WMI Collecting Windows Logs (tested on Windows 2008 Servers / Windows 7)
14.04.2011 Pascal Cronauer Version 1.0
10.11.2011 Pascal Cronauer Version 1.1
1 Introduction
We are using WMI to remotely collect Microsoft Windows events and data in an agentless way. To get these logs into the AlienVault Unified SIEM (OSSIM) you have to configure a few things on OSSIM, and also on the Windows machines if you want more security.

2 Configure Windows
In any case you should create a separate, limited user on Windows for security reasons. Don't use the Administrator account in a production environment; use it only for testing. In this scenario I created a limited user called wmiuser with the password wmi (a test password; use a strong one in production). To let this limited user log in remotely and read the logs, a few permissions have to be set in the DCOM settings. Follow the next steps:

2.1. Grant DCOM remote launch and activate permissions for the new user
1. Click Start, click Run, type DCOMCNFG, and then click OK.
2. In the Component Services dialog box, expand Component Services, expand Computers, then right-click My Computer and click Properties.
3. In the My Computer Properties dialog box, click the COM Security tab.
4. Under Launch and Activation Permissions (picture 1), click Edit Limits.
5. In the Launch Permission dialog box, add our "wmiuser" user as follows:
6. In the Launch Permission dialog box, click Add.
7. In the "Select Users, Computers, or Groups" dialog box, enter wmiuser in the "Enter the object names to select" box, and then click OK.
8. In the Launch Permission dialog box, select our user in the "Group or user names" box.
In the Allow column under Permissions for User, select Remote Launch, Local Activation and Remote Activation, and then click OK.
(picture 1)
9. Under Access Permissions (picture 2), click Edit Limits.
10. In the Access Permission dialog box, select the ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK. Note that these Edit Limits settings are machine-wide and apply to every DCOM server on the host, not only to WMI, so change them deliberately.
(picture 2)

2.2. Set the wmiuser to the Event Log Readers group
On the Windows 2008 Server you have to do it in Active Directory, where the users are stored (picture 3). On Windows 7 you do it under Local Users and Groups (picture 4).
(picture 3)
(picture 4)

2.3. Set namespace permissions
These permissions allow the user to collect the Windows Security / System / Application logs.
1. Click Start, click Run, type compmgmt.msc, and then click OK.
2. Go to Services and Applications.
3. Right-click WMI Control and choose Properties.
4. Go to the Security tab and open the Root tree.
5. Select CIMV2 and click Security in the bottom right corner.
6. Add wmiuser to the permissions list and enable Remote Enable and Read Security. Leave Full Write and Execute Methods unchecked; a query against Win32_NTLogEvent does not need them.
(picture 5)
3 Configure OSSIM
Before activating the wmi plugins it is necessary to create a file with the Windows credentials and, if not already installed, to install the new wmic package from the repository (apt-get install wmi-client).

Attention!: Use the newest wmi-client if you want it to work also on Windows 2008 Servers. Package name: wmi-client_1%3a0.1.13-1_amd64.deb.deb. Check if you have the right version:

root@ossim:~# dpkg -l | grep wmi-client
ii  wmi-client  1:0.1.13-1  DCOM/WMI client implementation

If you don't have the right version, you have to upgrade to the newest version.

Create the file wmi_credentials.csv:

root@ossim:~# vi /etc/ossim/agent/wmi_credentials.csv

Add the IP of the Windows machine(s), the (domain\\)user and the password, one machine per line, in the following formats (don't use a password containing the character @):

#without domain
192.168.1.2,user,pass
192.168.1.3,user,pass
#domain
192.168.1.3,domain\\user,pass

The file contains clear-text passwords, so make it readable by root only (chmod 600). Keep in mind that the agent also places user and password on the wmic command line (see the plugin configurations in the following sections), where they are visible in the process list while wmic runs; this is one more reason to use a limited account.

Now we can activate the wmi plugins:
1. Execute alienvault-setup
2. Go to (3) Change Sensor Settings
3. Go to (3) Select/Disable detector plugins
4. Enable wmi-application-logger
5. Enable wmi-system-logger
6. Enable wmi-security-logger
7. Save and exit
8. Restart ossim-agent:
root@ossim:~# /etc/init.d/ossim-agent restart

That's all. Now you can view the Windows events in the framework. These events appear as Snare events with the Plugin ID 1518. They should appear in the SIEM with the signature snarewindows.
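The following is an added example written for this page, not code from the OSSIM agent. It is in Python (the language the agent itself is written in) and checks a wmi_credentials.csv against the format described above, then performs the OSS_WMI_USER / OSS_WMI_PASS / OSS_WMI_HOST substitution on the [start_cmd] template of wmi-security-logger.cfg to show the command line wmic actually receives. The three-field format, the '#' comment lines and the "no @ in the password" rule come from the page; the IPv4 check, the helper names and the sample file contents are this example's own.

```python
"""Validate the wmi_credentials.csv format and show the resulting wmic command.

Added example, not OSSIM agent code. Rules taken from the page: one
'ip,user,pass' per line, '#' starts a comment, the password must not contain
'@', a domain account is written as domain\\user (two backslashes). The IPv4
check and the function names are assumptions of this example.
"""
import re
import shlex

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# The [start_cmd] template of wmi-security-logger.cfg from the page (without
# the trailing head/tail/cut pipeline).
START_CMD = ("wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "
             "\"Select LogFile,RecordNumber from Win32_NTLogEvent "
             "Where Logfile = 'Security'\"")

# Constructed sample credentials file; the last two entries are deliberately bad.
SAMPLE_CSV = r"""#without domain
192.168.1.2,wmiuser,wmi
192.168.1.3,user,pass
#domain
192.168.1.4,domain\\user,pass
# invalid: '@' in the password (the page says not to use it)
192.168.1.5,user,p@ss
# invalid: password field missing
192.168.1.6,user
"""


def parse_credentials(text):
    """Return (entries, errors); each entry is {'host', 'user', 'password'}."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")            # the page's format: ip,user,pass
        if len(fields) != 3:
            errors.append("line %d: expected ip,user,pass" % lineno)
            continue
        host, user, password = (f.strip() for f in fields)
        if not IPV4.match(host):
            errors.append("line %d: %r is not an IPv4 address" % (lineno, host))
            continue
        if "@" in password:
            errors.append("line %d: password contains '@'" % lineno)
            continue
        entries.append({"host": host, "user": user, "password": password})
    return entries, errors


def substitute(template, entry, counter=None):
    """Apply the OSS_WMI_* substitutions (and OSS_COUNTER for [cmd] templates)."""
    cmd = (template.replace("OSS_WMI_USER", entry["user"])
                   .replace("OSS_WMI_PASS", entry["password"])
                   .replace("OSS_WMI_HOST", entry["host"]))
    if counter is not None:
        cmd = cmd.replace("OSS_COUNTER", str(counter))
    return cmd


def argv_for(template, entry):
    """Tokens the shell hands to wmic. Because the command goes through a
    shell, the file's domain\\\\user arrives at wmic as domain\\user."""
    return shlex.split(substitute(template, entry))


def redacted(cmd, entry):
    """Copy of the command with the password masked, safe for log output."""
    return cmd.replace("%" + entry["password"] + " ", "%**** ", 1)


if __name__ == "__main__":
    entries, errors = parse_credentials(SAMPLE_CSV)
    for e in entries:
        print(redacted(substitute(START_CMD, e), e))
        print("   argv:", argv_for(START_CMD, e)[:4])
    for err in errors:
        print("ERROR:", err)
```

Run it once against your real file before restarting the agent; a bad line is much easier to spot here than in agent.log. The argv output also makes the password-on-the-command-line issue concrete: whatever appears in argv is what `ps` shows to every local user on the OSSIM host while wmic runs.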
4 wmi-security-logger.cfg

;; wmi testing plugin
;; Warning: events will appear as "Snare" events
[DEFAULT]
plugin_id=1518

[config]
type=detector
enable=yes
source=wmi
credentials_file=/etc/ossim/agent/wmi_credentials.csv
sleep=10
process=
start=no
stop=no

[start_cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required
cmd=wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select LogFile,RecordNumber from Win32_NTLogEvent Where Logfile = 'Security'" | head -n 3 | tail -n 1 | cut -f 2 -d \|
regexp=

[cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required.
;; OSS_COUNTER is a *must* and is the integer returned above
cmd = wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select ComputerName,EventCode,Logfile,Message,RecordNumber,SourceName,TimeWritten,User from Win32_NTLogEvent Where Logfile = 'Security' and RecordNumber > OSS_COUNTER" | cat
start_regexp=^([^\|]+)\|(\d+)\|([^\|]+)\|
regexp="^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|(?P<timewritten>[^\|]+)\|(?P<username>.*)$"
plugin_sid={$1}
userdata2={$2}
userdata3={$3}
userdata4={$4}
userdata5={$5}
userdata6={$6}
username={$7}

5 wmi-application-logger.cfg

;; wmi testing plugin
;; Warning: events will appear as "Snare" events
[DEFAULT]
plugin_id=1518

[config]
type=detector
enable=yes
source=wmi
credentials_file=/etc/ossim/agent/wmi_credentials.csv
sleep=10
process=
start=no
stop=no

[start_cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required
cmd=wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select LogFile,RecordNumber from Win32_NTLogEvent Where Logfile = 'Application'" | head -n 3 | tail -n 1 | cut -f 2 -d \|
regexp=

[cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required.
;; OSS_COUNTER is a *must* and is the integer returned above
cmd = wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select ComputerName,EventCode,Logfile,Message,RecordNumber,SourceName,TimeWritten,User from Win32_NTLogEvent Where Logfile = 'Application' and RecordNumber > OSS_COUNTER" | cat
start_regexp=^([^\|]+)\|(\d+)\|([^\|]+)\|
regexp="^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|(?P<timewritten>[^\|]+)\|(?P<username>.*)$"
plugin_sid={$1}
userdata2={$2}
userdata3={$3}
userdata4={$4}
userdata5={$5}
userdata6={$6}
username={$7}

6 wmi-system-logger.cfg

;; wmi testing plugin
;; Warning: events will appear as "Snare" events
[DEFAULT]
plugin_id=1518

[config]
type=detector
enable=yes
source=wmi
credentials_file=/etc/ossim/agent/wmi_credentials.csv
sleep=10
process=
start=no
stop=no

[start_cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required
cmd=wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select LogFile,RecordNumber from Win32_NTLogEvent Where Logfile = 'System'" | head -n 3 | tail -n 1 | cut -f 2 -d \|
regexp=

[cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required.
;; OSS_COUNTER is a *must* and is the integer returned above
cmd = wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select ComputerName,EventCode,Logfile,Message,RecordNumber,SourceName,TimeWritten,User from Win32_NTLogEvent Where Logfile = 'System' and RecordNumber > OSS_COUNTER" | cat
start_regexp=^([^\|]+)\|(\d+)\|([^\|]+)\|
regexp="^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|(?P<timewritten>[^\|]+)\|(?P<username>.*)$"
plugin_sid={$1}
userdata2={$2}
userdata3={$3}
userdata4={$4}
userdata5={$5}
userdata6={$6}
username={$7}
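The three plugin configurations above differ only in the Logfile name, so one added example serves all of them. It is written for this page and is not code from the OSSIM agent: it applies the [start_cmd] post-processing (head -n 3 | tail -n 1 | cut -f 2 -d \|) and the [cmd] regexp, both copied from the configuration, to constructed wmic output in the '|'-delimited layout wmi-client prints. Treating the output line by line, skipping the CLASS and header lines, and the handling of a Message that contains a line break are this example's reading of the configuration, not behaviour the page confirms for the agent; the sample events are constructed.

```python
"""Apply the wmi plugin's [start_cmd] extraction and [cmd] regexp to wmic output.

Added example, not OSSIM agent code. START_REGEXP, REGEXP and plugin_id 1518
are taken from the plugin configuration on the page; the wmic output below is
constructed, and the line-by-line processing is an assumption of this example.
"""
import re

PLUGIN_ID = 1518
START_REGEXP = re.compile(r"^([^\|]+)\|(\d+)\|([^\|]+)\|")
REGEXP = re.compile(
    r"^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|"
    r"(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|"
    r"(?P<timewritten>[^\|]+)\|(?P<username>.*)$")

# Constructed [start_cmd] output: wmic prints a CLASS line, a header line and
# then one '|'-delimited row per result.
START_OUTPUT = """\
CLASS: Win32_NTLogEvent
LogFile|RecordNumber
Security|104233
Security|104232
"""

# Constructed [cmd] output for OSS_COUNTER=104233. The third event carries a
# Message with a line break, which Security events frequently have.
CMD_OUTPUT = """\
CLASS: Win32_NTLogEvent
ComputerName|EventCode|Logfile|Message|RecordNumber|SourceName|TimeWritten|User
WIN2008-DC|4624|Security|An account was successfully logged on.|104234|Microsoft-Windows-Security-Auditing|20111110093001.000000+060|(null)
WIN2008-DC|4625|Security|An account failed to log on.|104235|Microsoft-Windows-Security-Auditing|20111110093005.000000+060|(null)
WIN2008-DC|4720|Security|A user account was created.
Account Name: backup2|104236|Microsoft-Windows-Security-Auditing|20111110093010.000000+060|(null)
"""


def read_start_counter(output):
    """Emulate 'head -n 3 | tail -n 1 | cut -f 2 -d \\|': the RecordNumber of
    the first row wmic returns becomes the initial OSS_COUNTER, so collection
    starts at that record instead of replaying the whole log."""
    third_line = output.splitlines()[2]
    return int(third_line.split("|")[1])


def parse_cmd_output(output, counter):
    """Match each line of the [cmd] output against the plugin regexp.

    Returns (events, counter, unmatched): events in the shape the [cmd]
    section maps (plugin_sid is the EventCode), the highest RecordNumber seen
    (the next OSS_COUNTER), and the lines the regexp did not accept.
    """
    events, unmatched = [], []
    for line in output.splitlines()[2:]:        # skip CLASS and header lines
        m = REGEXP.match(line)
        if m is None:
            unmatched.append(line)
            continue
        d = m.groupdict()
        try:
            recno = int(d["recordnumber"])
        except ValueError:                      # fields shifted: not a real row
            unmatched.append(line)
            continue
        if recno <= counter:                    # already collected last round
            continue
        counter = recno if recno > counter else counter
        events.append({
            "plugin_id": PLUGIN_ID,
            "plugin_sid": int(d["plugin_sid"]),
            "system_name": d["system_name"],
            "logfile": d["logfile"],
            "message": d["message"],
            "recordnumber": recno,
            "sourcename": d["sourcename"],
            "timewritten": d["timewritten"],
            "username": d["username"],
        })
    return events, counter, unmatched


def starts_event(line):
    """True when a line matches start_regexp (its second field is all digits).
    The CLASS and header lines never match. A continuation line that carries
    the rest of a multi-line Message matches too, because RecordNumber is the
    field right after Message, so start_regexp alone cannot tell the two apart."""
    return START_REGEXP.match(line) is not None


if __name__ == "__main__":
    counter = read_start_counter(START_OUTPUT)
    events, counter, unmatched = parse_cmd_output(CMD_OUTPUT, counter)
    for e in events:
        print("plugin_id=%d plugin_sid=%d recordnumber=%d %s" % (
            e["plugin_id"], e["plugin_sid"], e["recordnumber"], e["message"]))
    print("next OSS_COUNTER: %d" % counter)
    for line in unmatched:
        print("UNMATCHED (multi-line Message?): %s" % line)
```

The unmatched list is the part worth watching: an event whose Message spans several lines yields lines that neither the full regexp accepts nor start_regexp reliably separates, so such events can be lost or mangled. Compare the RecordNumbers you expect against what arrives in agent.log (section 7.2) before relying on the Security feed for alerting.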
7 Troubleshooting

7.1 How to check if you have a connection with the Windows machine
You can check it by running the wmic command manually on the command line:

Without domain:
root@ossim:~# wmic -U <user>%<pass> //<windows_ip_address> "select * from Win32_Process"

Domain:
root@ossim:~# wmic -U <domain>\\<user>%<pass> //<windows_ip_address> "select * from Win32_Process"

A working setup prints the process list of the Windows machine. An access-denied error points at the DCOM and namespace permissions from section 2; a login error points at the credentials.

7.2 How to check if the agent is receiving events
You can monitor agent.log and check whether the wmi events are arriving:

root@ossim:~# tail -f /var/log/ossim/agent.log

If you have a lot of logs, filter by the plugin ID:

root@ossim:~# tail -f /var/log/ossim/agent.log | grep 'plugin_id="1518"'

7.3 How to check if the server is receiving events
You can monitor server.log and watch the events:

root@ossim:~# tail -f /var/log/ossim/server.log