0xrawsec / whids

Open Source EDR for Windows
https://rawsec.lu
GNU Affero General Public License v3.0

Alerts/events not being logged #126

Closed xoverride closed 2 years ago

xoverride commented 2 years ago

Version: 1.8.0-beta.7
OS: Windows 10 19044 (VM)

I am having an issue with this version: no log is being generated for events. I did have events/alerts logged, and dumps worked, with beta.6.

  1. Rules are loaded into the engine. SHA256: e9815cbc8bbad9b74eefd21887e71f421b8ccba60028018eb591411c9f1c9348 (screenshot attached)
  2. criticality-threshold in conf is set to 5, and I believe that rule DefenderMalwareDetected has a Criticality of 10. (screenshot attached)
  3. I have tried both local and connected to a manager.
  4. Endpoint has been rebooted. I reboot it every time I make a change to the configuration file.

With that being said I am still not getting any event log. I appreciate your help and please let me know what else you need to help debug.

qjerome commented 2 years ago

Thank you @RickyXwang for reporting that issue. Unfortunately, I'll not be able to investigate this issue before Monday morning. You'll very likely get a solution next Monday. Cheers

qjerome commented 2 years ago

@RickyXwang, when you stop the service, some statistics about the number of events scanned and alerts reported are printed in the whids.log file. Can you please confirm whether both these statistics show zeros?

xoverride commented 2 years ago

The number of events scanned is not zero, but it seems too low. Alerts Reported is zero.

Screenshot attached.

badboycxcc commented 2 years ago

2022/08/05 17:15:15 INFO - Scheduling archive cleanup loop for directory: C:\Sysmon\
2022/08/05 17:15:15 INFO - Loading HIDS containers (used in rules) from: C:\Program Files\Whids\Database\Containers
2022/08/05 17:15:15 WARNING - Unknown container "edr_iocs" used in rule "Builtin:HashIoC"
2022/08/05 17:15:15 WARNING - Rule "Builtin:HashIoC" has been disabled at compile time
2022/08/05 17:15:15 WARNING - Unknown container "edr_iocs" used in rule "Builtin:DomainIoC"
2022/08/05 17:15:15 WARNING - Rule "Builtin:DomainIoC" has been disabled at compile time
2022/08/05 17:15:15 INFO - Loading HIDS rules from: C:\Program Files\Whids\Database\Rules
2022/08/05 17:15:15 INFO - Number of rules loaded in engine: 2
2022/08/05 17:15:15 INFO - Scheduler running: Log forwarder
2022/08/05 17:15:15 INFO - Scheduler running: Canary configuration
2022/08/05 17:15:15 INFO - Scheduler running: Action Handler
2022/08/05 17:15:15 INFO - Scheduler running: Action Handler File Compression
2022/08/05 17:15:15 INFO - Scheduler running: Sysmon archived files cleaner
2022/08/06 13:49:26 ERROR - [sysmon archived files cleaner] failed to remove archived file: remove C:\Sysmon\A2AAE742C3CD2C7F36CF0AC802A216476E763933B5E896B53DA0813FA7BFBBACAC68EA16392680B6A817E4531D5EF123EC446CFADBFD1C04ABF97B478D9119B347E8C98700000000000000000000000000000000.7E: Access is denied.
2022/08/06 13:49:26 ERROR - [sysmon archived files cleaner] failed to remove archived file: remove C:\Sysmon\D0A772AB6741E02F3659C18DAB6E07D477B408061803523F380B7AC9041FE696CFB74A61369B7B6A152581C13F5BFC6E1A42A85D0CC7B41E12478833ED7B100818FF8E3B00000000000000000000000000000000.80: Access is denied.
2022/08/06 13:49:26 ERROR - [sysmon archived files cleaner] failed to remove archived file: remove C:\Sysmon\F414D76F12608D864BF05A9CCB1276D108ACDFF0042BE5EC85CD55694EB8B19371BA6F867A1D8ED6ABEB66D8171E5A8683DF8C9522CE4E63999BE17F7A67F33C6ED0090900000000000000000000000000000000.E6: Access is denied.
2022/08/06 14:11:13 WARNING - Sysmon process termination events seem to be missing. WHIDS won't work as expected.
2022/08/07 14:03:10 WARNING - Sysmon process termination events seem to be missing. WHIDS won't work as expected.

badboycxcc commented 2 years ago

C:\Program Files\Whids\Logs\Alerts No Files

qjerome commented 2 years ago

@RickyXwang I just saw something abnormal in your logs: the line with "Failed to delete autologger"! This version of the EDR uses an ETW autologger to do its job, and I see that in your case it seems it has not been installed (because the autologger update is failing at autologger deletion).

This is probably because you did not use the manage.bat script to install and run the EDR. Could you please confirm that? If you did use manage.bat to install the thing, it means the issue is in there.

You can create the EDR autologger configuration by running whids.exe -autologger (this command should actually be run by the manage.bat script). Once that is done, check the registry key HKLM\System\CurrentControlSet\Control\WMI\Autologger\EdrTrace: if it exists and contains all the ETW providers you want to scan events from, everything is OK. You will just need to reboot the machine, because the new autologger session will be created only after the next reboot.

NB: the fact that you don't see many events scanned is because the EDR autologger session is not configured. You see a few events because you received some from the Eventlog-Security session, which always exists and is configured as an additional session to scan in the default EDR configuration.

@badboycxcc can you please take a look at the HKLM\System\CurrentControlSet\Control\WMI\Autologger\EdrTrace registry key as well, and run whids.exe -autologger if it does not exist?
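The registry check described above, as an added diagnostic script (not WHIDS's own code nor part of this thread). It reads the EdrTrace autologger key, lists the providers it enables, checks the `Start` value, and asks the kernel whether the session is actually running, which the registry key alone cannot tell you before a reboot. The session name comes from the thread; the expected-provider list is a placeholder to fill from your WHIDS configuration (only Sysmon's ETW provider GUID is pre-filled).

```powershell
# Added diagnostic (not part of WHIDS). Run from an elevated PowerShell prompt.
# Registry layout used here is the documented Windows AutoLogger format:
#   <session key>\Start (DWORD, 1 = start at boot)
#   <session key>\{ProviderGuid}\Enabled, EnableLevel, MatchAnyKeyword
function Test-EdrAutologger {
    [CmdletBinding()]
    param(
        [string]$SessionName = 'EdrTrace',
        # Assumed placeholder list: replace with the provider GUIDs from your
        # WHIDS config. The one given is the Microsoft-Windows-Sysmon provider.
        [string[]]$ExpectedProviders = @('{5770385f-c22a-43e0-bf4c-06f5698ffbd9}')
    )

    $sessionKey = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\$SessionName"
    $report = [ordered]@{
        Session       = $SessionName
        KeyExists     = $false
        StartAtBoot   = $false
        SessionActive = $false
        Providers     = @()
        Missing       = @()
    }

    if (-not (Test-Path -Path $sessionKey)) {
        Write-Warning "Autologger key for '$SessionName' does not exist. Run 'whids.exe -autologger' elevated, then reboot."
        return [pscustomobject]$report
    }
    $report.KeyExists = $true

    # Start = 1 means the kernel creates the session at boot. Without it the EDR
    # only sees the Eventlog-Security session it scans by default.
    $session = Get-ItemProperty -Path $sessionKey
    $report.StartAtBoot = ($session.Start -eq 1)

    # One subkey per provider, named by GUID; Enabled = 1 means its events are
    # written into the session.
    $report.Providers = @(Get-ChildItem -Path $sessionKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid            = $_.PSChildName.ToLowerInvariant()
            Enabled         = ($p.Enabled -eq 1)
            EnableLevel     = $p.EnableLevel
            MatchAnyKeyword = $p.MatchAnyKeyword
        }
    })

    $enabled = @($report.Providers | Where-Object Enabled | ForEach-Object Guid)
    $report.Missing = @($ExpectedProviders |
        ForEach-Object { $_.ToLowerInvariant() } |
        Where-Object { $_ -notin $enabled })

    # The key only takes effect after a reboot: ask the kernel whether the
    # session is running right now (logman exits non-zero when it is not).
    $null = & logman.exe query $SessionName -ets 2>&1
    $report.SessionActive = ($LASTEXITCODE -eq 0)

    if (-not $report.SessionActive) {
        Write-Warning "Session '$SessionName' is registered but not running; reboot before expecting ETW events in WHIDS."
    }
    if ($report.Missing.Count -gt 0) {
        Write-Warning ("Expected providers not enabled in session: " + ($report.Missing -join ', '))
    }
    return [pscustomobject]$report
}

# Example run: summary first, then the provider table.
$r = Test-EdrAutologger
$r | Select-Object Session, KeyExists, StartAtBoot, SessionActive | Format-List
$r.Providers | Format-Table -AutoSize
```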

xoverride commented 2 years ago

@qjerome I did use the manage.bat script. When doing so, I used [i] Install WHIDS from scratch (removes older installation) to upgrade from beta.6.

TLDR, running whids.exe -autologger seems to make it work, but there were some weird things going on.

So I was trying to configure the autologger manually. But this time after the endpoint bootup, I do see alerts being generated, for a short while. See log:

2022/08/05 11:05:58 INFO - Number of rules loaded in engine: 134 
2022/08/05 11:05:58 INFO - Scheduler running: Log forwarder 
2022/08/05 11:05:58 INFO - Scheduler running: Canary configuration 
2022/08/05 11:05:58 INFO - Scheduler running: Action Handler 
2022/08/05 11:05:58 INFO - Scheduler running: Action Handler File Compression 
2022/08/05 11:05:58 INFO - Scheduler running: Sysmon archived files cleaner 
2022/08/05 14:11:21 INFO - Stopping HIDS 
2022/08/05 14:11:21 INFO - Closing forwarder 
2022/08/05 14:11:21 INFO - Closing event provider 
2022/08/05 14:11:21 INFO - Updating autologger configuration 
2022/08/05 14:11:21 INFO - HIDS main loop terminated 
2022/08/05 14:11:21 ERROR - Failed to delete autologger: err:exit status 1 out:ERROR: The system was unable to find the specified registry key or value.

2022/08/05 14:11:23 INFO - HIDS stopped 
2022/08/05 14:11:23 INFO - Time Running: 3h5m25.9552911s 
2022/08/05 14:11:23 INFO - Count Event Scanned: 143 
2022/08/05 14:11:23 INFO - Average Event Rate: 0.01 EPS 
2022/08/05 14:11:23 INFO - Alerts Reported: 0 
2022/08/05 14:11:23 INFO - Count Rules Used (loaded + generated): 134 
2022/08/08 09:03:53 INFO - Scheduling archive cleanup loop for directory: C:\Sysmon\ 
2022/08/08 09:03:53 INFO - Loading HIDS containers (used in rules) from: C:\Program Files\Whids\Database\Containers 
2022/08/08 09:03:53 INFO - Loading container edr_iocs from path C:\Program Files\Whids\Database\Containers\edr_iocs.cont.gz 
2022/08/08 09:03:53 WARNING - Unknown container "edr_iocs" used in rule "Builtin:HashIoC" 
2022/08/08 09:03:53 WARNING - Rule "Builtin:HashIoC" has been disabled at compile time 
2022/08/08 09:03:53 WARNING - Unknown container "edr_iocs" used in rule "Builtin:DomainIoC" 
2022/08/08 09:03:53 WARNING - Rule "Builtin:DomainIoC" has been disabled at compile time 
2022/08/08 09:03:53 INFO - Loading HIDS rules from: C:\Program Files\Whids\Database\Rules 
2022/08/08 09:03:53 WARNING - Unknown container "blacklist" used in rule "BlacklistedDomain" 
2022/08/08 09:03:53 WARNING - Rule "BlacklistedDomain" has been disabled at compile time 
2022/08/08 09:03:53 WARNING - Unknown container "blacklist" used in rule "BlacklistedHash" 
2022/08/08 09:03:53 WARNING - Rule "BlacklistedHash" has been disabled at compile time 
2022/08/08 09:03:53 WARNING - Unknown container "blacklist" used in rule "BlacklistedImphash" 
2022/08/08 09:03:53 WARNING - Rule "BlacklistedImphash" has been disabled at compile time 
2022/08/08 09:03:53 WARNING - Unknown container "misp" used in rule "DomainInMisp" 
2022/08/08 09:03:53 WARNING - Rule "DomainInMisp" has been disabled at compile time 
2022/08/08 09:03:53 WARNING - Rule "HeurSuspFileWrite" operand $user_proc not used 
2022/08/08 09:03:53 WARNING - Unknown container "whitelist" used in rule "NotWhitelisted" 
2022/08/08 09:03:53 WARNING - Rule "NotWhitelisted" has been disabled at compile time 
2022/08/08 09:03:53 WARNING - Unknown container "misp" used in rule "SysmonDomainInMisp" 
2022/08/08 09:03:53 WARNING - Rule "SysmonDomainInMisp" has been disabled at compile time 
2022/08/08 09:03:53 INFO - Number of rules loaded in engine: 134 
2022/08/08 09:03:53 INFO - Scheduler running: Log forwarder 
2022/08/08 09:03:53 INFO - Scheduler running: Canary configuration 
2022/08/08 09:03:53 INFO - Scheduler running: Action Handler 
2022/08/08 09:03:53 INFO - Scheduler running: Action Handler File Compression 
2022/08/08 09:03:53 INFO - Scheduler running: Sysmon archived files cleaner 
2022/08/08 09:04:09 WARNING - Sysmon process termination events seem to be missing. WHIDS won't work as expected. 
2022/08/08 09:04:09 WARNING - Sysmon process termination events seem to be missing. WHIDS won't work as expected. 
2022/08/08 09:04:09 WARNING - Sysmon process termination events seem to be missing. WHIDS won't work as expected. 
2022/08/08 09:04:09 INFO - Rotating logfile every 5h0m0s 
2022/08/08 09:04:25 INFO - Scheduling archive cleanup loop for directory: C:\Sysmon\ 
2022/08/08 09:04:25 INFO - Loading HIDS containers (used in rules) from: C:\Program Files\Whids\Database\Containers 
2022/08/08 09:04:25 INFO - Loading container edr_iocs from path C:\Program Files\Whids\Database\Containers\edr_iocs.cont.gz 
2022/08/08 09:04:25 WARNING - Unknown container "edr_iocs" used in rule "Builtin:HashIoC" 
2022/08/08 09:04:25 WARNING - Rule "Builtin:HashIoC" has been disabled at compile time 
2022/08/08 09:04:25 WARNING - Unknown container "edr_iocs" used in rule "Builtin:DomainIoC" 
2022/08/08 09:04:25 WARNING - Rule "Builtin:DomainIoC" has been disabled at compile time 
2022/08/08 09:04:25 INFO - Loading HIDS rules from: C:\Program Files\Whids\Database\Rules 
2022/08/08 09:04:25 WARNING - Unknown container "blacklist" used in rule "BlacklistedDomain" 
2022/08/08 09:04:25 WARNING - Rule "BlacklistedDomain" has been disabled at compile time 
2022/08/08 09:04:25 WARNING - Unknown container "blacklist" used in rule "BlacklistedHash" 
2022/08/08 09:04:25 WARNING - Rule "BlacklistedHash" has been disabled at compile time 
2022/08/08 09:04:25 WARNING - Unknown container "blacklist" used in rule "BlacklistedImphash" 
2022/08/08 09:04:25 WARNING - Rule "BlacklistedImphash" has been disabled at compile time 
2022/08/08 09:04:25 WARNING - Unknown container "misp" used in rule "DomainInMisp" 
2022/08/08 09:04:25 WARNING - Rule "DomainInMisp" has been disabled at compile time 
2022/08/08 09:04:25 WARNING - Rule "HeurSuspFileWrite" operand $user_proc not used 
2022/08/08 09:04:25 WARNING - Unknown container "whitelist" used in rule "NotWhitelisted" 
2022/08/08 09:04:25 WARNING - Rule "NotWhitelisted" has been disabled at compile time 
2022/08/08 09:04:25 WARNING - Unknown container "misp" used in rule "SysmonDomainInMisp" 
2022/08/08 09:04:25 WARNING - Rule "SysmonDomainInMisp" has been disabled at compile time 
2022/08/08 09:04:25 INFO - Number of rules loaded in engine: 134 
2022/08/08 09:04:25 INFO - Scheduler running: Log forwarder 
2022/08/08 09:04:25 INFO - Scheduler running: Canary configuration 
2022/08/08 09:04:25 INFO - Scheduler running: Action Handler 
2022/08/08 09:04:25 INFO - Scheduler running: Action Handler File Compression 
2022/08/08 09:04:25 INFO - Scheduler running: Sysmon archived files cleaner 
2022/08/08 09:04:26 INFO - Scheduling archive cleanup loop for directory: C:\Sysmon\ 
2022/08/08 09:04:26 INFO - Loading HIDS containers (used in rules) from: C:\Program Files\Whids\Database\Containers 
2022/08/08 09:04:26 INFO - Loading container edr_iocs from path C:\Program Files\Whids\Database\Containers\edr_iocs.cont.gz 
2022/08/08 09:04:26 WARNING - Unknown container "edr_iocs" used in rule "Builtin:HashIoC" 
2022/08/08 09:04:26 WARNING - Rule "Builtin:HashIoC" has been disabled at compile time 
2022/08/08 09:04:26 WARNING - Unknown container "edr_iocs" used in rule "Builtin:DomainIoC" 
2022/08/08 09:04:26 WARNING - Rule "Builtin:DomainIoC" has been disabled at compile time 
2022/08/08 09:04:26 INFO - Loading HIDS rules from: C:\Program Files\Whids\Database\Rules 
2022/08/08 09:04:26 WARNING - Unknown container "blacklist" used in rule "BlacklistedDomain" 
2022/08/08 09:04:26 WARNING - Rule "BlacklistedDomain" has been disabled at compile time 
2022/08/08 09:04:26 WARNING - Unknown container "blacklist" used in rule "BlacklistedHash" 
2022/08/08 09:04:26 WARNING - Rule "BlacklistedHash" has been disabled at compile time 
2022/08/08 09:04:26 WARNING - Unknown container "blacklist" used in rule "BlacklistedImphash" 
2022/08/08 09:04:26 WARNING - Rule "BlacklistedImphash" has been disabled at compile time 
2022/08/08 09:04:26 WARNING - Unknown container "misp" used in rule "DomainInMisp" 
2022/08/08 09:04:26 WARNING - Rule "DomainInMisp" has been disabled at compile time 
2022/08/08 09:04:26 WARNING - Rule "HeurSuspFileWrite" operand $user_proc not used 
2022/08/08 09:04:26 WARNING - Unknown container "whitelist" used in rule "NotWhitelisted" 
2022/08/08 09:04:26 WARNING - Rule "NotWhitelisted" has been disabled at compile time 
2022/08/08 09:04:26 WARNING - Unknown container "misp" used in rule "SysmonDomainInMisp" 
2022/08/08 09:04:26 WARNING - Rule "SysmonDomainInMisp" has been disabled at compile time 
2022/08/08 09:04:26 INFO - Number of rules loaded in engine: 134 
2022/08/08 09:04:26 INFO - Scheduler running: Log forwarder 
2022/08/08 09:04:26 INFO - Scheduler running: Canary configuration 
2022/08/08 09:04:26 INFO - Scheduler running: Action Handler 
2022/08/08 09:04:26 INFO - Scheduler running: Action Handler File Compression 
2022/08/08 09:04:26 INFO - Scheduler running: Sysmon archived files cleaner 
2022/08/08 09:04:27 WARNING - Sysmon process termination events seem to be missing. WHIDS won't work as expected. 
2022/08/08 09:04:27 WARNING - Sysmon process termination events seem to be missing. WHIDS won't work as expected. 
2022/08/08 09:04:27 WARNING - Sysmon process termination events seem to be missing. WHIDS won't work as expected. 
2022/08/08 09:04:27 WARNING - Sysmon process termination events seem to be missing. WHIDS won't work as expected. 
2022/08/08 09:04:27 WARNING - Sysmon process termination events seem to be missing. WHIDS won't work as expected. 
2022/08/08 09:04:29 INFO - Rotating logfile every 5h0m0s 
2022/08/08 09:04:56 WARNING - Average event rate above limit of 300.00 e/s in the last 30s: 7850.56 e/s 
2022/08/08 09:04:56 CRITICAL - Event throughput above 26x the limit, if repeated consider filtering out events 
2022/08/08 09:05:26 WARNING - Average event rate above limit of 300.00 e/s in the last 30s: 8548.67 e/s 
2022/08/08 09:05:26 CRITICAL - Event throughput above 28x the limit, if repeated consider filtering out events 
2022/08/08 09:05:56 WARNING - Average event rate above limit of 300.00 e/s in the last 30s: 6183.35 e/s 
2022/08/08 09:05:56 CRITICAL - Event throughput above 21x the limit, if repeated consider filtering out events 
2022/08/08 09:05:59 INFO - Scheduling archive cleanup loop for directory: C:\Sysmon\ 
2022/08/08 09:05:59 INFO - Loading HIDS containers (used in rules) from: C:\Program Files\Whids\Database\Containers 
2022/08/08 09:05:59 INFO - Loading container edr_iocs from path C:\Program Files\Whids\Database\Containers\edr_iocs.cont.gz 
2022/08/08 09:05:59 WARNING - Unknown container "edr_iocs" used in rule "Builtin:HashIoC" 
2022/08/08 09:05:59 WARNING - Rule "Builtin:HashIoC" has been disabled at compile time 
2022/08/08 09:05:59 WARNING - Unknown container "edr_iocs" used in rule "Builtin:DomainIoC" 
2022/08/08 09:05:59 WARNING - Rule "Builtin:DomainIoC" has been disabled at compile time 
2022/08/08 09:05:59 INFO - Loading HIDS rules from: C:\Program Files\Whids\Database\Rules 
2022/08/08 09:05:59 WARNING - Unknown container "blacklist" used in rule "BlacklistedDomain" 
2022/08/08 09:05:59 WARNING - Rule "BlacklistedDomain" has been disabled at compile time 
2022/08/08 09:05:59 WARNING - Unknown container "blacklist" used in rule "BlacklistedHash" 
2022/08/08 09:05:59 WARNING - Rule "BlacklistedHash" has been disabled at compile time 
2022/08/08 09:05:59 WARNING - Unknown container "blacklist" used in rule "BlacklistedImphash" 
2022/08/08 09:05:59 WARNING - Rule "BlacklistedImphash" has been disabled at compile time 
2022/08/08 09:05:59 WARNING - Unknown container "misp" used in rule "DomainInMisp" 
2022/08/08 09:05:59 WARNING - Rule "DomainInMisp" has been disabled at compile time 
2022/08/08 09:05:59 WARNING - Rule "HeurSuspFileWrite" operand $user_proc not used 
2022/08/08 09:05:59 WARNING - Unknown container "whitelist" used in rule "NotWhitelisted" 
2022/08/08 09:05:59 WARNING - Rule "NotWhitelisted" has been disabled at compile time 
2022/08/08 09:05:59 WARNING - Unknown container "misp" used in rule "SysmonDomainInMisp" 
2022/08/08 09:05:59 WARNING - Rule "SysmonDomainInMisp" has been disabled at compile time 
2022/08/08 09:05:59 INFO - Number of rules loaded in engine: 134 
2022/08/08 09:05:59 INFO - Scheduler running: Log forwarder 
2022/08/08 09:05:59 INFO - Scheduler running: Canary configuration 
2022/08/08 09:05:59 INFO - Scheduler running: Action Handler 
2022/08/08 09:05:59 INFO - Scheduler running: Action Handler File Compression 
2022/08/08 09:05:59 INFO - Scheduler running: Sysmon archived files cleaner 
2022/08/08 09:06:01 INFO - Scheduling archive cleanup loop for directory: C:\Sysmon\ 
2022/08/08 09:06:01 INFO - Loading HIDS containers (used in rules) from: C:\Program Files\Whids\Database\Containers 
2022/08/08 09:06:01 INFO - Loading container edr_iocs from path C:\Program Files\Whids\Database\Containers\edr_iocs.cont.gz 
2022/08/08 09:06:01 WARNING - Unknown container "edr_iocs" used in rule "Builtin:HashIoC" 
2022/08/08 09:06:01 WARNING - Rule "Builtin:HashIoC" has been disabled at compile time 
2022/08/08 09:06:01 WARNING - Unknown container "edr_iocs" used in rule "Builtin:DomainIoC" 
2022/08/08 09:06:01 WARNING - Rule "Builtin:DomainIoC" has been disabled at compile time 
2022/08/08 09:06:01 INFO - Loading HIDS rules from: C:\Program Files\Whids\Database\Rules 
2022/08/08 09:06:01 WARNING - Unknown container "blacklist" used in rule "BlacklistedDomain" 
2022/08/08 09:06:01 WARNING - Rule "BlacklistedDomain" has been disabled at compile time 
2022/08/08 09:06:01 WARNING - Unknown container "blacklist" used in rule "BlacklistedHash" 
2022/08/08 09:06:01 WARNING - Rule "BlacklistedHash" has been disabled at compile time 
2022/08/08 09:06:01 WARNING - Unknown container "blacklist" used in rule "BlacklistedImphash" 
2022/08/08 09:06:01 WARNING - Rule "BlacklistedImphash" has been disabled at compile time 
2022/08/08 09:06:01 WARNING - Unknown container "misp" used in rule "DomainInMisp" 
2022/08/08 09:06:01 WARNING - Rule "DomainInMisp" has been disabled at compile time 
2022/08/08 09:06:01 WARNING - Rule "HeurSuspFileWrite" operand $user_proc not used 
2022/08/08 09:06:01 WARNING - Unknown container "whitelist" used in rule "NotWhitelisted" 
2022/08/08 09:06:01 WARNING - Rule "NotWhitelisted" has been disabled at compile time 
2022/08/08 09:06:01 WARNING - Unknown container "misp" used in rule "SysmonDomainInMisp" 
2022/08/08 09:06:01 WARNING - Rule "SysmonDomainInMisp" has been disabled at compile time 
2022/08/08 09:06:01 INFO - Number of rules loaded in engine: 134 
2022/08/08 09:06:01 INFO - Scheduler running: Log forwarder 
2022/08/08 09:06:01 INFO - Scheduler running: Canary configuration 
2022/08/08 09:06:01 INFO - Scheduler running: Action Handler 
2022/08/08 09:06:01 INFO - Scheduler running: Action Handler File Compression 
2022/08/08 09:06:01 INFO - Scheduler running: Sysmon archived files cleaner 
2022/08/08 09:06:01 INFO - Found self GUID: {1022a640-0a38-62f1-f300-000000001600} 
2022/08/08 09:06:02 INFO - Rotating logfile every 5h0m0s 
2022/08/08 09:06:09 INFO - Scheduling archive cleanup loop for directory: C:\Sysmon\ 
2022/08/08 09:06:09 INFO - Loading HIDS containers (used in rules) from: C:\Program Files\Whids\Database\Containers 
2022/08/08 09:06:09 INFO - Loading container edr_iocs from path C:\Program Files\Whids\Database\Containers\edr_iocs.cont.gz 
2022/08/08 09:06:09 WARNING - Unknown container "edr_iocs" used in rule "Builtin:HashIoC" 
2022/08/08 09:06:09 WARNING - Rule "Builtin:HashIoC" has been disabled at compile time 
2022/08/08 09:06:09 WARNING - Unknown container "edr_iocs" used in rule "Builtin:DomainIoC" 
2022/08/08 09:06:09 WARNING - Rule "Builtin:DomainIoC" has been disabled at compile time 
2022/08/08 09:06:09 INFO - Loading HIDS rules from: C:\Program Files\Whids\Database\Rules 
2022/08/08 09:06:09 WARNING - Unknown container "blacklist" used in rule "BlacklistedDomain" 
2022/08/08 09:06:09 WARNING - Rule "BlacklistedDomain" has been disabled at compile time 
2022/08/08 09:06:09 WARNING - Unknown container "blacklist" used in rule "BlacklistedHash" 
2022/08/08 09:06:09 WARNING - Rule "BlacklistedHash" has been disabled at compile time 
2022/08/08 09:06:09 WARNING - Unknown container "blacklist" used in rule "BlacklistedImphash" 
2022/08/08 09:06:09 WARNING - Rule "BlacklistedImphash" has been disabled at compile time 
2022/08/08 09:06:09 WARNING - Unknown container "misp" used in rule "DomainInMisp" 
2022/08/08 09:06:09 WARNING - Rule "DomainInMisp" has been disabled at compile time 
2022/08/08 09:06:09 WARNING - Rule "HeurSuspFileWrite" operand $user_proc not used 
2022/08/08 09:06:09 WARNING - Unknown container "whitelist" used in rule "NotWhitelisted" 
2022/08/08 09:06:09 WARNING - Rule "NotWhitelisted" has been disabled at compile time 
2022/08/08 09:06:09 WARNING - Unknown container "misp" used in rule "SysmonDomainInMisp" 
2022/08/08 09:06:09 WARNING - Rule "SysmonDomainInMisp" has been disabled at compile time 
2022/08/08 09:06:09 INFO - Number of rules loaded in engine: 134 
2022/08/08 09:06:09 INFO - Scheduler running: Log forwarder 
2022/08/08 09:06:09 INFO - Scheduler running: Canary configuration 
2022/08/08 09:06:09 INFO - Scheduler running: Action Handler 
2022/08/08 09:06:09 INFO - Scheduler running: Action Handler File Compression 
2022/08/08 09:06:09 INFO - Scheduler running: Sysmon archived files cleaner 
2022/08/08 09:06:09 INFO - Found self GUID: {1022a640-0a40-62f1-0001-000000001600} 
2022/08/08 09:06:10 INFO - Rotating logfile every 5h0m0s 
2022/08/08 09:07:02 INFO - Scheduling archive cleanup loop for directory: C:\Sysmon\ 
2022/08/08 09:07:02 INFO - Loading HIDS containers (used in rules) from: C:\Program Files\Whids\Database\Containers 
2022/08/08 09:07:02 INFO - Loading container edr_iocs from path C:\Program Files\Whids\Database\Containers\edr_iocs.cont.gz 
2022/08/08 09:07:02 WARNING - Unknown container "edr_iocs" used in rule "Builtin:HashIoC" 
2022/08/08 09:07:02 WARNING - Rule "Builtin:HashIoC" has been disabled at compile time 
2022/08/08 09:07:02 WARNING - Unknown container "edr_iocs" used in rule "Builtin:DomainIoC" 
2022/08/08 09:07:02 WARNING - Rule "Builtin:DomainIoC" has been disabled at compile time 
2022/08/08 09:07:02 INFO - Loading HIDS rules from: C:\Program Files\Whids\Database\Rules 
2022/08/08 09:07:02 WARNING - Unknown container "blacklist" used in rule "BlacklistedDomain" 
2022/08/08 09:07:02 WARNING - Rule "BlacklistedDomain" has been disabled at compile time 
2022/08/08 09:07:02 WARNING - Unknown container "blacklist" used in rule "BlacklistedHash" 
2022/08/08 09:07:02 WARNING - Rule "BlacklistedHash" has been disabled at compile time 
2022/08/08 09:07:02 WARNING - Unknown container "blacklist" used in rule "BlacklistedImphash" 
2022/08/08 09:07:02 WARNING - Rule "BlacklistedImphash" has been disabled at compile time 
2022/08/08 09:07:02 WARNING - Unknown container "misp" used in rule "DomainInMisp" 
2022/08/08 09:07:02 WARNING - Rule "DomainInMisp" has been disabled at compile time 
2022/08/08 09:07:02 WARNING - Rule "HeurSuspFileWrite" operand $user_proc not used 
2022/08/08 09:07:02 WARNING - Unknown container "whitelist" used in rule "NotWhitelisted" 
2022/08/08 09:07:02 WARNING - Rule "NotWhitelisted" has been disabled at compile time 
2022/08/08 09:07:02 WARNING - Unknown container "misp" used in rule "SysmonDomainInMisp" 
2022/08/08 09:07:02 WARNING - Rule "SysmonDomainInMisp" has been disabled at compile time 
2022/08/08 09:07:02 INFO - Number of rules loaded in engine: 134 
2022/08/08 09:07:02 INFO - Scheduler running: Log forwarder 
2022/08/08 09:07:02 INFO - Scheduler running: Canary configuration 
2022/08/08 09:07:02 INFO - Scheduler running: Action Handler 
2022/08/08 09:07:02 INFO - Scheduler running: Action Handler File Compression 
2022/08/08 09:07:02 INFO - Scheduler running: Sysmon archived files cleaner 
2022/08/08 09:07:02 INFO - Found self GUID: {1022a640-0a75-62f1-1b01-000000001600} 
2022/08/08 09:07:02 INFO - Rotating logfile every 5h0m0s 
2022/08/08 09:07:22 ERROR - Cannot check process integrity process with PID=7256 is stopped 
2022/08/08 09:10:57 INFO - Boot sequence completed 
2022/08/08 09:11:00 ERROR - Failed to resolve service from PID=3876: Failed to open service manager: A system shutdown is in progress. 
2022/08/08 09:11:00 ERROR - Failed to resolve service from PID=3876: Failed to open service manager: A system shutdown is in progress. 
2022/08/08 09:11:00 ERROR - Failed to resolve service from PID=3876: Failed to open service manager: A system shutdown is in progress. 
2022/08/08 09:11:00 ERROR - Failed to resolve service from PID=3876: Failed to open service manager: A system shutdown is in progress. 
2022/08/08 09:11:00 ERROR - Failed to resolve service from PID=3876: Failed to open service manager: A system shutdown is in progress. 

Unfortunately it stopped itself, and WHIDS seems to be crashing again, with multiple rule loadings logged and with events that show "The Whids service terminated unexpectedly".

After this, I attempted to reboot the VM but I did not see this happen again (no new events/alerts), and I did run whids.exe -autologger. Here is the screenshot of the registry key (attached): all 4 providers are there. After another reboot, it seems everything is working as expected. I will be doing some more testing.
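The log above shows the two things worth extracting automatically from a whids.log: start-up banners that are not preceded by a clean "Stopping HIDS" (the restart loop the comment describes) and the shutdown statistics the maintainer asked for. The following triage function is an added example, not code from WHIDS or this thread; the sample lines are constructed to mirror the log in this thread, and the log path in the usage comment is an assumption.

```powershell
# Added log triage (not part of WHIDS). Parses whids.log lines of the form
# "YYYY/MM/DD HH:MM:SS LEVEL - message" and summarises service health.
function Get-WhidsLogSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    $linePattern = '^(?<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?<lvl>[A-Z]+) - (?<msg>.*)$'
    $culture = [cultureinfo]::InvariantCulture
    $starts     = [System.Collections.Generic.List[datetime]]::new()
    $unexpected = [System.Collections.Generic.List[datetime]]::new()
    $cleanStopSeen = $true                 # the very first start-up is never "unexpected"
    $eventsScanned = $null; $alertsReported = $null
    $rateWarnings = 0; $sysmonTermWarnings = 0; $autologgerErrors = 0

    foreach ($line in $Lines) {
        if ($line -notmatch $linePattern) { continue }
        # Capture before the switch: "switch -Regex" overwrites $Matches.
        $ts  = [datetime]::ParseExact($Matches.ts, 'yyyy/MM/dd HH:mm:ss', $culture)
        $msg = $Matches.msg
        switch -Regex ($msg) {
            '^Number of rules loaded in engine: \d+' {
                # Engine initialised again. With no "Stopping HIDS" since the
                # previous start this is a crash/restart, not an operator stop.
                if (-not $cleanStopSeen) { $unexpected.Add($ts) }
                $starts.Add($ts); $cleanStopSeen = $false
            }
            '^Stopping HIDS'                      { $cleanStopSeen = $true }
            '^Count Event Scanned: (\d+)'         { $eventsScanned  = [int]$Matches[1] }
            '^Alerts Reported: (\d+)'             { $alertsReported = [int]$Matches[1] }
            '^Average event rate above limit'     { $rateWarnings++ }
            '^Failed to delete autologger'        { $autologgerErrors++ }   # the thread's smoking gun
            'Sysmon process termination events'   { $sysmonTermWarnings++ }
        }
    }

    [pscustomobject]@{
        StartUps           = $starts.Count
        UnexpectedRestarts = $unexpected.Count
        RestartTimes       = $unexpected.ToArray()
        EventsScanned      = $eventsScanned
        AlertsReported     = $alertsReported
        AutologgerErrors   = $autologgerErrors
        RateLimitWarnings  = $rateWarnings
        SysmonTermWarnings = $sysmonTermWarnings
    }
}

# Constructed sample mirroring the thread: one clean stop, then three start-ups
# in a row with no "Stopping HIDS" between them.
$sample = @(
    '2022/08/05 11:05:58 INFO - Number of rules loaded in engine: 134'
    '2022/08/05 14:11:21 INFO - Stopping HIDS'
    '2022/08/05 14:11:21 ERROR - Failed to delete autologger: err:exit status 1 out:ERROR: The system was unable to find the specified registry key or value.'
    '2022/08/05 14:11:23 INFO - Count Event Scanned: 143'
    '2022/08/05 14:11:23 INFO - Alerts Reported: 0'
    '2022/08/08 09:03:53 INFO - Number of rules loaded in engine: 134'
    '2022/08/08 09:04:09 WARNING - Sysmon process termination events seem to be missing. WHIDS won''t work as expected.'
    '2022/08/08 09:04:25 INFO - Number of rules loaded in engine: 134'
    '2022/08/08 09:04:56 WARNING - Average event rate above limit of 300.00 e/s in the last 30s: 7850.56 e/s'
    '2022/08/08 09:05:59 INFO - Number of rules loaded in engine: 134'
)
Get-WhidsLogSummary -Lines $sample | Format-List

# On a real endpoint (assumed log path):
# Get-WhidsLogSummary -Lines (Get-Content 'C:\Program Files\Whids\Logs\whids.log')
```

A non-zero AutologgerErrors with a low EventsScanned points at the ingestion side (the autologger session), not at the rule set, which is the diagnosis given earlier in this thread.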

qjerome commented 2 years ago

Hi @RickyXwang and @badboycxcc,

I think I have fixed your issue! It was due to two silly bugs introduced while refactoring some part of the code. One of them was causing the service to crash! Unfortunately, I did not have the time to thoroughly test beta.7 as I was on holidays, that is why I did not notice them... sorry for that inconvenience. Anyway, I pushed a new release: https://github.com/0xrawsec/whids/releases/tag/v1.8.0-beta.8 that you can try and which is supposed to work :). Please let me know if everything works on your side.

xoverride commented 2 years ago

@qjerome Thanks, updated to beta.8; so far, so good!

qjerome commented 2 years ago

Hi @badboycxcc,

Can you please confirm whether it works for you?