This Artifact enables scoping EventLogs from Microsoft VPN, served by Remote Access Service server role. It is designed to assist in identifying VPN connections on organizations that are using Microsoft VPN service. It targets both server and client side logs.
This artifact parses EvtxHunter output and returns a set of fields in results. An unparsed data field is availible in the hidden _RawData field.
There are several parameter’s available for search leveraging regex.
name: Windows.EventLogs.RemoteAccessVPN
author: Théo Letailleur, Synacktiv
description: |
This Artifact enables scoping EventLogs from Microsoft VPN, served by
Remote Access Service server role.
It is designed to assist in identifying VPN connections on organizations that
are using Microsoft VPN service. It targets both server and client side logs.
This artifact parses EvtxHunter output and returns a set of fields in results.
An unparsed data field is availible in the hidden _RawData field.
There are several parameter's available for search leveraging regex.
- ClientEvtxGlob glob of VPN Client EventLogs to target. Default to Application.evtx.
- ServerEvtxGlob glob of VPN Server EventLogs to target. Default to System.evtx.
- NPSLogsGlob glob of NPS Server Text Logs to target.
- dateAfter enables search for events after this date.
- dateBefore enables search for events before this date.
- IocRegex enables regex search over the message field.
- IgnoreRegex enables a regex whitelist for the Message field.
- SearchVSS enables searching over VSS.
reference:
- https://www.synacktiv.com/publications/forensic-aspects-of-microsoft-remote-access-vpn.html
- https://learn.microsoft.com/en-us/windows-server/remote/remote-access/remote-access
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: ClientEvtxGlob
default: '%SystemRoot%\System32\Winevt\Logs\Application.evtx'
description: "EVTX file path glob where RAS Client logs are stored"
- name: ServerEvtxGlob
default: '%SystemRoot%\System32\Winevt\Logs\System.evtx'
description: "EVTX file path glob where RAS Server logs are stored"
- name: NPSLogsGlob
default: '%SystemRoot%\System32\LogFiles\IN*'
- name: IocRegex
default: .
type: regex
- name: IgnoreRegex
description: "Regex of string to whitelist"
type: regex
- name: SearchVSS
description: "Add VSS into query."
type: bool
- name: DateAfter
type: timestamp
description: "search for events after this date. YYYY-MM-DDTmm:hh:ssZ"
- name: DateBefore
type: timestamp
description: "search for events before this date. YYYY-MM-DDTmm:hh:ssZ"
sources:
- name: VPN Server
description: VPN Server event logs
query: |
LET VPNServerIdRegex = '^(20250|20253|20255|20271|20272|20274|20275)$'
-- User
LET extract_user(eventid, eventdata) =
if(condition=eventid=20271,then=format(format='''%v''', args=[eventdata[1]]), else=
if(condition=(eventid=20250 OR eventid=20253 OR eventid=20255 OR eventid=20272 OR eventid=20274),then=format(format='''%v''', args=[eventdata[2]]), else=
if(condition=eventid=20275,then="N/A")
))
-- TunnelIP
LET extract_tunnelip(eventid, eventdata) =
if(condition=eventid=20274,then=format(format='''%v''', args=[eventdata[4]]), else=
if(condition=eventid=20275,then=format(format='''%v''', args=[eventdata[2]])
))
-- ExternalIP
LET extract_externalip(eventid, eventdata) =
if(condition=eventid=20271,then=format(format='''%v''', args=[eventdata[2]]))
SELECT EventTime,Computer,Channel,Provider,EventID,extract_user(eventid=EventID,eventdata=EventData.Data) as User, extract_tunnelip(eventid=EventID, eventdata=EventData.Data) as TunnelIP, extract_externalip(eventid=EventID, eventdata=EventData.Data) as ExternalIP, EventData.Data[1:] as ExtraInfo,Message,EventData.Data as _RawData
FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob=ServerEvtxGlob,
IocRegex=IocRegex,
IdRegex=VPNServerIdRegex,
WhitelistRegex=IgnoreRegex,
DateAfter=DateAfter,
DateBefore=DateBefore,
SearchVSS=SearchVSS )
- name: VPN Clients
description: VPN Client event logs
query: |
LET VPNClientIdRegex = '^(20220|20221|20222|20223|20224|20225|20226|20227)$'
SELECT EventTime,Computer,Channel,Provider,EventID,EventData.Data[1] as User, EventData.Data[2:] as ExtraInfo,Message,EventData.Data as _RawData
FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob=ClientEvtxGlob,
IocRegex=IocRegex,
IdRegex=VPNClientIdRegex,
WhitelistRegex=IgnoreRegex,
DateAfter=DateAfter,
DateBefore=DateBefore,
SearchVSS=SearchVSS )
- name: NPS Server
description: Retrieve NPS Server logs (also available in the Microsoft VPN server)
query: |
SELECT * FROM foreach(
row={
SELECT FullPath FROM glob(globs=expand(path=NPSLogsGlob))
},
query={
SELECT * from parse_csv(filename=FullPath, columns=["ComputerName","ServiceName","Record-Date","Record-Time","Packet-Type","User-Name","Fully-Qualified-Distinguished-Name","Called-Station-ID","Calling-Station-ID","Callback-Number","Framed-IP-Address","NAS-Identifier","NAS-IP-Address","NAS-Port","Client-Vendor","Client-IP-Address","Client-Friendly-Name","Event-Timestamp","Port-Limit","NAS-Port-Type","Connect-Info","Framed-Protocol","Service-Type","Authentication-Type","Policy-Name","Reason-Code","Class","Session-Timeout","Idle-Timeout","Termination-Action","EAP-Friendly-Name","Acct-Status-Type","Acct-Delay-Time","Acct-Input-Octets","Acct-Output-Octets","Acct-Session-Id","Acct-Authentic","Acct-Session-Time","Acct-Input-Packets","Acct-Output-Packets","Acct-Terminate-Cause","Acct-Multi-Ssn-ID","Acct-Link-Count","Acct-Interim-Interval","Tunnel-Type","Tunnel-Medium-Type","Tunnel-Client-Endpt","Tunnel-Server-Endpt","Acct-Tunnel-Conn","Tunnel-Pvt-Group-ID","Tunnel-Assignment-ID","Tunnel-Preference","MS-Acct-Auth-Type","MS-Acct-EAP-Type","MS-RAS-Version","MS-RAS-Vendor","MS-CHAP-Error","MS-CHAP-Domain","MS-MPPE-Encryption-Types","MS-MPPE-Encryption-Policy","Proxy-Policy-Name","Provider-Type","Provider-Name","Remote-Server-Address","MS-RAS-Client-Name","MS-RAS-Client-Version"])
})