Wazuh Scheduled Task Use Case Does not work based on the Article


Daria Leonteva

Sep 13, 2024, 1:49:53 PM
to Wazuh | Mailing List
Good afternoon,

I was trying to follow the article about implementing the scheduled task use case for Wazuh; however, even though I have entered all the configuration described, the triggered scheduled task does not even appear in the Wazuh console.

I think it failed somewhere when I tried to create the active response script; after that, the active response log should be generated (but in my case it is not generated by itself, or only the main schema is partially generated at times):

I put the active response script manually, as is, at the specified file path: C:\Program Files (x86)\ossec-agent\active-response\bin\analyze-scheduled-task.cmd

The following log sample is obtained in the active response log file (C:\Program Files (x86)\ossec-agent\logs\scheduled-tasks.log), proving that the script works. (However, in my case it is not generated, or only the schema is partially generated.) I initially created the same file manually as an empty file.

What could be the issue that the response script is not generating, or only partially generating, the log?

I have tried the following:
- checked the script permissions
- could it be a version conflict? I am currently running Wazuh server 4.7, whereas the article describes how it is done on Wazuh server 4.3.3.
- changed the configuration on the Wazuh agent and Wazuh server to the following (identical on both). Is this configuration correct?
<!-- Wazuh Test based on Wazuh Community Advice -->
<!-- Both blocks belong inside <ossec_config> in ossec.conf -->
<command>
  <name>analyze-scheduled-task</name>
  <executable>C:\Program Files (x86)\ossec-agent\active-response\bin\analyze-scheduled-task.cmd</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>analyze-scheduled-task</command>
  <location>local</location>
  <level>7</level>
  <timeout>600</timeout>
</active-response>

However, it does not seem to work. It does not generate the alerts on the dashboard. However, I have noticed the following even before the change that I made above (please see the attached file):
The scheduled-task.log file (that I created) was initially empty, but it started to fill up with information. I am not sure if my change has broken anything, or how I can proceed further.

Thank you.

screenshot.png

Matías Mercado

Sep 16, 2024, 11:56:15 AM
to Wazuh | Mailing List
Hi,
First, I would like to change something in this tutorial, in this part:
-----------------------------
[...]

Next we create a rule to detect when a task has been scheduled. Another rule is also created to suppress events that are generated by the Windows update orchestrator service. The update orchestrator is responsible for downloading, installing, and verifying your computer updates. It constantly creates and deletes scheduled tasks, therefore generating a lot of alerts on the Wazuh dashboard which can become overwhelming for the analysts. The following rules are added to /var/ossec/etc/rules/local_rules.xml :

<group name="windows,sysmon,">
  <rule id="115006" level="6">
    <if_group>windows</if_group>
    <field name="win.eventdata.ruleName" type="pcre2">^technique_id=T1053,technique_name=Scheduled Task$</field>
    <field name="win.eventdata.eventType" type="pcre2">^CreateKey$</field>
    <description>A Newly Scheduled Task has been Detected on $(win.system.computer)</description>
    <mitre>
      <id>T1053</id>
    </mitre>
  </rule>
  <rule id="115007" level="0">
    <if_sid>115006</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">^HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator$</field>
    <description>Suppression rule for scheduled task created by update orchestrator</description>
  </rule>
</group>
-----------------------------

Please do that in the Wazuh Dashboard: Rules --> Custom rules. It is easier to manage your custom rules from there:
2024-09-16_12-49.png

2024-09-16_12-49_1.png
2024-09-16_12-50.png

----------------------

Which version of Windows are you running? I will try to reproduce this tutorial locally.

Regards,
Matías.
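The following is an added example, not part of either post or of the tutorial: it replays the two rules quoted above (115006 and its level-0 child 115007) over constructed Sysmon-style events, and then applies the `<level>7</level>` threshold from the active-response block in the first message, which Wazuh treats as the minimum alert level that fires the response. It assumes the rule engine matches field regexes against the JSON-escaped field value, which is why the tutorial's regex uses `\\\\` for each backslash in the registry path; the event layout and paths are constructed samples.

```python
import json
import re

# Regexes copied from the quoted tutorial rules (PCRE2 in Wazuh; these
# patterns behave identically under Python's re module).
RULE_115006 = {
    "win.eventdata.ruleName": re.compile(r"^technique_id=T1053,technique_name=Scheduled Task$"),
    "win.eventdata.eventType": re.compile(r"^CreateKey$"),
}
RULE_115007 = {
    "win.eventdata.targetObject": re.compile(
        r"^HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule"
        r"\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator$"),
}
# <level>7</level> from the posted active-response block: minimum alert level that fires it.
ACTIVE_RESPONSE_MIN_LEVEL = 7


def field_text(event, dotted_name):
    """Return the field JSON-escaped (each backslash doubled). Assumption: this is the
    form the rule engine matches, so the regex's \\\\ matches one literal backslash."""
    node = event
    for part in dotted_name.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return json.dumps(node)[1:-1] if isinstance(node, str) else ""


def evaluate(event):
    """Return (rule id, level) the event ends on, or None. Child rule 115007
    (if_sid 115006) at level 0 replaces the level-6 alert, i.e. suppresses it."""
    if not all(rx.search(field_text(event, n)) for n, rx in RULE_115006.items()):
        return None
    if all(rx.search(field_text(event, n)) for n, rx in RULE_115007.items()):
        return (115007, 0)
    return (115006, 6)


def triggers_active_response(event, min_level=ACTIVE_RESPONSE_MIN_LEVEL):
    """True only when the final alert level reaches the active-response threshold."""
    result = evaluate(event)
    return result is not None and result[1] >= min_level


def make_event(rule_name, event_type, target_object):
    # Constructed sample in the shape of a decoded Wazuh Sysmon event (not real data).
    return {"win": {"eventdata": {"ruleName": rule_name, "eventType": event_type,
                                  "targetObject": target_object}}}


TASK_CACHE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
T1053 = "technique_id=T1053,technique_name=Scheduled Task"
SAMPLES = {  # constructed
    "new_task": make_event(T1053, "CreateKey", TASK_CACHE + r"\Example Task"),
    "orchestrator": make_event(T1053, "CreateKey", TASK_CACHE + r"\Microsoft\Windows\UpdateOrchestrator"),
    "deleted_task": make_event(T1053, "DeleteKey", TASK_CACHE + r"\Example Task"),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(name, evaluate(ev), "active response:", triggers_active_response(ev))
```

Note that a new task ends at level 6 under rule 115006, so an active response gated at level 7 never fires for it; the threshold has to be at or below the rule's level (or the response bound to the rule id) for the script to run.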

Daria Leonteva

Sep 23, 2024, 3:45:33 PM
to Wazuh | Mailing List
Good afternoon Matias,

Thank you for replying. I always create the rules via the CLI in the "local_rules.xml" file, since I have issues creating the rules via the GUI for some reason.

Based on your instructions, should I create a separate file in local rules by clicking "Add new rules file" and paste the rule you shared there? If so, it gives me an error in the console (please see the screenshots). I have the same rule configured in the "local_rules.xml" file via the CLI (just a note). Why should I create it in a separate file specifically?

As for the operating system, the Wazuh server runs on a VMware ESXi host, and the agent being monitored for the scheduled task is Windows Server 2019.

Please see the screenshots below:
wazuh image.png
image.png
image (1).png