Presentation is loading. Please wait.

Presentation is loading. Please wait.

Simple SIEMan met a WMIman

Published byTheodor Beck Modified over 5 years ago

Similar presentations

Presentation on theme: "Simple SIEMan met a WMIman"— Presentation transcript:

1 Simple SIEMan met a WMIman
Easy ways to add context to your logs Craig Bowser @shad0wtrackers

2 Introduction 15+ years in InfoSec
Worked mainly in DoD with some DOJ and now DOE experience GSEC GCED CISSP, yeah! Christian, Father, Husband, Geek, Scout Leader who also does some woodworking To Do List > To Do Open Slots 2

3 Background Bringing in logs from various MS Windows machines
Monitoring logons, logoffs, print activity, etc But AD has a ton of information that I'm not using Question: What low hanging fruit can I get that will add context and increase visibility?

4 Each idea will have four parts
Information: What I'm getting, how I'm getting it and where I'm using it

5 Each idea will have four parts
Information: What I'm getting, how I'm getting it and where I'm using it Why is this important?

6 Each idea will have four parts
Information: What I'm getting, how I'm getting it and where I'm using it Why is this important? Suggestions/Solutions

7 Each idea will have four parts
Information: What I'm getting, how I'm getting it and where I'm using it Why is this important? Suggestions/Solutions Level of Effort

8 The following commands will gather all disabled accounts into an csv
Active Inactive Accounts The following commands will gather all disabled accounts into an csv Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName | export-csv C:\Data\InactiveAccounts.csv -NoTypeInformation OR  Search-ADAccount -AccountDisabled | select samAccountName | export-csv C:\Data\InactiveAccounts.csv -NoTypeInformation  Monitor for deleted accounts and add those

9 The following commands will gather all disabled accounts into an csv
Active Inactive Accounts The following commands will gather all disabled accounts into an csv Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName | export-csv C:\Data\InactiveAccounts.csv -NoTypeInformation OR  Search-ADAccount -AccountDisabled | select samAccountName | export-csv C:\Data\InactiveAccounts.csv -NoTypeInformation  Why is this important? Attackers will use already created accounts to help hide their activity. If the account has the access to their target, they don't need to perform privilege escalation

10 The following commands will gather all disabled accounts into an csv
Active Inactive Accounts The following commands will gather all disabled accounts into an csv Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName | export-csv C:\Data\InactiveAccounts.csv -NoTypeInformation OR  Search-ADAccount -AccountDisabled | select samAccountName | export-csv C:\Data\InactiveAccounts.csv -NoTypeInformation  Solution Delete accounts as soon as they are not needed. For occasional workers, notify the SOC regarding who has been authorized to be re-enabled

11 The following commands will gather all disabled accounts into an csv
Active Inactive Accounts The following commands will gather all disabled accounts into an csv Get-ADUser -Filter {Enabled -eq $false} | FT samAccountName | export-csv C:\Data\InactiveAccounts.csv -NoTypeInformation OR  Search-ADAccount -AccountDisabled | select samAccountName | export-csv C:\Data\InactiveAccounts.csv -NoTypeInformation  Level of Effort Minimum

12 Service Account Activity
Get-aduser –Filter * -searchbase “OU=service, DC=you” | export-csv C:\Data\serviceaccounts.csv -NoTypeInformation OR -filter {name LIKE “svc*”} | export-csv C:\Data\serviceaccounts.csv -NoTypeInformation however you identify your services accounts. | select name | export-csv C:\Data\ServiceAccounts.csv -NoTypeInformation 

13 Service Account Activity
Get-aduser –Filter * -searchbase “OU=service, DC=you” | export-csv C:\Data\serviceaccounts.csv -NoTypeInformation OR -filter {name LIKE “svc*”} | export-csv C:\Data\serviceaccounts.csv -NoTypeInformation however you identify your services accounts. | select name | export-csv C:\Data\ServiceAccounts.csv -NoTypeInformation  Split these accounts into three (3) groups: 1. Accounts that do some type of scanning. Few sources, many destinations 2. Accounts used for applications that phone home. Many sources, few destinations 3. Accounts whose use doesn't fall into 1 or 2. Few sources, few destinations Many sources, many destinations

14 Service Account Activity
Get-aduser –Filter * -searchbase “OU=service, DC=you” | export-csv C:\Data\serviceaccounts.csv -NoTypeInformation OR -filter {name LIKE “svc*”} | export-csv C:\Data\serviceaccounts.csv -NoTypeInformation however you identify your services accounts. | select name | export-csv C:\Data\ServiceAccounts.csv -NoTypeInformation  Why is this important? Service accounts often have uber permissions Tend to be fire and forget efforts Passwords tend not to be changed

15 Service Account Activity
Get-aduser –Filter * -searchbase “OU=service, DC=you” | export-csv C:\Data\serviceaccounts.csv -NoTypeInformation OR -filter {name LIKE “svc*”} | export-csv C:\Data\serviceaccounts.csv -NoTypeInformation however you identify your services accounts. | select name | export-csv C:\Data\ServiceAccounts.csv -NoTypeInformation  Solution ID how and when and where each account is used. If possible, block everywhere else. Purchase a tool to automatically change password everywhere on a regular basis

16 Service Account Activity
Get-aduser –Filter * -searchbase “OU=service, DC=you” | export-csv C:\Data\serviceaccounts.csv -NoTypeInformation OR -filter {name LIKE “svc*”} | export-csv C:\Data\serviceaccounts.csv -NoTypeInformation however you identify your services accounts. | select name | export-csv C:\Data\ServiceAccounts.csv -NoTypeInformation  Level of Effort Major Who owns each account? Tools are expensive and hard to install and configure. Lots of tweaking to get monitoring with high fidelity.

17 Last Reboot Time wmic /node:\COMPUTER OS Get LastBootUpTime
* multiple ways to skin this cat. Also can monitor for event ID 6005

18 Last Reboot Time wmic /node:\COMPUTER OS Get LastBootUpTime
* multiple ways to skin this cat. Also can monitor for event ID 6005 Why is this important? Help verify patches have been applied and/or configurations updated Also, catch unexpected reboots

19 Use SIEM to create a report and track history.
Last Reboot Time wmic /node:\COMPUTER OS Get LastBootUpTime * multiple ways to skin this cat. Also can monitor for event ID 6005 Solution Use SIEM to create a report and track history.

20 Last Reboot Time wmic /node:\COMPUTER OS Get LastBootUpTime
* multiple ways to skin this cat. Also can monitor for event ID 6005 Level of Effort Minimum – Medium

21 Accounts with passwords set to never expire
Accounts that have never been accessed Search-ADAccount –PasswordNeverExpires | export-csv C:\Data4Splunk\noexpirepassword.csv -NoTypeInformation get-aduser -f {-not ( lastlogontimestamp -like "*") -and (enabled -eq $true)} | export-csv C:\Data4Splunk\neverloggedon.csv -NoTypeInformation

22 Accounts with passwords set to never expire
Accounts that have never been accessed Why is this important? Accounts with non-expiring passwords – ripe for brute force attacks Unused accounts tend to be forgotten Could be used as entry points into and around network Search-ADAccount –PasswordNeverExpires | export-csv C:\Data4Splunk\noexpirepassword.csv -NoTypeInformation get-aduser -f {-not ( lastlogontimestamp -like "*") -and (enabled -eq $true)} | export-csv C:\Data4Splunk\neverloggedon.csv -NoTypeInformation

23 Accounts with passwords set to never expire
Accounts that have never been accessed Solution Never give an account a non-expiring password. Set up to rotate periodically (see tool suggestions from II. Monitor like a hawk. If an account isn't being used, disable or delete Search-ADAccount –PasswordNeverExpires | export-csv C:\Data4Splunk\noexpirepassword.csv -NoTypeInformation get-aduser -f {-not ( lastlogontimestamp -like "*") -and (enabled -eq $true)} | export-csv C:\Data4Splunk\neverloggedon.csv -NoTypeInformation

24 Accounts with passwords set to never expire
Accounts that have never been accessed Search-ADAccount –PasswordNeverExpires | export-csv C:\Data4Splunk\noexpirepassword.csv -NoTypeInformation get-aduser -f {-not ( lastlogontimestamp -like "*") -and (enabled -eq $true)} | export-csv C:\Data4Splunk\neverloggedon.csv -NoTypeInformation Level of Effort Minimum

25 File/Folder monitoring
Example to monitor the finance department fileserver: get-aduser -filter { “all finance users” } | select samAccountName | export-csv C:\Data4Splunk\finance.csv -NoTypeInformation Add any users not in this OU that have legit access to this fileserver. Monitor for anyone outside this group who tries to access the fileserver. Do the same with HR, R&D and any other departments as required.

26 File/Folder monitoring
Example to monitor the finance department fileserver: get-aduser -filter { “all finance users” } | select samAccountName | export-csv C:\Data4Splunk\finance.csv -NoTypeInformation Why is this important? Assists with Insider Threat. If an adversary compromises an account, odd behavior is more easily detected.

27 File/Folder monitoring
Example to monitor the finance department fileserver: get-aduser -filter { “all finance users” } | select samAccountName | export-csv C:\Data4Splunk\finance.csv -NoTypeInformation Solution DLP Enable windows file/folder auditing Network segmentation

28 File/Folder monitoring
Example to monitor the finance department fileserver: get-aduser -filter { “all finance users” } | select samAccountName | export-csv C:\Data4Splunk\finance.csv -NoTypeInformation Level of Effort Maximum

29 Users who always logged on
Psloggedon -l \\COMPUTER Then find all users who have been logged on for more 5 days

30 Users who always logged on
Why this is important? More troubleshooting than for security. HD can use this before escalating issues. Can possibly show persistence if attacker is careless/stupid. Psloggedon -l \\COMPUTER Then find all users who have been logged on for more 5 days

31 Users who always logged on
Psloggedon -l \\COMPUTER Then find all users who have been logged on for more 5 days Solution Forced reboots minimum once per week

32 Users who always logged on
Psloggedon -l \\COMPUTER Then find all users who have been logged on for more 5 days Level of Effort Minimum

33 Collect local accounts
wmic /node:<remote-ip> /user:<username> useraccount list full Or wmic /node:machinename USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name,Domain

34 Collect local accounts
Why is this important? Malware uses to propagate or maintain persistence. Alert on new local accounts. Alert when these accounts try to access domain resources wmic /node:<remote-ip> /user:<username> useraccount list full Or wmic /node:machinename USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name,Domain

35 Collect local accounts
Solution Users shouldn’t create local accounts. List what local accounts are on each machine and that list should be short. Investigate new accounts. Investigate and enabled disabled account. Investigate local accounts trying to access network resources. wmic /node:<remote-ip> /user:<username> useraccount list full Or wmic /node:machinename USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name,Domain

36 Collect local accounts
wmic /node:<remote-ip> /user:<username> useraccount list full Or wmic /node:machinename USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name,Domain Level of Effort Medium

37 Track a specific windows patch
wmic qfe where hotfixid="KB958644" list full

38 Track a specific windows patch
wmic qfe where hotfixid="KB958644" list full Why is this important? Spot check vulnerability of enterprise to current attacks

39 Track a specific windows patch
wmic qfe where hotfixid="KB958644" list full Solution Ideal for tracking specific patch effort

40 Track a specific windows patch
wmic qfe where hotfixid="KB958644" list full Level of Effort Medium

41 Conclusion and Way Forward
Don't settle for simply ingesting logs, use AD, Powershell, WMI, etc to enhance and contextualize what you see and monitor Continue to determine how else information obtainable with WMI and AD can be compared to account and network activity

42 Slides and Scripts will be posted at
Questions/Suggests/Comments @shad0wtrackers

Download ppt "Simple SIEMan met a WMIman"

Similar presentations

Expose the Vulnerability Paul Hogan Ward Solutions.

Expose the Vulnerability Paul Hogan Ward Solutions.
LeadManager™- Internet Marketing Lead Management Solution May, 2009.

LeadManager™- Internet Marketing Lead Management Solution May, 2009.
CREATING USER ACCOUNTS Group accounts simplify administration by organizing user accounts into a single administrative unit. They provide a convenient.

CREATING USER ACCOUNTS Group accounts simplify administration by organizing user accounts into a single administrative unit. They provide a convenient.
File Server Organization and Best Practices IT Partners June, 02, 2010.

File Server Organization and Best Practices IT Partners June, 02, 2010.
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,

1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,
Module 4: Implementing User, Group, and Computer Accounts

Module 4: Implementing User, Group, and Computer Accounts
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

12.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
Using the Windows Event Viewer and Task Scheduler Chapter 5.

Using the Windows Event Viewer and Task Scheduler Chapter 5.
Account Reset Console Delegated and secure self password resets Joe Vachon Sales Engineer.

Account Reset Console Delegated and secure self password resets Joe Vachon Sales Engineer.
Network and Active Directory Performance Monitoring and Troubleshooting NETW4008 Lecture 8.

Network and Active Directory Performance Monitoring and Troubleshooting NETW4008 Lecture 8.
Ch 11 Managing System Reliability and Availability 1.

Ch 11 Managing System Reliability and Availability 1.

Similar presentations

Ads by Google