wazuh 3.9 and sysmon

[Miki Alkalay]

Hi wazuh team,

just upgraded from 3.8.3 to 3.9.

i'm not getting the sysmon event anymore..

i changed the the rules so they'll catch the event with the eventchannel as described by your document.

for example:

    <rule id="255000" level="0">

        <group>sysmon_event1</group>

        <field name="win.eventdata.image">\\powershell.exe||\\.ps1||\\.ps2</field>

        <description>Sysmon - Event 1: Powershell or Script Execution: $(win.eventdata.image)</description>

    </rule>

please advise

Miki

[Blason R]

Same with me and Wazuh admins are working on it. I guess the decoders are not working at all infact I observed that events are not being sent to Master in first palce.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b3a0cfc1-b1ef-481f-82cb-226eb0748c4c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Rafael Cenit]

Hi Miki,

I successfully got it working upgrading the Wazuh manager from 3.8.3 to 3.9.

First of all there are some errors in the rule you posted:

• <group> should be <if_group>
• level="0" should be for example level="6" (level 0 means no alert to alerts.log)

So here is my custom rule located on /var/ossec/etc/rules/local_rules.xml:

<group name="sysmon,">

   <rule id="255000" level="6">
        <if_group>sysmon_event1</if_group>

        <field name="win.eventdata.image">\\powershell.exe||\\.ps1||\\.ps2</field>
        <description>Sysmon - Event 1: Powershell or Script Execution: $(win.eventdata.image)</description>
    </rule>

</group>

When I open up a powershell on the Windows agent the following alert get generated:

** Alert 1559742569.50444: - sysmon,
2019 Jun 05 15:49:29 (win2012) any->EventChannel
Rule:
 255000 (level 6) -> 'Sysmon - Event 1: Powershell or Script
Execution: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2019-06-05T13:49:28.697375000Z","eventRecordID":"24","processID":"1500","threadID":"1368","channel":"Microsoft-Windows-Sysmon/Operational","computer":"WIN-L2B5BQP9D71","severityValue":"INFORMATION","message":"Process
 Create:"},"eventdata":{"utcTime":"2019-06-05
13:49:28.697","processGuid":"{ED2E593D-C868-5CF7-0000-00103BF61900}","processId":"2408","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","fileVersion":"6.3.9600.16384
 (winblue_rtm.130821-1623)","description":"Windows
PowerShell","product":"Microsoft® Windows® Operating
System","company":"Microsoft
Corporation","commandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"","currentDirectory":"C:\\Users\\Administrator\\","user":"WIN-L2B5BQP9D71\\Administrator","logonGuid":"{ED2E593D-B66F-5CF7-0000-0020EE650100}","logonId":"0x165ee","terminalSessionId":"1","integrityLevel":"High","hashes":"MD5=45F9906157E072B92140EAA2A67AE424","parentProcessGuid":"{ED2E593D-B673-5CF7-0000-0010F1780100}","parentProcessId":"1704","parentImage":"C:\\Windows\\explorer.exe","parentCommandLine":"C:\\Windows\\Explorer.EXE"}}}
win.system.providerName: Microsoft-Windows-Sysmon
win.system.providerGuid: {5770385F-C22A-43E0-BF4C-06F5698FFBD9}
win.system.eventID: 1
win.system.version: 5
win.system.level: 4
win.system.task: 1
win.system.opcode: 0
win.system.keywords: 0x8000000000000000
win.system.systemTime: 2019-06-05T13:49:28.697375000Z
win.system.eventRecordID: 24
win.system.processID: 1500
win.system.threadID: 1368
win.system.channel: Microsoft-Windows-Sysmon/Operational
win.system.computer: WIN-L2B5BQP9D71
win.system.severityValue: INFORMATION
win.system.message: Process Create:
win.eventdata.utcTime: 2019-06-05 13:49:28.697
win.eventdata.processGuid: {ED2E593D-C868-5CF7-0000-00103BF61900}
win.eventdata.processId: 2408
win.eventdata.image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
win.eventdata.fileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623)
win.eventdata.description: Windows PowerShell
win.eventdata.product: Microsoft® Windows® Operating System
win.eventdata.company: Microsoft Corporation
win.eventdata.commandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
win.eventdata.currentDirectory: C:\Users\Administrator\
win.eventdata.user: WIN-L2B5BQP9D71\Administrator
win.eventdata.logonGuid: {ED2E593D-B66F-5CF7-0000-0020EE650100}
win.eventdata.logonId: 0x165ee
win.eventdata.terminalSessionId: 1
win.eventdata.integrityLevel: High
win.eventdata.hashes: MD5=45F9906157E072B92140EAA2A67AE424
win.eventdata.parentProcessGuid: {ED2E593D-B673-5CF7-0000-0010F1780100}
win.eventdata.parentProcessId: 1704
win.eventdata.parentImage: C:\Windows\explorer.exe
win.eventdata.parentCommandLine: C:\Windows\Explorer.EXE

Tell me if it works for you.

Best regards!

[Miki Alkalay]

Hi,

i changed the rule from <group> to <if_group>

even so all my other rules are with <if_group>

it was part of my tests so i tried with <group>

still not getting any alerts

Miki

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/04838352-b6bb-4a71-ad80-fedc5b06d48b%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Best Regards

Miki Alkalay

Mobile: 972-54-6496293

[Rafael Cenit]

Hi Miki,

let's find out the problem step by step.

First of all check if the event is generated on Windows by looking at the event viewer:

Make sure that your agent is monitoring the event channel:

<localfile>

<location>Microsoft-Windows-Sysmon/Operational</location>

<log_format>eventchannel</log_format>

</localfile>

Next on your Wazuh manager, activate the logall option:

<logall>yes</logall>

Restart your manager, and open a Powershell on your agent.

You should see the event on your manager /var/ossec/logs/archives/archives.log:

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2019-06-05T13:17:14.713716400Z","eventRecordID":"13","processID":"1500","threadID":"1368","channel":"Microsoft-Windows-Sysmon/Operational","computer":"WIN-L2B5BQP9D71","severityValue":"INFORMATION","message":"Process Create:"},"eventdata":{"utcTime":"2019-06-05 13:17:14.698","processGuid":"{ED2E593D-C0DA-5CF7-0000-00100A621400}","processId":"2192","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","fileVersion":"6.3.9600.16384 (winblue_rtm.130821-1623)","description":"Windows PowerShell","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","commandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"","currentDirectory":"C:\\Users\\Administrator\\","user":"WIN-L2B5BQP9D71\\Administrator","logonGuid":"{ED2E593D-B66F-5CF7-0000-0020EE650100}","logonId":"0x165ee","terminalSessionId":"1","integrityLevel":"High","hashes":"MD5=45F9906157E072B92140EAA2A67AE424","parentProcessGuid":"{ED2E593D-B673-5CF7-0000-0010F1780100}","parentProcessId":"1704","parentImage":"C:\\Windows\\explorer.exe","parentCommandLine":"C:\\Windows\\Explorer.EXE"}}}

Please tell us if you get to see the event.

Best regards.

On Wednesday, June 5, 2019 at 12:22:27 PM UTC+2, Miki Alkalay wrote:

[Miki Alkalay]

Hi,

i'm getting event from the sysmon (it worked before with 3.8.2).

i'm getting the logs on the archive.log:

2019 Jun 10 12:19:28 (115_EXPORT) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"10","version":"3","level":"4","task":"10","opcode":"0","keywords":"0x8000000000000000","systemTime":"2019-06-10T09:16:10.607210300Z","eventRecordID":"4000973","processID":"2132","threadID":"2724","channel":"Microsoft-Windows-Sysmon/Operational","computer":"GALITS-WIN7.export.gov.il","severityValue":"INFORMATION","message":"Process accessed:"},"eventdata":{"utcTime":"2019-06-10 09:16:10.607","sourceProcessGUID":"{BC61C7E2-84E9-5CD1-0000-0010A5610300}","sourceProcessId":"2664","sourceThreadId":"18840","sourceImage":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","targetProcessGUID":"{BC61C7E2-84CC-5CD1-0000-0010D7DD0000}","targetProcessId":"648","targetImage":"C:\\Windows\\system32\\lsass.exe","grantedAccess":"0x1410","callTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+4595c|C:\\Windows\\system32\\KERNELBASE.dll+8185|C:\\Windows\\system32\\wbem\\cimwin32.dll+a4ba|C:\\Windows\\system32\\wbem\\cimwin32.dll+9927|C:\\Windows\\system32\\wbem\\cimwin32.dll+4a417|C:\\Windows\\system32\\framedynos.dll+debf|C:\\Windows\\system32\\framedynos.dll+100ea|C:\\Windows\\system32\\wbem\\wmiprvse.exe+11f01|C:\\Windows\\system32\\wbem\\wmiprvse.exe+11d58|C:\\Windows\\system32\\RPCRT4.dll+302c8|C:\\Windows\\system32\\RPCRT4.dll+96311|C:\\Windows\\system32\\ole32.dll+13e7e6|C:\\Windows\\system32\\wbem\\FastProx.dll+2caa7|C:\\Windows\\system32\\ole32.dll+13e876|C:\\Windows\\system32\\ole32.dll+13edd0|C:\\Windows\\system32\\ole32.dll+58a6b"}}}

there is something wrong with the decoder or the nested rules

Miki

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/82ed9f4e-1b4b-4294-8f32-b956b414032f%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Cristina Garrido López]

Hi Miki,

This event you shared has a Sysmon event ID 10. It should match with the default rule 61612. Can you tell me if you have this rule at your 0595-win-sysmon_rules.xml file? Do you have any other custom rule that could match with this one? Can you share it?

Also can you tell me if you have a rule with ID 20485 at your 0330-sysmon_rules.xml file?

Kind regards,

Cristina

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/82ed9f4e-1b4b-4294-8f32-b956b414032f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Miki Alkalay]

Hi,

Sorry for late response' i had another issue with the manager.

i have rule 0595-win-sysmon_rules.xml in my ruleset folder

in 0330-sysmon_rules.xml i don't have rule 20485 

please advise

Miki

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/82ed9f4e-1b4b-4294-8f32-b956b414032f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Best Regards

Miki Alkalay

Mobile: 972-54-6496293

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c2553f41-ab5e-4d23-97e2-6c3124bc7861%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Cristina Garrido López]

Hi Miki,

I would like to know if the rule you pasted in the first message was the one that you want to match with this event. If not, the event should match with rule 61612, but, as it has an alert level 0, it won't generate alert. If this is your case, change this 0 by 3 or a higher number so that you can see the alert at your alerts.log file when this event gets generated.

If not, let me know and I will help you.

Kind regards,

Cristina

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/82ed9f4e-1b4b-4294-8f32-b956b414032f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Best Regards

Miki Alkalay

Mobile: 972-54-6496293

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c2553f41-ab5e-4d23-97e2-6c3124bc7861%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Miki Alkalay]

Hi,

i managed to solve the problem, now i'm getting alerts on sysmon.

tnx for your help and patient

there was some mismatch in my rules

Miki

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/82ed9f4e-1b4b-4294-8f32-b956b414032f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Best Regards

Miki Alkalay

Mobile: 972-54-6496293

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c2553f41-ab5e-4d23-97e2-6c3124bc7861%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Best Regards

Miki Alkalay

Mobile: 972-54-6496293

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ad940e5c-0a7d-48c5-a39f-2d16b0f57054%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Cristina Garrido López]

Hi Miki,

I'm happy you could solve your problem, if you have any other questions, don't hesitate to contact us!

Best regards,

Cristina

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/82ed9f4e-1b4b-4294-8f32-b956b414032f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Best Regards

Miki Alkalay

Mobile: 972-54-6496293

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c2553f41-ab5e-4d23-97e2-6c3124bc7861%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Best Regards

Miki Alkalay

Mobile: 972-54-6496293

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ad940e5c-0a7d-48c5-a39f-2d16b0f57054%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.