Hello Wazuh Mailing List.
I'm running Wazuh 4.4.3 with two worker nodes, a Kibana server, and a three-node Elastic cluster. I've installed Sysmon on some test Windows servers and updated the local_rules.conf file to include Sysmon event rules.
I'm trying to tune alerts because I keep getting alerts for a normal scheduled task that runs a script on the test servers. I've created a new rule that sets the alert level to 0 for the PowerShell 7 binary when it executes the script, but I'm still getting alerts at level 12, and I'm not sure whether I'm doing something wrong or whether there is an issue with the regex I am using. Maybe there's a better way? I've restarted the Wazuh services after the rule changes as well.
Here is the alert info:
{
"data": {
"win": {
"eventdata": {
"originalFileName": "pwsh.dll",
"image": "C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe",
"product": "PowerShell",
"parentProcessGuid": "{51ef10dc-1427-64a7-2700-000000007700}",
"description": "pwsh",
"logonGuid": "{51ef10dc-1426-64a7-e703-000000000000}",
"parentCommandLine": "C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule",
"processGuid": "{51ef10dc-fb1c-64b6-d25f-000000007700}",
"logonId": "0x3e7",
"parentProcessId": "2660",
"processId": "11700",
"currentDirectory": "C:\\\\Windows\\\\system32\\\\",
"utcTime": "2023-07-18 20:50:36.513",
"hashes": "SHA1=674B52D8C77862FAB2EBB232593997B96EEF758F,MD5=CDA46F784F208DF453242E0CD97985DA,SHA256=04983EF8066C112D46D7FB164AC0AE10EDDBFD0613AC44B168CA60CAF1B55EC6,IMPHASH=EA4DD374D22E48FDCFFCC7AD5E323053",
"parentImage": "C:\\\\Windows\\\\System32\\\\svchost.exe",
"ruleName": "technique_id=T1083,technique_name=File and Directory Discovery",
"company": "Microsoft Corporation",
"commandLine": "\\\"C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe\\\" -ExecutionPolicy ByPass c:\\\\tools\\\\scriptnamehere.ps1",
"integrityLevel": "System",
"fileVersion": "7.1.2.0",
"user": "NT AUTHORITY\\\\SYSTEM",
"terminalSessionId": "0",
"parentUser": "NT AUTHORITY\\\\SYSTEM"
},
"system": {
"eventID": "1",
"keywords": "0x8000000000000000",
"providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"level": "4",
"channel": "Microsoft-Windows-Sysmon/Operational",
"opcode": "0",
"message": "\"Process Create:\r\nRuleName: technique_id=T1083,technique_name=File and Directory Discovery\r\nUtcTime: 2023-07-18 20:50:36.513\r\nProcessGuid: {51ef10dc-fb1c-64b6-d25f-000000007700}\r\nProcessId: 11700\r\nImage: C:\\Program Files\\PowerShell\\7\\pwsh.exe\r\nFileVersion: 7.1.2.0\r\nDescription: pwsh\r\nProduct: PowerShell\r\nCompany: Microsoft Corporation\r\nOriginalFileName: pwsh.dll\r\nCommandLine: \"C:\\Program Files\\PowerShell\\7\\pwsh.exe\" -ExecutionPolicy ByPass c:\\tools\\scriptnamehere.ps1\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: NT AUTHORITY\\SYSTEM\r\nLogonGuid: {51ef10dc-1426-64a7-e703-000000000000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: SHA1=674B52D8C77862FAB2EBB232593997B96EEF758F,MD5=CDA46F784F208DF453242E0CD97985DA,SHA256=04983EF8066C112D46D7FB164AC0AE10EDDBFD0613AC44B168CA60CAF1B55EC6,IMPHASH=EA4DD374D22E48FDCFFCC7AD5E323053\r\nParentProcessGuid: {51ef10dc-1427-64a7-2700-000000007700}\r\nParentProcessId: 2660\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\r\nParentUser: NT AUTHORITY\\SYSTEM\"",
"version": "5",
"systemTime": "2023-07-18T20:50:36.514777700Z",
"eventRecordID": "2995072",
"threadID": "2764",
"computer": "computer.domain.removed",
"task": "1",
"processID": "11412",
"severityValue": "INFORMATION",
"providerName": "Microsoft-Windows-Sysmon"
}
}
},
"rule": {
"firedtimes": 45,
"mail": true,
"level": 12,
"description": "Microsoft Office Product Spawning Windows Shell",
"groups": [
"sysmon",
"sysmon_process-anomalies"
],
"id": "255008"
},
"decoder": {
"name": "windows_eventchannel"
},
"input": {
"type": "log"
},
"@timestamp": "2023-07-18T20:50:37.723Z",
"location": "EventChannel",
"_id": "VN_EaokBw7hJmUQi8vVn"
}
Here is the rule in local_files.xml:
<rule id="255008" level="12">
<if_sid>255006</if_sid>
<field name="win.eventdata.Image">\\cmd.exe||\\powershell.exe||\\wscript.exe||\\cscript.exe||\\sh.exe||\\bash.exe||\\scrcons.exe||\\schtasks.exe||\\regsvr32.exe||\\hh.exe</field>
<description>Microsoft Office Product Spawning Windows Shell</description>
</rule>
Here is the exclusion rule I've tried to make:
<!-- Sysmon alert exclusions: level-0 child rules that suppress a specific parent alert.
     Rules inside this <group> inherit the groups named here. -->
<group name="sysmon,disablealert,exclude">
<!-- Suppresses rule 255008 (the level-12 "Microsoft Office Product Spawning Windows Shell" alert above):
     <if_sid>255008</if_sid> makes this a child of that rule, and level 0 means no alert is raised when it matches.
     It matches only if every <field> below matches. -->
<rule id="755008" level="0">
<if_sid>255008</if_sid>
<description>Exclude known scheduled tasks from alerting</description>
<!-- Repeats the enclosing <group name="..."> groups; redundant but harmless. -->
<group>sysmon,disablealert,exclude</group>
<!-- NOTE(review): a <field> with no type attribute is evaluated as osregex, where "." matches any character
     and "\\" is the escaped form of a single backslash.
     The alert sample above shows the decoded commandLine with doubled backslashes ("C:\\\\Program Files ...")
     and the script name scriptnamehere.ps1, whereas this pattern expects single backslashes and
     checkinloginonly.ps1. If scriptnamehere.ps1 is not just a redaction, this pattern cannot match the sample;
     and if the doubled backslashes are the stored value rather than display escaping, it will not match either.
     Confirm with wazuh-logtest; a type="pcre2" pattern with "\." for the literal dots makes the intent explicit.
     Matching on commandLine alone also excludes any process that launches the same command line. The sample
     shows win.eventdata.parentImage (svchost.exe with "-s Schedule") and win.eventdata.user (NT AUTHORITY\SYSTEM),
     which can be added as further <field> conditions to narrow the exclusion to the scheduled task. -->
<field name="win.eventdata.commandLine">"C:\\Program Files\\PowerShell\\7\\pwsh.exe" -ExecutionPolicy ByPass c:\\tools\\checkinloginonly.ps1</field>
</rule>
</group>