wazuh-ruleset
Regex changes for msauth
Changed the regex as suggested here ...
https://github.com/wazuh/wazuh-ruleset/pull/125 ... Works perfectly for the German version. I will try to check more language versions of clients soon.
Hi @ervet ,
We already added the PR https://github.com/wazuh/wazuh-ruleset/pull/125.
So, your change would be: from:
ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0
to:
ID:\s+%{S-1-1-0}|\s*ID:\s+S-1-1-0
The \s* is not really needed because both regexes are going to match if there is at least one space before "ID".
Thanks, Jesus.
Hi Jesus,
thanks for the email.
That is true ... But as reported in issue 125 on GitHub, in the English version it is called Security ID, so the regex you suggested is ok. But for example in German it is called Sicherheits-ID, so my regex with the \s* catches both languages. Or am I missing something here?
And there is another "bug": at rule 18217 the fix is missing.
Many greetings, Erik
2018-05-14 14:58 GMT+02:00 Jesús Linares [email protected]:
> Hi @ervet https://github.com/ervet ,
> We already added the PR #125 https://github.com/wazuh/wazuh-ruleset/pull/125.
> So, your change would be: from:
> ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0
> to:
> ID:\s+%{S-1-1-0}|\s*ID:\s+S-1-1-0
> The \s* is not really needed because both regexes are going to match if there is at least one space before "ID".
> Thanks, Jesus.
Hi @ervet,
OK, I see your point, the goal is to capture Security ID: and Sicherheits-ID:. I will check it.
Thanks! Jesus.
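The point Erik raises above, as an added example that is not part of the thread or of the wazuh-ruleset project: the second alternative of the two rule regexes is run over an English and a German wording of the same field. The events are constructed, and the patterns are approximate Python translations of OSSEC regex (which is not PCRE), so `\s` is rendered as Python whitespace and the `%{S-1-1-0}` alternative is left out.

```python
import re

# Constructed sample fragments (not from the thread's logtest output): the English
# and the German wording of the same Windows event field, as described in the thread.
EVENT_EN = "Subject: Security ID: S-1-1-0 Account Name: SANITIZED$"
EVENT_DE = "Subject: Sicherheits-ID: S-1-1-0 Account Name: SANITIZED$"

# Approximate Python translations of the second alternative of the two rule regexes
# under discussion. Assumption: OSSEC/Wazuh regex is not PCRE, so \s is rendered
# as Python whitespace; the %{S-1-1-0} alternative is left out of this example.
WITH_LITERAL_SPACE = re.compile(r" ID:\s+S-1-1-0")   # " ID:" needs a space before "ID"
WITH_SPACE_STAR = re.compile(r"\s*ID:\s+S-1-1-0")    # "\s*ID:" also accepts "-ID:"


def matches(pattern, event):
    """Return True when the rule-style pattern is found anywhere in the event."""
    return pattern.search(event) is not None


def compare():
    """Run both alternatives over both events; keys are (pattern, language)."""
    return {
        ("literal_space", "en"): matches(WITH_LITERAL_SPACE, EVENT_EN),
        ("literal_space", "de"): matches(WITH_LITERAL_SPACE, EVENT_DE),
        ("space_star", "en"): matches(WITH_SPACE_STAR, EVENT_EN),
        ("space_star", "de"): matches(WITH_SPACE_STAR, EVENT_DE),
    }


if __name__ == "__main__":
    for (pattern, lang), hit in compare().items():
        print(f"{pattern:14s} {lang}: {'match' if hit else 'no match'}")
```

The alternative with a literal space misses "Sicherheits-ID:" because a dash, not a space, precedes "ID". Note that in an unanchored search `\s*ID:` is equivalent to plain `ID:`, so what the change really does is drop the mandatory space; the trade-off is that any other label ending in "ID:" followed by that SID will match too.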
Hello @ervet,
We have been testing the rules and they are right, great job. We greatly appreciate the efforts and contributions the community makes to help us improve.
We have to consider the option of also changing the decoders because even if the rules work well and are activated correctly, the information we get in the decoder is wrong and we should check it.
For example:
- Security ID:
2018 Jul 07 00:11:46 WinEvtLog: Security: AUDIT_SUCCESS(4732): Microsoft-Windows-Security-Auditing: (no user): no domain: Sanitized: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: SANITIZED$ Account Domain: SANITIZED Logon ID: 0x3E7 Member: Security ID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
**Phase 1: Completed pre-decoding.
full event: '2018 Jul 07 00:11:46 WinEvtLog: Security: AUDIT_SUCCESS(4732): Microsoft-Windows-Security-Auditing: (no user): no domain: Sanitized: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: SANITIZED$ Account Domain: SANITIZED Logon ID: 0x3E7 Member: Security ID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -'
timestamp: '2018 Jul 07 00:11:46'
hostname: 'manager'
program_name: 'WinEvtLog'
log: 'Security: AUDIT_SUCCESS(4732): Microsoft-Windows-Security-Auditing: (no user): no domain: Sanitized: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: SANITIZED$ Account Domain: SANITIZED Logon ID: 0x3E7 Member: Security ID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -'
**Phase 2: Completed decoding.
decoder: 'windows'
type: 'Security'
status: 'AUDIT_SUCCESS'
id: '4732'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'Sanitized'
subject.security_id: 'S-1-5-18'
subject.account_name: 'SANITIZED$'
subject.account_domain: 'SANITIZED'
subject.logon_id: '0x3E7'
security_id: 'S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx'
account_domain: 'SANITIZED'
**Phase 3: Completed filtering (rules).
Rule id: '18217'
Level: '12'
Description: 'Windows: Administrators Group Changed'
Info - Text: 'http://support.microsoft.com/kb/243330'
**Alert to be generated.
- Security-ID:
2018 Jul 07 00:11:46 WinEvtLog: Security: AUDIT_SUCCESS(4732): Microsoft-Windows-Security-Auditing: (no user): no domain: Sanitized: A member was added to a security-enabled local group. Subject: Security-ID: S-1-5-18 Account Name: SANITIZED$ Account Domain: SANITIZED Logon ID: 0x3E7 Member: Security-ID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx Account Name: - Group: Security-ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
**Phase 1: Completed pre-decoding.
full event: '2018 Jul 07 00:11:46 WinEvtLog: Security: AUDIT_SUCCESS(4732): Microsoft-Windows-Security-Auditing: (no user): no domain: Sanitized: A member was added to a security-enabled local group. Subject: Security-ID: S-1-5-18 Account Name: SANITIZED$ Account Domain: SANITIZED Logon ID: 0x3E7 Member: Security-ID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx Account Name: - Group: Security-ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -'
timestamp: '2018 Jul 07 00:11:46'
hostname: 'manager'
program_name: 'WinEvtLog'
log: 'Security: AUDIT_SUCCESS(4732): Microsoft-Windows-Security-Auditing: (no user): no domain: Sanitized: A member was added to a security-enabled local group. Subject: Security-ID: S-1-5-18 Account Name: SANITIZED$ Account Domain: SANITIZED Logon ID: 0x3E7 Member: Security-ID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx Account Name: - Group: Security-ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -'
**Phase 2: Completed decoding.
decoder: 'windows'
type: 'Security'
status: 'AUDIT_SUCCESS'
id: '4732'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'Sanitized'
account_name: 'SANITIZED$'
account_domain: 'SANITIZED'
**Phase 3: Completed filtering (rules).
Rule id: '18217'
Level: '12'
Description: 'Windows: Administrators Group Changed'
Info - Text: 'http://support.microsoft.com/kb/243330'
**Alert to be generated.
As we can see, in both cases we get the same rule activated in front of each event, but in phase two "complete decoding" we do not get the information correctly when we have a dash. This is because of the decoders.
For example:
<decoder name="windows_fields">
<type>windows</type>
<parent>windows</parent>
<regex>Subject\s*:\t*\s*Security ID:\t*\s*(\S\S+)\t*\s*Account Name:\t*\s*(\S\S+)\t*\s*Account Domain:\t*\s*(\S\S+)\t*\s*Logon ID:\t*\s*(\S\S+)</regex>
<order>subject.security_id, subject.account_name, subject.account_domain, subject.logon_id</order>
</decoder>
<decoder name="windows_fields">
<type>windows</type>
<parent>windows</parent>
<regex offset="after_regex">Security ID:\t*\s*(\S\S+)</regex>
<order>security_id</order>
</decoder>
Most probably we will merge this PR with a parallel branch that we will create specifically. Then we will change the decoders and merge the branch with the Master. We cannot say for sure because in the future we will get the windows events in JSON format and the obtaining of each field will be trivial, facilitating and improving the functioning of the ruleset #905.
Thank you very much for your collaboration.
Kind regards,
Alfonso Ruiz-Bravo
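The decoder behaviour Alfonso describes, as an added example that is not part of the thread or of the wazuh-ruleset project: the two `windows_fields` decoder regexes quoted above are emulated in Python and run over the "Security ID:" and "Security-ID:" events from the logtest output, plus a third event with the German "Sicherheits-ID:" label. The events are constructed (SIDs invented), the patterns are approximate Python translations of OSSEC regex, the `offset="after_regex"` behaviour is emulated by searching only after the first match, and the dash-tolerant variants are hypothetical, not the project's fix.

```python
import re

# Constructed events modelled on the logtest samples above (message body only, SIDs
# invented); the third one uses the German label mentioned earlier in the thread.
EVENT_SPACE = (
    "Subject: Security ID: S-1-5-18 Account Name: SANITIZED$ Account Domain: SANITIZED "
    "Logon ID: 0x3E7 Member: Security ID: S-1-5-21-1111111111-2222222222-3333333333-1234 "
    "Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators"
)
EVENT_DASH = EVENT_SPACE.replace("Security ID:", "Security-ID:")
EVENT_DE = EVENT_SPACE.replace("Security ID:", "Sicherheits-ID:")

# Field order from the first decoder's <order> element.
SUBJECT_ORDER = ["subject.security_id", "subject.account_name",
                 "subject.account_domain", "subject.logon_id"]

# Approximate Python translations of the two windows_fields decoder regexes quoted
# above. Assumption: OSSEC regex is not PCRE; \t*\s* is rendered as \s*, \S\S+ kept.
SUBJECT_RE = re.compile(
    r"Subject\s*:\s*Security ID:\s*(\S\S+)\s*Account Name:\s*(\S\S+)"
    r"\s*Account Domain:\s*(\S\S+)\s*Logon ID:\s*(\S\S+)"
)
MEMBER_RE = re.compile(r"Security ID:\s*(\S\S+)")

# Hypothetical dash-tolerant variants (not the project's fix): accept "Security ID:"
# or "Security-ID:". OSSEC regex has no character classes, so a real decoder would
# need an alternation rather than [ -].
SUBJECT_RE_TOLERANT = re.compile(SUBJECT_RE.pattern.replace("Security ID:", "Security[ -]ID:"))
MEMBER_RE_TOLERANT = re.compile(MEMBER_RE.pattern.replace("Security ID:", "Security[ -]ID:"))


def decode(event, subject_re=SUBJECT_RE, member_re=MEMBER_RE):
    """Emulate the two decoders: the subject block first, then the member SID
    searched only after the subject match (the offset="after_regex" behaviour)."""
    fields = {}
    m = subject_re.search(event)
    if m is None:
        return fields                      # nothing extracted, as in the dash case above
    fields.update(zip(SUBJECT_ORDER, m.groups()))
    m2 = member_re.search(event, m.end())  # continue after the subject block
    if m2 is not None:
        fields["security_id"] = m2.group(1)
    return fields


if __name__ == "__main__":
    for label, event in [("space", EVENT_SPACE), ("dash", EVENT_DASH), ("german", EVENT_DE)]:
        print(label, "original:", decode(event))
        print(label, "tolerant:", decode(event, SUBJECT_RE_TOLERANT, MEMBER_RE_TOLERANT))
```

With the original patterns the dashed event yields no `subject.*` fields and no `security_id`, which is what the second logtest run above shows. The tolerant variants recover them, but still extract nothing from the German wording: any decoder keyed on English label text is brittle across client languages, which is why the JSON event format mentioned above makes field extraction trivial.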