Hackin9

As an incident responder, I love high-value logs. We all know Windows event logs can be super chatty, but with the right tuning they can be very useful. I've tried out several utilities for syslogging Windows event logs, but I've found eventlog-to-syslog (code.google.com/p/eventlog-to-syslog) to be my favorite due to its simple config and install.

If you are not logging anything from your Windows clients and you suddenly turn on everything, you will be overwhelmed. I'm going to cover a couple of logs to start looking at in this post and go into more detail in my next post. AppLocker, EMET (http://support.microsoft.com/kb/2458544/en-US), Windows Defender and application error logs are some of the most valuable logs when looking for compromised systems. These are what we are going to cover today.

AppLocker Setup

If you haven't set up AppLocker in your environment, now would be a great time to get started. Microsoft has a great document that covers it in complete detail (http://download.microsoft.com/download/B/F/0/BF0FC8F8-178E-4866-BBC3-178884A09E18/AppLocker-Design-Guide.pdf). For most, using the Path Rules will get you what you need. The pros and cons of each rule set are covered in section 2.4.4, pp. 17-22.

The MS doc is quite extensive, but for a quick-start guide try the NCSC Guide (http://ncsc.govt.nz/sites/default/files/articles/NCSC%20Applocker-public%20v1.0.5.pdf).

The basic idea of the path rules is to allow things to run from normal folders (e.g. the Program Files and Windows folders) and block everything else. The NSA SRP guide (YEA YEA, I know) gives a good list of rules to use with AppLocker (www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf). You will run into some issues with Chrome and other apps (Spotify) that run from the user's AppData folder, but that is where the syslog auditing comes into play. First deploy this in audit mode and then, once you are comfortable, move to prevent mode. If you already have a software inventory product, you will be able to leverage that information to feed into your policy. Much has been written about this, but I wanted to cover the basics.

EventLog-to-Syslog Installation

Download the software from https://code.google.com/p/eventlog-to-syslog/.

1. To install it as a service, simply run:

c:>evtsys.exe -i -h <Syslog Server IP>

2. Copy evtsys.cfg to the C:\windows\system32\ directory. (More on this below.)

3. Restart the service.

c:>Net stop evtsys

c:>Net start evtsys

That's it; you should now be receiving logs.

Evtsys.cfg Setup

A basic version of evtsys.cfg can be found on my GitHub (http://goo.gl/79spGK). This config file is for Windows 7 and up. Please rename the file to Evtsys.cfg before using it. The file uses XPath for its filters, which makes creating new ones easy. Here is a quick way to create your own.

1. In the Windows Event Viewer, select the event log you wish to create a rule from.

2. Click the Details tab and select XML View.

3. Determine the Channel for the event along with any specific Event IDs you want from that channel.

In this case the Windows Defender Channel is:

<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>

The Event IDs we want are 1005, 1006, 1010, 1012, 1014, 2001, 2003, 2004, 3002 and 5008.

4. Putting it all together. The format of a rule is XPath:<PathToChannel>:<Select statement>, and the rule must be on one line. Spaces are fine in the channel name, but the Select statement must use double quotes.

5. Click the Filter Current Log button on the side of the Event Viewer and enter the additional data you want to filter on. Then click the XML tab at the top. You can cut and paste the entire <Select Path ...> portion into your filter.

XPath:Microsoft-Windows-Windows Defender/Operational:<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1005 or EventID=1006 or EventID=1010 or EventID=1012 or EventID=1014 or EventID=2001 or EventID=2003 or EventID=2004 or EventID=3002 or EventID=5008)]]</Select>
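As an added example (not code from the post or from the evtsys project), the following Python builds rule lines in exactly this format from a channel name and a list of Event IDs, enforcing the one-line and double-quote requirements. The AppLocker "EXE and DLL" channel name and the 8003 audit-mode event are assumptions not taken from the post.

```python
# Added example (not from the diary or the evtsys project): builds evtsys.cfg
# rule lines in the format the post describes, XPath:<channel>:<Select ...>,
# each on a single line with the channel path in straight double quotes.

def build_xpath_rule(channel, event_ids):
    """Return one evtsys.cfg rule line selecting `event_ids` from `channel`."""
    ids = sorted({int(i) for i in event_ids})
    if not ids:
        raise ValueError("at least one Event ID is required")
    predicate = " or ".join(f"EventID={i}" for i in ids)
    # Spaces in the channel name are fine; the Path attribute must use "..."
    select = f'<Select Path="{channel}">*[System[({predicate})]]</Select>'
    rule = f"XPath:{channel}:{select}"
    if "\n" in rule or "\r" in rule:
        raise ValueError("an evtsys rule must stay on one line")
    return rule

def render_config(rules):
    """Render a {channel: [event ids]} mapping as evtsys.cfg rule lines."""
    return "".join(build_xpath_rule(ch, ids) + "\n" for ch, ids in rules.items())

# Constructed sample: the Windows Defender IDs listed in the post, plus the
# AppLocker "EXE and DLL" channel (an assumption, not named in the post) with
# the 8002 (allowed) and 8004 (prevented) events it shows and 8003, the
# audit-mode "would have been prevented" event.
RULES = {
    "Microsoft-Windows-Windows Defender/Operational":
        [1005, 1006, 1010, 1012, 1014, 2001, 2003, 2004, 3002, 5008],
    "Microsoft-Windows-AppLocker/EXE and DLL": [8002, 8003, 8004],
}

if __name__ == "__main__":
    print(render_config(RULES), end="")
```

Running it prints one rule per channel, ready to paste into Evtsys.cfg.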

 

Other items that will be syslogged are:

  • Application Crashes

  • EMET

  • Windows Defender

  • Account Lockouts

  • User Added to Privileged Group

Finished Product

The raw syslog for a blocked AppLocker event looks like this:

Jan  3 12:59:35 WIN-C AppLocker: 8004:  %OSDRIVE%\TEMP\bob\X64\AGENT.EXE was prevented from running.

 

Raw syslog for an allowed program:

Jan  3 14:37:51 WIN-CC AppLocker: 8002: %SYSTEM32%\SEARCHPROTOCOLHOST.EXE was allowed to run.

 

Simple Stats

To get a list of all applications that have been blocked, use the following command:

$ cat /var/log/syslog | fgrep AppLocker | fgrep prevent | awk '{print $7}' | sort | uniq -c

1 %OSDRIVE%\TEMP\bob\X64\AGENT.EXE
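The raw AppLocker lines shown under Finished Product and the one-liner above can be handled together by a small parser that keys the counts by host and also flags programs that were allowed to run from outside the usual folders, which is what you want to review while still in audit mode. This is an added example, not code from the post: it assumes the line format shown above, treats %WINDIR%, %SYSTEM32% and %PROGRAMFILES% as the "normal" folders (an assumption), and runs on constructed sample lines.

```python
import re
from collections import Counter

# Added example, not from the diary: parses the AppLocker lines evtsys sends
# to syslog (format as shown in the post) and summarises them per host.
APPLOCKER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"AppLocker: (?P<eid>\d+):\s+(?P<path>.+?) was (?P<action>.+?)\.$"
)

# Assumption: these AppLocker path variables stand for the "normal" folders
# the post's path rules allow; anything allowed from elsewhere deserves a look.
TRUSTED_PREFIXES = ("%WINDIR%", "%SYSTEM32%", "%PROGRAMFILES%")

# Constructed sample log: the two lines from the post, a repeat of the block,
# an allowed run out of a user's AppData folder and an unrelated syslog line.
SAMPLE_LINES = [
    r"Jan  3 12:59:35 WIN-C AppLocker: 8004:  %OSDRIVE%\TEMP\bob\X64\AGENT.EXE was prevented from running.",
    r"Jan  3 13:02:11 WIN-C AppLocker: 8004:  %OSDRIVE%\TEMP\bob\X64\AGENT.EXE was prevented from running.",
    r"Jan  3 14:37:51 WIN-CC AppLocker: 8002: %SYSTEM32%\SEARCHPROTOCOLHOST.EXE was allowed to run.",
    r"Jan  3 14:40:02 WIN-CC AppLocker: 8002: %OSDRIVE%\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe was allowed to run.",
    r"Jan  3 14:41:00 WIN-CC sshd[123]: Accepted publickey for bob from 10.0.0.5",
]

def parse_applocker(line):
    """Return dict(ts, host, eid, path, action) for an AppLocker line, else None."""
    m = APPLOCKER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["eid"] = int(rec["eid"])
    return rec

def blocked_by_host(lines):
    """Count 8004 (prevented) events per (host, path): the awk one-liner, per host."""
    counts = Counter()
    for rec in filter(None, map(parse_applocker, lines)):
        if rec["eid"] == 8004:
            counts[(rec["host"], rec["path"])] += 1
    return counts

def allowed_outside_trusted(lines):
    """(host, path) pairs allowed to run (8002) from outside the trusted folders."""
    return [(rec["host"], rec["path"])
            for rec in filter(None, map(parse_applocker, lines))
            if rec["eid"] == 8002
            and not rec["path"].upper().startswith(TRUSTED_PREFIXES)]
```

Feed it the lines of /var/log/syslog instead of SAMPLE_LINES to get the same per-host tallies from real data.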

 

Next Time on ISC..

In the next post I'll cover a more comprehensive config file to detect attackers and integrate the logs for reporting.

--

Tom Webb

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A U.S. surveillance court has renewed its approval of a National Security Agency program that collects U.S. residents' telephone records in bulk.
 
If recent history is any indication, 2014 will be a busy year for the enterprise applications industry as vendors jockey for position and customers ponder moves from legacy ERP and CRM implementations to cloud-based services. Here's a look at what some of the sector's main players are likely to do as the year unfolds.
 
A 77-inch television with a curved screen and resolution four times better than today's high-definition TV will be a centerpiece of LG Electronics' product line-up at next week's International CES in Las Vegas.
 
The U.S. Department of Justice will appeal a district judge's opinion saying a phone records collection program at the National Security Agency likely violates the U.S. Constitution.
 
An analysis of the NSA's controversial bulk telephone records collection initiative suggests that the cost of running and maintaining the effort may far outweigh any benefits.
 
Microsoft CEO Steve Ballmer was nearly $3.2 billion richer yesterday than he was a year ago, his good fortune driven by a 34.5% increase in Microsoft's share price during 2013.
 
Facebook is being sued for allegedly intercepting users' private messages, following links and sharing the information with advertisers and marketers, but analysts doubt the accusations will be enough to make users abandon the social networking site.
 
Computerworld
 
Computerworld's complete coverage of CES 2014
 
Lizard-like robots with sticky feet may one day work on spacecraft like the International Space Station, saving astronauts from making as many dangerous spacewalks.
 
 

7 InfoSec Predictions for 2014: Good, Bad & Ugly
InformationWeek
7 InfoSec Predictions for 2014: Good, Bad & Ugly. First, the bad news: Windows XP doomsday, escalating ransomware, botnet-driven attacks, emerging SDN threats. The good news: Threat intelligence goes mainstream. Predicting the future, of course, ...

 
Mozilla has again pushed back the release date for a touch-enabled version of Firefox that will run in Windows 8's "Modern" user interface, with the new target in mid-March.
 
 
A plaintext draft of an encrypted e-mail saved on Gmail servers, despite settings for no drafts to be saved.

If you're sending encrypted e-mail with the default Mail app on OS X Mavericks, your setup may be saving plaintext messages on the mail server. Mac-based users of the GPG encryption app began noticing this unfortunate behavior in October when using Gmail. Even after unchecking the "Store draft messages on the server" and "Store sent messages on the server" checkboxes, the changes would mysteriously vanish.

On Thursday, independent privacy and security researcher Ashkan Soltani was shocked to make the same discovery after finding that GPG-protected e-mails he received from others were stored unencrypted in the drafts folder of his Gmail account. The messages had been automatically saved immediately after he hit the reply button, just below where he would type his response. Like other Mavericks users, he had specifically configured his system not to save such messages when using the Internet Message Access Protocol (IMAP) in Gmail. Without warning, the unchecked checkmarks inexplicably reappeared.

"This is an example of things falling apart at the seams at the integration points," Soltani told Ars. "A lot of people don't use the Gmail browser. They just use Gmail for IMAP. I just happened to have Gmail in the browser opened. Most people wouldn't know about it. I was really shocked."


 
Apple will move upmarket to an iPad Pro tablet, perhaps this year, as it faces pressure from Android device makers searching for profits, an analyst said today.
 
Acer's going beyond conventional high-definition with its latest all-in-one PC, which at a list price of US$1,099.99, is one of the most expensive Android devices available.
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
 

The servers for Steam, Origin, Battle.net, and League of Legends were brought down temporarily overnight by apparent DDoS attacks that seem to be related to a swatting attack on an individual known for streaming games. All of those services appear to be working normally as of this writing.

A hacker group going by the handle DERP Trolling claimed responsibility for the Origin attack on Twitter, saying it used a "Ion Cannon" DDoS tool it's calling the "Gaben Laser Beam," after Valve founder Gabe Newell. DERP claimed responsibility for similar attacks on Battle.net, League of Legends, World of Tanks, EA.com, and more earlier this week. Meanwhile, a pair of Twitter users are claiming responsibility for last night's attack on Steam.

All of these efforts to take down various games and platforms seem to be related to a swatting attack directed at YouTube user PhantomL0rd. A thread on reddit lays out how those attacks advanced from targeting the games PhantomL0rd was playing (and monetizing through ads) to more personal harassment after his address and details were released online. In a recent stream, PhantomL0rd reported on being handcuffed after having police called to his address.


 

 
IT leaders should take the phrase 'out with the old and in with the new' to heart as they consider their plans for the New Year. Old software, old vendors and old habits that get in the way of your company's progress should all be shown the door.
 
We most often hear of the security breaches due to cross site scripting and SQL injection attacks, after the related vulnerabilities have been successfully exploited. But what could we do to prevent such attacks occurring in the first place?
 
Chromebooks are gaining popularity at the expense of Windows machines, and Acer is cashing in with a touchscreen laptop based on Google's Chrome OS.
 
Gitolite 'Rc.pm' Information Disclosure Vulnerability
 
When Kanye West wrote the lyric, "I'm chilling, trying to stack these millions," he probably did not mean digital currency. But a new technology might give him pause, or at least have him scratching his head.
 
FireEye, a major enterprise security company, is hoping to better shield its customers from cyberattacks through its acquisition of privately held Mandiant for nearly $1 billion.
 
Snapchat, reeling from a recent hack that exposed millions of user names and partially redacted phone numbers of its members, will now let users back out of the feature that hackers abused.
 
Archos is showing two low-cost Android-based smartphones next week at the International CES trade show, including the 45 Helium 4G, which is priced at $200 without a contract.
 
Facebook has been accused of intercepting private messages of its users to provide data to marketers, according to a class-action lawsuit filed in a federal court in California.
 
MediaTek is planning to show off its latest chipsets for LTE smartphones with wireless charging, wearables and 4K TVs at the International CES trade show in Las Vegas next week.
 
The U.S. National Security Agency is attempting to build a new breed of supercomputer that theoretically could make short work of cracking most keys used for encrypted communications.
 
After a postponement last month, NASA has rescheduled the launch of a commercial cargo ship that will carry nearly 3,000 pounds of supplies to the International Space Station next week.
 

Posted by InfoSec News on Jan 03

http://www.usni.org/magazines/proceedings/2014-01/time-us-cyber-force

Proceedings Magazine - January 2014
Vol. 140/1/1,331

By Admiral James Stavridis, U.S. Navy (Retired)
and David Weinstein

Instead of each armed service having its own version of a cyber command,
why not create a separate entity altogether that would serve all branches?
In November 1918, U.S. Army Brigadier General Billy Mitchell made the
following observation: “The day...
 

Posted by InfoSec News on Jan 03

http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html

By Steven Rich and Barton Gellman
The Washington Post
January 2, 2014

In room-size metal boxes secure against electromagnetic leaks, the
National Security Agency is racing to build a computer that could break
nearly every kind of encryption used to...
 

Posted by InfoSec News on Jan 03

http://www.zdnet.com/how-to-be-notified-that-your-password-has-been-stolen-7000024674/

By Larry Seltzer
Zero Day
ZDNet News
January 2, 2014

About a month ago I told you about have i been pwned?, a new site at which
you could learn if your email address was included in one of several large
data breaches.

The main improvement that needed to be added to the site, as its creator
Troy Hunt himself acknowledged, was a notification service to...
 

Posted by InfoSec News on Jan 03

http://www.healthcareitnews.com/news/four-year-long-hipaa-data-breach-discovered

By Erin McCann
Associate Editor
Healthcare IT News
January 2, 2014

In the world of HIPAA privacy and security breaches, 2013 was a big year,
and the last days of December proved no exception.

The five-hospital Riverside Health System in southeast Virginia announced
earlier this week that close to 1,000 of its patients are being notified
of a privacy breach that...
 

Posted by InfoSec News on Jan 03

http://www.nytimes.com/2014/01/03/technology/fireeye-computer-security-firm-acquires-mandiant.html

By NICOLE PERLROTH and DAVID E. SANGER
New York Times
January 2, 2014

SAN FRANCISCO -- In a deal that may have broad repercussions for companies
and governments fending off sophisticated hackers and state-sponsored
digital attacks, FireEye, a provider of security software, has acquired
Mandiant, a company known for emergency responses to...
 