Collect RPC Firewall logs from Windows hosts
name: Windows.EventLogs.RPCFirewall
description: |
Collect RPC Firewall logs from Windows hosts
reference:
- https://github.com/zeronetworks/rpcfirewall
author: Wes Lambert - @therealwlambert
parameters:
- name: TargetGlob
default: '%SystemRoot%\System32\Winevt\Logs\RPCFW.evtx'
- name: IdRegex
default: .
type: regex
- name: VSSAnalysisAge
type: int
default: 0
description: |
If larger than zero we analyze VSS within this many days
ago. (e.g 7 will analyze all VSS within the last week). Note
that when using VSS analysis we have to use the ntfs accessor
for everything which will be much slower.
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET EventDescriptionTable <= SELECT * FROM parse_csv(accessor="data", filename='''
ID,Description
1,RPC Firewall Protection Added
2,RPC Firewall Protection Removed
3,RPC Server Function Called
''')
SELECT EventTime,
Computer,
Channel,
EventID,
EventRecordID,
{ SELECT Description FROM EventDescriptionTable WHERE ID = EventID} AS Description,
EventData,
if(condition=EventID=3,
then=dict(
Function=EventData.Data[0],
ProcessID=EventData.Data[1],
ImagePath=EventData.Data[2],
Protocol=EventData.Data[3],
Endpoint=EventData.Data[4],
ClientNetworkAddress=EventData.Data[5],
InterfaceUUID=EventData.Data[6],
OpNum=EventData.Data[7],
SID=EventData.Data[8],
AuthenticationLevel=EventData.Data[9],
AuthenticationService=EventData.Data[10],
ClientPort=EventData.Data[11],
ServerNetworkAddress=EventData.Data[12],
ServerPort=EventData.Data[13]),
else=dict(
ImagePath=EventData.Data[0],
ProcessID=EventData.Data[1]
)
) AS EventDataDetails,
Message
FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob=TargetGlob,
VSSAnalysisAge=VSSAnalysisAge,
IdRegex=IdRegex)