
SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

EVTX and Windows Event Logging


This paper will explore Microsoft's EVTX log format and Windows Event Logging framework. The EVTX data stream and structure will be defined as a basis for the Windows Event Logging framework and log subscription components that can be used to collect and correlate logs in a complex Windows-based environment.

Copyright SANS Institute


Author Retains Full Rights
EVTX and Windows Event Logging

GCIA Gold Certification

Author: Brandon Charter, bcharter@secureworks.com

Adviser: Brent Deterding

Accepted:

Brandon Charter 1

SANS Institute 2008, Author retains full rights.


Outline

1. Abstract .......................................................... 3
2. What is EVTX ...................................................... 4
   EVTX Event Definition ............................................. 4
   EVTX Components ................................................... 11
   Event Viewer ...................................................... 11
   Windows Event Log Service ......................................... 13
3. Working with EVTX Events .......................................... 13
   Configuring Log Subscriptions ..................................... 14
   Subscription Security ............................................. 17
4. Conclusion ........................................................ 25
5. References ........................................................ 25


1. Abstract

Auditing and compliance are far more important to an organization than ever before due to security incidents and digital threats. Security professionals are under increasing pressure to understand the changes that occur in increasingly complex IT environments. The collection and aggregation capability of the technology in these complex environments is constantly changing to adapt to the auditing and compliance requirements that many organizations must meet.

Many organizations use Microsoft's Windows platform for desktop, workstation, or server environments. Microsoft has recently reworked the log collection and aggregation functionality of Windows Vista based platforms. The new Windows Event Logging framework and EVTX log format include increased functionality for security professionals to collect and correlate logs.

This paper will explore Microsoft's EVTX log format and Windows Event Logging framework. The EVTX data stream and structure will be defined as a basis for the Windows Event Logging framework and log subscription components that can be used to collect and correlate logs in a complex Windows-based environment.


2. What is EVTX

EVTX is Microsoft's new log format which has been implemented in Vista and Server 2008. The main reason for reworking the previous EVT log format is that there have been very few updates since Windows NT 4.0 to accommodate the increasing level of compliance that is required today. EVTX includes many new features and enhancements, including many new event properties, the use of channels to publish events, an Extensible Markup Language (XML) format, a new Event Viewer, and a rewritten Windows Event Log service.

EVTX Event Definition

EVTX includes many new event properties which make up each event that is published. One of the new properties introduced in EVTX is the Keywords field. This property stores values which may have previously been stored in the Type field in the EVT format. In the EVT format, the Type field stored the severity and any keywords for each event. In EVTX, the Level property is used to store the severity of the event instead of the Type field. Although not a new property, many Event ID field values changed significantly in EVTX. The Event ID is a unique identifier that is allocated for each type of event and is the most common way to reference a unique event. The Event ID relationship for most security-related events is EVTX EventId = EVT EventId + 4096 (Fitzgerald, 2007).
The following table is a list which Microsoft (Event Properties, 2008) has defined as the most common event properties.

Property Name    Description

Source
    The software that logged the event, which can be either a program name, such as "SQL Server", or a component of the system or of a large program, such as a driver name. For example, "Elnkii" indicates an EtherLink II driver.

Event ID
    A number identifying the particular event type. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the Event Log service is started. The first line of the description of such an event is "The Event log service was started." The Event ID and the Source can be used by product support representatives to troubleshoot system problems.

Level
    A classification of the event severity. The following event severity levels can occur in the system and application logs:
    Information. Indicates that a change in an application or component has occurred, such as an operation has successfully completed, a resource has been created, or a service started.
    Warning. Indicates that an issue has occurred that can impact service or result in a more serious problem if action is not taken.
    Error. Indicates that a problem has occurred, which might impact functionality that is external to the application or component that triggered the event.
    Critical. Indicates that a failure has occurred from which the application or component that triggered the event cannot automatically recover.
    The following event severity levels can occur in the security log:
    Success Audit. Indicates that the exercise of a user right has succeeded.
    Failure Audit. Indicates that the exercise of a user right has failed.
    In the Event Viewer normal list view, these are represented by a symbol.

User
    The name of the user on whose behalf the event occurred. This name is the client ID if the event was actually caused by a server process or the primary ID if impersonation is not taking place. Where applicable, a security log entry contains both the primary and impersonation IDs. Impersonation occurs when the server allows one process to take on the security attributes of another.

Operational Code
    Contains a numeric value that identifies the activity or a point within an activity that the application was performing when it raised the event. For example, initialization or closing.

Log
    The name of the log where the event was recorded.

Task Category
    Used to represent a subcomponent or activity of the event publisher.

Keywords
    A set of categories or tags that can be used to filter or search for events. Examples include "Network", "Security", or "Resource not found."

Computer
    The name of the computer on which the event occurred. The computer name is typically the name of the local computer, but it might be the name of a computer that forwarded the event or it might be the name of the local computer before its name was changed.

Date and Time
    The date and time that the event was logged.

Process ID
    The identification number for the process that generated the event.

Thread ID
    The identification number for the thread that generated the event.

Processor ID
    The identification number for the processor that processed the event.

Session ID
    The identification number for the terminal server session in which the event occurred.

Kernel Time
    The elapsed execution time for kernel-mode instructions, in CPU time units.

User Time
    The elapsed execution time for user-mode instructions, in CPU time units.

Processor Time
    The elapsed execution time for user-mode instructions, in CPU ticks.

Correlation Id
    Identifies the activity in the process for which the event is involved. This identifier is used to specify simple relationships between events.

Relative Correlation Id
    Identifies a related activity in a process for which the event is involved.
One of the most noticeable changes in the EVTX implementation is the use of channels to store events. The Windows Event Log Software Developer Kit defines channels as streams of events which are used by the OS and applications to publish events to a log (Event Logs and Channels in Windows Event Log, 2008). The main channels that are included in Vista and Server 2008 are broken up into two groups. The first group is called Windows Logs and this includes the Application, Security, and System channels. It also includes two new channels which are called Setup and Forwarded Events. The second group of channels is called the Applications and Services Logs. This group contains many individual channels which publish events from a single application or component. Figure 1 displays the relationship between channel groups and individual channels.

Figure 1
Each channel group has two channel types and each event has an event type. The serviced channel type contains Admin and Operational events. The direct channel type contains Analytic and Debug events. The main difference between the two channel types is that serviced channels can be forwarded and/or collected remotely and direct channels cannot (Event Logs and Channels in Windows Event Log, 2008). Figure 2 displays the relationship between channel types and event types.

Figure 2
As mentioned above, EVTX logs are stored using an XML format. XML was created to provide a format that could be used to share structured data in a format which allows developers to define their own elements. The characteristics of XML make it the ideal language to use for event logs. The XML log format greatly increases the granularity that can be applied when viewing events in Event Viewer or any other 3rd party application. An example of the XML format in a view from Event Viewer is shown in figure 3.

Figure 3
The image displays the XML elements which are defined by the <Element> tags and the data which is defined by the element. The <System> element is required and contains information about the event, while the <EventData> element is not required and it contains the reason the event was published (Event Representation for Event Consumers, 2008). XML provides a much more structured format than the EVT format. The default location for the log files is the following directory: %SystemRoot%\System32\Winevt\Logs\ and they carry the .evtx extension. The default behavior for logs is to overwrite events as needed starting with the oldest events first.


EVTX Components

The EVTX log format which has been integrated into all versions of Microsoft Vista and Server 2008 is officially known as Windows Event Log whereas the former EVT format is known simply as Event Logging. Windows Event Log includes a new Event Viewer as well as a rewritten Windows Event Log service.

Event Viewer

Although a detailed review of the new Event Viewer is outside the scope of this paper, understanding the new features of the application is critical to investigating the changes that have been introduced in EVTX. Some of the new features of the new Event Viewer include advanced filtering based on XML, the ability to attach tasks to events, and the ability to use log subscriptions to collect events from remote computers. The new Event Viewer that is included in Vista and Server 2008 is capable of opening event logs that have been stored in the former EVT format. This becomes important when working in a mixed environment or looking at historical data. Using the new Event Viewer is almost a necessity because the previous version that is found in operating systems such as Windows XP and Server 2003 is not capable of reading the new EVTX format. The new Event Viewer is capable of exporting logs in EVTX, XML, TXT, and CSV format.

One of the most useful new features of the Event Viewer is the ability to create a custom view to filter the events which are displayed. The ability to create a custom view can greatly reduce the amount of time that is needed to locate a particular event when compared to the previous version of Event Viewer. Since the EVTX events are stored using XML, custom views allow end users to filter events on each property or field that defines an event. Custom views can also be saved and imported into the Event Viewer to save additional time in the future. The custom view window allows filtering based on when the event was logged, the level, log, source, event ID, keyword, user, and computer. If additional filtering is needed, the custom view window has an XML tab which allows the end user to create a custom view by editing the XML query directly. The XML syntax for a query for all Audit Failures from the Security log is shown in figure 4.

Figure 4
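The XML event structure (<System> and <EventData>) and the custom-view filter described above, as an added example that is not code from the paper: a small Python parser that reads events in the XML form Event Viewer shows and exports, maps them onto the property names from the table (Source, Event ID, Level, Keywords, Log, Computer and so on), and applies the same band(Keywords, ...) test that Event Viewer writes into a custom view's XPath for Audit Failure. The keyword bit values (Event Viewer emits the decimal operand 4503599627370496, that is 0x10000000000000, for Audit Failure and 0x20000000000000 for Audit Success), the level names, and the event XML namespace are stated from my own knowledge of the format, not taken from the paper. The three events are constructed samples, not captures from the test environment. The block also carries the EVT-to-EVTX Event ID relation cited earlier (EVTX EventId = EVT EventId + 4096) as a helper for normalizing IDs from pre-Vista hosts in a mixed environment.

```python
"""Parse EVTX events in their XML form and apply an Event Viewer style
Keywords filter.  Added example; not code from the paper."""
import xml.etree.ElementTree as ET

# Namespace of the event XML on Event Viewer's Details > XML View tab.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Keyword bits behind the Audit Failure / Audit Success boxes of the custom
# view filter.  In the XPath Event Viewer generates they appear in decimal:
#   *[System[band(Keywords,4503599627370496)]]   (== 0x10000000000000)
AUDIT_FAILURE = 0x10000000000000
AUDIT_SUCCESS = 0x20000000000000
AUDIT_FAILURE_QUERY = "*[System[band(Keywords,%d)]]" % AUDIT_FAILURE

LEVEL_NAMES = {0: "Log Always", 1: "Critical", 2: "Error", 3: "Warning",
               4: "Information", 5: "Verbose"}

# Constructed sample (not captured from the test environment): a logon failure
# and a logon success on the Security channel, and an Event Log service start
# (ID 6005, mentioned in the paper's table) on the System channel.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
 <Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords>
 <TimeCreated SystemTime="2008-10-20T14:03:11.000Z"/><Execution ProcessID="512" ThreadID="540"/>
 <Channel>Security</Channel><Computer>SERVER1.gcia.gold</Computer></System>
 <EventData><Data Name="TargetUserName">bcharter</Data>
 <Data Name="LogonType">3</Data><Data Name="IpAddress">10.1.1.50</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
 <Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords>
 <TimeCreated SystemTime="2008-10-20T14:03:15.000Z"/><Execution ProcessID="512" ThreadID="540"/>
 <Channel>Security</Channel><Computer>SERVER1.gcia.gold</Computer></System>
 <EventData><Data Name="TargetUserName">bcharter</Data>
 <Data Name="LogonType">3</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="EventLog"/><EventID>6005</EventID>
 <Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords>
 <TimeCreated SystemTime="2008-10-20T13:58:02.000Z"/><Execution ProcessID="0" ThreadID="0"/>
 <Channel>System</Channel><Computer>DC1.gcia.gold</Computer></System>
</Event>
</Events>"""


def parse_event(elem):
    """Map one <Event> onto the property names used in the paper's table."""
    system = elem.find("e:System", NS)

    def text(tag):
        node = system.find("e:" + tag, NS)
        return node.text if node is not None else None

    execution = system.find("e:Execution", NS)
    return {
        "Source": system.find("e:Provider", NS).get("Name"),
        "EventID": int(text("EventID")),
        "Level": int(text("Level")),
        "Keywords": int(text("Keywords"), 16),
        "Log": text("Channel"),
        "Computer": text("Computer"),
        "DateTime": system.find("e:TimeCreated", NS).get("SystemTime"),
        "ProcessID": int(execution.get("ProcessID")),
        "ThreadID": int(execution.get("ThreadID")),
        # <EventData> is optional; its <Data Name=...> children give the reason
        # the event was published.
        "EventData": {d.get("Name"): d.text
                      for d in elem.findall("e:EventData/e:Data", NS)},
    }


def parse_events(xml_text):
    root = ET.fromstring(xml_text)
    return [parse_event(e) for e in root.findall("e:Event", NS)]


def severity(event):
    """Security-channel events carry their severity in Keywords (Success or
    Failure Audit); other channels use the Level property."""
    if event["Log"] == "Security":
        if event["Keywords"] & AUDIT_FAILURE:
            return "Failure Audit"
        if event["Keywords"] & AUDIT_SUCCESS:
            return "Success Audit"
    return LEVEL_NAMES.get(event["Level"], "Unknown")


def band_filter(events, keyword_bits):
    """Python equivalent of the XPath band(Keywords, bits) test."""
    return [e for e in events if e["Keywords"] & keyword_bits]


def evt_to_evtx_id(evt_id):
    """EVT (pre-Vista) security Event ID -> EVTX ID, using the relation the
    paper cites (EVTX EventId = EVT EventId + 4096), e.g. 529 -> 4625."""
    return evt_id + 4096


if __name__ == "__main__":
    for ev in band_filter(parse_events(SAMPLE_XML), AUDIT_FAILURE):
        print(ev["DateTime"], ev["Computer"], ev["EventID"], severity(ev),
              ev["EventData"].get("TargetUserName"), ev["EventData"].get("IpAddress"))
```

Running the file prints the single failure audit in the sample. The same band test, placed in a Select element of a QueryList, is what the XML tab of the custom view dialog accepts, so a view built in the dialog and a script built on this parser select the same events.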


The Event Viewer also contains an interface which can be used to attach a task to an event. This new feature has many uses which are virtually limitless. Tasks can be attached to an event which matches a filter that is defined using the same options as the custom views which were described above. This includes the ability to attach a task to an event based on a custom XML filter. In order to attach a task to an event with a custom XML filter, the Task Scheduler must be used instead of the Attach a Task to this Log wizard that is found in the Event Viewer.

Windows Event Log Service

The main reason the Windows Event Log service was rewritten was to eliminate the performance and scalability restrictions that are found in previous versions of Microsoft Windows products. The Windows Event Log service is capable of publishing events in an asynchronous manner which prevents the publishing application from waiting for the service to store the event (Menn, 2006). Once the event is published, the Windows Event Log service then performs additional processing based on the type of event. Certain types of events are then handled differently based on the impact they may have on overall system performance. Specifically, Analytic and Debug events are immediately written to a file due to the large volume of these types of events whereas the Admin and Operational events may be delivered to subscribers such as the event forwarder.

3. Working with EVTX Events

The scalability and architecture changes that are included in EVTX are just as important as the changes in the format itself. Log Subscriptions can be used to collect and correlate logs from multiple EVTX enabled hosts throughout a network.


Configuring Log Subscriptions

In order to work with Subscriptions, the Windows Event Collector service must be running on the host that will be collecting logs (subscriber). The Windows Remote Management service must be configured and running on the subscriber and any forwarding hosts (forwarder). Although there are various configuration options available, the quickest and easiest way to configure the Windows Remote Management service is to execute the command winrm quickconfig on the command line as a privileged user. The quickconfig option will set up the Windows Remote Management service to listen on port 80/tcp on all interfaces, update the Windows Firewall to allow this service on this port, and set the service to start automatically.

Another requirement in configuring a log subscription is that the appropriate user and/or computer permissions must be added on the forwarding host. Log subscriptions can be configured to use user or computer accounts to forward the logs securely from the forwarder to the subscriber. If computer accounts are chosen, the computer account of the subscriber must be added to the local Administrators group of the forwarder. The subscription can also be configured to use any user account which is a member of the local Administrators group on the forwarder.

A log subscription can be set up in the Event Viewer by selecting the Create Subscription link inside the Subscriptions view. The subscription properties wizard will then present the user with a view that looks similar to the image shown in figure 5. Once a name and description are filled in, the user is presented with a drop-down list containing all existing log destinations on the subscriber. The destination log configuration option allows the end user to easily combine logs from multiple forwarders into one central log location. The source computers which will forward logs to the subscriber must then be selected. Subscriptions can be set up as Collector or Source computer initiated types. The user and computer permissions will be set up in this step and vary depending on which subscription type is selected. A filter can be applied to select only the desired events to be forwarded to the subscriber. Filters are configured via the same wizard and XML syntax that is described above.

Figure 5

Selecting the advanced settings button loads a wizard which lists options for the user account, speed settings, and the port that will be used by the subscription. There are three speed settings which can be configured when setting up a subscription via the subscription wizard. There is a fourth setting which is to use custom settings via the Windows Event Collector Utility (wecutil) (Setting up a Source Initiated Subscription, 2008). The following list describes the three subscription speed settings which can be configured via the wizard (Shields, 2007).

    "Normal mode" configures the target computer to pull event information from the source computer five items at a time, with a batch timeout of 15 minutes.

    "Minimize bandwidth" reverses the direction of the delivery, pushing the data from source to destination. This is helpful if bandwidth is an issue. The influx of log data at the destination is slowed with the batch timeout and the heartbeat interval increases to six hours.

    "Minimize latency" mode works well for gathering real-time or near real-time data. This also uses push mode, but significantly dials up the timeout to every 30 seconds.

The settings for the log subscription are saved to a registry key located at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions. The settings in the registry key can be viewed by running wecutil gs and modified by running wecutil ss with the appropriate parameters. Figure 6 shows the output from wecutil gs for a subscription named Test.


Figure 6

wecutil contains many configuration options that are not displayed in the subscription wizard. One such option allows fine tuning of the latency and heartbeat intervals described above when the value of ConfigurationMode is set to Custom. wecutil has many additional command line options which can be used to configure and troubleshoot a subscription. The best documentation on the utility can be found by using the built-in help which is displayed by running wecutil /? on the command line.
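An added example, not code from the paper, for the speed settings and the wecutil custom settings above: a Python check that reads a subscription definition in the XML layout that wecutil cs consumes, names the wizard speed setting that the stored Delivery values correspond to using the numbers the paper gives (Normal: pull, five items, 15-minute batch timeout; Minimize bandwidth: push, six-hour heartbeat; Minimize latency: push, 30-second timeout), and flags an HTTP transport. The element names follow the Windows Event Collector subscription schema as I know it and are an assumption rather than something shown in the paper; the two subscription documents are constructed samples, with the subscription name Test and the host SERVER1.gcia.gold taken from the paper.

```python
"""Audit a Windows Event Collector subscription definition (the XML that
wecutil cs consumes) against the delivery modes and transports the paper
describes.  Added example, not from the paper; element names follow the
subscription schema as the example's author understands it (assumption)."""
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.microsoft.com/2006/03/windows/events/subscription"}

# Wizard speed settings as the paper describes them, in the milliseconds the
# collector stores.  Anything that matches none of them is Custom.
WIZARD_MODES = {
    "Normal":       {"Delivery": "Pull", "MaxItems": 5, "MaxLatencyTime": 15 * 60 * 1000},
    "MinBandwidth": {"Delivery": "Push", "HeartbeatInterval": 6 * 60 * 60 * 1000},
    "MinLatency":   {"Delivery": "Push", "MaxLatencyTime": 30 * 1000},
}

# Constructed sample layout (assumed schema); values are filled in below.
SUBSCRIPTION_TEMPLATE = """<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>{sid}</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>{mode}</ConfigurationMode>
  <Delivery Mode="{delivery}">
    <Batching><MaxItems>{items}</MaxItems><MaxLatencyTime>{latency}</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="{heartbeat}"/></PushSettings>
  </Delivery>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>{transport}</TransportName>
  <TransportPort>{port}</TransportPort>
  <LogFile>ForwardedEvents</LogFile>
  <EventSources>
    <EventSource Enabled="true"><Address>SERVER1.gcia.gold</Address></EventSource>
  </EventSources>
</Subscription>"""

# The paper's subscription "Test" as the wizard's Normal mode would store it,
# over the port 80 listener that winrm quickconfig creates.
SAMPLE_NORMAL_HTTP = SUBSCRIPTION_TEMPLATE.format(
    sid="Test", mode="Normal", delivery="Pull", items=5, latency=900000,
    heartbeat=900000, transport="HTTP", port=80)

# Custom intervals (the kind wecutil ss can set) over the HTTPS listener.
SAMPLE_CUSTOM_HTTPS = SUBSCRIPTION_TEMPLATE.format(
    sid="SecAudit", mode="Custom", delivery="Push", items=20, latency=60000,
    heartbeat=3600000, transport="HTTPS", port=443)


def load_subscription(xml_text):
    """Pull the delivery and transport settings out of a subscription document."""
    root = ET.fromstring(xml_text)

    def text(path, default=None):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else default

    delivery = root.find("s:Delivery", NS)
    heartbeat = root.find("s:Delivery/s:PushSettings/s:Heartbeat", NS)
    transport = text("s:TransportName", "HTTP").upper()
    return {
        "SubscriptionId": text("s:SubscriptionId"),
        "ConfigurationMode": text("s:ConfigurationMode"),
        "Delivery": delivery.get("Mode") if delivery is not None else None,
        "MaxItems": int(text("s:Delivery/s:Batching/s:MaxItems", "0")),
        "MaxLatencyTime": int(text("s:Delivery/s:Batching/s:MaxLatencyTime", "0")),
        "HeartbeatInterval": int(heartbeat.get("Interval")) if heartbeat is not None else None,
        "TransportName": transport,
        "TransportPort": int(text("s:TransportPort", "443" if transport == "HTTPS" else "80")),
        "Sources": [a.text for a in root.findall("s:EventSources/s:EventSource/s:Address", NS)],
    }


def describe_delivery(sub):
    """Name the wizard speed setting that the stored delivery values match."""
    for name, want in WIZARD_MODES.items():
        if all(sub.get(key) == value for key, value in want.items()):
            return name
    return "Custom"


def audit_subscription(sub):
    """Return human-readable findings: mode label drift and clear-text transport."""
    findings = []
    effective = describe_delivery(sub)
    if sub["ConfigurationMode"] != effective:
        findings.append("%s: ConfigurationMode is %s but delivery %s / %d items / %d ms "
                        "latency / %s ms heartbeat matches %s" % (
                            sub["SubscriptionId"], sub["ConfigurationMode"], sub["Delivery"],
                            sub["MaxItems"], sub["MaxLatencyTime"], sub["HeartbeatInterval"],
                            effective))
    if sub["TransportName"] != "HTTPS":
        findings.append("%s: transport %s on port %d leaves the HTTP headers in clear text; "
                        "HTTPS (443) carries the exchange inside an SSL tunnel" % (
                            sub["SubscriptionId"], sub["TransportName"], sub["TransportPort"]))
    return findings


if __name__ == "__main__":
    for doc in (SAMPLE_NORMAL_HTTP, SAMPLE_CUSTOM_HTTPS):
        sub = load_subscription(doc)
        print(sub["SubscriptionId"], describe_delivery(sub), audit_subscription(sub))
```

The XML file handed to wecutil cs when a subscription was created can be checked with load_subscription as is; the same values are what the paper says wecutil gs reads back from the EventCollector\Subscriptions registry key, so the check is a way to review a collector's subscriptions against the transport policy of the Subscription Security section without walking through the wizard for each one.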
Subscription Security

As described above, there are two services which subscriptions use to forward and receive events from remote hosts. The main focus on security will be based around the Windows Remote Management service which handles the network communication between the subscriber and the forwarder. There are two configuration options when setting up Windows Remote Management which control how the data being transferred is encrypted. The first option is to use HTTP (TCP port 80) which will transmit the data in clear text. The second configuration option is to use HTTPS (TCP port 443) which will use a certificate to encrypt the data via an SSL tunnel.

A test environment was created in order to investigate the security of the HTTP and HTTPS options of the Windows Remote Management service. The test environment includes an Active Directory Domain (GCIA.GOLD) which contains two Windows Server 2008 Standard 32-bit hosts. The domain contains a single domain controller (DC1.GCIA.GOLD / 10.1.1.200) which is the log subscriber, and the log forwarder (SERVER1.GCIA.GOLD / 10.1.1.201). Wireshark 1.0.3 was used to perform multiple packet captures on the subscriber (DC1.GCIA.GOLD).

The packet captures in figures 7 and 8 are from a standard log subscription between DC1 and SERVER1. The TCP three-way handshake and Ethernet layer are not shown. The log subscription in figure 7 was configured using the HTTP option. Although the HTTP layer of the packet is not encrypted, the Windows Remote Management service does not accept traffic that is not encrypted using the Kerberos Security Service Provider or negotiate authentication (Authentication for Remote Connections, 2008). The Windows Remote Management service utilizes Simple Object Access Protocol (SOAP) to transfer data and commands to/from the service (Configuration and Security, 2008). The yellow highlighting in figure 7 shows the Content-Type field of the HTTP header has a value of application/soap+xml indicating that the HTTP header in this transmission was not encrypted. The red highlighting shows that the data portion of the log transmission was encrypted via an encrypted HTTP Kerberos session.


No.  Time      Source      Destination  Protocol  Info
10   0.719618  10.1.1.200  10.1.1.201   HTTP      POST /wsman HTTP/1.1
Internet Protocol, Src: 10.1.1.200, Dst: 10.1.1.201
Transmission Control Protocol, Src Port: 49205 (49205), Dst Port: http (80), Seq: 1, Ack: 1, Len: 2149
Hypertext Transfer Protocol

0000  000c294a7936000c29f63d9e08004500  ..)Jy6..).=...E.
0010  088d1a164000800600000a0101c80a01  ....@...........
0020  01c9c0350050146b5cf033b46d865018  ...5.P.k\.3.m.P.
0030  402917990000504f5354202f77736d61  @)....POST /wsma
0040  6e20485454502f312e310d0a41757468  n HTTP/1.1..Auth
0050  6f72697a6174696f6e3a204b65726265  orization: Kerbe
0060  726f7320594949467251594a4b6f5a49  ros YIIFrQYJKoZI
0070  68766353415149434151427567675763  hvcSAQICAQBuggWc
0080  4d4949466d4b4144416745466f514d43  MIIFmKADAgEFoQMC
0090  4151366942774d46414341414141436a  AQ6iBwMFACAAAACj
snip
07d0  437a4235556b54795067313963583442  CzB5UkTyPg19cX4B
07e0  6f586b6e6c795876484b50726e4d6d2b  oXknlyXvHKPrnMm+
07f0  5533675978446268594e593d0d0a436f  U3gYxDbhYNY=..Co
0800  6e74656e742d547970653a206170706c  ntent-Type: appl
0810  69636174696f6e2f736f61702b786d6c  ication/soap+xml
0820  3b636861727365743d5554462d31360d  ;charset=UTF-16.
0830  0a557365722d4167656e743a204d6963  .User-Agent: Mic
0840  726f736f66742057696e524d20436c69  rosoft WinRM Cli
0850  656e740d0a486f73743a205345525645  ent..Host: SERVE
0860  52312e676369612e676f6c640d0a436f  R1.gcia.gold..Co
0870  6e74656e742d4c656e6774683a20300d  ntent-Length: 0.
0880  0a436f6e6e656374696f6e3a204b6565  .Connection: Kee
0890  702d416c6976650d0a0d0a            p-Alive....


No.  Time      Source      Destination  Protocol  Info
17   1.410407  10.1.1.200  10.1.1.201   HTTP      POST /wsman HTTP/1.1 (multipart/encrypted)
Internet Protocol, Src: 10.1.1.200, Dst: 10.1.1.201
Transmission Control Protocol, Src Port: 49205 (49205), Dst Port: http (80), Seq: 2150, Ack: 342, Len: 953
Hypertext Transfer Protocol
Media Type

0000  000c294a7936000c29f63d9e08004500  ..)Jy6..).=...E.
0010  03e11a194000800600000a0101c80a01  ....@...........
0020  01c9c0350050146b655533b46edb5018  ...5.P.keU3.n.P.
0030  3fd31b660000504f5354202f77736d61  ?..f..POST /wsma
0040  6e20485454502f312e310d0a55736572  n HTTP/1.1..User
0050  2d4167656e743a204d6963726f736f66  -Agent: Microsof
0060  742057696e524d20436c69656e740d0a  t WinRM Client..
0070  436f6e74656e742d547970653a206d75  Content-Type: mu
0080  6c7469706172742f656e637279707465  ltipart/encrypte
0090  643b70726f746f636f6c3d226170706c  d;protocol="appl
00a0  69636174696f6e2f485454502d4b6572  ication/HTTP-Ker
00b0  6265726f732d73657373696f6e2d656e  beros-session-en
00c0  63727970746564223b626f756e646172  crypted";boundar
00d0  793d22456e6372797074656420426f75  y="Encrypted Bou
00e0  6e64617279220d0a486f73743a205345  ndary"..Host: SE
00f0  52564552312e676369612e676f6c640d  RVER1.gcia.gold.
0100  0a436f6e74656e742d4c656e6774683a  .Content-Length:
0110  203730330d0a436f6e6e656374696f6e   703..Connection
0120  3a204b6565702d416c6976650d0a0d0a  : Keep-Alive....
0130  2d2d20456e6372797074656420426f75  -- Encrypted Bou
0140  6e646172790d0a09436f6e74656e742d  ndary...Content-
0150  547970653a206170706c69636174696f  Type: applicatio
0160  6e2f485454502d4b65726265726f732d  n/HTTP-Kerberos-
0170  73657373696f6e2d656e637279707465  session-encrypte
0180  640d0a094f726967696e616c436f6e74  d...OriginalCont
0190  656e743a20747970653d6170706c6963  ent: type=applic
01a0  6174696f6e2f736f61702b786d6c3b63  ation/soap+xml;c
01b0  6861727365743d5554462d31363b4c65  harset=UTF-16;Le
01c0  6e6774683d3339380d0a2d2d20456e63  ngth=398..-- Enc
01d0  72797074656420426f756e646172790d  rypted Boundary.
01e0  0a09436f6e74656e742d547970653a20  ..Content-Type: 
01f0  6170706c69636174696f6e2f6f637465  application/octe
0200  742d73747265616d0d0a3c0000000504  t-stream..<.....
0210  06ff0000001c0000000053f99c742242  ..........S..t"B
0220  e73c38544742490130941e3af0aecf6c  .<8TGBI.0..:...l
0230  6332252863b2ef6227820be75dd294c8  c2%(c..b'...]...
0240  7d798b351790daf71c7f30c8cd6c8967  }y.5......0..l.g
0250  8d9458e39798120e8f8176d1b41b6e3b  ..X.......v...n;
0260  7950f2ef4293330e22382716c5d5ba1c  yP..B.3."8'.....
0270  737751234abbdd6c543956f19cf343a1  swQ#J..lT9V...C.
0280  fe82cc7a740ef970a7bf6ebf62b8a25f  ...zt..p..n.b.._
0290  906c3d9bd819c289209c388d0b9343a9  .l=..... .8...C.
02a0  bcac17e234896ac1307a5f099e83e151  ....4.j.0z_....Q
02b0  b59bb3dc03ad44fb17dfe76d0558ccb5  ......D....m.X..
02c0  e9704de19771db96c4950c99cb5ea575  .pM..q.......^.u
02d0  772eb8e71c0201201855d7830132b17f  w...... .U...2..
02e0  8e3d28ad7dcc1c7517098a3be36ca1ab  .=(.}..u...;.l..
02f0  1376e91bb531d15d7372e80b81f6df02  .v...1.]sr......
0300  2e6db480d5b34a6882d9e64c1b0da10d  .m....Jh...L....
0310  f474e1c1987e0bcad7d232bf8b816fa6  .t...~....2...o.
0320  53eff5e00c645e8a48111308c5e4d4f4  S....d^.H.......
0330  6beca3dac1084856fb8f6f26b79decc9  k.....HV..o&....
0340  e29508be41b9ea3f165a93e29231e6e5  ....A..?.Z...1..
0350  b3602f52fad52eb749364b75fd03d487  .`/R....I6Ku....
0360  69cb27367b3329e60f60713d86201814  i.'6{3)..`q=. ..
0370  084f493fe1e37200c247389ff7815ef6  .OI?..r..G8...^.
0380  5cf4613ec5eec3797b39276b380d36f7  \.a>...y{9'k8.6.
0390  17e19e2248a9b721ffe252e52f514dbf  ..."H..!..R./QM.
03a0  367fe7e8c9a8ce34e2fa76c88e655fd6  6......4..v..e_.
03b0  688f88b96741fbe44240164776dfe04a  h...gA..B@.Gv..J
03c0  a83b2d5d63a963280858d1b6331cc5fa  .;-]c.c(.X..3...
03d0  ba3a956984a8f52c2d2d20456e637279  .:.i...,-- Encry
03e0  7074656420426f756e646172790d0a    pted Boundary..

Figure 7
A log subscription that is configured using the HTTPS option will not contain an unencrypted HTTP header as all data is encrypted in a standard SSL tunnel. Figure 8 shows a full SSL handshake and log transmission from a log subscription configured to use HTTPS. The yellow highlighting shows that this traffic is using TLSv1 and the green highlighting shows the TLS handshake steps as identified by Wireshark. The red highlighting shows the Application Data packet containing the encrypted HTTP header.

No.  Time       Source      Destination  Protocol  Info
51   67.645910  10.1.1.201  10.1.1.200   TLSv1     Client Hello
Internet Protocol, Src: 10.1.1.201, Dst: 10.1.1.200
Transmission Control Protocol, Src Port: 64392 (64392), Dst Port: https (443), Seq: 1, Ack: 1, Len: 146
Secure Socket Layer

0000  000c29f63d9e000c294a793608004500  ..).=...)Jy6..E.
0010  00ba4e5140008006945a0a0101c90a01  ..NQ@....Z......
0020  01c8fb8801bb0bfef777310584dd5018  .........w1...P.
0030  40290d970000160301008d0100008903  @)..............
0040  0148e5623c927b41364ffa50d991a962  .H.b<.{A6O.P...b
0050  e726c7372e1b761fbc2e3d648570c0bb  .&.7..v...=d.p..
0060  f4205423000030bd60f9adf8e081a0c1  . T#..0.`.......
0070  76de76760b85eae81904089ce7098dd1  v.vv............
0080  c2f90018002f00350005000ac009c00a  ...../.5........
0090  c013c014003200380013000401000028  .....2.8.......(
00a0  00000012001000000d6463312e676369  .........dc1.gci
00b0  612e676f6c64000a0008000600170018  a.gold..........
00c0  0019000b00020100                  ........


No.  Time       Source      Destination  Protocol  Info
61   67.648401  10.1.1.200  10.1.1.201   TLSv1     Server Hello, Change Cipher Spec, Encrypted Handshake Message
Internet Protocol, Src: 10.1.1.200, Dst: 10.1.1.201
Transmission Control Protocol, Src Port: https (443), Dst Port: 64392 (64392), Seq: 1, Ack: 147, Len: 138
Secure Socket Layer

0000  000c294a7936000c29f63d9e08004500  ..)Jy6..).=...E.
0010  00b205264000800600000a0101c80a01  ...&@...........
0020  01c901bbfb88310584dd0bfef8095018  ......1.......P.
0030  010018370000160301004a0200004603  ...7......J...F.
0040  0148e5623c3f3f11b7cd0edd671cda08  .H.b<??.....g...
0050  6ea08f8cf22751f5fd0e4a28aa3846d8  n....'Q...J(.8F.
0060  69205423000030bd60f9adf8e081a0c1  i T#..0.`.......
0070  76de76760b85eae81904089ce7098dd1  v.vv............
0080  c2f9002f001403010001011603010030  .../...........0
0090  a712fe7481553bcf8b8d4b43c84b75e6  ...t.U;...KC.Ku.
00a0  bf46bd6d5a529a8a14c4a82604d5904e  .F.mZR.....&...N
00b0  dd13ab5cc672d20c43d3b3085b2470aa  ...\.r..C...[$p.


No.  Time       Source      Destination  Protocol  Info
71   67.651713  10.1.1.201  10.1.1.200   TLSv1     Application Data
Internet Protocol, Src: 10.1.1.201, Dst: 10.1.1.200
Transmission Control Protocol, Src Port: 64392 (64392), Dst Port: https (443), Seq: 147, Ack: 139, Len: 293
Secure Socket Layer

0000  000c29f63d9e000c294a793608004500  ..).=...)Jy6..E.
0010  014d4e534000800693c50a0101c90a01  .MNS@...........
0020  01c8fb8801bb0bfef844310585675018  .........D1..gP.
0030  40060db50000170301012086b0ac4fed  @......... ...O.
0040  f633dfbc80419c26e825820b94ea6f18  .3...A.&.%....o.
0050  362983ac6ccdeb698b1a953c284aeb29  6)..l..i...<(J.)
0060  98038f51f085d6cef422a79e15536815  ...Q....."...Sh.
0070  7238d5fb8a5ab2eac022fca04e423a05  r8...Z..."..NB:.
0080  4e9bcc69eedf7b36a9675d3e7668649b  N..i..{6.g]>vhd.
0090  1055aa782698f288e0bc314c472d20e7  .U.x&.....1LG- .
00a0  e24aef384dbf6c21c2ff58c4eb937429  .J.8M.l!..X...t)
00b0  afb0c8d838d42bfab1a4c423ab3653f0  ....8.+....#.6S.
00c0  ee28be031b545a95e54bcc68470ce3d8  .(...TZ..K.hG...
00d0  514f0033128ace987b4895790168b3a9  QO.3....{H.y.h..
00e0  61820ec070394518bea8ffbedd27fc04  a...p9E......'..
00f0  e864b722b2f5baac754afd3065e0997e  .d."....uJ.0e..~
0100  d3cbc5fd73ba9e9ec7d2cd41a4f5a125  ....s......A...%
0110  310ca3f300030d314c4bf32adadf4de0  1......1LK.*..M.
0120  08aed6ddf6ce3e112e20ed4e2d82e61c  ......>.. .N-...
0130  f11d81b5351bd75e72675cd086fbf61f  ....5..^rg\.....
0140  d30a84519e4ac995033078a63ef307ce  ...Q.J...0x.>...
0150  6b9c5bb3143b55095eedac            k.[..;U.^..

Figure 8

ins
Authentication to the Windows Remote Management service validates the incoming connection request. According to the Microsoft Developer Network documentation, Windows Remote Management supports four types of authentication (Authentication for Remote Connections, 2008).

Basic - the username and password are sent in the authentication exchange. Basic authentication is the least secure authentication type and is disabled by default.

Negotiate - the Windows implementation of the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). This is also known as Windows Integrated Authentication.

Kerberos - a mutual authentication using encrypted keys. The client and server must be members of a domain to use Kerberos authentication.

Client Certificate-based - uses an SSL certificate to authenticate and maps the certificate to a local account. This authentication type is required for communication between non-members and members of a domain.

A log subscription can be configured to forward events from both members and non-members of a domain. Hosts which are members of a domain can forward events using the HTTPS option without the use of a certificate. Non-members of a domain can only forward events using the HTTPS option, and a certificate is required in the default configuration. This default setting can be modified in the Windows Remote Management configuration by allowing Basic authentication and adding the remote host to the TrustedHosts list (Windows Remote Management Glossary, 2008).
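As an added example (not part of the paper and not Microsoft's documentation), the following PowerShell script reads the WinRM settings that govern the authentication options above and flags the weaker configurations the text mentions: Basic authentication enabled, unencrypted transport allowed, a wildcard TrustedHosts list, or no HTTPS listener for certificate-based forwarding. It uses the standard WSMan: provider drive and needs an elevated session on Windows Vista/Server 2008 or later; the collector name collector.example.local and the thumbprint placeholder are assumptions.

```powershell
# Added example, not code from the paper: audit and (optionally) tighten the WinRM
# authentication settings discussed above. Run elevated; requires the WSMan: drive.

function Get-WinRmAuthPosture {
    # Service-side authentication switches (string values 'true'/'false').
    $basic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $negotiate   = (Get-Item WSMan:\localhost\Service\Auth\Negotiate).Value
    $kerberos    = (Get-Item WSMan:\localhost\Service\Auth\Kerberos).Value
    $certificate = (Get-Item WSMan:\localhost\Service\Auth\Certificate).Value
    $unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    # Client-side list of hosts the machine will authenticate to without domain trust.
    $trusted     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

    # Each listener container exposes its selector keys, e.g. {Address=*, Transport=HTTPS}.
    $httpsListener = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }

    $findings = @()
    if ($basic -eq 'true') {
        $findings += 'Basic authentication is enabled (off by default; the password travels in the exchange).'
    }
    if ($unencrypted -eq 'true') {
        $findings += 'AllowUnencrypted is true: the service accepts requests that are not protected by HTTPS.'
    }
    if ($trusted -eq '*') {
        $findings += 'TrustedHosts is "*": the client trusts every remote host, so server identity is never checked.'
    }
    if (-not $httpsListener) {
        $findings += 'No HTTPS listener: non-domain forwarders cannot use the certificate-based option.'
    }

    [pscustomobject]@{
        Basic            = $basic
        Negotiate        = $negotiate
        Kerberos         = $kerberos
        Certificate      = $certificate
        AllowUnencrypted = $unencrypted
        TrustedHosts     = $trusted
        HttpsListener    = [bool]$httpsListener
        Findings         = $findings
    }
}

function Set-WinRmAuthBaseline {
    # Corrected settings beside the weak ones flagged above. $Collector and $Thumbprint
    # are assumed placeholders; supply the collector's name and a real server certificate
    # thumbprint from the local machine store before running.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Collector  = 'collector.example.local',
        [string]$Thumbprint = '<server-certificate-thumbprint>'
    )

    if ($PSCmdlet.ShouldProcess('WinRM service', 'disable Basic auth and unencrypted traffic')) {
        Set-Item WSMan:\localhost\Service\Auth\Basic     -Value $false
        Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    }
    if ($PSCmdlet.ShouldProcess('WinRM client', "limit TrustedHosts to $Collector")) {
        # A single named host instead of '*'; -Force suppresses the confirmation prompt.
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Collector -Force
    }
    if ($PSCmdlet.ShouldProcess('WinRM listener', 'create HTTPS listener')) {
        # HTTPS listener bound to the server certificate, so non-domain hosts can use
        # the certificate-based option described in the text.
        New-WSManInstance -ResourceURI 'winrm/config/Listener' `
            -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
            -ValueSet    @{ CertificateThumbprint = $Thumbprint }
    }
}

# Report the current posture; findings are empty on a host that matches the defaults
# described in the text (Basic off, HTTPS only, named TrustedHosts, HTTPS listener present).
Get-WinRmAuthPosture | Format-List
```

Run `Get-WinRmAuthPosture` first and treat each finding as a decision point rather than an error: a host that deliberately enables Basic authentication and TrustedHosts for non-domain forwarding, as the paragraph above describes, should at least keep AllowUnencrypted false so the exchange stays inside HTTPS. `Set-WinRmAuthBaseline -WhatIf` shows what would change without touching the configuration.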

rig
4. Conclusion

The EVTX format and the Windows Event Logging framework include many new features which give security professionals and IT administrators more power to accurately correlate and aggregate logs in a Windows environment. The EVTX format includes new fields which can store data that can be filtered and sorted via the underlying XML structure. The use of log subscriptions takes the pain out of log aggregation in a Windows environment, and log subscriptions can be deployed across an entire domain with the help of Active Directory. These changes and enhancements should allow organizations to meet the auditing and compliance requirements that may be imposed in many environments.

5. References

Authentication for Remote Connections. (2008, May 15). Retrieved July 18, 2008, from Microsoft Web site: http://msdn.microsoft.com/en-us/library/aa384295(VS.85).aspx

Configuration and Security. Retrieved September 28, 2008, from Microsoft Web site: http://technet.microsoft.com/en-us/library/cc782312.aspx

Event Logs and Channels in Windows Event Log. (2008, September 19). Retrieved September 22, 2008, from Microsoft Web site: http://msdn.microsoft.com/en-us/library/aa385225.aspx

Event Properties. Retrieved July 18, 2008, from Microsoft Web site: http://technet.microsoft.com/en-us/library/cc765981.aspx

Event Representation for Event Consumers. (2008, September 19). Retrieved September 22, 2008, from Microsoft Web site: http://msdn.microsoft.com/en-us/library/aa385229.aspx

Fitzgerald, E. (2007, April 18). Vista Security Events Get Noticed. Message posted to http://blogs.msdn.com/ericfitz/archive/2007/04/18/vista-security-events-get-noticed.aspx

Menn, V. (2006, November). Windows Vista: New Tools for Event Management in Windows Vista. TechNet Magazine. Retrieved September 10, 2008, from Microsoft Web site: http://technet.microsoft.com/en-us/magazine/cc160886.aspx

Setting up a Source Initiated Subscription. (2008, September 19). Retrieved September 23, 2008, from Microsoft Web site: http://msdn.microsoft.com/en-us/library/bb870973(VS.85).aspx

Shields, G. (2007, August). Syslog 20 Years Later. Redmond Magazine. Retrieved August 2, 2008, from: http://redmondmag.com/columns/article.asp?editorialsid=1868

Windows Remote Management Glossary. (2008, May 15). Retrieved July 18, 2008, from Microsoft Web site: http://msdn.microsoft.com/en-us/library/aa384465(VS.85).aspx

