Integrating Sysmon with Wazuh


Monah Baki

Sep 6, 2022, 10:04:00 AM
to Wazuh mailing list
Hi all,

I am running a Windows 10 Enterprise LTSC guest VM. Both manager and agent are running 4.3.7. I am following https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/ just to get alerted for PowerShell as a first step.

I followed the exact steps on both the Wazuh manager and the Windows 10 VM, and in my Windows 10 Event Viewer I have:

Process Create:
RuleName: technique_id=T1204,technique_name=User Execution
UtcTime: 2022-09-06 13:46:53.206
ProcessGuid: {80459ade-4f4d-6317-0e03-000000000800}
ProcessId: 5984
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.19041.546 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


I can't seem to get the alert on the manager; I don't see alerts even in the ossec-alerts.log file.


Thanks
Monah

Facundo Dalmau

Sep 6, 2022, 11:34:47 AM
to Wazuh mailing list
Hi Monah,
Thanks for using Wazuh!

I recommend that you activate the logall option (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall) of the manager's ossec.conf file. This option will let you see in /var/ossec/logs/archives/archives.log all the events that are being monitored by your manager. After you set it, restart the manager and check the archives.log file.
Note: Don't forget to disable the logall_json parameter once the troubleshooting has finished. Leaving it enabled could result in high disk space consumption.
I look forward to hearing from you.

Regards,
Facundo Dalmau

Monah Baki

Sep 6, 2022, 1:37:12 PM
to Wazuh mailing list
Hi Facundo,

I was able to see the following in the archives.log file

2022 Sep 06 13:27:00 (CitrixBackup) 192.168.2.246->EventChannel {"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"10","version":"3","level":"4","task":"10","opcode":"0","keywords":"0x8000000000000000","systemTime":"2022-09-06T17:26:57.866592300Z","eventRecordID":"128628","processID":"5644","threadID":"2864","channel":"Microsoft-Windows-Sysmon/Operational","computer":"WSUS-Server","severityValue":"INFORMATION","message":"\"Process accessed:\r\nRuleName: technique_id=T1055.001,technique_name=Dynamic-link Library Injection\r\nUtcTime: 2022-09-06 17:26:57.866\r\nSourceProcessGUID: {c28c12a9-226e-62f4-a900-000000004c00}\r\nSourceProcessId: 5672\r\nSourceThreadId: 4212\r\nSourceImage: C:\\Program Files\\Metricbeat\\metricbeat.exe\r\nTargetProcessGUID: {c28c12a9-82c7-6317-e442-000000004c00}\r\nTargetProcessId: 6896\r\nTargetImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nGrantedAccess: 0x1010\r\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+a0be4|C:\\Windows\\System32\\KERNELBASE.dll+2126e|C:\\Program Files\\Metricbeat\\metricbeat.exe+6dbbe|UNKNOWN(000000000000040C)\r\nSourceUser: NT AUTHORITY\\SYSTEM\r\nTargetUser: I""},"eventdata":{"ruleName":"technique_id=T1055.001,technique_name=Dynamic-link Library Injection","utcTime":"2022-09-06 17:26:57.866","sourceProcessGUID":"{c28c12a9-226e-62f4-a900-000000004c00}","sourceProcessId":"5672","sourceThreadId":"4212","sourceImage":"C:\\\\Program Files\\\\Metricbeat\\\\metricbeat.exe","targetProcessGUID":"{c28c12a9-82c7-6317-e442-000000004c00}","targetProcessId":"6896","targetImage":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","grantedAccess":"0x1010","callTrace":"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+a0be4|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+2126e|C:\\\\Program Files\\\\Metricbeat\\\\metricbeat.exe+6dbbe|UNKNOWN(000000000000040C)","sourceUser":"NT AUTHORITY\\\\SYSTEM"

Does this mean it's working? If yes, where in the manager GUI do I go to look at

Thanks
Monah

Facundo Dalmau

Sep 6, 2022, 3:30:54 PM
to Wazuh mailing list
Hi Monah,

This means that the events are being processed by the manager, but if they are not found in the alerts.log file then no alert was triggered.
Can you check that the rules are properly configured to match events like the one you showed?

Regards,
Facundo

Monah Baki

Sep 7, 2022, 12:07:16 PM
to Wazuh mailing list
Hi Facundo,

The only addition is that I added the following to the local_rules.xml file:

<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<group name="sysmon,">
 <rule id="255000" level="12">
 <if_group>sysmon_event1</if_group>
 <field name="sysmon.image">\\powershell.exe||\\.ps1||\\.ps2</field>
 <description>Sysmon - Event 1: Bad exe: $(sysmon.image)</description>
 <group>sysmon_event1,powershell_execution,</group>
 </rule>
</group>



Besides that I did not modify any rules.


Thanks
Monah
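An added example, not code from this thread or from Wazuh itself: the archives.log line shown earlier is the shape the manager hands to its rules, and the Windows eventchannel decoder flattens that JSON into dotted field names (win.system.eventID, win.eventdata.image, and so on), so a test written as <field name="sysmon.image"> is looking up a field the decoder never produces and can never match. The script below parses two constructed archive lines of that shape, attaches the sysmon_event1 group the way the stock Sysmon ruleset is assumed to (that assignment, and the claim that it is what <if_group>sysmon_event1</if_group> chains on in 4.3.x, are assumptions here), and then evaluates the posted rule next to one that tests win.eventdata.image. Rule patterns are written as Python regexes for the demonstration; Wazuh's default <field> syntax is OS_Regex, so they are not one-to-one.

```python
import json
import re

# Two constructed archives.log lines in the "<date> (<agent>) <ip>->EventChannel <json>"
# shape shown in the thread. The first mirrors the Event Viewer "Process Create" entry
# (Sysmon Event ID 1), the second the archived Event ID 10. Only the keys the rules need
# are kept; the eventdata path values keep the doubled backslashes that the archived line
# on the page shows for decoded Sysmon fields.
PS_PATH = "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"
ARCHIVE_LINES = [
    "2022 Sep 06 13:46:53 (CitrixBackup) 192.168.2.246->EventChannel "
    + json.dumps({"win": {
        "system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": "1",
                   "channel": "Microsoft-Windows-Sysmon/Operational"},
        "eventdata": {"ruleName": "technique_id=T1204,technique_name=User Execution",
                      "image": PS_PATH, "commandLine": '"' + PS_PATH + '"'}}}),
    "2022 Sep 06 13:27:00 (CitrixBackup) 192.168.2.246->EventChannel "
    + json.dumps({"win": {
        "system": {"providerName": "Microsoft-Windows-Sysmon", "eventID": "10",
                   "channel": "Microsoft-Windows-Sysmon/Operational"},
        "eventdata": {"ruleName": "technique_id=T1055.001,technique_name=Dynamic-link Library Injection",
                      "sourceImage": "C:\\\\Program Files\\\\Metricbeat\\\\metricbeat.exe",
                      "targetImage": PS_PATH, "grantedAccess": "0x1010"}}}),
]


def parse_archive_line(line):
    """Split an archives.log line into its location and the decoded event, flattened to
    the dotted field names a <field name="..."> test is resolved against
    (win.system.eventID, win.eventdata.image, ...)."""
    _header, _, body = line.partition("->")
    location, _, payload = body.partition(" ")
    fields = {"location": location}

    def walk(prefix, node):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(f"{prefix}.{key}" if prefix else key, value)
        else:
            fields[prefix] = str(node)

    walk("", json.loads(payload))
    return fields


def base_groups(fields):
    """Groups the stock Sysmon ruleset is ASSUMED to attach before local rules run: every
    Sysmon event gets 'sysmon', and Event ID 1 additionally gets 'sysmon_event1' (the
    group the posted rule chains on with <if_group>). Other event IDs are left out."""
    groups = set()
    if fields.get("win.system.providerName") == "Microsoft-Windows-Sysmon":
        groups.add("sysmon")
        if fields.get("win.system.eventID") == "1":
            groups.add("sysmon_event1")
    return groups


def missing_fields(rule, fields):
    """Field names a rule tests that the decoder never produced for this event. A test on
    an absent field cannot match, so a non-empty result means the rule is dead here."""
    return [name for name in rule["fields"] if name not in fields]


def rule_matches(rule, fields, groups):
    """Evaluate a rule made of one <if_group> and one or more <field> tests."""
    if rule["if_group"] not in groups:
        return False
    return all(
        name in fields and re.search(pattern, fields[name]) is not None
        for name, pattern in rule["fields"].items()
    )


# The rule from the thread (field name copied verbatim) and a corrected one that tests the
# field the decoder actually emits. The fixed pattern anchors on the file name so the
# number of backslashes in the decoded path does not matter.
POSTED_RULE = {"id": 255000, "if_group": "sysmon_event1",
               "fields": {"sysmon.image": r"\\powershell\.exe|\\\.ps1|\\\.ps2"}}
FIXED_RULE = {"id": 255000, "if_group": "sysmon_event1",
              "fields": {"win.eventdata.image": r"(?i)powershell\.exe$"}}


def fired_rules(lines, rules):
    """For each archived line, the ids of the given rules that would fire on it."""
    results = []
    for line in lines:
        fields = parse_archive_line(line)
        groups = base_groups(fields)
        results.append([r["id"] for r in rules if rule_matches(r, fields, groups)])
    return results


if __name__ == "__main__":
    event1 = parse_archive_line(ARCHIVE_LINES[0])
    print("fields the posted rule needs but the decoder lacks:",
          missing_fields(POSTED_RULE, event1))
    print("posted rule fires on:", fired_rules(ARCHIVE_LINES, [POSTED_RULE]))
    print("fixed rule fires on:", fired_rules(ARCHIVE_LINES, [FIXED_RULE]))
```

Run as-is, the block reports sysmon.image as the field the posted rule needs but never receives, shows the posted rule firing on neither line, and the corrected rule firing only on the Event ID 1 line (not on the Event ID 10 line, whose PowerShell path sits in targetImage and which is not in sysmon_event1). In a real local_rules.xml the equivalent change is to replace <field name="sysmon.image"> with <field name="win.eventdata.image">; before restarting the manager, pasting the archived line into /var/ossec/bin/wazuh-logtest on the manager shows which rules fire without touching the ruleset.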

Facundo Dalmau

Sep 7, 2022, 2:40:06 PM
to Wazuh mailing list
Hi Monah,

I have tested the rule and it didn't work even with the example from the link you sent in the first message of the conversation. The link might be outdated for the Wazuh version you are using. Have you checked the following updated posts:

Regards,
Facundo Dalmau

Monah Baki

Sep 8, 2022, 10:29:28 AM
to Wazuh mailing list
Hi Facundo,

The Mimikatz step-by-step worked. Thank you.


Monah