Spotting the Adversary with Windows Event Log Monitoring

More documents

Recommendations

Info

3.1 WinRM Authentication Hardening Methods WinRM configuration is divided into two parts: service and client. The service configuration is used to manage the WinRM service that receives WS-Management requests from clients. [22] The following are acceptable methods used to authenticate with WinRM: [23] Basic Authentication Digest Authentication Credential Security Support Provider (CredSSP) Negotiate Authentication Kerberos Authentication Client Certificate-based Authentication Channel Binding Token The authentication methods for the WinRM client and service can be located by navigating to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM). WinRM Service and WinRM Client authentication methods are respectively shown in Figure 21 and Figure 22. The client has the option to set Digest Authentication, while the service does not. Additionally, the service can allow hardening of WinRM TLS connections using channel binding tokens. Figure 21: WinRM Service Authentication Policies Figure 22: WinRM Client Authentication Policies The Allow unencrypted traffic policy is not part of authentication. Default value for both Client and Service configuration: Disabled Setting this policy to Disabled is recommended. 22 http://technet.microsoft.com/en-us/library/cc775103(v=ws.10).aspx 23 http://msdn.microsoft.com/en-us/library/windows/desktop/aa384372(v=vs.85).apsx 23
3.1.1 Basic Authentication The client can use basic authentication to communicate with a WinRM service. Setting the Allow Basic authentication to Disabled is recommended. Default Client Configuration: True Default Service Configuration: False Setting both to False is recommended. 3.1.2 Digest Authentication This mode of authentication is a challenge-response scheme. The client will initiate the request and in response, the server will send a server-specified token string to the client. After the token string has been received, the client will append the resource request with the username of the client, the hash of the username’s password, and the token string to the response message. [23] This method of authentication is abused by attackers using a technique called Pass the Hash. Pass the Hash is a way for an attacker to use the password hashes to authenticate as the user without ever discovering the user’s actual password. [24] The WinRM service does not accept digest authentication as shown in Figure 21. [25][26] Default Service Configuration: Not Applicable Default Client Configuration: True Setting the client configuration to False is recommended. Setting the Disallow Digest Authentication policy to Enabled is recommended. 3.1.3 Credential Security Support Provider Credential Security Support Provider (CredSSP) provides a secure way to delegate a user’s credentials from a client to a target server. [23][27][28] The SSP provides the capability of Single Sign-on (SSO) in Terminal Services sessions. [28] This option is only available for WinRM 2.0. Setting the Allow CredSSP authentication policy to Disabled is recommended. Default Client Configuration: False Default Service Configuration: False Setting both to False is recommended. 24 http://computer-forensics.sans.org/blog/2012/03/09/protecting-privileged-domain-accounts-disabling-encrypted-passwords 25 http://msdn.microsoft.com/en-us/library/windows/desktop/aa384295(v=vs.85).aspx 26 http://msdn.microsoft.com/en-us/library/windows/desktop/aa384372(v=vs.85).aspx 27 ([MS-CSSP]:Credential Security Support Provider (CredSSP) Procotol) 28 http://technet.microsoft.com/en-us/library/cc749211(WS.10).aspx 24
Page 1 and 2: National Security Agency/Central Se
Page 3 and 4: List of Figures Figure 1: Creating
Page 5 and 6: Disclaimer This Guide is provided "
Page 7 and 8: Initiated (pull) or Source-Initiate
Page 9 and 10: updates. A batch script is provided
Page 11 and 12: The compatibility listener binds Wi
Page 13 and 14: The Event Delivery Optimization opt
Page 15 and 16: The logging of cryptographic activi
Page 17 and 18: The WinRM service can be found by n
Page 19 and 20: Figure 10: Enable SubscriptionManag
Page 21 and 22: 3. Select Browse… and enter NETWO
Page 23 and 24: Figure 12: GPO Inbound Firewall Rul
Page 25 and 26: 3. In the Show Contents windows, en
Page 27: 1. Open Services MMC snap-in 2. Rig
Page 31 and 32: Accessing each source to manually c
Page 33 and 34: To configure a WinRM service to run
Page 35 and 36: Windows 7 Windows Service Fails or
Page 37 and 38: ID Level Event Log Event Source Eve
Page 39 and 40: Detected an invalid image hash of a
Page 41 and 42: The XPath queries below are used fo
Page 43 and 44: Controllers group. This subscriptio
Page 45 and 46: The Enabled registry value should h
Page 47 and 48: Windows Kernel Driver Errors (Kerne
Page 49 and 50: User Account Added to Privileged Gr
Page 51 and 52: LogDel SourceInitiated Windows Fire
Page 53 and 54: XP_SysLogsErr SourceInitiated Windo
Page 55 and 56: Microsoft’s Events and Errors Mes
Page 57 and 58: WinRM Version (KB#) Supported OS KB
Page 59 and 60: Parameters MaxEnvelopeSizekb MaxTim
Page 61 and 62: EnableCompatibilityHttpsListener Se
Page 63 and 64: @ECHO OFF SETLOCAL SETLOCAL ENABLED
Page 65 and 66: O: Owner_SID G: Group_SID D: DACL_F
Page 67 and 68: Generally, WinRM produces an error
Page 69 and 70: Failed to open subscription. Error
Page 71 and 72: When a WinRM connection arrives on

Spotting the Adversary with Windows Event Log Monitoring

Create successful ePaper yourself

Delete template?

Save as template?