
윈도우 보안 이벤트 // IIS 로그 분석

vencedor 2016. 6. 21. 16:27

보안 이벤트 넘버

%%2305 The specified user account has expired. (532)
%%2309 The specified account's password has expired. (535)
%%2310 Account currently disabled. (531)
%%2311 Account logon time restriction violation. (530)
%%2312 User not allowed to logon at this computer. (533)
%%2313 Unknown user name or bad password. (529)


IIS 로그 파서

MSSQL 형식으로 로그 분석

logparser -i:FS "SELECT TOP 20 Path, CreationTime FROM C:\inetpub\wwwroot\*.* ORDER BY CreationTime DESC" -rtp:-1 
최근 생성된 시간을 기준으로 찾기

logparser -i:FS "SELECT TOP 20 Path, LastWriteTime FROM C:\inetpub\wwwroot\*.* ORDER BY LastWriteTime DESC" -rtp:-1
최근 수정된 파일 찾기

logparser "SELECT DISTINCT TO_LOWERCASE(cs-uri-stem) AS URL, Count(*) AS Hits FROM ex*.log WHERE sc-status=200 GROUP BY URL ORDER BY URL"    -rtp:-1  
악성 파일을 삭제할 경우 200 OK 로그 찾기

logparser -i:FS "SELECT TO_LOWERCASE(SUBSTR(Name, LAST_INDEX_OF(Name, '.'),  STRLEN(Name))) AS Extenstion, Count(*) AS Files FROM C:\inetpub \wwwroot\*.*, C:\inetpub\scripts\*.* WHERE Attribute NOT LIKE 'D%' GROUP BY Extenstion ORDER BY Files DESC" -rtp:-1 
Script Abuse 분석(exe, dll 등의 파일 찾기)

logparser "SELECT [cs-uri-stem], [cs-uri-query], Count(*) AS [Hits] FROM c:\logs\web\ex*.log WHERE sc-status = 500 GROUP BY [cs-uri-stem], [cs-uri-query] ORDER BY [hits], [cs-uri-stem] DESC" -rtp:-1 -i:iisw3c
500 에러코드 검사

logparser "SELECT TO_STRING(TO_TIMESTAMP(date, time), 'yyyy-MM-dd') AS Day, cs-uri-stem, Count(*) AS Total ex*.log WHERE (sc-status<400 or sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%.exe') GROUP BY Day, cs-uri-stem ORDER BY cs-uri-stem, Day" -rtp:-1 
가장 많은 리퀘스트 히트 찾기

logparser "SELECT date, QUANTIZE(time, 3600) AS hour, sc-status, Count(*) AS Errors FROM ex03*.log WHERE sc-status>=400 GROUP BY date, hour, sc-status HAVING Errors>25 ORDER BY Error DESC" -rtp:-1 
시간당 에러수가 가장 많이 발생한 날짜 확인

logparser "SELECT DISTINCT date, cs-uri-stem, c-ip, Count(*) AS Hits FROM ex*.log GROUP BY date, c-ip, cs-uri-stem HAVING Hits>50 ORDER BY Hits DESC" -rtp:-1 
하루동안 50번이상 동일 페이지에 접속을 시도한 Client IP 찾기

logparser "SELECT cs-uri-query, Count(*) AS Total FROM ex*.log WHERE sc-status>=500 GROUP BY cs-uri-query ORDER BY Total DESC" -rtp:-1 
모든 에러 기록 확인

logparser "SELECT cs-uri-stem, sc-status, Count(*) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem, sc-status ORDER BY cs-uri-stem, sc-status" -rtp:-1 
스크립트 및 Executable 파일의 HTTP 서버 코드 기록 확인

logparser "SELECT cs-uri-stem, WIN32_ERROR_DESCRIPTION(sc-win32-status) AS Error, Count(*) AS Total FROM ex*.log WHERE sc-win32-status>0 AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, Error ORDER BY cs-uri-stem, Error" -rtp:-1
Win32 Status Code 분석을 통한 Attack 확인

logparser "SELECT cs-uri-stem, cs-method, Count(*) AS Total FROM ex*.log WHERE (sc-status<400 or sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, cs-method ORDER BY cs-uri-stem, cs-method" -rtp:-1  
HTTP 메소드 통계 분석