Cobalt Strike detection: didn't create alerts


Vairamuthu Forlife

Mar 27, 2023, 6:15:06 AM
to wa...@googlegroups.com
Hi,
We have been working on a Cobalt Strike POC, but something is wrong. It didn't create alerts as expected.

I followed these steps carefully and double checked once, but no alerts. I am not sure which step needs troubleshooting.
Can someone have a look at that blog please? Thanks.

Diego Mendez Sakugawa

Mar 27, 2023, 7:30:28 AM
to Wazuh mailing list
Hello Vairamuthu,

Could you please confirm that you restarted the Wazuh manager and agent after adding the required rules and the Sysmon log collector configuration?
Have you generated events with event ID 17 in the Microsoft-Windows-Sysmon/Operational channel on the agent? This would let us know whether the events were generated on the agent at all.

Thank you!

Vairamuthu Forlife

Mar 28, 2023, 3:25:15 PM
to Diego Mendez Sakugawa, Wazuh mailing list
Thanks Diego for your response, much appreciated.


1) On that blog, it says we should update ossec.conf with this:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

Please verify the location, as it has a forward slash instead of a backslash.

2) About your question on restarting: I restarted the agent, but I didn't restart the manager (I didn't remember this step from the blog; let me verify and restart it as well).

3) "Have you generated events with event ID 17 in the Microsoft-Windows-Sysmon/Operational channel on the agent?"
As suggested on the blog, I have updated the local_rules.xml file.
I am not sure how to generate event ID 17; could you please suggest the steps? Thanks.

Diego Mendez Sakugawa

Mar 30, 2023, 11:50:35 AM
to Wazuh mailing list
Hello Vairamuthu,

Yes, for the agent to collect these logs, you need to add the following configuration to its ossec.conf file:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

If you followed the guide, you need to restart the agent for the configuration to take effect.

Finally, to generate the events as a simulation, you can use https://github.com/NextronSystems/APTSimulator, as stated in the Cobalt Strike article.

Please let me know if you have any remaining questions or issues.

Thank you!
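The troubleshooting steps Diego asks about can be checked from the agent itself. The script below is an added example for this thread, not code from the blog or from the Wazuh project. It assumes the default agent install path (C:\Program Files (x86)\ossec-agent\ossec.conf), an agent service named WazuhSvc (older installs used OssecSvc), and a Sysmon configuration that includes a <PipeEvent> rule; without such a rule Sysmon writes no event 17 at all, which is the most common reason "I can't find event 17" comes up. The channel name Microsoft-Windows-Sysmon/Operational is spelled with a forward slash both in Event Viewer and in Get-WinEvent, so the localfile block quoted above is correct as written. The pipe name used here follows a publicly documented Cobalt Strike default (MSSE-####-server); whether the blog's rules match that exact pattern is not stated on this page, and creating such a pipe on a monitored production host may trigger other tooling, so run it in the lab only.

```powershell
# Added troubleshooting script for the thread above (not from the blog or the Wazuh project).
# Assumptions: default agent path, service name WazuhSvc/OssecSvc, Sysmon with a PipeEvent rule.
#Requires -RunAsAdministrator

$channel   = 'Microsoft-Windows-Sysmon/Operational'      # forward slash is the real channel name
$ossecConf = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
$pipeName  = 'MSSE-1234-server'   # publicly documented Cobalt Strike default pipe pattern; lab only

# 1. Is Sysmon installed and running? No service means no event 17, ever.
$sysmon = Get-Service | Where-Object { $_.Name -like 'Sysmon*' }
if (-not $sysmon -or $sysmon.Status -ne 'Running') {
    Write-Warning 'Sysmon service not found or not running.'
}

# 2. Create a named pipe so Sysmon has something to record as event 17 (Pipe Created).
#    The NamedPipeServerStream constructor calls CreateNamedPipe immediately.
$start  = Get-Date
$server = New-Object System.IO.Pipes.NamedPipeServerStream($pipeName)
Start-Sleep -Seconds 2
$server.Dispose()

# 3. Did event 17 land in the channel since the pipe was created?
$events = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 17; StartTime = $start } `
                       -ErrorAction SilentlyContinue
if ($events) {
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $pipe = ($xml.Event.EventData.Data | Where-Object Name -eq 'PipeName').'#text'
        '{0}  event 17  pipe={1}' -f $e.TimeCreated, $pipe
    }
} else {
    Write-Warning "No event 17 since $start. Check that the Sysmon config contains a <PipeEvent> rule; Sysmon does not log pipe creation without one."
}

# 4. Does the agent actually collect that channel? This is the localfile block from the blog.
$conf = Get-Content -Raw -Path $ossecConf
if ($conf -match [regex]::Escape("<location>$channel</location>")) {
    "ossec.conf collects $channel"
} else {
    Write-Warning "ossec.conf has no <localfile> entry for $channel; add it and restart the agent."
}

# 5. Restart the agent so any ossec.conf change takes effect.
$agent = Get-Service | Where-Object { $_.Name -in 'WazuhSvc', 'OssecSvc' }
if ($agent) {
    Restart-Service -Name $agent.Name
    "Restarted $($agent.Name)"
} else {
    Write-Warning 'Wazuh agent service not found; adjust the service name for your install.'
}
```

Two caveats the script cannot check for you. Rules in local_rules.xml are evaluated on the manager, not the agent, so a manager restart is required after editing them, and after the agent restart the place to look is the manager's alerts output (for example /var/ossec/logs/alerts/alerts.json) rather than the agent. If step 3 shows event 17 but no alert appears, the problem is on the manager side (rules or restart), not Sysmon.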