Windows AppLocker Eventchannel Not Decoding


Kevin Neubauer

Jun 25, 2021, 3:16:27 PM
to Wazuh mailing list
Hello,
I am attempting to implement monitoring and alerting of AppLocker. I can get these log entries to be sent from agents to the manager. However, they do not appear to be decoded correctly. What steps do I need to take to get these EventChannel events to pass decoding?

AppLocker uses Windows EventChannel and logs Event IDs 8000 to 8027 per the following documentation:

I have configured my agents to include the following logs and restarted the agents:
<localfile>
<location>Microsoft-Windows-AppLocker/EXE and DLL</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>Microsoft-Windows-AppLocker/MSI and Script</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>Microsoft-Windows-AppLocker/Packaged app-Deployment</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>Microsoft-Windows-AppLocker/Packaged app-Execution</location>
<log_format>eventchannel</log_format>
</localfile>

I have enabled <logall>yes</logall> and set <log_alert_level>1</log_alert_level> in the manager ossec.conf and confirmed that archive logs are getting created for Event ID 8002. See example entry.
2021 Jun 23 13:39:58 (server) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-AppLocker","providerGuid":"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}","eventID":"8002","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-06-23T20:39:57.448162900Z","eventRecordID":"16691","processID":"15356","threadID":"7800","channel":"Microsoft-Windows-AppLocker/EXE and DLL","computer":"server.fqdn.com","severityValue":"INFORMATION","message":"\"%SYSTEM32%\\WINTYPES.DLL was allowed to run.\""},"ruleAndFileData":{"policyNameLength":"3","policyName":"DLL","ruleId":"{BAC4B0BF-6F1B-40E8-8627-8545FA89C8B6}","ruleNameLength":"37","ruleName":"(Default Rule) Microsoft Windows DLLs","ruleSddlLength":"57","ruleSddl":"D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains \\\"%WINDIR%\\\\*\\\"))","targetUser":"S-1-5-21-1724543075-3879649918-2838239325-7215","targetProcessId":"15356","filePathLength":"23","filePath":"%SYSTEM32%\\\\WINTYPES.DLL","fileHashLength":"32","fileHash":"F19F0A69963FE9F1DB0A0A2639D99178AD539C7E70ABF52EF9B20B0D4EDEB361","fqbnLength":"120","fqbn":"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\\\WINTYPES.DLL\\\\10.0.14393.4467","targetLogonId":"0x155d95b8"}}}

I have added the following to my local_rules.xml config:
  <rule id="100000" level="5">
    <if_sid>60600,60601,60602</if_sid>
    <field name="win.system.eventID">^8002$</field>
    <description>AppLocker Audit</description>
  </rule>
  <rule id="100010" level="10">
    <if_sid>60600,60601,60602</if_sid>
    <field name="win.system.eventID">^8003$|^8006$</field>
    <description>AppLocker Audit Warning</description>
    <options>alert_by_email</options>
  </rule>
  <rule id="100020" level="10">
    <if_sid>60600,60601,60602</if_sid>
    <field name="win.system.eventID">^8004$|^8007$</field>
    <description>AppLocker Block</description>
    <options>alert_by_email</options>
  </rule>

However, Wazuh does not apparently decode these EventChannel logs correctly. I see no matching alerts in alerts.log. Also, the wazuh-logtest binary tells me that no decoder is matched:

Starting wazuh-logtest v4.1.5
Type one log per line

2021 Jun 23 13:39:58 (server) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-AppLocker","providerGuid":"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}","eventID":"8002","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-06-23T20:39:57.448162900Z","eventRecordID":"16691","processID":"15356","threadID":"7800","channel":"Microsoft-Windows-AppLocker/EXE and DLL","computer":"server.fqdn.com","severityValue":"INFORMATION","message":"\"%SYSTEM32%\\WINTYPES.DLL was allowed to run.\""},"ruleAndFileData":{"policyNameLength":"3","policyName":"DLL","ruleId":"{BAC4B0BF-6F1B-40E8-8627-8545FA89C8B6}","ruleNameLength":"37","ruleName":"(Default Rule) Microsoft Windows DLLs","ruleSddlLength":"57","ruleSddl":"D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains \\\"%WINDIR%\\\\*\\\"))","targetUser":"S-1-5-21-1724543075-3879649918-2838239325-7215","targetProcessId":"15356","filePathLength":"23","filePath":"%SYSTEM32%\\\\WINTYPES.DLL","fileHashLength":"32","fileHash":"F19F0A69963FE9F1DB0A0A2639D99178AD539C7E70ABF52EF9B20B0D4EDEB361","fqbnLength":"120","fqbn":"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\\\WINTYPES.DLL\\\\10.0.14393.4467","targetLogonId":"0x155d95b8"}}}

**Phase 1: Completed pre-decoding.
        full event: '2021 Jun 23 13:39:58 (server) any->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-AppLocker","providerGuid":"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}","eventID":"8002","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-06-23T20:39:57.448162900Z","eventRecordID":"16691","processID":"15356","threadID":"7800","channel":"Microsoft-Windows-AppLocker/EXE and DLL","computer":"server.fqdn.com","severityValue":"INFORMATION","message":"\"%SYSTEM32%\\WINTYPES.DLL was allowed to run.\""},"ruleAndFileData":{"policyNameLength":"3","policyName":"DLL","ruleId":"{BAC4B0BF-6F1B-40E8-8627-8545FA89C8B6}","ruleNameLength":"37","ruleName":"(Default Rule) Microsoft Windows DLLs","ruleSddlLength":"57","ruleSddl":"D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains \\\"%WINDIR%\\\\*\\\"))","targetUser":"S-1-5-21-1724543075-3879649918-2838239325-7215","targetProcessId":"15356","filePathLength":"23","filePath":"%SYSTEM32%\\\\WINTYPES.DLL","fileHashLength":"32","fileHash":"F19F0A69963FE9F1DB0A0A2639D99178AD539C7E70ABF52EF9B20B0D4EDEB361","fqbnLength":"120","fqbn":"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\\\WINTYPES.DLL\\\\10.0.14393.4467","targetLogonId":"0x155d95b8"}}}'
        timestamp: '2021 Jun 23 13:39:58'

**Phase 2: Completed decoding.
        No decoder matched.

Yana Zaeva

Jun 28, 2021, 10:39:09 AM
to Wazuh mailing list
Hi,

First of all, I would like to recommend that you always enable the <logall_json> option instead of <logall>, as with the JSON option we are able to see a very useful field for these cases, which is full_log. This field should correspond to the information below, which is the information that is supposed to be parsed by the decoders:

{"win":{"system":{"providerName":"Microsoft-Windows-AppLocker","providerGuid":"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}","eventID":"8004","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-06-23T20:39:57.448162900Z","eventRecordID":"16691","processID":"15356","threadID":"7800","channel":"Microsoft-Windows-AppLocker/EXE and DLL","computer":"server.fqdn.com","severityValue":"INFORMATION","message":"\"%SYSTEM32%\\WINTYPES.DLL was allowed to run.\""},"ruleAndFileData":{"policyNameLength":"3","policyName":"DLL","ruleId":"{BAC4B0BF-6F1B-40E8-8627-8545FA89C8B6}","ruleNameLength":"37","ruleName":"(Default Rule) Microsoft Windows DLLs","ruleSddlLength":"57","ruleSddl":"D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains \\\"%WINDIR%\\\\*\\\"))","targetUser":"S-1-5-21-1724543075-3879649918-2838239325-7215","targetProcessId":"15356","filePathLength":"23","filePath":"%SYSTEM32%\\\\WINTYPES.DLL","fileHashLength":"32","fileHash":"F19F0A69963FE9F1DB0A0A2639D99178AD539C7E70ABF52EF9B20B0D4EDEB361","fqbnLength":"120","fqbn":"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\\\WINTYPES.DLL\\\\10.0.14393.4467","targetLogonId":"0x155d95b8"}}}

Please enable the above-mentioned option and let me know whether this is in fact the information contained in the full_log field. Regarding the wazuh-logtest binary, it does not parse Windows logs the way it parses other regular logs. The way this information is parsed is similar to how it is done with JSON logs. For the testing, I would suggest you change rule 60000 from this:

  <rule id="60000" level="0">
    <category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>


To this:

  <rule id="60000" level="5">
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>

Once you have done that, restart the Wazuh manager to apply the changes. Now, if you go to the wazuh-logtest binary and paste the information contained in the <full_log> field, you should be able to see how this information is being parsed. I will attach a file below where you can see how this log was decoded (the file is called wazuh-logtest.png). You are not receiving any alerts for this event because this rule's level is 0 by default. (In my case it is 5, because I have modified it for some testing.) You can check the default one here. Once you know that this event is matching rule 60009, you can write custom child rules, for example these ones (based on the ones you sent above):

  <rule id="234562" level="5">
    <if_sid>60009</if_sid>
    <field name="win.system.eventID">^8002$</field>
    <description>AppLocker Audit</description>
  </rule>
  <rule id="234563" level="10">
    <if_sid>60009</if_sid>
    <field name="win.system.eventID">^8003$|^8006$</field>
    <description>AppLocker Audit Warning</description>
    <options>alert_by_email</options>
  </rule>
  <rule id="234564" level="10">
    <if_sid>60009</if_sid>
    <field name="win.system.eventID">^8004$|^8007$</field>
    <description>AppLocker Block</description>
    <options>alert_by_email</options>
  </rule>

I have attached three images so you can make sure that the events are matching these rules. Feel free to change the level or the rule IDs. Do not forget that once you are done with the testing, you will have to modify rule 60000, or it is not going to parse your Windows events. We modified it only to be able to see the output from wazuh-logtest, nothing else. Once you have changed it back, do not forget to restart the manager to apply the changes.

Hope I was helpful. Let me know if you need anything else.

Regards,
Yana.
Attachments: 234562.png, 234563.png, 234564.png, wazuh-logtest.png
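To make the decoding path concrete, here is an added example (it is not Wazuh code and not from either poster) that does in plain Python what the thread describes: it strips the archives.log prefix to recover the JSON that full_log carries, resolves Wazuh-style dotted field names such as win.system.eventID, and applies the three child rules above (IDs 234562-234564, their levels, eventID patterns and descriptions are copied from the thread). The precondition that stands in for parent rule 60000 is narrowed to the AppLocker provider, Python's re module stands in for Wazuh's own regex engine, and the sample archive lines are constructed from the field names shown in the thread; all three are assumptions of this example.

```python
import json
import re

# Child rules copied from the thread; the evaluator around them is this example's own.
# Python's `re` is used in place of Wazuh's regex engine (assumption of this example).
APPLOCKER_RULES = [
    {"id": 234562, "level": 5, "field": "win.system.eventID",
     "regex": r"^8002$", "description": "AppLocker Audit"},
    {"id": 234563, "level": 10, "field": "win.system.eventID",
     "regex": r"^8003$|^8006$", "description": "AppLocker Audit Warning"},
    {"id": 234564, "level": 10, "field": "win.system.eventID",
     "regex": r"^8004$|^8007$", "description": "AppLocker Block"},
]

# archives.log prefix '<timestamp> (<agent>) any->EventChannel ' that precedes the JSON.
ARCHIVE_PREFIX = re.compile(r"^.*?any->EventChannel\s+")


def extract_full_log(archive_line):
    """Return the JSON document the decoders see (what full_log holds with logall_json)."""
    return ARCHIVE_PREFIX.sub("", archive_line, count=1)


def get_field(event, dotted):
    """Resolve a Wazuh-style dotted field name such as 'win.system.eventID'."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def parent_matches(event):
    """Precondition modelled on rule 60000 (non-empty win.system.providerName),
    narrowed to the AppLocker provider for this example (assumption)."""
    return get_field(event, "win.system.providerName") == "Microsoft-Windows-AppLocker"


def evaluate(archive_line, rules=APPLOCKER_RULES):
    """Return the first rule whose eventID pattern matches, or None when no alert fires."""
    event = json.loads(extract_full_log(archive_line))
    if not parent_matches(event):
        return None
    for rule in rules:
        value = get_field(event, rule["field"])
        if value is not None and re.search(rule["regex"], str(value)):
            return {"id": rule["id"], "level": rule["level"],
                    "description": rule["description"]}
    return None


def summarize(archive_line):
    """Fields an analyst wants next to an AppLocker alert: who ran what, where, and its hash."""
    event = json.loads(extract_full_log(archive_line))
    return {name: get_field(event, path) for name, path in (
        ("eventID", "win.system.eventID"),
        ("computer", "win.system.computer"),
        ("targetUser", "win.ruleAndFileData.targetUser"),
        ("filePath", "win.ruleAndFileData.filePath"),
        ("fileHash", "win.ruleAndFileData.fileHash"),
        ("ruleName", "win.ruleAndFileData.ruleName"),
    )}


def make_archive_line(event_id, message, provider="Microsoft-Windows-AppLocker"):
    """Constructed archives.log line in the shape shown in the thread (sample values only)."""
    event = {"win": {
        "system": {"providerName": provider, "eventID": str(event_id),
                   "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
                   "computer": "server.fqdn.com", "message": message},
        "ruleAndFileData": {"policyName": "DLL",
                            "ruleName": "(Default Rule) Microsoft Windows DLLs",
                            "targetUser": "S-1-5-21-1724543075-3879649918-2838239325-7215",
                            "filePath": "%SYSTEM32%\\WINTYPES.DLL",
                            "fileHash": "F19F0A69963FE9F1DB0A0A2639D99178AD539C7E70ABF52EF9B20B0D4EDEB361"},
    }}
    return "2021 Jun 23 13:39:58 (server) any->EventChannel " + json.dumps(event)


if __name__ == "__main__":
    for eid, msg in (("8002", "was allowed to run."),
                     ("8004", "was prevented from running.")):
        line = make_archive_line(eid, "%SYSTEM32%\\WINTYPES.DLL " + msg)
        print(eid, evaluate(line), summarize(line)["filePath"])
```

Running the block shows why the original wazuh-logtest session reported "No decoder matched": the archive line prefix is not part of the JSON that the eventchannel decoder consumes, so only the full_log content should be pasted into logtest. Event IDs outside the three patterns (8001, for example) fall through to None, which mirrors a level-0 parent rule producing no alert.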

Kevin Neubauer

Jun 29, 2021, 4:24:05 PM
to Wazuh mailing list
Thank you for the help! I now have it working. My final custom rules are below. Event ID 8002 and email alerting are commented out on purpose but left there in case we want to enable them in the future.

  <!--
  <rule id="100000" level="1">
    <if_sid>60009</if_sid>
    <field name="win.system.eventID">^8002$</field>
    <description>AppLocker Audit Info</description>
  </rule>
  -->
  <rule id="100010" level="5">
    <if_sid>60010</if_sid>
    <field name="win.system.eventID">^8003$|^8006$</field>
    <description>AppLocker Audit Warning</description>
    <!--<options>alert_by_email</options>-->
  </rule>
  <rule id="100020" level="10">
    <if_sid>60011</if_sid>
    <field name="win.system.eventID">^8004$|^8007$</field>
    <description>AppLocker Block Error</description>
    <!--<options>alert_by_email</options>-->
  </rule>

Yana Zaeva

Jun 30, 2021, 3:26:06 AM
to Wazuh mailing list
Hi,

That's great to hear. Do not hesitate to contact us if you need anything else.

Regards,
Yana.
