Possible process injection activity detected rdpclip.exe


Furkan İzci

Oct 28, 2024, 6:08:25 AM
to Wazuh | Mailing List
I want to stop the alert in the image, but even though I wrote the rules below, the alert still comes. What should I do?

[Attachment: ss.png]

<group name="windows,sysmon">
  <rule id="100111" level="0">
   <if_sid>100200</if_sid>
   <field name="win.eventdata.sourceImage">C:\\\\Windows\\\\System32\\\\rdpclip.exe</field>
   <field name="win.eventdata.targetImage">C:\\\\Windows\\\\System32\\\\csrss.exe</field>
   <description>False positive: Possible process injection activity detected from "$(win.eventdata.sourceImage)" on "$(win.eventdata.targetImage)"</description>
   <mitre>
      <id>T1055.001</id>
   </mitre>
  </rule>
</group>

-----------------------------------------------------------------------------------------------

<group name="windows,sysmon">
    <rule id="100111" level="0">
        <if_sid>100200</if_sid>
        <field name="win.eventdata.sourceImage">^C:\\Windows\\System32\\rdpclip.exe$</field>
        <field name="win.eventdata.targetImage">^C:\\Windows\\System32\\csrss.exe$</field>
        <description>False positive: Possible process injection activity detected from "$(win.eventdata.sourceImage)" on "$(win.eventdata.targetImage)"</description>
    </rule>
</group>


I tried two rules separately but neither worked.

Henadence Anyam

Oct 28, 2024, 6:46:21 AM
to Wazuh | Mailing List
Hello Furkan,

Let's use the PCRE syntax as shown below:

<group name="windows,sysmon,">

  <rule id="100111" level="0">
   <if_sid>100200</if_sid>
   <field name="win.eventdata.sourceImage" type="pcre2">C:\\\\Windows\\\\System32\\\\rdpclip\.exe</field>
   <field name="win.eventdata.targetImage" type="pcre2">C:\\\\Windows\\\\System32\\\\csrss\.exe</field>

   <description>False positive: Possible process injection activity detected from "$(win.eventdata.sourceImage)" on "$(win.eventdata.targetImage)"</description>
   <mitre>
      <id>T1055.001</id>
   </mitre>
  </rule>
</group>


Ensure that the rule ID 100111 is unique and has not been used before.

Then, restart the Wazuh manager to apply the changes.

Kindly provide me with the log sample if that doesn't work.

Waiting for your feedback on this.

Furkan İzci

Oct 28, 2024, 7:58:46 AM
to Wazuh | Mailing List
It didn't work.

Full log:

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"8","version":"2","level":"4","task":"8","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-10-28T11:42:07.073670700Z","eventRecordID":"76553546","processID":"3596","threadID":"5832","channel":"Microsoft-Windows-Sysmon/Operational","computer":"************","severityValue":"INFORMATION","message":"\"CreateRemoteThread detected:\r\nRuleName: technique_id=T1055,technique_name=Process Injection\r\nUtcTime: 2024-10-28 11:42:07.065\r\nSourceProcessGuid: {118b8ff8-24ea-671f-0fe6-000000005800}\r\nSourceProcessId: 50964\r\nSourceImage: C:\\Windows\\System32\\rdpclip.exe\r\nTargetProcessGuid: {118b8ff8-24e7-671f-07e6-000000005800}\r\nTargetProcessId: 10616\r\nTargetImage: C:\\Windows\\System32\\csrss.exe\r\nNewThreadId: 64912\r\nStartAddress: 0xFFFFB68878B12EF0\r\nStartModule: -\r\nStartFunction: -\r\nSourceUser: *****\\*****\r\nTargetUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"ruleName":"technique_id=T1055,technique_name=Process Injection","utcTime":"2024-10-28 11:42:07.065","sourceProcessGuid":"{118b8ff8-24ea-671f-0fe6-000000005800}","sourceProcessId":"50964","sourceImage":"C:\\\\Windows\\\\System32\\\\rdpclip.exe","targetProcessGuid":"{118b8ff8-24e7-671f-07e6-000000005800}","targetProcessId":"10616","targetImage":"C:\\\\Windows\\\\System32\\\\csrss.exe","newThreadId":"64912","startAddress":"0xFFFFB68878B12EF0","sourceUser":"*****\\\\*****","targetUser":"NT AUTHORITY\\\\SYSTEM"}}}

On Monday, 28 October 2024 at 13:46:21 UTC+3, Henadence Anyam wrote:

Henadence Anyam

Oct 28, 2024, 9:04:38 AM
to Wazuh | Mailing List
Hello Furkan,

Below is a logtest result with the rule I provided, and it works.
You can see that rule 100111 triggered at phase 3.

Starting wazuh-logtest v4.9.1
Type one log per line


{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"8","version":"2","level":"4","task":"8","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-10-28T11:42:07.073670700Z","eventRecordID":"76553546","processID":"3596","threadID":"5832","channel":"Microsoft-Windows-Sysmon/Operational","computer":"************","severityValue":"INFORMATION","message":"\"CreateRemoteThread detected:\r\nRuleName: technique_id=T1055,technique_name=Process Injection\r\nUtcTime: 2024-10-28 11:42:07.065\r\nSourceProcessGuid: {118b8ff8-24ea-671f-0fe6-000000005800}\r\nSourceProcessId: 50964\r\nSourceImage: C:\\Windows\\System32\\rdpclip.exe\r\nTargetProcessGuid: {118b8ff8-24e7-671f-07e6-000000005800}\r\nTargetProcessId: 10616\r\nTargetImage: C:\\Windows\\System32\\csrss.exe\r\nNewThreadId: 64912\r\nStartAddress: 0xFFFFB68878B12EF0\r\nStartModule: -\r\nStartFunction: -\r\nSourceUser: *****\\*****\r\nTargetUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"ruleName":"technique_id=T1055,technique_name=Process Injection","utcTime":"2024-10-28 11:42:07.065","sourceProcessGuid":"{118b8ff8-24ea-671f-0fe6-000000005800}","sourceProcessId":"50964","sourceImage":"C:\\\\Windows\\\\System32\\\\rdpclip.exe","targetProcessGuid":"{118b8ff8-24e7-671f-07e6-000000005800}","targetProcessId":"10616","targetImage":"C:\\\\Windows\\\\System32\\\\csrss.exe","newThreadId":"64912","startAddress":"0xFFFFB68878B12EF0","sourceUser":"*****\\\\*****","targetUser":"NT AUTHORITY\\\\SYSTEM"}}}

**Phase 1: Completed pre-decoding.
        full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"8","version":"2","level":"4","task":"8","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-10-28T11:42:07.073670700Z","eventRecordID":"76553546","processID":"3596","threadID":"5832","channel":"Microsoft-Windows-Sysmon/Operational","computer":"************","severityValue":"INFORMATION","message":"\"CreateRemoteThread detected:\r\nRuleName: technique_id=T1055,technique_name=Process Injection\r\nUtcTime: 2024-10-28 11:42:07.065\r\nSourceProcessGuid: {118b8ff8-24ea-671f-0fe6-000000005800}\r\nSourceProcessId: 50964\r\nSourceImage: C:\\Windows\\System32\\rdpclip.exe\r\nTargetProcessGuid: {118b8ff8-24e7-671f-07e6-000000005800}\r\nTargetProcessId: 10616\r\nTargetImage: C:\\Windows\\System32\\csrss.exe\r\nNewThreadId: 64912\r\nStartAddress: 0xFFFFB68878B12EF0\r\nStartModule: -\r\nStartFunction: -\r\nSourceUser: *****\\*****\r\nTargetUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"ruleName":"technique_id=T1055,technique_name=Process Injection","utcTime":"2024-10-28 11:42:07.065","sourceProcessGuid":"{118b8ff8-24ea-671f-0fe6-000000005800}","sourceProcessId":"50964","sourceImage":"C:\\\\Windows\\\\System32\\\\rdpclip.exe","targetProcessGuid":"{118b8ff8-24e7-671f-07e6-000000005800}","targetProcessId":"10616","targetImage":"C:\\\\Windows\\\\System32\\\\csrss.exe","newThreadId":"64912","startAddress":"0xFFFFB68878B12EF0","sourceUser":"*****\\\\*****","targetUser":"NT AUTHORITY\\\\SYSTEM"}}}'

**Phase 2: Completed decoding.
        name: 'json'
        win.eventdata.newThreadId: '64912'
        win.eventdata.ruleName: 'technique_id=T1055,technique_name=Process Injection'
        win.eventdata.sourceImage: 'C:\\Windows\\System32\\rdpclip.exe'
        win.eventdata.sourceProcessGuid: '{118b8ff8-24ea-671f-0fe6-000000005800}'
        win.eventdata.sourceProcessId: '50964'
        win.eventdata.sourceUser: '*****\\*****'
        win.eventdata.startAddress: '0xFFFFB68878B12EF0'
        win.eventdata.targetImage: 'C:\\Windows\\System32\\csrss.exe'
        win.eventdata.targetProcessGuid: '{118b8ff8-24e7-671f-07e6-000000005800}'
        win.eventdata.targetProcessId: '10616'
        win.eventdata.targetUser: 'NT AUTHORITY\\SYSTEM'
        win.eventdata.utcTime: '2024-10-28 11:42:07.065'
        win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
        win.system.computer: '************'
        win.system.eventID: '8'
        win.system.eventRecordID: '76553546'
        win.system.keywords: '0x8000000000000000'
        win.system.level: '4'
        win.system.message: '"CreateRemoteThread detected:
RuleName: technique_id=T1055,technique_name=Process Injection
UtcTime: 2024-10-28 11:42:07.065
SourceProcessGuid: {118b8ff8-24ea-671f-0fe6-000000005800}
SourceProcessId: 50964
SourceImage: C:\Windows\System32\rdpclip.exe
TargetProcessGuid: {118b8ff8-24e7-671f-07e6-000000005800}
TargetProcessId: 10616
TargetImage: C:\Windows\System32\csrss.exe
NewThreadId: 64912
StartAddress: 0xFFFFB68878B12EF0
StartModule: -
StartFunction: -
SourceUser: *****\*****
TargetUser: NT AUTHORITY\SYSTEM"'
        win.system.opcode: '0'
        win.system.processID: '3596'
        win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
        win.system.providerName: 'Microsoft-Windows-Sysmon'
        win.system.severityValue: 'INFORMATION'
        win.system.systemTime: '2024-10-28T11:42:07.073670700Z'
        win.system.task: '8'
        win.system.threadID: '5832'
        win.system.version: '2'

**Phase 3: Completed filtering (rules).
        id: '100111'
        level: '0'
        description: 'False positive: Possible process injection activity detected from "C:\\Windows\\System32\\rdpclip.exe" on "C:\\Windows\\System32\\csrss.exe"'
        groups: '['windows', 'sysmon']'
        firedtimes: '1'
        mail: 'False'
        mitre.id: '['T1055.001']'
        mitre.tactic: '['Defense Evasion', 'Privilege Escalation']'
        mitre.technique: '['Dynamic-link Library Injection']'


Kindly restart the Wazuh manager after adding the rule.

Let me know how it goes.
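The pcre2 rule above and the logtest output make the same point from two sides: the decoded field value `win.eventdata.sourceImage` is stored with two literal backslashes per separator (the raw JSON carries `\\\\`, and JSON unescaping halves it), while the `message` text keeps a single backslash. A pattern written as `\\` therefore asks for one backslash and never matches; `\\\\` asks for two and does. The Python script below is an added illustration, not code from either poster or from Wazuh: it decodes a trimmed copy of the posted event, tries the single-backslash anchored pattern from the second attempt and the two pcre2 variants against the stored value, and ANDs the `<field>` conditions the way a Wazuh rule does. Python's `re` module stands in for PCRE2 here (an assumption; the two agree for these simple patterns), and the look-alike event launched from `C:\Users\Public` is a constructed negative case, not something from the thread.

```python
import json
import re

# Constructed sample: a trimmed copy of the Sysmon event ID 8 JSON posted in
# the thread, keeping only the fields the suppression rule inspects. The raw
# text carries the doubled backslashes exactly as the Wazuh agent ships them.
RAW_EVENT = (
    r'{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"8"},'
    r'"eventdata":{"sourceImage":"C:\\\\Windows\\\\System32\\\\rdpclip.exe",'
    r'"targetImage":"C:\\\\Windows\\\\System32\\\\csrss.exe",'
    r'"targetUser":"NT AUTHORITY\\\\SYSTEM"}}}'
)

# The <field> patterns from the thread, reproduced as they appear in the XML.
# Raw strings keep the backslashes byte-for-byte.
PATTERN_SINGLE_ANCHORED = r"^C:\\Windows\\System32\\rdpclip.exe$"        # second attempt
PATTERN_PCRE2_UNANCHORED = r"C:\\\\Windows\\\\System32\\\\rdpclip\.exe"  # suggested pcre2 fix
PATTERN_PCRE2_ANCHORED = r"^C:\\\\Windows\\\\System32\\\\rdpclip\.exe$"  # same, anchored


def decode_event(raw: str) -> dict:
    """Mimic the Wazuh 'json' decoder: JSON unescaping turns every '\\\\' pair
    in the raw text into ONE literal backslash, so the stored field value ends
    up with two backslashes per path separator."""
    return json.loads(raw)


def get_field(event: dict, dotted: str) -> str:
    """Resolve a dotted Wazuh field name such as win.eventdata.sourceImage."""
    cur = event
    for part in dotted.split("."):
        cur = cur[part]
    return cur


def field_matches(pattern: str, value: str) -> bool:
    """A <field type="pcre2"> condition is a search, not a full match, so only
    ^ and $ anchor it. Python's re stands in for PCRE2 here (assumption: both
    engines agree for these simple patterns)."""
    return re.search(pattern, value) is not None


def rule_matches(event: dict, rule_fields: dict) -> bool:
    """Several <field> conditions in one Wazuh rule are ANDed: all must match."""
    return all(field_matches(p, get_field(event, f)) for f, p in rule_fields.items())


# The suppression rule's two conditions, both in the anchored pcre2 form.
SUPPRESSION_FIELDS = {
    "win.eventdata.sourceImage": PATTERN_PCRE2_ANCHORED,
    "win.eventdata.targetImage": r"^C:\\\\Windows\\\\System32\\\\csrss\.exe$",
}


def compare_patterns(raw: str = RAW_EVENT) -> dict:
    """Report how many backslashes the stored sourceImage really holds and
    which candidate patterns match it."""
    value = get_field(decode_event(raw), "win.eventdata.sourceImage")
    return {
        "backslashes_in_value": value.count("\\"),
        "single_anchored": field_matches(PATTERN_SINGLE_ANCHORED, value),
        "pcre2_unanchored": field_matches(PATTERN_PCRE2_UNANCHORED, value),
        "pcre2_anchored": field_matches(PATTERN_PCRE2_ANCHORED, value),
    }


def lookalike_event() -> dict:
    """Constructed negative case (not from the thread): the same file name run
    from a user-writable directory. The suppression must NOT match it."""
    event = decode_event(RAW_EVENT)
    event["win"]["eventdata"]["sourceImage"] = r"C:\\Users\\Public\\rdpclip.exe"
    return event


if __name__ == "__main__":
    print(compare_patterns())
    print("suppress real rdpclip:", rule_matches(decode_event(RAW_EVENT), SUPPRESSION_FIELDS))
    print("suppress look-alike:  ", rule_matches(lookalike_event(), SUPPRESSION_FIELDS))
```

The script only explains the escaping; the authoritative check remains `wazuh-logtest` against the real event, as in the reply above, because it runs the manager's own decoders and regex engine. Anchoring both image patterns with `^` and `$` costs nothing here and keeps a level-0 suppression from ever matching a longer path that merely contains the System32 string.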