Policy violation - windows login events


Angelos Alevizopoulos

Oct 22, 2021, 6:46:01 AM
to ossec-list
Hi ossec community,

I'm wondering if the rule with ID 17101 (policy_rules) could also be triggered for events derived from Windows agents. I'm testing the following log with ossec-logtest, but only the rule with ID 18107 (ms_auth_rules) gets triggered:

2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: Win2016-1.AD.*****.domain: An account was successfully logged on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  WIN2016-1$  Account Domain:  AD.*****.DOMAIN  Logon ID:  0x7effdf27325  Logon GUID:  {BB6F5B99-2E84-D711-F3ED-2D759EA2B180}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: -  Source Network Address: ::1  Source Port:  87***  Detailed Authentication Information:  Logon Process:  Kerberos  Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.

ossec-logtest:

**Phase 3: Completed filtering (rules).
       Rule id: '18107'
       Level: '3'
       Description: 'Windows Logon Success.'
**Alert to be generated.

I've tried to add a local rule adapted to the windows group, like the one below, but with no results:

<group name="local,windows,">

  <rule id="100020" level="9">
    <if_group>authentication_success</if_group>
    <time>7 pm - 7:00 am</time>
    <description>Successful login during non-business hours</description>
    <group>login_time,</group>
    <options>no_ar</options>
  </rule>

</group>

I would be grateful for any help.
Angel

Angelos Alevizopoulos

Oct 27, 2021, 11:16:42 AM
to ossec-list
An additional problem is that it's not possible to overwrite any rule from policy_rules.xml.

When a rule from that directory is copied to local_rules.xml and OSSEC is restarted, it throws this error: "OSSEC analysisd: Testing rules failed. Configuration error. Exiting"

Please help!


Mauro Agustín Malara

Nov 16, 2021, 10:06:58 AM
to ossec-list
Hi Angel!

First of all, my apologies for the late response.

"I'm wondering if the rule with ID 17101 (policy_rules) could also be triggered for events derived from Windows agents."

Yes. To give you some context: the standard rules are located in /var/ossec/rules, and if you want to modify them, you must make the custom changes in /var/ossec/rules/local_rules.xml. Secondly, the policy rules are disabled by default in /var/ossec/etc/ossec.conf, and therefore you should enable them (if not, you don't have to overwrite the rule; you can just create a new rule in local_rules.xml with any id). So, the steps would be:
  1. Uncomment the line <!-- <include>policy_rules.xml</include> --> in /var/ossec/etc/ossec.conf and save the changes.
  2. Copy the rule you want to modify from the rule file (/var/ossec/rules/policy_rules.xml).
  3. Paste it in /var/ossec/rules/local_rules.xml like this (I changed the description only for demonstration purposes):

     <group name="policy_violation,windows,">
       <rule id="17101" level="9" overwrite="yes">
         <if_group>authentication_success</if_group>
         <time>7 pm - 7:00 am</time>
         <description>Description in order to verify the rule</description>
         <group>login_time,</group>
       </rule>
     </group>

  4. Restart OSSEC (/var/ossec/bin/ossec-control restart):

     Starting OSSEC HIDS v3.6.0...
     Started ossec-execd...
     Started ossec-analysisd...
     Started ossec-logcollector...
     Started ossec-remoted...
     Started ossec-syscheckd...
     Started ossec-monitord...
     Completed.

  5. Finally, I test the rule with your example log and this is what I get:

     **Phase 3: Completed filtering (rules).
            Rule id: '17101'
            Level: '9'
            Description: 'Description in order to verify the rule'
     **Alert to be generated.
Plus: OSSEC reads the logs in /var/log/messages, so you can write your example log into that file (with the machine time) and check the file where OSSEC logs the alerts (/var/ossec/logs/alerts/alerts.log) in order to verify that the rule is working well.

  1. Write your example log into the messages file:

     echo "2021 Nov 15 22:53:50 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: Win2016-1.AD.*****.domain: An account was successfully logged on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  WIN2016-1$  Account Domain:  AD.*****.DOMAIN  Logon ID:  0x7effdf27325  Logon GUID:  {BB6F5B99-2E84-D711-F3ED-2D759EA2B180}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: -  Source Network Address: ::1  Source Port:  87***  Detailed Authentication Information:  Logon Process:  Kerberos  Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed." >> /var/log/messages

  2. Check the alerts file:

     # tail /var/ossec/logs/alerts/alerts.log
     ** Alert 1637027681.747: mail  - policy_violation,windows,login_time,
     2021 Nov 16 01:54:41 centos-manager2->/var/log/messages
     Rule: 17101 (level 9) -> 'Description in order to verify the rule'
     Src IP: ::1
     User: -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  WIN2016-1$
     2021 Nov 15 22:53:50 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: Win2016-1.AD.*****.domain: An account was successfully logged on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  WIN2016-1$  Account Domain:  AD.*****.DOMAIN  Logon ID:  0x7effdf27325  Logon GUID:  {BB6F5B99-2E84-D711-F3ED-2D759EA2B180}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: -  Source Network Address: ::1  Source Port:  87***  Detailed Authentication Information:  Logon Process:  Kerberos  Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.

     ** Alert 1637027686.1978: mail  - ossec,rootcheck,
     2021 Nov 16 01:54:46 centos-manager2->rootcheck
     Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
     File '/etc/rc.d/init.d/ossec' is owned by root and has write permissions to anyone.
Please let me know if this helps.

Regards,

Mauro Malara.
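The following Python script is an added example for readers of this thread; it is not OSSEC code and was not posted by either participant. It mirrors what rule 17101 keys on, as the replies above describe it: a successful Windows logon (event 4624 in the WinEvtLog format quoted in the thread) that is received inside the "7 pm - 7:00 am" window. The regexes, field names and the `evaluate()` function are assumptions of this example, not OSSEC's decoder; the sample line is a constructed copy of the poster's masked event. The time check is evaluated against a clock value passed in (`now`) rather than the timestamp in the log line, because OSSEC's `<time>` option is checked against the manager's clock when the event is analysed, which is why the reply says to write the test log "with the machine time". The window parser handles a window that wraps past midnight, the case this rule depends on.

```python
import re
from datetime import datetime

# Constructed sample 4624 line, copied from the format quoted in the thread
# (domain and source port masked exactly as the poster masked them).
SAMPLE_4624 = (
    "2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: "
    "Win2016-1.AD.*****.domain: An account was successfully logged on. "
    "Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  "
    "Logon ID:  0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-18  "
    "Account Name:  WIN2016-1$  Account Domain:  AD.*****.DOMAIN  "
    "Logon ID:  0x7effdf27325  Logon GUID:  {BB6F5B99-2E84-D711-F3ED-2D759EA2B180}  "
    "Process Information:  Process ID:  0x0  Process Name:  -  "
    "Network Information:  Workstation Name: -  Source Network Address: ::1  "
    "Source Port:  87***  Detailed Authentication Information:  "
    "Logon Process:  Kerberos  Authentication Package: Kerberos  "
    "Transited Services: -  Package Name (NTLM only): -  Key Length:  0  "
    "This event is generated when a logon session is created."
)

# Regexes are this example's own; OSSEC's windows decoder splits the event differently.
HEADER_RE = re.compile(r"WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<event_id>\d+)\)")
NEW_LOGON_RE = re.compile(
    r"New Logon:\s+Security ID:\s+(?P<sid>\S+)\s+Account Name:\s+(?P<account>\S+)"
    r"\s+Account Domain:\s+(?P<domain>\S+)"
)
LOGON_TYPE_RE = re.compile(r"Logon Type:\s+(?P<logon_type>\d+)")  # 3 = network logon
SRC_ADDR_RE = re.compile(r"Source Network Address:\s+(?P<src_ip>\S+)")


def parse_4624(line):
    """Extract the fields a rule writer usually keys on from a WinEvtLog line.
    Returns None for lines that are not Windows event-log records."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = dict(m.groupdict())  # channel, status, event_id
    nl = NEW_LOGON_RE.search(line)  # the "New Logon" block, not the "Subject" block
    if nl:
        fields.update(nl.groupdict())
    lt = LOGON_TYPE_RE.search(line)
    fields["logon_type"] = lt.group("logon_type") if lt else None
    sa = SRC_ADDR_RE.search(line)
    fields["src_ip"] = sa.group("src_ip") if sa else None
    return fields


def _to_minutes(text):
    """'7 pm', '7:00 am' or '17:30' -> minutes since midnight."""
    m = re.fullmatch(r"(\d{1,2})(?::(\d{2}))?\s*(am|pm)?", text.strip().lower())
    if not m:
        raise ValueError("bad time: %r" % text)
    hour, minute, meridiem = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if meridiem == "pm" and hour != 12:
        hour += 12
    elif meridiem == "am" and hour == 12:
        hour = 0
    return hour * 60 + minute


def parse_window(spec):
    """Parse a window written like the <time> value in the thread ('7 pm - 7:00 am')
    into (start_minutes, end_minutes)."""
    start, end = (part for part in spec.split("-", 1))
    return _to_minutes(start), _to_minutes(end)


def in_window(when, window):
    """True if the clock time of `when` falls inside the window. A window whose
    end is earlier than its start (7 pm - 7 am) wraps past midnight."""
    start, end = window
    now = when.hour * 60 + when.minute
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def evaluate(line, window_spec, now):
    """Return alert fields if `line` is a successful Windows logon received at
    `now` (manager clock) inside the window, otherwise None."""
    fields = parse_4624(line)
    if fields is None or fields["status"] != "AUDIT_SUCCESS" or fields["event_id"] != "4624":
        return None
    if not in_window(now, parse_window(window_spec)):
        return None
    return {
        "group": "login_time",
        "account": fields.get("account"),
        "domain": fields.get("domain"),
        "logon_type": fields["logon_type"],
        "src_ip": fields["src_ip"],
    }


if __name__ == "__main__":
    # Same event, evaluated on both sides of the window: 01:54 fires, 10:15 does not.
    for clock in (datetime(2021, 11, 16, 1, 54), datetime(2021, 11, 16, 10, 15)):
        print(clock.strftime("%H:%M"), evaluate(SAMPLE_4624, "7 pm - 7:00 am", clock))
```

Running it prints a match for 01:54 (the manager time of the alert in the reply above) and `None` for 10:15. The point of keeping `now` as a parameter is the one the thread turns on: when you replay an old event through /var/log/messages, the rule fires or not according to when the manager reads it, not according to the date inside the event.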