Fix documentation for "MITRE ATT&CK framework". Section "Customization" #7567

Closed
matias-braida opened this issue Jul 24, 2024 · 5 comments
Labels: level/task (Task issue), type/bug (Bug issue)

@matias-braida (Member)

During wazuh/wazuh#24852, I deployed a distributed Wazuh (one server for each central component) using the Offline Installation method step by step.

The related documentation is here: https://documentation-dev.wazuh.com/v4.9.0-alpha3/deployment-options/offline-installation/step-by-step.html

After a successful installation, I execute the MITRE ATT&CK Customization.

The related documentation is here: https://documentation-dev.wazuh.com/v4.9.0-alpha3/user-manual/ruleset/mitre.html#customization

After executing each step, I found that no alert was present in the dashboard with rule.id "110011", which is expected to be generated in this test.
The test was done in a first attempt using a Windows Server 2019 agent, and in a second attempt using a Windows 11 agent, as the documentation describes.
In both cases, no alerts with rule.id "110011" were present on the dashboard.

@ooniagbi (Member) commented Jul 25, 2024

Initial test

I tested the documentation on my current Wazuh setup (v4.7.4), and everything works, as seen in the screenshot below:

[screenshot: dashboard showing the rule 110011 alert on v4.7.4]

This implies that the error is not from the rule or the steps in the documentation.

Alert log

{
  "_index": "wazuh-alerts-4.x-2024.07.25",
  "_id": "UV2z6ZABrUKp1xjkGupd",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "ip": "192.168.56.172",
      "name": "DESKTOP-I1PBMQ1",
      "id": "002"
    },
    "manager": {
      "name": "wazuh-server"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\\\Windows\\\\system32\\\\services.exe",
          "targetObject": "HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC\\\\ObjectName",
          "processGuid": "{66774b51-6c61-66a2-0b00-000000000e00}",
          "processId": "708",
          "utcTime": "2024-07-25 08:50:48.923",
          "ruleName": "technique_id=T1543,technique_name=Service Creation",
          "details": "LocalSystem",
          "eventType": "SetValue",
          "user": "NT AUTHORITY\\\\SYSTEM"
        },
        "system": {
          "eventID": "13",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Registry value set:\r\nRuleName: technique_id=T1543,technique_name=Service Creation\r\nEventType: SetValue\r\nUtcTime: 2024-07-25 08:50:48.923\r\nProcessGuid: {66774b51-6c61-66a2-0b00-000000000e00}\r\nProcessId: 708\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName\r\nDetails: LocalSystem\r\nUser: NT AUTHORITY\\SYSTEM\"",
          "version": "2",
          "systemTime": "2024-07-25T08:50:48.9367520Z",
          "eventRecordID": "23679",
          "threadID": "4800",
          "computer": "DESKTOP-I1PBMQ1",
          "task": "13",
          "processID": "3420",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "rule": {
      "firedtimes": 7,
      "mail": false,
      "level": 10,
      "description": "PsExec service running as NT AUTHORITY\\\\SYSTEM has been created on DESKTOP-I1PBMQ1.",
      "groups": [
        "windows",
        "sysmon",
        "privilege-escalation"
      ],
      "mitre": {
        "technique": [
          "Windows Service"
        ],
        "id": [
          "T1543.003"
        ],
        "tactic": [
          "Persistence",
          "Privilege Escalation"
        ]
      },
      "id": "110011"
    },
    "location": "EventChannel",
    "decoder": {
      "name": "windows_eventchannel"
    },
    "id": "1721897449.6317303",
    "timestamp": "2024-07-25T08:50:49.715+0000"
  },
  "fields": {
    "timestamp": [
      "2024-07-25T08:50:49.715Z"
    ]
  },
  "highlight": {
    "agent.id": [
      "@opensearch-dashboards-highlighted-field@002@/opensearch-dashboards-highlighted-field@"
    ],
    "manager.name": [
      "@opensearch-dashboards-highlighted-field@wazuh-server@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1721897449715
  ]
}

@ooniagbi (Member) commented Jul 25, 2024

Testing on 4.9.0

2024/07/25 17:09:09 wazuh-analysisd[23261] winevtchannel.c:142 at DecodeWinevt(): WARNING: Could not read XML string: '<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2024-07-25T17:09:08.2691305Z'/><EventRecordID>27414</EventRecordID><Correlation/><Execution ProcessID='3308' ThreadID='5784'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>DESKTOP-I1PBMQ1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>technique_id=T1047,technique_name=Windows Management Instrumentation</Data><Data Name='UtcTime'>2024-07-25 17:09:08.262</Data><Data Name='ProcessGuid'>{66774b51-86b4-66a2-8403-000000000f00}</Data><Data Name='ProcessId'>6044</Data><Data Name='Image'>C:\Windows\System32\wbem\WmiPrvSE.exe</Data><Data Name='FileVersion'>10.0.22621.1 (WinBuild.160101.0800)</Data><Data Name='Description'>WMI Provider Host</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>Wmiprvse.exe</Data><Data Name='CommandLine'>C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\NETWORK SERVICE</Data><Data Name='LogonGuid'>{66774b51-e422-66a2-e403-000000000000}</Data><Data Name='LogonId'>0x3e4</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>SHA1=91180ED89976D16353404AC982A422A707F2AE37,MD5=7528CCABACCD5C1748E63E192097472A,SHA256=196CABED59111B6C4BBF78C84A56846D96CBBC4F06935A4FD4E6432EF0AE4083,IMPHASH=144C0DFA3875D7237B37631C52D608CB</Data><Data Name='ParentProcessGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data 
Name='ParentProcessId'>876</Data><Data Name='ParentImage'>-</Data><Data Name='ParentCommandLine'>-</Data><Data Name='ParentUser'>-</Data></EventData></Event>'
  • Archive logs
{
  "_index": "wazuh-archives-4.x-2024.07.25",
  "_id": "XN8E65ABf57TS6_MTNzV",
  "_score": 0,
  "_source": {
    "agent": {
      "ip": "192.168.56.172",
      "name": "DESKTOP-I1PBMQ1",
      "id": "001"
    },
    "manager": {
      "name": "ubuntu2204.localdomain"
    },
    "data": {
      "win": {
        "eventdata": {
          "image": "C:\\Windows\\system32\\services.exe",
          "targetObject": "HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName",
          "processGuid": "{66774b51-e421-66a2-0b00-000000000f00}",
          "processId": "708",
          "utcTime": "2024-07-25 17:50:42.822",
          "ruleName": "technique_id=T1543,technique_name=Service Creation",
          "details": "LocalSystem",
          "eventType": "SetValue",
          "user": "NT AUTHORITY\\SYSTEM"
        },
        "system": {
          "eventID": "13",
          "keywords": "0x8000000000000000",
          "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
          "level": "4",
          "channel": "Microsoft-Windows-Sysmon/Operational",
          "opcode": "0",
          "message": "\"Registry value set:\r\nRuleName: technique_id=T1543,technique_name=Service Creation\r\nEventType: SetValue\r\nUtcTime: 2024-07-25 17:50:42.822\r\nProcessGuid: {66774b51-e421-66a2-0b00-000000000f00}\r\nProcessId: 708\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName\r\nDetails: LocalSystem\r\nUser: NT AUTHORITY\\SYSTEM\"",
          "version": "2",
          "systemTime": "2024-07-25T17:50:42.8381418Z",
          "eventRecordID": "28615",
          "threadID": "5784",
          "computer": "DESKTOP-I1PBMQ1",
          "task": "13",
          "processID": "3308",
          "severityValue": "INFORMATION",
          "providerName": "Microsoft-Windows-Sysmon"
        }
      }
    },
    "decoder": {
      "name": "windows_eventchannel"
    },
    "full_log": "{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"13\",\"version\":\"2\",\"level\":\"4\",\"task\":\"13\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2024-07-25T17:50:42.8381418Z\",\"eventRecordID\":\"28615\",\"processID\":\"3308\",\"threadID\":\"5784\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-I1PBMQ1\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Registry value set:\\r\\nRuleName: technique_id=T1543,technique_name=Service Creation\\r\\nEventType: SetValue\\r\\nUtcTime: 2024-07-25 17:50:42.822\\r\\nProcessGuid: {66774b51-e421-66a2-0b00-000000000f00}\\r\\nProcessId: 708\\r\\nImage: C:\\\\Windows\\\\system32\\\\services.exe\\r\\nTargetObject: HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC\\\\ObjectName\\r\\nDetails: LocalSystem\\r\\nUser: NT AUTHORITY\\\\SYSTEM\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1543,technique_name=Service Creation\",\"eventType\":\"SetValue\",\"utcTime\":\"2024-07-25 17:50:42.822\",\"processGuid\":\"{66774b51-e421-66a2-0b00-000000000f00}\",\"processId\":\"708\",\"image\":\"C:\\\\Windows\\\\system32\\\\services.exe\",\"targetObject\":\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC\\\\ObjectName\",\"details\":\"LocalSystem\",\"user\":\"NT AUTHORITY\\\\SYSTEM\"}}}",
    "input": {
      "type": "log"
    },
    "@timestamp": "2024-07-25T17:50:44.337Z",
    "location": "EventChannel",
    "id": "1721929844.2537500",
    "timestamp": "2024-07-25T17:50:44.337+0000"
  },
  "fields": {
    "@timestamp": [
      "2024-07-25T17:50:44.337Z"
    ],
    "timestamp": [
      "2024-07-25T17:50:44.337Z"
    ]
  }
}
  • Logtest showing the base rule 61615 is triggered
**Messages:
	INFO: analysisd/logtest.c:1098 at w_logtest_process_request_log_processing(): (7202): Session initialized with token '949df666'

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
	name: 'json'
	win.eventdata.details: 'LocalSystem'
	win.eventdata.eventType: 'SetValue'
	win.eventdata.image: 'C:\Windows\system32\services.exe'
	win.eventdata.processGuid: '{66774b51-e421-66a2-0b00-000000000f00}'
	win.eventdata.processId: '708'
	win.eventdata.ruleName: 'technique_id=T1543,technique_name=Service Creation'
	win.eventdata.targetObject: 'HKLM\System\CurrentControlSet\Services\PSEXESVC\ObjectName'
	win.eventdata.user: 'NT AUTHORITY\SYSTEM'
	win.eventdata.utcTime: '2024-07-25 17:50:42.822'
	win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
	win.system.computer: 'DESKTOP-I1PBMQ1'
	win.system.eventID: '13'
	win.system.eventRecordID: '28615'
	win.system.keywords: '0x8000000000000000'
	win.system.level: '4'
	win.system.message: '"Registry value set:
RuleName: technique_id=T1543,technique_name=Service Creation
EventType: SetValue
UtcTime: 2024-07-25 17:50:42.822
ProcessGuid: {66774b51-e421-66a2-0b00-000000000f00}
ProcessId: 708
Image: C:\Windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\PSEXESVC\ObjectName
Details: LocalSystem
User: NT AUTHORITY\SYSTEM"'
	win.system.opcode: '0'
	win.system.processID: '3308'
	win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
	win.system.providerName: 'Microsoft-Windows-Sysmon'
	win.system.severityValue: 'INFORMATION'
	win.system.systemTime: '2024-07-25T17:50:42.8381418Z'
	win.system.task: '13'
	win.system.threadID: '5784'
	win.system.version: '2'

**Phase 3: Completed filtering (rules).
	id: '61615'
	level: '0'
	description: 'Sysmon - Event 13: RegistryEvent SetValue on HKLM\System\CurrentControlSet\Services\PSEXESVC\ObjectName by C:\Windows\system32\services.exe'
	groups: '["windows","sysmon","sysmon_event_13"]'
	firedtimes: '1'
	mail: 'false'

@ooniagbi (Member) commented Jul 25, 2024

Possible fix

After several tests and tweaks, I noticed the Windows alert logs I copied from the 4.7.4 server had 4 slashes (\\\\), while the Windows alert logs in 4.9.0 had 2 slashes (\\). I modified the rule in the documentation to look like this:

<group name="windows,sysmon,privilege-escalation">

  <rule id="110011" level="10">
    <if_sid>61615</if_sid>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC</field>
    <field name="win.eventdata.eventType" type="pcre2">^SetValue$</field>
    <field name="win.eventdata.user" type="pcre2">NT AUTHORITY\\SYSTEM</field>
    <description>PsExec service running as $(win.eventdata.user) has been created on $(win.system.computer).</description>
    <mitre>
      <id>T1543.003</id>
    </mitre>
  </rule>
</group>

This works. I am guessing there has been a change in how Windows logs are processed, which means that rules that were written to account for the extra slashes would no longer work. The successful test result is below:

**Messages:
	WARNING: analysisd/logtest.c:1085 at w_logtest_process_request_log_processing(): (7003): '5f23af43' token expires
	INFO: analysisd/logtest.c:1098 at w_logtest_process_request_log_processing(): (7202): Session initialized with token '075ccd2e'

**Phase 1: Completed pre-decoding.
	full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"13","version":"2","level":"4","task":"13","opcode":"0","keywords":"0x8000000000000000","systemTime":"2024-07-25T17:50:42.8381418Z","eventRecordID":"28615","processID":"3308","threadID":"5784","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-I1PBMQ1","severityValue":"INFORMATION","message":"\"Registry value set:\r\nRuleName: technique_id=T1543,technique_name=Service Creation\r\nEventType: SetValue\r\nUtcTime: 2024-07-25 17:50:42.822\r\nProcessGuid: {66774b51-e421-66a2-0b00-000000000f00}\r\nProcessId: 708\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName\r\nDetails: LocalSystem\r\nUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"ruleName":"technique_id=T1543,technique_name=Service Creation","eventType":"SetValue","utcTime":"2024-07-25 17:50:42.822","processGuid":"{66774b51-e421-66a2-0b00-000000000f00}","processId":"708","image":"C:\\Windows\\system32\\services.exe","targetObject":"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName","details":"LocalSystem","user":"NT AUTHORITY\\SYSTEM"}}}'

**Phase 2: Completed decoding.
	name: 'json'
	win.eventdata.details: 'LocalSystem'
	win.eventdata.eventType: 'SetValue'
	win.eventdata.image: 'C:\Windows\system32\services.exe'
	win.eventdata.processGuid: '{66774b51-e421-66a2-0b00-000000000f00}'
	win.eventdata.processId: '708'
	win.eventdata.ruleName: 'technique_id=T1543,technique_name=Service Creation'
	win.eventdata.targetObject: 'HKLM\System\CurrentControlSet\Services\PSEXESVC\ObjectName'
	win.eventdata.user: 'NT AUTHORITY\SYSTEM'
	win.eventdata.utcTime: '2024-07-25 17:50:42.822'
	win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
	win.system.computer: 'DESKTOP-I1PBMQ1'
	win.system.eventID: '13'
	win.system.eventRecordID: '28615'
	win.system.keywords: '0x8000000000000000'
	win.system.level: '4'
	win.system.message: '"Registry value set:
RuleName: technique_id=T1543,technique_name=Service Creation
EventType: SetValue
UtcTime: 2024-07-25 17:50:42.822
ProcessGuid: {66774b51-e421-66a2-0b00-000000000f00}
ProcessId: 708
Image: C:\Windows\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\PSEXESVC\ObjectName
Details: LocalSystem
User: NT AUTHORITY\SYSTEM"'
	win.system.opcode: '0'
	win.system.processID: '3308'
	win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
	win.system.providerName: 'Microsoft-Windows-Sysmon'
	win.system.severityValue: 'INFORMATION'
	win.system.systemTime: '2024-07-25T17:50:42.8381418Z'
	win.system.task: '13'
	win.system.threadID: '5784'
	win.system.version: '2'

**Phase 3: Completed filtering (rules).
	id: '110011'
	level: '10'
	description: 'PsExec service running as NT AUTHORITY\SYSTEM has been created on DESKTOP-I1PBMQ1.'
	groups: '["windows","sysmon","privilege-escalation"]'
	firedtimes: '1'
	mail: 'false'
	mitre.id: '["T1543.003"]'
	mitre.tactic: '["Persistence","Privilege Escalation"]'
	mitre.technique: '["Windows Service"]'
**Alert to be generated.
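The two logtest runs above (base rule 61615 firing without 110011 on 4.9.0, then 110011 firing once the rule's backslash escapes were halved) come down to how many literal backslashes the decoded field carries versus how many the PCRE2 pattern demands. The following Python is an added example, not code from the Wazuh project or from the commenters: it JSON-decodes constructed event fragments in both encodings (shape copied from the 4.7.4 alert and the 4.9.0 archive entry quoted in this issue, trimmed to the fields the rule reads), applies the posted rule's three `<field>` conditions, and expands the `$(...)` placeholders in the description. The "old" variant with doubled `\\\\` escapes is an assumption about what the pre-fix documentation rule looked like (the issue does not quote it); the "tolerant" variant is an addition here, and Python's `re` stands in for PCRE2, which treats these particular escapes identically.

```python
import json
import re

# Constructed sample events (shape copied from the issue's 4.7.4 alert and 4.9.0
# archive entries, trimmed to the fields the rule reads). The 4.7.4 JSON text
# carries four backslashes per separator, which decodes to two literal
# backslashes; the 4.9.0 JSON text carries two, which decodes to one.
EVENT_4_7_4 = (
    r'{"win":{"eventdata":{"targetObject":'
    r'"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC\\\\ObjectName",'
    r'"eventType":"SetValue","user":"NT AUTHORITY\\\\SYSTEM"},'
    r'"system":{"computer":"DESKTOP-I1PBMQ1"}}}'
)
EVENT_4_9_0 = (
    r'{"win":{"eventdata":{"targetObject":'
    r'"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName",'
    r'"eventType":"SetValue","user":"NT AUTHORITY\\SYSTEM"},'
    r'"system":{"computer":"DESKTOP-I1PBMQ1"}}}'
)

# Each entry is the set of <field name="..." type="pcre2"> conditions of rule
# 110011. Within one Wazuh rule every <field> must match, so they are ANDed.
RULES = {
    # Assumed pre-fix pattern (not quoted in the issue): "\\\\" in PCRE2 is
    # two literal backslashes, which is what the 4.7.4 decoded value contains.
    "old": {
        "win.eventdata.targetObject":
            r"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC",
        "win.eventdata.eventType": r"^SetValue$",
        "win.eventdata.user": r"NT AUTHORITY\\\\SYSTEM",
    },
    # Pattern as posted in the fix: "\\" is one literal backslash.
    "fixed": {
        "win.eventdata.targetObject":
            r"HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC",
        "win.eventdata.eventType": r"^SetValue$",
        "win.eventdata.user": r"NT AUTHORITY\\SYSTEM",
    },
    # Encoding-tolerant variant (added here, hypothetical): "\\+" is one or
    # more backslashes, so the rule fires whichever way the manager encodes it.
    "tolerant": {
        "win.eventdata.targetObject":
            r"HKLM\\+System\\+CurrentControlSet\\+Services\\+PSEXESVC",
        "win.eventdata.eventType": r"^SetValue$",
        "win.eventdata.user": r"NT AUTHORITY\\+SYSTEM",
    },
}

DESCRIPTION = ("PsExec service running as $(win.eventdata.user) "
               "has been created on $(win.system.computer).")


def get_field(event: dict, dotted: str):
    """Resolve a dotted Wazuh field name (e.g. win.eventdata.user) in a decoded event."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def rule_matches(fields: dict, event: dict) -> bool:
    """True only if every <field> pattern finds a match in its decoded value."""
    for name, pattern in fields.items():
        value = get_field(event, name)
        if not isinstance(value, str) or re.search(pattern, value) is None:
            return False
    return True


def render_description(template: str, event: dict) -> str:
    """Expand $(field) placeholders the way the alert description shows them."""
    return re.sub(r"\$\(([\w.]+)\)",
                  lambda m: str(get_field(event, m.group(1))), template)


def separator_width(raw_event: str) -> int:
    """Number of literal backslashes between HKLM and System after JSON decoding."""
    value = get_field(json.loads(raw_event), "win.eventdata.targetObject")
    m = re.match(r"HKLM(\\+)System", value)
    return len(m.group(1)) if m else 0


def evaluate(raw_event: str) -> dict:
    """Decode one event and report which rule variants would fire on it."""
    event = json.loads(raw_event)
    return {name: rule_matches(fields, event) for name, fields in RULES.items()}


if __name__ == "__main__":
    for label, raw in (("4.7.4", EVENT_4_7_4), ("4.9.0", EVENT_4_9_0)):
        print(label, "backslashes per separator:", separator_width(raw),
              "fires:", evaluate(raw))
    print(render_description(DESCRIPTION, json.loads(EVENT_4_9_0)))
```

Run stand-alone, the script shows the "old" pattern matching only the 4.7.4 encoding, the posted "fixed" pattern matching only the 4.9.0 encoding, and the `\\+` variant matching both; the rendered description equals the one in the Phase 3 logtest output above. The practical check before shipping a custom rule is therefore the Phase 2 decoder output from wazuh-logtest, which prints the field values exactly as the pattern will see them, not the escaped form in the dashboard JSON.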

@ooniagbi (Member) commented Jul 25, 2024

Testing this fix with the documentation use case

[screenshot: dashboard showing the rule 110011 alert with the modified rule on 4.9.0]

@cborla cborla assigned cborla and unassigned ooniagbi Jul 29, 2024
@cborla (Member) commented Jul 30, 2024

I will keep this issue open until I close the corresponding issue in wazuh/wazuh, but no documentation changes will be made; the parser functionality will be left as it works in 4.8.1.
Related issue.

@gdiazlo gdiazlo closed this as completed Jul 30, 2024