False Positive


Louis

Jul 15, 2024, 11:11:58 PM
to Wazuh | Mailing List
Hello,

Sorry, still new to rules. Added a rule to detect a DCSync attack per the tutorial in your documentation, which involved installing Sysmon on the domain controller. Now we are getting a lot of these alerts (partial log here):

Received From: (dc01) any->EventChannel
Rule: 92213 fired (level 15) -> "Executable file dropped in folder commonly used by malware"
User: IMAUI\user"
Portion of the log(s):

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"11","version":"2","level":"4","task":"11","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-07-15T07:35:19.2214962Z","eventRecordID":"19608006","processID":"2480","threadID":"5848","channel":"Microsoft-Windows-Sysmon/Operational","computer":"dc01.i.maui.hawaii.edu","severityValue":"INFORMATION","message":"\"File created:\r\nRuleName: technique_id=T1047,technique_name=File System Permissions Weakness\r\nUtcTime: 2024-07-15 07:35:19.206\r\nProcessGuid: {74f10e67-d132-6694-e47a-030000003100}\r\nProcessId: 2696\r\nImage: C:\\Windows\\system32\\cleanmgr.exe\r\nTargetFilename: C:\\Users\user~1\\AppData\\Local\\Temp\\CEB97F0A-77C8-4601-A7F2-BEF3B26E9F5C\\AppxProvider.dll\r\nCreationUtcTime: 2024-07-15 07:35:19.206\r\nUser: IMAUI\\user\""},"eventdata":{"ruleName":"technique_id=T1047,technique_name=File System Permissions Weakness","utcTime":"2024-07-15 07:35:19.206","processGuid":"{74f10e67-d132-6694-e47a-030000003100}","processId":"2696","image":"C:\\\\Windows\\\\system32\\\\cleanmgr.exe","targetFilename":"C:\\\\Users\\\\user~1\\\\AppData\\\\Local\\\\Temp\\\\CEB97F0A-77C8-4601-A7F2-BEF3B26E9F5C\\\\AppxProvider.dll","creationUtcTime":"2024-07-15

I would like to write a rule for it. I saw a few examples; the takeaway I get is that it will be a child rule with an id 0, so when the parent matches and this is evaluated it is ignored. Like this?

  <rule id="111129" level="0">
    <if_sid>92213</if_sid>
    <field name="win.eventdata.targetFilename" type="sregex">C:\\Users\\<multiple users here>\\AppData\\Local\\Temp\\<random filename here></field>
    <description>Ignore RULE</description>
  </rule>

thanks in advance,
Louis

Abdullah Al Rafi Fahim

Jul 17, 2024, 2:30:09 AM
to Wazuh | Mailing List
Hello Louis,

The Windows Sysmon event here triggers rule ID 92213, which is described as below:

 <rule id="92213" level="15">
  <if_group>sysmon_event_11</if_group>
  <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.(exe|com|dll|vbs|js|bat|cmd|pif|wsh|ps1|msi|vbe)</field>
  <options>no_full_log</options>
  <description>Executable file dropped in folder commonly used by malware</description>
  <mitre>
   <id>T1105</id>
  </mitre>
 </rule>

This rule will be triggered whenever an executable file (exe|com|dll|vbs|js|bat|cmd|pif|wsh|ps1|msi|vbe) is dropped in the "C:\\Users\\USER_NAME\\AppData\\Local\\Temp\\" directory.

Now, if you want to whitelist a specific file or user within this path, you can do so by creating a child rule of 92213 with the relevant conditions and rule level 0, as below:

  <rule id="111129" level="0">
    <if_sid>92213</if_sid>
    <field name="win.eventdata.targetFilename">AppxProvider.dll</field>
    <options>no_full_log</options>
    <description>Ignore RULE</description>
  </rule>

You can learn more about the rule syntax and regular expressions here: 

Louis

Jul 26, 2024, 4:46:14 PM
to Wazuh | Mailing List
Hello,

Thanks for the tip, I was able to silence more alerts. However, this one is tricky. 92213 is triggered with the following file; it seems like it's AppLocker running a PowerShell test? (Let me know if it's otherwise.)

__PSScriptPolicyTest_i0ub2ofo.upk.ps1

So, looking at the PCRE documentation, I noticed that the last part of the filename is a random sequence. How do I represent it in an ignore rule? Like this?

<field name="win.eventdata.targetFilename">__PSScriptPolicyTest_*.ps1</field>

thanks

wazuh

Jul 27, 2024, 8:15:47 AM
to Wazuh | Mailing List
PSScriptPolicyTest always has 8 random symbols followed by 3 random symbols. You could make your rule as such:

<field type="pcre2" name="win.eventdata.targetFilename">__PSScriptPolicyTest_\w{8}\.\w{3}\.ps1</field>

\w{8} will match any 8 random digit or letter symbols.
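Added example (mine, not code from the thread or from the Wazuh ruleset): a small Python simulation of how the parent rule and its level-0 children interact, so the two exceptions discussed above can be checked against sample filenames before they go into a rules file. It reuses the 92213 pattern from Abdullah's reply and the \w{8}.\w{3} pattern from the last reply, uses Python's re as a stand-in for Wazuh's pcre2 and OS_Regex matchers, and uses 111130 as a made-up rule id for the PSScriptPolicyTest exception (the thread gives the pattern but no id). The field values are constructed; their doubled backslashes follow what the pasted eventdata shows.

```python
import re

# Parent rule 92213's pcre2 pattern, copied from the thread.  Python's re
# accepts this particular pattern unchanged (inline (?i), character class,
# doubled backslashes for the doubled backslashes in eventdata).
RULE_92213 = re.compile(
    r"(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+"
    r"\.(exe|com|dll|vbs|js|bat|cmd|pif|wsh|ps1|msi|vbe)"
)

# Level-0 children of 92213.  111129 is the AppxProvider.dll exception from
# the thread; its <field> has no type, so Wazuh uses its default OS_Regex
# matcher, approximated here by a substring search on the escaped literal.
# 111130 is a HYPOTHETICAL id for the PSScriptPolicyTest exception.
CHILD_RULES = [
    ("111129", re.compile(re.escape("AppxProvider.dll"))),
    ("111130", re.compile(r"__PSScriptPolicyTest_\w{8}\.\w{3}\.ps1")),
]


def evaluate(target_filename):
    """Simulate the rule chain for one win.eventdata.targetFilename value.

    Returns (rule_id, level) for the rule that ends up on the alert, or
    None when 92213 does not fire at all.  Simplification: the first child
    whose pattern matches wins; Wazuh orders sibling children its own way.
    """
    if not RULE_92213.search(target_filename):
        return None
    for rule_id, pattern in CHILD_RULES:
        if pattern.search(target_filename):
            return (rule_id, 0)      # level 0: alert suppressed
    return ("92213", 15)             # no exception matched: original alert


# Constructed field values (not real events).  Two backslashes per separator,
# as the pasted eventdata shows after JSON decoding.
SAMPLE_EVENTS = {
    "cleanmgr_dll": r"C:\\Users\\user~1\\AppData\\Local\\Temp\\CEB97F0A-77C8-4601-A7F2-BEF3B26E9F5C\\AppxProvider.dll",
    "policy_test":  r"C:\\Users\\svc-backup\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i0ub2ofo.upk.ps1",
    "lookalike":    r"C:\\Users\\svc-backup\\AppData\\Local\\Temp\\__PSScriptPolicyTest_short.ps1",
    "dropper":      r"C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
    "text_file":    r"C:\\Users\\bob\\AppData\\Local\\Temp\\notes.txt",
}


def run_samples():
    """Evaluate every constructed event; returns {name: (rule_id, level) or None}."""
    return {name: evaluate(value) for name, value in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:13s} -> {result}")
```

The "lookalike" sample is the point of the \w{8}\.\w{3} pattern: a file that merely starts with __PSScriptPolicyTest_ but does not have the 8+3 random shape still raises the level-15 alert, whereas a plain wildcard exception would have silenced it too.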
