Windows Event 4103 collection problem


serano...@gmail.com

Feb 16, 2022, 6:43:26 AM
to Wazuh mailing list
Hi All
I'm trying to collect Windows event 4103 with these rules:

<group name="Powershell,">
   <rule id="500200" level="6">
        <if_sid>60000</if_sid>
        <field name="win.system.providerName">Microsoft-Windows-PowerShell</field>
        <description>Powershell Log Group 1</description>
    </rule>
   <rule id="500201" level="10">
        <if_sid>500200</if_sid>
        <field name="win.system.eventID">4103</field>
        <options>no_full_log</options>
        <group>PS1-Script,</group>
        <description>Powershell: Script Block Logging</description>
    </rule>
</group>

But it keeps going into the archived log instead of triggering the rules; I don't understand what I'm missing. Attached you can find a sample.

Could you help me figure it out?

Thanks!


4103.txt

John Soliani

Feb 16, 2022, 9:07:21 PM
to Wazuh mailing list
Hello Serano,
 
  Thanks for using our communities!

  First, you should check whether stock rules are already monitoring the eventID 4103; we can do this with:
  # grep 'eventID"' /var/ossec/ruleset/rules/* | grep '4103'
   /var/ossec/ruleset/rules/0585-win-application_rules.xml:    <field name="win.system.eventID">^4103$</field>
   /var/ossec/ruleset/rules/0585-win-application_rules.xml:    <field name="win.system.eventID">^4103$</field>
   /var/ossec/ruleset/rules/0601-win-vipre_rules.xml:    <field name="win.system.eventID">^4103$</field>

  Here we can see that stock rules in the 0585 and 0601 files are monitoring the eventID 4103. Keep in mind that the stock rules and decoders have priority over custom ones, so your rules are not able to get the log and validate the conditions to generate the custom alerts. After checking those stock rules, we can see they are matching different values than yours, so we need to continue from rule ID 60009, this one:
  <rule id="60009" level="0">
    <if_sid>60000</if_sid>
    <field name="win.system.severityValue">^INFORMATION$</field>
    <description>Windows informational event</description>
    <options>no_full_log</options>
  </rule>

  Knowing this, the correct custom rules would be:
<group name="Powershell,">
   <rule id="500200" level="6">
        <if_sid>60009</if_sid>
        <field name="win.system.providerName">Microsoft-Windows-PowerShell</field>
        <description>Powershell Log Group 1</description>
    </rule>
   <rule id="500201" level="10">
        <if_sid>500200</if_sid>
        <field name="win.system.eventID">4103</field>
        <options>no_full_log</options>
        <group>PS1-Script,</group>
        <description>Powershell: Script Block Logging</description>
    </rule>
</group>

  How did I know that rule ID 60009 is matching your log? There's a trick to check Windows logs in the logtest tool. First, edit the file /var/ossec/ruleset/rules/0575-win-base_rules.xml and modify the rule ID 60000, like this:

  NOTE: Just for testing purposes! You must change it back to what it was after using the logtest tool, otherwise you could break stock rules.
 
 <rule id="60000" level="0">
    <!--category>ossec</category>
    <decoded_as>windows_eventchannel</decoded_as-->
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>
 
  Now, DO NOT restart the manager. Execute the tool /var/ossec/bin/wazuh-logtest-legacy to test your log, paste it (clean) there and press enter; you will get this result:

**Phase 1: Completed pre-decoding.
       full event: '{"win":{"system":{"providerName":"Microsoft-Windows-PowerShell","providerGuid":"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}","eventID":"4103","version":"1","level":"4","task":"106","opcode":"20","keywords":"0x0","systemTime":"2022-02-...
       timestamp: '(null)'
       hostname: 'c7-ag3-83'
       program_name: '(null)'
       log: '{"win":{"system":{"providerName":"Microsoft-Windows-PowerShell","providerGuid":"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}","eventID":"4103","version":"1","level":"4","task":"106","opcode":"20","keywords":"0x0","systemTime":"2022-02-16T11:31:51.371999900Z","eventRecordID":"124782","processID":"588","threadID":"1380","channel":"Microsoft-Windows-PowerShell/Operational","computer":"SOC-PENTEST","severityValue":"INFORMATION","message":"\"CommandInvocation(Set-StrictMode): \"Set-StrictMode\"\r\nParameterBinding(Set-StrictMode): name=\"Off\"; value=\"True\"\r\n\r\n\r\nContext:\r\n        Severity = Informational\r\n        Host Name = ConsoleHost\r\n        Host Version = 5.1.17763.592\r\n        Host ID = 72c46615-31a7-403c-97cf-7eb9d521e3bd\r\n        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n        Engine Version = 5.1.17763.592\r\n        Runspace ID = 6c5bb21f-dee3-4f04-b659-beabc95c5dea\r\n        Pipeline ID = 40\r\n        Command Name = Set-StrictMode\r\n        Command Type = Cmdlet\r\n        Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadLine.psm1\r\n        Command Path = \r\n        Sequence Number = 104\r\n        User = SOC-PENTEST\\Administrator\r\n        Connected User = \r\n        Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n\""},"eventdata":{"contextInfo":"        Severity = Informational          Host Name = ConsoleHost          Host Version = 5.1.17763.592          Host ID = 72c46615-31a7-403c-97cf-7eb9d521e3bd          Host Application = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe          Engine Version = 5.1.17763.592          Runspace ID = 6c5bb21f-dee3-4f04-b659-beabc95c5dea          Pipeline ID = 40          Command Name = Set-StrictMode          Command Type = Cmdlet          Script Name = C:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\PSReadline\\\\2.0.0\\\\PSReadLine.psm1          Command Path = 
          Sequence Number = 104          User = SOC-PENTEST\\\\Administrator          Connected User =           Shell ID = Microsoft.PowerShell","payload":"CommandInvocation(Set-StrictMode): \\\"Set-StrictMode\\\"  ParameterBinding(Set-StrictMode): name=\\\"Off\\\"; value=\\\"True\\\""}}}'

**Phase 2: Completed decoding.
       decoder: 'json'
       win.system.providerName: 'Microsoft-Windows-PowerShell'
       win.system.providerGuid: '{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'
...
       win.system.severityValue: 'INFORMATION'
       win.system.message: '"CommandInvocation(Set-StrictMode): "Set-StrictMode"
ParameterBinding(Set-StrictMode): name="Off"; value="True"


Context:
        Severity = Informational
        Host Name = ConsoleHost
...
        User = SOC-PENTEST\Administrator
        Connected User =
        Shell ID = Microsoft.PowerShell


User Data:

"'
       win.eventdata.contextInfo: '        Severity = Informational          Host Name = ConsoleHost          Host Version = 5.1.17763.592          Host ID = 72c46615-31a7-403c-97cf-7eb9d521e3bd          Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe          Engine Version = 5.1.17763.592          Runspace ID = 6c5bb21f-dee3-4f04-b659-beabc95c5dea          Pipeline ID = 40          Command Name = Set-StrictMode          Command Type = Cmdlet          Script Name = C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadLine.psm1          Command Path =           Sequence Number = 104          User = SOC-PENTEST\\Administrator          Connected User =           Shell ID = Microsoft.PowerShell'
       win.eventdata.payload: 'CommandInvocation(Set-StrictMode): \"Set-StrictMode\"  ParameterBinding(Set-StrictMode): name=\"Off\"; value=\"True\"'

**Phase 3: Completed filtering (rules).
       Rule id: '60009'
       Level: '0'
       Description: 'Windows informational event'

  Here, we can see it ended in rule ID 60009, a level 0 stock rule from Wazuh (it won't generate an alert). So we can take our custom rule from here!

  REMEMBER to revert the changes in /var/ossec/ruleset/rules/0575-win-base_rules.xml. You DO NOT need to restart the manager: we never applied the changes, and the -legacy logtest tool recompiles the rules every time you execute it, without the need to restart the service to apply them! Isn't it great?!
  
Let me know if this helped.
John.-
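The grep check and the if_sid chain from John's reply, done as a small XML parse over an embedded, constructed ruleset. This is an added example, not code from the thread or from Wazuh; rule id 99990 is a placeholder standing in for the real rule in 0585, and only the osregex `\.` escape is translated for Python's regex engine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for /var/ossec/ruleset/rules/. Rule id 99990 is a
# placeholder for the real rule in 0585, not its actual id.
SAMPLE_RULESET = {
    "0575-win-base_rules.xml": """<group name="windows,">
  <rule id="60000" level="0"><decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.providerName">\\.+</field></rule>
  <rule id="60009" level="0"><if_sid>60000</if_sid>
    <field name="win.system.severityValue">^INFORMATION$</field></rule>
</group>""",
    "0585-win-application_rules.xml": """<group name="windows,">
  <rule id="99990" level="3"><if_sid>60009</if_sid>
    <field name="win.system.eventID">^4103$</field></rule>
</group>""",
}

def load_rules(ruleset):
    """Parse rule files into {id: info}. A rule file may contain several
    top-level <group> elements, so wrap it in a dummy root before parsing."""
    rules = {}
    for fname, text in ruleset.items():
        for r in ET.fromstring(f"<root>{text}</root>").iter("rule"):
            rules[r.get("id")] = {
                "file": fname, "level": r.get("level"),
                # if_sid may be a comma-separated list; keep the first parent
                "if_sid": (r.findtext("if_sid") or "").split(",")[0].strip(),
                "fields": {f.get("name"): f.text or "" for f in r.findall("field")},
            }
    return rules

def rules_matching_event_id(rules, event_id):
    """Ids of rules whose win.system.eventID field matches event_id (the grep
    check from the reply); only the osregex '\\.' (any char) escape is translated."""
    hits = []
    for rid, r in rules.items():
        pat = r["fields"].get("win.system.eventID")
        if pat and re.search(pat.replace("\\.", "."), event_id):
            hits.append(rid)
    return sorted(hits)

def parent_chain(rules, rid):
    """Follow if_sid up to the root: the custom rule has to hook into the rule
    where the event actually lands (60009 here), not only into 60000."""
    chain = [rid]
    while rules[chain[-1]]["if_sid"] in rules:
        chain.append(rules[chain[-1]]["if_sid"])
    return chain
```

`rules_matching_event_id(load_rules(SAMPLE_RULESET), "4103")` returns `["99990"]`, and `parent_chain` on that id gives 99990 -> 60009 -> 60000, the parent the corrected custom rule hooks into.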

