Auditing Scenarios for Web Application Hosted in IIS - Part 1 - SSL Binding Modified

Microsoft

Feb 08, 2023

I have come across a few instances Root Cause Analysis (RCA) was requested for issues related to a web application that were caused by factors such as:

Changes in permission of the Application Root folder.
Web site being deleted.
SSL certificate binding modified.

Furthermore, there were times when using Process Monitor - Sysinternals | Microsoft Learn was not possible because the problem was intermittent, such as when files were being written to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys at irregular intervals.

The steps below assisted me in enabling auditing to log the necessary events in each scenario. Please feel free to check other parts of this blog:

Scenario 1: SSL binding modified:

When we configure an SSL Binding for HTTPs in IIS, a registry entry is made to the path HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HTTP\PARAMETERS\. This is used by HTTP.sys driver for TLS handshake. You can also view all the SSL bindings using netsh http show sslcert.

References:

Option 1: Using Sysmon to monitor Registry.

===================================

Sysmon - Sysinternals | Microsoft Learn is great tool for "offline monitoring" of processes, file I/O and registry. We can setup Sysmon configuration to write events for Registry activity on HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HTTP\PARAMETERS\.

Sample Steps (configure as needed):

========

Download and extract Sysmon from Sysmon - Sysinternals | Microsoft Learn.
Install Sysmon drivers:
- Sysmon64 -i (run as administrator)
Create a configuration file - regedit.xml for monitoring the registry path:

<TargetObject condition="contains">Services\HTTP\Parameters</TargetObject>

</RegistryEvent>
</EventFiltering>

</Sysmon>

Configure sysmon:
- copy regedit.xml to extracted folder of sysmon.
- cd <folder to sysmon>
- sysmon64 -c regedit.xml
Notice the events 12,13 after a binding change in IIS:
- Event Viewer -> Application and Services Log -> Microsoft -> Windows -> Sysmon.
Uninstalling Sysmon:
- sysmon64 -u
More details and customization - Sysmon - Sysinternals | Microsoft Learn

Option 2: Using Operating System and IIS Auditing.

=====================================

For capturing SSL certificate changes, we found 3 types of Audits would help:

Registry Auditing – if changes done directly at registry level
Process Auditing (enabled by default) – If the changes are done using netsh.
IIS Configuration Auditing – If the changes are done using IIS Manager

Registry Auditing:

Open regedit and navigate to the registry key HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HTTP\PARAMETERS\
- Right Click and Select Permissions
- Select Advanced Permissions
- Go to Auditing Tab
- Click on Add
  - Click on Select Principal >> Add Everyone and click on advanced permissions. Select the checked permissions as mentioned in the below image.

Open Local Security Policy Editor (run >> secpol.msc)

Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry >> configure for success and failure )

If changes are made to the Audited Registry folder, we would see an event like below in security event logs:
Reference - 4657(S) A registry value was modified. (Windows 10) | Microsoft Learn

Audit Registry (Windows 10) | Microsoft Learn

2. Process Auditing

If the SSL cert is modified by netsh command, we can review process creation event in Security logs (usually enabled by default):

If you don't see process creation events, enable the auditing by referring below steps (or use GPO):
- run >> Secpol.msc >> Advanced Policy Configuration >> System Audit Policies:
  - Detailed Tracking >> Audit Process creation >> Configure for success and failure
References
- 4688(S) A new process has been created. (Windows 10) | Microsoft Learn
- Command line process auditing | Microsoft Learn

3. IIS Configuration Auditing