Spotting the Adversary with Windows Event Log Monitoring

More documents

Recommendations

Info

The above command will get the publisher (gp/get-publisher), obtain information on events that the publisher uses, and produce readable messages for each event. This command can be applied to any publisher to obtain a list of all their events. The mapping of security event IDs between Windows XP and the latest versions of Windows can be revealed by a simple addition or subtraction of 4096 10 /0x1000 16 . [67] This rule is not applicable to events dealing with successful and failed logons. [67] 7.3 Windows Remote Management Versions There have been four versions of WinRM since its introduction in Windows Server 2003 R2. The following table correlates WinRM version to Windows operating system version. [68] Version Support WinRM 0.5 Windows Server 2003 R2 * WinRM 1.0 Windows Vista WinRM 1.1 Windows Vista SP1 Windows Server 2008 Windows Server 2003 SP1 ** Windows Server 2003 SP2 ** Windows Server 2003 R2 ** Windows XP SP2 ** WinRM 2.0 Windows 7 Windows Server 2008 R2 Windows Server 2008 SP1 *** WinRM 3.0 Windows Server 2008 SP2 *** Windows Vista SP1 *** Windows Vista SP2 *** Windows XP SP3 *** Windows 8 Windows 7 SP1 **** Windows Server 2008 SP1 **** Windows Server 2008 SP2 **** Table 20: WinRM Version Correlation * = Installed from the Add/Remove System Components feature within the Hardware Management feature ** = Install WS-Management v1.1. [69] *** = Installed as part of the Windows Management Framework Core package. [70][71] This update requires at least Microsoft .NET Framework 2.0 Service Pack 1. [72] **** = Installed as part of Windows Management Framework 3.0. This update requires at least Microsoft .NET Framework 4.0. [73] Installation packages for WinRM can be found in knowledge base articles, shown below. 67 http://blogs.msdn.com/b/ericfitz/archive/2009/06/10/mapping-pre-vista-security-events-ids-to-security-events-ids-in-vista.aspx 68 http://technet.microsoft.com/en-us/library/ff520073(v=ws.10).aspx 69 https://www.microsoft.com/en-us/download/details.aspx?id=21900 70 https://www.microsoft.com/en-us/download/details.aspx?id=9864 71 https://www.microsoft.com/en-us/download/details.aspx?id=16818 72 https://www.microsoft.com/en-us/download/details.aspx?id=16614 73 https://www.microsoft.com/en-us/download/details.aspx?id=34595 51
WinRM Version (KB#) Supported OS KB URIs WinRM 1.1 (KB936059) Windows Server 2003 SP1 http://support.microsoft.com/kb/936059 + Windows Server 2003 SP2 Windows XP SP2 Windows XP SP3* WinRM 2.0 (KB968930) Windows Server 2003 SP2 Windows Server 2008 Windows Server 2008 SP2 Windows Vista SP1 Windows Vista SP2 Windows XP SP2* Windows XP SP3 http://support.microsoft.com/kb/968930 + * Requires Microsoft Windows Installer 3.1 * Requires .NET Framework 2.0 SP1 WinRM 3.0 (KB2506146) Windows 7 SP1 Windows Server R1 SP1 Windows Server 2008 SP2 Table 21: WinRM Version Update URLs http://support.microsoft.com/kb/2506146 + * Requires .NET Framework 4.0 * Update comes with Release Notes Microsoft published a knowledge base article (KB936059) [74] and an update for WinRM 1.1. [75] The knowledge base article offers additional post-installation information to the update that is not mentioned in this document. The actual update can be applied to Windows XP SP2, Windows Server 2003 SP1, Windows Server 2003 SP2, and Windows 2003 Server R2. 7.4 WinRM 2.0 Configuration Settings The quick configuration option of WinRM uses the following default configuration settings on Windows Server 2008 R2. [26][76] Default values of WinRM configuration settings are shown and referenced in this document for convenience. [26] The following WinRM command displays the configuration setting of WinRM winrm get winrm/config It produces the following example output: 74 http://support.microsoft.com/kb/936059 75 https://www.microsoft.com/en-us/download/details.aspx?id=21900 76 ([MS-WSMV]: Web Services Management Protocol Extensions for Windows Vista, 2012) 52
Page 1 and 2:
National Security Agency/Central Se
Page 3 and 4:
List of Figures Figure 1: Creating
Page 5 and 6: Disclaimer This Guide is provided "
Page 7 and 8: Initiated (pull) or Source-Initiate
Page 9 and 10: updates. A batch script is provided
Page 11 and 12: The compatibility listener binds Wi
Page 13 and 14: The Event Delivery Optimization opt
Page 15 and 16: The logging of cryptographic activi
Page 17 and 18: The WinRM service can be found by n
Page 19 and 20: Figure 10: Enable SubscriptionManag
Page 21 and 22: 3. Select Browse… and enter NETWO
Page 23 and 24: Figure 12: GPO Inbound Firewall Rul
Page 25 and 26: 3. In the Show Contents windows, en
Page 27 and 28: 1. Open Services MMC snap-in 2. Rig
Page 29 and 30: 3.1.1 Basic Authentication The clie
Page 31 and 32: Accessing each source to manually c
Page 33 and 34: To configure a WinRM service to run
Page 35 and 36: Windows 7 Windows Service Fails or
Page 37 and 38: ID Level Event Log Event Source Eve
Page 39 and 40: Detected an invalid image hash of a
Page 41 and 42: The XPath queries below are used fo
Page 43 and 44: Controllers group. This subscriptio
Page 45 and 46: The Enabled registry value should h
Page 47 and 48: Windows Kernel Driver Errors (Kerne
Page 49 and 50: User Account Added to Privileged Gr
Page 51 and 52: LogDel SourceInitiated Windows Fire
Page 53 and 54: XP_SysLogsErr SourceInitiated Windo
Page 55: Microsoft’s Events and Errors Mes
Page 59 and 60: Parameters MaxEnvelopeSizekb MaxTim
Page 61 and 62: EnableCompatibilityHttpsListener Se
Page 63 and 64: @ECHO OFF SETLOCAL SETLOCAL ENABLED
Page 65 and 66: O: Owner_SID G: Group_SID D: DACL_F
Page 67 and 68: Generally, WinRM produces an error
Page 69 and 70: Failed to open subscription. Error
Page 71 and 72: When a WinRM connection arrives on
show all

Spotting the Adversary with Windows Event Log Monitoring

Create successful ePaper yourself

Delete template?

Save as template?