WLS 3.4 Released!

Leave a reply

New

  • CommandMonitor support for wmic.exe
    • Ability to add other binaries
  • FileMetadata
    • File buffer size
    • File size and time limits for calculating hashes and entropy
  • FileMonitor special folder support which follows the interactive user
  • Heartbeat
    • Configurable interval. Reports DBSize, ConnectionErrors, LogsWLSError, WLSVersion
  • Log filtering
    • Per log route destination
  • LogFormats
    • All formats are now defined by the configuration
    • Custom formats can be added, existing ones changed, etc.
  • LogRouting
    • Simultaneous multi-destination sending of logs with per-server log formatting
  • Performance counters
    • Filtering by condition
  • ShowEntryTypeDescription
  • ShowLogonTypeDescription
    • Defaults to True for legacy compatibility
  • TrackHashes
    • Tracking of hashes to set the NewHash=True flag can be enabled / disabled
      • Tracking hashes takes space in the database and time during database writes

Changes

  • CertMonitor – FullReportInterval for interval based reporting
  • Entropy and hash calculations integrated to reduce file iterations and support timeouts
  • FileData logs the CreatorProcessName and CreatorProcessId
  • FileMetadata searches for non-rooted files iterating through the PATH variables
  • MaxLogLength now simply truncates the log if it is oversize

Fixes

  • Command Monitor – Fixed bug with greater than 16-bit PIDs
  • ConfigurationHash calculation
  • IPv6 parsing when specified as a log destination

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

Advertisement

Windows 7/2008 + RDP8 = Incorrect source network address

Leave a reply

A few months ago I noticed some odd IP addresses in the WLS SessionMonitor logs for a few of our hosts. After confirming that this was not the result of a compromise I began digging further into the issue.

Our networking team had started investigating usage of RDP8 to improve the user experience for remote users, and had installed RDP8 and enabled the RDP8 protocol via policy on their Windows 7 systems. When an RDP connection was made, the Source Network Address was incorrect in Security Event ID 4624 (successful logon events), TerminalServices-RemoteConnectionManager Event ID 1149, and TerminalServices-LocalSessionManager Event ID 25. Usually this was reported as “0.0.0.0”, but sometimes contained random numbers. WLS uses WinStationQueryInformationW to retrieve the source network address for the session and it returned the same information that is reflected in the event logs.

Further testing showed that this only impacted Windows 7/2008 systems with RDP8 installed and enabled. Disabling the RDP8 protocol in the policy forces the connection to fall back to RDP7 which reports the IP address as expected. Changing the RDP transport protocols did not appear to have any effect.

The RDP8 protocol policy is located at:

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Enable Remote Desktop Protocol 8.0

The RDP transport protocols policy is located at:

 Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Select RDP transport protocols

Due to the way RDP was previously implemented, there will not be a fix provided that allows the Source Network Address to be properly reported in event logs, or a way to retrieve it via an API call. Here’s the associated KB for the issue detailed above: https://support.microsoft.com/en-us/kb/3097467

Monitoring downloaded file execution: WLS + Bro + Splunk

Leave a reply

Bro does awesome things with network data. One of those things is performing an analysis of files on the wire, including hashing. WLS does hashing of executed files and loaded DLLs, and tracks each hash that has been seen on the host, setting “NewHash=True” for the first instance.

I wanted to track PE files that have been seen on the wire (downloaded) then executed for the first time with some basic statistics. The resulting Splunk search looks for all Bro file analysis logs of PE files that contain an MD5, matches that with WLS logs containing the same MD5, does a distinct host count, and reports the unique hash data with the distinct host count. If you have Bro monitoring internal and external traffic you’ll also see things such as managed anti-virus updates or patches. The WLS file metadata optionally includes the Zone field, which can come in handy for differentiating the source of the files.

Internet Explorer Zone Number Mapping

Value Setting
0 My Computer
1 Local Intranet Zone
2 Trusted sites Zone
3 Internet Zone
4 Restricted Sites Zone

Here’s the current Splunk search I’m using for alerting:

`wlslogs` NewHash=True [ search sourcetype=bro_files PE MD5 | dedup md5 | rename md5 as MD5 | fields MD5] | eval CallingProcess=coalesce(Process,CreatorProcessName) | eventstats dc(host) as hostCount by MD5 | dedup MD5 | table hostCount, CallingProcess, BaseFileName, CompanyName, InternalName, FileDescription, Signed, FileVersion, ProductVersion, Zone | sort -hostCount

  • `wlslogs`
    • A macro that limits the logs to indexes where WLS data is contained
  • NewHash=True
    • Only logs where NewHash is set to True
  • [ search sourcetype=bro_files PE MD5 | dedup md5 | rename md5 as MD5 | fields MD5]
    • sourcetype=bro_files
      • Only “bro_files” data
    • PE MD5
      • Bro logs containing the keywords “PE” and “MD5”
    • dedup md5
      • Remove duplicate hashes
    • rename md5 as MD5
      • Splunk is case-sensitive for field names, so rename the Bro field to what WLS uses
    • fields MD5
      • Only output the MD5 field(s)
  • eval CallingProcess=coalesce(Process,CreatorProcessName)
    • The fields differ slightly in the logs where we might find an MD5 (new process vs. loading DLL); this will return the first non-null of Process and CreatorProcessName
  • eventstats dc(host) as hostCount by MD5
    • Count the distinct number of hosts where this MD5 has been seen
  • dedup MD5
    • Remove duplicate WLS MD5 logs
  • table hostCount, CallingProcess, BaseFileName, CompanyName, InternalName, FileDescription, Signed, FileVersion, ProductVersion, Zone
    • Make a table of the useful fields
  • sort -hostCount
    • Sort by hostCount in decending order

Example output

hostCount CallingProcess BaseFileName CompanyName InternalName FileDescription Signed FileVersion ProductVersion Zone
124 GoogleUpdate 44.0.2403.89_43.0.2357.134_chrome_updater.exe True 0
31 GoogleUpdate GoogleUpdateSetup.exe Google Inc. Google Update Setup Google Update Setup True 1.3.28.1 1.3.28.1 0
1 GoogleUpdate 44.0.2403.89_43.0.2357.134_chrome64_updater.exe True 0
1 chrome gimp-2.8.14-setup-1.exe The GIMP Team GIMP Setup True 2.8.14 2.8.14 3
1 vlc vlc-2.2.1-win32.exe True 0
1 iexplore Silverlight_x64.exe Microsoft Corporation SFXCAB.EXE Self-Extracting Cabinet True 5.1.40620.0 5.5.0031.0 0
1 chrome chromeinstall-8u51.exe Oracle Corporation Setup Launcher Java Platform SE binary True 8.0.510.16 8.0.510.16 3

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

WLS 3.3 Released

Leave a reply

New

  • Burn folder support for FileMonitor
  • FileData
    • Log file metadata for files found in command line parameters and event logs
  • Fixed (non-removable) disk monitoring
  • Load balancing
  • Network location awareness by joined domain
  • Optional host name set by DNS resolution
  • Optional alternate static host name
  • Monitoring UDF optical media changes
  • Support for non-FIPS hashing algorithms when FIPS mode is enabled
  • Suspended process checking (potential process hollowing)

Changes

  • Command line string handling
  • Database quota handling and maintenance
  • Error reporting
  • Event log extra data parsing
  • Event log XML parser
  • Installer
  • Network adapter reporting
  • New event log provider string resources (dynamic loading)
  • NewHash checking accuracy
  • Optimized syslog string generation
  • SessionMonitor reporting
    • All available session data logged for each session change event
    • Source IP address, optional source name (by resolution)
  • SQLite driver update
  • WMI reporting
    • Array handling
    • Nested WMI object support
    • Result count and index

Fixes

  • Database over quota issues
  • Drive monitor errors for unsupported file systems (HFS+, etc.)
  • Event log subsystem error detection
  • Potential WTS memory leak

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

Adding HFS+ read support to Windows

Leave a reply

Recently I had a coworker request the ability to read an HFS+ formatted drive with Windows. I found a few scattered articles that pointed to Apple’s “Boot Camp Support Software” including an HFS+ driver, and it does.

How to add read only HFS+ support to Windows (64-bit) using Apple’s HFS+ drivers

Download the latest “Boot Camp Support Software”

Search the Apple support site for “boot camp support software”

BootCamp

I used “Boot Camp Support Software 5.1.5640”

Extract BootCamp.msi from \BootCamp\Drivers\Apple\

BootCamp.msi

Opening the msi with Orca revealed two drivers as well as the registry entries required to make them work.

Orca_Component Orca_Registry

Extract the files from BootCamp.msi

(I used 7-Zip)

ExtractFiles

Copy the drivers

Copy AppleHFS.sys and AppleMNT.sys to c:\windows\system32\drivers

Files

Add registry entries

Based on the information from BootCamp.msi I created the following registry entries.

AppleHFS AppleMNT

Copy the text below into a .reg file and execute it to add the required entries.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AppleHFS]
“ErrorControl”=dword:00000001
“Group”=”File System”
“Start”=dword:00000000
“Type”=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AppleMNT]
“ErrorControl”=dword:00000001
“Group”=”System Bus Extender”
“Start”=dword:00000000
“Type”=dword:00000001

Reboot!

WLS 3.2 – new process creation data: ConsoleProcessId, SessionId, WindowStation

Leave a reply

WLS 3.2 introduces a few new pieces of data for process creation events.

ConsoleProcessId

A process can define an associated console process. The value, if provided by the process, is logged.

[host] Security: LogType=”WLS”, BaseFileName=”cmd.exe”, Channel=”Security”, CommandLine=”‘C:\Windows\system32\cmd.exe'”, CompanyName=”Microsoft Corporation”, Computer=”[host].[domain]”, ConsoleProcessId=”0xd08″, CreatorProcessName=”explorer”, EventID=”4688″, EventRecordID=”13010758″, ExecutionProcessID=”4″, ExecutionThreadID=”64″, FileDescription=”Windows Command Processor”, FileVersion=”6.1.7601.17514 (win7sp1_rtm.101119-1850)”, InternalName=”cmd”, Keywords=”0x8020000000000000″, Language=”English (United States)”, Length=”345088″, Level=”0″, MD5=”5746BD7E255DD6A8AFA06F7C42C1BA41″, NewProcessId=”0x1250″, NewProcessName=”C:\Windows\System32\cmd.exe”, Opcode=”0″, ProcessId=”0x15a4″, ProductVersion=”6.1.7601.17514″, ProviderGuid=”{54849625-5478-4994-A5BA-3E3B0328C30D}”, ProviderName=”Microsoft-Windows-Security-Auditing”, SessionId=”2″, SHA1=”0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8″, Signed=”Catalog”, SSDeep=”6144:NVl7yDR2iaGcsVXFBM6IT77aVebJWC1jIdDWCoCX9Sm:jdyDRwpmFq6ITSebJWwjIdDbNS”, SubjectDomainName=”[domain]”, SubjectLogonId=”0x940ee”, SubjectUserName=”[user]”, SubjectUserSid=”[SID]”, Task=”13312″, TokenElevationType=”TokenElevationTypeDefault (1)”, ValidSignatureDate=”False”, Version=”0″, WindowStation=”Winsta0\Default”, Zone=”0″

[host] Security: LogType=”WLS”, BaseFileName=”conhost.exe”, Cached=”True”, Channel=”Security”, CommandLine=”\??\C:\Windows\system32\conhost.exe ‘-1619064235-21228482731568564810739129054211757705058345892-390116831-1302099848#000″, CompanyName=”Microsoft Corporation”, Computer=”[host].[domain]”, CreatorProcessName=”csrss”, EventID=”4688″, EventRecordID=”13010759″, ExecutionProcessID=”4″, ExecutionThreadID=”64″, FileDescription=”Console Window Host”, FileVersion=”6.1.7600.16385 (win7_rtm.090713-1255)”, InternalName=”ConHost”, Keywords=”0x8020000000000000″, Language=”English (United States)”, Length=”338432″, Level=”0″, MD5=”BF95EA5809E3BBF55370F7CB309FEBD0″, NewProcessId=”0xd08″, NewProcessName=”C:\Windows\System32\conhost.exe”, Opcode=”0″, ProcessId=”0x1194″, ProductVersion=”6.1.7600.16385″, ProviderGuid=”{54849625-5478-4994-A5BA-3E3B0328C30D}”, ProviderName=”Microsoft-Windows-Security-Auditing”, SessionId=”2″, SHA1=”1BD846AA22B1D63A1F900F6D08D8BFA8082AE4DB”, Signed=”Catalog”, SSDeep=”6144:MvAVUtrTB1pzQdTOKnJoWafxXyn1U+8kbYzwFH1mbRBlOxm:MaaTpzSLSffxXyp8kb5ElY”, SubjectDomainName=”[domain]”, SubjectLogonId=”0x3e7″, SubjectUserName=”[host]$”, SubjectUserSid=”S-1-5-18″, Task=”13312″, TokenElevationType=”TokenElevationTypeDefault (1)”, ValidSignatureDate=”False”, Version=”0″, WindowStation=”Winsta0\Default”, Zone=”0″

SessionId

Previous versions of WLS provided data in regards to session information which could be correlated with the environmental variable SESSIONNAME, but was a bit awkward when viewing child processes that carry forward these variables even when the session has changed. SessionId is now reported for each process and can positively correlate to the correct session, without worrying about inherited environmental variables.

WindowStation

WindowStation is now reported for each process, providing insight into how the process was executed. WinSta0 can display a user interface and can receive user input. Other window stations are non-interactive, and can be used to enforce security restrictions, such as providing a sandboxed environment.

Chrome, for example, makes use of other window stations:

[host] Security: LogType=”WLS”, BaseFileName=”chrome.exe”, Cached=”True”, Channel=”Security”, CLIENTNAME=”[remote_host]”, CommandLine=”‘C:\Program Files (x86)\Google\Chrome\Application\chrome.exe’ –type=renderer –lang=en-US –force-fieldtrials=’BrowserBlacklist/Enabled/ChromeSuggestions/Most Likely with Kodachrome/EmbeddedSearch/Group6 pct:10f stable:pp2 prefetch_results:1 reuse_instant_search_base_page:1/ExtensionInstallVerification/Enforce/GoogleNow/Enable/OmniboxBundledExperimentV1/StandardR4/Prerender/PrerenderEnabled/PrerenderLocalPredictorSpec/LocalPredictor=Disabled/QUIC/Disabled/SafeBrowsingIncidentReportingService/Default/ShowAppLauncherPromo/ShowPromoUntilDismissed/Test0PercentDefault/group_01/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group6/UMA-Population-Restrict/normal/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_10/UMA-Uniformity-Trial-1-Percent/group_06/UMA-Uniformity-Trial-10-Percent/group_08/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_03/UMA-Uniformity-Trial-5-Percent/group_12/UMA-Uniformity-Trial-50-Percent/group_01/VoiceTrigger/Install/’ –extension-process –renderer-print-preview –device-scale-factor=1 –enable-threaded-compositing –enable-delegated-renderer –channel=’616.4.232552611\176135091′ /prefetch:673131151″, CompanyName=”Google Inc.”, Computer=”[host].[domain]”, CreatorProcessName=”chrome”, EventID=”4688″, EventRecordID=”13010449″, ExecutionProcessID=”4″, ExecutionThreadID=”64″, FileDescription=”Google Chrome”, FileVersion=”37.0.2062.103″, InternalName=”chrome_exe”, Keywords=”0x8020000000000000″, Language=”English (United States)”, Length=”852808″, Level=”0″, MD5=”0706DDBD4EA0D122CA069FF2552E20FD”, NewProcessId=”0x1d84″, NewProcessName=”C:\Program Files (x86)\Google\Chrome\Application\chrome.exe”, Opcode=”0″, ProcessId=”0x268″, ProductVersion=”37.0.2062.103″, ProviderGuid=”{54849625-5478-4994-A5BA-3E3B0328C30D}”, ProviderName=”Microsoft-Windows-Security-Auditing”, SessionId=”2″, SESSIONNAME=”RDP-Tcp#0″, SHA1=”627A52C64711BE8132E1D32FD482178E7422CF4F”, Signed=”True”, SSDeep=”12288:59obX26I5VZVX5LTqLEOtPf5R/38i//lIaJJ7XtvKiI245OtCYQpl/ARG4KHFBnk:59GLtXtTRolaKlBnk”, SubjectDomainName=”[domain]”, SubjectLogonId=”0x940ee”, SubjectUserName=”[user]”, SubjectUserSid=”[SID]”, Task=”13312″, TokenElevationType=”TokenElevationTypeDefault (1)”, ValidSignatureDate=”True”, Version=”0″, WindowStation=”Service-0x0-940ee$\sbox_alternate_desktop_0x268″, Zone=”0″

MSDN – Window Stations

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

WLS 3.2 Released

Leave a reply

Performance

  • Replaced WMI calls with native API calls where applicable
  • Faster database maintenance procedures

Features

  • CPU utilization tracking and reporting
  • New process metadata
    • ConsoleProcessId
    • SessionId
    • WindowStation

Fixes

  • Disconnected client resource utilization
  • Additional handling of SEHExceptions
  • Errors for EventRecordIDs > int32.Max

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

WLS 3.1 Released

Leave a reply

Performance

  • Over 10x increase in internal throughput
  • Reduced internal latency
  • Improved read/write concurrency
  • Reduced I/O writes

Features

  • Advanced log filtering
  • Detailed statistic logs of log filter matches
  • Certificate monitoring enhanced – all stores now available
  • Configuration hashing – ensure hosts are running the correct configuration
  • Enhanced CommandMonitor – Faster memory searches, includes process name, support for cmd, powershell, and more!
  • Detailed network interface logs on start-up and network change
  • Display names for coded values
  • ETL monitoring for Event Logs and files
  • Per server bandwidth and maximum log length settings
  • Full SSL connection details logged on first connection
  • Input rate limiting – prevent unexpected log floods
  • PrivateMBLimit – prevent WLS from consuming resources on a troubled system
  • SSDeep hashing
  • SessionMonitor – now includes all remote session details for RemoteConnect
  • User SID resolution to user name when present in log
  • Versioning changed – Major.Minor.[Year][DayOfYear].[MinuteOfDay]
  • Registry and file locations now restricted to Local System and Administrators

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.