Trouble collecting Windows event IDs 4698/4699


serano...@gmail.com

Nov 29, 2022, 6:17:01 AM11/29/22
to Wazuh mailing list
Hi all.
I'm trying to collect the scheduled task audit events in Windows (event IDs 4698/4699), but I keep failing, so I have to ask you for some help.

I've added this rule to my file:
    <rule id="300100" level="9">
        <!--Description: Detects the creation of scheduled tasks in user session from GUI-->
        <!--Date: 2022/11/29-->
        <!--Stefano Serano-->
        <mitre>
            <id>attack.execution</id>
            <id>attack.persistence</id>
            <id>attack.privilege_escalation</id>
            <id>attack.t1053.005</id>
            <id>attack.s0111</id>
            <id>car.2013-08-001</id>
        </mitre>
        <description>Scheduled Task Creation from GUI</description>
        <options>no_full_log</options>
        <group>process_creation,windows,</group>
        <if_sid>60103</if_sid>
        <field name="win.system.eventID" negate="no" type="pcre2">^4698$|^4699$</field>
    </rule>

But whenever I trigger the event, the alert goes to archives.json and I don't know why.

Here is a sample log:

"full_log":"{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4699","version":"1","level":"0","task":"12804","opcode":"0","keywords":"0x8020000000000000","systemTime":"2022-11-29T10:03:14.868233700Z","eventRecordID":"580818","processID":"660","threadID":"4616","channel":"Security","computer":"SOC-DC01.soc-ngway.local","severityValue":"AUDIT_SUCCESS","message":"\"A scheduled task was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-598632658-3456686301-2170191157-500\r\n\tAccount Name:\t\tadministrator\r\n\tAccount Domain:\t\tNGWSOC\r\n\tLogon ID:\t\t0x10176531\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\testone\r\n\tTask Content: \t\t\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t2814749767115427\r\n\tClientProcessId: \t\t\t5260\r\n\tParentProcessId: \t\t\t5904\r\n\tFQDN: \t\t0\r\n\t\""},"eventdata":{"subjectUserSid":"S-1-5-21-598632658-3456686301-2170191157-500","subjectUserName":"administrator","subjectDomainName":"NGWSOC","subjectLogonId":"0x10176531","taskName":"\\\\testone","clientProcessStartKey":"2814749767115427","clientProcessId":"5260","parentProcessId":"5904","rpcCallClientLocality":"0","fQDN":"SOC-DC01.soc-ngway.local"}}}",

Thanks in any case, have a nice day.
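As an added example (not code from the thread or from Wazuh), a small Python checker that applies the custom rule's conditions to the eventchannel JSON shown in the post. It assumes, as the rule's if_sid suggests, that parent rule 60103 only fires for AUDIT_SUCCESS security events; the sample log is constructed from the thread's field names and values.

```python
import json
import re

# Same pcre2 expression as the rule's <field name="win.system.eventID"> element.
EVENT_ID_PATTERN = re.compile(r"^4698$|^4699$")

def make_sample(event_id, severity="AUDIT_SUCCESS"):
    """Constructed full_log shaped like the thread's eventchannel JSON
    (field names and values copied from it, the long message text left out)."""
    return json.dumps({"win": {
        "system": {
            "eventID": event_id,
            "channel": "Security",
            "severityValue": severity,
        },
        "eventdata": {
            "subjectUserName": "administrator",
            "subjectDomainName": "NGWSOC",
            "taskName": "\\testone",
            "clientProcessId": "5260",
        },
    }})

def get_field(event, dotted):
    """Resolve a Wazuh-style dotted field name such as 'win.system.eventID'."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches_scheduled_task_rule(full_log):
    """Apply the rule's conditions; return the fields to alert on, or None."""
    event = json.loads(full_log)
    # Parent rule 60103 is assumed to be Wazuh's "Windows audit success event":
    # without AUDIT_SUCCESS the if_sid chain never reaches the custom rule.
    if get_field(event, "win.system.severityValue") != "AUDIT_SUCCESS":
        return None
    event_id = get_field(event, "win.system.eventID") or ""
    if not EVENT_ID_PATTERN.search(event_id):
        return None
    return {
        "event_id": event_id,
        "action": "created" if event_id == "4698" else "deleted",
        "user": "%s\\%s" % (get_field(event, "win.eventdata.subjectDomainName"),
                            get_field(event, "win.eventdata.subjectUserName")),
        "task": get_field(event, "win.eventdata.taskName"),
        "client_pid": get_field(event, "win.eventdata.clientProcessId"),
    }
```

Feeding the full_log string from archive.json to matches_scheduled_task_rule shows whether the rule's own conditions hold for the event, independently of how wazuh-logtest decodes the pasted line.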


Nicolas Zapata

Nov 29, 2022, 6:28:50 AM11/29/22
to Wazuh mailing list
Hi Stefano, I hope you are fine!

I will be helping you with your problem; just give me a few minutes to analyze it well and I will come back with an answer!
In the meantime, could you test the log you sent with wazuh-logtest and send me the output?

Stefano Serano

Nov 29, 2022, 6:38:12 AM11/29/22
to Nicolas Zapata, Wazuh mailing list
Hi Nicolas.
Thanks for your fast reply.
This is another problem I have: I've tried to ingest the log like this:

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4699","version":"1","level":"0","task":"12804","opcode":"0","keywords":"0x8020000000000000","systemTime":"2022-11-29T10:03:14.868233700Z","eventRecordID":"580818","processID":"660","threadID":"4616","channel":"Security","computer":"SOC-DC01.soc-ngway.local","severityValue":"AUDIT_SUCCESS","message":"\"A scheduled task was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-598632658-3456686301-2170191157-500\r\n\tAccount Name:\t\tadministrator\r\n\tAccount Domain:\t\tNGWSOC\r\n\tLogon ID:\t\t0x10176531\r\n\r\nTask Information:\r\n\tTask Name: \t\t\\testone\r\n\tTask Content: \t\t\r\n\r\nOther Information:\r\n\tProcessCreationTime: \t\t2814749767115427\r\n\tClientProcessId: \t\t\t5260\r\n\tParentProcessId: \t\t\t5904\r\n\tFQDN: \t\t0\r\n\t\""},"eventdata":{"subjectUserSid":"S-1-5-21-598632658-3456686301-2170191157-500","subjectUserName":"administrator","subjectDomainName":"NGWSOC","subjectLogonId":"0x10176531","taskName":"\\\\testone","clientProcessStartKey":"2814749767115427","clientProcessId":"5260","parentProcessId":"5904","rpcCallClientLocality":"0","fQDN":"SOC-DC01.soc-ngway.local"}}}

but it turns out to be decoded as json, while I know for sure the log is decoded correctly when I search for it in archive.json (sample below). What do I have to remove/add to ingest the log correctly?

{
  "timestamp":"2022-11-29T11:18:43.352+0100",
  "agent":{
    "id":"015",
    "name":"SOC-DC01",
    "ip":"192.168.55.20",
    "labels":{
      "agent":{
        "os":"Windows"
      },
      "host":{
        "type":"Server"
      }
    }
  },
  "manager":{
    "name":"wazuh-testrules"
  },
  "id":"1669717123.121483244",
  "cluster":{
    "name":"NGW-SOC-TEST",
    "node":"NGW-SOC-TEST"
  },
  "full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"4699\",\"version\":\"1\",\"level\":\"0\",\"task\":\"12804\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2022-11-29T10:03:14.868233700Z\",\"eventRecordID\":\"580818\",\"processID\":\"660\",\"threadID\":\"4616\",\"channel\":\"Security\",\"computer\":\"SOC-DC01.soc-ngway.local\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"A scheduled task was deleted.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-598632658-3456686301-2170191157-500\\r\\n\\tAccount Name:\\t\\tadministrator\\r\\n\\tAccount Domain:\\t\\tNGWSOC\\r\\n\\tLogon ID:\\t\\t0x10176531\\r\\n\\r\\nTask Information:\\r\\n\\tTask Name: \\t\\t\\\\testone\\r\\n\\tTask Content: \\t\\t\\r\\n\\r\\nOther Information:\\r\\n\\tProcessCreationTime: \\t\\t2814749767115427\\r\\n\\tClientProcessId: \\t\\t\\t5260\\r\\n\\tParentProcessId: \\t\\t\\t5904\\r\\n\\tFQDN: \\t\\t0\\r\\n\\t\\\"\"},\"eventdata\":{\"subjectUserSid\":\"S-1-5-21-598632658-3456686301-2170191157-500\",\"subjectUserName\":\"administrator\",\"subjectDomainName\":\"NGWSOC\",\"subjectLogonId\":\"0x10176531\",\"taskName\":\"\\\\\\\\testone\",\"clientProcessStartKey\":\"2814749767115427\",\"clientProcessId\":\"5260\",\"parentProcessId\":\"5904\",\"rpcCallClientLocality\":\"0\",\"fQDN\":\"SOC-DC01.soc-ngway.local\"}}}",
  "decoder":{
    "name":"windows_eventchannel"
  },
  "data":{
  "location":"EventChannel"
}


Nicolas Zapata

Nov 29, 2022, 7:20:35 AM11/29/22
to Wazuh mailing list
There is a previous configuration, which is already pre-established by Wazuh by default. That configuration cancels the reading of some Windows events.

I attach the example of this configuration:


  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and
      EventID != 4690 and EventID != 4703 and EventID != 4907 and EventID != 5152 and
     EventID != 5157]</query>

  </localfile>

Please check if the event IDs are there and remove them.

I hope I have been helpful. Please do not hesitate to ask any questions you may have.

Stefano Serano

Nov 29, 2022, 7:55:02 AM11/29/22
to Nicolas Zapata, Wazuh mailing list
Hi.
No, it is not there:

    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>

Anyway, I saw the log coming into the archive.json file, so the event is not excluded by the agent beforehand.

Tiago Teixeira

Oct 13, 2023, 12:36:10 PM10/13/23
to Wazuh | Mailing List
Hi All,

I have the same issue! Any conclusion about the problem?
