Monthly Archives: July 2015

Sysinternals Sysmon – monitoring your system and handling the output

I’ve been excited about the long past announcement (Aug 2014) of a new utility from Sysinternals – Sysmon!

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.

In one of the Channel 9 videos Mark Russinovich talks about how it helped him track down the original point of entry of a malware application. Mark is an amazing guy.

I was immediately hooked, so Sysmon has been installed on all my home devices and on the devices that my relatives force me to support. Plus it’s a cool way to keep your paranoia in check and find out who installed that piece of software on your favourite Terminal (oops, Remote Desktop Services!) Server.

Now, the link above has all the installation and configuration instructions, so I won’t dig into them.

The minor issue I had with the tool is that it lacked structured output. Most of the useful information is stored in the message block of the Event Viewer log, for example:

Process Create:
UtcTime: 19/07/2015 06:35
ProcessGuid: {0021847f-454d-55ab-0000-00109a1f330b}
ProcessId: 7944
Image: C:\WINDOWS\system32\wbem\wmiprvse.exe
CommandLine: C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
User: NT AUTHORITY\SYSTEM
LogonGuid: {***************}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
HashType: SHA1
Hash: D06DFEC8ACA88E68A9CECBCF3379B20FF73E6D72
ParentProcessGuid: {0021847f-492f-55a7-0000-001049c00000}
ParentProcessId: 844
ParentImage: C:\WINDOWS\system32\svchost.exe
ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch

I’ve finally decided it’s time to make the output a bit more readable (and my definition of readable was .csv and Pivot Tables in Microsoft Excel), so I wrote a nice script that converts the Event Viewer Sysmon log into .csv for some quality reading and analysis. The alternative would be to convert it to XML and work my way from there, but it’s .csv for now.

The main issues were that I had gotten a bit rusty using the string class and its methods, and that the conversion to .csv required working with an array of objects that have different numbers of properties, so the conversion wasn’t always picking up all the data; stackoverflow.com had the answer to that issue.

The conversion is still a bit messy sometimes, but that doesn’t bother me; the data is more or less readable and visible in Excel.
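As an added example (my own code, not the author’s New-SysmonCsvReport.ps1) of the two steps described above: parsing the “Key: Value” message block of each Sysmon event into an object, and exporting rows that have different property sets without Export-Csv silently dropping columns. It assumes the default Sysmon log name Microsoft-Windows-Sysmon/Operational; the parameter names, the function name and the short sample block are my own.

```powershell
# Added example, not the author's New-SysmonCsvReport.ps1: turn the "Key: Value" message
# block of Sysmon events into objects and export a CSV that keeps every column.
# Assumes Sysmon writes to Microsoft-Windows-Sysmon/Operational (its default log).
param(
    [string]$OutFile   = "$env:TEMP\sysmon-report.csv",
    [int]   $MaxEvents = 5000
)

function ConvertFrom-SysmonMessage {
    param(
        [Parameter(Mandatory)][string]$Message,
        [int]$EventId,
        [datetime]$TimeCreated
    )
    # Fixed columns first so every row starts the same way in Excel.
    $record = [ordered]@{ TimeCreated = $TimeCreated; EventId = $EventId; EventType = '' }
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^(?<key>[A-Za-z0-9]+):\s*(?<value>.*)$') {
            # "ProcessId: 7944", "Image: C:\...", "RuleName: -" and so on
            $record[$Matches['key']] = $Matches['value'].Trim()
        }
        elseif ($line -match '^(?<type>[^:]+):\s*$' -and -not $record['EventType']) {
            # Header line such as "Process Create:" or "Network connection detected:"
            $record['EventType'] = $Matches['type'].Trim()
        }
    }
    [pscustomobject]$record
}

# Constructed sample (a few lines of the Process Create block quoted above) so the
# parser can be tried without a live log.
$sample = "Process Create:`r`nUtcTime: 19/07/2015 06:35`r`nProcessId: 7944`r`n" +
          "Image: C:\WINDOWS\system32\wbem\wmiprvse.exe`r`nUser: NT AUTHORITY\SYSTEM"
ConvertFrom-SysmonMessage -Message $sample -EventId 1 -TimeCreated (Get-Date) | Format-List

# Live log: one object per event, whatever its event type.
$rows = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents $MaxEvents |
    ForEach-Object {
        ConvertFrom-SysmonMessage -Message $_.Message -EventId $_.Id -TimeCreated $_.TimeCreated
    }

# Export-Csv takes its header from the FIRST object only, so a network-connection event
# following a process-create event would lose its own columns. Build the union of all
# property names and Select-Object over it; absent properties become empty cells.
$columns = $rows | ForEach-Object { $_.PSObject.Properties.Name } | Select-Object -Unique
$rows | Select-Object -Property $columns |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $(@($rows).Count) events with $($columns.Count) columns to $OutFile"
```

Run it from an elevated PowerShell prompt (the Sysmon log requires administrator rights to read) and open the resulting .csv in Excel for the Pivot Table treatment.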


Now I can track down all the started apps, the network connections, which users started the apps, where their connections went and so forth. I know there are probably a lot more complicated and fancy solutions on the market, but Sysmon is easy, small and free; what can be better?

Grab your script copy New-SysmonCsvReport.ps1. No warranties.

Virtual Mobile Devices

“Virtual Mobile Devices” – now that’s an expression you don’t hear often. The first thing that pops up in my mind is the platform for developers – Xamarin, which isn’t really correct, because that is a way to code your apps in C# and instantly make them available cross-platform – iOS, Android, Windows Phone.

Turns out there is a company that tries to make a living out of the “Virtual Mobile Device” concept – remotium.com.

Fancy sales slogans – “VIRTUAL MOBILE DEVICES LET YOU WORK WHERE YOU ARE”. But wait, I can already work where I am using a number of other crazy technologies such as the Inbox application (which is really good) on my Android, or a laptop configured with a VPN or DirectAccess to my enterprise network. “Why do I need this product?” was the question I asked myself.

This post cleared out some confusion:

Let’s start with the basics.  VDI was originally developed to free desktops and desktop apps from the chains of form factor.  Once a desktop is virtualized it can be accessed from any device that supports a viewer.  But mobile apps don’t need to be mobilized – they already run on mobile devices.  So virtual mobility is done for a different reason: to give IT simple, bulletproof controls for managing mobile apps and data.

VDI solutions simply run the stock Windows OS, and cannot provide the levels of application control and visibility that VMI solutions like Remotium Virtual Mobile Platform provide.  Working from the base Android Open Source Platform (AOSP), we have unparalleled visibility and control over app behavior.  For example, Remotium VMP enables IT administrators to apply HTTP and iptables-style filtering to individual apps.  VDI can’t do that.  Neither can it override app permissions to prevent specific apps from accessing contacts, calendars or location data – all built in functions in Remotium VMP.  The audit trails that Remotium VMP can create with an instrumented OS leave VDI solutions in the dust.  VDI might be able to deliver a mobile app, but it can’t secure it the way VMI can.

So the product is all about security measures and auditing for your already written enterprise mobile applications.

What happens on the technical side is that you download a client application on your phone that receives streaming data from a server. The mobile application itself runs on the server side and only the visual data is streamed to your phone.


This allows for all sorts of security lockdowns – buffer, screenshots, network.

Navigation is only inside the app, with switching between the different applications that are available in the locked-down environment. There is a built-in 2-step verification with an additional PIN for accessing the app itself – “Workspace”.

In my opinion the streaming protocol could be better, I would say the experience is uncomfortable and not just for graphics-heavy content – even writing an e-mail feels like earlier versions of Citrix solutions. Here are a few demo videos – one and two.

Remotium requires an always-on internet connection (what doesn’t, nowadays?), so there were some technical glitches along the way – “Error – could not connect to remote session.” and timeouts/black screens.

Traffic usage is something to keep in mind as well. I used the app for about 10 minutes and it consumed ~15.58Mb over my Wi-Fi network, that’s about ~93.48 Mb per hour.

Remotium is a lot like XenDesktop/XenApp, but for streaming mobile apps, with all the benefits this brings; it will do what is advertised if you need to lock down a specific enterprise app.

Sometimes it will be easier to code additional changes into the original application instead. Sometimes it will be easier to use the pre-built bundle of enterprise productivity applications (mail, calendar, file sharing) from one of the Enterprise Mobility Management vendors – VMware AirWatch, MobileIron, Citrix, IBM, Microsoft, etc.

Sometimes you can re-use what you have and lock it down using this solution. And maybe restricting/securing and managing apps on mobile devices is not worth the effort for most organizations. We shall see.

Amazon AppStream

Wanted to do a review of “Amazon AppStream” – Amazon AppStream lets you deliver your Windows applications to any device. Started with the intro video first; the emphasis is on heavy graphics, cross-platform support and scalability.

Got pushed away by the pricing – 132.8$ per user per month or 192$ per user per month – and by region availability – no Europe.

What’s pretty cool is that they allow you to develop your own client app and some other custom features (such as an Entitlement Service).

Will have to get back to this when things improve.

Notes:

  • 01-Jul-2015 No Europe. Limited region availability – “Q: What regions will my application be streamed from? A: AppStream is available in US East (N.Virginia) and Asia Pacific (Tokyo). AppStream will stream the application from the region in which it has been deployed to.”
  • 01-Jul-2015 Pricey. $0.83/hr (US East (N.Virginia)) and $1.20/hr (Asia Pacific (Tokyo)). At 160 working hours per month that is 132.8$ per user per month or 192$ per user per month.
  • Amusing comment – “During the streaming application deployment, you may experience poor performance. This is caused by the Windows Remote Desktop Protocol (RDP) connection to the instance and does not reflect the actual streaming performance.”