So we got hit with some virus this week, and it really put security at the top of our list again. A couple of things happened as a result of this. First and foremost, the virus spread because someone hadn't rolled out a patch from the WSUS server. I ran Microsoft's Baseline Security Analyzer against the machines in our site and it came up clean after I rolled out that patch.
We had been toying with the idea of what to do about Java, Adobe Reader, and Adobe Flash patches for some time, and I ran across a really nice product by Dameware (now owned by Solarwinds) called Dameware Patch Manager, and since we had some money to spend before the end of the year I was able to buy it. The nice thing about this is that it pushes patches out using your existing WSUS infrastructure, so we'll be getting the (seemingly) hundreds of different versions of Java et al patched up to current. That'll negate some other nasty attack vectors. It also ties into WSUS to give you a lot more reporting options. WSUS reports have always irritated me, and I hope that when I get this deployed early next year that I'll be able to clean that up. I'll keep you up to date. I looked at Ninite Pro, but it didn't give me the side-benefit of advanced WSUS reporting.
One of the actions of the virus was that it was trying to brute force a few accounts. I was able to trace the infection using the security log on our domain controllers, but there's got to be a better way! The best way is buying a SEIM device (Security Event and Incident Manager, which monitors logs and other things for security incidents and notifies you automatically) or software to monitor all of our logs. Since I really don't have the cash to get SEIM up and running, I decided to write a Powershell script that would comb through the security logs on our domain controllers and report any bad password attempts.
I tried to pull this off entirely with Powershell, but working with the Windows event logs remotely from within Powershell was proving tedious and slow. I found an app called ElDump that will import the logs into a text file. The download like from the main site for ElDump (here) is broken, so I had to scour Google for it, but I found it. It's a marvelous little thing, really! Also, I tried to get one block of script working for all 4 of my domain controllers, but in the end I just copied and pasted the block I had working and changed the name of the target server and output file names because I had better things to do than write beautiful script.
Here it is. My explanations are in the comment lines (comment begin with a # symbol):
THIS POWERSHELL SCRIPT ONLY WORKS FOR WINDOWS 2003 DC'S. READ MY MEA CULPA AND THE TECHNIQUE FOR 2008/2008R2 DC'S HERE.
#Use ElDump to export and events in the security log with ID 675 in the past 24 hours from dc1 and redirect output to junk.txt
C:\eldump\eldump.exe -l security -e 675 -O dts -m Security -A 24 -s \\dc1 -M >> junk.txt
#Create Output file variable
$File = "C:\badlogins-DC1.txt"
#Grab the content, whittle it down to include only lines containing "0x18" (bad password) and output to file. I had to change the width so it wouldn't wrap.
Get-Content junk.txt | select-string -pattern "0x18" | out-file -width 140 $File
#Delete the first file, set a string variable for use with the email subject and body, email the file, and delete the output file
del junk.txt
$Text = "Password Failures from DC1"
Send-Mailmessage -from "administrator@foo.com" -to me@foo.com -subject $Text -smtpserver mailserver1 -body $Text -attachments $File
del $File
A side benefit to this script was that I found a long-forgotten scheduled task that couldn't run because the stored password was bad. Good times.
EDIT: For Windows 2008 (and up) servers, you need to change the ElDump command to return event 4771 instead of 675.
C:\eldump\eldump.exe -l security -e 675 -O dts -m Security -A 24 -s \\dc1 -M >> junk.txt
#Create Output file variable
$File = "C:\badlogins-DC1.txt"
#Grab the content, whittle it down to include only lines containing "0x18" (bad password) and output to file. I had to change the width so it wouldn't wrap.
Get-Content junk.txt | select-string -pattern "0x18" | out-file -width 140 $File
#Delete the first file, set a string variable for use with the email subject and body, email the file, and delete the output file
del junk.txt
$Text = "Password Failures from DC1"
Send-Mailmessage -from "administrator@foo.com" -to me@foo.com -subject $Text -smtpserver mailserver1 -body $Text -attachments $File
del $File
A side benefit to this script was that I found a long-forgotten scheduled task that couldn't run because the stored password was bad. Good times.
EDIT: For Windows 2008 (and up) servers, you need to change the ElDump command to return event 4771 instead of 675.
Hi Charles,
ReplyDeleteFor log analysis and reporting/alerting we use a product called splunk, you can check it out at splunk.com. It's pricing is based on the amount of logs you index, but you can also use it for free if you index 500MB/day. The nice thing about this tool is the ability to create dashboards, and you can easily tell by a quick look what's going on. I have a local install that I use for ad-hoc log analysis, helps a lot with aligning event's from multiple logs to a specific time period.
Thanks, I will check it out!
ReplyDeleteHi Omar,
ReplyDeleteIm using splunk to collects wsus report but unfortunately im only able to received un important report ..I try index=wsus but still unable to get useful report .any idea that you can help me to do a search command line.