
What To Look For In Windows And Firewall Logs


Valsacar


So, I was reading Mubix's blog a little while back and he wrote about how PSEXEC shows up in the event log. It got me thinking: why can't I find a list anywhere of things like that which should be red flags in event (and other) logs?

Anyone care to help build such a list?

I'm starting off with what Mubix mentioned (though, I'm sure it will get changed later) and another obvious one.

Windows Server 2003 Event ID 552 - when someone uses something such as RUNAS. It could be a sysad doing their job or an attacker doing something else, but it's worth looking into.

What other things can we all think of? Assuming a network that has a centralized log management server, so all server logs (say Windows 2003/2008 and maybe some Linux or Solaris ones) can be easily alerted off of, as well as firewall events. Anything that's an obvious red flag (like PSEXEC) or warrants further research.


Problem is, PsExec is a legit tool for sysadmins to use as well - http://technet.micro...s/bb897553.aspx - so if you flag it as a possible attack, you could be chasing your tail in circles. A lot of things we do require auditing, and that's one reason you hire consultants, or in-house people, to have things in place to check for this sort of stuff. If you monitored every time it's used across your entire LAN/WAN, it would become pretty difficult to distinguish between legit and illegitimate uses if you blindly viewed all usage of the tool as possible breaches. If you had a policy in place that forbids the use of it, and event logging and alerts set to notify admins of its possible event, that would be a different story, but lots of admins use tools like that on a daily basis, so you would need a way to differentiate between the good and the bad times it's used.

Edited by digip

Ah, well I was thinking of a relatively mature organization where all actions are logged in some sort of tracking system (trouble tickets, or the like), where it would be fairly easy to know if it's legit or not. So in the example of psexec, a quick search of the ticket/work log system would tell me that a sysad is working on those systems, and therefore it is pretty safe to assume that it's not an attacker. Of course, if it's not in the logs it would require further investigation, but that's kind of the point of this exercise: identify specific log entries that definitely warrant looking into vs. those that are pretty benign. For example, if I were to audit logon events (which is a good thing to log, if something comes up later) I wouldn't want to investigate each one, as that would be a huge waste of time and resources. Something like psexec, or 552, would be relatively easy to deconflict if you had a good, centralized tracking system of all admin-type work.


Well, if you limited use of PsExec to change control notifications, or required as part of policy that any admin who uses the tool send out a Change Control notice to all admins/management, you definitely can mitigate loose ends. Then, in the event one is logged and no change control was issued, you investigate. I'm sure there is a way to hook into the event viewer and use some group policy/audit fu to build out a notifier for admins to monitor certain event IDs. I'd never given it much thought, and I haven't touched a Windows server in years; since I started my own business working from home, I don't really mess with that stuff any more. Technet might have something on how to set that up though. I mean, what's the point of logging an event ID if you can't hook into that for audits or admin alerts to severity issues concerning a server or workstation? So I'm sure something exists to do what you want.

Edited by digip
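The triage the two posts above describe (flag the event, then check whether a change ticket covers it before investigating), as an added example that is not part of the original thread or of any poster's own code. It runs two red flags over constructed forwarded log lines: Event ID 552 from the first post, and a service-installation event naming PSEXESVC, which is how a PsExec session shows up (Event ID 7045 on Vista/2008 and later, 601 on Server 2003; these IDs and the service name are standard Windows values the thread does not itself cite). The line format, the ticket fields and all sample data are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed forwarding format for this example (not any real product's format):
#   <ISO timestamp> <host> EventID=<id> User=<domain\user> Msg=<free text>
EVENT_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) User=(\S+) Msg=(.*)$")

# Red-flag event IDs. 552 is the one from the thread (Server 2003: logon with
# explicit credentials, i.e. RUNAS or PsExec -u). 7045 (Vista/2008+) and 601
# (Server 2003) are the service-installation events where PSEXESVC appears.
EXPLICIT_CREDS = {552}
SERVICE_INSTALLED = {7045, 601}


@dataclass
class Event:
    when: datetime
    host: str
    event_id: int
    user: str
    msg: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one forwarded log line; return None for lines we do not understand."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, host, eid, user, msg = m.groups()
    return Event(datetime.fromisoformat(ts), host, int(eid), user, msg)


def classify(ev: Event) -> Optional[str]:
    """Name the red flag an event raises, or None if it is routine (e.g. a plain logon)."""
    if ev.event_id in EXPLICIT_CREDS:
        return "explicit-credential logon (RUNAS/PsExec -u)"
    if ev.event_id in SERVICE_INSTALLED and "PSEXESVC" in ev.msg.upper():
        return "PsExec service installed"
    return None


def find_ticket(ev: Event, tickets: list) -> Optional[str]:
    """Return the change ticket covering this host, account and time window, if any."""
    for t in tickets:
        in_window = (datetime.fromisoformat(t["start"]) <= ev.when
                     <= datetime.fromisoformat(t["end"]))
        if t["host"] == ev.host and t["user"].lower() == ev.user.lower() and in_window:
            return t["id"]
    return None


def triage(lines: list, tickets: list) -> list:
    """Run every line through the red-flag rules and deconflict against change control."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        flag = classify(ev)
        if flag is None:
            continue  # audited but not alerted on: nobody wants to chase every logon
        ticket = find_ticket(ev, tickets)
        findings.append({
            "when": ev.when.isoformat(), "host": ev.host, "user": ev.user,
            "flag": flag, "ticket": ticket,
            "action": "covered by change control" if ticket else "investigate",
        })
    return findings


# Constructed sample events, as a central log server might forward them.
SAMPLE_EVENTS = [
    "2012-03-01T09:05:10 FS01 EventID=552 User=CORP\\jsmith Msg=Logon attempt using explicit credentials, target CORP\\svc_backup",
    "2012-03-01T09:06:42 FS01 EventID=7045 User=CORP\\jsmith Msg=A service was installed in the system. Service Name: PSEXESVC",
    "2012-03-01T23:40:03 DC02 EventID=7045 User=CORP\\bob Msg=A service was installed in the system. Service Name: PSEXESVC",
    "2012-03-01T23:41:15 DC02 EventID=552 User=CORP\\bob Msg=Logon attempt using explicit credentials, target CORP\\Administrator",
    "2012-03-01T10:15:00 WEB01 EventID=528 User=CORP\\alice Msg=Successful logon",
]

# Constructed change-control tickets: who is expected to do admin work where and when.
CHANGE_TICKETS = [
    {"id": "CHG-1001", "host": "FS01", "user": "CORP\\jsmith",
     "start": "2012-03-01T08:00:00", "end": "2012-03-01T12:00:00"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, CHANGE_TICKETS):
        print(f"{f['when']} {f['host']:6} {f['user']:14} {f['flag']:45} -> {f['action']} {f['ticket'] or ''}")
```

On the sample data, the two FS01 hits fall inside CHG-1001 and are marked as covered, while the two DC02 hits late at night have no ticket and come out as "investigate"; the plain logon (528) is parsed but never alerted on. In practice the ticket match would be a query against the ticketing system rather than a list, and the time window should include some slack on either side of the scheduled work.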
