Detecting mimikatz on window events


osama

Aug 1, 2024, 4:57:17 AM
to Wazuh | Mailing List
Hi, I have created a rule for detecting mimikatz in Windows security events, but I don't know why it is not being triggered. I have added it in local_rules.xml from the UI.
This is the rule:

<group name="windows, sysmon, sysmon_process-anomalies">

  <rule id="100014" level="12">
    <if_sid>60002</if_sid> <!-- Event logs -->
    <field name="win.system.eventID">4656</field> <!-- Object handle -->
    <field name="win.eventdata.processName" type="pcre2">(?i)(mimikatz)</field> <!-- Regex on mimikatz -->
    <description>Mimikatz detected</description>
    <options>no_full_log</options>
    <mitre>
      <id>T1003.001</id> <!-- Credential Dumping: LSASS Memory -->
      <id>T1003.002</id> <!-- Credential Dumping: Security Account Manager -->
      <id>T1003.003</id> <!-- Credential Dumping: NTDS.dit -->
      <id>T1550.001</id> <!-- Adversarial Use of Credentials: Application Access -->
      <id>T1550.002</id> <!-- Adversarial Use of Credentials: Login -->
      <id>T1550.003</id> <!-- Adversarial Use of Credentials: Domain Accounts -->
      <id>T1555.001</id> <!-- Credentials from Web Browsers: Credential Dumping -->
    </mitre>
  </rule>
</group>

This is the log, so I am sure the logs are coming in.
[attachment: Screenshot 2024-08-01 114837.png]

Stuti Gupta

Aug 1, 2024, 6:25:55 AM
to Wazuh | Mailing List
Hi Osama,

The reason your rule is not working is a regex error in the field `name="win.eventdata.processName" type="pcre2"`. You can write it as:
 <field name="win.eventdata.processName" type="pcre2">(?i)mimikatz</field> 
or
 <field name="win.eventdata.processName">\.+mimikatz</field> 
You can refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

If the issue still persists, please share the /var/ossec/logs/archives/archives.json entries related to the rule you created.

I look forward to hearing from you soon.

osama

Aug 4, 2024, 5:05:13 AM
to Wazuh | Mailing List
Still not working for me :(
[attachment: Screenshot 2024-08-04 120333.png]

Then I tried win.eventdata.image:

<group name="windows, sysmon, sysmon_process-anomalies">

  <rule id="100014" level="12">
    <if_sid>60002</if_sid> <!-- Event logs -->
    <field name="win.eventdata.image">\.+mimikatz</field>
    <description>Mimikatz detected</description>
    <options>no_full_log</options>
    <mitre>
      <id>T1003.001</id> <!-- Credential Dumping: LSASS Memory -->
      <id>T1003.002</id> <!-- Credential Dumping: Security Account Manager -->
      <id>T1003.003</id> <!-- Credential Dumping: NTDS.dit -->
      <id>T1550.001</id> <!-- Adversarial Use of Credentials: Application Access -->
      <id>T1550.002</id> <!-- Adversarial Use of Credentials: Login -->
      <id>T1550.003</id> <!-- Adversarial Use of Credentials: Domain Accounts -->
      <id>T1555.001</id> <!-- Credentials from Web Browsers: Credential Dumping -->
    </mitre>
  </rule>
</group>

But no luck.
None of my rules are working on security event data, but when I try them on Sysmon events they work.
The issue is that it needs to work on Windows security events. Kindly guide me.

osama

Aug 5, 2024, 5:02:51 AM
to Wazuh | Mailing List
Hi @stuti.gupta, did you find any issue?
On Sunday, August 4, 2024 at 4:05:14 PM UTC+3 osama wrote:
I have attached the archive.json:
https://drive.google.com/file/d/1LNHu5JAwwxDSUXxc5aDQ-7sIPlJYyPdO/view?usp=sharing

Stuti Gupta

Aug 5, 2024, 6:05:42 AM
to Wazuh | Mailing List

Hi Osama,

The file you have shared is too large. Please share a sample of the log related to win.system.eventID 4656 that has the mimikatz field. Also, I would just delete this file from here in case it has any confidential data.

Hope to hear from you soon

osama

Aug 5, 2024, 8:20:14 AM
to Wazuh | Mailing List

This is the sample and the rule.

<rule id="100033" level="10">
    <if_sid>60103</if_sid>
     <field name=" win.eventdata.processName ">\.+mimikatz</field>
    <options>no_full_log</options>
    <description>Windows  success event.</description>
  </rule>

I have attached the log:
[attachment: sample.txt]

osama

Aug 6, 2024, 2:43:30 AM
to Wazuh | Mailing List
  <rule id="100031" level="10">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4658$</field>
    <options>no_full_log</options>
    <description>Windows audit success event.</description>
  </rule>

  <rule id="100033" level="10">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4658$</field>
    <field name="win.system.message">.*mimikatz.*</field>
    <options>no_full_log</options>
    <description>Windows  success event.</description>
  </rule>

I was able to trigger 100031, but I am not able to trigger 100033 on the attached log.
[attachment: sample.txt]

Stuti Gupta

Aug 6, 2024, 5:32:04 AM
to Wazuh | Mailing List
Hi Osama,

Your first rule (100031) satisfied the log condition, which is why rule 100033 was triggered. To ensure rule 100033 triggers correctly, you can create it as a child rule of 100031 since the `win.system.eventID` is 4658 in both cases.

Here is an example:

<group name="windows">

  <rule id="100031" level="10">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4658$</field>
    <options>no_full_log</options>
    <description>Windows audit success event.</description>
  </rule>
  <!-- This rule will trigger if win.system.eventID is 4658 -->


  <rule id="100033" level="10">
    <if_sid>100031</if_sid>
    <field name="win.system.message">\.+mimikatz\.+</field>
    <options>no_full_log</options>
    <description>Windows success event with mimikatz.</description>
  </rule>
  <!-- This rule will trigger if rule 100031 matches and the win.system.message field of rule 100033 contains "mimikatz" -->
</group>

[attachment: Screenshot_8.png]
Refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-sid

Hope this helps
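The behaviour behind this answer is first-match evaluation: when two sibling rules hang off the same parent and the first one already matches the event, the second sibling is never consulted, so the only reliable way to get the more specific rule to fire is to chain it under the first with if_sid. The Python below is an added illustration written for this thread, not Wazuh's own code; it models that evaluation order with a simplified evaluator (Python `re` stands in for OSRegex/PCRE2, and the events, parent id 60103 and the rule ids are constructed from the thread) and shows both the sibling layout that fails and the parent/child layout that works.

```python
import re

# Constructed sample events in the flattened "win.system.*" field naming that
# Wazuh's Windows eventchannel decoder produces. Not taken from the poster's log.
SAMPLE_EVENTS = [
    {"win.system.eventID": "4658",
     "win.system.message": "The handle to an object was closed. Process Name: C:\\Tools\\mimikatz.exe"},
    {"win.system.eventID": "4658",
     "win.system.message": "The handle to an object was closed. Process Name: C:\\Windows\\explorer.exe"},
    {"win.system.eventID": "4624",
     "win.system.message": "An account was successfully logged on."},
]

DECODER_SID = 60103  # parent rule used in the thread (Windows audit success)


def make_rule(rule_id, if_sid, fields, description):
    # Assumption: Python 're' semantics stand in for Wazuh's OSRegex/PCRE2 here.
    return {
        "id": rule_id,
        "if_sid": if_sid,
        "description": description,
        "fields": {name: re.compile(pat) for name, pat in fields.items()},
    }


def rule_matches(rule, event):
    """Every <field> condition must match the corresponding event field."""
    return all(name in event and rx.search(event[name])
               for name, rx in rule["fields"].items())


def evaluate(rules, event, parent_sid=DECODER_SID):
    """Simplified model of analysisd: walk the children of parent_sid in file
    order, stop at the first match, then descend into that rule's children.
    Returns the id of the most specific rule that fired, or None."""
    for rule in rules:
        if rule["if_sid"] != parent_sid:
            continue
        if rule_matches(rule, event):
            deeper = evaluate(rules, event, rule["id"])
            return deeper if deeper is not None else rule["id"]
    return None


# Layout from the question: both rules are siblings under 60103. 100031 matches
# every 4658 event first, so 100033 is never evaluated.
SIBLING_RULES = [
    make_rule(100031, DECODER_SID,
              {"win.system.eventID": r"^4658$"},
              "Windows audit success event."),
    make_rule(100033, DECODER_SID,
              {"win.system.eventID": r"^4658$",
               "win.system.message": r"(?i)mimikatz"},
              "Windows success event with mimikatz."),
]

# Layout from the answer: 100033 is a child of 100031 via if_sid.
CHAINED_RULES = [
    make_rule(100031, DECODER_SID,
              {"win.system.eventID": r"^4658$"},
              "Windows audit success event."),
    make_rule(100033, 100031,
              {"win.system.message": r"(?i)mimikatz"},
              "Windows success event with mimikatz."),
]


def summarize(rules):
    """Map each sample event to the rule id that fires under the given layout."""
    return [evaluate(rules, ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    print("siblings:", summarize(SIBLING_RULES))   # [100031, 100031, None]
    print("chained: ", summarize(CHAINED_RULES))   # [100033, 100031, None]
```

Under the sibling layout the mimikatz event is swallowed by 100031; under the chained layout 100031 still fires for ordinary 4658 events, and 100033 fires only when the parent matched and the message contains the string. The same reasoning applies to the earlier rules in the thread that shared if_sid 60002 or 60103 with existing, broader rules.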

osama

Aug 6, 2024, 9:08:16 AM
to Wazuh | Mailing List
Hi Stuti, thanks, this works for me.