Windows Unique Executables and New Commands

by Dave Breslin
August 3, 2012

[Image: NewCommands]

This template reports programs and commands observed running for the first time.

The template uses the LCE events named "Unique_Windows_Executable" and "New_Command", which are automatically generated by a script developed in TASL (Tenable Application Scripting Language) whose filename is "program_accounting.tasl". To produce the events, the TASL script continually monitors Windows events 592 (Windows XP and 2003) and 4688 (Windows Vista, 7 and 2008).

LCE event "Unique_Windows_Executable" is generated when a command/program is observed being used for the first time across all the Windows hosts whose 592 and 4688 events are being normalized and stored in LCE. LCE event "New_Command" is generated when a command/program is observed being used for the first time on a single Windows host. In the example report, "TeamViewer.exe" is used for the first time on host 10.0.0.11 (SVR1003) and had never been observed in use on any host, so a "Unique_Windows_Executable" event is generated:

[Image: Teamviewer-unique]

This also generates a "New_Command" event for host 10.0.0.11 (SVR1003):

[Image: Teamviewer-new]

When "TeamViewer.exe" is later used for the first time on host 10.0.0.14 (SVR1009), a "New_Command" event is generated for host 10.0.0.14 (SVR1009); however, a "Unique_Windows_Executable" event is not generated, because "TeamViewer.exe" was previously observed running on host 10.0.0.11 (SVR1003).

[Image: Teamviewer-new2]
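The global-versus-per-host distinction above is easy to get wrong when building a similar first-seen detector, so here is an added example that replays it. This is illustrative code written for this page, not Tenable's program_accounting.tasl, and the record fields (event_id, host, ip, image) and the sample records are constructed assumptions rather than LCE's schema. It generalizes the post's TeamViewer sequence slightly by also ignoring non-process-creation events and by showing that every program fires both events the first time it is seen, which is the learning period the post mentions.

```python
"""Added example (not Tenable's program_accounting.tasl): replays constructed
Windows process-creation records and emits the two event kinds the post
describes, so the global-vs-per-host distinction can be checked."""
from collections import namedtuple

# Field names are assumptions for this example, not LCE's normalized schema.
ProcessEvent = namedtuple("ProcessEvent", "event_id host ip image")

# Constructed sample log: the TeamViewer sequence from the post plus cmd.exe,
# a duplicate 592 record, and a logon event that must be ignored.
SAMPLE_EVENTS = [
    ProcessEvent(4688, "SVR1003", "10.0.0.11", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ProcessEvent(4688, "SVR1003", "10.0.0.11", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4688, "SVR1009", "10.0.0.14", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4688, "SVR1009", "10.0.0.14", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ProcessEvent(592,  "SVR1003", "10.0.0.11", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ProcessEvent(4624, "SVR1003", "10.0.0.11", ""),  # logon event, not a process creation
]

# 592 is the XP/2003 process-creation event, 4688 the Vista/7/2008 one.
PROCESS_CREATION_IDS = {592, 4688}


class ProgramAccounting:
    """Tracks executables seen for the first time globally and per host."""

    def __init__(self):
        self.seen_globally = set()   # executable names seen on any host
        self.seen_per_host = {}      # host name -> set of executable names

    @staticmethod
    def executable_name(image_path):
        # Compare on the lower-cased basename so the same program started from
        # different paths or with different casing counts as one command.
        return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

    def process(self, event):
        """Return the list of (event_name, host, ip, executable) tuples this record generates."""
        if event.event_id not in PROCESS_CREATION_IDS or not event.image:
            return []
        name = self.executable_name(event.image)
        generated = []
        # First sighting anywhere: the global event fires once per executable.
        if name not in self.seen_globally:
            self.seen_globally.add(name)
            generated.append(("Unique_Windows_Executable", event.host, event.ip, name))
        # First sighting on this particular host: fires once per (host, executable).
        host_seen = self.seen_per_host.setdefault(event.host, set())
        if name not in host_seen:
            host_seen.add(name)
            generated.append(("New_Command", event.host, event.ip, name))
        return generated


def replay(events):
    """Feed records through a fresh tracker and collect everything it generates."""
    tracker = ProgramAccounting()
    generated = []
    for event in events:
        generated.extend(tracker.process(event))
    return generated


if __name__ == "__main__":
    for kind, host, ip, name in replay(SAMPLE_EVENTS):
        print(f"{kind:26} {ip} ({host}) {name}")
```

Running it shows the sequence from the post: SVR1003 produces both events for TeamViewer.exe, SVR1009 later produces only "New_Command" for it, and the 592 repeat and the 4624 logon produce nothing. Because the tracker starts empty, the first records for every executable fire both events, which is why a newly deployed monitor needs a learning period before these events are worth alerting on.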

Both the "Unique Executables" and "New Commands" template chapters include tables for highlighting where on an organization's network the hosts generating the events are located:

[Image: Locations]

The tables will be very useful in prioritizing actions if the events are being monitored as part of a proactive process.

The "New Commands" chapter does not filter on Windows hosts. By default it will report on all hosts regardless of platform with "New_Command" events. The "New_Command" event is also triggered for Linux and UNIX based platforms. Below is an example of querying "New_Command" events for a Mac OS X 10.7 platform using the SecurityCenter GUI:

[Image: MAC]

If an organization is also using LCE to monitor UNIX and Linux based platforms then a dynamic or static asset list can be used to filter the chapter's report elements.

[Image: DynamicAssetListWindows]

[Image: Dynamic]

[Image: Newcommandschapter]

[Image: Eventfilters]

Alternatively, the filters could be modified for the IP ranges of the Windows hosts without the need to create an asset list:

[Image: Eventfilters2]

When event monitoring first begins, every command/program will be processed as new and will generate the LCE events the template uses. A learning period should be expected and planned for.

The LCE architecture can also collect Windows events remotely via WMI, including events 592 and 4688, which are the events used to generate the LCE events this template reports on.