Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

In a previous post, Monitoring Windows Networks Using Syslog, I discussed using syslog to send the event logs to a SIEM. This post covers another technique for collecting event log data for analysis.

A new version of OSSEC (2.8) has been released that includes the ability, on Windows, to read the event channels introduced in Vista. To get this to work correctly, I had to have both the agent and the server on 2.8. This new ability lets admins send some of the more interesting event logs to OSSEC in a very easy way.

 

Client Config

Setting up the config for the subscription is quite easy. To do it on a per-install basis, edit C:\Program Files\ossec-agent\ossec.conf: add a new localfile tag, put the XPath channel name under location, and set the log_format to eventchannel.

 

<localfile>
  <location>Microsoft-Windows-AppLocker/EXE and DLL</location>
  <log_format>eventchannel</log_format>
</localfile>

 

 

If you want this config pushed out centrally to all your Windows systems, add the config below to /var/ossec/etc/shared/agent.conf instead. This file has an extra XML attribute on the enclosing tag for matching which systems should apply the config (here, every Windows agent).

 

<agent_config os="Windows">
  <localfile>
    <location>Microsoft-Windows-AppLocker/EXE and DLL</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>

 

Creating Rules

Once you get the logs, you need to create rules to get the alerts. When creating the rules, you need to know what event level (e.g. Info, Error, etc.) the event is logged at, since that decides which of OSSEC's generic Windows event rules your rule chains from (18103, the Windows error-event rule, in the example below). To get a detailed list of the AppLocker events, follow this link (hxxp://technet.microsoft.com/en-us/library/ee844150(v=ws.10).aspx).

 

When creating your own rules, you should always add them to the local_rules.xml file to make sure they do not get overwritten by updates. Rule IDs in this file should start at 100000.

 

<rule id="100021" level="12">
  <if_sid>18103</if_sid>
  <id>^8004</id>
  <description>Applocker blocked program.</description>
</rule>

 

 

 

I’ve posted all my AppLocker rules to my github (hxxps://github.com/tcw3bb/ISC_Posts/blob/master/OSSEC_AppLocker_Local_Rule.xml), and I’ve also submitted them to the OSSEC group to be added in the next version. When using the local rules, you may need to change the rule IDs for your environment.

 

RAW Log

Once the rules are in place, alerts like the one below should be generated.

 

** Alert 1404571480.3095: mail  - win,
2014 Jul 05 07:44:40 (10.10.10.1) 10.10.10.1->WinEvtLog
Rule: 100021 (level 12) -> 'Applocker blocked program.'
User: tw7
2014 Jul 05 10:44:40 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: Error(8004): no source: tw7: WIN-V78V3: WIN-V78V3: %OSDRIVE%\TEMP\CA_SETUP.EXE was prevented from running.

 

Quick report

To get a report for the current day of who had blocked apps, you can run the following (the current day's alerts.log is not compressed, and it lives under /var/ossec/logs/):

cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f rule 100021 -s

 

Report completed. ==
------------------------------------------------
->Processed alerts: 449
->Post-filtering alerts: 1
->First alert: 2014 Jul 04 01:18:39
->Last alert: 2014 Jul 04 01:18:39

Top entries for 'Username':
------------------------------------------------
tw7                                                                           |1       |

Top entries for 'Level':
------------------------------------------------
Severity 12                                                                   |1       |

Top entries for 'Group':
------------------------------------------------
win                                                                           |1       |

Top entries for 'Location':
------------------------------------------------
(win7pub) 191.238.9.177->WinEvtLog                           |1       |

Top entries for 'Rule':
------------------------------------------------
100021 - Applocker blocked program.                             |1       |

Log dump:
------------------------------------------------
2014 Jul 04 01:18:39 (win7pub) 10.10.10.1->WinEvtLog
Rule: 100021 (level 12) -> 'Applocker blocked program.'
2014 Jul 04 01:18:39 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: Error(8004): no source: tw7: WIN7: win7: %OSDRIVE%\TEMP\PUTTY.EXE was prevented from running.
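As an added example (not code from the diary or from the OSSEC project), the following Python script does the same job as the ossec-reportd command above but also pulls the blocked executable out of each AppLocker 8004 event, which the reportd summary does not show; the alert records it parses are constructed in the alerts.log layout shown above.

```python
# Added example (not from the diary or OSSEC): summarise AppLocker block alerts from alerts.log.
import re
from collections import defaultdict

# Constructed sample: two rule-100021 alerts plus one unrelated Windows error event (rule 18103).
SAMPLE_ALERTS = r"""** Alert 1404571480.3095: mail  - win,
2014 Jul 05 07:44:40 (10.10.10.1) 10.10.10.1->WinEvtLog
Rule: 100021 (level 12) -> 'Applocker blocked program.'
User: tw7
2014 Jul 05 10:44:40 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: Error(8004): no source: tw7: WIN-V78V3: WIN-V78V3: %OSDRIVE%\TEMP\CA_SETUP.EXE was prevented from running.

** Alert 1404484719.1201: - win,
2014 Jul 04 01:18:39 (win7pub) 10.10.10.1->WinEvtLog
Rule: 18103 (level 5) -> 'Windows error event.'
2014 Jul 04 01:18:39 WinEvtLog: Application: Error(1000): Application Error: (no user): no domain: win7: Faulting application name: example.exe

** Alert 1404484719.1202: mail  - win,
2014 Jul 04 01:18:39 (win7pub) 10.10.10.1->WinEvtLog
Rule: 100021 (level 12) -> 'Applocker blocked program.'
User: tw7
2014 Jul 04 01:18:39 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: Error(8004): no source: tw7: WIN7: win7: %OSDRIVE%\TEMP\PUTTY.EXE was prevented from running.
"""
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
LOCATION_LINE = re.compile(r"^\d{4} \w{3} \d\d \d\d:\d\d:\d\d \((?P<agent>[^)]*)\) \S+->\S+$")
# WinEvtLog line layout: channel: Type(EventID): source: user: domain: host: message
BLOCKED_MSG = re.compile(r"WinEvtLog: [^:]+: Error\(\d+\): (?:[^:]*: ){4}(?P<path>.+?) was prevented from running\.$")

def parse_alerts(text):
    """Split alerts.log text into one dict per '** Alert' record."""
    records = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        rec = {"rule": None, "agent": None, "user": None, "blocked": None}
        for line in block.splitlines():
            if m := RULE_LINE.match(line):
                rec["rule"] = int(m.group(1))
            elif m := LOCATION_LINE.match(line):
                rec["agent"] = m.group("agent")
            elif line.startswith("User: "):
                rec["user"] = line[6:].strip()
            elif m := BLOCKED_MSG.search(line):
                rec["blocked"] = m.group("path")
        records.append(rec)
    return records

def blocked_programs(text, rule_id=100021):
    """Map each user to the (agent, blocked path) pairs from alerts that fired rule_id."""
    report = defaultdict(list)
    for rec in parse_alerts(text):
        if rec["rule"] == rule_id and rec["blocked"]:
            report[rec["user"]].append((rec["agent"], rec["blocked"]))
    return dict(report)
```

Feed it the real file with blocked_programs(open("/var/ossec/logs/alerts/alerts.log").read()) on the OSSEC server to get the per-user list of blocked executables for the day.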


I also have an nxlog and an eventsys client config on my github (hxxps://github.com/tcw3bb/ISC_Posts) for additional client config. To use these with OSSEC, you will need to have a different parser and rules.

--

Tom Webb

 
Samsung has agreed to buy SmartThings, a two-year-old startup that makes software to connect household objects and let them be controlled from afar via smartphone.
 
A federal judge has dismissed a defamation claim against Oracle by third-party support vendor Rimini Street, saying Oracle was telling the truth when it accused the company of "massive theft" of its software.
 
Apache Subversion CVE-2014-3528 Insecure Authentication Weakness
 
The robot uprising must surely be close at hand, as Ivy League scientists are diligently working to give machines the ability to collaborate with themselves without intervention from the humans.
 
The corporate landscape captured in marketing guru Larry Weber's new book, "The Digital Marketer: Ten New Skills You Must Learn to Stay Relevant and Customer-Centric," is one where the CMO might be seen as increasingly moving onto the CIO's traditional turf. Weber sat down with IDG News Service recently to talk about how that relationship can work in the successful digital enterprise.
 
Philadelphia is set to use a slew of Salesforce.com technologies in order to create a next-generation version of its 311 system for public information and citizen reporting of nonemergency situations around the city.
 

Enterprise Organizations Need Formal Incident Response Programs
Network World
In spite of the rash of data breaches over the past few years, many large organizations still minimize incident response programs, delegate them to IT/infosec groups, or think of them as checkbox exercises! Fortunately, this is starting to change. PCI ...

 
Microsoft's decision to stop patching older versions of Internet Explorer in 17 months may not be as big a show-stopper as many assume.
 
Ferguson, Mo., the city now in the midst of protests over a fatal police shooting, runs the type of IT department that gets almost no attention.
 
AT&T topped all four national carriers for the third time in a row for customer purchase satisfaction in-store, on the phone or on the Web, according to market research firm J.D. Power.
 
Google is expanding its safe browsing technology to notify Web users of downloads that appear benign, but actually make unwanted changes to their computers.
 

Posted by InfoSec News on Aug 14

http://www.forbes.com/sites/kashmirhill/2014/08/13/so-many-pwns/

By Kashmir Hill
Forbes Staff
8/13/2014

There are technologists who specialize in “scanning the Internet.” They
are like a search team making its way through a neighborhood, but instead
of checking the knob of every door, they check Internet entrances to
online devices to see which ones are open. These people have been
screaming for some time that there is a lot of stuff...
 
Even as enterprises try to get rid of their last Windows XP machines, Gartner analysts are urging them to start planning for the end of Windows 7.
 
Ganeti 'gnt_cluster.py' Insecure File Permissions Vulnerability
 
Microsoft Internet Explorer CVE-2014-2819 Remote Privilege Escalation Vulnerability
 
[SECURITY] [DSA 3005-1] gpgme1.0 security update
 

Posted by InfoSec News on Aug 14

http://news.techworld.com/security/3536309/the-biggest-iphone-security-risk-could-be-connecting-one-to-a-computer/

By Jeremy Kirk
Techworld.com
14 August 2014

Apple has done well to insulate its iOS mobile operating system from many
security issues, but a forthcoming demonstration shows it's far from
perfect.

Next Wednesday at the Usenix Security Symposium in San Diego, researchers
with the Georgia Institute of Technology will show how...
 

Posted by InfoSec News on Aug 14

http://www.chicagotribune.com/news/local/breaking/chi-former-hedge-fund-researcher-pleads-guilty-to-helping-steal-trade-secrets-20140812-story.html

By Jason Meisner
Chicago Tribune
August 12, 2014

A former researcher with Chicago-based Citadel LLC pleaded guilty today to
helping a colleague try to hide personal computers that had been used to
steal trade secrets from the giant hedge fund’s high-speed automated
trading system.

Sahil...
 
Infor has acquired SalesLogix in a bid to compete with Salesforce.com in the cloud CRM (customer relationship management) software market, particularly for customers seeking industry-specific features.
 
As global smartphone shipments hit a historic high of 301.3 million in the second quarter, the third-ranked operating system, Windows Phone, saw its share of that pie stumble to well below 3%.
 
libpng CVE-2013-7354 Multiple Heap Based Buffer Overflow Vulnerabilities
 

The PHP development team announces the immediate availability of PHP 5.3.29. This release marks the end of life of the PHP 5.3 series. Future releases of this series are not planned. All PHP 5.3 users are encouraged to upgrade to the current stable version of PHP 5.5 or previous stable version of PHP 5.4, which are supported till at least 2016 and 2015 respectively.

PHP 5.3.29 contains about 25 potentially security related fixes backported from PHP 5.4 and 5.5.

For source downloads of PHP 5.3.29, please visit our downloads page. Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

For helping your migration to newer versions please refer to our migration guides for updates from PHP 5.3 to 5.4 and from PHP 5.4 to 5.5.

http://php.net/

 
Throughout the history of technology, few sectors have expanded and evolved as rapidly as today's burgeoning wearable tech market. Piles of unique and unusual, flashy and fancy -- often goofy and gimmicky -- new wearables are announced every week. There are smartwatches, smartglasses, intelligent socks and "onesies" for infants, rings for public transit payments and even "wearable tattoos."
 
When was the last time you read a privacy policy? Any kind of privacy policy? Be honest.
 

Posted by InfoSec News on Aug 14

http://arstechnica.com/information-technology/2014/08/a-portable-router-that-conceals-your-internet-traffic/

By Sean Gallagher
Ars Technica
Aug 13 2014

The news over the past few years has been spattered with cases of Internet
anonymity being stripped away, despite (or because) of the use of privacy
tools. Tor, the anonymizing “darknet” service, has especially been in the
crosshairs—and even some of its most paranoid users have made a...
 

Posted by InfoSec News on Aug 14

http://www.wired.com/2014/08/nsa-monstermind-cyberwarfare/

By Kim Zetter
Threat Level
Wired.com
08.13.14

Edward Snowden has made us painfully aware of the government’s sweeping
surveillance programs over the last year. But a new program, currently
being developed at the NSA, suggests that surveillance may fuel the
government’s cyber defense capabilities, too.

The NSA whistleblower says the agency is developing a cyber defense system...
 
Crafting a social media policy for the workplace is as much about protecting your employees as it is about limiting your business' exposure to unwanted criticism or legal issues.
 
This article provides supplemental instructions to the piece How to Expedite Continuous Testing. Specifically, it explains how to install Git, Ruby and Jenkins on Windows (as opposed to a Mac or Linux environment).
 
The prescription for continuous testing is deceptively simple: Automated unit tests, version control and a continuous integration server. We wanted to first get past the buzzwords and talk about how to actually do it, by getting started with Ruby and GitHub.
 
A well-known problem in the Internet of Things is that many connected devices operate in silos. Your Fitbit doesn't communicate with your Nest thermostat, for example.
 
Microsoft is closing the Nokia Beta Labs site, but users will still be able to test apps under development via the new Lumia Beta Apps site, designed to elicit more feedback and make it easier for users to participate.
 
With straightforward data access, automated modeling, and easy reporting tools, cloud-based Birst Enterprise is the data warehouse for the rest of us
 

Fast Company

Ready To Launch A Startup? Try This Unpopular Piece Of Advice First
Fast Company
In addition to formal training classes, employees were also mentored by the top experts in their field, who also play a key role in the larger technology and InfoSec communities. This is a considerable asset for employees, especially those new to the ...

 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Catfish, allowing local attackers to escalate their privileges.
 
Microsoft Internet Explorer CVE-2014-4050 Remote Memory Corruption Vulnerability
 
Adobe Acrobat and Reader CVE-2014-0546 Unspecified Security Bypass Vulnerability
 
MediaWiki Unspecified Clickjacking Vulnerability
 
Oracle VM VirtualBox 'crServerDispatchVertexAttrib4NubAR()' Function Memory Corruption Vulnerability
 

In the past few years virtualization has become very popular. A new study by Symantec [1] discusses the threats to virtual environments and suggests best practices to minimize the risk.

The study describes the new security challenges that come with virtual environments, for example that network traffic may not be monitored by services such as IDS or DLP.

The paper also covers how malware behaves in a virtual environment. One example of malware that targets virtual machines is W32.Crisis. This malware doesn’t exploit any specific vulnerability; it takes advantage of how virtual machines are stored on the host system: a virtual machine is stored as a set of files on the storage, and those files can be manipulated or mounted with free tools.

The study also addresses using VMs as a system for malicious code analysis: in some cases, when malicious code detects that it is running in a virtual machine, it will produce false data, such as trying to connect to a C&C server at the wrong IP. The study shows that the number of malware samples that detect VMware has increased in the past couple of years. For more reliable results the study suggests that security researchers should use physical hardware in a controlled network instead of virtual machines.

The last section of the paper suggests best practices for securing the virtual environment.

[1] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/threats_to_virtual_environments.pdf

 
Lenovo's growing presence in PCs and smartphones helped the company's net profit grow 23% in the second quarter.
 
Thirty U.S. data brokers and data management firms, including Adobe Systems, AOL and Salesforce.com, are violating privacy promises they've made regarding their handling of the personal information of EU residents, a privacy group said in a complaint to be filed Thursday.
 
Peak and Tibbr are two tools that teams can use to help track projects and improve workgroup communications.
 
The state of Wyoming is planning to discontinue most of its data center operations and move its physical equipment to commercial colocation facilities.
 
Intel has agreed to acquire for $650 million in cash a networking business and related assets from Avago Technologies, the companies said Wednesday.
 
Apple is banning the use of two toxic chemicals from final assembly processes for its products, after watchdog groups demanded the company replace the substances with safer alternatives.
 
APPLE-SA-2014-08-13-1 Safari 6.1.6 and Safari 7.0.6
 
[security bulletin] HPSBMU03090 rev.1 - HP SiteScope, running Apache Struts, Remote Execution of Arbitrary Code
 