Event Log Managment

Logs .. Logs and More Logs

Tracking down ZeroAccess botnet

Normally I focus on the Windows Event Log, but today I’m going to stray into the world of firewall logs.  Over the last several months I’ve been helping customers with Proof of Concepts for LogRhythm and one the things that I have found with several of my customers has been the ZeroAccess botnet.  It’s actually very easy to track down.  One of the rules that the LogRhythm Labs has setup and comes out of the box is focused on finding any ZeroAccess bots, see fig 1.

ZeroAccess AIE Rule

Fig 1.

ZeroAccess is a peer-to-peer botnet operating over ports 16464, 16465, 16470, or 16471.  Each infected host maintains a list of 256 peers that it attempts to connect to over these ports.  Once communications are established payloads and instructions are transferred through the peers.

A simple Unique Values AIE rule was configured that looked for network connections on the appropriate ports, originating from a single host and trying to communicate with 100 or more unique hosts.  Since each infected host attempts to connect to 256 peers, 100 unique hosts was a good number, as it minimizes false positives that might be generated should a host attempt legitimate communications over any of those ports.




October 29, 2013 Posted by | Audting, Hacking, ZeroAccess | Leave a comment

Do you need to track who/where/when for activities done against the OU’s in your AD?

With Windows 2003 those were difficult questions to answer, we could get some very basic information from Directory Services Auditing; but it was limited and you had to read through several cryptic events (id 566).  With the advanced auditing settings with Windows 2008 R2 you can get some better information (you can do this same thing with Windows 2008 but it has to be done via command line and applied every time servers restart).

I don’t want to bore you with Windows 2003 auditing or the command line options for Windows 2008 Domains (if you need them, I will get you the information).  So let’s just jump right to using Windows 2008 R2, because we can now apply the advanced auditing settings via Group Policy.

Now when you turn on the Advanced Audit Policy Configuration you are turning OFF the basic or standard Audit Policies.  The Advanced Audit Policy Configuration allows you to control what AD will audit at a more granular level.  Now for the focus of this discussion we are only going to talk about setting up auditing for activity on our Domain Controllers, the other systems in your environment will be a different discussion.

So where do we start so that we can answer our question at the top of this discussion?

First, turn on the correct auditing.  Open up Group Policy Management Editor and drill down as seen in Fig 1.  **Take note of the green highlight.

GPO to Track OU changesFig 1

For this discussion we are focusing on DS Access and its subcategories.  We only want to turn on Audit Directory Service Changes, see Fig 2.  This category only generates events on domain controllers and is very useful for tracking changes to Active Directory objects that have object level auditing enabled. These events not only tell you what object and property was changed and by whom but also the new value of the affected properties.

GPO part 2Fig 2

Now that we have step 1 completed, setting up AD for auditing, it’s time to configure WHAT we want to audit.  This next step is done via Active Directory Users and Computers.  Open up the properties of your AD and drill down to setup the auditing for Create and Delete Organizational Unit objects as seen in Fig 3.

Fig 3

Now we need to add more granularity so we need to do this process 1 more time and this time instead of checking boxes on the Object tab we are going to check 2 boxes on the Properties tab, see Fig 4.

Fig 4

Now that our auditing is setup what type of events can we expect to see?

Here are a few examples:

In this example (Fig 5), id 5137, we see an OU being created by the Administrator.

Fig 5

Figure 6 shows a Sub OU being created.

Fig 6

Figure 7 shows id 5139, an OU being moved.

Fig 7

Now for the best one, this one comes as a pair of messages – OU rename, part of id 5136.

Figure 8 shows the first part of the rename process.

Fig 8

Figure 9 shows the second part of the rename process.

Fig 9

Now let’s contrast all of this with an event that is part of the good old standard auditing.   Let’s take moving an OU; with the Advanced Auditing we get id 5139 (fig 7), nice and easy to read and understand.  Now here is id 4662 that you would get for the same thing with standard auditing, fig 10.

Fig 10

With standard auditing some of the other items that we looked at would be next to impossible with auditing, such as tracking when an OU is renamed and as you can see from fig 10 hard to read and understand if you did get an event.

Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditing.

August 16, 2012 Posted by | Audit Policy, Audting, Directory Services, Event Log, Windows 2008 | , , , , , , , , , | Leave a comment

Logging, Logging

Here lately we’ve been hearing a lot about Stuxnet and Duqu.  Well this week is no different, but there is some insight into how one of these could have been slowed down if not prevented.  In an article released on Nov 30, 2011 at eWeek.com, Duqu Attackers Wiped All Linux CandC Servers to Cover Tracks, there are some good insights even though it’s almost just a side note.  The article mainly discusses what the Duqu attackers did to help cover their tracks.  The part of the article that caught my eye was the last paragraph.

Even though there was a possibility of a zero-day, the researchers thought it was more likely that the servers’ root passwords were brute-forced, based on a log of a user attempting to log in as root multiple times over an 8-minute period from an IP address in Singapore before finally succeeding.

It all comes down to logging and then doing something with those logs.  Having a solution (www.logrhythm.com) that can help point out these types of items is critical.  Just to have logging turned on gets you nothing, you need to do something with these logs.  Having a solution in place and watching for anomalies like this could have helped to slow Duqu down.  Logs won’t stop the attackers but if we are being proactive and watching (with the correct solution) we would at least slow them down some.

As this also shows that attackers aren’t worried about people logging their activities because they know most organizations/admins aren’t doing anything with the logs until well after the fact.

One of the things that you need to be asking your SIEM/Log Management provider is how would they have picked up on something like this?  Can it be correlated/detected that it was coming from the same IP address and repeated attempts?  Most SIEM/Log Management vendors will tell you “sure we can do that”.  Well my next question would be: What if this was across multiple Operating Systems, could you detect it then?  Now for my shameless plug, with LogRhythm the answer is yes.  Some vendors expect you to be a subject matter expert across all Operating Systems, network devices and applications.  With LogRhythm you don’t need to be, our normalization handles that for you.  We can take being proactive to the next level with advanced correlation and SmartRemediation.

December 2, 2011 Posted by | Audting, Event Log, Hacking, Log Management, Uncategorized | , , , , , | Leave a comment

Event Triggers

I have been asked this question several times so I thought it would be a good time to answer it via a blog post for everyone to use.

“How can I set the Windows Event Viewer to trigger when a certain event happens?” 

Well if you want to set a trigger for something very simple such as ‘when anyone logs in’ or ‘when an account gets created’ that is very simple.  Just right click on the event in the EventViewer and select “Attach Task to This Event…”, then select if you want Windows to launch a program, send an email or display a message. 

It’s that quick and easy if you want to look for something simple.  Now the question “when anyone logs in” is not quite so easy.  Becuase if you recall from an earlier blog post, there are different types of logins.  So if we just look for logins we will be flooded with triggers because of all the network (type 3) and service (type 5) logins that happen all day everyday. 

 The question that arrises most often is “Can event viewer let me know when someone does a remote desktop to one of my servers?”  The answer to that is no.  Take the following screen shot for example.

Microsoft doesn’t give us the ability to look for anything in the event message body, such as the logon type.   But wait you say, EventViewer can do a trigger that will launch a program or script, we can just do it that way.  Not so fast, the program option doesn’t pass the event to the program or script.  So we are unable to parse the message for our logon type or other information.

So the next question comes, how can we trigger (alarm/alert) for specific information that is located in the event message.  Well you have 2 options, 1st is to write your own script (or get one from the internet) that will parse the Event Log and look for your information.  2nd would be to use a SIEM/Log Management tool such as LogRhythm.   Having done manual log management (and via scripts) for many years this could be a painful option.  I’ve been in the SIEM/Log Management business since 2004, I can tell you that many Admins have benefited from letting someone else doing all the heavy lifting of gathering the logs and then setting up alarms very quickly to do just what people have been asking me.

May 31, 2011 Posted by | Event Log, Log Management | , , , , | Leave a comment

Webinar and Training Video links

A few days ago I was asked by a customer if I had links to all of the webinars and training videos that I put togther or been apart off.  So I have started to put together that list.  The first group is for webinars hosted on the LogRhythm website; the 2nd group are webinars that I have conducted with Randy F. Smith and hosted at UltimateWindowsSecurity.com; the last group is a webinar I did for WhiteHat World.  As I conduct more webinars and training sessions I will add them to the list.


Sept 15, 2011

HIPAA & HITECH Act | Get ready for Tougher Privacy, Security Rules and Enforcement

Prism Microsystems

**Feb 14, 2011; Do to some unforseen issues at Prism I can no longer in good faith promote their product or services and I have removed all links to their website.

Ultimate Windows Security

Hosted By Randy F. Smith

December 2, 2010

5 Real World Ways to Use Anomaly Detection with Security Logs

November 11, 2010

Auditing IIS with the Windows Security Log

October 14, 2010

Building a Security Dashboard for Your Senior Executives

June 30, 2010

Taming SharePoint Audit Logs with LOGbinder SP and EventTracker

June 23, 2010

Top 5 Daily Reports for Monitoring Windows Servers

May 6, 2010

Configuring Windows Audit Policy to Minimize Noise: Provide Compliance, Support Forensics and Detect Intrusions

March 4, 2010

Security Log Exposed: Auditing Changes, Deletions and Creations in Active Directory

February 4, 2010

Insider Gone Bad: Tracking Their Steps and Building Your Case with the Security Log

October 1, 2009

Security Log Exposed: What is the Difference Between “Account Logon” and “Logon/Logoff” Events?

July 23, 2009

Using Windows Server 2008’s New Log Management Features: Archival, Forwarding, Views and Triggers

May 14, 2009

Top 9 Ways to Detect Insider Abuse with the Security Log

March 19, 2009

Leveraging the XP and Vista Security Logs to Ensure Workstation Security and Compliance

January 20, 2009

Anatomy of a Hack: Tracking an Intruder with Security Logs

WhiteHat World

February 10, 2009

Security Beyond the Windows Event Log – Monitoring Ten Critical Conditions

July 1, 2010 Posted by | Webinars | , | Leave a comment

Inside and Outside Hack Attempts

Over the last several years I have conducted quite a few webinars with Randy F. Smith on a variety of topics that relate to Windows Audit Policies and Log Management.  Two of these truly drive home the point about why you need to be looking at your logs (not just Windows but all sources; *NIX and Network Devices as well).  The first of these was conducted on Jan 20, 2009 entitled “Anatomy of a Hack: Tracking an Intruder with Security Logs” and most recently on Feb 4, 2010 entitled “Insider Gone Bad: Tracking Their Steps and Building Your Case with the Security Log “.

March 3, 2010 Posted by | Audit Policy, Audting, Event Log, Hacking, Log Management | , , , , , , , | Leave a comment

New Website: Security Scoreboard

For those of us who are on a constant lookout for security tools a new website has been started, Security Scoreboard.

From the About page

Security Scoreboard was launched in 2010 for CISOs, CIOs, IT managers, and anyone with IT security challenges. It helps busy IT security professionals cut through the flood of press releases when researching a security vendor online. By providing a central resource to start researching IT security vendors, Security Scoreboard aims to provide a vital resource for anyone starting to research information security solutions for their organization.

February 23, 2010 Posted by | Misc | Leave a comment

Tracking RDP Logons

Earlier this week a customer asked me the following question:

We came across a scenario where one of our sessions that we need to track events on, recorded only 683 events (rdp logoff) but zero 682 events (rdp logon).

I put together a detailed email explaining to him why/what was really happening and thought it would be good to share.

I want to clarify event id 682 for you, it’s not a RDP Logon event, it’s a Session Reconnected event.  That’s why you see 683 events without any 682 events.

 If you want to track when someone logs onto a system via RDP you need to look for event id 528 with a logon type of 10.

 So here is what you can expect to see in the logs (all of these events are in the Security log on the system SERVER1):

 At 9:22 am Isaac remotes into Server1:

Event ID: 528

 Successful Logon:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0x0,0x2505AC69)
  Logon Type: 10
  Logon Process: User32
  Authentication Package: Negotiate
  Workstation Name: SERVER1
  Logon GUID: {f9c49597-2dcc-19cb-32cb-89a0e776ec9c}
  Caller User Name: SERVER1$
  Caller Domain: XXXXXXXX
  Caller Logon ID: (0x0,0x3E7)
  Caller Process ID: 2380
  Transited Services: –
  Source Network Address: xxx.xxx.xxx.145
  Source Port: 18573

 Then at 9:42:06 am Isaac clicks the “X” in the upper corner of the RDP session (does not logout, but disconnects)

Event ID: 683

 Session disconnected from winstation:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0x0,0x2505AC69)
  Session Name: RDP-Tcp#1
  Client Name: Workstation1
  Client Address: xxx.xxx.xxx.145

 Then at 9:42:37 am Isaac re-connects to the RDP session on Server1

Event ID: 682

 Session reconnected to winstation:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0x0,0x2505AC69)
  Session Name: RDP-Tcp#2
  Client Name: Workstation1
  Client Address: xxx.xxx.xxx.145

 Then at 11:56 am Isaac logs off the RDP session

Event ID: 551

 User initiated logoff:
  User Name: isaac
  Domain: XXXXXXXX
  Logon ID: (0x0,0x2505ac69)

 Now let’s analyze how we tie all these together.  The 1st event the 528 tells us how the connection was established, Logon Type: 10 (highlighted in yellow) which is a RemoteInteractive (aka RDP or Terminal Session) (for other logon types see this list).  This event also confirms that the RDP session was done to a system called Server1 (noted in the Workstation Name line), it also tells us from which system the RDP session was done xxx.xxx.xxx.145 (the Source Network Address line).  We also get the Logon ID which is a HEX code (highlighted in blue).  This Logon ID allows us to connect all of the activity that Isaac does while the RDP session is active (with the right auditing turned on), we can track what files/folders were touched, what processes were launched, etc.  It also allows us to tell if he disconnects (683) or logs off (551) the RDP session.  If he disconnects we can then also track when he reconnects (682).

Hope this helps.

December 1, 2009 Posted by | Audit Logon/Logoff, Log Management | , , | 7 Comments

Directory Services Auditing

I’ve been asked by a customer to take a look at their level of Directory Services Auditing.  I’m not able to share their screen shots but can scrub an email that I sent to them and post it here.

When it comes to Directory Services Auditing I always tell people less is more, if you already understand what the other audit policies give you then you can get 85% to 90% of what you need from those.  There are somethings that you will have to get via Directory Services Auditing there’s just no getting around it.  But just as with the case of Object Access be very carefull what you turn on or you will flood yourself with junk noise events.  The major pain is that all events generated by Directory Services use the same event id no matter what action you are doing and are very cryptic.

Here is the email:

” As we talked about on the phone today there is a lot of auditing turned on where Microsoft hasn’t given very much information about what it generates and even some that are currently not used.  Example: Intellimirror-Group is used by remote boot legacy for managing groups of server machines and is currently not used.   Based on the screen shot you sent me I can see that the objects are currently being monitored which are generating a lot of noise events for you.  You might be better suited to audit the properties instead of the objects.  Example, if you want to know when a user has been given access to someone else’s inbox you need to monitor for changes to the property: msExchMailboxSecurityDescriptor; or if you want to know who made a GPO change then you need to monitor for changes to the properties: gpLink and gPOptions.  Most of the information that you can find via MSDN in regards to these audit objects is related to developers and not what the audit trail will give you.  Keep in mind that Microsoft considers the Directory Services auditing a low level audit, so the events that are generated are pretty cryptic in nature and all use the same event id. 

 There are a few of the objects that you would want to monitor to help get a more full picture of what is happening such as: Computer, User, OU, Shares, Group objects.  Monitoring these will give you things such as what OU a user was created in, where the Account Mgmt auditing does not give you this.  Also Account Mgmt auditing does not give you OU auditing (as again Microsoft considers this to be a low level object).

 In most companies it’s easy to turn on Auditing but very difficult to get it turned off and this is where Admins get themselves and others into a painful spot.  How to prove what is not needed when Microsoft doesn’t document what the auditing does or doesn’t do.

 Other examples:

msSFU30MailAliases – represents UNIX mail file data

nisMap – contains the generic abstraction of an NIS map

oncRpc – represents an abstraction of the Open Network Computing (ONC) Remote Procedure Call (RPC) binding

msRTCSIP-EdgeProxy – this attribute is reserved for future use

msRTCSIP-TrustedWebComponentsServerData – this attribute is reserved for future use”

Here are a few of the links where I pulled this data from:




November 23, 2009 Posted by | Directory Services, Log Management | , | Leave a comment