Active-Response on Windows for rule id 60204.


Defender

Jul 8, 2022, 9:06:25 AM
to Wazuh mailing list
Hi there!
I'm trying to configure the active-response agent on Windows for rule 60204.
The problem is the following. I found a bat script on the Internet that calls a PowerShell script that blocks bad IPs. I put the scripts in C:\Program Files (x86)\ossec-agent\active-response\bin.
In the configuration section in Wazuh Manager, I set up a trigger which will call the action:
 <command>
    <name>windowsfirewall</name>
    <executable>firewall.cmd</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
 <active-response>
   <disabled>no</disabled>
   <command>windowsfirewall</command>
   <location>local</location>
   <rules_id>60204</rules_id>
   <timeout>60</timeout>
  <repeated_offenders>60,300,600</repeated_offenders>
  </active-response>
Then, I call event 60122 on the agent, and everything is fine, and the agent adds the bad IP to the Windows firewall. The only thing that does not work is <repeated_offenders>60,300,600</repeated_offenders>. But the question is different. I need rule 60204 'Multiple Windows logon failures' to trigger this action, but when I set the trigger for this rule the active-response doesn't work.
 <command>
    <name>windowsfirewall</name>
    <executable>firewall.cmd</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
 <active-response>
   <disabled>no</disabled>
   <command>windowsfirewall</command>
   <location>local</location>
   <rules_id>60204</rules_id>
   <timeout>60</timeout>
  <repeated_offenders>60,300,600</repeated_offenders>
  </active-response>
I enabled analysisd.debug=2 in /var/ossec/etc/internal_options.conf (the "# Analysisd (server or local)" section).
When I get event 60204 in Wazuh, I see the following in /var/ossec/logs/ossec.log: wazuh-analysisd[3611] json_decoder.c:390 at JSON_Decoder_Exec(): DEBUG: Decoding JSON: '{"win":{"system":{"providerName"'
Please help me configure the agent so that rule 60204 triggers the active-response.
Wazuh Manager - App version: 4.3.5; App revision: 4306
Wazuh Agent - 4.3.5

Regards,
Sergh

Christian Borla

Jul 11, 2022, 2:16:58 PM
to Wazuh mailing list
Hello Sergh!
Thanks for using Wazuh, I hope you are doing fine!

The repeated_offenders functionality will be available for the Windows agent in coming versions.
On the other hand, I think the problem with rule 60204 is that it does not fill the srcip field. Do you have any alert fired by rule 60204?
Maybe it will be necessary to create a custom rule in the json decoder file to capture srcip, like in the following issue.
Let me know if this information is useful to you.
Regards!

Defender

Jul 12, 2022, 2:53:08 AM
to Wazuh mailing list
Hi Christian. Thank you very much for your help!
Yes, I see trigger 60204 on the manager dashboard. But the active-response is not running.
What do I need to do?

Monday, July 11, 2022 at 21:16:58 UTC+3, christi...@wazuh.com:
trigger rule id 60204.json

Defender

Jul 12, 2022, 5:26:26 AM
to Wazuh mailing list
But for this trigger 60122 everything is ok. Active-response is running.
Please help to configure active-response for trigger 60204.

Tuesday, July 12, 2022 at 09:53:08 UTC+3, Defender:
Trigger id 60122.txt

Defender

Jul 12, 2022, 7:19:56 AM
to Wazuh mailing list
Here are two actual examples

Tuesday, July 12, 2022 at 12:26:26 UTC+3, Defender:
trigger id 60122.json
trigger rule id 60204.json

Defender

Jul 12, 2022, 9:26:50 AM
to Wazuh mailing list
Turned on remoted.debug=2 and noticed the difference.
When active-response is successfully executed for trigger 60122, then in the logs:
wazuh-remoted[34510] ar-forward.c:99 at AR_Forward(): DEBUG: Active response sent: #!-execd
When active-response unsuccessfully tries to execute for trigger 60204, then in the logs:
wazuh-remoted[37837] ar-forward.c:40 at AR_Forward(): DEBUG: Active response request received: (local_source) [] NRN 001

Tuesday, July 12, 2022 at 14:19:56 UTC+3, Defender:

Christian Borla

Jul 12, 2022, 10:30:39 AM
to Wazuh mailing list
Hi Sergh!

I hope you are doing fine!!
Yes, the issue here is the alert: it does not include the srcip field. A workaround for this behavior is to include a new decoder which will capture and fill the srcip field from ipAddress.
The file that contains the json decoder is /var/ossec/ruleset/decoders/0006-json_decoders.xml; I replaced the original decoder with the customized decoder (be careful in this section). I don't like modifying default files such as 0006-json_decoders.xml, but I couldn't make it work otherwise.

Original decoder:

<decoder name="json">
  <prematch>^{\s*"</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

Customized decoder:

<decoder name="json">
  <prematch>^{\s*"</prematch>
</decoder>

<decoder name="json_child">
 <parent>json</parent>
 <regex type="pcre2">eventdata.*?"ipAddress":"([^"]+)"</regex>
 <order>srcip</order>
</decoder>

<decoder name="json_child">
  <parent>json</parent>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>


Restart the manager and try again. You can check if the srcip is working by running a sample log with the wazuh-logtest tool.

Example:
# /var/ossec/bin/wazuh-logtest
Type one log per line

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-07-06T07:32:49.393996000Z","eventRecordID":"993504","processID":"712","threadID":"12140","channel":"Security","computer":"pc-name","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tdocumentos tecnicos\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC0000064\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tB_03\r\n\tSource Network Address:\t111.11.111.111\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"documentos tecnicos","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc0000064","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"B_03","keyLength":"0","processId":"0x0","ipAddress":"111.11.111.111","ipPort":"0"}}}

**Phase 1: Completed pre-decoding.
    full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-07-06T07:32:49.393996000Z","eventRecordID":"993504","processID":"712","threadID":"12140","channel":"Security","computer":"pc-name","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tdocumentos tecnicos\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC0000064\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tB_03\r\n\tSource Network Address:\t111.11.111.111\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"documentos tecnicos","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc0000064","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"B_03","keyLength":"0","processId":"0x0","ipAddress":"111.11.111.111","ipPort":"0"}}}'

**Phase 2: Completed decoding.
    name: 'json'
    srcip: '111.11.111.111'                                                                             <--------- new field
    win.eventdata.authenticationPackageName: 'NTLM'
    win.eventdata.failureReason: '%%2313'
    win.eventdata.ipAddress: '111.11.111.111'
    win.eventdata.ipPort: '0'
    win.eventdata.keyLength: '0'
    win.eventdata.logonProcessName: 'NtLmSsp'
    win.eventdata.logonType: '3'
    win.eventdata.processId: '0x0'
    win.eventdata.status: '0xc000006d'
    win.eventdata.subStatus: '0xc0000064'
    win.eventdata.subjectLogonId: '0x0'

That way AR can identify the srcip field as a valid IP and it should work!
Let me know if that works for you.
Regards.

Defender

Jul 12, 2022, 1:19:33 PM
to Wazuh mailing list
Christian, thank you very much for your help! I replaced the original decoder with the customized decoder. Then when I do a check with this log I do see srcip.
But nothing has actually changed. Active-response for rule id 60204 does not work.

Here is the script that runs for 60122 and does not run for 60204.

Thanks @opensecure.co for these scripts.

firewall.cmd
:: Simple script to run Windows Firewall Block
:: The script executes a powershell script and appends output.
@ECHO OFF
ECHO.

"C:\Program Files\PowerShell\7\"pwsh.exe -executionpolicy ByPass -File "C:\Program Files (x86)\ossec-agent\active-response\bin\windowsfirewall.ps1"

:Exit

windowsfirewall.ps1
################################
##Script to add/remove destination ip to windows firewall
################################
##########
##@opensecure.co
##########
# Read the Alert that triggered the Active Response in manager and convert to Array
$INPUT_JSON = Read-Host
$INPUT_ARRAY = $INPUT_JSON | ConvertFrom-Json
$INPUT_ARRAY = $INPUT_ARRAY | ConvertFrom-Json
$ErrorActionPreference = "SilentlyContinue"
$command = $INPUT_ARRAY."command"
$hostip = (Get-WmiObject -Class Win32_NetworkAdapterConfiguration | where {$_.DHCPEnabled -ne $null -and $_.DefaultIPGateway -ne $null}).IPAddress | Select-Object -First 1
$destinationip = $INPUT_ARRAY."parameters"."alert"."data"."win"."eventdata"."ipAddress"  # These fields changed for ip
#Add Destination IP to Windows Firewall
if ( $command -eq 'add' -AND $destinationip -ne '127.0.0.1' -And $destinationip -ne '0.0.0.0' -And $destinationip -ne $hostip )
{
New-NetFirewallRule -DisplayName "Wazuh Active Response - $destinationip" -Direction Inbound -LocalPort Any -Protocol Any -Action Block -RemoteAddress $destinationip
echo  "$destinationip added to blocklist via Windows Firewall" | ConvertTo-Json -Compress | Out-File -width 2000 C:\"Program Files (x86)"\ossec-agent\active-response\active-responses.log -Append -Encoding ascii
}

#Remove Destination IP from Windows Firewall
if ( $command -eq 'delete' -AND $destinationip -ne '127.0.0.1' -And $destinationip -ne '0.0.0.0' -And $destinationip -ne $hostip )
{
Remove-NetFirewallRule -DisplayName "Wazuh Active Response - $destinationip"
echo  "$destinationip removed from blocklist via Windows Firewall" | ConvertTo-Json -Compress | Out-File -width 2000 C:\"Program Files (x86)"\ossec-agent\active-response\active-responses.log -Append -Encoding ascii
}



Tuesday, July 12, 2022 at 17:30:39 UTC+3, christi...@wazuh.com:

Defender

Jul 13, 2022, 2:07:21 AM
to Wazuh mailing list
If I understood correctly, a new srcip field should be added to the alerts. But it isn't.
Tuesday, July 12, 2022 at 20:19:33 UTC+3, Defender:
trigger 60204.jpg

Christian Borla

Jul 13, 2022, 3:31:49 PM
to Wazuh mailing list
Hi Sergh!
Sorry for the delay! I hope you are doing fine. It should include the srcip field after updating and restarting the manager. Did you check with the wazuh-logtest tool?
On the other hand, maybe it could be a size issue. I think it should work, but maybe calling powershell from cmd trims the alert, and it fails.
You can do some tests for that: check if no_full_log is set on rule id="60204" to reduce the size of the alert; the file is /var/ossec/ruleset/rules/0580-win-security_rules.xml

  <rule id="60204" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_field>win.eventdata.ipAddress</same_field>
    <options>no_full_log</options>
    <description>Multiple Windows logon failures.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,gdpr_IV_32.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

Here you have a launcher example script, similar to firewall.cmd:

@echo off
setlocal enableDelayedExpansion
set ARPATH="%programfiles(x86)%\ossec-agent\active-response\bin\\"

if "%~1" equ "" (
    set /p input=

    set aux=!input:*"extra_args":[=!
    for /f "tokens=1 delims=]" %%a in ("!aux!") do (
        set aux=%%a
    )
    set script=!aux:~1,-1!

    if exist "!ARPATH!!script!" (
        echo !input! >alert.txt
        start /b cmd /c "%~f0" child !script!
    )
    exit /b
)

set "name=%~1"
goto !name!

:child
copy nul pipe.txt >nul
"%~f0" launcher >pipe.txt | powershell -ExecutionPolicy Bypass -File !ARPATH!%~2 <pipe.txt
del pipe.txt
exit /b

:launcher
for /f "delims=" %%a in (alert.txt) do (
    set output=%%a
)
echo(!output!
del alert.txt
exit /b

Here the limitation is 'set /p input=': it works with alerts of less than 1024 characters.
I think we are in the same situation here.
I will continue working on this, and I will come back as soon as I have more information.

Regards.

Defender

Jul 13, 2022, 5:41:07 PM
to Wazuh mailing list
Hi Christian. Thank you very much for your help and support!
Yes, I added the new decoder, then rebooted the server.
This is very interesting. When I tested the log you indicated in wazuh-logtest, I saw the srcip field. But when I test the alert from Wazuh, I don't see this field. I don't know why.
I am attaching the fresh alert 60204 and its test in wazuh-logtest.
Checked no_full_log; the field is enabled.
Apologies for the link. Google didn't allow me to attach a 20 MB GIF.

60204 rulset.jpg
srcip in Chrisitan example.jpg
Decoder.jpg
alert 60204(json).txt

Christian Borla

Jul 14, 2022, 3:09:46 PM
to Wazuh mailing list
Hi Sergh!
Sorry for the delay! I hope you are doing fine!

I'm almost sure the issue is the size of the alert: alert 60204 includes the alerts that trigger it in the field previous_output, and the logon has to fail 8 times to trigger it.
As a test you can reduce the frequency parameter, change it to 3 or 2.
The file is: 
/var/ossec/ruleset/rules/0580-win-security_rules.xml

  <rule id="60204" level="10" frequency="3" timeframe="240">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_field>win.eventdata.ipAddress</same_field>
    <options>no_full_log</options>
    <description>Multiple Windows logon failures.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,gdpr_IV_32.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_SI.4,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>


After updating it, restart the manager, then make it fail and check if active response fires.
Please let me know the result.
Regards.

Defender

Jul 14, 2022, 4:56:37 PM
to Wazuh mailing list
Hi Christian! Thank you so much for your Support!
Yes, really! If I put frequency=2, the active-response works! Anything greater than 2 does not work. But 2 is not enough for brute force.
Is it possible to make it work at 5 ?

Thursday, July 14, 2022 at 22:09:46 UTC+3, christi...@wazuh.com:

Christian Borla

Jul 14, 2022, 9:00:59 PM
to Wazuh mailing list
Hi Sergh!
Good to know. The problem is in firewall.cmd: I think the ByPass command trims the alert, and the JSON format check in windowsfirewall.ps1 fails. Maybe printing the input as it arrives at each script will show the problem.


firewall.cmd
:: Simple script to run Windows Firewall Block
:: The script executes a powershell script and appends output.
@ECHO OFF
ECHO.
"C:\Program Files\PowerShell\7\"pwsh.exe -executionpolicy ByPass -File "C:\Program Files (x86)\ossec-agent\active-response\bin\windowsfirewall.ps1"
:Exit

The problem with rule 60204 is that it includes in the alert the alerts that triggered it. The frequency is 8 by default, so 8 JSON alerts are included; I think that is around 20,000 characters. We have to ensure that ByPass can handle the alert size before setting the frequency to 5. Regarding command prompt limits, I found this link

Another option is to try to move the logic to Python. In that link, after explaining the Linux section, it converts the same code to an executable application for Windows, and it uses a launcher, similar to what you did.
Let me know if this information is useful. I'll keep looking for more information; let me know if you find something.
Regards.
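
As an added example (not code from this thread, from @opensecure.co or from Wazuh itself), here is a Python handler along the lines Christian suggests: it reads the whole message from stdin, so cmd's 1024-character `set /p` limit and the single-line Read-Host no longer cut the 60204 alert, picks the IP from the field each rule uses (60204's win.eventdata.ipAddress, the custom Sysmon rule 300111's win.eventdata.sourceIp), validates it, and returns the firewall cmdlet instead of running it. The IP_FIELDS mapping and make_message sample builder are constructed for this example; the message layout follows what wazuh-execd writes to AR scripts.

```python
import ipaddress
import json
import sys

# Where the attacker address lives in the alert, per rule discussed in the
# thread (a hypothetical mapping for this example; extend it for other rules).
IP_FIELDS = {
    "60122": ("win", "eventdata", "ipAddress"),  # single logon failure
    "60204": ("win", "eventdata", "ipAddress"),  # Multiple Windows logon failures
    "300111": ("win", "eventdata", "sourceIp"),  # custom Sysmon event 3, RuleName RDP
}


def dig(obj, path):
    """Walk nested dicts along path; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def handle(raw, local_ips=()):
    """Process one Wazuh active-response message (the JSON wazuh-execd writes
    to the script's stdin). Returns ("ok", powershell_cmdlet) or
    ("error", reason). Nothing is executed here; the caller decides."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        # A message cut at 1024 characters by cmd's `set /p` lands here.
        return "error", f"alert is not complete JSON: {exc.msg}"
    command = msg.get("command")
    if command not in ("add", "delete"):
        return "error", f"unsupported command: {command!r}"
    alert = dig(msg, ("parameters", "alert")) or {}
    rule_id = str(dig(alert, ("rule", "id")))
    path = IP_FIELDS.get(rule_id)
    if path is None:
        return "error", f"no IP field mapping for rule {rule_id}"
    value = dig(alert, ("data",) + path)
    if value is None:
        return "error", f"field {'.'.join(path)} missing from alert"
    try:
        addr = ipaddress.ip_address(value)  # rejects '-' or a hostname
    except ValueError:
        return "error", f"not an IP address: {value!r}"
    # Same exclusions as the original script: 0.0.0.0, loopback, the host itself.
    if addr.is_unspecified or addr.is_loopback or str(addr) in local_ips:
        return "error", f"refusing to block {addr}"
    name = f"Wazuh Active Response - {addr}"
    if command == "add":
        return "ok", (f'New-NetFirewallRule -DisplayName "{name}" -Direction Inbound '
                      f'-Protocol Any -Action Block -RemoteAddress {addr}')
    return "ok", f'Remove-NetFirewallRule -DisplayName "{name}"'


def make_message(command, rule_id, data, previous_output=""):
    """Constructed message in the shape wazuh-execd sends to AR scripts."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": command,
        "parameters": {"extra_args": [], "alert": {
            "rule": {"id": rule_id}, "data": data,
            "previous_output": previous_output}},
    })


# Constructed samples: a 60204 alert padded the way previous_output (the eight
# triggering 4625 alerts) pushes it far past 1024 characters, and a Sysmon one.
SAMPLE_60204 = make_message(
    "add", "60204", {"win": {"eventdata": {"ipAddress": "111.11.111.111"}}},
    previous_output="{...}" * 600)
SAMPLE_300111 = make_message(
    "add", "300111", {"win": {"eventdata": {"sourceIp": "95.31.244.207"}}})


def main():
    raw = sys.stdin.read()  # whole message, not one line as Read-Host or set /p read
    status, detail = handle(raw)
    if status == "error":
        print(f"wazuh-ar: {detail}", file=sys.stderr)
        return 1
    print(detail)  # the cmdlet to run; wire it to pwsh as the deployment requires
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Feeding SAMPLE_60204 cut to its first 1024 characters into handle() reproduces the failure the thread is chasing (incomplete JSON), while the full message resolves to the block rule for 111.11.111.111.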

Defender

Jul 15, 2022, 4:53:40 AM
to Wazuh mailing list
Hi Christian! Thanks for all your help!
Please help me to configure the launch of the script using launcher.cmd https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response.html#custom-active-response-linux-example
I don't really understand how to configure it correctly

Friday, July 15, 2022 at 04:00:59 UTC+3, christi...@wazuh.com:

Defender

Jul 15, 2022, 6:29:08 PM
to Wazuh mailing list
I found another way out.
To configure Active-Response on brute force using Sysmon, I configured it to get the logs from Sysmon. And then I came up against a problem.
I am not getting sysmon_event_id-3 (RuleName: RDP). But I get sysmon_event_id-3 (Usermode).
Please help me to configure getting sysmon_event_id-3 (RuleName: RDP).
Maybe then I will solve my problem.
Friday, July 15, 2022 at 11:53:40 UTC+3, Defender:
sysmon rule id 61605.jpg
61605.json
sysmon_event_3_RDP.jpg
sysmon_event_3_Telegram.jpg

Christian Borla

Jul 18, 2022, 10:27:36 AM
to Wazuh mailing list
Hello Sergh!
I hope you are doing fine! Sorry for the delay!

Please look for some sysmon_event_id-3 (RuleName: RDP) in /var/ossec/logs/archives/archives.json on the Wazuh manager side.

To enable the archives.json file, edit /var/ossec/etc/ossec.conf on the manager side and add <logall_json>yes</logall_json>:

<ossec_config>
  <global>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

Then restart the manager. If you find some sysmon_event_id-3 (RuleName: RDP) events, we can create a decoder and a rule to fire an alert. Please share the JSON string from archives.json.
Let me know if that works.
Regards.

Defender

Jul 18, 2022, 1:36:36 PM
to Wazuh mailing list
Hi Christian! Thanks for your support!
I am attaching the archives.json sysmon_rdp alert.

Monday, July 18, 2022 at 17:27:36 UTC+3, christi...@wazuh.com:
Sysmon_RDP.txt

Christian Borla

Jul 18, 2022, 9:08:44 PM
to Wazuh mailing list
Hello Sergh!
I hope you are doing fine! 
I made a rule to match the Sysmon event; I used 3 fields to make it as specific as possible. Add the following rule to /var/ossec/etc/rules/local_rules.xml on the manager side, then restart the manager.

 <rule id="300111" level="9">
    <decoded_as>json</decoded_as>
    <field name="win.system.channel" type="pcre2">^Microsoft-Windows-Sysmon\/Operational$</field>
    <field name="win.system.eventID">3</field>
    <field name="win.eventdata.ruleName">^RDP$</field>
    <description>sysmon_event_id-3 (RuleName: RDP)</description>
    <options>no_full_log</options>
 </rule>


You can test the rule with the wazuh-logtest tool; I extracted the raw event from the archives.json string.

/var/ossec/bin/wazuh-logtest
Type one log per line

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-18T17:27:53.9799805Z","eventRecordID":"97941","processID":"4364","threadID":"5504","channel":"Microsoft-Windows-Sysmon/Operational","computer":"pc-name.my.domain.local","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: RDP\r\nUtcTime: 2022-07-18 17:27:52.129\r\nProcessGuid: {8de37f55-59ac-62d5-1600-000000003e00}\r\nProcessId: 1552\r\nImage: C:\\Windows\\System32\\svchost.exe\r\nUser: NT AUTHORITY\\NETWORK SERVICE\r\nProtocol: tcp\r\nInitiated: false\r\nSourceIsIpv6: false\r\nSourceIp: 95.31.244.207\r\nSourceHostname: 0547890134.clatir.corlina.co\r\nSourcePort: 54208\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 10.40.1.200\r\nDestinationHostname: pc-name.my.domain.local\r\nDestinationPort: 3389\r\nDestinationPortName: ms-wbt-server\""},"eventdata":{"ruleName":"RDP","utcTime":"2022-07-18 17:27:52.129","processGuid":"{8de37f55-59ac-62d5-1600-000000003e00}","processId":"1552","image":"C:\\\\Windows\\\\System32\\\\svchost.exe","user":"NT AUTHORITY\\\\NETWORK SERVICE","protocol":"tcp","initiated":"false","sourceIsIpv6":"false","sourceIp":"95.31.244.207","sourceHostname":"0547890134.clatir.corlina.co","sourcePort":"54208","destinationIsIpv6":"false","destinationIp":"10.40.1.200","destinationHostname":"pc-name.my.domain.local","destinationPort":"3389","destinationPortName":"ms-wbt-server"}}}

**Phase 1: Completed pre-decoding.


**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.destinationHostname: 'pc-name.my.domain.local'
    win.eventdata.destinationIp: '10.40.1.200'
    win.eventdata.destinationIsIpv6: 'false'
    win.eventdata.destinationPort: '3389'
    win.eventdata.destinationPortName: 'ms-wbt-server'
    win.eventdata.image: 'C:\\Windows\\System32\\svchost.exe'
    win.eventdata.initiated: 'false'
    win.eventdata.processGuid: '{8de37f55-59ac-62d5-1600-000000003e00}'
    win.eventdata.processId: '1552'
    win.eventdata.protocol: 'tcp'
    win.eventdata.ruleName: 'RDP'
    win.eventdata.sourceHostname: '0547890134.clatir.corlina.co'
    win.eventdata.sourceIp: '95.31.244.207'
    win.eventdata.sourceIsIpv6: 'false'
    win.eventdata.sourcePort: '54208'
    win.eventdata.user: 'NT AUTHORITY\\NETWORK SERVICE'
    win.eventdata.utcTime: '2022-07-18 17:27:52.129'
    win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
    win.system.computer: 'pc-name.my.domain.local'
    win.system.eventID: '3'
    win.system.eventRecordID: '97941'
    win.system.keywords: '0x8000000000000000'
    win.system.level: '4'
    win.system.message: '"Network connection detected:
RuleName: RDP
UtcTime: 2022-07-18 17:27:52.129
ProcessGuid: {8de37f55-59ac-62d5-1600-000000003e00}
ProcessId: 1552
Image: C:\Windows\System32\svchost.exe
User: NT AUTHORITY\NETWORK SERVICE
Protocol: tcp
Initiated: false
SourceIsIpv6: false
SourceIp: 95.31.244.207
SourceHostname: 0547890134.clatir.corlina.co
SourcePort: 54208
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 10.40.1.200
DestinationHostname: pc-name.my.domain.local
DestinationPort: 3389
DestinationPortName: ms-wbt-server"'
    win.system.opcode: '0'
    win.system.processID: '4364'
    win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
    win.system.providerName: 'Microsoft-Windows-Sysmon'
    win.system.severityValue: 'INFORMATION'
    win.system.systemTime: '2022-07-18T17:27:53.9799805Z'
    win.system.task: '3'
    win.system.threadID: '5504'
    win.system.version: '5'

**Phase 3: Completed filtering (rules).
    id: '300111'
    level: '7'
    description: 'sysmon_event_id-3 (RuleName: RDP)'
    groups: '['hp', 'custom']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

As you can see, it processes the full event as JSON and fires an alert (**Alert to be generated.).
Use the custom rule id as an input of your active response configuration (rule 300111 in this example) and modify the script to use the field win.eventdata.sourceIp: '95.31.244.207'.
Let me know if this is useful to you.
Regards!

Defender

Jul 19, 2022, 2:27:35 AM
to Wazuh mailing list
Hi Christian. Thanks for all your help!
I created the rule as you instructed.
When I test in /var/ossec/bin/wazuh-logtest
I see **Phase 1: Completed pre-decoding. Then I see **Phase 2: Completed decoding. But I don't see **Phase 3: Completed filtering (rules).
And that's why the alert doesn't show up.

Tuesday, July 19, 2022 at 04:08:44 UTC+3, christi...@wazuh.com:
300111.jpg

Defender

Jul 19, 2022, 2:56:40 AM
to Wazuh mailing list
But when I test your example I see phase 3

Tuesday, July 19, 2022 at 09:27:35 UTC+3, Defender:
Christian example.jpg

Defender

Jul 19, 2022, 5:32:03 AM
to Wazuh mailing list
Tried it on another server manager and it works! + Found the standard rule 92105.
I will write later about Active Response for Sysmon RDP rule.
Thanks a lot, Christian!
Tuesday, July 19, 2022 at 09:56:40 UTC+3, Defender:

Christian Borla

Jul 19, 2022, 8:48:57 AM
to Wazuh mailing list
Hello Sergh!
Great!!! Let me know if AR works!
Regards!

Defender

Jul 19, 2022, 3:04:23 PM
to Wazuh mailing list
It works very interestingly)
The maximum number of sysmon rdp detections for active-response that works = 3.
But Microsoft documentation says the maximum character length for cmd = 8191.
And the length of one sysmon rdp alert = 1539.
It means that the maximum number of attempts for the sysmon rdp alert for active-response that should work is 5. But it doesn't work.
I also noticed one more interesting thing. I set the local rule BruteForce sysmon rdp = 8. Active-response didn't work. But as soon as I restarted the agent, the blocking rule in the firewall appeared immediately.
Tuesday, July 19, 2022 at 15:48:57 UTC+3, christi...@wazuh.com:

isaactyy

Jan 27, 2023, 2:08:54 AM
to Wazuh mailing list
Dear Christian & Sergh, 

Hi there. I'm currently trying to configure active response to drop RDP 60204 too. I'm facing the same problem using the two scripts (cmd & ps1) to be invoked on the Windows agent side for active response: there is no response at all, even after changing 60204's frequency parameter to 3 or 2, but I am able to detect 60122 and 60204.

I'm currently trying to use Sysmon to trigger on RDP brute-force attacks. Is there any documentation I can refer to for using Sysmon to activate a firewall drop on Windows? I have downloaded Sysmon for Windows.

Please guide me along.


Thanks & Best Regards,
Isaac
