The event is from a Windows 10 system.

I have turned on logall. I am having a hard time regenerating event ID 
5140; however, I have spotted several other event types where the XML field 
labels are NOT logged by OSSEC.

In addition, in the specific example below, the order of the last two 
fields is inverted.

As presented by OSSEC, these event types (and several others) are just a 
sequence of field content *without* field names. Without viewing the 
original event in the Windows Event Viewer, it is difficult to make head or 
tail of the content of such events.

Event 4703 is filtered by the rules I have in place; below is a sanitized 
capture of one event from the archives log.

Example event 4703 from archives log:
2017 Feb 20 10:19:04 (AgentName) 192.168.X.Y->WinEvtLog 2017 Feb 20 12:19:00 WinEvtLog: Security: AUDIT_SUCCESS(4703): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe 0x6d0 SeSecurityPrivilege -

*Sanitized Text view in Event Viewer*

A user right was adjusted. <--- Not reported by Windows in XML

Subject:
Security ID: SYSTEM
Account Name: HOSTNAME$
Account Domain: DOMAIN
Logon ID: 0x3E7

Target Account:
Security ID: SYSTEM
Account Name: HOSTNAME$
Account Domain: DOMAIN
Logon ID: 0x3E7

Process Information:
Process ID: 0x6d0
Process Name: C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe

Enabled Privileges:
-

Disabled Privileges:
SeSecurityPrivilege

And the XML Event Data:
<EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  <Data Name="SubjectUserName">HOSTNAME$</Data>
  <Data Name="SubjectDomainName">DOMAIN</Data>
  <Data Name="SubjectLogonId">0x3e7</Data>
  <Data Name="TargetUserSid">S-1-5-18</Data>
  <Data Name="TargetUserName">HOSTNAME$</Data>
  <Data Name="TargetDomainName">DOMAIN</Data>
  <Data Name="TargetLogonId">0x3e7</Data>
  <Data Name="ProcessName">C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe</Data>
  <Data Name="ProcessId">0x6d0</Data>
  <Data Name="EnabledPrivilegeList">-</Data>
  <Data Name="DisabledPrivilegeList">SeSecurityPrivilege</Data>
</EventData>


The labels in Windows AppLocker events are missing, in addition to certain 
fields not being logged at all.

Event in OSSEC:
2017 Feb 20 12:59:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: 
INFORMATION(8002): Microsoft-Windows-AppLocker: Username: HOSTNAME: 
Hostname: %SYSTEM32%\NOTEPAD.EXE was allowed to run.

Similar event in Event Viewer:
Log Name: Microsoft-Windows-AppLocker/EXE and DLL
Source: Microsoft-Windows-AppLocker
Date: 2017-02-20 12:59:32
Event ID: 8002
Task Category: None
Level: Information
Keywords:
User: HOSTNAME\Username
Computer: Hostname
Description: %SYSTEM32%\NOTEPAD.EXE was allowed to run.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
    <EventID>8002</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-02-20T10:59:32.601746800Z" />
    <EventRecordID>628604</EventRecordID>
    <Correlation />
    <Execution ProcessID="12408" ThreadID="6736" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>Hostname</Computer>
    <Security UserID="S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" />
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleId>{68A289F7-223A-46C9-A2B2-A7C6F18046DE}</RuleId>
      <RuleName>Program Files (x86): MICROSOFT® WINDOWS® OPERATING SYSTEM signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</RuleName>
      <RuleSddl>D:(XA;;FX;;;S-1-5-11;((Exists APPID://FQBN) &amp;&amp; ((APPID://FQBN) &gt;= ({"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\*",2814749767106560}))))</RuleSddl>
      <TargetUser>S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</TargetUser>
      <TargetProcessId>7820</TargetProcessId>
      <FilePath>%SYSTEM32%\NOTEPAD.EXE</FilePath>
      <FileHash>D7AE8D9D859B4F6DC703E2005CC10E836CCFFC38C4DB97C3C9DEF101D722E417</FileHash>
      <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NOTEPAD.EXE\10.0.10240.16425</Fqbn>
      <TargetLogonId>0x28f2bf</TargetLogonId>
    </RuleAndFileData>
  </UserData>
</Event>

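As an added illustration (not from the original post or from OSSEC), the following Python parses the sanitised <EventData> of event 4703 quoted above, renders it both with and without field names, and shows why the label-less, positional form cannot be reliably re-labelled afterwards. The constants and function names are mine; the event text is copied from the post.

```python
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Sanitised <EventData> of event 4703 as quoted in the post above
# (mail-client bold markers around the Name attributes removed).
EVENT_DATA_4703 = r"""<EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  <Data Name="SubjectUserName">HOSTNAME$</Data>
  <Data Name="SubjectDomainName">DOMAIN</Data>
  <Data Name="SubjectLogonId">0x3e7</Data>
  <Data Name="TargetUserSid">S-1-5-18</Data>
  <Data Name="TargetUserName">HOSTNAME$</Data>
  <Data Name="TargetDomainName">DOMAIN</Data>
  <Data Name="TargetLogonId">0x3e7</Data>
  <Data Name="ProcessName">C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe</Data>
  <Data Name="ProcessId">0x6d0</Data>
  <Data Name="EnabledPrivilegeList">-</Data>
  <Data Name="DisabledPrivilegeList">SeSecurityPrivilege</Data>
</EventData>"""

# Field-value tail of the same event as it appeared in OSSEC's archives log.
OSSEC_TAIL_4703 = (r"S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 "
                   r"C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe 0x6d0 SeSecurityPrivilege -")

def parse_event_data(xml_text):
    """Return the <Data Name="..."> children as an ordered name -> value mapping."""
    root = ET.fromstring(xml_text)
    return OrderedDict((d.get("Name"), (d.text or "").strip()) for d in root.iter("Data"))

def render_labelled(fields):
    """Name=value pairs: unambiguous even when a value is '-' or contains spaces."""
    return " ".join(f"{name}={value}" for name, value in fields.items())

def render_positional(fields):
    """Values only, in XML order: the label-less shape the post complains about."""
    return " ".join(fields.values())

def relabel_positional(line, names):
    """Try to re-attach names to a positional line by splitting on whitespace.
    Returns None when the token count differs, as it does here because the
    ProcessName path contains spaces: the split cannot be undone reliably."""
    tokens = line.split()
    return OrderedDict(zip(names, tokens)) if len(tokens) == len(names) else None

if __name__ == "__main__":
    fields = parse_event_data(EVENT_DATA_4703)
    print(render_labelled(fields))
    print("XML order == OSSEC order:", render_positional(fields) == OSSEC_TAIL_4703)
```

Comparing the positional rendering with the archives-log tail also makes the inverted order of the last two fields visible.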