Spotting the Adversary with Windows Event Log Monitoring

More documents

Recommendations

Info

Parameters RootSDDL MaxConcurrentOperations MaxConcurrentOperationsPerUser EnumerationTimeoutms MaxConnections MaxPacketRetrievalTimeSeconds AllowUnencrypted Description The security descriptor for remotely accessing the listener Default WinRM 1.1 and earlier: O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD) Default WinRM 2.0: O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;ER)S:P(AU;FA;GA;;;WD) The maximum number of concurrent operations. Default WinRM 1.1 and earlier: 100 Default WinRM 2.0: replaced with MaxConcurrentOperationPerUser The limit of concurrent operation for each user on the same system. Default WinRM 1.1 and earlier: Not available Default WinRM 2.0: 15 The idle timeout between pull messages in milliseconds. Default WinRM 1.1 and earlier: 60000 Default WinRM 2.0: 60000 The maximum number of simultaneous active requests that can be processed. Default WinRM 1.1 and earlier: 5 Default WinRM 2.0: 25 The limit on the number of seconds to retrieve a packet. Default WinRM 1.1 and earlier: Not available Default WinRM 2.0: 120 Clients are allowed to request unencrypted traffic. Default WinRM 1.1 and earlier: false Default WinRM 2.0: false Auth Specifies which authentication method is allowed for the client computer. DefaultPorts Default WinRM 1.1 and earlier: HTTP = 80, HTTPS = 443 Default WinRM 2.0: HTTP = 5985, HTTPS = 5986 IPv(4/6) Filter The IP for the WinRM service to listen on. Default WinRM 1.1 and earlier: Any Default WinRM 2.0: Any EnableCompatibilityHttpListener Service listens on port 80 and port 5985. WinRM 1.1 and earlier: Not supported 55
EnableCompatibilityHttpsListener Service listens on port 443 and port 5986. CertificateThumbprint WinRM 1.1 and earlier: Not supported The certificate thumb print used for https. WinRM 1.1 and earlier: Not supported Table 24: WinRM Service 7.4.4 WinRS Windows Remote Shell (WinRS) is turned on by default. The recommendation is to disable it. Each of the parameters for WinRS will use the default value if no policy is configured. [77][26] Parameters AllowRemoteShellAccess IdleTimeout MaxConcurrentUsers MaxShellRunTime MaxProcessesPerShell MaxMemoryPerShellMB MaxShellsPerUser Description Permit remote shell access The time, in milliseconds, before a shell connection is terminated. Maximum number of users that can request shell access at one time Maximum duration, in milliseconds, that command can run for. This value is not configurable in WinRM 2.0. Maximum number of processes that a single shell can create. Maximum number of memory that a single shell can use. Maximum number of shells a user can create. Table 25: WinRS Configuration Settings 7.5 WinRM Registry Keys and Values Throughout this document, registry keys can be used for verification purposes only. Do not to modify any registry keys as this may cause unforeseen problems and possible system corruption. The registry keys and values below apply to both Windows XP and Windows 7 when configured using GPO. These keys are found by viewing the following GPO Administrative Template (ADM) files located at %WINDIR%\system32\GroupPolicy\Adm on Windows XP: Event Forwarding: EventForwarding.adm Windows Remote Management: windowsremotemanagement.adm Windows Remote Shell: WindowsRemoteShell.adm The policies registry keys appears once a Domain Controller configures WinRM via Group Policies. 77 http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx 56
Page 1 and 2:
National Security Agency/Central Se
Page 3 and 4:
List of Figures Figure 1: Creating
Page 5 and 6:
Disclaimer This Guide is provided "
Page 7 and 8:
Initiated (pull) or Source-Initiate
Page 9 and 10: updates. A batch script is provided
Page 11 and 12: The compatibility listener binds Wi
Page 13 and 14: The Event Delivery Optimization opt
Page 15 and 16: The logging of cryptographic activi
Page 17 and 18: The WinRM service can be found by n
Page 19 and 20: Figure 10: Enable SubscriptionManag
Page 21 and 22: 3. Select Browse… and enter NETWO
Page 23 and 24: Figure 12: GPO Inbound Firewall Rul
Page 25 and 26: 3. In the Show Contents windows, en
Page 27 and 28: 1. Open Services MMC snap-in 2. Rig
Page 29 and 30: 3.1.1 Basic Authentication The clie
Page 31 and 32: Accessing each source to manually c
Page 33 and 34: To configure a WinRM service to run
Page 35 and 36: Windows 7 Windows Service Fails or
Page 37 and 38: ID Level Event Log Event Source Eve
Page 39 and 40: Detected an invalid image hash of a
Page 41 and 42: The XPath queries below are used fo
Page 43 and 44: Controllers group. This subscriptio
Page 45 and 46: The Enabled registry value should h
Page 47 and 48: Windows Kernel Driver Errors (Kerne
Page 49 and 50: User Account Added to Privileged Gr
Page 51 and 52: LogDel SourceInitiated Windows Fire
Page 53 and 54: XP_SysLogsErr SourceInitiated Windo
Page 55 and 56: Microsoft’s Events and Errors Mes
Page 57 and 58: WinRM Version (KB#) Supported OS KB
Page 59: Parameters MaxEnvelopeSizekb MaxTim
Page 63 and 64: @ECHO OFF SETLOCAL SETLOCAL ENABLED
Page 65 and 66: O: Owner_SID G: Group_SID D: DACL_F
Page 67 and 68: Generally, WinRM produces an error
Page 69 and 70: Failed to open subscription. Error
Page 71 and 72: When a WinRM connection arrives on
show all

Spotting the Adversary with Windows Event Log Monitoring

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?