{"id":6071,"date":"2019-03-29T00:43:33","date_gmt":"2019-03-29T00:43:33","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6071"},"modified":"2019-03-30T00:37:33","modified_gmt":"2019-03-30T00:37:33","slug":"event-event-on-the-wall-whos-the-fairest-of-them-all","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/03\/29\/event-event-on-the-wall-whos-the-fairest-of-them-all\/","title":{"rendered":"Event, Event on the wall, who\u2019s the fairest of them all?"},"content":{"rendered":"\n<p><strong>Update<\/strong><\/p>\n\n\n\n<p>After I posted it, <a href=\"https:\/\/twitter.com\/bmmaloney97\">Brian<\/a> (thx!) pointed me to some very neat research by <a href=\"https:\/\/twitter.com\/SecHubb\">John Hubbard<\/a> who takes a similar concept to a completely new level. It turns out PowerShell gives us programmatic access to Windows Event templates and we can use it to access all the info &#8211; here is the <a href=\"https:\/\/twitter.com\/SecHubb\/status\/1072973907630661632\">tweet<\/a> demonstrating it. 
<\/p>\n\n\n\n<p>We can write it all down to a file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$provider = get-winevent -ListProvider Microsoft-Windows-Security-Auditing<br><br>$provider.events | Out-File -FilePath \"eventdump.txt\"<\/pre>\n\n\n\n<p>We can then do the same exercise as I did before and get this nice list (Windows 7):<\/p>\n\n\n\n<ul><li>4611    LogonProcessName <\/li><li>4615    ProcessName <\/li><li>4616    ProcessName <\/li><li>4616    ProcessName <\/li><li>4624    LogonProcessName <\/li><li>4624    ProcessName <\/li><li>4625    LogonProcessName <\/li><li>4625    ProcessName <\/li><li>4648    ProcessName <\/li><li>4649    LogonProcessName <\/li><li>4649    ProcessName <\/li><li>4656    ProcessName <\/li><li>4656    ProcessName <\/li><li>4657    ProcessName <\/li><li>4658    ProcessName <\/li><li>4660    ProcessName <\/li><li>4661    ProcessName <\/li><li>4661    ProcessName <\/li><li>4663    ProcessName <\/li><li>4670    ProcessName <\/li><li>4673    ProcessName <\/li><li>4674    ProcessName <\/li><li>4688    NewProcessName <\/li><li>4688    NewProcessName <\/li><li>4689    ProcessName <\/li><li>4696    TargetProcessName <\/li><li>4696    ProcessName <\/li><li>4904    ProcessName <\/li><li>4905    ProcessName <\/li><li>4907    ProcessName <\/li><li>4985    ProcessName <\/li><li>5039    ProcessName <\/li><li>5050    CallerProcessName <\/li><li>5051    ProcessName <\/li><li>5712    ProcessName <\/li><\/ul>\n\n\n\n<p>And Windows 10 gives us this:<\/p>\n\n\n\n<ul><li>4611    LogonProcessName <\/li><li>4615    ProcessName <\/li><li>4616    ProcessName <\/li><li>4616    ProcessName <\/li><li>4624    LogonProcessName <\/li><li>4624    ProcessName <\/li><li>4624    LogonProcessName <\/li><li>4624    ProcessName <\/li><li>4624    LogonProcessName <\/li><li>4624    ProcessName <\/li><li>4625    LogonProcessName <\/li><li>4625    ProcessName <\/li><li>4648    ProcessName <\/li><li>4649    LogonProcessName <\/li><li>4649    ProcessName <\/li><li>4656    
ProcessName <\/li><li>4656    ProcessName <\/li><li>4657    ProcessName <\/li><li>4658    ProcessName <\/li><li>4660    ProcessName <\/li><li>4661    ProcessName <\/li><li>4661    ProcessName <\/li><li>4663    ProcessName <\/li><li>4663    ProcessName <\/li><li>4670    ProcessName <\/li><li>4673    ProcessName <\/li><li>4674    ProcessName <\/li><li>4688    NewProcessName <\/li><li>4688    NewProcessName <\/li><li>4688    NewProcessName <\/li><li>4688    ParentProcessName <\/li><li>4689    ProcessName <\/li><li>4696    TargetProcessName <\/li><li>4696    ProcessName <\/li><li>4703    ProcessName <\/li><li>4798    CallerProcessName <\/li><li>4799    CallerProcessName <\/li><li>4818    ProcessName <\/li><li>4904    ProcessName <\/li><li>4905    ProcessName <\/li><li>4907    ProcessName <\/li><li>4911    ProcessName <\/li><li>4913    ProcessName <\/li><li>4985    ProcessName <\/li><li>5039    ProcessName <\/li><li>5050    CallerProcessName <\/li><li>5051    ProcessName <\/li><li>5712    ProcessName <\/li><li>6417    ProcessName <\/li><li>6418    ProcessName <\/li><\/ul>\n\n\n\n<p><strong>Old Post<\/strong><\/p>\n\n\n\n<p>This post started with a bold idea inspired by the song &#8216;I want it all&#8217; by Queen. Not really, I made it up, but the mood is similar. <\/p>\n\n\n\n<p>No one, at least to my knowledge, has ever enabled all the possible event logs for testing purposes. We are obviously very used to the known Event IDs e.g. 
4688 (<em>A new process has been created<\/em>), 4689 (<em>A process has exited<\/em>), but perhaps there is more&#8230; For example, how many of us have enabled <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/event-6410\">6410 <\/a>(<em>Code integrity determined that a file does not meet the security requirements to load into a process<\/em>)?<\/p>\n\n\n\n<p>Obviously, I was wondering what would happen if we enabled them all, but also, which of them would have a practical meaning for our defensive efforts.<\/p>\n\n\n\n<p>In my attempt to answer the question I went in two different directions. <em>I was not aware there was an even better direction &#8211; the one that I mentioned at the top of this post, which relies on John Hubbard&#8217;s research. Since John&#8217;s approach is better, you can ignore my &#8216;manual&#8217; data extraction process described below, and just use PowerShell to extract all the info you need. TL;DR: you don&#8217;t need to read the stuff below \ud83d\ude42<\/em><\/p>\n\n\n\n<p>First, a bit of background. I don&#8217;t know if you know, but the Microsoft web site provides an awesome feature that helps with reading their docs. It allows you to download pages and sections of their documentation as a PDF. It is contextual. Wherever you are, you can just download what&#8217;s there + everything lower in the documentation hierarchy in one go. Seriously, this is one of the coolest features ever and if you have not used it before, you&#8217;re gonna love it&#8230;<\/p>\n\n\n\n<p>Say you find the description of the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/event-4688\">Event ID 4688<\/a>. If you look at the left corner of your browser, there is a &#8216;Download PDF&#8217; button. 
<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/download.png\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/download.png\" alt=\"\" class=\"wp-image-6072\" width=\"219\" height=\"78\"\/><\/a><\/figure>\n\n\n\n<p>Yup. You can download this specific page as a PDF. Now go to the parent node, and climb up the hierarchy. Now you can download the whole section that page belongs to. With that, I downloaded the whole <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/security-auditing-overview\">Security Auditing<\/a> section.<\/p>\n\n\n\n<p>Secondly, the documentation for Windows Events is pretty good. One thing that I remembered seeing before was that it contained a systematic description of actual fields related to specific events. The nice folks at Microsoft define these fields using a standard syntax:<\/p>\n\n\n\n<p><em>FieldName<\/em> [Type = <em>FieldType<\/em>]: <em>description<\/em><\/p>\n\n\n\n<p>For example:<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/fields.png\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/fields.png\" alt=\"\" class=\"wp-image-6073\" width=\"396\" height=\"227\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/fields.png 791w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/fields-300x172.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/fields-768x440.png 768w\" sizes=\"(max-width: 396px) 100vw, 396px\" \/><\/a><\/figure>\n\n\n\n<p>Now I got the whole PDF full of descriptions of all events featured in that aforementioned Security Auditing section and&#8230; I know I can parse it. 
<\/p>\n\n\n\n<p>I converted the PDF to text, and wrote a simple perl script that produced this nice <a href=\"https:\/\/hexacorn.com\/examples\/security_audit_1.txt\">log<\/a>. There are duplicates there, plus some data is truncated (you will see below), but:<\/p>\n\n\n\n<ul><li>such a data set is instantly available (took me 5 minutes)<\/li><li>it can immediately support threat hunting and may lead us to uncharted territories (this is where we want to go, right?)<\/li><\/ul>\n\n\n\n<p>Let&#8217;s have a look at an example.<\/p>\n\n\n\n<p>We can load this data set into Excel, and then filter by the keyword <em>Process Name<\/em> &#8211; I hope you will agree that any field with such a name is interesting to us from a detection perspective:<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/filter1.png\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/filter1.png\" alt=\"\" class=\"wp-image-6074\" width=\"201\" height=\"359\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/filter1.png 268w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/filter1-168x300.png 168w\" sizes=\"(max-width: 201px) 100vw, 201px\" \/><\/a><\/figure>\n\n\n\n<p>This produces a nice list of Events that refer to process names one way or another:<\/p>\n\n\n\n<ul><li>4799(S): A security-enabled local group membership    Process Name<\/li><li>4798(S): A user&#8217;s local group membership was    Process Name<\/li><li>4688(S): A new process has been created.    New Process Name<\/li><li>4688(S): A new process has been created.    Creator Process Name [Version 2]<\/li><li>4696(S): A primary token was assigned to process.    Process Name<\/li><li>4696(S): A primary token was assigned to process.    Target Process Name<\/li><li>4689(S): A process has exited.    
Process Name<\/li><li>4937(S): A lingering object was removed from a    Process Name<\/li><li>4932(S): Synchronization of a replica of an Active    Caller Process Name<\/li><li>4624(S): An account was successfully    Process Name<\/li><li>4624(S): An account was successfully    Caller Process Name<\/li><li>4648(S): A logon was attempted using explicit    Process Name<\/li><li>5144(S): A network share object was deleted.    Process Name<\/li><li>4658(S): The handle to an object was closed.    Process Name<\/li><li>4660(S): An object was deleted.    Process Name<\/li><li>4663(S): An attempt was made to access an object.    Process Name<\/li><li>4985(S): The state of a transaction has changed.    Process Name<\/li><li>4670(S): Permissions on an object were changed.    Process Name<\/li><li>4690(S): An attempt was made to duplicate a handle    Process Name<\/li><li>4663(S): An attempt was made to access an    Process Name<\/li><li>4657(S): A registry value was modified.    Process Name<\/li><li>4818(S): Proposed Central Access Policy does not    Process Name<\/li><li>4907(S): Auditing settings on object were changed.    Process Name<\/li><li>4904(S): An attempt was made to register a security    Process Name<\/li><li>4905(S): An attempt was made to unregister a    Process Name<\/li><li>4703(S): A user right was adjusted.    Process Name<\/li><li>4911(S): Resource attributes of the object were    Process Name<\/li><li>4913(S): Central Access Policy on the object was    Process Name<\/li><li>6144(S): Security policy in the group policy objects    Process Name<\/li><li>4611(S): A trusted logon process has been registered    Logon Process Name<\/li><\/ul>\n\n\n\n<p>We can apply other filters e.g. <em>file<\/em>, <em>path<\/em>, <em>object<\/em>, etc. and come up with additional events that may be worth exploring! 
<\/p>\n\n\n\n<p>In other words, we don&#8217;t need to enable all audit policies: we can cherry-pick some interesting events, and then simply focus on targeted analysis!<\/p>\n\n\n\n<p>Time for take two.<\/p>\n\n\n\n<p>If you ever wondered where the Event Logs come from, and I don&#8217;t mean all these magic unicorns that write them, or aggregate them, but the templates that are used to ensure their &#8216;look and feel&#8217; is always the same &#8211; read below. (a note here: to be accurate, the layout of templates changes across OS versions &#8212; 4688 is a great example of it with its additional fields <a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventID=4688\">added in Windows 10\/2016<\/a>).<\/p>\n\n\n\n<p>So, where do these templates come from?<\/p>\n\n\n\n<p>Searching Windows 10 binaries one can quickly find files that refer to these event log templates &#8212; they are stored inside the Security Audit Schema DLL and its associated MUI file:<\/p>\n\n\n\n<ul><li>\\Windows\\System32\\adtschema.dll<\/li><li>\\Windows\\System32\\en-US\\adtschema.dll.mui<\/li><\/ul>\n\n\n\n<p>If you open either of them in Resource Hacker you will immediately spot this Message Table:<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/msg_table.png\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/msg_table.png\" alt=\"\" class=\"wp-image-6075\" width=\"431\" height=\"110\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/msg_table.png 861w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/msg_table-300x76.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/03\/msg_table-768x195.png 768w\" sizes=\"(max-width: 431px) 100vw, 431px\" \/><\/a><\/figure>\n\n\n\n<p>The table is organized in a neat way and it&#8217;s easy 
to extract all the Event templates from the file, since the message table IDs refer to specific Event IDs.<\/p>\n\n\n\n<p>Once you do it, there are a few interesting research avenues to pursue here:<\/p>\n\n\n\n<ul><li>If you use a localized version of the OS, you can extract templates for languages other than English; this may sound silly, but many &#8216;native&#8217; fields in Event Logs are unfortunately localized \ud83d\ude41 it&#8217;s a very expensive mistake that localization teams at Microsoft made a long time ago and stuck to. It makes writing queries e.g. in Splunk harder, because you need to coalesce a number of localized field names if you are dealing with Events coming to you in multiple languages, and if some of them happen to use the localized template.<\/li><li>Secondly, we can try to duplicate the analysis I did for the PDF and extract interesting event IDs that might have escaped the attention of the security community until now<\/li><li>Thirdly, we can extract templates from various OS versions and compare them, building a superset schema for all OS versions and Event versions (may come in handy with generic parsing)<\/li><li>Finally, if we are quick and look at the latest version of the OS there is always a possibility we may come across new event IDs or templates that have not been documented yet<\/li><\/ul>\n\n\n\n<p>If you are curious about the second bullet point, here&#8217;s the result for a <em>Process Name<\/em> filter:<\/p>\n\n\n\n<ul><li>4611    A trusted logon process has been registered with the Local Security Authority<\/li><li>4624    An account was successfully logged on<\/li><li>4625    An account failed to log on<\/li><li>4648    A logon was attempted using explicit credentials<\/li><li>4649    A replay attack was detected<\/li><li>4656    A handle to an object was requested<\/li><li>4657    A registry value was modified<\/li><li>4658    The handle to an object was closed<\/li><li>4660    An object was deleted<\/li><li>4661    A handle to an object was 
requested<\/li><li>4663    An attempt was made to access an object<\/li><li>4670    Permissions on an object were changed<\/li><li>4673    A privileged service was called<\/li><li>4674    An operation was attempted on a privileged object<\/li><li>4688    A new process has been created<\/li><li>4689    A process has exited<\/li><li>4696    A primary token was assigned to process<\/li><li>4703    A token right was adjusted<\/li><li>4798    A user&#8217;s local group membership was enumerated<\/li><li>4799    A security-enabled local group membership was enumerated<\/li><li>4818    Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy<\/li><li>4904    An attempt was made to register a security event source<\/li><li>4905    An attempt was made to unregister a security event source<\/li><li>4907    Auditing settings on object were changed<\/li><li>4911    Resource attributes of the object were changed<\/li><li>4913    Central Access Policy on the object was changed<\/li><li>4985    The state of a transaction has changed<\/li><li>5039    A registry key was virtualized<\/li><li>5050    An attempt to programmatically disable Windows Firewall using a call to INetFwProfile<\/li><li>5051    A file was virtualized<\/li><li>6417    The FIPS mode crypto selftests succeeded<\/li><li>6418    The FIPS mode crypto selftests failed<\/li><\/ul>\n\n\n\n<p>I hope some of you will find it interesting and will explore some of these new Event IDs. This requires a bit of patience &amp; time, because in some cases re-creating the conditions in which these events trigger may be non-trivial.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update After I posted it, Brian (thx!) pointed me to some very neat research by John Hubbard who takes a similar concept to a completely new level. 
It turns out PowerShell gives us a programmatic access to Windows Event templates and &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/03\/29\/event-event-on-the-wall-whos-the-fairest-of-them-all\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[79],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6071"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6071"}],"version-history":[{"count":14,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6071\/revisions"}],"predecessor-version":[{"id":6094,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6071\/revisions\/6094"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6071"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}