Spotting the Adversary with Windows Event Log Monitoring

More documents

Recommendations

Info

Windows 7 ID Level Event Log Event Source AppLocker Block 8004 Error Application Microsoft-Windows-AppLocker SRP Block 865 Warning Application Microsoft-Windows-SoftwareRestrictionPolices Table 4: Windows 7 Whilelisting Events Windows XP ID Type Event Log Event Source SRP Block 865 Warning Application Software Restriction Policies Table 5: Windows XP Whitelisting Events 4.2 Application Crashes Application crashes may warrant investigation to determine if the crash is malicious or benign. Categories of crashes include Blue Screen of Death (BSOD), Windows Error Reporting (WER), Application Crash and Application Hang events. If the organization is actively using the Microsoft Enhanced Mitigation Experience Toolkit (EMET), then EMET logs can also be collected. Windows 7 ID Level Event Log Event Source App Error 1000 Error Application Application Error App Hang 1002 Error Application Application Hang BSOD 1000,1001 Error System Microsoft-Windows-WER- SystemErrorReporting WER 1001 Informational Application Windows Error Reporting EMET 1 2 Warning Error Application Application EMET Windows XP Table 6: Windows 7 Application Events ID Type Event Log Event Source App Error 1000,1004 Error Application Application Error App Hang 1002 Error Application Application Hang BSOD 1003 1001 Error Informational System System Error Save Dump WER 4097 Informational Application DrWatson EMET 1 Warning Application EMET 2 Error Application Table 7: Windows XP Application Events 4.3 System or Service Failures System and Services failures are interesting events that may need to be investigated. Service operations normally do not fail. If a service fails, then it may be of concern and should be reviewed by an administrator. If a Windows service continues to fail over and over on the same machines, then this may indicate that an attacker is targeting a service. 29
Windows 7 Windows Service Fails or Crashes Windows Update Failed Hotpatching Failed DCOM invalid permission ID Level Event Log Event Source 7000, 7001, Error System Service Control 7022, 7023, Manager 7024, 7026, 7031, 7032, 7034 25,31 Error Microsoft-Windows- WindowsUpdateClient/Op erational Microsoft-Windows- WindowsUpdateClient 1009 Informational Setup Microsoft-Windows- Servicing 10016 Error System Microsoft-Windows- DistributedCOM Table 8: Windows 7 System Events Windows XP Windows Service Fails or Crashes Windows Update Failed MSI Installation Failed DCOM invalid permission ID Type Event Log Event Source 7034 Error System Service Control Manager 20 Error System Windows Update Agent 11708 Informational Application MsiInstaller 11923 Error 10016 Error System DCOM Table 9: Windows XP System Events 4.4 Windows Firewall If client workstations are taking advantage of the built-in host-based Windows Firewall, then there is value in collecting events to track the firewall status. For example, if the firewall state changes from on to off, then that log should be collected. Windows 7 30
Page 1 and 2: National Security Agency/Central Se
Page 3 and 4: List of Figures Figure 1: Creating
Page 5 and 6: Disclaimer This Guide is provided "
Page 7 and 8: Initiated (pull) or Source-Initiate
Page 9 and 10: updates. A batch script is provided
Page 11 and 12: The compatibility listener binds Wi
Page 13 and 14: The Event Delivery Optimization opt
Page 15 and 16: The logging of cryptographic activi
Page 17 and 18: The WinRM service can be found by n
Page 19 and 20: Figure 10: Enable SubscriptionManag
Page 21 and 22: 3. Select Browse… and enter NETWO
Page 23 and 24: Figure 12: GPO Inbound Firewall Rul
Page 25 and 26: 3. In the Show Contents windows, en
Page 27 and 28: 1. Open Services MMC snap-in 2. Rig
Page 29 and 30: 3.1.1 Basic Authentication The clie
Page 31 and 32: Accessing each source to manually c
Page 33: To configure a WinRM service to run
Page 37 and 38: ID Level Event Log Event Source Eve
Page 39 and 40: Detected an invalid image hash of a
Page 41 and 42: The XPath queries below are used fo
Page 43 and 44: Controllers group. This subscriptio
Page 45 and 46: The Enabled registry value should h
Page 47 and 48: Windows Kernel Driver Errors (Kerne
Page 49 and 50: User Account Added to Privileged Gr
Page 51 and 52: LogDel SourceInitiated Windows Fire
Page 53 and 54: XP_SysLogsErr SourceInitiated Windo
Page 55 and 56: Microsoft’s Events and Errors Mes
Page 57 and 58: WinRM Version (KB#) Supported OS KB
Page 59 and 60: Parameters MaxEnvelopeSizekb MaxTim
Page 61 and 62: EnableCompatibilityHttpsListener Se
Page 63 and 64: @ECHO OFF SETLOCAL SETLOCAL ENABLED
Page 65 and 66: O: Owner_SID G: Group_SID D: DACL_F
Page 67 and 68: Generally, WinRM produces an error
Page 69 and 70: Failed to open subscription. Error
Page 71 and 72: When a WinRM connection arrives on

Spotting the Adversary with Windows Event Log Monitoring

Create successful ePaper yourself

Delete template?

Save as template?