How to Configure Remote Desktop Logon success or fails monitoring


Black Fish

May 17, 2021, 6:36:18 PM5/17/21
to Wazuh mailing list
Hi All,


I tried the different sources mentioned below, but nothing worked for me. Can anyone provide a step-by-step guide to implement the rules and configuration on the manager and agent side?



Thanks.

Jonathan Martín Valera

May 18, 2021, 5:28:46 AM5/18/21
to Wazuh mailing list

Hi Imranqut,

By default, alerts are generated for successful and failed logins.

For example, when I failed a logon, the following alert was generated:

** Alert 1621322307.827557: - windows,windows_security,win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 May 18 07:18:27 (windows_agent) any->EventChannel
Rule: 60122 (level 5) -> 'Logon Failure - Unknown user or bad password'
  ....

And when I performed a successful logon, the following alert was generated:

** Alert 1621324117.1570036: - windows,windows_security,authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2021 May 18 07:48:37 (windowsc) any->EventChannel
Rule: 60106 (level 3) -> 'Windows Logon Success'
  ....

This is generated using the Security channel, which is enabled by default in the ossec.conf of the Windows agent with the following block:

<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
        EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
        EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
        EventID != 5152 and EventID != 5157]
    </query>
</localfile>

For the particular case of Remote Desktop Logon, as mentioned in the references you have shared, you have to use the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational system channel.

Add the following block to your Windows agent's ossec.conf:

<localfile>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <log_format>eventchannel</log_format>
</localfile>

Next, add the following rule to the /var/ossec/etc/rules/local_rules.xml file on the wazuh-manager side:

<rule id="100100" level="5">
    <if_sid>60009</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational$</field>
    <description>Terminal Services Remote Connection Manager</description>
</rule>

Restart your wazuh-agent and wazuh-manager services to apply the new configuration.

From now on, if you perform a successful remote login, you will see an alert like the following one:

** Alert 1621329638.1903180: - local,syslog,sshd,
2021 May 18 09:20:38 (windowsc) any->EventChannel
Rule: 100100 (level 5) -> 'Terminal Services Remote Connection Manager'
{"win":{"system":{"providerName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","providerGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","eventID":"1149","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x1000000000000000","systemTime":"2021-05-18T09:20:38.595912200Z","eventRecordID":"150","processID":"904","threadID":"5440","channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","computer":"windowsc","severityValue":"INFORMATION","message":"\"Remote Desktop Services: User authentication succeeded:\r\n\r\nUser: qa\r\nDomain: \r\nSource Network Address: 172.16.1.1\""},"eventXML":{"param1":"qa","param3":"172.16.1.1"}}}
win.system.providerName: Microsoft-Windows-TerminalServices-RemoteConnectionManager
win.system.providerGuid: {C76BAA63-AE81-421C-B425-340B4B24157F}
win.system.eventID: 1149
win.system.version: 0
win.system.level: 4
win.system.task: 0
win.system.opcode: 0
win.system.keywords: 0x1000000000000000
win.system.systemTime: 2021-05-18T09:20:38.595912200Z
win.system.eventRecordID: 150
win.system.processID: 904
win.system.threadID: 5440
win.system.channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
win.system.computer: windowsc
win.system.severityValue: INFORMATION
win.system.message: "Remote Desktop Services: User authentication succeeded:

User: qa
Domain: 
Source Network Address: 172.16.1.1"
win.eventXML.param1: qa
win.eventXML.param3: 172.16.1.1

Or, if the remote login fails, you will see the following:

** Alert 1621329558.1846170: - local,syslog,sshd,
2021 May 18 09:19:18 (windowsc) any->EventChannel
Rule: 100100 (level 5) -> 'Terminal Services Remote Connection Manager'
{"win":{"system":{"providerName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","providerGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","eventID":"261","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x1000000000000000","systemTime":"2021-05-18T09:19:19.114971000Z","eventRecordID":"147","processID":"904","threadID":"1160","channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","computer":"windowsc","severityValue":"INFORMATION","message":"\"Listener RDP-Tcp received a connection\""},"eventXML":{"listenerName":"RDP-Tcp"}}}
win.system.providerName: Microsoft-Windows-TerminalServices-RemoteConnectionManager
win.system.providerGuid: {C76BAA63-AE81-421C-B425-340B4B24157F}
win.system.eventID: 261
win.system.version: 0
win.system.level: 4
win.system.task: 0
win.system.opcode: 0
win.system.keywords: 0x1000000000000000
win.system.systemTime: 2021-05-18T09:19:19.114971000Z
win.system.eventRecordID: 147
win.system.processID: 904
win.system.threadID: 1160
win.system.channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
win.system.computer: windowsc
win.system.severityValue: INFORMATION
win.system.message: "Listener RDP-Tcp received a connection"
win.eventXML.listenerName: RDP-Tcp

From here, you can create a child rule of 100100 with a more specific condition in case you need it.

Try it and let us know the results.

Best regards.
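As an added example (not part of Jonathan's reply), here are two child rules of 100100 that split the alerts above by the win.system.eventID they carry: 1149 for the "Remote Desktop Services: User authentication succeeded" message and 261 for the "Listener RDP-Tcp received a connection" message. The rule ids 100101/100102, the levels and the group name are assumptions; the rules go in /var/ossec/etc/rules/local_rules.xml next to rule 100100.

```xml
<group name="windows,rdp,">
  <!-- Event 1149: "Remote Desktop Services: User authentication succeeded".
       param1 (user) and param3 (source address) are the decoded fields
       shown in the successful-login alert above. -->
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^1149$</field>
    <description>RDP authentication succeeded: user $(win.eventXML.param1) from $(win.eventXML.param3)</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Event 261: "Listener RDP-Tcp received a connection".
       Only listenerName is decoded for this event, so the description
       cannot name a user or a source address. -->
  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^261$</field>
    <description>RDP listener $(win.eventXML.listenerName) received a connection</description>
  </rule>
</group>
```

Events from this channel with any other eventID still fall through to rule 100100, so nothing is lost by adding these; restart wazuh-manager after editing local_rules.xml.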

Black Fish

May 18, 2021, 2:44:57 PM5/18/21
to Jonathan Martín Valera, Wazuh mailing list
Thank you so much, bro, it worked for me. I tested it on Windows 10. Can you help me with child rules too?


Jonathan Martín Valera

May 19, 2021, 2:48:58 AM5/19/21
to Wazuh mailing list
Okay, what exactly do you need? What condition(s) do you want for these rules?

Bianca Asan

May 19, 2021, 3:18:36 PM5/19/21
to Wazuh mailing list
Can you provide me with a log to test the rule using wazuh-logtest?

Jonathan Martín Valera

May 21, 2021, 4:13:29 AM5/21/21
to Wazuh mailing list

Hi Bianca,

The corresponding events stored in /var/ossec/logs/archives/archives.log file are as follows:

Remote authentication succeeded

2021 May 18 09:20:38 (windowsc) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","providerGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","eventID":"1149","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x1000000000000000","systemTime":"2021-05-18T09:20:38.595912200Z","eventRecordID":"150","processID":"904","threadID":"5440","channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","computer":"windowsc","severityValue":"INFORMATION","message":"\"Remote Desktop Services: User authentication succeeded:\r\n\r\nUser: qa\r\nDomain: \r\nSource Network Address: 172.16.1.1\""},"eventXML":{"param1":"qa","param3":"172.16.1.1"}}}

Remote authentication failed

2021 May 18 09:20:36 (windowsc) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","providerGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","eventID":"261","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x1000000000000000","systemTime":"2021-05-18T09:20:37.487298000Z","eventRecordID":"149","processID":"904","threadID":"1160","channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","computer":"windowsc","severityValue":"INFORMATION","message":"\"Listener RDP-Tcp received a connection\""},"eventXML":{"listenerName":"RDP-Tcp"}}}

If you want to test these events in the /var/ossec/bin/ossec-logtest tool, remember to remove the headers so that only the clean event remains, since that is what gets processed. The events would be as follows:

Remote authentication succeeded

{"win":{"system":{"providerName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","providerGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","eventID":"1149","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x1000000000000000","systemTime":"2021-05-18T09:20:38.595912200Z","eventRecordID":"150","processID":"904","threadID":"5440","channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","computer":"windowsc","severityValue":"INFORMATION","message":"\"Remote Desktop Services: User authentication succeeded:\r\n\r\nUser: qa\r\nDomain: \r\nSource Network Address: 172.16.1.1\""},"eventXML":{"param1":"qa","param3":"172.16.1.1"}}}

Remote authentication failed

{"win":{"system":{"providerName":"Microsoft-Windows-TerminalServices-RemoteConnectionManager","providerGuid":"{C76BAA63-AE81-421C-B425-340B4B24157F}","eventID":"261","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x1000000000000000","systemTime":"2021-05-18T09:20:37.487298000Z","eventRecordID":"149","processID":"904","threadID":"1160","channel":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","computer":"windowsc","severityValue":"INFORMATION","message":"\"Listener RDP-Tcp received a connection\""},"eventXML":{"listenerName":"RDP-Tcp"}}}

Now, if we enter this event in the ossec-logtest tool, it will show us that it is decoded with the json decoder and that it does not match any rule.

**Phase 2: Completed decoding.
       decoder: 'json'
       win.system.providerName: 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
       win.system.providerGuid: '{C76BAA63-AE81-421C-B425-340B4B24157F}'
       win.system.eventID: '261'
       win.system.version: '0'
       win.system.level: '4'
       win.system.task: '0'
       win.system.opcode: '0'
       win.system.keywords: '0x1000000000000000'
       win.system.systemTime: '2021-05-18T09:20:37.487298000Z'
       win.system.eventRecordID: '149'
       win.system.processID: '904'
       win.system.threadID: '1160'
       win.system.channel: 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
       win.system.computer: 'windowsc'
       win.system.severityValue: 'INFORMATION'
       win.system.message: '"Listener RDP-Tcp received a connection"'
       win.eventXML.listenerName: 'RDP-Tcp'

This is because the base rule for eventchannel uses the windows_eventchannel decoder instead of the json decoder.

So, to test the eventchannel events in this tool, we can use a little trick: momentarily change the base rule for eventchannel events to use the json decoder. To do this, edit the rules file /var/ossec/ruleset/rules/0575-win-base_rules.xml, comment out the lines <category>ossec</category> and <decoded_as>windows_eventchannel</decoded_as> of the rule with id 60000, and write <decoded_as>json</decoded_as>. It would be as follows:

<rule id="60000" level="0">
    <!--<category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>-->
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
</rule>

From now on, if we enter the event again, it will be decoded with the json decoder and will follow the eventchannel rule parsing flow. In this case, we can see that it matches rule 100100:

**Phase 2: Completed decoding.
       decoder: 'json'
       win.system.providerName: 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
       win.system.providerGuid: '{C76BAA63-AE81-421C-B425-340B4B24157F}'
       win.system.eventID: '261'
       win.system.version: '0'
       win.system.level: '4'
       win.system.task: '0'
       win.system.opcode: '0'
       win.system.keywords: '0x1000000000000000'
       win.system.systemTime: '2021-05-18T09:20:37.487298000Z'
       win.system.eventRecordID: '149'
       win.system.processID: '904'
       win.system.threadID: '1160'
       win.system.channel: 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
       win.system.computer: 'windowsc'
       win.system.severityValue: 'INFORMATION'
       win.system.message: '"Listener RDP-Tcp received a connection"'
       win.eventXML.listenerName: 'RDP-Tcp'

**Phase 3: Completed filtering (rules).
       Rule id: '100100'
       Level: '5'
       Description: 'Terminal Services Remote Connection Manager'
**Alert to be generated.

Important Note: This change is only useful for debugging eventchannel events in the ossec-logtest tool. It is very important that, after debugging, rule 60000 is returned to its original state; otherwise, eventchannel alerts may not be generated correctly.

<rule id="60000" level="0">
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
</rule>

Remember to restart the wazuh-manager after reverting this change if you also restarted it when modifying the rule. For testing ruleset changes with the ossec-logtest tool it is not strictly necessary to restart the wazuh-manager; that is only needed when you want to apply the changes in general.

Best regards.
