Windows.EventLogs.RemoteAccessVPN

This Artifact enables scoping EventLogs from Microsoft VPN, served by Remote Access Service server role. It is designed to assist in identifying VPN connections on organizations that are using Microsoft VPN service. It targets both server and client side logs.

This artifact parses EvtxHunter output and returns a set of fields in results. An unparsed data field is availible in the hidden _RawData field.

There are several parameter’s available for search leveraging regex.

  • ClientEvtxGlob glob of VPN Client EventLogs to target. Default to Application.evtx.
  • ServerEvtxGlob glob of VPN Server EventLogs to target. Default to System.evtx.
  • NPSLogsGlob glob of NPS Server Text Logs to target.
  • dateAfter enables search for events after this date.
  • dateBefore enables search for events before this date.
  • IocRegex enables regex search over the message field.
  • IgnoreRegex enables a regex whitelist for the Message field.
  • SearchVSS enables searching over VSS.

name: Windows.EventLogs.RemoteAccessVPN
author: Théo Letailleur, Synacktiv 
description: |
  This Artifact enables scoping EventLogs from Microsoft VPN, served by 
  Remote Access Service server role. 
  It is designed to assist in identifying VPN connections on organizations that 
  are using Microsoft VPN service. It targets both server and client side logs.
  
  This artifact parses EvtxHunter output and returns a set of fields in results.
  An unparsed data field is availible in the hidden _RawData field.
  
  There are several parameter's available for search leveraging regex.  
  
    - ClientEvtxGlob glob of VPN Client EventLogs to target. Default to Application.evtx.  
    - ServerEvtxGlob glob of VPN Server EventLogs to target. Default to System.evtx.
    - NPSLogsGlob glob of NPS Server Text Logs to target.
    - dateAfter enables search for events after this date.  
    - dateBefore enables search for events before this date.
    - IocRegex enables regex search over the message field.
    - IgnoreRegex enables a regex whitelist for the Message field.  
    - SearchVSS enables searching over VSS.  
    

reference:
    - https://www.synacktiv.com/publications/forensic-aspects-of-microsoft-remote-access-vpn.html
    - https://learn.microsoft.com/en-us/windows-server/remote/remote-access/remote-access

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: ClientEvtxGlob
    default: '%SystemRoot%\System32\Winevt\Logs\Application.evtx'
    description: "EVTX file path glob where RAS Client logs are stored"
  - name: ServerEvtxGlob
    default: '%SystemRoot%\System32\Winevt\Logs\System.evtx'
    description: "EVTX file path glob where RAS Server logs are stored"
  - name: NPSLogsGlob
    default: '%SystemRoot%\System32\LogFiles\IN*'
  - name: IocRegex
    default: .
    type: regex
  - name: IgnoreRegex
    description: "Regex of string to whitelist"
    type: regex
  - name: SearchVSS
    description: "Add VSS into query."
    type: bool
  - name: DateAfter
    type: timestamp
    description: "search for events after this date. YYYY-MM-DDTmm:hh:ssZ"
  - name: DateBefore
    type: timestamp
    description: "search for events before this date. YYYY-MM-DDTmm:hh:ssZ"

sources:
  - name: VPN Server
    description: VPN Server event logs
    query: |
      LET VPNServerIdRegex = '^(20250|20253|20255|20271|20272|20274|20275)$'

       -- User
      LET extract_user(eventid, eventdata) =
                if(condition=eventid=20271,then=format(format='''%v''', args=[eventdata[1]]), else=
                if(condition=(eventid=20250 OR eventid=20253 OR eventid=20255 OR eventid=20272 OR eventid=20274),then=format(format='''%v''', args=[eventdata[2]]), else=
                if(condition=eventid=20275,then="N/A")
            ))      
    
      -- TunnelIP
      LET extract_tunnelip(eventid, eventdata) =
                if(condition=eventid=20274,then=format(format='''%v''', args=[eventdata[4]]), else=
                if(condition=eventid=20275,then=format(format='''%v''', args=[eventdata[2]])
            ))  

      -- ExternalIP
      LET extract_externalip(eventid, eventdata) =
                if(condition=eventid=20271,then=format(format='''%v''', args=[eventdata[2]]))
    
      SELECT EventTime,Computer,Channel,Provider,EventID,extract_user(eventid=EventID,eventdata=EventData.Data) as User, extract_tunnelip(eventid=EventID, eventdata=EventData.Data) as TunnelIP, extract_externalip(eventid=EventID, eventdata=EventData.Data) as ExternalIP, EventData.Data[1:] as ExtraInfo,Message,EventData.Data as _RawData
      FROM Artifact.Windows.EventLogs.EvtxHunter(
                        EvtxGlob=ServerEvtxGlob,
                        IocRegex=IocRegex,
                        IdRegex=VPNServerIdRegex,
                        WhitelistRegex=IgnoreRegex,
                        DateAfter=DateAfter,
                        DateBefore=DateBefore, 
                        SearchVSS=SearchVSS )

  - name: VPN Clients
    description: VPN Client event logs
    query: |
      LET VPNClientIdRegex = '^(20220|20221|20222|20223|20224|20225|20226|20227)$'

      SELECT EventTime,Computer,Channel,Provider,EventID,EventData.Data[1] as User, EventData.Data[2:] as ExtraInfo,Message,EventData.Data as _RawData
      FROM Artifact.Windows.EventLogs.EvtxHunter(
                        EvtxGlob=ClientEvtxGlob,
                        IocRegex=IocRegex,
                        IdRegex=VPNClientIdRegex,
                        WhitelistRegex=IgnoreRegex,
                        DateAfter=DateAfter,
                        DateBefore=DateBefore, 
                        SearchVSS=SearchVSS )    

  - name: NPS Server
    description: Retrieve NPS Server logs (also available in the Microsoft VPN server)
    query: |
        SELECT * FROM foreach(
           row={
              SELECT FullPath FROM glob(globs=expand(path=NPSLogsGlob))
           },
           query={
               SELECT * from parse_csv(filename=FullPath, columns=["ComputerName","ServiceName","Record-Date","Record-Time","Packet-Type","User-Name","Fully-Qualified-Distinguished-Name","Called-Station-ID","Calling-Station-ID","Callback-Number","Framed-IP-Address","NAS-Identifier","NAS-IP-Address","NAS-Port","Client-Vendor","Client-IP-Address","Client-Friendly-Name","Event-Timestamp","Port-Limit","NAS-Port-Type","Connect-Info","Framed-Protocol","Service-Type","Authentication-Type","Policy-Name","Reason-Code","Class","Session-Timeout","Idle-Timeout","Termination-Action","EAP-Friendly-Name","Acct-Status-Type","Acct-Delay-Time","Acct-Input-Octets","Acct-Output-Octets","Acct-Session-Id","Acct-Authentic","Acct-Session-Time","Acct-Input-Packets","Acct-Output-Packets","Acct-Terminate-Cause","Acct-Multi-Ssn-ID","Acct-Link-Count","Acct-Interim-Interval","Tunnel-Type","Tunnel-Medium-Type","Tunnel-Client-Endpt","Tunnel-Server-Endpt","Acct-Tunnel-Conn","Tunnel-Pvt-Group-ID","Tunnel-Assignment-ID","Tunnel-Preference","MS-Acct-Auth-Type","MS-Acct-EAP-Type","MS-RAS-Version","MS-RAS-Vendor","MS-CHAP-Error","MS-CHAP-Domain","MS-MPPE-Encryption-Types","MS-MPPE-Encryption-Policy","Proxy-Policy-Name","Provider-Type","Provider-Name","Remote-Server-Address","MS-RAS-Client-Name","MS-RAS-Client-Version"])
           })