Basic Monitors
Ing. Ondřej Ševeček, GOPAS a.s.
MCM:Directory, MVP:Enterprise Security, CEH: Certified Ethical Hacker, CHFI: Computer Hacking Forensic Investigator
ondrej@sevecek.com, www.sevecek.com
GOPAS: info@gopas.cz, www.gopas.cz, www.facebook.com/p.s.gopas

Targeting SCOM objects
- Hosted objects
  - Windows Computer
  - Windows Server
  - Windows Domain Controller
  - Windows Operating System
  - Windows DNS Server
  - Windows DNS Zone
  - Active Directory Domain Controller Server 2008 Computer Role
- Unhosted objects (including Groups)
  - monitors running on the SCOM management server
  - do not always provide all necessary parameters
Choosing targets
- Physical presence on a computer
- All requested parameters: computer name, domain name, PDC emulator name, ...
- Targeting groups (unhosted objects)
  - always target the members directly
  - override the monitor's Enabled/Disabled for the group

Target references
- filled by the workflow manager and replaced in configuration and alert parameters only
# Actual values from the target object
$Target/Property[Type="Win!Microsoft.Windows.Computer"]/DomainDnsName$
$Target/Host/Host/Property[Type="Win!Microsoft.Windows.Computer"]/DomainDnsName$
# IDs for each attribute, not actual values
$MPElement[Name="System!System.Entity"]/DisplayName$
$MPElement[Name="Windows!Microsoft.Windows.Computer"]/PrincipalName$
# Alert parameters from the last composite module,
# in case of a System.PropertyBagData <OutputType>
$Data/Context/...$
$Data/Context/Property[@Name='BinaryPathName']$
System.PropertyBag XML example
- property-bag-01-single-dataitem.ps1
- property-bag-02-complex-dataitem.ps1
- property-bag-03-multiple-dataitems.ps1

Simple service queries
- Service system name
- Check startup type
  - monitors only if Automatic
  - override the CheckStartupType member using the GUI
  - set the <CheckStartupType> element using XML
Service property bags
# Condition expressions
# Alert replacements
$Data/Context/Property[@Name='BinaryPathName']$

Event log monitoring
- Log system name
  - System, Application, ...
  - Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
- Source (PublisherName) name in system format
  - Netlogon
  - Microsoft-Windows-Security-Auditing
  - Microsoft-Windows-ActiveDirectory_DomainServices
- Parameter names can be used since Windows 6.0+; use Parameter1, ... on older systems
Event log monitoring
- EventLevel
  - 0 = Success
  - 1 = Error
  - 2 = Warning
  - 4 = Information
  - 8 = Audit Success
  - 16 = Failure Audit
- EventCategory examples
  - 13826 = Security Group Management
  - 13824 = User Account Management
  - 13825 = Computer Account Management
  - 14337 = Kerberos Service Ticket
  - 14339 = Kerberos Authentication Service
  - 14336 = Credentials Validation

XPath primer
States/State
States/State[1]
States//State
States/*/State
//State[population>30]
//State[@code='CZ']
//State[population>30 and @continent='eu']
//State[@language]
//State[@continent='EU' and landlocked]
States/State[last()]
//State[last()]
States/State[last()-1]
States/State[position() > 5]
//State[@code='cz']
//State[translate(@code,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='cz']
XPath primer
//*[name()='state']/display
//*[local-name()='state']/display
//*[name()='state' and population>30]/display
# Default namespace: xmlns="http://sevecek.com"
//*[name()='state' and namespace-uri()='http://sevecek.com']/display
# Namespace prefix: xmlns:sevecek="http://sevecek.com"
//sevecek:state/displayname

Event log property bags
# Rules put the topmost DataItem contents into the root element
$Data/EventCategory$
# Monitors put the topmost DataItem XML into /Context
$Data/Context/EventCategory$
# XPath indexes start with 1
$Data/Params/Param[1]$
# The EventData/Data elements use a different XML namespace:
# use the name() or local-name() functions (the same result)
$Data/Context/EventData/DataItem/*[name()='EventData']/*[name()='Data' and @Name='TargetSid']$
# In conditions, use only the XPathQuery
EventData/DataItem/*[name()='EventData']/*[name()='Data' and @Name='TargetSid']
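The primer expressions and the namespaced EventData lookup, run end to end as an added example (not code from the slides): the States document, the event DataItem, the user name and the SID in it are all constructed samples, and the `ev` prefix is an assumed name bound to the Windows event namespace.

```powershell
# Added example: runs several XPath primer expressions through the .NET XPath 1.0 engine that
# PowerShell exposes, then pulls fields out of a constructed event DataItem the way a monitor would.
[xml]$states = @'
<States>
  <State code="CZ" continent="EU" language="cs"><display>Czechia</display><population>10</population><landlocked/></State>
  <State code="DE" continent="EU"><display>Germany</display><population>83</population></State>
  <State code="BR" continent="SA" language="pt"><display>Brazil</display><population>214</population></State>
</States>
'@
function Select-Primer([xml]$doc) {
    # the constructed document has no namespace, so plain element names match
    [ordered]@{
        Large        = $doc.SelectNodes('//State[population>30]').Count                                  # 2
        CzAnyCase    = $doc.SelectNodes("//State[translate(@code,'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='cz']").Count  # 1
        LastCode     = $doc.SelectSingleNode('States/State[last()]').GetAttribute('code')              # BR
        EuLandlocked = $doc.SelectSingleNode("//State[@continent='EU' and landlocked]/display").InnerText   # Czechia
        WithLanguage = @($doc.SelectNodes('//State[@language]') | ForEach-Object { $_.GetAttribute('code') }) -join ','   # CZ,BR
    }
}
# Constructed sample of the DataItem a Windows event rule or monitor receives; the inner
# EventData/Data sit in the Windows event namespace, so plain names do not match them.
[xml]$event = @'
<DataItem type="System.Event.LinkedData">
  <PublisherName>Microsoft-Windows-Security-Auditing</PublisherName>
  <EventNumber>4724</EventNumber>
  <EventCategory>13824</EventCategory>
  <Params><Param>jdoe</Param><Param>S-1-5-21-1-2-3-1001</Param></Params>
  <EventData><DataItem type="System.XmlData">
    <EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <Data Name="TargetUserName">jdoe</Data>
      <Data Name="TargetSid">S-1-5-21-1-2-3-1001</Data>
    </EventData>
  </DataItem></EventData>
</DataItem>
'@
function Select-EventFields([xml]$doc) {
    $root = $doc.DocumentElement
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ev', 'http://schemas.microsoft.com/win/2004/08/events/event')   # assumed prefix
    [ordered]@{
        Category  = $root.SelectSingleNode('EventCategory').InnerText    # $Data/Context/EventCategory$ in a monitor
        Param1    = $root.SelectSingleNode('Params/Param[1]').InnerText  # XPath indexes start with 1
        PlainName = $root.SelectNodes('EventData/DataItem/EventData/Data').Count   # 0: namespace mismatch
        TargetSid = $root.SelectSingleNode("EventData/DataItem/*[name()='EventData']/*[name()='Data' and @Name='TargetSid']").InnerText
        ViaPrefix = $root.SelectSingleNode("EventData/DataItem/ev:EventData/ev:Data[@Name='TargetSid']", $ns).InnerText
    }
}
Select-Primer $states
Select-EventFields $event
```

The PlainName count of 0 is the point of the slide: a condition written without name() or local-name() silently never matches, so the monitor never changes state.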
WMI performance queries
SELECT * FROM Win32_LogicalDisk WHERE DeviceId = "F:"
Get-WmiObject -Query 'SELECT * FROM Win32_LogicalDisk WHERE DeviceId = "F:"'
# Object: Sevecek Disk F: Low Space
# Counter: FreeSpace
# Property: $Data/Property[@Name='FreeSpace']$
# Instance: Disk F:

WMI event queries
SELECT * FROM __InstanceCreationEvent WITHIN 35 WHERE TargetInstance ISA "Win32_Process" AND TargetInstance.Name = "mspaint.exe"
# __InstanceCreationEvent
# __InstanceDeletionEvent
# __InstanceModificationEvent
# __InstanceOperationEvent
# In conditions, $Data/...$ does not work with the MP Simulator, do not use it
# Filter:
# Collection[@Name='TargetInstance']/Property[@Name='Name']
# Collection[@Name='PreviousInstance']/Property[@Name='FileSize']
Register-WmiEvent -Query ... -SourceIdentifier waitingformsp
Wait-Event -SourceIdentifier waitingformsp
Example monitoring
- bad password trials vs. account lockout (monitors vs. rules)
- file size with CIM_DataFile
- free F: disk size
- Stop-Service KDC
- Stop-Service ADWS
- repadmin /options +DISABLE_OUTBOUND_REPL
  # verify that it does not monitor
- HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  - Allow Replication with Divergent and Corrupt Partner
  - Strict Replication Consistency
  - Repl Perform Initial Synchronizations
  # verify that it does not monitor
- Smart Card service

Elementary module types
<ModuleImplementation>
  <Native>GUID</Native>
  <Managed>Assembly,Type</Managed>
  <Composite>
    <MemberModules>.........
</ModuleImplementation>
<InputType>
<OutputType>
Composite modules (simple composition)
[diagram: module A (parameters 1, 2, 3) -> data stream -> module B (parameters 4, 5) -> data stream -> module C (parameters 6, 7, 8)]

Composite modules (complex composition)
[diagram: module A (parameters 1, 2, 3) -> data stream -> module B (parameters 4, 5) -> data stream -> module C (parameters 6, 7, 8), with module D (parameter 9) running in parallel and its data stream also feeding C]
Composite modules (scripted performance data collection with conditions)
[diagram of the member module chain]
- Simple Scheduler (DataSource): Frequency, Synchronize -> System.BaseData
- Script PropertyBag Probe (ProbeAction): ScriptName, ScriptBody, Timeout -> System.PropertyBagData
- Expression Filter (ConditionDetection, System.ExpressionFilter): Expression -> System.PropertyBagData
- System.Performance.DataGenericMapper (ConditionDetection): Object, Counter, Instance, Value -> System.Performance.Data
- Collect Performance Data (WriteAction)

<MemberModules> composition
- DataSource
  - Microsoft.Windows.BaseEventProvider
  - Microsoft.Windows.FilteredRegistryDiscoveryProvider
  - Microsoft.Windows.RegistryDiscoveryProvider
  - System.Discovery.Scheduler
  - Microsoft.Windows.NTServiceStateProvider
  - Microsoft.Windows.WmiEventProvider
- ProbeAction
  - Microsoft.Windows.RegistryProbe
  - Microsoft.Windows.WmiProbe
  - Microsoft.Windows.WmiTriggerProbe
  - System.PassThroughProbe
  - System.CommandExecuterProbe
  - Microsoft.Windows.ScriptPropertyBagProbe
  - Microsoft.Windows.PowerShellDiscoveryProbe
- ConditionDetection
  - returns the same output type as its input type, so it has no <OutputType>
  - System.ExpressionFilter
- WriteAction
  - changes system state (script, registry write, ...)
  - changes the OpsMgr dataset (write event, create alert, ...)
  - System.CommandExecuter
  - System.Health.GenerateAlert
  - Microsoft.SystemCenter.CollectPerformanceData
Two state unit monitor in PowerShell
- Microsoft.Windows.PowerShellPropertyBagProbe
<TypeDefinitions>
  <UnitMonitorType>
    <MonitorTypeStates>
    <Configuration>
    <OverridableParameters>
    <MonitorImplementation>
      <MemberModules>
        <DataSource TypeID="System!System.SimpleScheduler">
        <ProbeAction TypeID="Windows!Microsoft.Windows.PowerShellPropertyBagProbe">
        <ConditionDetection TypeID="System!System.ExpressionFilter">
        <ConditionDetection TypeID="System!System.ExpressionFilter">
      </MemberModules>
      <RegularDetections>
        <RegularDetection MonitorTypeStateID="Error">
          <Node ID="ErrorFilter">
            <Node ID="Script">
              <Node ID="DataSource"/>
        <RegularDetection MonitorTypeStateID="Success">
          <Node ID="SuccessFilter">
            <Node ID="Script">
              <Node ID="DataSource"/>

PowerShell scripts as parameter values in VSAE
<ScriptBody>$IncludeFileContent/...ps1$</ScriptBody>
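A script body for the two-state PowerShellPropertyBagProbe monitor above, reusing the Win32_LogicalDisk query from the WMI slide and the property-bag alert replacement from the service slide; this is an added example, not code from the slides, and the DeviceId and MinFreeMB parameters, the Get-DiskFreeState function and the property names State, FreeMB and Reason are assumed names.

```powershell
# Added example: script body for a two-state PowerShell unit monitor
# (Microsoft.Windows.PowerShellPropertyBagProbe). It runs the Win32_LogicalDisk query from the
# WMI slide against disk F: and emits a property bag; the two System.ExpressionFilter
# members of the monitor type then test Property[@Name='State'] for 'Error' or 'Success'.
param(
    [string]$DeviceId = 'F:',    # assumed <Configuration> parameters passed as script arguments
    [int]$MinFreeMB = 1024
)
function Get-DiskFreeState([string]$DeviceId, [int]$MinFreeMB) {
    # WQL from the slide, narrowed to the property the monitor needs
    $query = 'SELECT FreeSpace FROM Win32_LogicalDisk WHERE DeviceId = "{0}"' -f $DeviceId
    $disk = Get-WmiObject -Query $query
    if ($null -eq $disk) {
        # a missing volume must surface as Error; a monitor that stays healthy because the
        # query returned nothing is the failure mode to design out
        return @{ State = 'Error'; FreeMB = 0; Reason = "device $DeviceId not found" }
    }
    $freeMB = [math]::Floor($disk.FreeSpace / 1MB)
    $state = if ($freeMB -lt $MinFreeMB) { 'Error' } else { 'Success' }
    return @{ State = $state; FreeMB = $freeMB; Reason = "$freeMB MB free, threshold $MinFreeMB MB" }
}
$result = Get-DiskFreeState -DeviceId $DeviceId -MinFreeMB $MinFreeMB
$api = New-Object -ComObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()
foreach ($name in $result.Keys) { $bag.AddValue($name, [string]$result[$name]) }
# the probe takes the bag from the pipeline; alert text can then use
# $Data/Context/Property[@Name='Reason']$ as on the property-bag slide
$bag
# Condition expression for the Error-state ExpressionFilter member (it belongs in the monitor
# type XML, not in this script); the Success member uses the value Success:
# <Expression><SimpleExpression>
#   <ValueExpression><XPathQuery Type="String">Property[@Name='State']</XPathQuery></ValueExpression>
#   <Operator>Equal</Operator>
#   <ValueExpression><Value Type="String">Error</Value></ValueExpression>
# </SimpleExpression></Expression>
```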