Skip to content

Microsoft Always On VPN

Overview

Microsoft Always On VPN is a Windows feature allowing secure connection to protected networks.

This guide will explain how to forward Network Policy Server (NPS) logs to Sekoia.io

The following Sekoia.io built-in rules match the intake Microsoft Always On VPN. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Microsoft Always On VPN on ATT&CK Navigator

SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Authentication logs Authentication packets are logged
Network device logs Network packets are logged by Always On VPN

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind ``
Category network
Type ``

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,2,,\"DOMAIN\\doe-j\",,,,,,,,,,,,,,,1,2,11,\"VPN TEST\",0,\"311 1 <REDACTED> 08/25/2022 03:41:37 317092\",,,,\"Microsoft: Carte \u00e0 puce ou autre certificat\",,,,,\"317093\",,,,,,,,,,,,,,,,,,,,,,,4,2,\"VPN TEST\",1,,,,",
    "event": {
        "category": [
            "network"
        ],
        "type": [
            "allowed"
        ]
    },
    "@timestamp": "2022-09-22T13:32:06Z",
    "network": {
        "protocol": "PPP"
    },
    "observer": {
        "hostname": "VPNTEST1"
    },
    "related": {
        "hosts": [
            "VPNTEST1"
        ],
        "user": [
            "doe-j"
        ]
    },
    "rule": {
        "name": "VPN TEST"
    },
    "service": {
        "name": "RAS"
    },
    "user": {
        "domain": "DOMAIN",
        "name": "doe-j"
    },
    "windows": {
        "remote_access_server": {
            "authentication": {
                "name": "PEAP",
                "type": 11
            },
            "class": "311 1 <REDACTED> 08/25/2022 03:41:37 317092",
            "framed_protocol": {
                "name": "PPP",
                "type": 1
            },
            "packet": {
                "name": "Access-Accept",
                "type": 2
            },
            "provider": {
                "type": 1
            },
            "reason": {
                "code": 0,
                "name": "IAS_SUCCESS"
            },
            "service": {
                "name": "Framed",
                "type": 2
            },
            "session": {
                "id": "317093"
            }
        }
    }
}
{
    "message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,11,,\"DOMAIN\\doe-j\",,,,,,,,,,,,,,,,,11,\"VPN TEST\",0,\"311 1 <REDACTED> 08/25/2022 03:41:37 317091\",30,,,,,,,,\"317092\",,,,,,,,,,,,,,,,,,,,,,,,,\"VPN TEST\",1,,,,",
    "event": {
        "category": [
            "network"
        ],
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-09-22T13:32:06Z",
    "observer": {
        "hostname": "VPNTEST1"
    },
    "related": {
        "hosts": [
            "VPNTEST1"
        ],
        "user": [
            "doe-j"
        ]
    },
    "rule": {
        "name": "VPN TEST"
    },
    "service": {
        "name": "RAS"
    },
    "user": {
        "domain": "DOMAIN",
        "name": "doe-j"
    },
    "windows": {
        "remote_access_server": {
            "authentication": {
                "name": "PEAP",
                "type": 11
            },
            "class": "311 1 <REDACTED> 08/25/2022 03:41:37 317091",
            "packet": {
                "name": "Access-Challenge",
                "type": 11
            },
            "provider": {
                "type": 1
            },
            "reason": {
                "code": 0,
                "name": "IAS_SUCCESS"
            },
            "session": {
                "id": "317092",
                "timeout": 30
            }
        }
    }
}
{
    "message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,1,\"jdoe@mydomain.org\",\"DOMAIN\\doe-j\",\"5.6.7.8\",\"4.3.2.1\",,,\"VPNTEST1\",\"1.2.3.4\",1519,,\"1.2.3.4\",\"VPNTEST1\",,,5,,1,2,11,\"VPN TEST\",0,\"311 1 <REDACTED> 08/25/2022 03:41:37 317092\",,,,\"Microsoft: Carte \u00e0 puce ou autre certificat\",,,,,\"317093\",,,,,,,,,79617,1,\"4.3.2.1\",\"5.6.7.8\",,,,,,,\"MSRASV5.20\",311,,,,,\"VPN TEST\",1,,,\"MSRAS-0-UC11480\",\"MSRASV5.20\"",
    "event": {
        "category": [
            "network"
        ],
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-09-22T13:32:06Z",
    "network": {
        "protocol": "PPP"
    },
    "observer": {
        "hostname": "VPNTEST1"
    },
    "related": {
        "hosts": [
            "VPNTEST1"
        ],
        "ip": [
            "1.2.3.4",
            "4.3.2.1"
        ],
        "user": [
            "doe-j"
        ]
    },
    "rule": {
        "name": "VPN TEST"
    },
    "service": {
        "name": "RAS"
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "nat": {
            "ip": "4.3.2.1",
            "port": 1519
        }
    },
    "user": {
        "domain": "DOMAIN",
        "email": "jdoe@mydomain.org",
        "name": "doe-j"
    },
    "windows": {
        "remote_access_server": {
            "authentication": {
                "name": "PEAP",
                "type": 11
            },
            "class": "311 1 <REDACTED> 08/25/2022 03:41:37 317092",
            "framed_protocol": {
                "name": "PPP",
                "type": 1
            },
            "packet": {
                "name": "Access-Request",
                "type": 1
            },
            "provider": {
                "type": 1
            },
            "reason": {
                "code": 0,
                "name": "IAS_SUCCESS"
            },
            "service": {
                "name": "Framed",
                "type": 2
            },
            "session": {
                "id": "317093"
            },
            "tunnel_medium": {
                "name": "IPv4",
                "type": 1
            }
        }
    }
}
{
    "message": "\"VPNTEST1\",\"RAS\",09/22/2022,13:32:06,4,\"jdoe@mydomain.org\",,\"5.6.7.8\",\"4.3.2.1\",,\"172.16.2.58\",\"VPNTEST1\",\"1.2.3.4\",1519,,\"1.2.3.4\",\"VPNTEST1\",1663846326,,5,,1,2,,,0,\"311 1 <REDACTED> 08/25/2022 03:41:37 317092\",,,,,1,,,,\"317093\",3,,,,,\"50765\",1,,79617,1,\"4.3.2.1\",\"5.6.7.8\",,,,,,,\"MSRASV5.20\",311,,,0,,\"VPN TEST\",,,,\"MSRAS-0-UC11480\",\"MSRASV5.20\"",
    "event": {
        "category": [
            "network"
        ],
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-09-22T13:32:06Z",
    "network": {
        "protocol": "PPP"
    },
    "observer": {
        "hostname": "VPNTEST1"
    },
    "related": {
        "hosts": [
            "VPNTEST1"
        ],
        "ip": [
            "1.2.3.4",
            "4.3.2.1"
        ]
    },
    "service": {
        "name": "RAS"
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "nat": {
            "ip": "4.3.2.1",
            "port": 1519
        }
    },
    "user": {
        "email": "jdoe@mydomain.org"
    },
    "windows": {
        "remote_access_server": {
            "class": "311 1 <REDACTED> 08/25/2022 03:41:37 317092",
            "framed_protocol": {
                "name": "PPP",
                "type": 1
            },
            "packet": {
                "name": "Accounting-Request",
                "type": 4
            },
            "reason": {
                "code": 0,
                "name": "IAS_SUCCESS"
            },
            "service": {
                "name": "Framed",
                "type": 2
            },
            "session": {
                "id": "317093"
            },
            "tunnel_medium": {
                "name": "IPv4",
                "type": 1
            }
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
event.category keyword Event category. The second categorization field in the hierarchy.
observer.hostname keyword Hostname of the observer.
rule.name keyword Rule name
service.name keyword Name of the service.
source.ip ip IP address of the source.
source.nat.ip ip Source NAT ip
source.nat.port long Source NAT port
user.domain keyword Name of the directory the user is a member of.
user.email keyword User email address.
user.name keyword Short name or login of the user.
windows.remote_access_server.authentication.type number The code of the authentication scheme
windows.remote_access_server.class keyword The attribute sent to the client in a Access-Accept packet
windows.remote_access_server.framed_protocol.type number The type of the RADIUS framed protocol
windows.remote_access_server.packet.type number The code of the RADIUS packet type
windows.remote_access_server.provider.name keyword The name of the authentication provider
windows.remote_access_server.provider.type number The code of the authentication provider
windows.remote_access_server.reason.code number The code of the authentication status
windows.remote_access_server.service.type number The code of the RADIUS service type
windows.remote_access_server.session.id keyword The identifier of the session
windows.remote_access_server.session.timeout number The timeout of the session
windows.remote_access_server.tunnel_medium.type number The code of the RADIUS tunnel medium type

Configure

NXLog agent to a syslog concentrator

Configuring NPS logging

Refer to the Microsoft documentation to activate the NPS logging on the server. The logs should be written as files with the IAS (legacy) format.

NXLog setup on Windows

This section describes how to configure NXLog to forward your Windows events through syslog.

First of all, download NXLog at the following link : https://nxlog.co/products/all/download. Then, open the NXLog configuration file at C:\Program Files (x86)\nxlog\conf\nxlog.conf and update it with the following instructions:

 ## This is a sample configuration file. See the nxlog reference manual about the
 ## configuration options. It should be installed locally and is also available
 ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

 ## Please set the ROOT to the folder your nxlog was installed into,
 ## otherwise it will not start.

 #define ROOT C:\Program Files\nxlog
 define ROOT C:\Program Files (x86)\nxlog
 define SYSTEMROOT C:\Windows
 define CERTDIR %ROOT%\cert

 Moduledir %ROOT%\modules
 CacheDir %ROOT%\data
 Pidfile %ROOT%\data\nxlog.pid
 SpoolDir %ROOT%\data
 LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
  Module xm_syslog
</Extension>

<Input nps>
    Module    im_file
    File      '%SYSTEMROOT%\System32\LogFile\*.log'
</Input>

<Output concentrator>
  Module om_tcp
  Host CONCENTRATOR_HOST
  Port 514
  OutputType Syslog_TLS

  Exec to_syslog_ietf();
</Output>
<Route eventlog_to_concentrator>
  Path eventlog => concentrator
</Route>

In the above configuration make sure to replace CONCENTRATOR_HOST variable by your syslog concentrator IP.

Restart the NXLog service through the Services tool as Administrator or use Powershell command line: Restart-Service nxlog

Forward logs to Sekoia.io

Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.

Enjoy your events

Go to the events page to watch your incoming events.

Further Readings