WMI Collecting Windows Logs

Academic year: 2021


14.04.2011 Pascal Cronauer Version 1.0
10.11.2011 Pascal Cronauer Version 1.1

WMI – Collecting Windows Logs


1 Introduction

We are using WMI to remotely collect Microsoft Windows events and data in an agentless way. To get these logs to the AlienVault Unified SIEM (OSSIM) you have to configure a few things on OSSIM, and also on the Windows machines if you want more security.

2 Configure Windows

In any case you should create a separate limited user on Windows for security reasons. Don’t use the administrator account in a production environment; use it only for testing. In this scenario I created a limited user called wmiuser with the password wmi. To give that limited user access to log in remotely and to capture the logs, we have to configure a few permissions in the DCOM settings. Follow the next steps:

2.1. Grant DCOM remote launch and activate permissions for the new user

1. Click Start, click Run, type DCOMCNFG, and then click OK.
2. In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
3. In the My Computer Properties dialog box, click the COM Security tab.
4. Under Launch and Activation Permissions (picture 1), click Edit Limits.
5. In the Launch Permission dialog box, follow these steps to add our "wmiuser" user:
6. In the Launch Permission dialog box, click Add.
7. In the "Select Users, Computers, or Groups" dialog box, enter the name of the wmiuser account in the "Enter the object names to select" box, and then click OK.
8. In the Launch Permission dialog box, select our user in the "Group or user names" box. In the Allow column under Permissions for User, select Remote Launch, Local Activation and Remote Activation, and then click OK.


(picture 1)

9. Under Access Permissions (picture 2), click Edit Limits.

10. In the Access Permission dialog box, select ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.


(picture 2)

2.2. Set the WMIuser to the “Event Log Readers” Group

On a Windows 2008 Server you have to do this in the Active Directory where the users are stored (picture 3). On Windows 7 you do it under “Local Users and Groups” (picture 4).


(picture 4)

2.3. Set namespace permissions

These permissions allow you to collect the Windows security / system / application logs.

1. Click Start, click Run, type “compmgmt.msc”, and then click OK.
2. Go to “Services and Applications”.
3. Right-click “WMI Control” and choose “Properties”.
4. Go to the Security tab and open the “Root” tree.
5. Mark “CIMV2” and click “Security” in the bottom right corner.
6. Add “wmiuser” to the permissions list and enable the “Remote Enable” and “Read Security” permissions (picture 5).


3 Configure OSSIM

Before activating the wmi plugins it is necessary to create a file with the Windows credentials and, if not already installed, to install the new wmic package from the repository (apt-get install wmi-client).

Attention! Please use the newest wmi-client if you want it to work also on Windows 2008 Servers. Package name: “wmi-client_1%3a0.1.13-1_amd64.deb.deb”.

Check if you have the right version:

root@ossim:~# dpkg -l | grep wmi-client
ii wmi-client 1:0.1.13-1 DCOM/WMI client implementation

If you don’t have the right version, you have to upgrade to the newest version.

Create the file wmi_credentials.csv:

root@ossim:~# vi /etc/ossim/agent/wmi_credentials.csv

Add the IP of the Windows machine(s), the (domain\)users and the passwords in the following formats (don’t use a password containing the character “@”):

#without domain
192.168.1.2,user,pass
192.168.1.3,user,pass
#domain
192.168.1.3,domain\\user,pass

Now we can activate the wmi plugins:

1. Execute alienvault-setup
2. Go to “(3) Change Sensor Settings”
3. Go to “(3) Select/Disable detector plugins”
4. Enable “wmi-application-logger”
5. Enable “wmi-system-logger”
6. Enable “wmi-security-logger”
7. Save and exit
8. Restart ossim-agent:

root@ossim:~# /etc/init.d/ossim-agent restart

That’s all. Now you can view the Windows events in the framework. These events appear as Snare events with the Plugin ID 1518. They should appear in the SIEM with the signature “snarewindows”.


4 wmi-security-logger.cfg

;; wmi testing plugin
;; Warning: events will appear as "Snare" events

[DEFAULT]
plugin_id=1518

[config]
type=detector
enable=yes
source=wmi
credentials_file=/etc/ossim/agent/wmi_credentials.csv
sleep=10
process=
start=no
stop=no

[start_cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required
cmd=wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select LogFile,RecordNumber from Win32_NTLogEvent Where Logfile = 'Security'" | head -n 3 | tail -n 1 | cut -f 2 -d \|
regexp=

[cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required. OSS_COUNTER is a *must* and is the integer returned above
cmd = wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select ComputerName,EventCode,Logfile,Message,RecordNumber,SourceName,TimeWritten,User from Win32_NTLogEvent Where Logfile = 'Security' and RecordNumber > OSS_COUNTER" | cat
start_regexp=^([^\|]+)\|(\d+)\|([^\|]+)\|
regexp="^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|(?P<timewritten>[^\|]+)\|(?P<username>.*)$"
plugin_sid={$1}
userdata2={$2}
userdata3={$3}
userdata4={$4}
userdata5={$5}
userdata6={$6}
username={$7}
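As an added illustration (not part of the original document or of the OSSIM agent code), the following Python applies the credentials-file format from section 3 and the [cmd] regexp with the OSS_COUNTER logic from this plugin to constructed sample input; the host names, the LAB domain and the event lines are made up.

```python
import re

# Field regexp from wmi-security-logger.cfg (same in the application/system loggers)
EVENT_RE = re.compile(
    r"^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|"
    r"(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|"
    r"(?P<timewritten>[^\|]+)\|(?P<username>.*)$")

def password_ok(password):
    # The document says a password containing '@' cannot be used.
    return "@" not in password

def parse_credentials(text):
    # Parse wmi_credentials.csv lines: host,user,pass or host,domain\\user,pass
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # '#without domain' comments
            continue
        host, user, password = line.split(",", 2)
        if not password_ok(password):
            raise ValueError("password for %s contains '@'" % host)
        parts = [p for p in user.split("\\") if p]  # domain\user or domain\\user
        entries.append({"host": host, "user": parts[-1], "password": password,
                        "domain": parts[0] if len(parts) > 1 else None})
    return entries

def parse_events(wmic_output, counter):
    # Apply the [cmd] regexp to wmic output and advance OSS_COUNTER: only records
    # with RecordNumber > counter are kept, like the query's 'RecordNumber > OSS_COUNTER'.
    events = []
    for line in wmic_output.splitlines():
        m = EVENT_RE.match(line)
        if not m:  # 'CLASS:' line, column header, or wrapped Message text
            continue
        ev = m.groupdict()
        ev["recordnumber"] = int(ev["recordnumber"])
        if ev["recordnumber"] > counter:
            events.append(ev)
            counter = ev["recordnumber"]
    return events, counter  # new_counter is the highest RecordNumber seen

# Constructed sample input (not captured from a real host).
SAMPLE_CREDS = "#without domain\n192.168.1.2,wmiuser,wmi\n#domain\n192.168.1.3,LAB\\\\wmiuser,wmi\n"
SAMPLE_WMIC = (
    "CLASS: Win32_NTLogEvent\n"
    "ComputerName|EventCode|Logfile|Message|RecordNumber|SourceName|TimeWritten|User\n"
    "WIN2008|4624|Security|An account was successfully logged on.|1042|Microsoft-Windows-Security-Auditing|20111110093000.000000+060|NT AUTHORITY\\SYSTEM\n"
    "WIN2008|4625|Security|An account failed to log on.|1043|Microsoft-Windows-Security-Auditing|20111110093005.000000+060|(null)\n")
```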


5 wmi-application-logger.cfg

;; wmi testing plugin
;; Warning: events will appear as "Snare" events

[DEFAULT]
plugin_id=1518

[config]
type=detector
enable=yes
source=wmi
credentials_file=/etc/ossim/agent/wmi_credentials.csv
sleep=10
process=
start=no
stop=no

[start_cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required
cmd=wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select LogFile,RecordNumber from Win32_NTLogEvent Where Logfile = 'Application'" | head -n 3 | tail -n 1 | cut -f 2 -d \|
regexp=

[cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required. OSS_COUNTER is a *must* and is the integer returned above
cmd = wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select ComputerName,EventCode,Logfile,Message,RecordNumber,SourceName,TimeWritten,User from Win32_NTLogEvent Where Logfile = 'Application' and RecordNumber > OSS_COUNTER" | cat
start_regexp=^([^\|]+)\|(\d+)\|([^\|]+)\|
regexp="^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|(?P<timewritten>[^\|]+)\|(?P<username>.*)$"
plugin_sid={$1}
userdata2={$2}
userdata3={$3}
userdata4={$4}
userdata5={$5}
userdata6={$6}
username={$7}


6 wmi-system-logger.cfg

;; wmi testing plugin
;; Warning: events will appear as "Snare" events

[DEFAULT]
plugin_id=1518

[config]
type=detector
enable=yes
source=wmi
credentials_file=/etc/ossim/agent/wmi_credentials.csv
sleep=10
process=
start=no
stop=no

[start_cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required
cmd=wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select LogFile,RecordNumber from Win32_NTLogEvent Where Logfile = 'System'" | head -n 3 | tail -n 1 | cut -f 2 -d \|
regexp=

[cmd]
;; OSS_WMI_USER, OSS_WMI_PASS and OSS_WMI_HOST should be used if substitutions are required. OSS_COUNTER is a *must* and is the integer returned above
cmd = wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select ComputerName,EventCode,Logfile,Message,RecordNumber,SourceName,TimeWritten,User from Win32_NTLogEvent Where Logfile = 'System' and RecordNumber > OSS_COUNTER" | cat
start_regexp=^([^\|]+)\|(\d+)\|([^\|]+)\|
regexp="^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|(?P<timewritten>[^\|]+)\|(?P<username>.*)$"
plugin_sid={$1}
userdata2={$2}
userdata3={$3}
userdata4={$4}
userdata5={$5}
userdata6={$6}
username={$7}


7 Troubleshooting

7.1 How to check if you have a connection with the Windows machine

You can check it by running the “wmic” command manually on the command line:

Without domain:

root@ossim:~# wmic -U <user>%<pass> //<windows_ip_address> "select * from Win32_Process"

Domain:

root@ossim:~# wmic -U <domain>\\<user>%<pass> //<windows_ip_address> "select * from Win32_Process"

7.2 How to check if the agent is receiving events

You can monitor agent.log and check if the wmi events are arriving:

root@ossim:~# tail -f /var/log/ossim/agent.log

If you have a lot of logs, filter by the plugin ID:

root@ossim:~# tail -f /var/log/ossim/agent.log | grep 'plugin_id="1518"'

7.3 How to check if the server is receiving events

You can monitor server.log and watch the events arrive:

root@ossim:~# tail -f /var/log/ossim/server.log
