Tips on Advanced Monitoring & Alerting in Windows Systems

Paula Januszkiewicz, Security MVP, CEO at CQURE
September 7th, 2017

Tips on Advanced Monitoring & Alerting in Windows Systems

As a Windows administrator, when something with your Windows environment goes amiss, how likely are you to pinpoint the cause, and how much time might expire before you reach the point of certainty? In this blog, I want to offer up an example excerpted from my Useful Hacking Series to help Windows administrators improve their awareness of what happens whenever somebody does something within the system.

Understanding of operating system internals is crucial for understanding any hacking activities. So, with that said, let’s explore a simple hacking scenario. Hopefully, you can apply this knowledge to better protect and respond to threats in your Windows environment.

If you’re interested in an advanced, technical dive into tracing and monitoring activity within Windows, tune in to my webinar, Advanced Windows OS Tracing and Monitoring Techniques.

Register now

How to sniff HTTPS & and steal logon credentials

For today’s lesson, let’s explore how a hacker might sniff HTTPS traffic using Event Tracing for Windows (ETW) – a framework that provides logging capabilities with very little overhead-to-run-time performance. As an integral part of the Microsoft Windows operating system, ETW is heavily used by several system components, and can be successfully used by third-party software. ETW can provide a staggering amount of information.

If you want to see a small example of what information can be found in ETW logs, follow the steps I’ve outlined below and try to dump some data of web requests made by the web browser that uses WinInet library calls. If you want to learn Windows Internals – start from ETW!

  1. First, you need to download and install Windows Performance Toolkit tools (WPT is a part of the Windows ADK: http://www.microsoft.com/en-US/download/details.aspx?id=39982) and added path to the xperf.exe to your PATH environment variable to make the usage comfortable. To sniff the credentials for basically any HTTPS- based portal, you must be logged out of the portal you desire to target.
  2. Start the cmd.exe as member of the Local Administrators group, as ETW requires administrative privileges.
  3. Next, start logger session named WinInetTest and capture events from the Microsoft-Windows-WinInet. To achieve that, run the following command:
    >xperf.exe -start WinInetTest -on Microsoft-Windows-WinInet -FileMode Circular -MaxFile 50 -f WinInetTest.etl
  4. Use Internet Explorer and navigate to the target HTTP-based site. Enter user name & password (doesn’t have to be a real one) and click ‘sign in’:
  5. Switch back to the cmd.exe, and stop the logger session in the following way:
    >xperf.exe -stop WinInetTest
  6. Now, it’s time to dump all the events from the wininet.etl file to the wininet.txt file:
    >xperf -i wininettest.etl -o wininet.txt -a dumper
  7. We are almost ready to see the result of the monitoring. To search the file for specific events use the following command:
    >findstr /i "WININET_REQUEST_HEADER_OPTIONAL" wininet.txt

Here is the summary of all we did:

If you look at the Headers data, you can see your user name and password along with other POST data.

Summary Thoughts on Useful Hacking

Intercepting HTTPS traffic is possible if you are monitoring the beginning or the end of the HTTPS tunnel. At this stage, it’s important to understand that, in an operating system, there are several layers where communication is established. If one of these layers should malfunction, the security of transmission could be seriously jeopardized.

Remember, HTTPS is just a protocol that is used to communicate securely, it is not used for any kind of data transformation. For the similar purpose, you can use tool Fiddler – Web Debugger. It is a fantastic tool for troubleshooting and sniffing HTTPS traffic

If you’re interested in an advanced, technical dive into tracing and monitoring activity within Windows, tune in to my webinar, Advanced Windows OS Tracing and Monitoring Techniques. Attendees to this session will learn what activities can be traced and monitored; starting from simple scenarios then ending with the exact steps a hacker may take to compromise a Windows system.

Paula Januszkiewicz, Security MVP, CEO at CQURE

Paula Januszkiewicz, CEO CQURE, penetration tester and mentor of CQURE Academy. Paula is also an Enterprise Security MVP and trainer (MCT) and Microsoft Security Trusted Advisor. She is also a top speaker at many well-known conferences including TechEd North America, TechEd Europe, TechEd Middle East, RSA, TechDays, CyberCrime, etc., and is often rated as number-one speaker. Paula is engaged as a keynote speaker for security related events and she writes articles on Windows Security. Her company CQURE has now 3 locations New York, Dubai and Warsaw. Paula has conducted hundreds of IT security audits and penetration tests, including those for governmental organizations, she is a renowned security consultant. Her distinct specialization is related to Microsoft security solutions in which she holds multiple Microsoft certifications, besides being familiar with and possessing certifications in other related technologies and operating systems. Paula is passionate about sharing her knowledge with others. In private, she enjoys researching new technologies, which she converts to authored trainings. She wrote a book about Threat Management Gateway 2010, and is working on her next book. She has access to a source code of Windows! Every year she makes over 200 flights (2013 - 248) to gain more and more experience, provides penetration tests and consults Customers about how to secure their infrastructures. Her favorite saying is: "I have a tool for that!"