Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Kerberos Events - Other Logon Events - ECS event Categories and Types #17517

Merged
merged 9 commits into from
May 4, 2020
Merged

Add Kerberos Events - Other Logon Events - ECS event Categories and Types #17517

merged 9 commits into from
May 4, 2020

Conversation

janniten
Copy link
Contributor

@janniten janniten commented Apr 6, 2020

Added Kerberos Tickets Events (4768,4769,4770,4771,4776), aditional logon events (4778,4779,4964), sensitive privilege use events (4673,4674), service and task scheduler events (4697,4698,4699,4700,4701,4702)

Event categories, types and outcome were aligned to the ones defined in ECS 1.5

Other minor fixes/improvements introduced

New Events
The new events are commonly used when analyzing lateral movements
Sources:
https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
https://www.sans.org/security-resources/posters/dfir/windows-forensic-analysis-170
https://www.sans.org/security-resources/posters/dfir/hunt-evil-165
https://www.sans.org/security-resources/posters/dfir/windows-forensics-evidence-of-75

Event Description
4673 A privileged service was called.
4674 An operation was attempted on a privileged object.
4697 A service was installed in the system.
4698 A scheduled task was created.
4699 A scheduled task was deleted.
4700 A scheduled task was enabled.
4701 A scheduled task was disabled.
4702 A scheduled task was updated.
4768 A Kerberos authentication ticket TGT was requested.
4769 A Kerberos service ticket was requested.
4770 A Kerberos service ticket was renewed.
4771 Kerberos pre-authentication failed.
4776 The computer attempted to validate the credentials for an account.
4778 A session was reconnected to a Window Station.
4779 A session was disconnected from a Window Station.
4964 Special groups have been assigned to a new logon.

Event Categories and Types

ECS 1.5 define which are the values allowed for event categories and types.
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-category.html
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-type.html

Modifications have been introduced in order to adjust the events to fall into allowed categories/types.
In order to add flexibility the function addActionDesc was replace for a more general function, the addEventFields. This function completes the category (event.category), the primary type (event.type) and the action description (event.action).
Aditional types can be attached to the event via AppendTo function.
For example, for Evt 4719 the addEventFields sets the event.category="iam", event.type="admin" but because it is also a change thet event.type=change is also added via AppendTo in the specific function that process the event
Having more than one value in the event.type, allow us to detect, for example, this type of activity

 event.category:iam AND event.type:admin AND event.type:change

event type example

In this way event categories/types can be easily modified according to futher ECS changes.

For all events the evet.outcome was also aligned to the specification of ECS 1.5
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-outcome.html

Fixes/Improvements

  • Event 4648:
    Events 4648 and 4624 were processed by the same function, but the winlog.logon.id field needs to be copied from different source field in the case of evt 4648
    For evt 4624 the winlog.logon.id comes from winlog.data.TargetLogonID whereas that for evt 4648 should be copied from winlog.data.SubjectLogonID
    The processing for those events were decoupled.
    In the Evt 4648 we have now the winlog.logon.id of the user logging in with the explicit credentials and thus be able to correlate with the original winlog.logon.id. See example below

4648_example

  • Event 4625:
    In this event the Add(copyTargetUserLogonId) was replaced for the .Add(copySubjectUserLogonId). The relevant LogonID information is in the winlog.event_data.SubjectLogonId and was obtain from winlog.event_dataTargetLogonId
    Normaly the winlog.event_data.SubjectLogonId is 0x0 but when one logged-in user tries to run as a different user and fails to, the LogonID is the one of the logged-in user
    In this way we can track all the activity, right from the original connection. See example below
    4625_follow-up

  • Events 4728,4729,4732,4733,4743,4746,4747,4751,4752,4756,4757,4761,4762 :
    Extracted user from winlog.event_data.MemberName in order to be added to related.user field

  • Events 4688 and 4689: winlog.logon.id field was missing. The .Add(copySubjectUserLogonId) was added.

  • Event 4688: Modified to not to add related.user when winlog.event_data.TargetUserName is "-"

  • Event 4672: add event.outcome. Aligned to ECS 1.5

  • Event 4647: Missing event.action

  • Event 4731 and 1102: Wrong event.action

  • copyTargetUser was modify in order to parse properly the user name in Kerberos Events

  • Added missing codes to logonFailureStatus table in order to map failure codes from Event 4776

  • addAuthSuccess and addAuthFailed removed and replaced for addEventOutcome and addEventFields functions.

  • Enrichment information sources. For all tables with data used to enrich events the source of that information was added.

Future Work

@janniten janniten requested a review from a team as a code owner April 6, 2020 13:51
@elasticmachine
Copy link
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

1 similar comment
@elasticmachine
Copy link
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

@janniten
Copy link
Contributor Author

janniten commented Apr 6, 2020

@andrewkroh @leehinman some new events added, adjustment to ECS event categories and types and some fixes/improvements

@janniten janniten changed the title Add Kerberos Event - Other Logon Events - ECS event Categories and Types Add Kerberos Events - Other Logon Events - ECS event Categories and Types Apr 6, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@janniten This is awesome.

I did get some errors when I tried to make the golden files.

    --- FAIL: TestSecurity/security-windows2012_4770.evtx (0.02s)
        testing_windows.go:70: failed in processor.javascript: failed in process function: TypeError: Cannot read property '2' of undefined at ..\config\winlogbeat-security.js:1356:38(17) while processing event:
...

It doesn't look like you don't have events 4770, 4771 in the eventActionTypes object. Could you add those?

@janniten
Copy link
Contributor Author

janniten commented Apr 7, 2020

@leehinman I have implemented all the changes you have suggested. Thank you!
Please let me know If I need to perform further modifications

Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hit a different error with 4771

PS C:\Gopath\src\github.com\elastic\beats\x-pack\winlogbeat\module\security\test> go test -update .\security_windows_test.go
--- FAIL: TestSecurity (1.30s)
    --- FAIL: TestSecurity/security-windows2012_4771.evtx (0.03s)
        testing_windows.go:70: failed in processor.javascript: failed in process function: TypeError: Cannot read property 'toLowerCase' of undefined at ..\config\winlogbeat-security.js:1481:27(7) while processing event:
            {
              "error": {
                "message": "TypeError: Cannot read property 'toLowerCase' of undefined at ..\\config\\winlogbeat-security.js:1481:27(7)"

@janniten
Copy link
Contributor Author

janniten commented Apr 7, 2020

hit a different error with 4771

PS C:\Gopath\src\github.com\elastic\beats\x-pack\winlogbeat\module\security\test> go test -update .\security_windows_test.go
--- FAIL: TestSecurity (1.30s)
    --- FAIL: TestSecurity/security-windows2012_4771.evtx (0.03s)
        testing_windows.go:70: failed in processor.javascript: failed in process function: TypeError: Cannot read property 'toLowerCase' of undefined at ..\config\winlogbeat-security.js:1481:27(7) while processing event:
            {
              "error": {
                "message": "TypeError: Cannot read property 'toLowerCase' of undefined at ..\\config\\winlogbeat-security.js:1481:27(7)"

Correct, Event 4771 does not have the EcnryptionType Fields. Sorry
Fixed.

Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good. I was able to produce golden files on win2012, win2016 & win2019. After the fix below do you want me to push them to your branch?

Also, could you add an entry to CHANGELOG.next.asciidoc ?

Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

event.action shouldn't be an array

@janniten
Copy link
Contributor Author

janniten commented Apr 8, 2020

Looking good. I was able to produce golden files on win2012, win2016 & win2019. After the fix below do you want me to push them to your branch?

Yes, please. Thank you!

@leehinman
Copy link
Contributor

jenkins, test this

@leehinman
Copy link
Contributor

@janniten we need to rebase off master to get rid of the merge conflicts. Would you like me to do that or do you want to?

@janniten
Copy link
Contributor Author

@leehinman, Go ahead! Thank you 😊

@leehinman
Copy link
Contributor

jenkins, test this

@leehinman
Copy link
Contributor

run tests

Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another great contribution. Thanks!

Would you mind taking a pass through the JS file to ensure consistent formatting. I should probably add some kind of linting check to the project for these pipelines to make this easier.

  • spaces between function args
  • spaces around = during assignments.
  • lower camel case naming

"level": "information"
},
"process": {
"executable": "C:\\Windows\\System32\\lsass.exe",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can populate process.command_line here too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @andrewkroh , I did all modifications about lower camel case, spaces in assignments and between function args. Now testing the changes in my environment and then I'll commit the changes soon.
I have a doubt regarding to populate the process.command_line in event 4673.
I'm not able to see that information in the event, as for example in event 4688. Am I missing something?

image

[0x800000, "PASSWORD_EXPIRED"],
[0x1000000, "TRUSTED_TO_AUTH_FOR_DELEGATION"],
[0x4000000, "PARTIAL_SECRETS_ACCOUNT"],
var uac_flags = [
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rest of the file appears to use lower camel case.

Suggested change
var uac_flags = [
var uacFlags = [

if (! uac_list) {
return;
}
evt.Put("winlog.event_data.UserAccountControl",uac_list);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
evt.Put("winlog.event_data.UserAccountControl",uac_list);
evt.Put("winlog.event_data.UserAccountControl", uac_list);

For formatting consistency and readability it would be good to consitently use a space between args.

return;
}
if (!auditDescription[subcategoryGuid]) {
var tkt_code=parseInt(code,16).toString(2);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
var tkt_code=parseInt(code,16).toString(2);
var tkt_code = parseInt(code,16).toString(2);

@janniten
Copy link
Contributor Author

Another great contribution. Thanks!

Would you mind taking a pass through the JS file to ensure consistent formatting. I should probably add some kind of linting check to the project for these pipelines to make this easier.

  • spaces between function args
  • spaces around = during assignments.
  • lower camel case naming

Hi @andrewkroh ; I'll pass through the JS in order to identify the points you have mentioned, my pleasure :)

But I need a little bit of help in order to locally update my PR (sorry, I'm not a developer, just a security girl :) ).
When I try to rebase, this error occurs (see attached). I tried few things but with luck
@leehinman can you help me?

Thank you!
error.txt

@andrewkroh
Copy link
Member

Since the branch was updated you'll probably just want to reset your local branch to match the current state of the PR before making any new changes. This will wipe out any changes to the local branch that are not in this PR.

git fetch --all
git reset --hard origin/logon-kbr-evts

@janniten
Copy link
Contributor Author

Since the branch was updated you'll probably just want to reset your local branch to match the current state of the PR before making any new changes. This will wipe out any changes to the local branch that are not in this PR.

git fetch --all
git reset --hard origin/logon-kbr-evts

Thank you! It worked. I'll be reviewing the and submitting the changes today

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview stats

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 0
Passed 261
Skipped 1
Total 262

@andrewkroh andrewkroh merged commit 955bc46 into elastic:master May 4, 2020
@andrewkroh andrewkroh added the needs_backport PR is waiting to be backported to other branches. label May 4, 2020
@zube zube bot added [zube]: Done and removed [zube]: Inbox needs_backport PR is waiting to be backported to other branches. labels May 4, 2020
andrewkroh pushed a commit to andrewkroh/beats that referenced this pull request May 4, 2020
…ypes (elastic#17517)

Add support for event IDs 4673, 4674, 4697, 4698, 4699, 4700, 4701, 4702, 4768, 4769, 4770, 4771, 4776, 4778, 4779, 4964 to the Winlogbeat Security module.

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
(cherry picked from commit 955bc46)
andrewkroh added a commit that referenced this pull request May 4, 2020
…ypes (#17517) (#18174)

Add support for event IDs 4673, 4674, 4697, 4698, 4699, 4700, 4701, 4702, 4768, 4769, 4770, 4771, 4776, 4778, 4779, 4964 to the Winlogbeat Security module.

Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co>
(cherry picked from commit 955bc46)

Co-authored-by: Anabella Cristaldi <33020901+janniten@users.noreply.github.com>
andrewkroh added a commit that referenced this pull request Jun 4, 2020
…18775)

This PR adds two new dashboards related to events added in PRs (#12906, #14299, #15217, #17517) and implements some improvements to existing winlogbeat security module's dashboard

New Dashboards

    User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections.
    Failed and Blocked Accounts allow us to keep track to failed logons and locked out account

Existing Dashboards

    Added Distribution groups Events (#15217)
    Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added

All Dashboards

    Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
    image

    Visualization that use may events (like group management related visualizations)
    were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)

    Removed the margin between panels to look in the same way that other beats dashboards

    TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
…lastic#18775)

This PR adds two new dashboards related to events added in PRs (elastic#12906, elastic#14299, elastic#15217, elastic#17517) and implements some improvements to existing winlogbeat security module's dashboard

New Dashboards

    User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections.
    Failed and Blocked Accounts allow us to keep track to failed logons and locked out account

Existing Dashboards

    Added Distribution groups Events (elastic#15217)
    Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added

All Dashboards

    Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
    image

    Visualization that use may events (like group management related visualizations)
    were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)

    Removed the margin between panels to look in the same way that other beats dashboards

    TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
andrewkroh pushed a commit to andrewkroh/beats that referenced this pull request Nov 16, 2020
…lastic#18775)

This PR adds two new dashboards related to events added in PRs (elastic#12906, elastic#14299, elastic#15217, elastic#17517) and implements some improvements to existing winlogbeat security module's dashboard

New Dashboards

    User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections.
    Failed and Blocked Accounts allow us to keep track to failed logons and locked out account

Existing Dashboards

    Added Distribution groups Events (elastic#15217)
    Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added

All Dashboards

    Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
    image

    Visualization that use may events (like group management related visualizations)
    were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)

    Removed the margin between panels to look in the same way that other beats dashboards

    TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
(cherry picked from commit 7b9c535)
andrewkroh added a commit that referenced this pull request Nov 30, 2020
…18775) (#22598)

This PR adds two new dashboards related to events added in PRs (#12906, #14299, #15217, #17517) and implements some improvements to existing winlogbeat security module's dashboard

New Dashboards

    User Logon Dashboard shows all the logon information. It allow us to keep track between logon and admin logons event between RDP connections and disconnections.
    Failed and Blocked Accounts allow us to keep track to failed logons and locked out account

Existing Dashboards

    Added Distribution groups Events (#15217)
    Found that Event 4625 can be generated by two different providers: Microsoft-Windows-Security-Auditing and Microsoft-Windows-EventSystem. Filters to use only the event.code=4625 from Microsoft-Windows-Security-Auditing where added

All Dashboards

    Markdown with links all the winlogbeat security dashboards where added (following the idea of Filebeats, Auditbeat dashboards)
    image

    Visualization that use may events (like group management related visualizations)
    were modified in order to use a saved search with the relevant events for that visualization as a source (instead of using individual filters for each visualization)

    Removed the margin between panels to look in the same way that other beats dashboards

    TSVB metrics were modified to use the Entire Time Range and to use eye-friendlier colors

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
(cherry picked from commit 7b9c535)

Co-authored-by: Anabella Cristaldi <33020901+janniten@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants