
Sysmon Event 3: Not all logs are exported to Wazuh #10

Open
AndrewRi opened this issue Mar 9, 2023 · 0 comments

Comments


AndrewRi commented Mar 9, 2023

Greetings!

I am using the latest version of Sysmon along with olafhartong's sysmonconfig.xml configuration https://github.com/olafhartong/sysmon-modula. Wazuh rules 102101-MITER_TECHNIQUES_FROM_SYSMON_EVENT3.xml are also installed on the server.

In the Event Viewer, I see the logs I need when establishing connections to remote computers.

For example, there are two logs (both have RuleName: technique_id=T1021,technique_name=Remote Services): when establishing a connection through the TOTALCMD.EXE and RDCMan.exe processes, respectively.

Network connection detected:
RuleName: technique_id=T1021,technique_name=Remote Services
UtcTime: 2023-03-09 04:09:05.149
ProcessGuid: {a5bd8803-5bc3-6409-9402-000000005400}
ProcessId: 8924
Image: C:\Program Files\totalcmd\TOTALCMD.EXE
User: XXX
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 1.2.3.4
SourceHostname: -
SourcePort: 3272
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 1.2.3.5
DestinationHostname: -
DestinationPort: 22
DestinationPortName: -

Network connection detected:
RuleName: technique_id=T1021,technique_name=Remote Services
UtcTime: 2023-03-09 03:36:23.588
ProcessGuid: {a5bd8803-4fea-6409-1302-000000005400}
ProcessId: 3864
Image: C:\Users\XXX\Desktop\RDCMan.exe
User: XXX
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 1.2.3.4
SourceHostname: -
SourcePort: 2283
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 1.2.3.5
DestinationHostname: -
DestinationPort: 3389
DestinationPortName: -

Wazuh only accepts logs from TOTALCMD.EXE for some reason. I can't figure out what's wrong. Are there any suggestions as to what might be wrong with your rules?

{
  "agent": {
    "ip": "XXX",
    "name": "XXX",
    "id": "XXX"
  },
  "manager": {
    "name": "YYY"
  },
  "data": {
    "win": {
      "eventdata": {
        "destinationPort": "22",
        "image": "C:\\\\Program Files\\\\totalcmd\\\\TOTALCMD.EXE",
        "sourcePort": "3272",
        "initiated": "true",
        "destinationIp": "1.2.3.4",
        "protocol": "tcp",
        "processGuid": "{a5bd8803-5bc3-6409-9402-000000005400}",
        "sourceIp": "1.2.3.5",
        "processId": "8924",
        "utcTime": "2023-03-09 04:09:05.149",
        "ruleName": "technique_id=T1021,technique_name=Remote Services",
        "destinationIsIpv6": "false",
        "user": "USER",
        "sourceIsIpv6": "false"
      },
      "system": {
        "eventID": "3",
        "keywords": "0x8000000000000000",
        "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
        "level": "4",
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "opcode": "0",
        "message": "\"Network connection detected:\r\nRuleName: technique_id=T1021,technique_name=Remote Services\r\nUtcTime: 2023-03-09 04:09:05.149\r\nProcessGuid: {a5bd8803-5bc3-6409-9402-000000005400}\r\nProcessId: 8924\r\nImage: C:\\Program Files\\totalcmd\\TOTALCMD.EXE\r\nUser: USER\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 1.2.3.4\r\nSourceHostname: -\r\nSourcePort: 3272\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 1.2.3.5\r\nDestinationHostname: -\r\nDestinationPort: 22\r\nDestinationPortName: -\"",
        "version": "5",
        "systemTime": "2023-03-09T04:09:05.7444044Z",
        "eventRecordID": "676177",
        "threadID": "5196",
        "computer": "COMPUTER",
        "task": "3",
        "processID": "3404",
        "severityValue": "INFORMATION",
        "providerName": "Microsoft-Windows-Sysmon"
      }
    }
  },
  "rule": {
    "firedtimes": 1,
    "mail": false,
    "level": 3,
    "description": "Sysmon - Event 3: Network connection by C:\\\\Program Files\\\\totalcmd\\\\TOTALCMD.EXE",
    "groups": [
      "windows",
      "sysmon",
      "sysmon_event3"
    ],
    "mitre": {
      "technique": [
        "Remote Services"
      ],
      "id": [
        "T1021"
      ],
      "tactic": [
        "Lateral Movement"
      ]
    },
    "id": "102101"
  },
  "decoder": {
    "name": "windows_eventchannel"
  },
  "input": {
    "type": "log"
  },
  "@timestamp": "2023-03-09T04:09:05.911Z",
  "location": "EventChannel",
  "id": "1678334945.1197067230",
  "timestamp": "2023-03-09T14:09:05.911+1000",
  "_id": "xNSOxIYB1j_ez_bU7kDA"
}
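As an added example (not code from the issue, nor from the Sysmon or Wazuh projects): a small Python parser for the Sysmon Event ID 3 message text quoted above, used to diff the TOTALCMD.EXE and RDCMan.exe events field by field so that the fields a rule could be keying on stand out. Both events are reconstructed from the issue text; no rule content is assumed.

```python
"""Parse Sysmon Event ID 3 message text and diff two events field by field."""

# Both events are constructed from the text of the issue above (user redacted).
EVENT_TOTALCMD = (
    "Network connection detected:\r\n"
    "RuleName: technique_id=T1021,technique_name=Remote Services\r\n"
    "UtcTime: 2023-03-09 04:09:05.149\r\n"
    "ProcessGuid: {a5bd8803-5bc3-6409-9402-000000005400}\r\n"
    "ProcessId: 8924\r\nImage: C:\\Program Files\\totalcmd\\TOTALCMD.EXE\r\n"
    "User: XXX\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\n"
    "SourceIp: 1.2.3.4\r\nSourceHostname: -\r\nSourcePort: 3272\r\n"
    "SourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 1.2.3.5\r\n"
    "DestinationHostname: -\r\nDestinationPort: 22\r\nDestinationPortName: -"
)
EVENT_RDCMAN = (
    "Network connection detected:\r\n"
    "RuleName: technique_id=T1021,technique_name=Remote Services\r\n"
    "UtcTime: 2023-03-09 03:36:23.588\r\n"
    "ProcessGuid: {a5bd8803-4fea-6409-1302-000000005400}\r\n"
    "ProcessId: 3864\r\nImage: C:\\Users\\XXX\\Desktop\\RDCMan.exe\r\n"
    "User: XXX\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\n"
    "SourceIp: 1.2.3.4\r\nSourceHostname: -\r\nSourcePort: 2283\r\n"
    "SourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 1.2.3.5\r\n"
    "DestinationHostname: -\r\nDestinationPort: 3389\r\nDestinationPortName: -"
)


def parse_sysmon_message(message: str) -> dict:
    """Turn the 'Key: value' lines of a Sysmon message into a dict.
    The first line ('Network connection detected:') is kept under 'Title'."""
    lines = [ln for ln in message.replace("\r\n", "\n").split("\n") if ln.strip()]
    fields = {"Title": lines[0].rstrip(":")}
    for line in lines[1:]:
        # Split on the first ': ' only; paths such as 'C:\...' contain no ': '.
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_rule_name(rule_name: str) -> dict:
    """Split 'technique_id=T1021,technique_name=Remote Services' into a dict."""
    return dict(part.split("=", 1) for part in rule_name.split(",") if "=" in part)


def diff_events(a: dict, b: dict) -> dict:
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for k, v in diff_events(parse_sysmon_message(EVENT_TOTALCMD),
                            parse_sysmon_message(EVENT_RDCMAN)).items():
        print(f"{k}: {v[0]!r} != {v[1]!r}")
```

Running it shows that RuleName, Protocol, Initiated and the IP fields are identical in both events; only Image, the ports, the process identifiers and the timestamp differ, which narrows where a rule match could diverge.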