Issues Noticed - ecrawford-0/Whids-Testing GitHub Wiki

Introduction

The following documents the process of trying to get the WHIDS rules working, using both the stable version 1.7.0 and the beta version 1.8.0 beta8.

Trying to use v1.8.0 beta8

When setting up the endpoint everything went fine. Several other options were added to the menu as well.

The config file was also expanded. It added many helpful settings. Specifically, the ones for actions, dump settings, and reporting were not present in the stable version.

I also tested out the audit settings and they seemed to work!

File Audit notes

First create a folder to audit. For testing I created a folder on the desktop.

Right-click the folder and select Properties.

Go to the Security tab and select Advanced.

Go to the Auditing tab.

For the principal, select Users.

For Type, select either Success or Success and Failure, and leave the basic permissions as Modify, Read & execute, List folder contents, Read, and Write.

Then click Apply and OK.

Then open the config file.

Next, scroll down to the [audit] section, enable the audit policies, and make sure to specify the audit dirs.

Go to the folder being monitored.

Create a new file.

Add contents to the file.

Navigate to C:\Program Files\Whids\Logs\Alerts.

Open the alerts file. Scrolling to the bottom of the file will show an alert for the new file created.
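The same File Audit steps, scripted, as an added example (not from this wiki and not part of WHIDS itself). It assumes an elevated PowerShell prompt, that $AuditDir is the folder being audited, and that $AlertsFile is one of the alert files under C:\Program Files\Whids\Logs\Alerts containing one JSON object per line (the file name below is a placeholder; the matching of the folder path against the raw line is an assumption about how WHIDS escapes backslashes in its JSON):

```powershell
# Added example: scripts the GUI steps above (folder SACL for "Users", Success + Failure,
# the basic permissions listed in the wiki) and then looks for the resulting WHIDS alert.
# Assumptions: run elevated; $AlertsFile is a JSON-lines alert file (placeholder name).
param(
    [string]$AuditDir   = "$env:USERPROFILE\Desktop\AuditTest",
    [string]$AlertsFile = 'C:\Program Files\Whids\Logs\Alerts\<alerts-file>'   # placeholder
)

# 1. Windows only emits file-system audit events when the Object Access > File System
#    subcategory is enabled; a SACL on the folder alone produces nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Create the folder to audit (the wiki uses a folder on the desktop).
New-Item -ItemType Directory -Path $AuditDir -Force | Out-Null

# 3. Equivalent of Properties > Security > Advanced > Auditing:
#    principal "Users", type Success + Failure, basic permissions Modify, Read & execute,
#    List folder contents, Read, Write, applied to this folder, subfolders and files.
$rights = [System.Security.AccessControl.FileSystemRights]'Modify, ReadAndExecute, ListDirectory, Read, Write'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Users',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl = Get-Acl -Path $AuditDir -Audit      # -Audit is needed to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditDir -AclObject $acl

# 4. Generate activity: create a file and write to it, as in the wiki.
$testFile = Join-Path $AuditDir 'test.txt'
Set-Content -Path $testFile -Value 'hello from the audit test'

# 5. Look for the alert. Paths inside JSON strings have doubled backslashes, so match both
#    the raw and the JSON-escaped form of the folder path, then parse the matching lines.
Start-Sleep -Seconds 5
$escaped = $AuditDir.Replace('\', '\\')
Get-Content -Path $AlertsFile -Tail 500 |
    Where-Object { ($_ -like "*$escaped*") -or ($_ -like "*$AuditDir*") } |
    ForEach-Object { $_ | ConvertFrom-Json } |
    Select-Object -Last 5 |
    Format-List
```

If step 5 prints nothing, check `auditpol /get /subcategory:"File System"` first and then the Windows Security log for event 4663 on the test file; if 4663 is present but no WHIDS alert appears, the problem is in the [audit] section of the config rather than in Windows.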

Trying to connect to the manager

Setting up the manager is slightly different than in the stable version, notably in how endpoints and users are managed.

There are many more options.

Also, when the dump-config option is used it doesn't generate an endpoint uuid and key, and won't generate the admin key.

Using the user option to create an admin user does work, and it will generate credentials.

But trying to access information with a curl command doesn't work, as the admin user created isn't part of the admin group.

The beta seems to store more info in a database file.

There's even a JSON file located in server.AdminAPIUser. However, opening this file shows the same user that was created, as the identifier is the same and the key is the same.

There was a line for group. I tried to make it part of the admin group, but it still said unauthorized. I also can't add an endpoint and don't know the format for how to do it. In the options there was something to generate a key.

However, a uuid is not generated, and it doesn't specify where in the configuration file to put this key, since nowhere in the config file is a place already designated for the endpoint info.

The only way of generating a uuid seems to be via the user command, but this also generates a user, which isn't needed. It's also unclear if this is the way a uuid for a server is supposed to be generated.

Troubles with v1.7.0 stable release

With the stable release it's easy to connect an endpoint to a manager. However, the issue is trying to get rules to work or verify how the rules function. I can download rules and have successfully done so in this wiki page.

The rules are also shown to be loaded when checking the stats.

Creating custom rules is also difficult. When trying to create a rule, it says "Matches only apply on the fields located under the EventData section of Windows Events." But looking at some of the rules, they refer to fields that aren't part of the Windows Events EventData. The following test rule was created to detect a whoami.

However, this rule does not appear to work even after it is added. It is also unclear what should happen if WHIDS successfully detects something on the detection list.
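For comparison with the test rule above, an added example (my own, not the wiki author's rule and not shipped with WHIDS) of a whoami detection written in the Gene rule format that WHIDS loads. It matches Sysmon process-creation events (event ID 1 in the Microsoft-Windows-Sysmon/Operational channel), whose Image and CommandLine values are EventData fields, so they satisfy the "Matches only apply on ... EventData" restriction quoted above. The rules directory path and the .gen file extension are assumptions; check the rules path in your own config:

```powershell
# Added example: writes a Gene rule that fires on Sysmon event 1 when the started image
# is whoami.exe or the command line mentions whoami. Image / CommandLine are EventData
# fields of Sysmon event 1. Assumption: $RulesDir is where WHIDS is configured to load
# rules from (placeholder path); the .gen extension is the Gene rule-file convention.
param([string]$RulesDir = 'C:\Program Files\Whids\Rules')   # placeholder, verify in config

# Single-quoted here-string: the $img / $cmd variables are Gene match names, not PowerShell.
# In the JSON string "\\\\" becomes the regex "\\" (one literal backslash) and "\\." a literal dot.
$rule = @'
{
  "Name": "WhoamiExecution",
  "Tags": ["Test", "Discovery"],
  "Meta": {
    "Events": {"Microsoft-Windows-Sysmon/Operational": [1]},
    "Computers": [],
    "Criticality": 5,
    "Author": "example",
    "Comments": "Test rule: whoami.exe started (Sysmon EID 1); Image and CommandLine are EventData fields"
  },
  "Matches": [
    "$img: Image ~= '(?i:\\\\whoami\\.exe$)'",
    "$cmd: CommandLine ~= '(?i:whoami)'"
  ],
  "Condition": "$img or $cmd"
}
'@

# Fail early on malformed JSON instead of discovering it in the WHIDS log after a restart.
$null = $rule | ConvertFrom-Json

$target = Join-Path $RulesDir 'whoami-test.gen'
Set-Content -Path $target -Value $rule -Encoding ascii
Write-Host "Rule written to $target; restart the WHIDS service so it reloads its rules."
```

After restarting the service, running whoami in a shell on the endpoint should produce an entry in C:\Program Files\Whids\Logs\Alerts carrying the rule's Name and Criticality, which is the simplest way to confirm that a custom rule is actually being evaluated rather than only counted in the stats.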