Bug in Windows ossec-agent: Windows event ID 4664 is misread.


InfoSec

Mar 31, 2017, 12:07:58 PM3/31/17
to Wazuh mailing list
Agent is running in debug 2 mode.

In the agent debug log, event ID: 4664 is read by the agent as:

2017 Mar 30 10:59:52 WinEvtLog: Security: AUDIT_SUCCESS(4664): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: An attempt was made to create a hard link.    Subject:   Account Name:  S-1-5-18   Account Name:  XXXXXXX$   Account Domain:  XXXXXXXXX   Logon ID:  0x3E7    Link Information:   File Name: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7967.57601.0_x64__8wekyb3d8bbwe\images\1851_32x32x32.png   Link Name: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7967.57661.0_x64__8wekyb3d8bbwe\images\1851_32x32x32.png   Transaction ID: {00000000-0000-0000-0000-000000000000}

The first Account Name (in red above) following Subject: should have been: Security ID.

Remainder of event is read correctly.

Pedro Sanchez

Apr 3, 2017, 5:31:50 AM4/3/17
to InfoSec, Wazuh mailing list
Hi Jahchan,

I think your issue is related to this ossec-list email thread: https://groups.google.com/forum/#!topic/ossec-list/GnA9qGZw9MU, isn't it?

Brief summary, correct me if I am wrong:
AppLocker (or other) events contain, for example, a useful block of information called "UserData" which is not being fetched/sent by OSSEC. The same behavior could apply to other events or channels; it could be related to the way OSSEC is getting those events (WMI, eventlog, eventchannel). In your case there is a "Security ID" field that OSSEC is not extracting.

Am I right? I think that could be strictly related to how OSSEC parses the WinEvtLog: https://github.com/wazuh/wazuh/blob/master/src/logcollector/read_win_event_channel.c#L738-L745

I think we will need to expand that schema, not only getting the well-known fields such as: name, id, src, uid, computer, time_created, keywords and level.
I believe there is a specific moment when calling get_message where we specify which fields we are requesting from the EventChannel; that is why not all the fields present on the original events are being fetched by OSSEC.


I'll take a look into it, maybe some other users could bring some light here.

Regards,
Pedro.



Jahchan, Georges J.

Apr 3, 2017, 6:17:50 AM4/3/17
to Pedro Sanchez, Wazuh mailing list

Hello Pedro,

This issue is unique to security event ID 4664. Most other security events have the exact same fields, and Subject: Security ID: field is correctly labeled as such by the agent.

As far as I can tell, apart from the missing fields reported earlier, no other security events exhibited a behavior similar to event ID 4664 (a mislabeled field). Fields may not be logged in agent output, but none are labeled as something else.

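One way to settle where the duplicated "Account Name" label comes from is to compare, on the Windows host itself, the provider's own message template for event 4664 with the raw EventData the agent receives. The script below is an added example, not code from this thread or from the Wazuh/OSSEC project; it assumes it is run in an elevated PowerShell session on the agent host, and the `fsutil hardlink create` hint is only a way to generate a test event when none is present. If the template already shows "Account Name" twice under Subject, the agent is rendering faithfully and the fix belongs in the decoder; if the template shows "Security ID", the agent's rendering path is at fault.

```powershell
# Added example (not from the thread or the Wazuh project): check whether the
# mislabeled "Security ID" in event 4664 originates in Windows' own message
# template or in the agent's rendering. Run elevated on the agent host.

$provider = 'Microsoft-Windows-Security-Auditing'

# 1. The message template Windows uses to render 4664 (all versions of the event).
#    This is what FormatMessage expands; no event instance is needed to read it.
$meta = (Get-WinEvent -ListProvider $provider).Events | Where-Object { $_.Id -eq 4664 }
foreach ($m in $meta) {
    "=== Event 4664, version $($m.Version) ==="
    $m.Description      # rendered text with %1, %2 ... placeholders
    $m.Template         # XML template: the EventData field names (e.g. SubjectUserSid)
}

# 2. The most recent real 4664 instance, raw. EventData carries named fields
#    regardless of what label the rendered message attaches to them.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4664 } `
                    -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) {
    [xml]$xml = $evt.ToXml()
    "=== Raw EventData (name -> value) ==="
    $xml.Event.EventData.Data | Select-Object Name, '#text' | Format-Table -AutoSize

    # 3. The same event as Windows renders it, i.e. what the agent forwards.
    "=== Rendered message ==="
    $evt.Message
} else {
    Write-Warning ("No 4664 events found. Enable 'Audit File System' and create a " +
                   "hard link (fsutil hardlink create <new> <existing>) to generate one.")
}
```

In the raw EventData the subject SID is the field named `SubjectUserSid` and the account is `SubjectUserName`, so a decoder keyed on those names (or on the `S-1-5-...` SID syntax) is unaffected by whatever the rendered message calls them; only decoders that key on the rendered label are broken by the duplicate.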