SigmaHQ / sigma

Main Sigma Rule Repository

Renamed ZOHO Dctask64 Execution is creating 30.000 alerts / hour in Security Onion #4979

Closed Carlos-mb closed 1 month ago

Carlos-mb commented 1 month ago

Rule UUID

340a090b-c4e9-412e-bb36-b4b16fe96f9b

Example EventLog

event_data.log.file.path /nsm/zeek/logs/current/conn.log
event_data.log.id.uid CUQiLX2Td0eFVZFbej
event_data.log.offset 806882
event_data.message {"ts":1724138278.367143,"uid":"CUQiLX2Td0eFVZFbej","id.orig_h":"fe80::7e1a:71f5:fb93:f092","id.orig_p":5353,"id.resp_h":"ff02::fb","id.resp_p":5353,"proto":"udp","service":"dns","duration":4.892620086669922,"orig_bytes":897,"resp_bytes":0,"conn_state":"S0","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"D","orig_pkts":10,"orig_ip_bytes":1377,"resp_pkts":0,"resp_ip_bytes":0,"community_id":"1:mAxQNL3FsNEDlu/AyGQ18YXJQME=","orig_mac_oui":"Proxmox Server Solutions GmbH"}

Description

I don't know what kind of information I can give, so I'll start with the Alert Console and some alerts:

I don't know if I'm understanding this, but could it be that many alerts are related to network traffic and log content?

9.000 alerts were created from Linux systems, but the rule is only for Windows. Does that make sense?

Please let me know what info I can send in order to help.

Regards, Carlos

github-actions[bot] commented 1 month ago

Welcome @Carlos-mb :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

nasbench commented 1 month ago

This looks like an issue of mapping to me. It seems that behind the scenes the rule is being applied to incorrect sources and fields? Can you look at one of the matches and see what it's being matched on?

The example you linked looks like a DNS log which should never match with this.

Carlos-mb commented 1 month ago

More info...

The ElasticAgent is running on 10.0.0.53, and there are alerts on many other systems, including Security Onion nodes and Android devices!

If I stop ElasticAgent on 10.0.0.53, the alerts stop appearing on every host.

If I enable ElasticAgent, the alerts start appearing on all systems again.

nasbench commented 1 month ago

@Carlos-mb I think you missed my comment above. If so, please check again and provide me with a Windows log entry if you can. Thanks

Carlos-mb commented 1 month ago

@nasbench I guess we wrote at the same time :)

I agree with you, there are a lot of entries from different sources and hosts:

| Count | Dataset |
|---:|---|
| 333,035 | sigma.alert |
| 135,416 | system.syslog |
| 100,367 | soc.server |
| 43,406 | soc.sensoroni |
| 20,780 | zeek.conn |
| 15,718 | endpoint.events.file |
| 14,819 | endpoint.events.registry |
| 12,726 | elastic_agent.filebeat |
| 11,522 | zeek.dns |
| 10,665 | endpoint.events.network |
| 6,947 | kratos.access |
| 5,396 | system.security |
| 4,676 | zeek.ssl |
| 4,310 | endpoint.events.library |
| 4,108 | elastic_agent.endpoint_security |
| 3,075 | endpoint.events.process |
| 2,753 | elastic_agent.osquerybeat |
| 2,326 | zeek.weird |
| 1,522 | elasticsearch.server |
| 1,500 | soc.detections |
| 1,041 | zeek.file |
| 819 | zeek.http |
| 667 | system.application |
| 448 | system.auth |
| 372 | elastic_agent.fleet_server |
| 295 | elastic_agent |
| 278 | endpoint.events.security |
| 234 | kratos.application |
| 234 | kratos.audit |
| 111 | zeek.x509 |
| 107 | zeek.notice |
| 86 | system.system |
| 66 | ti_otx.pulses_subscribed |
| 48 | zeek.syslog |
| 19 | zeek.software |
| 17 | zeek.dhcp |
| 4 | suricata.alert |
| 3 | soc.salt_relay |
| 3 | zeek.dpd |
| 3 | zeek.tunnel |
| 2 | windows.powershell |
| 2 | winlog.winlog |
| 1 | zeek.ssh |

This is one of the 2 from winlog.winlog:

event.agent_id_status | missing
event.dataset | sigma.alert
event.ingested | 2024-08-19T20:03:17Z
event.module | sigma
event.severity | 4
event.severity_label | high
event_data.@timestamp | 2024-08-19T20:01:54.781Z
event_data.@version | 1
event_data._id | gj07bJEBhESOmVFBeRie
event_data._index | .ds-logs-winlog.winlog-default-2024.08.02-000002
event_data.agent.ephemeral_id | 7207d885-f727-4e19-90f6-906a970348a4
event_data.agent.id | 7ba5881a-e711-44a4-b643-32e93d845031
event_data.agent.name | xxxxxxxxxxxxx
event_data.agent.type | filebeat
event_data.agent.version | 8.10.4
event_data.data_stream.dataset | winlog.winlog
event_data.data_stream.namespace | default
event_data.data_stream.type | logs
event_data.ecs.version | 8.0.0
event_data.elastic_agent.id | 7ba5881a-e711-44a4-b643-32e93d845031
event_data.elastic_agent.snapshot | false
event_data.elastic_agent.version | 8.10.4
event_data.event.action | None
event_data.event.agent_id_status | auth_metadata_missing
event_data.event.code | 1151
event_data.event.created | 2024-08-19T20:01:55.846Z
event_data.event.dataset | winlog.winlog
event_data.event.ingested | 2024-08-19T20:02:02Z
event_data.event.kind | event
event_data.event.module | winlog
event_data.event.provider | Microsoft-Windows-Windows Defender
event_data.host.architecture | x86_64
event_data.host.hostname | xxxxxxxxxx
event_data.host.id | 4620046a-9457-45c9-aacb-2fe731cfad01
event_data.host.ip | [   "xxxxxxxxx" ]
event_data.host.mac | [   "xxxxxx" ]
event_data.host.name | xxxxxxxx
event_data.host.os.build | 22631.4037
event_data.host.os.family | windows
event_data.host.os.kernel | 10.0.22621.4036 (WinBuild.160101.0800)
event_data.host.os.name | Windows 11 Pro
event_data.host.os.platform | windows
event_data.host.os.type | windows
event_data.host.os.version | 10.0
event_data.input.type | winlog
event_data.log.level | information
event_data.message | Endpoint Protection client health report (time in UTC):    Platform version: 4.18.24070.5      Engine version: 1.1.24070.3     Network Realtime Inspection engine version: 1.1.24070.3     Antivirus security intelligence version: 1.417.183.0    Antispyware security intelligence version: 1.417.183.0      Network Realtime Inspection security intelligence version: 1.417.183.0      RTP state: Enabled      OA state: Enabled   IOAV state: Enabled     BM state: Enabled   Antivirus security intelligence age: 1      Antispyware security intelligence age: 1    Last quick scan age: 0      Last full scan age: 4294967295      Antivirus security intelligence creation time: 2024-08-18T01:42:04Z     Antispyware security intelligence creation time: 2024-08-18T01:42:05Z   Last quick scan start time: 2024-08-19T13:01:49Z    Last quick scan end time: 2024-08-19T13:02:14Z      Last quick scan source: 2   Last full scan start time: 1601-01-01T00:00:00Z     Last full scan end time: 1601-01-01T00:00:00Z   Last full scan source: 0    Product status: 0x00080000
event_data.metadata.beat | filebeat
event_data.metadata.input.beats.host.ip | xxxxxxx
event_data.metadata.input_id | winlog-winlogs-4603cbe1-d139-44be-933d-46951f4451dd
event_data.metadata.raw_index | logs-winlog.winlog-default
event_data.metadata.stream_id | winlog-winlog.winlog-4603cbe1-d139-44be-933d-46951f4451dd
event_data.metadata.type | _doc
event_data.metadata.version | 8.10.4
event_data.num_hits | 5000
event_data.num_matches | 5000
event_data.tags | [   "elastic-agent",   "input-xxxxxx",   "beats_input_codec_plain_applied",   "winlog" ]
event_data.winlog.api | wineventlog
event_data.winlog.channel | Microsoft-Windows-Windows Defender/Operational
event_data.winlog.computer_name | xxxxxxx
event_data.winlog.event_data.AS security intelligence creation time | 2024-08-18T01:42:05Z
event_data.winlog.event_data.AS security intelligence version | 1.417.183.0
event_data.winlog.event_data.AV security intelligence creation time | 2024-08-18T01:42:04Z
event_data.winlog.event_data.AV security intelligence version | 1.417.183.0
event_data.winlog.event_data.BM state | Enabled
event_data.winlog.event_data.Engine up-to-date | 0
event_data.winlog.event_data.Engine version | 1.1.24070.3
event_data.winlog.event_data.IOAV state | Enabled
event_data.winlog.event_data.Last AS security intelligence age | 1
event_data.winlog.event_data.Last AV security intelligence age | 1
event_data.winlog.event_data.Last full scan age | 4294967295
event_data.winlog.event_data.Last full scan end time | 1601-01-01T00:00:00Z
event_data.winlog.event_data.Last full scan source | 0
event_data.winlog.event_data.Last full scan start time | 1601-01-01T00:00:00Z
event_data.winlog.event_data.Last quick scan age | 0
event_data.winlog.event_data.Last quick scan end time | 2024-08-19T13:02:14Z
event_data.winlog.event_data.Last quick scan source | 2
event_data.winlog.event_data.Last quick scan start time | 2024-08-19T13:01:49Z
event_data.winlog.event_data.Latest engine version | 1.1.24070.3
event_data.winlog.event_data.Latest platform version | 4.18.24070.5
event_data.winlog.event_data.NRI engine version | 1.1.24070.3
event_data.winlog.event_data.NRI security intelligence version | 1.417.183.0
event_data.winlog.event_data.OA state | Enabled
event_data.winlog.event_data.Platform up-to-date | 1
event_data.winlog.event_data.Platform version | 4.18.24070.5
event_data.winlog.event_data.Product Name | Microsoft Defender Antivirus
event_data.winlog.event_data.Product status | 0x00080000
event_data.winlog.event_data.RTP state | Enabled
event_data.winlog.event_id | 1151
event_data.winlog.opcode | Info
event_data.winlog.process.pid | 3404
event_data.winlog.process.thread.id | 8304
event_data.winlog.provider_guid | {11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}
event_data.winlog.provider_name | Microsoft-Windows-Windows Defender
event_data.winlog.record_id | 1866
event_data.winlog.task | None
event_data.winlog.user.domain | NT AUTHORITY
event_data.winlog.user.identifier | S-1-5-18
event_data.winlog.user.name | SYSTEM
event_data.winlog.user.type | User
rule.category | process_creation
rule.name | Renamed ZOHO Dctask64 Execution
rule.product | windows
rule.uuid | 340a090b-c4e9-412e-bb36-b4b16fe96f9b
sigma_level | high
tags | [   "alert",   "alert" ]
soc_id | gj08bJEBhESOmVFBm0bi
soc_score | 13.630279
soc_type |  
soc_timestamp | 2024-08-19T20:03:17.000Z
soc_source | xxxxxxx:.ds-logs-detections.alerts-so-2024.08.02-000001

And this is the other:

event.agent_id_status | missing
event.dataset | sigma.alert
event.ingested | 2024-08-19T20:03:17Z
event.module | sigma
event.severity | 4
event.severity_label | high
event_data.@timestamp | 2024-08-19T20:01:54.778Z
event_data.@version | 1
event_data._id | fj07bJEBhESOmVFBeRid
event_data._index | .ds-logs-winlog.winlog-default-2024.08.02-000002
event_data.agent.ephemeral_id | 7207d885-f727-4e19-90f6-906a970348a4
event_data.agent.id | 7ba5881a-e711-44a4-b643-32e93d845031
event_data.agent.name | xxxxx
event_data.agent.type | filebeat
event_data.agent.version | 8.10.4
event_data.data_stream.dataset | winlog.winlog
event_data.data_stream.namespace | default
event_data.data_stream.type | logs
event_data.ecs.version | 8.0.0
event_data.elastic_agent.id | 7ba5881a-e711-44a4-b643-32e93d845031
event_data.elastic_agent.snapshot | false
event_data.elastic_agent.version | 8.10.4
event_data.event.action | None
event_data.event.agent_id_status | auth_metadata_missing
event_data.event.code | 1150
event_data.event.created | 2024-08-19T20:01:55.846Z
event_data.event.dataset | winlog.winlog
event_data.event.ingested | 2024-08-19T20:02:02Z
event_data.event.kind | event
event_data.event.module | winlog
event_data.event.provider | Microsoft-Windows-Windows Defender
event_data.host.architecture | x86_64
event_data.host.hostname | xxxxx
event_data.host.id | 4620046a-9457-45c9-aacb-2fe731cfad01
event_data.host.ip | [   "xxxxxx ]
event_data.host.mac | [   "xxxxx" ]
event_data.host.name | xxxxx
event_data.host.os.build | 22631.4037
event_data.host.os.family | windows
event_data.host.os.kernel | 10.0.22621.4036 (WinBuild.160101.0800)
event_data.host.os.name | Windows 11 Pro
event_data.host.os.platform | windows
event_data.host.os.type | windows
event_data.host.os.version | 10.0
event_data.input.type | winlog
event_data.log.level | information
event_data.message | Endpoint Protection client is up and running in a healthy state.   Platform version: 4.18.24070.5      Engine version: 1.1.24070.3     Security intelligence version: 1.417.183.0
event_data.metadata.beat | filebeat
event_data.metadata.input.beats.host.ip | xxxxx
event_data.metadata.input_id | winlog-winlogs-4603cbe1-d139-44be-933d-46951f4451dd
event_data.metadata.raw_index | logs-winlog.winlog-default
event_data.metadata.stream_id | winlog-winlog.winlog-4603cbe1-d139-44be-933d-46951f4451dd
event_data.metadata.type | _doc
event_data.metadata.version | 8.10.4
event_data.num_hits | 5000
event_data.num_matches | 5000
event_data.tags | [   "elastic-agent",   "input-xxxxx",   "beats_input_codec_plain_applied",   "winlog" ]
event_data.winlog.api | wineventlog
event_data.winlog.channel | Microsoft-Windows-Windows Defender/Operational
event_data.winlog.computer_name | xxxxx
event_data.winlog.event_data.Engine version | 1.1.24070.3
event_data.winlog.event_data.Platform version | 4.18.24070.5
event_data.winlog.event_data.Product Name | Microsoft Defender Antivirus
event_data.winlog.event_data.Security intelligence version | 1.417.183.0
event_data.winlog.event_id | 1150
event_data.winlog.opcode | Info
event_data.winlog.process.pid | 3404
event_data.winlog.process.thread.id | 8304
event_data.winlog.provider_guid | {11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}
event_data.winlog.provider_name | Microsoft-Windows-Windows Defender
event_data.winlog.record_id | 1865
event_data.winlog.task | None
event_data.winlog.user.domain | NT AUTHORITY
event_data.winlog.user.identifier | S-1-5-18
event_data.winlog.user.name | SYSTEM
event_data.winlog.user.type | User
rule.category | process_creation
rule.name | Renamed ZOHO Dctask64 Execution
rule.product | windows
rule.uuid | 340a090b-c4e9-412e-bb36-b4b16fe96f9b
sigma_level | high
tags | [   "alert",   "alert" ]
soc_id | fT08bJEBhESOmVFBm0aN
soc_score | 13.630279
soc_type |  
soc_timestamp | 2024-08-19T20:03:16.000Z
soc_source | xxxxxx:.ds-logs-detections.alerts-so-2024.08.02-000001

nasbench commented 1 month ago

From the looks of it, it is indeed an issue with a config on the Security Onion side, as the matching Windows events are from the Windows Defender provider (which shouldn't be possible, as the logsource is "process_creation"). I don't have proper knowledge of Security Onion, so perhaps @defensivedepth can shed some light on the issue.
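The mismatch described in the comment above can be made mechanical: before a detection is evaluated, the event's source is checked against the rule's declared logsource. The following is an added illustration (not pySigma's or Security Onion's own code) of such a logsource gate for the rule's `windows`/`process_creation` logsource; the sample events are constructed after the records pasted in this thread, and the Sysmon EID 1 / Security EID 4688 mapping is Sigma's standard backing for that category.

```python
# Added example (not pySigma's or Security Onion's own code): a minimal
# Sigma logsource gate. A backend must evaluate a rule's detection only
# against events from the rule's declared logsource; the alerts in this
# issue show a windows/process_creation rule firing on Zeek DNS records
# and Defender health events, i.e. this gate was missing in the mapping.

RULE = {  # logsource exactly as reported in the pasted alerts
    "title": "Renamed ZOHO Dctask64 Execution",
    "logsource": {"product": "windows", "category": "process_creation"},
}

PROCESS_CREATION_SOURCES = {  # Sigma's standard Windows process_creation sources
    ("Microsoft-Windows-Sysmon/Operational", 1),  # Sysmon EID 1
    ("Security", 4688),                           # Security EID 4688
}

def get(event, path):
    """Follow a dotted ECS path through nested dicts; None if absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def logsource_reject_reason(rule, event):
    """None if the event belongs to the rule's logsource, else why not."""
    ls = rule["logsource"]
    if ls.get("product") != "windows":
        return f"unsupported product {ls.get('product')!r}"
    if get(event, "winlog.channel") is None:
        return "not a Windows event log record (no winlog.channel)"
    if ls.get("category") != "process_creation":
        return f"unsupported category {ls.get('category')!r}"
    src = (get(event, "winlog.channel"), get(event, "winlog.event_id"))
    if src not in PROCESS_CREATION_SOURCES:
        return f"channel/event_id {src} is not a process_creation source"
    return None

# Constructed samples shaped after the records pasted above.
ZEEK_CONN = {"event": {"dataset": "zeek.conn"}, "message": '{"service":"dns"}'}
DEFENDER_1151 = {"winlog": {"channel": "Microsoft-Windows-Windows Defender/Operational",
                            "event_id": 1151}}
SYSMON_1 = {"winlog": {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1}}

if __name__ == "__main__":
    for name, ev in [("zeek.conn", ZEEK_CONN), ("defender", DEFENDER_1151), ("sysmon", SYSMON_1)]:
        print(f"{name}: {logsource_reject_reason(RULE, ev) or 'evaluate detection'}")
```

Only the constructed Sysmon event passes the gate; the Zeek and Defender records are rejected before the detection logic runs, which is the behaviour the alert counts above show was missing.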

defensivedepth commented 1 month ago

Yes, I see that you have already created a Discussion over in https://github.com/Security-Onion-Solutions/securityonion/discussions, so we can continue to troubleshoot over there.

Thanks @nasbench, feel free to close this.

nasbench commented 1 month ago

Closing this in favor of https://github.com/Security-Onion-Solutions/securityonion/discussions/13520