Parsing Windows Eventlogs in Powershell, (Thu, Feb 28th)

 SANS Internet Storm Center, Security Alerts  Comments Off on Parsing Windows Eventlogs in Powershell, (Thu, Feb 28th)
Feb 282013
 

Recently, while chasing a malware, I wanted to review the local security log of a third party server to which I didnt have direct access. The administrator was willing to provide a limited export for my offline analysis.

Newer Windows versions nicely enough provide more than one option to accomplish this.

1. You can use the graphical event viewer GUI, and Save-as, to export the file in EVTX, XML, TXT or CSV Format.

2. You can use wevtutil.exe at the command line to accomplish pretty much the same, but in a scriptable fashion. Wevtutil.exe can export the entire log. It also supports an XPath filter that allows to query and export only certain log lines and attributes. Unfortunately, the syntax of these filters

wevtutil qe Security /q:*[System[Provider[@Name=Microsoft-Windows-Security-Auditing] and (EventID=4624)]]

is a mess, and not easy to stomach for someone more used to the pristine beauty of egrep and regexps :).

3. A third option is to make use of Powershell and the get-winevent or get-eventlog cmdlet

get-eventlog -logname security -newest 10000 | Export-clixml seclog.xml

is a pretty quick way to get the latest 10000 records out of the security log. This is the option I chose, because I (somewhat naively) figured that this would be the fastest way to get a quick look. Not surprisingly, the export-xml command left me with an XML file, which is again not easy to stomach for someone more used to the pristine beauty of egrep and syslog :). But Powershell isnt bad, either. On the analysis workstation, you can stuff the entire log into a variable, thusly:

PS C:\TEMP $seclog = Import-Clixml seclog.xml

and then use the power of Powershell to get a rapid tally:

PS C:\TEMP $seclog | group eventid -noelement | sort count

Count Name

—– —-

1 4662

1 5058

1 5061

1 4904

2 4648

2 5140

5 4611

6 6144

6 4735

12 4985

17 4634

19 4672

20 4674

20 4624

128 4663

175 4673

KB947226 helps to translate the EventIDs into readable information. Once we know which events are of interest, we can then extract them:

PS C:\TEMP $seclog | ? { $_.eventid -match 5140 } | fl *

[…]

Message : A network share object was accessed.

Subject:

Security ID: S-1-5-21-394181-2045529214-8259512215-1280

Account Name: TRA29C

Account Domain: AMER

Logon ID: 0x311a28b

Network Information:

Object Type: File

Source Address: 10.11.192.16

Source Port: 6539

Share Information:

Share Name: \\*\C$

Share Path: \??\C:\

[…]

All the Powershell formatting and querying and pattern match functions can now be used to cut and dice the information to find the haystalk in the cow pie.

If you have any clever Powershell Jiu-Jitsu up your sleeve to deal with unwieldy event logs, please let us know, or share in the comments below.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Getting Involved with the Local Community, (Wed, Jan 30th)

 SANS Internet Storm Center, Security Alerts  Comments Off on Getting Involved with the Local Community, (Wed, Jan 30th)
Jan 302013
 

Handler Note

This diary is part of the path to becoming a handler. Todays peice was written by Russell Eubanks and is on his path to becoming a handler.

You can find out more at: https://isc.sans.edu/handlerroadmap.html

Russell can be reached at securityeverafter at gmail dot com.

Russells Diary

The beginning of the year is a great time to commit yourself to a local security community. These organizations exist to foster active and lively security conversations through regular meetings. Many opportunities exist, especially in larger cities to attend and participate on a regular basis.The following are many of the popular security communities that may very well be available in your area. Listings for them and their link to learn more about them follows.

Defcon Groups -https://www.defcon.org/html/defcon-groups/dc-groups-index.html

InfraGard -http://www.infragard.net/chapters/index.php?mn=3

ISSA -http://www.issa.org/?page=ChaptersContact

NAISG -http://www.naisg.org/default.asp

OWASP -https://www.owasp.org/index.php/Category:OWASP_Chapter

Security BSides -http://www.securitybsides.com/w/page/12194156/FrontPag

Every person should strongly consider becoming more involved in their local security community. Both the individual and the community will benefit in the following ways.

You will have the opportunity to meet like minded people.

You will learn something new and could very well learn a new skill.

You will be able to avoid a pitfall previously encountered by others.

You will very likely become inspired to improve yourself.

You will become known in the community as a leader.

You will improve the community by your involvement.

You will have the chance to share something you have recently learned with the community.

I have been involved with the leadership of my local InfraGard and OWASP chapters for the last five years. I have found this to be beneficial to both myself and the organizations. It has required a little bit of work every week and can start to resemble a part time job without the involvement of others. The leaders of these security communities serve by finding interesting speakers, securing a location for the meeting and by encouraging others to attend. I know from experience that the leaders would absolutely welcome your active involvement and participation by sharing the work needed to conduct a successful security community.

If you are not involved in a local security community, I encourage you to do find one and become more involved this year. If you are already a regular attender, strongly consider offering your time in a leadership position. The current leaders will certainly welcome your help. You will find this experience to be rewarding as you actively participate and give back to your local security community. Watching a local security community grow is very rewarding and will often encourage continued involvement from others.

What is keeping you from being involved in your local security community this year?

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

%d bloggers like this: