Spotting the Adversary with Windows Event Log Monitoring

More documents

Recommendations

Info

Config MaxEnvelopeSizekb = 150 MaxTimeoutms = 60000 MaxBatchItems = 32000 MaxProviderRequests = 4294967295 Client NetworkDelayms = 5000 URLPrefix = wsman AllowUnencrypted = false Auth Basic = true Digest = true Kerberos = true Negotiate = true Certificate = true CredSSP = false DefaultPorts HTTP = 5985 HTTPS = 5986 TrustedHosts Service RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD) MaxConcurrentOperations = 4294967295 MaxConcurrentOperationsPerUser = 15 EnumerationTimeoutms = 60000 MaxConnections = 25 MaxPacketRetrievalTimeSeconds = 120 AllowUnencrypted = false Auth Basic = false Kerberos = true Negotiate = true Certificate = false CredSSP = false CbtHardeningLevel = Relaxed DefaultPorts HTTP = 5985 HTTPS = 5986 IPv4Filter = * IPv6Filter = * EnableCompatibilityHttpListener = false EnableCompatibilityHttpsListener = false CertificateThumbprint Winrs AllowRemoteShellAccess = true IdleTimeout = 180000 MaxConcurrentUsers = 5 MaxShellRunTime = 2147483647 MaxProcessesPerShell = 15 MaxMemoryPerShellMB = 150 MaxShellsPerUser = 5 Each of field of the above output is described in the following sections. 7.4.1 Protocol Settings These settings are configurable options for the WS-Management protocol used by WinRM. 53
Parameters MaxEnvelopeSizekb MaxTimeoutms MaxBatchItems MaxProviderRequests Description The Simple Object Access Protocol (SOAP) data size has maximum in kilobytes Default is 150 kilobytes Each push request (not pull) has a maximum timeout. This value is in milliseconds. Default is 60000ms (60 seconds) The limit of elements used in a pull response. Default for WinRM 1.1 and earlier: 20 Default for WinRM 2.0: 32000 The limit on concurrent requests. Default for WinRM 1.1 and earlier: 25 Default for WinRM 2.0: Unsupported/Undefined Table 22: Protocol Settings 7.4.2 Client Configuration The following parameters configures on how the WinRM client operates. Parameters NetworkDelayms URLPrefix AllowUnencrypted Description A time buffer for the client computer to wait in milliseconds. Default WinRM 1.1 and earlier: 5000 Default WinRM 2.0: 5000 The type of URLPrefix used on request for HTTP or HTTPS requests. Default WinRM 1.1 and earlier: wsman Default WinRM 2.0: wsman Clients are allowed to request unencrypted traffic. Default WinRM 1.1 and earlier: false Default WinRM 2.0: false Auth Specifies which authentication method is allowed for the client computer DefaultPorts Default WinRM 1.1 and earlier: HTTP = 80, HTTPS = 443 Default WinRM 2.0: HTTP = 5985, HTTPS = 5986 TrustedHosts These trusted hosts do not need to be authenticated. Table 23: WinRM Client Configuration 7.4.3 WinRM Service 54
Page 1 and 2:
National Security Agency/Central Se
Page 3 and 4:
List of Figures Figure 1: Creating
Page 5 and 6:
Disclaimer This Guide is provided "
Page 7 and 8: Initiated (pull) or Source-Initiate
Page 9 and 10: updates. A batch script is provided
Page 11 and 12: The compatibility listener binds Wi
Page 13 and 14: The Event Delivery Optimization opt
Page 15 and 16: The logging of cryptographic activi
Page 17 and 18: The WinRM service can be found by n
Page 19 and 20: Figure 10: Enable SubscriptionManag
Page 21 and 22: 3. Select Browse… and enter NETWO
Page 23 and 24: Figure 12: GPO Inbound Firewall Rul
Page 25 and 26: 3. In the Show Contents windows, en
Page 27 and 28: 1. Open Services MMC snap-in 2. Rig
Page 29 and 30: 3.1.1 Basic Authentication The clie
Page 31 and 32: Accessing each source to manually c
Page 33 and 34: To configure a WinRM service to run
Page 35 and 36: Windows 7 Windows Service Fails or
Page 37 and 38: ID Level Event Log Event Source Eve
Page 39 and 40: Detected an invalid image hash of a
Page 41 and 42: The XPath queries below are used fo
Page 43 and 44: Controllers group. This subscriptio
Page 45 and 46: The Enabled registry value should h
Page 47 and 48: Windows Kernel Driver Errors (Kerne
Page 49 and 50: User Account Added to Privileged Gr
Page 51 and 52: LogDel SourceInitiated Windows Fire
Page 53 and 54: XP_SysLogsErr SourceInitiated Windo
Page 55 and 56: Microsoft’s Events and Errors Mes
Page 57: WinRM Version (KB#) Supported OS KB
Page 61 and 62: EnableCompatibilityHttpsListener Se
Page 63 and 64: @ECHO OFF SETLOCAL SETLOCAL ENABLED
Page 65 and 66: O: Owner_SID G: Group_SID D: DACL_F
Page 67 and 68: Generally, WinRM produces an error
Page 69 and 70: Failed to open subscription. Error
Page 71 and 72: When a WinRM connection arrives on
show all

Spotting the Adversary with Windows Event Log Monitoring

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?