
WLS – Windows Boot Configuration Log (WBCL) / TCG

Building on the existing reporting of the TPM status and certificates, WLS now has the ability to report the Windows Boot Configuration Log, also known as the Trusted Computing Group (TCG) measured boot logs. This is the same information used to perform Device Health Attestation (DHA) and that is logged at %windir%\Logs\MeasuredBoot\.

WLS reads this information directly via the API and reports it in the order provided by the OS. Known values are decoded where applicable; others are reported in hexadecimal, up to a user-specified byte count, for later analysis. By default, reporting is enabled for the Current Static Root of Trust for Measurement (SRTM) log; the Boot, Current, or Resume log of either the SRTM or the Dynamic Root of Trust for Measurement (DRTM) can also be selected. These can be logged at startup and at a chosen interval to track variations over time.

A Splunk dashboard has been created to analyze and decode these logs for comparison across all systems. This includes Early Launch Anti-Malware (ELAM), BitLocker state and status changes, virtualization-based security (VBS), loaded modules, Extensible Firmware Interface (EFI) actions, and more. Known Platform Configuration Registers (PCRs) and common acronyms related to the WBCL can optionally be displayed for reference; the System Integrity Platform Attestation (SIPA) definition was surprisingly hard to find.

Rare loaded modules can help locate systems with a non-standard configuration and potentially malware.

EFI actions may show configuration issues and other important information.

The raw events are shown in order, with decoding for well-known items and hexadecimal-to-ASCII decoding to show readable data where possible. This lets you trace one or more systems through the boot process to analyze loaded modules, signing certificates, hypervisor policies, BitLocker unlock status, and other settings.

This is just one of the new features coming with the WLS 3.7 update; others include shortcut/LNK parsing and reporting for new process events and command line parameters, loaded file system filters (fltmc), HTTP(S) log destinations, and Portable Executable (PE) directory names and values (debug, export, import, etc.).


For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.


WLS – Remote Configuration

WLS 3.7 introduces the ability to read settings from a remote location, optionally based on host attributes. This provides a dynamic way to update settings on hosts without using GPO, and the ability to deploy WLS without a base configuration file (initial.xml), separating the deployment and configuration for easier management in complex environments.

Remote Location

The remote location can be a file share or a web site. If a file share is used, it is recommended that it have proper ACLs applied, be specified by FQDN, and have DNSSEC enabled. If a web site is used, HTTPS is recommended and must have a valid certificate.

The rules.xml and any qualifying XML settings files are read and cached on the host. At the specified Interval, WLS will check for changes based on the specified UpdateCheckType. File share paths default to checking the Last Modified Date metadata. Web site paths default to checking the Last Modified Date and ETag metadata returned from a HEAD request. UpdateCheckType can be configured to require a full content comparison at each interval. If the metadata has changed a full content comparison is done and settings are only applied if the content has changed.

If the system is unable to reach the remote configuration path, the cached rules.xml is evaluated and the qualifying cached XML settings files are used, since the original paths are cached as well.

Rules

The rules.xml must be located at the root of the remote location. Each rule specifies one or more conditions and a URL to read settings from for hosts that match all conditions. The URL can be relative to the remote location or an absolute path to another location. URLs evaluated from the rules.xml can contain XML settings files by any name. A rule can be set to stop processing further rules by setting continue to false.

Conditions

A condition can either be a “host” or “wmi” condition. A host condition can be the hostname, OU, DN, or any environmental variable for the “Local System” user. A WMI condition can use any WMI namespace and class available to “Local System”.

Each condition can specify one or more fields. Each field can specify zero or more values. Each value can be an exact match, wildcard (*, #, ?), or regular expression. For fields where more than one value may be returned, each value is compared against the values specified. If no value is specified all values will be used when evaluating tokens.

Tokens are optional and can be specified for one or more fields. The token can then be used as part of the URL to dynamically change the location or file name of the XML settings file to be read if all conditions are met.

Example rules.xml

The example below shows reading settings for a Dell computer in an OU named “Windows 10”. The URL is relative and based on the tokens from the conditions.

<WLS>
  <rules>
    <rule name="Dell in Win10 OU">
      <!--Just an example. URL is a relative path to RemoteConfigurationURL-->
      <host>
        <!--Example condition comment-->
        <fields>
          <field>
            <!--Example field comment-->
            <name>OU</name>
            <!--Example value comment-->
            <value>Windows 10</value>
            <token>ou</token>
          </field>
        </fields>
      </host>
      <wmi>
        <namespace>root\cimv2</namespace>
        <class>Win32_ComputerSystem</class>
        <!--Second condition comment-->
        <fields>
          <field>
            <!--wmi field comment-->
            <name>Manufacturer</name>
            <value>Dell*</value>
            <token>mfr</token>
          </field>
        </fields>
      </wmi>
      <url>$ou$\$mfr$\settings.xml</url>
    </rule>
  </rules>
</WLS>

This example shows reading settings for any manufacturer in the “Windows 10” OU. No value needs to be specified if all values for a field will be used. Failed attempted paths will be logged based on the LogMissingFiles setting.

<WLS>
  <rules>
    <rule name="Dell in Win10 OU">
      <!--Just an example. URL is a relative path to RemoteConfigurationURL-->
      <host>
        <!--Example condition comment-->
        <fields>
          <field>
            <!--Example field comment-->
            <name>OU</name>
            <!--Example value comment-->
            <value>Windows 10</value>
            <token>ou</token>
          </field>
        </fields>
      </host>
      <wmi>
        <namespace>root\cimv2</namespace>
        <class>Win32_ComputerSystem</class>
        <!--Second condition comment-->
        <fields>
          <field>
            <!--wmi field comment-->
            <name>Manufacturer</name>
            <token>mfr</token>
          </field>
        </fields>
      </wmi>
      <url>$ou$\$mfr$\settings.xml</url>
    </rule>
  </rules>
</WLS>
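To make the matching rules concrete, here is an added Python model of how a rules.xml like the two above could be evaluated against a host's attributes; it is example code, not WLS's own implementation. It assumes continue="false" is an attribute on <rule>, that a value written as /.../ is a regular expression, that # matches one digit, and that matching is case-insensitive; the host attributes are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rules.xml in the format shown above: the Dell rule first (with continue="false",
# an assumed attribute placement), then the any-manufacturer rule. Comments are omitted.
RULES_XML = r"""<WLS>
  <rules>
    <rule name="Dell in Win10 OU" continue="false">
      <host>
        <fields><field><name>OU</name><value>Windows 10</value><token>ou</token></field></fields>
      </host>
      <wmi>
        <namespace>root\cimv2</namespace>
        <class>Win32_ComputerSystem</class>
        <fields><field><name>Manufacturer</name><value>Dell*</value><token>mfr</token></field></fields>
      </wmi>
      <url>$ou$\$mfr$\settings.xml</url>
    </rule>
    <rule name="Any manufacturer in Win10 OU">
      <host>
        <fields><field><name>OU</name><value>Windows 10</value><token>ou</token></field></fields>
      </host>
      <wmi>
        <namespace>root\cimv2</namespace>
        <class>Win32_ComputerSystem</class>
        <fields><field><name>Manufacturer</name><token>mfr</token></field></fields>
      </wmi>
      <url>$ou$\$mfr$\settings.xml</url>
    </rule>
  </rules>
</WLS>"""

# Constructed host attributes as WLS would gather them under Local System.
DELL_HOST = {"host": {"hostname": "WS-0101", "OU": "Windows 10"},
             "wmi": {(r"root\cimv2", "win32_computersystem"): {"Manufacturer": "Dell Inc."}}}
HP_HOST = {"host": {"hostname": "WS-0202", "OU": "Windows 10"},
           "wmi": {(r"root\cimv2", "win32_computersystem"): {"Manufacturer": "HP"}}}


def value_matches(pattern, actual):
    """Exact, wildcard (*, #, ?) or regex match, case-insensitive as on Windows.
    Assumptions (the page does not say how WLS tells them apart): a value written
    as /.../ is a regular expression, and # matches a single digit."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], actual, re.IGNORECASE) is not None
    if any(c in pattern for c in "*?#"):
        rx = "".join({"*": ".*", "?": ".", "#": "[0-9]"}.get(c, re.escape(c)) for c in pattern)
        return re.fullmatch(rx, actual, re.IGNORECASE) is not None
    return pattern.lower() == actual.lower()


def match_field(field, actual_values):
    """Return the attribute value satisfying this <field>, or None. With no <value>
    elements every value qualifies, so the first one fills the token."""
    patterns = [v.text or "" for v in field.findall("value")]
    for actual in actual_values:
        if not patterns or any(value_matches(p, actual) for p in patterns):
            return actual
    return None


def match_condition(cond, attrs):
    """Evaluate one <host> or <wmi> condition; returns the tokens it binds, or None."""
    if cond.tag == "host":
        source = attrs["host"]
    else:
        key = (cond.findtext("namespace", "").lower(), cond.findtext("class", "").lower())
        source = attrs["wmi"].get(key, {})
    tokens = {}
    for field in cond.find("fields").findall("field"):
        values = source.get(field.findtext("name"), [])
        hit = match_field(field, [values] if isinstance(values, str) else values)
        if hit is None:
            return None
        if field.findtext("token"):
            tokens[field.findtext("token")] = hit
    return tokens


def resolve_settings_urls(rules_xml, attrs):
    """Walk the rules in order and return the settings URLs of every rule whose conditions
    all match, with $token$ placeholders substituted; stop after a continue="false" rule."""
    urls = []
    for rule in ET.fromstring(rules_xml).find("rules").findall("rule"):
        tokens = {}
        for cond in rule.findall("host") + rule.findall("wmi"):
            bound = match_condition(cond, attrs)
            if bound is None:
                break
            tokens.update(bound)
        else:
            url = rule.findtext("url")
            for name, value in tokens.items():
                url = url.replace(f"${name}$", value)
            urls.append(url)
            if rule.get("continue", "true").lower() == "false":
                break
    return urls
```

Without continue="false" on the first rule the Dell host would read both settings files in order, which is how overlaying of settings described below comes about.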

Settings

A settings.xml may be located at the root of the remote location. If present it will be applied to all hosts. XML settings file content is the same format as the initial.xml and the WLS Configuration Editor should be used to generate them. Settings files are processed in the order they appear in the rules.xml. Settings are overlaid such that the last setting will overwrite a previous setting.

XML Integrity and Verification

XML files should be digitally signed so that any change to their content is detected. Signing with a certificate ensures both content integrity and that the file was signed by a trusted entity. The tooling to sign and verify is included with the Remote Configuration Rule Editor and the Configuration Editor.

Signing

From either tool, choose File->Sign XML. A prompt asks whether you have a certificate: choosing Yes lists the available certificates or lets you choose one from disk, and asks for the PIN/password if needed; choosing No uses a system-generated certificate. Each tool can also be given a default certificate to avoid the prompt.

A signature made with a system-generated certificate verifies the content only. A signature made with a user-specified certificate verifies the content and that the signer is trusted by the host. After signing, a verification is performed and the results are displayed to the user.

A signature block will be added to the end of the XML file. Any previous signature will be removed.

System generated certificate

<WLS>
  <rules>
  ...
  </rules>
<RSAKeyValue><Modulus>...</Modulus><Exponent>...</Exponent></RSAKeyValue><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>...</DigestValue></Reference></SignedInfo><SignatureValue>...</SignatureValue></Signature></WLS>

User certificate

<WLS>
  <rules>
  ...
  </rules>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>...</DigestValue></Reference></SignedInfo><SignatureValue>...</SignatureValue><KeyInfo><X509Data><X509Certificate>...</X509Certificate></X509Data></KeyInfo></Signature></WLS>

Remote Configuration at Installation

WLS can be deployed without an initial.xml by specifying a RemoteURL as a command line parameter to msiexec.exe. The rules.xml must be signed when specified at installation.

Examples:

msiexec.exe /i setup.msi /qn RemoteURL="\\server\WLS"
msiexec.exe /i setup.msi /qn RemoteURL="https://server/WLS"

A minimal initial.xml that specifies the RemoteConfiguration URL may also be used.

<WLS>
  <Config>
    <RemoteConfiguration>
      <URL>https://server/WLS</URL>
    </RemoteConfiguration>
  </Config>
</WLS>

Tooling

The Remote Configuration Rule Editor is provided to help with creating the rules.xml file. XML is the native format used and it can be edited without the use of the editor. If the file is signed, editing the file will invalidate the signature until it is resigned for the new content. Rule names and any comments are for user reference only and are not used by WLS.

Rules are added and removed using the appropriate buttons. Rules can be reordered by dragging and dropping.

Where possible the editor will show available field names, values, WMI namespaces, and WMI classes. Field names, namespaces, and classes are free-form text fields and can specify values not available on the local system that may be available on other systems.

[Screenshots: available “host” fields; available WMI classes; available WMI fields for the selected namespace and class]

Logs and Dashboard

All relevant Remote Configuration activity is logged and a Splunk dashboard is provided in the WLS App for Splunk.



Event logs with control characters

A WLS user contacted me and was having issues parsing a date from a data field in EventID 6008 (unexpected shutdown). Taking a look at my logs, everything looked fine, even in a viewer like Notepad++ with View->Show Symbol->Show All Characters. Since I use Splunk, on the record in question I selected Event Actions->Show Source, and it looked fine there too. Next I did a right-click and Inspect on the web page, and there it was: “&lrm;”, aka U+200E, aka E2 80 8E in UTF-8, aka the “Left-To-Right Mark”.


Saving the event text to a file and opening it with a hex editor also shows the character in question (e2 80 8e).

Indeed these control characters are included in at least 8 other events and all appear to be in date fields.

In Splunk you can use rex/sed or replace to remove control characters before attempting a strptime or other function.

`wlslogs` EventID=6008 | rex field=Data1 mode=sed "s/\p{C}//g" | eval NewDate=strptime(Data1,"%m/%d/%Y")

or

`wlslogs` EventID=6008 | eval NewDate=strptime(replace(Data1,"\p{C}",""),"%m/%d/%Y")

Finding vulnerable OpenSSL DLLs (Heartbleed) with WLS and Splunk

If you are running WLS with ModuleMonitor enabled, you already have logs of all loaded DLLs.

Simply run the following search:

WLS_ModuleMonitor "openssl" FileVersion="1.0.1*" NOT FileVersion="1.0.1g"

Results will look similar to:

2014-04-24T11:28:38-05:00 [host] WLS_ModuleMonitor: LogType="WindowsEventLog", BaseFileName="ssleay32.dll", ChangeType="Added", CompanyName="The OpenSSL Project, http://www.openssl.org/", FileDescription="OpenSSL Shared Library", FileName="C:\Program Files\MakerBot\MakerWare\ssleay32.dll", FileVersion="1.0.1e", InternalName="ssleay32", Language="English (United States)", Length="343040", MD5="A49B52FB216AD1524C902A41A433A1E1", Process="makerware", ProductVersion="1.0.1e", SHA1="F21CBCC5F291C1D841581FDBBBF854B315D71248", WLSKey="35505", Zone="0"



USB Device Tracking with WLS and Splunk

WLS provides the option to monitor plug and play devices. When enabled, a log will be generated for each state change containing the current state and detailed device information.

Enabling Device Monitoring

If WLS is already installed, device monitoring can be enabled by changing the registry value at HKLM\Software\KCP\WLS\Config\DeviceMonitor\Enabled from 0 to 1.


If WLS hasn’t been installed, adding (or changing) the DeviceMonitor section and setting Enabled to 1 in the initial.xml will enable this feature when WLS is installed.

<WLS>
 <Config>
  <DeviceMonitor>
   <Enabled>1</Enabled>
  </DeviceMonitor>
 </Config>
</WLS>

Reading the logs

Once device monitoring is enabled, when a device state changes, entries like the following will appear in your logs. Each entry should include at least one key/value pair that contains a product id (PID), a vendor id (VID), and a serial number as well as another key/value pair that contains the Class, SubClass, and Protocol.

Device added

Sep 18 15:15:46 [host] WLS_DeviceMonitor: LogType="WindowsEventLog", Caption="USB Mass Storage Device", ChangeType="Added", ClassGuid="{36fc9e60-c465-11cf-8056-444553540000}", CompatibleID="USB\Class_08&SubClass_06&Prot_50", CompatibleID1="USB\Class_08&SubClass_06", CompatibleID2="USB\Class_08", ConfigManagerErrorCode="0", ConfigManagerUserConfig="False", CreationClassName="Win32_PnPEntity", Description="USB Mass Storage Device", DeviceID="USB\VID_1043&PID_8012604261021070038", HardwareID="USB\VID_1043&PID_8012&REV_0100", HardwareID1="USB\VID_1043&PID_8012", Manufacturer="Compatible USB storage device", Name="USB Mass Storage Device", PNPDeviceID="USB\VID_1043&PID_8012604261021070038", Service="USBSTOR", Status="OK", SystemCreationClassName="Win32_ComputerSystem", SystemName="[host]", TIME_CREATED="130240089461584098", WLSKey="23559"

Device removed

Sep 18 15:16:01 [host] WLS_DeviceMonitor: LogType="WindowsEventLog", Caption="USB Mass Storage Device", ChangeType="Removed", ClassGuid="{36fc9e60-c465-11cf-8056-444553540000}", CompatibleID="USB\Class_08&SubClass_06&Prot_50", CompatibleID1="USB\Class_08&SubClass_06", CompatibleID2="USB\Class_08", ConfigManagerErrorCode="0", ConfigManagerUserConfig="False", CreationClassName="Win32_PnPEntity", Description="USB Mass Storage Device", DeviceID="USB\VID_1043&PID_8012604261021070038", HardwareID="USB\VID_1043&PID_8012&REV_0100", HardwareID1="USB\VID_1043&PID_8012", Manufacturer="Compatible USB storage device", Name="USB Mass Storage Device", PNPDeviceID="USB\VID_1043&PID_8012604261021070038", Service="USBSTOR", Status="OK", SystemCreationClassName="Win32_ComputerSystem", SystemName="[host]", TIME_CREATED="130240089617443014", WLSKey="23569"

Device error

If the device fails to load properly, the Status field will be set to Error instead of OK.

Sep 18 15:15:45 [host] WLS_DeviceMonitor: LogType="WindowsEventLog", Caption="USB Mass Storage Device", ChangeType="Added", ClassGuid="{36fc9e60-c465-11cf-8056-444553540000}", CompatibleID="USB\Class_08&SubClass_06&Prot_50", CompatibleID1="USB\Class_08&SubClass_06", CompatibleID2="USB\Class_08", ConfigManagerErrorCode="0", ConfigManagerUserConfig="False", CreationClassName="Win32_PnPEntity", Description="USB Mass Storage Device", DeviceID="USB\VID_1043&PID_8012604261021070038", HardwareID="USB\VID_1043&PID_8012&REV_0100", HardwareID1="USB\VID_1043&PID_8012", Manufacturer="Compatible USB storage device", Name="USB Mass Storage Device", PNPDeviceID="USB\VID_1043&PID_8012604261021070038", Service="USBSTOR", Status="Error", SystemCreationClassName="Win32_ComputerSystem", SystemName="[host]", TIME_CREATED="130240089461584098", WLSKey="23558"

Add more data!

Splunk is great for combining data from multiple sources, and in this case, data will be added to decode VID, PID, Class, SubClass, and Protocol.

The best place (I’m aware of) to get VID and PID information is http://www.linux-usb.org/usb-ids.html. Download the usb.ids file, work some spreadsheet magic, and you have a nice csv file for a Splunk lookup table.

Getting the Class, SubClass, and Protocol information isn’t quite as straightforward; I started here: http://www.usb.org/developers/defined_class and generated a csv file for another Splunk lookup table. Luckily these don’t change as often as VID and PID information.

Add these csv files to Splunk by going to “Lookups” in the Splunk Manager page, then choosing “Add new” on the “Lookup table files” line.

Both lookup tables are available to download at the end of this post.

Extracting lookup data

Now that lookup tables exist, the information to lookup needs to be extracted from the source logs. I created two macros, one to extract and lookup the hardware manufacturer and model, another to extract and lookup the class, subclass, and protocol. Both macros split a single field into parts, and lookup the individual parts. I assumed that a new PID may exist for an existing VID, and that the new PID may not be in the lookup table; so a double lookup is performed and the first non-null value is returned.

Extract and lookup VID and PID

eval DeviceModelData=split(HardwareID,"\\")
| eval USBModelData=split(mvindex(DeviceModelData,1),"&")
| eval USBMfr=mvindex(USBModelData,0) | eval USBModel=mvindex(USBModelData,1)
| eval USBInterfaces=mvindex(USBModelData,2)
| lookup USBIDS Mfr as USBMfr Model as USBModel OUTPUT MfrName as USBMfrName ModelName as USBModelName
| lookup USBIDS Mfr as USBMfr OUTPUT MfrName as USBMfrName1
| eval USBMfrName=mvindex(coalesce(USBMfrName,USBMfrName1),0)
| eval USBMfrName=coalesce(USBMfrName,USBMfr)
| eval USBModelName=coalesce(USBModelName,USBModel)

Extract and lookup Class, SubClass, and Protocol

eval DeviceData=split(CompatibleID,"\\")
| eval USBData=split(mvindex(DeviceData,1),"&")
| eval USBClass=mvindex(split(mvindex(USBData,0),"_"),1)
| strcat "Class_" USBClass USBClass
| eval USBSubClass=mvindex(USBData,1)
| eval USBProtocol=mvindex(USBData,2)
| lookup USBSpec Class as USBClass SubClass as USBSubClass Protocol as USBProtocol OUTPUT ProtocolDescription as ProtocolDescription2
| lookup USBSpec Class as USBClass SubClass as USBSubClass OUTPUT SubClassDescription as SubClassDescription1,ProtocolDescription as ProtocolDescription1
| lookup USBSpec Class as USBClass OUTPUT ClassDescription,SubClassDescription,ProtocolDescription
| eval ClassDescription=mvindex(ClassDescription,0)
| eval SubClassDescription=mvindex(coalesce(SubClassDescription1,SubClassDescription),0)
| eval ProtocolDescription=coalesce(ProtocolDescription2,ProtocolDescription1,ProtocolDescription)
| strcat ClassDescription " " SubClassDescription " " ProtocolDescription FullUSBDescription
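As an added example (not the post's own code), here is the same extraction and decreasing-specificity fallback in Python, run over a constructed WLS_DeviceMonitor line with small constructed USBIDS and USBSpec tables. The vendor and model names in the tables are placeholders; the class, subclass and protocol codes are the USB-defined ones, and the serial in the DeviceID is made up.

```python
import re

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed WLS_DeviceMonitor event, shortened from the one shown above (serial is made up).
SAMPLE_EVENT = (
    'Sep 18 15:15:46 ws01 WLS_DeviceMonitor: LogType="WindowsEventLog", ChangeType="Added", '
    'CompatibleID="USB\\Class_08&SubClass_06&Prot_50", '
    'DeviceID="USB\\VID_1043&PID_8012\\604261021070038", '
    'HardwareID="USB\\VID_1043&PID_8012&REV_0100", Status="OK"'
)

# Constructed rows in the shape of the USBIDS lookup table (names are placeholders).
USBIDS = [
    {"Mfr": "VID_1043", "Model": "PID_8012", "MfrName": "Constructed Vendor Co.", "ModelName": "Constructed Flash Disk"},
    {"Mfr": "VID_1043", "Model": "PID_80A1", "MfrName": "Constructed Vendor Co.", "ModelName": "Constructed Card Reader"},
]

# Constructed rows in the shape of the USBSpec lookup table; codes follow the USB defined class codes.
USBSPEC = [
    {"Class": "Class_08", "SubClass": "SubClass_06", "Protocol": "Prot_50",
     "ClassDescription": "Mass Storage", "SubClassDescription": "SCSI transparent command set",
     "ProtocolDescription": "Bulk-Only Transport"},
    {"Class": "Class_08", "SubClass": "SubClass_06", "Protocol": "Prot_62",
     "ClassDescription": "Mass Storage", "SubClassDescription": "SCSI transparent command set",
     "ProtocolDescription": "USB Attached SCSI"},
    {"Class": "Class_03", "SubClass": "SubClass_01", "Protocol": "Prot_02",
     "ClassDescription": "Human Interface Device", "SubClassDescription": "Boot Interface",
     "ProtocolDescription": "Mouse"},
]


def parse_wls_event(line):
    """Turn a WLS key="value", key="value" line into a dict (the syslog prefix is ignored)."""
    return dict(KV_RE.findall(line))


def _first(rows, **keys):
    """First lookup row whose columns equal all given key/value pairs, or None."""
    return next((r for r in rows if all(r.get(k) == v for k, v in keys.items())), None)


def decode_hardware_id(hardware_id, usbids=USBIDS):
    """Same steps as the VID/PID macro: split HardwareID, look up VID+PID, then VID only,
    and finally fall back to the raw token so the undecoded value is still shown."""
    parts = hardware_id.split("\\")[1].split("&")
    mfr, model = parts[0], parts[1]
    full = _first(usbids, Mfr=mfr, Model=model)
    vendor = _first(usbids, Mfr=mfr)
    return {
        "USBMfr": mfr,
        "USBModel": model,
        "USBMfrName": (full or vendor or {}).get("MfrName", mfr),
        "USBModelName": full["ModelName"] if full else model,
    }


def decode_compatible_id(compatible_id, usbspec=USBSPEC):
    """Same steps as the Class/SubClass/Protocol macro: three lookups of decreasing
    specificity, each level falling back to its raw token when the table has no match."""
    parts = compatible_id.split("\\")[1].split("&")
    cls = "Class_" + parts[0].split("_")[1]          # "Class_08" (the strcat step)
    sub = parts[1] if len(parts) > 1 else None       # "SubClass_06"
    proto = parts[2] if len(parts) > 2 else None     # "Prot_50"
    by_class = _first(usbspec, Class=cls)
    by_sub = _first(usbspec, Class=cls, SubClass=sub) if sub else None
    by_proto = _first(usbspec, Class=cls, SubClass=sub, Protocol=proto) if proto else None
    desc = {
        "ClassDescription": by_class["ClassDescription"] if by_class else cls,
        "SubClassDescription": by_sub["SubClassDescription"] if by_sub else sub,
        "ProtocolDescription": by_proto["ProtocolDescription"] if by_proto else proto,
    }
    desc["FullUSBDescription"] = " ".join(v for v in desc.values() if v)
    return desc


def summarize_device_event(line):
    """Parse one WLS_DeviceMonitor line and attach the decoded vendor, model, class and serial."""
    ev = parse_wls_event(line)
    out = {"ChangeType": ev.get("ChangeType"), "Status": ev.get("Status")}
    dev_parts = ev.get("DeviceID", "").split("\\")
    out["Serial"] = dev_parts[2] if len(dev_parts) > 2 else None   # USB\VID_xxxx&PID_xxxx\<serial>
    out.update(decode_hardware_id(ev["HardwareID"]))
    out.update(decode_compatible_id(ev["CompatibleID"]))
    return out


if __name__ == "__main__":
    for key, value in summarize_device_event(SAMPLE_EVENT).items():
        print(f"{key}={value}")
```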

Combined Result

With all the information combined, it’s time to make a dashboard. I created one that displays each class in its own titled section for readability. If the lookups are able to decode the VID, PID, SubClass, and Protocol, the decoded value is shown; otherwise the original undecoded value is shown.


When deployed enterprise-wide, logs now exist to uniquely track any plug and play hardware across all systems and users. The PID, VID, and serial number can be used to identify new and potentially unwanted devices. Combined with a process to issue hardware from a central location, the issuer can register the device and the end user. This reduces the noise and false positive alerts, and provides user accountability for a specific device. A word of caution: I have seen serial numbers reused, en masse.

Here are the lookup tables I’m currently using, they may be out of date. They are renamed to .xls files so WordPress would let me upload them; rename to .csv after downloading.

USBIDS
USBSpec

Have other ideas for using the data WLS provides, or data you’d like to have logged? Let me know in the comments below or via the contact form.


Monitoring Windows security products

I came across the WMI namespaces ROOT\SecurityCenter (XP) and ROOT\SecurityCenter2 (Vista+) while doing some research. These namespaces provide the product and state for AntiVirus, AntiSpyware (SecurityCenter2 only), and Firewall as recognized by Windows.

Since WLS provides a generic interface for WMI logging, I created the entries and updated the configuration. I have both XP and Windows 7 systems and each has its own namespace, so I’ll need two AntiVirus and Firewall entries, but only one AntiSpyware, and I’d like the information reported every 24 hours. The update to the configuration looks like this:

<WLS>
  <Config>
    <WMI>
      <AntiSpyware2>
        <Enabled>1</Enabled>
        <Class>AntiSpywareProduct</Class>
        <Interval>86400</Interval>
        <Namespace>ROOT\SecurityCenter2</Namespace>
      </AntiSpyware2>
      <AntiVirus>
        <Enabled>1</Enabled>
        <Class>AntiVirusProduct</Class>
        <Interval>86400</Interval>
        <Namespace>ROOT\SecurityCenter</Namespace>
      </AntiVirus>
      <AntiVirus2>
        <Enabled>1</Enabled>
        <Class>AntiVirusProduct</Class>
        <Interval>86400</Interval>
        <Namespace>ROOT\SecurityCenter2</Namespace>
      </AntiVirus2>
      <Firewall>
        <Enabled>1</Enabled>
        <Class>FirewallProduct</Class>
        <Interval>86400</Interval>
        <Namespace>ROOT\SecurityCenter</Namespace>
      </Firewall>
      <Firewall2>
        <Enabled>1</Enabled>
        <Class>FirewallProduct</Class>
        <Interval>86400</Interval>
        <Namespace>ROOT\SecurityCenter2</Namespace>
      </Firewall2>
    </WMI>
  </Config>
</WLS>

The ROOT\SecurityCenter namespace may be invalid on Vista+, and the ROOT\SecurityCenter2 namespace is invalid on XP; WLS will report the error once at startup and disable the offending WMI entry.

The logs generated after applying the configuration look like this:

2013-09-04T16:15:50-05:00 [host] WLS_WMI: LogType="WindowsEventLog", GroupID="8", MonitorName="AntiSpyware2", WLSKey="3635", displayName="Symantec Endpoint Protection", instanceGuid="{D8BEB080-B73A-17E3-1B37-B6B462689202}", pathToSignedProductExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\WSCSavNotifier.exe", pathToSignedReportingExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe", productState="462848"

2013-09-04T16:08:31-05:00 [host] WLS_WMI: LogType="WindowsEventLog", GroupID="2", MonitorName="AntiVirus", WLSKey="2", companyName="Symantec Corporation", displayName="Symantec Endpoint Protection", instanceGuid="{FB06448E-52B8-493A-90F3-E43226D3305C}", onAccessScanningEnabled="True", productUptoDate="True", versionNumber="11.0.7200.155"

2013-09-04T16:15:50-05:00 [host] WLS_WMI: LogType="WindowsEventLog", GroupID="10", MonitorName="AntiVirus2", WLSKey="3636", displayName="Symantec Endpoint Protection", instanceGuid="{63DF5164-9100-186D-2187-8DC619EFD8BF}", pathToSignedProductExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\WSCSavNotifier.exe", pathToSignedReportingExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe", productState="462848"

2013-09-04T16:08:32-05:00 [host] WLS_WMI: LogType="WindowsEventLog", GroupID="5", MonitorName="Firewall", WLSKey="5", companyName="Symantec Corporation.", displayName="Symantec Endpoint Protection", enabled="True", instanceGuid="{BE898FE3-CD0B-4014-85A9-03DB9923DDB6}", versionNumber="10.0"

2013-09-04T16:15:50-05:00 [host] WLS_WMI: LogType="WindowsEventLog", GroupID="13", MonitorName="Firewall2", WLSKey="3638", displayName="Symantec Endpoint Protection", instanceGuid="{5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}", pathToSignedProductExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe", pathToSignedReportingExe="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe", productState="266256"

The information from ROOT\SecurityCenter has fields defined such as “displayName”, “enabled”, “productUptoDate”, and “onAccessScanningEnabled”, whereas ROOT\SecurityCenter2 gives us only “displayName” and “productState”. The productState is returned as the decimal representation of a hex value which contains the information we need, just encoded.

A bit more research turned up some helpful posts, notably http://neophob.com/2010/03/wmi-query-windows-securitycenter2/, which led to the creation of a `decodeProductState` macro. The macro converts the productState to hex, trims the leading “0x”, and adds a leading 0 to pad the result to 6 digits. Each pair of digits represents a state, so I split them that way for ease of reuse. Then specific values are checked for enabled and productUptoDate and assigned to enabled2 and productUptoDate2. Since there will be mixed results from ROOT\SecurityCenter and ROOT\SecurityCenter2, coalesce is used to keep the first non-null value of enabled or enabled2, and of productUptoDate or productUptoDate2, assigning the result back to enabled and productUptoDate.

eval productStateHex="0".substr(tostring(productState,"hex"),3)
| eval productStateHex1=substr(productStateHex,0,2)
| eval productStateHex2=substr(productStateHex,3,2)
| eval productStateHex3=substr(productStateHex,5,2)
| eval enabled2=if(substr(productStateHex2,1,1)="1","True","False")
| eval productUptoDate2=if(productStateHex3="00","True","False")
| eval enabled=coalesce(enabled,enabled2)
| eval productUptoDate=coalesce(productUptoDate,productUptoDate2)
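The decodeProductState steps above carried out in Python, as an added example that is not from the post; the WLS_WMI lines it parses are constructed and shortened, and treating onAccessScanningEnabled as the XP antivirus "enabled" flag is this example's own assumption. It also shows the kind of fleet check the post mentions, listing hosts whose antivirus reports outdated definitions.

```python
import re

KV_RE = re.compile(r'(\w+)="([^"]*)"')
LINE_RE = re.compile(r'^\S+\s+(?P<host>\S+)\s+WLS_WMI:\s+(?P<body>.*)$')

# Constructed WLS_WMI events, shortened from the ones shown above; hosts and states are made up.
SAMPLE_EVENTS = [
    '2013-09-04T16:15:50-05:00 ws01 WLS_WMI: LogType="WindowsEventLog", MonitorName="AntiVirus2", '
    'displayName="Example AV", productState="462848"',
    '2013-09-04T16:15:50-05:00 ws01 WLS_WMI: LogType="WindowsEventLog", MonitorName="Firewall2", '
    'displayName="Example Firewall", productState="266256"',
    '2013-09-04T16:15:51-05:00 ws02 WLS_WMI: LogType="WindowsEventLog", MonitorName="AntiVirus2", '
    'displayName="Example AV", productState="462864"',
    '2013-09-04T16:08:31-05:00 ws03 WLS_WMI: LogType="WindowsEventLog", MonitorName="AntiVirus", '
    'displayName="Example AV", onAccessScanningEnabled="True", productUptoDate="False"',
]


def decode_product_state(product_state):
    """Same steps as the decodeProductState macro: decimal -> hex, drop the 0x, left-pad to
    six digits, split into three byte pairs. A second pair starting with 1 means enabled,
    a third pair of 00 means definitions are up to date."""
    hex6 = format(int(product_state), "x").zfill(6)
    first, second, third = hex6[0:2], hex6[2:4], hex6[4:6]
    return {
        "productStateHex": hex6,
        "productType": first,
        "enabled": second.startswith("1"),
        "productUptoDate": third == "00",
    }


def normalize_security_product(line):
    """Merge the two namespaces into one record, like the coalesce() steps in the macro:
    explicit SecurityCenter (XP) fields win, otherwise the value decoded from productState."""
    m = LINE_RE.match(line)
    ev = dict(KV_RE.findall(m.group("body")))
    rec = {"host": m.group("host"), "monitor": ev.get("MonitorName"),
           "displayName": ev.get("displayName"), "enabled": None, "productUptoDate": None}
    if "productState" in ev:                      # ROOT\SecurityCenter2 record
        d = decode_product_state(ev["productState"])
        rec["enabled"], rec["productUptoDate"] = d["enabled"], d["productUptoDate"]
    # ROOT\SecurityCenter records: firewall reports "enabled"; antivirus reports
    # "onAccessScanningEnabled" (treated here as the enabled flag, an assumption) and "productUptoDate".
    for src, dst in (("enabled", "enabled"), ("onAccessScanningEnabled", "enabled"),
                     ("productUptoDate", "productUptoDate")):
        if src in ev:
            rec[dst] = ev[src] == "True"
    return rec


def outdated_av_hosts(lines):
    """Hosts whose AntiVirus/AntiVirus2 monitor reports definitions not up to date: the
    kind of alert the dashboard data can drive."""
    recs = [normalize_security_product(line) for line in lines]
    return sorted({r["host"] for r in recs
                   if r["monitor"].startswith("AntiVirus") and r["productUptoDate"] is False})


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(normalize_security_product(line))
    print("outdated:", outdated_av_hosts(SAMPLE_EVENTS))
```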

Finally I created a simple dashboard to display the results. This will get more refined as it is used, but it’s a good starting point. This data can also be used to drive alerts if more than a certain percentage or count of your hosts has outdated definitions, or to check for hosts that don’t have any products installed at all.




Tracking software versions with WLS and Splunk

While initially intended to aid in detecting malware, the data WLS provides has many other uses. One that we use is to track software updates and outdated software being used on our network. In theory you could schedule a report similar to the ones below and automatically email people who are using incorrect software versions.

The search I used for the examples is shown below, and could easily be turned into a Splunk form where you can specify any BaseFileName for a quick report.

(EventID=4688 OR EventID=592) BaseFileName=firefox.exe  | dedup host | stats count(MD5) by CompanyName, FileVersion, ProductVersion, MD5

Breakdown:

  • Find all process creation events
    • (EventID=4688 OR EventID=592)
  • Find processes named “firefox.exe”
    • BaseFileName=firefox.exe
  • Deduplicate hosts so we only get the most recent execution
    • dedup host
  • Calculate statistics (count all the MD5s) by the fields specified
    • stats count(MD5) by CompanyName, FileVersion, ProductVersion, MD5

Example results!

firefox.exe [screenshot: FirefoxVersions]

chrome.exe [screenshot: ChromeVersions]

iexplore.exe [screenshot: IExploreVersions]

acrord32.exe [screenshot: AcroRd32Versions]

java.exe

Too embarrassing to post 😦



Using Splunk to watch for new binaries

The method presented below can be used to track any log attribute in Splunk; this example demonstrates watching MD5 hashes of executed files and loaded modules.

I’ve enabled Process Auditing via the Group Policy Editor and configured WLS to provide MD5 hashes.

I also enabled the “ModuleMonitor” in WLS, which tracks loaded modules by process, and configured it to provide MD5 hashes for these as well.

Now that we are receiving hashes for all executed files and loaded modules, let’s start tracking them in Splunk.

First we’ll need to create a lookup table. There are a few ways to do this; a quick way is simply:

| outputlookup md5tracker.csv

This will create an empty csv file named “md5tracker.csv”.


Next, we need to search for and add the desired data to the csv file. I like to preserve some of the metadata that WLS reports with each record for later use (to avoid re-searching, etc.).

index=windows MD5=* | dedup MD5 | lookup md5tracker.csv MD5 as MD5 OUTPUT FirstSeen as LookupFirstSeen | where NOT LookupFirstSeen LIKE "%" | eval FirstSeen=_time | table FirstSeen, MD5, BaseFileName, CompanyName, FileDescription, FileVersion, InternalName, Language, Signed, Length | inputlookup md5tracker.csv append=t | dedup MD5 | outputlookup md5tracker.csv

OK, let’s break this down:

Find the desired records: index=windows MD5=*

Remove duplicates: dedup MD5

Lookup the MD5s in our lookup table, returning the date first seen: lookup md5tracker.csv MD5 as MD5 OUTPUT FirstSeen as LookupFirstSeen

Remove records that already exist (field will be non-null): where NOT LookupFirstSeen LIKE "%"

Preserve the time stamp as desired output field: eval FirstSeen=_time

Format the desired fields into a table: table FirstSeen, MD5, BaseFileName, CompanyName, FileDescription, FileVersion, InternalName, Language, Signed, Length

Bring all the old data in and append it: inputlookup md5tracker.csv append=t

Remove duplicates (just in case): dedup MD5

Write out the new + old data: outputlookup md5tracker.csv

After the first run, you should have the results from your chosen time period stored in md5tracker.csv.

[screenshot: firstresults]

You’ll want to save this search

[screenshot: save1]

and schedule it to run every x minutes for the last x minutes; I schedule mine for every 15 minutes.

[screenshot: save2]

Once this is complete, you’ll have a search that keeps your lookup table up to date. Now what?

What you do next depends on how closely you feel this needs to be monitored. I run a second search every x minutes that alerts on all new entries in the last x minutes (based on the FirstSeen field).

| inputlookup md5tracker.csv | where now()-FirstSeen < 2200 | table FirstSeen, MD5, BaseFileName, CompanyName, FileDescription, FileVersion, InternalName, Language, Signed, Length

This simply takes the entire table, selects all entries from the last 2200 seconds (2200 / 60 = 36.6 minutes), and formats the results into a table. I scheduled it to run every 35 minutes with some overlap time (hence 2200 instead of 2100).

[screenshot: save3]
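To make the merge logic of the two searches concrete outside Splunk, here is an added Python example; it is not code from the original post and not part of WLS. It replays the scheduled lookup-table update (dedup, skip hashes already tracked, stamp FirstSeen, append, write back) and the alert window over a few constructed WLS-style records. The hashes, file names and epoch times in BATCH_1 and BATCH_2 are placeholders I made up for the demonstration.

```python
import csv
import io

# Columns kept in the lookup table, in the order the Splunk "table" command lists them.
FIELDS = ["FirstSeen", "MD5", "BaseFileName", "CompanyName", "FileDescription",
          "FileVersion", "InternalName", "Language", "Signed", "Length"]

# Constructed sample batches standing in for what "index=windows MD5=*" returns
# for one scheduled window (_time is epoch seconds; hashes are placeholders).
BATCH_1 = [
    {"_time": 1100, "MD5": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "BaseFileName": "notepad.exe",
     "CompanyName": "Microsoft Corporation", "Signed": "True", "Length": "69120"},
    {"_time": 1000, "MD5": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "BaseFileName": "notepad.exe",
     "CompanyName": "Microsoft Corporation", "Signed": "True", "Length": "69120"},
    {"_time": 1200, "MD5": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB", "BaseFileName": "setup[1].exe",
     "Signed": "False", "Length": "1989472"},
]
BATCH_2 = [
    {"_time": 5000, "MD5": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "BaseFileName": "notepad.exe"},
    {"_time": 5100, "MD5": "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC", "BaseFileName": "helper.exe",
     "Signed": "True", "Length": "65832"},
]


def load_tracker(tracker_csv):
    """'inputlookup md5tracker.csv': read the table into {MD5: row}; an empty file is an empty table."""
    if not tracker_csv.strip():
        return {}
    return {row["MD5"]: row for row in csv.DictReader(io.StringIO(tracker_csv))}


def dump_tracker(rows):
    """'outputlookup md5tracker.csv': serialise the rows, oldest first, as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in sorted(rows.values(), key=lambda r: int(r["FirstSeen"])):
        writer.writerow(row)
    return buf.getvalue()


def update_tracker(tracker_csv, events):
    """One run of the scheduled search: add hashes not yet in the table, keep everything else.

    Returns (new_csv_text, list_of_added_md5s). Splunk's dedup keeps whichever event it
    meets first (newest, in default sort order); this walks the batch oldest-first so
    FirstSeen is the earliest sighting inside the window.
    """
    known = load_tracker(tracker_csv)
    added = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        md5 = ev.get("MD5", "").upper()      # CSV lookups are case-sensitive; one row per hash
        if not md5 or md5 in known:          # 'where NOT LookupFirstSeen LIKE "%"': already tracked
            continue
        row = {f: str(ev.get(f, "")) for f in FIELDS}   # 'table FirstSeen, MD5, ...'
        row["MD5"] = md5
        row["FirstSeen"] = str(int(ev["_time"]))        # 'eval FirstSeen=_time'
        known[md5] = row                                  # 'inputlookup ... append=t | dedup MD5'
        added.append(md5)
    return dump_tracker(known), added


def new_hashes(tracker_csv, now, window_seconds=2200):
    """The alert search: '| inputlookup md5tracker.csv | where now()-FirstSeen < 2200'."""
    return [row for row in load_tracker(tracker_csv).values()
            if now - int(row["FirstSeen"]) < window_seconds]


def demo():
    """Two scheduled runs followed by the alert search; returns what each step produced."""
    table, added_1 = update_tracker("", BATCH_1)      # first run against the empty csv
    table, added_2 = update_tracker(table, BATCH_2)   # later run: only CCCC... is new
    alerts = new_hashes(table, now=5200)              # only rows first seen in the last 2200 s
    return table, added_1, added_2, alerts


if __name__ == "__main__":
    table, added_1, added_2, alerts = demo()
    print(table)
    print("run 1 added:", added_1)
    print("run 2 added:", added_2)
    print("alert on:", [r["MD5"] for r in alerts])
```

The second run shows why the lookup step matters: the hash that was already in the table keeps its original FirstSeen, so a file that has been running for weeks never re-enters the alert window, and only the genuinely new hash is returned by the 2200-second query.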

I also like to take an export of the hashes every so often and check them against Team Cymru’s malware hash registry – https://hash.cymru.com/

| inputlookup md5tracker.csv | table MD5

Export the results from Splunk, open the file in a spreadsheet, and copy/paste them into Team Cymru’s lookup for a quick analysis. An enterprising person might also create a custom Splunk command that uses their DNS lookup service (https://www.team-cymru.org/Services/MHR/#dns) and puts the results into the lookup table itself…

I currently have 23,537 executable hashes and 131,885 module (dll, etc) hashes, and see a few new ones at most search intervals during normal business hours. After the initial gathering, the periodic alerts are easy to quickly review, and you’ll know everything that is running on your Windows hosts.

Enhanced Windows logs example

I came across a software installation that I thought would make a great example case of how valuable enhanced Windows logs are. This software is not necessarily malicious, but exhibits behavior that caught the attention of my team.

The logs below are from WLS, a logging tool created to add contextual data to Windows process execution logs and log other relevant system information.

We’ll start with the launch of the process itself. Since process auditing is on, Windows will log this for us. Internet Explorer creates a process named “Productivity_3.1_B[1].exe”, which is “Productivity_3.1_B Toolbar” by “Conduit” and is tagged as recently downloaded and zone 3 (Internet).

2013-03-05T06:22:16-06:00 [host] Security: LogType="WLS", BaseFileName="Productivity_3.1_B[1].exe", CommandLine="'C:\Documents and Settings\[user]\Local Settings\Temporary Internet Files\Content.IE5\96RZWQUR\Productivity_3.1_B[1].exe'", CompanyName="Conduit", CreatorProcessName="iexplore", Domain="[domain]", EventID="592", EventRecordID="5304892", FileDescription="Productivity_3.1_B Toolbar", FileVersion="6.10.3.27", ImageFileName="C:\Documents and Settings\[user]\Local Settings\Temporary Internet Files\Content.IE5\96RZWQUR\Productivity_3.1_B[1].exe", Language="Language Neutral", Length="1989472", LogonID="(0x0,0x47F98236)", MD5="F2AF78F217AD0E8A3BC0C712BCAD2C34", NewHash="True", NewProcessId="5308", ProcessId="4944", Recent="True", SHA1="F437FAD1624DD651F523FCA1D6A2C79F25847DD1", Signed="True", UserName="[user]", ValidSignatureDate="True", Zone="3"

Internet Explorer loads the “Microsoft COM Runtime Execution Engine”

2013-03-05T06:22:24-06:00 [host] ModuleMonitor: LogType="WLS", BaseFileName="corpol.dll", ChangeType="Added", CompanyName="Microsoft Corporation", WLSKey="10647", FileDescription="Microsoft COM Runtime Execution Engine", FileName="c:\windows\system32\corpol.dll", FileVersion="2008.0.0.18702 (longhorn_ie8_rtm(wmbla).090308-0339)", InternalName="CORPOL.DLL", Language="English (United States)", Length="18944", MD5="8FCF03E4D7BE9B5587CCF11719959006", NewHash="True", Process="iexplore", ProductVersion="2008.0.0.18702", SHA1="281DF80AF9C7625586341E966467A752C9D466C3", Zone="0"

Productivity_3.1_B[1] loads nsdialogs.dll

2013-03-05T06:22:24-06:00 [host] ModuleMonitor: LogType="WLS", BaseFileName="nsdialogs.dll", ChangeType="Added", WLSKey="10646", FileName="c:\docume~1\[user]\locals~1\temp\nsc431e.tmp\nsdialogs.dll", Length="9728", MD5="F7B92B78F1A00A872C8A38F40AFA7D65", NewHash="True", Process="Productivity_3.1_B[1]", SHA1="872522498F69AD49270190C74CF3AF28862057F2", Zone="0"

Productivity_3.1_B[1] loads the “Conduit Toolbar” dll

2013-03-05T06:22:24-06:00 [host] ModuleMonitor: LogType="WLS", BaseFileName="nso431f.tmp.tbprod.dll", ChangeType="Added", CompanyName="Conduit Ltd.", WLSKey="10645", FileDescription="Conduit Toolbar", FileName="c:\docume~1\[user]\locals~1\temp\nso431f.tmp.tbprod.dll", FileVersion="6.10.3.27", InternalName="Conduit Toolbar", Language="English (United States)", Length="4495624", MD5="CEF32B574F8C732BACAFD93210642DBB", NewHash="True", Process="Productivity_3.1_B[1]", ProductVersion="6.10.3.27", SHA1="5C684D51F07A183EEA13D66F5C7E9630C48D93B5", Zone="0"

Productivity_3.1_B[1] loads system.dll

2013-03-05T06:22:24-06:00 [host] ModuleMonitor: LogType="WLS", BaseFileName="system.dll", ChangeType="Added", WLSKey="10644", FileName="c:\docume~1\[user]\locals~1\temp\nsc431e.tmp\system.dll", Length="11264", MD5="959EA64598B9A3E494C00E8FA793BE7E", NewHash="True", Process="Productivity_3.1_B[1]", SHA1="40F284A3B92C2F04B1038DEF79579D4B3D066EE0", Zone="0"

Productivity_3.1_B[1] launches tbProd.dll via rundll32 with parameters “DllHandleUserID”

2013-03-05T06:22:37-06:00 [host] Security: LogType="WLS", BaseFileName="rundll32.exe", CommandLine="rundll32 'C:\Program Files\Productivity_3.1_B\tbProd.dll' DllHandleUserID", CompanyName="Microsoft Corporation", CreatorProcessName="Productivity_3.1_B[1]", Domain="[domain]", EventID="592", EventRecordID="5304893", FileDescription="Run a DLL as an App", FileVersion="5.1.2600.5512 (xpsp.080413-2105)", ImageFileName="C:\WINDOWS\system32\rundll32.exe", InternalName="rundll", Language="English (United States)", Length="33280", LogonID="(0x0,0x47F98236)", MD5="037B1E7798960E0420003D05BB577EE6", NewProcessId="2000", ProcessId="5308", ProductVersion="5.1.2600.5512", SHA1="303A90020BF3BEAF9ACD0EA86487C853636A99A3", Signed="False", UserName="[user]", Zone="0"

Rundll32 completes

2013-03-05T06:22:40-06:00 [host] Security: LogType="WLS", BaseFileName="rundll32.exe", Domain="[domain]", EventID="593", EventRecordID="5304894", ImageFileName="C:\WINDOWS\system32\rundll32.exe", LogonID="(0x0,0x47F98236)", ProcessId="2000", UserName="[user]"

Productivity_3.1_B[1] launches tbProd.dll via rundll32 with parameters “DllSendInstallationUsage New Installation”

2013-03-05T06:22:43-06:00 [host] Security: LogType="WLS", BaseFileName="rundll32.exe", Cached="True", CommandLine="rundll32 'C:\Program Files\Productivity_3.1_B\tbProd.dll' DllSendInstallationUsage New Installation", CompanyName="Microsoft Corporation", CreatorProcessName="Productivity_3.1_B[1]", Domain="[domain]", EventID="592", EventRecordID="5304895", FileDescription="Run a DLL as an App", FileVersion="5.1.2600.5512 (xpsp.080413-2105)", ImageFileName="C:\WINDOWS\system32\rundll32.exe", InternalName="rundll", Language="English (United States)", Length="33280", LogonID="(0x0,0x47F98236)", MD5="037B1E7798960E0420003D05BB577EE6", NewProcessId="2672", ProcessId="5308", ProductVersion="5.1.2600.5512", SHA1="303A90020BF3BEAF9ACD0EA86487C853636A99A3", Signed="False", UserName="[user]", Zone="0"

Productivity_3.1_B[1] launches tbProd.dll via rundll32 with parameters “DllRunIEMediumIntegrity”

2013-03-05T06:22:44-06:00 [host] Security: LogType="WLS", BaseFileName="rundll32.exe", Cached="True", CommandLine="rundll32 'C:\Program Files\Productivity_3.1_B\tbProd.dll' DllRunIEMediumIntegrity", CompanyName="Microsoft Corporation", CreatorProcessName="Productivity_3.1_B[1]", Domain="[domain]", EventID="592", EventRecordID="5304896", FileDescription="Run a DLL as an App", FileVersion="5.1.2600.5512 (xpsp.080413-2105)", ImageFileName="C:\WINDOWS\system32\rundll32.exe", InternalName="rundll", Language="English (United States)", Length="33280", LogonID="(0x0,0x47F98236)", MD5="037B1E7798960E0420003D05BB577EE6", NewProcessId="5592", ProcessId="5308", ProductVersion="5.1.2600.5512", SHA1="303A90020BF3BEAF9ACD0EA86487C853636A99A3", Signed="False", UserName="[user]", Zone="0"

Productivity_3.1_B[1].exe terminates

2013-03-05T06:22:45-06:00 [host] Security: LogType="WLS", BaseFileName="Productivity_3.1_B[1].exe", Domain="[domain]", EventID="593", EventRecordID="5304897", ImageFileName="C:\Documents and Settings\[user]\Local Settings\Temporary Internet Files\Content.IE5\96RZWQUR\Productivity_3.1_B[1].exe", LogonID="(0x0,0x47F98236)", ProcessId="5308", UserName="[user]"

The last rundll process starts IE with parameters “hxxp://Productivity31B.OurToolbar[.]com/SetupFinish” (neutralized to avoid accidental clicks)

2013-03-05T06:22:47-06:00 [host] Security: LogType="WLS", BaseFileName="iexplore.exe", Cached="True", CommandLine="'C:\Program Files\Internet Explorer\IEXPLORE.EXE' hxxp://Productivity31B.OurToolbar[.]com/SetupFinish", CompanyName="Microsoft Corporation", CreatorProcessName="rundll32", Domain="[domain]", EventID="592", EventRecordID="5304898", FileDescription="Internet Explorer", FileVersion="8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)", ImageFileName="C:\Program Files\Internet Explorer\iexplore.exe", InternalName="iexplore", Language="English (United States)", Length="638816", LogonID="(0x0,0x47F98236)", MD5="B60DDDD2D63CE41CB8C487FCFBB6419E", NewProcessId="4260", ProcessId="5592", ProductVersion="8.00.6001.18702", SHA1="EADCE51C88C8261852C1903399DDE742FBA2061B", Signed="True", UserName="[user]", ValidSignatureDate="False", Zone="0"

Conduit creates a mutex

2013-03-05T06:22:48-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10650", Name="\BaseNamedObjects\CONDUIT_SHARED_MUTEX", Type="Mutant"

Rundll32 loads the “Conduit Toolbar” dll (this probably happened before the mutex above was created, time stamps are based on when the polling routine completes)

2013-03-05T06:22:49-06:00 [host] ModuleMonitor: LogType="WLS", BaseFileName="tbprod.dll", ChangeType="Added", CompanyName="Conduit Ltd.", WLSKey="10652", FileDescription="Conduit Toolbar", FileName="c:\program files\productivity_3.1_b\tbprod.dll", FileVersion="6.10.3.27", InternalName="Conduit Toolbar", Language="English (United States)", Length="4495624", MD5="CEF32B574F8C732BACAFD93210642DBB", NewHash="True", Process="rundll32", ProductVersion="6.10.3.27", SHA1="5C684D51F07A183EEA13D66F5C7E9630C48D93B5", Zone="0"

IE launches another instance of itself

2013-03-05T06:22:50-06:00 [host] Security: LogType="WLS", BaseFileName="iexplore.exe", Cached="True", CommandLine="'C:\Program Files\Internet Explorer\IEXPLORE.EXE' SCODEF:4260 CREDAT:79873", CompanyName="Microsoft Corporation", CreatorProcessName="iexplore", Domain="[domain]", EventID="592", EventRecordID="5304899", FileDescription="Internet Explorer", FileVersion="8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)", ImageFileName="C:\Program Files\Internet Explorer\iexplore.exe", InternalName="iexplore", Language="English (United States)", Length="638816", LogonID="(0x0,0x47F98236)", MD5="B60DDDD2D63CE41CB8C487FCFBB6419E", NewProcessId="6076", ProcessId="4260", ProductVersion="8.00.6001.18702", SHA1="EADCE51C88C8261852C1903399DDE742FBA2061B", Signed="True", UserName="[user]", ValidSignatureDate="False", Zone="0"

Rundll32 terminates

2013-03-05T06:22:51-06:00 [host] Security: LogType="WLS", BaseFileName="rundll32.exe", Domain="[domain]", EventID="593", EventRecordID="5304900", ImageFileName="C:\WINDOWS\system32\rundll32.exe", LogonID="(0x0,0x47F98236)", ProcessId="5592", UserName="[user]"

IE loads its normal mutexes and semaphores

2013-03-05T06:22:53-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10653", Name="\BaseNamedObjects\OleDfRoot0613563FD", Type="Semaphore"

2013-03-05T06:22:53-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10654", Name="\BaseNamedObjects\ConnHashTable<4260>_HashTable_Mutex", Type="Mutant"

2013-03-05T06:22:53-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10655", Name="\BaseNamedObjects\IEFrame!GetAsyncKeyStateQuery!4260", Type="Semaphore"

2013-03-05T06:22:53-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10656", Name="\BaseNamedObjects\RSS Eventing Connection Database Mutex 000010a4", Type="Mutant"

2013-03-05T06:22:53-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10657", Name="\BaseNamedObjects\MSCTF.Shared.MUTEX.EGG", Type="Mutant"

2013-03-05T06:22:53-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10658", Name="\BaseNamedObjects\IEFrame!GetAsyncKeyStateReply!4260", Type="Semaphore"

2013-03-05T06:22:53-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10659", Name="\BaseNamedObjects\OleDfRoot061353668", Type="Semaphore"

IE loads Productivity_3.1_BToolbarHelper.exe with parameters “…DllCleanEnableExtensionDoing”

2013-03-05T06:23:00-06:00 [host] Security: LogType="WLS", BaseFileName="Productivity_3.1_BToolbarHelper.exe", CommandLine="'C:\Program Files\Productivity_3.1_B\Productivity_3.1_BToolbarHelper.exe' DllRun 'C:\Documents and Settings\[user]\Local Settings\Application Data\Productivity_3.1_B\tbProd.dll' DllCleanEnableExtensionDoing", CreatorProcessName="iexplore", Domain="[domain]", EventID="592", EventRecordID="5304902", FileDescription="ToolbarH Application", FileVersion="1, 0, 1, 0", ImageFileName="C:\Program Files\Productivity_3.1_B\Productivity_3.1_BToolbarHelper.exe", InternalName="ToolbarH", Language="English (United States)", Length="65832", LogonID="(0x0,0x47F98236)", MD5="DA11D78D765E4B8FA4CFA5A37E8A94FF", NewHash="True", NewProcessId="5704", ProcessId="6076", ProductVersion="1, 0, 1, 0", Recent="True", SHA1="E5AD99CE7C7362CA566156033ECB0F04F9437CA7", Signed="True", UserName="[user]", ValidSignatureDate="True", Zone="0"

IE loads Productivity_3.1_BToolbarHelper.exe with different parameters “…DllConnectToIE”

2013-03-05T06:23:00-06:00 [host] Security: LogType="WLS", BaseFileName="Productivity_3.1_BToolbarHelper.exe", CommandLine="'C:\Program Files\Productivity_3.1_B\Productivity_3.1_BToolbarHelper.exe' DllRun 'C:\Documents and Settings\[user]\Local Settings\Application Data\Productivity_3.1_B\tbProd.dll' DllConnectToIE", CreatorProcessName="iexplore", Domain="[domain]", EventID="592", EventRecordID="5304903", FileDescription="ToolbarH Application", FileVersion="1, 0, 1, 0", ImageFileName="C:\Program Files\Productivity_3.1_B\Productivity_3.1_BToolbarHelper.exe", InternalName="ToolbarH", Language="English (United States)", Length="65832", LogonID="(0x0,0x47F98236)", MD5="DA11D78D765E4B8FA4CFA5A37E8A94FF", NewHash="True", NewProcessId="5976", ProcessId="6076", ProductVersion="1, 0, 1, 0", Recent="True", SHA1="E5AD99CE7C7362CA566156033ECB0F04F9437CA7", Signed="True", UserName="[user]", ValidSignatureDate="True", Zone="0"

Rundll terminates

2013-03-05T06:23:01-06:00 [host] Security: LogType="WLS", BaseFileName="rundll32.exe", Domain="[domain]", EventID="593", EventRecordID="5304904", ImageFileName="C:\WINDOWS\system32\rundll32.exe", LogonID="(0x0,0x47F98236)", ProcessId="2672", UserName="[user]"

Conduit creates a mutex for the IE hook containing the process id of the second IE instance

2013-03-05T06:23:03-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10660", Name="\BaseNamedObjects\InitIEMenuHooks_Mutex_6076", Type="Mutant"

Conduit creates a mutex for their “gadgets”

2013-03-05T06:23:03-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10661", Name="\BaseNamedObjects\ConduitGadgetsMgrMutex_CT3282120", Type="Mutant"

A semaphore is created

2013-03-05T06:23:03-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10662", Name="\BaseNamedObjects\EI_LOGIC_SEMAPHORE", Type="Semaphore"

A mutex is created indicating activity with the first IE instance

2013-03-05T06:23:03-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10665", Name="\BaseNamedObjects\TryToInjectToIe4260", Type="Mutant"

Another mutex indicating an API hook with the second IE instance (with a typo?)

2013-03-05T06:23:03-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10666", Name="\BaseNamedObjects\API_HOOK_MUTES_6076", Type="Mutant"

Conduit creates and deletes a named pipe (I think IE was starting to shut down just after the pipe was created)

2013-03-05T06:23:04-06:00 [host] NamedPipeMonitor: LogType="WLS", ChangeType="Created", WLSKey="10667", Name="GadgetsManagerPipeServerCT3282120"

2013-03-05T06:23:07-06:00 [host] NamedPipeMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10668", Name="GadgetsManagerPipeServerCT3282120"

The second IE instance terminates

2013-03-05T06:23:07-06:00 [host] Security: LogType="WLS", BaseFileName="iexplore.exe", Domain="[domain]", EventID="593", EventRecordID="5304905", ImageFileName="C:\Program Files\Internet Explorer\iexplore.exe", LogonID="(0x0,0x47F98236)", ProcessId="6076", UserName="[user]"

The first IE instance terminates

2013-03-05T06:23:07-06:00 [host] Security: LogType="WLS", BaseFileName="iexplore.exe", Domain="[domain]", EventID="593", EventRecordID="5304906", ImageFileName="C:\Program Files\Internet Explorer\iexplore.exe", LogonID="(0x0,0x47F98236)", ProcessId="4260", UserName="[user]"

Conduit loads another dll (again, this probably happened just before IE terminated)

2013-03-05T06:23:08-06:00 [host] ModuleMonitor: LogType="WLS", BaseFileName="tbprod.dll", ChangeType="Added", CompanyName="Conduit Ltd.", WLSKey="10669", FileDescription="Conduit Toolbar", FileName="c:\documents and settings\[user]\local settings\application data\productivity_3.1_b\tbprod.dll", FileVersion="6.10.3.27", InternalName="Conduit Toolbar", Language="English (United States)", Length="4495624", MD5="CEF32B574F8C732BACAFD93210642DBB", Process="Productivity_3.1_BToolbarHelper", ProductVersion="6.10.3.27", SHA1="5C684D51F07A183EEA13D66F5C7E9630C48D93B5", Zone="0"

One Productivity_3.1_BToolbarHelper.exe terminates

2013-03-05T06:23:10-06:00 [host] Security: LogType="WLS", BaseFileName="Productivity_3.1_BToolbarHelper.exe", Domain="[domain]", EventID="593", EventRecordID="5304907", ImageFileName="C:\Program Files\Productivity_3.1_B\Productivity_3.1_BToolbarHelper.exe", LogonID="(0x0,0x47F98236)", ProcessId="5704", UserName="[user]"

The other Productivity_3.1_BToolbarHelper.exe terminates

2013-03-05T06:23:10-06:00 [host] Security: LogType="WLS", BaseFileName="Productivity_3.1_BToolbarHelper.exe", Domain="[domain]", EventID="593", EventRecordID="5304908", ImageFileName="C:\Program Files\Productivity_3.1_B\Productivity_3.1_BToolbarHelper.exe", LogonID="(0x0,0x47F98236)", ProcessId="5976", UserName="[user]"

The mutexes and semaphores get cleaned up

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10670", Name="\BaseNamedObjects\CONDUIT_SHARED_MUTEX", Type="Mutant"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10671", Name="\BaseNamedObjects\OleDfRoot0613563FD", Type="Semaphore"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10672", Name="\BaseNamedObjects\ConnHashTable<4260>_HashTable_Mutex", Type="Mutant"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10673", Name="\BaseNamedObjects\IEFrame!GetAsyncKeyStateQuery!4260", Type="Semaphore"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10674", Name="\BaseNamedObjects\RSS Eventing Connection Database Mutex 000010a4", Type="Mutant"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10675", Name="\BaseNamedObjects\IEFrame!GetAsyncKeyStateReply!4260", Type="Semaphore"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10676", Name="\BaseNamedObjects\OleDfRoot061353668", Type="Semaphore"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10677", Name="\BaseNamedObjects\InitIEMenuHooks_Mutex_6076", Type="Mutant"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10678", Name="\BaseNamedObjects\ConduitGadgetsMgrMutex_CT3282120", Type="Mutant"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10679", Name="\BaseNamedObjects\EI_LOGIC_SEMAPHORE", Type="Semaphore"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10680", Name="\BaseNamedObjects\OleDfRoot061365026", Type="Semaphore"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10681", Name="\BaseNamedObjects\OleDfRoot061364E1D", Type="Semaphore"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10682", Name="\BaseNamedObjects\TryToInjectToIe4260", Type="Mutant"

2013-03-05T06:23:12-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Deleted", WLSKey="10683", Name="\BaseNamedObjects\API_HOOK_MUTES_6076", Type="Mutant"

Symantec runs… coincidence?

2013-03-05T06:23:49-06:00 [host] Security: LogType="WLS", BaseFileName="SescLU.exe", Cached="True", CompanyName="Symantec Corporation", CreatorProcessName="svchost", Domain="[domain]", EventID="592", EventRecordID="5304909", FileDescription="Symantec Endpoint Security Client LiveUpdate", FileVersion="11.0.7200.157", ImageFileName="C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe", InternalName="SescLu", Language="English (United States)", Length="435616", LogonID="(0x0,0x3E7)", MD5="599B2D850C96B525845FA50457F0DD6E", NewProcessId="5348", ProcessId="1148", ProductVersion="11.0.7200.157", SHA1="473CECF52718C5EC46D1EF01D2AEB90A3CB6A127", Signed="True", UserName="[host]$", ValidSignatureDate="True", Zone="0"

2013-03-05T06:23:49-06:00 [host] Security: LogType="WLS", Domain="[domain]", Domain1="[domain]", EventID="600", EventRecordID="5304910", ImageFileName="C:\WINDOWS\system32\svchost.exe", ImageFileName1="C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe", LogonID="(0x0,0x3E7)", LogonID1="(0x0,0x3E7)", ProcessId="1148", ProcessId1="5348", UserName="[host]$", UserName1="[host]$"

2013-03-05T06:23:50-06:00 [host] WinObjectMonitor: LogType="WLS", ChangeType="Created", WLSKey="10684", Name="\BaseNamedObjects\SESCLU.EXE'", Type="Mutant"

2013-03-05T06:23:58-06:00 [host] Security: LogType="WLS", BaseFileName="SescLU.exe", Domain="[domain]", EventID="593", EventRecordID="5304911", ImageFileName="C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe", LogonID="(0x0,0x3E7)", ProcessId="5348", UserName="[host]$"
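The walkthrough above follows the WLS lines by hand. The added Python example below is mine, not code from the post or from WLS: it parses the key="value" line format the events use, ties each 592 (start) to its 593 (exit) and to ModuleMonitor loads by process name, rebuilds the creator chain through NewProcessId/ProcessId, and applies two defender-side checks the narrative points at (an Internet-zone download that spawns children, and rundll32 handed a DLL outside the Windows directory). SAMPLE_LINES is a constructed, shortened copy of the first few events; "host1" and "user" stand in for the [host] and [user] placeholders, and the field names are the ones the lines carry.

```python
import re

# One WLS line: timestamp, host, source name, then key="value" pairs.
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+): (?P<body>.*)$')
# Values in this format never contain a double quote, so [^"]* suffices; findall also
# tolerates a missing comma or a doubled space between pairs, as seen in the post.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample modelled on the walkthrough, trimmed to the fields the timeline needs.
SAMPLE_LINES = r"""
2013-03-05T06:22:16-06:00 host1 Security: LogType="WLS", BaseFileName="Productivity_3.1_B[1].exe", CommandLine="'C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\96RZWQUR\Productivity_3.1_B[1].exe'", CreatorProcessName="iexplore", EventID="592", NewProcessId="5308", ProcessId="4944", Recent="True", Signed="True", Zone="3"
2013-03-05T06:22:24-06:00 host1 ModuleMonitor: LogType="WLS", BaseFileName="nso431f.tmp.tbprod.dll", ChangeType="Added", FileName="c:\docume~1\user\locals~1\temp\nso431f.tmp.tbprod.dll", Process="Productivity_3.1_B[1]", Zone="0"
2013-03-05T06:22:37-06:00 host1 Security: LogType="WLS", BaseFileName="rundll32.exe", CommandLine="rundll32 'C:\Program Files\Productivity_3.1_B\tbProd.dll' DllHandleUserID", CreatorProcessName="Productivity_3.1_B[1]", EventID="592", NewProcessId="2000", ProcessId="5308", Signed="False", Zone="0"
2013-03-05T06:22:40-06:00 host1 Security: LogType="WLS", BaseFileName="rundll32.exe", EventID="593", ProcessId="2000"
2013-03-05T06:22:45-06:00 host1 Security: LogType="WLS", BaseFileName="Productivity_3.1_B[1].exe", EventID="593", ProcessId="5308"
""".strip().splitlines()


def parse_line(line):
    """Split one WLS line into a dict; returns None for a line in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "source": m.group("source")}
    rec.update(KV_RE.findall(m.group("body")))
    return rec


def build_timeline(lines):
    """Return {pid: info} with start/exit times, parent link and loaded modules per process.

    On a 592 event ProcessId is the creator and NewProcessId the child; on a 593 event
    ProcessId is the process that exited. That asymmetry is what links parent to child.
    """
    procs = {}
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if rec["source"] == "Security" and rec.get("EventID") == "592" and "NewProcessId" in rec:
            pid = rec["NewProcessId"]
            procs[pid] = {
                "pid": pid, "name": rec.get("BaseFileName", "?"), "parent_pid": rec.get("ProcessId"),
                "parent": rec.get("CreatorProcessName"), "start": rec["ts"], "end": None,
                "cmdline": rec.get("CommandLine", ""), "signed": rec.get("Signed"),
                "zone": rec.get("Zone"), "modules": [],
            }
        elif rec["source"] == "Security" and rec.get("EventID") == "593":
            if rec.get("ProcessId") in procs:
                procs[rec["ProcessId"]]["end"] = rec["ts"]
        elif rec["source"] == "ModuleMonitor":
            # ModuleMonitor names the process without its extension and carries no pid,
            # so attach the load to every still-running process with that image name.
            want = rec.get("Process", "").lower()
            for p in procs.values():
                if p["end"] is None and p["name"].rsplit(".", 1)[0].lower() == want:
                    p["modules"].append(rec.get("FileName", ""))
    return procs


def lineage(procs, pid):
    """Walk parent links upward. The oldest ancestor is named from CreatorProcessName
    when its own 592 event lies before the captured lines (iexplore here)."""
    chain, top, seen = [], None, set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        top = procs[pid]
        chain.append(f'{top["name"]}({pid})')
        pid = top["parent_pid"]
    if top is not None and top["parent"]:
        chain.append(f'{top["parent"]}({top["parent_pid"]})')
    return chain[::-1]


def triage(procs):
    """Two heuristics drawn from the walkthrough; they return strings a reviewer can act on."""
    findings = []
    for p in procs.values():
        children = [c for c in procs.values() if c["parent_pid"] == p["pid"]]
        if p["zone"] == "3" and children:       # Zone 3 = Internet: a fresh download that went on to spawn
            findings.append(f'{p["name"]}({p["pid"]}): Internet-zone executable spawned {len(children)} process(es)')
        if p["name"].lower() == "rundll32.exe" and "\\windows\\" not in p["cmdline"].lower():
            findings.append(f'rundll32.exe({p["pid"]}): DLL outside the Windows directory: {p["cmdline"]}')
    return findings


if __name__ == "__main__":
    procs = build_timeline(SAMPLE_LINES)
    for pid, p in procs.items():
        print(" > ".join(lineage(procs, pid)), "| start", p["start"],
              "| end", p["end"] or "running", "| modules:", len(p["modules"]))
    for f in triage(procs):
        print("FLAG:", f)
```

Because ModuleMonitor events carry only a process name, the module attribution is by name among processes still running at that instant; with two live processes of the same name (the pair of Productivity_3.1_BToolbarHelper.exe instances later in the post) the load is recorded against both, which is the honest answer given what the log contains.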

Now, I know this in no way replaces traditional static or dynamic analysis, but it’s a great way to quickly assess a host and gather potential indicators; and you can search all your other host logs for the same activity. If you’d like more information on WLS, send me a note via the contact form.