Monitoring Windows System


Wade

Aug 7, 2018, 2:57:57 PM
to Wazuh mailing list
Hey Everyone,

This may be pretty obvious, but is there some concise documentation that tells me how to set up monitoring on Windows clients? I have gone through the documentation, and it seems to be very long, and in some cases very confusing.

I was able to install Wazuh agent on three Windows systems.  However, I am having trouble configuring them to track various things.

How can I know the default settings of what they are tracking?

Is there an easy ruleset that would cover most of the "default" things I should be looking for?

I guess I would love a HOWTO guide, but not finding anything for the absolute beginner which also explains why specific changes are being recommended.

Thanks,
Wade

rafael...@wazuh.com

Aug 8, 2018, 2:24:19 AM
to Wazuh mailing list
Hi Wade,

As Wazuh is made of different components, the documentation explains them separately. I will try to give you a basic explanation of how it works.

With a Wazuh agent you can collect information about different things on the system, for example:

- Monitor Windows registry changes for the keys that you want with syscheck. https://documentation.wazuh.com/3.x/user-manual/reference/ossec-conf/syscheck.html
- File Integrity Monitoring with syscheck.
- Monitor rootkits and other malicious processes with rootcheck. https://documentation.wazuh.com/3.x/user-manual/reference/ossec-conf/rootcheck.html
- Obtain system information (OS, packages, hardware) with syscollector. https://documentation.wazuh.com/3.x/user-manual/reference/ossec-conf/wodle-syscollector.html

To take a look at the default configuration for your Windows agents, open the GUI and click on View->View Config (ossec.conf file).

Here is a default configuration for syscheck where you can see the default monitored directories and registry keys:

<!-- File integrity monitoring -->
<syscheck>
  <!-- By default it is disabled. In the Install you must choose to enable it. -->
  <disabled>yes</disabled>

  <!-- Frequency that syscheck is executed default every 12 hours -->
  <frequency>43200</frequency>

  <!-- Default files to be monitored. -->
  <directories check_all="yes">%WINDIR%\regedit.exe</directories>
  <directories check_all="yes">%WINDIR%\system.ini</directories>
  <directories check_all="yes">%WINDIR%\win.ini</directories>

  <directories check_all="yes">%WINDIR%\SysNative\at.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\attrib.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\cacls.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\cmd.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\drivers\etc</directories>
  <directories check_all="yes">%WINDIR%\SysNative\eventcreate.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\ftp.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\lsass.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\net.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\net1.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\netsh.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\reg.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\regedt32.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\regsvr32.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\runas.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\sc.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\schtasks.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\sethc.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\subst.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\wbem\WMIC.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe</directories>
  <directories check_all="yes">%WINDIR%\SysNative\winrm.vbs</directories>

  <!-- 32-bit programs. -->
  <directories check_all="yes">%WINDIR%\System32\at.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\attrib.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\cacls.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\cmd.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\drivers\etc</directories>
  <directories check_all="yes">%WINDIR%\System32\eventcreate.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\ftp.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\net.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\net1.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\netsh.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\reg.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\regedit.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\regedt32.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\regsvr32.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\runas.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\sc.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\schtasks.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\sethc.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\subst.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\wbem\WMIC.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe</directories>
  <directories check_all="yes">%WINDIR%\System32\winrm.vbs</directories>

  <directories check_all="yes" realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

  <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

  <!-- Windows registry entries to monitor. -->
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

  <!-- Windows registry entries to ignore. -->
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
  <registry_ignore type="sregex">\Enum$</registry_ignore>

  <!-- Remove not monitored files -->
  <remove_old_diff>yes</remove_old_diff>

  <!-- Frequency for ACL checking (seconds) -->
  <windows_audit_interval>300</windows_audit_interval>
</syscheck>


There you can add your own directories to be monitored.

The default log files being monitored are the following:

<!-- Log analysis -->
<localfile>
  <location>Application</location>
  <log_format>eventlog</log_format>
</localfile>

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]
  </query>
</localfile>

<localfile>
  <location>System</location>
  <log_format>eventlog</log_format>
</localfile>

<localfile>
  <location>active-response\active-responses.log</location>
  <log_format>syslog</log_format>
</localfile>


If, for example, you want to monitor a custom log file, you can add the following entry:

<localfile>
  <location>C:\example.log</location>
  <log_format>syslog</log_format>
</localfile>


Every time you change the configuration, you must restart the agent.

Now, the Wazuh manager comes with a package of rules and decoders to generate alerts for almost any case: https://github.com/wazuh/wazuh-ruleset

I hope this is useful for you.

Best regards.
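Added example, not part of the thread and not Wazuh's own tooling: a small script that answers Wade's "what are the agents tracking by default?" by reading an agent ossec.conf and listing the FIM paths, registry keys and log sources it contains, then appends a custom `<localfile>` entry the way the reply describes, without hand-editing XML. It splices text rather than re-serializing the file so the comments in the default config survive, refuses duplicate locations, and re-parses the result to prove it is still well-formed. The sample configuration embedded below is constructed for the example (cut down from the defaults quoted above); the agent config path and the `summarize`/`add_localfile` function names are this example's own assumptions.

```python
"""Inspect what a Wazuh Windows agent tracks and add a custom log source.

Added example (not Wazuh code). SAMPLE_CONF is a constructed, trimmed copy of the
defaults quoted in the thread; pass a real ossec.conf path as the first argument
to inspect an actual agent instead.
"""
import sys
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: a few of the default syscheck and localfile entries.
SAMPLE_CONF = r"""<ossec_config>
  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes">%WINDIR%\regedit.exe,%WINDIR%\win.ini</directories>
    <directories check_all="yes">%WINDIR%\System32\drivers\etc</directories>
    <directories check_all="yes" realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156]</query>
  </localfile>
</ossec_config>
"""


def _parse(conf_text):
    # ossec.conf may contain several top-level <ossec_config> blocks, which is
    # not one XML document; wrapping it in a root lets ElementTree accept it.
    return ET.fromstring("<root>" + conf_text + "</root>")


def summarize(conf_text):
    """Return the FIM paths, registry keys and log sources the agent monitors."""
    root = _parse(conf_text)
    out = {"fim_enabled": True, "directories": [], "registry": [], "localfiles": []}
    for sc in root.iter("syscheck"):
        if (sc.findtext("disabled") or "no").strip() == "yes":
            out["fim_enabled"] = False
        for d in sc.findall("directories"):
            # one <directories> element may carry several comma-separated paths
            for path in (d.text or "").split(","):
                if path.strip():
                    out["directories"].append((path.strip(), d.get("realtime") == "yes"))
        for key in sc.findall("windows_registry"):
            # Wazuh's arch attribute defaults to the 32-bit registry view
            out["registry"].append(((key.text or "").strip(), key.get("arch", "32bit")))
    for lf in root.iter("localfile"):
        out["localfiles"].append(((lf.findtext("location") or "").strip(),
                                  (lf.findtext("log_format") or "").strip()))
    return out


def add_localfile(conf_text, location, log_format="syslog"):
    """Append a <localfile> block before the last </ossec_config>.

    Text splicing keeps the file's comments and layout intact; the result is
    re-parsed so a broken edit is caught before it reaches the agent.
    """
    for loc, _ in summarize(conf_text)["localfiles"]:
        if loc.lower() == location.lower():  # Windows paths are case-insensitive
            raise ValueError(f"{location} is already monitored")
    block = ("  <localfile>\n"
             f"    <location>{escape(location)}</location>\n"
             f"    <log_format>{escape(log_format)}</log_format>\n"
             "  </localfile>\n")
    end = conf_text.rfind("</ossec_config>")
    if end < 0:
        raise ValueError("no <ossec_config> block found")
    new_text = conf_text[:end] + block + conf_text[end:]
    _parse(new_text)  # raises xml.etree.ElementTree.ParseError if the splice broke it
    return new_text


if __name__ == "__main__":
    # Assumed path for a real run; on a 3.x agent ossec.conf lives in the
    # ossec-agent install directory (check the GUI's View->View Config).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    s = summarize(text)
    print("FIM enabled:", s["fim_enabled"])
    for path, realtime in s["directories"]:
        print("  dir", path, "(realtime)" if realtime else "(scheduled scan)")
    for key, arch in s["registry"]:
        print("  reg", key, f"[{arch}]")
    for loc, fmt in s["localfiles"]:
        print("  log", loc, f"({fmt})")
    print(add_localfile(text, r"C:\example.log")[-150:])
```

Write the returned text back to ossec.conf only after the summary looks right, and then restart the agent, as the reply says; the agent does not pick up configuration changes until it is restarted.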