wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

System tests: Repeated offenders not working/implemented in windows #2946

Closed damarisg closed 1 year ago

damarisg commented 2 years ago
| Version | Component | Core issue | Core development branch | QA development branch |
|---|---|---|---|---|
| 4.4 | Active Response | https://github.com/wazuh/wazuh/issues/8400 | | |

Description

This issue aims to implement the missing ability to handle repeated offenders in active response for Windows: the same repeated offenders functionality that exists for Linux, for Windows.

| Type | Value |
|---|---|
| Debug mode | 1 |
| Log message | `"Repeated offender. Setting timeout to '%ds'"` |

Useful documentation:

Use cases

Case 1: If there is a recurrence before the timeout expires

### Settings

```
no host-deny defined-agent 001 3 3
```

```
no 1,5,7
```

### Check

- The first log is for the configured timeout for the AR.
- The second log (first recurrence) where the waiting time would become 1 minute.
- The third log (second recurrence) where the waiting time would become 5 minutes.
- The fourth log (third recurrence) where the timeout would become 7 minutes.
- The fifth log (fourth recurrence) where the waiting time would become 3 minutes.

Case 2: Timeout negative value.

### Settings

```
no host-deny defined-agent 001 3 -10
```

```
no 1,5,10
```

### Check

- Error or takes a default value?

Case 3: Timeout valid where a repeated_offenders negative value.

### Settings

```
no host-deny defined-agent 001 3 2
```

```
no 1,-1,4
```

### Check

- Error or takes a default value?

Case 4: Repeat_offenders exceeds the established recurrence limit.

### Settings

```
no host-deny defined-agent 001 3 2
```

```
no 1,3,5,1,4,10
```

### Check

- The first log is for the configured timeout (2) for the AR.
- The second log (first recurrence) where the waiting time would become 1 minute.
- The third log (second recurrence) where the waiting time would become 3 minutes.
- The fourth log (third recurrence) where the timeout would become 5 minutes.
- The fifth log (fourth recurrence) where the waiting time would become 4 minutes.
- The sixth log is for the configured timeout (2) for the AR.

Case 5: Repeat_offenders values are set more than once.

### Settings

```
no host-deny defined-agent 001 3 2
```

```
no 1,3,5 3,1
```

### Check

- Error? Takes the first values? Takes both values?

Development stage
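To make the use cases above checkable by a script rather than by eye, here is an added example (not code from the wazuh or wazuh-qa repositories). It models the timeout escalation the cases describe and parses the wazuh-execd log lines quoted in this thread, so a test can compare the timeouts the agent actually applied against the configured `<timeout>` and `<repeated_offenders>` values. The escalation rule it assumes is the one the Linux logs in this thread show: the first trigger uses `<timeout>` in seconds, recurrence n uses the n-th `repeated_offenders` value in minutes, and once the list is exhausted the last value is kept (Case 1 and Case 4 above expected a return to the base timeout instead; the model follows the observed behaviour, and `verify` reports the mismatch if the agent does something else). The sample log text is constructed from the Case 1 lines with the JSON payload shortened to `{...}`.

```python
"""Model of the repeated-offender timeout escalation and a checker that
extracts the effective timeouts from wazuh-execd debug log lines.

Added example, not code from wazuh or wazuh-qa. Assumed behaviour (what the
Linux logs in this issue show):
  * the first trigger uses <timeout> (seconds);
  * recurrence n uses repeated_offenders[n-1], given in minutes;
  * past the end of the list the last value is kept.
"""
import re
from typing import Dict, List

# Patterns copied from the ossec.log lines quoted in this issue.
LOADED_RE = re.compile(r"Adding offenders timeout: (-?\d+) \(for #(\d+)\)")
SETTING_RE = re.compile(r"Repeated offender\. Setting timeout to '(-?\d+)s'")
ADDING_RE = re.compile(r"to the timeout list, with a timeout of '(-?\d+)s'")


def expected_timeouts(base_timeout: int, repeated_offenders: List[int], triggers: int) -> List[int]:
    """Expected timeout in seconds for each of `triggers` consecutive firings
    from the same source, each one landing before the previous block expires
    (Case 1 of the test plan)."""
    seq: List[int] = []
    for n in range(triggers):
        if n == 0 or not repeated_offenders:
            seq.append(base_timeout)
        else:
            idx = min(n - 1, len(repeated_offenders) - 1)  # stay on the last value
            seq.append(repeated_offenders[idx] * 60)
    return seq


def loaded_offenders(log_text: str) -> List[int]:
    """Values execd reports at startup ('Adding offenders timeout: X (for #N)').
    Case 3 shows the lines twice (two execd PIDs), so they are keyed by #N."""
    by_pos: Dict[int, int] = {}
    for m in LOADED_RE.finditer(log_text):
        by_pos[int(m.group(2))] = int(m.group(1))
    return [by_pos[k] for k in sorted(by_pos)]


def announced_timeouts(log_text: str) -> List[int]:
    """Values from the 'Repeated offender. Setting timeout to ...' debug lines."""
    return [int(m.group(1)) for m in SETTING_RE.finditer(log_text)]


def observed_timeouts(log_text: str) -> List[int]:
    """Effective timeout of every 'Adding command ... to the timeout list'
    line, in log order. This is the value the block actually gets."""
    return [int(m.group(1)) for m in ADDING_RE.finditer(log_text)]


def config_problems(base_timeout: int, repeated_offenders: List[int]) -> List[str]:
    """Flag the inputs Cases 2 and 3 probe. A non-positive timeout makes the
    command run and be undone at once (the '-5s' pair in Case 2), so the
    source is never really blocked."""
    problems = []
    if base_timeout <= 0:
        problems.append(f"timeout={base_timeout}: not positive, block is removed immediately")
    for pos, value in enumerate(repeated_offenders, start=1):
        if value <= 0:
            problems.append(f"repeated_offenders #{pos}={value}: not positive")
    return problems


def verify(log_text: str, base_timeout: int, repeated_offenders: List[int]) -> bool:
    """True when the timeouts the agent applied match the model."""
    seen = observed_timeouts(log_text)
    return seen == expected_timeouts(base_timeout, repeated_offenders, len(seen))


# Constructed sample: the Case 1 debug lines from this thread, JSON shortened.
SAMPLE_LOG = """\
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 1 (for #1)
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 2 (for #2)
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 3 (for #3)
2022/08/31 04:05:20 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {...}' to the timeout list, with a timeout of '5s'.
2022/08/31 04:05:26 wazuh-execd[23525] execd.c:147 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/host-deny {...}' after a timeout of '5s'
2022/08/31 04:06:25 wazuh-execd[23525] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '60s'
2022/08/31 04:06:25 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {...}' to the timeout list, with a timeout of '60s'.
2022/08/31 04:16:53 wazuh-execd[23525] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '120s'
2022/08/31 04:16:53 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {...}' to the timeout list, with a timeout of '120s'.
2022/08/31 04:20:37 wazuh-execd[23525] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '180s'
2022/08/31 04:20:37 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {...}' to the timeout list, with a timeout of '180s'.
2022/08/31 04:24:26 wazuh-execd[23525] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '180s'
2022/08/31 04:24:26 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {...}' to the timeout list, with a timeout of '180s'.
2022/08/31 04:28:42 wazuh-execd[23525] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '180s'
2022/08/31 04:28:42 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {...}' to the timeout list, with a timeout of '180s'.
"""

if __name__ == "__main__":
    offenders = loaded_offenders(SAMPLE_LOG)
    print("loaded repeated_offenders:", offenders)
    print("announced:", announced_timeouts(SAMPLE_LOG))
    print("observed:", observed_timeouts(SAMPLE_LOG))
    print("expected:", expected_timeouts(5, offenders, 6))
    print("match:", verify(SAMPLE_LOG, 5, offenders))
    print("Case 4 model:", expected_timeouts(2, [1, 3, 5, 1, 4, 10], 7))
    print("Case 2/3 problems:", config_problems(-5, [1, 2, 3]), config_problems(3, [-1, 2, 3]))
```

Feeding the real agent ossec.log (with `debug` level 1 for execd) to `verify` is enough to turn Cases 1 and 4 into pass/fail checks; `config_problems` covers what Cases 2 and 3 ask, namely whether non-positive values should be rejected at load time instead of producing the immediate add/delete pair seen in Case 2.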

fedepacher commented 2 years ago

Update 2022/09/02

manager-side configuration test

<active-response>
  <disabled>no</disabled>
  <command>host-deny</command>
  <location>defined-agent</location>
  <agent_id>001</agent_id>
  <rules_id>5712</rules_id>
  <timeout>5</timeout>
</active-response>

Linux agent-side configuration test

<active-response>
  <disabled>no</disabled>
  <repeated_offenders>1,2,3</repeated_offenders>
</active-response>

local_internal_option configuration

Logs expected on the agent side (ossec.log)

2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 1 (for #1)
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 2 (for #2)
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 3 (for #3)

An SSH attack was attempted. To do so:

ssh randomuser@<IP>

Case 1: If there is a recurrence before the timeout expires

For this case, the IP was expected to be blocked as follows:

Test

First ssh attack output log:

#### Start active-response

```
2022/08/31 04:05:20 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:05:21.413+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661918721.10620559","previous_output":"Aug 31 04:05:17 ubuntu-bionic sshd[24548]: Invalid user blimey from 192.168.56.23 port 46766\nAug 31 04:05:16 ubuntu-bionic sshd[24540]: Invalid user blimey from 192.168.56.23 port 46764\nAug 31 04:05:14 ubuntu-bionic sshd[24535]: Invalid user blimey from 192.168.56.23 port 46762\nAug 31 04:05:13 ubuntu-bionic sshd[24527]: Invalid user blimey from 192.168.56.23 port 46760\nAug 31 04:05:12 ubuntu-bionic sshd[24525]: Invalid user blimey from 192.168.56.23 port 46758\nAug 31 04:05:11 ubuntu-bionic sshd[24520]: Invalid user blimey from 192.168.56.23 port 38328\nAug 31 04:04:55 ubuntu-bionic sshd[24470]: Invalid user blimey from 192.168.56.23 port 44658","full_log":"Aug 31 04:05:19 ubuntu-bionic sshd[24553]: Invalid user blimey from 192.168.56.23 port 46768","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:05:19","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"46768","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' to the timeout list, with a timeout of '5s'.
```

#### End active-response

```
2022/08/31 04:05:26 wazuh-execd[23525] execd.c:147 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:05:21.413+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661918721.10620559","previous_output":"Aug 31 04:05:17 ubuntu-bionic sshd[24548]: Invalid user blimey from 192.168.56.23 port 46766\nAug 31 04:05:16 ubuntu-bionic sshd[24540]: Invalid user blimey from 192.168.56.23 port 46764\nAug 31 04:05:14 ubuntu-bionic sshd[24535]: Invalid user blimey from 192.168.56.23 port 46762\nAug 31 04:05:13 ubuntu-bionic sshd[24527]: Invalid user blimey from 192.168.56.23 port 46760\nAug 31 04:05:12 ubuntu-bionic sshd[24525]: Invalid user blimey from 192.168.56.23 port 46758\nAug 31 04:05:11 ubuntu-bionic sshd[24520]: Invalid user blimey from 192.168.56.23 port 38328\nAug 31 04:04:55 ubuntu-bionic sshd[24470]: Invalid user blimey from 192.168.56.23 port 44658","full_log":"Aug 31 04:05:19 ubuntu-bionic sshd[24553]: Invalid user blimey from 192.168.56.23 port 46768","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:05:19","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"46768","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' after a timeout of '5s'
```
Second ssh attack output log:

#### Start active-response

```
2022/08/31 04:06:25 wazuh-execd[23525] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '60s'
2022/08/31 04:06:25 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:06:25.704+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661918785.10638973","previous_output":"Aug 31 04:06:22 ubuntu-bionic sshd[24779]: Invalid user blimey from 192.168.56.23 port 45348\nAug 31 04:06:18 ubuntu-bionic sshd[24765]: Invalid user blimey from 192.168.56.23 port 53630\nAug 31 04:06:17 ubuntu-bionic sshd[24760]: Invalid user blimey from 192.168.56.23 port 53628\nAug 31 04:06:15 ubuntu-bionic sshd[24752]: Invalid user blimey from 192.168.56.23 port 53626\nAug 31 04:06:12 ubuntu-bionic sshd[24741]: Invalid user blimey from 192.168.56.23 port 53624\nAug 31 04:06:09 ubuntu-bionic sshd[24730]: Invalid user blimey from 192.168.56.23 port 51370\nAug 31 04:06:07 ubuntu-bionic sshd[24722]: Invalid user blimey from 192.168.56.23 port 51368","full_log":"Aug 31 04:06:24 ubuntu-bionic sshd[24787]: Invalid user blimey from 192.168.56.23 port 45350","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:06:24","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"45350","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' to the timeout list, with a timeout of '60s'.
```

#### End active-response

```
2022/08/31 04:07:26 wazuh-execd[23525] execd.c:147 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:06:25.704+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661918785.10638973","previous_output":"Aug 31 04:06:22 ubuntu-bionic sshd[24779]: Invalid user blimey from 192.168.56.23 port 45348\nAug 31 04:06:18 ubuntu-bionic sshd[24765]: Invalid user blimey from 192.168.56.23 port 53630\nAug 31 04:06:17 ubuntu-bionic sshd[24760]: Invalid user blimey from 192.168.56.23 port 53628\nAug 31 04:06:15 ubuntu-bionic sshd[24752]: Invalid user blimey from 192.168.56.23 port 53626\nAug 31 04:06:12 ubuntu-bionic sshd[24741]: Invalid user blimey from 192.168.56.23 port 53624\nAug 31 04:06:09 ubuntu-bionic sshd[24730]: Invalid user blimey from 192.168.56.23 port 51370\nAug 31 04:06:07 ubuntu-bionic sshd[24722]: Invalid user blimey from 192.168.56.23 port 51368","full_log":"Aug 31 04:06:24 ubuntu-bionic sshd[24787]: Invalid user blimey from 192.168.56.23 port 45350","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:06:24","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"45350","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' after a timeout of '60s'
```
Third ssh attack output log:

#### Start active-response

```
2022/08/31 04:16:53 wazuh-execd[23525] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '120s'
2022/08/31 04:16:53 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:16:54.697+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661919414.10653123","previous_output":"Aug 31 04:16:52 ubuntu-bionic sshd[26828]: Invalid user blimey from 192.168.56.23 port 50542\nAug 31 04:16:51 ubuntu-bionic sshd[26823]: Invalid user blimey from 192.168.56.23 port 50540\nAug 31 04:16:50 ubuntu-bionic sshd[26818]: Invalid user blimey from 192.168.56.23 port 50538\nAug 31 04:16:48 ubuntu-bionic sshd[26813]: Invalid user blimey from 192.168.56.23 port 50536\nAug 31 04:16:47 ubuntu-bionic sshd[26808]: Invalid user blimey from 192.168.56.23 port 50534\nAug 31 04:16:45 ubuntu-bionic sshd[26797]: Invalid user blimey from 192.168.56.23 port 50532\nAug 31 04:16:43 ubuntu-bionic sshd[26779]: Invalid user blimey from 192.168.56.23 port 50530","full_log":"Aug 31 04:16:53 ubuntu-bionic sshd[26833]: Invalid user blimey from 192.168.56.23 port 59720","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:16:53","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"59720","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' to the timeout list, with a timeout of '120s'.
```

#### End active-response

```
2022/08/31 04:18:54 wazuh-execd[23525] execd.c:147 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:16:54.697+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661919414.10653123","previous_output":"Aug 31 04:16:52 ubuntu-bionic sshd[26828]: Invalid user blimey from 192.168.56.23 port 50542\nAug 31 04:16:51 ubuntu-bionic sshd[26823]: Invalid user blimey from 192.168.56.23 port 50540\nAug 31 04:16:50 ubuntu-bionic sshd[26818]: Invalid user blimey from 192.168.56.23 port 50538\nAug 31 04:16:48 ubuntu-bionic sshd[26813]: Invalid user blimey from 192.168.56.23 port 50536\nAug 31 04:16:47 ubuntu-bionic sshd[26808]: Invalid user blimey from 192.168.56.23 port 50534\nAug 31 04:16:45 ubuntu-bionic sshd[26797]: Invalid user blimey from 192.168.56.23 port 50532\nAug 31 04:16:43 ubuntu-bionic sshd[26779]: Invalid user blimey from 192.168.56.23 port 50530","full_log":"Aug 31 04:16:53 ubuntu-bionic sshd[26833]: Invalid user blimey from 192.168.56.23 port 59720","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:16:53","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"59720","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' after a timeout of '120s'
```
Fourth ssh attack output log:

#### Start active-response

```
2022/08/31 04:20:37 wazuh-execd[23525] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '180s'
2022/08/31 04:20:37 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:20:38.639+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":5,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661919638.10667682","previous_output":"Aug 31 04:20:35 ubuntu-bionic sshd[27516]: Invalid user blimey from 192.168.56.23 port 57304\nAug 31 04:20:34 ubuntu-bionic sshd[27508]: Invalid user blimey from 192.168.56.23 port 57302\nAug 31 04:20:33 ubuntu-bionic sshd[27503]: Invalid user blimey from 192.168.56.23 port 57300\nAug 31 04:20:31 ubuntu-bionic sshd[27495]: Invalid user blimey from 192.168.56.23 port 58404\nAug 31 04:20:30 ubuntu-bionic sshd[27490]: Invalid user blimey from 192.168.56.23 port 58402\nAug 31 04:20:29 ubuntu-bionic sshd[27485]: Invalid user blimey from 192.168.56.23 port 58400\nAug 31 04:20:23 ubuntu-bionic sshd[27465]: Invalid user blimey from 192.168.56.23 port 58398","full_log":"Aug 31 04:20:37 ubuntu-bionic sshd[27521]: Invalid user blimey from 192.168.56.23 port 57306","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:20:37","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"57306","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' to the timeout list, with a timeout of '180s'.
```

#### End active-response

```
2022/08/31 04:23:38 wazuh-execd[23525] execd.c:147 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:20:38.639+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":5,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661919638.10667682","previous_output":"Aug 31 04:20:35 ubuntu-bionic sshd[27516]: Invalid user blimey from 192.168.56.23 port 57304\nAug 31 04:20:34 ubuntu-bionic sshd[27508]: Invalid user blimey from 192.168.56.23 port 57302\nAug 31 04:20:33 ubuntu-bionic sshd[27503]: Invalid user blimey from 192.168.56.23 port 57300\nAug 31 04:20:31 ubuntu-bionic sshd[27495]: Invalid user blimey from 192.168.56.23 port 58404\nAug 31 04:20:30 ubuntu-bionic sshd[27490]: Invalid user blimey from 192.168.56.23 port 58402\nAug 31 04:20:29 ubuntu-bionic sshd[27485]: Invalid user blimey from 192.168.56.23 port 58400\nAug 31 04:20:23 ubuntu-bionic sshd[27465]: Invalid user blimey from 192.168.56.23 port 58398","full_log":"Aug 31 04:20:37 ubuntu-bionic sshd[27521]: Invalid user blimey from 192.168.56.23 port 57306","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:20:37","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"57306","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' after a timeout of '180s'
```
Fifth ssh attack output log:

#### Start active-response

```
2022/08/31 04:24:26 wazuh-execd[23525] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '180s'
2022/08/31 04:24:26 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:24:27.061+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":6,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661919867.10681832","previous_output":"Aug 31 04:24:24 ubuntu-bionic sshd[28226]: Invalid user blimey from 192.168.56.23 port 41576\nAug 31 04:24:23 ubuntu-bionic sshd[28221]: Invalid user blimey from 192.168.56.23 port 41574\nAug 31 04:24:22 ubuntu-bionic sshd[28216]: Invalid user blimey from 192.168.56.23 port 41572\nAug 31 04:24:21 ubuntu-bionic sshd[28208]: Invalid user blimey from 192.168.56.23 port 49718\nAug 31 04:24:19 ubuntu-bionic sshd[28203]: Invalid user blimey from 192.168.56.23 port 49716\nAug 31 04:24:18 ubuntu-bionic sshd[28198]: Invalid user blimey from 192.168.56.23 port 49714\nAug 31 04:24:15 ubuntu-bionic sshd[28187]: Invalid user blimey from 192.168.56.23 port 49712","full_log":"Aug 31 04:24:26 ubuntu-bionic sshd[28231]: Invalid user blimey from 192.168.56.23 port 41578","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:24:26","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"41578","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' to the timeout list, with a timeout of '180s'.
```

#### End active-response

```
2022/08/31 04:27:27 wazuh-execd[23525] execd.c:147 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:24:27.061+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":6,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661919867.10681832","previous_output":"Aug 31 04:24:24 ubuntu-bionic sshd[28226]: Invalid user blimey from 192.168.56.23 port 41576\nAug 31 04:24:23 ubuntu-bionic sshd[28221]: Invalid user blimey from 192.168.56.23 port 41574\nAug 31 04:24:22 ubuntu-bionic sshd[28216]: Invalid user blimey from 192.168.56.23 port 41572\nAug 31 04:24:21 ubuntu-bionic sshd[28208]: Invalid user blimey from 192.168.56.23 port 49718\nAug 31 04:24:19 ubuntu-bionic sshd[28203]: Invalid user blimey from 192.168.56.23 port 49716\nAug 31 04:24:18 ubuntu-bionic sshd[28198]: Invalid user blimey from 192.168.56.23 port 49714\nAug 31 04:24:15 ubuntu-bionic sshd[28187]: Invalid user blimey from 192.168.56.23 port 49712","full_log":"Aug 31 04:24:26 ubuntu-bionic sshd[28231]: Invalid user blimey from 192.168.56.23 port 41578","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:24:26","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"41578","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' after a timeout of '180s'.
```
Sixth ssh attack output log (when the waiting time was longer than the last repeated_offenders timeout (> 3 min)):

#### Start active-response

```
2022/08/31 04:28:42 wazuh-execd[23525] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '180s'
2022/08/31 04:28:42 wazuh-execd[23525] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:28:43.561+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":7,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661920123.10695982","previous_output":"Aug 31 04:28:41 ubuntu-bionic sshd[29012]: Invalid user blimey from 192.168.56.23 port 44110\nAug 31 04:28:40 ubuntu-bionic sshd[29007]: Invalid user blimey from 192.168.56.23 port 44108\nAug 31 04:28:39 ubuntu-bionic sshd[29002]: Invalid user blimey from 192.168.56.23 port 44106\nAug 31 04:28:39 ubuntu-bionic sshd[29000]: Invalid user blimey from 192.168.56.23 port 44104\nAug 31 04:28:38 ubuntu-bionic sshd[28995]: Invalid user blimey from 192.168.56.23 port 44102\nAug 31 04:28:37 ubuntu-bionic sshd[28990]: Invalid user blimey from 192.168.56.23 port 44100\nAug 31 04:28:36 ubuntu-bionic sshd[28985]: Invalid user blimey from 192.168.56.23 port 44098","full_log":"Aug 31 04:28:41 ubuntu-bionic sshd[29014]: Invalid user blimey from 192.168.56.23 port 44112","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:28:41","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"44112","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' to the timeout list, with a timeout of '180s'.
```

#### End active-response

```
2022/08/31 04:31:43 wazuh-execd[23525] execd.c:147 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:28:43.561+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":7,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661920123.10695982","previous_output":"Aug 31 04:28:41 ubuntu-bionic sshd[29012]: Invalid user blimey from 192.168.56.23 port 44110\nAug 31 04:28:40 ubuntu-bionic sshd[29007]: Invalid user blimey from 192.168.56.23 port 44108\nAug 31 04:28:39 ubuntu-bionic sshd[29002]: Invalid user blimey from 192.168.56.23 port 44106\nAug 31 04:28:39 ubuntu-bionic sshd[29000]: Invalid user blimey from 192.168.56.23 port 44104\nAug 31 04:28:38 ubuntu-bionic sshd[28995]: Invalid user blimey from 192.168.56.23 port 44102\nAug 31 04:28:37 ubuntu-bionic sshd[28990]: Invalid user blimey from 192.168.56.23 port 44100\nAug 31 04:28:36 ubuntu-bionic sshd[28985]: Invalid user blimey from 192.168.56.23 port 44098","full_log":"Aug 31 04:28:41 ubuntu-bionic sshd[29014]: Invalid user blimey from 192.168.56.23 port 44112","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:28:41","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"44112","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' after a timeout of '180s'
```

Case 2: Timeout negative value.

manager-side configuration test

<timeout>-5</timeout>

There is no information in ossec.log about the negative value.

Test

First ssh attack output log (agent side):

2022/08/31 04:59:51 wazuh-execd[4395] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:59:52.256+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661921992.10741103","previous_output":"Aug 31 04:59:49 ubuntu-bionic sshd[4984]: Invalid user blimey from 192.168.56.23 port 56598\nAug 31 04:59:48 ubuntu-bionic sshd[4979]: Invalid user blimey from 192.168.56.23 port 56596\nAug 31 04:59:47 ubuntu-bionic sshd[4974]: Invalid user blimey from 192.168.56.23 port 56594\nAug 31 04:59:47 ubuntu-bionic sshd[4972]: Invalid user blimey from 192.168.56.23 port 56592\nAug 31 04:59:46 ubuntu-bionic sshd[4967]: Invalid user blimey from 192.168.56.23 port 56590\nAug 31 04:59:45 ubuntu-bionic sshd[4962]: Invalid user blimey from 192.168.56.23 port 56588\nAug 31 04:59:44 ubuntu-bionic sshd[4957]: Invalid user blimey from 192.168.56.23 port 56586","full_log":"Aug 31 04:59:50 ubuntu-bionic sshd[4989]: Invalid user blimey from 192.168.56.23 port 56600","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:59:50","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"56600","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' to the timeout list, with a timeout of '-5s'.
2022/08/31 04:59:51 wazuh-execd[4395] execd.c:147 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-08-31T04:59:52.256+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ubuntu1","ip":"FE80:0000:0000:0000:0077:D8FF:FE76:0EB8"},"manager":{"name":"ubuntu2"},"id":"1661921992.10741103","previous_output":"Aug 31 04:59:49 ubuntu-bionic sshd[4984]: Invalid user blimey from 192.168.56.23 port 56598\nAug 31 04:59:48 ubuntu-bionic sshd[4979]: Invalid user blimey from 192.168.56.23 port 56596\nAug 31 04:59:47 ubuntu-bionic sshd[4974]: Invalid user blimey from 192.168.56.23 port 56594\nAug 31 04:59:47 ubuntu-bionic sshd[4972]: Invalid user blimey from 192.168.56.23 port 56592\nAug 31 04:59:46 ubuntu-bionic sshd[4967]: Invalid user blimey from 192.168.56.23 port 56590\nAug 31 04:59:45 ubuntu-bionic sshd[4962]: Invalid user blimey from 192.168.56.23 port 56588\nAug 31 04:59:44 ubuntu-bionic sshd[4957]: Invalid user blimey from 192.168.56.23 port 56586","full_log":"Aug 31 04:59:50 ubuntu-bionic sshd[4989]: Invalid user blimey from 192.168.56.23 port 56600","predecoder":{"program_name":"sshd","timestamp":"Aug 31 04:59:50","hostname":"ubuntu-bionic"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.23","srcport":"56600","srcuser":"blimey"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' after a timeout of '-5s'

These log lines come out all together at the same time and the IP is not blocked (timeout = -5 does not take effect). The second attack and so on work as mentioned in the first case.

Case 3: Timeout valid where a repeated_offenders negative value.

<active-response>
  <disabled>no</disabled>
  <repeated_offenders>-1,2,3</repeated_offenders>
</active-response>

The ossec.log in the agent side:

2022/08/31 05:18:20 wazuh-execd[13455] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: -1 (for #1)
2022/08/31 05:18:20 wazuh-execd[13455] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 05:18:20 wazuh-execd[13455] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/08/31 05:18:20 wazuh-execd[13473] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: -1 (for #1)
2022/08/31 05:18:20 wazuh-execd[13473] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 05:18:20 wazuh-execd[13473] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)

Test

First ssh attack output log (agent side):

2022/09/14 17:37:19 wazuh-execd[3733] execd.c:379 at ExecdRun(): DEBUG: Adding command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-14T17:37:19.907+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-11-156","ip":"FE80:0000:0000:0000:0080:2CFF:FE31:5001"},"manager":{"name":"ip-172-31-3-33"},"id":"1663177039.1172393","previous_output":"Sep 14 17:37:18 ip-172-31-11-156 sshd[4654]: Invalid user fede from 172.31.6.132 port 34636\nSep 14 17:37:16 ip-172-31-11-156 sshd[4652]: Invalid user fede from 172.31.6.132 port 34634\nSep 14 17:37:15 ip-172-31-11-156 sshd[4650]: Invalid user fede from 172.31.6.132 port 34632\nSep 14 17:37:13 ip-172-31-11-156 sshd[4648]: Invalid user fede from 172.31.6.132 port 34630\nSep 14 17:37:11 ip-172-31-11-156 sshd[4646]: Invalid user fede from 172.31.6.132 port 34628\nSep 14 17:37:08 ip-172-31-11-156 sshd[4644]: Invalid user fede from 172.31.6.132 port 34626\nSep 14 17:36:57 ip-172-31-11-156 sshd[4641]: Invalid user fede from 172.31.6.132 port 34622","full_log":"Sep 14 17:37:19 ip-172-31-11-156 sshd[4656]: Invalid user fede from 172.31.6.132 port 34638","predecoder":{"program_name":"sshd","timestamp":"Sep 14 17:37:19","hostname":"ip-172-31-11-156"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.31.6.132","srcport":"34638","srcuser":"fede"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' to the timeout list, with a timeout of '5s'.
2022/09/14 17:37:25 wazuh-execd[3733] execd.c:147 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/host-deny {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-14T17:37:19.907+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system. Non existent user.","id":"5712","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8,"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss":["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-11-156","ip":"FE80:0000:0000:0000:0080:2CFF:FE31:5001"},"manager":{"name":"ip-172-31-3-33"},"id":"1663177039.1172393","previous_output":"Sep 14 17:37:18 ip-172-31-11-156 sshd[4654]: Invalid user fede from 172.31.6.132 port 34636\nSep 14 17:37:16 ip-172-31-11-156 sshd[4652]: Invalid user fede from 172.31.6.132 port 34634\nSep 14 17:37:15 ip-172-31-11-156 sshd[4650]: Invalid user fede from 172.31.6.132 port 34632\nSep 14 17:37:13 ip-172-31-11-156 sshd[4648]: Invalid user fede from 172.31.6.132 port 34630\nSep 14 17:37:11 ip-172-31-11-156 sshd[4646]: Invalid user fede from 172.31.6.132 port 34628\nSep 14 17:37:08 ip-172-31-11-156 sshd[4644]: Invalid user fede from 172.31.6.132 port 34626\nSep 14 17:36:57 ip-172-31-11-156 sshd[4641]: Invalid user fede from 172.31.6.132 port 34622","full_log":"Sep 14 17:37:19 ip-172-31-11-156 sshd[4656]: Invalid user fede from 172.31.6.132 port 34638","predecoder":{"program_name":"sshd","timestamp":"Sep 14 17:37:19","hostname":"ip-172-31-11-156"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.31.6.132","srcport":"34638","srcuser":"fede"},"location":"/var/log/auth.log"},"program":"active-response/bin/host-deny"}}' after a timeout of '5s'

The first attack was reflected in the agent-side ossec.log file, but the next attacks were not registered. On the other hand, the manager keeps getting alerts about the attacks.

Manager alerts.json file

{"timestamp":"2022-09-14T17:41:28.142+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110.001","T1021.004","T1078"],"tactic":["Credential Access","Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Password Guessing","SSH","Valid Accounts"]},"firedtimes":42,"mail":false,"groups":["syslog","sshd","authentication_failed","invalid_login"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-11-156","ip":"FE80:0000:0000:0000:0080:2CFF:FE31:5001"},"manager":{"name":"ip-172-31-3-33"},"id":"1663177288.1214723","full_log":"Sep 14 17:41:27 ip-172-31-11-156 sshd[4755]: Invalid user fede from 172.31.6.132 port 34718","predecoder":{"program_name":"sshd","timestamp":"Sep 14 17:41:27","hostname":"ip-172-31-11-156"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.31.6.132","srcport":"34718","srcuser":"fede"},"location":"/var/log/auth.log"}

Case 4: Repeat_offenders exceeds the established recurrence limit.

<active-response>
  <disabled>no</disabled>
  <repeated_offenders>1,2,3,4,5,6,7</repeated_offenders>
</active-response>

The ossec.log in the agent side:

2022/08/31 05:29:53 wazuh-execd[22804] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/08/31 05:29:53 wazuh-execd[22804] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 05:29:53 wazuh-execd[22804] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/08/31 05:29:53 wazuh-execd[22804] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 4 (for #4)
2022/08/31 05:29:53 wazuh-execd[22804] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 5 (for #5)
2022/08/31 05:29:53 wazuh-execd[22822] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/08/31 05:29:53 wazuh-execd[22822] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 05:29:53 wazuh-execd[22822] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/08/31 05:29:53 wazuh-execd[22822] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 4 (for #4)
2022/08/31 05:29:53 wazuh-execd[22822] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 5 (for #5)

Case 5: Repeat_offenders values are set more than once.

<active-response>
  <disabled>no</disabled>
  <repeated_offenders>1,2,3</repeated_offenders>
  <repeated_offenders>4,5</repeated_offenders>
</active-response>

The ossec.log in the agent side:

2022/08/31 06:01:09 wazuh-execd[30581] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/08/31 06:01:09 wazuh-execd[30581] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 06:01:09 wazuh-execd[30581] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/08/31 06:01:09 wazuh-execd[30597] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/08/31 06:01:09 wazuh-execd[30597] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/08/31 06:01:09 wazuh-execd[30597] config.c:140 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)

It takes the first repeated_offenders tag. This behavior is not expected, because the second repeated_offenders tag is supposed to overwrite the first appearance.
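To make the checks in these cases mechanical, here is an added example in Python (not code from wazuh or wazuh-qa): it reads the agent-side `<repeated_offenders>` list, derives the timeout sequence a repeat offender should receive (the manager's `<timeout>` first, then each list value in minutes), and verifies agent ossec.log debug lines against it. Everything it encodes about execd comes from observations in this thread: the first `<repeated_offenders>` tag wins (Case 5), only five values are loaded (Case 4), and negative values are accepted but ineffective (the negative timeout case and Case 3). What happens once the list is exhausted is not shown in any log, so the fallback to the base timeout is an assumption, as are the `MAX_REPEATED_OFFENDERS` constant and the shortened sample log lines, which are constructed in the shape of execd's debug output.

```python
"""Oracle for the repeated_offenders escalation in Wazuh execd logs.

Added example, not code from wazuh or wazuh-qa.  It derives the timeout
sequence one source IP should receive from the manager-side <timeout> and the
agent-side <repeated_offenders> list, then checks agent ossec.log debug lines
(execd debug level 1) against that sequence.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import List, Tuple

# Observed in this issue's Case 4 log: of seven configured values execd added #1..#5.
# The constant name is this example's own, not execd's.
MAX_REPEATED_OFFENDERS = 5

TS_FMT = "%Y/%m/%d %H:%M:%S"
ADD_RE = re.compile(r"^(\S+ \S+) .*ExecdRun\(\): DEBUG: Adding command '.*?' to the "
                    r"timeout list, with a timeout of '(-?\d+)s'")
EXEC_RE = re.compile(r"^(\S+ \S+) .*ExecdTimeoutRun\(\): DEBUG: Executing command '.*?' "
                     r"after a timeout of '(-?\d+)s'")
REPEAT_RE = re.compile(r"DEBUG: Repeated offender\. Setting timeout to '(-?\d+)s'")


def parse_repeated_offenders(active_response_xml: str) -> List[int]:
    """Minutes from the first <repeated_offenders> tag of an <active-response> block.
    First tag wins and at most five values load (thread's Cases 5 and 4)."""
    root = ET.fromstring(active_response_xml)
    tag = root.find("repeated_offenders")  # find() returns only the first match
    if tag is None or not tag.text:
        return []
    values = [int(v) for v in tag.text.split(",") if v.strip()]
    return values[:MAX_REPEATED_OFFENDERS]


def config_warnings(base_timeout: int, offenders: List[int]) -> List[str]:
    """Flag values that this thread showed to be accepted by execd but ineffective."""
    warnings = []
    if base_timeout < 0:
        warnings.append(f"timeout {base_timeout}s is negative: the response is reverted "
                        "immediately, so the IP is never blocked")
    for i, minutes in enumerate(offenders, 1):
        if minutes < 0:
            warnings.append(f"repeated_offenders #{i} = {minutes} is negative: loaded by "
                            "ExecdConfig, but later recurrences were not handled (Case 3)")
    return warnings


def expected_timeouts(base_timeout: int, offenders: List[int], alerts: int) -> List[int]:
    """Seconds applied to the 1st..nth alert from the same source IP.
    First alert: the manager's <timeout>; k-th recurrence: offenders[k-1] minutes.
    After the list is exhausted this example assumes the base timeout again."""
    out = []
    for previous in range(alerts):  # number of earlier alerts from this IP
        if previous == 0 or previous > len(offenders):
            out.append(base_timeout)
        else:
            out.append(offenders[previous - 1] * 60)
    return out


def check_log(log_lines: List[str], base_timeout: int, offenders: List[int]) -> List[str]:
    """Compare queued timeouts, revert delays and 'Repeated offender' lines with the plan."""
    problems: List[str] = []
    queued: List[int] = []                      # timeout of every queued revert, in order
    pending: List[Tuple[datetime, int]] = []    # (queued at, timeout) not yet reverted
    repeats: List[int] = []
    for line in log_lines:
        if m := ADD_RE.match(line):
            queued.append(int(m.group(2)))
            pending.append((datetime.strptime(m.group(1), TS_FMT), int(m.group(2))))
        elif (m := EXEC_RE.match(line)) and pending:
            queued_at, timeout = pending.pop(0)
            elapsed = (datetime.strptime(m.group(1), TS_FMT) - queued_at).total_seconds()
            # execd walks its timeout list about once per second, so allow a little slack
            if timeout > 0 and not timeout <= elapsed <= timeout + 2:
                problems.append(f"revert ran after {elapsed:.0f}s for a {timeout}s timeout")
        elif m := REPEAT_RE.search(line):
            repeats.append(int(m.group(1)))
    plan = expected_timeouts(base_timeout, offenders, len(queued))
    for n, (want, got) in enumerate(zip(plan, queued), 1):
        if want != got:
            problems.append(f"alert #{n}: queued timeout {got}s, expected {want}s")
    if repeats != queued[1:]:
        problems.append(f"'Repeated offender' timeouts {repeats} != recurrences {queued[1:]}")
    return problems


# Constructed sample: agent-side ossec.log lines in execd's debug format, with the
# alert JSON shortened to '{...}'.  Manager-side <timeout> is 5 seconds.
SAMPLE_LOG = """\
2022/09/13 17:06:41 wazuh-agent[580] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {...}' to the timeout list, with a timeout of '5s'.
2022/09/13 17:06:47 wazuh-agent[580] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {...}' after a timeout of '5s'
2022/09/13 17:06:56 wazuh-agent[580] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '60s'
2022/09/13 17:06:56 wazuh-agent[580] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {...}' to the timeout list, with a timeout of '60s'.
2022/09/13 17:07:57 wazuh-agent[580] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {...}' after a timeout of '60s'
2022/09/13 17:08:05 wazuh-agent[580] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '120s'
2022/09/13 17:08:05 wazuh-agent[580] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {...}' to the timeout list, with a timeout of '120s'.
2022/09/13 17:10:06 wazuh-agent[580] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {...}' after a timeout of '120s'
2022/09/13 17:10:18 wazuh-agent[580] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '180s'
2022/09/13 17:10:18 wazuh-agent[580] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {...}' to the timeout list, with a timeout of '180s'.
"""

# Constructed agent-side block with a duplicated tag, as in Case 5.
AGENT_CONF = """<active-response>
  <disabled>no</disabled>
  <repeated_offenders>1,2,3</repeated_offenders>
  <repeated_offenders>4,5</repeated_offenders>
</active-response>"""


def run_example() -> Tuple[List[int], List[str], List[str]]:
    """Offenders loaded, config warnings and log problems for the sample data."""
    offenders = parse_repeated_offenders(AGENT_CONF)  # [1, 2, 3]: second tag ignored
    warnings = config_warnings(5, offenders)
    problems = check_log(SAMPLE_LOG.splitlines(), 5, offenders)
    return offenders, warnings, problems


if __name__ == "__main__":
    print(run_example())
```

Run against the sample it reports no problems: 5s, 60s, 120s and 180s are queued in that order, each revert ran about one second after its timeout, and every recurrence was preceded by a matching "Repeated offender" line. Feeding it a different list (say `1,5,7`) makes the third and fourth alerts fail, which is the kind of mismatch the manual checks in the cases above are looking for.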

fedepacher commented 2 years ago

Update 2022/09/13

Manager-side configuration test

<active-response>
  <disabled>no</disabled>
  <command>netsh</command>
  <location>defined-agent</location>
  <agent_id>002</agent_id>
  <rules_id>60122</rules_id>
  <timeout>5</timeout>
</active-response>

Windows agent-side configuration test

<active-response>
  <disabled>no</disabled>
  <repeated_offenders>1,2,3</repeated_offenders>
</active-response>

local_internal_option configuration

Logs expected on the agent side (ossec.log)

2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 1 (for #1)
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 2 (for #2)
2022/08/30 15:57:16 wazuh-execd: INFO: Adding offenders timeout: 3 (for #3)

An RDP attack was attempted. To do so:

hydra -l <user> -p <wrong-password> rdp://<IP>

Case 1: If there is a recurrence before the timeout expires

For this case, the IP was expected to get blocked as follows:

Test

First RDP attack output log (agent side):

#### Start active-response

```
2022/09/13 17:06:41 wazuh-agent[580] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:06:41.252+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":1,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663088801.7374934","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:06:40.5779621Z","eventRecordID":"61809","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '5s'.
```

#### End active-response

```
2022/09/13 17:06:47 wazuh-agent[580] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:06:41.252+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":1,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663088801.7374934","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:06:40.5779621Z","eventRecordID":"61809","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '5s'
```
Second RDP attack output log (agent side):

#### Start active-response

```
2022/09/13 17:06:56 wazuh-agent[580] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '60s'
2022/09/13 17:06:56 wazuh-agent[580] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:06:56.400+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":2,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663088816.7399328","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:06:55.7351659Z","eventRecordID":"61810","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '60s'.
```

#### End active-response

```
2022/09/13 17:07:57 wazuh-agent[580] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:06:56.400+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":2,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663088816.7399328","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:06:55.7351659Z","eventRecordID":"61810","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '60s'
```
Third RDP attack output log (agent side):

#### Start active-response

```
2022/09/13 17:08:05 wazuh-agent[580] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '120s'
2022/09/13 17:08:05 wazuh-agent[580] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:08:04.808+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":3,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663088884.7423722","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:08:04.1630799Z","eventRecordID":"61811","processID":"712","threadID":"4100","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '120s'.
```

#### End active-response

```
2022/09/13 17:10:06 wazuh-agent[580] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:08:04.808+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":3,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663088884.7423722","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:08:04.1630799Z","eventRecordID":"61811","processID":"712","threadID":"4100","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '120s'
```
Fourth rdp attack output log (agent side):

#### Start active-response

```
2022/09/13 17:10:18 wazuh-agent[580] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '180s'
2022/09/13 17:10:18 wazuh-agent[580] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:10:17.996+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":4,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663089017.7448122","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:10:17.3354683Z","eventRecordID":"61812","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '180s'.
```

#### End active-response

```
2022/09/13 17:13:19 wazuh-agent[580] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:10:17.996+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":4,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663089017.7448122","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:10:17.3354683Z","eventRecordID":"61812","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '180s'
```
Fifth rdp attack output log (agent side):

#### Start active-response

```
2022/09/13 17:13:42 wazuh-agent[580] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '180s'
2022/09/13 17:13:42 wazuh-agent[580] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:13:42.268+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":5,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663089222.7487160","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:13:41.5911700Z","eventRecordID":"61817","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '180s'.
```

#### End active-response

```
2022/09/13 17:16:43 wazuh-agent[580] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:13:42.268+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":5,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663089222.7487160","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:13:41.5911700Z","eventRecordID":"61817","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '180s'
```
Sixth rdp attack (launched after waiting longer than the last timeout, > 3 min), output log (agent side):

#### Start active-response

```
2022/09/13 17:22:23 wazuh-agent[580] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '180s'
2022/09/13 17:22:23 wazuh-agent[580] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:22:23.366+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":6,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663089743.7511554","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:22:22.7141305Z","eventRecordID":"61818","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '180s'.
```

#### End active-response

```
2022/09/13 17:25:24 wazuh-agent[580] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:22:23.366+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":6,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663089743.7511554","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:22:22.7141305Z","eventRecordID":"61818","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '180s'
```

Case 2: Timeout negative value.

manager-side configuration test

```
<timeout>-5</timeout>
```

There is no information in ossec.log about the negative value.

Test

First rdp attack output log (agent side):

#### Start active-response

```
2022/09/13 17:54:21 wazuh-agent[1600] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:54:21.421+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":2,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663091661.7566626","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:54:20.7641548Z","eventRecordID":"61850","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '-5s'.
2022/09/13 17:54:22 wazuh-agent[1600] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:54:21.421+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":2,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663091661.7566626","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:54:20.7641548Z","eventRecordID":"61850","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '-5s'
```

#### End active-response

```
nothing here
```
Second RDP attack output log (agent side):

#### Start active-response

```
2022/09/13 17:57:03 wazuh-agent[1600] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '60s'
2022/09/13 17:57:03 wazuh-agent[1600] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:57:03.157+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":3,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663091823.7591020","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:57:02.4618801Z","eventRecordID":"61851","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '60s'.
```

#### End active-response

```
2022/09/13 17:58:04 wazuh-agent[1600] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:57:03.157+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":3,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663091823.7591020","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:57:02.4618801Z","eventRecordID":"61851","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '60s'
```
Third RDP attack output log (agent side):

#### Start active-response

```
2022/09/13 17:58:22 wazuh-agent[1600] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '120s'
2022/09/13 17:58:22 wazuh-agent[1600] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:58:21.795+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":4,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663091901.7606259","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:58:21.1377326Z","eventRecordID":"61852","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '120s'.
```

#### End active-response

```
2022/09/13 18:00:23 wazuh-agent[1600] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T17:58:21.795+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":4,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663091901.7606259","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T17:58:21.1377326Z","eventRecordID":"61852","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '120s'
```
Fourth RDP attack output log (agent side):

#### Start active-response

```
2022/09/13 18:00:40 wazuh-agent[1600] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '180s'
2022/09/13 18:00:40 wazuh-agent[1600] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T18:00:39.959+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":1,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092039.7630653","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:00:39.2187990Z","eventRecordID":"61853","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '180s'.
```

#### End active-response

```
2022/09/13 18:03:41 wazuh-agent[1600] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T18:00:39.959+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":1,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092039.7630653","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:00:39.2187990Z","eventRecordID":"61853","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '180s'
```

The first attack does not execute the active response.

Manager side (alerts.json for the first attack):

```
{"timestamp":"2022-09-13T18:04:40.424+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":2,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092280.7664880","full_log":"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"4625\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12544\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2022-09-13T18:04:39.6723561Z\",\"eventRecordID\":\"61864\",\"processID\":\"712\",\"threadID\":\"764\",\"channel\":\"Security\",\"computer\":\"EC2AMAZ-N9OLJ1L\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"An account failed to log on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nAccount For Which Logon Failed:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\tqa\\r\\n\\tAccount Domain:\\t\\t\\r\\n\\r\\nFailure Information:\\r\\n\\tFailure Reason:\\t\\tUnknown user name or bad password.\\r\\n\\tStatus:\\t\\t\\t0xC000006D\\r\\n\\tSub Status:\\t\\t0xC000006A\\r\\n\\r\\nProcess Information:\\r\\n\\tCaller Process ID:\\t0x0\\r\\n\\tCaller Process Name:\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\tip-172-31-1-106\\r\\n\\tSource Network Address:\\t172.31.1.106\\r\\n\\tSource Port:\\t\\t0\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tNtLmSsp \\r\\n\\tAuthentication Package:\\tNTLM\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\\r\\n\\r\\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe Process Information fields indicate which account and process on the system requested the logon.\\r\\n\\r\\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\\\"\"},\"eventdata\":{\"subjectUserSid\":\"S-1-0-0\",\"subjectLogonId\":\"0x0\",\"targetUserSid\":\"S-1-0-0\",\"targetUserName\":\"qa\",\"status\":\"0xc000006d\",\"failureReason\":\"%%2313\",\"subStatus\":\"0xc000006a\",\"logonType\":\"3\",\"logonProcessName\":\"NtLmSsp\",\"authenticationPackageName\":\"NTLM\",\"workstationName\":\"ip-172-31-1-106\",\"keyLength\":\"0\",\"processId\":\"0x0\",\"ipAddress\":\"172.31.1.106\",\"ipPort\":\"0\"}}}","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:04:39.6723561Z","eventRecordID":"61864","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"}
{"timestamp":"2022-09-13T18:04:41.179+0000","agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092281.7664880","full_log":"2022/09/13 18:04:40 active-response/bin/netsh.exe: Starting","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"location":"active-response\\active-responses.log"}
{"timestamp":"2022-09-13T18:04:41.179+0000","rule":{"level":3,"description":"Active response: active-response/bin/netsh.exe - add","id":"657","firedtimes":3,"mail":false,"groups":["ossec","active_response"],"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092281.7670973","full_log":"2022/09/13 18:04:40 active-response/bin/netsh.exe: {\"version\":1,\"origin\":{\"name\":\"node01\",\"module\":\"wazuh-execd\"},\"command\":\"add\",\"parameters\":{\"extra_args\":[],\"alert\":{\"timestamp\":\"2022-09-13T18:04:40.424+0000\",\"rule\":{\"level\":5,\"description\":\"Logon failure - Unknown user or bad password.\",\"id\":\"60122\",\"mitre\":{\"id\":[\"T1078\",\"T1531\"],\"tactic\":[\"Defense Evasion\",\"Persistence\",\"Privilege Escalation\",\"Initial Access\",\"Impact\"],\"technique\":[\"Valid Accounts\",\"Account Access Removal\"]},\"firedtimes\":2,\"mail\":false,\"groups\":[\"windows\",\"windows_security\",\"authentication_failed\"],\"gdpr\":[\"IV_32.2\",\"IV_35.7.d\"],\"gpg13\":[\"7.1\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AC.7\",\"AU.14\"],\"pci_dss\":[\"10.2.4\",\"10.2.5\"],\"tsc\":[\"CC6.1\",\"CC6.8\",\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"004\",\"name\":\"EC2AMAZ-N9OLJ1L\",\"ip\":\"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA\"},\"manager\":{\"name\":\"ip-172-31-0-15\"},\"id\":\"1663092280.7664545\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"4625\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12544\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2022-09-13T18:04:39.6723561Z\",\"eventRecordID\":\"61864\",\"processID\":\"712\",\"threadID\":\"764\",\"channel\":\"Security\",\"computer\":\"EC2AMAZ-N9OLJ1L\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"An account failed to log on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nAccount For Which Logon Failed:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\tqa\\r\\n\\tAccount Domain:\\t\\t\\r\\n\\r\\nFailure Information:\\r\\n\\tFailure Reason:\\t\\tUnknown user name or bad password.\\r\\n\\tStatus:\\t\\t\\t0xC000006D\\r\\n\\tSub Status:\\t\\t0xC000006A\\r\\n\\r\\nProcess Information:\\r\\n\\tCaller Process ID:\\t0x0\\r\\n\\tCaller Process Name:\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\tip-172-31-1-106\\r\\n\\tSource Network Address:\\t172.31.1.106\\r\\n\\tSource Port:\\t\\t0\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tNtLmSsp \\r\\n\\tAuthentication Package:\\tNTLM\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM 
only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\\r\\n\\r\\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe Process Information fields indicate which account and process on the system requested the logon.\\r\\n\\r\\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\\\"\"},\"eventdata\":{\"subjectUserSid\":\"S-1-0-0\",\"subjectLogonId\":\"0x0\",\"targetUserSid\":\"S-1-0-0\",\"targetUserName\":\"qa\",\"status\":\"0xc000006d\",\"failureReason\":\"%%2313\",\"subStatus\":\"0xc000006a\",\"logonType\":\"3\",\"logonProcessName\":\"NtLmSsp\",\"authenticationPackageName\":\"NTLM\",\"workstationName\":\"ip-172-31-1-106\",\"keyLength\":\"0\",\"processId\":\"0x0\",\"ipAddress\":\"172.31.1.106\",\"ipPort\":\"0\"}}},\"location\":\"EventChannel\"},\"program\":\"active-response/bin/netsh.exe\"}}","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"data":{"srcip":"172.31.1.106","version":"1","origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T18:04:40.424+0000","rule":{"level":"5","description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":"2","mail":"false","groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092280.7664545","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:04:39.6723561Z","eventRecordID":"61864","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An 
account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}},"location":"active-response\\active-responses.log"} {"timestamp":"2022-09-13T18:04:41.187+0000","agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092281.7670973","full_log":"2022/09/13 18:04:40 active-response/bin/netsh.exe: {\"version\":1,\"origin\":{\"name\":\"netsh.exe\",\"module\":\"active-response\"},\"command\":\"check_keys\",\"parameters\":{\"keys\":[\"172.31.1.106\"]}}","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"data":{"version":"1","origin":{"name":"netsh.exe","module":"active-response"},"command":"check_keys","parameters":{"keys":["172.31.1.106"]}},"location":"active-response\\active-responses.log"} {"timestamp":"2022-09-13T18:04:41.194+0000","agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092281.7670973","full_log":"2022/09/13 18:04:40 active-response/bin/netsh.exe: {\"version\":1,\"origin\":{\"name\":\"node01\",\"module\":\"wazuh-execd\"},\"command\":\"continue\",\"parameters\":{\"extra_args\":[],\"alert\":{\"timestamp\":\"2022-09-13T18:04:40.424+0000\",\"rule\":{\"level\":5,\"description\":\"Logon failure - Unknown user or bad password.\",\"id\":\"60122\",\"mitre\":{\"id\":[\"T1078\",\"T1531\"],\"tactic\":[\"Defense Evasion\",\"Persistence\",\"Privilege Escalation\",\"Initial Access\",\"Impact\"],\"technique\":[\"Valid Accounts\",\"Account Access 
Removal\"]},\"firedtimes\":2,\"mail\":false,\"groups\":[\"windows\",\"windows_security\",\"authentication_failed\"],\"gdpr\":[\"IV_32.2\",\"IV_35.7.d\"],\"gpg13\":[\"7.1\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AC.7\",\"AU.14\"],\"pci_dss\":[\"10.2.4\",\"10.2.5\"],\"tsc\":[\"CC6.1\",\"CC6.8\",\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"004\",\"name\":\"EC2AMAZ-N9OLJ1L\",\"ip\":\"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA\"},\"manager\":{\"name\":\"ip-172-31-0-15\"},\"id\":\"1663092280.7664545\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"4625\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12544\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2022-09-13T18:04:39.6723561Z\",\"eventRecordID\":\"61864\",\"processID\":\"712\",\"threadID\":\"764\",\"channel\":\"Security\",\"computer\":\"EC2AMAZ-N9OLJ1L\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"An account failed to log on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nAccount For Which Logon Failed:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\tqa\\r\\n\\tAccount Domain:\\t\\t\\r\\n\\r\\nFailure Information:\\r\\n\\tFailure Reason:\\t\\tUnknown user name or bad password.\\r\\n\\tStatus:\\t\\t\\t0xC000006D\\r\\n\\tSub Status:\\t\\t0xC000006A\\r\\n\\r\\nProcess Information:\\r\\n\\tCaller Process ID:\\t0x0\\r\\n\\tCaller Process Name:\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\tip-172-31-1-106\\r\\n\\tSource Network Address:\\t172.31.1.106\\r\\n\\tSource Port:\\t\\t0\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tNtLmSsp \\r\\n\\tAuthentication Package:\\tNTLM\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM 
only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\\r\\n\\r\\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe Process Information fields indicate which account and process on the system requested the logon.\\r\\n\\r\\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\\\"\"},\"eventdata\":{\"subjectUserSid\":\"S-1-0-0\",\"subjectLogonId\":\"0x0\",\"targetUserSid\":\"S-1-0-0\",\"targetUserName\":\"qa\",\"status\":\"0xc000006d\",\"failureReason\":\"%%2313\",\"subStatus\":\"0xc000006a\",\"logonType\":\"3\",\"logonProcessName\":\"NtLmSsp\",\"authenticationPackageName\":\"NTLM\",\"workstationName\":\"ip-172-31-1-106\",\"keyLength\":\"0\",\"processId\":\"0x0\",\"ipAddress\":\"172.31.1.106\",\"ipPort\":\"0\"}}},\"location\":\"EventChannel\"},\"program\":\"active-response/bin/netsh.exe\"}}","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"data":{"srcip":"172.31.1.106","version":"1","origin":{"name":"node01","module":"wazuh-execd"},"command":"continue","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T18:04:40.424+0000","rule":{"level":"5","description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access 
Removal"]},"firedtimes":"2","mail":"false","groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092280.7664545","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:04:39.6723561Z","eventRecordID":"61864","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}},"location":"active-response\\active-responses.log"} {"timestamp":"2022-09-13T18:04:41.210+0000","agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092281.7670973","full_log":"2022/09/13 18:04:40 active-response/bin/netsh.exe: Ended","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"location":"active-response\\active-responses.log"} 
{"timestamp":"2022-09-13T18:04:45.192+0000","agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092285.7670973","full_log":"2022/09/13 18:04:41 active-response/bin/netsh.exe: Starting","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"location":"active-response\\active-responses.log"} {"timestamp":"2022-09-13T18:04:45.192+0000","rule":{"level":3,"description":"Active response: active-response/bin/netsh.exe - delete","id":"657","firedtimes":4,"mail":false,"groups":["ossec","active_response"],"pci_dss":["11.4"],"gdpr":["IV_35.7.d"],"nist_800_53":["SI.4"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3","CC7.4"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092285.7680119","full_log":"2022/09/13 18:04:41 active-response/bin/netsh.exe: {\"version\":1,\"origin\":{\"name\":\"node01\",\"module\":\"wazuh-execd\"},\"command\":\"delete\",\"parameters\":{\"extra_args\":[],\"alert\":{\"timestamp\":\"2022-09-13T18:04:40.424+0000\",\"rule\":{\"level\":5,\"description\":\"Logon failure - Unknown user or bad password.\",\"id\":\"60122\",\"mitre\":{\"id\":[\"T1078\",\"T1531\"],\"tactic\":[\"Defense Evasion\",\"Persistence\",\"Privilege Escalation\",\"Initial Access\",\"Impact\"],\"technique\":[\"Valid Accounts\",\"Account Access 
Removal\"]},\"firedtimes\":2,\"mail\":false,\"groups\":[\"windows\",\"windows_security\",\"authentication_failed\"],\"gdpr\":[\"IV_32.2\",\"IV_35.7.d\"],\"gpg13\":[\"7.1\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AC.7\",\"AU.14\"],\"pci_dss\":[\"10.2.4\",\"10.2.5\"],\"tsc\":[\"CC6.1\",\"CC6.8\",\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"004\",\"name\":\"EC2AMAZ-N9OLJ1L\",\"ip\":\"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA\"},\"manager\":{\"name\":\"ip-172-31-0-15\"},\"id\":\"1663092280.7664545\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"4625\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12544\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2022-09-13T18:04:39.6723561Z\",\"eventRecordID\":\"61864\",\"processID\":\"712\",\"threadID\":\"764\",\"channel\":\"Security\",\"computer\":\"EC2AMAZ-N9OLJ1L\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"An account failed to log on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nAccount For Which Logon Failed:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\tqa\\r\\n\\tAccount Domain:\\t\\t\\r\\n\\r\\nFailure Information:\\r\\n\\tFailure Reason:\\t\\tUnknown user name or bad password.\\r\\n\\tStatus:\\t\\t\\t0xC000006D\\r\\n\\tSub Status:\\t\\t0xC000006A\\r\\n\\r\\nProcess Information:\\r\\n\\tCaller Process ID:\\t0x0\\r\\n\\tCaller Process Name:\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\tip-172-31-1-106\\r\\n\\tSource Network Address:\\t172.31.1.106\\r\\n\\tSource Port:\\t\\t0\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tNtLmSsp \\r\\n\\tAuthentication Package:\\tNTLM\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM 
only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\\r\\n\\r\\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe Process Information fields indicate which account and process on the system requested the logon.\\r\\n\\r\\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\\\"\"},\"eventdata\":{\"subjectUserSid\":\"S-1-0-0\",\"subjectLogonId\":\"0x0\",\"targetUserSid\":\"S-1-0-0\",\"targetUserName\":\"qa\",\"status\":\"0xc000006d\",\"failureReason\":\"%%2313\",\"subStatus\":\"0xc000006a\",\"logonType\":\"3\",\"logonProcessName\":\"NtLmSsp\",\"authenticationPackageName\":\"NTLM\",\"workstationName\":\"ip-172-31-1-106\",\"keyLength\":\"0\",\"processId\":\"0x0\",\"ipAddress\":\"172.31.1.106\",\"ipPort\":\"0\"}}},\"location\":\"EventChannel\"},\"program\":\"active-response/bin/netsh.exe\"}}","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"data":{"srcip":"172.31.1.106","version":"1","origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T18:04:40.424+0000","rule":{"level":"5","description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access 
Removal"]},"firedtimes":"2","mail":"false","groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092280.7664545","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:04:39.6723561Z","eventRecordID":"61864","processID":"712","threadID":"764","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}},"location":"active-response\\active-responses.log"} {"timestamp":"2022-09-13T18:04:45.206+0000","agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092285.7680119","full_log":"2022/09/13 18:04:41 active-response/bin/netsh.exe: Ended","decoder":{"parent":"ar_log_json","name":"ar_log_json"},"location":"active-response\\active-responses.log"}
```

Case 3: Valid timeout with a negative repeated_offenders value.

```xml
<active-response>
  <disabled>no</disabled>
  <repeated_offenders>-1,2,3</repeated_offenders>
</active-response>
```

The ossec.log on the agent side:

```
2022/09/13 18:10:36 wazuh-agent[4460] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: -1 (for #1)
2022/09/13 18:10:36 wazuh-agent[4460] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/09/13 18:10:36 wazuh-agent[4460] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
```
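An added example, not code from this wazuh-qa issue or from Wazuh itself, that turns the checks in the use cases into something runnable against agent logs of the kind quoted here. It parses the `Adding offenders timeout: N (for #k)` lines from ExecdConfig(), flags entries that are not a positive number of minutes (the open question in Case 3, where the agent log above shows -1 being accepted), and compares the timeouts execd logs (`with a timeout of 'Ns'` and the `Repeated offender. Setting timeout to '%ds'` message from the issue description) against the progression described in Case 1: the configured timeout first, then each repeated_offenders entry in order, then the configured timeout again once the list is exhausted. Assumptions: the configured timeout is in seconds as the execd log shows, repeated_offenders entries are in minutes, the sample log lines are constructed from the formats on this page (the `Repeated offender` line and its file:line prefix are placeholders, since the issue gives only the message format), and the treatment of non-positive entries is a QA assertion rather than documented Wazuh behaviour.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regexes target the wazuh-agent ossec.log lines quoted in this issue and the
# "Repeated offender" debug message given in the issue description.
OFFENDER_CFG_RE = re.compile(r"Adding offenders timeout: (-?\d+) \(for #(\d+)\)")
TIMEOUT_ADD_RE = re.compile(r"with a timeout of '(\d+)s'")
REPEATED_RE = re.compile(r"Repeated offender\. Setting timeout to '(\d+)s'")

# Constructed sample: the three ExecdConfig() lines from Case 3 above, one
# ExecdRun() timeout line in the page's format (alert JSON shortened), and one
# constructed "Repeated offender" line whose file:line prefix is a placeholder.
SAMPLE_LOG = """\
2022/09/13 18:10:36 wazuh-agent[4460] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: -1 (for #1)
2022/09/13 18:10:36 wazuh-agent[4460] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/09/13 18:10:36 wazuh-agent[4460] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/09/13 18:11:30 wazuh-agent[4460] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"command":"add"}' to the timeout list, with a timeout of '5s'.
2022/09/13 18:11:40 wazuh-agent[4460] execd.c:000 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '120s'
"""


def parse_offenders_config(log: str) -> List[int]:
    """repeated_offenders entries (minutes) as ExecdConfig() logged them, in #k order."""
    found: Dict[int, int] = {}
    for line in log.splitlines():
        m = OFFENDER_CFG_RE.search(line)
        if m:
            found[int(m.group(2))] = int(m.group(1))
    return [found[k] for k in sorted(found)]


def invalid_offender_entries(offenders: List[int]) -> List[Tuple[int, int]]:
    """(position, value) for entries that are not a positive number of minutes.
    Constructed QA policy: the agent log in Case 3 shows -1 being accepted, so
    the check has to catch it here rather than rely on the agent rejecting it."""
    return [(i + 1, v) for i, v in enumerate(offenders) if v <= 0]


def expected_timeouts(timeout_s: int, offenders_min: List[int],
                      occurrences: int) -> List[Optional[int]]:
    """Expected timeout in seconds for occurrences 1..n of the same source.
    Rule taken from Case 1 of the issue: occurrence 1 gets the configured
    timeout, occurrence k+1 gets repeated_offenders[k] (minutes), and once the
    list is exhausted the configured timeout applies again. A non-positive
    entry has no defined expectation and yields None."""
    result: List[Optional[int]] = []
    for occurrence in range(1, occurrences + 1):
        idx = occurrence - 2
        if 0 <= idx < len(offenders_min):
            minutes = offenders_min[idx]
            result.append(minutes * 60 if minutes > 0 else None)
        else:
            result.append(timeout_s)
    return result


def observed_timeouts(log: str) -> List[int]:
    """Timeouts in seconds in the order execd logged them, taken from both the
    'to the timeout list' line and the 'Repeated offender' message."""
    out: List[int] = []
    for line in log.splitlines():
        m = TIMEOUT_ADD_RE.search(line) or REPEATED_RE.search(line)
        if m:
            out.append(int(m.group(1)))
    return out


def check_progression(log: str, timeout_s: int) -> List[str]:
    """Compare observed against expected timeouts; an empty list means pass."""
    offenders = parse_offenders_config(log)
    findings = [f"repeated_offenders #{pos} is {val}: not a positive number of minutes"
                for pos, val in invalid_offender_entries(offenders)]
    observed = observed_timeouts(log)
    expected = expected_timeouts(timeout_s, offenders, len(observed))
    for n, (obs, exp) in enumerate(zip(observed, expected), start=1):
        if exp is not None and obs != exp:
            findings.append(f"occurrence {n}: logged timeout {obs}s, expected {exp}s")
    return findings


if __name__ == "__main__":
    for finding in check_progression(SAMPLE_LOG, timeout_s=5) or ["no findings"]:
        print(finding)
```

Run against a real ossec.log with the configured timeout as the second argument; the only finding for the constructed sample is the -1 entry, and replacing it with a positive value makes the observed 5s/120s progression match the expectation.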

Test

First RDP attack output log (agent side):

#### Start active-response

```
2022/09/13 18:11:30 wazuh-agent[4460] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T18:11:30.284+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":1,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092690.7692752","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:11:29.5951960Z","eventRecordID":"61885","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess 
Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '5s'. ``` #### End active-response ``` 2022/09/13 18:11:36 wazuh-agent[4460] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T18:11:30.284+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access 
Removal"]},"firedtimes":1,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092690.7692752","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:11:29.5951960Z","eventRecordID":"61885","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '5s' ```
Second RDP attack output log (agent side):

#### Start active-response

```
2022/09/13 18:11:54 wazuh-agent[4460] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '-60s'
2022/09/13 18:11:54 wazuh-agent[4460] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T18:11:53.770+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":2,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092713.7717146","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:11:53.1222326Z","eventRecordID":"61886","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '-60s'.
```

#### End active-response

```
2022/09/13 18:11:55 wazuh-agent[4460] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T18:11:53.770+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":2,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092713.7717146","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:11:53.1222326Z","eventRecordID":"61886","processID":"712","threadID":"808","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '-60s'
```
Third RDP attack output log (agent side):

#### Start active-response

```
2022/09/13 18:12:26 wazuh-agent[4460] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. Setting timeout to '120s'
2022/09/13 18:12:26 wazuh-agent[4460] execd.c:375 at ExecdRun(): DEBUG: Adding command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T18:12:26.342+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":3,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092746.7732385","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:12:25.6867211Z","eventRecordID":"61887","processID":"712","threadID":"1400","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' to the timeout list, with a timeout of '120s'.
```

#### End active-response

```
2022/09/13 18:14:27 wazuh-agent[4460] execd.c:143 at ExecdTimeoutRun(): DEBUG: Executing command 'active-response/bin/netsh.exe {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"delete","parameters":{"extra_args":[],"alert":{"timestamp":"2022-09-13T18:12:26.342+0000","rule":{"level":5,"description":"Logon failure - Unknown user or bad password.","id":"60122","mitre":{"id":["T1078","T1531"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access","Impact"],"technique":["Valid Accounts","Account Access Removal"]},"firedtimes":3,"mail":false,"groups":["windows","windows_security","authentication_failed"],"gdpr":["IV_32.2","IV_35.7.d"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:3CE9:E64B:C186:0DFA"},"manager":{"name":"ip-172-31-0-15"},"id":"1663092746.7732385","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2022-09-13T18:12:25.6867211Z","eventRecordID":"61887","processID":"712","threadID":"1400","channel":"Security","computer":"EC2AMAZ-N9OLJ1L","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tqa\r\n\tAccount Domain:\t\t\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tip-172-31-1-106\r\n\tSource Network Address:\t172.31.1.106\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"qa","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"ip-172-31-1-106","keyLength":"0","processId":"0x0","ipAddress":"172.31.1.106","ipPort":"0"}}},"location":"EventChannel"},"program":"active-response/bin/netsh.exe"}}' after a timeout of '120s'
```

Case 4: Repeat_offenders exceeds the established recurrence limit.

Agent configuration

```
<active-response>
  <disabled>no</disabled>
  <repeated_offenders>1,2,3,4,5,6,7</repeated_offenders>
</active-response>
```

Test

The ossec.log on the agent side:

```
2022/09/14 12:43:25 wazuh-agent[6000] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/09/14 12:43:25 wazuh-agent[6000] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/09/14 12:43:25 wazuh-agent[6000] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
2022/09/14 12:43:25 wazuh-agent[6000] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 4 (for #4)
2022/09/14 12:43:25 wazuh-agent[6000] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 5 (for #5)
```

Case 5: Repeat_offenders values are set more than once.

Agent configuration

```
<active-response>
  <disabled>no</disabled>
  <repeated_offenders>1,2,3</repeated_offenders>
  <repeated_offenders>4,5</repeated_offenders>
</active-response>
```

Test

The ossec.log on the agent side:

```
2022/09/14 13:44:52 wazuh-agent[4512] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 1 (for #1)
2022/09/14 13:44:52 wazuh-agent[4512] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 2 (for #2)
2022/09/14 13:44:52 wazuh-agent[4512] config.c:139 at ExecdConfig(): INFO: Adding offenders timeout: 3 (for #3)
```

It takes the first repeated_offenders tag. This behavior is not expected, because the second repeated_offenders tag is supposed to overwrite the first appearance.
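As an added example, not code from this issue or from the Wazuh code base, the Python below models the timeout progression the test cases above expect, validates a repeated_offenders value before the agent loads it, and scans execd debug lines for the negative timeout seen in the second RDP attack. The function names, the five-entry cap (taken from the Case 4 log) and the shortened log lines are all assumptions or constructed test data.

```python
import re
from typing import Dict, List

# Assumption drawn from Case 4 above: the agent loads at most five entries.
MAX_OFFENDER_ENTRIES = 5

# Hypothetical helper: the timeout (seconds) the AR should apply on the
# given recurrence. Recurrence 0 is the first trigger and uses the command's
# own <timeout> in seconds; recurrence k >= 1 uses entry k of the
# repeated_offenders list, which is expressed in minutes; once the list is
# exhausted the configured timeout applies again (Case 1 and Case 4 checks).
def expected_timeout_seconds(base_timeout: int, offenders: List[int], recurrence: int) -> int:
    if recurrence <= 0 or recurrence > len(offenders):
        return base_timeout
    return offenders[recurrence - 1] * 60


# Hypothetical helper: configuration problems for one <repeated_offenders>
# value. The second attack above shows a negative entry being accepted and
# turned into a '-60s' timeout, so it is flagged here before deployment.
def validate_repeated_offenders(raw: str) -> List[str]:
    problems: List[str] = []
    entries = [e.strip() for e in raw.split(",")]
    for e in entries:
        if not e.lstrip("-").isdigit():
            problems.append(f"non-numeric entry {e!r}")
        elif int(e) < 0:
            problems.append(f"negative entry {e}")
    if len(entries) > MAX_OFFENDER_ENTRIES:
        problems.append(f"{len(entries)} entries, only {MAX_OFFENDER_ENTRIES} are loaded")
    return problems


REPEAT_RE = re.compile(r"Repeated offender\. Setting timeout to '(-?\d+)s'")
ADD_RE = re.compile(r"with a timeout of '(-?\d+)s'")


# Hypothetical helper: one record per command added to the timeout list,
# with the timeout the agent actually applied, whether it was a repeated
# offender, and an ok flag that fails on a zero or negative timeout.
def scan_execd_log(lines: List[str]) -> List[Dict]:
    records: List[Dict] = []
    pending_repeat = False
    for line in lines:
        if REPEAT_RE.search(line):
            pending_repeat = True
            continue
        m = ADD_RE.search(line)
        if m:
            secs = int(m.group(1))
            records.append({"timeout": secs, "repeated": pending_repeat, "ok": secs > 0})
            pending_repeat = False
    return records


# Constructed from the three triggers above; the JSON alert body is elided.
SAMPLE_LOG = [
    "2022/09/13 18:11:30 wazuh-agent[4460] execd.c:375 at ExecdRun(): DEBUG: Adding command "
    "'active-response/bin/netsh.exe {...}' to the timeout list, with a timeout of '5s'.",
    "2022/09/13 18:11:54 wazuh-agent[4460] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. "
    "Setting timeout to '-60s'",
    "2022/09/13 18:11:54 wazuh-agent[4460] execd.c:375 at ExecdRun(): DEBUG: Adding command "
    "'active-response/bin/netsh.exe {...}' to the timeout list, with a timeout of '-60s'.",
    "2022/09/13 18:12:26 wazuh-agent[4460] execd.c:325 at ExecdRun(): DEBUG: Repeated offender. "
    "Setting timeout to '120s'",
    "2022/09/13 18:12:26 wazuh-agent[4460] execd.c:375 at ExecdRun(): DEBUG: Adding command "
    "'active-response/bin/netsh.exe {...}' to the timeout list, with a timeout of '120s'.",
]

if __name__ == "__main__":
    print(validate_repeated_offenders("1,-1,4"))
    print([expected_timeout_seconds(3, [1, 5, 7], k) for k in range(5)])
    for rec in scan_execd_log(SAMPLE_LOG):
        print(rec)
```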

juliamagan commented 1 year ago

Blocked by https://github.com/wazuh/wazuh/issues/15171