Help Needed: Custom Wazuh Local Rules Not Triggering for DCSync and PsExec Detection


Kali Track

May 27, 2024, 3:24:30 AM
to Wazuh | Mailing List

Hi everyone,

I'm having trouble with my custom `local_rules.xml` on the Wazuh manager. Despite following the blog posts on detecting Active Directory attacks, I can't see any alerts in the dashboard when simulating a DCSync attack with Mimikatz or PsExec execution. Here's my `local_rules.xml`:

```xml
<group name="security_event, windows,">
  <rule id="110001" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4662$</field>
    <field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
    <options>no_full_log</options>
    <description>Directory Service Access. Possible DCSync attack</description>
  </rule>
  <rule id="110004" level="12">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID" type="pcre2">17|18</field>
    <field name="win.eventdata.PipeName" type="pcre2">\\PSEXESVC|\\PSHost|\\RemCom|\\.powershell</field>
    <options>no_full_log</options>
    <description>PsExec service launched for possible lateral movement within the domain</description>
  </rule>
  <!-- other rules -->
</group>
```

Sysmon is logging events, and my agent config includes:

```xml
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```

Resources followed:
- [Detecting Active Directory Attacks with Wazuh - Part 1](https://wazuh.com/blog/how-to-detect-active-directory-attacks-with-wazuh-part-1/)
- [Detecting Active Directory Attacks with Wazuh - Part 2](https://wazuh.com/blog/how-to-detect-active-directory-attacks-with-wazuh-part-2/)

Any ideas on why my rules aren't triggering?

Thanks!
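To check offline whether an event taken from the Wazuh archives actually satisfies the `<field>` conditions of the two rules above, here is an added dry-run checker in Python (not from the post and not a Wazuh tool). The embedded rule copy, the event shapes and the field names are assumptions to replace with your own archive entries, and it deliberately ignores `<if_sid>`, so a parent-rule mismatch would still not be visible here.

```python
import re
import xml.etree.ElementTree as ET

# Copy of the two rules from the post; <if_sid> and <options> are left out because
# this checker only evaluates the <field> conditions, not the parent-rule chain.
LOCAL_RULES = r"""<group name="security_event, windows,">
  <rule id="110001" level="12">
    <field name="win.system.eventID">^4662$</field>
    <field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
  </rule>
  <rule id="110004" level="12">
    <field name="win.system.eventID" type="pcre2">17|18</field>
    <field name="win.eventdata.PipeName" type="pcre2">\\PSEXESVC|\\PSHost|\\RemCom|\\.powershell</field>
  </rule>
</group>"""

# Constructed decoded events in the shape of the "data" object in archives.json; field
# names and values are assumptions, so paste your own archive entries here to compare.
EVENTS = [
    {"win": {"system": {"eventID": "4662"},
             "eventdata": {"properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}}},
    {"win": {"system": {"eventID": "17"}, "eventdata": {"PipeName": r"\PSEXESVC"}}},
    {"win": {"system": {"eventID": "17"}, "eventdata": {"PipeName": r"\lsass"}}},
]

def lookup(event, dotted):
    """Walk a dotted rule field name such as win.system.eventID through the event dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # field absent: Wazuh would not match this <field> either
        node = node[part]
    return str(node)

def field_ok(event, name, pattern):
    """Python re stands in for Wazuh's pcre2/osregex; adequate for the patterns above."""
    value = lookup(event, name)
    return value is not None and re.search(pattern, value) is not None

def load_rules(xml_text):
    """Return [(rule_id, [(field_name, pattern), ...]), ...] from local_rules.xml text."""
    return [(r.get("id"), [(f.get("name"), f.text) for f in r.findall("field")])
            for r in ET.fromstring(xml_text).iter("rule")]

def matching_rules(event, rules):
    """Ids of rules whose every <field> condition holds for the event."""
    return [rid for rid, fields in rules if all(field_ok(event, n, p) for n, p in fields)]

RULES = load_rules(LOCAL_RULES)
```

Call `matching_rules(event, RULES)` on each event; an empty list for an event you expected to alert on points at a field name or value mismatch rather than at the dashboard.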

Javier Sanchez Gil

May 27, 2024, 4:21:18 AM
to Wazuh | Mailing List
Hello,

I need you to check the following:

```bash
grep -i -E "(error|critical|warning)" /var/ossec/logs/ossec.log
grep -i -E "(error|critical|warning)" /var/ossec/logs/alerts.log
```

Or search for logs related to Active Directory to see if we can find any errors or if alerts are being generated but not reaching the Wazuh Dashboard.

If there are no errors, I will also send you documentation on visualizing events in the Dashboard:

https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html#enabling-the-wazuh-archives

Kali Track

May 27, 2024, 6:18:18 AM
to Wazuh | Mailing List
Hello sir,

I hope this email finds you well.

I am still encountering the same issue with detecting Sysmon Event ID 17 (PsExec detection) in Wazuh. Although Sysmon is correctly logging the events on the Windows endpoint, the corresponding Wazuh rule does not seem to trigger.

Current Observations:

1- Sysmon Configuration:

Event ID 17 is logged as expected.

Screenshot from the Event Viewer: [attachment 2024-05-27_11-08.png]

The above was triggered using impacket-psexec in Kali.

2- Wazuh Logs:

Checked /var/ossec/logs/ossec.log and /var/ossec/logs/alerts.log for errors or warnings. Relevant log output: [attachment 2024-05-27_11-09.png]

3- Wazuh Dashboard:

Various alerts are shown, but none for Event ID 17.

Screenshot of the Wazuh dashboard: [attachment 2024-05-27_11-11.png]

In the Wazuh archives: [attachment 2024-05-27_11-13.png]

Thank you for your assistance.

Best regards,

Javier Sanchez Gil

May 28, 2024, 5:05:42 AM
to Wazuh | Mailing List
Hi Kali Track,

Everything seems to be in order!

What type of attack simulation did you use for this?

To generate the alert on the Wazuh dashboard when PsExec is initiated remotely to perform lateral movement within the domain, you need to simulate the Pass the Hash attack as described in https://wazuh.com/blog/how-to-detect-active-directory-attacks-with-wazuh-part-2/

If you have already used this technique and did not receive any alerts, please let me know so we can continue investigating!