Silencing Syscheck - Based on Location
365 views
Skip to first unread message
Logan Simmons
Jul 20, 2022, 11:30:36 AM7/20/22
to Wazuh mailing list
Hello all!
We have a Wazuh Manager (version 4.3.5) in our environment of about 200+ agents that are on the same version agent installer.
I am trying to create a custom rule to not send/silence an alert for modifying the Registry based on certain criteria. (ex. original rule ID 598) within the agent. I do have the agents in groups, and have updated the agent.conf shared file to ignore these registry locations (see below).
We have a Wazuh Manager (version 4.3.5) in our environment of about 200+ agents that are on the same version agent installer.
I am trying to create a custom rule to not send/silence an alert for modifying the Registry based on certain criteria. (ex. original rule ID 598) within the agent. I do have the agents in groups, and have updated the agent.conf shared file to ignore these registry locations (see below).
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\ControlSet001\Services</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\ControlSet001\Services</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Windows</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Google</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies\Google</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Intel</registry_ignore>
The above is also set in the ossec.conf of the manager
Below is my attempt to silence the alerts, but I seem to be missing something. The alerts are still reporting! Within the last 24 hours, 42,389 alerts have been sent to my manager for registry modification. A lot of them are "mtime" changes. Or just "a key has been added/deleted/modified".
MY CUSTOM RULE ATTEMPT
<rule id="10016" level="0">
<if_sid>598</if_sid>
<field name="syscheck.path">^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</field>
<field name="decoder.name">^syscheck_registry_key_added$|^syscheck_registry_value_added$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
We have other means to monitor these changes, if necessary. These logs are just creating a lot of noise and burying other important logs.
Any help is appreciated!
If more info is needed, please let me know or provide me commands to help you out!
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Google</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies\Google</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Intel</registry_ignore>
The above is also set in the ossec.conf of the manager
Below is my attempt to silence the alerts, but I seem to be missing something. The alerts are still reporting! Within the last 24 hours, 42,389 alerts have been sent to my manager for registry modification. A lot of them are "mtime" changes. Or just "a key has been added/deleted/modified".
MY CUSTOM RULE ATTEMPT
<rule id="10016" level="0">
<if_sid>598</if_sid>
<field name="syscheck.path">^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</field>
<field name="decoder.name">^syscheck_registry_key_added$|^syscheck_registry_value_added$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
We have other means to monitor these changes, if necessary. These logs are just creating a lot of noise and burying other important logs.
Any help is appreciated!
If more info is needed, please let me know or provide me commands to help you out!
Christian Borla
Jul 20, 2022, 2:02:26 PM7/20/22
to Wazuh mailing list
Hello!
I hope you are doing fine!
I'm digging for more information about this., I will come back as soon as I have more information.
Regards!
Christian Borla
Jul 20, 2022, 2:45:00 PM7/20/22
to Wazuh mailing list
Hi!
I found some possible changes to your custom rule.
1. The <id> of custom rules will be in the range from 100000 to 120000. link
2. Instead use <field name="decoder.name">, try with field <decoded_as>, link , But in this case it's not necessary, it's redundant, because the custom rule is a child of rule 598, which already include <decoded_as> option.
Default rule 598, do not modify it, it's just to show how <decoded_as> is configured.
<rule id="598" level="5">
<category>ossec</category>
<decoded_as>syscheck_registry_key_added</decoded_as>
<group>syscheck,syscheck_entry_added,syscheck_registry,pci_dss_11.5,gpg13_4.13,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<description>Registry Key Entry Added to the System</description>
<mitre>
<id>T1112</id>
</mitre>
</rule>
Try with this custom rule.
<rule id="100016" level="0">
<if_sid>598</if_sid>
<field name="syscheck.path">^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</field>
Let me know if that works, if not, please look for some registry example as Wazuh receives in /var/ossec/logs/archives/archives.json on Wazuh manager side. To enable archive.json file edit /var/ossec/etc/ossec.conf into manager side, add <logall_json>yes</logall_json>
<ossec_config>
<global>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>yes</logall_json>
</global>
Then restart the manager, if you find some events we can test the rule with wazuh-logtest tool to fire an alert. Please share the json event in archives.json.
Regards!
I found some possible changes to your custom rule.
1. The <id> of custom rules will be in the range from 100000 to 120000. link
2. Instead use <field name="decoder.name">, try with field <decoded_as>, link , But in this case it's not necessary, it's redundant, because the custom rule is a child of rule 598, which already include <decoded_as> option.
Default rule 598, do not modify it, it's just to show how <decoded_as> is configured.
<rule id="598" level="5">
<category>ossec</category>
<decoded_as>syscheck_registry_key_added</decoded_as>
<group>syscheck,syscheck_entry_added,syscheck_registry,pci_dss_11.5,gpg13_4.13,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
<description>Registry Key Entry Added to the System</description>
<mitre>
<id>T1112</id>
</mitre>
</rule>
Try with this custom rule.
<rule id="100016" level="0">
<if_sid>598</if_sid>
<field name="syscheck.path">^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
</rule>
Let me know if that works, if not, please look for some registry example as Wazuh receives in /var/ossec/logs/archives/archives.json on Wazuh manager side. To enable archive.json file edit /var/ossec/etc/ossec.conf into manager side, add <logall_json>yes</logall_json>
<ossec_config>
<global>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>yes</logall_json>
</global>
Then restart the manager, if you find some events we can test the rule with wazuh-logtest tool to fire an alert. Please share the json event in archives.json.
Regards!
Logan Simmons
Jul 22, 2022, 8:37:08 AM7/22/22
to Wazuh mailing list
Sorry for the late response,
I will change my rules and see if anything changes. Thank you for the input!
I will change my rules and see if anything changes. Thank you for the input!
Logan Simmons
Jul 22, 2022, 9:40:25 AM7/22/22
to Wazuh mailing list
Reaching out to say that, unfortunately, that did not work. Still have a load of alerts coming in.
Enabling archives and will wait for a few events to come in.
Enabling archives and will wait for a few events to come in.
On Wednesday, July 20, 2022 at 2:45:00 PM UTC-4 christi...@wazuh.com wrote:
Logan Simmons
Jul 22, 2022, 10:40:52 AM7/22/22
to Wazuh mailing list
Below are 2 events from the archives.json. I've redacted sensitive info.
I found these logs by doing: cat /var/ossec/logs/archives/archives.json | grep "Registry Key Entry Added to the System"
____________________________________ ____________________________________ ____________________________________ ____________________________________
{"timestamp":"2022-07-22T14:23:47.848+0000","rule":{"level":5,"description":"Registry Key Entry Added to the System","id":"598","mitre":{"id":["T1112"],"tactic":["Defense Evasion"],"technique":["Modify Registry"]},"firedtimes":5,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_registry"],"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"080","name":"REDACTED","ip":"REDACTED"},"manager":{"name":"pc-wazuh-beta"},"id":"1658499827.85054651","full_log":"Registry Key '[x64] HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VolatileUserMgrKey\\4' added\nMode: scheduled\n","syscheck":{"path":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VolatileUserMgrKey\\4","mode":"scheduled","arch":"[x64]","win_perm_after":[{"name":"TrustedInstaller","allowed":["GENERIC_ALL","DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE"]},{"name":"SYSTEM","allowed":["GENERIC_ALL","DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE"]},{"name":"Administrators","allowed":["GENERIC_ALL","DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE"]},{"name":"Users","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]},{"name":"ALL APPLICATION PACKAGES","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]},{"name":"REDACTED","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]}],"uid_after":"REDACTED","gid_after":"REDACTED","uname_after":"Administrators","gname_after":"SYSTEM","mtime_after":"2022-07-22T13:41:40","event":"added"},"decoder":{"name":"syscheck_registry_key_added"},"location":"syscheck"}
{"timestamp":"2022-07-22T14:30:05.643+0000","rule":{"level":5,"description":"Registry Key Entry Added to the System","id":"598","mitre":{"id":["T1112"],"tactic":["Defense Evasion"],"technique":["Modify Registry"]},"firedtimes":9,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_registry"],"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"265","name":"REDACTED","ip":"REDACTED"},"manager":{"name":"pc-wazuh-beta"},"id":"1658500205.86499514","full_log":"Registry Key '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKsl1dbf4075' added\nMode: scheduled\n","syscheck":{"path":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKsl1dbf4075","mode":"scheduled","arch":"[x32]","win_perm_after":[{"name":"Users","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]},{"name":"Administrators","allowed":["GENERIC_ALL","DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE"]},{"name":"SYSTEM","allowed":["GENERIC_ALL","DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE"]},{"name":"CREATOR OWNER","allowed":["GENERIC_ALL"]},{"name":"ALL APPLICATION PACKAGES","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]},{"name":"REDACTED","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]}],"uid_after":"REDACTED","gid_after":" REDACTED","uname_after":"Administrators","gname_after":"SYSTEM","mtime_after":"2022-07-22T07:30:05","event":"added"},"decoder":{"name":"syscheck_registry_key_added"},"location":"syscheck"}
____________________________________ ____________________________________ ____________________________________ ____________________________________
I'm not really sure how to decode these and see what the problem could be.
How could I parse these to test with wazuh-logtest?
Thank you again for your help!
I found these logs by doing: cat /var/ossec/logs/archives/archives.json | grep "Registry Key Entry Added to the System"
____________________________________ ____________________________________ ____________________________________ ____________________________________
{"timestamp":"2022-07-22T14:23:47.848+0000","rule":{"level":5,"description":"Registry Key Entry Added to the System","id":"598","mitre":{"id":["T1112"],"tactic":["Defense Evasion"],"technique":["Modify Registry"]},"firedtimes":5,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_registry"],"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"080","name":"REDACTED","ip":"REDACTED"},"manager":{"name":"pc-wazuh-beta"},"id":"1658499827.85054651","full_log":"Registry Key '[x64] HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VolatileUserMgrKey\\4' added\nMode: scheduled\n","syscheck":{"path":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VolatileUserMgrKey\\4","mode":"scheduled","arch":"[x64]","win_perm_after":[{"name":"TrustedInstaller","allowed":["GENERIC_ALL","DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE"]},{"name":"SYSTEM","allowed":["GENERIC_ALL","DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE"]},{"name":"Administrators","allowed":["GENERIC_ALL","DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE"]},{"name":"Users","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]},{"name":"ALL APPLICATION PACKAGES","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]},{"name":"REDACTED","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]}],"uid_after":"REDACTED","gid_after":"REDACTED","uname_after":"Administrators","gname_after":"SYSTEM","mtime_after":"2022-07-22T13:41:40","event":"added"},"decoder":{"name":"syscheck_registry_key_added"},"location":"syscheck"}
{"timestamp":"2022-07-22T14:30:05.643+0000","rule":{"level":5,"description":"Registry Key Entry Added to the System","id":"598","mitre":{"id":["T1112"],"tactic":["Defense Evasion"],"technique":["Modify Registry"]},"firedtimes":9,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_registry"],"pci_dss":["11.5"],"gpg13":["4.13"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"265","name":"REDACTED","ip":"REDACTED"},"manager":{"name":"pc-wazuh-beta"},"id":"1658500205.86499514","full_log":"Registry Key '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKsl1dbf4075' added\nMode: scheduled\n","syscheck":{"path":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKsl1dbf4075","mode":"scheduled","arch":"[x32]","win_perm_after":[{"name":"Users","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]},{"name":"Administrators","allowed":["GENERIC_ALL","DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE"]},{"name":"SYSTEM","allowed":["GENERIC_ALL","DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE"]},{"name":"CREATOR OWNER","allowed":["GENERIC_ALL"]},{"name":"ALL APPLICATION PACKAGES","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]},{"name":"REDACTED","allowed":["GENERIC_READ","READ_CONTROL","READ_DATA","READ_EA","WRITE_EA"]}],"uid_after":"REDACTED","gid_after":" REDACTED","uname_after":"Administrators","gname_after":"SYSTEM","mtime_after":"2022-07-22T07:30:05","event":"added"},"decoder":{"name":"syscheck_registry_key_added"},"location":"syscheck"}
____________________________________ ____________________________________ ____________________________________ ____________________________________
I'm not really sure how to decode these and see what the problem could be.
How could I parse these to test with wazuh-logtest?
Thank you again for your help!
Christian Borla
Jul 22, 2022, 10:44:55 AM7/22/22
to Wazuh mailing list
Hello!
I hope you are doing fine!
I'll test it and try to make it works. I will come back as soon as I have more information.I hope you are doing fine!
Regards!
Christian Borla
Jul 22, 2022, 1:09:44 PM7/22/22
to Wazuh mailing list
Hi!
I could´t make it work with wazuh-logtes yet, but we can do a test while i try to fix it.
The full log is
"full_log": "Registry Key '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKsl1dbf4075' added\nMode: scheduled\n",
And it parsed as :
"syscheck": {
"path": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKsl1dbf4075",
The custom rule filter by (expanded):
<field name="syscheck.path">
^HKEY_LOCAL_MACHINE\\Software\\\.$|
^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|
^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$
</field>
Could you try with a pcre2 regex type?
<rule id="100016" level="0">
Let me know if that works.
Regards!
I could´t make it work with wazuh-logtes yet, but we can do a test while i try to fix it.
The full log is
"full_log": "Registry Key '[x32] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKsl1dbf4075' added\nMode: scheduled\n",
"syscheck": {
"path": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpKsl1dbf4075",
<field name="syscheck.path">
^HKEY_LOCAL_MACHINE\\Software\\\.$|
^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|
^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$
</field>
<rule id="100016" level="0">
<if_sid>598</if_sid>
<field name="syscheck.path" type="pcre2"> ^HKEY_LOCAL_MACHINE\\\\(?:System\\\\(?:CurrentControlSet\\\\|ControlSet001\\\\.*)|(?:Software\\\\)).*$</field>
<field name="syscheck.path" type="pcre2"> ^HKEY_LOCAL_MACHINE\\\\(?:System\\\\(?:CurrentControlSet\\\\|ControlSet001\\\\.*)|(?:Software\\\\)).*$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
</rule>
Regards!
Logan Simmons
Jul 22, 2022, 1:57:58 PM7/22/22
to Wazuh mailing list
You've been so helpful and I thank you for your time working on this!
I will test and let you know :)
I will test and let you know :)
Logan Simmons
Jul 22, 2022, 4:13:58 PM7/22/22
to Wazuh mailing list
Unfortunately, that did not work either.
Could there be something overwriting my config somewhere that Im not aware of?
Could there be something overwriting my config somewhere that Im not aware of?
Christian Borla
Jul 22, 2022, 7:35:17 PM7/22/22
to Wazuh mailing list
Hi! thanks a lot, I'm glad to help you!
I figured out what it´s, this link mentions real field names to FIM.
I configured FIM in an anget side, then I created following rule in manager side, level 12 to trigger it, then I change the level to 0 to stop generate alerts from that ruel. The main issue was the field name (field name="file")
<rule id="100016" level="12">
<if_sid>598,554</if_sid>
<field name="file" type="pcre2">(?i)c:\\Users\\asus\\workspace\\remotd.*</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
If I create a remotd<something> file in 'c:\\Users\\asus\\workspace\\' directory it trigger an aler from rule 554, that is another change, I added rule id 554 becuse it triggers when I added a file.
This is an alert example, it only shows when alert is bigger than 0.
{"timestamp":"2022-07-22T20:23:59.203-0300","rule":{"level":12,"description":"Silencing HKLM Registry Noise.","id":"100016","firedtimes":1,"mail":true,"groups":["hp","custom"]},"agent":{"id":"015","name":"DESKTOP","ip":"192.168.10.12"},"manager":{"name":"VBox"},"id":"165853223","full_log":"File 'c:\\users\\asus\\workspace\\remotd - copy.txt' added\nMode: realtime\n","syscheck":{"path":"c:\\users\\asus\\workspace\\remotd - copy.txt","mode":"realtime","size_after":"544","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administradores","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"asus","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]}],"uid_after":"S-1-5-21-2446384277-2365750671-1058278366-1001","md5_after":"72810bcbb2c02e88a4ec2c0ab73319fb","sha1_after":"cdd5e9ec7d4f37b0f27750ef53ed6fd5a27896d3","sha256_after":"69c07c039381aeddc0fe2deb61d5f2633abb6d25cb1fe4faf6461e438153d9c6","attrs_after":["ARCHIVE"],"uname_after":"asus","mtime_after":"2022-04-27T08:35:46","event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}
I wolud try with following rules
or
<field name="file">^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
Let me know if works to you!!
Regards!
I figured out what it´s, this link mentions real field names to FIM.
I configured FIM in an anget side, then I created following rule in manager side, level 12 to trigger it, then I change the level to 0 to stop generate alerts from that ruel. The main issue was the field name (field name="file")
<rule id="100016" level="12">
<if_sid>598,554</if_sid>
<field name="file" type="pcre2">(?i)c:\\Users\\asus\\workspace\\remotd.*</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
This is an alert example, it only shows when alert is bigger than 0.
{"timestamp":"2022-07-22T20:23:59.203-0300","rule":{"level":12,"description":"Silencing HKLM Registry Noise.","id":"100016","firedtimes":1,"mail":true,"groups":["hp","custom"]},"agent":{"id":"015","name":"DESKTOP","ip":"192.168.10.12"},"manager":{"name":"VBox"},"id":"165853223","full_log":"File 'c:\\users\\asus\\workspace\\remotd - copy.txt' added\nMode: realtime\n","syscheck":{"path":"c:\\users\\asus\\workspace\\remotd - copy.txt","mode":"realtime","size_after":"544","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administradores","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"asus","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]}],"uid_after":"S-1-5-21-2446384277-2365750671-1058278366-1001","md5_after":"72810bcbb2c02e88a4ec2c0ab73319fb","sha1_after":"cdd5e9ec7d4f37b0f27750ef53ed6fd5a27896d3","sha256_after":"69c07c039381aeddc0fe2deb61d5f2633abb6d25cb1fe4faf6461e438153d9c6","attrs_after":["ARCHIVE"],"uname_after":"asus","mtime_after":"2022-04-27T08:35:46","event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}
I wolud try with following rules
<rule id="100016" level="0">
<if_sid>598, 554</if_sid>
<field name="file" type="pcre2">HKEY_LOCAL_MACHINE\\\\(?:System\\\\(?:CurrentControlSet\\\\|ControlSet001\\\\.*)|(?:Software\\\\)).*$</field>
<field name="file" type="pcre2">HKEY_LOCAL_MACHINE\\\\(?:System\\\\(?:CurrentControlSet\\\\|ControlSet001\\\\.*)|(?:Software\\\\)).*$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
</rule>
<rule id="100016" level="0">
<if_sid>598, 554</if_sid><field name="file">^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
Let me know if works to you!!
Regards!
Logan Simmons
Jul 26, 2022, 10:01:19 AM7/26/22
to Wazuh mailing list
I think we are getting close!
Upon reviewing your comment. I applied those changes and no luck. I decided to check the ossec.conf on the agent and compare it to the shared agent.conf and noticed that the ossec.conf had some registry monitors conflicting with the ignore options I added to agent.conf
Shared agent.conf
<agent_config>
<!-- Shared agent configuration here -->
<syscheck>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\ControlSet001\Services</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Windows</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Google</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies\Google</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Intel</registry_ignore>
<ignore>%windir%\AdminArsenal</ignore>
<registry_ignore>\Enum$</registry_ignore>
</syscheck>
Ossec.conf on agent
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
Upon reviewing your comment. I applied those changes and no luck. I decided to check the ossec.conf on the agent and compare it to the shared agent.conf and noticed that the ossec.conf had some registry monitors conflicting with the ignore options I added to agent.conf
Shared agent.conf
<agent_config>
<!-- Shared agent configuration here -->
<syscheck>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\ControlSet001\Services</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Windows</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Google</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Policies\Google</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Intel</registry_ignore>
<registry_ignore>\Enum$</registry_ignore>
</syscheck>
Ossec.conf on agent
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
While not all are present in the Ossec, would these entries trump the agent.conf and therefore take precedence?
Hoping that makes sense.
I will be testing out later today and reporting back, but would love your feedback on this too :)
Thank you!
Hoping that makes sense.
I will be testing out later today and reporting back, but would love your feedback on this too :)
Thank you!
Logan Simmons
Jul 26, 2022, 10:03:33 AM7/26/22
to Wazuh mailing list
To note, I only tried the first formatting of your suggestion from your most recent reply:
<rule id="100016" level="0">
<if_sid>598, 554</if_sid>
<field name="file" type="pcre2">HKEY_LOCAL_MACHINE\\\\(?:System\\\\(?:CurrentControlSet\\\\|ControlSet001\\\\.*)|(?:Software\\\\)).*$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
I am testing the below now before testing my findings above in my last post
<rule id="100016" level="0">
<if_sid>598, 554</if_sid>
<field name="file">^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
<rule id="100016" level="0">
<if_sid>598, 554</if_sid>
<field name="file" type="pcre2">HKEY_LOCAL_MACHINE\\\\(?:System\\\\(?:CurrentControlSet\\\\|ControlSet001\\\\.*)|(?:Software\\\\)).*$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
<rule id="100016" level="0">
<if_sid>598, 554</if_sid>
<field name="file">^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
Logan Simmons
Jul 26, 2022, 12:02:50 PM7/26/22
to Wazuh mailing list
Sorry for the back to back
Tried both suggestions and no go. I also read that the agent.conf takes precedence, so I skipped trying what I had found.
I again appreciate your help.
I've also tried the below, with no luck
<rule id="100014" level="0">
<if_sid>554, 594, 597, 598, 750, 751, 752</if_sid>
<if_group>syscheck</if_group>
<match>^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</match>
<description>Silencing HKLM Registry Noise.</description>
</rule>
And
<rule id="100014" level="0">
<if_sid>554, 594, 597, 598, 750, 751, 752</if_sid>
<field name="file">^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
Tried both suggestions and no go. I also read that the agent.conf takes precedence, so I skipped trying what I had found.
I again appreciate your help.
I've also tried the below, with no luck
<rule id="100014" level="0">
<if_sid>554, 594, 597, 598, 750, 751, 752</if_sid>
<if_group>syscheck</if_group>
<match>^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</match>
<description>Silencing HKLM Registry Noise.</description>
</rule>
<rule id="100014" level="0">
<if_sid>554, 594, 597, 598, 750, 751, 752</if_sid>
<field name="file">^HKEY_LOCAL_MACHINE\\Software\\\.$|^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\\.$|^HKEY_LOCAL_MACHINE\\System\\ControlSet001\\\.$</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
Logan Simmons
Aug 1, 2022, 3:15:42 PM8/1/22
to Wazuh mailing list
Any update to a solution for this? Thank you all
Christian Borla
Aug 1, 2022, 5:31:44 PM8/1/22
to Wazuh mailing list
Hi!! I hope you are doing fine!
I'm realy sorry for the dealy.
Last week I have been doing some test with syschek, and to make rules match, it will neccessary use the pcre2 engine.
We can try with following cases:
<rule id="100014" level="0">
<if_sid>554, 594, 597, 598, 750, 751, 752</if_sid>
Let me know if that works!
Regards!
I'm realy sorry for the dealy.
Last week I have been doing some test with syschek, and to make rules match, it will neccessary use the pcre2 engine.
We can try with following cases:
<rule id="100014" level="0">
<if_sid>554, 594, 597, 598, 750, 751, 752</if_sid>
<if_group>syscheck</if_group>
<match type="pcre2">^HKEY_LOCAL_MACHINE\\+Software\\+|^HKEY_LOCAL_MACHINE\\+System\\+CurrentControlSet\\+|^HKEY_LOCAL_MACHINE\\+System\\+ControlSet001\\+</match><if_sid>554, 594, 597, 598, 750, 751, 752</if_sid>
<if_group>syscheck</if_group>
<description>Silencing HKLM Registry Noise.</description>
</rule>
And </rule>
<rule id="100014" level="0">
<if_sid>554, 594, 597, 598, 750, 751, 752</if_sid>
<field name="file" type="pcre2">^HKEY_LOCAL_MACHINE\\+Software\\+|^HKEY_LOCAL_MACHINE\\+System\\+CurrentControlSet\\+|^HKEY_LOCAL_MACHINE\\+System\\+ControlSet001\\+</field>
<description>Silencing HKLM Registry Noise.</description>
</rule>
</rule>
Regards!
Logan Simmons
Aug 2, 2022, 2:26:05 PM8/2/22
to Wazuh mailing list
Christian,
I can confirm the second example you provided in your previous response worked!
This has helped TREMENDOUSLY with silencing noise in our environment.
Now time to tweak and filter out what logs we would need from these locations.
Thank you so much again and I appreciate your tests.
I can confirm the second example you provided in your previous response worked!
This has helped TREMENDOUSLY with silencing noise in our environment.
Now time to tweak and filter out what logs we would need from these locations.
Thank you so much again and I appreciate your tests.
Christian Borla
Aug 2, 2022, 3:01:45 PM8/2/22
to Wazuh mailing list
Hi!
Good to hear that!! you are welcome.
Thanks to use Wazuh!
Regards
Good to hear that!! you are welcome.
Thanks to use Wazuh!
Regards
Reply all
Reply to author
Forward
0 new messages