Detecting Windows XP Systems with Splunk

Windows XP is dead! Soon after Windows XP was introduced, Microsoft introduced the Trustworthy Computing Initiative – a kind of “security first” thinking that has been the hallmark of Microsoft for the last decade. Prior to the security focus, Microsoft operating systems were well known as a leaky sieve for viruses. Now, 12 years later, Windows XP is finally ready to be dropped. Well, to be honest – that happened a few years back. But many people are holding on to their XP installs for one reason or another. Now it’s time to give them up.

How can you tell who is connecting to your facilities with Windows XP systems? There are a variety of ways depending on if they are work computers (and bound to the domain) or home computers (and coming in for email, for example). Let’s look at a few ways.

The most common will be the home computer. Most enterprises have refreshed their work computers at least once in the last decade so they will have a new operating system on them. We can’t directly tell if a computer is Windows XP, but we can check the information sources we have available. For example, we may want to check the user agent that Outlook Web Access is providing us. The Splunk App for Microsoft Exchange provides this as a data feed and has extracted the various pieces.

eventtype=client-owa-usage | lookup useragent cs_user_agent OUTPUT os,osvariant,osversion | search osvariant="Windows NT" osversion="5.2*" | stats count by cs_username

The major piece here is the user agent lookup script provided with the Splunk App for Microsoft Exchange. This allows you to turn the user agent into it’s separate fields. We only care about two of those fields. The search outputs the list of usernames logging in with Windows NT 5.2, which is the version ID for Windows XP and Windows Server 2003. You can use this same technique with other web sites utilizing not just IIS logs but other logs like Apache.

The other piece here will be the work computer. The domain controller will store the current operating system in the computer object when a computer boots up and binds to Active Directory. We can query Active Directory with a properly configured SA-ldapsearch like this:

| ldapsearch domain=SHELL search="(&(|(operatingSystem=*XP*)(operatingSystem=*5.2*))(objectCategory=computer))" attrs="CN,operatingSystem" | table CN,operatingSystem

Here, SHELL is my NetBIOS domain name. You could also use your DNS domain name. We are looking for two versions – Windows XP and Windows NT 5.2 – depending on the particular service pack, you could see both. We then give you the name of the computer and the operating system field it is running. You could also find out who is logged in to this computer by using the Splunk App for Windows Infrastructure. This provides a user logon field in the eventtype msad-successful-user-logons:

eventtype=msad-successful-user-logons | stats latest(user) as user by src_nt_domain,src_nt_host

The src_nt_host field is the name of the computer connecting. You can now put these two together with an ldapfilter command to add on the operating system:

eventtype=msad-successful-user-logons | stats latest(_time) as _time,latest(user) as user by src_nt_domain,src_nt_host | ldapfilter domain=$src_nt_domain$ search="(&(CN=$src_nt_host$*)(objectCategory=computer))" attrs="operatingSystem" | search (operatingSystem="*XP*" OR operatingSystem="*NT 5.2*) | table user,src_nt_domain,src_nt_host,operatingSystem

This now provides the user that was last logged into the Windows XP host.

Posted by