Background
In collaboration with Adam Swan (@acalarch), in our spare time we have been setting up Windows Event Forwarding collections and looking at the thousands of Windows logs, then rating each one's volume and its level of confidence for information security (as well as for Windows system admins and helpdesk). We have also been sharing this same information with Florian Roth (@cyb3rops), who is working on essentially the same thing.
This post assumes that you have set up the basics of Windows Event Forwarding / Windows Event Framework / Windows Event Collection / Windows Event Subscriptions. (Relevant side note: Microsoft apparently hasn't settled on a common lexicon when talking about Windows events and subscriptions.)
The Problem
While we were attempting to collect logs from certain clients, we noticed that they had software writing to Windows event log channels which did not exist on the WEF server. When you create a subscription and go to select an event channel to pull from, the list of event channels is populated from what is available on the subscriber (the server collecting the events). Therefore, if a channel exists on a client being collected from but not on the subscriber, the channel will not be available (see the figure below). Hacking the channel in by hand through the registry may also cause instability (i.e. under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels and HKLM\System\CurrentControlSet\Control\WMI\Autologger).
Client on the left, Sysmon channel available. Subscriber on the right, Sysmon channel not available. How do I subscribe to a channel that doesn't exist locally?
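Before chasing manifests it helps to know exactly which channels are missing. As an added example that is not part of the original post, the following PowerShell, run on the collector, compares the channel list of one client against the collector's own list and reports the channels the collector cannot subscribe to yet, together with the provider that declares each one (the provider is what you need a manifest for). It assumes PowerShell Remoting to the client and uses the placeholder client name WKS01.

```powershell
# Added example, not from the original post. Compares channels on a client
# against the WEF collector and lists the ones the collector cannot subscribe
# to yet. Run on the collector; assumes PowerShell Remoting to the client.
$ClientName = 'WKS01'   # placeholder client name, adjust for your environment

# Get-WinEvent -ListLog * enumerates every channel the local Event Log service
# knows about, including "Applications and Services Logs" such as
# Microsoft-Windows-Sysmon/Operational. Inaccessible logs are skipped.
$collectorLogs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LogName

$clientLogs = Invoke-Command -ComputerName $ClientName -ScriptBlock {
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LogName
}

# SideIndicator '=>' marks names that exist only in the DifferenceObject (the client).
$missing = @(Compare-Object -ReferenceObject @($collectorLogs) -DifferenceObject @($clientLogs) |
    Where-Object { $_.SideIndicator -eq '=>' } |
    Select-Object -ExpandProperty InputObject |
    Sort-Object)

if ($missing.Count -eq 0) {
    "Every channel on $ClientName already exists on this collector."
    return
}

"Channels on $ClientName that this collector cannot subscribe to yet:"
$missing | ForEach-Object { "  $_" }

# Map each missing channel to the provider that declares it. The provider's
# manifest is what has to be installed on the collector.
Invoke-Command -ComputerName $ClientName -ArgumentList (,$missing) -ScriptBlock {
    param([string[]] $Names)
    Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue | ForEach-Object {
        $provider = $_
        foreach ($link in $provider.LogLinks) {
            if ($Names -contains $link.LogName) {
                [pscustomobject]@{
                    Channel  = $link.LogName
                    Provider = $provider.Name
                }
            }
        }
    }
} | Sort-Object Channel | Format-Table Channel, Provider -AutoSize
```

The channel-to-provider table is the shopping list for the rest of this post: each provider listed is one manifest to obtain and install on the collector.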
The Solution
The solution is to add the missing channels to the subscriber. You can do this by installing the manifest for the missing Windows event channel, or the much simpler way of adding the channel subscription in XML form. Also, https://blogs.technet.microsoft.com/russellt/2016/05/18/creating-custom-windows-event-forwarding-logs/ may be of help. First we'll dig into a little background knowledge for your sanity, and then we'll provide a step-by-step on how to create a provider for either type.
Background on Windows Events
There are basically two ways to create a channel: classic and manifest based [https://msdn.microsoft.com/en-us/library/windows/desktop/aa364161(v=vs.85).aspx]. This post will describe how to create the channel for either.
Creating a Classic Channel:
This will only work for logs that are NOT under the "Application and Services Logs" path. This is an easy one-liner in PowerShell:
New-EventLog -LogName "ThelognameIwanttocreate" -Source "TheSourceIwishTocreate"
[http://stackoverflow.com/questions/446691/how-to-create-windows-eventlog-source-from-command-line]
Creating a Manifest Based Channel:
This involves two steps:
- Collect the manifest from a computer where the channel already exists, or from the executable that creates the channel
- Install the manifest using wevtutil im manifest.name
Background for Manifest
The manifest for a channel is an XML document that describes a provider. The provider name becomes the name for your channel, as you are used to seeing it in the Windows Event Log. [https://msdn.microsoft.com/en-us/library/windows/desktop/dd996930(v=vs.85).aspx]
Obtaining the Manifest You Need
There are several ways of going about getting the manifest. It may be published online. In the case of Sysmon, simply running "sysmon -m" will install the event manifest and nothing else. Other times it can be quite tricky to find it. Here are some methods we've tested and had success with.
Windows PerfView
The easiest way is to try your luck with PerfView from Microsoft [https://www.microsoft.com/en-us/download/details.aspx?id=28567]. PerfView has a command "DumpRegisteredManifest". This command will dump the manifest for the specified channel into the current working directory. This worked for most channels we tested. Run
perfview /nogui /accepteula userCommand DumpRegisteredManifest [Channel-Name]
on a host to obtain the desired manifest.
Notepad++ (or any of your favorite IDE/text editors)
Another way to obtain the Windows event manifest is to search for it inside the executable you believe contains the manifest. Notepad++ has a decent search utility that will allow you to search for the manifest. Try keywords that should exist in the manifest for each of the executables associated with the channel, such as "eventman.xsd" (you may also want to try "e.v.e.n.t.m.a.n.\..x.s.d", as the manifest may be stored in Unicode).
Sysmon manifest found within the executable.
Installing the Manifest
Luckily, installing the manifest is a simple one-liner. A "resources could not be found" error should be expected, as we are installing the manifest without installing Sysmon; the channel will still appear in the Windows Event Viewer.
wevtutil im mymanifest.whatever
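As an added example that is not from the original post, this PowerShell automates the two manifest steps for a binary that embeds its manifest as XML text: it performs the same "eventman.xsd" hunt described in the Notepad++ section, but over both 8-bit and UTF-16 decodings of the file, writes the manifest out, shows which providers and channels it declares, installs it with wevtutil im and then checks that each declared channel is now enumerable on the collector. The path C:\Tools\Sysmon64.exe is a placeholder; run it in an elevated prompt on the collector.

```powershell
# Added example, not from the original post. Extracts an embedded XML event
# manifest from an executable, installs it on the WEF collector with wevtutil
# and verifies the channels it declares. Run elevated on the collector.
$ExePath     = 'C:\Tools\Sysmon64.exe'                      # placeholder path
$ManifestOut = Join-Path $env:TEMP 'extracted-manifest.xml'

$bytes = [System.IO.File]::ReadAllBytes($ExePath)

# Decode the image three ways: as UTF-8 and as UTF-16LE starting at byte 0 and
# at byte 1, because a Unicode manifest can sit at either alignment. This is
# the automated form of searching for "eventman.xsd" / "e.v.e.n.t.m.a.n..." in
# a text editor.
$views = @(
    [System.Text.Encoding]::UTF8.GetString($bytes),
    [System.Text.Encoding]::Unicode.GetString($bytes),
    [System.Text.Encoding]::Unicode.GetString($bytes, 1, $bytes.Length - 1)
)

# A manifest is a single <instrumentationManifest> element; take the first
# complete one found in any decoding.
$pattern  = '(?s)<instrumentationManifest\b.*?</instrumentationManifest>'
$manifest = $null
foreach ($text in $views) {
    $m = [regex]::Match($text, $pattern)
    if ($m.Success) { $manifest = $m.Value; break }
}
if (-not $manifest) { throw "No embedded manifest text found in $ExePath" }

# Parse it first so we know what we are about to register. PowerShell's XML
# property access ignores the manifest's default namespace.
[xml]$doc = $manifest
$providers = @($doc.instrumentationManifest.instrumentation.events.provider | Where-Object { $_ })
foreach ($p in $providers) {
    "Provider $($p.name) (resourceFileName=$($p.resourceFileName))"
    foreach ($c in @($p.channels.channel | Where-Object { $_ })) { "  declares channel $($c.name)" }
}

# Write UTF-8 without BOM; wevtutil takes the file path directly.
$utf8NoBom = New-Object System.Text.UTF8Encoding $false
[System.IO.File]::WriteAllText($ManifestOut, $manifest, $utf8NoBom)

# Install. When the provider's resource/message DLLs are not present on the
# collector, wevtutil reports that resources could not be found; that is
# expected here and the channel is still registered.
& wevtutil.exe im $ManifestOut

# Verify each declared channel is now enumerable, which is what makes it
# selectable when building a subscription.
foreach ($p in $providers) {
    foreach ($c in @($p.channels.channel | Where-Object { $_ })) {
        $log = Get-WinEvent -ListLog $c.name -ErrorAction SilentlyContinue
        if ($log) { "OK       $($c.name)" } else { "MISSING  $($c.name)" }
    }
}
```

The printout of providers and channels before the install is deliberate: a manifest registers publisher and channel entries under the WINEVT registry keys mentioned earlier, so it is worth seeing what a file pulled out of someone else's binary is going to add before running wevtutil against it.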
Final Thoughts
It'd really be nice if Microsoft would go ahead and just make the manifests exportable without installing additional tools. Additionally, if you are a developer, be a scholar like Mark Russinovich (Sysmon) and publish your manifest or make it easily installable.
Tag: Add Client Log Channel to WEF Server