Problem to trigger an active response to block RDP with a custom script


Seb 3

Feb 18, 2021, 4:51:35 AM
to Wazuh mailing list

Hello,

I am trying to block RDP with a custom script (active response),
but I am not sure how to do it.

I tried to do it like that but it didn't work:

(sorry, I don't know how to format/highlight XML and script syntax to make it more readable)

here is my ossec.conf (manager):

  <command>
    <name>RDPBlock</name>
    <executable>test1.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>RDPBlock</command>
    <location>local</location>
    <rules_id>100035</rules_id>
  </active-response>

test active response:

/var/ossec/bin/agent_control -L

Wazuh agent_control. Available active responses:

   Response name: firewall-drop120, command: firewall-drop.sh
   Response name: RDPBlock0, command: test1.cmd

/var/ossec/bin/agent_control -f RDPBlock0 -b 19.19.19.19 -u 003

script (I copy-pasted some parts from other existing scripts and added the IP to a firewall rule; I will improve it after):

@echo off
REM Build a timestamp the same way the default Wazuh Windows scripts do
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DATE=%%A %%B
FOR /F "TOKENS=1-3 DELIMS=:" %%A IN ("%TIME%") DO SET TIME=%%A:%%B:%%C

REM Log the arguments received: %1 action (add/delete), %2 user, %3 srcip, then alert details
ECHO %DATE%%TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 >> active-response/active-responses.log

REM Replace the remote-address scope of the pre-created "BlockRDP" rule with the source IP
C:\Windows\system32\netsh.exe advfirewall firewall set rule name="BlockRDP" new remoteip=%3
REM Keep the block for 120 s, then reset the scope to a placeholder address
TIMEOUT /T 120
C:\Windows\system32\netsh.exe advfirewall firewall set rule name="BlockRDP" new remoteip=1.1.1.1

IP added to the scope of the firewall rule and active-responses.log updated:

16-02-21 15:14:37,84 "active-response/bin/test1.cmd" add "-" "19.19.19.19" "(from_the_server) (no_rule_id)"

everything seems good (or OK at least) until now

now this is the part that I think is not correct:

my rules:

<rule id="100030" level="5">
    <if_sid>60122</if_sid>
    <field name="win.eventdata.logonProcessName">NtLmSsp</field>XY
    <description>RDP  Logon Failure - Unknown user or bad password</description>
</rule>


from 60122, and I used the logon process NtLmSsp (Microsoft Windows NT LAN Manager) to know that it is RDP --> it seems a bit weird to do it like that

  <rule id="100035" level="12" frequency="5" timeframe="120">
    <if_matched_sid>100005</if_matched_sid>
    <same_field>win.eventdata.ipAddress</same_field>
    <description>RDP : Someone tried to log on 5  times in less than 120 sec (5*failures) </description>
  </rule>

Alerts are triggered perfectly in Kibana and in alert.log

I also can't use <same_srcip/> instead of the same_field (100035).

The active response does not work (probably because of the parameters).

Maybe I have to create a custom decoder to determine srcip?

+ my rule is decoded (correctly?) as windows_eventchannel in the alert details

Thank you for your help!!!

Seb

Mariano Koremblum

Feb 18, 2021, 7:30:35 AM
to Wazuh mailing list

Hi Seb!

In order to help you I need to verify two things:

  • 1st: Is this, as you pasted here, in the rule file?
<rule id="100030" level="5">
    <if_sid>60122</if_sid>
    <field name="win.eventdata.logonProcessName">NtLmSsp</field>XY
    <description>RDP  Logon Failure - Unknown user or bad password</description>
</rule>

Because the “XY” shouldn't be there; it might cause trouble.

  • 2nd: Did you place the script where it should go? (On the agents side: /var/ossec/active-response/bin/)

I will be waiting for your reply! :)

Regards,

Koremblum Nicolás Mariano

Seb 3

Feb 18, 2021, 8:07:48 AM
to Wazuh mailing list

Thank you for your reply!

Sorry, XY is not in my rule file; it is a typo I made when I wrote the post.
Also, the <if_matched_sid>100005</if_matched_sid> in the post is actually <if_matched_sid>100030</if_matched_sid> in my local rules file! Sorry.

The script is in the right place and works perfectly when I test it from the manager with
/var/ossec/bin/agent_control -f RDPBlock0 -b 19.19.19.19 -u 003

The problem is that when rule 100035 is triggered, the script does not work.

Seb 3

Feb 18, 2021, 8:34:51 AM
to Wazuh mailing list

I just tried the default restart-ossec.cmd instead of my test1.cmd, and when I go to the active-responses.log on the agent I can see this line:
18-02-21 14:28:16,60 "active-response/bin/restart-ossec.cmd" add "-" "null" "(from_the_server) (no_rule_id)"

The active response works with this script, but if I am correct the srcip is "null"; does it mean that it is a problem of parameters?

Mariano Koremblum

Feb 18, 2021, 3:14:09 PM
to Wazuh mailing list

Hi Seb!

The problem might be that "srcip" is not a valid parameter in your case, since, when the message is decoded, no field of the eventchannel logs is stored in such a tag (srcip). You might want to try changing "srcip" to "win.eventdata.ipAddress" and checking if it solves the problem.

In case that it does not work, could you please paste in here the content of the JSON that you can get by inspecting the alert on Kibana? You can find this on the Wazuh->Modules->Security Events->Events site.

We hope this solves your problem; in case not, please let us know!

Regards,

Koremblum Nicolás Mariano

Seb 3

Feb 19, 2021, 5:00:39 AM
to Wazuh mailing list

Hello!

I've tried to pass win.eventdata.ipAddress as parameter; it didn't work, but when I try this line in the script to see the parameters

ECHO %DATE%%TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 >> active-response/active-responses.log

I got:

9-02-21 10:40:11,97 "active-response/bin/test1.cmd" add "-" "-" "1613727616.906986 100035 (PS-LAB) any->EventChannel - -"  

with

<command>
    <name>RDPBlock</name>
    <executable>test1.cmd</executable>
    <expect>win.eventdata.ipAddress</expect>
    <timeout_allowed>yes</timeout_allowed>
</command>

I put the JSON from the alert 100035 below.

Thank you

100035.json

Mariano Koremblum

Feb 19, 2021, 10:09:13 AM
to Wazuh mailing list

Hi Seb!

I've been doing further research about this topic and there is no easy way of getting the IP with EventChannel. Despite this, there have been some workarounds that proved to work.

So, as there is no way to get srcip from data.win.eventdata.ipAddress given an EventChannel event, in order to be able to acquire the IP it is required to convert the event type from EventChannel to EventLog (you can get more info about these on this Wazuh documentation page: How to collect Windows logs).

Before proceeding with this, could you please share with us your manager and agent's ossec.conf files?

Regards,

Koremblum Nicolás Mariano

Seb 3

Feb 22, 2021, 9:37:51 AM
to Wazuh mailing list

Hello Mariano

Thank you for your help; here are my ossec.conf files from my agent and my manager:

ossec-agent[2955].txt
ossec.conf

Seb 3

Feb 23, 2021, 5:25:29 AM
to Wazuh mailing list

Hello, I am sorry to spam, but I've tried with eventlog instead of eventchannel; I could get the srcip and my script worked (thank you!), but in my rules, to be able to detect RDP, I used <field name="win.eventdata.logonProcessName">NtLmSsp</field>, and this field is not in the eventlog, and I don't know how to detect that it is RDP without the logonProcessName.
I tried to use <field name="full_log">^NtLmSsp$</field>; it didn't work.

here is my full log:

2021 Feb 23 11:02:41 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: domain.com An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  Administrator  Account Domain:  NAME  Failure Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc000006a  Process Information:  Caller Process ID: 0x0  Caller Process Name: -  Network Information:  Workstation Name: B39RD63  Source Network Address: 192.168.0.254  Source Port:  0  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon request fails. It is generated on the computer where access was attempted.


Mariano Koremblum

Feb 23, 2021, 7:39:28 AM
to Wazuh mailing list

Hi Seb,

So, given Wazuh's limitation, we need to acquire win.eventdata.ipAddress as srcip, since the <command> supports only this last parameter, user and/or filename in the <expect> option. The proven way of doing so consists of using a “child decoder” of <eventchannel>'s decoder, in order to obtain the specific field of interest and map it back to srcip, but, at the moment, Wazuh does not support the use of XML decoders for Eventchannel, as is stated in the issue: “Windows Eventchannel decoder is not compatible with other XML decoders”.

So, in order to implement the workaround, you should follow these steps:

1- On the ossec.conf file of the Windows agent, you should change:

<localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
</localfile>

To:

<localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
</localfile>

In this step we changed log_format from eventchannel to eventlog.

2- Restart the agent.

3- On the manager, you should add a new custom decoder with the following information:

<decoder name="eventlog_child">
    <parent>windows</parent>
    <regex>Source Network Address: (\.*) </regex>
    <order>srcip</order>
</decoder>

Now, this child decoder will get the network data of the event and store it in the srcip field. You can check whether this field is being set by looking at the alerts in Kibana.

4- Restart the manager, and then the Active Response should execute as expected.



The Wazuh team has already improved the way parameters are sent to the Active Response, and this update will be included in Wazuh v4.2.0. You can find more info about this in the following links:

Active Response/Command support additional EXPECT fields #2084
Remove the limitation of fields used by active responses #6954
PR: Remove the limitation of fields used by active responses #7317
Wazuh active response concatenating args #7521

I hope this helps you!

Regards,

Koremblum Nicolás Mariano
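As an added illustration (not part of this reply or of Wazuh's own code), the Python below models the chain the thread ends up with: a decoder-like regex that lifts Source Network Address out of a 4625 eventlog line, the NtLmSsp gate of rule 100030, and a simplified frequency/timeframe counter for rule 100035 that yields the `add - <srcip>` arguments test1.cmd logs. The sample log lines are constructed and abbreviated, and the threshold logic approximates rather than reproduces Wazuh's internal counters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Python stand-in for the "eventlog_child" decoder: pull the timestamp, the
# Source Network Address (srcip) and the Logon Process out of a 4625 line.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: Security: "
    r"AUDIT_FAILURE\(4625\).*?Source Network Address: (?P<srcip>\S+) "
    r".*?Logon Process:\s+(?P<logon_process>\S+)")

def parse_4625(line):
    """Return {ts, srcip, logon_process} for a 4625 eventlog line, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y %b %d %H:%M:%S")
    return ev

class RdpFailureCorrelator:
    """Model of rules 100030/100035: NtLmSsp failures, 5 per srcip in 120 s fire once."""
    def __init__(self, frequency=5, timeframe=120):
        self.frequency, self.timeframe = frequency, timeframe
        self.windows = defaultdict(deque)  # srcip -> recent failure times

    def feed(self, line):
        ev = parse_4625(line)
        if ev is None or ev["logon_process"] != "NtLmSsp":  # rule 100030 gate
            return None
        w = self.windows[ev["srcip"]]  # same_field on the source address
        w.append(ev["ts"])
        while (ev["ts"] - w[0]).total_seconds() > self.timeframe:
            w.popleft()  # drop failures older than the timeframe
        if len(w) < self.frequency:
            return None
        w.clear()  # one alert per burst, like a fired frequency rule
        return ("add", "-", ev["srcip"])  # %1 action, %2 user, %3 srcip

def decisions(lines):
    corr = RdpFailureCorrelator()
    return [d for d in map(corr.feed, lines) if d]

def sample_line(ts, ip, proc):  # constructed, abbreviated 4625 eventlog line
    return (f"{ts} WinEvtLog: Security: AUDIT_FAILURE(4625): An account failed "
            f"to log on. Logon Type:   3  Network Information:  Source Network "
            f"Address: {ip}  Source Port:  0  Logon Process:  {proc}   Package: NTLM")

# Constructed: six NtLmSsp failures from one host in 50 s, a Kerberos one, a lone host.
SAMPLE_LOGS = [sample_line(f"2021 Feb 23 11:02:{10 * i:02d}", "192.168.0.254",
                           "NtLmSsp") for i in range(6)]
SAMPLE_LOGS += [sample_line("2021 Feb 23 11:03:00", "192.168.0.254", "Kerberos"),
                sample_line("2021 Feb 23 11:03:10", "10.0.0.9", "NtLmSsp")]
```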

Seb 3

Feb 23, 2021, 9:40:56 AM
to Wazuh mailing list

Thank you, it works perfectly with eventlog instead of eventchannel!!!

Mariano Koremblum

Feb 23, 2021, 11:48:12 AM
to Wazuh mailing list

Great! Nice to know you were able to work it out!

If you still need further help we will be glad to help you! We kindly ask our community to open new threads/conversations on the Google group whenever a new (unrelated) question arises.

Regards

Koremblum Nicolás Mariano

Chunky

Nov 3, 2022, 8:15:18 AM
to Wazuh mailing list

Hmmm, I'm facing the same issue. I followed the steps you suggested, but it's not working! Nothing runs on the Windows machine :(

Mariano Koremblum

Nov 7, 2022, 12:22:10 PM
to Wazuh mailing list

Hi Chunky,

Could you please provide more information about the problem that you are facing? I don't think the case is exactly the same; if you have followed the thread, please provide all the information previously required so we can analyze your setup.

I will be waiting for your reply,

Mariano Koremblum