Professional Documents
Culture Documents
Lab-Guide - Session 6
Wazuh 4.1.5
Elastic Stack 7.10.0
OpenDistro 1.12.0
Table of Contents
Integrator system
PagerDuty review
Slack Lab and extensibility discussion
Our class Slack workspace
Add to /var/ossec/etc/ossec.conf on manager
Restart manager
Watch the Slack channel for alerts to start appearing every time one of our linux
systems has a failed ssh login attempt involving a nonexistent user name.
VirusTotal
CloudTrail
# wget https://pkg.osquery.io/rpm/osquery-3.3.2-1.linux.x86_64.rpm
...
# rpm -ivh osquery-3.3.2-1.linux.x86_64.rpm
warning: osquery-3.3.2-1.linux.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID c9d8b80b:
NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:osquery-3.3.2-1.linux ################################# [100%]
Install osquery on windows-agent by downloading this MSI via Chrome and running it
https://pkg.osquery.io/windows/osquery-3.3.2.msi
then open Powershell as administrator and run this command to remove the Windows service
C:\ProgramData\osquery\osqueryd\osqueryd.exe --uninstall
This particular MSI creates a Windows service we don't want when we are exclusively running
osquery as a subprocess of the Wazuh agent. A more ideal deployment might involve pushing
osquery to all Windows systems via a custom built WPK package that installs Osquery without
creating a Windows service. Or in a more robust deployment of Osquery you might want it
running as a standard service that is independent from Wazuh agent so it can be interactively
queried via something like Kolide Fleet, while still allowing Wazuh agent to run scheduled
queries.
<wodle name="osquery">
<disabled>no</disabled>
<run_daemon>yes</run_daemon>
<bin_path>C:\ProgramData\osquery\osqueryd</bin_path>
<log_path>C:\ProgramData\osquery\log\osqueryd.results.log</log_path>
<config_path>C:\Progra~2\ossec-agent\shared\osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<wodle name="osquery">
<disabled>no</disabled>
<run_daemon>yes</run_daemon>
<bin_path>/usr/bin</bin_path>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/var/ossec/etc/shared/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
The only variation from the defaults here is that <config_path> points at an osquery.conf file in
the same centralized distribution directory as agent.conf.
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"utc": "true"
},
"schedule": {
"chrome_extension": {
"query": "SELECT name FROM chrome_extensions WHERE uid IN (SELECT uid FROM users);",
"interval": 120
}
}
}
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"utc": "true"
},
"schedule": {
"users_list": {
"query": "select username,description from users;",
"interval": 120
}
}
}
Next add a new user to one of the Linux systems and remove the Google Keep Chrome
extension from the Windows system.
After the initial query results are collected by Osquery, future findings, which in this lab are
being queried for every 2 minutes, are only reported if something new appears in the results
or something that formerly was in the results ceases to appear there.
This only touches the tip of the iceberg of Osquery and the ability to integrate it with Wazuh.
You can also distribute entire directories of Osquery "packs" consisting of groups of related
queries. These can simply be maintained as a subdirectory of each agent-group's shared
directory, like this on the manager:
/var/ossec/etc/shared/windows/osquery-packs/
# wget -O /var/ossec/etc/shared/windows/sysmonconfig.xml
https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml
Fetch custom rules optimized for the latest Sysmon and the SwiftOnSecurity config
Also on your manager, fetch the custom rules I use with the latest Sysmon version in conjunction with
the above config file. This also is a line-wrapped one-line command:
# wget -O /var/ossec/etc/rules/1100_sysmon.xml
https://raw.githubusercontent.com/branchnetconsulting/wazuh-tools/master/sysmon/1100_sysmon.xml
Restart the Wazuh manager so that the new rules are loaded.
Create a directory c:\Program Files (x86)\sysmon-wazuh\ and then extract Sysmon.exe from the
downloaded zip file into that new directory.
Open command prompt as Administrator and run this command. This will install the Sysmon service,
import the xml config file into the registry, and then start the Sysmon service.
Note that Sysmon uses the configuration that is stored in the registry which is why we specify it above
as part of the install process. Changes to the xml config file will have no impact on Sysmon unless
the updated xml file in reimported with the -c option like this:
# C:\Progra~2\sysmon-wazuh\Sysmon.exe -c C:\progra~2\ossec-agent\shared\sysmonconfig.xml
● On the Wazuh Server, create a sysmon agent group via web interface or this
command::
# /var/ossec/bin/agent_groups -a -g sysmon -q
● Download the SwiftonSecurity config into the directory of this new agent group. Note
the second command below is a line-wrapped one line command::
# wget -O /var/ossec/etc/shared/sysmon/sysmonconfig.xml
https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.x
ml
Once an agent is added into this group, the Wazuh Manager will automatically
distribute this config file along with the information from the Sysmon agent group's
agent.conf file. This will also restart the agent on the target host, thus applying the
new agent and Sysmon configuration.
<agent_config>
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<log_format>full_command</log_format>
<alias>reload_sysmon_config</alias>
<command>powershell.exe -Command "If
([Environment]::Is64BitProcess){c:\progra~2\sysmon-wazuh\Sysmon64.exe -c
c:\progra~2\ossec-agent\shared\sysmonconfig.xml} else
{c:\progra~2\sysmon-wazuh\Sysmon.exe -c
c:\progra~2\ossec-agent\shared\sysmonconfig.xml}"</command>
<frequency>86400</frequency>
</localfile>
<localfile>
<log_format>command</log_format>
<alias>get_sysmon_versions</alias>
<command>powershell.exe -Command
"$x=[System.Diagnostics.FileVersionInfo]::GetVersionInfo('c:\windows\SysmonDr
v.sys').FileVersion.Trim();
$y=[System.Diagnostics.FileVersionInfo]::GetVersionInfo('C:\Program Files
(x86)\sysmon-wazuh\Sysmon.exe').FileVersion.Trim(); Write-Output \"driver $x,
exe $y\""</command>
<frequency>86400</frequency>
</localfile>
</agent_config>
Note that the first <localfile> section above is what you previously placed into the
Windows agent.conf file in the above lab. This should only be in one place.
Also, note that the second <localfile> section above initiates a powershell command
to check the driver and executable versions. This command runs on the specified
frequency, which in this case is once every 24 hours.
Run something evil-looking from the Windows command shell. Here we use the
standard Microsoft certutil.exe tool as a covert channel file downloader.
Restart manager
systemctl restart wazuh-manager
Watch the Slack channel for alerts to start appearing every time one of
our linux systems has a failed ssh login attempt involving a nonexistent
user name.
VirusTotal
CloudTrail
We will have some discussion about AWS Cloudtrail audit log collection if time permits.
https://documentation.wazuh.com/3.11/amazon/services/cloudtrail.html