custom Active Response on Windows

[dmitri munteanu]

Hi all,

I want to create an active response with shutdown the PC when is triggered a rule. 
I did the following, but doesn't work:

1. on a PC (C:\Program Files (x86)\ossec-agent\active-response\bin) created a script "shutdown.bat", containing:

    

@echo off
shutdown /s /f /t 0

2. on Wazuh Manager (/var/ossec/etc/ossec.conf) added:

  <command>
    <name>shutdown</name>
    <executable>shutdown.bat</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>shutdown</command>
    <location>local</location>
    <rules_id>109003</rules_id>
    <timeout>60</timeout>
  </active-response>

3. Restarted the Wazuh-Manager.
Alert "109003" triggered, but no shutdown of the PC.

[Chantal Belen Kelm]

Hello, how are you? Here is a link to the documentation on how to create a custom Active Response for windows, there are several points to check.
The configuration on the manager side should be something like this
 

<command>
    <name>shutdown</name>
    <executable>shutdown.bash</executable>

    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>

    <disabled>no</disabled>

    <command>shutdown</command>
    <location>local</location>
    <rules_id>109003</rules_id>

  </active-response>

Otherwise what you can try is to make it work with the example in the link which is a launcher, kind of intermediate app to run the python, you can make a python that turns off or modify the luncher.
You can also check what error message you get in the agent in the file C:\Program Files (x86)\ossec-agent-agent-active-response-responses if you have something there, it is because the Active Response was triggered but for something could not run the .bash

I will be here waiting for your answer!

Regards!!!

[dmitri]

Hi Chantal Belen Kelm, 
Isn't working any of this...

[Chantal Belen Kelm]

Hello, how are you? Have you checked what error message you get in the agent in the file C:\Program Files (x86)\ossec-agent-agent-agent-active-response-responses, if you have something there, it is because the Active Response was triggered but something could not run the .bash, send me what error you get. Have you tried to put in practice the documentation example?

I will be here waiting for your answer!

Remember not to share sensitive information, as this is a public channel.

Regards!!!

[dmitri]

Hi, 

 in active-responses.log file is not any records about my script ”shutdown.bat” and exe file ”shutdown.exe”, except active-response/bin/restart-wazuh.exe. 

[Chantal Belen Kelm]

Hello, how are you doing? Could you pass me the agent's ar.conf and ossec.log to see if we can get some information about what is going on?

I'll be here waiting for your answer!

Regards!!!

[Alberto Ribeiro]

Has anyone found a solution for this? I tried to trigger a .bat when an event occurred, but it doesn't work, if I put the .exe, for example reset-wazuh.exe, it works.