Add windows rules


vil...@gmail.com

Mar 4, 2021, 10:13:41 AM
to Wazuh mailing list
Hello,

I need some help with how to create new Windows rules for Wazuh. I tried to do it in local_rules.xml and also in 0580-ms-sec-rules, but it seems not to work:

These are my rules:

<group name="windowssecurity1">

 <rule id="100014" level="7">
      <field name="win.system.eventID">^4698$</field>
      <description>A scheduled task has been created on this machine</description>
 </rule>

</group>


Best regards
Rali

Caio Oliveira

Mar 4, 2021, 11:01:18 AM
to vil...@gmail.com, Wazuh mailing list
Hello,

If this eventID already has another rule, I believe that you need to reference the previous rule_id.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6b381ae3-d50b-46e0-8be2-f9e5108a4addn%40googlegroups.com.

Yana Zaeva

Mar 4, 2021, 11:05:56 AM
to Wazuh mailing list
Hi Rali,

It is not advisable to modify already existing rule files such as 0580-win-security_rules.xml, because during an upgrade all the changes will be lost. You can always add new rules to the /var/ossec/etc/rules/local_rules.xml file, or just add a new file with an XML extension to the directory /var/ossec/etc/rules/.

Regarding the rule itself, it is probably not working because there are not any decoders for this event. You can check this using the /var/ossec/bin/ossec-logtest binary: if, when you paste the event log, you get the output "No decoder matched.", that means that there are no decoders for these events. The rule is not working because the field tag takes the field win.system.eventID, which must have been parsed by the decoder previously. You can share the event for which you want to create the rules, and I will help you to write a decoder for it.

Also, I would like to leave here a couple of links that you might find interesting:

Hope I was helpful. Send me your events when possible.

Regards,
Yana.

vil...@gmail.com

Mar 4, 2021, 7:59:27 PM
to Wazuh mailing list
Thanks all for your help. I think it's the decoder; I will try to start working on it now. It will be the first time creating a decoder, I hope it will work.

The event generated for the rule is:

<System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
  <EventID>4698</EventID>
  <Version>1</Version>
  <Level>0</Level>
  <Task>12804</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8020000000000000</Keywords>
  <TimeCreated SystemTime="2021-03-04T15:34:01.111121700Z" />
  <EventRecordID>2119096</EventRecordID>
  <Correlation ActivityID="{7a9c7011-0617-0003-c370-9c7a1706d701}" />
  <Execution ProcessID="672" ThreadID="11000" />
  <Channel>Security</Channel>
  <Computer>XXXXXXXXXXXX</Computer>
  <Security />
  </System>
<EventData>
  <Data Name="SubjectUserSid">S-1-5-21-4561461654-65415466-61846416541-1121</Data>
  <Data Name="SubjectUserName">XXXXXXI</Data>
  <Data Name="SubjectDomainName">XXXXXX</Data>
  <Data Name="SubjectLogonId">0x3c3c8e1c</Data>
  <Data Name="TaskName">\T1053_005_OnLogon</Data>
  <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2021-03-04T16:34:01</Date> <Author>XXXXXXXX\XXXXXXX</Author> <URI>\T1053_005_OnLogon</URI> </RegistrationInfo> <Triggers> <LogonTrigger> <StartBoundary>2021-03-04T16:34:00</StartBoundary> <Enabled>true</Enabled> </LogonTrigger> </Triggers> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>cmd.exe</Command> <Arguments>/c calc.exe</Arguments> </Exec> </Actions> <Principals> <Principal id="Author"> <UserId>XXXXXXX\XXXXXXX</UserId> <LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> </Task></Data>
  <Data Name="ClientProcessStartKey">564564654654654</Data>
  <Data Name="ClientProcessId">2300</Data>
  <Data Name="ParentProcessId">31504</Data>
  <Data Name="RpcCallClientLocality">0</Data>
  <Data Name="FQDN">XXXXXXXXXX</Data>
  </EventData>
  </Event>


Thanks for helping 
Best regards,
Rali

Yana Zaeva

Mar 5, 2021, 2:50:58 PM
to Wazuh mailing list
Hi Rali,

My apologies for the confusion. All Windows events are automatically decoded by event_channel, so it will not be necessary to write a customized one. The rule for all the events that are decoded using event_channel is 60000. Then, there is a child rule with a field that specifies the system channel, which in your case is Security. The rule ID for this rule is 60002, and, as Caio said before, you can use this ID as a parent for your new rule, which will be something like this:

<rule id="100014" level="7">
      <if_sid>60002</if_sid>
      <field name="win.system.eventID">^4698$</field>
      <description>A scheduled task has been created on this machine</description>
 </rule>

Also, Windows rules cannot be tested using ossec-logtest or wazuh-logtest. Once again, my apologies for the misunderstanding.

Let me know if that worked!

Regards,
Yana.
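To make the parent/child chain described in this thread concrete, here is an added illustration (not Wazuh's engine and not code from anyone in the thread): a toy evaluator that walks the if_sid links 60000 -> 60002 -> 100014 over a decoded 4698 event, shows why the anchored regex ^4698$ matters, and pulls the scheduled task's command out of TaskContent so the resulting alert says what the task will run. The decoded event is constructed to mirror the event Rali posted; its camelCase field names (win.system.eventID, win.eventdata.taskName, win.eventdata.taskContent) and the simplified field checks standing in for rules 60000 and 60002 are this example's assumptions, not copies of Wazuh's rule files.

```python
"""Toy model of the Wazuh rule chain discussed in the thread (added example, not Wazuh code)."""
import re
import xml.etree.ElementTree as ET

# Constructed decoded event shaped like the eventchannel JSON Wazuh produces for the
# 4698 event quoted above; the camelCase field names are this example's assumption.
SAMPLE_EVENT = {
    "win": {
        "system": {
            "providerName": "Microsoft-Windows-Security-Auditing",
            "eventID": "4698",
            "channel": "Security",
            "computer": "HOST-PLACEHOLDER",
        },
        "eventdata": {
            "subjectUserName": "USER-PLACEHOLDER",
            "taskName": "\\T1053_005_OnLogon",
            "taskContent": (
                '<?xml version="1.0" encoding="UTF-16"?>'
                '<Task version="1.2" '
                'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                '<Actions Context="Author"><Exec><Command>cmd.exe</Command>'
                "<Arguments>/c calc.exe</Arguments></Exec></Actions></Task>"
            ),
        },
    }
}

# Simplified mirror of the chain Yana describes: 60000 is the event_channel root,
# 60002 narrows to the Security channel, 100014 is the custom rule with if_sid 60002.
# The field check on 60000 is a stand-in; the real rule keys on the decoder itself.
RULES = [
    {"id": 60000, "level": 0, "if_sid": None, "fields": {"win.system.providerName": r".+"}},
    {"id": 60002, "level": 0, "if_sid": 60000, "fields": {"win.system.channel": r"^Security$"}},
    {"id": 100014, "level": 7, "if_sid": 60002, "fields": {"win.system.eventID": r"^4698$"}},
]


def get_field(event, dotted):
    """Resolve a dotted Wazuh field name such as win.system.eventID ('' if absent)."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return cur if isinstance(cur, str) else ""


def evaluate(event, rules):
    """Return ids of matching rules, descending from root rules through if_sid links."""
    children = {}
    for rule in rules:
        children.setdefault(rule["if_sid"], []).append(rule)
    matched, frontier = [], [None]  # None marks root rules (no parent)
    while frontier:
        parent = frontier.pop(0)
        for rule in children.get(parent, []):
            # Every <field> regex must match; a child is only tried once its parent matched.
            if all(re.search(pat, get_field(event, name))
                   for name, pat in rule["fields"].items()):
                matched.append(rule["id"])
                frontier.append(rule["id"])
    return matched


def task_command(task_content):
    """Extract Command and Arguments from the TaskContent XML the 4698 event carries."""
    body = re.sub(r"^<\?xml[^>]*\?>\s*", "", task_content)  # drop the UTF-16 declaration
    root = ET.fromstring(body)
    parts = {}
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # strip the task-schema namespace
        if local in ("Command", "Arguments"):
            parts[local] = (elem.text or "").strip()
    return " ".join(p for p in (parts.get("Command", ""), parts.get("Arguments", "")) if p)


def alert(event, rules=RULES):
    """Mimic the single alert Wazuh raises: the most specific matched rule plus context."""
    matched = evaluate(event, rules)
    if not matched:
        return None
    final = next(r for r in rules if r["id"] == matched[-1])
    return {
        "rule_id": final["id"],
        "level": final["level"],
        "task": get_field(event, "win.eventdata.taskName"),
        "command": task_command(get_field(event, "win.eventdata.taskContent")),
    }


if __name__ == "__main__":
    print(alert(SAMPLE_EVENT))
```

Running it prints the alert for rule 100014 at level 7 with the task name and "cmd.exe /c calc.exe". Changing the eventID to "46981" in the sample stops the chain at 60002, which is the effect of the anchors in ^4698$; an event on the System channel stops at 60000, which is what if_sid 60002 buys you.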