Tactical Security Day 3


What is a Windows log channel?

"A channel is basically a sink that collects events."
- Channels act as receivers of specific events
- Act as a high-level category
- Applications/scripts can define their own channels
- Important for collection
Windows Logs (intended to classify event types): Application, Security, Setup, System, Forwarded Events
- Event logs require an ID, usually unique to the specific channel

Linux audit.rules example

# First rule: delete all existing rules
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# System call rule: record hostname/domain name changes (64-bit syscalls)
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k testrule1
# Filesystem rule: watch /etc/passwd for writes and attribute changes
-w /etc/passwd -p wa -k testrule2
# Filesystem rule: watch /sbin/ifconfig for execution
-w /sbin/ifconfig -p x -k testrule3

Syslog example

Local file (/var/log/auth.log):
Jan 4 14:43:13 logparser sudo: jhenderson : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/bin/su
When transported over the network (PRI field prepended):
<81>Jan 4 14:43:13 logparse sudo: jhenderson : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/bin/su

Common Linux log files and their locations

- /var/log/messages - Global messages (general activity)
- /var/log/auth.log - Authentication-related logs
- /var/log/boot.log - Boot time events
- /var/log/daemon.log - Background process events
- /var/log/kern.log - Kernel messages (often used for troubleshooting)
- /var/log/cron.log - Events related to scheduled tasks
- /var/log/secure - Events related to su or sudo access

How to enable analytical and debug logging

1. Show Analytic and Debug Logs
2. Enable logging

Syslog log breakdown

<81>Jan 4 14:43:13 logparse sudo: jhenderson : incorrect password attempt ; TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/bin/su
- PRI = <81>
- Time/date = Jan 4 14:43:13
- Source host = logparse
- Source process = sudo
- Message = jhenderson : incorrect password attempt ; TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/bin/su
The source process sometimes includes a process ID, such as CRON[1464].

What are the SIEM goals?

- A goal of SIEM is to provide early detection (similar to the importance of early cancer detection)
- This requires data to analyze and timeliness
- A decision on where to collect becomes critical
- Given common attacks, what logs are important?

Tactical SIEM

A tactical SIEM is one that is designed to win.
- To win the war is paramount
- To win each battle is a goal
- Design needs to include battle tactics
From The Practice of Network Security Monitoring: "... if adversaries gain unauthorized access to an organization's computers, but can't get the data they need before defenders remove them, then what did they really achieve?"

Remote location -- agentless

An agentless architecture is similar in design, with the exception being that most logs are pulled rather than pushed. In this diagram, a server at the central location is authenticating against the Windows/Linux workstations and server at the remote location and retrieving logs. The switch and the remote site firewall would still use syslog. A central file server is also listed with NXLog to monitor for log files being saved to a drop box. This is because agentless servers tend not to scale well if monitoring log files across thousands of systems or more. While this is still a simple architecture, things are slightly more complicated. In this layout, syslog will need to be allowed from the remote site through both firewalls to the log aggregator. Also, the server for agentless collection will need firewall rules allowing access to the Windows/Linux workstations and server. Most likely, Windows file sharing ports and SSH will need to be allowed for this to work. On top of this, the endpoint systems will need to allow the connections through whatever host-based firewall they are using. Finally, a valid user account with proper permissions to the logs will need to be used. In this architecture, syslog systems can lose logs during Internet or VPN outages. However, this is still a fairly simple design and works well.

Account logon/off details

- Audit Account Lockout - Records both successful and failed logins when a login request is made against a locked-out account.
- Audit Logoff - Records both successful and failed logoff attempts. This is useful for questions such as: was user XYZ still logged in at the time of an incident?
- Audit Logon - Records successful and failed login attempts. Failed login attempts may indicate brute force attempts, and successful login attempts are great for profiling user activity. This may manifest as credentials being used during abnormal hours or creating large nu
- Audit Other Logon/Logoff Events - Records successful and failed logon/logoff events for terminal service or screen saver sessions.
- Audit Special Logon - Records logon requests for accounts added to specially monitored groups. For this policy to be effective, you must find the SID of any groups to be monitored and add them to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups. This value does not exist by default and should be created as a string (REG_SZ). For more information see KB article 947223.

SCM account management details

- Audit Application Group Management - Monitors changes to application groups. Application groups are used to tie roles together using Windows Authorization Manager.
- Audit Computer Account Management - Monitors changes to computer accounts.
- Audit Distribution Group Management - Monitors changes to Active Directory distribution groups. While this can record details about groups being modified such as Domain Admins, it is not needed: Audit Security Group Management records more information that is helpful and specific.
- Audit Other Account Management Events - Monitors special changes such as the password hash of a user account being accessed or changes to the password policy or lockout policy.
- Audit Security Group Management - Monitors changes to standard security groups.
- Audit User Account Management - Monitors changes to user accounts.

Differences between Windows audit policies

Audit Policy: basic log settings; available for Windows 2000 and later
Advanced Audit Policy: provides granular control of logging; requires Server 2008 R2 or Windows 7 and later

Rsyslog vs. syslog-ng side-by-side comparison

Both configuration files in this slide are examples of forwarding all logs to a server called logstash over TCP. Each also includes an example of basic filtering options and is set to ignore logs with a message containing "ignore string." While similar in functionality, the syntax is completely different. Syslog-NG is lengthier but much easier to read and write. In the event you are using older Linux/Unix systems, likely the only option available is to forward logs over standard UDP. In this case, the syntax may be as simple as:
*.* @logstash
This is a simple example of forwarding all logs (any facility, any severity) over UDP to the server logstash.

What are the various built-in syslog variants?

- The built-in syslog agent varies by distribution
- Rsyslog and Syslog-NG are the most robust and full-featured; common on systems built for functionality (like one
- Syslogd is also common and provides basic functionality; primarily used for systems built around security or designed to limit surface footprint (like CentOS, RHEL, or FreeBSD)
- Depending on business requirements, you may need to switch to a third-party agent, or to Rsyslog or Syslog-NG

Audit detailed tracking

- Can generate vast amounts of logs; proceed with caution
- Has built-in monitoring of processes
- Default behavior does not include command line logging
- Windows 10/Server 2016 also includes plug and play monitoring

SIEM compliance questions

Compliance is a costly and confusing beast.
Example: PCI DSS Requirement 10
- Log all "in scope" assets
- Must have 1-year retention, with 3 months of accessible logs
The above is straightforward; what must be logged is not. "Track and monitor all access to network resources and cardholder data" does not mean log everything.

Windows Nxlog configuration breakdown

- Input specifies what logs to pick up; allows filtering and augmentation; can convert logs into new formats such as JSON, XML, or syslog
- Output specifies where to send logs; defines port and protocol; can specify TLS encryption
- Route maps inputs to outputs; multiple inputs/outputs allowed

Nxlog autoconfig

- Created by Justin Henderson to overcome log agent deficiencies and as a functional proof of concept: https://github.com/SMAPPER/NXLog-AutoConfig
- Checks systems each day looking for components (II
- If found, automatically configures for consistency (or performs the initial configuration)
- Then sets up an agent to start shipping logs
- Largest deployment maintained > 12K systems

Endpoint collection strategies

- Deciding what to collect and from where is a major task
- Different systems require different levels of logging
- Compliance requirements often affect a subset of systems
- Collection and retention also vary
- There is also the problem of how to collect
- Each problem above has multiple solutions: multiple wrong answers and multiple right answers
- Module focus is on collection points and how to handle them

Default behavior of Windows advanced audit policies

Default settings prefer audit policy rather than advanced audit policy. If using advanced audit policy, remember to change this:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Enable "Audit: Force audit policy subcategory settings"

What does Snoopy logger do?

- Designed to log command line entries to syslog
- Snoopy maintainers: "Snoopy is not a reliable auditing solution. Rogue users can easily manipulate environment to avoid logging by Snoopy"
- So is it worthless to enable? Beware of the perfect-solution fallacy: this can ultimately lead to catching an adversary
- More on command line logging to be covered...

SIEM logging level questions.

- Different systems can have different logging levels
- But should assets of different sensitivity have the same logs collected? What about desktops vs. servers?
- Decision primarily based on the organizational setup
- 100% tactical probably has the same logging level across all systems
- Compliance or sensitivity may dictate varying log levels; it is acceptable to have a policy with multiple logging levels

Evt vs evtx fields

EVT - fixed fields:
typedef struct _EVENTLOGRECORD {
  DWORD Length;
  DWORD Reserved;
  DWORD RecordNumber;
  DWORD TimeGenerated;
  DWORD TimeWritten;
  DWORD EventID;
  WORD  EventType;
  WORD  NumStrings;
  WORD  EventCategory;
  WORD  ReservedFlags;
  DWORD ClosingRecordNumber;
  DWORD StringOffset;
  DWORD UserSidLength;
  DWORD UserSidOffset;
  DWORD DataLength;
  DWORD DataOffset;
} EVENTLOGRECORD, *PEVENTLOGRECORD;

EVTX - default "properties":
typedef enum _EVT_SYSTEM_PROPERTY_ID {
  EvtSystemProviderName,
  EvtSystemProviderGuid,
  EvtSystemEventID,
  EvtSystemQualifiers,
  EvtSystemLevel,
  EvtSystemTask,
  EvtSystemOpcode,
  EvtSystemKeywords,
  EvtSystemTimeCreated,
  EvtSystemEventRecordId,
  EvtSystemActivityID,
  EvtSystemRelatedActivityID,
  EvtSystemProcessID,
  EvtSystemThreadID,
  EvtSystemChannel,
  EvtSystemComputer,
  EvtSystemUserID,
  EvtSystemVersion,
  EvtSystemPropertyIdEND
} EVT_SYSTEM_PROPERTY_ID;

What are some ways/implements to eliminate SIEM noise?

Noisy events can be filtered in various ways:
- At the log aggregation point: overhead exists at the central point; easy to maintain and update
- At the endpoint: scales well by decentralizing filter overhead; requires strong asset management and change control
- At both the endpoints and the log aggregators

Need for endpoint logs

- Endpoint logs exist to tell what happened
- Level of detail and information is vast
- Multiple, specific data sources available
- Large amount of user-attributable data
- These logs are not just for operational use: useful for detecting compromised systems, for hunt teaming, and for piecing together what happened

Pro/Cons of endpoint log visibility

Endpoint visibility:
- A large number of devices; management is difficult
- Focused visibility footprint
- Broad focus (network, memory, processes, etc.)
- Many data points; time-consuming analysis
- Data is not encrypted at the endpoint (visible in the clear)

Underlying systems

- Endpoints can run on various operating systems
- Windows is most prevalent in enterprise environments
- Linux/Mac is common (Linux often used for servers)
- Understanding operating systems is important: necessary to know what to collect and filter, and helpful to perform informed analysis
- Data is a paperweight if you cannot interpret it
- Many free sources to help implement and understand

Facility and severity for Linux logs? Describe

Facility (0-23):
0 kernel
1 user
2 mail system
3 system daemons
4 security/auth
5 syslogd
6 line printer
7 network news
8 UUCP
9 clock daemon
10 security/auth
11 FTP daemon
12 NTP
13 log audit
14 log alert
15 clock daemon
16-23 local use (local0-local7)

Severity (0-7):
0 Emergency: system is unusable
1 Alert: action is needed
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant
6 Informational: informational messages
7 Debug: debug-level messages

Pro/con collecting desktop vs. server logs?

- Fear of collecting desktop logs is due to costs: if the cost of logs from a server is X, then the cost of 10,000 desktops must be X times 10,000
- Yet desktops log significantly less than servers
- Desktops generate fewer logs and filtering can be specific; only specific events need to be collected
- Key is to focus on tactical data only; volume of logs can be kept extremely low

How to implement some advanced SIEM filtering?

- Filtering does not need to be high-level
- Some events generate tons of traffic, but only a fraction of the logs actually matter
- Example: collecting new service creation events. You probably only care about new or blacklisted services, which means that 99%+ of logs are likely not to matter
- Machine A installs Chrome... Google Update Service #1; Machine B installs Chrome... Google Update Service #2

What are the 4 Windows event channel types

Four types: Admin, Operational, Analytic, and Debug
- Admin and Operational are most common (.evtx)
- Admin events consist of well-known and documented events
- Operational events are typically used for human analysis
- Analytic and Debug are often off by default (.etl) due to the high volume of events generated when enabled
- Often requires stopping the log prior to the ability to read events; possible to obtain while running using third-party tools

Who wrote sysmon and what can it do?

- Free download from Windows Sysinternals
- Written by Mark Russinovich and Thomas Garnier
- Runs as a Windows system service and device driver
- Monitors: processes, modifications of file creation times, network connections, process access, driver and DLL loading, raw disk access
- Provides process hashes and parent processes for analysis

What type of granular logging is available in Sysmon?

Granular logging is available via an XML config. Rules can include or exclude on:
- Path
- Process/Image
- Digital Signature
- Integrity Level

Linux audit example breakdown

Here's a breakdown of the events and logs:
1. The user with a user ID of 1000 logs into the system.
2. This user then runs the command "ifconfig".
3. Auditd generates the first log in this slide. It contains auid=4294967295 and uid=1000. The auid is a generated ID associating all session activity back to the original user, which is the user with the user ID of 1000.
4. The user with a user ID of 1000 then changes user accounts by running sudo su. Root has a user ID of 0.
5. This user then runs the command "ifconfig".
6. Auditd generates the second log in this slide. It contains auid=4294967295 and uid=0, showing that the action was performed as root (uid=0); yet the session and subsequent activity still trace back to user ID 1000. This can be traced by looking at the matching auid field.

What are the gains for finding and eliminating SIEM noise?

- Increases performance
- Increases analysis speed
- Decreases costs
- Is easy to do...

SIEM collection strategies - servers only.

Log All: input-driven; overwhelming amount of logs
Targeted: output-driven; significantly fewer logs (> 80% reduction)

Log collection review strategies

- Logs from both workstations and servers are important
- Do not force yourself into a single strategy for logging
- It is not difficult to support multiple levels of logging; this saves time and money
- Where possible, filter noise (regardless of collection strategy)
- Consider using a log agent for collection

Linux logging summary

- Logs in Linux are significantly different than Windows
- Syslog is the standard format for logs
- Built-in syslog agents such as rsyslog and syslog-ng are common in modern operating systems
- Open source applications are available to extend logging capabilities, such as Auditd and Snoopy

Audit account logon/logoffs

- Many attacks involve credential theft and reuse; therefore, tracking logons is critical
- Too many failed login attempts show brute force, misconfigurations, or password spraying
- Too many successful logins means the end is near... or that legitimate credentials are being used to crawl the network

How do Windows systems store logs?

- Modern Windows systems store logs as .evtx
- Contrary to the name, EVTX uses a binary format
- EVTX logs are the primary Windows log source
- Addition of XML allows for custom log schemas: applications can specify additional properties/fields, stored in the EventData/UserData sections
- It is possible to convert legacy .evt files to .evtx

Windows logs

Multiple built-in log sources exist across the Windows platform:
- 2003/XP and earlier use Windows Event Log (EVT)
- 2008/Vista+ use Windows XML Event Log (EVTX)
- 2000+ supports Event Tracing for Windows (ETW), used to generate Event Trace Logs (ETL); commonly used for debugging and troubleshooting; high performance and often uses memory buffers; 400+ trace logs in Vista and over 1000 in Windows 10

Nxlog capabilities

- NXLog works for both Windows and Linux; the configuration format is consistent between platforms
- Filtering capabilities are advanced
- Contains lots of functionality and commercial support
- Used as the example due to consistency across platforms; recommend evaluating it as well as other agents
- Used for demonstration, as the free agent tends to meet most organizations' requirements

Pro/Cons of network log visibility

Network visibility:
- A small number of devices; less to manage; easier to maintain
- A large amount of data
- Purpose-built for network
- Limited data points; allows for quick analysis
- Blinded by encryption

What auditpol.exe can do

Non-domain joined systems can be configured with auditpol.exe.
View the current system audit policy:
auditpol /get /category:*
Enable success and failure auditing for a subcategory:
auditpol /set /subcategory:"file system" /success:enable /failure:enable

Audit object access

Object access is one of the most misunderstood settings. For example, Audit File System does not log all file access. Object access controls logging for quite a few things. If you wish to audit files, registry keys, or network shares, you must enable the auditing capability first. For example, after turning on Audit File System, Windows gains the ability to audit things like files or folders being accessed, but only if a SACL is placed on them telling Windows what to audit. In the past, there was a wide misconception that enabling this would generate an event for every file accessed. This audit policy also controls things such as Windows Firewall logging to a log channel and file access on removable drives. In Active Directory, many things are considered objects (users, groups, files, folders, registry keys, etc.). This policy even controls certificate-related events.

What is syslog-ng?

- One common Linux syslog daemon is Syslog-NG
- Capable of handling 600K+ messages a second
- Enhanced with many filtering and custom parsing capabilities
- Contains many output modules, such as Elasticsearch, AMQP, and Apache Kafka
- Supports transport over TCP, UDP, SSL, and TLS
- Configuration file does not conform to the syslog format; the format is clean and easy to read, unlike the syslog format

Syslog background

- Originally developed in the 1980s by Eric Allman; initially designed for sendmail
- Limited feature set: basic output options such as console, file, or remote
- Facility used to classify logs and severity used to define log level
- Syslog often used by network devices; typically only supports UDP transport (default port 514)
- Modern systems use rsyslog or syslog-ng

Linux audit example

PID is the process ID of the executable; PPID is that of the parent process. UID is the user ID of the user. AUID is the audit user ID (tracks actions against the login even if the user changes with su or sudo).
type=SYSCALL msg=audit(1483384182.643:128): arch=c000003e syscall=59 success=yes exit=0 a0=1765008 a1=1758108 a2=18e1008 a3=7ffeb4617ec0 items=2 ppid=3165 pid=4565 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts9 ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" key=(null)
type=SYSCALL msg=audit(1483384111.147:144): arch=c000003e syscall=59 success=yes exit=0 a0=5639061d8e78 a1=5639061def28 a2=5639061d86a0 a3=7ffd5c3bd7e0 items=2 ppid=4566 pid=4567 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" key=(null)

How to generate a custom Windows log with PowerShell

PowerShell makes writing custom logs easy: simply use Write-EventLog to generate a custom log. If you want a custom channel, first use New-EventLog to create it and register the source:
New-EventLog -LogName MyCustomLogs -Source "MyPSLogger"
Write-EventLog -LogName MyCustomLogs -Source "MyPSLogger" -EventId 31337 -EntryType Warning -Message "Sec555 is too cool to handle"
This can be used to generate logs that even basic log collectors can collect, and may remove the need for special log agents.

What can Linux auditd do?

Provides a customizable Linux Auditing System. Monitors:
- File access
- System calls
- Security events (such as failed logins)
- Program execution
- Network access
- File changes
Granular monitoring allows advanced use cases, but also adds complexity and performance overhead.

SIEM agent/agentless ways to collect logs?

Recommend using a log agent over agentless collection: either a built-in agent (Windows Event Forwarding) or a third-party agent (commercial SIEM agent, NXLog, Beats, etc.). Things to consider:
- Filtering capabilities
- Functionality and flexibility
- Management overhead

What is rsyslog?

- Rsyslog stands for rocket-fast system for log processing
- Supports the original syslog configuration format
- Handles 1 million messages per second to local destinations
- Contains many capabilities and features similar to Syslog-NG; however, performance is faster, especially with filtering and parsing
- Yet syntax can be hard to read and write
- Supports a highly reliable transport method called RELP (Reliable Event Logging Protocol)

Security compliance manager (SCM)

- Security Compliance Manager is a free tool from Microsoft
- Used to evaluate and implement security baselines
- Creates/compares baselines vs. group policy objects (GPOs)
- Recommends audit policy settings and, more importantly, explains why
- Microsoft places emphasis on denial of service via logging
- Recommendations are suggestions; tune to your environment after reading the SCM setting reasoning

What are some 3rd party Linux logging programs?

Similar to Windows, there are third-party programs that can provide additional logging:
- Linux Auditing System - an access monitoring and accounting system maintained by Red Hat
- Snoopy Logger - a command line logging tool
- Scripting can also be used to create logs
- Other third-party programs exist

Windows PowerShell tuning

Some channels default to off, and group policy does not have the option to enable them. But group policy and asset management tools can invoke PowerShell, and enabling extra logging via PowerShell is as simple as:
$logName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
$log.IsEnabled = $True  # change to $False if disabling
$log.SaveChanges()
PowerShell is also great for dynamically tuning systems.

Additional Windows logging that is recommended

Sometimes additional logging is necessary or recommended. This can be achieved through:
- Writing and using PowerShell scripts
- Developing custom applications, drivers, or services
- Installing third-party programs
A common and free program that provides additional logging is Sysmon by Windows Sysinternals.

Primary Linux logging method and where logs go

- Syslog is the primary method of logging for Linux/Unix
- The default behavior is to listen using a local socket
- Multiple syslog daemons exist
- Default log location is /var/log/; file names such as auth or kern specify the log category
- Log level is specified by severity in the daemon configuration
- The daemon can be configured both to accept and to send logs

Syslog priority

Syslog messages sent over the network store facility and severity in the computed PRI field. PRI is 1-5 characters surrounded by <>, for example <189>.
Facility = PRI / 8, rounded down to a whole number. Example: 189 / 8 = 23.625, so facility = 23 (local7).
Severity = PRI - (Facility * 8). Example: 189 - (8 * 23) = 5, so severity = 5 (notice).

What do system call rules do?

System call rules monitor system calls from processes or users. In this slide, the first custom rule is an example of a system call rule. It takes place after the -D and -b control rules.

Linux audit.rules composed of 3 types of rules

The audit rules file is composed of three types of rules: control rules, filesystem rules, and system call rules. Control rules are used to define configuration settings for the audit system.

EVT vs. EVTX Fields

The key takeaway is that EVT has fixed fields. EVTX defines the old EVT fixed fields as main properties and then allows the EventData/UserData section to have additional properties (fields).

Viewing sample EVTX logs

The top breaks out the System Properties section. These are the main fields for every event. The bottom shows the EventData section. This is where custom fields such as New Process Name are stored. To view the XML of a Windows login to a Vista or later operating system first open Windows Event Viewer and then open the log you wish to analyze. The log will have a tab for General and a tab for Details. Click on Details and then switch from Friendly View to XML View.

Pro/con of SIEM hybrid collection approach

- There may be value in new or unknown logs; no collection means no capability for future use
- Yet collecting everything is not cost effective
- A good approach is to collect everything and analyze; frequently occurring events that do not add value should then be omitted
- This should become an ongoing process
- This methodology can also aid in lowering compliance costs

Syslog config example

This example is from the default Ubuntu 16.04 rsyslog configuration file. The traditional syslog format is compatible with the newer rsyslog format. This example follows the traditional syslog format for specifying what gets logged and where. The left column specifies the facility and severity levels to log, and the right column specifies the destination.

auth,authpriv.* /var/log/auth.log
This takes any logs with a facility of auth or authpriv and sends them to /var/log/auth.log. The asterisk means all severities.

authpriv.=warning @1055510
This takes any logs with a facility of authpriv and a severity of warning and sends them over UDP port 514 to 1055510. The equals sign specifies an exact match on severity, so only a severity of warning will be included.

cron.info /var/log/cron.log
This takes any logs with the cron facility that have a severity of info or lower (more severe) and writes them to /var/log/cron.log.

*.info /var/log/verbose.log
This takes any logs with any facility that have a severity of info or lower (which would include everything from info through emergency) and writes them to /var/log/verbose.log.

cron.warning /var/log/cron.log
This takes any logs with a facility of cron and a severity of warning or higher (error, critical, alert, or emergency) and sends them to /var/log/cron.log.

kern.* -/var/log/kern.log
This takes any logs with a facility of kern and any severity level and sends them to /var/log/kern.log. The dash before /var/log/kern.log means that syslog does not have to flush the log to disk after each log. This is used for log files that receive a lot of logs, because having to confirm each write to disk could cause unacceptable performance issues. However, should a system crash with this setting enabled, it is possible that logs may not yet have been committed to the log file and thus can be lost.

Remote location -- Advanced setup

This slide demonstrates a more advanced deployment for log collection. In this case, the remote location is using log agents to forward logs. One system at the remote location is running NXLog, and all the local systems are sending logs to it. This includes the remote switch and remote firewall. It then takes these messages and forwards them on to the log aggregator. Because of this, if the Internet or VPN goes down, NXLog will buffer logs until they are back online. In this case, even the syslog messages will not be lost. This architecture also has a few added benefits. For one thing, it lowers the number of network connections the log aggregator has to handle, increasing overall performance. Also, it easily allows for per-location processing and augmentation. Then, since all the logs pass through NXLog, encryption, compression, etc. can be applied to all logs from NXLog onward. Note that this layout also works for Windows systems using Windows Event Forwarding. NXLog Enterprise can also act as a Windows Event Collector. When in this mode, it can be configured to accept messages forwarded from systems. It does not support pulling logs as an Event Collector but can be configured to do so over WMI (not recommended). The best part about NXLog as an event collector is that it still supports HTTPS and Kerberos authentication. The downside is that the same XML used to create an event log subscription must be used to tell endpoints what to send over. Once the logs are collected, NXLog can process them like normal.

Remote location - log agents

This slide demonstrates a traditional setup for log collection using log agents. In this diagram, agents on the Windows or Linux desktops and the single server forward logs across a VPN to a log aggregator. The remote switch and remote firewall would merely send logs to the log aggregator over syslog UDP port 514, because not all devices support log agents. This is a traditional setup and is simplistic in nature. Simply make sure the firewalls allow traffic from the remote site over to the log aggregator, and things should work. The main downside to this layout is that the switch and firewall use standard syslog over UDP. In the event the Internet or VPN tunnel goes down, logs from the switch and firewall will be lost. Occasionally, central management software for firewalls and switches includes a special non-syslog method for collecting logs, but unless that is the case, logs can be lost. The advantage is that it is easy to maintain: simply deploy agents to Windows and Linux systems and configure syslog devices to forward logs. In this design, all logs point to the same log aggregator. While this slide shows Logstash and Elasticsearch on the right, the architecture is the same for other SIEM products.

SIEM Collection strategies -- all endpoints

This slide is a visual demonstration of the two main collection strategies in regard to Windows. This slide represents monitoring both servers and desktops. When following the input-driven (collect everything) strategy, the inclusion of desktop systems is cost prohibitive. In this case, approximately 80-90 percent of logs are likely to come from desktops. For organizations that historically only collect logs from servers, this could increase costs by almost ten times. On the other hand, following an output-driven (collect only specific events) strategy is likely to have minimal impact when adding workstation logs. With this strategy, workstations will often represent a small percentage of the total logs.

What is 2 step process to collect logs using Windows event forwarding?

Collecting logs using Windows Event Forwarding is a two-step process:
1. An event collector must be set up.
2. Then, either the collector must be configured to pull events, or endpoints must be configured to push events. GPO is used to tell endpoints what logs to push.
Configuration of event selection is similar for push and pull. The end destination is intended to be Windows, not a SIEM.

What are two windows event forwarding subscription options available to configure?

To set up which logs to push/pull, an event subscription must be created. When doing this, two options are available: the GUI (shown on the left) and custom XML (shown on the right). While the GUI is easier to use, it is also basic in nature. To do more advanced things, such as looking for login attempts to the local machine using a non-domain account, requires the use of XML.

Why are desktop logs sometimes not collected by in SIEM?

Today, client-side attacks are more common, which means the attack occurs at the desktop. Yet the cost of desktop logs is considered too high. If the strategy is to collect everything, that is true. If the strategy is to stay nimble and tactical, it is more expensive not to log ... If desktops are the main point of attack ... you might need them.

SCM account management

Used to track changes to groups, users, and computers. Needed to monitor key groups for modifications, such as new members added to Domain Admins. Powerful when combined with a change control system.

SIEM tactical vs. total strategies

Visually, it is easy to see the difference between input-driven (all-inclusive logging) and output-driven (selective logging). This slide visually represents how much data would need processing depending on the model of collection. For example, if you were to collect only the desktop logs that you knew were useful, they, collectively, will still be much smaller than the logs from servers only.

Pro/cons Windows and Linux logs

Windows: Many desktops and servers. Proprietary logging (EVT, EVTX, ETL). Logging control via Group Policy or Local Policy and PowerShell. Use of Sysmon or other applications. Linux: Mostly servers and cloud hosting. Syslog logging. Logging control via syslog configuration and scripting. Use of Audit or other applications.

How to manage Windows logging

Windows audit policies control what to log. They can be defined locally or centrally through group policy. Audit policies are broken down into log categories. Logging is enabled by selecting to log the success or failure of an event's occurrence. Additional logging = additional overhead.

What is blind drop Windows event forwarding?

Windows event forwarding cannot ship file logs; it only handles native Windows events. A business requirement may require no third-party agents. This can be handled by using a blind file share, which requires a single file server to have a third-party agent or PowerShell script. The share is created with write permissions only, and log files are then saved to this share.

Windows logging summary

Windows logs come in multiple formats: EVT, EVTX, and ETL. Current operating systems use EVTX, which is XML-based. This allows for unlimited fields and granular logs. What gets logged is controlled by audit policies. Custom logs can be created by software or scripts, such as with PowerShell.

Event tracing for Windows ETW

Windows natively supports system tracing. Trace logs are stored as .etl files. Provides kernel-level, high-performance monitoring. Disabled by default due to performance and the number of events. May require disabling in order to view events. Potential capability for deep system-level monitoring. Trace files can be standalone or registered to a channel.

Xml field structure

XML contains mainstream fields. EventData and UserData are further structured into other XML fields (infinite possibility of fields). XML does not require traditional parsing... Older collection methods (syslog) may cause visibility loss. For example, logs from 10 Windows devices are likely to have over 500 fields. Use of the XML structure provides robust logging capabilities.
