socfortress / Wazuh-Rules

Advanced Wazuh Rules for more accurate threat detection. Feel free to implement within your own Wazuh environment, contribute, or fork!
https://www.socfortress.co

Sysmon Event 3: Not all logs are exported to Wazuh #10

Open AndrewRi opened 1 year ago

AndrewRi commented 1 year ago

Greetings!

I am using the latest version of Sysmon along with olafhartong's sysmonconfig.xml configuration (https://github.com/olafhartong/sysmon-modula). The Wazuh rules file 102101-MITER_TECHNIQUES_FROM_SYSMON_EVENT3.xml is also installed on the server.

In the Event Viewer, I see the logs I need when establishing connections to remote computers.

For example, there are two logs (both have RuleName: technique_id=T1021,technique_name=Remote Services): one for a connection established through the TOTALCMD.EXE process and one through RDCMan.exe.

Network connection detected:
RuleName: technique_id=T1021,technique_name=Remote Services
UtcTime: 2023-03-09 04:09:05.149
ProcessGuid: {a5bd8803-5bc3-6409-9402-000000005400}
ProcessId: 8924
Image: C:\Program Files\totalcmd\TOTALCMD.EXE
User: XXX
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 1.2.3.4
SourceHostname: -
SourcePort: 3272
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 1.2.3.5
DestinationHostname: -
DestinationPort: 22
DestinationPortName: -

Network connection detected:
RuleName: technique_id=T1021,technique_name=Remote Services
UtcTime: 2023-03-09 03:36:23.588
ProcessGuid: {a5bd8803-4fea-6409-1302-000000005400}
ProcessId: 3864
Image: C:\Users\XXX\Desktop\RDCMan.exe
User: XXX
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 1.2.3.4
SourceHostname: -
SourcePort: 2283
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 1.2.3.5
DestinationHostname: -
DestinationPort: 3389
DestinationPortName: -

Wazuh only accepts the logs from TOTALCMD.EXE for some reason. I can't figure out what's wrong. Are there any suggestions? Could something be wrong with your rules?

{
  "agent": {
    "ip": "XXX",
    "name": "XXX",
    "id": "XXX"
  },
  "manager": {
    "name": "YYY"
  },
  "data": {
    "win": {
      "eventdata": {
        "destinationPort": "22",
        "image": "C:\\\\Program Files\\\\totalcmd\\\\TOTALCMD.EXE",
        "sourcePort": "3272",
        "initiated": "true",
        "destinationIp": "1.2.3.4",
        "protocol": "tcp",
        "processGuid": "{a5bd8803-5bc3-6409-9402-000000005400}",
        "sourceIp": "1.2.3.5",
        "processId": "8924",
        "utcTime": "2023-03-09 04:09:05.149",
        "ruleName": "technique_id=T1021,technique_name=Remote Services",
        "destinationIsIpv6": "false",
        "user": "USER",
        "sourceIsIpv6": "false"
      },
      "system": {
        "eventID": "3",
        "keywords": "0x8000000000000000",
        "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
        "level": "4",
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "opcode": "0",
        "message": "\"Network connection detected:\r\nRuleName: technique_id=T1021,technique_name=Remote Services\r\nUtcTime: 2023-03-09 04:09:05.149\r\nProcessGuid: {a5bd8803-5bc3-6409-9402-000000005400}\r\nProcessId: 8924\r\nImage: C:\\Program Files\\totalcmd\\TOTALCMD.EXE\r\nUser: USER\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 1.2.3.4\r\nSourceHostname: -\r\nSourcePort: 3272\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 1.2.3.5\r\nDestinationHostname: -\r\nDestinationPort: 22\r\nDestinationPortName: -\"",
        "version": "5",
        "systemTime": "2023-03-09T04:09:05.7444044Z",
        "eventRecordID": "676177",
        "threadID": "5196",
        "computer": "COMPUTER",
        "task": "3",
        "processID": "3404",
        "severityValue": "INFORMATION",
        "providerName": "Microsoft-Windows-Sysmon"
      }
    }
  },
  "rule": {
    "firedtimes": 1,
    "mail": false,
    "level": 3,
    "description": "Sysmon - Event 3: Network connection by C:\\\\Program Files\\\\totalcmd\\\\TOTALCMD.EXE",
    "groups": [
      "windows",
      "sysmon",
      "sysmon_event3"
    ],
    "mitre": {
      "technique": [
        "Remote Services"
      ],
      "id": [
        "T1021"
      ],
      "tactic": [
        "Lateral Movement"
      ]
    },
    "id": "102101"
  },
  "decoder": {
    "name": "windows_eventchannel"
  },
  "input": {
    "type": "log"
  },
  "@timestamp": "2023-03-09T04:09:05.911Z",
  "location": "EventChannel",
  "id": "1678334945.1197067230",
  "timestamp": "2023-03-09T14:09:05.911+1000",
  "_id": "xNSOxIYB1j_ez_bU7kDA"
}
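The first thing to establish in a report like this is whether the two Event Viewer entries actually differ in any field a rule could key on, or only in the process image and ports. The script below is an added example, not code from the issue author or from the socfortress/Wazuh-Rules repository: it parses the two Sysmon Event 3 message bodies posted above into the same camelCase field names that appear under `data.win.eventdata` in the alert (first letter lowercased, `-` placeholders dropped, which is what the alert shows), diffs them, and evaluates a hypothetical per-field regex condition against both. The `probe` condition keyed on `ruleName` is an assumption for illustration only; it is not the real matching logic of rule 102101, which you would read from the rules file itself.

```python
"""Diff two Sysmon Event ID 3 messages the way Wazuh sees them (added example)."""
from __future__ import annotations

import json
import re

# Constructed sample input: the two events quoted from the Event Viewer above,
# with the same redacted values the reporter posted.
TOTALCMD_EVENT = r"""Network connection detected:
RuleName: technique_id=T1021,technique_name=Remote Services
UtcTime: 2023-03-09 04:09:05.149
ProcessGuid: {a5bd8803-5bc3-6409-9402-000000005400}
ProcessId: 8924
Image: C:\Program Files\totalcmd\TOTALCMD.EXE
User: XXX
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 1.2.3.4
SourceHostname: -
SourcePort: 3272
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 1.2.3.5
DestinationHostname: -
DestinationPort: 22
DestinationPortName: -
"""

RDCMAN_EVENT = r"""Network connection detected:
RuleName: technique_id=T1021,technique_name=Remote Services
UtcTime: 2023-03-09 03:36:23.588
ProcessGuid: {a5bd8803-4fea-6409-1302-000000005400}
ProcessId: 3864
Image: C:\Users\XXX\Desktop\RDCMan.exe
User: XXX
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 1.2.3.4
SourceHostname: -
SourcePort: 2283
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 1.2.3.5
DestinationHostname: -
DestinationPort: 3389
DestinationPortName: -
"""


def parse_sysmon_message(message: str) -> dict[str, str]:
    """Turn a Sysmon 'Key: value' message body into the eventdata shape seen in
    the alert: first letter lowercased, '-' (unset) fields dropped, the
    'Network connection detected:' header skipped because it has no value."""
    fields: dict[str, str] = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")  # split on the FIRST colon only,
        key, value = key.strip(), value.strip()  # so 'C:\...' paths survive
        if not sep or not value or value == "-":
            continue
        fields[key[0].lower() + key[1:]] = value
    return fields


def diff_events(a: dict[str, str], b: dict[str, str]) -> dict[str, tuple[str | None, str | None]]:
    """Fields whose values differ between the two events, as (a, b) pairs."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def matches(fields: dict[str, str], conditions: dict[str, str]) -> bool:
    """Hypothetical stand-in for a rule's per-field regex checks (assumption:
    every listed field must be present and match its regex)."""
    return all(k in fields and re.search(rx, fields[k]) is not None for k, rx in conditions.items())


def summarize() -> dict:
    """Diff the two posted events and evaluate an assumed ruleName-only probe."""
    a, b = parse_sysmon_message(TOTALCMD_EVENT), parse_sysmon_message(RDCMAN_EVENT)
    probe = {"ruleName": r"technique_id=T1021"}  # assumed condition, not rule 102101's logic
    return {
        "differing_fields": sorted(diff_events(a, b)),
        "probe_fires_totalcmd": matches(a, probe),
        "probe_fires_rdcman": matches(b, probe),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(), indent=2))
```

Running it shows the two events differ only in `utcTime`, `processGuid`, `processId`, `image`, `sourcePort` and `destinationPort`; every other field, including `ruleName`, is identical, so a condition that looked only at `ruleName` would fire for both. That narrows the investigation to whichever of the differing fields the real rule (or a sibling rule in the same file, via `if_sid`/`if_group` ordering) actually matches on, or to the agent side, where a missing `eventchannel` entry or a dropped event would mean the RDCMan.exe record never reached the manager at all.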