Localfile commands for Windows


Bloom

Sep 4, 2023, 8:36:56 AM
to Wazuh | Mailing List
Hello Wazuh Team,

I hope you're doing well!

I have some doubts regarding the command execution capability offered by Localfile, specifically for Windows agents.

I've noticed that some commands work and get logged as expected while some others simply do not work. 

It's not a configuration problem, since the same agent returns other command outputs. And it's not a problem with the command itself, since it works when executed directly in the server.

A simple example of this is:

This one works perfectly:
<localfile>
<log_format>full_command</log_format>
<command>tasklist</command>
<frequency>60</frequency>
</localfile>

This one refuses to be executed:
<localfile>
<log_format>full_command</log_format>
<command>quser</command>
<frequency>60</frequency>
</localfile>

Is there a specific reason for this? Perhaps a pool of allowed commands for Windows agents? What do you think of this?

Thanks in advance!
Bloom

Javier Medeot

Sep 4, 2023, 9:24:09 AM
to Wazuh | Mailing List
Hello Bloom.

Could you share your relevant rules to alert about the findings in the tasklist and in the quser command outputs? Could you share an example of those command executions that do work and get logged as expected that you mentioned?

You can see an example of how to configure the Command monitoring capability for Windows in the following documents. Also, let me tell you that there's no limited pool of allowed commands.
Looking forward to your reply. Thank you.

Javier

Bloom

Sep 4, 2023, 11:03:40 AM
to Wazuh | Mailing List
Hello Javier,

Thanks for the quick reply.

For the tasklist command:

Output is in French:

ossec: output: 'tasklist':
Nom de l'image PID Nom de la sessio Numéro de s Utilisation
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 8 Ko
System 4 Services 0 32 Ko
Registry 92 Services 0 14 300 Ko
smss.exe 308 Services 0 244 Ko
csrss.exe 424 Services 0 1 844 Ko
wininit.exe 500 Services 0 456 Ko

The rule for this is:
    <rule id="100042" level="3">
        <if_sid>530</if_sid>
        <match>^ossec: output: 'tasklist'</match>
        <description>running procs</description>
    </rule>

The same template is used for quser:

    <rule id="100043" level="3">
        <if_sid>530</if_sid>
        <match>^ossec: output: 'quser'</match>
        <description>open sessions</description>
    </rule>

This isn't the only command that doesn't work; I've had this problem before and had to search for other replacements to achieve what I wanted.

Thanks.

Javier Medeot

Sep 5, 2023, 12:33:52 PM
to Wazuh | Mailing List
Hello Bloom.

I talked with the team. Try using:

<command>\Windows\SysNative\quser</command>

Unlike tasklist, the quser command is not found in SysWOW64. The agent runs as a 32-bit program, so to use System32\ you need to force it using SysNative\.

You'll also need to modify your rule to match this:

<match>^ossec: output: '\Windows\SysNative\quser'</match>

I hope this helps. Let me know of anything else related to this you might need. Thank you.
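The redirection Javier describes (a 32-bit agent asking for System32 is silently handed SysWOW64, and only the SysNative alias reaches the real System32) can be checked before a localfile block is deployed, and the `<command>` path and the `<match>` pattern from Bloom's rules can be generated from the result so the two stay consistent. The script below is an added example, not part of the thread or of the Wazuh project; the `SAMPLE_LISTING` directory contents are constructed to mirror the thread (tasklist in both directories, quser only in System32), and `list_real_directories()` is an assumed helper that reads the live directories when run on a 64-bit Windows host.

```python
"""Predict which Windows commands a 32-bit Wazuh agent can run from a
<localfile> full_command block, and emit the block plus the matching rule.

On 64-bit Windows, a 32-bit process that opens C:\\Windows\\System32 is
silently redirected to C:\\Windows\\SysWOW64 (WOW64 file system
redirection). The virtual directory C:\\Windows\\Sysnative gives such a
process a path to the real System32. A tool shipped only in System32
(quser in the thread) is therefore invisible to the agent unless it is
invoked through \\Windows\\SysNative\\.
"""
import os
import pathlib
import platform
import sys

SYSNATIVE_PREFIX = r"\Windows\SysNative"

# Constructed sample listing modelled on the thread: tasklist exists in both
# directories, quser only in System32. list_real_directories() replaces it
# with the live contents of a 64-bit Windows host.
SAMPLE_LISTING = {
    "SysWOW64": {"tasklist.exe", "cmd.exe", "whoami.exe"},
    "System32": {"tasklist.exe", "cmd.exe", "whoami.exe", "quser.exe"},
}


def _exe_name(command):
    """Normalise a bare command name to the file name Windows would resolve."""
    name = command.lower()
    return name if name.endswith(".exe") else name + ".exe"


def agent_visible_path(command, listing):
    """Return the command string a 32-bit agent can execute, or None.

    `listing` maps "SysWOW64" and "System32" to the set of file names found
    in each directory. A command present in SysWOW64 works as typed; one
    present only in System32 must go through the SysNative alias.
    """
    exe = _exe_name(command)
    if exe in {n.lower() for n in listing["SysWOW64"]}:
        return command
    if exe in {n.lower() for n in listing["System32"]}:
        return f"{SYSNATIVE_PREFIX}\\{command}"
    return None


def localfile_block(command, listing, frequency=60):
    """Build the <localfile> block used in the thread, with the working path."""
    path = agent_visible_path(command, listing)
    if path is None:
        raise LookupError(f"{command} is not available in SysWOW64 or System32")
    return (
        "<localfile>\n"
        "  <log_format>full_command</log_format>\n"
        f"  <command>{path}</command>\n"
        f"  <frequency>{frequency}</frequency>\n"
        "</localfile>"
    )


def rule_match(command, listing):
    """The <match> line the rule needs: the log line carries the exact
    command string given in <command>, SysNative prefix included."""
    path = agent_visible_path(command, listing)
    return f"<match>^ossec: output: '{path}'</match>"


def list_real_directories():
    """Read the real SysWOW64 and System32 contents on a 64-bit Windows host.

    Returns None elsewhere. A 32-bit Python would itself be redirected when
    reading System32, so in that case the Sysnative alias is read instead.
    """
    if platform.system() != "Windows":
        return None
    root = pathlib.Path(os.environ.get("SystemRoot", r"C:\Windows"))
    is_64bit_process = sys.maxsize > 2**32
    system32 = root / ("System32" if is_64bit_process else "Sysnative")
    return {
        "SysWOW64": {p.name for p in (root / "SysWOW64").iterdir()},
        "System32": {p.name for p in system32.iterdir()},
    }


if __name__ == "__main__":
    listing = list_real_directories() or SAMPLE_LISTING
    for cmd in ("tasklist", "quser"):
        print(localfile_block(cmd, listing))
        print(rule_match(cmd, listing))
        print()
```

Run on the agent host itself, the script prints a `<localfile>` block per command with the prefix only where the live listing shows it is needed, and the `<match>` line that goes with it; the two are derived from the same string, which avoids the mismatch Javier points out between a prefixed `<command>` and an unprefixed rule.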

Bloom

Sep 6, 2023, 3:57:31 AM
to Wazuh | Mailing List
Hello Javier!

I confirm that this solves the problem. I now understand why some commands didn't work before.

This has been really helpful, thank you!
