Whitelisting Alerts


Zero Two

May 21, 2024, 1:05:23 PM
to Wazuh | Mailing List
Greetings, I posted this on Reddit but have not found a solution yet.

We are being flooded by DCSync Attack alerts. Normally, the notice is good, but these warnings are fired every time, and only when the acting account is ADSYNC. This account is legit and is appropriately limited to the task at hand.

We want to monitor for potential DCSync Attacks but I would like to whitelist ADSYNC so that Wazuh stops firing an alert when the potential "DCSync Attack" is associated with account ADSYNC.

Otherwise_Crab2819 proposed the following:

Hi!

If you take note of the rule format, we are muting the alert level by downgrading it to 0 (if the rule ID and the event's field name match.)


<group name="DSattack_Whitelist,">
  <rule id="100113" level="0">
    <if_sid>RULEID</if_sid>
    <field name="acting account field">ADSYNC|ADCHECK</field>
    <description>Whitelisting for acting account field ADSYNC|ADCHECK (muted)</description>
  </rule>
</group>

However, we can share with you the precise rule to use if you already have a sample of the log string from "Windows Event Manager," including the eventID (perhaps you can capture that using the archives.json).

For any questions, please let us know!

I attempted to utilize this template as follows:

I think I did this correctly, but obviously didn't, because it isn't working. On the Wazuh manager node, in /var/ossec/ruleset/rules, I created a ruleset called "100100-whitelist.xml". Here is the file:

<group name="Alert_Whitelist,">
  <rule id="100101" level="0">
    <if_sid>110001</if_sid>
    <field name="data.win.eventdata.subjectUserName">^adsync$</field>
    <description>False Positive: Possible DCSync Attack</description>
  </rule>
  <rule id="100102" level="0">
    <if_sid>110003</if_sid>
    <description>Stop the Golden Ticket Flood</description>
  </rule>
</group>

The <if_sid> entries above are the respective related rules I want to whitelist.

With respect to "Possible DCSync Attack", 110001 is the associated rule ID as shown in the dashboard.

With respect to "Golden Tickets", it's 110003.

I restarted Wazuh-Manager.Service, but I am still receiving alerts.

I am sure I am misunderstanding how Wazuh processes rules so any assistance is greatly appreciated.


Any suggestions for next steps? Thank you!

Fabian Ruiz

May 21, 2024, 10:33:22 PM
to Wazuh | Mailing List
Hi, Zero Two

You could try this rule this way:

<group name="Alert_Whitelist,">
  <rule id="100101" level="0">
    <if_sid>110001</if_sid>
    <field name="win.eventdata.subjectUserName">^adsync$</field>
    <description>False Positive: Possible DCSync Attack</description>
  </rule>
</group>

On the other hand, if possible, you can send me an example using wazuh-logtest, together with an example of the raw log, so I can analyse what is happening and help you better.


Regards.

Zero Two

May 28, 2024, 2:30:13 PM
to Wazuh | Mailing List
Fabian:

Apologies for the late response.  I got bogged down in some fires at work.

Not sure where we are on this, but here is some additional info:
Windows Event in XML that I would want whitelisted because the actor is adsync:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4662</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14080</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-05-24T18:52:47.8899705Z" />
    <EventRecordID>31908609</EventRecordID>
    <Correlation />
    <Execution ProcessID="776" ThreadID="888" />
    <Channel>Security</Channel>
    <Computer>ad.foo.bar</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3553857315-2347844133-1096870106-4216</Data>
    <Data Name="SubjectUserName">adsync</Data>
    <Data Name="SubjectDomainName">foo.bar</Data>
    <Data Name="SubjectLogonId">0x154e5a09</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
    <Data Name="ObjectName">%{1b20f7f1-991f-4938-ae59-6c09f393eccf}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="AccessList">%%7688</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
    <Data Name="AdditionalInfo">-</Data>
    <Data Name="AdditionalInfo2" />
  </EventData>
</Event>


Here is my custom rule located in /var/ossec/etc/rules/000100-custom_rules.xml:

<group name="False Positives">
  <rule id="000101" level="0">
    <if_sid>60103</if_sid>
    <field name="win.eventdata.subjectUserName">adsync</field>
    <field name="win.system.eventID">4662</field>

    <description>False Positive: Possible DCSync Attack</description>
  </rule>
</group>

However, the following rule in /var/ossec/etc/rules/local_rules.xml still takes precedence:

<group name="security_event, windows,">

  <!-- This rule detects DCSync attacks using windows security event on the domain controller -->

  <rule id="110001" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4662$</field>
    <field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
    <options>no_full_log</options>
    <description>Directory Service Access. Possible DCSync attack</description>
  </rule>

...

</group>

Any thoughts?

Fabian Ruiz

May 28, 2024, 10:58:40 PM
to Wazuh | Mailing List

Hi, Zero Two

What you should do for this is to match the 110001 rule instead of the 60103 rule, so that this one takes relevance over the other one. For this, I would recommend you to have these rules in the same file, because this can cause a problem of rule generation inside the engine. This way, your local_rules.xml file should look like this:

/var/ossec/etc/rules/local_rules.xml:

<group name="security_event, windows,">

  <rule id="110001" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4662$</field>
    <field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
    <options>no_full_log</options>
    <description>Directory Service Access. Possible DCSync attack</description>
  </rule>
</group>

<group name="False Positives">
  <rule id="000101" level="0">
    <if_sid>110001</if_sid>
    <field name="win.eventdata.subjectUserName">adsync</field>
    <field name="win.system.eventID">4662</field>
    <description>False Positive: Possible DCSync Attack</description>
  </rule>
</group>

Keep in mind the order of the rules so that you do not have a problem with their generation and they are not ignored by the engine.

Regards.
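As an added illustration (not code from this thread or from Wazuh), a small Python model of the if_sid chain: it decodes the posted 4662 event into the dotted field names the rules use and walks a simplified rule tree in which the first matching child is taken and the deepest match sets the level (an assumption about the engine, not its actual implementation), to show why the whitelist has to hang off 110001 rather than 60103.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample event, trimmed to the fields the rules in this thread look at.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">adsync</Data>
    <Data Name="Properties">%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
  </EventData>
</Event>"""
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

def decode(xml_text):
    """Flatten the event into the dotted names the rules use (win.system.*, win.eventdata.*)."""
    root = ET.fromstring(xml_text)
    fields = {"win.system.eventID": root.find(f"{NS}System/{NS}EventID").text}
    for data in root.iter(f"{NS}Data"):
        name = data.get("Name")  # Wazuh lower-cases the first letter: SubjectUserName -> subjectUserName
        fields["win.eventdata." + name[0].lower() + name[1:]] = data.text or ""
    return fields

# Field matchers copied from the thread's rules (Python re handles the literal braces).
DCSYNC = {"win.system.eventID": r"^4662$",
          "win.eventdata.properties": r"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}"}
WHITELIST = {"win.eventdata.subjectUserName": r"adsync", "win.system.eventID": r"4662"}

# Rules as (id, if_sid parent, level, fields). 60103 is the base Windows rule both layouts hang off.
BROKEN = [("110001", "60103", 12, DCSYNC), ("000101", "60103", 0, WHITELIST)]   # whitelist is a sibling
FIXED = [("110001", "60103", 12, DCSYNC), ("000101", "110001", 0, WHITELIST)]   # whitelist is a child

def evaluate(fields, rules, parent="60103"):
    """Simplified (assumed) if_sid walk: take the first matching child of the last matched
    rule and continue from it, so the deepest match decides the alert level."""
    winner = None
    while True:
        child = next((r for r in rules if r[1] == parent and
                      all(re.search(rx, fields.get(f, "")) for f, rx in r[3].items())), None)
        if child is None:
            return winner
        winner = child
        parent = child[0]

if __name__ == "__main__":
    ev = decode(EVENT_XML)
    for label, rules in (("sibling of 110001", BROKEN), ("child of 110001", FIXED)):
        rid, _, level, _ = evaluate(ev, rules)
        print(f"whitelist as {label}: rule {rid} fires at level {level}")
```

With the whitelist as a sibling the DCSync rule still wins at level 12; as a child of 110001 the same event ends at rule 000101, level 0, which is the fix above.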

Zero Two

May 30, 2024, 1:48:24 PM
to Wazuh | Mailing List

This was the answer; thank you, Fabian!