Tag Archives: Splunk

Detecting malware with your proxy logs

If you use a web proxy that has categorization built-in and you log the requests to your central log system, you can add another layer of detection by alerting on multiple requests for a known malicious destination from a single source. Even though malware can come from almost any site or email, the call “home” is often to a site that is reused. This detection method caught a few infections that were not detected by anti-virus in the last month.

For this example Splunk is used to search BlueCoat logs. We’ll look for categories that indicate malicious sites and count them by user, host, and referrer. The site categories and count thresholds should be tuned to fit your needs.

index=proxy host=bluecoat “Malicious Sources” OR “Malicious Outbound Data” OR “Botnets” | stats count by cs_username, cs_host, cs_Referrer | where count > 1 | table cs_username, cs_host, cs_Referrer, count

Most of the time the results are probably benign, but it should be easy to spot when it hits. These were all for the same user, also note the blank referrer.


Schedule this to run periodically and let your logs tell you when there’s a potential infection.


Have your IOCs come to you

So, you’ve got the latest list of IOCs from a recent APT / malware report, time to kick off the scanner(s) / agent(s) of you choice and wait for the results. Wouldn’t it be nice to do a quick search of your logs and have the answer in seconds?  You’re already collecting logs from your Windows hosts (right?), shouldn’t they be doing more for you than providing logs?

Windows logging tools seem to have been stuck for a while at providing just the logs. The Splunk Universal Forwarder is an excellent example of a free, modern logging tool that does more than logs, and works with more than the Splunk server (hint hint); but even it does not provide what I believe is necessary data to support cyber security, forensics, and incident response.

Why not collect process hashes, named pipes, mutexes, semaphores, loaded modules, etc., and send them with the logs? Why not have these in real-time and be able to search your entire enterprise in seconds? There are plenty of server-side tools to collect, parse, and index  all of your logs; hosted on or off-site, free or pay. So, why not? You could know within minutes every new binary that is executed, including it’s metadata. You could know the initial infection vector, have the IOCs immediately, search all your hosts simultaneously, and that’s just the beginning!

Not finding a tool (at the time) that did what I wanted, I created WLS to provide exactly that; logs and the extra data to support answers I needed. There may be other programs that do this now (I’d love to know!), and I hope that others find this data as useful as I do.

Here are some WLS logs that answer example questions:

What did Firefox launch today that was downloaded from the internet?

Mar 15 09:05:24 [host] Security: LogType=”WLS”, BaseFileName=”Firefox Setup 19.0.2.exe”, Channel=”Security”, CommandLine=”‘C:\Users\Jason\Downloads\Firefox Setup 19.0.2.exe'”, CompanyName=”Mozilla”, Computer=”[host]”, CreatorProcessName=”firefox”, EventID=”4688″, EventRecordID=”65653″, ExecutionProcessID=”4″, ExecutionThreadID=”68″, FileDescription=”Firefox”, FileVersion=”4.42″, InternalName=”7zS.sfx”, Keywords=”0x8020000000000000″, Language=”English (United States)”, Length=”20564720″, Level=”0″, MD5=”68266231DF9FAF07018BAD5E028BDE67″, NewHash=”True”, NewProcessId=”0x1744″, NewProcessName=”C:\Users\Jason\Downloads\Firefox Setup 19.0.2.exe”, Opcode=”0″, ProcessId=”0xd58″, ProductVersion=”4.42″, ProviderGuid=”{54849625-5478-4994-A5BA-3E3B0328C30D}”, ProviderName=”Microsoft-Windows-Security-Auditing”, Recent=”True”, SHA1=”D0B0B20F1365BCDE53067012FFDAD23B52688028″, Signed=”True”, SubjectDomainName=”[host]”, SubjectLogonId=”0x25e5350″, SubjectUserName=”Jason”, SubjectUserSid=”[sid]”, Task=”13312″, TokenElevationType=”%%1938″, ValidSignatureDate=”True”, Version=”0″, Zone=”3″

Has a process with the  MD5 of 626A24ED1228580B9518C01930936DF9 executed?

Mar 22 19:29:00 [host] Security: LogType=”WLS”, BaseFileName=”GoogleUpdate.exe”, Cached=”True”, Channel=”Security”, CompanyName=”Google Inc.”, Computer=”[host]”, CreatorProcessName=”taskeng”, EventID=”4688″, EventRecordID=”67948″, ExecutionProcessID=”4″, ExecutionThreadID=”48″, FileDescription=”Google Installer”, FileVersion=”″, InternalName=”Google Update”, Keywords=”0x8020000000000000″, Language=”English (United States)”, Length=”133104″, Level=”0″, MD5=”626A24ED1228580B9518C01930936DF9″, NewProcessId=”0x16b4″, NewProcessName=”C:\Users\Jason\AppData\Local\Google\Update\GoogleUpdate.exe”, Opcode=”0″, ProcessId=”0xfcc”, ProductVersion=”″, ProviderGuid=”{54849625-5478-4994-A5BA-3E3B0328C30D}”, ProviderName=”Microsoft-Windows-Security-Auditing”, Recent=”True”, SHA1=”DCB86149B70829BB4320811B12686AE00131DBC3″, Signed=”True”, SubjectDomainName=”[host]”, SubjectLogonId=”0x25e5350″, SubjectUserName=”Jason”, SubjectUserSid=”[sid]”, Task=”13312″, TokenElevationType=”%%1938″, ValidSignatureDate=”False”, Version=”0″, Zone=”0″

What about a named pipe that starts with “chrome”?

Mar 19 23:44:51 [host] WLS_NamedPipeMonitor: LogType=”WLS”, ChangeType=”Created”, WLSKey=”10375″, Name=”chrome.5748.0.150278265″

Anything load mpengine.dll?

Mar 22 03:21:45 [host] WLS_ModuleMonitor: LogType=”WLS”, BaseFileName=”mpengine.dll”, ChangeType=”Added”, CompanyName=”Microsoft Corporation”, WLSKey=”14514″, FileDescription=”Microsoft Malware Protection Engine”, FileName=”c:\programdata\microsoft\microsoft antimalware\definition updates\{d9b17332-a27d-4442-8ff1-793d9607fc2e}\mpengine.dll”, FileVersion=”1.1.9302.0″, InternalName=”mpengine”, Language=”English (United States)”, Length=”7108640″, MD5=”9F4003841689C663254D54177EB97219″, Process=”MsMpEng”, ProductVersion=”1.1.9302.0″, SHA1=”F2F46BBE3F931B0927B2FEFE9707C0063C6872D6″, Zone=”0″

If you’d like more information on WLS, send me a note via the contact form.

Process Execution Logs (and WLS)

Something I’ve found useful when analyzing a Windows host is a record of what processes executed. If you’ve ever looked in Event Viewer, you’ll know that by default, they look like this:

(This space intentionally left blank.)

So, let’s turn process auditing on.  Enable auditing for “Audit Process Creation” and “Audit Process Termination”.


Now, anytime a process is created or terminated, you’ll get a log similar to the following:

A new process has been created.

Security ID: [domain]/[user]
Account Name: [user]
Account Domain: [domain]
Logon ID: 0x9cb68

Process Information:
New Process ID: 0x18f8
New Process Name: C:\Windows\System32\mspaint.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x1084

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

That’s an OK log, we know what executed and when, and could trace back the “Creator Process ID” to find the creating process. However, the log is rather long and contains quite a bit of useless information; this will chew up your Splunk (or other log aggregation tool) license in no time.

WLS can help us here. It will create key / value pairs from the log, add useful information, and not fill your logs with paragraphs of redundant information. The example below uses my default metadata settings for WLS, the bold text indicates the extra information WLS added to the log.

Mar 21 12:45:26 [host] Security: LogType=”WLS”, BaseFileName=”mspaint.exe”, Cached=”True”, Channel=”Security”, CommandLine=”‘C:\windows\system32\mspaint.exe’ ‘C:\Users\[user]\Desktop\blog\TurnAuditingOn.png'”, CompanyName=”Microsoft Corporation”, Computer=”[host].[domain]”, CreatorProcessName=”explorer”, Entropy=”6.17942325269204″, EventID=”4688″, EventRecordID=”1145730″, ExecutionProcessID=”4″, ExecutionThreadID=”48″, FileDescription=”Paint”, FileVersion=”6.1.7600.16385 (win7_rtm.090713-1255)”, InternalName=”MSPAINT”, Keywords=”0x8020000000000000″, Language=”English (United States)”, Length=”6676480″, Level=”0″, MD5=”458F4590F80563EB2A0A72709BFC2BD9″, NewProcessId=”0x18f8″, NewProcessName=”C:\Windows\System32\mspaint.exe”, Opcode=”0″, ProcessId=”0x1084″, ProductVersion=”6.1.7600.16385″, ProviderGuid=”{54849625-5478-4994-A5BA-3E3B0328C30D}”, ProviderName=”Microsoft-Windows-Security-Auditing”, SHA1=”3F97DC3BD1467C710C6A8D26B97BB6CF47DEB4C6″Signed=”False”, SubjectDomainName=”[domain]”, SubjectLogonId=”0x9cb68″, SubjectUserName=”[user]”, SubjectUserSid=”[sid]”, Task=”13312″, TokenElevationType=”%%1936″, Version=”0″, Zone=”0″

The standard windows log is 1,353 characters, the WLS log is 1,141 (with pretty much every optional data point added). Less data, higher quality, useful stuff. Now, what to do with all the data…

What is WLS?

The Windows Logging Service (WLS) is a Windows service that forwards your event logs, along with user defined contextual data, to your log server.

Each process execution log is augmented with:

  • Creator process name
  • Command line parameters

and optionally:

  • Any file metadata (attributes, MAC times, version, size, etc)
  • Digital signature flag
  • Entropy
  • Environmental variables (per process)
  • Hashes (MD5, RIPEMD160, SHA1, SHA256, SHA384, SHA512)
  • Zone

WLS can also log the following information to your log server:

  • Certificates
  • Devices
  • Drives
  • File system changes – including file metadata
  • Listening and connected ports, with associated process information
  • Loaded modules – including file metadata
  • Mutexes, semaphores, and other Windows objects
  • Named pipes
  • Optical media used
  • Performance counters
  • Registry changes
  • WMI information

I’ll cover the details of each of these features and configuration examples in upcoming posts, as well as provide example Splunk searches I use for day-to-day operations.

If you’d like more information on WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.