1 Sysmon event type missing in Alerts


Sergey E.

Jul 26, 2023, 12:42:09 PM
to Wazuh mailing list
Hi team,

I have an issue with the Sysmon event channel.

- I have 2 events in Windows Event Viewer; the first one started the second. I get the first event in alerts, but not the second one.

- All levels in rules *.xml for Windows changed from 0,1,2 to 3.

- Tried an easy custom rule:
<rule id="100003" level="12">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</field>
<description>Sysmon - powershell.exe from System32</description>
<options>no_full_log</options>
</rule>

But nope.

1)----------------------------- EventRecordID 9408502--------------
EventData
  ProcessId 8500
  Image C:\Windows\System32\cmd.exe
  FileVersion 10.0.17763.1697
  Description Windows Command Processor
  Product Microsoft® Windows® Operating System
  Company Microsoft Corporation
  OriginalFileName Cmd.Exe
  CommandLine C:\Windows\system32\cmd.exe /c ""c:\Program Files\SplunkUniversalForwarder\etc\apps\inputs\bin\runpowershell.cmd" nt6-repl-stat.ps1"
  CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM
  LogonGuid {7211-64b1-e703-000000000000}
  LogonId 0x3e7
  TerminalSessionId 0
  IntegrityLevel System
  Hashes SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F552
  ParentProcessGuid {7220-64b1-5800-000000000f00}
  ParentProcessId 3968
  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  ParentCommandLine "c:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 



2)----------------------------- EventRecordID 9408503--------------

Process Create:
RuleName: -
UtcTime: 2023-07-26 16:00:06.809
ProcessGuid: {-4306-64c1-ca43-020000000f00}
ProcessId: 10044
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.17763.1
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  -executionPolicy RemoteSigned -command ". 'c:\Program Files\SplunkUniversalForwarder\etc\apps\inputs\bin\powershell\nt6-repl-stat.ps1'"
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {7211-64b1-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=DE96A6E6994433537
ParentProcessGuid: {4306-64c1-c943-020000000f00}
ParentProcessId: 8500
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe /c ""c:\Program Files\SplunkUniversalForwarder\etc\apps\inputs\bin\runpowershell.cmd" nt6-repl-stat.ps1"

Any ideas where to dig?

Franco Giovanolli

Jul 31, 2023, 7:01:32 AM
to Wazuh mailing list
Hi Sergey!

Thank you for your interest in Wazuh!

Can you share the alert generated by the EventRecordID 9408502 event?

Regards,
Franco.

Sergey E.

Jul 31, 2023, 9:35:37 AM
to Wazuh mailing list
Hi Franco,

Here is an alert:
----------------------------------------------------------------------------------------------------
{
  "timestamp": "2023-07-26T19:00:07.891+0300",
  "rule": {
    "level": 12,
    "description": "Sysmon - Suspicious Process - powershell.exe",
    "id": "100000",
    "firedtimes": 1,
    "mail": true,
    "groups": ["windows", " sysmon"]
  },
  "agent": {"id": "699", "name": "addc", "ip": "10.111.111.111"},
  "manager": {"name": "wazwor-01p"},
  "id": "1690387207.4792811172",
  "cluster": {"name": "wazuh", "node": "worker1"},
  "decoder": {"name": "windows_eventchannel"},
  "data": {
    "win": {
      "system": {
        "providerName": "Microsoft-Windows-Sysmon",
        "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
        "eventID": "1",
        "version": "5",
        "level": "4",
        "task": "1",
        "opcode": "0",
        "keywords": "0x8000000000000000",
        "systemTime": "2023-07-26T16:00:06.792478000Z",
        "eventRecordID": "9408502",
        "processID": "3652",
        "threadID": "4560",
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "computer": "addc",
        "severityValue": "INFORMATION",
        "message": "\"Process Create:\r\nRuleName: -\r\nUtcTime: 2023-07-26 16:00:06.773\r\nProcessGuid: {912fddc4-4306-64c1-c943-020000000f00}\r\nProcessId: 8500\r\nImage: C:\\Windows\\System32\\cmd.exe\r\nFileVersion: 10.0.17763.1697 (WinBuild.160101.0800)\r\nDescription: Windows Command Processor\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: Cmd.Exe\r\nCommandLine: C:\\Windows\\system32\\cmd.exe /c \"\"c:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\inputs\\bin\\runpowershell.cmd\" nt6-repl-stat.ps1\"\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: NT AUTHORITY\\SYSTEM\r\nLogonGuid: {912fddc4-7211-64b1-e703-000000000000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: SHA256=634DC282C7A0E609DA17A8FA05B0744C0EC527\r\nParentProcessGuid: {912fddc4-7220-64b1-5800-000000000f00}\r\nParentProcessId: 3968\r\nParentImage: C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\r\nParentCommandLine: \"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service\""
      },
      "eventdata": {
        "utcTime": "2023-07-26 16:00:06.773",
        "processGuid": "{912fddc4-4306-64c1-c943-020000000f00}",
        "processId": "8500",
        "image": "C:\\\\Windows\\\\System32\\\\cmd.exe",
        "fileVersion": "10.0.17763.1697 (WinBuild.160101.0800)",
        "description": "Windows Command Processor",
        "product": "Microsoft® Windows® Operating System",
        "company": "Microsoft Corporation",
        "originalFileName": "Cmd.Exe",
        "commandLine": "C:\\\\Windows\\\\system32\\\\cmd.exe /c \\\"\\\"c:\\\\Program Files\\\\SplunkUniversalForwarder\\\\etc\\\\apps\\\\inputs\\\\bin\\\\runpowershell.cmd\\\" nt6-repl-stat.ps1\\\"",
        "currentDirectory": "C:\\\\Windows\\\\system32\\\\",
        "user": "NT AUTHORITY\\\\SYSTEM",
        "logonGuid": "{912fddc1-64b1-e703-000000000000}",
        "logonId": "0x3e7",
        "terminalSessionId": "0",
        "integrityLevel": "System",
        "hashes": "SHA256=DA37E24DC2634DC282C7E6F5209DA17A8FA105B07",
        "parentProcessGuid": "{9124-7220-64b1-5800-000000000f00}",
        "parentProcessId": "3968",
        "parentImage": "C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\splunkd.exe",
        "parentCommandLine": "\\\"c:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\splunkd.exe\\\" service"
      }
    }
  },
  "location": "EventChannel"
}
---------------------------------------------------------------------------------------------

Here is the rule:

<group name="windows, sysmon,">
  <rule id="100000" level="12">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">\\cmd.exe||\\powershell.exe</field>
    <description>Sysmon - Suspicious Process - powershell.exe</description>
    <options>no_full_log</options>
  </rule>
</group>

Thank you.

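An added check, not part of the thread or of Wazuh itself: this Python script maps both Sysmon Process Create records above to the win.eventdata.* names the windows_eventchannel decoder produces and evaluates the two posted <field> patterns with an approximation of Wazuh's OS_Regex syntax ('||' alternation, '\\' literal backslash, bare '.' wildcard, unanchored search). The event bodies are constructed from the two records in the thread; the translator and helper names are this example's own assumptions.

```python
import re

# Sample input constructed from the two Process Create records in the thread
# (EventRecordID 9408502 and 9408503), trimmed to the fields the rules use.
EVENT_9408502 = """Process Create:
Image: C:\\Windows\\System32\\cmd.exe
ParentImage: C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe"""

EVENT_9408503 = """Process Create:
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
ParentImage: C:\\Windows\\System32\\cmd.exe"""

# <field> patterns of the two rules posted in the thread, exactly as written.
RULE_100000 = {"win.eventdata.image": r"\\cmd.exe||\\powershell.exe"}
RULE_100003 = {"win.eventdata.image":
               r"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}

def sysmon_message_to_eventdata(message):
    """'Key: Value' lines -> win.eventdata.* names as the windows_eventchannel
    decoder emits them (first letter lower-cased, e.g. ParentImage -> parentImage)."""
    fields = {}
    for line in message.splitlines()[1:]:  # skip the "Process Create:" title
        key, _, value = line.partition(": ")
        fields["win.eventdata." + key[0].lower() + key[1:]] = value
    return fields

def osregex_to_python(pattern):
    r"""OS_Regex subset -> Python regex: '||' alternation, '\\' literal backslash,
    '\.' literal dot, bare '.' any character; \w \d \s * + ? ^ $ keep meaning."""
    alternatives = []
    for alt in pattern.split("||"):
        out, i = [], 0
        while i < len(alt):
            if alt[i] == "\\" and i + 1 < len(alt):  # escape sequence
                out.append({"\\": r"\\", ".": r"\."}.get(alt[i + 1], alt[i:i + 2]))
                i += 2
            else:  # bare metacharacters keep meaning, everything else is literal
                out.append(alt[i] if alt[i] in ".*+?^$" else re.escape(alt[i]))
                i += 1
        alternatives.append("".join(out))
    return "(?:" + "|".join(alternatives) + ")"

def rule_matches(rule_fields, eventdata):
    """True when every <field> of the rule matches the decoded event; OS_Regex
    matches anywhere in the value, hence re.search rather than fullmatch."""
    return all(re.search(osregex_to_python(pat), eventdata.get(name, ""))
               for name, pat in rule_fields.items())
```

Both records satisfy rule 100000 here, so the pattern text is not what drops the second alert; the authoritative check is to feed each record to wazuh-logtest on the manager and compare which rule each one actually hits.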

Franco Giovanolli

Aug 23, 2023, 8:51:21 AM
to Wazuh mailing list
Hi Sergey, sorry for the delay in my response, do you still have this problem?

Regards,
Franco

Sergey E.

Aug 29, 2023, 9:52:10 AM
to Wazuh | Mailing List
Hi Franco,

Yes, it still exists. I have no idea how to fix it.
