{"id":6365,"date":"2019-05-30T23:42:14","date_gmt":"2019-05-30T23:42:14","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6365"},"modified":"2019-05-30T23:46:55","modified_gmt":"2019-05-30T23:46:55","slug":"event-event-on-the-wall-whos-the-fairest-of-them-all-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/05\/30\/event-event-on-the-wall-whos-the-fairest-of-them-all-part-2\/","title":{"rendered":"Event, Event on the wall, who\u2019s the fairest of them all? Part 2"},"content":{"rendered":"\n<p>In <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/03\/29\/event-event-on-the-wall-whos-the-fairest-of-them-all\/\">part 1<\/a> I highlighted possible unexplored areas where we can look for additional interesting Events. Programmatic access to Event Log templates that <a href=\"https:\/\/twitter.com\/bmmaloney97\">Brian<\/a> pointed me to makes this analysis even more straightforward (and desirable!).<\/p>\n\n\n\n<p>Let&#8217;s start with the bad news first.<\/p>\n\n\n\n<p>After exporting all the <a href=\"https:\/\/hexacorn.com\/examples\/fields.txt\">unique field names<\/a> on Windows 10 I realized there are over 600 unique items across all these available templates. That&#8217;s a lot. It is hard to find a common denominator between all of them.<\/p>\n\n\n\n<p>These fields will most likely be localized (I am not sure if they finally fixed it in new versions of Windows, or plan to, because it&#8217;s a major pain in the neck).<\/p>\n\n\n\n<p>Also, if you study the output file (generated via the PowerShell bit shared in part 1) you will notice that these templates exist in different versions, hence some of the fields will not always be available in the logs we have. It makes ingestion of these logs a bit more problematic too (parsers need to cater for different versions). 
Plus, your queries will have to take it into account as well.<\/p>\n\n\n\n<ul><li>4688 version 0<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"977\" height=\"390\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_1.png\" alt=\"\" class=\"wp-image-6367\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_1.png 977w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_1-300x120.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_1-768x307.png 768w\" sizes=\"(max-width: 977px) 100vw, 977px\" \/><\/figure>\n\n\n\n<ul><li>4688 version 1<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"975\" height=\"408\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_2.png\" alt=\"\" class=\"wp-image-6368\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_2.png 975w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_2-300x126.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_2-768x321.png 768w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<ul><li>4688 version 2<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"965\" height=\"533\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_3.png\" alt=\"\" class=\"wp-image-6369\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_3.png 965w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_3-300x166.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/05\/evt_3-768x424.png 768w\" sizes=\"(max-width: 965px) 100vw, 965px\" \/><\/figure>\n\n\n\n<p>Finally, it is a long way for these field names to reach your log aggregation system under the names they carry in the original templates.  
It is almost a given that these fields will be named differently than in these original templates (e.g. <em>AccountName<\/em> will become <em>AcctName<\/em>, <em>acct<\/em>, <em>useraccount<\/em>, etc.). Hence, you need to dig up the actual field names used by your log aggregation system and match them against the templates. If you are only just starting to use a log aggregation system, pay attention and influence the decisions that will ensure these fields are named the same way as in the templates, wherever possible!<\/p>\n\n\n\n<p>Last, but not least &#8211; not all of these events will be set up (won&#8217;t be logged), not all of them will be properly forwarded even if logged, and not all of them will be delivered in a unified way across all the systems. This means a constant battle: we need to audit our log sources to confirm that we still &#8216;see&#8217; things, and on all the assets we want. <\/p>\n\n\n\n<p>Now for the better news.<\/p>\n\n\n\n<p>In my previous post I mentioned Event IDs that include references to process names. These process names do not always mean exactly the same thing (sometimes it&#8217;s a full file path, sometimes a DLL name, or a component name), but we at least kinda know what to expect:<\/p>\n\n\n\n<ul><li>CallerProcessName<\/li><li>LogonProcessName<\/li><li>NewProcessName<\/li><li>ParentProcessName<\/li><li>ProcessName<\/li><li>TargetProcessName<\/li><\/ul>\n\n\n\n<p>With that info we can very quickly sift through our data and see what useful events we can find. From there, it&#8217;s not far to actual alerts and dashboards. 
<\/p>\n\n\n\n<p>Here&#8217;s an example SPL query for statistics of events that include a process name one way or another:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>EvID=4611 OR EvID=4615 OR EvID=4616 OR EvID=4624 OR EvID=4625 OR EvID=4648 OR <br> EvID=4649 OR EvID=4656 OR EvID=4657 OR EvID=4658 OR EvID=4660 OR EvID=4661 OR <br> EvID=4663 OR EvID=4670 OR EvID=4673 OR EvID=4674 OR EvID=4688 OR EvID=4689 OR <br> EvID=4696 OR EvID=4703 OR EvID=4798 OR EvID=4799 OR EvID=4818 OR EvID=4904 OR <br> EvID=4905 OR EvID=4907 OR EvID=4911 OR EvID=4913 OR EvID=4985 OR EvID=5039 OR <br> EvID=5050 OR EvID=5051 OR EvID=5712 OR EvID=6417 OR EvID=6418 <br> | stats count by EvID<\/p><\/blockquote>\n\n\n\n<p>We can also look at the top 100 events:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>EvID=4611 OR EvID=4615 OR EvID=4616 OR EvID=4624 OR EvID=4625 OR EvID=4648 OR EvID=4649 OR EvID=4656 OR EvID=4657 OR EvID=4658 OR EvID=4660 OR EvID=4661 OR EvID=4663 OR EvID=4670 OR EvID=4673 OR EvID=4674 OR EvID=4688 OR EvID=4689 OR EvID=4696 OR EvID=4703 OR EvID=4798 OR EvID=4799 OR EvID=4818 OR EvID=4904 OR EvID=4905 OR EvID=4907 OR EvID=4911 OR EvID=4913 OR EvID=4985 OR EvID=5039 OR <br>EvID=5050 OR EvID=5051 OR EvID=5712 OR EvID=6417 OR EvID=6418 <br> | fillnull value=\"\" CallerProcessName, LogonProcessName, NewProcessName, <br>   ParentProcessName, ProcessName, TargetProcessName <br> | head 100  <br> | table _time, EvID, CallerProcessName, LogonProcessName, NewProcessName, <br>   ParentProcessName, ProcessName, TargetProcessName <\/p><\/blockquote>\n\n\n\n<p>As you run it in e.g. Splunk (Verbose mode), you can start adding additional fields that show up, and also remove Event IDs that are too noisy (set them aside for more targeted analysis). 
<\/p>\n\n\n\n<p>The goal is to find rare events suitable for immediate alerts, noisy events that still offer good filtering opportunities, and finally any others that can enrich our detections, even if only by being present on a detailed timeline.<\/p>\n\n\n\n<p>Here&#8217;s a list of other interesting field groups to play with:<\/p>\n\n\n\n<ul><li>Network IP\/Addresses<\/li><\/ul>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>ClientAddress, ClientIPAddress, DestAddress, IpAddress, IpAddresses, IpPort, IpProtocol, LocalAddress, NASIPv4Address, NASIPv6Address, PeerPrivateAddress, RemoteAddress, RemoteIpAddress, RemotePrivateAddress, SourceAddr, SourceAddress, SourcePort, TargetName, TargetServer, TargetServerName<\/p><\/blockquote>\n\n\n\n<ul><li>Paths<\/li><\/ul>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>HomePath, KeyFilePath, ObjectPath, ObjectVirtualPath, ProfilePath, ScriptPath, ShareLocalPath<\/p><\/blockquote>\n\n\n\n<ul><li>Algorithms<\/li><\/ul>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>AlgorithmName, CryptoAlgorithms<\/p><\/blockquote>\n\n\n\n<ul><li>Status\/Result<\/li><\/ul>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>AuditStatusCode, EAPErrorCode, Error, ErrorCode, FailureCode, FailureReason, LoggingResult, QuarantineSystemHealthResult, ReplicationStatusCode, SecurityError, Status, StatusCode, SubStatus<\/p><\/blockquote>\n\n\n\n<ul><li>Packages<\/li><\/ul>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>AuthenticationPackageName, LmPackageName, NotificationPackageName, PackageName, SecurityPackageName<\/p><\/blockquote>\n\n\n\n<ul><li>Dates\/Timestamps<\/li><\/ul>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>ClientCreationTime, Duration, ExpirationTime, LockoutDuration, MembershipExpirationTime, MMLifetime, NewDate, NewTime, PreviousDate, PreviousTime, ProcessCreationTime, QuarantineGraceTime, TGT Lifetime<\/p><\/blockquote>\n\n\n\n<p>Unfortunately, I don&#8217;t have a ready-to-use recipe for all the events extracted from the templates (400+ IDs!). 
Some are obviously uninteresting, some are interesting but not feasible to use due to their volume. Others could be very interesting, but legitimate software written in an old-school way indirectly abuses them (e.g. requesting higher privileges than needed by default, which is immediately logged, often many times per minute).<\/p>\n\n\n\n<p>Another thing is that even within a single Event there may be subgroups that we could focus on (a trivial example: filtering by LogonType narrows down logon events, but there is more to it).<\/p>\n\n\n\n<p>Still, we can try to come up with some bundles of interesting events:<\/p>\n\n\n\n<p><strong>Code Integrity related:<\/strong><\/p>\n\n\n\n<ul><li>5038    Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized<\/li><li>6281    Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without<\/li><li>6410    Code integrity determined that a file does not meet the security requirements to load into a process.<\/li><\/ul>\n\n\n\n<p><strong>Attack-related:<\/strong><\/p>\n\n\n\n<ul><li>4618    A monitored security event pattern has occurred.<\/li><li>4649    A replay attack was detected.<\/li><li>4961    IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack<\/li><li>5148    The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack<\/li><li>5149    The DoS attack has subsided and normal processing is being resumed.<\/li><li>5479    The IPsec Policy Agent service was stopped. 
Stopping this service can put the computer at greater risk of network attack or expose the computer to potential security risks.<\/li><\/ul>\n\n\n\n<p><strong>Policy-violation related:<\/strong><\/p>\n\n\n\n<ul><li>6423    The installation of this device is forbidden by system policy.<\/li><li>6424    The installation of this device was allowed, after having previously been forbidden by policy.<\/li><\/ul>\n\n\n\n<p><strong>Other possibly interesting:<\/strong><\/p>\n\n\n\n<ul><li>4612    Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.<\/li><li>4695    Unprotection of auditable protected data was attempted.<\/li><li>4793    The Password Policy Checking API was called.<\/li><li>4797    An attempt was made to query the existence of a blank password for an account.<\/li><li>4864    A namespace collision was detected.<\/li><\/ul>\n\n\n\n<p>And as I am finishing this post I am really curious if anyone has ever attempted to build flowcharts that would map Event IDs to the actual lifecycle of activities happening on Windows. While some events are atomic (e.g. a system time change), many events are clustered around the lifecycle of network, system, logon, service, account, group, ticket, policy, certificate and similar activities. <\/p>\n\n\n\n<p>Finally, one thing that makes for an interesting observation: grepping the templates for words like &#8216;virus&#8217;, &#8216;malware&#8217;, &#8216;threat&#8217; I find nothing. This confirms that the primary role of Windows Events is not supporting threat hunting activities. While we all suffer and complain about the noise they generate, let&#8217;s be grateful that they are out there. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>In part 1 I highlighted possible unexplored areas where we can look for additional interesting Events. 
Programmatic access to Event Log templates that Brian pointed me to makes this analysis even more straightforward (and desirable!). Let&#8217;s start with the bad &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/05\/30\/event-event-on-the-wall-whos-the-fairest-of-them-all-part-2\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[79],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6365"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6365"}],"version-history":[{"count":8,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6365\/revisions"}],"predecessor-version":[{"id":6376,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6365\/revisions\/6376"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}