Blocking user account in windows - Active response


sau sau

Apr 3, 2023, 9:53:38 PM
to Wazuh mailing list
Hello,

I was trying to write a custom script for Windows to block user accounts that trigger rule 60122 multiple times within a given timeframe. The custom rule for that is as follows:

<group name="windows,windows_security,">
  <rule id="100002" level="10" frequency="3" timeframe="120">
    <if_matched_sid>60122</if_matched_sid>
    <decoded_as>json_test</decoded_as>
    <description>windows: possible password guess on $(win.eventdata.targetUserName)</description>
    <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

The generated alert has a field data.win.eventdata.targetUserName that holds the name of the user on which multiple login attempts were made.

In the ossec.conf of the Wazuh manager:
  <command>
    <name>disable-account-win</name>
    <executable>disable-account-win.cmd</executable>
    <expect>user</expect>
  </command>

  <active-response>
    <command>disable-account-win</command>
    <location>local</location>
    <rules_id>100002</rules_id>
  </active-response>

On the Windows agent machine, I created a simple script just for testing:

@ECHO OFF
ECHO.

REM Build a timestamp: day-of-week and date from DATE /T, then HH:MM:SS.cc from %TIME%
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE /T') DO SET DATE=%%A %%B
FOR /F "TOKENS=1-3 DELIMS=:" %%A IN ("%TIME%") DO SET TIME=%%A:%%B:%%C

REM Append the timestamp, the script path (%0) and every argument execd passed on the command line
ECHO %DATE%%TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 >> active-response/active-response.log

The log looks like the following after execution:

Mon 04/03/2023 8:37:52.11 "active-response/bin/disable-account-win.cmd" add "-" "-" "1680536271.693720 100002 (WIN) any->EventChannel - -"

It seems like <expect>user</expect> doesn't work for the targetUserName field of the alert.

I did the same thing for Unix by following the documentation and everything works: the user parameter is sent to the agent from the dstuser field.

Sun Apr  2 03:15:44 PM UTC 2023 /var/ossec/active-response/bin/disable-account.sh add test2 - 1680448544.1182108 100001

How do I do the same thing for Windows?

windows_alert_100002.txt

Dario Menten

Apr 4, 2023, 11:11:09 AM
to Wazuh mailing list

Hello Sau,
Thank you for posting in the community.

It seems that your configurations are correctly applied.
Active Response passes the script a JSON line which contains the entire alert. Having said that, when you write an Active Response script you need to extract the desired information from the alert in order to execute your custom actions.
Writing Active Response scripts for Windows agents could be tricky because it does not accept PowerShell scripts natively. This can be an issue since PowerShell is more flexible and has a lot of features that can be useful in these cases.
The good news is that we can “embed” PowerShell code into a cmd batch file.
You can see more discussion about this issue here: Wazuh Issue

To help you accomplish this, I wrote this Active-Response script that will disable (or enable if it is a rollback action) Windows Local accounts: disable-account-win.cmd

  <command>
    <name>disable-account-win</name>
    <executable>disable-account-win.cmd</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>disable-account-win</command>
    <location>local</location>
    <rules_id>100002</rules_id>
    <timeout>600</timeout>
  </active-response>

With this configuration, the local user will be disabled when a 100002 alert is raised and it will be enabled again after 600 seconds.

I hope this information could be helpful.
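A fuller version of the approach Dario describes (read the alert JSON from stdin, pull out targetUserName, disable the account on "add" and re-enable it on the "delete" that the timeout produces), written here as an added example and not Dario's attached script. It assumes the .cmd wrapper launches it with `powershell.exe -ExecutionPolicy Bypass -File "%~dp0disable-account-win.ps1"` with stdin inherited, that the agent runs as LocalSystem, that the Disable-LocalUser/Enable-LocalUser cmdlets (local accounts only) are available, and that the protected-account list is yours to fill in; the check_keys exchange is Wazuh's stateful active-response handshake, and the log path is the one from sau's script.

```powershell
# disable-account-win.ps1  (added example; assumed to be launched by the .cmd wrapper
# with:  powershell.exe -ExecutionPolicy Bypass -File "%~dp0disable-account-win.ps1")
# wazuh-execd writes one JSON line to stdin: {"command":"add"|"delete","parameters":{"alert":{...}}}
$LogFile   = 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'
# Accounts an attacker-triggerable alert must never be able to lock out (assumed list).
$Protected = @('Administrator')

function Write-ArLog([string]$Message) {
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    Add-Content -Path $LogFile -Value "$stamp disable-account-win: $Message"
}

# [Console]::In reads the redirected stdin that execd provides.
$msg  = [Console]::In.ReadLine() | ConvertFrom-Json
$user = $msg.parameters.alert.data.win.eventdata.targetUserName

if ([string]::IsNullOrWhiteSpace($user)) {
    Write-ArLog 'alert has no targetUserName, nothing to do'; exit 0
}
if ($Protected -contains $user) {
    Write-ArLog "refusing to touch protected account '$user'"; exit 0
}

switch ($msg.command) {
    'add' {
        # Stateful-AR handshake: tell execd which key we act on, then wait for continue/abort.
        $check = @{ version = 1
                    origin  = @{ name = 'disable-account-win'; module = 'active-response' }
                    command = 'check_keys'
                    parameters = @{ keys = @($user) } } | ConvertTo-Json -Compress -Depth 4
        [Console]::Out.WriteLine($check)
        $reply = [Console]::In.ReadLine() | ConvertFrom-Json
        if ($reply.command -ne 'continue') {
            Write-ArLog "execd answered '$($reply.command)', leaving '$user' enabled"; break
        }
        Disable-LocalUser -Name $user
        Write-ArLog "disabled local account '$user' (rule $($msg.parameters.alert.rule.id))"
    }
    'delete' {
        # Rollback sent by execd after <timeout> seconds: re-enable the account.
        Enable-LocalUser -Name $user
        Write-ArLog "re-enabled local account '$user'"
    }
    default { Write-ArLog "unknown command '$($msg.command)'" }
}
```

For a domain account on a DC the same structure applies with Disable-ADAccount/Enable-ADAccount from the ActiveDirectory module in place of the local-account cmdlets.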

sau sau

Apr 6, 2023, 12:07:22 AM
to Wazuh mailing list

Hello Dario,

Thank you for the help.

I modified the disable-account-win.cmd as follows:

@ECHO OFF

REM Run the embedded PowerShell inline; each trailing ^ continues the command on the next line
powershell -executionpolicy ByPass ^
    $alert = Read-Host; ^
    $alert_dict = ConvertFrom-Json $alert; ^
    $log_line = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')+\" active-response/bin/disable-account-win.cmd: AR was executed\"; ^
    Add-Content -Path 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log' -Value $log_line

:Exit


On the manager I see the debug log saying that the AR is successfully sent to the agent, as follows:

2023/04/06 03:41:58 ossec-remoted[445] ar-forward.c:44 at AR_Forward(): DEBUG: Active response request received: (DESKTOP-9RKUG4G) any->EventChannel NRN (null) disable-account-win600 - - 1680752518.394771 100002 (DESKTOP-9RKUG4G) any->EventChannel - -
2023/04/06 03:41:58 ossec-remoted[445] ar-forward.c:119 at AR_Forward(): DEBUG: Active response sent: #!-execd disable-account-win600 - - 1680752518.394771 100002 (DESKTOP-9RKUG4G) any->EventChannel - -

However, I don't see any log entries on active-responses.log.

Am I missing something here?

G Gao

Oct 4, 2023, 8:17:18 AM
to Wazuh | Mailing List

Hi Dario, I came across this while I was searching for a solution to disable an Active Directory account on a Windows DC. Would I be able to use this script for that?

Thank you,

Bo

Maknus

Jan 17, 2025, 3:51:11 AM
to Wazuh | Mailing List

Hi,

I’d like to revisit this topic. Has anyone managed to create an Active Response that blocks a user in AD?
