Spotting the Adversary with Windows Event Log Monitoring

More documents

Recommendations

Info

netsh advfirewall firewall set rule name=”Windows Remote Management (HTTP-In)” new enable=yes If an error message “A specific value is not valid” appears, verify the rule’s name. The alternative approach is to enter the netsh context, followed by the advfirewall context, and the firewall context. In the firewall context, repeat the command for the specific rule. 2.6.2 Source Firewall When WinRM is executed with the quickconfig option, it creates a default firewall rule that allows inbound WinRM traffic. The firewall rule automatically sets the required port (80 or 5985) depending on the WinRM version. Configuring WinRM locally on sources is discouraged as using Group Policy is more manageable. 2.6.2.1 WinRM 2.0 Sources using WinRM 2.0 require that port 5985 is allowed through the firewall. The predefined rule Windows Remote Management (HTTP-In) should only be enabled on a computer using WinRM 2.0. The steps for enabling the firewall rule via GPO for the sources can be done by following the Windows Firewall with Advanced Security Group Policy section. This rule should be applied to Windows Vista and beyond as it uses Windows Firewall with Advanced Security. WinRM firewall rule for Windows XP sources are detailed in the Windows XP WinRM 2.0 Clients section. Figure 17: Predefined Rule for WinRM 2.0 Once the WinRM firewall rule is enabled, update the group policy changes using gpupdate. Events should be populating the collector’s log. If no events are received, then troubleshooting techniques are provided in the Troubleshooting section. 2.6.2.2 Windows XP WinRM 2.0 Clients Windows Firewall consists of two profiles: Domain and Standard. [19] The Domain Profile policy does not provide a graphical advantage for configuring firewall rules. Expand Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile. To enable WinRM firewall rules: 1. Select Windows Firewall: Define inbound port exceptions policy 2. Select Enabled and click Show… A port exception needs to be manually inserted. The syntax of the port exception is Port:Transport:Scope:Status:Name as detailed in the policy. Port specifies the targeted port in which this rule applies. The transport rule specifies TCP or UDP. The scope details the IP address (or any IP with ‘*’) that can connect to the port. Status indicates if the rule is enabled or disabled. Name is used to set a name for the rule. 19 http://technet.microsoft.com/en-us/library/bb490626.aspx 19
3. In the Show Contents windows, enter 5985:TCP:*:Enabled:Windows Remote Management 4. Click OK and click OK On the client, this rule will be enabled and allow any connection to port 5985 using TCP. 2.7 Restricting WinRM Access The default rules permit connections from any IP address to the specific WinRM port. An attacker who has presence on a network can possibly move laterally between machines and servers by accessing WinRM services. Mitigation to this attack is customizing the predefined rules to only allow connections between collectors and sources. A policy for specifying the IP scope for both source and collector machine is discussed in this section. These configurations apply to the WinRM predefined firewall rules under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules. 2.7.1 Source Firewall Modifications To enable WinRM firewall rules on the sources: 1. Right-click the predefined WinRM firewall rule and select Properties 2. Navigate to the Scope tab 3. In the Remote IP Address area and select the These IP addresses option 4. Click the Add… button 5. Select the This IP address or subnet option and enter the IP address of the collector 6. Click OK Figure 18: Adding Selective IP addresses Figure 19: Add IP of Event Collector Configuring a whitelist, which accepts WinRM traffic only from the collector, is recommended. 2.7.1.1 Windows XP Source Firewall Modifications The procedures are identical to the Windows XP WinRM 2.0 Clients section with the exception that the scope uses the IP of the collector. For example, assume the IP of the collector is 192.168.1.2. The port exception rule must be as follows: 20
Page 1 and 2: National Security Agency/Central Se
Page 3 and 4: List of Figures Figure 1: Creating
Page 5 and 6: Disclaimer This Guide is provided "
Page 7 and 8: Initiated (pull) or Source-Initiate
Page 9 and 10: updates. A batch script is provided
Page 11 and 12: The compatibility listener binds Wi
Page 13 and 14: The Event Delivery Optimization opt
Page 15 and 16: The logging of cryptographic activi
Page 17 and 18: The WinRM service can be found by n
Page 19 and 20: Figure 10: Enable SubscriptionManag
Page 21 and 22: 3. Select Browse… and enter NETWO
Page 23: Figure 12: GPO Inbound Firewall Rul
Page 27 and 28: 1. Open Services MMC snap-in 2. Rig
Page 29 and 30: 3.1.1 Basic Authentication The clie
Page 31 and 32: Accessing each source to manually c
Page 33 and 34: To configure a WinRM service to run
Page 35 and 36: Windows 7 Windows Service Fails or
Page 37 and 38: ID Level Event Log Event Source Eve
Page 39 and 40: Detected an invalid image hash of a
Page 41 and 42: The XPath queries below are used fo
Page 43 and 44: Controllers group. This subscriptio
Page 45 and 46: The Enabled registry value should h
Page 47 and 48: Windows Kernel Driver Errors (Kerne
Page 49 and 50: User Account Added to Privileged Gr
Page 51 and 52: LogDel SourceInitiated Windows Fire
Page 53 and 54: XP_SysLogsErr SourceInitiated Windo
Page 55 and 56: Microsoft’s Events and Errors Mes
Page 57 and 58: WinRM Version (KB#) Supported OS KB
Page 59 and 60: Parameters MaxEnvelopeSizekb MaxTim
Page 61 and 62: EnableCompatibilityHttpsListener Se
Page 63 and 64: @ECHO OFF SETLOCAL SETLOCAL ENABLED
Page 65 and 66: O: Owner_SID G: Group_SID D: DACL_F
Page 67 and 68: Generally, WinRM produces an error
Page 69 and 70: Failed to open subscription. Error
Page 71 and 72: When a WinRM connection arrives on

Spotting the Adversary with Windows Event Log Monitoring

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?