Logging powershell blockscript log


serano...@gmail.com

Dec 20, 2022, 3:41:15 PM
to Wazuh mailing list
Hi All.
I have this problem that is driving me crazy: I have a Windows Server 2016 test machine where I've enabled a GPO to log PowerShell Script Block Logging, and on Wazuh I have these rules to try to collect the logs; what I need is rule id 100539 to work:

<group name="windows-custom,">

  <rule id="100534" level="5">
    <!--<if_sid>60000</if_sid>-->
    <field name="win.system.providerName">^Microsoft-Windows-PowerShell$</field>
    <group>powershell,</group>
    <description>Powershell: Script Block Logging</description>
  </rule>

  <rule id="100535" level="5">
    <if_sid>100534</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-PowerShell$</field>
    <field name="win.system.severityValue">^INFORMATION$</field>
    <group>powershell,</group>
    <description>Powershell Information EventLog</description>
  </rule>

  <rule id="100536" level="7">
    <if_sid>100534</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-PowerShell$</field>
    <field name="win.system.severityValue">^WARNING$</field>
    <group>powershell,</group>
    <description>Powershell Warning EventLog</description>
  </rule>

  <rule id="100537" level="10">
    <if_sid>100534</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-PowerShell$</field>
    <field name="win.system.severityValue">^ERROR$</field>
    <group>powershell,</group>
    <description>Powershell Error EventLog</description>
  </rule>

  <rule id="100538" level="13">
    <if_sid>100534</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-PowerShell$</field>
    <field name="win.system.severityValue">^CRITICAL$</field>
    <group>powershell,</group>
    <description>Powershell Critical EventLog</description>
  </rule>

  <rule id="100539" level="13">
    <if_sid>100534</if_sid>
    <field name="win.system.severityValue">^VERBOSE$</field>
    <group>powershell,</group>
    <description>Powershell: Script Block Logging</description>
  </rule>

  <rule id="100540" level="10">
    <mitre>
      <id>attack.persistence</id>
      <id>attack.t1574.012</id>
    </mitre>
    <description>Registry-Free Process Scope COR_PROFILER</description>
    <options>no_full_log</options>
    <group>windows,ps_script,</group>
    <if_group>powershell</if_group>
    <!-- In PCRE2 "\C" is an escape that matches one code unit, so "\COR_..." would not
         match the literal "C"; the literal strings are written without the backslash. -->
    <field name="win.eventdata.scriptBlockText" negate="no" type="pcre2">(?i)COR_ENABLE_PROFILING|COR_PROFILER_PATH|COR_PROFILER</field>
  </rule>

</group>

The log I'm using for the test is:

{"win":{"system":{"providerName":"Microsoft-Windows-PowerShell","providerGuid":"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}","eventID":"4104","version":"1","level":"5","task":"2","opcode":"15","keywords":"0x0","systemTime":"2022-12-20T19:59:11.398212400Z","eventRecordID":"189359","processID":"3108","threadID":"7260","channel":"Microsoft-Windows-PowerShell/Operational","computer":"SOC-DC01.soc-ngway.local","severityValue":"VERBOSE","message":"\"Creating Scriptblock text (1 of 1):\r\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\r\n\r\nScriptBlock ID: 1c7db94a-9226-49fa-ba38-3bba8d0ce9e9\r\nPath: \""},"eventdata":{"messageNumber":"1","messageTotal":"1","scriptBlockText":"New-ItemProperty -Path 'HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Environment' -Name \\\"COR_ENABLE_PROFILING\\\" -PropertyType String -Value \\\"1\\\" -Force | Out-Null","scriptBlockId":"1c7db94a-9226-49fa-ba38-3bba8d0ce9e9"}}}


Before the test I edited rule 60000:

  <rule id="60000" level="0">
    <category>ossec</category>
    <decoded_as>json</decoded_as>
    <field name="win.system.providerName">\.+</field>
    <options>no_full_log</options>
    <description>Group of windows rules</description>
  </rule>

and then I run:
/var/ossec/bin/wazuh-logtest-legacy

Everything works fine and the rules trigger correctly, but when I move everything into production (changing rule 60000 back to the default first), no alerts are triggered.

What am I missing?

Thanks and have a nice day.

Mariano Koremblum

Dec 20, 2022, 7:35:56 PM
to Wazuh mailing list

Hi Stefano,

Your log is being caught first by rule 91801 and then by 91802; these are the rules:

  <rule id="91801" level="0">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-PowerShell/Operational$</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the Powershell/Operational channel.</description>
  </rule>

  <rule id="91802" level="0">
    <if_sid>91801</if_sid>
    <field name="win.eventdata.ScriptBlockId" type="pcre2">.+</field>
    <options>no_full_log</options>
    <description>Group of Windows rules for the Powershell/Operational channel.</description>
  </rule>

As you can see, the fields tested in those rules give a positive match. So, for this particular log, you should inherit from that rule (91802) instead of rule 60000.

The previous statement is true for Wazuh v4.3.10; what version of the Wazuh manager are you using?

I will be waiting for your reply,

Mariano Koremblum
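As an added illustration of the chain the answer describes (this is a constructed simulation of the rules' field checks written for this thread, not Wazuh's engine or code from either post), the following Python walks the test event through 60000 -> 91801 -> 91802 and the custom rules. It assumes rules are tried in file order (shipped rules before local ones), that field names compare case-insensitively (so 91802's win.eventdata.ScriptBlockId finds the event's scriptBlockId, as the answer states), and writes 60000's OS_Regex "\.+" as the PCRE2 ".+".

```python
import re
# Constructed from the event in the post (the human-readable "message" field is left out).
EVENT = {"win": {
    "system": {"providerName": "Microsoft-Windows-PowerShell", "eventID": "4104",
               "channel": "Microsoft-Windows-PowerShell/Operational", "severityValue": "VERBOSE"},
    "eventdata": {"scriptBlockId": "1c7db94a-9226-49fa-ba38-3bba8d0ce9e9", "scriptBlockText":
                  "New-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
                  "\\Environment' -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null"}}}

# (id, level, parent, groups, field checks); parent is an if_sid id or an if_group name.
# Shipped 60000 uses OS_Regex "\.+" (any character, repeated); ".+" is the PCRE2 equivalent.
RULES = [
    (60000, 0, None, (), [("win.system.providerName", r".+")]),
    (91801, 0, 60000, (), [("win.system.channel", r"^Microsoft-Windows-PowerShell/Operational$")]),
    (91802, 0, 91801, (), [("win.eventdata.ScriptBlockId", r".+")]),
    (100534, 5, 91802, ("powershell",), [("win.system.providerName", r"^Microsoft-Windows-PowerShell$")]),
    (100539, 13, 100534, ("powershell",), [("win.system.severityValue", r"^VERBOSE$")]),
    (100540, 10, "powershell", ("ps_script",),
     [("win.eventdata.scriptBlockText", r"(?i)COR_ENABLE_PROFILING|COR_PROFILER")]),
]

def get_field(event, path):
    # Walk a dotted path; keys compare case-insensitively (assumption, consistent with the answer).
    node = event
    for part in path.split("."):
        if not isinstance(node, dict):
            return None
        node = next((v for k, v in node.items() if k.lower() == part.lower()), None)
    return node if isinstance(node, str) else None

def rule_matches(rule, event):
    # Every <field> must match; a field that is absent from the event never matches.
    return all((v := get_field(event, p)) is not None and re.search(pat, v) for p, pat in rule[4])

def children(rules, rule):
    # Rules whose if_sid is this id, or whose if_group names one of this rule's groups.
    return [r for r in rules if r[2] == rule[0] or (isinstance(r[2], str) and r[2] in rule[3])]

def evaluate(rules, event):
    # Descend from the root into the first matching child at each level; the last id decides the level.
    chain, candidates = [], [r for r in rules if r[2] is None]
    while hit := next((r for r in candidates if rule_matches(r, event)), None):
        chain.append(hit[0])
        candidates = children(rules, hit)
    return chain

def reparent(rules, rid, parent):
    # Same rule set with rule `rid` attached under a different parent (if_sid).
    return [(r[0], r[1], parent, r[3], r[4]) if r[0] == rid else r for r in rules]
```

With 100534 under 91802 the walk ends at 100540 (level 10); with 100534 under 60000 instead, the shipped branch 91801 -> 91802 is tried first and the walk ends at level 0, so no alert is raised, which is the behaviour the answer describes.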
