Sysmon - Event 3: Network connection to 127.0.0.1


Viacheslav

Apr 10, 2024, 9:22:40 AM
to Wazuh | Mailing List
Hello, 
We receive thousands of logs from Sysmon: "Sysmon - Event 3: Network connection to 127.0.0.1:61379 by C:\\Program Files\\Lens\\Lens.exe"
How can I exclude this log?
I tried to create an exclusion in agent.conf but receive an error, so something is wrong there. Maybe someone can help with this? My "broken" exclusion is added below:
<localfile>
    <log_format>eventchannel</log_format>
    <query>Event[System[Provider[@Name='Microsoft-Windows-Sysmon'] and (EventID=3)]] and not (EventData[Data[@Name='DestinationIp'] and (Data='127.0.0.1')])</query>
</localfile>

J. Rome

Apr 10, 2024, 10:54:54 AM
to Wazuh | Mailing List
Hello Viacheslav,

Can you share the error message you're getting?

You could also specify the location to look into sysmon with:
<location>Microsoft-Windows-Sysmon/Operational</location>

Viacheslav

Apr 10, 2024, 3:02:36 PM
to Wazuh | Mailing List
Error on screenshot. 
The problem is with flooded Sysmon logs. I already excluded eventID = 4673 but don't know what to do with connections to localhost 127.0.0.1. We used docker/kuber and this software generates an enormous number of logs in Sysmon. Ofc I can just shut down all Sysmon - Event 3 logs using <query></query>, but I really don't want to, and hope someone can help me :)
2024-04-10 215323.png

J. Rome

Apr 11, 2024, 8:05:55 AM
to Wazuh | Mailing List
Hi again,

The error says that the <location> tag is missing. Have you tried adding it? As in:
<location>Microsoft-Windows-Sysmon/Operational</location>

Viacheslav

Apr 11, 2024, 9:32:51 AM
to Wazuh | Mailing List

Hello, 

Added <location>Microsoft-Windows-Sysmon/Operational</location>, so the rule looks like:

<localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
    <query>Event[System[Provider[@Name='Microsoft-Windows-Sysmon'] and (EventID=3)]] and not (EventData[Data[@Name='DestinationIp'] and (Data='127.0.0.1')])</query>
</localfile>

No errors, but now I don’t receive all sysmon event 3 logs, not only DestinationIp='127.0.0.1'

Looks like Wazuh doesn't understand the part after EventID=3

Tried and not (EventData[Data[@Name='DestinationIp'] and (Data='127.0.0.1')])

Tried and (EventData[Data[@Name='DestinationIp'] and (Data='127.0.0.1')])

With the same result.

Thanks for your help.

J. Rome

Apr 15, 2024, 1:11:25 PM
to Wazuh | Mailing List

Hi Viacheslav, sorry for the delay in getting back to you.

Could you try the following configuration to check that you're getting events with the expected id?

<localfile>
        <location>Microsoft-Windows-Sysmon/Operational</location>
        <log_format>eventchannel</log_format>
        <query>Event[System/EventID = 3]</query>
</localfile>

By the way, have you seen this blog post on how to set up Sysmon? https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/

Also, can you share with us one of the original events you want to filter (the xml or json logged event) and your ossec.log file? (please hide any sensitive data)

Thank you.





Viacheslav

Apr 16, 2024, 4:51:56 AM
to Wazuh | Mailing List

Hello,

Your rule:

<localfile>
        <location>Microsoft-Windows-Sysmon/Operational</location>
        <log_format>eventchannel</log_format>
        <query>Event[System/EventID = 3]</query>
</localfile>

does nothing; to suppress all EventID = 3 you must change the <query> part to:

<query>Event/System[EventID != 3]</query>

With the lack of documentation, I tried a lot of different variants, and this looks like the best.

But problems begin when you need to specify not all EventID = 3 but EventID = 3 + IP (127.0.0.1)

Ofc you can silence this event using a rule with level = 0, but I don't need to store hundreds of billions of events on the server (one PC with Kubernetes generates ~1000-2000 events per 10 sec).

Maybe there is some way to ignore all events from Programs\\\\Lens\\\\Lens.exe, if this is possible.

Original message added:

{"true":1713256214.809649,"timestamp":"2024-04-16T08:30:14.794+0000","rule":{"level":3,"description":"Sysmon - Event 3: Network connection to 127.0.0.1:65503 by C:\\\\Users\\\\ \\\\AppData\\\\Local\\\\Programs\\\\Lens\\\\Lens.exe","id":"61605","firedtimes":39125,"mail":false,"groups":["windows","sysmon","sysmon_event3"]},"agent":{"id":"013","name":"sb159","ip":"10.14.2.26","labels":{"customer":"zaritskyi"}},"manager":{"name":"wazuhserver"},"id":"1713256214.2278996538","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-04-16T08:30:13.5386528Z","eventRecordID":"798566980","processID":"5204","threadID":"5432","channel":"Microsoft-Windows-Sysmon/Operational","computer":"","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: -\r\nUtcTime: 2024-04-16 08:30:15.770\r\nProcessGuid: {c3656c19-cd33-661c-7424-00000000b101}\r\nProcessId: 7772\r\nImage: C:\\Users\\ \\AppData\\Local\\Programs\\Lens\\Lens.exe\r\nUser: IT\\ \r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 127.0.0.1\r\nSourceHostname: sb159.it.ua\r\nSourcePort: 58475\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 127.0.0.1\r\nDestinationHostname: sb159.it.ua\r\nDestinationPort: 65503\r\nDestinationPortName: -\""},"eventdata":{"utcTime":"2024-04-16 08:30:15.770","processGuid":"{c3656c19-cd33-661c-7424-00000000b101}","processId":"7772","image":"C:\\\\Users\\\\ \\\\AppData\\\\Local\\\\Programs\\\\Lens\\\\Lens.exe","user":"","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"127.0.0.1","sourceHostname":"","sourcePort":"58475","destinationIsIpv6":"false","destinationIp":"127.0.0.1","destinationHostname":"","destinationPort":"65503"}}},"location":"EventChannel"}



J. Rome

Apr 16, 2024, 4:17:21 PM
to Wazuh | Mailing List
Could you please provide the original XML event before it goes through any filters, as well as the ossec.log file? This will help ensure that everything is being captured correctly. Also, could you send it in debug mode? Thank you!

Viacheslav

Apr 17, 2024, 5:19:37 AM
to Wazuh | Mailing List
Hello, I can't provide the XML from the OS with this event, but I added the JSON from discovery. Which ossec.log do you need, from the server or the agent? And is debug mode controlled from /var/ossec/etc/internal_options.conf? If yes, what do you need, windows.debug=2 or something else? Maybe you can say whether someone has tried to create the same type of rule for suppressing agent logs? Maybe not for IP but for process_image? It looks like a common task from my perspective, but I am more experienced with commercial solutions :(
log.txt

J. Rome

Apr 17, 2024, 11:59:52 AM
to Wazuh | Mailing List
Hello again,

Using this tool xml as example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
        <EventID>3</EventID>
        <Version>5</Version>
        <Level>4</Level>
        <Task>3</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-04-28T22:12:23.657698300Z" />
        <EventRecordID>10953</EventRecordID>
        <Correlation />
        <Execution ProcessID="3216" ThreadID="3976" />
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>rfsH.lab.local</Computer>
        <Security UserID="S-1-5-18" />
    </System>
    <EventData>
        <Data Name="RuleName">RDP</Data>
        <Data Name="UtcTime">2017-04-28 22:12:22.557</Data>
        <Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-00102F345D00}</Data>
        <Data Name="ProcessId">13220</Data>
        <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
        <Data Name="User">LAB\rsmith</Data>
        <Data Name="Protocol">tcp</Data>
        <Data Name="Initiated">true</Data>
        <Data Name="SourceIsIpv6">false</Data>
        <Data Name="SourceIp">192.168.1.250</Data>
        <Data Name="SourceHostname">rfsH.lab.local</Data>
        <Data Name="SourcePort">3328</Data>
        <Data Name="SourcePortName">-</Data>
        <Data Name="DestinationIsIpv6">false</Data>
        <Data Name="DestinationIp">127.0.0.1</Data>
        <Data Name="DestinationHostname">lab-sc-100</Data>
        <Data Name="DestinationPort">3389</Data>
        <Data Name="DestinationPortName">ms-wbt-server</Data>
    </EventData>
</Event>

And a tool to test the xpath query (you can search for one googling for freeformatter XPath Tester - Evaluator, for example), it looks like there's a mistake in the query after all.

Could you try this updated version?


<localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
    <query>Event[System[Provider[@Name='Microsoft-Windows-Sysmon'] and (EventID=3)]] and not (Event/EventData/Data[@Name='DestinationIp' and .='127.0.0.1'])</query>
</localfile>

Hope this works!

Viacheslav

Apr 18, 2024, 2:43:47 AM
to Wazuh | Mailing List
Hello, thanks for your help, you tried :) Same with this rule. As the Wazuh agent drops all Sysmon events when I try to use this kind of rule, I assume that the agent just doesn't read the whole rule and stops catching Sysmon after it finds Event[System[Provider[@Name='Microsoft-Windows-Sysmon']
I'm ready to drop this task and will continue from the Sysmon side.
Still, I'm ready to test any variation of this rule :)
Thanks for help. 
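
Added example, not part of the thread and not Wazuh or Sysmon project code: the last post moves the filtering to the Sysmon side, so this is one way to write that exclusion in a Sysmon configuration so the events are never generated on the endpoint. The schemaversion value and the `\Lens\Lens.exe` suffix match are assumptions; the fragment is meant to be merged into an existing configuration, not loaded on its own.

```xml
<!-- Added example. schemaversion is an assumption: use the value that
     "sysmon -s" reports for the installed Sysmon build. -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 3 (NetworkConnect): log everything except what matches below. -->
      <NetworkConnect onmatch="exclude">
        <!-- groupRelation="and": BOTH conditions must hold, so only
             loopback connections made by Lens.exe are dropped.
             Without the Rule wrapper the two fields would be OR'ed,
             which would drop every connection to 127.0.0.1 from any
             process and every connection Lens.exe makes anywhere. -->
        <Rule name="Lens loopback noise" groupRelation="and">
          <!-- Suffix match covers both install paths seen in the thread:
               C:\Program Files\Lens\Lens.exe and
               C:\Users\...\AppData\Local\Programs\Lens\Lens.exe -->
          <Image condition="end with">\Lens\Lens.exe</Image>
          <DestinationIp condition="is">127.0.0.1</DestinationIp>
        </Rule>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

The merged file is applied with `sysmon -c <config file>`. Because the AppData install path is user-writable, a suffix match on Image is a weaker guarantee than a full path, which is why the rule is also tied to the loopback destination instead of excluding the process outright.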