1. Understanding the Event Log for a more secured environment Dave Millier Chuck Ben-Tzur

2. Overview Introducing the Event Log Why Monitor Logs Enabling Event Logging Real Time Monitoring Example: Security Log Tampering Auditing and Analysis Archiving Events Example: File Modification Investigation Event Log Limitation Vista Event Log Example: Creating Log File Using Event Triggered Tasks Resources and Questions

3. IntroducingEvent Log Centralized log service to allow applications and the operating system to report events that have taken place. Introduced with Windows NT 4 (1993). Main Windows Logs Application (example: Database message) System (example: driver failure) Security (example: Logon attempt, file access) A Windows 2003 domain controller will also include Directory Service (example: Active Directory connection problem) File Replication (example: domain controller information updates) DNS Vista has introduced a lot of changes

4. Why Should We Monitor Logs We dont NEED to We HAVE to Organizations are obligated by regulations to gather and audit systems activity logs. HIPPA (Health Industry) Regulatory review of system activity to ensure that a user information remains private but accessible Identify, respond and document security incidents GLBA (Financial) Dual control procedures Segregation of duties SOX (Financial) Record Retention and availability Accountability

5. Why Should We Monitor Logs (cont.) To comply with the regulations organizations require the following forms of log monitoring Real-time monitoring Identify attack attempts in progress and if a security breach has occurred. Audit and analysis Periodic reports and analysis for regulation compliance (due diligence). Archiving Again regulations compliance (log retention) Forensic investigation of an incident The event log should also enable the organization to implement internal security policies.

6. Enabling Event Logging Each event category is controlled by audit policies: Account logon events (for domain accounts) Account management (group and account events) Directory service access Logon events (local machine events) Object access (user accessing an object such as file, folder, printer) Policy change (changes in the audit, user rights and trust policies) Privilege use (user exercising one or more of his rights) Process tracking (detailed tracking information) System events (events that affect the system security or log) Each policy can be set to audit success events only, failure events only, success/failure events, or no auditing at all.

7. Audit Policies (Member Server)

8. Real-Time Monitoring Successful events that grant the user high level privileges (either by spoofing identity or elevation of privileges) Events to monitor Successful high profile user account / group management events #636 Group member added or removed Successful logon events of high profile user accounts #680 Logon attempt Successful logon events to a domain controller Operations on specific high profile resources (files, folder) #560 (Object Access), #564 (Object Deleted) Successful policy change events #612 Audit Policy Change (logs no more) All system events #517 security log was cleared

9. Example: Event #517 (Clear Security Log) Security Log

10. Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs

11. Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs (and not event save it)

12. Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs A New Event is Created

13. Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs A New Event is Created The Event Contains the User Name

14. Real-Time Monitoring (cont.) Tracking and analysing event failure patterns may indicate a range of malicious attack attempts Failed logon activity (e.g. brute force attack) #675 Pre Auth, failed with Kerberos code 24 (Bad password) #539 - logon failure due to account lockout (if systematic may be an indication of DoS) Failed account management activity (e.g. password reset events) All failed system events #517 Audit log cleared Note: Most of the auditing policies, by default, are set to log successful events only. Local policies may be set to no auditing at all.

15. Real-Time Monitoring (cont.) Possible issues Flood of events (domain controller and member server event duplication, detailed tracking events) Solution: Consolidate log information for better analysis Unmonitored systems (e.g. unaudited events on a file server) Solution: Threat modeling, identifying assets in organization Unmonitored events (detailed user and process activity) Solution: Organization security program and policies False positives due to configuration problems (e.g. expired service password) Solution: Knowledge of the network, components and assets (Human Factor)

16. Auditing and Analysis Most regulations require a periodic review of important events (not critical or show stoppers) for two reasons: A second chance to reveal malicious activity originally undetected (and unaccountable for). Audit the ongoing activity to verify no major changes have taken place. The data is usually reviewed in the form of reports (detailed and summarized) Example of Events to Monitor (A short list) #529 to #535 and #539 Logon failure (different reasons) #629 User account Disabled #644 User account Locked Out

17. Auditing and Analysis (cont.) Possible issues Finding a critical event that was not detected by the real-time monitoring processes Solution: Investigate the incident to eliminate or mitigate any results of malicious activity. Duplicated events (Domain controller and Local Server) Solution: Correlate and consolidate events using external system Lack of security policies to help and identify events to be audited (e.g. Messenger) Solution: Define security policies to determine which event types need to be audited on a regular basis. Report requirements are unclear and affect the log detail level Solution: Define auditing processes to determine what type of logs and details are required (TIP: when in doubt, use graphs)

18. Archiving Events Event Archiving is done for two main reasons: Log retention compliance (e.g. SOX) Forensic investigation of a security incident (chain of evidence) In general, all system events should be logged. However, by default, not all audit policies are set to generate logs. In particular, detailed tracking of high profile objects (such as files, folders, printers, etc.) is turned off by default. A common misconception is that regular object access events provide this information.

19. Example: Detailed Event Tracking Detailed Event tracking can include the following events: #528 Successful Login (The user authenticate to the system) #592 A new process has been created (application is launched) #560 Object Open (a file is requested) #567 Object Access (the file is modified and saved) #564 Object Deleted #562 Handle Closed (the file has been closed) #593 A Process Has Exited (the application was terminated)

20. Example: Detailed Event Tracking Enabling Audit Policies Object Access Logon (Local and Domain) Privilege Use Process Tracking

21. Example: Detailed Event Tracking A Very Important Folder (e.g. sensitive document on a file server)

22. Example: Detailed Event Tracking A Very Important Folder (e.g. sensitive document on a file server) The folder contains files we wish to monitor (compliance, sensitive information, etc.)

23. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself

24. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced

25. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab

26. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add

27. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add

28. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited

29. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited Select the events to audit (Read, Write, Delete)

30. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited Select the events to audit (Read, Write, Delete) Each user/group will require additional settings

31. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40

32. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39

33. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 Filter who was logged in during that time

34. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D

35. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916

36. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644

37. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644

38. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39

39. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed

40. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed Excel Process (2916) Terminated

41. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed Excel Process (2916) Terminated Matching Modification Times

42. Archiving Events (cont.) Possible issues Volume of events (can reach several million events a day from a busy server) Solution: Transfer logs to long-term storage (compressed, digitally signed, etc.) Lack of security policies to help and identify events and processes to be audited (e.g. Messenger) Solution: Define security policies to determine which processes and their relevant events need to be logged on a regular basis. The event logs are just a portion of the chain of evidence Solution: Define auditing processes to ensure that all the required logs are being gathered and associated (e.g. a unique ID or a time stamp). For example: associate firewall logs through the Windows event logs and to the database logs.

43. Know Your Event Log Limits Size matters (and its never enough) Solution: For long term logging, use an external storage system.

44. Know Your Event Log Limits (cont.) Log Analysis and correlation (especially when using automatic systems like SEM and SIM) often result in a large number of false positives. Solution: Knowledge of the network and assets to refine alerts, ongoing tuning Logs are a detective measure and are not an IPS (Intrusion prevention system) on their own Solution: Vista has a partial solution. For complicated responses, leverage external solution to gather and analyze logs Not all events are logged on the domain controller. These events require a log gathering process Solution: Vista has presented a solution. Otherwise, use external log gathering system.

45. Know Your Event Log Limits (cont.) Security event logs monitor only the authentication and authorization mechanisms of the operating system. Solution: Most applications write (or should) logs to the Windows event log. These logs can be used to enhance the monitoring capabilities. Custom application logs neglect to provide information regarding the log details or the severity or of the event. Solution: Educate your developers, develop an API, buy something better

46. Vista Event Log More More Event Categories Sources

47. Vista Event Log Redesigned

48. Vista Event Log Redesigned XML Based

49. Vista Event Log Redesigned XML Based Simple to Understand

50. Vista Event Log Redesigned XML Based Simple to Understand.

51. Vista Event Log Redesigned XML Based Simple to Understand..??

52. Vista Event Log Redesigned XML Based Simple to Understand.

53. Event Log Tasks (Vista) Select an Event

54. Event Log Tasks (Vista) Select an Event to open the Wizard

55. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic)

56. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action

57. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action e-mail settings

58. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action

59. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Launch a process

60. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings

61. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings A New Task is Born

62. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings Task Created Task is Visible in the Task Scheduler

63. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings Task Created Task is Visible in the Task Scheduler (new Tasks Category)

64. Event Log Tasks (Vista) Problem: Basic Task Event Details are pre- defined.

65. Event Log Tasks (Vista) Problem: Basic Task Event Details are pre- defined. The next example will: Trigger on successful logon events of a specific group Create a file with a list of users that logged on Highlight username with Admin string

66. Event Log Tasks (Vista) Create a New Task

67. Event Log Tasks (Vista) Create a New Task Select the User Group

68. Event Log Tasks (Vista) Create a New Task Select the User Group Triggers Tab > New

69. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event

70. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom

71. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter

72. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter Select Event Logs

73. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter Select Event Logs (Multiple Logs!)

74. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) and Keywords

75. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) The trigger is saved as XMLQuery (Can be modified)

76. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) The trigger is saved as XMLQuery (Can be modified) The Task Action will be Select a Program

77. Event Log Tasks (Vista) This VB script search for Admin string in the logged user name and add a notes beside it.

78. Event Log Tasks (Vista) The output of three different users logging to the machine

79. Event Log @ Vista New Event Viewer (interface) Over 50 new Event categories Over 2400 policies (over 1000 in W2K3) XML based Events are still written locally Critical Events can be forwarded Expanded to serve as single location for all events (using Windows Remote Manager) Events can launch system tasks

80. Resources TechNet Auditing Overview (http://technet2.microsoft.com/windowsserver/en/library/768463f6-02b9-4e5e-af55- 29c089ade6381033.mspx?mfr=true) EventID.net (http://www.eventid.net/search.asp) Randy Franklin Smiths Windows Security Log Encyclopedia (http://www.ultimatewindowssecurity.com/encyclopedia.html)

81. Company: Private Canadian company Toronto based Providing Security consulting and networking solutions for over 10 years Business model focused on delivering timely security information to all areas of an organization (CEO down to administrator) Dynamic, agile response to client needs Experience with customers in multiple verticals Experienced management team Consistent Approach: Provide snapshot security information for senior executives Provide detailed security to-do lists for follow-up by onsite personnel Proven & Scalable Solutions: Phased Delivery method ensures client satisfaction Successful deployments with large organizations Clients need fewer in-house qualified security professionals Minimize manual, mundane daily client tasks Leverages both Proprietary and Industry Best-of-Breed Technologies Extensible Framework: Adheres to ISO 17799 Framework, Security & Industry Best Practices The Sentry Dashboard is an enabler for any security subsystem Can be adapted to present information from non-security sources (network availability and trending, HR reporting, etc.) Engages all areas of an organization, from Senior Executives and security officers, to hands-on systems and network administrators

82. Questions?