Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

Tips on Advanced Monitoring & Alerting in Windows Systems

September 7, 2017

  • Blog
  • Archive
Tips on Advanced Monitoring & Alerting in Windows Systems As a Windows administrator, when something with your Windows environment goes amiss, how likely are you to pinpoint the cause, and how much time might expire before you reach the point of certainty? In this blog, I want to offer up an example excerpted from my Useful Hacking Series to help Windows administrators improve their awareness of what happens whenever somebody does something within the system. Understanding of operating system internals is crucial for understanding any hacking activities. So, with that said, let’s explore a simple hacking scenario. Hopefully, you can apply this knowledge to better protect and respond to threats in your Windows environment.
If you’re interested in an advanced, technical dive into tracing and monitoring activity within Windows, tune in to my webinar, Advanced Windows OS Tracing and Monitoring Techniques.

Register now

How to sniff HTTPS & and steal logon credentials

For today’s lesson, let’s explore how a hacker might sniff HTTPS traffic using Event Tracing for Windows (ETW) – a framework that provides logging capabilities with very little overhead-to-run-time performance. As an integral part of the Microsoft Windows operating system, ETW is heavily used by several system components, and can be successfully used by third-party software. ETW can provide a staggering amount of information. If you want to see a small example of what information can be found in ETW logs, follow the steps I’ve outlined below and try to dump some data of web requests made by the web browser that uses WinInet library calls. If you want to learn Windows Internals – start from ETW!
  1. First, you need to download and install Windows Performance Toolkit tools (WPT is a part of the Windows ADK: http://www.microsoft.com/en-US/download/details.aspx?id=39982) and added path to the xperf.exe to your PATH environment variable to make the usage comfortable. To sniff the credentials for basically any HTTPS- based portal, you must be logged out of the portal you desire to target.
  2. Start the cmd.exe as member of the Local Administrators group, as ETW requires administrative privileges.
  3. Next, start logger session named WinInetTest and capture events from the Microsoft-Windows-WinInet. To achieve that, run the following command: >xperf.exe -start WinInetTest -on Microsoft-Windows-WinInet -FileMode Circular -MaxFile 50 -f WinInetTest.etl
  4. Use Internet Explorer and navigate to the target HTTP-based site. Enter user name & password (doesn’t have to be a real one) and click ‘sign in’:
  5. Switch back to the cmd.exe, and stop the logger session in the following way: >xperf.exe -stop WinInetTest
  6. Now, it’s time to dump all the events from the wininet.etl file to the wininet.txt file: >xperf -i wininettest.etl -o wininet.txt -a dumper
  7. We are almost ready to see the result of the monitoring. To search the file for specific events use the following command: >findstr /i "WININET_REQUEST_HEADER_OPTIONAL" wininet.txt
Here is the summary of all we did: If you look at the Headers data, you can see your user name and password along with other POST data.

Summary Thoughts on Useful Hacking

Intercepting HTTPS traffic is possible if you are monitoring the beginning or the end of the HTTPS tunnel. At this stage, it’s important to understand that, in an operating system, there are several layers where communication is established. If one of these layers should malfunction, the security of transmission could be seriously jeopardized. Remember, HTTPS is just a protocol that is used to communicate securely, it is not used for any kind of data transformation. For the similar purpose, you can use tool Fiddler – Web Debugger. It is a fantastic tool for troubleshooting and sniffing HTTPS traffic If you’re interested in an advanced, technical dive into tracing and monitoring activity within Windows, tune in to my webinar, Advanced Windows OS Tracing and Monitoring Techniques. Attendees to this session will learn what activities can be traced and monitored; starting from simple scenarios then ending with the exact steps a hacker may take to compromise a Windows system.

Paula Januszkiewicz

Hacker, Enterprise Security MVP, Cybersecurity Expert

Paula Januszkiewicz, CEO CQURE, penetration tester and mentor of CQURE Academy. Paula is also an Enterprise Security MVP and trainer (MCT) and Microsoft Security Trusted Advisor. She is also a top speaker at many well-known conferences including TechEd North America, TechEd Europe, TechEd Middle East, RSA, TechDays, CyberCrime, etc., and is often rated as number-one speaker.

Paula is engaged as a keynote speaker for security related events and she writes articles on Windows Security. Her company CQURE has now 3 locations New York, Dubai and Warsaw. Paula has conducted hundreds of IT security audits and penetration tests, including those for governmental organizations, she is a renowned security consultant. Her distinct specialization is related to Microsoft security solutions in which she holds multiple Microsoft certifications, besides being familiar with and possessing certifications in other related technologies and operating systems. Paula is passionate about sharing her knowledge with others.

In private, she enjoys researching new technologies, which she converts to authored trainings. She wrote a book about Threat Management Gateway 2010, and is working on her next book. She has access to a source code of Windows! Every year she makes over 200 flights (2013 - 248) to gain more and more experience, provides penetration tests and consults Customers about how to secure their infrastructures. Her favorite saying is: "I have a tool for that!"

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Webcasts | February 09, 2021

Customer Webinar: Remote Support 21.1 Released!

Webcasts | February 24, 2021

Your PAM 2021 Blueprint: Securing Privileged Accounts for On-Premises and Cloud Assets

Whitepapers

Evolving Privileged Identity Management (PIM) In The 'Next Normal'

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.