Change rule-level of a default rule for a specific pattern


khaled helal

Dec 22, 2022, 2:39:08 AM12/22/22
to Wazuh mailing list
Hello,
For the last 3 days I have been trying to edit the rule level and rule.id of a default rule, "sysmon_eid11_detections", with rule.id "92204" and MITRE T1105, for a specific pattern "C:\\Windows\\system32\\cleanmgr.exe" in my customized rule file "sysmon.xml", from rule.level "15" to "6" and rule.id from "92204" to "101116". But nothing has changed.
Please, can anyone help?

<group name="sysmon_eid11_detections,">
  <rule id="101116" level="6">
    <if_sid>92204</if_sid>
    <if_group>sysmon_eid11_detections</if_group>
    <field name="data.win.eventdata.image">^C:\\Windows\\system32\\cleanmgr.exe</field>
    <description>Executable file dropped in folder commonly used by malware.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
</group>

Juan Cabrera

Dec 22, 2022, 5:37:47 AM12/22/22
to Wazuh mailing list

Hello khaled,

I need some more information to be able to help you.

- What version of Wazuh are you using?
- Could you paste me the log you want to match with this new rule?

So I can test it and give you an answer.

Regards,
Juan Cabrera

khaled helal

Dec 22, 2022, 7:18:08 AM12/22/22
to Wazuh mailing list
Hello Juan,
Thank you for your response.

- Wazuh app version: 4.3.10, and that Wazuh app is for Kibana 7.17.6
- This is the full log:
full_log:
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"11","version":"2","level":"4","task":"11","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-12-22T08:22:01.8738755Z","eventRecordID":"1514725","processID":"5820","threadID":"8372","channel":"Microsoft-Windows-Sysmon/Operational","computer":"Khaled-Helal","severityValue":"INFORMATION","message":"\"File created:\r\nRuleName: DLL\r\nUtcTime: 2022-12-22 08:22:01.873\r\nProcessGuid: {6c5c177c-13a7-63a4-480f-000000008f00}\r\nProcessId: 11056\r\nImage: C:\\Windows\\system32\\cleanmgr.exe\r\nTargetFilename: C:\\Users\\KHALED~1.HEL\\AppData\\Local\\Temp\\73802D92-8DF7-458B-886C-10202D62EF0C\\WimProvider.dll\r\nCreationUtcTime: 2022-12-22 08:22:01.872\r\nUser: STP\\khaled.helal\""},"eventdata":{"ruleName":"DLL","utcTime":"2022-12-22 08:22:01.873","processGuid":"{6c5c177c-13a7-63a4-480f-000000008f00}","processId":"11056","image":"C:\\\\Windows\\\\system32\\\\cleanmgr.exe","targetFilename":"C:\\\\Users\\\\KHALED~1.HEL\\\\AppData\\\\Local\\\\Temp\\\\73802D92-8DF7-458B-886C-10202D62EF0C\\\\WimProvider.dll","creationUtcTime":"2022-12-22 08:22:01.872","user":"STP\\\\khaled.helal"}}}

- and here is some more info:
rule.description: Executable file dropped in folder commonly used by malware.
rule.groups: sysmon_eid11_detections
rule.id: 92204
rule.level: 15

- and this is the default rule with rule id 92204:

<group name="sysmon_eid11_detections,">
  <rule id="92204" level="15">
    <if_group>sysmon_event_11</if_group>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.(exe|bin|dll|vbs|bat|js)</field>

    <description>Executable file dropped in folder commonly used by malware.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
</group>

Regards,
Khaled Helal

Juan Cabrera

Dec 22, 2022, 9:26:14 AM12/22/22
to Wazuh mailing list

Hello Khaled,

There are a couple of changes to be made:

  • On the one hand, the field name should not carry the data. part; it should be only win.eventdata.image.
  • On the other hand, it is necessary to escape the backslashes in the regex.

If this is changed in the rule it would be:

<group name="sysmon_eid11_detections,">
  <rule id="101116" level="6">
    <if_sid>92204</if_sid>
    <if_group>sysmon_eid11_detections</if_group>
    <field name="win.eventdata.image">^C:\\\\Windows\\\\system32\\\\cleanmgr.exe</field>
    <description>Executable file dropped in folder commonly used by malware.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
</group>

You can see the output:

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"11","version":"2","level":"4","task":"11","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-12-22T08:22:01.8738755Z","eventRecordID":"1514725","processID":"5820","threadID":"8372","channel":"Microsoft-Windows-Sysmon/Operational","computer":"Khaled-Helal","severityValue":"INFORMATION","message":"\"File created:\r\nRuleName: DLL\r\nUtcTime: 2022-12-22 08:22:01.873\r\nProcessGuid: {6c5c177c-13a7-63a4-480f-000000008f00}\r\nProcessId: 11056\r\nImage: C:\\Windows\\system32\\cleanmgr.exe\r\nTargetFilename: C:\\Users\\KHALED~1.HEL\\AppData\\Local\\Temp\\73802D92-8DF7-458B-886C-10202D62EF0C\\WimProvider.dll\r\nCreationUtcTime: 2022-12-22 08:22:01.872\r\nUser: STP\\khaled.helal\""},"eventdata":{"ruleName":"DLL","utcTime":"2022-12-22 08:22:01.873","processGuid":"{6c5c177c-13a7-63a4-480f-000000008f00}","processId":"11056","image":"C:\\\\Windows\\\\system32\\\\cleanmgr.exe","targetFilename":"C:\\\\Users\\\\KHALED~1.HEL\\\\AppData\\\\Local\\\\Temp\\\\73802D92-8DF7-458B-886C-10202D62EF0C\\\\WimProvider.dll","creationUtcTime":"2022-12-22 08:22:01.872","user":"STP\\\\khaled.helal"}}}

**Phase 1: Completed pre-decoding.
    full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"11","version":"2","level":"4","task":"11","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-12-22T08:22:01.8738755Z","eventRecordID":"1514725","processID":"5820","threadID":"8372","channel":"Microsoft-Windows-Sysmon/Operational","computer":"Khaled-Helal","severityValue":"INFORMATION","message":"\"File created:\r\nRuleName: DLL\r\nUtcTime: 2022-12-22 08:22:01.873\r\nProcessGuid: {6c5c177c-13a7-63a4-480f-000000008f00}\r\nProcessId: 11056\r\nImage: C:\\Windows\\system32\\cleanmgr.exe\r\nTargetFilename: C:\\Users\\KHALED~1.HEL\\AppData\\Local\\Temp\\73802D92-8DF7-458B-886C-10202D62EF0C\\WimProvider.dll\r\nCreationUtcTime: 2022-12-22 08:22:01.872\r\nUser: STP\\khaled.helal\""},"eventdata":{"ruleName":"DLL","utcTime":"2022-12-22 08:22:01.873","processGuid":"{6c5c177c-13a7-63a4-480f-000000008f00}","processId":"11056","image":"C:\\\\Windows\\\\system32\\\\cleanmgr.exe","targetFilename":"C:\\\\Users\\\\KHALED~1.HEL\\\\AppData\\\\Local\\\\Temp\\\\73802D92-8DF7-458B-886C-10202D62EF0C\\\\WimProvider.dll","creationUtcTime":"2022-12-22 08:22:01.872","user":"STP\\\\khaled.helal"}}}'

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.creationUtcTime: '2022-12-22 08:22:01.872'
    win.eventdata.image: 'C:\\Windows\\system32\\cleanmgr.exe'
    win.eventdata.processGuid: '{6c5c177c-13a7-63a4-480f-000000008f00}'
    win.eventdata.processId: '11056'
    win.eventdata.ruleName: 'DLL'
    win.eventdata.targetFilename: 'C:\\Users\\KHALED~1.HEL\\AppData\\Local\\Temp\\73802D92-8DF7-458B-886C-10202D62EF0C\\WimProvider.dll'
    win.eventdata.user: 'STP\\khaled.helal'
    win.eventdata.utcTime: '2022-12-22 08:22:01.873'
    win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
    win.system.computer: 'Khaled-Helal'
    win.system.eventID: '11'
    win.system.eventRecordID: '1514725'
    win.system.keywords: '0x8000000000000000'
    win.system.level: '4'
    win.system.message: '"File created:
RuleName: DLL
UtcTime: 2022-12-22 08:22:01.873
ProcessGuid: {6c5c177c-13a7-63a4-480f-000000008f00}
ProcessId: 11056
Image: C:\Windows\system32\cleanmgr.exe
TargetFilename: C:\Users\KHALED~1.HEL\AppData\Local\Temp\73802D92-8DF7-458B-886C-10202D62EF0C\WimProvider.dll
CreationUtcTime: 2022-12-22 08:22:01.872
User: STP\khaled.helal"'
    win.system.opcode: '0'
    win.system.processID: '5820'
    win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
    win.system.providerName: 'Microsoft-Windows-Sysmon'
    win.system.severityValue: 'INFORMATION'
    win.system.systemTime: '2022-12-22T08:22:01.8738755Z'
    win.system.task: '11'
    win.system.threadID: '8372'
    win.system.version: '2'

**Phase 3: Completed filtering (rules).
    id: '101116'
    level: '6'
    description: 'Executable file dropped in folder commonly used by malware.'
    groups: '['sysmon_eid11_detections']'
    firedtimes: '1'
    mail: 'False'
    mitre.id: '['T1105']'
    mitre.tactic: '['Command and Control']'
    mitre.technique: '['Ingress Tool Transfer']'
**Alert to be generated.

Regards,
Juan Cabrera
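
Why the first version of the rule never fired, as an added example that is not part of the thread or of Wazuh itself. The script below re-implements, in a deliberately small way, the two steps that matter: the JSON decoder flattening the event into dotted field names (no data. prefix; that prefix only exists in the indexed alert the dashboard shows), and a <field> pattern being evaluated as an OS_Regex, Wazuh's own dialect, in which "\\" means one literal backslash. Only that subset of OS_Regex is handled, and the parent rule's pcre2 pattern is run through Python's re module on the assumption that the two dialects agree for this pattern. The sample event is the one posted above, trimmed to the fields used.

```python
r"""Why the first version of rule 101116 never fired (added example, not Wazuh code).

Two parts of the analysisd pipeline are mimicked here:
  1. the json decoder flattens the event into dotted field names such as
     win.eventdata.image (the "data." prefix only appears in the indexed alert);
  2. a <field> pattern is an OS_Regex, where "\\" stands for ONE literal
     backslash, "." is any character and "^" anchors at the start.
Only that subset of OS_Regex is handled; rule 92204's pcre2 pattern is used
unchanged with Python's re module (assumed equivalent for this pattern).
"""
import json
import re

# Sysmon event ID 11 from the thread, trimmed to the fields used below.  Each
# path separator inside eventdata is still TWO literal backslashes after JSON
# decoding, exactly as the logtest "Phase 2" output shows.
SAMPLE_EVENT = r'''{"win":{"system":{"eventID":"11",
"channel":"Microsoft-Windows-Sysmon/Operational"},
"eventdata":{"image":"C:\\\\Windows\\\\system32\\\\cleanmgr.exe",
"targetFilename":"C:\\\\Users\\\\KHALED~1.HEL\\\\AppData\\\\Local\\\\Temp\\\\73802D92-8DF7-458B-886C-10202D62EF0C\\\\WimProvider.dll"}}}'''


def flatten(obj, prefix=""):
    """Flatten nested JSON into {"win.eventdata.image": "..."} like the json decoder."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            fields.update(flatten(value, name))
        else:
            fields[name] = str(value)
    return fields


def decode(raw_event):
    return flatten(json.loads(raw_event))


def osregex_to_python(pattern):
    """Translate the OS_Regex subset used here into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # "\\" is one literal backslash, "\." a literal dot; \w \d \s keep their meaning
            out.append(r"\\" if nxt == "\\" else ("\\." if nxt == "." else "\\" + nxt))
            i += 2
        else:
            out.append(ch if ch in "^$." else re.escape(ch))
            i += 1
    return "".join(out)


def field_matches(fields, field_name, pattern):
    """Evaluate one <field name="...">pattern</field> condition."""
    value = fields.get(field_name)
    if value is None:  # unknown field name: the condition can never be true
        return False
    return re.search(osregex_to_python(pattern), value) is not None


# The field condition as first posted, with only the name fixed, and fully fixed.
ORIGINAL = ("data.win.eventdata.image", r"^C:\\Windows\\system32\\cleanmgr.exe")
NAME_ONLY = ("win.eventdata.image", r"^C:\\Windows\\system32\\cleanmgr.exe")
FIXED = ("win.eventdata.image", r"^C:\\\\Windows\\\\system32\\\\cleanmgr.exe")

# Parent rule 92204's pcre2 pattern, as posted in the thread.
PARENT_PCRE2 = r"(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.(exe|bin|dll|vbs|bat|js)"


def compare_conditions(fields):
    """Which of the three field conditions would match this event."""
    return {label: field_matches(fields, name, pat)
            for label, (name, pat) in
            (("original", ORIGINAL), ("name_only", NAME_ONLY), ("fixed", FIXED))}


def evaluate(fields, child=FIXED):
    """Parent/child evaluation: when the child fires it replaces the parent's
    alert, which is how the level-15 alert becomes level 6 for this one image."""
    if not re.search(PARENT_PCRE2, fields.get("win.eventdata.targetFilename", "")):
        return None
    alert = {"id": "92204", "level": 15}
    if field_matches(fields, *child):
        alert = {"id": "101116", "level": 6}
    return alert


if __name__ == "__main__":
    fields = decode(SAMPLE_EVENT)
    print(fields["win.eventdata.image"])
    print(compare_conditions(fields))
    print("original child ->", evaluate(fields, ORIGINAL))
    print("fixed child    ->", evaluate(fields))
```

Both corrections are needed: with the right field name but the single-escaped pattern, the regex consumes one backslash and then expects "W" where the event still has a second backslash, so the child never fires and the level-15 parent alert stands.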

khaled helal

Dec 22, 2022, 9:55:39 AM12/22/22
to Wazuh mailing list
Hello Juan,
Thank you for your fast response.

I am trying the rule that you changed, testing it in the ruleset test, but it replies with this and still doesn't work:

**Messages:
    WARNING: (7003): '0efaa7f6' token expires
    INFO: (7202): Session initialized with token 'fa18e5ba'

**Phase 1: Completed pre-decoding.
    full event: '<group name="sysmon_eid11_detections,">'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: '   <rule id="101116" level="6">'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: '    <if_sid>92204</if_sid>'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: '    <if_group>sysmon_eid11_detections</if_group>    '

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: '        <field name="win.eventdata.image">^C:\\\\Windows\\\\system32\\\\cleanmgr.exe</field>'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: '        <description>Executable file dropped in folder commonly used by malware.</description>'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: '    <mitre>'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: '      <id>T1105</id>'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: '    </mitre>'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: '  </rule>'

**Phase 2: Completed decoding.
    No decoder matched.

**Phase 1: Completed pre-decoding.
    full event: '</group>'

**Phase 2: Completed decoding.
    No decoder matched.

Juan Cabrera

Dec 23, 2022, 6:29:40 AM12/23/22
to Wazuh mailing list

Hi,

The rule must be written in the file /var/ossec/etc/rules/local_rules.xml. After this, restart the manager to apply the changes.

The logtest tool is used to test logs and check which rule is matched.

Regards!
Juan Cabrera
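
The procedure from the reply above (rule into local_rules.xml, restart, then feed the log to logtest), as an added example that is not code from the thread or from Wazuh. It assumes the manager's rule file is /var/ossec/etc/rules/local_rules.xml and the tester is /var/ossec/bin/wazuh-logtest (both are parameters so the checks can run on a scratch copy), that custom rule IDs belong in 100000 to 120000 as the Wazuh ruleset documentation requires, and that wazuh-logtest reads one event per line from stdin. The checks it performs before the restart are the ones that would have caught the two mistakes discussed in the thread and a third that stops the manager from starting at all: a rule file that is not well-formed XML.

```python
"""Install rule 101116 in local_rules.xml and sanity-check it before restarting.

Added example, not code from the thread or from Wazuh.  Assumed paths and
conventions: /var/ossec/etc/rules/local_rules.xml, /var/ossec/bin/wazuh-logtest,
custom rule IDs in 100000-120000, one event per stdin line for wazuh-logtest.
"""
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

RULES_FILE = Path("/var/ossec/etc/rules/local_rules.xml")   # assumed manager layout
LOGTEST_BIN = Path("/var/ossec/bin/wazuh-logtest")          # assumed manager layout
CUSTOM_ID_RANGE = range(100000, 120001)                     # per Wazuh ruleset docs

# The corrected rule from the thread.
RULE_101116 = r'''<group name="sysmon_eid11_detections,">
  <rule id="101116" level="6">
    <if_sid>92204</if_sid>
    <if_group>sysmon_eid11_detections</if_group>
    <field name="win.eventdata.image">^C:\\\\Windows\\\\system32\\\\cleanmgr.exe</field>
    <description>Executable file dropped in folder commonly used by malware.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
</group>
'''


def append_rule(rules_file, rule_xml):
    """Append a rule block to the rules file (the file may hold several <group>s)."""
    rules_file = Path(rules_file)
    existing = rules_file.read_text() if rules_file.exists() else ""
    sep = "" if not existing or existing.endswith("\n") else "\n"
    rules_file.write_text(existing + sep + rule_xml)


def check_rules_file(rules_file):
    """Return a list of problems; an empty list means the file is safe to load."""
    problems = []
    text = Path(rules_file).read_text()
    try:
        # Wazuh rule files may contain several top-level <group> elements,
        # so wrap them in a synthetic root for the XML parser.
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    seen = set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None or not rid.isdigit():
            problems.append("rule without a numeric id")
            continue
        if int(rid) not in CUSTOM_ID_RANGE:
            problems.append(f"rule {rid}: id outside the custom range 100000-120000")
        if rid in seen:
            problems.append(f"rule {rid}: duplicate id in this file")
        seen.add(rid)
        for field in rule.findall("field"):
            if (field.get("name") or "").startswith("data."):
                problems.append(f"rule {rid}: field name carries the 'data.' alert prefix")
    return problems


def run_logtest(event_json, logtest_bin=LOGTEST_BIN):
    """Feed the LOG (not the rule) to wazuh-logtest; return its output, or None
    when the binary is not available on this host."""
    if not Path(logtest_bin).exists():
        return None
    proc = subprocess.run([str(logtest_bin)], input=event_json + "\n",
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    append_rule(RULES_FILE, RULE_101116)
    for problem in check_rules_file(RULES_FILE):
        print("PROBLEM:", problem)
    # Next: restart the manager (systemctl restart wazuh-manager), then paste the
    # Sysmon event JSON into run_logtest() and look for id '101116', level '6'.
```

The well-formedness check runs on the whole file, not just the appended block, because analysisd loads local_rules.xml as one unit: a stray tag anywhere in it takes every custom rule down with it.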
