Network Security: Less Thrashing; More Queries (Part II)

These are more advanced event queries than my last post. Creating queries as psobject properties improves query speeds.More intra-message searches as calculated properties are included below.

$Elements=New-Object PSObject -Property @{
Security_515X=get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}
System=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}
Application=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}
}

if ($All_Events) {rv -ea 0 All_Events}
$global:Events= foreach ($element in $Elements) {$element}
[array]$HAElements="Security_515X","System","Application"
foreach ($element in $HAElements){$All_Events+=$Events.$element}
$a=$All_Events | Sort -desc -property TimeCreated

PS C:\> measure-command -expression {
>>
>> $Elements=New-Object PSObject -Property @{
>> Security_515X=get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}
>> System=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}
>> Application=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}
>> }
>>
>> if ($All_Events) {rv -ea 0 All_Events}
>> $global:Events= foreach ($element in $Elements) {$element}
>> [array]$HAElements="Security_515X","System","Application"
>> foreach ($element in $HAElements){$All_Events+=$Events.$element}
>> $a=$All_Events | Sort -desc -property TimeCreated
>> }
>>

Days : 0
Hours : 0
Minutes : 5
Seconds : 10
Milliseconds : 163
Ticks : 3101636859
TotalDays : 0.00358985747569444
TotalHours : 0.0861565794166667
TotalMinutes : 5.169394765
TotalSeconds : 310.1636859
TotalMilliseconds : 310163.6859

PS C:\> $All_Events.count
70000
PS C:\> $Elements | gm

TypeName: System.Management.Automation.PSCustomObject

Name MemberType Definition
---- ---------- ----------
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
Application NoteProperty System.Object[] Application=System.Object[]
Security_515X NoteProperty System.Object[] Security_515X=System.Object[]
System NoteProperty System.Object[] System=System.Object[]

PS C:\> $Elements.Application.count
10000
PS C:\> $Elements.Security_515X.count
50000
PS C:\> $Elements.System.count
10000

Parsing ports and Addresses from the message log for security events: 5156,5157,5158
(e.g.:
C:\Windows\system32>auditpol /get /subcategory:"Filtering Platform Policy Change"
System audit policy
Category/Subcategory Setting
Policy Change
Filtering Platform Policy Change Success and Failure
)

is a still a little cludgey here:

$a[0..100] | Select TimeCreated,ID,ProviderName, `
@{Name='Ext_Message';Expression={($_.Message | findstr "Address Source Port")}} `
| ft -auto -wrap

TimeCreated Id ProviderName Ext_Message
----------- -- ------------ -----------
8/25/2012 9:48:33 AM 7036 Service Control Manager
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { Source Address: 192.168.0.11, Source Port: 2672, Destination Address: 199.47.217.146, Destination
Port: 80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { Source Address: 192.168.0.11, Source Port: 2672, Destination Address: 199.47.217.146, Destination
Port: 80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { Source Address: 192.168.0.11, Source Port: 2672, Destination Address: 199.47.217.146, Destination
Port: 80}

This is more concise:

$a[0..100] | Select TimeCreated,ID,ProviderName, `
@{Name='Ext_Message';Expression={($_.Message | findstr "Address Source Port") `
-replace("Source Address:","") -replace("Destination Address:","") `
-replace("Source Port:","") -replace("Destination Port:","") }} `
| ft -auto -wrap

TimeCreated Id ProviderName Ext_Message
----------- -- ------------ -----------
8/25/2012 9:48:33 AM 7036 Service Control Manager
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:47:37 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:47:24 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 17500, 255.255.255.255, 17500}
8/25/2012 9:47:12 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 137, 192.168.0.255, 137}
8/25/2012 9:47:00 AM 7036 Service Control Manager
8/25/2012 9:47:00 AM 7036 Service Control Manager
8/25/2012 9:46:58 AM 5158 Microsoft-Windows-Security-Auditing { ::, 2680}
8/25/2012 9:46:58 AM 5156 Microsoft-Windows-Security-Auditing { ::1, 445, ::1, 2680}
8/25/2012 9:46:58 AM 5156 Microsoft-Windows-Security-Auditing { ::1, 2680, ::1, 445}
8/25/2012 9:46:54 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 17500, 255.255.255.255, 17500}
8/25/2012 9:46:42 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:46:42 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:46:42 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 2672, 199.47.217.146, 80}
8/25/2012 9:46:24 AM 5156 Microsoft-Windows-Security-Auditing { 192.168.0.11, 17500, 255.255.255.255, 17500}
...

08/26/2012: I've updated this post with the use of 'normalize()' to remove brackets.

Here are some methods to parse through the 70K log entries looking for connections:

$a[0..100] | Select ID,ProviderName,TimeCreated, `
@{Name="Message[10]"; Expression={($_.Message)[0,1]}}, `
@{Name="SourceAddress"; Expression={(($_.Message | findstr /C:"Source Address:").replace("Source Address:","")).Normalize()}}, `
@{Name="DestinationAddress"; Expression={(($_.Message | findstr /C:"Destination Address:").replace("Destination Address:","")).Normalize()}} `
| ft -auto -wrap

This use of the for command let the users roll through log fifty events at a time:

for ($i = 0;; $i += 50) {$a[$i..($i+50)] | ft -auto ID,ProviderName,TimeCreated,Message;pause}

for ($i = 0;; $i += 50) {$a[$i..($i+50)]| `
ft -auto -wrap ID,TimeCreated,@{Name="Ext_Message"; Expression={(($_.Message | findstr "Address Source Port")).Normalize()}};
pause;
}

This last one cleans it up and separates Source and Destination into different fields:

for ($i = 0;; $i += 50) {$a[$i..($i + 50)] |
ft -auto -wrap TimeCreated,ID,ProviderName, `
@{Name="SourceAddress";Expression={(($_.Message | findstr /C:'Source Address:').replace("Source Address:","")).Normalize()}}, `
@{Name="DestinationAddress";Expression={(($_.Message | findstr /C:'Destination Address:').replace("Destination Address:","")).Normalize()}};
pause;
}

Id ProviderName TimeCreated SourceAddress DestinationAddress
-- ------------ ----------- ------------- ------------------
7036 Service Control Manager 8/25/2012 9:48:33 AM
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:37 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:37 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:37 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:24 AM 192.168.0.11 255.255.255.255
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:47:12 AM 192.168.0.11 192.168.0.255
7036 Service Control Manager 8/25/2012 9:47:00 AM
7036 Service Control Manager 8/25/2012 9:47:00 AM
5158 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:58 AM ::
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:58 AM ::1 ::1
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:58 AM ::1 ::1
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:54 AM 192.168.0.11 255.255.255.255
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:42 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:42 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:42 AM 192.168.0.11 199.47.217.146
5156 Microsoft-Windows-Security-Auditing 8/25/2012 9:46:24 AM 192.168.0.11 255.255.255.255

...

Now we will do some quick analysis courtesy of the 'group-object' command:

$SearchResult= $a | Select ID,RecordID,TimeCreated, `
@{Name='SourceAddress';Expression={(($_.Message | findstr /C:'Source Address:').replace("Source Address:","")).Normalize()}}, `
@{Name='DestinationAddress';Expression={(($_.Message | findstr /C:'Destination Address:').replace("Destination Address:","")).Normalize()}}

$SearchResult | group -property ID -noelement | Sort -desc -property Count

Count Name
----- ----
2565 5158
2369 5156
898 1035
751 7036
66 5157
56 1
33 7042
32 7040
29 257
27 42
27 0
...

$SearchResult | Select SourceAddress,DestinationAddress | Sort -unique -desc -property SourceAddress,DestinationAddress

SourceAddress DestinationAddress
------------- ------------------
fe80::ffff:ffff:fffe ff02::2
fe80::ffff:ffff:fffe ff02::16
fe80::cddc:ceef:b717:a5ac ff02::1:3
fe80::46:eb0:3f57:fff4 ff02::2
fe80::3069:3e11:3f57:fff4 ff02::2
fe80::3069:3e11:3f57:fff4 ff02::16
fe80::1468:390c:3f57:fff4 ff02::2
fe80::1468:390c:3f57:fff4 ff02::16
255.255.255.255 0.0.0.0
239.255.255.250 127.0.0.1
224.0.0.252 192.168.0.11
224.0.0.22 192.168.0.11
199.47.216.177 192.168.0.11
192.168.0.11 98.138.49.43
192.168.0.11 98.137.49.1
192.168.0.11 98.124.156.54
192.168.0.11 96.17.239.144
192.168.0.11 96.17.237.177

$SearchResult | group -property SourceAddress,DestinationAddress -noelement | Sort -desc -property Count | ft -auto

Count Name
----- ----
2170 0.0.0.0
2000
617 192.168.0.11, 192.168.0.1
113 192.168.0.11
110 192.168.0.11, 199.47.217.146
109 ::
99 127.0.0.1
89 192.168.0.11, 255.255.255.255
81 192.168.0.11, 192.168.0.255
74 ::1
50 239.255.255.250, 127.0.0.1
48 192.168.0.11, 12.129.210.71
48 192.168.0.11, 184.73.175.201
44 192.168.0.11, 224.0.0.252
33 192.168.0.11, 224.0.0.22
28 192.168.0.11, 173.192.226.196
27 192.168.0.11, 96.17.237.177
26 255.255.255.255, 0.0.0.0
23 192.168.0.11, 64.94.107.64
....
#Note: Using Normalize() doesn't help me here...
[array[]]$Tuple=($SearchResult | group -property SourceAddress,DestinationAddress -noelement | Sort -desc -property Count | Select Name) -replace(",","") -replace(" ","")
[array[]]$Tuple=$Tuple.replace("@{Name=","") -replace("}","")

$Tuple[0..100]
0.0.0.0

192.168.0.11 192.168.0.1
192.168.0.11
192.168.0.11 199.47.217.146
::
127.0.0.1
192.168.0.11 255.255.255.255
192.168.0.11 192.168.0.255
::1
239.255.255.250 127.0.0.1
192.168.0.11 12.129.210.71
192.168.0.11 184.73.175.201
192.168.0.11 224.0.0.252
192.168.0.11 224.0.0.22
192.168.0.11 173.192.226.196
192.168.0.11 96.17.237.177
255.255.255.255 0.0.0.0
192.168.0.11 64.94.107.64
224.0.0.252 192.168.0.11
192.168.0.11 174.137.34.100
192.168.0.11 239.255.255.250
192.168.0.11 23.3.68.139
127.0.0.1 127.0.0.1
192.168.0.11 173.192.226.197
192.168.0.11 184.73.247.29
192.168.0.11 199.47.216.177
0.0.0.0 255.255.255.255

...

Network Security

Saturday, August 25, 2012

Less Thrashing; More Queries (Part II)

No comments:

Post a Comment