Introducing Sleat - an overview of the problem Sleat was written to solve, along with some examples of how it fits into the context of a penetration test.
Uses for Sleat
Sleat is a collection of scripts for collecting, parsing, and analyzing logon events from Windows Security logs.
These scripts can be used for:
Identifying workstations belonging to privileged users
Identifying workstations/accounts connecting from the CDE
Identifying workstations/accounts connecting from an IP address that wasn’t included (or conveniently forgotten!) in the scoping documents
Visualizing the relationship of logon events across the environment using Graphviz
Before performing analysis, logon events must first be collected from a Windows host. This can be done several ways:
Using the included PowerShell script, sleat-collect.ps1. This script searches the Security log on the local Windows host for events with EventID 4624 (an account was successfully logged on), pulls specific fields (IP, Domain, Username, Workstation, taken from the event's IpAddress, TargetDomainName, TargetUserName and WorkstationName data), sorts and de-duplicates the results, then writes the output to a CSV file.
Copying the raw Security log (Security.evtx) off the Windows host and parsing it locally. EVTX files are stored in a proprietary binary XML format, so parsing them requires outside help. The Python tool python-evtx works well for converting the binary records into plain-text XML. That XML dump can then be parsed by sleat-parse.py to build a CSV file with the same fields that sleat-collect.ps1 produces.
The resultant CSV file is then passed to sleat-analyze.rb for analysis, along with two other files:
<corp networks> - a newline-delimited text file of networks in corporate scope with CIDR notation (ex: 10.5.1.0/24)
<cde networks> - a newline-delimited text file of networks in CDE scope with CIDR notation (ex: 172.16.10.0/24)
The scripts are broken up into 3 parts: Collect, Parse, and Analyze.
Overview of Scripts
sleat-collect.ps1 - Powershell script to enumerate logon events from the Security log
This script should be copied to the target Windows host and executed as a user with Administrator privileges (reading the Security log requires administrative rights or membership in the Event Log Readers group). You may need to run Set-ExecutionPolicy Bypass first; adding -Scope Process limits that change to the current PowerShell session. Poring through hundreds of thousands of events can take several minutes (upwards of 45 minutes on some hosts). Although slow, this is less work than copying the Security.evtx file off the host, converting it to XML, then parsing it.
sleat-parse.py - Python script for parsing output from python-evtx
If sleat-collect.ps1 was used to generate the CSV file, then this step can be skipped.
If the Security.evtx log was copied off the Windows host (usually found at C:\Windows\System32\winevt\Logs\Security.evtx), the first step in parsing it locally is to convert it from the proprietary binary XML format into plain-text XML. This can be done with python-evtx, whose evtx_dump.py script writes every record as XML to standard output:
Once the data has been converted to ASCII XML, the relevant fields need to be pulled from the Logon events. This can be done by sleat-parse.py:
Using sleat-parse.py to generate ‘CORPDOM-logons.csv’ from ‘CORPDOM-dump.xml’:
The resulting CSV file can then be passed to sleat-analyze.rb.
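Added example, not sleat's own code: a Python parser that does what the page describes for sleat-parse.py, pulling the IP, domain, username and workstation fields out of every 4624 record in a python-evtx XML dump, de-duplicating them and writing a CSV. It assumes the dump wraps records in an <Events> root the way evtx_dump.py emits them; the sample records, hosts, users and addresses are constructed, and the CSV column names are my choice, since sleat's own header is not shown on this page. It also shows the two checks a practitioner wants here: events other than 4624 (a 4625 failed logon in the sample) are skipped, and the dump is streamed rather than loaded whole.

```python
import csv
import io
import sys
import xml.etree.ElementTree as ET

# Namespace every element in Windows event XML carries (the real schema URI).
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# CSV column -> <Data Name="..."> field of event 4624. The Name values are the
# ones the Security-Auditing provider really uses; the column names are assumed
# (sleat's own CSV header is not shown on the page).
FIELDS = {
    "ip": "IpAddress",
    "domain": "TargetDomainName",
    "username": "TargetUserName",
    "workstation": "WorkstationName",
}


def _event(event_id, user, domain, logon_type, workstation, ip):
    """Build one constructed <Event> record in the layout evtx_dump.py emits."""
    return (
        f'<Event xmlns="{NS[1:-1]}"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{event_id}</EventID><Computer>DC01.corp.example</Computer>"
        "</System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TargetDomainName">{domain}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="WorkstationName">{workstation}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        "</EventData></Event>\n"
    )


# Constructed dump (hypothetical hosts, users, addresses). The repeated jsmith
# record exercises de-duplication; the 4625 (failed logon) must be ignored.
SAMPLE_DUMP = "<Events>\n" + "".join([
    _event(4624, "jsmith", "CORPDOM", 3, "WS-JSMITH", "10.5.1.23"),
    _event(4624, "jsmith", "CORPDOM", 3, "WS-JSMITH", "10.5.1.23"),
    _event(4624, "WS-JSMITH$", "CORPDOM", 3, "WS-JSMITH", "10.5.1.23"),
    _event(4624, "svc_pos", "CDEDOM", 3, "POS-07", "172.16.10.7"),
    _event(4625, "jsmith", "CORPDOM", 3, "WS-JSMITH", "10.5.1.23"),
]) + "</Events>\n"


def parse_logons(xml_stream):
    """Yield (ip, domain, username, workstation) for every 4624 event.

    iterparse with clear() keeps memory flat on a dump of hundreds of
    thousands of records; only whole <Event> elements are cleared, so their
    <Data> children are still present at the moment they are read.
    """
    for _, elem in ET.iterparse(xml_stream, events=("end",)):
        if elem.tag != NS + "Event":
            continue
        if elem.findtext(f"./{NS}System/{NS}EventID") == "4624":
            data = {d.get("Name"): (d.text or "").strip()
                    for d in elem.iterfind(f"./{NS}EventData/{NS}Data")}
            yield tuple(data.get(FIELDS[col], "") for col in FIELDS)
        elem.clear()


def unique_logons(source):
    """Sorted, de-duplicated rows (the collector's sort|uniq). Accepts the XML
    text itself or an open file object, so large dumps need not be read whole."""
    stream = io.StringIO(source) if isinstance(source, str) else source
    return sorted(set(parse_logons(stream)))


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(list(FIELDS))
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python parse_4624.py CORPDOM-dump.xml > CORPDOM-logons.csv
    # (with no argument the constructed sample above is parsed instead)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            rows = unique_logons(fh)
    else:
        rows = unique_logons(SAMPLE_DUMP)
    sys.stdout.write(to_csv(rows))
```

On the sample the five records collapse to three rows: the duplicate jsmith logon is folded, the 4625 is dropped, and the WS-JSMITH$ machine account is kept so that the analysis step can decide whether to filter it.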
sleat-analyze.rb - Ruby script for validating scope, identifying locations of privileged users, building graphs of logon relationships, and more.
By default, the script shows a fully verbose dump:
This output can be filtered using various options. For example, filtering out corporate hosts:
Filtering out machine accounts and domain\username from output:
Instead of finding hosts based on their scope, you may want to find hosts that belong to a privileged user. Let’s say a list of privileged users resides in a file named privusers.txt:
This file can be passed with the -p option to show only logons for these users. The domain portion is ignored when matching, which also helps surface accounts with the same name across different domains:
Each time the script is run, two files are generated: inscope.dot and outscope.dot. The reminder at the end of the output shows how to render these dot files into a visual graph using neato. The dot files are overwritten on every run, so they only reflect the results of the latest sleat-analyze.rb invocation.
Example output of inscope.dot.png. Red nodes indicate CDE networks, light green nodes indicate corporate networks:
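Added example, not sleat's own code: a Python version of the analysis step described above. It takes the four-column logon CSV plus the corp and CDE network lists, tags each logon as corp, CDE or out of scope, optionally keeps only the users in a privileged-user list (matching on the bare username, domain ignored) and drops machine accounts, then writes inscope/outscope dot files for neato. It goes slightly beyond the page in one respect: 4624 records from console and service logons carry "-" or a loopback address as the source, and the example classifies those as "local" rather than wrongly flagging them as out of scope. The CSV header, the sample users, hosts and addresses, and the graph layout are all my assumptions; the colours follow the rendering the page describes.

```python
import argparse
import csv
import io
import ipaddress

# Constructed inputs (hypothetical users, hosts and addresses) in the layouts the
# page describes: a four-column logon CSV and newline-delimited CIDR lists. The
# CSV header names are assumed; sleat's actual header is not shown on the page.
SAMPLE_LOGONS = """ip,domain,username,workstation
10.5.1.23,CORPDOM,jsmith,WS-JSMITH
10.5.1.23,CORPDOM,WS-JSMITH$,WS-JSMITH
172.16.10.7,CDEDOM,svc_pos,POS-07
172.16.10.7,CDEDOM,admin.smith,POS-07
192.168.77.4,CORPDOM,admin.smith,CONTRACTOR-LT
-,CORPDOM,SYSTEM,DC01
"""
SAMPLE_CORP = "10.5.1.0/24\n10.5.2.0/24\n"
SAMPLE_CDE = "172.16.10.0/24\n"
SAMPLE_PRIVUSERS = "admin.smith\n"

# Node colours follow the page's rendering: red for CDE, light green for corporate.
COLOURS = {"cde": "red", "corp": "lightgreen", "outscope": "orange", "local": "grey"}


def load_networks(text):
    """One CIDR per line; blank lines and '#' comments are skipped."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def classify(ip, corp, cde):
    """CDE wins over corp if the lists overlap. 'local' covers the '-' and
    loopback sources that console and service logons put in IpAddress."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "local"
    if addr.is_loopback:
        return "local"
    if any(addr in net for net in cde):
        return "cde"
    if any(addr in net for net in corp):
        return "corp"
    return "outscope"


def analyze(csv_text, corp_text, cde_text, privusers_text=None,
            skip_machine_accounts=True):
    """Tag every logon row with its scope; optionally keep only privileged users
    (matched on the bare username, domain ignored) and drop machine accounts."""
    corp, cde = load_networks(corp_text), load_networks(cde_text)
    priv = {u.strip().lower() for u in (privusers_text or "").splitlines() if u.strip()}
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"]
        if skip_machine_accounts and user.endswith("$"):
            continue
        if priv and user.lower() not in priv:
            continue
        rows.append({**row, "scope": classify(row["ip"], corp, cde)})
    return rows


def to_dot(rows, in_scope=True):
    """Undirected graph of user -- source host edges for neato. in_scope=True
    keeps corp and CDE sources (inscope.dot); False keeps out-of-scope ones."""
    keep = {"corp", "cde"} if in_scope else {"outscope"}
    nodes, edges = {}, set()
    for r in rows:
        if r["scope"] not in keep:
            continue
        src = f'{r["ip"]} ({r["workstation"]})'
        nodes[src] = COLOURS[r["scope"]]
        # DOT needs the backslash doubled for it to render as DOMAIN\user.
        edges.add((r["domain"] + "\\\\" + r["username"], src))
    out = ["graph logons {", "  overlap=false;"]
    out += [f'  "{n}" [style=filled, fillcolor={c}];' for n, c in sorted(nodes.items())]
    out += [f'  "{u}" -- "{s}";' for u, s in sorted(edges)]
    return "\n".join(out + ["}"]) + "\n"


def _read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="scope 4624 logons and emit dot files")
    ap.add_argument("logons_csv"); ap.add_argument("corp_networks"); ap.add_argument("cde_networks")
    ap.add_argument("-p", "--privusers", help="file of privileged usernames, one per line")
    a = ap.parse_args()
    rows = analyze(_read(a.logons_csv), _read(a.corp_networks), _read(a.cde_networks),
                   _read(a.privusers) if a.privusers else None)
    for r in rows:
        print(f'{r["scope"]:8} {r["ip"]:15} {r["domain"]}\\{r["username"]} from {r["workstation"]}')
    for name, flag in (("inscope.dot", True), ("outscope.dot", False)):
        with open(name, "w") as fh:
            fh.write(to_dot(rows, flag))
    print("render with: neato -Tpng inscope.dot -o inscope.dot.png")
```

Run on the constructed sample with the privileged-user list, the output is the finding a tester is after: admin.smith appears both from a CDE host (172.16.10.7) and from 192.168.77.4, an address in neither scope file, and only the latter lands in outscope.dot. The neato command printed at the end renders the graph to PNG with Graphviz.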
To Do
Currently only a single CSV can be analyzed. Extend the analyzer to handle multiple CSVs, correlate them, and build dot files showing the mesh of logons across hosts.
Filter duplicates when using the -u option in sleat-analyze.rb
Add a filter to match (or exclude) specified domain names
Multithread the PowerShell script to collect logs from multiple hosts simultaneously and write them back to an open share (Routehunter-style)
Investigate other useful event types to analyze (currently only 4624 is inspected)