Pass the Hash - Silencing Noise
978 views
Skip to first unread message
Logan Simmons
Jun 22, 2022, 1:31:43 PM6/22/22
to Wazuh mailing list
Hi!
We have a software deployment server that accesses other pc's in our environment that uses LAPS as credentials for install.
I am receiving a lot of alerts (SID# 92652: Successful Remote Logon Detected - NTLM authentication, possible pass-the-hash attack).
I would like to silence the alerts from these accounts/machine pushing the software. Below is my custom rule, but wazuh seems to ignore it. Formatting is correct but as I type this the below looks a little wonky from pasting.
<rule id="10021" level="0">
<if_matched_sid>92652</if_matched_sid>
<field name="win.eventdata.targetUserName">^LAPSAdmin$|^lapsadmin$</field>
<field name="win.eventdata.workstationName">^PDQ-DEPLOY$</field>
<description>Silencing PDQ-Deploy installments (Remote Logon)</description>
</rule>
Am I doing something wrong? I have had success with other rules. Just specifically not this one. All help is appreciated in advance!
We have a software deployment server that accesses other pc's in our environment that uses LAPS as credentials for install.
I am receiving a lot of alerts (SID# 92652: Successful Remote Logon Detected - NTLM authentication, possible pass-the-hash attack).
I would like to silence the alerts from these accounts/machine pushing the software. Below is my custom rule, but wazuh seems to ignore it. Formatting is correct but as I type this the below looks a little wonky from pasting.
<rule id="10021" level="0">
<if_matched_sid>92652</if_matched_sid>
<field name="win.eventdata.targetUserName">^LAPSAdmin$|^lapsadmin$</field>
<field name="win.eventdata.workstationName">^PDQ-DEPLOY$</field>
<description>Silencing PDQ-Deploy installments (Remote Logon)</description>
</rule>
Am I doing something wrong? I have had success with other rules. Just specifically not this one. All help is appreciated in advance!
Jesus Linares
Jun 27, 2022, 5:34:47 AM6/27/22
to Wazuh mailing list
Hi,
<field name="win.eventdata.targetUserName">^LAPSAdmin$|^lapsadmin$</field>
<field name="win.eventdata.workstationName">^PDQ-DEPLOY$</field>
<description>Silencing PDQ-Deploy installments (Remote Logon)</description>
</rule>
Probably, the issue is that you are using "if_matched_sid" instead of "if_sid". Here is the difference:
- if_sid: It works similar to parent decoder. It will match when a rule ID on the list has previously matched.
- if_matched_sid: Similar to if_sid but it will only match if the ID has been triggered in a period of time.
So, your rule should look like:
<rule id="10021" level="0">
<if_sid>92652</if_sid>
<field name="win.eventdata.targetUserName">^LAPSAdmin$|^lapsadmin$</field>
<field name="win.eventdata.workstationName">^PDQ-DEPLOY$</field>
<description>Silencing PDQ-Deploy installments (Remote Logon)</description>
</rule>
If it doesn't work, please, share the alert that you want to ignore in order to review the fields.
I hope it helps.
Logan Simmons
Jun 28, 2022, 2:30:56 PM6/28/22
to Wazuh mailing list
Thank you! I was unsure of the difference between the 2. I will try that out and report back
Logan Simmons
Jun 29, 2022, 5:47:42 PM6/29/22
to Wazuh mailing list
Can confirm that works. Thank you again as I did not see in the documentation the difference between the two
Jesus Linares
Jul 4, 2022, 4:44:23 AM7/4/22
to Wazuh mailing list
Great. I'm glad to help!
Reply all
Reply to author
Forward
0 new messages