wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Extra backslash on eventchannel #4509

Open JcabreraC opened 4 years ago

JcabreraC commented 4 years ago
Wazuh version: v3.11.1
Component: EventChannel
Install type: win agent

When we generate eventChannel alerts, we find extra backslashes in the processName field. When that information comes from Windows, it should appear with its correct path, like C:\Windows\System32\winlogon.exe. However, the folder paths now contain an additional backslash after each folder name, such as C:\\Windows\\System32\\winlogon.exe.

Output alert.log

** Alert 1580127053.479192: - windows, windows_security,authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,
2020 Jan 27 13:10:53 (vm-win7) 10.0.0.7->EventChannel
Rule: 60106 (level 3) -> 'Windows Logon Success'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-01-27T12:10:51.673398400Z","eventRecordID":"25759160","processID":"488","threadID":"2384","channel":"Security","computer":"vm-win7","severityValue":"AUDIT_SUCCESS","message":"\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tVM-WIN7$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nLogon Type:\t\t\t7\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-113165128-1553860840-679742685-1000\r\n\tAccount Name:\t\tvagrant\r\n\tAccount Domain:\t\tVM-WIN7\r\n\tLogon ID:\t\t0x262d39\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1b8\r\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tVM-WIN7\r\n\tSource Network Address:\t127.0.0.1\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tUser32 \r\n\tAuthentication Package:\tNegotiate\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"VM-WIN7$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","targetUserSid":"S-1-5-21-113165128-1553860840-679742685-1000","targetUserName":"vagrant","targetDomainName":"VM-WIN7","targetLogonId":"0x262d39","logonType":"7","logonProcessName":"User32","authenticationPackageName":"Negotiate","workstationName":"VM-WIN7","logonGuid":"{00000000-0000-0000-0000-000000000000}","keyLength":"0","processId":"0x1b8","processName":"C:\\\\Windows\\\\System32\\\\winlogon.exe","ipAddress":"127.0.0.1","ipPort":"0"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-A5BA-3E3B0328C30D}
win.system.eventID: 4624
win.system.version: 0
win.system.level: 0
win.system.task: 12544
win.system.opcode: 0
win.system.keywords: 0x8020000000000000
win.system.systemTime: 2020-01-27T12:10:51.673398400Z
win.system.eventRecordID: 25759160
win.system.processID: 488
win.system.threadID: 2384
win.system.channel: Security
win.system.computer: vm-win7
win.system.severityValue: AUDIT_SUCCESS
win.system.message: "An account was successfully logged on.
Subject:
    Security ID:        S-1-5-18
    Account Name:       VM-WIN7$
    Account Domain:     WORKGROUP
    Logon ID:       0x3e7
Logon Type:         7
New Logon:
    Security ID:        S-1-5-21-113165128-1553860840-679742685-1000
    Account Name:       vagrant
    Account Domain:     VM-WIN7
    Logon ID:       0x262d39
    Logon GUID:     {00000000-0000-0000-0000-000000000000}
Process Information:
    Process ID:     0x1b8
    Process Name:       C:\Windows\System32\winlogon.exe
Network Information:
    Workstation Name:   VM-WIN7
    Source Network Address: 127.0.0.1
    Source Port:        0
Detailed Authentication Information:
    Logon Process:      User32 
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
win.eventdata.subjectUserSid: S-1-5-18
win.eventdata.subjectUserName: VM-WIN7$
win.eventdata.subjectDomainName: WORKGROUP
win.eventdata.subjectLogonId: 0x3e7
win.eventdata.targetUserSid: S-1-5-21-113165128-1553860840-679742685-1000
win.eventdata.targetUserName: vagrant
win.eventdata.targetDomainName: VM-WIN7
win.eventdata.targetLogonId: 0x262d39
win.eventdata.logonType: 7
win.eventdata.logonProcessName: User32
win.eventdata.authenticationPackageName: Negotiate
win.eventdata.workstationName: VM-WIN7
win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000}
win.eventdata.keyLength: 0
win.eventdata.processId: 0x1b8
win.eventdata.processName: C:\\Windows\\System32\\winlogon.exe
win.eventdata.ipAddress: 127.0.0.1
win.eventdata.ipPort: 0

Output alert.json

{"timestamp":"2020-01-27T13:10:53.702+0100","rule":{"level":3,"description":"Windows Logon Success","id":"60106","firedtimes":2,"mail":false,"groups":["windows"," windows_security","authentication_success"],"pci_dss":["10.2.5"],"gpg13":["7.1","7.2"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"]},"agent":{"id":"006","name":"vm-win7","ip":"10.0.2.15"},"manager":{"name":"cabrera-Machine"},"id":"1580127053.479192","cluster":{"name":"wazuh","node":"master_node"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2020-01-27T12:10:51.673398400Z","eventRecordID":"25759160","processID":"488","threadID":"2384","channel":"Security","computer":"vm-win7","severityValue":"AUDIT_SUCCESS","message":"\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tVM-WIN7$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nLogon Type:\t\t\t7\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-113165128-1553860840-679742685-1000\r\n\tAccount Name:\t\tvagrant\r\n\tAccount Domain:\t\tVM-WIN7\r\n\tLogon ID:\t\t0x262d39\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1b8\r\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tVM-WIN7\r\n\tSource Network Address:\t127.0.0.1\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tUser32 \r\n\tAuthentication Package:\tNegotiate\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"VM-WIN7$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","targetUserSid":"S-1-5-21-113165128-1553860840-679742685-1000","targetUserName":"vagrant","targetDomainName":"VM-WIN7","targetLogonId":"0x262d39","logonType":"7","logonProcessName":"User32","authenticationPackageName":"Negotiate","workstationName":"VM-WIN7","logonGuid":"{00000000-0000-0000-0000-000000000000}","keyLength":"0","processId":"0x1b8","processName":"C:\\\\Windows\\\\System32\\\\winlogon.exe","ipAddress":"127.0.0.1","ipPort":"0"}}},"location":"EventChannel"
chemamartinez commented 4 years ago

Hi @JcabreraC,

Have you checked the behavior since this change? I think it can be related to the modification of the function replace_win_format().

Regards.

rhysxevans commented 4 years ago

Hi

I am seeing this behavior on 3.11.3

Thanks

branchnetconsulting commented 2 years ago

This is still happening in Wazuh 4.2.5. It's not only a cosmetic issue, but also complicates attempts to use Sigma rules against Wazuh alerts stored in Elasticsearch, because many Sigma rules reference file paths containing single rather than double backslashes. Is there anything in particular that would prevent us from cleaning this up?

branchnetconsulting commented 2 years ago

Example Sigma rule that is incompatible with Wazuh-stored Windows events: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml
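Added example (not from this issue thread or the Wazuh code base), in Python, using a constructed alert fragment modelled on the alerts.json output above. It shows that the double-escaped processName decodes to two literal backslashes, so an exact-match comparison of the kind a Sigma rule makes against the plain Windows path fails until the stored value is normalized, and it includes an audit helper that lists the fields of a decoded alert carrying doubled backslashes.

```python
import json
import re

# Constructed fragment modelled on the alerts.json record in this issue: the
# decoder has escaped each backslash twice, so the JSON text carries four
# backslashes per path separator and decodes to two literal backslashes.
DOUBLE_ESCAPED = (
    r'{"win":{"eventdata":{"processName":'
    r'"C:\\\\Windows\\\\System32\\\\winlogon.exe"}}}'
)
# The same record encoded correctly (two backslashes per separator in JSON).
CORRECT = (
    r'{"win":{"eventdata":{"processName":'
    r'"C:\\Windows\\System32\\winlogon.exe"}}}'
)
# Plain Windows path, as a Sigma rule's Image/ProcessName selector states it.
EXPECTED_PATH = r"C:\Windows\System32\winlogon.exe"

def process_name(alert_json):
    """Return the decoded win.eventdata.processName string from alert JSON."""
    return json.loads(alert_json)["win"]["eventdata"]["processName"]

def normalize_win_path(value):
    """Collapse runs of backslashes to a single one, undoing the double escape."""
    return re.sub(r"\\{2,}", r"\\", value)

def sigma_path_matches(alert_json, expected=EXPECTED_PATH, normalize=False):
    """Emulate a Sigma exact-match selector on the stored processName value.
    Without normalization the doubled backslashes make the comparison fail."""
    value = process_name(alert_json)
    if normalize:
        value = normalize_win_path(value)
    return value.lower() == expected.lower()

def doubled_backslash_fields(alert_json):
    """Audit a decoded alert: list dotted field paths whose string value holds
    two adjacent backslashes, the symptom this issue reports."""
    def walk(obj, path):
        hits = []
        if isinstance(obj, dict):
            for key, val in obj.items():
                hits.extend(walk(val, f"{path}.{key}" if path else key))
        elif isinstance(obj, str) and "\\\\" in obj:
            hits.append(path)
        return hits
    return walk(json.loads(alert_json), "")
```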

jctello commented 2 years ago

@chemamartinez I can confirm this is still present in 4.2.5 and 4.3.0-RC. As mentioned by @branchnetconsulting, this, on top of being a visual issue, can also break integrations with external software.

ccMatze commented 4 months ago

I can confirm the issue is still present in 4.8.0. Any chances to see a fix here soon?