RDP alert still not show alerts


Massimiliano De Falco

Dec 18, 2024, 11:19:29 AM
to Wazuh | Mailing List
Good evening, I kindly ask for help in configuring the event log regarding the RDP connection on a win2019 server.

I have read various posts regarding this and have configured my ossec.conf with this:

<localfile>
  <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

and local_rules.conf with this:
<group name="local,syslog,sshd,windows,">

  <rule id="100002" level="0">
    <if_group>syscheck</if_group>
    <field name="file">\\~\$\.+$</field>
    <description>Ignore temporary files on Windows agents</description>
    <group>syscheck_ignored,</group>
  </rule>

  <!-- Rule IDs must be unique within the ruleset; the three rules below were all posted as 100100, so 100100, 100101 and 100102 are used here. -->
  <rule id="100100" level="3">
    <if_sid>67027</if_sid>
    <description>New process $(win.eventdata.newProcessName) was created by user $(win.eventdata.subjectUserName)</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.parentProcessName">powershell.exe$</field>
    <description>New process $(win.eventdata.newProcessName) created from a PowerShell script executed by user $(win.eventdata.subjectUserName)</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

  <rule id="100102" level="5">
    <if_sid>60009</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational$</field>
    <options>no_full_log</options>
    <description>Terminal Services Remote Connection Manager</description>
  </rule>

</group>

The problem I have is that I continue not to receive alerts in Endpoint -> Threat Hunting.

Where is the error?

Thanks.

Mainor Rodriguez Rodriguez

Dec 18, 2024, 11:27:55 PM
to Wazuh | Mailing List
Hello Massimiliano,

I will assist you today. I will review your inquiry and inform you about the next steps shortly.

Regards,

Mainor Rodriguez Rodriguez

Dec 25, 2024, 9:19:50 AM
to Wazuh | Mailing List

Hello Massimiliano,

By default, Wazuh monitors RDP login success and failure with the stock rules 60122 for failure and 92657 for successful login. However, to differentiate RDP login failures from local login failures, we will need to create a rule based on rule 60105. Still, first we must ensure that Success and Failure auditing is enabled on your Windows machine.


Step 1. Enable Success and Failure Auditing.

Press Windows + R > type gpedit.msc > then expand Computer Configuration > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > double click on Logon/Logoff > double click on Audit Logon > and check the boxes to select Success and Failure

So that it looks like this:



Step 2. Create a rule for audit login failure events

  1. Log in to the Wazuh Dashboard and click on the hamburger menu > Server management > Rules > Custom rules > local_rules.xml button > go to the bottom of the file and paste the following rule before the </group> closing tag:

  <rule id="100200" level="7">
    <if_sid>60105</if_sid>
    <field name="win.system.eventID">^4625$</field>
    <field name="win.eventdata.authenticationPackageName">^NTLM$</field>
    <description>RDP Logon Failure - Unknown user or bad password</description>
    <options>no_full_log</options>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>

  2. Then click on Save and Restart.

Step 3. Test the login alerts and view them in Threat Hunting.



I hope this information is helpful. Let me know if you have questions.

Regards,

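To see how the custom rules in this thread (the 4625/NTLM rule above and the TerminalServices channel rule from the first post) chain onto their parent rules once a Windows event has been decoded, here is an added example in Python; it is not part of the thread or of Wazuh's own code. The stock parents 60105 and 60009 are modelled as stand-ins keyed on win.system.severityValue, which is an assumption about the real ruleset, the sample events are constructed, and Python's re stands in for Wazuh's OS_Regex, which agrees for the anchored literal patterns used here.

```python
import re

# Constructed stand-ins for the stock parent rules the thread's rules chain to
# (60105 and 60009). ASSUMPTION: their real conditions live in Wazuh's ruleset;
# here each keys on win.system.severityValue so the if_sid chain can be run.
# The last two entries are the custom rules from the thread.
RULES = [
    {"id": 60009, "fields": {"win.system.severityValue": r"^INFORMATION$"}},
    {"id": 60105, "fields": {"win.system.severityValue": r"^AUDIT_FAILURE$"}},
    {"id": 100200, "if_sid": 60105,  # RDP Logon Failure - Unknown user or bad password
     "fields": {"win.system.eventID": r"^4625$",
                "win.eventdata.authenticationPackageName": r"^NTLM$"}},
    {"id": 100102, "if_sid": 60009,  # Terminal Services Remote Connection Manager
     "fields": {"win.system.channel":
                r"^Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational$"}},
]

def lookup(event, path):
    """Resolve a dotted field path (e.g. win.eventdata.authenticationPackageName)."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return str(node)

def fields_match(rule, event):
    """Every <field> of the rule must match; a missing field never matches."""
    return all(lookup(event, p) is not None and re.search(rx, lookup(event, p))
               for p, rx in rule["fields"].items())

def evaluate(event):
    """Return the id of the most specific rule that fires, or None.
    A child (if_sid) fires only if its parent was the last rule matched."""
    winner = None
    for rule in RULES:  # parents are listed before their children
        parent_ok = "if_sid" not in rule or (winner and winner["id"] == rule["if_sid"])
        if parent_ok and fields_match(rule, event):
            winner = rule
    return winner["id"] if winner else None

# Constructed sample events shaped like Wazuh's eventchannel decoder output.
RDP_FAILURE = {"win": {"system": {"eventID": "4625", "severityValue": "AUDIT_FAILURE",
                                  "channel": "Security"},
                       "eventdata": {"authenticationPackageName": "NTLM"}}}
KERBEROS_FAILURE = {"win": {"system": {"eventID": "4625", "severityValue": "AUDIT_FAILURE",
                                       "channel": "Security"},
                            "eventdata": {"authenticationPackageName": "Kerberos"}}}
TS_CONNECT = {"win": {"system": {"eventID": "1149", "severityValue": "INFORMATION",
    "channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"}}}
```

A Kerberos 4625 stays at the parent rule (60105), which is why only NTLM failures surface under the RDP rule, and the TerminalServices event reaches the channel rule only because its parent 60009 fired first.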