Collect RPC Firewall logs from Windows hosts
name: Windows.EventLogs.RPCFirewall
description: |
Collect RPC Firewall logs from Windows hosts
reference:
- https://github.com/zeronetworks/rpcfirewall
author: Wes Lambert - @therealwlambert
parameters:
- name: TargetGlob
default: '%SystemRoot%\System32\Winevt\Logs\RPCFW.evtx'
- name: TargetVSS
type: bool
- name: IdRegex
default: .
type: regex
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET EventDescriptionTable <= SELECT * FROM parse_csv(accessor="data", filename='''
ID,Description
1,RPC Firewall Protection Added
2,RPC Firewall Protection Removed
3,RPC Server Function Called
''')
SELECT EventTime,
Computer,
Channel,
EventID,
EventRecordID,
{ SELECT Description FROM EventDescriptionTable WHERE ID = EventID} AS Description,
EventData,
if(condition=EventID=3,
then=dict(
Function=EventData.Data[0],
ProcessID=EventData.Data[1],
ImagePath=EventData.Data[2],
Protocol=EventData.Data[3],
Endpoint=EventData.Data[4],
ClientNetworkAddress=EventData.Data[5],
InterfaceUUID=EventData.Data[6],
OpNum=EventData.Data[7],
SID=EventData.Data[8],
AuthenticationLevel=EventData.Data[9],
AuthenticationService=EventData.Data[10],
ClientPort=EventData.Data[11],
ServerNetworkAddress=EventData.Data[12],
ServerPort=EventData.Data[13]),
else=dict(
ImagePath=EventData.Data[0],
ProcessID=EventData.Data[1]
)
) AS EventDataDetails,
Message
FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob=TargetGlob,
SearchVSS=TargetVSS,
IdRegex=IdRegex)