Missing UserData in windows events


Bloom

Oct 7, 2024, 9:01:52 AMOct 7
to Wazuh | Mailing List
Hello, Wazuh team!

I hope you're having a good day.

I was trying to supervise user certificate events on my Windows machines.

These events are situated in the following path:
Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational

Agent configuration:

<localfile>
  <location>Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

Rules:

<rule id="150031" level="3">
  <if_sid>60009,60010,60011,60012</if_sid>
  <field name="win.system.providerName">CertificateServicesClient-Lifecycle-User</field>
  <description>Unspecified User Certificate Event</description>
</rule>

<rule id="150032" level="8">
  <if_sid>150031</if_sid>
  <field name="win.system.eventID">1002</field>
  <description>User Certificate Expired</description>
</rule>

<rule id="150033" level="8">
  <if_sid>150031</if_sid>
  <field name="win.system.eventID">1004</field>
  <description>User Certificate Deleted</description>
</rule>

<rule id="150034" level="8">
  <if_sid>150031</if_sid>
  <field name="win.system.eventID">1007</field>
  <description>User Certificate Exported</description>
</rule>

<rule id="150035" level="3">
  <if_sid>150031</if_sid>
  <field name="win.system.eventID">1006</field>
  <description>User Certificate Installed</description>
</rule>

<rule id="150036" level="3">
  <if_sid>150031</if_sid>
  <field name="win.system.eventID">1001</field>
  <description>User Certificate Replaced</description>
</rule>

<rule id="150037" level="3">
  <if_sid>150031</if_sid>
  <field name="win.system.eventID">1003</field>
  <description>User Certificate Almost Expired</description>
</rule>


This configuration works and I can see alerts being generated; the problem is that not all the information I need is being displayed.

This is the full_log reflected in the alert:

 {"win":{"system":{"providerName":"Microsoft-Windows-CertificateServicesClient-Lifecycle-User","providerGuid":"{bea18b89-126f-4155-9ee4-d36038b02680}","eventID":"1003","version":"0","level":"3","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-10-07T08:48:58.7773964Z","eventRecordID":"26","processID":"5604","threadID":"11396","channel":"Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational","computer":"hostname","severityValue":"WARNING","message":"\"A certificate is about to expire. Please refer to the "Details" section for more information.\""},"certNotificationData":{}}}

The event is about a user certificate that is almost expired. There is no indication about which certificate or the date of expiration.

When I check the original XML event in the Event Viewer, this is what I get:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-Lifecycle-User" Guid="{bea18b89-126f-4155-9ee4-d36038b02680}" />
    <EventID>1003</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-10-07T08:48:58.7773964Z" />
    <EventRecordID>26</EventRecordID>
    <Correlation />
    <Execution ProcessID="5604" ThreadID="11396" />
    <Channel>Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational</Channel>
    <Computer>hostname</Computer>
    <Security UserID="S-1-5-21-XXXXXXXXXXx" />
  </System>
  <UserData>
    <CertNotificationData ProcessName="taskhostw.exe" AccountName="username" Context="User">
      <CertificateDetails Thumbprint="3XXXXX">
        <Template Name="NAME" OID="X.X.XXXXXX.XXXX" />
        <EKUs>
          <EKU Name="XXXX" OID="X.X.X.X.X" />
          <EKU Name="XXXX" OID="X.X.X.X.X" />
          <EKU Name="XXXX" OID="X.X.X.X.X" />
        </EKUs>
        <NotValidAfter>2024-10-13T14:15:49Z</NotValidAfter>
      </CertificateDetails>
    </CertNotificationData>
  </UserData>
</Event>

The whole UserData part is not being transmitted, and strangely, only an empty CertNotificationData gets sent.

The alert is being decoded by decoder.name "windows_eventchannel", which is not included in the decoders list in the configuration, but I might have found it mentioned here.

Is there some way to include the UserData section, to be able to get the certificate template name and validity?

Do you have any other ideas to get the same results, or some other ways to do this?

Thanks a lot!
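To make concrete exactly which fields are lost between the Event Viewer XML and the decoded alert, here is an added Python example (not code from the thread, from Wazuh, or from Microsoft) that parses an event in the shape quoted above and flattens the UserData part the way one would want it in an alert: process and account, template name and OID, EKUs, thumbprint, NotValidAfter, and the number of days until expiry measured from the event's own TimeCreated. The sample event is constructed from the post (placeholders kept as placeholders), and the EventID-to-description table is taken from the custom rules above. An event with no CertificateDetails, which is what the decoder currently yields, is treated as an error rather than silently producing an empty record.

```python
"""Flatten the <UserData> of a CertificateServicesClient-Lifecycle-User event.

Added example, not Wazuh code. The eventchannel decoder currently emits
"certNotificationData": {} for this event; this shows the fields that a
complete decoding would carry.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample modelled on the event XML quoted in the post
# (the XXXX/NAME values are placeholders, exactly as in the post).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-Lifecycle-User"
              Guid="{bea18b89-126f-4155-9ee4-d36038b02680}" />
    <EventID>1003</EventID>
    <TimeCreated SystemTime="2024-10-07T08:48:58.7773964Z" />
    <Channel>Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational</Channel>
    <Computer>hostname</Computer>
  </System>
  <UserData>
    <CertNotificationData ProcessName="taskhostw.exe" AccountName="username" Context="User">
      <CertificateDetails Thumbprint="3XXXXX">
        <Template Name="NAME" OID="X.X.XXXXXX.XXXX" />
        <EKUs>
          <EKU Name="XXXX" OID="X.X.X.X.X" />
          <EKU Name="XXXX" OID="X.X.X.X.X" />
        </EKUs>
        <NotValidAfter>2024-10-13T14:15:49Z</NotValidAfter>
      </CertificateDetails>
    </CertNotificationData>
  </UserData>
</Event>"""

# Event IDs as described by the custom rules 150032-150037 in the post.
EVENT_DESCRIPTIONS = {
    1001: "User Certificate Replaced",
    1002: "User Certificate Expired",
    1003: "User Certificate Almost Expired",
    1004: "User Certificate Deleted",
    1006: "User Certificate Installed",
    1007: "User Certificate Exported",
}


def _local(tag):
    """Strip the XML namespace prefix: '{ns}EventID' -> 'EventID'."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """First element (self or descendant) with this local name, any namespace.

    UserData children in real events sometimes carry their own namespace, so
    matching on the local name is more robust than a fixed {ns}Name lookup."""
    for node in elem.iter():
        if _local(node.tag) == name:
            return node
    return None


def _parse_utc(ts):
    """Parse Windows timestamps like 2024-10-07T08:48:58.7773964Z.

    The fractional part has 7 digits, which strptime's %f cannot take, so it is
    dropped; second precision is enough for an expiry countdown."""
    ts = ts.split(".")[0].rstrip("Z")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_cert_event(xml_text):
    """Return a flat dict of the System and UserData fields of interest.

    Raises ValueError when CertificateDetails is absent, i.e. when the event
    looks like the decoded alert in the post rather than the original XML."""
    root = ET.fromstring(xml_text)
    system = _find(root, "System")
    notif = _find(root, "CertNotificationData")
    details = _find(root, "CertificateDetails")
    if notif is None or details is None:
        raise ValueError("UserData/CertNotificationData has no CertificateDetails")
    template = _find(details, "Template")
    event_id = int(_find(system, "EventID").text)
    return {
        "eventID": event_id,
        "description": EVENT_DESCRIPTIONS.get(event_id, "Unspecified User Certificate Event"),
        "systemTime": _find(system, "TimeCreated").get("SystemTime"),
        "computer": _find(system, "Computer").text,
        "processName": notif.get("ProcessName"),
        "accountName": notif.get("AccountName"),
        "context": notif.get("Context"),
        "thumbprint": details.get("Thumbprint"),
        "templateName": template.get("Name"),
        "templateOID": template.get("OID"),
        "ekus": [e.get("Name") for e in details.iter() if _local(e.tag) == "EKU"],
        "notValidAfter": _find(details, "NotValidAfter").text,
    }


def days_until_expiry(record):
    """Whole days from the event's TimeCreated to NotValidAfter (negative if past)."""
    return (_parse_utc(record["notValidAfter"]) - _parse_utc(record["systemTime"])).days


if __name__ == "__main__":
    rec = parse_cert_event(SAMPLE_EVENT)
    for key, value in rec.items():
        print(f"{key}: {value}")
    print("days until expiry:", days_until_expiry(rec))
```

Run against the sample, the record shows the template name and a 6-day countdown that the current alert cannot carry; fed the decoded alert's empty CertNotificationData instead, it raises, which is the behaviour you want from anything that later builds a rule on these fields.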

Manuel Pedro Gomez Castro

Oct 7, 2024, 10:32:52 AMOct 7
to Wazuh | Mailing List
Hi! Thank you for reaching out to us!

For most alerts, Wazuh uses XML decoders to parse the information in your endpoints and generate events and alerts. However, due to technical limitations, some are parsed by decoders embedded in Wazuh's code, such as the one you mentioned.
Your alerts depend on alerts 6000X that depend on alert 600000 which is decoded with the decoder "windows_eventchannel", making this effect cascade down to your custom alerts and not providing you with the information you are looking for.
Another user faced a similar issue here, I would suggest taking a look to see if perhaps their solution could be useful in your case.

Otherwise, I would suggest opening an issue on our GitHub repository requesting a change on the decoder.

If you have any question on creating the custom rules you need, I'd be happy to assist!