Jonathan G.

Sep 6, 2023, 4:24:58 AM
to Wazuh | Mailing List
Hello,

I am trying to make a rule with a hash, but I can't get the hash I want.

I see this field
data.win.eventdata.hashes SHA1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,MD5=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,SHA256=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,IMPHASH=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I want only one of them; how can I take only SHA1, for example? I tried "data.win.eventdata.hashes.SHA1" but it doesn't work.

I want to write a rule like this:

<rule id="119016" level="3">
  <if_sid>92151</if_sid>
  <list field="data.win.eventdata.hashes">etc/lists/well-know-hashes</list>
  <description>Well-know hashes.</description>
</rule>

and put the SHA256 hash in this list.

Hope you can help me, thanks !
Ifeanyi Onyia Odike

Sep 7, 2023, 7:32:22 AM
to Wazuh | Mailing List
Hi Jonathan,

Thank you for using Wazuh!
Can you please share the log you would like to create an alert for?

Regards,

Jonathan G.

Sep 11, 2023, 10:23:28 AM
to Wazuh | Mailing List
Hi Ifeanyi Onyia Odike,

Here is a log I found:

{"timestamp":"2023-09-05T01:52:52.041+0200","rule":{"level":12,"description":"Binary loaded PowerShell automation library - Possible unmanaged Powershell execution by suspicious process","id":"92151","mitre":{"id":["T1059.001"],"tactic":["Execution"],"technique":["PowerShell"]},"firedtimes":4,"mail":true,"groups":["sysmon","sysmon_eid7_detections","windows"]},"agent":{"id":"232","name":"PC","ip":"10.10.10.10"},"manager":{"name":"WAZUH"},"id":"1693871572.323904892","cluster":{"name":"wazuh","node":"master-node"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"7","version":"3","level":"4","task":"7","opcode":"0","keywords":"0x8000000000000000","systemTime":"2023-09-04T23:52:51.0530447Z","eventRecordID":"1236707","processID":"4596","threadID":"6612","channel":"Microsoft-Windows-Sysmon/Operational","computer":"PC.DOMAIN","severityValue":"INFORMATION","message":"\"Image loaded:\r\nRuleName: technique_id=T1059.001,technique_name=PowerShell\r\nUtcTime: 2023-09-04 23:52:51.038\r\nProcessGuid: {b04789ea-6dd2-64f6-5528-010000002400}\r\nProcessId: 18892\r\nImage: C:\\Windows\\SysWOW64\\rundll32.exe\r\nImageLoaded: C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll\r\nFileVersion: 10.0.19041.3031\r\nDescription: System.Management.Automation\r\nProduct: Microsoft (R) Windows (R) Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: System.Management.Automation.dll\r\nHashes: SHA1=F82EEF87D70F470EF7ED53A0801D6AAB3772D3D6,MD5=469F4EA26835A0B79D6A04EB5D4B5F4F,SHA256=A31FAC6BD655161FF9E56C92856E34129AA02285A77B3D6474BD8310CF29C1C1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA\r\nSigned: true\r\nSignature: Microsoft Windows\r\nSignatureStatus: Valid\r\nUser: AUTORITE NT\\Système\""},"eventdata":{"ruleName":"technique_id=T1059.001,technique_name=PowerShell","utcTime":"2023-09-04 23:52:51.038","processGuid":"{b04789ea-6dd2-64f6-5528-010000002400}","processId":"18892","image":"C:\\\\Windows\\\\SysWOW64\\\\rundll32.exe","imageLoaded":"C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC_MSIL\\\\System.Management.Automation\\\\v4.0_3.0.0.0__31bf3856ad364e35\\\\System.Management.Automation.dll","fileVersion":"10.0.19041.3031","description":"System.Management.Automation","product":"Microsoft (R) Windows (R) Operating System","company":"Microsoft Corporation","originalFileName":"System.Management.Automation.dll","hashes":"SHA1=F82EEF87D70F470EF7ED53A0801D6AAB3772D3D6,MD5=469F4EA26835A0B79D6A04EB5D4B5F4F,SHA256=A31FAC6BD655161FF9E56C92856E34129AA02285A77B3D6474BD8310CF29C1C1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA","signed":"true","signature":"Microsoft Windows","signatureStatus":"Valid","user":"AUTORITE NT\\\\Système"}}},"location":"EventChannel"}
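
Added example (editor's code, not Wazuh's rule engine and not written by anyone in this thread): the Sysmon `Hashes` value that the `windows_eventchannel` decoder stores in `data.win.eventdata.hashes` is a single comma-separated string, one `ALGO=hex` pair per algorithm Sysmon was configured to compute, and a CDB lookup compares the whole field value against the list keys, so that combined string never equals a bare hash. The block below splits the field into its individual algorithms, validates each one by hex length, and looks up only the chosen algorithm against a `key:value` list in the same text layout a Wazuh CDB list source file uses. The hashes string is the one from the alert posted above; the list contents and its labels are constructed for the example, and lowercasing keys is this example's own choice.

```python
"""Split a Sysmon 'Hashes' field into per-algorithm values and look one of
them up in a CDB-style key:value list (added example, not Wazuh code)."""
import re
from typing import Dict, Optional

# Taken from data.win.eventdata.hashes in the alert posted in this thread.
POSTED_HASHES = (
    "SHA1=F82EEF87D70F470EF7ED53A0801D6AAB3772D3D6,"
    "MD5=469F4EA26835A0B79D6A04EB5D4B5F4F,"
    "SHA256=A31FAC6BD655161FF9E56C92856E34129AA02285A77B3D6474BD8310CF29C1C1,"
    "IMPHASH=DAE02F32A21E03CE65412F6E56942DAA"
)

# Constructed list in key:value layout. The SHA256 is the one from the alert,
# labelled with the DLL name; the second entry is a made-up placeholder key.
WELL_KNOWN_LIST = """\
# well-known SHA256 hashes (constructed for this example)
A31FAC6BD655161FF9E56C92856E34129AA02285A77B3D6474BD8310CF29C1C1:System.Management.Automation.dll
0000000000000000000000000000000000000000000000000000000000000000:placeholder
"""

# Expected hex digit count per algorithm; used to reject truncated values.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "IMPHASH": 32}


def parse_hashes(field: str) -> Dict[str, str]:
    """Return {ALGO: lowercase hex} for every well-formed ALGO=value pair.

    Sysmon emits one pair per configured hash algorithm, so the field may
    carry one, several or all four algorithms; unknown names and values of
    the wrong length are dropped rather than guessed at.
    """
    found: Dict[str, str] = {}
    for pair in field.split(","):
        algo, sep, value = pair.partition("=")
        if not sep:
            continue
        algo = algo.strip().upper()
        value = value.strip().lower()
        expected = HEX_LEN.get(algo)
        if expected and re.fullmatch("[0-9a-f]{%d}" % expected, value):
            found[algo] = value
    return found


def load_cdb_list(text: str) -> Dict[str, str]:
    """Parse 'key:value' lines; blank lines and '#' comments are skipped.

    Keys are lowercased here so the lookup is case-insensitive regardless
    of how the hash was written in the list (this example's own choice).
    """
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entries[key.strip().lower()] = value.strip()
    return entries


def match_hash(field: str, cdb: Dict[str, str], algo: str = "SHA256") -> Optional[str]:
    """Isolate one algorithm from the combined field and look only it up.

    Returns the list value (here a label) on a hit, None when the field
    lacks that algorithm or the hash is not in the list.
    """
    digest = parse_hashes(field).get(algo.upper())
    if digest is None:
        return None
    return cdb.get(digest)


if __name__ == "__main__":
    cdb = load_cdb_list(WELL_KNOWN_LIST)
    print(parse_hashes(POSTED_HASHES))
    print("SHA256 hit:", match_hash(POSTED_HASHES, cdb))
    # The whole field as a key never matches, which is why a list lookup on
    # the unsplit hashes field finds nothing.
    print("whole-field hit:", cdb.get(POSTED_HASHES.lower()))
```

Running it shows the four parsed algorithms, a hit on SHA256 and no hit for the unsplit field; the same split has to happen before Wazuh's lookup, whether by a custom decoder that populates a separate field or by limiting Sysmon's configured hash algorithms so the field holds a single value.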

Ifeanyi Onyia Odike

Sep 12, 2023, 2:23:56 PM
to Wazuh | Mailing List
Hi Jonathan,

I will look at this log and respond to you as soon as I can.
Please hold.

Regards,

Jonathan G.

Sep 13, 2023, 8:14:44 AM
to Wazuh | Mailing List
Hi

Ok thanks :)

Jonathan G.

Sep 25, 2023, 7:46:31 AM
to Wazuh | Mailing List
Hello Ifeanyi Onyia Odike,

Any news?

Ifeanyi Onyia Odike

Sep 25, 2023, 9:33:11 AM
to Wazuh | Mailing List
Hi Jonathan,

I'm sorry for not getting back to you sooner.

I had a second look at this issue.

I advise using the Wazuh Malware detection capability, specifically the CDB lists and threat intelligence.

Once set up, all you have to do is include the malicious hash in the list.
You can always update the list according to your preferences.

I hope this helps.
Let me know if this meets your requirements or if you have further questions.

Regards,

Jonathan G.

Sep 26, 2023, 11:23:14 AM
to Wazuh | Mailing List
Hi,

I will try this. Thanks.