
Windows Event Forwarding and OSSEC — You can do this!

BSides Augusta · 2018 · 30:06 · 436 views · Published 2018-11 · Watch on YouTube ↗
Tags
Category: Technical
Team: Blue
Style: Talk
About this talk
Robert Wilson (@frcolumba) – Windows Event Forwarding and OSSEC – You can do this! Most organizations in the United States are small, and many can't afford MSSPs or SIEM solutions. In some cases there may be only one administrator for a small business, and they want to take additional steps to secure their organization. Using native Windows tools and the open-source HIDS OSSEC, we will cover setting up Windows Event Forwarding to a collection server, customizing OSSEC for a modern Windows environment, and tuning rules to gain client visibility. We will then look at using OSSEC for detecting current techniques like AppLocker bypasses, PowerShell logging, and modern Windows tools like Defender Controlled Folder Access blocking and Network Protection. All of this will cost you nothing other than using your brain, some virtual machines, and whatever hardware you need – which you probably already have.
Transcript (en)

Good afternoon. We're going to talk Windows Event Forwarding and OSSEC today. So the first thing that I want to talk about is why specifically I wanted to talk about this. So one of the things about BSides Augusta is that, coming here over the last several years, there's a lot of defensive talks, and there's a lot of people who are students or maybe starting off in their career, and you come to this conference. So I wanted to kind of pick something that I think a lot of people can do, and the title for this presentation is "You can do this." So, just by a show of hands: an organization that has less than, let's say, a thousand employees? Okay, so maybe half. Is anyone here supporting less than maybe 200? Okay, all right.

So a lot of the presentations that you see, and if you're on Twitter and you are going to other conferences, people are talking about supporting organizations that have 10,000 endpoints. Those types of techniques might not be applicable to what you do. So the unfortunate thing that happens is, once you start engaging with the community, there's this thing called the perfection fallacy, or the nirvana fallacy, where if your solution doesn't fix everything, someone is going to show up and say "but that doesn't scale," or "that's not going to fix this problem." It always comes up with patching, right? So the WannaCry stuff, the MS17-010: some people come out and say "just patch your machines," and somebody immediately comes out and says "you don't know my environment." Well, you're the best person to understand your environment. And people coming out and talking about that, immediately responding back with this perfection fallacy and all that kind of stuff, is like us having a health care discussion where I say everyone needs to wash their hands, and someone comes up immediately and says "washing your hands doesn't cure cancer." Right? It's not helpful.

So given that, specifically in the United States, the vast majority of organizations are actually really small. In my professional career I support an agency that does economic development, and a lot of the people that we interact with are actually really small. So the ten thousand endpoint thing doesn't represent you trying to do security for an accounting firm in Augusta, Georgia where you have 250 staff members, right? So the other thing that happens is, a lot of times, especially in smaller organizations, IT is responsible for security, or there might only be one security person, or some combination of things like that. So one of my arguments also is that the vast majority of the things that you do with security are directly applicable to traditional IT, right? So you have the CIA triad, which is just fancy... that's the other thing that happens during presentations, there's lots of acronyms, right? The CIA triad: confidentiality, integrity and availability. Integrity and availability is a direct IT responsibility, right? Machines go down, IT is responsible for it. So security things don't necessarily have to be so separated from security until you start to get into these big-scale things and separation of duties and all that kind of stuff, right?

So the other thing that's important is to begin to really understand what's normal in your environment, and doing things like monitoring endpoint logs, which is primarily what I'm going to talk about, is one of the best things that you can do. So we just had an excellent presentation in this room from people doing red teaming, right? Those techniques that they were using would have lit up the majority of environments that are doing endpoint monitoring, if those people also look at what's normal on your network. So using the theoretical example of the accounting firm in Augusta: how many times is someone that works in an accounting firm going to run whoami? Never. It's highly unlikely they're even going to run the net command. So once you determine what's normal for your environment, with techniques like endpoint monitoring, my argument is that you should immediately alert on things like whoami, net, the scheduled tasks stuff, netstat, netsh. Those are not normal things for end users. When's the last time that you sat down at someone's desk to, you know, do whatever, especially if you come from a helpdesk background and then went into security? An executive vice president of a corporation isn't going to sit down and type dir.

So everything that I'm going to talk about is "free," meaning that it's either built into Windows or it's an open-source free project. And this idea that you can do it is primarily that, like what Dave Kennedy was talking about this morning, y'all are the person that's eventually going to make the decisions about these things, right? So you want to automate as much as possible to bubble up to the person that determines what's normal for your environment.

So why me? A lot of people view the about-me thing... so what I specifically wanted to talk about is why I consider myself someone that can talk about this topic. I have a lot of experience with Windows. I started off in the NetWare days with Windows 3.1 and NT 3.5 and all that stuff. I'm one of those Gen X Slackware Linux people who used it when you could burn up your monitor and destroy your hard drive or whatever. I like to take tests, so that's the GIAC stuff. As I said, I'm an IT Director for a state agency for the state that is across the river, and I don't work for the Department of Revenue in South Carolina; some of you will know why that's funny. I use Windows Event Forwarding and OSSEC every day.

So the first part is the Windows Event Forwarding, right? So how many people use Windows Event Forwarding now? Not very many, okay. So Windows Event Forwarding is built into the operating system. A lot of people have talked about this over the last couple of years, and there's a variety of reasons for it, and one of the primary things is that because it's built in, it doesn't require an agent. Those of you who have Active Directory domains, which is probably going to be all of you: these configurations can happen via Group Policy. So basically what you're doing is you're setting up a Windows Event Collector server, which we'll talk about a little bit more in a minute, that the clients are going to send their logs to. So given that this is a lightning talk and we're going to have a ton of time to get into technical detail, what I wanted to really emphasize is to learn from people that do this all the time. So the NSA's IAD, which now is just Cybersecurity or something, they changed a lot of their names, created a paper five years ago maybe, "Spotting the Adversary with Windows Event Log Monitoring." It's an excellent paper. The Australian Signals Directorate also has one. It gets into what the actual group policies are that you need to set up in order for this to work, all the way down to what types of events you want to subscribe to and what the reason is for subscribing to those events. Jessica Payne works for Microsoft; that's her Twitter handle, @jepayneMSFT. She has a presentation called "Monitoring What Matters." It's a video where she talks about Windows event monitoring. She also is the sponsor of this thing called the WEFFLES project, which is probably... I mean, it is a Microsoft tool that's used, but it's not something that you can buy on its own; it's on GitHub. And then Palantir: regardless of what you think about the work that Palantir does, the internal Windows team at Palantir is awesome. So they have a GitHub which has everything that they use event forwarding for, in addition to some papers on how to set it up. All of these papers are going to be similar to the NSA paper; the Palantir paper is a little bit newer. They're actually using this to monitor in the neighborhood of 10,000 endpoints, I believe. So even though I'm talking about using it at a smaller scale, it is scalable. Microsoft's recommendation is do not put more than 10,000 endpoints on one collector. So if you're supporting 250 machines, it only requires one VM.

So the other thing is OSSEC, right? So a lot of you... anyone use OSSEC or know about OSSEC? Okay. This has been around for quite a while; it was originally written by Daniel Cid. It's all log-based. It's a host intrusion detection system. It's basically reading logs off of whatever device the logs come from and then performing some kind of action. So the majority of the time what that's going to be is an alert, although on the Unix-based ones, you know, Linux, BSD, it can fire off active response. So if you're using it on a web server you can use it to write to iptables. There is some stuff that you can do in Windows, but it doesn't work very well. So the server is Linux-based, generally. The Windows client... Windows is the only thing that requires a client; the rest of them you basically have to compile, but it's not difficult if you're used to doing stuff in Linux. Atomicorp is actually kind of the current maintainer of a lot of the OSSEC stuff. There were a lot of forks of OSSEC, but the first... Atomicorp was... or Wazuh, however you want to pronounce it, at AlienVault. Wazuh and AlienVault actually have a pseudo-SIEM kind of environment that is using OSSEC. And then my favorite, of course, since we're here in Augusta, is Security Onion, so you've seen it mentioned in 401 and 504 if you take SANS classes. The other thing that comes up sometimes when you're talking about OSSEC is "why not use osquery?" So "go ahead" is my argument: whatever you're going to use to be your endpoint monitoring, it's better to begin down a path and then iterate. So we chose to go the OSSEC path; some people may choose to go osquery. There's a lot of functionality that's the same; like osquery, you can do file integrity monitoring and things like that, but my personal preference is OSSEC because I've used it for a long time.

So the two things together, right? So one of the problems with OSSEC is key management; maintaining OSSEC clients isn't fun. So what you do is you're enrolling an agent with the OSSEC server, and then the communication gets set up so that the log information gets sent via the agent to the OSSEC server, and then there's a log monitor that is going to do the interpretation based off of your rules and then perform whatever kind of action there is. So the architecture that I'm proposing to use in this case is: use Windows Event Forwarding, set up the policies based off of the things that are written in those papers, get all of your logs going to one collector, and then maintain the connection between your Windows Event Collector and the OSSEC server. That way you don't have to put agents on your endpoints. You still have to monitor the Windows Event Collector to determine whether or not you have clients dropping off and things like that, but you don't have to do the key management, you don't have to do any of that kind of stuff. So use the guidance from those papers, NSA, Palantir. Microsoft has excellent guidance: security logs, application crashes, AppLocker, Device Guard, Task Scheduler, all that kind of stuff. The other thing that I highly recommend that you integrate with this is Sysmon. So Sysmon can be extremely chatty, but disk space, as they say, is relatively cheap. So if we're also talking about smaller environments, it might not be bad to start out with getting more data and then pull it back as needed, because the more information that you get, the better off you're going to be; you can make the determination of "you don't need this anymore" or whatever. So the examples from earlier today, like Dave Kennedy was talking about PowerShell talking out to the internet: you can get that kind of information from Sysmon, write a rule in OSSEC, and get an alert with no special devices required, nothing but brain power.

So the way to do this is the typical way that you go about doing any kind of IT or security infrastructure project: take a small number of machines. I would argue that as part of this process you need to evaluate your tiers of computers, right? So you have computers that have access to certain types of data, and in your environment you might have some group of computers that has access to PII, like your accounts payable or your HR people or whatever. Set everything into tiers and then start working from that. Everything's done via Group Policy, as I said. Once the stuff starts coming through, you can actually go into the Event Viewer on the collector and just look at it to make sure that stuff's working. In this case you can do a push or pull, which the papers will talk about. I would suggest using the push method, so your clients check in with the collector, they get the subscription that says "please send me your 4624s from the Security log," and once they've done the check-in they have some period of time where they're going to send their logs to the collector. So that can handle, theoretically it could handle, remote clients that are going to be out and come back in, stuff like that. It uses WinRM, which you might be familiar with from PowerShell remoting: 5985 or 5986. Who knows the difference between the two of those? And it's not that one of them isn't encrypted.

5986 uses TLS, right, so 5985 doesn't. However, and this comes up occasionally, and I believe Jason Fossen talks about this in his Windows class: once the connection is set up on 5985, the communication actually is encrypted with an AES symmetric key. So even though the initial connection isn't encrypted between the endpoint and the other side, either with PowerShell remoting or with this, the communications actually are encrypted.

So OSSEC: the agent itself is fairly lightweight. You are going to produce a lot of logs doing this, right, so disk space is cheap, as I said. OSSEC itself is included with Security Onion, including some visualizations in the new Elasticsearch/Kibana stuff. I would argue that you need to monitor your domain controllers and the WEF collector. So installing the OSSEC agent actually on the domain controller will get you things like all of your logins going to your OSSEC server, and the built-in rules with OSSEC are going to include things like "security group changed." So if someone changes the contents of the Domain Admins group, without doing any kind of customization at all you're going to get an alert that this security group changed, new users logging in... You can use a functionality in OSSEC that is lists, so that you have a list of all of your sensitive accounts, and if you see an interactive login from a higher-tiered user onto an end user's machine... like a domain admin should not log in to a workstation, right? So you can actually make OSSEC alert on something like that, so that you know, because you have an operational problem. The clients talk over 1514 UDP, which actually in this case uses a very bad algorithm, but Daniel Cid's argument about that is he's never seen any exploits against the OSSEC agent using Blowfish for encryption. However, apparently that is a PCI problem. So what's happened recently is Virgil Security, who may be in the Virginia area, is working with Atomicorp to introduce perfect forward secrecy support using NoiseSocket, which is part of what Signal uses. So those of you that are concerned about OSSEC using Blowfish to encrypt its traffic, there will soon be an implementation using NoiseSocket.

Use the baseline rules, just like with event forwarding at the beginning. So then what happens is, like what we were talking about, how likely is it that somebody's going to run whoami? Not very likely. So there's no rule in OSSEC for whoami. So what you have to do is you have to go in there and start writing rules based off of your environment. And so I want to show a few different examples of some custom rules. So this is actually showing... so you've got a user, "GIS dude," on your domain. They're running an ESRI product. ESRI for some reason doesn't sign their DLLs. So this is showing that AppLocker blocked a DLL load on one of your endpoints. No endpoint agent on GIS dude's computer; that AppLocker log is getting sent to the collector, and then the collector is talking to OSSEC, and OSSEC is giving you the alert. It's actually not very difficult at all to write a rule like that, and there's tons of examples. So one of the other things that has been talked about today is AppLocker bypasses, application whitelisting bypasses using built-in... whatever they're called, LOLBins is one word that people use, living-off-the-land stuff, using native tools. If you're using Sysmon... and obviously there's going to be ways of getting around this, right, but if you don't fall for the perfection fallacy, having this rule is better than not knowing about it at all. And then it might be that this is a developer and you need to turn it off for their machine. MSBuild running on an accountant's machine is a problem, right? There's no reason for somebody to do that. Multiple Windows error events: in this case Windows Update failed to check for updates. I'm pretty sure that that is indicating that it couldn't talk to the WSUS machine. So that's useful for security and it's also useful for IT. Not talking to WSUS is bad on the security side because they're not getting patches; not talking to WSUS is bad on the IT side: why can it not talk to it?

The other thing: PowerShell. Everyone loves to talk about how PowerShell can be used and abused. I would say that in a small environment, if you're using Sysmon, you can turn on PowerShell detection and just see what happens, and you will probably be surprised that, once you get rid of the alerts that are going to be based off of the things that the OS is doing, nobody's using PowerShell. Developers are going to use PowerShell; you just put them into a category on their own. Admins are going to be using PowerShell; put them in a category on their own. In this case you've got a client: why does Dropbox create a scheduled task to update itself, and do you even know that that happens whenever somebody puts Dropbox on their machine? Once you set up these rules you will start to detect things like: why does this Intel graphics driver run PowerShell to talk out over the internet? It doesn't make any sense. Actually, they're just assuming that they can do whatever they want, but it's your network. So once you start alerting on it, then you can make decisions about what you want to do.

All right, so the overall thing is getting more endpoint visibility using built-in stuff. OSSEC has a ton of alerts built in already, like the group changes, all that kind of stuff. Writing more rules for things like the speed that Windows changes occur, right? So you've got things like Windows Defender Network Guard or whatever; that stuff is going to get written to somewhere in the Windows event log, and if it's written to the event log then you can write an alert for it. So once something comes out, you figure out what the event log entry is and write an alert. The other thing that's going to happen by virtue of you doing this is that you're going to learn more about your network, and you're going to have a ton of data. So while you begin with using OSSEC to get alerts, you can also take all that event log data and start putting it into a SIEM once you get one, or if you already have one, put it in there. Use ELK, Security Onion, whatever you want to use.

Fortunately I'm almost out of time, so I will answer questions outside, but I'm going to ask y'all a couple of questions so that you can get these books. Don Murdoch, who was in the back of the room and left, has an excellent book called the Blue Team Handbook: Incident Response Edition. So the first question that I'm going to ask is about networking. It's not entry-level, but it kind of is: what protocol number is UDP? Gentleman in the orange shirt. Yeah, you. Yep, either... yeah, 17 or 11 depending on your number system. All right. So is there anyone in here that considers themselves to be a super Windows guru? Yeah, all right, well I'll ask this question and we'll see if anybody... What system was never fully realized, except partially in SQL Server? That is not it, but it's related to that. WinFS. Who said that? Okay, so it's actually Windows Future Storage, WinFS. ReFS is the one that you can actually use, but WinFS, I think Gates identified it as one of his biggest disappointments, because it was being built in Vista and Vista kind of sucked. But all right, I have one more thing: where does big-endian come from? Yes... yep, yep, yeah. Actually it has nothing to do with computers, byte order or all that kind of stuff. A lot of the old-school computer wizards were literary nerds, lots of jokes and stuff like that. So it actually comes from Gulliver's Travels. All right, so I want to thank you and thank BSides Augusta, and like I said, I'll be outside if y'all want to talk about this, and I'm on Twitter, the Twitter's @frcolumba, or you can email me at infosec at epicycle.org. [Applause]
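The talk describes custom OSSEC rules for whoami/net-style recon, AppLocker DLL blocks, MSBuild on non-developer machines, and repeated Windows Update failures, but shows them only as slides. Below is an added example of what such a local_rules.xml can look like; it is not the speaker's rule file and not part of OSSEC's shipped rule set. It assumes the OSSEC agent runs on the WEF collector and ossec.conf has a `<localfile>` entry with `<log_format>eventchannel</log_format>` and `<location>ForwardedEvents</location>`, so that forwarded events reach the server as `WinEvtLog: <channel>: <level>(<event id>): <provider>: ...` lines and are parsed by OSSEC's stock windows decoder (rule group 18100, which exposes the event ID as the `id` field). The Sysmon event ID 1 and the AppLocker IDs 8003/8004/8006/8007 are the real ones; the rule IDs 1001xx, the account names, and the BUILD01 host name are made up for the example. OSSEC's regex dialect is used as-is: `\.+` is "one or more of any character", `|` is alternation, and a bare dot is a literal dot.

```xml
<!-- local_rules.xml (example, not from the talk): custom rules for events
     arriving through Windows Event Forwarding. Everything below chains off
     rule 18100, the stock "windows" group, and checks the decoded event ID. -->
<group name="local,windows,">

  <!-- Sysmon event 1 (process create) for recon tools an accountant never
       runs. The message text carries "Image: C:\...\whoami.exe"; matching the
       provider name keeps event ID 1 from other channels out of this rule. -->
  <rule id="100100" level="10">
    <if_sid>18100</if_sid>
    <match>Microsoft-Windows-Sysmon</match>
    <id>^1$</id>
    <regex>Image: \.+whoami.exe|Image: \.+net.exe|Image: \.+net1.exe|Image: \.+netsh.exe|Image: \.+netstat.exe|Image: \.+schtasks.exe</regex>
    <description>Sysmon: recon/admin tool started on an endpoint</description>
    <group>sysmon,recon,</group>
  </rule>

  <!-- Admin and developer accounts get their own lower-level bucket, as the
       talk suggests, so they are reviewed rather than paged on. Sysmon writes
       "User: DOMAIN\name"; the bare names below are made-up account names. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>adm_|svc_build|jdoe_dev</match>
    <description>Sysmon: admin/dev account ran a recon tool (expected, review)</description>
  </rule>

  <!-- LOLBins that have no business on a non-developer machine. -->
  <rule id="100110" level="12">
    <if_sid>18100</if_sid>
    <match>Microsoft-Windows-Sysmon</match>
    <id>^1$</id>
    <regex>Image: \.+MSBuild.exe|Image: \.+InstallUtil.exe|Image: \.+regsvr32.exe|Image: \.+mshta.exe</regex>
    <description>Sysmon: LOLBin (MSBuild/InstallUtil/regsvr32/mshta) started</description>
    <group>sysmon,lolbin,</group>
  </rule>

  <!-- Level 0 silences the LOLBin rule for a designated build server; the
       computer name is part of the eventchannel header. BUILD01 is made up. -->
  <rule id="100111" level="0">
    <if_sid>100110</if_sid>
    <match>BUILD01</match>
    <description>LOLBin on the build server, ignore</description>
  </rule>

  <!-- AppLocker enforcement: 8004 = EXE/DLL blocked, 8007 = script/MSI
       blocked. Unsigned vendor DLLs (the GIS example in the talk) show up here. -->
  <rule id="100120" level="8">
    <if_sid>18100</if_sid>
    <match>Microsoft-Windows-AppLocker</match>
    <id>^8004$|^8007$</id>
    <description>AppLocker blocked an executable, DLL, script or installer</description>
    <group>applocker,</group>
  </rule>

  <!-- AppLocker audit-only mode: 8003/8006 = "would have been blocked".
       Keep these visible at a low level while tuning the policy. -->
  <rule id="100121" level="4">
    <if_sid>18100</if_sid>
    <match>Microsoft-Windows-AppLocker</match>
    <id>^8003$|^8006$</id>
    <description>AppLocker audit: file would have been blocked</description>
    <group>applocker,</group>
  </rule>

  <!-- Three "failed to check for updates" events within an hour: the host
       probably cannot reach WSUS, which is both an IT and a patching problem. -->
  <rule id="100130" level="7" frequency="3" timeframe="3600">
    <if_sid>18100</if_sid>
    <match>failed to check for updates</match>
    <description>Windows Update repeatedly failed to check for updates (WSUS unreachable?)</description>
    <group>windows_update,</group>
  </rule>

</group>
```

Before restarting the server, paste a forwarded event line into `/var/ossec/bin/ossec-logtest` and confirm it lands on the intended rule ID and level; the 1001xx numbers only need to stay inside the 100000-119999 range OSSEC reserves for local rules. The level 0 exception pattern (100111) is the mechanism to use for "turn it off for the developer's machine" rather than deleting the detection, and the 100101 bucket is how admins and developers end up "in a category on their own" as the talk describes.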