microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Tracing Microsoft-Windows-Security-Auditing #79

Closed rushikeshpatil12 closed 5 years ago

rushikeshpatil12 commented 5 years ago

Not sure if it's a krabsetw issue, but I have been failing to trace the Microsoft-Windows-Security-Auditing provider and am hoping someone would already know this.

I tried running my code as LocalSystem as well as trying different privileges. I also compared the EventLog service's process token with my process's.

Logman query provider pid (EventLog Pid) doesn't even show Security-Auditing, yet it gets the . The EventLog service's call stack does seem to indicate that it gets the security events with a realtime trace.


I looked at some other thread where it was indicated that subscribing to EventLog-Security is not possible with krabsetw and has some known issues. Not sure if it's related, but it would be good to know what those issues are.

Appreciate any help.

swannman commented 5 years ago

This is the same issue as #5 -- the security event log ETW provider is a protected channel which krabsetw does not currently support.

rushikeshpatil12 commented 5 years ago

Thank you @swannman for responding. Would you be able to share what the requirements are for using protected security channels? Any links/pointers would be of great help.

swannman commented 5 years ago

When we have guidance on how to do this, we will post it in the thread for issue #5.

rushikeshpatil12 commented 5 years ago

I just realized #5 is a slightly different issue. It's about tracing EventLog, which works for me. However, I cannot trace events coming from the provider Microsoft-Windows-Security-Auditing. EventLog is a superset of MS-Windows-Security-Auditing but filters the security events based on GPO.

I need to be able to capture security events that are not specified by GPO.

Any pointers would be great.

swannman commented 5 years ago

We don’t have a way to do this today.

jdu2600 commented 4 years ago

https://github.com/microsoft/krabsetw/pull/93 allows you to trace Microsoft-Windows-Security-Auditing (as SYSTEM) - but in my testing I only saw events configured by the audit policy (GPO). So unfortunately it doesn't have the events that you are looking for. (I was actually looking for them too. :-( ) As far as I can tell, these events are never generated - i.e. the filtering for EventLog-Security is done in the provider, not the consumer.

swannman commented 4 years ago

You're right, I misunderstood the question on this thread. I can confirm that Windows checks the audit policy and does not emit an ETW event if the current audit policy has not enabled it.

rushikeshpatil12 commented 4 years ago

I ended up tracing EventLog-Security separately, which required a lot of additional parsing work, but it's good to see Krabs supporting it now.

Even a system process cannot enable tracing on the Windows-Security-Auditing provider. I believe this provider is only available to Protected processes (ELAM), just like TI events.

swannman commented 4 years ago

That's right - we were told we needed to onboard to ELAM in order to create a trace session for Windows-Security-Auditing. I didn't realize we could simply listen to the existing trace session -- this is huge!
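
The two practical checks that follow from this thread, as an added example (not code from the krabsetw project or from any participant): the provider only emits an event when the audit policy enables its subcategory, and the EventLog service already runs a real-time session (EventLog-Security) that a consumer can attach to instead of creating its own protected one. The script below reads the local audit policy with `auditpol`, reports which of a chosen set of subcategories are not audited (the list of subcategories is a hypothetical selection for the example), optionally enables them, and then lists the EventLog-Security session with `logman`. It assumes an elevated PowerShell prompt and English subcategory names as printed by `auditpol`.

```powershell
<#
  Added example for this thread, not krabsetw project code.
  Confirms (1) that the audit policy enables the subcategories an ETW consumer depends on,
  since Microsoft-Windows-Security-Auditing does not emit events for disabled subcategories,
  and (2) that the EventLog-Security session exists, since that is the session a consumer
  can open by name rather than starting a protected one of its own.
  Assumptions: run elevated; English subcategory names; the subcategory list is hypothetical.
#>
[CmdletBinding()]
param(
    # Subcategories the consumer depends on (example selection, adjust to your needs).
    [string[]]$Required = @('Process Creation', 'Process Termination', 'Logon'),
    # Pass -Enable to turn any missing subcategory on for both success and failure.
    [switch]$Enable
)

function Get-AuditSubcategoryState {
    # `auditpol /get /category:* /r` prints CSV with columns including "Subcategory" and
    # "Inclusion Setting" ("No Auditing", "Success", "Failure" or "Success and Failure").
    $rows = auditpol /get /category:* /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv
    $state = @{}
    foreach ($row in $rows) {
        $state[$row.Subcategory.Trim()] = $row.'Inclusion Setting'.Trim()
    }
    return $state
}

$state   = Get-AuditSubcategoryState
$missing = @()
foreach ($name in $Required) {
    $setting = if ($state.ContainsKey($name)) { $state[$name] } else { 'unknown subcategory' }
    '{0,-28} {1}' -f $name, $setting
    # Anything other than Success/Failure means the provider will never emit these events.
    if ($setting -notmatch 'Success|Failure') { $missing += $name }
}

if ($missing.Count -gt 0) {
    if ($Enable) {
        foreach ($name in $missing) {
            # auditpol accepts the subcategory name (or its GUID); enable success and failure.
            auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
        }
        Write-Host "Enabled auditing for: $($missing -join ', ')"
    } else {
        Write-Warning "Not audited, so no ETW events will be generated for: $($missing -join ', ')"
    }
}

# The EventLog service's real-time session for the security provider. If it is listed,
# a consumer can attach to it by name instead of creating its own session.
logman query 'EventLog-Security' -ets
```

Run it once without `-Enable` to see the gap between what the consumer expects and what the policy actually audits; the `logman` output at the end shows the provider and keyword mask the EventLog service enabled on its session, which is the upper bound of what a consumer attached to that session can receive.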

amitf-di commented 2 years ago

> I ended up tracing EventLog-Security separately which required lot of additional parsing work but good to see Krabs supporting it now.

@rushikeshpatil12 could you please share how you did that? I want to consume from the provider manually (and not using the existing session).