Wazuh-Elastic Training

Lab-Guide - Session 6

Wazuh 4.1.5
Elastic Stack 7.10.0
OpenDistro 1.12.0
Table of Contents

Osquery Integration with Wazuh


Lab 6a - Set up Osquery across two agents

Sysmon Integration with Wazuh


Lab 6b - Set up Sysmon on Windows agent
Fetch the SwiftOnSecurity Sysmon config for centralized distribution to agents
Fetch custom rules optimized for the latest Sysmon and the SwiftOnSecurity config
Restart the Wazuh manager so that the new rules are loaded.
Fetch and Install Sysmon on Windows agent
Centrally distributing and monitoring Sysmon

Integrator system
PagerDuty review
Slack Lab and extensibility discussion
Our class Slack workspace
Add to /var/ossec/etc/ossec.conf on manager
Restart manager
Watch the Slack channel for alerts to start appearing every time one of our linux
systems has a failed ssh login attempt involving a nonexistent user name.
VirusTotal

Wazuh Manager cluster show and tell

CloudTrail

Copyright © 2020 Wazuh, Inc. All rights reserved. 1


Osquery Integration with Wazuh

Lab 6a - Set up Osquery across two agents


Install osquery on the elastic agent

Install osquery on the elastic system by running these as root:

# wget https://pkg.osquery.io/rpm/osquery-3.3.2-1.linux.x86_64.rpm
...
# rpm -ivh osquery-3.3.2-1.linux.x86_64.rpm
warning: osquery-3.3.2-1.linux.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID c9d8b80b: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:osquery-3.3.2-1.linux ################################# [100%]

The NOKEY warning means rpm found a signature on the package but had no public key to check it against, so the package was installed without the signature being verified. Outside the lab, import the osquery RPM signing key (the key published at https://pkg.osquery.io/rpm/GPG, via rpm --import) before installing, so that a tampered package is rejected rather than merely warned about.

Install osquery on Windows agent

Install osquery on the Windows agent by downloading this MSI via Chrome and running it:
https://pkg.osquery.io/windows/osquery-3.3.2.msi
Then open PowerShell as Administrator and run this command to remove the Windows service the MSI registered:
C:\ProgramData\osquery\osqueryd\osqueryd.exe --uninstall

This particular MSI creates a Windows service that we don't want when osquery runs exclusively as a subprocess of the Wazuh agent (otherwise a second osqueryd instance would run alongside the one the wodle starts). A more ideal deployment might push osquery to all Windows systems via a custom-built WPK package that installs osquery without creating a service. Or, in a more robust deployment, you might want osqueryd running as a standard service independent of the Wazuh agent so it can be queried interactively via something like Kolide Fleet, while still allowing the Wazuh agent to run scheduled queries.

On your manager, replace the Osquery Wodle section in /var/ossec/etc/shared/windows/agent.conf with this:

<wodle name="osquery">
  <disabled>no</disabled>
  <run_daemon>yes</run_daemon>
  <bin_path>C:\ProgramData\osquery\osqueryd</bin_path>
  <log_path>C:\ProgramData\osquery\log\osqueryd.results.log</log_path>
  <config_path>C:\Progra~2\ossec-agent\shared\osquery.conf</config_path>
  <add_labels>yes</add_labels>
</wodle>

And replace the Osquery Wodle section in /var/ossec/etc/shared/linux/agent.conf with this:

<wodle name="osquery">
  <disabled>no</disabled>
  <run_daemon>yes</run_daemon>
  <bin_path>/usr/bin</bin_path>
  <log_path>/var/log/osquery/osqueryd.results.log</log_path>
  <config_path>/var/ossec/etc/shared/osquery.conf</config_path>
  <add_labels>yes</add_labels>
</wodle>

The only variation from the defaults here is that <config_path> points at an osquery.conf file in the same centralized distribution directory as agent.conf, so the osquery schedule reaches agents through the same shared-file mechanism as agent.conf itself.

On manager, create /var/ossec/etc/shared/windows/osquery.conf

{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "utc": "true"
  },
  "schedule": {
    "chrome_extension": {
      "query": "SELECT name FROM chrome_extensions WHERE uid IN (SELECT uid FROM users);",
      "interval": 120
    }
  }
}

On manager, create /var/ossec/etc/shared/linux/osquery.conf

{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "utc": "true"
  },
  "schedule": {
    "users_list": {
      "query": "select username,description from users;",
      "interval": 120
    }
  }
}

Then change the ownership so the manager can distribute the files:

# chown ossec:ossec /var/ossec/etc/shared/linux/osquery.conf
# chown ossec:ossec /var/ossec/etc/shared/windows/osquery.conf

Search Kibana for:

rule.id:24010

You should soon see enumerated users from the Linux systems but nothing about Chrome extensions, as none are presently installed.

Install the Google Keep Chrome extension in Windows (skip configuring it), then search Kibana for:

rule.id:24010

You should now see the Chrome extension accounted for.

Next add a new user to one of the Linux systems and remove the Google Keep Chrome extension from the Windows system. Search Kibana for:

rule.id:24010

This time you should see the new user reported with data.osquery.action = added and the Chrome extension reported with data.osquery.action = removed.

After osquery collects the initial results of a scheduled query, subsequent runs (every 2 minutes in this lab) only log rows that newly appeared in the results or that were previously present and have ceased to appear. An unchanged result set produces no log lines, and therefore no Wazuh alerts, so the absence of 24010 alerts means "no change", not "no data".
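The differential behaviour just described, written out as an added example (this is not osquery or Wazuh code): a diff between two runs of the users_list query, the result-log lines osqueryd would write for it (a subset of the real fields, in the shape the wodle tails from osqueryd.results.log), and a parser that reads them back. The sample rows are constructed.

```python
import json
import time
from typing import Dict, Iterable, List, Tuple

# Constructed sample: what "select username,description from users;" might return
# on two consecutive runs of the users_list schedule entry.
FIRST_RUN = [
    {"username": "root", "description": "root"},
    {"username": "alice", "description": "Alice Example"},
]
SECOND_RUN = [
    {"username": "root", "description": "root"},
    {"username": "bob", "description": "Bob Example"},   # appeared since last run
]                                                        # alice disappeared

def _key(row: dict) -> str:
    # A row is identified by all of its columns, so a changed description on the
    # same username shows up as one "removed" plus one "added" event.
    return json.dumps(row, sort_keys=True)

def diff_rows(previous: Iterable[dict], current: Iterable[dict]) -> Tuple[List[dict], List[dict]]:
    """Differential mode: rows only in current are 'added', rows only in previous 'removed'."""
    prev = {_key(r): r for r in previous}
    curr = {_key(r): r for r in current}
    added = [r for k, r in curr.items() if k not in prev]
    removed = [r for k, r in prev.items() if k not in curr]
    return added, removed

def result_log_lines(name: str, host: str, unix_time: int,
                     previous: Iterable[dict], current: Iterable[dict]) -> List[str]:
    """One JSON object per line with an 'action' of added/removed, the shape the
    osquery wodle tails from osqueryd.results.log (a subset of the real fields).
    An unchanged result set yields no lines at all."""
    added, removed = diff_rows(previous, current)
    lines = []
    for action, rows in (("added", added), ("removed", removed)):
        for row in rows:
            lines.append(json.dumps({
                "name": name,
                "hostIdentifier": host,
                "calendarTime": time.strftime("%a %b %d %H:%M:%S %Y UTC", time.gmtime(unix_time)),
                "unixTime": unix_time,
                "action": action,
                "columns": row,
            }, sort_keys=True))
    return lines

def actions_by_query(lines: Iterable[str]) -> Dict[str, List[Tuple[str, dict]]]:
    """Parse result-log lines back into {query name: [(action, columns), ...]}."""
    out: Dict[str, List[Tuple[str, dict]]] = {}
    for line in lines:
        event = json.loads(line)
        out.setdefault(event["name"], []).append((event["action"], event["columns"]))
    return out

if __name__ == "__main__":
    # Second run identical to the first: nothing logged, so rule 24010 stays quiet.
    print(result_log_lines("users_list", "linux-agent", 1609459200, FIRST_RUN, FIRST_RUN))
    # Third run: one account appeared and one disappeared -> two events.
    for line in result_log_lines("users_list", "linux-agent", 1609459320, FIRST_RUN, SECOND_RUN):
        print(line)
```

The point to take away is in `_key`: osquery compares whole rows, so a query that selects a volatile column (a timestamp, a counter) will report "added" and "removed" on every run and flood rule 24010; keep scheduled queries to columns that only change when something you care about changes.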

This only touches the tip of the iceberg of osquery and its integration with Wazuh. You can also distribute entire directories of osquery "packs" (groups of related queries) simply by maintaining them as a subdirectory of each agent group's shared directory, like this on the manager:
/var/ossec/etc/shared/windows/osquery-packs/

osquery only loads packs that its configuration references, so the pack files must be named either in the "packs" section of the shared osquery.conf or through <pack> entries in the wodle; dropping files into the directory alone does nothing.

Sysmon Integration with Wazuh

Lab 6b - Set up Sysmon on Windows agent


Fetch the SwiftOnSecurity Sysmon config for centralized distribution to agents
On your manager, fetch the latest high-signal tuned Sysmon config file from the SwiftOnSecurity source (a single command, shown on one line):

# wget -O /var/ossec/etc/shared/windows/sysmonconfig.xml https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml

Fetch custom rules optimized for the latest Sysmon and the SwiftOnSecurity config
Also on your manager, fetch the custom rules I use with the latest Sysmon version in conjunction with the above config file (again a single command):

# wget -O /var/ossec/etc/rules/1100_sysmon.xml https://raw.githubusercontent.com/branchnetconsulting/wazuh-tools/master/sysmon/1100_sysmon.xml

Restart the Wazuh manager so that the new rules are loaded.

# systemctl restart wazuh-manager

Fetch and Install Sysmon on Windows agent

On your Windows system, download Sysmon from https://download.sysinternals.com/files/Sysmon.zip. That URL always serves the current Sysinternals release; this lab was written against Sysmon 12.03 and the version-check rules later in this lab pin that number, so note which version you actually received.

Create a directory C:\Program Files (x86)\sysmon-wazuh\ and extract Sysmon.exe and Sysmon64.exe from the downloaded zip into that new directory (the centrally distributed reload command later in this lab runs Sysmon64.exe on 64-bit hosts). Sysinternals binaries are Authenticode-signed by Microsoft; checking the signature (Get-AuthenticodeSignature in PowerShell) before installing a kernel driver is a cheap supply-chain sanity check.

Open a command prompt as Administrator and run this command. It installs the Sysmon service and driver, imports the xml config file into the registry, and then starts the Sysmon service:

# C:\Progra~2\sysmon-wazuh\Sysmon.exe -i C:\progra~2\ossec-agent\shared\sysmonconfig.xml -accepteula

Note that Sysmon uses the configuration stored in the registry, which is why the config file is supplied as part of the install. Changes to the xml config file have no effect on Sysmon until the updated file is reimported with the -c option, like this:

# C:\Progra~2\sysmon-wazuh\Sysmon.exe -c C:\progra~2\ossec-agent\shared\sysmonconfig.xml

Centrally distributing and monitoring Sysmon
The Sysmon configuration can also be centrally distributed as follows:

● On the Wazuh Server, create a sysmon agent group via the web interface or with this command:

# /var/ossec/bin/agent_groups -a -g sysmon -q

● Download the SwiftOnSecurity config into the directory of this new agent group (a single command, shown on one line):

# wget -O /var/ossec/etc/shared/sysmon/sysmonconfig.xml https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml

Once an agent is added into this group, the Wazuh Manager will automatically distribute this config file along with the sysmon group's agent.conf. The agent restarts itself when it receives new shared configuration, which applies the new agent configuration; the Sysmon configuration itself is reimported into the registry by the reload_sysmon_config command in that agent.conf (below), on that command's schedule.

● Replace /var/ossec/etc/shared/sysmon/agent.conf with this content.

<agent_config>
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <alias>reload_sysmon_config</alias>
    <command>powershell.exe -Command "If ([Environment]::Is64BitProcess){c:\progra~2\sysmon-wazuh\Sysmon64.exe -c c:\progra~2\ossec-agent\shared\sysmonconfig.xml} else {c:\progra~2\sysmon-wazuh\Sysmon.exe -c c:\progra~2\ossec-agent\shared\sysmonconfig.xml}"</command>
    <frequency>86400</frequency>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <alias>get_sysmon_versions</alias>
    <command>powershell.exe -Command "$x=[System.Diagnostics.FileVersionInfo]::GetVersionInfo('c:\windows\SysmonDrv.sys').FileVersion.Trim(); $y=[System.Diagnostics.FileVersionInfo]::GetVersionInfo('C:\Program Files (x86)\sysmon-wazuh\Sysmon.exe').FileVersion.Trim(); Write-Output \"driver $x, exe $y\""</command>
    <frequency>86400</frequency>
  </localfile>
</agent_config>

Note that the first <localfile> section above is the Sysmon eventchannel collector you previously placed into the Windows agent.conf. It should live in only one place, so remove it from the windows group's agent.conf for agents that are now in the sysmon group; otherwise the agent ends up with two collectors on the same channel.

The second <localfile> reimports sysmonconfig.xml into the registry once every 24 hours (frequency 86400), which is what actually applies an updated config on the agent. The third <localfile> runs a PowerShell command on the same 24-hour schedule that reports the driver and executable versions as one line ("driver 12.03, exe 12.03" on a healthy host); its output is what the rules below alert on. Because the file-version lookups are wrapped in a single PowerShell command, a missing file leaves the corresponding variable empty rather than aborting the report, which is what the "missing" rules key on.

● You will then need to create rules that alert on the output of this command, which will allow you to monitor the Sysmon installation. Put the rules below in /var/ossec/etc/rules/local_rules.xml (inside a <group> element as shown; the group name is your choice) and restart the manager. Rule 102001 fires at level 12 on every version report; its children then replace it with a level 1 "all good" match when both versions are the pinned 12.03, or with a more specific level 12 alert when the driver, the executable, or both are missing. Any other version string, for example after a Sysmon upgrade, matches none of the children and falls through to 102001 itself, which is your cue to update the version pinned in 102002. Nothing alerts if the command never runs at all (agent offline, PowerShell blocked), so keep agent-disconnection alerting on as well.

<group name="sysmon_health,">
  <rule id="102001" level="12">
    <if_sid>530</if_sid>
    <match>'get_sysmon_versions'</match>
    <description>Sysmon version(s) are wrong.</description>
  </rule>

  <rule id="102002" level="1">
    <if_sid>102001</if_sid>
    <match>driver 12.03, exe 12.03</match>
    <description>Sysmon versions are right.</description>
  </rule>

  <rule id="102003" level="12">
    <if_sid>102001</if_sid>
    <regex>driver , exe $</regex>
    <description>Sysmon driver and exe are missing.</description>
  </rule>

  <rule id="102004" level="12">
    <if_sid>102001</if_sid>
    <match>driver , </match>
    <description>Sysmon driver is missing.</description>
  </rule>

  <rule id="102005" level="12">
    <if_sid>102001</if_sid>
    <regex>, exe $</regex>
    <description>Sysmon exe is missing.</description>
  </rule>
</group>
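As an added example (not Wazuh's rule engine, nor code from this lab), the following Python transcribes the five rules above into a toy evaluator and runs it over constructed get_sysmon_versions output lines, so you can see which rule wins for each host state before loading the rules on a manager. It models only what these rules use: a substring test for <match>, a Python regex for <regex> (the two patterns use "$" as an end anchor, which means the same in both dialects), and children tried in the order listed, descending on the first match. The sample lines, the "13.00" version and the reload_sysmon_config output text are all constructed; on a real manager, confirm behaviour with /var/ossec/bin/ossec-logtest.

```python
import re
from typing import Dict, List, Optional, Tuple

# The five lab rules, transcribed: (id, level, parent id, kind, pattern).
RULES: List[Tuple[int, int, int, str, str]] = [
    (102001, 12, 530,    "match", "'get_sysmon_versions'"),
    (102002, 1,  102001, "match", "driver 12.03, exe 12.03"),
    (102003, 12, 102001, "regex", r"driver , exe $"),
    (102004, 12, 102001, "match", "driver , "),
    (102005, 12, 102001, "regex", r", exe $"),
]

def _hits(kind: str, pattern: str, line: str) -> bool:
    # <match> = substring; <regex> = regex search (toy model of the Wazuh matchers).
    return pattern in line if kind == "match" else re.search(pattern, line) is not None

def evaluate(line: str) -> Optional[Tuple[int, int]]:
    """Return (rule id, level) of the deepest lab rule that matches, or None when
    none of them does. Rule 530, the parent, only matches command output lines."""
    if not line.startswith("ossec: output: "):
        return None
    matched: Optional[Tuple[int, int]] = None
    parent = 530
    while True:
        child = next(((rid, lvl) for rid, lvl, par, kind, pat in RULES
                      if par == parent and _hits(kind, pat, line)), None)
        if child is None:
            return matched
        matched, parent = child, child[0]

# Constructed lines in the shape <log_format>command</log_format> produces:
# "ossec: output: '<alias>': <one line of output>".
SAMPLES: Dict[str, str] = {
    "healthy":        "ossec: output: 'get_sysmon_versions': driver 12.03, exe 12.03",
    "driver_missing": "ossec: output: 'get_sysmon_versions': driver , exe 12.03",
    "exe_missing":    "ossec: output: 'get_sysmon_versions': driver 12.03, exe ",
    "both_missing":   "ossec: output: 'get_sysmon_versions': driver , exe ",
    "upgraded":       "ossec: output: 'get_sysmon_versions': driver 13.00, exe 13.00",  # hypothetical
    "other_command":  "ossec: output: 'reload_sysmon_config': configuration updated",  # constructed text
}

def needs_attention(lines: Dict[str, str]) -> List[Tuple[str, int]]:
    """(sample name, winning rule id) for every line whose winning rule is level 12+."""
    out = []
    for name, line in lines.items():
        hit = evaluate(line)
        if hit and hit[1] >= 12:
            out.append((name, hit[0]))
    return out

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:15s} -> {evaluate(line)}")
```

Two things the run makes visible: the order of 102003 before 102004 and 102005 is what gives the "both missing" case its own description, since all three patterns match that line; and a healthy host still produces a (level 1, unalerted) match every day, which you can count per agent to notice hosts that have silently stopped reporting.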

Run something evil-looking from the Windows command shell. Here we use the standard Microsoft certutil.exe tool as a covert-channel file downloader (a living-off-the-land download technique):

# certutil.exe -urlcache -split -f "https://download.sysinternals.com/files/PSTools.zip" pstools.zip

Search Kibana for
sysmon and *certutil*

Slack Lab and extensibility discussion
Our class Slack workspace

We will be using the #alertas-wazuh channel for our Slack lab.

Add to /var/ossec/etc/ossec.conf on manager (inside the top-level <ossec_config> element). Treat the hook_url as a secret: anyone who has it can post arbitrary messages into the channel, so keep it out of shared documents and repositories and rotate it in Slack if it leaks.

<!-- Slack ssh basic fail to green channel -->
<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/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</hook_url>
  <rule_id>5710</rule_id>
  <alert_format>json</alert_format>
</integration>

Restart manager

# systemctl restart wazuh-manager

Watch the Slack channel for alerts to start appearing every time one of our Linux systems has a failed ssh login attempt involving a nonexistent user name (rule 5710). Only rules listed in <rule_id> (or matching <level>/<group> filters, if you use those instead) are forwarded; everything else stays in Kibana only.
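The extensibility side of this lab: the same <integration> block can point at your own script instead of the bundled one. Below is an added example of a custom integration (it is not Wazuh's stock slack script). It assumes the argument layout integratord passes to the bundled scripts: argv[1] is a file holding the alert as JSON (because of <alert_format>json</alert_format>), argv[2] is the api_key (unused for Slack), argv[3] is the hook_url. The script name custom-slack-ssh, the field layout and the sample alert are this example's own choices; the sample alert is constructed and only a subset of a real alert.

```python
#!/usr/bin/env python3
"""Custom Wazuh integration: post selected alerts to a Slack incoming webhook.

Added example. Assumed argv layout (as for the bundled integrations):
  argv[1] alert file (JSON), argv[2] api_key (unused here), argv[3] hook URL.
"""
import json
import sys
import urllib.request

# Constructed alert shaped like a rule 5710 alert; a real alert carries more fields.
SAMPLE_ALERT = {
    "timestamp": "2021-01-01T00:00:00.000+0000",
    "rule": {"id": "5710", "level": 5,
             "description": "sshd: Attempt to login using a non-existent user",
             "groups": ["syslog", "sshd", "invalid_login", "authentication_failed"]},
    "agent": {"id": "001", "name": "linux-agent"},
    "data": {"srcip": "203.0.113.7", "srcuser": "admin"},
    "full_log": "Jan  1 00:00:00 linux-agent sshd[1234]: Invalid user admin from 203.0.113.7 port 51234",
}

def load_alert(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def severity_color(level: int) -> str:
    # Map Wazuh levels onto Slack attachment colours.
    return "danger" if level >= 12 else "warning" if level >= 7 else "good"

def build_payload(alert: dict) -> dict:
    """Build the webhook body. Every field is optional so a differently shaped
    alert degrades to a shorter message instead of a crashed integration."""
    rule, agent, data = alert.get("rule", {}), alert.get("agent", {}), alert.get("data", {})
    level = int(rule.get("level", 0))
    fields = [
        {"title": "Agent", "value": f"{agent.get('name', '?')} ({agent.get('id', '?')})", "short": True},
        {"title": "Level", "value": str(level), "short": True},
    ]
    if data.get("srcip"):
        fields.append({"title": "Source IP", "value": data["srcip"], "short": True})
    if data.get("srcuser"):
        fields.append({"title": "User", "value": data["srcuser"], "short": True})
    return {"attachments": [{
        "color": severity_color(level),
        "pretext": f"Wazuh rule {rule.get('id', '?')}: {rule.get('description', '')}",
        "text": alert.get("full_log", ""),
        "fields": fields,
        "footer": alert.get("timestamp", ""),
    }]}

def post(hook_url: str, payload: dict) -> int:
    """POST the payload as JSON; returns the HTTP status (Slack answers 200)."""
    req = urllib.request.Request(hook_url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def main(argv) -> int:
    if len(argv) < 4:
        sys.stderr.write("usage: custom-slack-ssh <alert_file> <api_key> <hook_url>\n")
        return 2
    alert = load_alert(argv[1])
    return 0 if post(argv[3], build_payload(alert)) == 200 else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use it, save the script as /var/ossec/integrations/custom-slack-ssh (custom integration names must start with "custom-"), make it executable and owned root:ossec with mode 750, then change <name>slack</name> to <name>custom-slack-ssh</name> in the <integration> block and restart the manager. Note that the script trusts nothing from the alert for routing: the hook URL comes only from ossec.conf, so a crafted log line cannot redirect where alerts are posted.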

VirusTotal

CloudTrail
We will have some discussion about AWS CloudTrail audit log collection if time permits.

https://documentation.wazuh.com/3.11/amazon/services/cloudtrail.html (this link is to the 3.11 documentation; select the documentation version matching the 4.1 manager used in this course)
