Permissions and UAC


SUMMARY

Permission issues produce different symptoms depending on the agent version: v5 agents will not display information on the latest events page, and for legacy agents the Snare service will not start after stopping.

For Legacy agents

If your Snare Agent fails to start with error 0x5, the good news is that the Snare Agent is working as it should! The issue is with Windows permissions raising Access Denied errors, because the agent cannot subscribe to the core event logs (you can check this in your Snare debug logs, see below).

For version 5 agents

In these agents no events are displayed.

Get your Snare debug logs

To identify this issue, please retrieve your debug logs. Start a command prompt as Administrator and, from c:\program files\snare, type:

net stop snare
snarecore -c -d9 > mydebuglogs.log

If you have permission issues, you may see an entry in your logs like [Snare 4.3.0](1712 - 21/06/2015 08:24:11): Failed to subscribe to 'Security' events. Error = 0x5]

Please investigate the following:

Check and Set Appropriate UAC

The user/group associated with the Snare service must have at least read access to, at minimum, the Security, System and Application logs. If the user/group associated with the Snare agent cannot access any of these logs, the agent (currently) will exit/crash.
 
Analysis of the SDDLs shows:
Application:
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
System:
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
Security:
channelAccess: O:BAG:SYD:(D;; 0xf0007;;;AN)(A;; 0x7;;;SO)(A;; 0x1;;;AO)
The simple explanation is that the "Event Log Readers" group does not have access to the Security log; the technical explanation follows.
Note that the following SDDL entry does NOT exist for the Security log:
(A;;0x1;;;S-1-5-32-573)
The SID of "Event Log Readers" is S-1-5-32-573 (http://support.microsoft.com/en-us/kb/243330); alternatively, use PsGetSID <user/group name> to get a SID (https://technet.microsoft.com/en-us/sysinternals/bb897417.aspx). 0x1 means generic access (http://www.netid.washington.edu/documentation/domains/sddl.aspx).
Currently (as per the SDDL), Anonymous logins (AN) are denied access, while Server Operators (SO) and Account Operators (AO) have access to the Security log.

How to Fix
To fix the problem, we must give the "Event Log Readers" group access to the Security log. Log in to the machine as administrator and do the following from an administrative command prompt:
  1. Type:

wevtutil gl security >> sddl.txt
  2. Edit sddl.txt and copy the text after channelAccess: As per the current SDDL it should be as follows.

O:BAG:SYD:(D;; 0xf0007;;;AN)(A;; 0x7;;;SO)(A;; 0x1;;;AO)
  3. Append (A;;0x1;;;S-1-5-32-573) to this line and it will be like the following

  4. Execute the following command via command prompt. Note: Input parameter is surrounded by ""

  5. To confirm that the SDDL on the Security log has been updated successfully, run the following command again

  6. The channelAccess: must be as follows:

  7. Now run/install the Snare agent and it should work.
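
The check and edit described in the analysis and "How to Fix" steps above, as an added Python example (not code from Snare or from this page). It tests whether a channelAccess string grants "Event Log Readers" the 0x1 right and, if not, inserts the ACE at the end of the DACL, ahead of any S: (SACL) section, where a plain append to the end of the string would land in the wrong list. The function names are illustrative, and the wevtutil sl ... /ca: form is the standard set-log syntax, not a command taken from this page.

```python
import re

ELR_SID = "S-1-5-32-573"  # "Event Log Readers" SID, as given on the page
READ = 0x1                # access mask in the ACE the page appends

# channelAccess values copied from the page's analysis section.
PAGE_SDDL = {
    "Application": "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)",
    "System": "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)",
    "Security": "O:BAG:SYD:(D;; 0xf0007;;;AN)(A;; 0x7;;;SO)(A;; 0x1;;;AO)",
}

def split_sddl(sddl):
    """Split into (owner/group + 'D:' + flags, DACL ACE text, optional SACL)."""
    m = re.fullmatch(r"(.*?D:[A-Z]*)((?:\([^()]*\))*)(S:.*)?", sddl.strip())
    if not m:
        raise ValueError("no DACL found in SDDL string")
    return m.group(1), m.group(2), m.group(3) or ""

def dacl_aces(sddl):
    """Yield (ace_type, mask, sid) per DACL ACE; only hex masks are decoded."""
    for body in re.findall(r"\(([^()]*)\)", split_sddl(sddl)[1]):
        f = [x.strip() for x in body.split(";")]
        if len(f) < 6:
            continue
        mask = int(f[2], 16) if f[2].lower().startswith("0x") else 0
        yield f[0], mask, f[5]

def grants_read(sddl, sid=ELR_SID):
    """True if an allow ACE names `sid` with the read bit and no deny ACE does.
    Only ACEs naming the SID itself are considered, not its group memberships."""
    hits = [t for t, mask, s in dacl_aces(sddl) if s == sid and mask & READ]
    return "A" in hits and "D" not in hits

def add_reader(sddl, sid=ELR_SID):
    """Append the read ACE to the DACL (before any 'S:' SACL) if it is missing."""
    if grants_read(sddl, sid):
        return sddl
    head, dacl, sacl = split_sddl(sddl)
    return f"{head}{dacl}(A;;{READ:#x};;;{sid}){sacl}"

def wevtutil_command(channel, sddl):
    """Build the set-log command; the whole parameter is quoted, as the page notes."""
    return f'wevtutil sl {channel} "/ca:{sddl}"'

if __name__ == "__main__":
    for name, sddl in PAGE_SDDL.items():
        print(name, "OK" if grants_read(sddl) else wevtutil_command(name, add_reader(sddl)))
```

Run against the three strings from the analysis, it reports Application and System as already readable and prints a set-log command only for Security.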

Check Permissions to Directories/Files

Check that the 'Event Log Readers' or 'eventlog' group has at least read permissions to the following folders/files:
\Windows\System32\winevt
Application.evtx
Security.evtx
System.evtx

Check Permissions to Registry Entries

Check that the "NT Service\Eventlog" account has at least read (NOT special) permissions on:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Application
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\System
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Security
For further information: http://terrytlslau.tls1.cc/2014/05/administrators-failed-to-read-security.html

 

Further information

Microsoft Advanced Threat Analytics has known issues that may cause havoc with permissions. If it is installed, please refer to https://docs.microsoft.com/en-us/advanced-threat-analytics/whats-new-version-1.8