Windows Daily Command and User Summary

by Dave Breslin
July 30, 2012

[Screenshot: CommandSummary]

This template produces daily summaries of commands and users for the past seven days. It also reports on installed software.

The template works by combining the “Daily_User_Summary” and “Daily_Command_Summary” LCE events with the installed software report produced by Nessus plugin 20811. The LCE events used by the template are automatically generated by a script developed in TASL (Tenable Application Scripting Language) whose filename is "program_accounting.tasl". Windows events 592 (Windows XP and 2003) and 4688 (Windows Vista, 7 and 2008) are used to build the daily summary events. Plugin 20811 is a Nessus credentialed check.
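The following Python script is an added illustration of what the daily summary events contain; it is not Tenable's program_accounting.tasl and does not reproduce its logic. It aggregates constructed sample process-creation events (IDs 592 and 4688) into one set of users and one set of commands per day and host, ignoring other event IDs; the record layout is an assumption for the example.

```python
# Added illustration (not Tenable's program_accounting.tasl): build per-day, per-host
# summaries of distinct users and commands from Windows process-creation events.
# The records below are constructed sample data and their field layout is assumed.
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, host, event_id, user, new_process_name)
SAMPLE_EVENTS = [
    ("2012-07-29 08:01:12", "ws01", 4688, "CORP\\alice", "C:\\Windows\\System32\\cmd.exe"),
    ("2012-07-29 08:02:40", "ws01", 4688, "CORP\\alice", "C:\\Windows\\System32\\net.exe"),
    ("2012-07-29 09:15:03", "ws01", 4688, "CORP\\bob", "C:\\Windows\\System32\\cmd.exe"),
    ("2012-07-29 11:45:59", "srv02", 592, "CORP\\svc_backup", "C:\\Program Files\\Backup\\bk.exe"),
    ("2012-07-30 07:30:00", "ws01", 4688, "CORP\\alice", "C:\\Windows\\System32\\cmd.exe"),
    ("2012-07-30 07:31:10", "ws01", 4624, "CORP\\alice", ""),  # logon event, not process creation
]

# 592: Windows XP/2003 process creation; 4688: Windows Vista/7/2008 process creation
PROCESS_CREATION_IDS = {592, 4688}


def daily_summaries(events):
    """Return {(day, host): {"users": set, "commands": set}} built only from
    process-creation events; every other event ID is skipped."""
    summary = defaultdict(lambda: {"users": set(), "commands": set()})
    for ts, host, event_id, user, process in events:
        if event_id not in PROCESS_CREATION_IDS:
            continue
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date().isoformat()
        entry = summary[(day, host)]
        entry["users"].add(user)
        entry["commands"].add(process)
    return dict(summary)


def render(summary):
    """Emit one Daily_User_Summary and one Daily_Command_Summary line per day and host."""
    lines = []
    for day, host in sorted(summary):
        entry = summary[(day, host)]
        lines.append(f"{day} {host} Daily_User_Summary: {', '.join(sorted(entry['users']))}")
        lines.append(f"{day} {host} Daily_Command_Summary: {', '.join(sorted(entry['commands']))}")
    return lines


if __name__ == "__main__":
    for line in render(daily_summaries(SAMPLE_EVENTS)):
        print(line)
```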

The template does not filter the list of hosts for which it will produce a report. If run without setting additional filters, it builds a report for every host (active IP address) that the user running the report can view in the cumulative vulnerability database.

To restrict the report to particular hosts, set the iterator's filters. The table element that produces the host summary at the beginning of the report also needs the same filters set.

[Screenshot: Filtertemplate]

Six examples follow that demonstrate how to set the filters so the template focuses on hosts that share a common attribute or exhibit a common behaviour.


1. Filter for Windows hosts only

One method to report only for Windows hosts would be to create a dynamic asset list and use it with the filters.

[Screenshot: DynamicAssetListWindows]

[Screenshot: WindowsHostsFilter]

A second method to report only on Windows hosts uses the Nessus Enhanced Operating System Identification, which is in fact how the dynamic asset list above works. Filter on plugin 11936, "OS Identification", and the vulnerability text "indows".

[Screenshot: WindowsHostsFilter2]

Either method requires Nessus plugin 11936 to have been enabled in the scan policy so that 11936 results exist for the Windows hosts.

2. Filter for only those hosts that have had daily command and user summary LCE events created over the last 7 days

Filters default to a data type of vulnerability. To filter using LCE event data, change Data Type to "Event":

[Screenshot: EventDataType]

To filter by the events “Daily_User_Summary” and “Daily_Command_Summary”, which fall under the event type "process", set Normalized Event to "Daily*" and Type to "process". Also ensure the Timeframe is set to "Last 7 Days".

[Screenshot: Eventfilterdaily]

3. Filter for those hosts that have a vulnerability with a known exploit

Set Exploit Available to "Yes".

[Screenshot: Exploitavailable]

4. Filter for those hosts detected running malicious processes and/or potentially unwanted software

Use Plugin ID to filter on plugin results for 59275 and 59641.

[Screenshot: Malicious]

5. Filter for those hosts whose antivirus isn't up-to-date or isn't functioning properly

Use Plugin ID to filter on plugin results for 20284, 12107, 12106, 20283, 16192, 21725, 24232, 21608, 12215, 43164, 52544 and 52668.

[Screenshot: Avplugins]

6. Filter for those hosts that have made a suspected outbound botnet connection in the last 7 days

Set Data Type to "Event", Timeframe to "Last 7 Days", Type to "threatlist" and Direction to "Outbound".

[Screenshot: Outboundbotnet]