```ini
# Plugin wmi-application-logger id:1518 version: 0.0.2
# Last modification: 2015-05-13 16:11
#
# Plugin Selection Info:
# AlienVault:WMI Application Logger:-
#
# END-HEADER
# Accepted products:
# alienvault - plugin-wmi -
# Description:
#

[DEFAULT]
plugin_id=1518

[config]
type=detector
enable=yes
source=wmi
credentials_file=/etc/ossim/agent/wmi_credentials.csv
sleep=10
process=
start=no
stop=no

[start_cmd]
cmd=wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select LogFile,RecordNumber from Win32_NTLogEvent Where Logfile = 'Application'" | head -n 3 | tail -n 1 | cut -f 2 -d \|
regexp=

[cmd]
cmd = wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select ComputerName,EventCode,Logfile,Message,RecordNumber,SourceName,TimeWritten,User from Win32_NTLogEvent Where Logfile = 'Application' and RecordNumber > OSS_COUNTER" | cat
start_regexp=^([^\|]+)\|(\d+)\|([^\|]+)\|
regexp="^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|(?P<timewritten>[^\|]+)\|(?P<username>.*)$"
src_ip={resolv($0)}
plugin_sid={$1}
userdata2={$2}
userdata3={$3}
userdata4={$4}
userdata5={$5}
userdata6={$6}
username={$7}
```
You use [start_cmd] and [cmd] to return the last WMI Application event and start reading from that event.
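As an added example (not code from the plugin or this page), the following Python applies the [cmd] regexp and its positional field mapping to a constructed sample of what `wmic ... | cat` prints. The second sample row carries a `|` inside the Message field, which the plugin's `[^\|]+` pattern cannot contain, so its fields shift to the right; the host names and rows are constructed, not captured output.

```python
import re

# Regular expression copied from the [cmd] section of the plugin configuration.
EVENT_RE = re.compile(
    r"^(?P<system_name>[^\|]+)\|(?P<plugin_sid>\d+)\|(?P<logfile>[^\|]+)\|"
    r"(?P<message>[^\|]+)\|(?P<recordnumber>[^\|]+)\|(?P<sourcename>[^\|]+)\|"
    r"(?P<timewritten>[^\|]+)\|(?P<username>.*)$"
)

# Field mapping from the plugin: group 1 is handed to resolv() for src_ip and
# the remaining groups map positionally onto plugin_sid, userdata2..6, username.
FIELD_MAP = {
    "src_ip": "system_name",      # the agent resolves this name to an IP
    "plugin_sid": "plugin_sid",   # the Windows EventCode
    "userdata2": "logfile",
    "userdata3": "message",
    "userdata4": "recordnumber",
    "userdata5": "sourcename",
    "userdata6": "timewritten",
    "username": "username",
}


def parse_wmic_output(text):
    """Return one event dict per matching row.

    The CLASS line and the column header printed by wmic do not match the
    regexp (no pipes, or a non-numeric EventCode column) and are skipped.
    """
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append({field: m.group(group) for field, group in FIELD_MAP.items()})
    return events


# Constructed sample of wmic output (hypothetical host WIN-APP01, made-up events).
SAMPLE = """CLASS: Win32_NTLogEvent
ComputerName|EventCode|Logfile|Message|RecordNumber|SourceName|TimeWritten|User
WIN-APP01|1000|Application|Faulting application name: app.exe|4711|Application Error|20150513161100.000000+000|WIN-APP01\\Administrator
WIN-APP01|1001|Application|Fault bucket 12|type 4|4712|Windows Error Reporting|20150513161200.000000+000|(null)
"""

if __name__ == "__main__":
    for event in parse_wmic_output(SAMPLE):
        print(event)
```

In the second event the `|` inside the message makes `userdata4` (RecordNumber) receive `type 4` and pushes the real record number into `userdata5`, while `username` absorbs everything after the last expected field, so a message containing a pipe silently misaligns the stored fields.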
Create a new user in the Windows host (without any administrator privileges) who can connect remotely. In this example, we use “wmiuser” as the username and “wmi” as the password.
Important: This step is performed to make the connection more secure.
Enable remote access and activation permissions for the user account you just created.
Type Dcomcnfg in the empty field and press Enter.
Click the COM Security tab, then Edit Limits under Access Permissions.
Click ANONYMOUS LOGON, enable Allow Remote Access, and then click OK.
Click Apply.
On the COM Security tab, under Launch and Activation Permissions, select Edit Limits, then click Add.
In the empty field of the popup that appears, type the username for the new user account and click OK.
On the Launch and Activation Permissions dialog box, select Remote Launch, Local Activation, and Remote Activation. Click OK.
Click Apply, and then OK.
Connect to the Sheriff Console through SSH and use your credentials to log in.
The Sheriff Setup menu is displayed.
On the Sheriff Setup main menu, select Jailbreak System to gain command line access.
Select Yes when prompted. You will be in the root directory.
Create a wmi_credentials.csv file:

vim /etc/vigilante/agent/wmi_credentials.csv
Add the IP address, user, and password of each Windows host, one per line, in the following format:

xxx.xxx.x.x,<domain_name>\\<wmiuser>,<password>

Example:

233.200.7.0, mydomain_name\\mr_big,uguessed1t

If you do not use a domain, enter the following instead:

xxx.xxx.x.x,<username>,<password>
Save the file.
Specify the path to the wmi_credentials.csv file you just created. You will need command line access to Sheriff CSM to complete this task.

To specify the path to the WMI credentials file

Depending on which plugin you've enabled, locate the WMI configuration file or files in your Sheriff CSM instance. The file may be at any of the following locations:

/etc/vigilante/agent/plugins/wmi-application-logger.cfg
/etc/vigilante/agent/plugins/wmi-monitor.cfg
/etc/vigilante/agent/plugins/wmi-security-logger-srv2008.cfg
/etc/vigilante/agent/plugins/wmi-security-logger.cfg
/etc/vigilante/agent/plugins/wmi-system-logger.cfg

Create the file <wmi-xxxx-plugin>.cfg.local matching the plugin you chose and enter the path to your wmi_credentials.csv file in the credentials_file field.

Example:

[config]
credentials_file=/etc/vigilante/agent/wmi_credentials.csv
Save the file.