Uncovering Windows Security Events – Security Boulevard


Part 1: TelemetrySource

Data is the foundation on which defenses are built. This data can come from a variety of telemetry sources – native logging, Endpoint Detection and Response (EDR) tools, network logging, and so on. Data from these sources gives us insight into the activity occurring on a given machine – users logging in, processes being created, incoming network traffic, and so on. Knowing this, I have always wondered:

  • How is this data generated?
  • How do we know we can trust this data when it is generated?
  • How can attackers avoid event generation, minimizing evidence of their presence?

These questions led me down the path of finding out where this data comes from once it is generated and presented to me.

One of the most common sources of events within Windows is Windows Security Events. Because of my curiosity about how this data is generated, and because I have to interface with security events so often, I decided to answer the questions above by reverse-engineering the generation of these events.

This post walks you through a high-level overview of a new project called TelemetrySource, highlights the project as it relates to security events, and describes what defenders can do with this information.

There will be two other posts in this series: one will go through a low-level walkthrough of the methodology/process I followed to uncover these findings, and the other will highlight the offensive tradecraft made possible by this research effort.

TelemetrySource

TelemetrySource is an open-source project being released to give defenders mappings of how different sources generate telemetry. I released a similar project that focused on mapping APIs to Sysmon events back in 2019. That project has been moved into TelemetrySource for easier management and expansion.


Outside of Sysmon events, TelemetrySource shows how 37 Microsoft-Windows-Security-Auditing (Windows Security) events are generated. The goal is to uncover how other events are generated over time; however, the project was initially scoped to release events related to the following audit subcategories:

  • Audit Logon
  • Audit Logoff
  • Audit File System
  • Audit Kernel Object
  • Audit Registry
  • Audit Removable Storage
  • Audit Directory Service Access
  • Audit SAM
  • Audit Special Logon
  • Audit Sensitive Privilege Use
  • Audit Non-Sensitive Privilege Use
  • Audit Process Creation
  • Audit Process Termination
  • Audit Handle Manipulation
  • Audit Security System Extension
  • Audit Other Object Access Events
  • Audit Computer Account Management
  • Audit Kerberos Authentication Service
  • Audit Kerberos Service Ticket Operations
  • Audit User Account Management
  • Audit Detailed File Share
  • Other System Events

In the Microsoft-Windows-Security-Auditing section there is a link to a Google Sheet that shows the code flow for event creation.

The code flow is made up of three sections:

  1. Operational Functions – Higher-level functions that perform an operation in which Microsoft embeds an event processing function.
  2. Event Processing Functions – Undocumented Microsoft functions used to initiate the event auditing process. It is important to note: if this function is not hit, the corresponding event will not be generated.
  3. Event Emission Function – Either ntdll!EtwWriteUMSecurityEvent or nt!EtwWriteKMSecurityEvent, which starts the process of writing the event to the Microsoft-Windows-Security-Auditing ETW provider.

What does this mean? Let's look at Event ID 4688 – Process Creation as an example:

Operational Functions:

  1. NtCreateUserProcess, PspInsertProcess
  2. PsCreateMinimalProcess, PspInsertProcess
  3. PspCreateProcess, PspInsertProcess

Each of these three options is a kernel-level code flow that occurs when a process is created; think of them as separate paths. At the end of each path is a function (PspInsertProcess) that calls an event processing function (SeAuditProcessCreation), which starts gathering the information needed to create the event. This function "builds" the event and passes it to the event emission function, EtwWriteKMSecurityEvent, which writes the event to the Microsoft-Windows-Security-Auditing provider. If there were a way to create a process without calling PspInsertProcess, that alternate path would never reach SeAuditProcessCreation and would therefore not generate event 4688.

Any Event Trace session that subscribes to the Microsoft-Windows-Security-Auditing provider will then be able to receive these events. EventLog-Security is a built-in trace session that links these events to the Windows Event Log.
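As an added check (not code from the post or the TelemetrySource project), the PowerShell below confirms on a live host the plumbing described above for 4688: that the built-in EventLog-Security session subscribes to the Microsoft-Windows-Security-Auditing provider, that the provider's registered manifest defines event 4688 and which fields it carries, and that the Process Creation audit subcategory is enabled. It assumes an elevated session; logman, Get-WinEvent and auditpol are built-in Windows tools.

```powershell
# Added example, not part of TelemetrySource. Run from an elevated PowerShell session.
$provider = 'Microsoft-Windows-Security-Auditing'

# 1. Trace session -> provider linkage.
#    'logman query <session> -ets' lists the providers a running trace session is consuming.
$sessionInfo = logman query 'EventLog-Security' -ets 2>&1
$subscribed  = $null -ne ($sessionInfo | Select-String -SimpleMatch $provider)
"EventLog-Security subscribes to ${provider}: $subscribed"

# 2. Provider manifest -> event definition.
#    Get-WinEvent -ListProvider returns the registered metadata, including every event id.
$meta    = Get-WinEvent -ListProvider $provider
$evt4688 = $meta.Events | Where-Object { $_.Id -eq 4688 }
"Event 4688 defined in manifest: $($null -ne $evt4688)"
if ($evt4688) {
    # The template lists the data fields the kernel-side flow (SeAuditProcessCreation)
    # has to populate before EtwWriteKMSecurityEvent emits the event.
    [xml]$tmpl = $evt4688.Template
    'Fields: ' + (($tmpl.template.data | ForEach-Object { $_.name }) -join ', ')
}

# 3. Audit policy gate for the 'Audit Process Creation' subcategory.
#    Even when PspInsertProcess is reached, no 4688 is written if this is set to 'No Auditing'.
auditpol /get /subcategory:"Process Creation"
```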

A note: within this project you will see two event emission functions, EtwWriteKMSecurityEvent and EtwWriteUMSecurityEvent. You can think of the difference between the two functions as "KM/UM". If your assumption is that one function was made for user-mode (UM) and the other for kernel-mode (KM), you would be correct. Matt Graeber told me about the user-mode function, ntdll!EtwWriteUMSecurityEvent, when I was initially starting this project. This information really accelerated my research, so many thanks to him for exposing me to it and for being awesome 🙂 .

DrawIO files are attached to each flow in the Microsoft-Windows-Security-Auditing section of the Google Sheet. I chose DrawIO files because they are easy to update and anyone can view them as long as they have VSCode with the GitHub drawio extension. This can be done locally or on the web within GitHub if you right click on the DrawIO file and choose the Open in github.dev option.

Here is an example for the 4688 event above:

Defender Usage

I have always found that the only way defenders can trust the data exposed to them is to know the means by which it is generated and what the event relies on as its trigger. If we cannot trust the data a detection is built on, then that detection rests on nothing more than our best insight.

I wanted to turn this confidence factor into something practically useful for defenders, which led me to the following questions:

  1. For each event, does the generation happen in user-mode or kernel-mode?
  2. Which function was responsible for starting the auditing process?
  3. What was the operational flow that led to the event creation?

These questions helped shape the end product of this research, which seeks to answer them. Of course, other questions and hypotheses arise from this research, but they will be discussed in the third part of this series. Let me guide you to where these answers can be found within the project:

  1. For each event, does the generation happen in user-mode or kernel-mode?
     The Event Emission Function column contains the EtwWrite*SecurityEvent function. UM = user-mode and KM = kernel-mode.
  2. Which function was responsible for starting the auditing process?
     Within the Google Sheet there is a function in parentheses under Event Processing Functions; this function is responsible for starting the collection/packaging of the data needed for event creation.
  3. What was the operational flow that led to the event creation?
     This can be found under Operational Functions within the Google Sheet and within the DrawIO files. It is worth noting that in cases where the operational flow was in kernel-mode, I did not trace it back to user-mode. That means, looking at the process creation example above, I did not trace the flow up to a Win32 API such as CreateProcessW.

My hope is that defenders can take this information, and future iterations of it, to help them understand the reliability of the data they are building their detections on, and also understand what operational flows the event was built upon. This research is meant to inform defensive capabilities: when one telemetry source is built on a more reliable flow than another, use the event from that source instead.

If anyone has suggestions for how this project could be updated to help defenders, please get in touch and let's discuss. I am open to feedback.


This post was meant to highlight a new open-source project I am releasing, TelemetrySource. It is meant to show how events can be obtained from different sources and how they are generated. Right now, the two sources are Sysmon (which will be updated soon) and Windows Security Events (the Microsoft-Windows-Security-Auditing ETW provider). Future iterations will have updates to both of these sources, as well as research into other ETW providers and how they get their data.

Please stay tuned for the next part of this series, where I will dive deeper into the process/methodology I used to uncover these findings.

Uncovering Windows Security Events was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog post from SpecterOps Team Members – Medium, written by Jonathan Johnson. Read the original post here: https://posts.specterops.io/uncovering-window-security-events-ab72e1ec745c?source=rss----f05f8696e3cc---4
