The field names.

Instead of what is being collected,

2017 Feb 21 13:33:23 WinEvtLog: Security: AUDIT_SUCCESS(4627): 
Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: 
S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 
S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Username HOSTNAME 0x22d8dd8 
7 1 1 <LF><CR>
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX}
<TAB><TAB>%{S-1-1-0}
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX}
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX}
<TAB><TAB>%{S-1-5-32-562}
<TAB><TAB>%{S-1-5-32-578}
<TAB><TAB>%{S-1-5-32-556}
<TAB><TAB>%{S-1-5-32-555}
<TAB><TAB>%{S-1-5-32-545}
<TAB><TAB>%{S-1-5-4}
<TAB><TAB>%{S-1-2-1}
<TAB><TAB>%{S-1-5-11}
<TAB><TAB>%{S-1-5-15}
<TAB><TAB>%{S-1-5-113}
<TAB><TAB>%{S-1-2-0}
<TAB><TAB>%{S-1-5-64-10}
<TAB><TAB>%{S-1-16-8448}<SPACE> 

The event should be logged as follows (parts in Red are missing, without 
them an operator has *no clue* as to what the various pieces of information 
contained in the event are, unless he looks at a similar one in native 
Windows Event Viewer):

2017 Feb 21 13:33:23 WinEvtLog: Security: AUDIT_SUCCESS(4627): 
Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: Group 
Membership. Subject:  Security ID: S-1-5-18  Account Name: HOSTNAME$  Account 
Domain: DOMAIN  Logon ID: 0x3e7  Target User SID: 
S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Target User Name: Username  
Target 
Domain Name: HOSTNAME Target Logon ID: 0x22d8dd8  Logon Type: 7  Event IDX: 
1  Event Count:  1   Group Membership:<LF><CR>
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX}
<TAB><TAB>%{S-1-1-0}
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX}
<TAB><TAB>%{S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX}
<TAB><TAB>%{S-1-5-32-562}
<TAB><TAB>%{S-1-5-32-578}
<TAB><TAB>%{S-1-5-32-556}
<TAB><TAB>%{S-1-5-32-555}
<TAB><TAB>%{S-1-5-32-545}
<TAB><TAB>%{S-1-5-4}
<TAB><TAB>%{S-1-2-1}
<TAB><TAB>%{S-1-5-11}
<TAB><TAB>%{S-1-5-15}
<TAB><TAB>%{S-1-5-113}
<TAB><TAB>%{S-1-2-0}
<TAB><TAB>%{S-1-5-64-10}
<TAB><TAB>%{S-1-16-8448}<SPACE>
--------------------------------------------------------------------------------------------------------------
*Event ID 4703*:

*Reported in archives.log*
2017 Feb 21 17:31:27 (W10EntDsktp) 192.168.16.1->WinEvtLog 2017 Feb 21 
19:31:13 WinEvtLog: Security: AUDIT_SUCCESS(4703): 
Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: 
S-1-5-18 DESKTOP$ COMPUCENTER 0x3e7 S-1-5-18 DESKTOP$ COMPUCENTER 0x3e7 
C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe 0x11dc 
SeSecurityPrivilege -

What should have been logged as (missing bits in red):
2017 Feb 21 17:31:27 (W10EntDsktp) 192.168.16.1->WinEvtLog 2017 Feb 21 
19:31:13 WinEvtLog: Security: AUDIT_SUCCESS(4703): 
Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: A user 
right was adjusted. Subject:  Security ID: S-1-5-18 Account Name: HOSTNAME$ 
Account 
Domain:  DOMAIN  Logon ID: 0x3e7  Target: Security ID: S-1-5-18  Account 
Name: HOSTNAME$ Account Domain:  DOMAIN  Logon ID: 0x3e7  Process Name: 
C:\Program 
Files (x86)\OSSEC-Agent\ossec-agent.exe  Process ID: 0x11dc Enabled 
Security Privilege: SeSecurityPrivilege  Disabled Security Privilege: -
--------------------------------------------------------------------------------------------------------------
*AppLocker Event ID: 8002*

In OSSEC Archive log:
2017 Feb 21 17:24:04 (AgentName) 192.168.X.Y->WinEvtLog 2017 Feb 21 
19:23:45 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: 
INFORMATION(8002): Microsoft-Windows-AppLocker: Username: HOSTNAME: 
Hostname: %SYSTEM32%\DLLHOST.EXE was allowed to run.

Without the missing information, the logged event is of *little security 
value*. It is the missing information that allows the event to be 
correlated with other types of events: Process ID, Logon ID, Security ID. 
The AppLocker Policy/Rule Details are critical for troubleshooting.

*What should have been logged*:
2017 Feb 21 17:24:04 (AgentName) 192.168.X.Y->WinEvtLog 2017 Feb 21 
19:23:45 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: 
INFORMATION(8002): Microsoft-Windows-AppLocker:  Rule and File Data: 
 Policy Name: EXE  Rule ID:  {06EB0E7E-0F84-4D34-BF02-E59A8CAF9D61}  Rule 
Name:  Drive C:: INTERNET EXPLORER signed by O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US  Rule SDDL:  D:(XA;;FX;;;S-1-5-11;((Exists 
APPID://FQBN) && ((APPID://FQBN) >= ({"O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\INTERNET EXPLORER\*",3096224743817216}))))  Target User 
SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX  Target Process ID: 
1148  File Path: %SYSTEM32%\DLLHOST.EXE  File 
Hash: 32527C58E1ED8888E4A8C5AEEF30BD9AECD584E9DD03976F83A8498C30EF3936 
 FQBN:  O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET 
EXPLORER\IELOWUTIL.EXE\11.0.10240.16384  Target Logon ID:  0x42c61d
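As an added example (not code from the post or from OSSEC), the Python below maps the positional values of the 4627 and 4703 lines above back to the field names the "should have been logged" versions give, so that Logon ID, Security ID and Process ID can be used for correlation; the field order and header layout are assumed from the post's own samples, and SAMPLE_4703 is a constructed line modelled on the archives.log entry. It also handles the case that makes positional output ambiguous: a process path containing spaces.

```python
import re
# Header written by OSSEC's WinEvtLog collector, as it appears in the post.
HEADER = re.compile(
    r"(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) WinEvtLog: (?P<channel>[^:]+): "
    r"(?P<level>\w+)\((?P<event_id>\d+)\): (?P<provider>[^:]+): "
    r"\((?P<user>[^)]*)\): (?P<domain>[^:]*): (?P<host>[^:]*): (?P<body>.*)", re.DOTALL)
# Positional layouts taken from the "should have been logged" versions in the
# post (assumed to be the order OSSEC emits). head/tail: one token each;
# free: one value that may contain spaces; rest: leftover %{SID} group list.
SCHEMAS = {
    4627: dict(head=["Subject Security ID", "Subject Account Name", "Subject Account Domain",
                     "Subject Logon ID", "Target User SID", "Target User Name",
                     "Target Domain Name", "Target Logon ID", "Logon Type", "Event IDX",
                     "Event Count"], free=None, tail=[], rest="Group Membership"),
    4703: dict(head=["Subject Security ID", "Subject Account Name", "Subject Account Domain",
                     "Subject Logon ID", "Target Security ID", "Target Account Name",
                     "Target Account Domain", "Target Logon ID"], free="Process Name",
               tail=["Process ID", "Enabled Security Privilege", "Disabled Security Privilege"], rest=None),
}
# Constructed sample, modelled on the archives.log 4703 line in the post.
SAMPLE_4703 = ("2017 Feb 21 17:31:27 (W10EntDsktp) 192.168.16.1->WinEvtLog 2017 Feb 21 19:31:13 "
               "WinEvtLog: Security: AUDIT_SUCCESS(4703): Microsoft-Windows-Security-Auditing: "
               "(no user): no domain: Hostname: S-1-5-18 DESKTOP$ COMPUCENTER 0x3e7 S-1-5-18 DESKTOP$ "
               r"COMPUCENTER 0x3e7 C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe 0x11dc SeSecurityPrivilege -")

def parse_winevtlog(line):
    """Map the positional values of a 4627/4703 line to their field names (None if unknown)."""
    m = HEADER.search(line)
    if not m or int(m.group("event_id")) not in SCHEMAS:
        return None
    fields = m.groupdict()
    fields["event_id"] = int(fields.pop("event_id"))
    schema = SCHEMAS[fields["event_id"]]
    body = fields.pop("body").strip()
    n_head = len(schema["head"])
    parts = body.split(None, n_head)          # first n_head tokens, then the rest as one string
    if len(parts) < n_head:
        return None                           # truncated event
    fields.update(zip(schema["head"], parts))
    remainder = parts[n_head] if len(parts) > n_head else ""
    if schema["tail"]:
        # Split from the right so a process path containing spaces stays whole.
        chunks = remainder.rsplit(None, len(schema["tail"]))
        if len(chunks) != len(schema["tail"]) + 1:
            return None
        fields[schema["free"]] = chunks[0]
        fields.update(zip(schema["tail"], chunks[1:]))
    elif schema["rest"]:
        fields[schema["rest"]] = [t.strip("%{}") for t in remainder.split()]
    return fields
```

Events the parser has no layout for (such as the AppLocker 8002 line, whose header has a different shape) come back as None rather than being mislabelled.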
