PowerShell commands monitoring


Gal Akavia

Jan 14, 2022, 4:57:35 PM
to Wazuh mailing list
Hi pros,
I set my environment to monitor PS events.
For example, I inserted the following command: ps> curl http://someFalseURL.bla
[screenshot: Capture.PNG]

As you can see in the picture above, what is the proper field to insert in the rule so that Wazuh recognizes I want to fire the rule each time this command is executed?
[screenshot: Capture1.PNG]

I don't think the rule I set below is working correctly:

<rule id="100535" level="10">
    <if_sid>60009</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-PowerShell$</field>
    <field name="win.eventdata.data">Invoke-WebRequest</field>
    <group>powershell,</group>
    <description>Powershell Information EventLog</description>
</rule>

I will be grateful for some help; I have many commands I want to monitor as above.

Thanks in advance :)

Emiliano Zorn

Jan 14, 2022, 5:48:24 PM
to Wazuh mailing list
Hi there! Hope you're doing well.

Our team has been working on creating rules for PowerShell; they will come with Wazuh 4.3.
https://github.com/wazuh/wazuh/blob/master/ruleset/rules/0915-win-powershell_rules.xml

Unfortunately, I can't help you by modifying the rule for you, but I can guide you.

I recommend you start filtering by the event; in this case, it would be 800.

If you can provide me the XML of the event, I will see how else I can help you.

You can also create your own rules according to your needs.
Useful Links:

Gal Akavia

Jan 15, 2022, 1:52:30 AM
to Wazuh mailing list
Glad to know :)
Sure Emiliano, I share 2 event logs as examples; big thanks in advance!

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{A0C1853B-5C40-4B15-8766-3CF1C58F985A}" />
    <EventID>4103</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>106</Task>
    <Opcode>20</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2022-01-14T22:18:55.021810600Z" />
    <EventRecordID>2748499</EventRecordID>
    <Correlation ActivityID="{0A7CF99F-C2C4-0001-E9AF-E50AC4C2D701}" />
    <Execution ProcessID="12660" ThreadID="8460" />
    <Channel>microsoft-windows-powershell/operational</Channel>
    <Computer>DC1.test.domain</Computer>
    <Security UserID="S-1-5-21-3890911477-1625004340-2957451748-****" />
  </System>
  <EventData>
    <Data Name="ContextInfo">Severity = Informational Host Name = ServerRemoteHost Host Version = 1.0.0.0 Host ID = 6020f27f-87b1-41bc-ba10-cd9c8e8721f9 Host Application = C:\Windows\system32\wsmprovhost.exe -Embedding Engine Version = 5.1.14409.1018 Runspace ID = 08f54d90-71e6-405d-adbf-cad52d91db1b Pipeline ID = 1 Command Name = Get-ItemProperty Command Type = Cmdlet Script Name = Command Path = Sequence Number = 42 User = TEST\demo Connected User =  TEST\demo Shell ID = Microsoft.PowerShell</Data>
    <Data Name="UserData" />
    <Data Name="Payload">CommandInvocation(Get-ItemProperty): "Get-ItemProperty" ParameterBinding(Get-ItemProperty): name="Path"; value="HKLM:\SYSTEM\CurrentControlSet\Services\Tssdis\Parameters" ParameterBinding(Get-ItemProperty): name="Name"; value="DBConnString" NonTerminatingError(Get-ItemProperty): "Property DBConnString does not exist at path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tssdis\Parameters."</Data>
  </EventData>
</Event>

** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** 

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="PowerShell" />
    <EventID Qualifiers="0">800</EventID>
    <Level>4</Level>
    <Task>8</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2022-01-15T06:46:12.000000000Z" />
    <EventRecordID>3387099</EventRecordID>
    <Channel>Windows PowerShell</Channel>
    <Computer>DC1.test.domain</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Invoke-Expression -Command whoami</Data>
    <Data>DetailSequence=1 DetailTotal=1 SequenceNumber=47 UserId= TEST\demo HostName=ConsoleHost HostVersion=5.1.14409.1018 HostId=632332e3-d55f-4217-aa94-f1e1934250f6 HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe EngineVersion=5.1.14409.1018 RunspaceId=779adf5c-3ee4-47ad-baac-4eeba50a2264 PipelineId=14 ScriptName= CommandLine=Invoke-Expression -Command whoami</Data>
    <Data>CommandInvocation(Invoke-Expression): "Invoke-Expression" ParameterBinding(Invoke-Expression): name="Command"; value="whoami"</Data>
  </EventData>
</Event>

** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** 

[screenshot: Capture.PNG]

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{A0C1853B-5C40-4B15-8766-3CF1C58F985A}" />
    <EventID>40962</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>4</Task>
    <Opcode>2</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2022-01-15T06:50:40.611398400Z" />
    <EventRecordID>2750663</EventRecordID>
    <Correlation ActivityID="{0A7CF99F-C2C4-0001-4CEE-E50AC4C2D701}" />
    <Execution ProcessID="13272" ThreadID="13660" />
    <Channel>microsoft-windows-powershell/operational</Channel>
    <Computer>DC1.test.domain</Computer>
    <Security UserID="S-1-5-21-3890911477-1625004340-2957451748-2106" />
  </System>
  <EventData />
</Event>
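The three events above show where the executed command actually lives: event 4103 carries it in the named Payload element as CommandInvocation(cmdlet), event 800 carries the typed text after CommandLine= in an unnamed Data element, and 40962 has no EventData at all. The following Python script is an added example (not code from this thread or from the Wazuh project) that parses constructed samples modelled on those events, pulls the command out of each, and checks it against a small watchlist; its purpose is to prototype the regex and the field choice before putting them into a rule. The watchlist, the sample strings and the regular expressions are my own assumptions. My understanding is that Wazuh exposes the named Data entries as win.eventdata.<name> with a lowercased first letter (e.g. win.eventdata.payload), which is where such a match would go in a rule; verify that field name against the Wazuh ruleset linked above before relying on it.

```python
"""Prototype of the PowerShell command check discussed in this thread.

Parses event 4103 (module logging, Payload field) and event 800
(pipeline execution, unnamed Data fields), extracts the executed
command and matches it against a watchlist. All samples, field
choices and regexes are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed watchlist: cmdlets plus the built-in aliases users type.
WATCHLIST = ("Invoke-WebRequest", "iwr", "curl", "wget",
             "Invoke-Expression", "iex")

# "CommandInvocation(<cmdlet>)" opens the 4103 Payload field.
CMD_INVOCATION = re.compile(r"CommandInvocation\(([^)]+)\)")
# "CommandLine=<typed text>" closes the second Data element of event 800.
CMD_LINE = re.compile(r"CommandLine=(.*)\Z", re.S)

# Constructed samples modelled on the events shared above (namespace
# omitted; the {*} wildcards below also accept the namespaced form).
EVENT_4103 = """<Event>
  <System><Provider Name="Microsoft-Windows-PowerShell" /><EventID>4103</EventID>
  <Channel>microsoft-windows-powershell/operational</Channel></System>
  <EventData>
    <Data Name="ContextInfo">Severity = Informational Host Name = ConsoleHost Command Name = Invoke-WebRequest Command Type = Cmdlet User = TEST\\demo</Data>
    <Data Name="UserData" />
    <Data Name="Payload">CommandInvocation(Invoke-WebRequest): "Invoke-WebRequest" ParameterBinding(Invoke-WebRequest): name="Uri"; value="http://someFalseURL.bla"</Data>
  </EventData>
</Event>"""

EVENT_800 = """<Event>
  <System><Provider Name="PowerShell" /><EventID Qualifiers="0">800</EventID>
  <Channel>Windows PowerShell</Channel></System>
  <EventData>
    <Data>Invoke-Expression -Command whoami</Data>
    <Data>DetailSequence=1 DetailTotal=1 SequenceNumber=47 UserId= TEST\\demo HostName=ConsoleHost CommandLine=Invoke-Expression -Command whoami</Data>
    <Data>CommandInvocation(Invoke-Expression): "Invoke-Expression" ParameterBinding(Invoke-Expression): name="Command"; value="whoami"</Data>
  </EventData>
</Event>"""

EVENT_40962 = """<Event>
  <System><Provider Name="Microsoft-Windows-PowerShell" /><EventID>40962</EventID></System>
  <EventData />
</Event>"""


def parse_event(xml_text):
    """Return (event_id, named Data fields as dict, unnamed Data fields as list)."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("{*}System/{*}EventID"))
    named, unnamed = {}, []
    for d in root.findall("{*}EventData/{*}Data"):
        text = (d.text or "").strip()
        if d.get("Name"):
            named[d.get("Name")] = text
        else:
            unnamed.append(text)
    return event_id, named, unnamed


def extract_command(xml_text):
    """Executed command for 4103/800 events, None for anything else.

    4103 reports the resolved cmdlet name (an alias such as curl shows up
    as Invoke-WebRequest); 800 reports the text the user actually typed.
    """
    event_id, named, unnamed = parse_event(xml_text)
    if event_id == 4103:
        m = CMD_INVOCATION.search(named.get("Payload", ""))
        return m.group(1) if m else None
    if event_id == 800:
        for field in unnamed:
            m = CMD_LINE.search(field)
            if m:
                return m.group(1).strip()
    return None


def watchlist_hit(command):
    """First watchlist entry appearing as a whole token in the command, else None."""
    if not command:
        return None
    tokens = {t.lower() for t in re.split(r"[\s|;(){}]+", command) if t}
    for entry in WATCHLIST:
        if entry.lower() in tokens:
            return entry
    return None


def evaluate(xml_text):
    """Summary a rule author can eyeball before writing the rule regex."""
    event_id, _, _ = parse_event(xml_text)
    command = extract_command(xml_text)
    return {"event_id": event_id, "command": command, "hit": watchlist_hit(command)}


if __name__ == "__main__":
    for sample in (EVENT_4103, EVENT_800, EVENT_40962):
        print(evaluate(sample))
```

The split between the two events is the practical point: a rule keyed on the typed alias (curl) only fires on event 800, while a rule keyed on the resolved cmdlet name (Invoke-WebRequest) is what event 4103 gives you, so a watchlist needs both forms or a match on the 4103 Payload.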

Emiliano Zorn

Jan 26, 2022, 6:46:13 PM
to Wazuh mailing list
Hello there!

I have been working on the rule for event 4103.

Try the following rule:

<rule id="200001" level="3">
    <if_sid>60009</if_sid>
    <field name="win.system.eventid">^4103$</field>
    <options>no_full_log</options>
    <description>PowerShell 4103: Executing Pipeline</description>
</rule>


However, we cannot yet make it more granular, because this is a modification of the log so that it can be captured by Wazuh.

Regards,
Emiliano Zorn.