LEM questions on windows event filtering

Question

Hi guys,

We are new to LEM and are hoping you are able to guide us in the right direction as it looks like LEM is not able to do it....

* Detect event log cleared event? (1130,1102,104) or any event log events
In the windows event log these events indicate the log was cleared. I can’t find them in the LEM (I’ve created those events)
* Build a rule for an IP address or user account enumerating available shares internally
Attacker scanning available shares on the network, not targeting a specific person but if an endpoint hits 5 different shares in 1 minute we want to know.
* Search for application crash events?
*AppCrash* in application log indicates attacker attempting buffer overflow etc
* New Windows Service created?
* Mitigation of pass the hash means we need to look at event 4624 ‘LogonType=3’ ‘TargetUserName!=Anonymous Logon’ ‘TargetDomainName!=%ourdomain%’
* AV service disabled, there is an event generated by McAfee when stopped. Alert and restart?
We have created what the rule which looks for this, but the events dont appear to be forwarded/processed by the LEM.

If LEM cannot do these things we will look at alternatives.

Thanks

FormerMember · Answer

1 - I’ve looked and see no events on the lem when we clear the event log

That's odd - but if they are in the event log and for some reason not being captured, that's fixable on the connectors side.

2 - We are not sure what you mean..

My question is, I suppose, whether you already have log data you're looking for that shows this that you want to automate, or if you're looking for ways that you could detect it. If you've already got events in mind, we can automate that.

4 - So we need to look at the registry and not the log files?

To my knowledge this won't appear in log files - but if you have evidence otherwise, again, we can automate that. Based on what I know and have seen in the field, the log WILL show when a new service starts, but it WON'T show when a new service is created but not yet started. Since that data does exist in the registry, you can use LEM's built in File Integrity Monitoring to look for it there. Or, if knowing when a service starts is sufficient, you can do that, but to do that you'd want to build a list of "known" services.

5 - We can’t rely on the AV tell us that it’s been disabled. We can’t see those service stopped events reaching the LEM

That's true - so the question is back to what log data you do have that shows you that.

smiffy85 · Answer

Hi,

I have been discussing this with the IT Security Team, please see their responses as below

1 - I’ve looked and see no events on the lem when we clear the event log
2 - We are not sure what you mean..
3 - 
4 - So we need to look at the registry and not the log files?
5 - We can’t rely on the AV tell us that it’s been disabled. We can’t see those service stopped events reaching the LEM

It very much looks like this is not the SIEM we are looking for and may have to look elsewhere.

FormerMember · Answer

These should all doable, it's just a matter of finding the right events.

* Event Log Cleared - I think this one comes in as ObjectDelete, there's an out of the box rule that might already find it. Otherwise, if you have a test system, an easy thing to do is to generate one and observe where it comes from in Monitor (or nDepth) so you can piece together how it works. 
* Enumerating shares - this one might depend on how you want to do it or what log data you would like to use. One way would probably be to look for MachineLogon/Failure events to distinct InsertionIPs from the same SourceMachine (this would rely on Windows Event Log logging computer account logons). If you have an IDS, some of them also trigger on listing available shares and you could build the rule that way, too.
* Application crashes - these will probably be caught as ServiceWarning or Error events. There's a bit in the LEM application/system log connectors that look for any critical/warning/error events and generates events. You could build a rule that looks for something like Service/Process Events where EventInfo (or ProviderSID if AppCrash is the name in the event log) = *AppCrash*
* New Service Created - in this case you might want to use File Integrity Monitoring to look for new registry keys being created in that area of the registry. You can pick up when they are being started with event logs alone, which might be another approach (that will be one step "behind" the service creation, but you could use the "Stop Service" active response to respond by stopping the service before you remediate).
* 4624 Pass the Hash - these should come in most likely as UserLogons and that detail should be present in the fields (e.g. SourceDomain/DestinationDomain and SourceAccount/DestinationAccount). 
* AV Service Disabled - most likely you'll see ServiceStop events from the AV generated when this happens - if you're not seeing them, it depends on how the connectors are configured (using ePO to forward data to LEM?). Might need to update the connectors to pick up the log data if you're seeing the events in the original log, just not in the LEM console.