Network Security

One liners for retrieving Windows TCP/IP and IP Address information

2011-12-18T20:46:00.000-08:00

One liners for retrieving Windows IP Address information from Powershell v3.0:

gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$input}}
gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$input}} | fl *
gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$input | Select -ea 0 IP,DHCP,DNS,WINS}}
gwmi -class Win32_NetworkAdapter | % {If ($_.NetEnabled) {$input | Select Caption, Name, Speed, TimeOflastReset,Net*}}
gwmi -class Win32_NetworkAdapterConfiguration | % {If ($_.IPAddress -ne $null) {write "$($_.caption) $($_.IPAddress) $($_.SettingID)"}}
gwmi -class Win32_PerfRawData_Tcpip_NetworkInterface | % {if ($_.BytesReceivedPersec -ne 0) {write "$($_.Name) $($_.BytesReceivedPersec) $($_.BytesSentPersec)"} }

and a function for retrieve 'PropertySets' of IP information for a list of computers; provided that you can make remote Powershell connectivity work:

function Global:Show-IPinfo {

[CmdletBinding()]

Param(

[Parameter(ValueFromPipeline=$true)]

[array]$HostList=@("localhost"),

[array]$PropertySets=@("IP","DHCP","DNS")

)

$HostList | % {

$HostIP=gwmi -computer $input -class Win32_NetworkAdapterConfiguration |

% {if ($_.IPAddress -ne $null) {$input}}

$PropertySets |

% {foreach ($i in ($HostIP.$input).ReferencedPropertyNames) {write "$($i) : $($HostIP.$i)"}}

}

FileVersionInfo Part II

2011-12-10T14:50:00.000-08:00

# Powershell v3.0 code
# Recurses current directory to gather file version information of a boolean property
# Returns number of Debug,Patched,PreRelease,Private,Special builds
# Creates csv of those properties in current directory
# Takes up to three arguments:
# [mandatory]$filename (e.g. *.dll),$exportflag (e.g. "0" to output csv;default is off), $filetime (default is now)

function Global:Get-fileinfo {
[CmdletBinding()]
    Param(
        [Parameter(ValueFromPipeline=$true)]
        [object]$filename,
        [bool]$exportflag=1,
        $filetime=[DateTime]::Now.ToFileTime()
         )
 
$Files=ls -Filter $filename -recurse -File 
## $Files=ls -ea 0 -Filter $filename -recurse #remove '-File' to create 2.0 code. Add '-ea 0' as desired.

$FileInfo=$Files | 
% {[System.Diagnostics.FileVersionInfo]::GetVersionInfo("$(($_.DirectoryName)+"\"+($_.Name))")}


$Global:DebugBuild=$FileInfo | %  {if ($_.IsDebug) {$_}}
$Global:PatchedBuild=$FileInfo | %  {if ($_.IsPatched) {$_}}
$Global:PrereleaseBuild=$FileInfo | %  {if ($_.IsPreRelease) {$_}}
$Global:PrivateBuild=$FileInfo | %  {if ($_.IsPrivateBuild) {$_}}
$Global:SpecialBuild=$FileInfo | %  {if ($_.IsSpecialBuild) {$_}}

[hashtable]$Global:Report=@{
"DebugBuild" = '$DebugBuild';
"PatchedBuild" = '$PatchedBuild';
"PrereleaseBuild" = '$PrereleaseBuild';
"PrivateBuild" = '$PrivateBuild';
"SpecialBuild" = '$SpecialBuild' }

if ($exportflag -eq 0)
    {
    [array]$hasharray=foreach ($i in $Report){$i.Values}
    foreach ($i in $hasharray) {invoke-expression $($i.trimEnd("$")) | Export-Csv -ea 0 -Path $filetime$i.csv }
    }

write "Total files: $(($Files).count)"
write "Marked Debug: $(($DebugBuild).count)"
write "Marked Patched: $(($PatchedBuild).count)"
write "Marked Prerelease: $(($PrereleaseBuild).count)"
write "Marked Private: $(($PrivateBuild).count)"
write "Marked Special: $(($SpecialBuild).count)"
}

FileVersionInfo Part I

2011-12-10T14:40:00.000-08:00

Retrieving FileVersionInfo in Powershell involves calling [System.Diagnostics.FileVersionInfo]::GetVersionInfo(). "ls ' or 'Get-childitem' has a scriptproperty named "VersionInfo" that can be used for this:

PS C:\ps1> $a=ls -recurse | % {$_.VersionInfo}

TypeName : System.IO.FileInfo
Name : VersionInfo
MemberType : ScriptProperty
Definition : System.Object VersionInfo {get=[System.Diagnostics.FileVersionInfo]::GetVersionInfo($this.FullName);}

System.Diagnostics.FileVersionInfo contains five boolean properties for Debug,Patched,PreRelease,Private,Special builds:

PS C:\ps1> $a | gm

TypeName: System.Diagnostics.FileVersionInfo

Name MemberType Definition
---- ---------- ----------
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
Comments Property System.String Comments {get;}
CompanyName Property System.String CompanyName {get;}
FileBuildPart Property System.Int32 FileBuildPart {get;}
FileDescription Property System.String FileDescription {get;}
FileMajorPart Property System.Int32 FileMajorPart {get;}
FileMinorPart Property System.Int32 FileMinorPart {get;}
FileName Property System.String FileName {get;}
FilePrivatePart Property System.Int32 FilePrivatePart {get;}
FileVersion Property System.String FileVersion {get;}
InternalName Property System.String InternalName {get;}
IsDebug Property System.Boolean IsDebug {get;}
IsPatched Property System.Boolean IsPatched {get;}
IsPreRelease Property System.Boolean IsPreRelease {get;}
IsPrivateBuild Property System.Boolean IsPrivateBuild {get;}
IsSpecialBuild Property System.Boolean IsSpecialBuild {get;}
Language Property System.String Language {get;}
LegalCopyright Property System.String LegalCopyright {get;}
LegalTrademarks Property System.String LegalTrademarks {get;}
OriginalFilename Property System.String OriginalFilename {get;}
PrivateBuild Property System.String PrivateBuild {get;}
ProductBuildPart Property System.Int32 ProductBuildPart {get;}
ProductMajorPart Property System.Int32 ProductMajorPart {get;}
ProductMinorPart Property System.Int32 ProductMinorPart {get;}
ProductName Property System.String ProductName {get;}
ProductPrivatePart Property System.Int32 ProductPrivatePart {get;}
ProductVersion Property System.String ProductVersion {get;}
SpecialBuild Property System.String SpecialBuild {get;}

We can select for these booleans easy enough:

PS C:\ps1> $a | Select Filename,Is* | fl *| more
{ls -recurse | % {$_.VersionInfo} | Select Filename,Is* | fl *| more}

FileName : C:\ps1\CTPv3\app.config
IsDebug : False
IsPatched : False
IsPrivateBuild : False
IsPreRelease : False
IsSpecialBuild : False

FileName : C:\ps1\CTPv3\AssemblyInfo.cs
IsDebug : False
IsPatched : False
IsPrivateBuild : False
IsPreRelease : False
IsSpecialBuild : False

...

Muxing System.Diagnostics.Process with System.Security.AccessControl

2011-09-06T17:38:00.000-07:00

# three functions that produce filepath,Owner,Access,SDDL

# for the binaries listed by ps ("get-process")
# All rights reserved Ryan M. Ferris @ RMF Network Security
# Version r5:21 PM 9/6/2011

function Get-PSACL
{
ps | get-acl -ea 0 | Select pschildname,owner,AccessToString,Sddl
}

function Get-PEX
{
[array]$global:ps_list=ps
[array]$global:acl_list=$ps_list | get-acl -ea 0
$acl_list | Select @{label="FilePath"; Expression={ls $_.PsPath}},Owner,AccessToString,Sddl
}

function Get-PIDACL 
{
foreach ($id in $(ps)) 
    {$id | Select Name,ID,
    @{Label="Owner";Expression={get-acl $id.Path | % {$_.Owner}}},
    @{Label="Access";Expression={get-acl $id.Path | % {$_.AccessToString}}},
    @{Label="SDDL";Expression={get-acl $id.Path | % {$_.SDDL}}}
    }
}

Get-PSACL
Get-PEX
Get-PIDACL


Two other functions as well:

function FindSDDL
{
foreach ($i in (ls)) {$i|  % {
  $_.getaccesscontrol()} | 
  Select @{name="Path";Expression={$i | % {$_.Name}}},
  @{name="Type";Expression={$i | % {$_.gettype().Name}}},
  Owner,
  Access,
   SDDL }
}

function RecurseSDDL
{
foreach ($i in (ls -recurse)) {$i|  % {
  $_.getaccesscontrol()} | 
  Select @{name="Name";Expression={$i | % {$_.Name}}},
  @{name="Path";Expression={$i | % {$_.PSParentPath}}},
  @{name="Type";Expression={$i | % {$_.gettype().Name}}},
  Owner,
  Access,
   SDDL }
}

(or maybe better):

function FindSDDL
{
foreach ($i in (ls)) {$i.getaccesscontrol() | 
  Select -property  Owner,Access,SDDL,
  @{name="Path";Expression={$i.Name}},
  @{name="Type";Expression={$i.gettype().Name}}
  }
}

function RecurseSDDL
{
$lsr=ls -recurse
foreach ($i in $lsr) {$i.getaccesscontrol() | 
Select -property Owner,Access,SDDL,
  @{name="Name";Expression={$i.Name}},
  @{name="Path";Expression={$i.PSParentPath}},
  @{name="Type";Expression={$i.gettype().Name}}
}
}

Muxing AccessControl and FileInfo objects

2011-08-31T09:52:00.000-07:00

Most of us know the members (partially printed at bottom) of System.Security.AccessControl and System.IO.FileInfo. And most of us know they both share the PS* NoteProperty items:

PSChildName NoteProperty System.String PSChildName=test.txt
PSDrive NoteProperty System.Management.Automation.PSDriveInfo PSDrive=C
PSParentPath NoteProperty System.String PSParentPath=Microsoft.PowerShell.Core\FileSystem::C:\
PSPath NoteProperty System.String PSPath=Microsoft.PowerShell.Core\FileSystem::C:\test.txt
PSProvider NoteProperty

These 'NoteProperty' may be what makes co-operation between 'get-childitem' (alias 'ls' or 'gci') and 'get-acl' straightforward:
[gci * | get-acl]

However, this produces a System.Security.AccessControl object only. What if you need to see both FileInfo properties and AccessControl properties in the same object? For this we will have to do something more clever. Calculated Properties help us mux AccessControl and FileInfo objects into one, giving us an output of all files with their AccessControl information sorted by LastAccessTime. This is easier to do because AccessControl and FileInfo objects share the 'PSChildName' NoteProperty which acts here as a type of primary key:

function Check-RecentAccess {
[CmdletBinding()]
    Param(
        [Parameter(ValueFromPipeline=$true)]
           [int]$days=1
    )
$StartTime = (get-date) - (new-timespan -days $days)
$List=gci * | where {!$_.psiscontainer}
$Query= foreach ($i in $List) { gci $i |Select FullName,*Time, @{Label="Access";Expression={get-acl $_.PSChildName | % {$_.AccessToString}}}, @{Label="Owner";Expression={get-acl $_.PSChildName| % {$_.Owner}}}}
$Query | Select LastAccessTime,CreationTime,FullName,Owner,Access| where {$_.LastAccessTime -gt $StartTime} |Sort -descending LastAccessTime
}

I have uploaded:

Check-RecentAccess
Check-RecentAccessRecurse

TypeName: System.Security.AccessControl.FileSecurity

Name MemberType Definition
---- ---------- ----------
Access CodeProperty System.Security.AccessControl.AuthorizationRuleCollection Access{get=GetAccess;}
Group CodeProperty System.String Group{get=GetGroup;}
Owner CodeProperty System.String Owner{get=GetOwner;}
Path CodeProperty System.String Path{get=GetPath;}
Sddl CodeProperty System.String Sddl{get=GetSddl;}
....

TypeName: System.IO.FileInfo

Name MemberType Definition
---- ---------- ----------
Mode CodeProperty System.String Mode{get=Mode;}
AppendText Method System.IO.StreamWriter AppendText()
CopyTo Method System.IO.FileInfo CopyTo(string destFileName), System.IO.FileInfo CopyTo(string destFileName, bool overwrite)
Create Method System.IO.FileStream Create()
CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)
...

New-Object -ComObject Shell.Application

2011-08-26T22:12:00.000-07:00

Here are some notes on exposing the Shell as a ComObject with Powershell. Here, I trace down the cookies folder:

$a = New-Object -ComObject Shell.Application
$b=1..100
foreach ($i in $b) {write "$i $($a | % {$_.Namespace($i).Self.Path})"}
....
32 C:\Users\rferrisx\AppData\Local\Microsoft\Windows\Temporary Internet Files
33 C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Cookies
34 C:\Users\rferrisx\AppData\Local\Microsoft\Windows\History
...
($a | % {ls -recurse $_.Namespace(33).Self.Path }).count
2385

($a | % {ls -recurse $_.Namespace(33).Self.Path | gc }) | more

__utma
173272373.1981518736.1312989611.1312989611.1312989656.2
google.com/mail/help/
1088
187792384
30315796
433027780
30168945
*
...

Powershell gives us some opportunities to look at Windows file structure internals. The output of these commands gives us the objects referenced by the file system for the Windows Shell:

$a = New-Object -ComObject Shell.Application

$b=0..60

foreach ($i in $b) {write "$i $($a | % {$_.Namespace($i).Title})"}
foreach ($i in $b) {write "$i $($a | % {$_.Namespace($i).Self.Path})"}

I can line them up in spreadsheet (as below). Some are file paths give as GUIDs (or CLSIDs?). Others are blank:

0	Desktop	C:\Users\rferrisx\Desktop
1	The Internet	::{871C5380-42A0-1069-A2EA-08002B30309D}
2	Programs	C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
3	All Control Panel Items	::{26EE0668-A00A-44D7-9371-BEB064C98683}\0
4	Printers	::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{2227A280-3AEA-1069-A2DE-08002B30309D}
5	My Documents	C:\Users\rferrisx\Documents
6	Favorites	C:\Users\rferrisx\Favorites
7	Startup	C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
8	Recent Items	C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Recent
9	SendTo	C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\SendTo
10	Recycle Bin	::{645FF040-5081-101B-9F08-00AA002F954E}
11	Start Menu	C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Start Menu
12	12
13	My Music	C:\Users\rferrisx\Music
14	My Videos	C:\Users\rferrisx\Videos
15	15
16	Desktop	C:\Users\rferrisx\Desktop
17	Computer	::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
18	Network	::{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
19	Network Shortcuts	C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Network Shortcuts
20	Fonts	C:\Windows\Fonts
21	Templates	C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Templates
22	Start Menu	C:\ProgramData\Microsoft\Windows\Start Menu
23	Programs	C:\ProgramData\Microsoft\Windows\Start Menu\Programs
24	Startup	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
25	Public Desktop	C:\Users\Public\Desktop
26	Roaming	C:\Users\rferrisx\AppData\Roaming
27	Printer Shortcuts	C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
28	Local	C:\Users\rferrisx\AppData\Local
29	Startup	C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
30	Startup	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
31	Favorites	C:\Users\rferrisx\Favorites
32	Temporary Internet Files	C:\Users\rferrisx\AppData\Local\Microsoft\Windows\Temporary Internet Files
33	Cookies	C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Cookies
34	History	C:\Users\rferrisx\AppData\Local\Microsoft\Windows\History
35	ProgramData	C:\ProgramData
36	Windows	C:\Windows
37	System32	C:\Windows\System32
38	Program Files	C:\Program Files
39	My Pictures	C:\Users\rferrisx\Pictures
40	rferrisx	C:\Users\rferrisx
41	SysWOW64	C:\Windows\SysWOW64
42	Program Files (x86)	C:\Program Files (x86)
43	Common Files	C:\Program Files\Common Files
44	Common Files	C:\Program Files (x86)\Common Files
45	Templates	C:\ProgramData\Microsoft\Windows\Templates
46	Public Documents	C:\Users\Public\Documents
47	Administrative Tools	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
48	Administrative Tools	C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
49	Network Connections	::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}
50	50
51	51
52	52
53	Public Music	C:\Users\Public\Music
54	Public Pictures	C:\Users\Public\Pictures
55	Public Videos	C:\Users\Public\Videos
56	Resources	C:\Windows\Resources
57	409	C:\Windows\Resources\0409
58	OEM Links	C:\ProgramData\OEM Links
59	Temporary Burn Folder	C:\Users\rferrisx\AppData\Local\Microsoft\Windows\Burn\Burn

What are those GUID (or CLSID) paths? The 49th appears to be the non-browsable folder:
"All Control Panel Items"\"Network Connections"

$a | % {$_.Namespace(49).ParentFolder.Self.GetFolder.Self}

Application : System.__ComObject
Parent : System.__ComObject
Name : All Control Panel Items
Path : ::{21EC2020-3AEA-1069-A2DD-08002B30309D}
GetLink :
GetFolder : System.__ComObject
IsLink : False
IsFolder : True
IsFileSystem : False
IsBrowsable : False
ModifyDate : 12/30/1899 12:00:00 AM
Size : 0
Type : System Folder

$a | % {$_.Namespace(49).ParentFolder.Self.GetFolder.Self.Name}
All Control Panel Items

$a | % {$_.Namespace(49).Self.GetFolder.Self}

Application : System.__ComObject
Parent : System.__ComObject
Name : Network Connections
Path : ::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}
GetLink :
GetFolder : System.__ComObject
IsLink : False
IsFolder : True
IsFileSystem : False
IsBrowsable : False
ModifyDate : 12/30/1899 12:00:00 AM
Size : 0
Type : System Folder

$a | % {$_.Namespace(49).Self.GetFolder.Self.Name}
Network Connections

Sorting Windows events by UserID: Part II (Building a Module)

2011-08-11T17:34:00.000-07:00

I am a bit late to some v2.0 functionality. I made my first attempt at creating a module, in this case a six function script that queries general information from an event log. I ran into at least two problems:

(a) get-winevent is slow for high volume queries
(b) modules so encapsulate their variables in functions that I could not find how to call all functions globally from an internal or external script.

You can find the system module locations with:

$env:PSModulePath
(($env:PSModulePath -split(";"))[0])

$env:PSModulePath
C:\Users\rferrisx\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\

(($env:PSModulePath -split(";"))[0])
C:\Users\rferrisx\Documents\WindowsPowerShell\Modules

After you have created your functions for your module, you can import them into your session:

Import-Module .\UserIDEventsModule.psm1

If you change your module you can remove it:

remove-module UserIDEventsModule

While your module is imported, you can list your functions:

$commands=(get-module UserIDEventsModule).ExportedCommands
$list=(($commands).Values) | %{$_.Name} | Sort
$list

0Check-EventLogsBySize
1Check-EventLogsByLastWrite
2Count-Providers
3Find-UniqueUserIDs
4UserID-filter
5Event-filter
logtime
Run-AllModFunc

I constructed an internal function to run all the modules that declared all the specific variables to the functions. However, whether I run such a function from as part of a module or an external script, I cannot alter the individual module function variables globally. Setting the variables global with AllScope (as below) does not help:

function Global:Run-AllModFunc {

[CmdletBinding()]

    Param(

        [Parameter(ValueFromPipeline=$true)]

        [int]$Global:hours=1,

        [string]$Global:filter = "ID",

        [array]$Global:logs = @("Security","System","Application"),

        [string]$Modpath = (($env:PSModulePath -split(";"))[0]),

        $NoRun="Run-AllModFunc",

        $FileTime=[DateTime]::Now.ToFileTime()

        )



sv -Name hours -Option AllScope

sv -Name filter -Option AllScope

sv -Name logs -Option AllScope



$host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(500,1000)

Import-Module $Modpath\UserIDEventsModule.psm1

$commands=(get-module UserIDEventsModule).ExportedCommands

$list=(($commands).Values) | %{$_.Name} | Sort

logtime | out-file -append  -encoding ascii -FilePath $($Filetime)

foreach ($func in $list) {if ($func -eq $NoRun ){} else {$($func;logtime); &($func) | ft -auto -wrap |  out-file -append  -encoding ascii -FilePath $($Filetime) }}

}

The module runs and produces a text file of critical information, but in the case of a security audit configuration as below, it processes events somewhat slowly, most obviously because of the volume of large amounts 'Filtering Platform Connections' events:

auditpol /get /category:* | findstr Success
Security System Extension Success and Failure
System Integrity Success and Failure
IPsec Driver Success and Failure
Other System Events Success and Failure
Security State Change Success and Failure
Logon Success and Failure
Logoff Success and Failure
Account Lockout Success and Failure
IPsec Main Mode Success and Failure
IPsec Quick Mode Success and Failure
IPsec Extended Mode Success and Failure
Special Logon Success and Failure
Other Logon/Logoff Events Success and Failure
Network Policy Server Success and Failure
Filtering Platform Connection Success
Sensitive Privilege Use Success
Process Termination Success
Process Creation Success
Authentication Policy Change Success
Filtering Platform Policy Change Success

Run-AllModFunc
0Check-EventLogsBySize

2011 8 11 11 19 7 611

1Check-EventLogsByLastWrite

2011 8 11 11 19 12 741

2Count-Providers

2011 8 11 11 19 13 828

3Find-UniqueUserIDs

2011 8 11 11 20 10 522

4UserID-filter

2011 8 11 11 20 25 843

5Event-filter

2011 8 11 11 20 47 190

logtime

2011 8 11 11 21 7 207

If you will run the module as a job you must use the parameter 'initializationScript' to import the module into the job session:

start-job -name AllModFunc -initializationScript {import-module .\UserIDEventsModule.psm1} -scriptblock {Run-AllModFunc}

Sorting Windows events by UserID

2011-07-29T13:07:00.000-07:00

Sorting Windows events by UserID is a critical piece of auditing. In the code and examples below, I concentrate on:

$Logs="System","Application","Microsoft-Windows-GroupPolicy/Operational"

purposefully leaving out the Security log. We can create a simple function that allows us to check all events logs on any machine sorted by file size:

function CheckEventLogsBySize
{
get-winevent -listlog * | Sort -desc FileSize |
ft -auto LogName,@{Label="FileLogSize(MB)"; Expression={$_.FileSize/1MB}},@{Label="MaxLogSize(MB)"; Expression={$_.MaximumSizeINBytes/1MB}},LastWriteTime,IsLogFull
}

This gives us a clear view of all log file size, maximum log size, last write time:

We can also sort by 'LastWriteTime'.

function CheckEventLogsByLastWrite
{
get-winevent -listlog * | Sort -desc LastWriteTime |
ft -auto LogName,LastWriteTime,@{Label="FileLogSize(MB)"; Expression={$_.FileSize/1MB}},@{Label="MaxLogSize(MB)"; Expression={$_.MaximumSizeINBytes/1MB}},IsLogFull
}

We can create a 'filterhashtable' array that searches multiple logs for event instances where there is an associated UserID. N.B.: 'ea -0' replaces 'erroraction silentlycontinue' or '$erroractionpreference=silentlycontinue'. '-Max 10000' limits the data collection to the last 10K events.

$Logs="System","Application","Microsoft-Windows-GroupPolicy/Operational"
$a=get-winevent -ea 0 -filterhashtable @{Logname=@($Logs)} -Max 10000

$host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(500,1000)
$a | where {$_.UserID} | ft TimeCreated,LogName,RecordID,ID,UserID,Message -auto | more

Following from above we can sort for all unique UserIDs:.

$b=$a | Select TimeCreated,LogName,RecordID,ID,UserID,Message | where {$_.UserID}
$c=$b | Select -unique UserID
$c | more

UserId
------
S-1-5-19
S-1-5-18
S-1-5-21-3270194588-3457409491-1468880025-1004
S-1-5-20

Next we create a list of the UserIDs of which we wish to search:

$UserIDs="S-1-5-18","S-1-5-19","S-1-5-20"
$a | where {($_.UserID -eq $UserIDs[0]) -or ($_.UserID -eq $UserIDs[1]) -or ($_.UserID -eq $UserIDs[2])} |ft TimeCreated,LogName,ID,RecordID,UserID,Message -auto | more

We can also create a function (as below) to accomplish the same output:

function UserID-filter
{
$Logs="System","Application","Microsoft-Windows-GroupPolicy/Operational"
$UserIDs="S-1-5-18","S-1-5-19","S-1-5-20"
$Global:Query=get-winevent -ea 0 -filterhashtable @{Logname=@($Logs)} -max 10000
$Query | Select TimeCreated,LogName,ID,RecordID,UserID,Message | where {($_.UserID -eq $UserIDs[0]) -or ($_.UserID -eq $UserIDs[1]) -or ($_.UserID -eq $UserIDs[2])}
}

Get-Winevent Part III: Querying the Event Log for Logons (Part E)

2011-07-14T19:30:00.000-07:00

In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, utlimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events. Then I used '-filterhashtable' with an array of multiple security EventIDs whose select 'Message' fields I searched with 'findstr' for specific properties relating to logons. In Part D, I pull this all together, creating a timeline of multiple security EventIDs whose select 'Message' fields I pump into a spreadsheet for further analysis. In Part E (below), I tie in additional auditing events, specifically connections permitted by the Windows Filtering Platform:

'Auditpol' allows the administrator to add additional events to be collected by the Event Viewer. To see all potential categories:

auditpol /get /category:*

[partial list:]
System audit policy
Category/Subcategory Setting
System
Security System Extension Success
System Integrity Success and Failure
IPsec Driver Success
Other System Events Success and Failure
Security State Change Success
Logon/Logoff
Logon Success and Failure
Logoff Success
...
A quick trick to set all categories and their subcategories for auditing:

auditpol /set /category:*

After some time, we query the Security log and notice event 5156 for further monitoring:

get-winevent Security -max 100 | ft -auto -wrap | more

7/14/2011 6:59:55 PM Microsoft-Windows-Security-Auditing 5156 The Windows Filtering Platform has permitted a connection.

Application Information:Process ID: 3588Application Name: \device\harddiskvolume3\program files (x86)\opera\opera.exe
Network Information:Direction: OutboundSource Address: 192.168.0.11Source Port: 51199Destination Address: 199.59.149.243Destination Port: 80Protocol: 6

...
$5156=get-winevent -filterhashtable @{logname='security';id=5156} -max 1000
foreach ($event in $5156) {($event | Select TimeCreated,Message | fl * | findstr /G:Search5156.lst) -replace " ","" -join "," | out-file -append 5156.csv}

where Search5156.lst:
TimeCreated
Source
Destination

Now we can add some headers and create some filters in our spreadsheet:

Get-WinEvent, EventLogs, ETL, Providers on Win7 Part III

2011-07-14T17:28:00.000-07:00

Microsoft has exposed substantial providers since XP. With Windows 7, Microsoft has increased the number of providers substantially over previous versions of Windows and added 'netsh trace' functionality to enable tracing, conversion, batching of these kernel level counters. In the commands below, I have mixed cmd shell, powershell, cygwin cmds to parse ETL files. In general, parsing etl files with 'get-winevent' and powershell takes a while... You can understand 'netsh' filtering best with 'netsh trace show CaptureFilterHelp', however I recommend setting your 'netsh trace start maxSize=' parameter at 150 MB or less. (The default is an almost unworkable 250MB.)

From cmd.exe, a variable for date/time (e.g. timestamp) could be useful:

realtd.cmd
@echo off
set realdate=%date:/=.%
set realdate=%realdate:* =%
set realtime=%time::=.%
set realtime=%realtime:* =%
set timestamp=%realdate%_%realtime%

From cmd.exe we can start the trace:

netsh trace start provider=Microsoft-Windows-Kernel-Network provider=Microsoft-Windows-Kernel-Process provider=Microsoft-Windows-Security-Auditing provider=Microsoft-Windows-Security-Netlogon provider=Microsoft-Windows-TCPIP persistent=yes traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace%timestamp%.etl

and stop the trace:

netsh trace stop

If we choose we can covert the trace with 'netsh' we can dump it to a text or csv dump with:

netsh trace convert input=NetTrace07.07.2011_1.38.09.40.etl output=NetTrace07.07.2011_1.38.09.40.txt dump=TXT

Next we can try parsing a particular provider from Powershell. Here I choose "Microsoft-Windows-TCPIP" provider. I adjust the screen buffer size to help 'format-table' catch all of the trace line:

$host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(500,1000)
$Providers="Microsoft-Windows-TCPIP"
$FileName="NetTrace07.07.2011_1.38.09.40.etl"
foreach ($ProviderName in $Providers) {get-winevent -path "$FileName" -oldest | where {$_.ProviderName -eq "$ProviderName"} | ft TimeCreated, Message| out-file -encoding ASCII -file "$FileName$ProviderName.txt"}

I find I can not make GNUWin32 gawk work as advertised inside Powershell.
The following line does not work in Powershell:

## grep -i -w "remote" "$FileName$ProviderName.txt" | tr -s ' ' | gawk '{print $1" "$2" "$3","$4" "$5" "$6" "$7" "$8" "$9}' | out-file -encoding ASCII -append "$ProviderName.csv"

But this will work just fine in Cygwin:

grep -i -w "remote" NetTrace07.07.2011_1.38.09.40.etlMicrosoft-Windows-TCPIP.txt | tr -s ' ' | gawk '{print $1" "$2" "$3","$4" "$5" "$6" "$7" "$8" "$9}' >> NetTrace07.07.2011_1.38.09.40.etlMicrosoft-Windows-TCPIP.csv

and we are looking at a spreadsheet like this:

Get-Winevent Part III: Querying the Event Log for Logons (Part D)

2011-07-05T16:43:00.000-07:00

In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, utlimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events. Then I used '-filterhashtable' with an array of multiple security EventIDs whose select 'Message' fields I searched with 'findstr' for specific properties relating to logons. In this post (Part D), I pull this all together, creating a timeline of multiple security EventIDs whose select 'Message' fields I pump into a spreadsheet for further analysis.

Here I get the desired 'logon' events into spreadsheet format:

$EventLogonIDs="4611","4624","4625","4634","4647","4648","4672","4774","4775","4908","4964"
$MultipleIDLogEntries=Get-WinEvent -FilterHashtable @{Logname='security';Id=@($EventLogonIDs)}
foreach ($item in $MultipleIDLogEntries) {($item | Select TimeCreated, Message | fl * | findstr /G:search.lst) -replace" ","" -join "," | out-file -append test5.csv }

where search.lst :

TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Process Name:

Now I get the desired 'sleep' events into spreadsheet format. (My original concern was understanding a why my Windows 7 PC spontaneously "resumes from sleep" by itself and seemingly commences a log-on.)

$EventLogonIDs="1","42"
$MultipleIDLogEntries=Get-WinEvent -FilterHashtable @{Logname='system';Id=@($EventLogonIDs)}
foreach ($item in $MultipleIDLogEntries) {($item | Select TimeCreated, Message | fl * | findstr /I /G:search.lst) -replace" ","" -join "," | out-file -append test6.csv }

where search.lst :

TimeCreated
sleep

Now I mux the two data sets and output the combined csv:

$a=gc .\test5.csv
$b=gc .\test6.csv
$c=$a+$b
$c | out-file test7.csv

Once I translate the csv to a spreadsheet's native format, add column headers, format the Date/Time Column (the unique identifier for our purposes) and sort by Date/Time, I have a story book of events for the muxed security (e.g. 'logon') and system (e.g. 'sleep') events:

Next we need to discuss how to add additional Security auditing events to our storybook in Part E.

Get-Winevent Part III: Querying the Event Log for Logons (Part C)

2011-07-02T21:16:00.000-07:00

To list Opcodes, Event IDs, Event Descriptions from any group of provider's (e.g. Securit*) events, you can use:

$ProviderNames=get-winevent -listprovider microsoft-windows-Securit* | % {$_.Name}
$ProviderNames | % {((get-winevent -listprovider $_).events) | format-table @{Name="Opcode"; Expression = {$_.Opcode.Name}},ID,Description -auto -wrap}

To create a list of EventIDs from the Security Log for which want more information, we could download "Windows 7 and Windows Server 2008 R2 Security Event Descriptions" or we could select the string log from our provider query:

$ProviderNames | % {((get-winevent -listprovider $_).events) | format-table @{Name="Opcode"; Expression = {$_.Opcode.Name}},ID,Description | findstr "win:"} | out-file SecurityIDs.txt
Select-string "log" -path SecurityIDs.txt | ft -auto Line

4611 A trusted logon process has been registered with the Local ...
4624 An account was successfully logged on....
4625 An account failed to log on....
4634 An account was logged off....
4647 User initiated logoff:...
4648 A logon was attempted using explicit credentials....
4672 Special privileges assigned to new logon....
4774 An account was mapped for logon....
4775 An account could not be mapped for logon....
4908 Special Groups Logon table modified....
4964 Special groups have been assigned to a new logon....

Now we query all of our particular IDs in question using the search list for findstr below:

$LogonIDs="4611","4624","4625","4634","4647","4648","4672","4774","4775","4908","4964"
foreach ($item in $LogonIDs) {(Get-WinEvent -max 100 -FilterHashtable @{Logname='security';Id=$item} | Select TimeCreated,Message | fl * | findstr /G:search.lst) -replace" "," " | out-file -append "$item.txt" }

where search.lst :

TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Process Name:

This gives us some hits for the EventID numbers in separate files which contain entries that look like this:

PS C:\ps1> more 4624.txt
TimeCreated : 7/2/2011 7:25:59 PM
Security ID: S-1-5-18
Account Name: RMFVPC$
Account Domain: RMFDEVELOPMENT
Logon ID: 0x3e7
Logon Type: 5
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: C:\Windows\System32\services.exe
....
But this type of query isn't very fast. So we can tuck our array of events inside a '-FilterHashtable' array and then query the message field with 'findstr':

$LogonIDs="4611","4624","4625","4634","4647","4648","4672","4774","4775","4908","4964"
$MultipleIDLogEntries=Get-WinEvent -max 100 -FilterHashtable @{Logname='security';Id=@($LogonIDs)}
($MultipleIDLogEntries | Select TimeCreated,Message | fl * | findstr /G:search.lst) -replace" "," " | out-file -append Events_all.txt

This output also contain entries that look like this:

PS C:\ps1> more Events_all.txt
TimeCreated : 7/2/2011 7:25:59 PM
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
TimeCreated : 7/2/2011 7:25:59 PM
Security ID: S-1-5-18
Account Name: RMFVPC$
Account Domain: RMFDEVELOPMENT
Logon ID: 0x3e7
Logon Type: 5
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: C:\Windows\System32\services.exe

But what we really need is a way to parse this output into a csv... so on to Get-Winevent Part III: Querying the Event Log for Logons (Part D)

Get-Winevent Part III: Querying the Event Log for Logons (Part B)

2011-07-01T07:22:00.000-07:00

This is a long post that I've edited from a answer I gave on Stack Overflow. Although the post is about how to audit logon information in the Security log of Windows 7, it is also about discovering methods to extract critical information from the 'Message' field of a "Logon Type" (ID=4624).

Get-WinEvent -max 100 | where { $_.Message | findstr /C:"Logon Type"} | Select Message | fl * | findstr /C:"Logon Type"

Logon Type: 5
Logon Type: 7
Logon Type: 7
Logon Type: 7
Logon Type: 7
Logon Type: 5
...

Get-WinEvent Security -max 100 | Select ID,Level,Message | where { $_.Message | findstr /C:"Logon Type"} | ft -auto -wrap | more

Id Level Message
-- ----- -------
4624 0 An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: RMFVPC$
Account Domain: RMFDEVELOPMENT
Logon ID: 0x3e7

Logon Type: 5
....
Now I introduce '-FilterHashtable' parameter which greatly speeds up queries. Below are two commands which do essentially the same thing in about the same period of time:

Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | ft TimeCreated,MachineName,Message -auto -wrap | more

Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | ft -auto -wrap | more

TimeCreated MachineName Message
----------- ----------- -------
6/29/2011 12:36:35 PM rmfvpc An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: RMFVPC$
Account Domain: RMFDEVELOPMENT
Logon ID: 0x3e7

Logon Type: 5
...

Get-WinEvent -max 100 -FilterHashtable @{Logname='security';ID=4624} | Select TimeCreated,MachineName,Message | Select-string "Logon Type" | more

@{TimeCreated=06/29/2011 12:36:35; MachineName=rmfvpc; Message=An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: RMFVPC$
Account Domain: RMFDEVELOPMENT
Logon ID: 0x3e7

Logon Type: 5
...
This last script allows me to dump pre-selected information from the logon events Message field into a spreadsheet. Very useful.

$LogonTypes=Get-WinEvent -FilterHashtable @{Logname='security';Id=4624}
foreach ($item in $LogonTypes) {($item | Select TimeCreated, Message | fl * | findstr /G:search.lst) -replace" ","" -join "," | out-file -append test3.csv }

where search.lst :

TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Process Name:

The result is a spreadsheet that looks like this:

However, what I need is to be able to search the message field of multiple 'logon' events types...so on to

Get-Winevent Part III: Querying the Event Log for Logons (Part C)

Get-Winevent Part III: Querying the Event Log for Logons (Part A)

2011-06-28T12:44:00.000-07:00

The following is a digression on using Powershell's where-object (filter) to query System and Administrative events with 'Get-WinEvent'. I like this method of querying the event logs because it is "pipeline" oriented and allows me to re-use/amend/copy previous syntax. I was having some concern understanding a mysterious problem: my Windows 7 PC spontaneously un-sleeps itself and seemingly commences a log-on. I wanted to understand why this happened and if there was evidence of ex-filtration or malware.


With Powershell's 'where-object', I am going to filter select events. I can query the entire set of all Windows events, but limit the query with the '-max' parameter, otherwise the query will take much to long. To look at events with "Pnp" in the message body, I found I need 'findstr':

get-winevent -max 100 | where {$_.Message | findstr "Pnp"} | Select Timecreated,ID,RecordID, Message | ft -auto -wrap

TimeCreated Id RecordId Message
----------- -- -------- -------
6/28/2011 10:15:16 AM 2102 14420 Forwarded a finished Pnp or Power operation (22, 2) to the lower driver for device WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#_??_RIMSPCI#DISK&VEN_RIC
OH&PROD_MEMORYSTICKSTORAGE&REV_1.00#MS0001# with status 0xC00000BB.
6/28/2011 10:15:16 AM 2100 14419 Received a Pnp or Power operation (22, 2) for device WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#_??_RIMSPCI#DISK&VEN_RICOH&PROD_MEMORYSTICKSTORAGE&REV
_1.00#MS0001#.
6/28/2011 10:15:16 AM 2102 14418 Forwarded a finished Pnp or Power operation (22, 2) to the lower driver for device WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#_??_RISD#DISK&VEN_RICOH&
PROD_SD#MMCSTORAGE&REV_2.00#0001# with status 0xC00000BB.
6/28/2011 10:15:16 AM 2100 14417 Received a Pnp or Power operation (22, 2) for device WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#_??_RISD#DISK&VEN_RICOH&PROD_SD#MMCSTORAGE&REV_2.00#00
01#.
6/27/2011 10:48:10 PM 2102 14416 Forwarded a finished Pnp or Power operation (22, 2) to the lower driver for device WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#_??_RISD#DISK&VEN_RICOH&
PROD_SD#MMCSTORAGE&REV_2.00#0001# with status 0xC00000BB.
6/27/2011 10:48:10 PM 2100 14415 Received a Pnp or Power operation (22, 2) for device WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#_??_RISD#DISK&VEN_RICOH&PROD_SD#MMCSTORAGE&REV_2.00#00
01#.
6/27/2011 10:48:10 PM 2102 14414 Forwarded a finished Pnp or Power operation (22, 2) to the lower driver for device WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#_??_RIMSPCI#DISK&VEN_RIC
OH&PROD_MEMORYSTICKSTORAGE&REV_1.00#MS0001# with status 0xC00000BB.


But I can also look at "sleep" events with the '-imatch' operator:

get-winevent -max 1000 | Select ProcessID,TimeCreated,ID,Task,TaskDisplayName,KeywordsDisplayNames,Message | where {$_.Message -imatch "sleep"} | ft -wrap -auto

ProcessId TimeCreated Id Task TaskDisplayName KeywordsDisplayNames Message--------- ----------- -- ---- --------------- -------------------- -------
1608 6/28/2011 10:15:24 AM 1 0 {} The system has resumed from sleep.

Sleep Time: ‎2011‎-‎06‎-‎28T05:47:49.589233900Z
Wake Time: ‎2011‎-‎06‎-‎28T17:15:17.711126400Z

Wake Source: Unknown
4 6/27/2011 10:48:05 PM 42 64 {} The system is entering sleep.

Sleep Reason: Hibernate from Sleep
1608 6/27/2011 10:47:54 PM 1 0 {} The system has resumed from sleep.

Sleep Time: ‎2011‎-‎06‎-‎28T05:47:49.589233900Z
Wake Time: ‎2011‎-‎06‎-‎28T05:47:49.587233800Z

Wake Source: S4 Doze to Hibernate
4 6/27/2011 4:47:43 PM 42 64 {} The system is entering sleep.

Sleep Reason: Button or Lid
1608 6/27/2011 3:55:48 PM 1 0 {} The system has resumed from sleep.

Sleep Time: ‎2011‎-‎06‎-‎27T07:04:00.443168300Z
Wake Time: ‎2011‎-‎06‎-‎27T22:55:37.240099500Z

Since the 10:15 AM login is my recent interactive logon and I know I did not logon interactively at 10:48 PM (the night before), I wanted to understand why that was happening at that odd hour in the evening. The next series of commands helped me see if my ID was responsible for a "Logon" or "Special Logon" for that 10:48 PM "Pnp" or "resume from sleep" event:

get-winevent -ProviderName "Microsoft-Windows-Security-Auditing" -max 100 | Select ProcessID,TimeCreated,ID,Task,TaskDisplayName,KeywordsDisplayNames | where {$_.TaskDisplayName -like "Logon"} | ft -wrap -auto | more

ProcessId TimeCreated Id Task TaskDisplayName KeywordsDisplayNames
--------- ----------- -- ---- --------------- --------------------
632 6/28/2011 10:31:34 AM 4624 12544 Logon {Audit Success}
632 6/28/2011 10:25:19 AM 4624 12544 Logon {Audit Success}
632 6/28/2011 10:25:05 AM 4624 12544 Logon {Audit Success}
632 6/28/2011 10:22:18 AM 4624 12544 Logon {Audit Success}
632 6/28/2011 10:20:55 AM 4624 12544 Logon {Audit Success}
632 6/28/2011 10:20:54 AM 4624 12544 Logon {Audit Success}
632 6/28/2011 10:18:52 AM 4624 12544 Logon {Audit Success}
632 6/28/2011 10:18:34 AM 4624 12544 Logon {Audit Success}
632 6/28/2011 10:18:34 AM 4624 12544 Logon {Audit Success}
632 6/28/2011 10:18:34 AM 4648 12544 Logon {Audit Success}
632 6/27/2011 3:58:55 PM 4624 12544 Logon {Audit Success}
632 6/27/2011 3:56:07 PM 4624 12544 Logon {Audit Success}
632 6/27/2011 3:56:07 PM 4624 12544 Logon {Audit Success}
632 6/27/2011 3:56:07 PM 4648 12544 Logon {Audit Success}
....

get-winevent -ProviderName "Microsoft-Windows-Security-Auditing" -max 100 | Select ProcessID,TimeCreated,ID,Task,TaskDisplayName,KeywordsDisplayNames | where {$_.TaskDisplayName -like "Special Logon"} | ft -wrap -auto | more

ProcessId TimeCreated Id Task TaskDisplayName KeywordsDisplayNames
--------- ----------- -- ---- --------------- --------------------
632 6/28/2011 10:31:34 AM 4672 12548 Special Logon {Audit Success}
632 6/28/2011 10:25:19 AM 4672 12548 Special Logon {Audit Success}
632 6/28/2011 10:25:05 AM 4672 12548 Special Logon {Audit Success}
632 6/28/2011 10:22:18 AM 4672 12548 Special Logon {Audit Success}
632 6/28/2011 10:20:55 AM 4672 12548 Special Logon {Audit Success}
632 6/28/2011 10:20:54 AM 4672 12548 Special Logon {Audit Success}
632 6/28/2011 10:18:52 AM 4672 12548 Special Logon {Audit Success}
632 6/28/2011 10:18:34 AM 4672 12548 Special Logon {Audit Success}
632 6/27/2011 3:58:55 PM 4672 12548 Special Logon {Audit Success}
632 6/27/2011 3:56:07 PM 4672 12548 Special Logon {Audit Success}
...

No evidence of a "Logon" or "Special Logon" at the 10:00 PM hour yesterday!
As a side note, if I wanted to see more information about "Special Logon" attempts, I could structure a provider query as below, pumping all the information to out-gridview which I could paste and copy into a spreadsheet.

get-winevent -ProviderName "Microsoft-Windows-Security-Auditing" -max 1000 | Select ProcessID,TimeCreated,ID,Task,TaskDisplayName,KeywordsDisplayNames | where {$_.TaskDisplayName -like "Special Logon"} | ogv

If I want to look a little more thoroughly at "Special Logon" events, I can use:

get-winevent -ProviderName "Microsoft-Windows-Security-Auditing" -max 10 | Select ProcessID,TimeCreated,ID,Task,TaskDisplayName,KeywordsDisplayNames | where {$_.TaskDisplayName -like "Special Logon"} | fl * | more

ProcessId : 632TimeCreated : 6/28/2011 10:44:30 AM
Id : 4672
Task : 12548
TaskDisplayName : Special Logon
KeywordsDisplayNames : {Audit Success}

ProcessId : 632
TimeCreated : 6/28/2011 10:31:34 AM
Id : 4672
Task : 12548
TaskDisplayName : Special Logon
KeywordsDisplayNames : {Audit Success}
...

If I want to look at all details of "Special Logon" event entries:

get-winevent -ProviderName "Microsoft-Windows-Security-Auditing" -max 100 | Select * | where {$_.TaskDisplayName -like "Special Logon"} | fl * | more

...

Message : Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Id : 4672
Version : 0
Qualifiers :
Level : 0
Task : 12548
Opcode : 0
Keywords : -9214364837600034816
RecordId : 16766
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 632
ThreadId : 752
MachineName : rmfvpc
UserId :
TimeCreated : 6/28/2011 10:44:30 AM
ActivityId : 4f32adc8-0278-0270-8105-0000ca77ff7e
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Special Logon
KeywordsDisplayNames : {Audit Success}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty...}

...

This last command is important because it gives a complete readout of the entire event log entry and query fields. But really, I just want to know what happened yesterday around the time my system un-hibernated. For this, I can run a "match" query on a particular date:

get-winevent -max 1000 | Select ProcessID,TimeCreated,ID,Task,TaskDisplayName,KeywordsDisplayNames | where {$_.TimeCreated -match "6/27/2011"} | ft -wrap -auto | more

Alternatively,I can add the "message" to the query. For security reasons, I will leave this as an exercise for the reader:

get-winevent -max 400 | Select ProcessID,TimeCreated,ID,Task,TaskDisplayName,KeywordsDisplayNames,Message | where {$_.TimeCreated -match "6/27/2011"} | ft -wrap -auto

At this point, I still do not know what caused the "resume from sleep" event. Please see
Get-Winevent Part III: Querying the Event Log for Logons (Part B)

Is Digital Security Possible?

2011-06-14T11:37:00.000-07:00

"Africa is not a continent which is any longer isolated. It is not a place where people are uninformed. It is the fastest growing market for cellular phones. Information, whether it is in the townships or wherever, now passes very quickly... And this is not an issue which is going to go away. Nor is it an issue that is trivial for those of us that live here as we do here."

JAMES WOLFENSOHN ex-President of the World Bank

Below is a philosophical comment I posted on Dark Reading today:

"It has occurred to me lately (because of the advances and volume increase in penetration and ex-filtration) that the digital industry has falsely assumed that data can be kept private in a networked world; that perhaps the concept of "data security" or "network security" is not achievable or (at best) not achievable at current levels of technology, internet reach, network topology.
If this is the case, we will have to rethink our current goals. Is data security possible? If so, at what costs? Can commercial interests or individual privacy be protected on the internet? If so, what would be the true costs for such protection?
Social and economic inequality, the true driver behind nation state and organized criminal penetration and ex-filtration, may not be an affordable reality in a networked world. Conversely, a secure, networked world may be not an achievable reality in a world of social and economic inequality. Either conclusion has gross implications for the global economy as it now exists."

For some long time, in the moments between burying my head in code or research, this rather somber thought has occurred to me. If digital security is not truly possible, would the current world of security architects be able to recognize the futility of their own profession? Probably not, I would answer. Good engineers that we are (in a profit hungry market capitalism), we simply just keep chasing the next big thing or fixing the last defect. But what if it were the case that digital security is not an existential possibility? What if it were the case that the next abstraction, the next algorithm always begat the next penetration or ex-filtration? What if digital security was never truly achievable for any moment but a single point in time?

Such a realization might change the very nature of system and network architecture. First, we would have to assume that in a networked world there will always be data. The old Unix administrators motto ("There are two types of computer users: those who have lost data and those who will."), would be the starting point for developing the integrity of information systems. How would this effect privacy, commerce, and secrecy? It would tend to devalue the importance of all three. In effect, it would mean we would live in a very public world where the emphasis of commerce and nation building would have to be the equality of social and economic justice. The competitive battles of nation state hackers, spies, and terrorists would have to be devalued. In their place something non-private, non-commercial, and very public would have to come to assume world wide importance.

I will avoid (as much as possible) tendencies to describe a utopian socialist reality that co-opts the urges of the very bright and nationalistic to commit computer crime. But I will concentrate instead on what the costs of extended information warfare could become in the future to nation states and its peoples. Clearly, we are not going to feed, house,clothe or co-exist very well with the nine billion people the World Bank says will inhabit the Earth by 2050 without evolutionary advances in world health, resource sharing, energy production, climate control or food production.

Clearly technology and information sharing will be critical to prevent perpetual regional wars and oppression. And yet we cannot continue to possess a much higher standard of living here in the West because of more substantive and efficient network technologies without incurring the jealousy and wrath of those who struggle with much less. If an American corporation invented a 10x improvement in photo-voltaic efficiency tomorrow, could we really keep China, Brazil or Russia or India from ex-filtrating, copying, or co-opting that technology? Recent history would say no and (for better or worse) the concept that a great idea should remain private for the profit of singular developers may be a concept that is now obsolete. (Suddenly, I hear Richard Stallman cheering in the background.)

Perhaps the networked world of commerce and thought now forces us to deal with a not so surprising conclusion: that there is no way to not know the thoughts and need of our brothers and sisters in this world, no matter how far away. But if our thoughts and needs are now ubiquitous, of what use is digital security anyway? We don't maintain security in our families and communities by arming ourselves or walling off our lives from interaction with others. We maintain our prosperity locally by allying and befriending those we know the most. In short, as a species, we function as a pack, tribe, or herd; we take care of the people that are closest to us. How will this ethic function in a world where a rapidly expanding global internet erases those boundaries?

We are not thinking about this as security professionals. We just keep thinking about the next fix, the newest hack, the next market opportunity, the next solution. At this rate, we are going to code ourselves into irrelevance. We will no more solve "network security" with our current approach than medical technology can "cure cancer". At some point we will have to deal with the reality that our current security paradigms don't work and that the improvement we see in our fixes provides only temporary solutions to a very intransigent and structural set of problems.

Security Process Document

2011-05-02T12:55:00.000-07:00

I've created four separate documents outlining The Security Process for a consultant. The documents detail work flow from initial client meeting, to engaging The Security Process, and transitioning to monitoring/training of completed work. My text is intended as an outline for consultants and clients interested in understanding the steps of the The Security Process. The text is intended to function as a guideline to the process of developing security independent of operating system, network or company size. Additionally, the document is designed to function independently of associated disciplines of computer security: cryptography, network security, auditing, forensics, REM (reverse engineering of malware), secure authentication, etc. This document is an outline only at present. I hope to update it with more information.

Chapters include:

First Contact: Small Business Work Flow for The Security Process

Designed to help screen client needs during the first phone call or meeting.

Second Contact: Templates for Managing Expectation For All Clients

Designed to generate ideas for the first PowerPoint Presentation.

The Phases of the Security Process

A brief overview of the phases in The Security Process.

Frequently Asked Questions

A list of questions you should be able to respond to with some level of competence.

Collating and parsing netmon capture files

2011-02-28T00:49:00.000-08:00

I have added a Powershell function that uses logparser to mux all the netmon capture files in a directory and list unique IPs and Ports.

Parsing Windows 7 Firewall Logs

2011-02-15T16:10:00.000-08:00

I've talked quite a bit about on this blog about parsing Microsoft's Windows Firewall:

There are a number of Microsoft sites with more information on Windows Firewall:

This is the report output of two scripts (1, 2) designed to help suggest a "Windows Firewall Log Parsing" Framework.

There are several issues with parsing information from Windows Firewall logs:

Windows Firewall is one of three native sources of network data offered by Microsoft, the other two being Network Monitor and ETL (Kernel TCP/IP and NDIS Capture)Tracing,
Windows Firewall must be configured for complete logging and the logging file rotates only one file (*.old) by default.
The log file can be exceptionally large depending on configuration.

Processing the 'pfirewall.log'[1] with Powershell was a lengthly affair until multi-core processors and V2. These two scripts (1, 2) , one which uses only Powershell and the other which depends upon Microsoft's logparser2.2, could serve as templates for further processing and analysis. The next step would be to develop a series of rulesets that would parse and count the unique results for ' anomalous' activity. What kind of rule-sets? Here are some thoughts:

A comparison of destination IPs to the external Firewall 'Block' list.
A comparison of destination or source IPs to the ISCs (daily list) of top 100 IPs.
A comparison of destination or source IPs to the "Stop Badware" database.
A subset of IPs known as business competitors.
A chronology of outbound activity on "known suspect" ports.
A chronology of outbound activity on "known good" ports used for suspect activity.
A chronology of outbound activity on either "known good" or "known suspect ports" to targets that are not part of "previously known profile" for those ports.

Additional rulesets could be developed based on 'tuple' analysis. For example, given the following ordered set:
'DROP UDP 192.168.0.15 255.255.255.255 68 67 RECEIVE'

Would it be expected behavior for the srcIP ("192.168.0.15") to RECEIVE data from the dstIP ("255.255.255.255")?

Would it be expected behavior for the srcIP ("192.168.0.15") to RECEIVE data from the dstIP ("255.255.255.255") on dstPort ("68")?

What is the expected 'action' for either case? (e.g. DROP or ALLOW)?

For now, I leave this as an exercise for the user. Also I will leave as an exercise for the user any 'vissec' presentations of this data.. Powershell V2 and Logparser 2.2 are the engines for these scripts, but other data mining techniques (PERL, GAWK, T-SQL, etc) could be more scaleable and useful. Powershell has the advantage of being (1) native to Windows 7, (2) configurable for remote invocation of scripts, (3) configurable as domain based scripting.

[1] By default located at 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'

Get-WinEvent, EventLogs, ETL, Providers on Win7 Part II

2011-02-02T15:30:00.000-08:00

Working with Windows Tracing (ETL) logs
This is part of ongoing research project to understand how improved tracing providers in Windows 7 can help detect the presence of malware. Microsoft has been improving event tracing for a number of years. The latest versions allows netsh to invoke multiple providers. After you have chosen your providers, you start the trace either by referencing the provider name or GUID. 'Netsh trace start' allows for keyword or capture filters, which can be useful if you know what specific events for which you need to trace. For this example, we will not create an NDIS capture ('capture=yes') nor will we select keywords or levels for the filters. After a few busy hours, this leads to quite a bit tracing.

[Cmd.exe]
netsh trace show providers | findstr "Network Security IP"
{6E7A2FC0-9244-4EE4-804F-E812924ABF26} Windows NetworkMap Trace
{D9131565-E1DD-4C9E-A728-951999C2ADB5} Network Profile Manager
{6B510852-3583-4E2D-AFFE-A67F9F223438} Security: Kerberos Authentication
{CC85922F-DB41-11D2-9244-006008269001} Local Security Authority (LSA)
{6D04BF88-60A5-4D02-BC5C-94A20BA490EC} IPBusEnum Service Trace
{94335EB3-79EA-44D5-8EA9-306F49B3A040} Downlevel IPsec Service
{94335EB3-79EA-44D5-8EA9-306F49B3A041} Downlevel IPsec API
{EB004A05-9B1A-11D4-9123-0050047759BC} TCPIP Service Trace
{A7EB57F6-145E-4F18-BD75-DBBF6F7E23A7} WMP Network Sharing Service
{6165F3E2-AE38-45D4-9B23-6B4818758BD9} Security: TSPkg
{37D2C3CD-C5D4-4587-8531-4696C44244C8} Security: SChannel
{FB6A424F-B5D6-4329-B9D5-A975B3A93EAD} Security: WDigest
{E4FF10D8-8A88-4FC6-82C8-8C23E9462FE5} Downlevel IPsec NetShell Plugin
{5BBB6C18-AA45-49B1-A15F-085F7ED0AA90} Security: NTLM Authentication

netsh trace show providers | findstr "NTLM Security Protocol"
{C92CF544-91B3-4DC0-8E11-C580339A0BF8} NTLM Security Protocol

netsh trace start provider=Microsoft-Windows-Kernel-Network provider=Microsoft-Windows-Kernel-Process provider=Microsoft-Windows-Security-Auditing provider=Microsoft-Windows-Security-Netlogon provider=Microsoft-Windows-TCPIP provider="{C92CF544-91B3-4DC0-8E11-C580339A0BF8}"

In Powershell V2, 'Get-Winevent' is your ticket to parsing the trace (ETL) file. As a note, you can easily export the ETL format to (the new log format) ETVX and view either file format in Event Viewer. You can also export the file with 'netsh trace convert'. The size of the file increases greatly with the ETVX format. I don't recommend this unless you have a need. Even a 50 MB ETL takes a while to process in Powershell (see below). However, you can view the file and filter per eventID, provider, or otherwise inside the Event Viewer interface and then save the filtered events to a separate log. Below, I show the respective file sizes of an ETL vs. and ETVX format. I then load the 54 MB ETL into a Powershell variable and export it into an ASCII format. This takes eleven minutes on an i5 core laptop.

[Powershell]
(ls NetTrace.etl | % {$_.length})/1MB
54.875

measure-command {netsh trace convert input=NetTrace.etl output=knpasntlm.evtx dump=EVTX}
Days : 0
Hours : 0
Minutes : 8
Seconds : 15
....

(ls .\knpasntlm.evtx | % {$_.length})/1MB
883.06640625

measure-command {$KNPASNTLM=get-winevent -path 'NetTrace.etl' -oldest}
Days : 0
Hours : 0
Minutes : 11
....

Analyzing the Trace

'Get-Winevent' has both XPath and Filterhashtable query options for working with event logs. But for working with raw tracing logs, we also have other some other options. Logparser 2.2, a six year old 'sql' parser works with ETL logs. Once the file is loaded into a Powershell variable, we can query based on properties below. However, rather than create those queries right now, let us look at the properties of our variable and export variable contents to an ASCII file. Once again, this takes some time on a five core laptop.

$KNPASNTLM | gm | Select Name

Name
----
....
Message
ActivityId
Bookmark
ContainerLog
Id
Keywords
KeywordsDisplayNames
Level
LevelDisplayName
LogName
MachineName
MatchedQueryIds
Opcode
OpcodeDisplayName
ProcessId
Properties
ProviderId
ProviderName
Qualifiers
RecordId
RelatedActivityId
Task
TaskDisplayName
ThreadId
TimeCreated
UserId
Version

measure-command {$KNPASNTLM | Select TimeCreated,ID,RecordID, Message | ft -autosize | out-file -encoding ASCII knpasntlm.ASCII.txt}
Days : 0
Hours : 0
Minutes : 6
...

Now we have a file we can look at in Linux, BSD, or Cygwin with wc, less, head, tail, awk, grep, etc.:
[Cygwin]
$ wc -l knpasntlm.ASCII.txt
491392 knpasntlm.ASCII.txt

$ head knpasntlm.ASCII.txt
TimeCreated Id RecordId Message
----------- -- -------- -------
1/31/2011 1:31:02 PM 1300 0 TCP: connection 0xfffffa8008e79170 (local=192.168.0.11:1193 remote=74.125.224.23:443) exists. State = EstablishedState. PID = 5776.
1/31/2011 1:31:02 PM 1300 1 TCP: connection 0xfffffa8004489cf0 (local=192.168.0.11:1076 remote=74.125.224.54:443) exists. State = EstablishedState. PID = 5776.
1/31/2011 1:31:02 PM 1300 2 TCP: connection 0xfffffa8004531cf0 (local=192.168.0.11:1037 remote=74.125.127.100:80) exists. State = CloseWaitState. PID = 4376.
1/31/2011 1:31:02 PM 1202 3 IP: Interface rundown: Index = 1, Linkspeed = 0 bps, PhysicalMediumType = NdisPhysicalMediumUnspecified, IP Address = 127.0.0.1 .
1/31/2011 1:31:02 PM 1202 4 IP: Interface rundown: Index = 12, Linkspeed = 54000000 bps, PhysicalMediumType = NdisPhysicalMediumNative802_11, IP Address = 192.168.0.11 .
1/31/2011 1:31:02 PM 1202 5 IP: Interface rundown: Index = 1, Linkspeed = 0 bps, PhysicalMediumType = NdisPhysicalMediumUnspecified, IP Address = 0.0.0.0 (Ignore IPv4 address), IPv6 address...
1/31/2011 1:31:02 PM 1202 6 IP: Interface rundown: Index = 12, Linkspeed = 54000000 bps, PhysicalMediumType = NdisPhysicalMediumNative802_11, IP Address = 0.0.0.0 (Ignore IPv4 address), IPv...

$ tail knpasntlm.ASCII.txt
1/31/2011 7:53:22 PM 0 491379
1/31/2011 7:53:22 PM 0 491380
1/31/2011 7:53:22 PM 0 491381
1/31/2011 7:53:22 PM 0 491382
1/31/2011 7:53:22 PM 0 491383
1/31/2011 7:53:22 PM 0 491384
1/31/2011 7:53:22 PM 0 491385
1/31/2011 7:53:22 PM 0 491386

$ grep connection knpasntlm.ASCII.txt | wc -l
150079

$ grep connection knpasntlm.ASCII.txt | less
1/31/2011 1:31:02 PM 1300 0 TCP: connection 0xfffffa8008e79170 (local=192.168.0.11:1193 remote=74.125.224.23:443) exists. State = EstablishedState. PID = 5776.
1/31/2011 1:31:02 PM 1300 1 TCP: connection 0xfffffa8004489cf0 (local=192.168.0.11:1076 remote=74.125.224.54:443) exists. State = EstablishedState. PID = 5776.
1/31/2011 1:31:02 PM 1300 2 TCP: connection 0xfffffa8004531cf0 (local=192.168.0.11:1037 remote=74.125.127.100:80) exists. State = CloseWaitState. PID = 4376.
1/31/2011 1:31:19 PM 1158 682 TCP: connection 0xfffffa8004489cf0 delivery 0xfffffa8004489e50 satisfied 0x35 bytes 0x17a requested. IsFullySatisfied = 0. RcvNxt = 2280417497.
1/31/2011 1:31:19 PM 1074 685 TCP: connection 0xfffffa8004489cf0: Received data with number of bytes = 53. ThSeq = 2280417497.
1/31/2011 1:31:19 PM 1156 686 TCP: connection 0xfffffa8004489cf0, delivery 0xfffffa8004489e50, Request 0xfffffa80040fb1a0 posted for 0x145 bytes, flags = 0. RcvNxt = 2280417550.
1/31/2011 1:31:45 PM 1158 1097 TCP: connection 0xfffffa8004489cf0 delivery 0xfffffa8004489e50 satisfied 0x35 bytes 0x145 requested. IsFullySatisfied = 0. RcvNxt = 2280417550.
1/31/2011 1:31:45 PM 1074 1100 TCP: connection 0xfffffa8004489cf0: Received data with number of bytes = 53. ThSeq = 2280417550.
....

$ grep -f search knpasntlm.ASCII.txt | grep received | awk -F":" {'print $5'} | awk {'print $3'} | sort -nr | uniq -c | sort -nr | less
   2416
   1696 192.168.0.15
   1403 192.168.0.11
   586 224.0.0.252
   527 67.192.97.131
   403 74.125.224.54
   333 74.125.127.83
   313 74.125.53.19
   227 192.168.0.255
   174 74.125.155.191
   132 184.73.205.16
   128 74.125.127.17
   120 239.255.255.250
   107 208.71.123.76
   103 96.17.109.9
....

To be continued...

Get-WinEvent, EventLogs, ETL, Providers on Win7

2011-01-23T17:39:00.000-08:00

'Get-WinEvent' in Powerhsell 2 when combined with ETL on Windows 7 allows exceptional event log queries. This function allows the administrator to create an array of all Event Logs and sort by 'time created' all those records created in the last (1) day:

function global:LatestLogEntries
{
   [CmdletBinding()]
   Param(
   [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
   [int32] $param1,
   [string] $ErrorActionPreference="silentlycontinue"
   )

$LogNames=(Get-Winevent -listlog * )
$goback = (get-date) - (new-timespan -days $param1 )
$LogNames | % {get-winevent -FilterHashTable @{LogName=$_.LogName;StartTime=$goback}}
}

LatestLogEntries 1 | sort -descending -property TimeCreated | ft -auto TimeCreated,LogName,ProviderName,RecordID,Message | more

There are over six hundred providers shipped with Windows 7. This function chooses all those providers nominally relevant to Network,Security, and IP and allows the administrator to sort by 'time created' the maximum amount of entries specified:

function global:NetSecIP_Entries

{

[CmdletBinding()]

Param(

[Parameter(Mandatory=$true,ValueFromPipeline=$true)]

[int32] $param1,

[string] $ErrorActionPreference="silentlycontinue"

)

$Providers=Get-WinEvent -ListProviders *

$NetworkSecIP_Providers= $Providers | % {$_.Name} | findstr "Network Sec IP"

foreach ($provider_message in $NetworkSecIP_Providers) {get-winevent -max $param1 -provider $provider_message}

}

NetSecIP_Entries 20 | sort -descending -property TimeCreated | ft -auto TimeCreated,LogName,ProviderName,RecordID,Message | more

Powershell LSOF/Parsing Netstat Part II

2010-12-15T21:22:00.000-08:00

Two 'lsof for Powershell' scripts covering v4 and v6 have been placed here:

h http://rmfdevelopment.com/PowerShell_Scripts/PS_LSOF.ps1
http://rmfdevelopment.com/PowerShell_Scripts/PS_LSOF_gwmi.ps1

This is a second update to this script which matches the port to the process in Powershell by parsing netstat for TCP and UDP and then appending 'ps' or 'gwmi' information associated with the process related to that port. There's nothing in this function (but sorted port order) which carries through a relational tie from port to process information. There is a lot of information produced in this script, as I print all of netstat -ano and then query the corresponding network process with either 'ps' or 'gwmi'. (Click to enlarge):

Powershell LSOF / Parsing Netstat

2010-10-23T19:10:00.000-07:00

This script, parse-netstat.ps1, successfully parses 'netstat -ano' for each PROTO (TCP,TCPv6,UDP, UDPv6) and then uses 'ps' to enumerate ID,NAME,PATH,FileVersion for the process associated with each networked PID. Thus we have a basic Powershell LSOF utility with room for calculated properties and additional text parsing. There is no spec of regex anywhere in my text parsing of netstat. Sample output:

PS C:\ps1> .\parse-netstat.ps1
TCP Local Ports:
135
445
1025
1026
1027
1028
1031
9000
24800
47001
139
24800
139
1095
1099
1100
1101
1102
1679
1706
TCP PIDS:

  Id Name Path FileVersion
  -- ---- ---- -----------
1012 svchost C:\Windows\system32\svchost.exe 6.0.6000.16386 (vista_rtm.061101-2205)
   4 System
684 wininit C:\Windows\system32\wininit.exe 6.0.6000.16386 (vista_rtm.061101-2205)
460 svchost C:\Windows\System32\svchost.exe 6.0.6000.16386 (vista_rtm.061101-2205)
760 lsass C:\Windows\system32\lsass.exe 6.0.6000.16386 (vista_rtm.061101-2205)
  12 svchost C:\Windows\system32\svchost.exe 6.0.6000.16386 (vista_rtm.061101-2205)
740 services C:\Windows\system32\services.exe 6.0.6000.16386 (vista_rtm.061101-2205)
   4 System
4244 synergys C:\Program Files (x86)\Synergy+\bin\synergys.exe
   4 System
   4 System
4244 synergys C:\Program Files (x86)\Synergy+\bin\synergys.exe
   4 System
552 Picasa3 C:\Program Files (x86)\Google\Picasa3\Picasa3.exe 3.6.105.67
552 Picasa3 C:\Program Files (x86)\Google\Picasa3\Picasa3.exe 3.6.105.67
552 Picasa3 C:\Program Files (x86)\Google\Picasa3\Picasa3.exe 3.6.105.67
552 Picasa3 C:\Program Files (x86)\Google\Picasa3\Picasa3.exe 3.6.105.67
552 Picasa3 C:\Program Files (x86)\Google\Picasa3\Picasa3.exe 3.6.105.67
   4 System
4460 chrome C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe 0.0.0.0

Accessing (or not) GetOwnerModuleFromTcpEntry from Powershell

2010-10-11T21:42:00.000-07:00

Normally on XP SP2, Vista, Win7 'netstat -ano' or 'netstat -anob' gives us the connected sockets, the PID of listening applications. With the '-b' option, netstat makes an attempt at finding the owner of the socket probably through the 'GetOwnerModuleFromTcpEntry function [which] retrieves data about the module that issued the context bind for a specific IPv4 TCP endpoint in a MIB table row.' found in iphlpapi.dll (IP Helper). Finding this same information with Powershell I have found to be more than difficult. It is easy enough to find the listening and connected sockets with [System.NET.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().

List-Connections.ps1 will produce a listing comparable to netstat. However, I can't find the MIB table entry from the process to the socket (or the converse) in either 'ps' or 'gwmi win32_process'. My workaround is to use netstat from cmd.exe where gwmi_netstat_ano.cmd is:

for /f "tokens=1-6" %%a in ('netstat -ano ^| findstr TCP') do @echo %%e > ano.list.txt
for /f "tokens=1-6" %%a in ('netstat -ano ^| findstr UDP') do @echo %%d >> ano.list.txt

or where gwmi_tcpvcon_ano.cmd is:

@del /q ano.list.txt
@path C:\tools\SysinternalsSuite\;%path%
for /f "delims=, tokens=1-5" %%a in ('tcpvcon -acn ^| findstr TCP') do @echo %%c >> ano.list.txt
for /f "delims=, tokens=1-5" %%a in ('tcpvcon -acn ^| findstr UDP') do @echo %%c >> ano.list.txt

This powershell script runs the commands in 'gwmi_netstat_ano.cmd' and processes the 'netstat -ano' output with 'gwmi win32_process':

Microsoft.PowerShell.Management\Start-Process $pwd\gwmi_netstat_ano.cmd -argument /Q -nonewwindow
$ano_list = gc ano.list.txt | sort | get-unique
$ano_proc = foreach ($ano in $ano_list) {gwmi win32_process | Select Name,ProcessId,HandleCount,ThreadCount,WriteOperationCount,ReadOperationCount,CommandLine | ? {$_.ProcessID -eq "$ano"}}
write $ano_proc | sort -property ProcessID | ft -auto
# or alternatively
foreach ($id in $ano_list) {get-wmiObject win32_process -filter "ProcessID=$id" | Select Name,ProcessID,Commandline}

PS C:\ps1: .\gwmi_netstat_ano.ps1

C:\ps1: for /F "tokens=1-6" %a in ('netstat -ano | findstr TCP') do @echo %e > ano.list.txt
C:\ps1: for /F "tokens=1-6" %a in ('netstat -ano | findstr UDP') do @echo %d >> ano.list.txt

Name ProcessId HandleCount ThreadCount WriteOperationCount ReadOperationCount CommandLine
---- --------- ----------- ----------- ------------------- ------------------ -----------
System 4 5381 151 62649 2192
svchost.exe 1164 368 11 1902 2335 C:\Windows\system32\svchost.exe -k LocalService
svchost.exe 1304 700 27 398 2119 C:\Windows\system32\svchost.exe -k NetworkService
svchost.exe 3168 1234 49 12312 42668 C:\Windows\system32\svchost.exe -k netsvcs
opera.exe 3684 849 39 112787 65814 "C:\Program Files (x86)\Opera\opera.exe"
ftp.exe 3796 128 1 4 5 ftp rmfdevelopment.com

Name ProcessID Commandline
---- --------- -----------
svchost.exe 1164 C:\Windows\system32\svchost.exe -k LocalService
svchost.exe 1304 C:\Windows\system32\svchost.exe -k NetworkService
svchost.exe 3168 C:\Windows\system32\svchost.exe -k netsvcs
opera.exe 3684 "C:\Program Files (x86)\Opera\opera.exe"
ftp.exe 3796 ftp rmfdevelopment.com
System 4

( A script like Get-Svchost.ps1 can help open up the incantations of svchost.exe.) I find the cmd.exe workaround I use here unfortunate as a security professional, because it means I am unable to use Powershell to get the MIB table entry from GetOwnerModuleFromTcpEntry, information which is critical to understanding malware. Sure, I can parse this information from netstat, but this blows up any chance of scripting detection anywhere near real-time. Perhaps someone has an answer...

Check-TCPUDPClient.ps1

2010-09-24T15:26:00.000-07:00

The output from the script below is designed to be a framework to check TCP and UDP open ports under connection. It makes use of whatever TCP and UDP Client sockets code is native to Powershell 2.0. My original conception was to create a scripted 'fuzzer' that would send non-arbitrary data to open ports to test or provoke library module loading. Powershell's socket facilities are impressive for a scripted language. I don't know how much documentation there is for TCP/IP. No error checking implemented.

Check-TCPUDPClient.ps1

.\Check-TCPUDPClient.ps1 rmfvista

Listening TCP Ports:
135
139
445
1025
1026
1027
1028
1029
7800
9000
47001
Listening UDP Ports:
123
137
138
500
1900
4500
5355
50353
55326
Connected TCPPorts:
RMFVista 127.0.0.1:7801 127.0.0.1:7800
RMFVista 127.0.0.1:7800 127.0.0.1:7801
c6.59.85ae.static.theplanet.com 174.133.89.198:80 192.168.0.13:1031
h108.www5.itahost.com 85.13.200.108:110 192.168.0.13:8125
pz-in-f18.1e100.net 74.125.127.18:443 192.168.0.13:9104
pz-in-f189.1e100.net 74.125.127.189:443 192.168.0.13:9105
pz-in-f18.1e100.net 74.125.127.18:443 192.168.0.13:9107
nuq04s01-in-f102.1e100.net 74.125.19.102:80 192.168.0.13:9120
RMFVista.rmfdevelopment.com 192.168.0.13:47001 192.168.0.13:9131
RMFVista.rmfdevelopment.com 192.168.0.13:47001 192.168.0.13:9142
RMFVista.rmfdevelopment.com 192.168.0.13:9131 192.168.0.13:47001
RMFVista.rmfdevelopment.com 192.168.0.13:9142 192.168.0.13:47001
TCP Ports:
TCP Port 135 open
TCP Port 139 open
TCP Port 445 open
TCP Port 1025 open
TCP Port 1026 open
TCP Port 1027 open
TCP Port 1028 open
TCP Port 1029 open
Exception calling "Connect" with "2" argument(s): "No connection could be m
At C:\Ps1\Check-TCPUDPClient_006.ps1:77 char:36
+ $Connection = $TCPclient.Connect <<<< ($ip,$_)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationExcepti
+ FullyQualifiedErrorId : DotNetMethodException

TCP Port 7800 closed
TCP Port 9000 open
TCP Port 47001 open
UDP Ports:
UDP Port 123 open
UDP Port 137 open
UDP Port 138 open
UDP Port 500 open
UDP Port 1900 open
UDP Port 4500 open
UDP Port 5355 open
UDP Port 50353 open
UDP Port 55326 open

Looking at Process, Threads, Modules with Powershell 2.0

2010-07-31T00:55:00.000-07:00

I have published "Looking at Processes, Modules, and Threads with Powershell 2.0 Part I". The paper concerns itself with comparing Processes, Modules, and Threads and offers some discussion for comparing their changes over time. See also:
http://www.rmfdevelopment.com/PowerShell_Scripts/diff_PMT.ps1
http://rmfdevelopment.com/PowerShell_Scripts/diff_PMT_adv.ps1

Argus!!!

2010-06-19T18:43:00.000-07:00

I have been reading Real Digital Forensics and came across the recommended use of Argus ("Audit Record Generation and Utilization System"). Argus is fast, wide and deep network analysis of pcap files. It took me some time to compile and start to make sense of it, although there is a relevant and clever wiki page and a good collection of recent articles explaining research, university and real world use. My discussion below concerns Argus auditing functionality.

Argus dumps your pcap file into a compressed argus formatted file which carries every piece of session information an inquisitive NSM forensic could possibly want from a network trace including time-slices, TCP options, anonymization, geolocation, and graphing . Here are some basic examples I walked myself through. The first step is to write the pcap file to an argus file using 'argus'.

/usr/local/sbin/argus -d -r 08Mar1142PST2010.in.1268074842 -w 08Mar1142PST2010.in.1268074842.argus

Next I use 'ra' (read argus) to read the packet data. You can specify fields and bpf style filters. Here I specify (append) a filter ('ip proto 6') for only TCP packets (e.g grep TCP /etc/protocols):

ra -n -r 08Mar1142PST2010.in.1268074842.argus - ip proto 6 | less
19:08:09.660222 e s tcp 207.44.254.106.56813 -> 192.168.0.12.3246 3 186 REQ
19:12:01.707471 e tcp 204.236.155.168.12200 -> 192.168.0.12.3246 1 60 REQ
19:32:55.259094 e tcp 204.236.155.168.12200 -> 192.168.0.12.3246 1 60 REQ
19:33:44.995964 e tcp 221.192.199.35.12200 -> 192.168.0.12.8000 1 60 REQ
19:34:36.506022 e tcp 221.192.199.35.12200 -> 192.168.0.12.80 1 60 REQ
19:53:52.914418 e tcp 204.236.155.168.12200 -> 192.168.0.12.3246 1 60 REQ

Here I specify source address, destination port and connection state fields with the '-s' option and sort the result by source address and destination port before using 'uniq -c' to rank those fields.

ra -n -s saddr dport state -r 08Mar1142PST2010.in.1268074842.argus - ip proto 6 | sort -k1,2 -nr | uniq -c | sort -nr | less
149 221.195.73.86 8000 REQ
100 192.168.0.12 80 ACC
81 222.45.112.59 2479 REQ
80 222.45.112.59 8085 REQ
80 222.45.112.59 3246 REQ
76 204.236.155.168 3246 REQ

I am using 'rasort' to something similar here but appending grep to filter only those source addresses with a connected state.

rasort -n -s saddr dport state -r 08Mar1142PST2010.in.1268074842.argus - ip proto 6 | sort -k1 -nr | uniq -c | sort -nr | grep CON | less
14 74.125.19.19 19412 CON
14 74.125.19.17 20073 CON
13 85.13.200.108 19216 CON
13 85.13.200.108 19024 CON
13 74.125.19.83 19145 CON
13 74.125.19.83 18961 CON

I am not quite clear when to use 'rasort' versus 'ra' with sort and uniq appended. There is also 'ratop' . May take some time to sort out the best scripts for top talkers. Like 'ra', I can tell 'rasort' to include specific field (-s switch) and then specify the field(s) to sort by (-m switch). I am still using 'uniq -c | sort -r' .

rasort -s saddr dport proto bytes stat -m dport saddr -r 08Mar1142PST2010.in.1268074842.argus | grep -v -f file | uniq -c | sort -r | less

149 221.195.73.86 8000 tcp 60 REQ
81 222.45.112.59 2479 tcp 60 REQ
80 222.45.112.59 8085 tcp 60 REQ
80 222.45.112.59 3246 tcp 60 REQ
76 204.236.155.168 3246 tcp 60 REQ
76 222.45.112.59 9415 tcp 60 REQ

So here I apply a bpf filter for dst port 22 and the '-z' to see TCPstate changes :

rasort -nn -s saddr dport proto bytes state -m dport saddr -z -r 08Mar1142PST2010.in.1268074842.argus - dst port 22 | uniq -c | sort -nr

3 125.141.195.190 22 6 62 s
3 114.202.247.235 22 6 62 s
3 58.217.255.103 22 6 62 s
3 97.163.189.33 22 6 62 s
2 94.158.184.183 22 6 62 s
2 61.151.246.140 22 6 62 s

Argus, baby!! Fast, wide and deep!!

the 'find' command for security...Part I

2010-06-14T17:10:00.000-07:00

These are some meditations on using the *NIX 'find' command for security...

These are very quick ways of find the 'last access' on every file. 'Stat -x' is for OpenBSD. The grep 'file' contains:
File:
Access:

for i in `find /`; do echo $i `stat -x $i | grep "Access"`;done
find / | xargs stat -x | grep -f file | tr -d "[\042]"

On Linux or Cygwin:

for i in `find /cygdrive/C/Security`; do echo $i `stat $i | grep "Access" | grep -v Gid`;done
/cygdrive/C/Security Access: 2010-06-14 15:58:04.293000000 -0700

/cygdrive/C/Security/.ImplementingSecurityDuringWebDesign.txt.swp Access: 2009-12-08 18:33:47.445000000 -080
/cygdrive/C/Security/.PapersToAuthor.txt.swo Access: 2009-12-08 18:30:19.533000000 -0800
/cygdrive/C/Security/.PapersToAuthor.txt.swp Access: 2009-12-07 12:23:46.045000000 -0800

find /cygdrive/C/Security | xargs stat | grep -f file | grep -v Gid: | tr -d "[\042]"

File: `/cygdrive/C/Security/004.log'

Access: 2010-05-17 11:57:27.217000000 -0700

File: `/cygdrive/C/Security/05.13.10.log'
Access: 2010-05-13 11:47:53.292000000 -0700
File: `/cygdrive/C/Security/05.14.10.log'
Access: 2010-05-14 09:27:55.329000000 -0700

....

Now, I am looking at ways to use the find command per user. The purpose of this experiment is to understand why I get such different results for commands that would seemingly return only more detail for the same result...
find / -user rferrisx
find / -exec ls -l {} \; | awk '$3=="rferrisx" {print $3" "$9}'
find / -user rferrisx -exec ls -lhuS {} \; | awk '{print $3" "$5" "$9}'

bash-4.0# find / -user rferrisx
/home/rferrisx
/home/rferrisx/.ssh
/home/rferrisx/.ssh/authorized_keys
/home/rferrisx/.Xdefaults
/home/rferrisx/.cshrc
/home/rferrisx/.login
/home/rferrisx/.mailrc
/home/rferrisx/.profile
/home/rferrisx/.Xauthority
/dev/ttyp0

bash-4.0# find / -exec ls -l {} \; | awk '$3=="rferrisx" {print $3" "$9}'
rferrisx rferrisx
rferrisx .Xauthority
rferrisx .Xdefaults
rferrisx .cshrc
rferrisx .login
rferrisx .mailrc
rferrisx .profile
rferrisx .ssh
rferrisx authorized_keys
rferrisx /home/rferrisx/.ssh/authorized_keys
....

bash-4.0# find / -user rferrisx -exec ls -lhuS {} \; | awk '{print $3" "$5" "$9}'
root 28.6M 08Mar1142PST2010.in.1268074842
root 18.2M 08Mar1137PST2010.out.1268074837
root 2.7M 08Mar1142PST2010.in.log
root 1.6M 08Mar1142PST2010.in.p0f
root 258K 08Mar1137PST2010.out.log
root 154K 08Mar1137PST2010.out.p0f
rferrisx 773B .cshrc
rferrisx 512B .ssh
rferrisx 398B .login
rferrisx 218B .profile
...

time stamping windows directory and file names

2010-06-02T11:24:00.000-07:00

This is something I have blogged about before, but I thought it worth posting again. Special characters need to be eliminated to create a time stamp that can be used as a Windows file name. The `date` program in Unix has a number of very useful options for this. Windows cmd shell is more limited. This is what I use:

:: rtime.cmd
@echo off

set realdate=%date:/=.%
set realdate=%realdate:* =%
set realtime=%time::=.%
set realtime=%realtime:* =%
set timestamp=%realdate%.%realtime%
echo %timestamp%

This command script uses 'variable substitution' from the set command to remove special characters (e.g. : / ) unacceptable as Windows file or directory names . This line:
set timestamp=%realdate%.%realtime%

can be changed as needed for more CSV compatible logging:
set timestamp="%realdate%","%realtime%"

Once cached, it runs pretty fast and is suitable for lightweight logging:

$ time /cygdrive/C/Security/rtime.cmd
06.02.2010.11.04.05.99

real 0m0.202s
user 0m0.015s
sys 0m0.031s

$ time /cygdrive/C/Security/rtime.cmd
06.02.2010.11.04.12.65

real 0m0.062s
user 0m0.000s
sys 0m0.015s

$ time /cygdrive/C/Security/rtime.cmd
06.02.2010.11.04.14.68

real 0m0.062s
user 0m0.000s
sys 0m0.015s

piping tcpdump output to lsof

2010-05-25T19:50:00.000-07:00

This simple Bash script will output the lsof end of any foreign network connection:
[Set to the interface of your choice]
while [ 1 ]
   do
   for i in `tcpdump -i rl0 -c 1 -l dst $(hostname) | awk '{print $2}' | awk -F"." '{print $1"."$2"."$3"."$4}'`
   do lsof -i@$i
   done
done
with time/date stamp added and headers removed:
while [ 1 ]

   do
   for i in `tcpdump -i rl0 -c 1 -l dst $(hostname) | awk '{print $2}' | awk -F"." '{print $1"."$2"."$3"."$4}'`
   do echo `date -u` `lsof -i@$i | grep -v PID`
   done
done

Run like this:
./tcp_lsof.sh >> tcp.lsof.log &

the script produces output like this:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 18392 rferrisx 5u IPv4 0xd699ac80 0t0 TCP rmflaptop.rmfdevelopment.com:ssh->192.168.0.3:13974 (ESTABLISHED)
sshd 29850 root 5u IPv4 0xd699ac80 0t0 TCP rmflaptop.rmfdevelopment.com:ssh->192.168.0.3:13974 (ESTABLISHED)
or
Wed May 26 15:22:06 UTC 2010 sshd 9448 root 5u IPv4 0xd699ac80 0t0 TCP rmflaptop.rmfdevelopment.com:ssh->192.168.0.3:15729 (ESTABLISHED)
sshd 29734 rferrisx 5u IPv4 0xd699ac80 0t0 TCP rmflaptop.rmfdevelopment.com:ssh->192.168.0.3:15729 (ESTABLISHED)
Wed May 26 15:22:07 UTC 2010 sshd 9448 root 5u IPv4 0xd699ac80 0t0 TCP rmflaptop.rmfdevelopment.com:ssh->192.168.0.3:15729 (ESTABLISHED)
sshd 29734 rferrisx 5u IPv4 0xd699ac80

A prototype test harness...but needs lots of work

2010-05-19T23:06:00.000-07:00

I have spent too much time here in the last few days working on a test harness for live network files in Vista. As a prototype, what I have written may be useful. However, numerous problems were uncovered. The idea was this: At any moment they are a discoverable set of files that are being accessed by the network. In theory, you should be able to list those files and then query them for their integrity. The heart of this is something like:

icacls %dir_file% &(
if /I [%filetype% EQU [regular sfc /verifyfile=%dir_file% ) &(
if /I [%filetype% EQU [regular accesschk -qv %dir_file% ) &(
if /I [%filetype% EQU [regular sigcheck -q %dir_file% )

Definitely some useful information is returned. But the project will have to be rewritten in a faster language with better string support. Interesting to see what information it did return. Like the file - C:\Windows\System32\nsi.dll - below.

Running icacls, sfc, accesschk, sigcheck for FileType,FileID,Path: regular 1220: "C:\Windows\System32\nsi.dll "
filetype=regular
C:\Windows\System32\nsi.dll NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)
NT AUTHORITY\SYSTEM:(RX)
BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files

Windows Resource Protection could not perform the requested operation.
C:\Windows\System32\nsi.dll
Medium Mandatory Level (Default) [No-Write-Up]
RW NT SERVICE\TrustedInstaller
FILE_ALL_ACCESS
R BUILTIN\Administrators
FILE_EXECUTE
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL
R NT AUTHORITY\SYSTEM
FILE_EXECUTE
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL
R BUILTIN\Users
FILE_EXECUTE
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL
c:\windows\system32\nsi.dll:
Verified: Signed
Signing date: 8:08 AM 1/19/2008
Strong Name: Unsigned
Publisher: Microsoft Corporation
Description: NSI User-mode interface DLL
Product: Microsoft« Windows« Operating System
Version: 6.0.6001.18000
File version: 6.0.6001.18000 (longhorn_rtm.080118-1840)

Car hacking....

2010-05-17T20:49:00.000-07:00

"Indeed, we have demonstrated the ability to systematically control a wide array of components including engine, brakes, heating and cooling, lights, instrument panel, radio, locks, and so on. Combining these we have been able to mount attacks that represent potentially significant threats to personal safety. For example, we are able to forcibly and completely disengage the brakes while driving, making it difficult for the driver to stop. Conversely, we are able to forcibly activate the brakes, lurching the driver forward and causing the car to stop suddenly."

Great Reading! Great Research!

How would you like to pwn your first car?

lsof for Windows subsitute

2010-05-07T12:44:00.000-07:00

5/10/2010 update to this post (see below)
I've created a couple of Vista cmd files that pump netstat output to tasklist to help substitute for the missing`lsof -Ts` in Linux (see below). The TCP/TCPv6 output logs the time, IP address (foreign endpoint), application information. The (stateless) UDP/UDPv6 output just logs time and application information. (See output below). The value of logging network endpoints and their process information is incalculable in security. Mark Russinovich's procmon (when run with the network filter) does this quite thoroughly. Microsoft's Netmon 3.3 correlates endpoint data packets to most applications. However, I was interesting in developing something cmd line, perhaps not so heavy, using all native Vista commands. The crux of the scripts are:

:: pipe appropriate netstat output to tasklist
for /f "tokens=1-5" %%a in ('@netstat -%netstat_option% -p %connection_type% ^| findstr /V Active ^| findstr /V Proto') do set EP=%%c& set PID=%%e& call :loop
..
::log Endpoint and network process PID
@echo "%timestamp%","%EP%", | findstr /V "ECHO"
@tasklist /FO CSV /V /FI "PID eq %PID%" /NH

With an automated check of network %PID% in place, you can add options to check/log the open files of each network application with the (very slow) 'openfiles' command:
[The 'openfiles' cmd works once global flags are enabled.]

for /f "tokens=1-5" %a in ('openfiles /query /FO TABLE /NH /V') do @if %c==%PID% echo %e >> temp
...
C:\Users\Admin\AppData\Local\Google\Chrome\Application\4.1.249.1064
...
Adding Mark Russinovich's accesschk will show the security permissions on those files:

for /f %i in ('more temp') do @accesschk -qv %i | more
....
C:\Users\Admin\AppData\Local\Google\Chrome\Application\4.1.249.1064\avcodec-52.dll
Medium Mandatory Level (Default) [No-Write-Up]
RW RMFVista\Admin
FILE_ALL_ACCESS
RW NT AUTHORITY\SYSTEM
FILE_ALL_ACCESS
RW BUILTIN\Administrators
FILE_ALL_ACCESS
....
The cmd files can be found here:
http://www.rmfdevelopment.com/PowerShell_Scripts/ano_TCP.cmd
http://www.rmfdevelopment.com/PowerShell_Scripts/ano_UDP.cmd

5/10/2010 update:
An update which takes any of four arguments (TCP,TCPv6,UDP, UDPv6) and logs to a CSV file output as below can be found at http://www.rmfdevelopment.com/PowerShell_Scripts/ano_all.cmd
ano_all.cmd output for TCP
"05.10.2010_11.35.21.34","LISTENING","0.0.0.0:1029","0.0.0.0:0","services.exe","740","Services","0","9,532"

"05.10.2010_11.35.21.82","LISTENING","0.0.0.0:9000","0.0.0.0:0","System","4","Services","0","21,204"

"05.10.2010_11.35.22.34","LISTENING","192.168.0.3:139","0.0.0.0:0","System","4","Services","0","21,204"

"05.10.2010_11.35.22.84","CLOSE_WAIT","192.168.0.3:1059","174.133.89.198:80","pctsSvc.exe","856","Services","0","195,660"

"05.10.2010_11.35.23.33","ESTABLISHED","192.168.0.3:1072","85.13.200.108:21","ftp.exe","2568","Console","1","6,388"

"05.10.2010_11.35.23.82","ESTABLISHED","192.168.0.3:1080","74.125.155.139:80","chrome.exe","4404","Console","1","62,576"

"05.10.2010_11.35.24.31","ESTABLISHED","192.168.0.3:1082","72.14.213.191:80","chrome.exe","4404","Console","1","62,576"

ano_TCP.cmd output for TCP
(note: It would be trivial to add the connection state as well. I did in ano_all.cmd as remarked above -RMF)

"05.06.2010_21.30.31.74","174.133.89.198:80",
"pctsSvc.exe","3368","Services","0","24,588 K","Unknown","NT AUTHORITY\SYSTEM","0:15:51","N/A"
"05.06.2010_21.30.32.20","72.14.213.99:80",
"Picasa3.exe","4248","Console","1","128,588 K","Running","RMFVista\Admin","0:02:16","Picasa 3"
"05.06.2010_21.30.32.69","72.14.213.101:80",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"
"05.06.2010_21.30.33.15","74.125.127.191:80",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"
"05.06.2010_21.30.33.60","74.125.127.105:443",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"
"05.06.2010_21.30.34.12","74.125.127.139:80",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"

ano_UDP.cmd output for UDP
(note: No foreign IP addresses ever shows up in Microsoft's netstat for protocol UDP...as far as I can tell.)

"05.06.2010_21.29.42.51","*:*",
"nc.exe","4120","Console","1","572 K","Unknown","RMFVista\Admin","0:00:00","N/A"
"05.06.2010_21.29.44.07","*:*",
"svchost.exe","1196","Services","0","3,400 K","Unknown","NT AUTHORITY\LOCAL SERVICE","0:00:01","N/A"
"05.06.2010_21.29.44.50","*:*",
"svchost.exe","636","Services","0","52,188 K","Unknown","NT AUTHORITY\SYSTEM","0:07:36","N/A"
"05.06.2010_21.29.44.99","*:*",
"svchost.exe","636","Services","0","52,188 K","Unknown","NT AUTHORITY\SYSTEM","0:07:36","N/A"
"05.06.2010_21.29.45.42","*:*",
"svchost.exe","1288","Services","0","17,136 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:03","N/A"
"05.06.2010_21.29.45.87","*:*",
"VCSW.exe","5644","Services","0","3,540 K","Unknown","NT AUTHORITY\SYSTEM","0:00:04","N/A"

lsof (Linux 4.78) sample output
lsof -Ts | grep -i Firefox | grep IPv4
firefox 5756 root 5lu IPv4 22403 TCP 192.168.0.5:40814->nuq04s01-in-f113.le100.net:www (ESTABLISHED)

Day 2 at LinuxFest

2010-04-25T21:27:00.000-07:00

Another great day at Linux Fest! I attended excellent presentations on Digital Forensics by Hal Pomeranz and Brian Pate (2 hours), both of which were very useful and felt very "hands on". I can't say enough good things about LinuxFest. The organizers are doing Whatcom County business development a tremendous favor. In reality, I think the Chamber of Commerce and the City of Bellingham should be helping to fund this volunteer supported event every quarter. Talent comes from all over the Northwest: Seattle, Portland, Tri-Cities, Olympia, Bothell, Mt. Vernon, you name it. I made contacts, met vendors, passed out business cards and had great discussions. Learned a lot as well.

Thank you LinuxFest NorthWest!!!!

Brilliant Day 1 at LinuxFest NorthWest

2010-04-24T23:14:00.000-07:00

I had a brilliant first day at LinuxFest NorthWest. I sat through five presentations on privacy and computer security in Haskell 115 at Bellingham Technical College. Brian Alseth of ACLU of Washington delivered the usual terrifying description of how data mining is destroying privacy. John Lock talked about Web Commerce Security. Gary Smith of PNL gave and excellent talk on Linux Server Hardening. Hal Pomeranz finished up the day with two hours on SE Linux. Wow! What a beast SE Linux is...

LinuxFest...a great thing.

Joanna Rutkowska and ITL and "Security by Isolation"

2010-04-21T12:17:00.000-07:00

A day spent reading the research of Joanna Rutkowska and her Invisible Things Lab is a day spent improving your IQ. Ms. Rutkowska is famous for describing vulnerabilities in SMM, BIOS, and VM hypervisors. In short, rather than attack the Operating System (although she has done some of that as well), she and her team attack the layer between the Operating System and the hardware; specifically rings -1, -2, -3 to use her terminology. Her work has led her to some drastic conclusions about hardware and digital security. In Joanna's universe, it is not that "game is over" but that the digital industry has never really fielded a team that could win yet. To do something about this, she and her team have developed a customized version of Linux (Qubes-OS); partitioning off OS components into VMs to prevent the spread of malware through the access of "universal privilege" (my own term).

What do I mean by "universal privilege"? [Beware, the author's own untutored verbiage is to follow...] Computers are strange but beautiful machines. When the first computational devices were built, we wanted to send in questions and retrieve answers. After computer scientists achieved this breakthrough, they spent the next half century attempting to generate increasing profits by increasing the speed at which answers to their questions would be returned. And they did a damn fine job at this. The increase in computational speed has to count as the single greatest technical advancement of our species by this point in history. Watch any movie about the Hubble or the Mars Rover and ask yourself: How would that happen without digital data? We have designed our computational efforts as if we were children with thirsty minds and ravenous social needs; ready to exercise our "universal privilege" to discuss/communicate/download whatever our minds and souls desire.

Security is mainly the story of protection. Secrecy is mainly the story of compartmentalization. In contrast to the development of computational speed, we've done a poor job at protection and compartmentalization of computers and their networks. In fact, we've been so concerned about the spread of information, we've done everything possible to unleash the flow of digital data across the world. PCs and Servers are now everywhere, in every complex product, in every country. Our computer networks are now the most tangible and real-time evidence of our civilization. Computers still retain all of the "strange and beautiful" architecture designed upon the premise that we want very little between our computers and fast answers to our questions. We are by nature social creatures with unbounded curiosity and potentially unbounded need for "end to end" trust. Unfortunately, the reality of unconstrained digital response has helped created powerful offensive weaponry in the untrustworthy world we live in.

So now back to universal privilege and Joanna Rutkowska and her team at Invisible Things Lab. Eschewing (in part) the drive for secure code and secure micro-kernels, Joanna and her team attempt to do the following:

"Qubes implements Security by Isolation approach. To do this, Qubes utilizes virtualization technology, to be able to isolate various programs from each other, and even sandbox many system-level components, like networking or storage subsystem, so that their compromise don’t affect the integrity of the rest of the system."

They achieve this "security by isolation" by compartmentalizing their OS into secure virtual machines. It is a timely idea. As if to prove this, the NSF gave a $1.5 M dollar grant to an University of Illinois researcher nearly days after ITL's announcement of Qubes to do something similar. "Security by isolation" is an ancient concept thoroughly deployed by computer and software architecture at all levels. There are numerous examples: CPUs break down access to the processor into "Rings" (0-3). Operating Systems break down execution in kernel and userland and then compartmentalize execution further. Some kernels just boot the most basic OS components, (Most desktop OS kernels are monolithic). Software compartmentalizes (perhaps 'componentizes') itself into functions, system calls, objects, and libraries. Some software, like Java and C#, works hard at making code live in a secure 'sandbox'. Part of the developmental reason for object oriented programming (originally) was (marginally) security-based: 'encapsulation'. Networking software has followed the trend of security by compartmentalization from switch fabric to firewalls to NAC. Hosted services, in some very real sense, are a form of "security by isolation".

In reality, we continue to invent "security by isolation" in kernels, software layers, networks, network components, firewalls, and virtual machines. As processor speed grows in an untrustworthy world, the desktop and network will always continue to need the most advanced compartmentalization to protect them from the expanding digitized world. To this end, our "universal privilege" to keep asking questions of each other will always be haunted by the necessity of "security by isolation".

tcpslice II

2010-04-18T09:29:00.000-07:00

More uses for tcpslice, ipsumdump, BASH 4.1 :

[This gives you today's top source IP and source IP Port combination:

/usr/sbin/tcpslice `date +%Y"y"%m"m"%d"d"` $BASH_ARGV | ipsumdump --no-headers -sD -

./todays_dump.sh MarApr.snort.in.tcpd | sort -nr | uniq -c | sort -nr
     13 85.144.201.237 7959
      3 95.179.99.147 5900
      3 64.206.157.2 23
      3 222.45.112.59 8085
      3 109.187.8.70 5900
      2 98.247.214.152 23 ...

This gives you today's top source IP and source IP location:

/usr/sbin/tcpslice `date +%Y"y"%m"m"%d"d"` $BASH_ARGV |
for i in `ipsumdump --no-headers -s -`
     do echo $i : $(printf "%s" `./geoip.sh $i | awk -F":" '{print $2}' | awk -F"," '{print $1","$2","$3}' ` )
done

./tgeodump.sh MarApr.snort.in.tcpd | sort -nr | uniq -c | sort -nr
     13 85.144.201.237 : NL,07,Amsterdam
     12 222.45.112.59 : CN,22,Beijing
      4 222.215.230.49 : CN,32,Chengdu
      3 95.179.99.147 : RU,43,Lipetsk
      3 64.206.157.2 : US,NH,Nashua
      3 109.187.8.70 : IPAddressnotfound,,
      2 98.247.214.152 : US,WA,Bothell ...

where 'geoip.sh' is:
geoiplookup -f /usr/local/share/GeoIP/GeoLiteCity.dat $1

I note that file names like this '08Mar1142PST2010.in.1268074842' don't process through tcpslice.

tcpslice

2010-04-14T11:39:00.000-07:00

Tcpslice is a useful tool from LBL network group that allows you to carve up a large pcap file format into time slices.

To look at the start and finish time stamps of the entire pcap file in various time formats:

tcpslice -r Marchrferrisx.snort.in

Marchrferrisx.snort.in  Mon Mar  8 11:08:09 2010        Mon Apr  5 09:09:37 2010

tcpslice -t Marchrferrisx.snort.in

Marchrferrisx.snort.in  2010y03m08d11h08m09s660222u     2010y04m05d09h09m37s390876u

tcpslice -R Marchrferrisx.snort.in

Marchrferrisx.snort.in  1268075289.660222       1270483777.390876

To return data from a particular time slice to a file with BPF filters use syntax like this:

tcpslice 1257347146.060 1257347146.061 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175'

(Check out bothunter logs for more examples like this..)

In this example, I want all the packets that are not IPv6 for one date:

/usr/sbin/tcpslice 2010y04m05d Marchrferrisx.snort.in | /usr/sbin/tcpdump -r - 'not(ip6)' | less

reading from file -, link-type EN10MB (Ethernet)
01:06:17.290514 IP 125.141.195.190.35460 > 192.168.0.12.ssh: S 1607742099:1607742099(0) win 65535 
01:40:16.181816 IP c-98-247-214-152.hsd1.wa.comcast.net.catchpole > 192.168.0.12.telnet: SWE 498716114:498716114(0) win 5840
01:40:19.172942 IP c-98-247-214-152.hsd1.wa.comcast.net.catchpole > 192.168.0.12.telnet: SWE 498716114:498716114(0) win 5840
01:44:01.423708 IP hn.kd.ny.adsl.x11 > 192.168.0.12.ms-sql-s: S 833421312:833421312(0) win 16384
03:37:06.073237 IP 75.125.252.76.http > 192.168.0.12.48532: S 1175613974:1175613974(0) ack 143375003 win 14420
04:07:03.019711 IP 222.45.112.59.12200 > 192.168.0.12.ssm-els: S 363594672:363594672(0) win 8192 ...

Now I want all ms-sql-s destination packets from the ingress pcap that are not IPv6 for all of March:

/usr/sbin/tcpslice 2010y04m01d 2010y04m31d Marchrferrisx.snort.in | /usr/sbin/tcpdump -r - -n 'dst port(1433)'
reading from file -, link-type EN10MB (Ethernet)
18:33:42.614843 IP 125.46.78.100.x11 > 192.168.0.12.ms-sql-s: S 908984320:908984320(0) win 16384
23:38:50.771853 IP 61.183.172.35.x11 > 192.168.0.12.ms-sql-s: S 47316992:47316992(0) win 16384
03:35:18.351118 IP 121.12.125.7.x11 > 192.168.0.12.ms-sql-s: S 640548864:640548864(0) win 16384
11:09:45.631103 IP 218.61.127.71.x11 > 192.168.0.12.ms-sql-s: S 1613627392:1613627392(0) win 16384
00:47:21.207593 IP 218.90.163.66.x11 > 192.168.0.12.ms-sql-s: S 648937472:648937472(0) win 16384
08:56:05.732622 IP 61.183.172.35.x11 > 192.168.0.12.ms-sql-s: S 47316992:47316992(0) win 16384
18:06:53.798198 IP 59.51.114.39.x11 > 192.168.0.12.ms-sql-s: S 648937472:648937472(0) win 16384 ...

Something similar, but a little cleaner, can be done with ipsumdump:


/usr/sbin/tcpslice 2010y04m01d 2010y04m31d Marchrferrisx.snort.in | ipsumdump -tsD | grep -w 1433
 
1270172022.614843 125.46.78.100 1433 
1270190330.771853 61.183.172.35 1433 
1270204518.351118 121.12.125.7 1433 
1270231785.631103 218.61.127.71 1433 
1270280841.207593 218.90.163.66 1433 
1270310165.732622 61.183.172.35 1433 
1270343213.798198 59.51.114.39 1433 ...

One year anniversary

2010-04-10T19:31:00.000-07:00

Today is the one year anniversary of this blog. This is my 48th post in that time period. According to Google Analytics, 1,250 “absolute unique visitors” have provided for 1,566 visits from 781 unique cities from 78 unique countries. 72 page titles were viewed a total of 2,241 times. Here are some of the most popular pages:

Actually, I have no idea what to make of any of these numbers.

More fun with ipsumdump

2010-04-05T10:37:00.000-07:00

More fun with ipsumdump. Below, sorting March ingress by COUNT(SIP), COUNT(SPort), Sorted GeoIP location. All very fast.

ipsumdump -s --no-headers Marchrferrisx.snort.in |
sort -nr | uniq -c | sort -nr | less

    626 75.125.252.73
    384 74.125.19.191
    358 125.45.109.196
    286 66.165.46.165
    242 74.125.127.191
    234 74.125.53.191
    138 67.214.120.156
    138 204.236.155.168
    127 67.228.177.148
    120 74.125.19.19
    107 173.14.243.230
    105 221.195.73.86
    103 221.192.199.35

....

ipsumdump -S --no-headers Marchrferrisx.snort.in |
sort -nr | uniq -c | sort -nr

   6523 80
   1669 443
   1220 12200
    553 63585
    468 19150
    459 19099
    238 6000
    198 19135
    156 19134
     93 21
     46 110
     34 5242
     30 9875
     21 52079
     21 35356
     20 1935

for i in `ipsumdump -s --no-headers Marchrferrisx.snort.in |
             sort -nr | uniq |sort -nr`
do
             echo $i `geoip.sh $i | awk -F: '{print $2$3}'`
done

222.86.62.237 CN, N/A, N/A, N/A, 35.000000, 105.000000, 0, 0
222.59.176.26 CN, 04, Wuxi, N/A, 31.577200, 120.293900, 0, 0
222.59.176.105 CN, 04, Wuxi, N/A, 31.577200, 120.293900, 0, 0
222.45.112.59 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.45.112.221 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.41.8.67 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.37.37.33 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.34.103.72 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.243.14.144 CN, 11, Xupu, N/A, 27.909401, 110.585800, 0, 0
222.219.236.209 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.215.230.49 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0
222.215.230.170 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0
222.214.218.188 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0
222.211.69.13 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0
222.208.183.218 CN, 32, Chengdu, N/A, 30.666700, 104.066597, 0, 0
222.186.25.143 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
222.186.24.37 CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
...

"One Page Checklist for Securing and Cleaning a Malware Infected Windows PC"

2010-04-02T21:10:00.000-07:00

A "One Page Checklist for Securing and Cleaning a Malware Infected Windows PC" is available. From the paper:

In this process, you are looking for outbound and inbound communication and connection attempts that seem suspicious – data transfers that you can not account for, processes that seem inexplicable, or unsigned files. You may or may not see logon attempts, registry changes, file creation, file access, file permission changes. You may need to correlate Network Monitor logs with network ingress and egress firewall logs. Additional info at:

Vista logon.scr error

2010-03-31T04:03:00.000-07:00

Vista, as most of us know, will take a machine out of standby (light sleep), to install the "Tuesday updates". After it reboots, I see this:

Logon screen error are traditionally dangerous because they have been used to bypass the logon screen.

Data Breaches 2010

2010-03-22T14:12:00.000-07:00

Below is a list of 171 data breaches identified by public records found by the ID Theft Resource Center for the first two and one half months of 2010. ITRC has a justice department grant to catalog all known data breaches from credible sources. ITRC is a donor sponsored, multi-venue, non-profit working to resolve identity theft. If you are a public or private sector enterprise of any type - banking, financial services, insurance, University, medical provider, HMO, governmental department, law firm, hotelier, or non-profit - you will find analogs to your business in this list. I encourage you to read through this list if you have any network or data exposure and ask yourself:

What information assets does my group have to lose?
How could we lose them?

ITRC20100316-01 John Hancock Financial Services

ITRC20100315-02 TD Bank PA Yes

ITRC20100311-01 US Bank OH

ITRC20100310-05 Securities and Exchange Commission

ITRC20100310-04 Assurity Financial Services US

ITRC20100309-10 Virgin Money USA Inc

ITRC20100309-01 Ally Bank US

ITRC20100308-16 Wells Fargo - Law

ITRC20100308-14 Partnership Federal Credit Union

ITRC20100308-09 Telhio Credit Union OH

ITRC20100308-08 M&T Bank MD

ITRC20100305-08 BlackRock US

ITRC20100226-01 CitiGroup US

ITRC20100224-01 SunTrust Banks FL

ITRC20100218-08 ING Fund US

ITRC20100201-03 Ameriquest Mortgage MN

ITRC20100126-07 Gregory Navone, First Interstate

ITRC20100114-02 Lincoln National Financial Securities

ITRC20100113-02 Suffolk County National Bank

ITRC20100104-01 Eastern Bank Corp MA

ITRC20100316-03 Beecher Carlson Holdings US

ITRC20100316-02 Beer & Wine Hobby

ITRC20100315-01 Littleton Pizza Hut franchisee

ITRC20100312-01 MonoPrice.com US

ITRC20100310-08 Experian US

ITRC20100310-07 GroupM US

ITRC20100310-06 Citco - Evanston Capital

ITRC20100310-03 Kraft Foods US

ITRC20100310-01 Thrivent Financial PA None

ITRC20100309-15 AlixPartners LLP US

ITRC20100309-14 T-Mobile MD

ITRC20100309-13 Hotels.com - vendor US

ITRC20100309-12 LitCon Group VA

ITRC20100309-11 AT&T - unknown vendor

ITRC20100309-08 California Business Bureau Medical

ITRC20100309-07 Wolters Kluwer - CCH

ITRC20100309-06 Center for American Progress

ITRC20100309-05 Ameriprise Financial - vendor

ITRC20100309-03 Priceline.com US -

ITRC20100309-02 United Guaranty Residential Insurance

ITRC20100308-15 Coffee.org US

ITRC20100308-13 LampSource US

ITRC20100308-12 Ameriprise Financial US

ITRC20100308-11 Bristol-Myers Squibb Company US

ITRC20100308-10 MoneyGram International US

ITRC20100308-07 National Audubon Society AZ

ITRC20100308-06 Willard InterContinental Hotel DC

ITRC20100308-05 Ameriprise Financial Inc US

ITRC20100308-04 Cell Phone Kiosk -

ITRC20100308-03 Arrow Electronics NY

ITRC20100308-01 Los Angeles Westin Bonaventure

ITRC20100305-12 Uniformed Services Benefit Association

ITRC20100305-11 Nuance Communications US Yes

ITRC20100305-10 FCI USA LLC US

ITRC20100305-09 Genworth Financial, Life Insurance

ITRC20100305-07 Thermo Fisher Scientific Inc

ITRC20100305-05 Moses,Phillips, Young, Brannon and

ITRC20100305-04 Easybakeware.com US

ITRC20100305-02 Hancock Fabrics US

ITRC20100304-03 Vernon Sales Promotion US

ITRC20100301-07 Feeney Agency PA

ITRC20100301-06 McGraw-Hill Construction UT

ITRC20100301-05 Erisa Pension Systems -

ITRC20100301-02 MSO of Puerto Rico

ITRC20100301-01 MSO of Puerto Rico

ITRC20100226-02 Wyndham Hotels US

ITRC20100225-01 Law Firms, Smyrna GA

ITRC20100224-02 Association for the Blind

ITRC20100223-24 Mid America Kidney Stone

ITRC20100223-17 Merkle Direct Marketing -

ITRC20100223-16 Health Services for Children

ITRC20100223-12 Public Employee Health Insurance

ITRC20100223-07 Private Practice, Wilmington NC

ITRC20100223-02 Educators Mutual Insurance Association

ITRC20100219-02 H&R Block IN Yes

ITRC20100218-09 Cullman Dairy Queen AL

ITRC20100218-07 Galeton, Gloves Inc US

ITRC20100218-06 Daedalus Books US

ITRC20100218-05 TGI Friday's - West

ITRC20100218-04 Eclipse Property Solutions FL

ITRC20100218-02 Small Dog Electronics US

ITRC20100212-03 Macy's - St Louis

ITRC20100212-01 Equifax US

ITRC20100209-13 Ozarks Area Community Action

ITRC20100209-11 St. Clair Winery &

ITRC20100209-10 Highmark US -

ITRC20100209-06 Ceridian US

ITRC20100209-03 AvMed Health Plans FL

ITRC20100202-03 Innotek US

ITRC20100202-02 P.F. Chang's Bistro

ITRC20100119-04 ExposeObama.com

ITRC20100119-03 Time Customer Service

ITRC20100119-02 Goodwill - Kent County

ITRC20100111-01 Metropark NY

ITRC20100104-02 Moriarty & Primack MA

ITRC20100305-01 New Mexico State University

ITRC20100301-04 Bennett College NC

ITRC20100219-01 Valdosta State University GA

ITRC20100218-01 Southern Illinois University IL

ITRC20100209-14 Kansas City Art Institute

ITRC20100209-04 University of Texas El

ITRC20100202-01 West Virginia University WV

ITRC20100201-04 Columbia University

ITRC20100201-02 Humboldt State University CA

ITRC20100126-05 University of Missouri MO

ITRC20100114-03 Eugene School District OR

ITRC20100114-01 Western Michigan University MI

ITRC20100316-04 St. Louis Metropolitan Police

ITRC20100305-06 Anne Arundel County's Fire

ITRC20100304-01 SC Department of Health

ITRC20100301-03 Arkansas Guard, Camp Robinson

ITRC20100223-25 New York Department of

ITRC20100223-14 Alaska Department of Health

ITRC20100223-13 Brooke Army Medical Center

ITRC20100222-01 TennCare TN Yes -

ITRC20100218-03 West Memphis Police Department

ITRC20100209-09 Social Security Administration NY

ITRC20100209-08 Wyoming Department of Health

ITRC20100209-07 Ohio Department of Administrative

ITRC20100209-02 D.C. Office of Tax

ITRC20100209-01 CA Department of Health

ITRC20100201-01 Iowa Racing and Gaming

ITRC20100128-01 PricewaterhouseCoopers - Alaska state

ITRC20100127-01 US Department of Commerce

ITRC20100126-08 New York Department of

ITRC20100126-06 Minnesota Department of Labor

ITRC20100126-04 Seattle Municipal Court WA

ITRC20100126-02 Internal Revenue Service -

ITRC20100126-01 Columbus Health Department OH

ITRC20100119-01 City of Oakridge OR

ITRC20100107-01 Housing Authority of New

ITRC20100104-03 Transportation Security Administration (TSA)

ITRC20100311-07 BlueCross BlueShield of RI

ITRC20100311-06 Center for Neurosciences AZ

ITRC20100311-05 Advanced NeuroSpinal Care CA

ITRC20100311-04 Lucille Packard Children's Hospital

ITRC20100311-03 University of New Mexico

ITRC20100311-02 North Carolina Baptist Hospital

ITRC20100310-02 Quest Diagnostics - AmeriPath

ITRC20100309-16 Empi Recovery Services -

ITRC20100309-04 DaVita - Renal Treatment

ITRC20100308-02 University of Texas Southwestern

ITRC20100305-03 Wake Forest University Baptist

ITRC20100302-01 Diabetes Direct FL

ITRC20100226-03 Shands HealthCare FL

ITRC20100225-02 University of Washington Medical

ITRC20100223-23 Private Practice Torrance #5

ITRC20100223-22 Private Practice Torrance #4

ITRC20100223-21 Private Practice Torrance #3

ITRC20100223-20 Private Practice Torrance #2

ITRC20100223-19 Private Practice, Torrance #1

ITRC20100223-18 City of Hope National

ITRC20100223-15 Cogent Healthcare of Wisconsin,

ITRC20100223-11 BlueCross BlueShield - DC,

ITRC20100223-10 Children's Medical Center of

ITRC20100223-09 Concentra TX

ITRC20100223-08 Advocate Health Care IL

ITRC20100223-06 Blue Island Radiology Consultants,

ITRC20100223-05 Private Practice, Stoughton MA

ITRC20100223-04 Cardiology Consultants FL Yes

ITRC20100223-01 Ashley and Gray DDS

ITRC20100222-02 Group Health WA

ITRC20100212-02 University of Texas Medical

ITRC20100209-12 Greensburg Dental Practices PA

ITRC20100209-05 Abbott Medical Optics CA

ITRC20100128-02 University of California -

ITRC20100127-02 University Medical Clinic -

ITRC20100126-09 Methodist Hospital - Texas

ITRC20100126-03 Unknown Dentist TX

ITRC20100113-01 Kaiser HMO CA

ITRC20100105-01 Massachusetts Eye and Ear

ipsumdump..

2010-03-18T11:58:00.000-07:00

It is easy to be fond of professor Eddie Kohler's ipsumdump. Take your monthly egress pcap file and filter it through something like this:

for i in `ipsumdump -s --no-headers $1 | sort -n | uniq`
do echo $i, `./geoip.sh $i | awk '{print $1""$7""$8" "$9""$10""$11}'`
done
( where geoip.sh is geoiplookup -f /usr/local/share/GeoIP/GeoLiteCity.dat $1 )

and what you are quickly returned something like this:

10.10.10.2, GeoIPAddressnot found
12.129.147.95, GeoIPVA,Ashburn, 20147,39.033501,-77.483803,
12.130.131.98, GeoIPCA,San Bruno,94066,37.622799,
12.130.81.249, GeoIPNY,Brooklyn, N/A,40.652500,-73.955399,
12.149.161.248, GeoIPCA,Mountain View,94043,37.419201,
12.25.91.250, GeoIPCT,Stamford, N/A,41.083099,-73.538803,
12.25.93.2, GeoIPNY,Newburgh, 12550,41.537498,-74.051201,
24.123.206.230, GeoIPIN,Lawrenceburg, 47025,39.162300,-84.891098,
24.226.158.219, GeoIPQC,Richmond, N/A,45.666698,-72.150002,
24.43.25.8, GeoIPCA,Los Angeles,N/A,34.041599,
24.43.43.169, GeoIPCA,Los Angeles,N/A,34.041599,
38.103.25.181, GeoIPVA,Alexandria, N/A,38.790901,-77.094704,
38.106.23.79, GeoIPN/A,N/A, N/A,38.000000,-97.000000,
41.208.20.155, GeoIP06,Alberton, N/A,-26.233299,28.133301,
58.19.117.118, GeoIP12,Wuhan, N/A,30.583300,114.266701,
58.215.75.62, GeoIP22,Beijing, N/A,39.928902,116.388298,
59.181.103.140, GeoIP16,Bombay, N/A,18.975000,72.825798,
59.36.98.195, GeoIP30,Dongguan, N/A,23.048901,113.744598,
59.51.114.39, GeoIP11,Changsha, N/A,28.179199,113.113602,
...

How the FEDS use social networking...

2010-03-16T23:34:00.000-07:00

What type of security risk is social networking? A document obtained by the EFF and posted on Wired's Threat Level blog details how FBI and Secret Service are using social networking sites to obtain information. Here's a sample from the document:

"Overview of Key Social Networking Sites

GETTING INFO FROM FACEBOOK

Data is organized by user ID or group ID

Standard data productions (per LE guide):

Neoprint, Photoprint, User Contact Info, Group Contanct Info, IP Logs

HOWEVER, Facebook has other data available.

Often cooperative with emergency requests."

So glad to hear that FEDS are getting co-operation from Facebook. Think for a moment what this other data might be: your chats? your friend searches? your browsing? I have to wonder what Facebook "IP Logs" look like....

Some Thoughts on Computer Defense for Small Business

2010-02-26T16:31:00.000-08:00

I have written a paper targeted for small business owners: "Some Thoughts on Computer Defense for Small Business"

"The problem of computer security will continue to increase in intensity in the coming years. Geo-political conflict, an increasing wealth divide between North and South in an increasingly networked world, and increasingly sophisticated threats will challenge the most well prepared specialists to secure your network. The passage of time has only made the following Unix administrator's adage become more true: “There are two kinds of computer users: those who have lost data and those who will.” Which part of that data loss cycle is your destiny?" read more

Advanced Persistent Threat IV

2010-02-24T12:46:00.000-08:00

SRI's Malware Threat Center has issued version 1.5 of Bot Hunter. Bot Hunter uses a proprietary algorithm with data collection facilities of a customized Snort to determine the botnet communication on Windows hosts and at Unix bastion at the egress of your network. You can review the data it collects from its honey net. Here's a picture of it running on Vista:

Update: 02/27/10 And so I had a 1.10 Score. (Below) Bot Net Hunter reported that a Microsoft IP conducted an outbound scan of 18 IPs. Something to think about...

OUTBOUND SCAN (spp)

207.46.16.248 (2) (20:05:49.902 PST)

event=777:7777005 (2) {udp} E5[bh] Detected moderate malware port scanning of 18 IPs (11 /24s) (# pkts S/M/O/I=0/52/4/0): 137u:52, [] MAC_Src: 00:16:EA:4C:F3:AE

Funny, I had Netmon 3.3 running, but it didn't catch that IP at that time This turned out to be a Microsoft DNS IP:

9:41:51.287 192.168.0.14 80 (0x50) 207.46.16.248 207.46.16.248 msdn.microsoft.akadns.net 00-09-5B-00-F3-DA msdn.microsoft.akadns.net 5599 (0x15DF)

Advanced Persistent Threat Part III

2010-02-16T20:05:00.000-08:00

It certainly is possible to examine host or network outbound conversations. But we then have to determine which outbound conversations are legitimate. Current AV software attempts to block access to potentially 'known dangerous' or 'pre-determined dangerous' malware sites but such judgements are apparently failing to prevent APT from sending stolen data to weigh stations. On OpenBSD if we are looking at outbound connections, we might sniff as thus using Snort:

/usr/local/bin/snort -D -vdeXX -l . -L `date "+%d%b%H%S%Z%Y.out"` -i dc0 'port not(whois or domain or router) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)'

On Vista, we might have two interfaces (wired and wireless) we need to examine:

start /min cmd /c C:\snort\bin\snort.exe -vdeXX -l . -i 1 port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)
start /min cmd /c C:\snort\bin\snort.exe -vdeXX -l . -i 2 port not(whois or domain or router or 5353) and not(broadcast or arp) and not(dst net 192.168.0.0/24 or 224.0.0.0/24 or 239.0.0.0/8)

We can look at the logs. And we are surprised by the number of outbound connections we make:
C:\Snort\bin>snort -v -q -r snort.log.1266372570 | find "->" | gawk -F"->" '{print $2}' | sort /R | uniq -c | sort /R
   327 74.125.103.208:80
   133 74.202.67.83:80
   105 216.35.221.76:80
   100 198.104.200.154:80
   51 72.21.91.19:80
   32 96.17.70.50:80
....

Perhaps one solution to APT would be some real time co-ordination between sites suspected of being data theft transfer stations and real-time (firewall or host) blocking of the data-transfer to those hosts/servers. This type of solution has some headwind but may need to be implemented on a individual or corporate basis to prevent "incidental blacklisting". Other solutions might include:

(1) real time packet examination of data for critical or sensitive information
(2) heuristic detection of data flows that seems 'abnormal'
(3) heuristic detection of file access that seems 'abnormal'

The industry awaits such solutions.

Advanced Persistent Threat Part II

2010-02-12T13:35:00.000-08:00

These thoughts occur to me this week in reading the numerous blog posts on APT and the Mandiant Report. Somehow my research made me think of the bane of Othello the Moor ( "Iago" ). Very loosely translated from Latin, "Iago" might mean "I am nothing". Often it is more commonly translated as "supplanter" or "heel grabber".

(1) I don't have a binary, technical threat analysis, disassembled stub, class diagram or detection method for APT.
(2) I don't know any host based security products that would block "illegitimate APT" (outgoing traffic) on ports 80 and 443 from a legitimate user space request. How would developers even implement such a service? If you could trace all events to an un-hijacked input device, you could block any events that are not desktop based. This would probably put updates,software installations,sandbox scripts in a pickle. Therefore, is this a problem in search of a network based solution?
(3) I propose we solve the debate about how "APT style" threats can be distinguished from other threats by

(a) ranking the level of resources needed to complete them or
(b) the level of functional immunity granted their perpetrators

(4) I don't know yet how to prototype or replicate an APT in my lab. Therefore, How do I know it exists outside of the conceptualization of others?
(5) Ten years ago last August I received this comment while working with an IDS developer: "This product will stop the script kiddies and most of the uber-hackers. Then there's the "Men in Black". I have no idea how we stop them."

- "Iago"

Advanced Persistent Threat

2010-02-09T17:27:00.000-08:00

The news on "Advanced Persistent Threat" has been broken in a big way by Google and the recent Mandiant report. More comments will follow at a later date. But some occur to me now:

(1) Our current desktop and server Operating Systems are not secure.
(2) Computer networks are insecure for most organizations and at many levels.
(3) Digital data can no longer be protected against a determined foe.
(4) Security researchers and visionaries should receive more funding. Lots.

Order and read the Mandiant Report. Then imagine what a resourced foe could do if they believed the security of their nation-state depended upon seemless corporate intrusions. Now imagine those techniques automated and in the wild. In order for the world to have safe computing systems, our government and industry needs to sponsor more research and decriminalize vulnerability research. Otherwise, no data will ever be secret or protected again.

Defending Against the Small Business Threat

2010-02-08T10:39:00.000-08:00

"Do you expect I'm going to solve this? I'm going to take on these Russian thieves? Clearly I'm not going to [be able to] do it." -small business owner defrauded by malware and "money mules"

A great and overdue article in the Wall Street Journal this morning: "Wanted: Defense Against Online Bank Fraud". The article discusses a now popular cyber-crime first popularized in 2008 which is initiated by an online theft/fraud of insecured ATM/payroll data on user/client/small business PCs. Fake payroll members are created and then [recruited] "money mules" cash out fraudulent paychecks from ATM terminals across the globe. If the fraud is timed right, a small business can lose large sums from their payroll accounts within 24 hours or less. The FBI and the IC3 has been warning about this for some time:

http://www.fbi.gov/pressrel/pressrel09/ach_110309.htm

http://www.ic3.gov/media/2009/091103-1.aspx

Small businesses during a recession make excellent targets. It is a bit like capitalizing on sick children. Large businesses and banks know the value of security infrastructure and development. They have lots to lose and they have been high priority targets in the past. (And they have just received big chunks of "Stimulus funding." ) Most small business employ limited staff, have a few PCs (perhaps running some accounting software), maybe some server or cloud infrastructure investments, and a web site or web/commerce site.

The few aggressive owners/proprietors that investigate securing their infrastructure may have done so on a "self-help" basis - implementing firewalls, UTM, anti-virus, anti-spyware. But even these self-motivated individuals are in no way prepared to be the targets of dedicated information warfare from skilled global criminal enterprises originating in eastern Europe, South America, Russia, China, etc. Thus, in less than 24 hours, small business payroll accounts, many of these derived from 'bridge loans' from local banks, are wiped out. The targeting of small business by cyber-criminals is an "anti-stimulus" effort; functioning to effectively siphon funds from a weakened American economy.

Security as Interdepartmental conflict...

2009-12-15T10:08:00.000-08:00

I received this message in my hotmail this morning:

Why does Microsoft get dinged for this type of presentation? Why does it happen? On a small scale it was probably because the hotmail Calendar team wasn't talking with the hotmail Security team. But that doesn't answer much. Computer security is still, in almost all industries and architectures, and "add-in". It is overlaid on top of existing products and architectures. The "security guys" are on separate teams, their training is exclusive, their recommendations are "integrated" into existing products. The practice of security never fully integrates into test suites for most product development because it can't be marketed like a popsicle. It is sold as an immunity, a dose of antibiotic, a pill. Compatibility of security architecture with existing product development has ambiguous ownership.

Cell Tracking

2009-12-05T22:20:00.000-08:00

This is the link to an absolutely extraordinary post on privacy by Christopher Soghoian:
http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html . Mr. Soghoian's post describes the evolution of "Cell Tracking", an issue the EFF has discussed for a number of years at http://www.eff.org/issues/cell-tracking. An exceptional video on current status of the law for "cell tracking" and "mobility tracking" can be found here: http://www.youtube.com/watch?v=YFo2VcfWCBQ&feature=channel/

The information reminds me that the OS inside most cell-phones is a literal "black box". Because I run midpssh, I can usually find cell's IP address in the netstat tables of my SSH Server. I can see there may be some filtered ports on my phone. But I cannot:
(1) access a console or ssh prompt
(2) run a network sniffer or IDS on my cell phone to see if someone is "pinging" my location or hacking me.

Your cell phone is a tracking device that forbids you from root access.

"The specified uptodateness vector is corrupt."

2009-11-30T21:15:00.000-08:00

I haven't posted in awhile. Time to get back into the swing of things with a little pre-Christmas Season silliness. Occasionally, the practice of network security makes us all a little goofy. Seemingly random pursuits overtake us. Silly thoughts fill our console. Perhaps this is a result of low light in the northern latitudes this time of year...In any event, should use wish to query all of the messages available in the "net helpmsg" file on Windows Vista, you can run a command like this:

for /l %i in (1,1,16000) do @( echo %i && net helpmsg %i ) 2>NUL

This will give a formatted output of every existing net help msg and all numbers that are not so.. Keep in mind that there are most probably less than 5000 of these messages, however they are numbered somewhat inconsistently in the sequence between 1 - 16,000. With cygwin or GNUWin32 utilities loaded you could add:

for /l %i in (1,1,16000) do @( echo %i && net helpmsg %i ) 2>NUL | egrep -B 2 -i [a-z] | tr -d /-/- | tr -d \r

This would produce a long list of only those numbers with messages and, after some substantial period of time and processor use, would yield some very interesting reading. Here are a few of my favorites:

581
A Windows Server has an incorrect configuration.

593
NTVDM encountered a hard error.

597
The parameter(s) passed to the server in the clientserver shared memory window were invalid. Too much data may have been put in the shared memory window.

598
The stream is not a tiny stream.

611
There is an IP address conflict with another system on the network

612
There is an IP address conflict with another system on the network

615
The policy of your user account does not allow you to change passwords too frequently.
This is done to prevent users from changing back to a familiar, but potentially discovered, password.
If you feel your password has been compromised then please contact your administrator immediately to have a new one assigned.

617
You have attempted to change your password to one that you have used in the past.
The policy of your user account does not allow this. Please select a password that you have not previously used.

629
A group marked use for deny only cannot be enabled.

670
WOW Assertion Error.

677
{Too Much Information}
The specified access control list (ACL) contained more information than was expected.

678
This warning level status indicates that the transaction state already exists for the registry subtree, but that a transaction commit was previously aborted.
The commit has NOT been completed, but has not been rolled back either (so it may still be committed if desired).

680
{GUID Substitution}
During the translation of a global identifier (GUID) to a Windows security ID (SID), no administrativelydefined GUID prefix was found.
A substitute prefix was used, which will not compromise system security. However, this may provide a more restrictive access than intended.

704
{Redundant Read}
To satisfy a read request, the NT faulttolerant file system successfully read the requested data from a redundant copy.
This was done because the file system encountered a failure on a member of the faulttolerant volume, but was unable to reassign the failing area of the device.

705
{Redundant Write}
To satisfy a write request, the NT faulttolerant file system successfully wrote a redundant copy of the information.
This was done because the file system encountered a failure on a member of the faulttolerant volume, but was not able to reassign the failing area of the device.

730
The system has awoken

746
{Connect Failure on Primary Transport}
An attempt was made to connect to the remote server hs on the primary transport, but the connection failed.
The computer WAS able to connect on a secondary transport.

1265
The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

1274
The group policy framework should call the extension in the synchronous foreground policy refresh.

1282
The system detected an overrun of a stackbased buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

1292
An operation attempted to exceed an implementationdefined limit.

1349
The type of the token is inappropriate for its attempted use.

1350
Unable to perform a security operation on an object that has no associated security.

1353
The domain was in the wrong state to perform the security operation.

1370
An internal security database corruption has been encountered.

1384
During a logon attempt, the user's security context accumulated too many security IDs.

2228
There are too many names in the user accounts database.

2385
The Run server you requested is paused.

2431
The alert table is full.

3013
The printer driver is known to be unreliable.

3014
The printer driver is known to harm the system.

3029
Local security could not be started because the user accounts database
(NET.ACC) was missing or corrupted, and no usable backup
database was present.

THE SYSTEM IS NOT SECURE.

3060
The service did not respond to control and was stopped with
the DosKillProc function.

3194
Hanging up a stuck session to ***.

3413
Your logon time at *** ends at ***.
Please clean up and log off.

3513
More data is available than can be returned by Windows.

3950
Reissue the given operation as a cached IO operation

4006
Replication with a nonconfigured partner is not allowed.

6628
Log space is exhausted.

6730
The transaction does not have a superior enlistment.

8606
Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.

8629
The specified uptodateness vector is corrupt.

8630
The request to replicate secrets is denied.

10038
An operation was attempted on something that is not a socket.

10059
Too many references to some kernel object.

10107
A system call that should never fail has failed.

11007
There are no senders.

11008
There are no receivers.

15250
The requested system device cannot be identified due to multiple indistinguishable devices potentially matching the identification criteria.