sysmon


Felipe Andres Concha Sepúlveda

Jul 8, 2019, 11:04:13 AM
to Wazuh mailing list
Hello,

This is for Wazuh 3.9.2 with Windows 10 and Sysmon enabled.
I'm trying to trigger an alert when PowerShell is opened. I'm using the following rule:


<group name="sysmon">
 <rule id="255000" level="12">
 <if_group>sysmon_event1</if_group>
 <field name="sysmon.image">\\PowerShell.exe</field>
 <description>Sysmon - Event 1: Bad exe: $(sysmon.image)</description>
 <group>sysmon_event1,powershell_execution,</group>
 </rule>
</group>

However, Wazuh does not trigger any alert; nothing is logged in alerts.log. Is there anything I'm missing? Needless to say, Sysmon detects the event.

Thank you

Juan Pablo Saez

Jul 8, 2019, 11:45:20 AM
to Wazuh mailing list
Hi Felipe,

I've made a couple of modifications to the rule.

  • Field names must begin with win.eventdata.
  • I generated the same event (opening a PowerShell) and for the field image I have this value: "image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe". This is why I decided to use originalFileName: it is shorter, without the full path to powershell. You can use the fields as you wish.

<rule id="255000" level="12">
  <if_group>sysmon_event1</if_group>
  <field name="win.eventdata.originalFileName">Powershell.EXE</field>
  <description>Sysmon - Event 1: Bad exe: $(sysmon.image)</description>
  <group>sysmon_event1,powershell_execution,</group>
</rule>


This is the alert output when the event "Opening a PowerShell" occurs in my Windows Server 2016 environment:

Event:

2019 Jul 08 17:20:35 (SERV2016) 192.168.105.130->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2019-07-08T15:20:34.485479800Z","eventRecordID":"20","processID":"1688","threadID":"2580","channel":"Microsoft-Windows-Sysmon/Operational","computer":"WIN-8ONS2J4ICIU","severityValue":"INFORMATION","message":"Process Create:"},"eventdata":{"utcTime":"2019-07-08 15:20:34.477","processGuid":"{3E301281-5F42-5D23-0000-0010768F5D00}","processId":"4968","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","fileVersion":"10.0.14393.206 (rs1_release.160915-0644)","description":"Windows PowerShell","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"PowerShell.EXE","commandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"","currentDirectory":"C:\\Users\\Administrador\\","user":"WIN-8ONS2J4ICIU\\Administrador","logonGuid":"{3E301281-ABA7-5D1C-0000-00204F660700}","logonId":"0x7664f","terminalSessionId":"2","integrityLevel":"High","hashes":"MD5=097CE5761C89434367598B34FE32893B","parentProcessGuid":"{3E301281-ABA7-5D1C-0000-0010C19A0700}","parentProcessId":"4432","parentImage":"C:\\Windows\\explorer.exe","parentCommandLine":"C:\\Windows\\Explorer.EXE"}}}


Alert output:
** Alert 1562600110.220150: mail  - local,syslog,sshd,sysmon_event1,powershell_execution,
2019 Jul 08 17:35:10 (SERV2016) 192.168.105.130->EventChannel
Rule: 255000 (level 12) -> 'Sysmon - Event 1: Bad exe: '
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2019-07-08T15:35:08.685183000Z","eventRecordID":"24","processID":"1688","threadID":"2580","channel":"Microsoft-Windows-Sysmon/Operational","computer":"WIN-8ONS2J4ICIU","severityValue":"INFORMATION","message":"Process Create:"},"eventdata":{"utcTime":"2019-07-08 15:35:08.682","processGuid":"{3E301281-62AC-5D23-0000-0010C71A6500}","processId":"2052","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","fileVersion":"10.0.14393.206 (rs1_release.160915-0644)","description":"Windows PowerShell","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"PowerShell.EXE","commandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"","currentDirectory":"C:\\Users\\Administrador\\","user":"WIN-8ONS2J4ICIU\\Administrador","logonGuid":"{3E301281-ABA7-5D1C-0000-00204F660700}","logonId":"0x7664f","terminalSessionId":"2","integrityLevel":"High","hashes":"MD5=097CE5761C89434367598B34FE32893B","parentProcessGuid":"{3E301281-ABA7-5D1C-0000-0010C19A0700}","parentProcessId":"4432","parentImage":"C:\\Windows\\explorer.exe","parentCommandLine":"C:\\Windows\\Explorer.EXE"}}}
win.system.providerName: Microsoft-Windows-Sysmon
win.system.providerGuid: {5770385F-C22A-43E0-BF4C-06F5698FFBD9}
win.system.eventID: 1
win.system.version: 5
win.system.level: 4
win.system.task: 1
win.system.opcode: 0
win.system.keywords: 0x8000000000000000
win.system.systemTime: 2019-07-08T15:35:08.685183000Z
win.system.eventRecordID: 24
win.system.processID: 1688
win.system.threadID: 2580
win.system.channel: Microsoft-Windows-Sysmon/Operational
win.system.computer: WIN-8ONS2J4ICIU
win.system.severityValue: INFORMATION
win.system.message: Process Create:
win.eventdata.utcTime: 2019-07-08 15:35:08.682
win.eventdata.processGuid: {3E301281-62AC-5D23-0000-0010C71A6500}
win.eventdata.processId: 2052
win.eventdata.image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
win.eventdata.fileVersion: 10.0.14393.206 (rs1_release.160915-0644)
win.eventdata.description: Windows PowerShell
win.eventdata.product: Microsoft® Windows® Operating System
win.eventdata.company: Microsoft Corporation
win.eventdata.originalFileName: PowerShell.EXE
win.eventdata.commandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
win.eventdata.currentDirectory: C:\Users\Administrador\
win.eventdata.user: WIN-8ONS2J4ICIU\Administrador
win.eventdata.logonGuid: {3E301281-ABA7-5D1C-0000-00204F660700}
win.eventdata.logonId: 0x7664f
win.eventdata.terminalSessionId: 2
win.eventdata.integrityLevel: High
win.eventdata.hashes: MD5=097CE5761C89434367598B34FE32893B
win.eventdata.parentProcessGuid: {3E301281-ABA7-5D1C-0000-0010C19A0700}
win.eventdata.parentProcessId: 4432
win.eventdata.parentImage: C:\Windows\explorer.exe
win.eventdata.parentCommandLine: C:\Windows\Explorer.EXE



Next time you are testing rules, I recommend that you set the option <logall> to yes in /var/ossec/etc/ossec.conf. This way, if the Wazuh manager receives events that don't trigger a rule, those events are still stored in /var/ossec/logs/archives/archives.log.
This is how I found the event in the manager when your rule still didn't work.

Please let me know if it helps. Do not hesitate to ask whatever you need to clarify!


Kind regards,

Juan Pablo Sáez

Felipe Andres Concha Sepúlveda

Jul 8, 2019, 12:13:29 PM
to Juan Pablo Saez, Wazuh mailing list
Thanks, Juan Pablo!
We will test it and will let you know!



Regards


Kevin Branch

Jul 8, 2019, 12:16:30 PM
to Juan Pablo Saez, Wazuh mailing list
One warning about using "win.eventdata.originalFileName": at least with Sysmon 10.1, there are many Sysmon event types (other than #1) which have "win.eventdata.image" but no "win.eventdata.originalFileName" field at all. In cases like that you would need your rule to compare against "win.eventdata.image" with some regex; I believe something like this:

 <field name="win.eventdata.image">\.*Powershell.EXE$</field>

Kevin
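Putting Juan Pablo's field-name point and Kevin's warning side by side: the following is an added example, not code from this thread or from Wazuh, that parses log lines in the `...->EventChannel {json}` shape shown above and applies the three `<field>` patterns that appear in the thread to a few constructed Sysmon events. The events are: the Process Create event from the thread (trimmed), a Sysmon event 3 (network connection) that carries image but no originalFileName, a renamed copy of powershell.exe (Sysmon takes OriginalFileName from the PE version resource, so it still reads PowerShell.EXE), and notepad.exe as a negative control. The matcher follows the OS_Regex conventions that matter here (`\.` is any character, a bare `.` is literal, `$` anchors the end) and compares case-insensitively, which is what the thread's own output shows (`Powershell.EXE` matched `PowerShell.EXE`); it covers only that subset of OS_Regex. The timestamps, IPs, eventRecordIDs and the `svchost.exe` name of the renamed copy are all constructed for the example.

```python
import json
import re

# Added example (not Wazuh code): simulate how a Wazuh 3.x <field name="...">
# rule sees decoded Sysmon EventChannel events. All events below are constructed.


def eventchannel_line(ts, agent, ip, event):
    """Build a log line in the 'ts (agent) ip->EventChannel {json}' shape from the thread."""
    return "%s (%s) %s->EventChannel %s" % (ts, agent, ip, json.dumps(event))


def parse_eventchannel_line(line):
    """Split off the prefix and decode the JSON payload of an EventChannel line."""
    _, _, payload = line.partition("->EventChannel ")
    return json.loads(payload)


def flatten(obj, prefix=""):
    """Turn nested JSON into dotted field names, e.g. win.eventdata.image."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = str(value)
    return out


def os_regex_to_python(pattern):
    """Translate the OS_Regex subset used in the thread into a Python regex.

    OS_Regex: '\\.' is any character, a bare '.' is literal, '^ $ * + |' keep
    their meaning, '\\w \\d \\s' (and uppercase) are kept, any other escaped
    character is literal. Other OS_Regex features are not handled here.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")
            elif nxt in "wWdDsS":
                out.append("\\" + nxt)
            else:
                out.append(re.escape(nxt))
            i += 2
            continue
        if c in "^$*+|":
            out.append(c)
        elif c == ".":
            out.append(r"\.")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def field_matches(event, field, pattern):
    """Mimic <field name="field">pattern</field>: a missing field never matches."""
    value = flatten(event).get(field)
    if value is None:
        return False
    # Case-insensitive, as the thread's output shows for Powershell.EXE / PowerShell.EXE.
    return re.search(os_regex_to_python(pattern), value, re.IGNORECASE) is not None


def evaluate_rules(lines, rules):
    """Return {rule_id: [eventRecordID, ...]} for every rule over every line."""
    hits = {rule_id: [] for rule_id, _, _ in rules}
    for line in lines:
        event = parse_eventchannel_line(line)
        for rule_id, field, pattern in rules:
            if field_matches(event, field, pattern):
                hits[rule_id].append(event["win"]["system"]["eventRecordID"])
    return hits


def sysmon_event(record_id, event_id, eventdata):
    """Constructed Sysmon event in the decoded shape shown in the thread (trimmed)."""
    return {"win": {"system": {"providerName": "Microsoft-Windows-Sysmon",
                               "eventID": str(event_id),
                               "eventRecordID": str(record_id),
                               "channel": "Microsoft-Windows-Sysmon/Operational"},
                    "eventdata": eventdata}}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample lines: Process Create (as in the thread), a network
# connection (event 3: image but no originalFileName), a renamed copy of
# powershell.exe, and notepad.exe as a negative control.
SAMPLE_LINES = [
    eventchannel_line("2019 Jul 08 17:20:35", "SERV2016", "192.168.105.130",
                      sysmon_event(20, 1, {"image": PS, "originalFileName": "PowerShell.EXE",
                                           "parentImage": r"C:\Windows\explorer.exe"})),
    eventchannel_line("2019 Jul 08 17:21:02", "SERV2016", "192.168.105.130",
                      sysmon_event(21, 3, {"image": PS, "protocol": "tcp",
                                           "destinationIp": "198.51.100.7", "destinationPort": "443"})),
    eventchannel_line("2019 Jul 08 17:22:40", "SERV2016", "192.168.105.130",
                      sysmon_event(22, 1, {"image": r"C:\Users\Public\svchost.exe",
                                           "originalFileName": "PowerShell.EXE",
                                           "parentImage": r"C:\Windows\explorer.exe"})),
    eventchannel_line("2019 Jul 08 17:23:11", "SERV2016", "192.168.105.130",
                      sysmon_event(23, 1, {"image": r"C:\Windows\System32\notepad.exe",
                                           "originalFileName": "NOTEPAD.EXE",
                                           "parentImage": r"C:\Windows\explorer.exe"})),
]

# (rule id, field, pattern): the three <field> checks that appear in the thread.
RULES = [
    ("original_post", "sysmon.image", r"\\PowerShell.exe"),
    ("originalFileName", "win.eventdata.originalFileName", "Powershell.EXE"),
    ("image_regex", "win.eventdata.image", r"\.*Powershell.EXE$"),
]

if __name__ == "__main__":
    for rule_id, records in evaluate_rules(SAMPLE_LINES, RULES).items():
        print("%-17s -> eventRecordIDs %s" % (rule_id, records))
```

Running it shows the three behaviours discussed above: the original `sysmon.image` check matches nothing because no such field exists in the decoded event (the same reason the posted alert's description renders as `Bad exe: ` with nothing after it; `$(win.eventdata.image)` would fill it), the originalFileName check catches the renamed copy but misses the event 3 network connection, and the image regex does the reverse. Since several `<field>` elements in one Wazuh rule must all match, covering both cases takes one rule per field rather than both fields in one rule.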
