Adversary emulation with Caldera and Wazuh: Part 02
Deploy Agents on Linux machines
Two Windows agents and one Linux agent.
Configure Sysmon
We configure the agent to capture Sysmon events by adding the following settings to the agent configuration file, C:\Program Files (x86)\ossec-agent\ossec.conf:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
Restart the Wazuh agent after modifying the agent configuration file.
Detection using Wazuh
The attacks against the Linux agent are detected by the default out-of-the-box ruleset used for threat detection.
For the Windows agent, we write custom rules to detect these techniques. The following rules are added to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server.
<group name="windows">
  <rule id="180001" level="8" ignore="120">
    <if_group>windows</if_group>
    <match>bitsadmin.exe /transfer /Download /priority Foreground</match>
    <description>Suspicious download and execution with BITS job on $(win.system.computer)</description>
    <mitre>
      <id>T1197</id>
    </mitre>
  </rule>
  <rule id="180002" level="8" ignore="120">
    <if_group>windows</if_group>
    <match type="pcre2">(?i)(tshark|wireshark)</match>
    <description>Network sniffing tool discovered on $(win.system.computer)</description>
    <mitre>
      <id>T1040</id>
    </mitre>
  </rule>
  <rule id="180003" level="8" ignore="120">
    <if_group>windows</if_group>
    <field name="win.eventdata.commandline" type="pcre2"> reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\" /v PortNumber /t REG_DWORD *</field>
    <description>RDP port has been changed on $(win.system.computer)</description>
    <mitre>
      <id>T1021.001</id>
    </mitre>
  </rule>
</group>
Restart the Wazuh Manager after adding the above rules.
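To sanity-check the three custom rules before relying on them, the following Python script, an added example that is not part of the original post or of Wazuh itself, replays constructed Sysmon-style events through the same kind of matching the rules use: a substring test for a plain <match>, and regex searches for the pcre2 patterns (Python's re treats these particular expressions the same way PCRE2 does). Two details follow from the rule text itself: the rule 180003 pattern is written against the JSON-escaped form of the command line (a backslash is spelled \\\\ and a quote \\\", so the script matches it against json.dumps output), and that pattern begins with a space, so a command line that starts directly with "reg add" is not caught. The event layout, host names and command lines are constructed; confirm the result on your own manager with /var/ossec/bin/wazuh-logtest.

```python
"""Offline replay of the three custom Wazuh rules against constructed events.
Added example, not Wazuh code: only the match semantics the rules depend on
are re-implemented (substring for <match>, regex for type="pcre2")."""
import json
import re

# Rule bodies copied from local_rules.xml: (match kind, pattern, MITRE id).
RULES = {
    180001: ("match", "bitsadmin.exe /transfer /Download /priority Foreground", "T1197"),
    180002: ("pcre2_log", r"(?i)(tshark|wireshark)", "T1040"),
    180003: (
        "pcre2_field",
        r' reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server'
        r'\\\\WinStations\\\\RDP-Tcp\\\" /v PortNumber /t REG_DWORD *',
        "T1021.001",
    ),
}

DESCRIPTIONS = {
    180001: "Suspicious download and execution with BITS job on $(win.system.computer)",
    180002: "Network sniffing tool discovered on $(win.system.computer)",
    180003: "RDP port has been changed on $(win.system.computer)",
}

# Constructed sample events (not real captures). "commandline" is the raw
# Sysmon Event ID 1 CommandLine; "computer" stands in for win.system.computer.
SAMPLE_EVENTS = {
    "bits_download": {
        "computer": "WIN-AGENT-01",
        "commandline": r"bitsadmin.exe /transfer /Download /priority Foreground "
                       r"http://placeholder.invalid/file.txt C:\Users\Public\file.txt",
    },
    "sniffer": {
        "computer": "WIN-AGENT-02",
        "commandline": r'"C:\Program Files\Wireshark\tshark.exe" -i 1 -w C:\Temp\capture.pcapng',
    },
    "rdp_port_change": {
        "computer": "WIN-AGENT-01",
        "commandline": r'cmd.exe /c reg add "HKLM\System\CurrentControlSet\Control\Terminal Server'
                       r'\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3390 /f',
    },
    # Same change, but nothing precedes "reg": the rule's leading space never matches.
    "rdp_port_change_no_prefix": {
        "computer": "WIN-AGENT-01",
        "commandline": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server'
                       r'\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3390 /f',
    },
    "benign_reg": {
        "computer": "WIN-AGENT-02",
        "commandline": r'reg add "HKLM\Software\Contoso\App" /v Enabled /t REG_DWORD /d 1 /f',
    },
}


def as_agent_json(event):
    """Build a JSON message shaped like the agent's eventchannel output.
    The exact field layout is an assumption; only the JSON escaping matters here."""
    return json.dumps({"win": {"system": {"computer": event["computer"]},
                               "eventdata": {"commandLine": event["commandline"]}}})


def json_escaped(value):
    # JSON string escaping without the outer quotes: \ becomes \\ and " becomes \"
    return json.dumps(value)[1:-1]


def evaluate(event):
    """Return the ids of the custom rules that fire for one event, ascending."""
    full_log = as_agent_json(event)
    field_value = json_escaped(event["commandline"])
    fired = []
    for rule_id, (kind, pattern, _technique) in RULES.items():
        if kind == "match":                 # <match>: substring of the whole log
            hit = pattern in full_log
        elif kind == "pcre2_log":           # <match type="pcre2">: regex over the whole log
            hit = re.search(pattern, full_log) is not None
        else:                               # <field name="win.eventdata.commandline">
            hit = re.search(pattern, field_value) is not None
        if hit:
            fired.append(rule_id)
    return sorted(fired)


def alert_lines(event):
    """Render the description of each fired rule with $(win.system.computer) expanded."""
    return [DESCRIPTIONS[r].replace("$(win.system.computer)", event["computer"])
            + f" [rule {r}, {RULES[r][2]}]" for r in evaluate(event)]


def run_samples():
    """Map each sample event name to the rule ids that fire for it."""
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(name, alert_lines(ev) or ["no custom rule fired"])
```

Running it shows one rule firing per malicious sample and none for the benign registry write; the "no prefix" case documents the gap left by the leading space in rule 180003, which you can close by dropping that space if your emulation runs reg.exe directly.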
Set up adversary profiles with MITRE techniques
Linux endpoint
From the CALDERA server URL, navigate to the adversary section and create an adversary profile. For this blog post, we create an adversary profile named Linux-Adver-Profile. For easy identification of this profile, we add the description Linux MITRE techniques.
After creating the profile, proceed to add the MITRE techniques using the Add Ability feature of CALDERA.
Windows endpoint
We create an adversary profile named Windows-Adver-Profile. For easy identification of this profile, we add the description Windows MITRE techniques.
After creating the profile, we add the MITRE techniques using the Add Ability feature of CALDERA. We add the three techniques to be emulated and these can be seen in the image below. Click on Save Profile to save the abilities to the profile.
Run operations for the two adversarial profiles created
To run the attack against the endpoints, we follow these steps:
- Navigate to the operations section and create a new operation.
- Add a new operation name and select one of the two adversary profiles.
- Select the Linux adversary profile for the Linux endpoint, or the Windows adversary profile for the Windows endpoints.
- Click on Start to run the attack. Upon completion, click on Stop to begin the cleanup process.
Windows Victims
Operation executed on Windows Agents:
Wazuh Detection
Linux Victim
Run the operation on the Linux host
Wazuh Detection
Conclusion
We can use CALDERA to emulate known adversary behavior, and we can detect that adversary activity by creating effective detection rules in the Wazuh platform.