CVE-2019-18935 – Using Powershell to review IIS and Windows Logs (Searching for IoC)

This article is closer to a cyber-security piece than a software-development one, both in its content and in part of the vocabulary used, but don't be put off. I wanted to keep it very practical and give you a simple example of the kind of tool anyone can build or use in scenarios such as incident response.

Cyber-Security

I always described cybersecurity as a moving target.

Regardless of your role in IT, or simply as a user or consumer, there is a lot to be aware of when you use any product or service.

Keeping up to date is very important in this field. Podcasts, blogs and websites are a good way to access curated information, but I always recommend going to the source whenever possible (nist.gov, mitre.gov or similar organisations).

CVE

One important concept, which I take for granted you are already familiar with, is Common Vulnerabilities and Exposures (CVE).

In this article I will use a specific scenario: I wanted to build a script to find out whether some servers had already been compromised, rather than just whether they were affected by this vulnerability (CVE-2019-18935: link 1, link 2).

IoC

Such pieces of evidence are called Indicators of Compromise (IoC) in computer forensics. In this example I wanted to review IIS logs for a matching request pattern and look for specific error entries in the Windows Event logs.

The process could be done manually for a few log files, but as the number of logs and servers grows that is no longer practical.

I wanted to write something quickly that would be simple for colleagues to read and tweak, and that could be extended and scaled out for larger environments.

FROM: https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors

Check-CVE-2019-18935.ps1

This script is meant to be run locally. The only setting you need to change is IISLogFolder, the folder where the IIS logs for your websites are stored.

Running this script against a test file returned this output.
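To make the two checks concrete, here is an added sketch of the same approach; it is not the author's Check-CVE-2019-18935.ps1 (that lives on the linked repository). It parses W3C-format IIS logs for POST requests to the RadAsyncUpload handler the CVE concerns and then lists Application-log errors from the same time window; the $IISLogFolder default, the request pattern and the event-source filter are assumptions to adjust for your environment.

```powershell
# Added example, not the author's Check-CVE-2019-18935.ps1. Assumptions: the
# $IISLogFolder default, the RadAsyncUpload request pattern and the event-source
# filter are ours; adjust them to your environment.
param(
    [string]$IISLogFolder = 'C:\inetpub\logs\LogFiles\W3SVC1',
    # Handler abused by CVE-2019-18935 (assumption taken from the public advisory)
    [string]$StemPattern  = 'Telerik\.Web\.UI\.WebResource\.axd',
    [string]$QueryPattern = 'type=rau'
)
function ConvertFrom-IISLog {
    # Turns a W3C-format IIS log into objects named after its own '#Fields:' header
    # (e.g. cs-uri-stem becomes cs_uri_stem). IIS writes these timestamps in UTC.
    param([string]$Path)
    $fields = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line.Substring(8).Trim() -split '\s+') -replace '[()-]', '_'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

# 1. Requests to the vulnerable handler: a hit is worth investigating, not proof by itself
$hits = Get-ChildItem -Path $IISLogFolder -Filter '*.log' -Recurse |
    ForEach-Object { ConvertFrom-IISLog -Path $_.FullName } |
    Where-Object { $_.cs_method -eq 'POST' -and $_.cs_uri_stem -match $StemPattern -and
                   $_.cs_uri_query -match $QueryPattern }
if (-not $hits) { Write-Output "No matching requests found under $IISLogFolder"; return }

$hits | Group-Object c_ip | Sort-Object Count -Descending |
    Select-Object Count, @{n = 'ClientIP'; e = { $_.Name }} | Format-Table -AutoSize
$hits | Select-Object date, time, c_ip, cs_uri_stem, cs_uri_query, sc_status, cs_User_Agent_ |
    Format-Table -AutoSize

# 2. Application-log errors in the same window (converted from the logs' UTC to local time)
$times = $hits | ForEach-Object { [datetime]::SpecifyKind([datetime]"$($_.date) $($_.time)", 'Utc') } |
    Sort-Object
$filter = @{ LogName = 'Application'; Level = 2
             StartTime = $times[0].AddMinutes(-5).ToLocalTime()
             EndTime   = $times[-1].AddMinutes(5).ToLocalTime() }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'ASP\.NET|\.NET Runtime|Application Error' } |
    Select-Object TimeCreated, Id, ProviderName, @{n = 'Message'; e = { ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize
```

Run it on the web server itself (or point $IISLogFolder at copied logs and skip the event-log step), and treat the per-IP counts and the surrounding error events as leads for a closer look rather than a verdict.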

Conclusions

I wanted to share this as a practical example that turning a CVE into a script is, most of the time, not that complicated.

Once again, the idea is to read the CVE, extract the requirements for your script and build your tool as quickly as possible.

Needless to say, these types of scripts will not replace log aggregation or a good log-management tool and platform.

I hope that you’ve found this article useful. This script is available on my GitHub repository. 
