Protected Event Logging or Unprotect-CmsMessage supported by SO?

[PowerPress]

Is Protected Event Logging or Unprotect-CmsMessage supported by SO?

These features in windows can encrypt the win events and want to ensure SO will support it so and decrypt them.

If not is there any plan or timeline to implement?

[defensivedepth]

Security Onion cannot decrypt eventlogs in this way.

From a technical perspective, how would you expect it to work?

[PowerPress]

Install powershell core 6.0 or later on SO

Path to an exported certificate file (.cer) with private key

For each matching log could run this script

I do not have SO up and running to test but this should work by definetly not optimal

#############################################################################
#.SYNOPSIS
# Decrypts protected event log messages with Unprotect-CmsMessage.
#
#.NOTES
# When piping encrypted event log messages through Unprotect-CmsMessage, 
# only the plaintext of the body of the message is returned, not the
# entire original message object with all of its properties, hence, a
# wrapper script like this is necessary to retain those other properties.
# The performance of Add-Member and Unprotect-CmsMessage is not good.
#############################################################################

[CmdletBinding()]
Param (
       [String] $ComputerName = $env:COMPUTERNAME, 
       [String] $LogName = 'Microsoft-Windows-PowerShell/Operational', 
       [Int] $EventID = 4104,
       [Int] $MaxEvents = 10
      )


$XPath = '*[System[(EventID=' + $EventID + ')]]'

Get-WinEvent -ComputerName $ComputerName -LogName $LogName -FilterXPath $XPath -MaxEvents $MaxEvents |
ForEach { 
    if ($_.Message.IndexOf('-----BEGIN CMS-----') -ne -1)
    { 
        Write-Verbose ("Encrypted: " + $_.RecordID)
        Add-Member -PassThru -InputObject $_ -NotePropertyName 'Plaintext' -NotePropertyValue $($_.Message | Unprotect-CmsMessage -IncludeContext) 
    }
    else
    {
        Write-Verbose ("Plaintext: " + $_.RecordID)
        $_
    }
}

Additional info: https://www.sans.org/blog/powershell-protect-cmsmessage-example-code/

[defensivedepth]

It's an interesting concept. I'm not sure how it would work with Elastic Agent, which we use to ship the logs to SO, since some parsing of the log happens at the endpoint, and then again right before it is ingested to Elasticsearch.

What is the specific risk you are trying to account for? The logs are encrypted across the wire to SO.

[PowerPress]

Risk is attacker could read logs and get access to potential command line credentials if host gets compromised.

Just dont want unencrypted command line logs laying on the box that an attacker cound potentially access and find additional credentials to use for lateral movement

Could the Agent execute this on each end point and when it detects it and protected event logging is enabled before shipping the log to SO

[defensivedepth]

If there are credentials being captured via CLI logging, then there are deeper operational issues. I could certainly see this feature being useful for other types of sensitive info logged from applications (PII etc).

All that being said - I think this is interesting. I think we would like to hear if people are using this in production before attempting to support it.

[PowerPress]

Thinking this through this should not be decrypted on the end point if the goal is to ensure that a compromise doesnt reveal the contents of these logs.

Perhaps the agent could add something to the log before it ships it telling SO to process it when it arrives and decrypt it?