wazuh / wazuh-documentation

Wazuh - Project documentation
https://wazuh.com

Fix documentation for "MITRE ATT&CK framework". Section "Customization" #7567

Closed matias-braida closed 3 months ago

matias-braida commented 3 months ago

During the https://github.com/wazuh/wazuh/issues/24852, I deployed a distributed Wazuh (one server for each central component) using the Offline Installation method step by step.

The related documentation is here: https://documentation-dev.wazuh.com/v4.9.0-alpha3/deployment-options/offline-installation/step-by-step.html

After a successful installation, I execute the MITRE ATT&CK Customization.

The related documentation is here: https://documentation-dev.wazuh.com/v4.9.0-alpha3/user-manual/ruleset/mitre.html#customization

After executing each step, I found that no alert was present in the dashboard with rule.id "110011", which is expected to be generated in this test. The test was done in a first attempt using a Windows Server 2019 agent, and in a second attempt using a Windows 11 agent, as the documentation describes. In both cases, no alerts with rule.id "110011" were present on the dashboard.

ooniagbi commented 3 months ago

Initial test

I tested the documentation on my current Wazuh setup (v4.7.4), and everything works, as seen in the screenshot below:

image

This implies that the error is not from the rule or the steps in the documentation.

Alert log

{
  "_index": "wazuh-alerts-4.x-2024.07.25",
  "_id": "UV2z6ZABrUKp1xjkGupd",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "192.168.56.172",
      "name": "DESKTOP-I1PBMQ1",
      "id": "002"
    },
    "manager": {
      "name": "wazuh-server"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\\\Windows\\\\system32\\\\services.exe",
          "targetObject": "HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC\\\\ObjectName",
          "processGuid": "{66774b51-6c61-66a2-0b00-000000000e00}",
          "processId": "708",
          "utcTime": "2024-07-25 08:50:48.923",
          "ruleName": "technique_id=T1543,technique_name=Service Creation",
          "details": "LocalSystem",
          "eventType": "SetValue",
          "user": "NT AUTHORITY\\\\SYSTEM"
        },
        "system": {
          "eventID": "13",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Registry value set:\r\nRuleName: technique_id=T1543,technique_name=Service Creation\r\nEventType: SetValue\r\nUtcTime: 2024-07-25 08:50:48.923\r\nProcessGuid: {66774b51-6c61-66a2-0b00-000000000e00}\r\nProcessId: 708\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName\r\nDetails: LocalSystem\r\nUser: NT AUTHORITY\\SYSTEM\"",
          "version": "2",
          "systemTime": "2024-07-25T08:50:48.9367520Z",
          "eventRecordID": "23679",
          "threadID": "4800",
          "computer": "DESKTOP-I1PBMQ1",
          "task": "13",
          "processID": "3420",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "rule": {
      "firedtimes": 7,
      "mail": false,
      "level": 10,
      "description": "PsExec service running as NT AUTHORITY\\\\SYSTEM has been created on DESKTOP-I1PBMQ1.",
      "groups": [
        "windows",
        "sysmon",
        "privilege-escalation"
      ],
      "mitre": {
        "technique": [
          "Windows Service"
        ],
        "id": [
          "T1543.003"
        ],
        "tactic": [
          "Persistence",
          "Privilege Escalation"
        ]
      },
      "id": "110011"
    },
    "location": "EventChannel",
    "decoder": {
      "name": "windows_eventchannel"
    },
    "id": "1721897449.6317303",
    "timestamp": "2024-07-25T08:50:49.715+0000"
  },
  "fields": {
    "timestamp": [
      "2024-07-25T08:50:49.715Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@opensearch-dashboards-highlighted-field@002@/opensearch-dashboards-highlighted-field@"
    ],
    "manager.name": [
      "@opensearch-dashboards-highlighted-field@wazuh-server@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1721897449715
  ]
}
ooniagbi commented 3 months ago

Testing on 4.9.0

2024/07/25 17:09:09 wazuh-analysisd[23261] winevtchannel.c:142 at DecodeWinevt(): WARNING: Could not read XML string: '<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2024-07-25T17:09:08.2691305Z'/><EventRecordID>27414</EventRecordID><Correlation/><Execution ProcessID='3308' ThreadID='5784'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>DESKTOP-I1PBMQ1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>technique_id=T1047,technique_name=Windows Management Instrumentation</Data><Data Name='UtcTime'>2024-07-25 17:09:08.262</Data><Data Name='ProcessGuid'>{66774b51-86b4-66a2-8403-000000000f00}</Data><Data Name='ProcessId'>6044</Data><Data Name='Image'>C:\Windows\System32\wbem\WmiPrvSE.exe</Data><Data Name='FileVersion'>10.0.22621.1 (WinBuild.160101.0800)</Data><Data Name='Description'>WMI Provider Host</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>Wmiprvse.exe</Data><Data Name='CommandLine'>C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\NETWORK SERVICE</Data><Data Name='LogonGuid'>{66774b51-e422-66a2-e403-000000000000}</Data><Data Name='LogonId'>0x3e4</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>SHA1=91180ED89976D16353404AC982A422A707F2AE37,MD5=7528CCABACCD5C1748E63E192097472A,SHA256=196CABED59111B6C4BBF78C84A56846D96CBBC4F06935A4FD4E6432EF0AE4083,IMPHASH=144C0DFA3875D7237B37631C52D608CB</Data><Data Name='ParentProcessGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='ParentProcessId'>876</Data><Data Name='ParentImage'>-</Data><Data Name='ParentCommandLine'>-</Data><Data Name='ParentUser'>-</Data></EventData></Event>'
{
  "_index": "wazuh-archives-4.x-2024.07.25",
  "_id": "XN8E65ABf57TS6_MTNzV",
  "_score": 0,
  "_source": {
    "agent": {
      "ip": "192.168.56.172",
      "name": "DESKTOP-I1PBMQ1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu2204.localdomain"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\Windows\\system32\\services.exe",
          "targetObject": "HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName",
          "processGuid": "{66774b51-e421-66a2-0b00-000000000f00}",
          "processId": "708",
          "utcTime": "2024-07-25 17:50:42.822",
          "ruleName": "technique_id=T1543,technique_name=Service Creation",
          "details": "LocalSystem",
          "eventType": "SetValue",
          "user": "NT AUTHORITY\\SYSTEM"
        },
        "system": {
          "eventID": "13",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Registry value set:\r\nRuleName: technique_id=T1543,technique_name=Service Creation\r\nEventType: SetValue\r\nUtcTime: 2024-07-25 17:50:42.822\r\nProcessGuid: {66774b51-e421-66a2-0b00-000000000f00}\r\nProcessId: 708\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName\r\nDetails: LocalSystem\r\nUser: NT AUTHORITY\\SYSTEM\"",
          "version": "2",
          "systemTime": "2024-07-25T17:50:42.8381418Z",
          "eventRecordID": "28615",
          "threadID": "5784",
          "computer": "DESKTOP-I1PBMQ1",
          "task": "13",
          "processID": "3308",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"13\",\"version\":\"2\",\"level\":\"4\",\"task\":\"13\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2024-07-25T17:50:42.8381418Z\",\"eventRecordID\":\"28615\",\"processID\":\"3308\",\"threadID\":\"5784\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-I1PBMQ1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry value set:\\r\\nRuleName: technique_id=T1543,technique_name=Service Creation\\r\\nEventType: SetValue\\r\\nUtcTime: 2024-07-25 17:50:42.822\\r\\nProcessGuid: {66774b51-e421-66a2-0b00-000000000f00}\\r\\nProcessId: 708\\r\\nImage: C:\\\\Windows\\\\system32\\\\services.exe\\r\\nTargetObject: HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC\\\\ObjectName\\r\\nDetails: LocalSystem\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1543,technique_name=Service Creation\",\"eventType\":\"SetValue\",\"utcTime\":\"2024-07-25 17:50:42.822\",\"processGuid\":\"{66774b51-e421-66a2-0b00-000000000f00}\",\"processId\":\"708\",\"image\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"targetObject\":\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC\\\\ObjectName\",\"details\":\"LocalSystem\",\"user\":\"NT AUTHORITY\\\\SYSTEM\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2024-07-25T17:50:44.337Z",
    "location": "EventChannel",
    "id": "1721929844.2537500",
    "timestamp": "2024-07-25T17:50:44.337+0000"
  },
  "fields": {
    "@timestamp": [
      "2024-07-25T17:50:44.337Z"
    ],
    "timestamp": [
      "2024-07-25T17:50:44.337Z"
    ]
  }
}
**Messages:
    INFO: analysisd/logtest.c:1098 at w_logtest_process_request_log_processing(): (7202): Session initialized with token '949df666'

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.details: 'LocalSystem'
    win.eventdata.eventType: 'SetValue'
    win.eventdata.image: 'C:\Windows\system32\services.exe'
    win.eventdata.processGuid: '{66774b51-e421-66a2-0b00-000000000f00}'
    win.eventdata.processId: '708'
    win.eventdata.ruleName: 'technique_id=T1543,technique_name=Service Creation'
    win.eventdata.targetObject: 'HKLM\System\CurrentControlSet\Services\PSEXESVC\ObjectName'
    win.eventdata.user: 'NT AUTHORITY\SYSTEM'
    win.eventdata.utcTime: '2024-07-25 17:50:42.822'
    win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
    win.system.computer: 'DESKTOP-I1PBMQ1'
    win.system.eventID: '13'
    win.system.eventRecordID: '28615'
    win.system.keywords: '0x8000000000000000'
    win.system.level: '4'
    win.system.message: '"Registry value set:
RuleName: technique_id=T1543,technique_name=Service Creation
EventType: SetValue
UtcTime: 2024-07-25 17:50:42.822
ProcessGuid: {66774b51-e421-66a2-0b00-000000000f00}
ProcessId: 708
Image: C:\Windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\PSEXESVC\ObjectName
Details: LocalSystem
User: NT AUTHORITY\SYSTEM"'
    win.system.opcode: '0'
    win.system.processID: '3308'
    win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
    win.system.providerName: 'Microsoft-Windows-Sysmon'
    win.system.severityValue: 'INFORMATION'
    win.system.systemTime: '2024-07-25T17:50:42.8381418Z'
    win.system.task: '13'
    win.system.threadID: '5784'
    win.system.version: '2'

**Phase 3: Completed filtering (rules).
    id: '61615'
    level: '0'
    description: 'Sysmon - Event 13: RegistryEvent SetValue on HKLM\System\CurrentControlSet\Services\PSEXESVC\ObjectName by C:\Windows\system32\services.exe'
    groups: '["windows","sysmon","sysmon_event_13"]'
    firedtimes: '1'
    mail: 'false'
ooniagbi commented 3 months ago

Possible fix

After several tests and tweaks, I noticed the Windows alert logs I copied from the 4.7.4 server had 4 slashes (\\\\), while the Windows alert logs in 4.9.0 had 2 slashes (\\). I modified the rule in the documentation to look like this:

<group name="windows,sysmon,privilege-escalation">

  <rule id="110011" level="10">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC</field>
    <field name="win.eventdata.eventType" type="pcre2">^SetValue$</field>
    <field name="win.eventdata.user" type="pcre2">NT AUTHORITY\\SYSTEM</field>
    <description>PsExec service running as $(win.eventdata.user) has been created on $(win.system.computer).</description>
    <mitre>
      <id>T1543.003</id>
    </mitre>
  </rule>
</group>

This works. I am guessing there has been a change in how Windows logs are processed, which means that rules that were written to account for the extra slashes would no longer work. The successful test result is below:

**Messages:
    WARNING: analysisd/logtest.c:1085 at w_logtest_process_request_log_processing(): (7003): '5f23af43' token expires
    INFO: analysisd/logtest.c:1098 at w_logtest_process_request_log_processing(): (7202): Session initialized with token '075ccd2e'

**Phase 1: Completed pre-decoding.
    full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"13","version":"2","level":"4","task":"13","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-07-25T17:50:42.8381418Z","eventRecordID":"28615","processID":"3308","threadID":"5784","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-I1PBMQ1","severityValue":"INFORMATION","message":"\"Registry value set:\r\nRuleName: technique_id=T1543,technique_name=Service Creation\r\nEventType: SetValue\r\nUtcTime: 2024-07-25 17:50:42.822\r\nProcessGuid: {66774b51-e421-66a2-0b00-000000000f00}\r\nProcessId: 708\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName\r\nDetails: LocalSystem\r\nUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"ruleName":"technique_id=T1543,technique_name=Service Creation","eventType":"SetValue","utcTime":"2024-07-25 17:50:42.822","processGuid":"{66774b51-e421-66a2-0b00-000000000f00}","processId":"708","image":"C:\\Windows\\system32\\services.exe","targetObject":"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName","details":"LocalSystem","user":"NT AUTHORITY\\SYSTEM"}}}'

**Phase 2: Completed decoding.
    name: 'json'
    win.eventdata.details: 'LocalSystem'
    win.eventdata.eventType: 'SetValue'
    win.eventdata.image: 'C:\Windows\system32\services.exe'
    win.eventdata.processGuid: '{66774b51-e421-66a2-0b00-000000000f00}'
    win.eventdata.processId: '708'
    win.eventdata.ruleName: 'technique_id=T1543,technique_name=Service Creation'
    win.eventdata.targetObject: 'HKLM\System\CurrentControlSet\Services\PSEXESVC\ObjectName'
    win.eventdata.user: 'NT AUTHORITY\SYSTEM'
    win.eventdata.utcTime: '2024-07-25 17:50:42.822'
    win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
    win.system.computer: 'DESKTOP-I1PBMQ1'
    win.system.eventID: '13'
    win.system.eventRecordID: '28615'
    win.system.keywords: '0x8000000000000000'
    win.system.level: '4'
    win.system.message: '"Registry value set:
RuleName: technique_id=T1543,technique_name=Service Creation
EventType: SetValue
UtcTime: 2024-07-25 17:50:42.822
ProcessGuid: {66774b51-e421-66a2-0b00-000000000f00}
ProcessId: 708
Image: C:\Windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\PSEXESVC\ObjectName
Details: LocalSystem
User: NT AUTHORITY\SYSTEM"'
    win.system.opcode: '0'
    win.system.processID: '3308'
    win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
    win.system.providerName: 'Microsoft-Windows-Sysmon'
    win.system.severityValue: 'INFORMATION'
    win.system.systemTime: '2024-07-25T17:50:42.8381418Z'
    win.system.task: '13'
    win.system.threadID: '5784'
    win.system.version: '2'

**Phase 3: Completed filtering (rules).
    id: '110011'
    level: '10'
    description: 'PsExec service running as NT AUTHORITY\SYSTEM has been created on DESKTOP-I1PBMQ1.'
    groups: '["windows","sysmon","privilege-escalation"]'
    firedtimes: '1'
    mail: 'false'
    mitre.id: '["T1543.003"]'
    mitre.tactic: '["Persistence","Privilege Escalation"]'
    mitre.technique: '["Windows Service"]'
**Alert to be generated.
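To make the escaping difference concrete, here is an added example (not part of the issue thread or of the Wazuh ruleset) that replays the three `<field>` checks of rule 110011 against a constructed copy of the decoded Sysmon event 13 shown above. It assumes Python's `re` behaves like pcre2 for these simple patterns, and that a `<field>` check is an unanchored search over the decoded string value (single backslash per path separator, as wazuh-logtest prints it in 4.9.0).

```python
import json
import re

# Constructed sample: the decoded Sysmon event 13 as the rule engine sees it in 4.9.0.
# In JSON source "\\" is one backslash, so targetObject holds single separators.
SAMPLE_EVENT = json.loads(r'''
{"win":{"system":{"eventID":"13","computer":"DESKTOP-I1PBMQ1"},
 "eventdata":{"eventType":"SetValue",
   "targetObject":"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName",
   "user":"NT AUTHORITY\\SYSTEM","details":"LocalSystem"}}}
''')

# Field checks from the corrected rule 110011, pattern text exactly as in the XML:
# in pcre2, "\\" matches one literal backslash.
RULE_110011 = {
    "win.eventdata.targetObject": r"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC",
    "win.eventdata.eventType": r"^SetValue$",
    "win.eventdata.user": r"NT AUTHORITY\\SYSTEM",
}

# The same checks written for the 4.7.4 alert format, which carried doubled backslashes;
# "\\\\" matches two literal backslashes, so it cannot match the 4.9.0 decoded value.
RULE_110011_OLD = {
    "win.eventdata.targetObject": r"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC",
    "win.eventdata.eventType": r"^SetValue$",
    "win.eventdata.user": r"NT AUTHORITY\\\\SYSTEM",
}

def get_field(event, dotted):
    """Resolve a dotted name such as win.eventdata.user against the decoded event."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def rule_matches(event, fields):
    """All <field> checks must match (unanchored search); a missing field fails the rule."""
    for name, pattern in fields.items():
        value = get_field(event, name)
        if not isinstance(value, str) or re.search(pattern, value) is None:
            return False
    return True

def describe(event):
    """Expand the rule's $(...) placeholders the way the alert description shows them."""
    return (f"PsExec service running as {get_field(event, 'win.eventdata.user')} "
            f"has been created on {get_field(event, 'win.system.computer')}.")

if __name__ == "__main__":
    print("corrected rule matches:", rule_matches(SAMPLE_EVENT, RULE_110011))
    print("4.7.4-style rule matches:", rule_matches(SAMPLE_EVENT, RULE_110011_OLD))
    if rule_matches(SAMPLE_EVENT, RULE_110011):
        print(describe(SAMPLE_EVENT))
```

Run it stand-alone to see the corrected pattern match and the doubled-backslash pattern fail on the same decoded event.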
ooniagbi commented 3 months ago

Testing this fix with the documentation use case

image

cborla commented 3 months ago

I will keep this issue open until I close the corresponding issue in wazuh/wazuh, but no documentation changes will be made; the parser functionality will be left as it works in 4.8.1. Related issue.