OSSEC - Windows Event Log - PowerShell Alerts


Phillipa Moorea

Nov 6, 2015, 12:00:00 PM
to ossec-list
I'm having issues trying to set up logging for PowerShell.


I started out creating a PowerShell profile file ("C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1") with the following lines of code:
$LogCommandHealth = $true
$LogCommandLifecycleEvent = $true


This allowed me to get Windows Event Logs for PowerShell commands.
This is the Windows Event log path: %SystemRoot%\System32\Winevt\Logs\Windows PowerShell.evtx

On the OSSEC client I enabled logging for the PowerShell event log by adding this to ossec.conf:
<localfile>
    <location>Windows PowerShell</location>
    <log_format>eventlog</log_format>
</localfile>

To get the logs on the OSSEC server at /var/ossec/logs/archives/archives.log, I added this to /var/ossec/etc/ossec.conf file under the "<global>" section:
<logall>yes</logall>

I need to get the logs to show up in the alert logs though at /var/ossec/logs/alerts/alerts.log.  They do not show up?

The log inside archives.log looks like this:
2015 Nov 06 10:20:11 (HOSTNAME) 192.168.5.1->WinEvtLog 2015 Nov 06 10:20:08 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME.DOMAIN.com: Get-Host Started      NewCommandState=Started

        SequenceNumber=127

        HostName=ConsoleHost
        HostVersion=2.0
        HostId=2ff69cc2-302d-4d7c-baef-f57106d8c4b3
        EngineVersion=2.0
        RunspaceId=261b4763-f866-4b2a-a472-eae41e3c0d72
        PipelineId=9
        CommandName=Get-Host
        CommandType=Cmdlet
        ScriptName=
        CommandPath=
        CommandLine=Get-Host

I tried to run /var/ossec/bin/ossec-logtest and paste in the log, but it doesn't work because of all the newlines.  So then I tried just pasting in the first line to the command and got this output:
**Phase 1: Completed pre-decoding.
       full event: '2015 Nov 06 10:20:11 (HOSTNAME) 192.168.5.1->WinEvtLog 2015 Nov 06 10:20:08 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME.DOMAIN.com: Get-Host Started'
       hostname: 'alien'
       program_name: '(null)'
       log: '2015 Nov 06 10:20:11 (HOSTNAME) 192.168.5.1->WinEvtLog 2015 Nov 06 10:20:08 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME.DOMAIN.com: Get-Host Started'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100212'
       Level: '5'
       Description: 'Powershell Command.'
**Alert to be generated.

So it says "Alert to be generated", but I never get an alert.  Also it shows "No decoder matched".  Do I have to have a decoder in order to get an alert?  How do I write a decoder for this?  But my main question is how do I get an alert?

Any help would be greatly appreciated!!!  Because I am now lost

dan (ddp)

Nov 6, 2015, 12:02:55 PM
to ossec...@googlegroups.com

You do not need a decoder. Did you restart the ossec processes on the manager after adding the rule?



Phillipa Moorea

Nov 9, 2015, 10:17:28 AM
to ossec-list
I have restarted OSSEC using the OSSEC Agent Manager on the ossec client computer.  I have also restarted the OSSEC service on the OSSEC server.  I'm not sure why I can't reply to your response, so I had to reply to mine @dan(ddpbsd)

Also I am using OSSEC HIDS v2.8 on the client & server.

Phillipa Moorea

Nov 25, 2015, 9:45:18 AM
to ossec-list
Ok, I think I know what's going on now.  I do not have the latest stable release of 2.8.3.  I think I might have 2.8.2 or 2.8.1 or something.

I found this issue which resembled my issue because the logs have multiple lines in powershell.  https://github.com/ossec/ossec-hids/issues/224
Then I saw that a fix was implemented in 2.9 from here: https://github.com/ossec/ossec-hids/pull/457
Then from this forum I now see that perhaps it is implemented in 2.8.3 on Nov 5th which is probably the day after I had made my OSSEC updates, lol: https://groups.google.com/forum/#!topic/ossec-list/JA9x4uzDg1g

I'll try updating to the latest version again and see if that helps.

Phillipa Moorea

Nov 27, 2015, 9:41:48 AM
to ossec-list
Well, I updated both the server and client OSSEC HIDS to 2.8.3, but still no luck.  The PowerShell logs in archive.log are still multi-line logs, and I am getting the same results.

Phillipa Moorea

Nov 27, 2015, 10:06:21 AM
to ossec-list
A little further, I changed the logformat from eventlog to eventchannel, and now the archive.log has taken out all of the multiple lines.  I still do not have a generated alert yet even though ossec-logtest says it generates an alert and it matches my custom rule.  I set the level to level 6.

Phillipa Moorea

Nov 30, 2015, 6:39:12 AM
to ossec-list
If anybody knows what I am doing wrong, any help would be great.  Even just a documentation link or something or a question of clarification?  I have posted this issue in the AlienVault forums as well.  I've been keeping both forums updated.

I think a lot of people will want to monitor any scripts from the command line and from PowerShell that run on one of their servers or workstations.  If bad malware gets onto a device, it usually runs scripts, so this is part of my detection technique to alert me if a script is run.  I'm still working on the rules.

This is my current rule setup in the local_rules.xml file:

<group name="local,syslog,">
  <rule id="100210" level="6">
    <id>^400$|^403$|^500$|^501$|^600$</id>
    <description>Powershell Event.</description>
  </rule>
  <rule id="100211" level="6">
    <match>CommandType=Cmdlet</match>
    <description>Powershell Command.</description>
  </rule>
  <rule id="100212" level="6">
    <match>PowerShell</match>
    <description>Powershell Log.</description>
  </rule>
</group>

I'm not sure if the group name matters or needs to be something specific?

dan (ddp)

Nov 30, 2015, 8:52:14 AM
to ossec...@googlegroups.com
On Mon, Nov 30, 2015 at 6:39 AM, Phillipa Moorea <philli...@gmail.com> wrote:
> If anybody knows what I am doing wrong, any help would be great. Even just
> a documentation link or something or a question of clarification? I have
> posted this issue in the AlienVault forums as well. I've been keeping both
> forums updated.
>

Can you post an entry from the archives.log after the eventchannel change?

> I think a lot of people will want to monitor any scripts from the command
> line and from PowerShell that run on one of their servers or workstations.
> If bad malware gets onto a device, it usually runs scripts, so this is part
> of my detection technique to alert me if a script is ran. I'm still working
> on the rules.
>
> This is my current rule setup in the local_rules.xml file:
>
> <group name="local,syslog,">
> <rule id="100210" level="6">
> <id>^400$|^403$|^500$|^501$|^600$</id>
> <description>Powershell Event.</description>
> </rule>
> <rule id="100211" level="6">
> <match>CommandType=Cmdlet</match>
> <description>Powershell Command.</description>
> </rule>
> <rule id="100212" level="6">
> <match>PowerShell</match>
> <description>Powershell Log.</description>
> </rule>
> </group>
>
> I'm not sure if the group name matters or needs to be something specific?
>

The group names shouldn't affect much.

Phillipa Moorea

Nov 30, 2015, 11:15:26 AM
to ossec-list
Hi Dan!  Here's a log from my archives.log file

2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: HOSTNAME_FQDN: A new process has been created. Subject:  Security ID:  S-1-5-21-1292428093-1078145449-842925246-500  Account Name:  Administrator  Account Domain:  DOMAIN  Logon ID:  0x6b008a65  Process Information:  New Process ID:  0xeac  New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Token Elevation Type: %%1936  Creator Process ID: 0x2068

I also get other similar powershell event logs with this type of unique message info:
handle to an object was closed
a process has exited
handle to an object was requested
privileges used for access check

in addition to the log above which has the message "a new process has been created"

Phillipa Moorea

Nov 30, 2015, 1:54:50 PM
to ossec-list
Also, thanks for the information about the groups

Phillipa Moorea

Nov 30, 2015, 2:05:35 PM
to ossec-list
Here's another example of a log entry which I'm actually interested in:

2015 Nov 30 13:02:39 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 13:02:39 WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: (no user): no domain: HOSTNAME_FQDN: Command "Get-Host" is Started.     Details:    NewCommandState=Started   SequenceNumber=41   HostName=ConsoleHost  HostVersion=2.0  HostId=9579f128-903c-463c-80fa-7eaa4a80dc54  EngineVersion=2.0  RunspaceId=c07bf134-24b9-47f7-9dfe-9732dc3e675d  PipelineId=5  CommandName=Get-Host  CommandType=Cmdlet  ScriptName=  CommandPath=  CommandLine=Get-Host

This log actually shows the command name that was run: "Get-Host" was my test PowerShell command.  If there was a script, then the ScriptName would be populated.

Phillipa Moorea

Dec 1, 2015, 6:40:19 PM
to ossec-list
Could the problem (of not creating alerts) be caused because PowerShell events are INFORMATIONAL?

Informational Event Codes generated by PowerShell: 400, 403, 500, 501, 600

Phillipa Moorea

Dec 1, 2015, 7:32:28 PM
to ossec-list
I had before restarted only OSSEC, but now I tried restarting the server, but no fixes yet.

Could the issue be caused by the use of OSSEC on an AlienVault OSSIM server?

Santiago Bassett

Dec 1, 2015, 7:37:03 PM
to ossec...@googlegroups.com
I haven't had time to go through the whole email thread, but I don't think using OSSEC in AlienVault OSSIM would cause this. The only modification AlienVault does to OSSEC is the format used for alerts output (at alerts.log), so it can easily be parsed by the AlienVault plugin.

Regarding your other question, please check that conditions of <if_sid> rules are also met, and that ultimately the alert level is different than 0.

Hope that helps

Phillipa Moorea

Dec 1, 2015, 7:43:58 PM
to ossec-list
Thanks Santiago for the information about OSSIM.

I do not have conditions for "if_sid" in the rules.  I'm not sure what I would even put there since this is the first rule for PowerShell events.  I currently have set the alert level on the rule to 2.  I tried other values, but nothing was working there.  I'm still trying to debug why an alert is not generating, even though when I run the ossec-logtest, it says that an alert will be generated....

Phillipa Moorea

Dec 1, 2015, 8:28:44 PM
to ossec-list
Yeah, I finally got the alerts working.  This post helped me out a lot: https://groups.google.com/forum/#!searchin/ossec-list/alert$20to$20be$20generated/ossec-list/SWJe7nm2cbU/pKc8HSfDXCEJ

It shows exactly a log inside of the archive.log, and what you should paste into the ossec-logtest.  I also found somewhere to run ossec-logtest with the "-v" flag option to show the rule matches too.  After I got that, I found that other rules would match causing the level to be 0.

Rule 6 matches which was a generic windows rule.
Rule 18100 matched with some logs which is the "Group of windows rules"

I changed the "<if_sid>" to the 18100 as suggested by Santiago, and then ran the test again.
It worked.

So I actually tested it in a real test scenario, and it worked!! Alarms were generated in the alarms.log file.


THANK YOU everyone for all of your help.  After a bunch of fixes, configuration fixes, OSSEC upgrades, buying an OSSEC book off of amazon, and these forums, I was finally able to get it to work. :)

YEAH!!

Santiago Bassett

Dec 2, 2015, 2:16:09 PM
to ossec...@googlegroups.com
Glad it finally worked Phillipa :-)

Phillipa Moorea

Dec 2, 2015, 4:02:20 PM
to ossec-list
Thanks for all the help from you (Santiago), from dan, some other posts on here, github repository issues, a book I bought on ossec for $10, and the work of the OSSEC developers that made the 2.8.3 update, and of course the people in the AlienVault Labs!

I was now able to get the alerts working.  I analyzed the PowerShell logs and changed my rules a bit.  Here is what I changed it to:

<group name="powershell,">
  <rule id="100210" level="0">
    <if_sid>18100,18101</if_sid>
    <match>CommandType=Script</match>
    <description>Powershell Script.</description>
  </rule>
  <rule id="100211" level="0">
    <if_sid>18100,18101</if_sid>
    <match>CommandType=Cmdlet</match>
    <description>Powershell Command.</description>
  </rule>
  <rule id="100212" level="0">
    <if_sid>18100,18101</if_sid>
    <match>CommandType=Function</match>
    <description>Powershell Function.</description>
  </rule>  
  <rule id="100213" level="2">
    <if_sid>100210</if_sid>
    <match>NewCommandState=Started</match>
    <description>Powershell Script (500-Started).</description>
  </rule>
  <rule id="100214" level="2">
    <if_sid>100210</if_sid>
    <match>NewCommandState=Stopped</match>
    <description>Powershell Script (501-Stopped).</description>
  </rule>  
  <rule id="100215" level="2">
    <if_sid>100211</if_sid>
    <match>NewCommandState=Started</match>
    <description>Powershell Command (500-Started).</description>
  </rule>
  <rule id="100216" level="2">
    <if_sid>100211</if_sid>
    <match>NewCommandState=Stopped</match>
    <description>Powershell Command (501-Stopped).</description>
  </rule>  
  <rule id="100217" level="2">
    <if_sid>100212</if_sid>
    <match>NewCommandState=Started</match>
    <description>Powershell Function (500-Started).</description>
  </rule>
  <rule id="100218" level="2">
    <if_sid>100212</if_sid>
    <match>NewCommandState=Stopped</match>
    <description>Powershell Function (501-Stopped).</description>
  </rule>
</group> <!-- POWERSHELL -->

I have also created a custom OSSIM plugin for AlienVault to get the alerts into the SIEM:
/etc/ossim/agent/plugins/powershell.cfg: (ATTACHED FILE)
/etc/ossim/agent/plugins/powershell.sql: (ATTACHED FILE)

It's probably not the best structure, but it works pretty well and is a good start!
powershell.sql.txt
powershell.cfg.txt

Santiago Bassett

Dec 7, 2015, 8:08:25 PM
to ossec...@googlegroups.com
Thanks Phillipa for sharing. So good to see you actually integrated it with AlienVault OSSIM too. 

Daniel

Dec 8, 2015, 5:13:03 PM
to ossec-list
So basically what you're doing is looking for INFO logs and then matching the log content and not the actual log ID? Interesting. My general rule workflow is this:
If OS=WINDOWS, then if TYPE=ERROR/INFO/WARN/etc, then if EVENTID=x, then create alert with LEVEL=y.

Types can be referenced in <ossec-dir>/rules/msauth_rules.xml, with 18101 being informational. Also, check out "http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf"

My basic powershell rule looks like the following:

<!-- BEGIN "Windows PowerShell.evtx" Rules -->
  <rule id="104010" level="7">
    <if_sid>18101</if_sid>
    <id>^400$|^403$</id>
    <Match>PowerShell</Match>
    <description>PowerShell Started/Stopped.</description>
    <info>From "Windows PowerShell.evtx"</info>
  </rule>
<!-- END "Windows PowerShell.evtx" Rules -->
...

Phillipa Moorea

Dec 16, 2015, 5:07:21 PM
to ossec-list
I didn't know how to get the rule to match the log id.  I tried doing the <id>^500$</id> for example, but it didn't work for me.
This used to be my rule when I was messing around with it:
<rule id="100210" level="6">
  <id>^400$|^403$|^500$|^501$|^600$</id>
  <description>Powershell Event.</description>
</rule>

I also have the problem in which opening PowerShell and running Get-Date creates like 22 different alerts :(.  In the logs I notice that there is a SequenceNumber, but I'm not sure how to use that to say generate 1 alert for opening powershell, and 1 alert for running a command.  Or just 1 alert for opening and running a single command.

Just by opening the powershell window I get 24 events.  The SequenceNumber iterates like this:
Event Log 1   - 1
Event Log 2   - 3
Event Log 3   - 5
Event Log 4   - 7
Event Log 5   - 9
Event Log 6   - 11
Event Log 7   - 13
Event Log 8   - 15
Event Log 9   - 16
Event Log 10 - 17
Event Log 11 - 18
Event Log 12 - 19
Event Log 13 - 20
Event Log 14 - 21
Event Log 15 - 22
Event Log 16 - 23
Event Log 17 - 24
Event Log 18 - 25
Event Log 19 - 26
Event Log 20 - 27
Event Log 21 - 28
Event Log 22 - 29
Event Log 23 - 30
Event Log 24 - 31

Then I run Get-Date and I get 24 new logs where Event Log 1-24 matches up with SequenceNumber 32-55

Then I close PowerShell and get 1 new Event Log with SequenceNumber 56

When I open PowerShell again, the SequenceNumber repeats back to 1
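The two problems raised in this thread (the if_sid parent/child chain needed before a custom rule produces a non-zero level, and the flood of 500/501 events that one interactive session generates) can be reasoned about offline. What follows is an added example written for this page; it is not code from the thread, from OSSEC, or from AlienVault. It parses archives.log lines in the WinEvtLog layout quoted above, walks a rule list shaped like the final local_rules.xml posted on Dec 2, and then collapses the per-event alerts to one record per PowerShell pipeline using RunspaceId and PipelineId. Rules 18100 and 18101 are simplified stand-ins for OSSEC's built-in Windows rules, not their real definitions, and every sample line, hostname and GUID is a constructed placeholder.

```python
"""Added example: rule-chain evaluation and per-pipeline aggregation for the
OSSEC WinEvtLog lines discussed in this thread.  Not OSSEC project code."""
import re
from collections import OrderedDict

# OSSEC prefixes the event with "<ts> (<agent>) <ip>->WinEvtLog <ts> WinEvtLog: <channel>: <TYPE>(<id>): <source>: ..."
_HEADER = re.compile(
    r"WinEvtLog: (?P<channel>[^:]+): (?P<type>[A-Z_]+)\((?P<id>\d+)\): (?P<source>[^:]+): (?P<message>.*)$"
)
_KV = re.compile(r"(\w+)=(\S*)")  # the key=value pairs in the PowerShell 'Details' block


def parse_event(line):
    """Split one archives.log line into header fields plus the key=value Details."""
    m = _HEADER.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["raw"] = line
    # Simplification: a value containing spaces (e.g. a long CommandLine) is cut at the first space.
    ev["fields"] = dict(_KV.findall(ev["message"]))
    return ev


RULES = [
    # Simplified stand-ins for OSSEC's built-in msauth rules (assumed shape, not the real definitions).
    {"id": 18100, "level": 0, "if_sid": [], "match": "WinEvtLog:", "desc": "Group of windows rules (stand-in)."},
    {"id": 18101, "level": 0, "if_sid": [18100], "type": "INFORMATION", "desc": "Windows informational event (stand-in)."},
    # The rule set posted in this thread: level-0 parents on CommandType, level-2 children on NewCommandState.
    {"id": 100210, "level": 0, "if_sid": [18100, 18101], "match": "CommandType=Script", "desc": "Powershell Script."},
    {"id": 100211, "level": 0, "if_sid": [18100, 18101], "match": "CommandType=Cmdlet", "desc": "Powershell Command."},
    {"id": 100212, "level": 0, "if_sid": [18100, 18101], "match": "CommandType=Function", "desc": "Powershell Function."},
    {"id": 100213, "level": 2, "if_sid": [100210], "match": "NewCommandState=Started", "desc": "Powershell Script (500-Started)."},
    {"id": 100214, "level": 2, "if_sid": [100210], "match": "NewCommandState=Stopped", "desc": "Powershell Script (501-Stopped)."},
    {"id": 100215, "level": 2, "if_sid": [100211], "match": "NewCommandState=Started", "desc": "Powershell Command (500-Started)."},
    {"id": 100216, "level": 2, "if_sid": [100211], "match": "NewCommandState=Stopped", "desc": "Powershell Command (501-Stopped)."},
    {"id": 100217, "level": 2, "if_sid": [100212], "match": "NewCommandState=Started", "desc": "Powershell Function (500-Started)."},
    {"id": 100218, "level": 2, "if_sid": [100212], "match": "NewCommandState=Stopped", "desc": "Powershell Function (501-Stopped)."},
]


def evaluate(ev):
    """Mimic what ossec-logtest -v reports: a rule is only tried when it has no
    if_sid or one of its parents already matched, and the deepest (last) match
    decides the level.  Level 0 means nothing is written to alerts.log."""
    matched, last = set(), None
    for r in RULES:
        if r["if_sid"] and not matched.intersection(r["if_sid"]):
            continue
        if "match" in r and r["match"] not in ev["raw"]:
            continue
        if "type" in r and ev["type"] != r["type"]:
            continue
        matched.add(r["id"])
        last = r
    return last


def alerts_for(lines):
    """Return one alert record per line whose final matched rule has level > 0."""
    out = []
    for line in lines:
        ev = parse_event(line)
        rule = evaluate(ev) if ev else None
        if rule is not None and rule["level"] > 0:
            out.append({"rule": rule["id"], "level": rule["level"], "desc": rule["desc"], "fields": ev["fields"]})
    return out


def summarize_pipelines(alerts):
    """Collapse alerts to one record per (RunspaceId, PipelineId).  Each pipeline
    emits a 500 (Started) and a 501 (Stopped) event, so without this a single
    session produces the dozens of alerts described in the thread."""
    summary = OrderedDict()
    for a in alerts:
        f = a["fields"]
        key = (f.get("RunspaceId", "?"), f.get("PipelineId", "?"))
        rec = summary.setdefault(key, {"command": f.get("CommandName", ""), "type": f.get("CommandType", ""), "states": [], "events": 0})
        rec["states"].append(f.get("NewCommandState", ""))
        rec["events"] += 1
    return summary


# Constructed sample lines in the archives.log layout quoted in the thread (placeholder host names and GUIDs).
_PS = "2015 Nov 30 13:02:39 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 13:02:39 WinEvtLog: Windows PowerShell: INFORMATION(%d): PowerShell: (no user): no domain: HOSTNAME_FQDN: %s"
_COMMON = "HostName=ConsoleHost HostVersion=2.0 HostId=00000000-0000-0000-0000-000000000001 EngineVersion=2.0 RunspaceId=11111111-1111-1111-1111-111111111111"
SAMPLE_LINES = [
    _PS % (500, 'Command "Get-Host" is Started. Details: NewCommandState=Started SequenceNumber=41 ' + _COMMON + " PipelineId=5 CommandName=Get-Host CommandType=Cmdlet ScriptName= CommandPath= CommandLine=Get-Host"),
    _PS % (501, 'Command "Get-Host" is Stopped. Details: NewCommandState=Stopped SequenceNumber=42 ' + _COMMON + " PipelineId=5 CommandName=Get-Host CommandType=Cmdlet ScriptName= CommandPath= CommandLine=Get-Host"),
    _PS % (500, r'Command "inventory.ps1" is Started. Details: NewCommandState=Started SequenceNumber=60 ' + _COMMON + r" PipelineId=6 CommandName=inventory.ps1 CommandType=Script ScriptName=C:\scripts\inventory.ps1 CommandPath=C:\scripts\inventory.ps1 CommandLine=C:\scripts\inventory.ps1"),
    _PS % (501, r'Command "inventory.ps1" is Stopped. Details: NewCommandState=Stopped SequenceNumber=61 ' + _COMMON + r" PipelineId=6 CommandName=inventory.ps1 CommandType=Script ScriptName=C:\scripts\inventory.ps1 CommandPath=C:\scripts\inventory.ps1 CommandLine=C:\scripts\inventory.ps1"),
    r"2015 Nov 30 10:07:57 (HOSTNAME) HOSTIP->WinEvtLog 2015 Nov 30 10:07:54 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: HOSTNAME_FQDN: A new process has been created. New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]

if __name__ == "__main__":
    found = alerts_for(SAMPLE_LINES)
    for a in found:
        print(a["rule"], a["level"], a["desc"], a["fields"].get("CommandName"))
    for key, rec in summarize_pipelines(found).items():
        print(key, rec)
```

The Security 4688 line stops at the stand-in 18100 (level 0) because no CommandType string is present, which is why Phillipa's rules only fire on the "Windows PowerShell" channel. The aggregation key deliberately ignores SequenceNumber, which restarts at 1 for every new PowerShell window, and relies on the RunspaceId/PipelineId pair instead.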

Phillipa Moorea

Dec 16, 2015, 5:09:13 PM
to ossec-list
Oh yeah, it probably didn't work because I didn't have if_sid maybe the first time I was doing this.

Taylor Duncan

Mar 31, 2017, 3:47:27 PM
to ossec-list
I know this is old, but thank you SO much for posting the resolution. I ran into the exact same issue when writing a decoder for a Windows log file. I did not realize that the OSSEC logs in archive contained an added header and it caused me a HUGE headache when writing the decoder. I tested mine in production and it works perfectly. Thank you again. 