Latest Posts

Windows Event Forward and Custom Logs

First of all, this post is more about configuring custom event channels than configure WEF.

 

There is more than one way to work with event logs and the most important is to start working with event logs.

Some of the benefits is one place to find the logs for multiple systems and if someone clears, for example, the security log it’s important that you can find the log events before that happened and have alerts triggered on the clearing event.

Using the WEC (Windows Event collector) service is a free option and one of the most frequent used way to gather logs from Windows Clients.

So where do these events end up?

 

Windows Event Forward uses WinRM to forward the logs from the source to the server which runs the Windows Event Collector Service.

There are 2 different options where one option is to let the WEC server to connect to the client and poll the events and the other options is to let the client to push the events to the WEC server.

This is configured in the subscription part in Event Viewer

Besides the Subscription types you also must configure the Destination log (Default Forwarded Events) and select which events will be forwarded.

There are a few git projects for events in xml(xpath) format which you can use to automatically update the events.

 

There are more than security people which wants to be able to forward events.

IT operations and endpoint management teams would benefit from WEF by being able to collect errors and other events that might help with troubleshooting.

If you are about to publish new applocker rules you could set them in Audit mode and collect and analyze information where the rules would impact on a user.

Since we have multiple user cases for WEF you may want to separate the logs into different logs.

Security people maybe don’t want the support-.log to fill their selections of security related events.

You may want to forward the security logs into a SIEM solution like Splunk or QRADAR and don’t want to waist SIEM data license with non-security events.

 

To achieve this, we create a custom log.

Using Ecmangen.exe (provided in one of the Windows 10 SDKs, beware of that this tool is removed from the latest releases)

Save the output to c:\temp\WEF and run the following commands

“C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe” C:\temp\wef\WEFEvents.man

“C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe” -css WEFEvents.DummyEvent C:\temp\wef\WEFEvents.man

 “C:\Program Files (x86)\Windows Kits\10\bin\x64\rc.exe” C:\temp\wef\WEFEvents.rc

 “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe” /win32res:C:\temp\wef\WEFEvents.res /unsafe /target:library /out:C:\temp\wef\WEFEvents.dll C:\temp\wef\WEFEvents.cs

Copy the WEFEvents.dll and WEFEvents.man to c:\windows\system32 and register with:

wevtutil im c:\Windows\system32\WEFEvents.man

 

You will now be able to use these logs for WEF.

You can have, for example, one for servers one for clients. One with a SPLUNK forwarder and one inserted to a database with a nice custom interface which suites your need depending of what you have.

 

 

 

 

 

 

 

 

Links from our TechDays Presentation

 

Image may contain: 2 people, people smiling, people standing

Here are a link collection and some brief information from our TechDays session.

We’ll skip the wannacry part from the post because it’s everywhere anyway except for the fact that patching is extremely important.

Selecting hardware

There is no secret that Microsoft is working hard to reduce the use of passwords. It’s simple, It’s something you know and someone else can find it out.

Windows Hello Requirements
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements
https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise
Hardware Security Testability Specification
https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/hardware-security-testability-specification

Managing firmware patches

Firmware also needs patching. You need to be able to deploy firmware patches to your clients which is already in the environment

TPM Recommendations
https://docs.microsoft.com/en-us/windows/device-security/tpm/tpm-recommendations

BitLocker mitigation plan for vulnerability in TPM

https://support.microsoft.com/en-us/help/4046783/bitlocker-mitigation-plan-for-vulnerability-in-tpm

UEFI Secure Boot


https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot

Security features

Credential guard
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard

Device Guard
https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide

Windows Defender Exploit Guard

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

Attack Surface Reduction
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction

This security feature really harderns the client. Especially when it comes to office applications.
As an example, one of the rules, will stop office applications form starting another process like CMD or powershell using DDE.

PowerShell Example
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled

 

Controlled Folder Access
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard

This is the new ransomware protection. It looks great but too soon to call it the silver bullet since you can still to a full disc encryption.
But ransomware’s that encrypt files this is something that has to be configured for your protection. Sec-Labs R&D will dig deeper into this feature.

PowerShell Downgrade Attacks

All new cool security features are being added in PowerShell version 5.0.
AMSI (Antimalware scan interface) – Not that many 3rd party AV vendors are supporting this which is a shame when we look at real world attacks today
Constrained Language Mode – Lock down, no api calls just legacy powershell
System Wide Transcript
Script Block Logging

PowerShell -version 2 and you’re in… (more or less)

PowerShell version 2 is deprecated since Windows 10 1709. When you install .net 3.5 it will be enabled and then you’ll have to disable it.

PowerShell downgrade attacks can be found in the event viewer, ID 400 and then the host version less than 5.0

Oldschool configurations which should already be in place

Local firewall – Enabled!

Applocker
We always get’s questions about applocker. It is builtin since Windows 7.
Build, evaluate and push a baseline to take control of executions no need for 3rd party here.

Windows Event Forwarding, WEF
When we asked, there were just a few actually using this.
There are lots of documentation on how to deploy this in an enterprise.
https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

Encrypt the harddrives, no excuses here.

DMA Protection
https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security

Antimalware
Don’t spend your money here.

LAPS Local Admin Password Solution
Make sure you don’t have the same local admin password on all clients.

https://technet.microsoft.com/en-us/mt227395.aspx
https://www.microsoft.com/en-us/download/details.aspx?id=46899

Guidelines to secure and lockdown you Internet Browsers
https://www.us-cert.gov/publications/securing-your-web-browser
https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge/
https://docs.google.com/document/d/1iu6I0MhyrvyS5h5re5ai8RSVO2sYx2gWI4Zk4Tp6fgc/edit
https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/#HE5XfCofMiy1S7QM.97

Windows Defender Advanded threat protection (WD ATP)

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection

Built-in Security Stack (Agent-less)

Supported on:
Windows 10 1607 (minimum)
Windows Server 2012 R2
Windows Server 2016
X-Plat Support under Investigation

Licensing
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5

 

Sysinternals Sysmon is also a great tool to deploy if you can’t use WD ATP for some reasons or just want to see more for yourself.
Should be used with Event Forwarding

Securing Privilege access
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access

 

Link to slides here

 

 

 

 

 

 

KrackAttack – Vulnerability in WPA2 – Disclosed

A security researcher Mathy Van Hoef will disclose a vulnerability in WPA2 within a few hours.

The vulnerability leaves Wi-Fi traffic open to eavesdropping and it will be possible to inject malicious content and much more.

CVE’s
CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082

 

Important URLs
https://www.krackattacks.com/
https://github.com/valentijnscholten/krackattacks/

 

Van Hoef on Twitter
https://twitter.com/vanhoefm

::Updates::

From Krackattacks.com

Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK):

  • Basically all Wireless networks are vulnerable and the vendors are working to get the patches out.
  • Microsoft was mitigating this on the client side in the October patch release cycle
  • If you won’t get an update to your router your really only option is to get a new one (if it’s out of support)
  • Recommendations are to apply patches as soon as they’re available.

 

 

This post will be updated

EVENT: Åtgärder mot finansiell brottslighet [Swedish Event]

 

SEC-Labs R&D will be presenting at – Åtgärder mot finansiell brottslighet – in Stockholm in December.

During the session – Digital World, Digital Criminals – From code to cash We will give you an insight to the darkest corner of the internet. We will share our knowledge about hackers and how they can get to your secret information without you even know it happened.

URL
http://insightevents.se/events/atgarder-mot-finansiell-brottslighet

 

Event: SCUG.SE – Client days in October 2017

The popular client event is back in October held by System Center User Group Sweden.

A mix of good to know and news where the field experts will share their knowledge during these two dates at the Microsoft office in Akalla – Stockholm

Most of the sessions are in Swedish

Date and Time
Thu, Oct 12, 2017, 8:30 AM –
Fri, Oct 13, 2017, 3:30 PM CEST

Location
Microsoft Sweden
36 Finlandsgatan
164 74 Akalla

Agenda (current)

Day 1

  • 0815 – Doors Open
  • 0830 – 0900 – Keynote – Future of a managed client – Jörgen & Stefan
  • 0915 – 1015 – What’s new in Configuration Manager 1706 and beyond! – Jörgen
  • 1030 – 1130 – The latest news on Windows 10 17xx modern management – TBA
  • 1130 – 1230 – Lunch
  • 1230 – 1315 – Sponsor Session
  • 1315 – 1345 – Scripting, Code and APIs the good, bad and the ugly – Fredrik Wall
  • 1400 – 1430 – Intune and PowerShell – Nickolaj Andersen
  • 1445 – 1545 – Best of Ignite – Stefan Schörling
  • 1545 – 1645 – Plan and deploy efficient content management – Andreas Hammarskjöld
  • 1645 – Q&A – Expert panel!
  • 1930 – Mingel på Stan

Day 2

  • 0815 – Doors Open
  • 0830 – 0930 – Windows 10 Enterprise Adoption – TBA
  • 0930 – 1030 – (EMS) TBA – Jan-Ketil Skanke
  • 1045 – 1115 – Using Ci’s in Configuration Manager deep-dive – Jörgen
  • 1115 – 1130 – Increase your patch compliance to 99% using ConfigMgr Health Script – Anders Rödland
  • 1130 – 1215 – TBA
  • 1215 – 1300 – Lunch
  • 1300 – 1345 – Managing Office 365 using Configuration Manager real world challenges – Stefan Schörling
  • 1400 – 1500 – Task Sequence Optimizations and Tricks – Jörgen / Johnny / Nickolaj

Get your tickets here:
https://www.eventbrite.com/e/scugse-klientdagarna-oktober-2017-tickets-37120053078

Join SCUG.SE User group on facebook

https://www.facebook.com/groups/241438124169

/SEC-LABS R&D

 

 

TechDays Sweden – Take care of your clients, you don’t WannaCry

In October SEC-LABS R&D Crew will be presenting at the Swedish Premier Microsoft IT Event TechDays. We will be talking about how to Secure your Windows clients, we are going to walk you through the Microsoft security stack you can use to protect your Windows client with. We will be focusing not only on Windows 10 but other solutions and practices you can leverage to build a more secure client environment.

http://tdswe.se/events/take-care-of-your-clients-you-dont-wannacry/ 

We hope to see you there / Stefan and Mattias

We have embedded a video from last years event below (Swedish)

Security by obscurity is not so obscure

This scenario was discoverd in the real world.

A VPN solution which had a device verification functionality which is all fine but the problem was that the verification is executed only on the client side.

And you don’t only want to protect from external attackers but also users connecting their home PC to the internal network.

We only want managed devices on the inside and one unmanaged home device with i.e. no AV and lots of keyloggers and other malicious code running.

When this kind of verifications are executing on the client side there is no guarantee that the outcome is correct (which is why certificate based authentication is prefered as one of the factors since you can assure that it’s your internal device)

In this example there was a client side verification which was querying  (amongst other things) a file on the local system.

The endpoint compliancy failed due to some security setting

Remediation required

Let’s do the same thing again with procmon running

The service tries to query for a file in the c:\windows\system32 folder xxx.dll

So we create an empty dummy file, xxx.dll.

When we try to connect again with process monitor running we have a different result.

And we are prompted for user name and password, and hopefully this customer has an extra factor of protection, like SMS or certificate

Certificate is the best way to verify a device, to verify a user it depends on your identity management and how you choose to manage the identities and how to verify them

Massive ransomware campaign hits victims in at least 74 countries

Today reports was flooding the internet about an large scale ransomware campaign.

*** Update 2017-05-13 : Microsoft has put together a detailed post about the matter now since they have gotten the time to reverse the malware. https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems
Microsoft has also released updates for Windows XP and 2003 Server that you can apply for the MS17-010 SMB Vulnerability KB4012598 http://www.catalog.update.microsoft.com/search.aspx?q=4012598

***

–his time the attack had a massive impact on the society – according to reports multiple hospitals was taken out of business in the UK with local files and network files encrypted.

The following picture from MalwareTech showing the infections which has an extreme hitrate

 

WannaCry infections (pic from malwaretech)

It’s using the NSA exploit leaked by Shadow Brokers (EternalBlue which uses a vulnerability in the SMB Protocol to spread.

This means that unpatched systems are spreading this ransomware internal on the network.

Initial infection is still not clear but most likley it’s a phishing campaing and we can’t really point out how important Security Awareness training is for your end users.

Mitigations (for this specific campaign)

  • Patching
  • Office 365 ATP (Advanced Threat Protection)
    • Office 365 ATP

    • Protecting against unsafe attachments
      all suspicious content goes through a real-time behavioral malware analysis that uses machne learning to evaluate the content for suspicious activities.
      unsafe attachments are sandboxed in a detonation chamber before being sent to recipients
      Protect your environment when users click malicious links.
      The URL s are examined in real time when a user clicks them.
    • Office 365 ATP URL SCAN

      One benefit is the reporting to so administrators can track which users clicked a link

    • For further information about Office 365 ATP please visit https://products.office.com/en-us/exchange/online-email-threat-protection
  • Security Awareness
    • Most likley this started by an email (well multiple emails) but I assume someone clicked on a link named invoice or something else
      Security awareness still very common to be overseen by secyurity teams and IT departments in general
      We can’t simple protect against every bad thing by technical means and we need to raise the awareness for the end users.
      Make sure to kick off a Security awareness program, This could be seminars, intranet information.
  • Segmentation
    • Make sure you have network segmentation to avoid spreading
    • Use a Local Firewall to block traffic usually there is no need to have SMB open against clients
  • Access to critical assets
    • Separation of duties
    • Users should only have access to what they need
    • Don’t set up a share where all users can read and write files from all departments
  • Windows 10 Device guard
    • Blocking untrusted code from executing. I bet this code wasn’t signed by a trusted certificate authority

CVE-2017-0290 – RCE in The Microsoft Malware Protection Engine

Last Friday, Tavis Ormandy and Natalie Silvanovich reported that they had discovered “the worst Windows remote code exec in recent memory”.

The vulnerability was reported to Microsoft who released an advisory: https://technet.microsoft.com/library/security/4022344.aspx

The good thing, no action is requred by the Enterprise administrators if default configuration to automatic upate definitions and the Malware Protection Engine are kept up to date.

Otherwise, patch now!

From the advisory:

Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.

CVE ID Vulnerability Title Exploitability Assessment for
Latest Software Release
Exploitability Assessment for
Older Software Release
Denial of Service
Exploitability Assessment
CVE-2017-0290 Scripting Engine Memory Corruption Vulnerability 2 – Exploitation Less Likely 2 – Exploitation Less Likely Not applicable

 

To exploit this vulnerability a special crafted file has to be scanned by the system. The file can be delivered in numerous ways – Via WEB, attachment etc.

The real-time scan will automatically scan the files and this funtionality is nothing you should disable.
The real-time scan runs on file shares so this vulernability doesn not only apply on clients

Affected products

Antimalware Software Microsoft Malware Protection Engine Remote Code Execution Vulnerability- CVE-2017-0290
Microsoft Forefront Endpoint Protection 2010 Critical
Remote Code Execution
Microsoft Endpoint Protection Critical
Remote Code Execution
Microsoft Forefront Security for SharePoint Service Pack 3 Critical
Remote Code Execution
Microsoft System Center Endpoint Protection Critical
Remote Code Execution
Microsoft Security Essentials Critical
Remote Code Execution
Windows Defender for Windows 7 Critical
Remote Code Execution
Windows Defender for Windows 8.1 Critical
Remote Code Execution
Windows Defender for Windows RT 8.1 Critical
Remote Code Execution
Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703 Critical
Remote Code Execution
Windows Intune Endpoint Protection Critical
Remote Code Execution

 

Actions:

  • Verify that the update is installed
  • If necessary, install the update

For further information:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5