Microsoft Windows file-share auditing

[Costantino Davies]

I have a problem with Microsoft Windows file-share auditing, basically I created a rule with a decoder and through the ruletest it activates and goes directly to phase 3 triggering also the rule I wrote, the problem is that when I look on the dashboard, I see the logs but I don't see the rule activated because it is "intercepted" by the decoder windows_eventchannel, I tried to look for it but I can't find it and after a careful search I discovered that it is triggered by the rule wazuh/ruleset/rules/0575-win-base_rules. xml which is a rule, not a decoder! any advice?
this are the link that i've been searching the answer on:
https://groups.google.com/g/wazuh/c/i4oOe19YqME
https://github.com/wazuh/wazuh/issues/7651
https://documentation.wazuh.com/current/user-manual/ruleset/testing.html 

here is my decoder and rules that i designed

============================================================

DECODER
<decoder name="win_security_audit_log">
<prematch>(?s)EventID: 5145.*data\.win\.eventdata\.accessMask.*data\.win\.system\.providerName</prematch>
<regex>Object Type:\s+([A-Za-z]+)\s+Source Address:\s+([\d.]+)\s+Source Port:\s+(\d+)\s+Share Name:\\\\(.+?)\\(.+?)\s+Share Path:\\\\(.+?)\\(.+?)\\(.+?)\s+Relative Target Name:\\\\(.+?)\s+Access Mask:\s+(0x[A-Fa-f0-9]+)</regex>
<order>objectType, ipAddress, ipPort, shareName, shareLocalPath, relativeTargetName, accessMask</order>
</decoder>

===========================================================

RULES
<group name="access_mask_values">
<rule id="11001" level="5">
<decoded_as>json</decoded_as>
<field name="win.eventdata.accessMask">\.*0x110080\.*</field>
<description>DELETE/SYNCHRONIZE/ReadAttributes</description>
</rule>
 <rule id="11002" level="5">
<decoded_as>json</decoded_as>
<field name="win.eventdata.accessMask">\.*0x80\.*</field>
<description>ReadAttributes</description>
</rule>
 <rule id="11003" level="5">
<decoded_as>json</decoded_as>
<field name="win.eventdata.accessMask">\.*0x20080\.*</field>
<description>Read_control</description>
</rule>
 <rule id="11004" level="5">
<decoded_as>json</decoded_as>
<field name="win.eventdata.accessMask">\.0x120089*\.*</field>
<description>READ_CONTROL/SYNCHRONIZE/ReadData (or ListDirectory)/ReadEA/ReadAttributes</description>
</rule>
 <rule id="11005" level="5">
<decoded_as>json</decoded_as>
<field name="win.eventdata.accessMask">\.*0x16019F\.*</field>
<description>READ_CONTROL/WRITE_DAC/SYNCHRONIZE/ReadData (or ListDirectory)/WriteData (or AddFile)/AppendData (or AddSubdirectory or CreatePipeInstance)/ReadEA/WriteEA/ReadAttributes/WriteAttributes</description>
</rule>
 <rule id="11006" level="5">
<decoded_as>json</decoded_as>
<field name="win.eventdata.accessMask">\.*0x4\.*</field>
<description>AppendData (or AddSubdirectory ore)</description>
</rule>
 <rule id="11007" level="5">
<decoded_as>json</decoded_as>
<field name="win.eventdata.accessMask">\.*0x100080\.*</field>
<description>SYNCHRONIZE/ReadAttributes</description>
</rule>
 <rule id="11008" level="5">
<decoded_as>json</decoded_as>
<field name="win.eventdata.accessMask">\.*0x100081\.*</field>
<description>SYNCHRONIZE/ReadData (or ListDirectory)/ReadAttributes</description>
</rule>
 <rule id="11009" level="5">
<decoded_as>json</decoded_as>
<field name="win.eventdata.accessMask">0x17019b</field>
<description>DELETE/READ_CONTROL/WRITE_DAC/SYNCHRONIZE/ReadData (or ListDirectory)/WriteData (or AddFile)/ReadEA/WriteEA/ReadAttributes/WriteAttributes</description>
</rule>
 <rule id="11010" level="5">
<decoded_as>json</decoded_as>
<field name="win.eventdata.accessMask">\.*0x17019b\.*</field>
<description>ReadData (or ListDirectory)</description>
</rule>
</group>

=========================================================================
here is a log example:

{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"5145","version":"0","level":"0","task":"12811","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-03-11T16:17:49.6695197Z","eventRecordID":"97684","processID":"4","threadID":"5480","channel":"Security","computer":"WIN-V54Q7HIHJ2B.local.com","severityValue":"AUDIT_SUCCESS","message":"\"A network share object was checked to see whether client can be granted desired access.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-825165689-1151723712-911292549-1111\r\n\tAccount Name:\t\tgiggi\r\n\tAccount Domain:\t\tLOCAL\r\n\tLogon ID:\t\t0x4E934D\r\n\r\nNetwork Information:\t\r\n\tObject Type:\t\tFile\r\n\tSource Address:\t\t192.168.124.1\r\n\tSource Port:\t\t1129\r\n\t\r\nShare Information:\r\n\tShare Name:\t\t\\\\*\\Share\r\n\tShare Path:\t\t\\??\\C:\\Share\r\n\tRelative Target Name:\t\\\r\n\r\nAccess Request Information:\r\n\tAccess Mask:\t\t0x100080\r\n\tAccesses:\t\tSYNCHRONIZE\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\nAccess Check Results:\r\n\tSYNCHRONIZE:\tGranted by\tD:(A;;FA;;;WD)\r\n\t\t\t\tReadAttributes:\tGranted by\tD:(A;;FA;;;WD)\r\n\t\t\t\t\r\n\""},"eventdata":{"subjectUserSid":"S-1-5-21-825165689-1151723712-911292549-1111","subjectUserName":"Mike","subjectDomainName":"LOCAL","subjectLogonId":"0x4e934d","objectType":"File","ipAddress":"192.168.124.1","ipPort":"1129","shareName":"\\\\\\\\*\\\\Share","shareLocalPath":"\\\\??\\\\C:\\\\Share","relativeTargetName":"\\\\","accessMask":"0x100080","accessList":"%%1541      %%4423","accessReason":"%%1541: %%1801\\tD:(A;;FA;;;WD)      %%4423: %%1801\\tD:(A;;FA;;;WD)"}}}

[Rodolfo Arce Sannemann]

Hello Constantino

Events from the Windows Event Channel are not decoded as json; hence, the <decoded_as>json</decoded_as> won't work to make it a child rule.

You can use other XML tags, like <if_group>windows<if_group>, that will allow you to make child rules from it.

Regards.. R