The top 10 windows logs event id's used v1.0

1

The Top 10 Windows Event ID's Used

To Catch Hackers In The ActMichael GoughLead Incident Response

2

What will be covered during this talk

• Windows logs are solid gold if you know what to Enable, Configure, Gather and Harvest. When hacked they can tell you what you need to know to find and harvest the malware and what occurred. This talk walks through simple commodity malware seen in SPAM and drive-bys to a Chinese advanced attack and what Top Windows Event Codes andinformation in the logs allowed us to harvest their malware and understand what, where and when they were doing it.

• Details of the attack from the logs and the queries used will be covered and shared to allow you to catch a similar type of attack. This talk will show an advanced attack at its finest, but is designed to be Blue Team Defense in nature so you can learn from those that deal with malware and advanced attacks almost daily.

• What works and why will also be discussed

3

Disclaimer

The information in this presentation and opinions are mine alone and do not reflect

those of my current or past employers.

MalwareArchaeology.com

4

INTRODUCTION


5

Who Am I

5

• Michael Gough, Malware Archaeologist

• Blue Team Ninja, Active Defense, Splunk Fu

• Blog - HackerHurricane.com

• Twitter - @HackerHurricane

• Creator of the “Malware Management Framework”

• Creator of several Logging Cheat Sheets• “Windows Logging Cheat Sheet”

• “Windows Splunk Logging Cheat Sheet”

• “Windows File Auditing Cheat Sheet”

• “Windows Registry Auditing Cheat Sheet”

• Co-Creator of Log-MD• LOG and Malicious Discovery tool for Malware Discovery & Incident

Response


6

Hackers, Malware and Logs

• I am a Logoholic

• I love malware, malware discovery and malware management

• But once I find an infected system, what happened before I found it?

• Was there more than one system involved?

• Did the Malwarian do more?

• What behavior did the system or systems have after the initial infection?

• Who was Patient 0?

• Logs are the perfect partner to malware!


7

So why listen to me?

• I have been there

• In the worst way

• Found malware quickly

• Discovered 10 months before the Kaspersky report – June 2012

• We needed more… Who, What, Where, When and How

• We found the logs were not fully enabled or configured and couldn’t get the data we needed

• Once the logs from endpoints were enabled and configured, we saw all kinds of cool stuff, it showed the How that we ALL NEED


88

So what is the problem we are trying to solve?


9

You’re Next

97,00076 Mil + 8 Mil

1000+ Businesses395

Stores

4.5 Million

25,000

4.9 Million

4.03 Million

105k trans

40 Million

40+70 Million~ $758 Mil

33 locations

650k -

2010

76,000

670,000 1900 locations

145 Million

20,000

3 Million

35,000

60,000 alerts

990,000

56 Mil

550,000

TBD

Citigroup, E*Trade Financial

Corp., Regions Financial

Crop, HSBC Holdings and

ADP

?????

?


10

What is Coming

• Statistics showing prevalence of weaponized document attacks as top threat in 4th quarter of 2015.


11

Why we should care

Mandiant M-Trends 2016 Report• Numbers always tell a story, but it’s the interpretation of those numbers

that holds the real value. The median number of days an organization was compromised in 2015 before the organization discovered the breach (or was notified about the breach) was 146. This continues a positive improvement since we first measured 416 days in 2012. Additionally, the median number was 205 days in 2014, which means we witnessed a drop of more than 50 days in 2015! Obviously, as an industry, we are getting better at detecting breaches. On a positive note, companies that detected the breach on their own had a median number of 56 days compromised. The takeaway is that we are getting better as an industry, but there is still work left to do!

• 2012 – 416 days MTTD

• 2014 – 205 days MTTD

• 2015 – 146 days MTTD

• 2015 – 56 days MTTD for companies that detected it themselves


12

Who is catching it?


Mandiant M-Trends 2016 Report

13

Compromise to Discovery


Mandiant M-Trends 2016 Report

14

Why should we care?

Let’s take a look at

real hacks caught in action

In order to understand

why we need to log things


15

An attack in the raw logs


16

Commodity malware in the raw logs

16MalwareArchaeology.com

17

Catch PowerShell Logging bypass

17

• These were 2015 Dridex payloads


18

You could catch a Crypto event


19

A walk through of Winnti

Winter 2014 campaign


20

Winnti – A campaign against the Gaming industry

• Kaspersky was the first to report on Winnti

• Then came the publically released report in 2013


• Followed up in 2014 with another wave of attacks

• Now the group is expanding

• Kaspersky Report– http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-

130410.pdf

• Novetta did a Winnti Analysis– https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf

21

Like all malware.. It and they evolve• First gaming

• Then Telecoms and BIG Pharma

• Now So. Korea, UK & Russia businesses

• We must learn and evolve with them


22

The Malware Infection

22

Malware Launch

Hiding malware

in the Registry

Modify Service


23

Escalate permission – obvious NOT your admin

23

Check the Service used

Modify Permissions

Push out malware using CMD Shell & CScript


24

Command Line logging is Priority #1

24

Update Registry

Change Registry Permissions

Change permissions on files


25

Bad behavior becomes obvious

25

Doing Recon

Going after Terminal Services

Query Users


26

You can even capture their Credentials

26

Caught THEIR

Credentials!


27

With what we have just seen

What can we do with logs?


28

More than you would have ever guessed!

•Not only detect retail PoS malware (BackOff) that hit Target, Neiman Marcus and Michael’s

•Government sponsored malware like Regin, Cleaver, Stuxnet, Duqu, Flamer, etc.

•Yes, even the really bad stuff like Winnti, well good stuff to me ;-)

•You can lower your MTTD to days if not hours

• IF... you know what to look for


29

Malware Management

• Read reports from analysts, IR firms and presentations like this

• Use the data in these reports, pull out the artifacts

• Tweak your defenses

• Lather – Rinse – Repeat

• Long list of reports at MalwareArchaeology.com

• Details found at MalwareManagementFramework.org

• Send me links to reports and your thoughts


30

Improve Security with Endpoint Data

• Great coverage with 10 events per system, not 60,000 alerts like we heard the retailers had

• If you get 10, then 20, then 30 alerts… you should be kicking into Incident Response mode

• Of course there are more, but this is where to start


31

The Windows Logging Cheat Sheet

• 6 pages on Windows Logging

• Details on how configure Windows logging and auditing

• Found at:• MalwareArchaeology.com

Also…

• Windows Splunk Logging Cheat Sheet

• Windows File Auditing Cheat Sheet

• Windows Registry Auditing Cheat Sheet


32

The 10 Windows Event ID’s everyone must monitor and

alert on


33

The Ten Command-lets

1. 4688 - New Process – Look for the obvious malicious executables like cscript.exe, sysprep.exe, nmap.exe, nbtstat.exe, netstat.exe, ssh.exe, psexec.exe, psexecsvc.exe, ipconfig.exe, ping.exe OR powershell.exe (SET, MetaSploit) Of course, new odd .exe’s

2. 4624 - Some account logged in. What is normal?

3. 5140 - A share was accessed. They most likely connected to the C$ share.

4. 5156 – Windows Firewall Network connection by process. Can see the process connecting to an IP that you can use GEOIP to resolve Country, Region and City.

5. 7040 - A new service has changed. Static systems don't change details of services

6. 7045 - A new service is installed. Static systems don't get new services except at patch time and new installs.

7. 4663 - File auditing must be enabled on directories you want to monitor.

8. 4657 – Registry auditing will give more Registry details than 4663 for Regitems

9. 501 – PowerShell execution

10. 4104 – PowerShell Scriptblock module loading


34

Steps you will need to take

34

• Enable Advanced Audit Policy in Windows

• The “Windows Logging Cheat Sheet”

• Audit Process Creation = Success 4688

• Audit Logon = Success & Failure 4624 & 4625

• Audit File Share = Success 5140

• Audit File System = Success 4663

• Audit Registry = Success 4657

• Audit Filtering Platform Connection = Success 5156 (Any/Any min)

• Services already captured by System Log 7045 & 7040

• Enable and Configure to capture • Process Command Line

• The #1 thing that will catch the nefarious ne’er-do-wellers


35

Enable Command Line Logging


36

Windows 7 thru 2012 (Win 10 too)

"Include command line in process creation events“

• http://technet.microsoft.com/en-us/library/dn535776.aspx

1. You must have the patch for MS15-015 (KB3031432) for Win 7 and Win 2008, From Feb 2015

2. Registry Key tweak for all versions• Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit

• ProcessCreationIncludeCmdLine_Enabled

• to DWORD - 1


37

And you will see this added to your logs

37

• Only a fraction more data

• Most valuable thing to log

Additional context is important

to identify abnormal behavior


38

PowerShell – Command Line

Windows PowerShell Log: Event ID 501

Details on setting PowerShell Preference variables

• http://technet.microsoft.com/en-us/library/hh847796.aspx

1. You MUST have a default Profile for all users:

• C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1

2. Add these to your default profile.ps1 file

• $LogCommandHealthEvent = $true

• $LogCommandLifecycleEvent = $true

3. Upgrade PowerShell to version 4

• Investigating PowerShell Attacks (DefCon & Blackhat 2014)

• Ryan Kazanciyan TECHNICAL DIRECTOR, MANDIANT

• Matt Hastings CONSULTANT, MANDIANT


39

PowerShell – Script Block Module loading

Microsoft-Windows -PowerShell/Operational Log:

• Event ID 4104

Details on setting PowerShell Script Block and Module logging

• http://technet.microsoft.com/en-us/library/hh847796.aspx

1. Add these Registry keys Windows 8.1 Server 2012 and later, Sorry no Windows 7 or Win 2008 yet:

• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLoggingEnableModuleLogging = 1HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLoggingModuleNames = *

• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLoggingEnableScriptBlockLogging = 1

2. Windows Management Framework version 5 will add more

• FireEye article on the new capabilities• https://www.fireeye.com/blog/threat-

research/2016/02/greater_visibilityt.html


40

PowerShell Logging via GPO


41

PowerShell Transcripts

• You can also specify a transcript of all PowerShell commands executed which can be located locally or on a network share

• You can add these to your Log Management solution

• Add these Registry Keys:• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription EnableTranscription = 1

• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription EnableInvocationHeader = 1

• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription OutputDirectory = “” (Enter path. Empty = default)


42

Some tips to save on data that you collect with your

Log Management solution


43

Do’s and Don’ts

Reducing or excluding events (save on license)

• Event ID’s 4688 & 4689 (New Process Start/Stop) and 5156 & 5158 (Windows Firewall) will be the Top 4 Events in quantity!

• Storage and License required to gather all these events

• 4689 and 5158 CAN be excluded as least valuable that is 50% savings

• Do NOT exclude by EventID’s that you want, exclude them by the Message within the EventID

• I want 4688, but not splunk*.exe or googleupdate.exe, so exclude by New_Process_Name to reduce normal noise

• I want 5156, but not things that are normal to execute, so exclude by Application_Name


44

A sample query using Splunk for the #1 alert that ALL Log

Management solutions shouldMUST have


45

4688 (New Process Started)

You can add any or all Windows Admin Utilities

in \System32 or \SysWOW64

• index=windows source="WinEventLog:Security" (EventCode=4688) NOT (Account_Name=*$) =*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\\net.exe OR reg.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | eval Message=split(Message,".") | evalShort_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message


46

New Process Information in Splunk - Normal


47

New Process to Catch the PowerShell bypass

• index=windows source="WinEventLog:Security" (EventCode=4688) (powershell* AND -ExecutionPolicy) OR (powershell* AND bypass) OR (powershell* AND -noprofile) | eval Message=split(Message,".") | evalShort_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message

• CRITICAL ALERT !!! Catch malware using PowerShell and executing a policy bypass


48

4688 (PowerShell bypass) results in Splunk


49

5156 (Win FW Connection)

Shows what process connecting to an IP

• index=windows LogName=Security EventCode=5156 NOT (Source_Address="239.255.255.250" OR Source_Address="224.0.0.*" OR Source_Address="::1" OR Source_Address="ff02::*" OR Source_Address="fe80::*" OR Source_Address="255.255.255.255" OR Source_Address=192.168.1.255) NOT (Destination_Address="127.0.0.1" OR Destination_Address="239.255.255.250" OR Destination_Address="*.*.*.255" OR Destination_Address="224.0.0.25*") NOT (Destination_Port="0") NOT (Application_Name=“\\icamsource\\" OR Application_Name="*\\bin\\splunkd.exe") | dedup Destination_AddressDestination_Port | table _time, host, Application_Name, Direction, Source_Address, Source_Port, Destination_Address, Destination_Port | sort Direction Destination_Port


50

5156 - CSV output for additional processing

50

Used to track BAD IP’s


51

Windows Firewall Logging

• Set to ANY/ANY mode if Windows Firewall not used. Filter out 5158 events as these are not needed

• Do NOT disable in Root OU, put lower so you can add and remove systems to the OU to apply this rule

• Of course enable the Win F/W everywhere and collect locally, there is no good reason not to

• Export to CSV for manual processing or (or use LOG-MD)

• Do WhoIS lookup to resolve the Company, Country, etc.

• Create a large Whitelist of good IP’s (lookup list)

• Exclude Browsers from one search. The list of IP’s will be much smaller for non browser executables talking to external IP’s


52

7045 (New Service added)

New Service has been added

• index=windows LogName=System EventCode=7045 NOT (Service_Name=tenable_mw_scan) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time host Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message

• This one alert would have caught EVERY retail PoS breach!


53

7045 (New Service added) – In Splunk


54

4663 (File Auditing) 4657 (Registry)

Filter out/exclude known good noise

• index=windows sourcetype=WinEventLog:Security EventCode=4663 NOT (Process_Name="*\\Windows\\servicing\\TrustedInstaller.exe" OR "*\\Windows\\System32\\poqexec.exe") NOT (Object_Name="*\\Users\\svc_acct\\pnp“ OR Object_Name="C:\\Users\\Surf\\AppData\\Local\\Google\\Chrome\\User Data*" NOT Object_Name="C:\\Users\\Surf\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations") NOT (Object_Name="C:\\Windows\\System32\\LogFiles\\*" OR Object_Name="*ProgramData\\Microsoft\\RAC\\*" OR Object_Name="*\\Microsoft\\Windows\\Explorer\\thumbcache*" OR Object_Name="*.MAP" OR Object_Name="*counters.dat" OR Object_Name="*\\Windows\\Gatherlogs\\SystemIndex\\*") | rename Process_Name as Created_By | table _time, host, Security_ID, Handle_ID, Object_Type, Object_Name, Process_ID, Created_By, Accesses


55

4663 (File/Reg Auditing) – In Splunk

55

Using LOG-MD we were able to enable and expand File and Registry auditing and use the results to

tweak the audit locations to reduce noise or events that are not needed, saving on license and storage

If it were not for LOG-MD testing, we would have never caught Dridex creating a key on shutdown and

deleting that key on startup for persistence.!

File and Registry auditing for shutdown and startup is VERY

powerful


56

File and Registry Auditing tips

Add this slowly and keep it simple or you will create a lot of noise

• Set via the GUI (Booo)

• Or use a PowerShell script, GPO, etc.

• Or by Security Policy file• Make one for each File and Registry, apply via GPO or locally with “secedit”

• Audit only for:• Files - WriteData (or AddFile), Create folders / append data, Change permissions,

Take ownership• Registry – Set Value, Delete, Write DAC, Write Owner are optional

• NEW is what we want... Malware needs to be added

• Start with simple items like Run Keys, Firewall policy, keys that are HIGH value

• Remember there are 2 Cheat Sheets to help you with this• “Windows File Auditing Cheat Sheet”

• “Windows Registry Auditing Cheat Sheet”


57

Other valuable queries

Add these to the list

• EventID 106 – New Scheduled job

• EventID 2004, 2005, 2006 – Windows Firewall rule added, modified or deleted

• Exchange by Subject• Use to find who received a reported Phishing email

• Network logs by known Bad IP• Who visited a known Bad IP (you populate) that you discover in malware

analysis or triggered logs mentioned in previous slides


58

Other logging improvements

• Of course LOG-MD to help you refine your logging and expand it.• Also great for IR tasks, lots of other features

• Sysinternals – SYSMON• Module loading (.EXE, DLL, SYS)

• Provides Hashes of files

• Networks connections like Win FW 5156

• Windows Logging Service (WLS)• Agent to replace your logging agent

• Provides Hashes of files

• Provides some WMI and PowerShell execution

• Replaces the need for SYSMON


59

The Windows Splunk Cheat Sheet

Just for you• All the queries in this preso and a few more

• Some tips about filtering

• Found at:• MalwareArchaeology.com


60

Resources

Websites• MalwareArchaeology.com

• Cheat Sheets

• Malware Reports

• Log-MD.com• Log and Malicious Discovery tool

• Malware Analysis Report links too• To start your Malware Management program


61

Questions?

You can find me at:• MalwareArchaeology.com

• MalwareManagementFramework.org

• HackerHurricane.com (blog)

• @HackerHurricane

• Log-MD.com

• http://www.slideshare.net

• Search for MalwareArchaeology


62

We Value Your Feedback

Please take a moment to complete the brief session survey

inside of the app, and you’ll receive extra points!

The top 10 windows logs event id's used v1.0

Technology

Transcript of The top 10 windows logs event id's used v1.0