask for the PIN/password if needed, choosing No will use a system generated certificate. Each tool can also have a default certificate chosen to avoid being prompted.

A system generated certificate will verify the content only. A user specified certificate will verify content and that the signer is trusted by the host. After signing a verification is performed and the results displayed to the user.

A signature block will be added to the end of the XML file. Any previous signature will be removed.

System generated certificate

<WLS>
  <rules>
  ...
  </rules>
<RSAKeyValue><Modulus>...</Modulus><Exponent>...</Exponent></RSAKeyValue><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>.../DigestValue></Reference></SignedInfo><SignatureValue...</SignatureValue></Signature></WLS>

User certificate

<WLS>
  <rules>
...
  </rules>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>...</DigestValue></Reference></SignedInfo><SignatureValue>...</SignatureValue><KeyInfo><X509Data><X509Certificate>...</X509Certificate></X509Data></KeyInfo></Signature></WLS>

Remote Configuration at Installation

WLS can be deployed without an initial.xml by specifying a RemoteURL as a command line parameter to msiexec.exe. The rules.xml must be signed when specified at installation.

Examples:

msiexec.exe /i setup.msi /qn RemoteURL= "\\server\WLS"
msiexec.exe /i setup.msi /qn RemoteURL= "https://server/WLS"

A minimal initial.xml that specifies the RemoteConfiguration URL may also be used.

<WLS>
  <Config>
    <RemoteConfiguration>
      <URL>https://server/WLS</URL>
    </RemoteConfiguration>
  </Config>
</WLS>

Tooling

The Remote Configuration Rule Editor is provided to help with creating the rules.xml file. XML is the native format used and it can be edited without the use of the editor. If the file is signed, editing the file will invalidate the signature until it is resigned for the new content. Rule names and any comments are for user reference only and are not used by WLS.

Rules are added and removed using the appropriate buttons. Rules can be reordered by dragging and dropping.

Where possible the editor will show available field names, values, WMI namespaces, and WMI classes. Field names, namespaces, and classes are free-form text fields and can specify values not available on the local system that may be available on other systems.

Available “host” fields
Available WMI classes
Available WMI fields for the namespace and class

Logs and Dashboard

All relevant Remote Configuration activity is logged and a Splunk dashboard is provided in the WLS App for Splunk.


For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

WLS 3.6 Updated

WLS 3.6.18320 is here!

This release is primarily to address https://fpki.idmanagement.gov/truststores/microsoft/, which affected the digital signature of WLS.

CertificateMonitor

  • Added support for reporting TPM EKCERTs

FileMetadata enhancements

  • Added support for nested x509Certificate2 properties

FileTail

  • Added support for reporting the file path; none, absolute, or relative

Logging

  • Event provider metadata will now attempt to use the specified LogCulture

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

WLS 3.6 Released!

WLS 3.6 is here! Aside from the continual improvements to the core, here are a few highlights for this release.

ARP – New!

  • Periodically log the ARP table

DNS Cache – New!

  • Periodically log the DNS cache

CertificateMonitor

  • Log certificate information as specified by Extension FriendlyName OR OID
    • Useful for logging extra information such as the Certificate Template Information

FileMetadata enhancements

  • Added AlternateDataStreamFileMetadata
    • Specify alternate FileMetadata settings to be used for files found in AlternateDataStreams
  • Added ImpSSDeep hash
    • Fuzzy hash of all PE imported libraries and function names
  • Added GetSectionNames
    • Log the section names as defined in the PE header of the file
  • Added ZoneFields parameter to FileMetadata
  • Filtering to prevent specific metadata from being collected

Local Users – New!

  • Periodically log users with specified parameters and their groups
  • Periodically log groups with specified parameters and their users

Misc

  • Added detection for IMAGE_DEBUG_TYPE_REPRO which affects the TimeDateStamp in the file header
  • Enhanced support for alternate data streams and symlinks
  • Enhanced support for version information including languages and codepages
  • Support for TLS 1.1 with .NET 4.5+
  • Support for TLS 1.2 with .NET 4.6+

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

Event logs with control characters

A WLS user contacted me and was having issues parsing a date from a data field in EventID 6008 (unexpected shutdown). Taking a look at my logs everything looked fine, even in a viewer like Notepad++ with Show View->Show Symbol->Show All Characters. Since I use Splunk, on the record in question I selected Event Actions->Show Source, and it looked fine there too. Next I did a right-click and Inspect on the web page and there it was: “&lrm;” aka u200e, aka E2808E, aka “Left-To-Right Mark”.

lrm

Saving the event text to a file and opening it with a hex editor also shows the control character in question (e2 80 8e):

e2808e

Indeed these control characters are included in at least 8 other events and all appear to be in date fields.

In Splunk you can use rex/sed or replace to remove control characters before attempting a strptime or other function.

`wlslogs` EventID=6008 | rex field=Data1 mode=sed "s/\p{C}//g" | eval NewDate=strptime(Data1,"%m/%d/%Y")

or

`wlslogs` EventID=6008 | eval NewDate=strptime(replace(Data1,"\p{C}",""),"%m/%d/%Y")

WLS 3.5 Released!

WLS 3.5 is here! Aside from the continual improvements to the core, here are a few highlights for this release.

File Tailing

This long requested feature was finally incorporated, primarily to support PowerShell v5 history and IIS logs, but should work well for a wide variety of logs. An example configuration for PowerShell v5 and IIS is included in the recommended configuration.

PE File Information

If specified, when encountered, ImpHash and the header fields defined below are now available for PE files. For non-PE files the Signature will be logged.

PE File

Example PE file with ImpHash and the compile/link time (TimeDateStamp):

[host] Security:  LogType=”WLS”, BaseFileName=”charmap.exe”, Channel=”Security”, CommandLine=”‘C:\WINDOWS\system32\charmap.exe'”, CompanyName=”Microsoft Corporation”, Computer=”[host].[domain]”, CreatorProcessName=”explorer”, EventID=”4688″, EventRecordID=”44735942″, ExecutionProcessID=”4″, ExecutionThreadID=”8992″, FileDescription=”Character Map”, FileVersion=”5.2.3668.0″, ImpHash=”7831775B376A2587FCB1CCB3E1EE37BF”, InternalName=”charmap.exe”, …, TimeDateStamp=”10/30/2015 2:37:15 AM”, TokenElevationType=”TokenElevationTypeDefault (1)”, ValidSignatureDate=”True”, Version=”2″, WindowStation=”Winsta0\Default”, Zone=”0″

Non-PE File

Example of a non-PE (16-bit!) file present in Windows 10 64-bit:

[host] WLS_FileData:  LogType=”WLS”, BaseFileName=”compobj.dll”, …, SHA1=”2BE21636F3C2899F1217C289351B106118A5E197″, Signature=”NE”, WLSKey=”3012″

Additions

  • CommandMonitor default support for netsh.exe and nslookup.exe
  • DecodeClientAddress
    • Logs with the ClientAddress field can be decoded to their actual values (IP, Port, and Scope)
  • DriveMonitor
    • Added DriveLogInterval to log drive details at regular intervals
  • ExistingProcess
    • Added the fields SubjectUserSid, SubjectUserDomain, and SubjectUserName
  • FileMetadata
    • CatHash available for PE files
    • File header fields available for PE files
    • IgnoredList option to prevent specific files from having metadata collected
    • ImpHash available for PE files
  • FileTail
    • Monitor flat files
  • Filters
    • Support for wildcard characters
  • Heartbeat
    • Reports LogsSent
  • LogRouting
    • CSV output
    • LogsSent is reported per-destination
  • LogRouting\Servers
    • SDID can be set per-server
    • UTC available via the UseUTC option
  • RegistryMonitor
    • Filtering by key Name and Value
  • PortMonitor
    • Added ResolveRemoteHostName option
  • SessionMonitor
    • Added SecurityUserID and Certificate fields

Changes

  • FileData
    • Internal logs can be routed through FileData to collect file metadata based on file names contain in logs
  • FileMetadata
    • Errors countered during metadata collection are now reported
  • FileMonitor
    • Delete events now report BaseFileName
  • PortMonitor
    • Removed port summarization
  • SSDeep (fuzzy hash)
    • Calculation was replaced. Now supports incremental hashing!

Fixes

  • CertificateMonitor
    • Certificates with invalid public key algorithms were not reported
  • CommandMonitor
    • Certain errors caused commands to not be reported
  • File permissions issues
  • FileMetadata
    • SSDeep was not calculated properly for some files
  • Filtering
    • The NewHash field wasn’t available to use in a filter
  • Heartbeat
    • Setting the interval to 0 did not disable the heartbeat
  • RegistryMonitor
    • Invalid registry paths would invalidate the entire group
  • ReplaceProviderString
    • Replacement strings containing multiple values with a comma delimiter were not replaced
  • SessionMonitor
    • SessionUser was not set to the actual session user when an invalid user was initially presented
  • Tags
    • All fields were not available to use for tagging

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

Determine if a Smart Card Was Used for Logon

This method can only determine if a logon used Public Key Cryptography for Initial Authentication (PKINIT); successive locks / unlocks will continue to report the information from the initial logon.

According to this article: http://social.technet.microsoft.com/wiki/contents/articles/11844.find-out-if-a-smart-card-was-used-for-logon.aspx, a special security group is injected into the user’s access token when a smart card is used. Comparing the current user token group members between a password and smart card authenticated session revealed the group “NT Authority\This Organization Certificate” (S-1-5-65-1). (PowerShell for this below)

A search for S-1-5-65-1 returned this article: https://msdn.microsoft.com/en-us/library/cc980032.aspx, with the following information:

THIS_ORGANIZATION_CERTIFICATE

S-1-5-65-1

A SID that indicates that the client’s Kerberos service ticket’s PAC contained a NTLM_SUPPLEMENTAL_CREDENTIAL structure (as specified in [MS-PAC] section 2.6.4). If the OTHER_ORGANIZATION SID is present, then this SID MUST NOT be present. <25>

Following the link to section 2.6.4 leads to the description: “The PAC buffer type is included only when PKINIT [MS-PKCA] is used to authenticate the user”

So, by what I can find and test, the presence of “NT Authority\This Organization Certificate” (S-1-5-65-1) in the user’s access token groups positively indicates whether the initial authentication used PKINIT, e.g., smart card.

This can be tested with the following PowerShell code:

$objGroup = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-65-1")
([System.Security.Principal.WindowsIdentity]::GetCurrent()).Groups.Contains($objGroup)

WLS now uses a similar method with SessionMonitor. Any time a session changes, the AuthenticationType, CredentialProvider, and PKINIT will now be reported.

2015-11-18T07:16:54-06:00 [host] WLS_SessionMonitor: LogType=”WLS”, ApplicationName=””, AuthenticationType=”Kerberos”, BuildNumber=”0″, ClientAddress=””, ClientDirectory=””, ClientName=””, CredentialProvider=”Smartcard Credential Provider”, EncryptionLevel=”High”, HardwareId=”0″, InitialProgram=””, Message=”SessionUnlock”, PKINIT=”True”, ProductId=”0″, Protocol=”Console”, Resolution=”640×480″, SessionId=”10″, SessionName=”Console”, SourceAddress=””, SourceName=””, User=”[domain]\[user]”, WLSKey=”677″, WorkDirectory=””


For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

WLS 3.4 Released!

New

  • CommandMonitor support for wmic.exe
    • Ability to add other binaries
  • FileMetadata
    • File buffer size
    • File size and time limits for calculating hashes and entropy
  • FileMonitor special folder support which follows the interactive user
  • Heartbeat
    • Configurable interval. Reports DBSize, ConnectionErrors, LogsWLSError, WLSVersion
  • Log filtering
    • Per log route destination
  • LogFormats
    • All formats are now defined by the configuration
    • Custom formats can be added, existing ones changed, etc.
  • LogRouting
    • Simultaneous multi-destination sending of logs with per-server log formatting
  • Performance counters
    • Filtering by condition
  • ShowEntryTypeDescription
  • ShowLogonTypeDescription
    • Defaults to True for legacy compatibility
  • TrackHashes
    • Tracking of hashes to set the NewHash=True flag can be enabled / disabled
      • Tracking hashes takes space in the database and time during database writes

Changes

  • CertMonitor – FullReportInterval for interval based reporting
  • Entropy and hash calculations integrated to reduce file iterations and support timeouts
  • FileData logs the CreatorProcessName and CreatorProcessId
  • FileMetadata searches for non-rooted files iterating through the PATH variables
  • MaxLogLength now simply truncates the log if it is oversize

Fixes

  • Command Monitor – Fixed bug with greater than 16-bit PIDs
  • ConfigurationHash calculation
  • IPv6 parsing when specified as a log destination

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

Windows 7/2008 + RDP8 = Incorrect source network address

A few months ago I noticed some odd IP addresses in the WLS SessionMonitor logs for a few of our hosts. After confirming that this was not the result of a compromise I began digging further into the issue.

Our networking team had started investigating usage of RDP8 to improve the user experience for remote users, and had installed RDP8 and enabled the RDP8 protocol via policy on their Windows 7 systems. When an RDP connection was made, the Source Network Address was incorrect in Security Event ID 4624 (successful logon events), TerminalServices-RemoteConnectionManager Event ID 1149, and TerminalServices-LocalSessionManager Event ID 25. Usually this was reported as “0.0.0.0”, but sometimes contained random numbers. WLS uses WinStationQueryInformationW to retrieve the source network address for the session and it returned the same information that is reflected in the event logs.

Further testing showed that this only impacted Windows 7/2008 systems with RDP8 installed and enabled. Disabling the RDP8 protocol in the policy forces the connection to fall back to RDP7 which reports the IP address as expected. Changing the RDP transport protocols did not appear to have any effect.

The RDP8 protocol policy is located at:

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Enable Remote Desktop Protocol 8.0

The RDP transport protocols policy is located at:

 Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Select RDP transport protocols

Due to the way RDP was previously implemented, there will not be a fix provided that allows the Source Network Address to be properly reported in event logs, or a way to retrieve it via an API call. Here’s the associated KB for the issue detailed above: https://support.microsoft.com/en-us/kb/3097467

Monitoring downloaded file execution: WLS + Bro + Splunk

Bro does awesome things with network data. One of those things is performing an analysis of files on the wire, including hashing. WLS does hashing of executed files and loaded DLLs, and tracks each hash that has been seen on the host, setting “NewHash=True” for the first instance.

I wanted to track PE files that have been seen on the wire (downloaded) then executed for the first time with some basic statistics. The resulting Splunk search looks for all Bro file analysis logs of PE files that contain an MD5, matches that with WLS logs containing the same MD5, does a distinct host count, and reports the unique hash data with the distinct host count. If you have Bro monitoring internal and external traffic you’ll also see things such as managed anti-virus updates or patches. The WLS file metadata optionally includes the Zone field, which can come in handy for differentiating the source of the files.

Internet Explorer Zone Number Mapping

Value Setting
0 My Computer
1 Local Intranet Zone
2 Trusted sites Zone
3 Internet Zone
4 Restricted Sites Zone

Here’s the current Splunk search I’m using for alerting:

`wlslogs` NewHash=True [ search sourcetype=bro_files PE MD5 | dedup md5 | rename md5 as MD5 | fields MD5] | eval CallingProcess=coalesce(Process,CreatorProcessName) | eventstats dc(host) as hostCount by MD5 | dedup MD5 | table hostCount, CallingProcess, BaseFileName, CompanyName, InternalName, FileDescription, Signed, FileVersion, ProductVersion, Zone | sort -hostCount

  • `wlslogs`
    • A macro that limits the logs to indexes where WLS data is contained
  • NewHash=True
    • Only logs where NewHash is set to True
  • [ search sourcetype=bro_files PE MD5 | dedup md5 | rename md5 as MD5 | fields MD5]
    • sourcetype=bro_files
      • Only “bro_files” data
    • PE MD5
      • Bro logs containing the keywords “PE” and “MD5”
    • dedup md5
      • Remove duplicate hashes
    • rename md5 as MD5
      • Splunk is case-sensitive for field names, so rename the Bro field to what WLS uses
    • fields MD5
      • Only output the MD5 field(s)
  • eval CallingProcess=coalesce(Process,CreatorProcessName)
    • The fields differ slightly in the logs where we might find an MD5 (new process vs. loading DLL); this will return the first non-null of Process and CreatorProcessName
  • eventstats dc(host) as hostCount by MD5
    • Count the distinct number of hosts where this MD5 has been seen
  • dedup MD5
    • Remove duplicate WLS MD5 logs
  • table hostCount, CallingProcess, BaseFileName, CompanyName, InternalName, FileDescription, Signed, FileVersion, ProductVersion, Zone
    • Make a table of the useful fields
  • sort -hostCount
    • Sort by hostCount in decending order

Example output

hostCount CallingProcess BaseFileName CompanyName InternalName FileDescription Signed FileVersion ProductVersion Zone
124 GoogleUpdate 44.0.2403.89_43.0.2357.134_chrome_updater.exe True 0
31 GoogleUpdate GoogleUpdateSetup.exe Google Inc. Google Update Setup Google Update Setup True 1.3.28.1 1.3.28.1 0
1 GoogleUpdate 44.0.2403.89_43.0.2357.134_chrome64_updater.exe True 0
1 chrome gimp-2.8.14-setup-1.exe The GIMP Team GIMP Setup True 2.8.14 2.8.14 3
1 vlc vlc-2.2.1-win32.exe True 0
1 iexplore Silverlight_x64.exe Microsoft Corporation SFXCAB.EXE Self-Extracting Cabinet True 5.1.40620.0 5.5.0031.0 0
1 chrome chromeinstall-8u51.exe Oracle Corporation Setup Launcher Java Platform SE binary True 8.0.510.16 8.0.510.16 3

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.