rule.id 92656 triggered by proper operation of Windows Remote Desktop Web services


Steve D

Sep 6, 2022, 2:29:58 PM9/6/22
to Wazuh mailing list
rule.id 92656: please add an exception for a group named RdWeb or similar,
or do a check for server + RdWeb system files.
Server version 4.3.7.
Yes, I could just change this on my install, but RdWeb is a common Windows application.

Jose Camargo

Sep 6, 2022, 3:32:39 PM9/6/22
to Wazuh mailing list
Hi, thank you for using Wazuh.

This rule is specifically targeted at checking for possibly compromised servers, as it might indicate that a backdoor has been installed that forwards the connection to the RDP server. Probably a reverse tunnel, or maybe the RDP port itself is exposed to the internet. So it's worth checking.

But you can filter events depending on your needs. If this is what you want, you can do the following (as shown here https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule):

  • Copy the rule and paste it into /var/ossec/etc/rules/local_rules.xml with these modifications:

      <rule id="92656" level="0" overwrite="yes">
        <if_sid>60106</if_sid>
        <field name="win.eventdata.logonType" type="pcre2">^10$</field>
        <field name="win.eventdata.ipAddress" type="pcre2">::1|127\.0\.0\.1</field>
        <description>User: $(win.eventdata.subjectDomainName)\$(win.eventdata.targetUserName) logged using Remote Desktop Connection (RDP) from loopback address, possible exploit over reverse tunneling using stolen credentials.</description>
        <mitre>
          <id>T1021.001</id>
          <id>T1078.002</id>
        </mitre>
      </rule>

    This is if you want to silence the rule altogether.

  • If what you want is just to silence specific events, and you have the logs that correspond to them, you can do the following:
      <rule id="100100" level="0">
        <if_sid>92656</if_sid>
        <field name="win.eventdata.xxx" type="pcre2">xxx</field>
        <description>Specific RDP event ignored</description>
      </rule>

    You'll have to use some specific field that differentiates the events you want to silence and add it in the <field> option.

Please let me know if you need anything else, always glad to help.

Regards,
Jose Camargo
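As an added example (not from this thread or from Wazuh's own ruleset), this is what the second option looks like with the placeholders filled in, assuming that the RdWeb-related logons can be told apart by a dedicated service account named svc-rdweb; the account name and the rule id 100100 are assumptions to replace with values taken from your own 4624 events.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example; account name is an assumption) -->
<group name="local,windows,">
  <!-- Child of 92656: only evaluated once the loopback-RDP rule has already matched,
       so the parent keeps firing for every other account. -->
  <rule id="100100" level="0">
    <if_sid>92656</if_sid>
    <!-- Assumed differentiator: the account the RdWeb component logs on with.
         Confirm win.eventdata.targetUserName in your own logs before relying on it.
         (?i) makes the match case-insensitive, as Windows account names are. -->
    <field name="win.eventdata.targetUserName" type="pcre2">(?i)^svc-rdweb$</field>
    <description>RDP logon from loopback by the RdWeb service account, ignored.</description>
  </rule>
</group>
```

Any logon type 10 from a loopback address by a different account still raises 92656, which keeps the detection Jose describes as worth checking.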
