Spotting the Adversary with Windows Event Log Monitoring

More documents

Recommendations

Info

Figure 8: Enabling WinRM listeners Figure 9: WinRM listener's IP Filter Options Within the Allow automatic configurations of listeners dialog, the IPv4/IPv6 filter values should be set to *. This ensures that WinRM starts running and listens on the “any” IP address (IPv4 is 0.0.0.0 and IPv6 is “::”) for both protocols. The IPv6 filter is not required to enable a WinRM listener. Enabling an IPv6 listener is an administrative decision. The WinRM service only listens on an IPv4 address when no IPv6 address (or *) is supplied for the filter. 2.4.3 Enabling Event Forwarding Policy The source needs to be configured to forward events to the targeted subscription manager. The subscription manager (collector) hosts all the subscriptions created on the collector. The source needs to contact the manager to retrieve the list of subscriptions. These subscriptions specify the events to forward. Once the source gathers all the events pertaining to these subscriptions, the events will be delivered to the collector. The Configure the server address, refresh interval, and issuer certificate authority of a target policy sets the configuration settings on how to communicate with the collector. This policy sets the collector’s internet address, how often to send events to the collector, and a thumbprint of the client’s certificate if using HTTPS. This policy must be enabled to forward events. Event Forwarding is the main component for enabling event monitoring in an enterprise. Event Forwarding policies can be located by navigating to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding. To enable Event Forwarding: 1. Set the Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager policy to Enabled 2. Click the Show… button 13
Figure 10: Enable SubscriptionManager The SubscriptionManagers dialog has several options that can be set to configure event forwarding. The only requirement of this policy is to set the Server option. Any additional options can be omitted. The syntax of SubscriptionManagers value is: Server=[http|https]://HOSTNAME[:PORT][/wsman/SubscriptionManager/WEC[,Refresh=SEC ONDS][,IssuerCA=THUMBPRINT]] Each option for the SubscriptionManager is a comma delimited string containing the following parts: Server: FQDN or Hostname Refresh: The number of seconds to send events to the server IssuerCA: Thumbprint of the client authentication certificate [16] Figure 11 shows an example Subscription Manager value. The refresh interval should be determined by administrative requirements. Using the default refresh interval is recommended. In a network solely using WinRM 2.0, the Server option needs to specify port 5985, otherwise it will send traffic to port 80. Server=http://HOSTNAME:5985/wsman/SubscriptionManager/WEC When both WinRM 2.0 and WinRM 1.1 are intermixed and the collector has enabled compatibility mode, remove the explicit port from the Subscription Manager Uniform Resource Locator (URL). Server=http://HOSTNAME/wsman/SubscriptionManager/WEC 16 http://msdn.microsoft.com/en-us/library/bb870973(VS.85).aspx 14
Page 1 and 2: National Security Agency/Central Se
Page 3 and 4: List of Figures Figure 1: Creating
Page 5 and 6: Disclaimer This Guide is provided "
Page 7 and 8: Initiated (pull) or Source-Initiate
Page 9 and 10: updates. A batch script is provided
Page 11 and 12: The compatibility listener binds Wi
Page 13 and 14: The Event Delivery Optimization opt
Page 15 and 16: The logging of cryptographic activi
Page 17: The WinRM service can be found by n
Page 21 and 22: 3. Select Browse… and enter NETWO
Page 23 and 24: Figure 12: GPO Inbound Firewall Rul
Page 25 and 26: 3. In the Show Contents windows, en
Page 27 and 28: 1. Open Services MMC snap-in 2. Rig
Page 29 and 30: 3.1.1 Basic Authentication The clie
Page 31 and 32: Accessing each source to manually c
Page 33 and 34: To configure a WinRM service to run
Page 35 and 36: Windows 7 Windows Service Fails or
Page 37 and 38: ID Level Event Log Event Source Eve
Page 39 and 40: Detected an invalid image hash of a
Page 41 and 42: The XPath queries below are used fo
Page 43 and 44: Controllers group. This subscriptio
Page 45 and 46: The Enabled registry value should h
Page 47 and 48: Windows Kernel Driver Errors (Kerne
Page 49 and 50: User Account Added to Privileged Gr
Page 51 and 52: LogDel SourceInitiated Windows Fire
Page 53 and 54: XP_SysLogsErr SourceInitiated Windo
Page 55 and 56: Microsoft’s Events and Errors Mes
Page 57 and 58: WinRM Version (KB#) Supported OS KB
Page 59 and 60: Parameters MaxEnvelopeSizekb MaxTim
Page 61 and 62: EnableCompatibilityHttpsListener Se
Page 63 and 64: @ECHO OFF SETLOCAL SETLOCAL ENABLED
Page 65 and 66: O: Owner_SID G: Group_SID D: DACL_F
Page 67 and 68: Generally, WinRM produces an error
Page 69 and 70:
Failed to open subscription. Error
Page 71 and 72:
When a WinRM connection arrives on
show all

Spotting the Adversary with Windows Event Log Monitoring

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?