Custom rule for specific user logon #818

Closed
lucio2047 opened this issue Jan 6, 2021 · 6 comments
@lucio2047

Hello everyone. Thank you for your help.

Well, I need to generate an alert by email when a specific user logs in to the system, for example the "hello" user.

The current Wazuh configuration generates alerts by email for rules of level 12 or higher. This configuration is present in ossec.conf. But I would like to generate an alert by mail when user "hello" logs on to the system through logon type 2 (interactive).

What kind of rule should I write? I made a custom rule inside /var/ossec/etc/rules/local_rules.xml like this, but it does not work.
When the "hello" user logs on to the system in interactive mode, I see an event like 60122 with level 3 (predefined rule set).

My custom rule:

```xml
<!-- rule id and level attributes were not preserved in the copied text -->
<rule id="..." level="...">
  <if_sid>60122</if_sid>
  <field name="win.system.eventID">^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</field>
  <user>^example$</user>
  <description>Windows Logon Failure</description>
  <!-- the option is alert_by_email; "alert_by_mail" is not a recognised rule option -->
  <options>alert_by_email</options>
</rule>
```

Thank you very much.

@juliancnn (Member) commented Jan 6, 2021

Hi @lucio2047,

This happens because of how the Wazuh rules engine operates.
For high performance, when the manager starts it builds the rule tree.
When an event hits the rules engine:

  1. it tries to match the rules
  2. if it matches a rule, it tries to match that rule's child rules.

The interactive login event is captured by the rule with id 60118. If you want to create a rule for a specific user login, you should inherit this rule.
For example, if you want to create a level 12 alert when user test_user logs in, the rule could be like the following:

```xml
<rule id="100098" level="12">
    <if_sid>60118</if_sid>
    <field name="win.eventdata.targetUserName">^test_user$</field>
    <description>test_user log in</description>
</rule>
```

Please let me know if this information is useful to you and don't hesitate to ask.
Regards,
Julian

@lucio2047 (Author)

Hello juliancnn, thank you very much for your help. I am going to test it as soon as possible.

Right now I'm writing another custom rule based on rule 60122 in order to detect when user "hello" tries to connect to a server through RDP without privileges. Here is my custom rule:

```xml
<!-- rule id and level attributes were not preserved in the copied text -->
<rule id="..." level="...">
  <if_sid>60122</if_sid>
  <group>win_authentication_failed,windows,windows_security</group>
  <user>hello</user>
  <description>TEST FOR USER hello</description>
  <options>alert_by_email</options>
</rule>
```

But nothing happens. When the "hello" user tries to RDP to a server, I only see event ID 60122 with level 5 (default rule), and obviously the email alert does not arrive in my inbox.

What is wrong?

@lucio2047 (Author)

Sorry, my custom rule is:

[image: screenshot of the custom rule]

@juliancnn (Member) commented Jan 6, 2021

The problem is the user field.
Wazuh collects some events from the Windows Event Channel.
These events are sent to the manager with the Windows field hierarchy.
This can be seen in the Windows Event Viewer:

[image: Windows Event Viewer screenshot]

When the RDP login fails, an event like the following is generated:

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2021-01-06T17:06:01.5697884Z" />
    <EventRecordID>10240</EventRecordID>
    <Correlation ActivityID="{19970f9d-e44d-0002-b00f-97194de4d601}" />
    <Execution ProcessID="700" ThreadID="4640" />
    <Channel>Security</Channel>
    <Computer>33-w10-agent4</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">vagrant</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">PegasusII</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.0.5</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>
```

This event triggers an alert in the Wazuh manager, and it can be seen from Kibana in JSON format.

```json
{
  "_index": "wazuh-alerts-4.x-2021.01.06",
  "_type": "_doc",
  "_id": "Pamp2HYB4nOjpivmquKu",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "10.0.2.15",
      "name": "33-w10-agent4",
      "id": "003"
    },
    "manager": {
      "name": "30-u20-manager"
    },
    "data": {
      "win": {
        "eventdata": {
          "subjectLogonId": "0x0",
          "ipAddress": "192.168.0.5",
          "authenticationPackageName": "NTLM",
          "workstationName": "PegasusII",
          "subStatus": "0xc000006a",
          "logonProcessName": "NtLmSsp",
          "targetUserName": "vagrant",
          "keyLength": "0",
          "subjectUserSid": "S-1-0-0",
          "processId": "0x0",
          "ipPort": "0",
          "failureReason": "%%2313",
          "targetUserSid": "S-1-0-0",
          "logonType": "3",
          "status": "0xc000006d"
        },
        "system": {
          "eventID": "4625",
          "keywords": "0x8010000000000000",
          "providerGuid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
          "level": "0",
          "channel": "Security",
          "opcode": "0",
          "message": "\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tvagrant\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tPegasusII\r\n\tSource Network Address:\t192.168.0.5\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"",
          "version": "0",
          "systemTime": "2021-01-06T17:06:01.5697884Z",
          "eventRecordID": "10240",
          "threadID": "4640",
          "computer": "33-w10-agent4",
          "task": "12544",
          "processID": "700",
          "severityValue": "AUDIT_FAILURE",
          "providerName": "Microsoft-Windows-Security-Auditing"
        }
      }
    },
    "rule": {
      "firedtimes": 1,
      "mail": false,
      "level": 5,
      "pci_dss": [
        "10.2.4",
        "10.2.5"
      ],
      "hipaa": [
        "164.312.b"
      ],
      "tsc": [
        "CC6.1",
        "CC6.8",
        "CC7.2",
        "CC7.3"
      ],
      "description": "Logon Failure - Unknown user or bad password",
      "groups": [
        "windows",
        "windows_security",
        "win_authentication_failed"
      ],
      "id": "60122",
      "nist_800_53": [
        "AU.14",
        "AC.7"
      ],
      "gpg13": [
        "7.1"
      ],
      "gdpr": [
        "IV_35.7.d",
        "IV_32.2"
      ]
    },
    "location": "EventChannel",
    "decoder": {
      "name": "windows_eventchannel"
    },
    "id": "1609952761.804785",
    "timestamp": "2021-01-06T17:06:01.331+0000"
  },
  "fields": {
    "timestamp": [
      "2021-01-06T17:06:01.331Z"
    ]
  },
  "highlight": {
    "manager.name": [
      "@kibana-highlighted-field@30-u20-manager@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1609952761331
  ]
}
```

The available fields are inside the JSON object under the data key.
The field we can use to trigger the rule is targetUserName, contained within eventdata, which is within win.

Finally, the rule could be like the following.

```xml
<rule id="100098" level="12">
    <if_sid>60122</if_sid>
    <field name="win.eventdata.targetUserName">^hello$</field>
    <description>RDP: failed login attempt for user hello</description>
</rule>
```

Please let me know if this new rule works
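As an added illustration of the two points made in Julian's comments above (the rule-tree walk from the first one, and the `win.eventdata.*` field names from this one), here is a small Python model of the matching. It is example code written for this page, not Wazuh's code and not from anyone in the thread. It assumes: field names are the Windows names with the first letter lower-cased and empty or "-" values dropped, as the alert above shows; Python's `re` stands in for Wazuh's own regex engine; the stock 60122 is modelled as a root rule matching only 4625; rule id 100097 and its `<user>` child are a hypothetical stand-in for the first attempt in the thread; the test event is constructed from the 4625 above with TargetUserName changed to hello.

```python
"""Toy model of the Wazuh rule tree (root rule first, then <if_sid> children) and
of how the eventchannel decoder exposes Windows EventData as win.eventdata.*.
Added example for this thread, not Wazuh code. Assumptions: first letter of each
field name lower-cased and empty/"-" values dropped (as in the alert above);
Python re stands in for Wazuh's regex engine; rule id 100097 is hypothetical."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed test event: the thread's 4625, trimmed, with TargetUserName = hello.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="TargetUserName">hello</Data>
    <Data Name="TargetDomainName"></Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
  </EventData>
</Event>"""

RULES_XML = """<group name="windows,windows_security,">
  <!-- Stand-in for the stock 60122, made a root rule and matching only 4625 for brevity. -->
  <rule id="60122" level="5">
    <field name="win.system.eventID">^4625$</field>
    <description>Logon Failure - Unknown user or bad password</description>
  </rule>
  <!-- Thread's first attempt: <user> checks dstuser, which the eventchannel decoder never sets. -->
  <rule id="100097" level="12">
    <if_sid>60122</if_sid>
    <user>^hello$</user>
    <description>Failed logon for user hello (never fires on eventchannel)</description>
  </rule>
  <!-- The working version from the thread: match the decoded JSON field directly. -->
  <rule id="100098" level="12">
    <if_sid>60122</if_sid>
    <field name="win.eventdata.targetUserName">^hello$</field>
    <description>RDP: failed login attempt for user hello</description>
    <options>alert_by_email</options>
  </rule>
</group>"""

def _lcfirst(s):
    return s[:1].lower() + s[1:]

def decode_eventchannel(xml_text):
    """Build the data.win.{system,eventdata} layout shown in the alert above."""
    root = ET.fromstring(xml_text)
    system = {_lcfirst(el.tag.replace(NS, "")): el.text.strip()
              for el in root.find(NS + "System") if el.text and el.text.strip()}
    eventdata = {}
    for data in root.find(NS + "EventData"):
        val = (data.text or "").strip()
        if data.get("Name") and val and val != "-":        # empty and "-" are dropped
            eventdata[_lcfirst(data.get("Name"))] = val    # TargetUserName -> targetUserName
    return {"win": {"system": system, "eventdata": eventdata}}

class Rule:
    def __init__(self, el):
        self.id, self.level = el.get("id"), int(el.get("level"))
        self.if_sid = el.findtext("if_sid")                # None marks a root rule
        self.fields = [(f.get("name"), f.text) for f in el.findall("field")]
        self.user = el.findtext("user")
        self.description = el.findtext("description")
        self.options = (el.findtext("options") or "").split(",")

def load_rules(rules_xml):
    return [Rule(el) for el in ET.fromstring(rules_xml).iter("rule")]

def get_field(event, dotted):
    cur = event                                            # resolve win.eventdata.targetUserName
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def rule_matches(rule, event):
    for name, regex in rule.fields:
        value = get_field(event, name)
        if value is None or not re.search(regex, value):
            return False
    if rule.user is not None:                              # <user> needs dstuser, which
        dstuser = event.get("dstuser")                     # eventchannel input lacks
        if dstuser is None or not re.search(rule.user, dstuser):
            return False
    return True

def evaluate(rules, event):
    """Match a root rule, then descend into <if_sid> children while one matches."""
    current = next((r for r in rules if r.if_sid is None and rule_matches(r, event)), None)
    while current is not None:
        child = next((r for r in rules if r.if_sid == current.id and rule_matches(r, event)), None)
        if child is None:
            return current                                 # deepest match is what fires
        current = child
    return None

def would_email(rule, email_alert_level=12):
    """ossec.conf <email_alert_level> threshold, or the alert_by_email rule option."""
    return rule.level >= email_alert_level or "alert_by_email" in rule.options

def fire(xml_text, rules_xml=RULES_XML):
    return evaluate(load_rules(rules_xml), decode_eventchannel(xml_text))
```

`fire(EVENT_XML)` returns rule 100098 (level 12, mailed), because 60122 matches first and then only the `<field>` child matches; the `<user>` child never fires, since the eventchannel decoder leaves `dstuser` empty. With TargetUserName set to vagrant the walk stops at 60122 (level 5, no mail), which is exactly what the thread's author was seeing. On a Wazuh 4.x manager (assumption about the version), `/var/ossec/bin/wazuh-logtest` is the real way to do this check: paste the event JSON and it prints the decoded fields and the rule that fires.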

@lucio2047 (Author)

Yes! Thank you very much.

@juliancnn (Member)

You're welcome. If you have new concerns, do not hesitate to ask.
