Custom Windows Decoders


gp85...@gmail.com

Mar 6, 2016, 9:53:39 PM
to ossec-list
Hello,

I was wondering if there is a guide on how to write decoders for Windows Server 2008 and 2012 Security logs. I am more interested in the standard raw Windows log. With UNIX it is very straightforward because of the standard syslog output, but on Windows, without knowing what the raw log entry looks like, it seems to be impossible to write the regular expressions needed to parse a message. For example, on Linux an auditd log entry has a known format:
/var/log/audit/audit.log:type=USER_START msg=audit(1457067617.649:348): pid=2326 uid=0 auid=1000 ses=1 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_console,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="master" exe="/usr/libexec/gdm-session-worker" hostname=? addr=? terminal=/dev/tty2 res=success
while Windows has a different log format. Looking at a Windows Security event log in CSV, TXT, XML or even Snare, the formats all look different from each other.

Example of the CSV and TXT format of a Windows log:
3/3/2016 5:12:44 PM,Microsoft-Windows-Security-Auditing,5158,Filtering Platform Connection,"The Windows Filtering Platform has permitted a bind to a local port.

Application Information:
    Process ID:        2560
    Application Name:    \device\harddiskvolume2\program files (x86)\ossec-agent\ossec-agent.exe

Network Information:
    Source Address:        0.0.0.0
    Source Port:        54639
    Protocol:        17

Filter Information:
    Filter Run-Time ID:    0
    Layer Name:        Resource Assignment
    Layer Run-Time ID:    36"

Snare sends Windows logs to rsyslog in the following format:
Mar 05 23:26:31    WIN2012    5905    4656 (File System)    Security
Microsoft-Windows-Security-Auditing    WIN2012\Administrator    N/A    Success Audit    A handle to an object was requested. Subject: Security ID: S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator Account Domain: WIN2012 Logon ID: 0x25CD8 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\Desktop\AuditTest\F1 Handle ID: 0x1238 Resource Attributes: - Process Information: Process ID: 0xa3c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;OICIID;FA;;;WD) Access Mask: 0x20080 Privileges Used for Access Check: - Restricted SID Count: 0


OSSEC log from a Windows agent:
2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An account was successfully logged on. Subject:  Security ID:  S-1-5-18  Account Name:  WIN2012$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  Logon Type:   2  New Logon:  Security ID:  S-1-5-21-2958751065-1811596663-815683548-500  Account Name:  Administrator  Account Domain:  WIN2012  Logon ID:  0x36294  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x1ac  Process Name:  C:\Windows\System32\winlogon.exe  Network Information:  Workstation Name: WIN2012  Source Network Address: 127.0.0.1  Source Port:  0  Detailed Authentication Information:  Logon Process:  User32   Authentication Package: Negotiate  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.


My question, in other words, should probably be: what is the format of a Windows log expected by OSSEC from a Windows agent? As you can see, not all fields are in the same location as in the last sample of the OSSEC log, and this is why I am encountering difficulty in creating a proper custom decoder for Windows.

Cheers,
George


Jesus Linares

Mar 7, 2016, 6:57:23 AM
to ossec-list
Hi George,

what is the format of a Windows log expected by OSSEC from a Windows agent?

Your last example is the format. Try with ossec-logtest:

2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An account was successfully logged on. Subject:  Security ID:  S-1-5-18  Account Name:  WIN2012$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  Logon Type:   2  New Logon:  Security ID:  S-1-5-21-2958751065-1811596663-815683548-500  Account Name:  Administrator  Account Domain:  WIN2012  Logon ID:  0x36294  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x1ac  Process Name:  C:\Windows\System32\winlogon.exe  Network Information:  Workstation Name: WIN2012  Source Network Address: 127.0.0.1  Source Port:  0  Detailed Authentication Information:  Logon Process:  User32   Authentication Package: Negotiate  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.




**Phase 1: Completed pre-decoding.
       full event: '2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An account was successfully logged on. Subject:  Security ID:  S-1-5-18  Account Name:  WIN2012$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  Logon Type:   2  New Logon:  Security ID:  S-1-5-21-2958751065-1811596663-815683548-500  Account Name:  Administrator  Account Domain:  WIN2012  Logon ID:  0x36294  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x1ac  Process Name:  C:\Windows\System32\winlogon.exe  Network Information:  Workstation Name: WIN2012  Source Network Address: 127.0.0.1  Source Port:  0  Detailed Authentication Information:  Logon Process:  User32   Authentication Package: Negotiate  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.'
       hostname: 'LinMV'
       program_name: '(null)'
       log: '2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An account was successfully logged on. Subject:  Security ID:  S-1-5-18  Account Name:  WIN2012$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  Logon Type:   2  New Logon:  Security ID:  S-1-5-21-2958751065-1811596663-815683548-500  Account Name:  Administrator  Account Domain:  WIN2012  Logon ID:  0x36294  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x1ac  Process Name:  C:\Windows\System32\winlogon.exe  Network Information:  Workstation Name: WIN2012  Source Network Address: 127.0.0.1  Source Port:  0  Detailed Authentication Information:  Logon Process:  User32   Authentication Package: Negotiate  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '4624'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: 'Administrator'
       system_name: 'WIN2012'

**Phase 3: Completed filtering (rules).
       Rule id: '100011'
       Level: '5'
       Description: 'Bad user'
**Alert to be generated.

If you want, you can create specific decoders for other formats, but I don't see why you need that.

Regards.
Jesus Linares.
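As an added illustration (not code from the thread and not OSSEC's own decoder), the Python script below re-implements in plain `re` the field layout that ossec-logtest reported for the built-in `windows` decoder (status, id, extra_data, dstuser, system_name) and goes one step further: it splits the flattened message body into its labelled sections, which is exactly the part a custom child decoder would have to express as a regex. The header layout `WinEvtLog: <channel>: <status>(<id>): <source>: <user>: <domain>: <computer>: <message>` and the names `channel` and `domain` are assumptions read off the sample; the sample line itself is the one George posted.

```python
import json
import re

# Constructed sample: the OSSEC agent line George posted, reproduced verbatim as
# test input (the only change is Python escaping of the backslashes).
SAMPLE = (
    "2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: "
    "An account was successfully logged on. Subject:  Security ID:  S-1-5-18  "
    "Account Name:  WIN2012$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  "
    "Logon Type:   2  New Logon:  Security ID:  "
    "S-1-5-21-2958751065-1811596663-815683548-500  Account Name:  Administrator  "
    "Account Domain:  WIN2012  Logon ID:  0x36294  "
    "Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  "
    "Process ID:  0x1ac  Process Name:  C:\\Windows\\System32\\winlogon.exe  "
    "Network Information:  Workstation Name: WIN2012  "
    "Source Network Address: 127.0.0.1  Source Port:  0  "
    "Detailed Authentication Information:  Logon Process:  User32   "
    "Authentication Package: Negotiate  Transited Services: -  "
    "Package Name (NTLM only): -  Key Length:  0  "
    "This event is generated when a logon session is created. "
    "It is generated on the computer that was accessed."
)

# Header layout of an agent line (an assumption read off the sample):
#   [YYYY Mon DD HH:MM:SS ] WinEvtLog: <channel>: <status>(<id>): <source>:
#                                      <user>: <domain>: <computer>: <message>
# status/id/extra_data/dstuser/system_name mirror what ossec-logtest printed for the
# built-in 'windows' decoder; 'channel' and 'domain' are names chosen here.
HEADER_RE = re.compile(
    r"^(?:(?P<timestamp>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) )?"
    r"WinEvtLog: (?P<channel>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<body>.*)$",
    re.DOTALL,
)

# A body label is a run of words separated by SINGLE spaces, starting with a capital
# and ending in a colon followed by whitespace. Single spaces only, so a value like
# "Negotiate  Transited Services" is not swallowed into the next label, and the
# whitespace lookahead keeps "C:\Windows\..." from being read as a label.
LABEL_RE = re.compile(r"(?<!\S)([A-Z][A-Za-z()]*(?: [A-Za-z()]+)*):(?=\s|$)")


def parse_body(body):
    """Split the flattened message into a description and labelled sections.

    A label with no value ("Subject:", "New Logon:", ...) opens a section and every
    following label/value pair is filed under it. The agent flattens the event's
    indentation, so a top-level field such as "Logon Type" lands in whichever
    section precedes it in the text ("Subject" here).
    """
    matches = list(LABEL_RE.finditer(body))
    description = body[: matches[0].start()].strip() if matches else body.strip()
    sections = {}
    current = None
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        value = body[m.end() : end].strip()
        # Trailing free text ("This event is generated ...") follows the last value
        # after two or more spaces; keep only the value itself.
        value = re.split(r"\s{2,}", value)[0]
        if value == "":
            current = m.group(1)
            sections.setdefault(current, {})
        else:
            sections.setdefault(current or "_", {})[m.group(1)] = value
    return description, sections


def decode(line):
    """Return the header fields plus the parsed body for one agent line."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a WinEvtLog agent line")
    fields = m.groupdict()
    body = fields.pop("body")
    fields["description"], fields["sections"] = parse_body(body)
    return fields


if __name__ == "__main__":
    print(json.dumps(decode(SAMPLE), indent=2))
```

Running the script prints the same five fields the `windows` decoder produced, plus per-section values such as the new logon's account name, the logon type and the source network address, which is the data a rule on logon events would key on. The split on two or more spaces is what separates the last value from the trailing explanatory sentence; a Windows event whose values themselves contain runs of spaces would need a tighter rule there.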