Windows Event ID's 5136,5137, 5139 and 5141


Lucio Emanuel Soldo

Jan 21, 2021, 4:40:48 AM
to Wazuh mailing list
Hi Everyone.

I read a post in the past where rule ID 18104, which catches AUDIT SUCCESS, is configured with level 0; for that reason it is not possible to save it as an alert.

In order to solve that I applied a troubleshooting step posted in this group, which indicates changing the level by creating a custom rule. I did that by creating the following entry in my custom rules:

  <rule id="110011" level="12">
    <if_sid>18104</if_sid>
    <id>^5137$|^5137$|^5139$|^5141$</id>
    <description>Windows Audit Success</description>
  </rule>

But when I execute ossec-logtest there is no problem in phase 1, but phase 2 shows the following error:


**Phase 2: Completed decoding.
       No decoder matched.


I'm using Wazuh version 4.0.1.

Thank you very much for your help.

victor....@wazuh.com

Jan 21, 2021, 7:21:32 AM
to Wazuh mailing list
Hello Lucio,

I think you are not using the proper log for your testing in ossec-logtest. Even if the level of the rule is 0, ossec-logtest should return the triggered rule. In addition, your logtest shows "No decoder matched", and that should not be the case.

Let's use these logs in order to find out if your custom rules work correctly:

  • Log1:

2016 Sep 27 10:48:30 WinEvtLog: Security: AUDIT_SUCCESS(5137): Microsoft-Windows-Security-Auditing: AAAABCC: KKKKK: 01.KKKKK.com: An account was successfully logged on.

  • Log2:

2016 Sep 27 10:48:30 WinEvtLog: Security: AUDIT_SUCCESS(5241): Microsoft-Windows-Security-Auditing: AAAABCC: KKKKK: 01.KKKKK.com: An account was successfully logged on.


Also, we are going to change your rule to make debugging easier:

  <rule id="110011" level="12">
    <if_sid>18104</if_sid>
    <id>^5137$|^5139$|^5141$</id>
    <description>Windows Audit Success testing</description>
  </rule>


If we do not use your custom rule and use Log1, logtest returns:


**Phase 1: Completed pre-decoding.
       full event: '2016 Sep 27 10:48:30 WinEvtLog: Security: AUDIT_SUCCESS(5137): Microsoft-Windows-Security-Auditing: AAAABCC: KKKKK: 01.KKKKK.com: An account was successfully logged on.'
       timestamp: '2016 Sep 27 10:48:30'
       hostname: 'centos1'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_SUCCESS(5137): Microsoft-Windows-Security-Auditing: AAAABCC: KKKKK: 01.KKKKK.com: An account was successfully logged on.'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Security'
       status: 'AUDIT_SUCCESS'
       id: '5137'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: 'AAAABCC'
       system_name: '01.KKKKK.com'

**Phase 3: Completed filtering (rules).
       Rule id: '18104'
       Level: '0'
       Description: 'Windows audit success event.'


We can see that the default Wazuh rule for Windows audit success events (18104) is triggered, showing that even level 0 rules are displayed.


However, when we add the custom rule we get the following:

  • Log1:

**Phase 1: Completed pre-decoding.
       full event: '2016 Sep 27 10:48:30 WinEvtLog: Security: AUDIT_SUCCESS(5137): Microsoft-Windows-Security-Auditing: AAAABCC: KKKKK: 01.KKKKK.com: An account was successfully logged on.'
       timestamp: '2016 Sep 27 10:48:30'
       hostname: 'centos1'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_SUCCESS(5137): Microsoft-Windows-Security-Auditing: AAAABCC: KKKKK: 01.KKKKK.com: An account was successfully logged on.'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Security'
       status: 'AUDIT_SUCCESS'
       id: '5137'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: 'AAAABCC'
       system_name: '01.KKKKK.com'

**Phase 3: Completed filtering (rules).
       Rule id: '110011'
       Level: '12'
       Description: 'Windows Audit Success testing'
**Alert to be generated.



  • Log2:

**Phase 1: Completed pre-decoding.
       full event: '2016 Sep 27 10:48:30 WinEvtLog: Security: AUDIT_SUCCESS(5241): Microsoft-Windows-Security-Auditing: AAAABCC: KKKKK: 01.KKKKK.com: An account was successfully logged on.'
       timestamp: '2016 Sep 27 10:48:30'
       hostname: 'centos1'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_SUCCESS(5241): Microsoft-Windows-Security-Auditing: AAAABCC: KKKKK: 01.KKKKK.com: An account was successfully logged on.'

**Phase 2: Completed decoding.
       decoder: 'windows'
       type: 'Security'
       status: 'AUDIT_SUCCESS'
       id: '5241'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: 'AAAABCC'
       system_name: '01.KKKKK.com'

**Phase 3: Completed filtering (rules).
       Rule id: '18104'
       Level: '0'
       Description: 'Windows audit success event.'



You can see that the custom rule is triggered when the id is one of those specified in your <id> tag and that the level is properly set (Level: '12'). However, for other ids the Wazuh default rule (18104) is triggered, with the level set to 0.

Lucio Emanuel Soldo

Jan 21, 2021, 7:52:03 AM
to Wazuh mailing list
Hi Victor,

Thank you very much!

Well... as you mentioned, the problem was the sample I used to check with ossec-logtest. I used your sample without any problem! For that reason, thank you very much!

Lucio Emanuel Soldo

Feb 11, 2021, 10:36:35 AM
to Wazuh mailing list
Hi Victor, how are you doing?

Today it was possible to enable this kind of event on the Domain Controller. Through the Event Viewer it was possible to find, for example, an event like 5136 when a GPO is created. However, in the Wazuh server with the following configuration nothing appears, but with ossec-logtest it works fine:

  <rule id="100011" level="12">
    <if_sid>18104</if_sid>
    <id>5136|5137|5139|5141</id>
    <description>Windows Audit Success</description>
  </rule>

I mean, when I use ossec-logtest it is possible to verify events under rule id 100011, but when I search for rule id 100011 in the Wazuh Kibana nothing appears.

Could you help me?

Thank you very much.

Lucio Emanuel Soldo

Feb 12, 2021, 4:08:34 AM
to Wazuh mailing list
Hello. I would like to add some information. In Wazuh I investigated two rule ids for Audit Success, not only 18104. Here is an example for rule id 60103:

  <rule id="60103" level="0">
    <if_sid>60001</if_sid>
    <field name="win.system.severityValue">^AUDIT_SUCCESS$|^success$</field>
    <description>Windows audit success event</description>
    <options>no_full_log</options>
  </rule>

For that reason, I don't understand what the difference between 18104 and 60103 is.

Thank you very much.

Lucio Emanuel Soldo

Feb 12, 2021, 9:48:10 AM
to Wazuh mailing list
Hello. I've finally found the solution. Here is my solution:

  <rule id="100011" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">5141</field>
    <field name="win.eventdata.objectClass">groupPolicyContainer</field>
    <description>Se ha eliminado una política de seguridad</description>
  </rule>

I used SID 60103 instead of 18140 and added <field name="win.system.eventID">5141</field> instead of <id>^5137$|^5137$|^5139$|^5141$</id>.

Thank you very much!!
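To make the decoder difference behind this fix concrete, here is an added Python model of the rule matching in the thread (not Wazuh's engine and not code from any poster): a legacy WinEvtLog line decoded by 'windows' yields an `id` field that the `<id>`-based rule under 18104 can match, while an eventchannel JSON message decoded by 'json' only yields `win.*` fields, so a child of 60103 with `<field name="win.system.eventID">` is what fires. The JSON sample is constructed, the flattening and regex matching are simplifications, and rule id 110011 stands for the earlier `<id>`-based rule.

```python
import json
import re
# Constructed sample of an eventchannel message as the Wazuh agent forwards it (JSON under
# a "win" key); the dotted field names below are the ones rule 100011 in the thread uses.
EVENTCHANNEL_5141 = json.dumps({"win": {
    "system": {"providerName": "Microsoft-Windows-Security-Auditing", "channel": "Security",
               "eventID": "5141", "severityValue": "AUDIT_SUCCESS"},
    "eventdata": {"objectClass": "groupPolicyContainer"}}})
# Legacy eventlog line in the format of Log1 from Victor's reply.
EVENTLOG_5137 = ("2016 Sep 27 10:48:30 WinEvtLog: Security: AUDIT_SUCCESS(5137): "
                 "Microsoft-Windows-Security-Auditing: AAAABCC: KKKKK: 01.KKKKK.com: "
                 "An account was successfully logged on.")

def flatten(obj, prefix, out):
    # Nested JSON -> dotted paths such as win.system.eventID, as <field name="..."> expects.
    for key, value in obj.items():
        if isinstance(value, dict):
            flatten(value, f"{prefix}.{key}", out)
        else:
            out[f"{prefix}.{key}"] = value
    return out

def decode(raw):
    # Simplified stand-in for the 'json' and 'windows' decoders (not Wazuh's own code).
    if raw.startswith("{"):
        return flatten(json.loads(raw)["win"], "win", {"decoder": "json"})
    m = re.search(r"WinEvtLog: (\w+): (\w+)\((\d+)\)", raw)
    return {"decoder": "windows", "type": m[1], "status": m[2], "id": m[3]} if m else {}

# Rule tree modelled on the thread: stock parents 18104 / 60001 / 60103, then the custom rules.
RULES = [
    {"id": 18104, "level": 0, "match": {"decoder": "^windows$", "status": "^AUDIT_SUCCESS$"}},
    {"id": 60001, "level": 0, "match": {"decoder": "^json$"}},
    {"id": 60103, "level": 0, "if_sid": 60001,
     "match": {"win.system.severityValue": "^AUDIT_SUCCESS$|^success$"}},
    # The <id>-based rule from the earlier posts: only the legacy decoder produces 'id'.
    {"id": 110011, "level": 12, "if_sid": 18104, "match": {"id": "5136|5137|5139|5141"}},
    # The final rule from the last post, keyed on eventchannel fields under 60103.
    {"id": 100011, "level": 12, "if_sid": 60103,
     "match": {"win.system.eventID": "5141", "win.eventdata.objectClass": "groupPolicyContainer"}},
]

def evaluate(event):
    # Phase-3 style matching: a child fires only if its if_sid parent fired; the last match wins.
    fired, winner = set(), None
    for rule in RULES:
        if "if_sid" in rule and rule["if_sid"] not in fired:
            continue
        if all(re.search(rx, str(event.get(f, ""))) for f, rx in rule["match"].items()):
            fired.add(rule["id"])
            winner = rule
    return winner
```

Running `evaluate(decode(...))` on each sample shows the legacy line ending at 110011 (level 12) and the JSON message at 100011 (level 12), while a JSON message for any other event ID stops at 60103 with level 0, which is why the earlier rule never showed up in Kibana.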