Questions regarding kerberos event logs and wazuh agent in VDI env


Frank

Feb 24, 2022, 3:12:33 PM
to Wazuh mailing list
Howdy,

Currently I'm trying to learn Wazuh bit by bit and I'm getting a little confused with some Windows event log rule grouping, or to be more specific, the ones related to Kerberos.

For example

Launching a kerberoasting attack. I can see the events present on the DC:
[screenshot: 2022-02-24 21_32_25-Franken_corp (DC) (Before AD generator) [Running] - Oracle VM VirtualBox.png]

Reviewing whether alerts were triggered.
[screenshot: 2022-02-24 21_55_44-Window.png]
^ I can see that alerts were created (although 4768 is missing), but grouped as Windows Login Success.

1. Is this expected behavior? If yes, and I wanted to edit the rules so the description would be more specific, I would need to copy the existing rule and create a custom one, correct?
----

Also, I have noticed that one of the agents is displayed as alive but not sending logs.
[screenshot: 2022-02-24 22_02_40-Window.png]
[screenshot: 2022-02-24 22_03_05-Window.png]
Restarting wazuh service solved the issue.

2. Is this a known issue in virtualized environments? How should Wazuh agents be handled in a VDI environment where VMs are often recreated from a single image?

Thank you

Ariel Ivan Ojeda

Feb 25, 2022, 3:47:33 PM
to Wazuh mailing list

Hi Frank,

I hope you are doing great today. About your questions: yes, this is expected behavior, as rule 60106 is a default rule that captures Windows successful login events. You can see the rule below:

[image: Foto1.jpg]

Here you will notice that this rule matches the eventID against one of several values; you can see 4769 but not 4768, which is why it is not matching the eventID you want. You could write a custom rule by copying this rule and then updating it to match your needs. I'll explain how you can do this with an example.

To find the rule you want to check, you can use the Kibana interface: go to Wazuh -> Management -> Rules, and there you can search for rule ID 60106 as shown below:

[image: Foto2.jpg]

You can click the file name to view it. In there you will see several rules; you can scroll down to find 60106 and copy the rule to your clipboard. Then you need to go back and select "Add new rules file" from the options:

[image: Foto3.jpg]

This will allow you to create a custom rule:

[image: Foto4.jpg]

You can paste the rule from the previous step, edit it and use a different file name; this is just an example. You may notice I removed the group tags and MITRE tags; you may leave them if you wish. Once you are done with the change, you can save the file and restart the manager using the button that will appear. You can find more information below:

https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

You can copy the rule from here:

<group name="windows,windows_security,">
  <rule id="100006" level="3">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4769$</field>
    <description>Your custom description for the rule</description>
    <options>no_full_log</options>
  </rule>
</group>

The other option would be to override the original rule. You would need to do something similar to what we did, but you would not change the rule ID; also, you would need the overwrite command in the rule tag, like this:

[image: Foto5.jpg]

More information here:

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Best regards,

Ariel
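The following is an added example, not part of either message in this thread and not Wazuh's own ruleset. It is a local_rules.xml fragment that carries the approach above one step further: it gives 4768 and 4769 their own Kerberos-specific descriptions (instead of the generic "Windows Logon Success" from 60106) and adds a kerberoasting indicator on top of them. The rule IDs 100010 to 100013 are assumed to be free in your local ruleset, and the win.eventdata.* field names (serviceName, ticketEncryptionType, targetUserName, ipAddress) are assumed from how the Windows eventchannel decoder names EventData attributes; confirm them against the decoded JSON of a real 4769 alert before relying on them.

```xml
<!-- Added example (not from the thread). Wazuh local_rules.xml fragment.
     Assumptions: rule IDs 100010-100013 are unused; the agent forwards the
     Security channel in eventchannel format, so win.system.eventID and the
     win.eventdata.* names below exist in the decoded event. -->
<group name="windows,windows_security,kerberos,">

  <!-- 4768: a Kerberos TGT was requested. 60106 does not list 4768, so without
       a rule like this the event only reaches the generic parent 60103. -->
  <rule id="100010" level="4">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4768$</field>
    <description>Kerberos: TGT requested for $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
    <options>no_full_log</options>
  </rule>

  <!-- 4769: a Kerberos service ticket was requested. 60106 (level 3) also
       matches 4769 under the same parent; siblings are tried from the highest
       level down, so level 4 makes this rule win and gives the Kerberos
       description instead of "Windows Logon Success". -->
  <rule id="100011" level="4">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4769$</field>
    <description>Kerberos: service ticket for $(win.eventdata.serviceName) requested by $(win.eventdata.targetUserName)</description>
    <options>no_full_log</options>
  </rule>

  <!-- Kerberoasting indicator: a 4769 with RC4-HMAC (TicketEncryptionType
       0x17) for a service other than krbtgt. Domains that default to AES
       rarely issue RC4 service tickets, but kerberoasting tools request them
       because RC4 hashes crack far faster. Child of 100011, so it only fires
       when the 4769 rule above already matched. -->
  <rule id="100012" level="10">
    <if_sid>100011</if_sid>
    <field name="win.eventdata.ticketEncryptionType">^0x17$</field>
    <field name="win.eventdata.serviceName" negate="yes">^krbtgt$</field>
    <description>Possible kerberoasting: RC4 service ticket for $(win.eventdata.serviceName) requested by $(win.eventdata.targetUserName) from $(win.eventdata.ipAddress)</description>
    <mitre>
      <id>T1558.003</id>
    </mitre>
  </rule>

  <!-- Correlation: one account pulling 5 or more RC4 service tickets within
       two minutes is the usual shape of a bulk kerberoast, not normal use. -->
  <rule id="100013" level="12" frequency="5" timeframe="120">
    <if_matched_sid>100012</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <description>Kerberoasting burst: $(win.eventdata.targetUserName) requested 5+ RC4 service tickets within 2 minutes</description>
    <mitre>
      <id>T1558.003</id>
    </mitre>
  </rule>
</group>
```

Save this through Wazuh -> Management -> Rules -> Add new rules file (or drop it into /var/ossec/etc/rules/ on the manager) and restart the manager (systemctl restart wazuh-manager). You can replay one of the captured 4769 events through /var/ossec/bin/wazuh-logtest to check which rule wins before trusting the change in production; if the decoded field names differ from the assumptions above, adjust the `<field name="...">` attributes to match what wazuh-logtest shows.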
