a lot of false positives about How to detect Active Directory attacks with Wazuh


Fabio Miotti
Mar 3, 2023, 2:16:24 AM
to Wazuh mailing list
Hello,

After the installation, I receive a lot of false positive messages about "Directory Service Access. Possible DCSync attack" and "Possible Golden Ticket attack": a lot of messages in one hour.

Is there any way to solve the problem?
Thanks

Eduardo Leon Aldazoro
Mar 6, 2023, 4:30:17 PM
to Wazuh mailing list
Hi Fabio, thanks for using Wazuh!

This kind of alert, false positives included, is preventive: it is meant to detect early indications of lateral movement and privilege escalation and to aid in preventing Active Directory attacks.

We recommend looking further into every alert, specifically into the alert's description JSON, to resolve them.

You can check the second part of the blog you mentioned here, where you can see how creating custom rules can generate alerts for specific events to track different Active Directory attack events.

However, another solution to prevent alert flooding for specific rules is lowering the alert level; you can learn how to do this in our documentation here.

Hope this helps you!

Best regards,
Eduardo

Tedew
Mar 12, 2024, 6:02:33 AM
to Wazuh | Mailing List
Hello, I have the same issues as mentioned after implementation of the rules for AD attack detection.
These false positive alerts are mainly between clients and the print server.

Did you find any solution for how to eliminate these alerts?

Thanks

On Wednesday, 18 October 2023 at 21:33:13 UTC+2 Eduardo Mansano wrote:

Hello, how are you guys?
After I made the configuration above, a lot of "Possible Golden Ticket" messages are appearing between 3 servers. They have lateral communication through the Veeam backup tool, but in the alert I can't find this information.

I needed to disable the active response, as it was blocking the host all the time:
<active-response>
    <disabled>yes</disabled>
    <command>netsh</command>
    <location>local</location>
    <level>7</level>
    <rules_id>100100</rules_id>
    <timeout>60</timeout>
</active-response>


Alert fields, as exported from the Wazuh dashboard (field names that the export dropped are given in brackets, inferred from their position in the alphabetical field list):

_index: wazuh-alerts-4.x-2023.10.18
[agent.id]: 007
agent.ip: 10.0.0.6
[agent.name]: *****
data.win.eventdata.authenticationPackageName: NTLM
data.win.eventdata.elevatedToken: %%1842
data.win.eventdata.impersonationLevel: %%1833
data.win.eventdata.ipAddress: 10.0.0.16
data.win.eventdata.ipPort: 58203
data.win.eventdata.keyLength: 128
data.win.eventdata.lmPackageName: NTLM V2
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000}
data.win.eventdata.logonProcessName: NtLmSsp
data.win.eventdata.logonType: 3
data.win.eventdata.processId: 0x0
data.win.eventdata.subjectLogonId: 0x0
data.win.eventdata.subjectUserSid: S-1-0-0
data.win.eventdata.targetDomainName: ****
data.win.eventdata.targetLinkedLogonId: 0x0
data.win.eventdata.targetLogonId: 0x22d9acc1
data.win.eventdata.targetUserName: ger.*****
data.win.eventdata.targetUserSid: S-1-5-21-928559543-438945549-723327098-1001
data.win.eventdata.virtualAccount: %%1843
data.win.eventdata.workstationName: ****
data.win.system.channel: Security
data.win.system.computer: ****
data.win.system.eventID: 4624
data.win.system.eventRecordID: 7021123
data.win.system.keywords: 0x8020000000000000
data.win.system.level: 0
data.win.system.message:
"An account was successfully logged on.
Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0
Logon Information:
    Logon Type:             3
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:         Yes
Impersonation Level:        Impersonation
New Logon:
    Security ID:            S-1-5-21-928559543-438945549-723327098-1001
    Account Name:           ger.backup
    Account Domain:         SKV06
    Logon ID:               0x22D9ACC1
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:             {00000000-0000-0000-0000-000000000000}
Process Information:
    Process ID:             0x0
    Process Name:           -
Network Information:
    Workstation Name:       SKV03
    Source Network Address: 10.0.0.16
    Source Port:            58203
Detailed Authentication Information:
    Logon Process:              NtLmSsp
    Authentication Package:     NTLM
    Transited Services:         -
    Package Name (NTLM only):   NTLM V2
    Key Length:                 128
This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
data.win.system.opcode: 0
data.win.system.processID: 680
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d}
data.win.system.providerName: Microsoft-Windows-Security-Auditing
data.win.system.severityValue: AUDIT_SUCCESS
data.win.system.systemTime: 2023-10-18T14:00:03.3569641Z
data.win.system.task: 12544
data.win.system.threadID: 9648
data.win.system.version: 2
[decoder.name]: windows_eventchannel
id: 1697637605.15838127
input.type: log
location: EventChannel
[manager.name]: SiemServer.startlink.local
rule.description: Possible Golden Ticket attack
rule.firedtimes: 2
rule.groups: security_event, windows
[rule.id]: 110003
rule.level: 12
rule.mail: true
timestamp: Oct 18, 2023 @ 11:00:05.127
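The two pieces of advice in this thread, read the alert JSON to see which account/host pairs are really behind the noise, and then lower the level for just those, can be turned into a small triage script. The following is an added example, not code from Wazuh or from the blog post the thread refers to. It assumes alerts in the wazuh-alerts JSON shape quoted above (rule.id, data.win.eventdata.*), that 110003 is the blog's "Possible Golden Ticket attack" rule as the quoted alert indicates, and that 100900 is a free ID in the local-rules range; the sample alert batch is constructed, modelled on the quoted event (backup account ger.backup logging on from 10.0.0.16 / SKV03).

```python
"""Triage noisy Wazuh 'Possible Golden Ticket attack' alerts and draft a
local_rules.xml override for the account/host pairs reviewed as legitimate.

Added example, not code from Wazuh or from the blog the thread refers to.
Assumes alerts in the wazuh-alerts JSON shape shown in the thread and that
rule 110003 is the blog's Golden Ticket rule (as the quoted alert shows).
"""
import re
from collections import Counter
from xml.sax.saxutils import escape

GOLDEN_TICKET_RULE_ID = "110003"   # rule.id seen in the alert quoted in the thread
OVERRIDE_BASE_ID = 100900          # assumption: an unused ID in the local-rules range


def make_alert(rule_id, user, ip, workstation):
    """Build a minimal alert document in the shape of the one quoted above."""
    return {
        "rule": {"id": rule_id, "description": "Possible Golden Ticket attack"},
        "data": {"win": {"system": {"eventID": "4624"},
                         "eventdata": {"targetUserName": user,
                                       "ipAddress": ip,
                                       "workstationName": workstation,
                                       "logonType": "3",
                                       "authenticationPackageName": "NTLM"}}},
    }


# Constructed sample batch: three hits for the backup account from the backup
# host (the pattern described in the thread), one unrelated single hit, and
# one alert from some other rule (placeholder ID) that must be ignored.
SAMPLE_ALERTS = [
    make_alert("110003", "ger.backup", "10.0.0.16", "SKV03"),
    make_alert("110003", "ger.backup", "10.0.0.16", "SKV03"),
    make_alert("110003", "ger.backup", "10.0.0.16", "SKV03"),
    make_alert("110003", "j.doe", "10.0.0.77", "WS-ACCT-01"),
    make_alert("999999", "j.doe", "10.0.0.77", "WS-ACCT-01"),
]


def is_golden_ticket_alert(alert):
    """True when the alert was raised by the Golden Ticket rule."""
    return alert.get("rule", {}).get("id") == GOLDEN_TICKET_RULE_ID


def noisy_pairs(alerts, min_count=2):
    """Count (account, source IP, workstation) triples behind rule 110003 hits.

    The triple is what tells a scheduled backup or print-server job apart from
    a real forged-ticket session; a one-off hit is left for manual review.
    Returns the triples seen at least `min_count` times, most frequent first.
    """
    counts = Counter()
    for alert in alerts:
        if not is_golden_ticket_alert(alert):
            continue
        ev = alert["data"]["win"]["eventdata"]
        key = (ev.get("targetUserName", "-"), ev.get("ipAddress", "-"),
               ev.get("workstationName", "-"))
        counts[key] += 1
    return [(key, n) for key, n in counts.most_common() if n >= min_count]


def override_rule_xml(pairs, level=3, base_id=OVERRIDE_BASE_ID):
    """Render child rules that downgrade rule 110003 only for the exact
    triples reviewed as legitimate; every other match keeps its level 12.
    """
    lines = ['<group name="local,windows,tuned_false_positive,">']
    for offset, ((user, ip, workstation), _count) in enumerate(pairs):
        desc = escape(f"Rule {GOLDEN_TICKET_RULE_ID} matched reviewed pair "
                      f"{user} from {ip}/{workstation}; downgraded")
        # Anchored, escaped PCRE2 patterns: the override must not widen to
        # other accounts or hosts that merely share a prefix.
        lines += [
            f'  <rule id="{base_id + offset}" level="{level}">',
            f"    <if_sid>{GOLDEN_TICKET_RULE_ID}</if_sid>",
            f'    <field name="win.eventdata.targetUserName" type="pcre2">^{escape(re.escape(user))}$</field>',
            f'    <field name="win.eventdata.ipAddress" type="pcre2">^{escape(re.escape(ip))}$</field>',
            f'    <field name="win.eventdata.workstationName" type="pcre2">^{escape(re.escape(workstation))}$</field>',
            f"    <description>{desc}</description>",
            "  </rule>",
        ]
    lines.append("</group>")
    return "\n".join(lines)


if __name__ == "__main__":
    pairs = noisy_pairs(SAMPLE_ALERTS)
    for (user, ip, ws), n in pairs:
        print(f"{n:3d}x  {user} from {ip} ({ws})")
    print(override_rule_xml(pairs))
```

Because a child rule selected through `if_sid` replaces the parent's level, the downgraded pair no longer reaches the level-12 mail threshold, and an active response keyed on level 7 or higher (as in the quoted configuration) stops firing for it, while the alert is still logged at level 3 for later review and any other account or host that trips rule 110003 keeps the original severity.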
