wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

Adding rules for Sysmon ID 20 events #3468

Closed 72nomada closed 1 year ago

72nomada commented 2 years ago
| Target version | Related issue | Related PR |
| -------- | -------- | -------- |
| 4.4.0 | https://github.com/wazuh/wazuh-qa/issues/3396 | https://github.com/wazuh/wazuh/pull/13673 |

Adding rules for Sysmon ID 20 events

juliamagan commented 1 year ago

Tester review

Tester PR commit
@juliamagan https://github.com/wazuh/wazuh/pull/13673/commits/b0a1c2f4cf3e225916b1c534c47fdb98cb0fbf04

Testing environment

| OS | OS version | Deployment | Image/AMI | Notes |
| -------- | -------- | -------- | -------- | -------- |
| CentOS | CentOS 8 | Vagrant | qactl/centos_8 | |

Tested packages

wazuh-manager
4.4.0

Conclusion

juliamagan commented 1 year ago

Testing results

Changes reflected in PR description :green_circle: ![image](https://user-images.githubusercontent.com/80041853/200805266-80ca635c-225b-4f01-b941-da54dc9f5db1.png)
runtests.py :green_circle:
| Component | Tested | Total | Coverage |
| -------- | -------- | -------- | -------- |
| Rules | 1188 | 4116 | 28.86% |
| Decoders | 120 | 165 | 72.73% |

| File | Passed | Failed | Status |
| -------- | -------- | -------- | -------- |
| ./tests/sysmon.ini | 25 | 0 | ✅ |
| ./tests/proftpd.ini | 7 | 0 | ✅ |
| ./tests/fortimail.ini | 6 | 0 | ✅ |
| ./tests/dovecot.ini | 15 | 0 | ✅ |
| ./tests/test_expr_negation.ini | 56 | 0 | ✅ |
| ./tests/exim.ini | 7 | 0 | ✅ |
| ./tests/win_application.ini | 0 | 0 | ✅ |
| ./tests/gcp.ini | 31 | 0 | ✅ |
| ./tests/pix.ini | 22 | 0 | ✅ |
| ./tests/cpanel.ini | 7 | 0 | ✅ |
| ./tests/sophos.ini | 8 | 0 | ✅ |
| ./tests/syslog.ini | 6 | 0 | ✅ |
| ./tests/checkpoint_smart1.ini | 18 | 0 | ✅ |
| ./tests/nextcloud.ini | 8 | 0 | ✅ |
| ./tests/iptables.ini | 8 | 0 | ✅ |
| ./tests/samba.ini | 4 | 0 | ✅ |
| ./tests/cisco_asa.ini | 88 | 0 | ✅ |
| ./tests/dropbear.ini | 3 | 0 | ✅ |
| ./tests/systemd.ini | 2 | 0 | ✅ |
| ./tests/SonicWall.ini | 11 | 0 | ✅ |
| ./tests/vsftpd.ini | 4 | 0 | ✅ |
| ./tests/firewalld.ini | 2 | 0 | ✅ |
| ./tests/mailscanner.ini | 1 | 0 | ✅ |
| ./tests/owlh.ini | 4 | 0 | ✅ |
| ./tests/fortiauth.ini | 4 | 0 | ✅ |
| ./tests/cisco_ios.ini | 17 | 0 | ✅ |
| ./tests/vuln_detector.ini | 2 | 0 | ✅ |
| ./tests/sysmon_eid_20.ini | 2 | 0 | ✅ |
| ./tests/openldap.ini | 9 | 0 | ✅ |
| ./tests/kernel_usb.ini | 6 | 0 | ✅ |
| ./tests/auditd.ini | 31 | 0 | ✅ |
| ./tests/glpi.ini | 3 | 0 | ✅ |
| ./tests/f5_big_ip.ini | 48 | 0 | ✅ |
| ./tests/mcafee_epo.ini | 1 | 0 | ✅ |
| ./tests/opensmtpd.ini | 7 | 0 | ✅ |
| ./tests/sudo.ini | 8 | 0 | ✅ |
| ./tests/unbound.ini | 0 | 0 | ✅ |
| ./tests/netscreen.ini | 4 | 0 | ✅ |
| ./tests/php.ini | 2 | 0 | ✅ |
| ./tests/doas.ini | 4 | 0 | ✅ |
| ./tests/pam.ini | 5 | 0 | ✅ |
| ./tests/arbor.ini | 2 | 0 | ✅ |
| ./tests/office365.ini | 128 | 0 | ✅ |
| ./tests/paloalto.ini | 16 | 0 | ✅ |
| ./tests/test_osregex_regex.ini | 28 | 0 | ✅ |
| ./tests/fortigate.ini | 45 | 0 | ✅ |
| ./tests/ossec.ini | 5 | 0 | ✅ |
| ./tests/web_rules.ini | 10 | 0 | ✅ |
| ./tests/oscap.ini | 32 | 0 | ✅ |
| ./tests/exchange.ini | 2 | 0 | ✅ |
| ./tests/squid_rules.ini | 2 | 0 | ✅ |
| ./tests/cisco_ftd.ini | 42 | 0 | ✅ |
| ./tests/sophos_fw.ini | 10 | 0 | ✅ |
| ./tests/github.ini | 324 | 0 | ✅ |
| ./tests/postfix.ini | 2 | 0 | ✅ |
| ./tests/audit_scp.ini | 8 | 0 | ✅ |
| ./tests/api.ini | 21 | 0 | ✅ |
| ./tests/rsh.ini | 2 | 0 | ✅ |
| ./tests/apparmor.ini | 5 | 0 | ✅ |
| ./tests/nginx.ini | 12 | 0 | ✅ |
| ./tests/named.ini | 5 | 0 | ✅ |
| ./tests/test_pcre2_regex.ini | 33 | 0 | ✅ |
| ./tests/fortiddos.ini | 1 | 0 | ✅ |
| ./tests/openvpn_ldap.ini | 2 | 0 | ✅ |
| ./tests/cimserver.ini | 2 | 0 | ✅ |
| ./tests/test_osmatch_regex.ini | 6 | 0 | ✅ |
| ./tests/freepbx.ini | 6 | 0 | ✅ |
| ./tests/overwrite.ini | 10 | 0 | ✅ |
| ./tests/sshd.ini | 48 | 0 | ✅ |
| ./tests/junos.ini | 3 | 0 | ✅ |
| ./tests/modsecurity.ini | 6 | 0 | ✅ |
| ./tests/pfsense.ini | 2 | 0 | ✅ |
| ./tests/test_features.ini | 5 | 0 | ✅ |
| ./tests/cloudflare-waf.ini | 13 | 0 | ✅ |
| ./tests/web_appsec.ini | 31 | 0 | ✅ |
| ./tests/huawei_usg.ini | 3 | 0 | ✅ |
| ./tests/su.ini | 5 | 0 | ✅ |
| ./tests/apache.ini | 12 | 0 | ✅ |
| ./tests/gitlab.ini | 27 | 0 | ✅ |
| ./tests/aws_s3_access.ini | 10 | 0 | ✅ |
| ./tests/test_static_filters.ini | 28 | 0 | ✅ |
| ./tests/eset.ini | 8 | 0 | ✅ |
| ./tests/fireeye.ini | 3 | 0 | ✅ |
| ./tests/panda_paps.ini | 8 | 0 | ✅ |

Rule 89501 :green_circle:
- Fields:
  - `type` :green_circle: : Type of event consumer
- Description: :green_circle:

Rule 89502 :yellow_circle:
- Fields:
  - `destination` :yellow_circle: : Process executed by the consumer

    Could the destination be any executable? For example, [here](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020), the destination is `evil.exe`.
- Description: :green_circle:

fabamatic commented 1 year ago

Setting other executables should be covered by 89501. 89502 only exists to raise the alert level when extra scary command interpreters are registered. Probably the description could be improved, and it looks like the if_group tag is superfluous.
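
The two-tier logic described in this comment (every WMI consumer registration reported in a Sysmon Event ID 20 record is covered by 89501; 89502 exists only to escalate when the registered destination is a command interpreter) can be illustrated with a small classifier. The following Python is an added example, not the Wazuh ruleset and not code from this thread: the interpreter list, the flat `type`/`destination` keys, and the sample events are assumptions constructed for the illustration, and the real rules' alert levels are not reproduced because the thread does not state them.

```python
"""Classify Sysmon Event ID 20 (WMI event consumer) records into the two
tiers this thread describes.  Added illustration; not the Wazuh rules."""
import re

# Assumed list of command interpreters; the actual list used by rule 89502
# is not shown in the thread.
COMMAND_INTERPRETERS = frozenset({
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
})

# First token of a command line: either a quoted path or a run of non-space.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

# Constructed sample events in the shape the thread discusses (a `type` and a
# `destination` field). These are not real log records.
SAMPLE_EVENTS = [
    {"type": "Command Line",
     "destination": r'"C:\Program Files\Tool\CMD.EXE" /c C:\ProgramData\job.bat'},
    {"type": "Command Line",
     "destination": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\ProgramData\job.ps1"},
    {"type": "Command Line",
     "destination": r"C:\ProgramData\updater.exe --quiet"},
    {"type": "Script", "destination": ""},
]


def executable_name(destination: str) -> str:
    """Return the lower-cased file name of the program a consumer would run.

    Handles quoted paths with spaces, forward or backward slashes, and an
    empty destination (returns "")."""
    match = _FIRST_TOKEN.match(destination or "")
    if not match:
        return ""
    path = match.group(1) or match.group(2)
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: dict) -> dict:
    """Map one EID 20 event to the rule tier the thread describes.

    89501: any consumer registration (the catch-all tier).
    89502: the destination executable is a known command interpreter."""
    exe = executable_name(event.get("destination", ""))
    escalated = exe in COMMAND_INTERPRETERS
    return {
        "rule": 89502 if escalated else 89501,
        "type": event.get("type"),
        "executable": exe,
        "escalated": escalated,
    }


def summarize(events: list) -> dict:
    """Count how many events land in each tier."""
    counts = {89501: 0, 89502: 0}
    for event in events:
        counts[classify(event)["rule"]] += 1
    return counts


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev))
    print(summarize(SAMPLE_EVENTS))
```

The classifier matches only the base name of the first token, so a renamed copy of an interpreter or an arbitrary binary such as the `evil.exe` in the tester's link falls through to 89501. That is exactly why the catch-all tier has to exist: 89502 adds severity for the obvious cases, it does not replace coverage of every consumer registration.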

juliamagan commented 1 year ago

Testing after requested changes


Results

Rule 89502 :green_circle:
- Fields:
  - `destination` :green_circle:

Conclusion :green_circle:

Everything has been fixed

jmv74211 commented 1 year ago

Closing conclusion 👍🏼

🟢 Solved

The development is approved taking into account the following considerations:

(1) Improve destination field from rule 89502. 🟢