Monitor Process Creation Events on Windows Systems using Wazuh and ELK stack

kifarunix.com, published 2022-03-17 (last modified 2024-03-09)
https://kifarunix.com/monitor-process-creation-events-on-windows-systems-using-wazuh-and-elk-stack/
In this tutorial, you will learn how to monitor process creation events on Windows systems using Wazuh and ELK Stack. On Windows systems, when a program runs, a process is created. Monitoring process creation events is paramount in detecting would-be malicious activity (malware and threat actors), as it gives you more visibility into what is happening within your Windows environment.

In order to monitor process creation events on Windows systems, you need to collect the process creation events and push them to the Wazuh Manager.

In this tutorial, we will be using Wazuh agents and Sysmon to collect events from various Windows event channels, including process creation events.

Thus, before you begin, ensure that you have ELK Stack integrated with the Wazuh Manager installed and running. See the example tutorials below:

Integrate Wazuh Manager with ELK Stack

Install Wazuh Server on Rocky Linux 8

NOTE: We are running ELK 7.14.2 and Wazuh Manager 4.2.5.

Kibana (ELK) version:

```shell
cat /usr/share/kibana/package.json | grep version
```

Sample output:

```
"version": "7.14.2",
```

Wazuh Manager version:

```shell
/var/ossec/bin/wazuh-control info | grep WAZUH_VERSION
```

Sample output:

```
WAZUH_VERSION="v4.2.5"
```

Install Wazuh Agents on Windows Systems

In this example setup, I will be using a Windows 10 system for demonstration purposes.

To install the Wazuh agent on Windows 10 and automatically add it to the Wazuh Manager:

```powershell
cd C:\Users\<username>\Downloads\
.\wazuh-agent-4.2.5-1.msi /q WAZUH_MANAGER="192.168.58.26" WAZUH_REGISTRATION_SERVER="192.168.58.26"
```

Once the installation is done, the Wazuh agent is started and enabled to run on system boot.

It should also be showing on the Kibana Wazuh App.

To confirm on the Wazuh Manager command line:

```shell
/var/ossec/bin/agent_control -l
```

You should see it among the active agents.

Install Sysmon on Windows Systems

In this example setup, we will install Sysmon with a customized SwiftOnSecurity configuration file template with default high-quality event tracing.

Thus:

```powershell
cd C:\'Program Files'\Sysmon
.\Sysmon64.exe -i .\sysmonconfig-export.xml -accepteula
```

```
System Monitor v13.33 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2022 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.50
Sysmon schema version: 4.81
Configuration file validated.
Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.
```

Configure Wazuh agent to monitor Sysmon events

Next, you need to ensure that the Wazuh agent can monitor Sysmon events.

Thus, edit the Wazuh agent configuration file, C:\Program Files (x86)\ossec-agent\ossec.conf, using your preferred text editor as administrator, and add the lines below to the config file:

```xml
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```

We put them just before the policy monitoring section:

```xml
...
  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>
...
```

Save the file once you have added the lines.

Update Wazuh Manager Rules

Next, you need to update the Wazuh Manager rules to process Sysmon events:

```shell
cat >> /var/ossec/etc/rules/local_rules.xml << 'EOL'
<group name="sysmon,">
  <rule id="220000" level="3">
    <if_group>sysmon</if_group>
    <description>Windows Sysmon event. Event ID: $(win.system.eventID)</description>
    <options>no_full_log</options>
  </rule>
</group>
EOL
```

Simulate Process Creation Events

Next, in order to verify that the Wazuh-Sysmon integration can actually collect process creation events, you need to simulate these events and check whether they appear on the Kibana Wazuh App dashboard.

To simulate process creation, run some programs. For example, let's launch Notepad (it can be any program) by clicking the desktop app.

Once it launches, go to the Kibana Wazuh App and check the events sent by the Windows host.

Sysmon process creation events are identified by Event ID 1. Hence, be on the lookout for such events. See the event highlighted in the sample screenshot below:

[Screenshot: Sysmon Event ID 1 highlighted in the Kibana Wazuh App events list]

You can as well filter the events based on the ID, for example data.win.system.eventID: 1.

[Screenshot: events filtered by data.win.system.eventID: 1]

Read more about Sysmon events and IDs on the Sysmon Events page.

Click the highlighted button to expand and see more details about the event, including the extracted fields.

[Screenshot: expanded event view with extracted fields]

When you scroll down the expanded view, you can see the event message. This is where you can see the details about the process created by launching Notepad++, with all the fields in one place.

You can also detect the process created by launching a program from PowerShell. For example, you can launch Notepad++ from PowerShell by running the following (the call operator & is needed to execute a quoted path; on its own, the quoted string would only be echoed):

```powershell
& 'C:\Program Files\Notepad++\notepad++.exe'
```

The events will as well show up on the Kibana Wazuh App events dashboard:

[Screenshot: process creation event for notepad++.exe launched from PowerShell]

You can compare the two events above.

Another example is to launch a program from PowerShell and pass command line arguments. For example, to open a file using Notepad++ from the command line:

```powershell
& 'C:\Program Files\Notepad++\notepad++.exe' 'C:\Program Files (x86)\ossec-agent\ossec.conf'
```

Sample events:

[Screenshot: process creation event showing the full command line with the ossec.conf argument]
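The dashboard filter data.win.system.eventID: 1 used above can be applied just as well on the manager, where every alert raised by the rule is written as one JSON line to alerts.json. The following Python script is an added example, not part of the original tutorial or of Wazuh itself: it reads alert lines, keeps only Sysmon Event ID 1, and pulls out the fields shown in the expanded event view (image, parent image, command line, user). The three alert lines are constructed for the example and only mirror the nested data.win.system / data.win.eventdata layout; the helper names are mine.

```python
import json

# Constructed sample lines in the shape of the manager's alerts.json
# (one JSON alert per line). Field names follow the data.win.system /
# data.win.eventdata layout referenced on the page; values are made up.
SAMPLE_ALERTS = r'''
{"rule":{"id":"220000","level":3,"groups":["sysmon"]},"agent":{"id":"001","name":"WIN10-DEMO"},"data":{"win":{"system":{"eventID":"1","channel":"Microsoft-Windows-Sysmon/Operational"},"eventdata":{"image":"C:\\Program Files\\Notepad++\\notepad++.exe","commandLine":"\"C:\\Program Files\\Notepad++\\notepad++.exe\" \"C:\\Program Files (x86)\\ossec-agent\\ossec.conf\"","parentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","user":"WIN10-DEMO\\analyst"}}}}
{"rule":{"id":"220000","level":3,"groups":["sysmon"]},"agent":{"id":"001","name":"WIN10-DEMO"},"data":{"win":{"system":{"eventID":"3","channel":"Microsoft-Windows-Sysmon/Operational"},"eventdata":{"image":"C:\\Windows\\System32\\svchost.exe","destinationIp":"192.0.2.10"}}}}
{"rule":{"id":"533","level":7,"groups":["ossec"]},"agent":{"id":"001","name":"WIN10-DEMO"},"data":{"srcport":"445"}}
'''

def parse_alerts(text):
    """Parse newline-delimited alert JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def sysmon_event_id(alert):
    """Sysmon event ID of an alert as an int, or None for non-Sysmon alerts."""
    system = alert.get("data", {}).get("win", {}).get("system", {})
    if system.get("channel") != "Microsoft-Windows-Sysmon/Operational":
        return None
    try:
        return int(system["eventID"])
    except (KeyError, ValueError):
        return None

def process_creation_events(alerts):
    """Keep Event ID 1 (process create) alerts and extract who ran what, from which parent."""
    events = []
    for alert in alerts:
        if sysmon_event_id(alert) != 1:
            continue
        ev = alert["data"]["win"]["eventdata"]
        events.append({
            "agent": alert.get("agent", {}).get("name"),
            "user": ev.get("user"),
            "image": ev.get("image"),
            "parent_image": ev.get("parentImage"),
            "command_line": ev.get("commandLine"),
        })
    return events

def by_parent(events):
    """Group created processes by parent image: the first pivot when hunting odd parent/child pairs."""
    groups = {}
    for e in events:
        groups.setdefault(e["parent_image"], []).append(e["image"])
    return groups
```

To run it over real data, pass the contents of /var/ossec/logs/alerts/alerts.json on the manager to parse_alerts instead of SAMPLE_ALERTS.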
And there you go. That is how you can easily use the Wazuh Manager to monitor process creation events on Windows systems.

Reference

Sysmon Events page (Sysmon event IDs)

Other Tutorials

Detecting threats using Wazuh

Monitor Changes to Critical Files on Windows Systems using Wazuh and ELK