Wazuh Active Response - appears to be not working
1,227 views
Skip to first unread message
Dorsolino
Jul 11, 2022, 4:30:18 AM7/11/22
to Wazuh mailing list
Hey Guys,
I'm in the middle of my testing, monitored windows agents only, and enabled active response that I got from the blog, but I can't seem to make it work.
Btw, I'm already running v4.3.4 both Manager and Agent
Below is my ossec.conf AR config:
Below is my rules:
It also appeared that the defined rule already kicked in:
But, AR appears to have not been kicked off despite the config:
Can you please redirect me to the right direction and troubleshooting?
Sincerely,
Deo
Chema Martinez
Jul 11, 2022, 7:57:45 AM7/11/22
to Wazuh mailing list
Hi Deo,
All the configuration seems to be correct, could you please send us the following information so we can have more information about where the problem can be located?
- The active-response.log from the Windows agent where the Active Response script has to be executed
- The ossec.log from the Windows agent to look for any warning/error messages
- The scheduled-tasks.log from the Windows agent if exists
- The location where the analyze-scheduled-task.cmd has been placed
Thanks in advance!
Dorsolino Dorsolino
Jul 12, 2022, 10:54:46 AM7/12/22
to Chema Martinez, Wazuh mailing list
Hi Chema,
Were you able to reproduce the issue?
Or has somebody able to make this one work?
Cheers,
Deo
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a46fc3ec-ad3f-445d-9462-9761cd4e1c04n%40googlegroups.com.
Chema Martinez
Jul 13, 2022, 3:46:57 AM7/13/22
to Wazuh mailing list
Hi Dorsolino,
The blog you followed is tested and reviewed by several team members before publishing it so I ensure it should work in normal conditions.
That's why I was asking you for the information needed to find out what issue you are facing. I'll paste it again:
- The active-response.log from the Windows agent where the Active Response script has to be executed
- The ossec.log from the Windows agent to look for any warning/error messages
- The scheduled-tasks.log from the Windows agent if exists
- The location where the analyze-scheduled-task.cmd has been placed
If you have doubts or need assistance to gather that information, please let me know.
Thanks!
Dorsolino Dorsolino
Jul 13, 2022, 8:54:18 AM7/13/22
to Chema Martinez, Wazuh mailing list
Hi Chema,
I apologize, as I thought I sent the information you requested.
Anyhow, attached are the files you requested and hope to hear from you soon. The scheduled-tasks.txt has 0 bytes, so it can't be attached to this email.
Best Regards,
Deo
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/08112c26-9211-4783-9e2c-36367ac34f8cn%40googlegroups.com.
Dorsolino Dorsolino
Jul 13, 2022, 10:03:40 AM7/13/22
to Chema Martinez, Wazuh mailing list
Chema,
The analyze-scheduled-task.cmd is in C:\Program Files (x86)\ossec-agent\active-response\bin directory.
On Wed, Jul 13, 2022 at 3:46 PM Chema Martinez <chema.m...@wazuh.com> wrote:
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/08112c26-9211-4783-9e2c-36367ac34f8cn%40googlegroups.com.
antonio....@wazuh.com
Jul 14, 2022, 6:08:07 AM7/14/22
to Wazuh mailing list
Hello Dorsolino
I have been testing the blogpost and I was able to make it work. I think there is something strange with the execution of the AR script.
The first thing to check is if the extension of the AR script is correct because I have experienced some troubles when the extension is not correct. Please check this by right-clicking and going to properties, it should look something like this:
If everything is correct, the next step will be to enable the debug mode for Windows. To do this, add the following line to the file C:\Program Files (x86)\ossec-agent\local_internal_options.conf:
windows.debug=2
This will enable the debug mode for all the components, so in order to reduce the verbosity, you will need to temporarily disable the rest of the modules (syscollector, syscheck, rootcheck, and sca), otherwise, it won't be easy to search for the proper logs.
After enabling the debug mode, restart the windows agent. Once the agent is up and running, add a new scheduled task:schtasks /create /tn test-task2 /tr "C:\Windows\System32\calc.exe" /sc onlogon /ru System /f
If everything is correct, you will see the following logs:
2022/07/14 09:52:37 wazuh-agent[3924] receiver-win.c:128 at receiver_thread(): DEBUG: Received message: '#!-execd {"version":1,"origin":{"name":"node01","module":"wazuh-analysisd"},"command":"analyze-scheduled-task0","parameters":{"extra_args":[],"alert":{"timestamp":"2022-07-14T09:52:41.388+0000","rule":{"level":6,"description":"A Newly Scheduled Task has been Detected on win2016","id":"115006","mitre":{"id":["T1053"],"tactic":["Execution","Persistence","Privilege Escalation"],"technique":["Scheduled Task/Job"]},"firedtimes":2,"mail":false,"groups":["windows","sysmon"]},"agent":{"id":"002","name":"win2016","ip":"10.0.2.15"},"manager":{"name":"ubuntumanager"},"id":"1657792361.1160472","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"eventID\":\"12\",\"version\":\"2\",\"level\":\"4\",\"task\":\"12\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-07-14T09:52:36.094123700Z\",\"eventRecordID\":\"1189\",\"processID\":\"2600\",\"threadID\":\"3396\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"win2016\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry object added or deleted:\\r\\nRuleName: technique_id=T1053,technique_name=Scheduled Task\\r\\nEventType: CreateKey\\r\\nUtcTime: 2022-07-14 09:52:36.080\\r\\nProcessGuid: {711F9038-DA9F-62CF-1500-000000001000}\\r\\nProcessId: 704\\r\\nImage: C:\\\\Windows\\\\system32\\\\svchost.exe\\r\\nTargetObject: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\test-task2\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1053,technique_name=Scheduled Task\",\"eventType\":\"CreateKey\",\"utcTime\":\"2022-07-14 09:52:36.080\",\"processGuid\":\"{711F9038-DA9F-62CF-1500-000000001000}\",\"processId\":\"704\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\",\"targetObject\":\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tree\\\\\\\\test-task2\",\"user\":\"NT AUTHORITY\\\\\\\\SYSTEM\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"12","version":"2","level":"4","task":"12","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-14T09:52:36.094123700Z","eventRecordID":"1189","processID":"2600","threadID":"3396","channel":"Microsoft-Windows-Sysmon/Operational","computer":"win2016","severityValue":"INFORMATION","message":"\"Registry object added or deleted:\r\nRuleName: technique_id=T1053,technique_name=Scheduled Task\r\nEventType: CreateKey\r\nUtcTime: 2022-07-14 09:52:36.080\r\nProcessGuid: {711F9038-DA9F-62CF-1500-000000001000}\r\nProcessId: 704\r\nImage: C:\\Windows\\system32\\svchost.exe\r\nTargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\test-task2\r\nUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"ruleName":"technique_id=T1053,technique_name=Scheduled Task","eventType":"CreateKey","utcTime":"2022-07-14 09:52:36.080","processGuid":"{711F9038-DA9F-62CF-1500-000000001000}","processId":"704","image":"C:\\\\Windows\\\\system32\\\\svchost.exe","targetObject":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\test-task2","user":"NT AUTHORITY\\\\SYSTEM"}}},"location":"EventChannel"}}}'
2022/07/14 09:52:37 wazuh-agent[3924] notify.c:135 at run_notify(): DEBUG: Sending agent notification.
2022/07/14 09:52:37 wazuh-agent[3924] exec.c:102 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2022/07/14 09:52:37 wazuh-agent[3924] notify.c:204 at run_notify(): DEBUG: Sending keep alive: #!-Microsoft Windows Server 2016 Standard Evaluation [Ver: 10.0.14393] - Wazuh v4.3.4 / e147842d28981caf8eec9e13a9edc661
77606329ed44b1c5c8403ec9b3fbf381 merged.mg
#"_agent_ip":10.0.2.15
2022/07/14 09:52:37 wazuh-agent[3924] exec.c:102 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2022/07/14 09:52:37 wazuh-agent[3924] exec.c:102 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2022/07/14 09:52:37 wazuh-agent[3924] receiver-win.c:128 at receiver_thread(): DEBUG: Received message: '#!-agent ack '
2022/07/14 09:52:37 wazuh-agent[3924] exec.c:102 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2022/07/14 09:52:37 wazuh-agent[3924] exec.c:102 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-wazuh'. Not using it on this system.
2022/07/14 09:52:37 wazuh-agent[3924] win_execd.c:228 at WinExecdRun(): DEBUG: Executing command 'active-response/bin/analyze-scheduled-task.cmd {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2022-07-14T09:52:41.388+0000","rule":{"level":6,"description":"A Newly Scheduled Task has been Detected on win2016","id":"115006","mitre":{"id":["T1053"],"tactic":["Execution","Persistence","Privilege Escalation"],"technique":["Scheduled Task/Job"]},"firedtimes":2,"mail":false,"groups":["windows","sysmon"]},"agent":{"id":"002","name":"win2016","ip":"10.0.2.15"},"manager":{"name":"ubuntumanager"},"id":"1657792361.1160472","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"eventID\":\"12\",\"version\":\"2\",\"level\":\"4\",\"task\":\"12\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-07-14T09:52:36.094123700Z\",\"eventRecordID\":\"1189\",\"processID\":\"2600\",\"threadID\":\"3396\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"win2016\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry object added or deleted:\\r\\nRuleName: technique_id=T1053,technique_name=Scheduled Task\\r\\nEventType: CreateKey\\r\\nUtcTime: 2022-07-14 09:52:36.080\\r\\nProcessGuid: {711F9038-DA9F-62CF-1500-000000001000}\\r\\nProcessId: 704\\r\\nImage: C:\\\\Windows\\\\system32\\\\svchost.exe\\r\\nTargetObject: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\test-task2\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1053,technique_name=Scheduled Task\",\"eventType\":\"CreateKey\",\"utcTime\":\"2022-07-14 09:52:36.080\",\"processGuid\":\"{711F9038-DA9F-62CF-1500-000000001000}\",\"processId\":\"704\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\",\"targetObject\":\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tree\\\\\\\\test-task2\",\"user\":\"NT AUTHORITY\\\\\\\\SYSTEM\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"12","version":"2","level":"4","task":"12","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-14T09:52:36.094123700Z","eventRecordID":"1189","processID":"2600","threadID":"3396","channel":"Microsoft-Windows-Sysmon/Operational","computer":"win2016","severityValue":"INFORMATION","message":"\"Registry object added or deleted:\r\nRuleName: technique_id=T1053,technique_name=Scheduled Task\r\nEventType: CreateKey\r\nUtcTime: 2022-07-14 09:52:36.080\r\nProcessGuid: {711F9038-DA9F-62CF-1500-000000001000}\r\nProcessId: 704\r\nImage: C:\\Windows\\system32\\svchost.exe\r\nTargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\test-task2\r\nUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"ruleName":"technique_id=T1053,technique_name=Scheduled Task","eventType":"CreateKey","utcTime":"2022-07-14 09:52:36.080","processGuid":"{711F9038-DA9F-62CF-1500-000000001000}","processId":"704","image":"C:\\\\Windows\\\\system32\\\\svchost.exe","targetObject":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\test-task2","user":"NT AUTHORITY\\\\SYSTEM"}}},"location":"EventChannel"},"program":"active-response/bin/analyze-scheduled-task.cmd"}}'
2022/07/14 09:52:37 wazuh-agent[3924] exec_op.c:131 at wpopenv(): DEBUG: path = 'active-response/bin/analyze-scheduled-task.cmd', command = '"active-response/bin/analyze-scheduled-task.cmd"'
2022/07/14 09:52:37 wazuh-agent[3924] logcollector.c:485 at LogCollectorStart(): DEBUG: Performing file check.
2022/07/14 09:52:38 wazuh-agent[3924] state.c:67 at write_state(): DEBUG: Updating state file.
2022/07/14 09:52:40 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/14 09:52:40 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/14 09:52:40 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/14 09:52:40 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/14 09:52:40 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/14 09:52:40 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/14 09:52:42 wazuh-agent[3924] win_execd.c:243 at WinExecdRun(): DEBUG: Active response won't be added to timeout list. Message not received with alert keys from script 'active-response/bin/analyze-scheduled-task.cmd'
2022/07/14 09:52:43 wazuh-agent[3924] state.c:67 at write_state(): DEBUG: Updating state file.
2022/07/14 09:52:44 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/14 09:52:44 wazuh-agent[3924] read_syslog.c:104 at read_syslog(): DEBUG: Reading syslog message: '{"ScheduledTaskAR": {"CimClass":{"CimSuperClassName":"MSFT_TaskA'...
2022/07/14 09:52:44 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 1 lines from logs\scheduled-tasks.log
2022/07/14 09:52:44 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/14 09:52:44 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/14 09:52:44 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/14 09:52:44 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/14 09:52:46 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/14 09:52:46 wazuh-agent[3924] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/14 09:52:47 wazuh-agent[3924] notify.c:135 at run_notify(): DEBUG: Sending agent notification.
2022/07/14 09:52:47 wazuh-agent[3924] notify.c:204 at run_notify(): DEBUG: Sending keep alive: #!-Microsoft Windows Server 2016 Standard Evaluation [Ver: 10.0.14393] - Wazuh v4.3.4 / e147842d28981caf8eec9e13a9edc661
77606329ed44b1c5c8403ec9b3fbf381 merged.mg
#"_agent_ip":10.0.2.15
Dorsolino Dorsolino
Jul 20, 2022, 11:49:04 AM7/20/22
to antonio....@wazuh.com, Wazuh mailing list
Antonio,
Thanks for this.
I ended up reinstalling wazuh agent from my end as it got a bit messed up. After doing it however, it is still the same thing. The following is the one I got my agent's ossec.log file:
2022/07/20 23:22:47 wazuh-agent[2572] receiver-win.c:128 at receiver_thread(): DEBUG: Received message: '#!-execd {"version":1,"origin":{"name":"node01","module":"wazuh-analysisd"},"command":"analyze-scheduled-task0","parameters":{"extra_args":[],"alert":{"timestamp":"2022-07-20T23:27:19.671+0800","rule":{"level":6,"description":"A Newly Scheduled Task has been Detected on COC-TVSERVER","id":"115006","mitre":{"id":["T1053"],"tactic":["Execution","Persistence","Privilege Escalation"],"technique":["Scheduled Task/Job"]},"firedtimes":7,"mail":false,"groups":["windows","sysmon"]},"agent":{"id":"036","name":"COC-TVSERVER","ip":"172.16.0.27"},"manager":{"name":"endpoint_manager"},"id":"1658330839.3043107670","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"eventID\":\"12\",\"version\":\"2\",\"level\":\"4\",\"task\":\"12\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-07-20T15:22:46.843696200Z\",\"eventRecordID\":\"440191\",\"processID\":\"1768\",\"threadID\":\"2288\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"COC-TVSERVER\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry object added or deleted:\\r\\nRuleName: technique_id=T1053,technique_name=Scheduled Task\\r\\nEventType: CreateKey\\r\\nUtcTime: 2022-07-20 15:22:46.842\\r\\nProcessGuid: {DACFDF76-DCC6-62D7-1100-000000001A00}\\r\\nProcessId: 812\\r\\nImage: C:\\\\Windows\\\\system32\\\\svchost.exe\\r\\nTargetObject: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\test-task\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1053,technique_name=Scheduled Task\",\"eventType\":\"CreateKey\",\"utcTime\":\"2022-07-20 15:22:46.842\",\"processGuid\":\"{DACFDF76-DCC6-62D7-1100-000000001A00}\",\"processId\":\"812\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\",\"targetObject\":\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tree\\\\\\\\test-task\",\"user\":\"NT AUTHORITY\\\\\\\\SYSTEM\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"12","version":"2","level":"4","task":"12","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-20T15:22:46.843696200Z","eventRecordID":"440191","processID":"1768","threadID":"2288","channel":"Microsoft-Windows-Sysmon/Operational","computer":"COC-TVSERVER","severityValue":"INFORMATION","message":"\"Registry object added or deleted:\r\nRuleName: technique_id=T1053,technique_name=Scheduled Task\r\nEventType: CreateKey\r\nUtcTime: 2022-07-20 15:22:46.842\r\nProcessGuid: {DACFDF76-DCC6-62D7-1100-000000001A00}\r\nProcessId: 812\r\nImage: C:\\Windows\\system32\\svchost.exe\r\nTargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\test-task\r\nUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"ruleName":"technique_id=T1053,technique_name=Scheduled Task","eventType":"CreateKey","utcTime":"2022-07-20 15:22:46.842","processGuid":"{DACFDF76-DCC6-62D7-1100-000000001A00}","processId":"812","image":"C:\\\\Windows\\\\system32\\\\svchost.exe","targetObject":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\test-task","user":"NT AUTHORITY\\\\SYSTEM"}}},"location":"EventChannel"}}}'
2022/07/20 23:22:47 wazuh-agent[2572] exec.c:100 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2022/07/20 23:22:47 wazuh-agent[2572] exec.c:100 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2022/07/20 23:22:47 wazuh-agent[2572] exec.c:100 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2022/07/20 23:22:47 wazuh-agent[2572] exec.c:100 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2022/07/20 23:22:47 wazuh-agent[2572] exec.c:100 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-wazuh'. Not using it on this system.
2022/07/20 23:22:47 wazuh-agent[2572] win_execd.c:228 at WinExecdRun(): DEBUG: Executing command 'active-response/bin/analyze-scheduled-tasks.cmd {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2022-07-20T23:27:19.671+0800","rule":{"level":6,"description":"A Newly Scheduled Task has been Detected on COC-TVSERVER","id":"115006","mitre":{"id":["T1053"],"tactic":["Execution","Persistence","Privilege Escalation"],"technique":["Scheduled Task/Job"]},"firedtimes":7,"mail":false,"groups":["windows","sysmon"]},"agent":{"id":"036","name":"COC-TVSERVER","ip":"172.16.0.27"},"manager":{"name":"endpoint_manager"},"id":"1658330839.3043107670","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"eventID\":\"12\",\"version\":\"2\",\"level\":\"4\",\"task\":\"12\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-07-20T15:22:46.843696200Z\",\"eventRecordID\":\"440191\",\"processID\":\"1768\",\"threadID\":\"2288\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"COC-TVSERVER.\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry object added or deleted:\\r\\nRuleName: technique_id=T1053,technique_name=Scheduled Task\\r\\nEventType: CreateKey\\r\\nUtcTime: 2022-07-20 15:22:46.842\\r\\nProcessGuid: {DACFDF76-DCC6-62D7-1100-000000001A00}\\r\\nProcessId: 812\\r\\nImage: C:\\\\Windows\\\\system32\\\\svchost.exe\\r\\nTargetObject: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\test-task\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1053,technique_name=Scheduled Task\",\"eventType\":\"CreateKey\",\"utcTime\":\"2022-07-20 15:22:46.842\",\"processGuid\":\"{DACFDF76-DCC6-62D7-1100-000000001A00}\",\"processId\":\"812\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\",\"targetObject\":\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tree\\\\\\\\test-task\",\"user\":\"NT AUTHORITY\\\\\\\\SYSTEM\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"12","version":"2","level":"4","task":"12","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-20T15:22:46.843696200Z","eventRecordID":"440191","processID":"1768","threadID":"2288","channel":"Microsoft-Windows-Sysmon/Operational","computer":"COC-TVSERVER","severityValue":"INFORMATION","message":"\"Registry object added or deleted:\r\nRuleName: technique_id=T1053,technique_name=Scheduled Task\r\nEventType: CreateKey\r\nUtcTime: 2022-07-20 15:22:46.842\r\nProcessGuid: {DACFDF76-DCC6-62D7-1100-000000001A00}\r\nProcessId: 812\r\nImage: C:\\Windows\\system32\\svchost.exe\r\nTargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\test-task\r\nUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"ruleName":"technique_id=T1053,technique_name=Scheduled Task","eventType":"CreateKey","utcTime":"2022-07-20 15:22:46.842","processGuid":"{DACFDF76-DCC6-62D7-1100-000000001A00}","processId":"812","image":"C:\\\\Windows\\\\system32\\\\svchost.exe","targetObject":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\test-task","user":"NT AUTHORITY\\\\SYSTEM"}}},"location":"EventChannel"},"program":"active-response/bin/analyze-scheduled-tasks.cmd"}}'
2022/07/20 23:22:47 wazuh-agent[2572] exec_op.c:131 at wpopenv(): DEBUG: path = 'active-response/bin/analyze-scheduled-tasks.cmd', command = '"active-response/bin/analyze-scheduled-tasks.cmd"'
2022/07/20 23:22:49 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/20 23:22:49 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/20 23:22:50 wazuh-agent[2572] state.c:67 at write_state(): DEBUG: Updating state file.
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/20 23:22:47 wazuh-agent[2572] exec.c:100 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2022/07/20 23:22:47 wazuh-agent[2572] exec.c:100 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2022/07/20 23:22:47 wazuh-agent[2572] exec.c:100 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.sh'. Not using it on this system.
2022/07/20 23:22:47 wazuh-agent[2572] exec.c:100 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-ossec.cmd'. Not using it on this system.
2022/07/20 23:22:47 wazuh-agent[2572] exec.c:100 at ReadExecConfig(): INFO: Active response command not present: 'active-response/bin/restart-wazuh'. Not using it on this system.
2022/07/20 23:22:47 wazuh-agent[2572] win_execd.c:228 at WinExecdRun(): DEBUG: Executing command 'active-response/bin/analyze-scheduled-tasks.cmd {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2022-07-20T23:27:19.671+0800","rule":{"level":6,"description":"A Newly Scheduled Task has been Detected on COC-TVSERVER","id":"115006","mitre":{"id":["T1053"],"tactic":["Execution","Persistence","Privilege Escalation"],"technique":["Scheduled Task/Job"]},"firedtimes":7,"mail":false,"groups":["windows","sysmon"]},"agent":{"id":"036","name":"COC-TVSERVER","ip":"172.16.0.27"},"manager":{"name":"endpoint_manager"},"id":"1658330839.3043107670","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"eventID\":\"12\",\"version\":\"2\",\"level\":\"4\",\"task\":\"12\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2022-07-20T15:22:46.843696200Z\",\"eventRecordID\":\"440191\",\"processID\":\"1768\",\"threadID\":\"2288\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"COC-TVSERVER.\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry object added or deleted:\\r\\nRuleName: technique_id=T1053,technique_name=Scheduled Task\\r\\nEventType: CreateKey\\r\\nUtcTime: 2022-07-20 15:22:46.842\\r\\nProcessGuid: {DACFDF76-DCC6-62D7-1100-000000001A00}\\r\\nProcessId: 812\\r\\nImage: C:\\\\Windows\\\\system32\\\\svchost.exe\\r\\nTargetObject: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\test-task\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1053,technique_name=Scheduled Task\",\"eventType\":\"CreateKey\",\"utcTime\":\"2022-07-20 15:22:46.842\",\"processGuid\":\"{DACFDF76-DCC6-62D7-1100-000000001A00}\",\"processId\":\"812\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\",\"targetObject\":\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tree\\\\\\\\test-task\",\"user\":\"NT AUTHORITY\\\\\\\\SYSTEM\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","eventID":"12","version":"2","level":"4","task":"12","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-07-20T15:22:46.843696200Z","eventRecordID":"440191","processID":"1768","threadID":"2288","channel":"Microsoft-Windows-Sysmon/Operational","computer":"COC-TVSERVER","severityValue":"INFORMATION","message":"\"Registry object added or deleted:\r\nRuleName: technique_id=T1053,technique_name=Scheduled Task\r\nEventType: CreateKey\r\nUtcTime: 2022-07-20 15:22:46.842\r\nProcessGuid: {DACFDF76-DCC6-62D7-1100-000000001A00}\r\nProcessId: 812\r\nImage: C:\\Windows\\system32\\svchost.exe\r\nTargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\test-task\r\nUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"ruleName":"technique_id=T1053,technique_name=Scheduled Task","eventType":"CreateKey","utcTime":"2022-07-20 15:22:46.842","processGuid":"{DACFDF76-DCC6-62D7-1100-000000001A00}","processId":"812","image":"C:\\\\Windows\\\\system32\\\\svchost.exe","targetObject":"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\test-task","user":"NT AUTHORITY\\\\SYSTEM"}}},"location":"EventChannel"},"program":"active-response/bin/analyze-scheduled-tasks.cmd"}}'
2022/07/20 23:22:47 wazuh-agent[2572] exec_op.c:131 at wpopenv(): DEBUG: path = 'active-response/bin/analyze-scheduled-tasks.cmd', command = '"active-response/bin/analyze-scheduled-tasks.cmd"'
2022/07/20 23:22:49 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/20 23:22:49 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/20 23:22:50 wazuh-agent[2572] state.c:67 at write_state(): DEBUG: Updating state file.
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2022/07/20 23:22:51 wazuh-agent[2572] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from logs\scheduled-tasks.log
I'm afraid my script is not running working as it should, as I tried running it directly, it's just waiting after setting the input variable:
set input=
for /f "delims=" %%a in ('powershell -command "$logInput = Read-Host; Write-Output
$logInput"') do (
set input=%%a
)
for /f "delims=" %%a in ('powershell -command "$logInput = Read-Host; Write-Output
$logInput"') do (
set input=%%a
)
And if I'm not mistaken, the script is looking for what is being called by powershell ($loginput) . Is this a normal behavior? From what it looks like, it appears that the script is reading from $loginput. Is that where the manager sent the alerts when the command got triggered?
Hoping to hear from you soon.
Best Regards,
Deo
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/68a46404-9866-4dcd-9297-b14276c4d94fn%40googlegroups.com.
Dorsolino Dorsolino
Jul 20, 2022, 12:02:12 PM7/20/22
to antonio....@wazuh.com, Wazuh mailing list
After waiting for the script to finish, it gave out the following error:
It wasn't able to find anything from the defined search string.
Btw, I'm running this on a 2012r2 and Powershell 4.0
Reply all
Reply to author
Forward
0 new messages