Microsoft Always On VPN
Overview
- Vendor:
- Supported environment:
- Version compatibility:
- Detection based on: Telemetry
- Supported application or feature: Microsoft Always On VPN is a Windows feature allowing secure connection to protected networks.
This guide will explain how to forward Network Policy Server (NPS) logs to Sekoia.io
Configure
NXLog agent to a syslog concentrator
Configuring NPS logging
Refer to the Microsoft documentation to activate the NPS logging on the server. The logs should be written as files with the IAS (legacy) format.
NXLog setup on Windows
This section describes how to configure NXLog to forward your Windows events through syslog.
First of all, download NXLog at the following link : https://nxlog.co/products/all/download. Then, open the NXLog configuration file at C:\Program Files (x86)\nxlog\conf\nxlog.conf and update it with the following instructions:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define SYSTEMROOT C:\Windows
define CERTDIR %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_syslog
</Extension>
<Input nps>
Module im_file
File '%SYSTEMROOT%\System32\LogFile\*.log'
</Input>
<Output concentrator>
Module om_tcp
Host CONCENTRATOR_HOST
Port 514
OutputType Syslog_TLS
Exec to_syslog_ietf();
</Output>
<Route eventlog_to_concentrator>
Path eventlog => concentrator
</Route>
In the above configuration make sure to replace
CONCENTRATOR_HOSTvariable by your syslog concentrator IP.
Restart the NXLog service through the Services tool as Administrator or use Powershell command line: Restart-Service nxlog
Forward logs to Sekoia.io
Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.
Enjoy your events
Go to the events page to watch your incoming events.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
"VPNTEST1","RAS",09/22/2022,13:32:06,2,,"DOMAIN\doe-j",,,,,,,,,,,,,,,1,2,11,"VPN TEST",0,"311 1 <REDACTED> 08/25/2022 03:41:37 317092",,,,"Microsoft: Carte à puce ou autre certificat",,,,,"317093",,,,,,,,,,,,,,,,,,,,,,,4,2,"VPN TEST",1,,,,
"VPNTEST1","RAS",09/22/2022,13:32:06,11,,"DOMAIN\doe-j",,,,,,,,,,,,,,,,,11,"VPN TEST",0,"311 1 <REDACTED> 08/25/2022 03:41:37 317091",30,,,,,,,,"317092",,,,,,,,,,,,,,,,,,,,,,,,,"VPN TEST",1,,,,
"VPNTEST1","RAS",09/22/2022,13:32:06,1,"jdoe@mydomain.org","DOMAIN\doe-j","5.6.7.8","4.3.2.1",,,"VPNTEST1","1.2.3.4",1519,,"1.2.3.4","VPNTEST1",,,5,,1,2,11,"VPN TEST",0,"311 1 <REDACTED> 08/25/2022 03:41:37 317092",,,,"Microsoft: Carte à puce ou autre certificat",,,,,"317093",,,,,,,,,79617,1,"4.3.2.1","5.6.7.8",,,,,,,"MSRASV5.20",311,,,,,"VPN TEST",1,,,"MSRAS-0-UC11480","MSRASV5.20"
"VPNTEST1","RAS",09/22/2022,13:32:06,4,"jdoe@mydomain.org",,"5.6.7.8","4.3.2.1",,"172.16.2.58","VPNTEST1","1.2.3.4",1519,,"1.2.3.4","VPNTEST1",1663846326,,5,,1,2,,,0,"311 1 <REDACTED> 08/25/2022 03:41:37 317092",,,,,1,,,,"317093",3,,,,,"50765",1,,79617,1,"4.3.2.1","5.6.7.8",,,,,,,"MSRASV5.20",311,,,0,,"VPN TEST",,,,"MSRAS-0-UC11480","MSRASV5.20"
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Microsoft Always On VPN. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Microsoft Always On VPN on ATT&CK Navigator
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
Dynamic DNS Contacted
Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.
- Effort: master
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: master
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Authentication logs |
Authentication packets are logged |
Network device logs |
Network packets are logged by Always On VPN |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | `` |
| Category | network |
| Type | `` |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,2,,\"DOMAIN\\doe-j\",,,,,,,,,,,,,,,1,2,11,\"VPN TEST\",0,\"311 1 <REDACTED> 08/25/2022 03:41:37 317092\",,,,\"Microsoft: Carte \u00e0 puce ou autre certificat\",,,,,\"317093\",,,,,,,,,,,,,,,,,,,,,,,4,2,\"VPN TEST\",1,,,,",
"event": {
"category": [
"network"
],
"type": [
"allowed"
]
},
"@timestamp": "2022-09-22T13:32:06Z",
"network": {
"protocol": "PPP"
},
"observer": {
"hostname": "VPNTEST1"
},
"related": {
"hosts": [
"VPNTEST1"
],
"user": [
"doe-j"
]
},
"rule": {
"name": "VPN TEST"
},
"service": {
"name": "RAS"
},
"user": {
"domain": "DOMAIN",
"name": "doe-j"
},
"windows": {
"remote_access_server": {
"authentication": {
"name": "PEAP",
"type": 11
},
"class": "311 1 <REDACTED> 08/25/2022 03:41:37 317092",
"framed_protocol": {
"name": "PPP",
"type": 1
},
"packet": {
"name": "Access-Accept",
"type": 2
},
"provider": {
"type": 1
},
"reason": {
"code": 0,
"name": "IAS_SUCCESS"
},
"service": {
"name": "Framed",
"type": 2
},
"session": {
"id": "317093"
}
}
}
}
{
"message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,11,,\"DOMAIN\\doe-j\",,,,,,,,,,,,,,,,,11,\"VPN TEST\",0,\"311 1 <REDACTED> 08/25/2022 03:41:37 317091\",30,,,,,,,,\"317092\",,,,,,,,,,,,,,,,,,,,,,,,,\"VPN TEST\",1,,,,",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2022-09-22T13:32:06Z",
"observer": {
"hostname": "VPNTEST1"
},
"related": {
"hosts": [
"VPNTEST1"
],
"user": [
"doe-j"
]
},
"rule": {
"name": "VPN TEST"
},
"service": {
"name": "RAS"
},
"user": {
"domain": "DOMAIN",
"name": "doe-j"
},
"windows": {
"remote_access_server": {
"authentication": {
"name": "PEAP",
"type": 11
},
"class": "311 1 <REDACTED> 08/25/2022 03:41:37 317091",
"packet": {
"name": "Access-Challenge",
"type": 11
},
"provider": {
"type": 1
},
"reason": {
"code": 0,
"name": "IAS_SUCCESS"
},
"session": {
"id": "317092",
"timeout": 30
}
}
}
}
{
"message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,1,\"jdoe@mydomain.org\",\"DOMAIN\\doe-j\",\"5.6.7.8\",\"4.3.2.1\",,,\"VPNTEST1\",\"1.2.3.4\",1519,,\"1.2.3.4\",\"VPNTEST1\",,,5,,1,2,11,\"VPN TEST\",0,\"311 1 <REDACTED> 08/25/2022 03:41:37 317092\",,,,\"Microsoft: Carte \u00e0 puce ou autre certificat\",,,,,\"317093\",,,,,,,,,79617,1,\"4.3.2.1\",\"5.6.7.8\",,,,,,,\"MSRASV5.20\",311,,,,,\"VPN TEST\",1,,,\"MSRAS-0-UC11480\",\"MSRASV5.20\"",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2022-09-22T13:32:06Z",
"network": {
"protocol": "PPP"
},
"observer": {
"hostname": "VPNTEST1"
},
"related": {
"hosts": [
"VPNTEST1"
],
"ip": [
"1.2.3.4",
"4.3.2.1"
],
"user": [
"doe-j"
]
},
"rule": {
"name": "VPN TEST"
},
"service": {
"name": "RAS"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.3.2.1",
"port": 1519
}
},
"user": {
"domain": "DOMAIN",
"email": "jdoe@mydomain.org",
"name": "doe-j"
},
"windows": {
"remote_access_server": {
"authentication": {
"name": "PEAP",
"type": 11
},
"class": "311 1 <REDACTED> 08/25/2022 03:41:37 317092",
"framed_protocol": {
"name": "PPP",
"type": 1
},
"packet": {
"name": "Access-Request",
"type": 1
},
"provider": {
"type": 1
},
"reason": {
"code": 0,
"name": "IAS_SUCCESS"
},
"service": {
"name": "Framed",
"type": 2
},
"session": {
"id": "317093"
},
"tunnel_medium": {
"name": "IPv4",
"type": 1
}
}
}
}
{
"message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,4,\"jdoe@mydomain.org\",,\"5.6.7.8\",\"4.3.2.1\",,\"172.16.2.58\",\"VPNTEST1\",\"1.2.3.4\",1519,,\"1.2.3.4\",\"VPNTEST1\",1663846326,,5,,1,2,,,0,\"311 1 <REDACTED> 08/25/2022 03:41:37 317092\",,,,,1,,,,\"317093\",3,,,,,\"50765\",1,,79617,1,\"4.3.2.1\",\"5.6.7.8\",,,,,,,\"MSRASV5.20\",311,,,0,,\"VPN TEST\",,,,\"MSRAS-0-UC11480\",\"MSRASV5.20\"",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2022-09-22T13:32:06Z",
"network": {
"protocol": "PPP"
},
"observer": {
"hostname": "VPNTEST1"
},
"related": {
"hosts": [
"VPNTEST1"
],
"ip": [
"1.2.3.4",
"4.3.2.1"
]
},
"service": {
"name": "RAS"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.3.2.1",
"port": 1519
}
},
"user": {
"email": "jdoe@mydomain.org"
},
"windows": {
"remote_access_server": {
"class": "311 1 <REDACTED> 08/25/2022 03:41:37 317092",
"framed_protocol": {
"name": "PPP",
"type": 1
},
"packet": {
"name": "Accounting-Request",
"type": 4
},
"reason": {
"code": 0,
"name": "IAS_SUCCESS"
},
"service": {
"name": "Framed",
"type": 2
},
"session": {
"id": "317093"
},
"tunnel_medium": {
"name": "IPv4",
"type": 1
}
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
observer.hostname |
keyword |
Hostname of the observer. |
rule.name |
keyword |
Rule name |
service.name |
keyword |
Name of the service. |
source.ip |
ip |
IP address of the source. |
source.nat.ip |
ip |
Source NAT ip |
source.nat.port |
long |
Source NAT port |
user.domain |
keyword |
Name of the directory the user is a member of. |
user.email |
keyword |
User email address. |
user.name |
keyword |
Short name or login of the user. |
windows.remote_access_server.authentication.type |
number |
The code of the authentication scheme |
windows.remote_access_server.class |
keyword |
The attribute sent to the client in a Access-Accept packet |
windows.remote_access_server.framed_protocol.type |
number |
The type of the RADIUS framed protocol |
windows.remote_access_server.packet.type |
number |
The code of the RADIUS packet type |
windows.remote_access_server.provider.name |
keyword |
The name of the authentication provider |
windows.remote_access_server.provider.type |
number |
The code of the authentication provider |
windows.remote_access_server.reason.code |
number |
The code of the authentication status |
windows.remote_access_server.service.type |
number |
The code of the RADIUS service type |
windows.remote_access_server.session.id |
keyword |
The identifier of the session |
windows.remote_access_server.session.timeout |
number |
The timeout of the session |
windows.remote_access_server.tunnel_medium.type |
number |
The code of the RADIUS tunnel medium type |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.