custom rule to detect Windows Event ID 4723


Simon Wong

Apr 10, 2024, 12:58:00 PM
to Wazuh | Mailing List
Dear Wazuh support,

I have written a custom rule to detect a privileged account resetting its own password, which is supposedly not allowed.

<!-- The opening <group> tag was missing from the post; the group name "local," is a placeholder. -->
<group name="local,">
  <rule id="100612" level="10">
    <field name="win.system.eventID">^4723$</field>
    <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/yl-breakglass-user-list</list>
    <description>Attempt was made to reset own password by breakglass account $(win.eventdata.targetUserName)</description>
  </rule>
</group>


I have tested the rules with the sample event in ruleset test.

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4723","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-04-10T16:03:26.441520800Z","eventRecordID":"57381","processID":"640","threadID":"748","channel":"Security","computer":"WIN-J84F9QGGKVR.redteamleaders.com","severityValue":"AUDIT_SUCCESS","message":"\"An attempt was made to change an account's password.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-4191840055-282165865-653649976-1221\r\n\tAccount Name:\t\tbreakglassadmin01\r\n\tAccount Domain:\t\tredteamleaders\r\n\tLogon ID:\t\t0x545DD5\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-4191840055-282165865-653649976-1221\r\n\tAccount Name:\t\tbreakglassadmin01\r\n\tAccount Domain:\t\tredteamleaders\r\n\r\nAdditional Information:\r\n\tPrivileges\t\t-\""},"eventdata":{"targetUserName":"breakglassadmin01","targetDomainName":"redteamleaders","targetSid":"S-1-5-21-4191840055-282165865-653649976-1221","subjectUserSid":"S-1-5-21-4191840055-282165865-653649976-1221","subjectUserName":"breakglassadmin01","subjectDomainName":"redteamleaders","subjectLogonId":"0x545dd5"}}}

The ruleset test shows that the alerts were fired successfully, but they never show up in the event dashboard. Do you have any idea?


Regards,

Simon

[Attachment: Screenshot 2024-04-11 at 00.30.13.png]

Dario Menten

Apr 15, 2024, 10:23:26 AM
to Wazuh | Mailing List

Hello Simon,
Thank you for posting in the community.

I see the rule is not linked to any other rule (or rule group) or decoder. That may be the cause; I recommend linking it to the rule group windows, like this:

<rule id="100612" level="10">
  <if_group>windows</if_group>
  <field name="win.system.eventID">^4723$</field>
  <list field="win.eventdata.targetUserName" lookup="match_key">etc/lists/yl-breakglass-user-list</list>
  <description>Attempt was made to reset own password by breakglass account $(win.eventdata.targetUserName)</description>
</rule>

That way it will match every event from the Windows Event Channel rules and then check whether the eventID is 4723 and the targetUserName is in the CDB list mentioned.
I hope this helps.
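To make the rule's conditions concrete offline, here is an added Python simulation (not Wazuh code and not from either poster) that evaluates the two checks of rule 100612 against the 4723 event from the thread: the `^4723$` regex on win.system.eventID and the match_key lookup of win.eventdata.targetUserName in a constructed key:value CDB list. It also applies one check the posted rule does not make, that subjectUserName equals targetUserName, which is what distinguishes a self-reset from an admin resetting a break-glass account's password. The event fields and list content are constructed from the sample in the thread; the list name and the second user are assumptions.

```python
import json
import re

# Constructed sample: the 4723 event from the thread, reduced to the fields the rule reads.
SAMPLE_EVENT = {
    "win": {
        "system": {"eventID": "4723", "channel": "Security"},
        "eventdata": {
            "targetUserName": "breakglassadmin01",
            "subjectUserName": "breakglassadmin01",
        },
    }
}

# Constructed CDB list content in key:value form (what etc/lists/yl-breakglass-user-list would hold).
# The second account name is an assumption for illustration.
CDB_LIST_TEXT = """breakglassadmin01:breakglass
breakglassadmin02:breakglass
"""


def load_cdb_keys(text):
    """Return the set of keys from key:value lines; blank and comment lines are ignored."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keys.add(line.split(":", 1)[0])
    return keys


def get_field(event, dotted):
    """Walk a dotted field name such as win.system.eventID through nested dicts."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_100612_matches(event, breakglass_keys):
    """Mirror the two conditions of the posted rule: eventID regex and list key lookup."""
    event_id = get_field(event, "win.system.eventID")
    if event_id is None or not re.search(r"^4723$", str(event_id)):
        return False
    target = get_field(event, "win.eventdata.targetUserName")
    return target in breakglass_keys


def is_self_reset(event):
    """Extra condition the posted rule does not check: subject and target are the same account."""
    subject = get_field(event, "win.eventdata.subjectUserName")
    target = get_field(event, "win.eventdata.targetUserName")
    return subject is not None and subject == target


def evaluate(event, cdb_text=CDB_LIST_TEXT):
    """Return both verdicts so the gap between 'rule fires' and 'own password reset' is visible."""
    keys = load_cdb_keys(cdb_text)
    return {"rule_matches": rule_100612_matches(event, keys), "self_reset": is_self_reset(event)}


if __name__ == "__main__":
    print("thread sample:", evaluate(SAMPLE_EVENT))
    # Constructed variant: a different account (assumed name) changes the break-glass password.
    other = json.loads(json.dumps(SAMPLE_EVENT))
    other["win"]["eventdata"]["subjectUserName"] = "helpdesk01"
    print("other subject:", evaluate(other))
```

Running it shows that the posted rule fires for any 4723 whose target is on the list, whether or not the subject is the same account; if the intent is strictly "resetting its own password", the subject field needs to be compared as well, and the `self_reset` verdict above is where that extra condition would go.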
