Facing the challenge(s) of Windows logs collection to leverage valuable IOCs

Michel de Crevoisier Security Analyst, Radar Cyber Security

15.10.2019, Berne

© RadarServices // Classification: Public

The five challenges

#1 High diversity of log sources

Server roles: ADFS, Certification authority, DHCP, DNS server, IIS web server, NPS Radius, […]

3rd party software: Advanced Threat Analytics (ATA), Ivanti, Exchange, Kaspersky, SQL Server, Veeam Backup, […]

Built-in: Application, PowerShell, Security, System, SYSMON, Defender

#2 Different log extensions

• EVTX: standard Windows logs (in XML)
• ETL: analytical logs, like DNS Server or PowerShell
• TXT: IIS, NPS, DHCP, PowerShell Transcript, former DNS logs

#3 Multiple architectural approaches

• Access method / Protocol (MS-EVEN6, RPC, WMI, …)
• Push vs Pull
• Agent vs Agentless
• Intermediate collector vs Direct sending to receiver
• Central file store vs Shared folder
• Managed agent vs Unmanaged agent

#4 Disabled and restrictive event logs

Valuable event logs disabled:
• Protected users (if configured, on DCs only)
• LSA (Local Security Authority)
• IIS web server
• DNS client

Event logs with restrictive access:
• SMB server
• SMB client
• IIS web server

#5 Operational constraints

Security:
• Avoid usage of high privileges
• Isolation between customer and security provider

Data exchange:
• Data encryption
• Secured authentication method

Performance:
• High availability
• Compression
• Low impact on …

Configuration:
• Easy deployment
• Minimize configuration changes

Environment:
• Cloud
• Domain vs Workgroup
• OT (Operational Technology)

Collecting standard Windows logs

WEF/WEC introduction: Unified & built-in solution to collect standard Windows logs

WEF (Windows Event Forwarding):
• Authentication and encryption through Kerberos in a domain or TLS certificates in a Workgroup
• Data exchange over WinRM (push or pull)
• XML-based language to control event IDs to collect or to suppress noisy events
• Control over GPO
• EPS control rate

WEC (Windows Event Collector):
• Collects and stores all requested events from WEF clients according to XML subscriptions
• High availability capacities where clients send events to each WEC collector
• Certain 3rd party software can also emulate a WEC server by spoofing a WinRM listener (e.g. syslog-ng Premium, NXLog Enterprise, AlienVault USM > actually uses NXLog) or manage multiple WEC servers with a central management console (e.g. SuperCharger from Logbinder)

Who is publishing about WEF/WEC? HP/ArcSight, Australian Cyber Security, … (publication dates shown: 2013, 2015, 2017, 2017 & 2019)

WEF/WEC performance: Scaling out

Technical characteristics:
• Up to 4.000 source clients per collector (source: Microsoft)
• Average logging is 5.000 EPS, can go up to 10.000 EPS (source: Microsoft)
• Maximum recommended size per event log file: 4GB
• Maximum recommended size for all Windows log files: 16GB
• Compression possible with event log size reduction

Limitations:
• All collected events are saved in Forwarded Events
• All events are mixed without any tagging possibilities
• Only standard event logs (EVTX) can be forwarded

WEF/WEC advanced approach: The Palantir approach to the rescue

Multiple event channels

• Different size and rotation strategy
• Channel can be tagged for SIEM ingestion
• Channel can be placed on different storage for better performance

Preconfigured subscriptions

• XML query to specify the events to collect
• Specify the event channel destination
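The two bullets above in practice, as an added example that is not part of the slides, the Palantir project or the Radar script: a source-initiated subscription registered with wecutil, whose XPath query selects the wanted events and suppresses a noisy subset, and whose LogFile element is the channel destination. The channel name WEC-Authentication (which must already exist on the collector), the subscription name, the event IDs and the suppressed account are assumptions.

```powershell
# Added example: one WEC subscription written the "Palantir way", i.e. into a
# dedicated custom channel instead of Forwarded Events. Run on the WEC server.
# Select  : logon success/failure and explicit-credential logons (4624/4625/4648)
# Suppress: 4624 for the local SYSTEM account, the noisiest variant on most hosts
# LogFile : the pre-created custom channel (assumption: "WEC-Authentication")
# AllowedSourceDomainComputers: SDDL letting members of Domain Computers (DC) forward
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Authentication</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon events from domain members, SYSTEM noise removed</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]</Select>
        <Suppress Path="Security">*[System[EventID=4624]] and *[EventData[Data[@Name='TargetUserName']='SYSTEM']]</Suppress>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>WEC-Authentication</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@

# Register the subscription on the collector, then check which sources forward.
$path = Join-Path $env:TEMP 'Authentication.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8
wecutil create-subscription $path
wecutil get-subscriptionruntimestatus Authentication
```

Transport HTTP (port 5985) is still encrypted end to end in a domain because the payload is Kerberos-protected, as the WEF slide states.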

WEF/WEC advanced approach: A look in production on a WEC server

Deployment is not automatized: it requires several manual actions (event channels, subscriptions) and is a potential source of incorrect configuration.

WEF/WEC deployment enhancement: PowerShell to the rescue

• Automated WEC server role setup
• Automated Palantir toolset deployment
• Covers event channel and subscriptions
• Adjusts log file size and location
• Fixes SDDL permissions on WinRM service
• Available on GitHub: https://github.com/rs-dev/windows-event-collector_auto-deploy
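One reading of the "SDDL permissions" item above, as an added example and not the Radar script's own code: the WinRM service runs as NETWORK SERVICE, and on a forwarding host that account needs read access to the Security channel before logon events can leave the machine. The function below inspects the channel's SDDL with wevtutil and appends a read ACE only when it is missing, so it can be run repeatedly; the channel name is a parameter and defaults to Security.

```powershell
# Added example (assumption about what "SDDL permissions" covers, not the Radar
# script itself). NETWORK SERVICE = S-1-5-20 = SDDL alias "NS". The channel ACL
# is an SDDL string managed with wevtutil gl/sl; we add exactly one read ACE.
function Grant-NetworkServiceLogRead {
    param([string]$Channel = 'Security')

    # `wevtutil gl` prints one line "channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)..."
    $line = @(wevtutil gl $Channel | Where-Object { $_ -match '^\s*channelAccess:' })[0]
    if (-not $line) { throw "No channelAccess line returned for channel '$Channel'" }
    $sddl    = ($line -split ':', 2)[1].Trim()
    $readAce = '(A;;0x1;;;NS)'          # A = allow, 0x1 = read, NS = NETWORK SERVICE

    # Idempotency check: an allow ACE for NS (alias or raw SID) is already present
    if ($sddl -match '\(A;;[^;]*;;;(NS|S-1-5-20)\)') {
        return "$Channel is already readable by NETWORK SERVICE: $sddl"
    }

    # Append the ACE to the DACL; if a SACL part ("S:...") follows, keep it last
    if ($sddl -match '^(?<dacl>.*?)(?<sacl>S:.*)$') {
        $newSddl = $Matches.dacl + $readAce + $Matches.sacl
    } else {
        $newSddl = $sddl + $readAce
    }
    wevtutil sl $Channel "/ca:$newSddl"
    return "$Channel updated: $newSddl"
}

Grant-NetworkServiceLogRead -Channel 'Security'
```

Adding the host's NETWORK SERVICE account to the local "Event Log Readers" group (S-1-5-32-573, already in the default SDDL) is the equivalent group-based fix.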

WEF/WEC: Injecting data with agent from the WEC server to your SIEM

Source clients → WEC collector → chosen agent software solution → SIEM (JSON, CEF), other target, external provider or archiving solution

Agents: ArcSight agent, NXLog agent Community, RSYSLOG agent, Snare agent, Splunk UF agent, WinCollect agent, Winlogbeat agent

WEF/WEC: Injecting data without agent from the WEC server to your SIEM

Source clients → chosen software for WinRM server listener emulation → SIEM

Software: NXLog agent Enterprise, SYSLOG-NG Premium

Certificates are required on each source client! Certificates are pushed on hosts.

Collecting Windows DNS transaction logs

Collecting DNS transaction logs: Technical possibilities overview

DNS transaction logs can come from:

Linux/Unix OS: Bind, Unbound, Dnsmasq, …

Windows OS:
• DNS server logs: (1) DNS debugging log, (2) DNS ETW, (3) ETL (since Server 2012 R2, disabled per default)
• DNS client logs: SYSMON Event ID 22

Passive DNS: Firewall or 3rd party solution, NIDS solution, mirrored traffic

1 Collecting DNS transaction logs: Old school approach with debugging DNS logs

Pros: very simple access

Cons:
• High impact on performance
• Only for debugging purpose, not supported by MS for production
• Does not include DNS answer
• Timestamp structure may change
• Delay before data is written (>1 min)
• No event ID

2 About ETW: Event Tracing for Windows

Efficient kernel-level tracing facility that records kernel- or application-defined events. Logging can be enabled or disabled dynamically, in real time, without restarting the system. Great open source projects are available:

KrabsETW (Microsoft) Performant C++ library to interact with ETW (https://github.com/Microsoft/krabsetw)

PowerKrabsEtw: PowerShell module built around KrabsETW (https://github.com/zacbrown/PowerKrabsEtw)

TA-DNSETW Splunk plugin to collect DNS events from ETW using "KrabsETW" (https://github.com/secops4thewin/TA-DNSETW)

SilkETW (FireEye): Flexible C# ETW wrapper running as a service, presented at Black Hat 2019 (https://github.com/fireeye/SilkETW)

NXLog Community Windows agent provided with a native ETW module (im_etw). Logs can be saved in a file and/or sent to a remote target

2 Collecting DNS transaction logs: Advanced approach with native ETW: Solutions for production

Solutions:
• System tools, built-in: Logman, Perfmon; installable: Xperf, Tracelog, NetMon, Microsoft MMA, Tracelogging
• Splunk: App “TA-DNSETW”, reads ETW using the KrabsETW library from Microsoft
• NXLog Community: built-in module to read and forward ETW logs

Pros: low impact on performance; event ID provided; DNS answer is provided (but encoded); no cache file

Cons: not compatible with WEC; requires agent or script installation

3 About ETL: Event Tracing Logs

ETW trace sessions are saved into ETL log files. ETL files can be placed on a shared folder on each DNS server to be read remotely. Great open source tools are available:

ETL-to-EVTX: PowerShell script that reads ETL logs and writes them into Windows event logs (https://github.com/acalarch/ETL-to-EVTX)

ETLParser (GCPartners): Executable which can decode several types of ETL files (https://github.com/gcpartners/ETLParser)

DNSplice: Python script that parses DNS ETL files (https://github.com/nerdiosity/DNSplice)

DNS Analytical App (Splunk): PowerShell script for Splunk UF that reads ETL logs (https://splunkbase.splunk.com/app/2937)

NXLog Community Windows agent provided with a native ETL module. Logs can be saved in a file and/or sent to a remote target

ETW2JSON (Microsoft): Reads ETL files and converts them to JSON (https://github.com/microsoft/ETW2JSON)
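The built-in route through both mechanisms described above, as an added example that is not from the slides or any of the listed projects: Logman records Microsoft-Windows-DNSServer ETW events into an ETL file, the session is stopped, Tracerpt (the built-in ETL decoder) converts the ETL to EVTX, and Get-WinEvent reads the queried names back. The output folder, the keyword mask and the 60-second capture window are assumptions; it has to run elevated on the DNS server.

```powershell
# Added example: DNS Server ETW -> ETL -> EVTX with built-in tools only.
# Provider "Microsoft-Windows-DNSServer" is the Windows DNS Server ETW provider;
# the keyword mask (all keywords) and level 0x5 (verbose) are assumptions.
$outDir   = 'C:\DnsTrace'                 # assumption: local folder for the trace
$etlFile  = Join-Path $outDir 'dnsserver.etl'
$evtxFile = Join-Path $outDir 'dnsserver.evtx'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Create and start the session in one step (-ets). -f bincirc makes the ETL a
# circular buffer capped by -max (MB), keeping disk impact bounded.
logman create trace DnsServerTrace -p 'Microsoft-Windows-DNSServer' '0xffffffffffffffff' '0x5' `
    -o $etlFile -f bincirc -max 512 -ets

Start-Sleep -Seconds 60                   # assumption: short capture window

logman stop DnsServerTrace -ets           # flushes buffers and closes the ETL

# tracerpt decodes the ETL with the provider manifest and writes an EVTX file,
# i.e. the same format WEF/WEC and Get-WinEvent understand (-y: overwrite).
tracerpt $etlFile -o $evtxFile -of EVTX -y

# The answer/query data lives in the event payload; QNAME is the queried name
# field of the DNS Server analytical events.
function Get-DnsQueryNames {
    param([string]$Path)
    Get-WinEvent -Path $Path -Oldest |
        ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'QNAME' } |
                ForEach-Object { $_.'#text' }
        } |
        Sort-Object -Unique
}

Get-DnsQueryNames -Path $evtxFile
```

The same EVTX output could be produced on a schedule on each DNS server and dropped into the shared folder mentioned above for remote pickup.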

3 Collecting DNS transaction logs: Advanced approach with ETL: Solutions for production

Solutions:
• System tools, built-in: Tracerpt; installable: Microsoft Message Analyzer (MMA)
• Splunk: App “DNS analytical”, PowerShell script that extracts ETL logs and sends them to a remote listener
• NXLog Community: built-in module to read and forward ETL logs (**)

Pros: low impact on performance; event ID provided; DNS answer is provided (but encoded); ETL file can be placed in a shared folder

Cons: not compatible with WEC per default (*)

* The ETL-to-EVTX script can convert ETL logs to an EVTX log file. ** Currently in preview; will be fully released in NXLog agent v5 according to NXLog support.

Steps and solutions overview

Overview of collecting methods

1: requires a PowerShell script that extracts ETL content into EVTX log files
2: requires an agent or plugin with ETL or ETW capacities
3: data in the event log has no structure
4: not recommended, requires querying the SCCM SQL Server database
5: requires SQL Server advanced configuration
6: pulling requires dealing with firewall, credentials and double NAT issues
7: only a limited set of logs is available. Per default, format and mapping are not maintained. SCOM is not a SIEM.

Steps for a proper log collection

• Download the Palantir toolset: https://github.com/palantir/windows-event-forwarding
• Download and run the Radar deployment script: https://github.com/rs-dev/windows-event-collector_auto-deploy
• Configure advanced audit policies
• Enable PowerShell auditing
• Enable auditing for permission changes (SACL)
• Configure clients to target your WEC server(s)
• Install and configure your agent solution on your WEC server(s) to forward logs to your SIEM
• Start gathering data in your SIEM
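The client-side step "Configure clients to target your WEC server(s)", as an added example not taken from the slides: the GPO setting "Configure target Subscription Manager" lands in the registry key written below, so the same value can be set directly on a lab or workgroup host. One value per collector gives the high-availability pattern from the WEF/WEC slide, every client pushing to each WEC server. The collector names and the port are assumptions.

```powershell
# Added example: point a forwarding host at one or more WEC servers. In production
# this is delivered by GPO; writing the policy key directly is for labs/workgroups.
function Set-WefSubscriptionManager {
    param(
        [Parameter(Mandatory)][string[]]$Collector,   # assumption: collector FQDNs
        [int]$Port = 5985,                            # HTTP listener; Kerberos encrypts
        [int]$RefreshSeconds = 60                     # how often clients re-read subscriptions
    )
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Remove stale entries first so a decommissioned collector is not kept
    Get-ItemProperty -Path $key | Select-Object -ExpandProperty PSObject |
        ForEach-Object { $_.Properties } | Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Remove-ItemProperty -Path $key -Name $_.Name }

    $i = 1
    foreach ($c in $Collector) {
        # Value format expected by the WEF client: Server=<uri>,Refresh=<seconds>
        $value = "Server=http://${c}:${Port}/wsman/SubscriptionManager/WEC,Refresh=$RefreshSeconds"
        New-ItemProperty -Path $key -Name "$i" -Value $value -PropertyType String -Force | Out-Null
        $i++
    }

    # The forwarder lives in the WinRM service; restart it to pick up the new targets
    Set-Service -Name WinRM -StartupType Automatic
    Restart-Service -Name WinRM

    # Return the configured targets for verification
    Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
}

Set-WefSubscriptionManager -Collector 'wec01.example.local', 'wec02.example.local'
```

On the collector, `wecutil gr <SubscriptionId>` then lists the client under the subscription's runtime status once the first heartbeat has arrived.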


Thank You
