Event ID 4688 is not complete


Juan Fernando Hernandez Duque

May 23, 2024, 2:15:47 AM
to Wazuh | Mailing List
Hello All,

I enabled the "Include command line in process creation events" setting for Event ID 4688 in Windows.

When I capture the logs for that event ID, the Process Command Line field is not displayed; the full_log field only shows up to the Creator Process ID:

2024 May 23 00:52:15 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: xxxxxx: A new process has been created. Subject: Security ID: S-1-5-21-3217279692-1584331389-2360842418-1331 Account Name: xxxxx Account Domain: xxx Logon ID: 0x171ca59 Process Information: New Process ID: 0x2878 New Process Name: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Token Elevation Type: %%1938 Creator Process ID: 0x2a48


What can I do?

Thanks

Stuti Gupta

May 23, 2024, 2:34:14 AM
to Wazuh | Mailing List

Hi team!
Please allow me some time. I'm looking into this query and will update you with an appropriate answer.

Stuti Gupta

May 23, 2024, 5:11:16 AM
to Wazuh | Mailing List
Hello Juan Fernando Hernandez Duque

The log that you are using to test doesn't look like the EventChannel logs that Wazuh uses for Windows, like:
{"timestamp":"2023-11-28T08:30:32.918-0300","agent":{"id":"001","name":"vm-wazuhclient","ip":"172.16.0.101"},"manager":{"name":"vm-hmlwazuh"},"id":"1701171032.37801","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"eventID\":\"4688\",\"version\":\"2\",\"level\":\"0\",\"task\":\"13312\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2023-11-28T11:31:01.719139500Z\",\"eventRecordID\":\"307463\",\"processID\":\"4\",\"threadID\":\"5084\",\"channel\":\"Security\",\"computer\":\"vm-wazuhclient.domainanme.com.br\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-237819891-3985275319-1720378784-8410\\r\\n\\tAccount Name:\\t\\tuser-admin\\r\\n\\tAccount Domain:\\t\\tDOMAINNAME\\r\\n\\tLogon ID:\\t\\t0x69977\\r\\n\\r\\nTarget Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0xfa4\\r\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\win32calc.exe\\r\\n\\tToken Elevation Type:\\t%%1938\\r\\n\\tMandatory Label:\\t\\tS-1-16-8193\\r\\n\\tCreator Process...... ID:\\t0xf4c\\r\\n\\tCreator Process  .

You could try to obtain the correct log by doing the following steps:
  • Enable logall: in /var/ossec/etc/ossec.conf, set the <logall_json> option to yes. This will make Wazuh store all the logs that it receives.
  • Restart the manager and reproduce the event in the agent.
  • Check /var/ossec/logs/archives/archives.json to search for the log. You can use cat /var/ossec/logs/archives/archives.json | grep 4688 to search only the logs that contain that number.
  • The log that you will find is a JSON with several fields. You need to copy the content of the full_log field (note that it may have some escaped characters, e.g. \"; in that case, remove the \).
  • Test that on the logtest. If you are using the correct log, it will decode the fields (even if the rule is not correct). You should see something like:

  **Phase 2: Completed decoding.
            name: 'json'
            win.eventdata.logonType: '7'
            win.eventdata.targetDomainName: 'TEST-PC'
            win.eventdata.targetLogonId: '0x3aa7649'
            win.eventdata.targetUserName: 'test'
            win.eventdata.targetUserSid: 'S-1-5-21-1479626784-3650196963-2719721884-1001'
            win.system.channel: 'Security'
            ...
Once you have that, you will know which log to use to test it, but the rule will still not trigger on the logtest. That is because by default the logtest is not able to test the logs that come via eventchannel. However, there is a workaround:
  • Backup the file /var/ossec/ruleset/rules/0575-win-base_rules.xml
  • Modify the rule 60000 inside that file, removing the category and changing the decoded_as to json.

    <rule id="60000" level="0">
        <decoded_as>json</decoded_as>
        <field name="win.system.providerName">\.+</field>
        <options>no_full_log</options>
        <description>Group of windows rules.</description>
    </rule>


  • Now you can test your log with the logtest and confirm if the rule is working. It is not necessary to restart the manager after modifying this or any rules file in order to use the logtest. 
  • In case the rule is not as per expectations, you can create your own rule, for example: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
  • WARNING: after testing, restore the file 0575-win-base_rules.xml to its original. If you don't do that, after restarting the manager all the Windows EventChannel alerts will stop working, as the main rule is changed. The modification that I suggest is only for testing purposes. 
I hope you find this information helpful!
Regards,

Stuti Gupta

May 24, 2024, 7:44:12 AM
to Wazuh | Mailing List
Hi, please let me know if the issue is resolved.

Juan Fernando Hernandez Duque

May 26, 2024, 1:36:05 AM
to Wazuh | Mailing List
Hello Stuti,

Sorry for the delay... I did what you told me.
  • Backup the file /var/ossec/ruleset/rules/0575-win-base_rules.xml
  • Modify the rule 60000 inside that file, removing the category and changing the decoded_as to json.

    <rule id="60000" level="0">
        <decoded_as>json</decoded_as>
        <field name="win.system.providerName">\.+</field>
        <options>no_full_log</options>
        <description>Group of windows rules.</description>
    </rule>

And I tested my log; below I share the output.



Starting wazuh-logtest v4.2.5
Type one log per line

{"timestamp":"2024-05-25T23:55:24.819-0500","agent":{"id":"1474","name":"XXXXXXX","ip":"x.x.x.x"},"manager":{"name":"xxxxxx"},"id":"1716699324.304748583","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"4688\",\"version\":\"2\",\"level\":\"0\",\"task\":\"13312\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2024-05-26T04:55:24.763943400Z\",\"eventRecordID\":\"303806705\",\"processID\":\"4\",\"threadID\":\"22172\",\"channel\":\"Security\",\"computer\":\"XXXXXXX.XXXXXX\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tXXXXXXX$\\r\\n\\tAccount Domain:\\t\\tXXX\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nTarget Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0x72cc\\r\\n\\tNew Process Name:\\tC:\\\\sasftpagent\\\\psftp.exe\\r\\n\\tToken Elevation Type:\\t%%1936\\r\\n\\tMandatory Label:\\t\\tS-1-16-16384\\r\\n\\tCreator Process ID:\\t0xdd4\\r\\n\\tCreator Process Name:\\tC:\\\\sasftpagent\\\\sasftpagent.exe\\r\\n\\tProcess Command Line:\\t\\r\\n\\r\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\r\\n\\r\\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\r\\n\\r\\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\r\\n\\r\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\\\"\"},\"eventdata\":{\"subjectUserSid\":\"S-1-5-18\",\"subjectUserName\":\"XXXXXXX$\",\"subjectDomainName\":\"XXX\",\"subjectLogonId\":\"0x3e7\",\"newProcessId\":\"0x72cc\",\"newProcessName\":\"C:\\\\\\\\sasftpagent\\\\\\\\psftp.exe\",\"tokenElevationType\":\"%%1936\",\"processId\":\"0xdd4\",\"targetUserSid\":\"S-1-0-0\",\"targetLogonId\":\"0x0\",\"parentProcessName\":\"C:\\\\\\\\sasftpagent\\\\\\\\sasftpagent.exe\",\"mandatoryLabel\":\"S-1-16-16384\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4688","version":"2","level":"0","task":"13312","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-05-26T04:55:24.763943400Z","eventRecordID":"303806705","processID":"4","threadID":"22172","channel":"Security","computer":"XXXXXXX.XXXXXX","severityValue":"AUDIT_SUCCESS","message":"\"A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tXXXXXXX$\r\n\tAccount Domain:\t\tXXX\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x72cc\r\n\tNew Process Name:\tC:\\sasftpagent\\psftp.exe\r\n\tToken Elevation Type:\t%%1936\r\n\tMandatory Label:\t\tS-1-16-16384\r\n\tCreator Process ID:\t0xdd4\r\n\tCreator Process 
Name:\tC:\\sasftpagent\\sasftpagent.exe\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"XXXXXXX$","subjectDomainName":"XXX","subjectLogonId":"0x3e7","newProcessId":"0x72cc","newProcessName":"C:\\\\sasftpagent\\\\psftp.exe","tokenElevationType":"%%1936","processId":"0xdd4","targetUserSid":"S-1-0-0","targetLogonId":"0x0","parentProcessName":"C:\\\\sasftpagent\\\\sasftpagent.exe","mandatoryLabel":"S-1-16-16384"}}},"location":"EventChannel"}

**Phase 1: Completed pre-decoding.
        full event: '{"timestamp":"2024-05-25T23:55:24.819-0500","agent":{"id":"1474","name":"XXXXXXX","ip":"x.x.x.x"},"manager":{"name":"xxxxxx"},"id":"1716699324.304748583","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"4688\",\"version\":\"2\",\"level\":\"0\",\"task\":\"13312\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2024-05-26T04:55:24.763943400Z\",\"eventRecordID\":\"303806705\",\"processID\":\"4\",\"threadID\":\"22172\",\"channel\":\"Security\",\"computer\":\"XXXXXXX.XXXXXX\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tXXXXXXX$\\r\\n\\tAccount Domain:\\t\\tXXX\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nTarget Subject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nProcess Information:\\r\\n\\tNew Process ID:\\t\\t0x72cc\\r\\n\\tNew Process Name:\\tC:\\\\sasftpagent\\\\psftp.exe\\r\\n\\tToken Elevation Type:\\t%%1936\\r\\n\\tMandatory Label:\\t\\tS-1-16-16384\\r\\n\\tCreator Process ID:\\t0xdd4\\r\\n\\tCreator Process Name:\\tC:\\\\sasftpagent\\\\sasftpagent.exe\\r\\n\\tProcess Command Line:\\t\\r\\n\\r\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\r\\n\\r\\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\r\\n\\r\\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\r\\n\\r\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\\\"\"},\"eventdata\":{\"subjectUserSid\":\"S-1-5-18\",\"subjectUserName\":\"XXXXXXX$\",\"subjectDomainName\":\"XXX\",\"subjectLogonId\":\"0x3e7\",\"newProcessId\":\"0x72cc\",\"newProcessName\":\"C:\\\\\\\\sasftpagent\\\\\\\\psftp.exe\",\"tokenElevationType\":\"%%1936\",\"processId\":\"0xdd4\",\"targetUserSid\":\"S-1-0-0\",\"targetLogonId\":\"0x0\",\"parentProcessName\":\"C:\\\\\\\\sasftpagent\\\\\\\\sasftpagent.exe\",\"mandatoryLabel\":\"S-1-16-16384\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4688","version":"2","level":"0","task":"13312","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-05-26T04:55:24.763943400Z","eventRecordID":"303806705","processID":"4","threadID":"22172","channel":"Security","computer":"XXXXXXX.XXXXXX","severityValue":"AUDIT_SUCCESS","message":"\"A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tXXXXXXX$\r\n\tAccount Domain:\t\tXXX\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x72cc\r\n\tNew Process Name:\tC:\\sasftpagent\\psftp.exe\r\n\tToken Elevation Type:\t%%1936\r\n\tMandatory Label:\t\tS-1-16-16384\r\n\tCreator Process ID:\t0xdd4\r\n\tCreator Process 
Name:\tC:\\sasftpagent\\sasftpagent.exe\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type '


**Phase 2: Completed decoding.
        name: 'json'



Do I need to create my own rule?


Thanks...

Stuti Gupta

May 27, 2024, 6:57:16 AM
to Wazuh | Mailing List
To test the windows log you need to follow the steps mentioned above.

So the log will be:
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4688","version":"2","level":"0","task":"13312","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-05-26T04:55:24.763943400Z","eventRecordID":"303806705","processID":"4","threadID":"22172","channel":"Security","computer":"XXXXXXX.XXXXXX","severityValue":"AUDIT_SUCCESS","message":"\"A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tXXXXXXX$\r\n\tAccount Domain:\t\tXXX\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x72cc\r\n\tNew Process Name:\tC:\\sasftpagent\\psftp.exe\r\n\tToken Elevation Type:\t%%1936\r\n\tMandatory Label:\t\tS-1-16-16384\r\n\tCreator Process ID:\t0xdd4\r\n\tCreator Process Name:\tC:\\sasftpagent\\sasftpagent.exe\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"XXXXXXX$","subjectDomainName":"XXX","subjectLogonId":"0x3e7","newProcessId":"0x72cc","newProcessName":"C:\\\\sasftpagent\\\\psftp.exe","tokenElevationType":"%%1936","processId":"0xdd4","targetUserSid":"S-1-0-0","targetLogonId":"0x0","parentProcessName":"C:\\\\sasftpagent\\\\sasftpagent.exe","mandatoryLabel":"S-1-16-16384"}}}

Now when you run this log it will hit rule id 60103, as severityValue is AUDIT_SUCCESS. So you need to create a rule on the basis of that, like:

<group name="windows,">
  <rule id="100300" level="5">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">4688</field>
    <description>windows event_id 4688</description>
  </rule>
</group>


WARNING: after testing, restore the file 0575-win-base_rules.xml to its original. If you don't do that, after restarting the manager all the Windows EventChannel alerts will stop working, as the main rule is changed. The modification that I suggest is only for testing purposes.

Refer https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Hope this helps
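The following is an added example, not code from the thread or from Wazuh, that automates the two procedures discussed above: pulling the full_log field out of an archives.json line (which also undoes the \" escaping the first reply says to remove by hand) and checking the conditions the suggested rule chain matches on (a non-empty win.system.providerName, severityValue AUDIT_SUCCESS for rule 60103 as the last reply states, and eventID 4688 for the custom rule 100300). It also reports whether the command line actually reached the event, which is what the original question was about. The archive records are constructed for the example; the field name win.eventdata.commandLine is an assumption, formed the same way as the other eventdata keys visible on the page.

```python
import json
from typing import Iterable, List, Tuple

# --- Constructed sample data (not from the thread) -------------------------
# Each line of /var/ossec/logs/archives/archives.json is one JSON object whose
# full_log field holds the agent's EventChannel JSON as an escaped string.


def build_record(event_id: str, eventdata: dict) -> str:
    """Build one constructed archives.json line with the given eventdata."""
    full_log = {
        "win": {
            "system": {
                "providerName": "Microsoft-Windows-Security-Auditing",
                "eventID": event_id,
                "channel": "Security",
                "severityValue": "AUDIT_SUCCESS",
                "message": "constructed event text",
            },
            "eventdata": eventdata,
        }
    }
    return json.dumps({
        "timestamp": "2024-05-25T23:55:24.819-0500",
        "agent": {"id": "1474", "name": "EXAMPLE-HOST", "ip": "10.0.0.5"},
        "full_log": json.dumps(full_log),  # nested JSON, hence the \" escapes
        "decoder": {"name": "windows_eventchannel"},
        "location": "EventChannel",
    })


BASE_EVENTDATA = {
    "subjectUserSid": "S-1-5-18",
    "newProcessId": "0x72cc",
    "newProcessName": "C:\\example\\child.exe",
    "parentProcessName": "C:\\example\\parent.exe",
    "tokenElevationType": "%%1936",
}

# 4688 without the audit setting in effect: no command-line key at all
RECORD_NO_CMDLINE = build_record("4688", BASE_EVENTDATA)
# 4688 where the field exists but is empty (like "Process Command Line:" above)
RECORD_EMPTY_CMDLINE = build_record("4688", {**BASE_EVENTDATA, "commandLine": ""})
# 4688 with the command line captured
RECORD_WITH_CMDLINE = build_record(
    "4688", {**BASE_EVENTDATA, "commandLine": '"C:\\example\\child.exe" --flag'})
# an unrelated logon event that the grep-style filter should skip
RECORD_OTHER = build_record("4624", {"logonType": "7"})


def extract_full_log(record_line: str) -> str:
    """Return the unescaped full_log string, ready to paste into wazuh-logtest."""
    return json.loads(record_line)["full_log"]


def decode_event(full_log: str) -> dict:
    """Parse the EventChannel JSON the way the json decoder does in logtest."""
    return json.loads(full_log)


def matches_rule_chain(event: dict) -> bool:
    """Mirror the rule conditions from the thread: 60000 (modified) needs a
    providerName, 60103 needs AUDIT_SUCCESS, custom 100300 needs eventID 4688."""
    system = event.get("win", {}).get("system", {})
    return (bool(system.get("providerName"))
            and system.get("severityValue") == "AUDIT_SUCCESS"
            and system.get("eventID") == "4688")


def command_line_status(event: dict) -> str:
    """Classify whether the command line reached the event.
    Assumed key name: win.eventdata.commandLine. 'missing' means the audit
    setting is not in effect on the host; 'empty' means the field has no value."""
    eventdata = event.get("win", {}).get("eventdata", {})
    if "commandLine" not in eventdata:
        return "missing"
    if not eventdata["commandLine"].strip():
        return "empty"
    return "present"


def audit_archive(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Walk archives.json lines and report (new process, command-line status)
    for every event the rule chain above would alert on."""
    report = []
    for line in lines:
        if "4688" not in line:          # same coarse filter as `grep 4688`
            continue
        event = decode_event(extract_full_log(line))
        if not matches_rule_chain(event):
            continue
        name = event["win"]["eventdata"].get("newProcessName", "?")
        report.append((name, command_line_status(event)))
    return report


if __name__ == "__main__":
    sample = [RECORD_NO_CMDLINE, RECORD_OTHER, RECORD_EMPTY_CMDLINE, RECORD_WITH_CMDLINE]
    print(extract_full_log(RECORD_NO_CMDLINE))   # paste this line into wazuh-logtest
    for proc, status in audit_archive(sample):
        print(f"{proc}: command line {status}")
```

Run it against real lines with `audit_archive(open("/var/ossec/logs/archives/archives.json"))` once logall is enabled. A "missing" result on a 4688 event is the useful signal here: the agent forwarded the event correctly, but the host itself never wrote a command line into it, so the fix belongs in the Windows audit policy rather than in a Wazuh rule.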