Sigma Rules for Mimikatz
999 views
Skip to first unread message
A B
May 19, 2021, 5:45:22 AM5/19/21
to Wazuh mailing list
Hi All,
Can anyone please guide me with a way to set up the detection in Wazuh as per the below sigma rule for detecting mimikatz.
Can anyone please guide me with a way to set up the detection in Wazuh as per the below sigma rule for detecting mimikatz.
Thank you everyone in advance.
Regards
Ashish Bansal
Fabricio Brunetti
May 19, 2021, 10:00:44 AM5/19/21
to Wazuh mailing list
Hi Ashish,
</mitre>
To detect command line mimikatz using the model proposed by sigma rules the first thing we have to get is command line visibility for this we are going to use Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
Sysmon should be installed in the Windows endpoint were we want to detect mimikatz, it requires a configuration XML file, that defines which trace data is going to be collected, so far this one https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml is excellent because it already is MITRE oriented. To install use this command sysmon64 -i sysmonfig.xml.
To enable Wazuh collection of the events generated by Sysmon this snippet should be added to Wazuh agent ossec.conf:
<localfile>
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
After this is done Wazuh-agent should be sending Sysmon events to Wazuh-manager.
Another guide to configure Wazuh+Sysmon can be found here: https://wazuh.com/blog/how-to-collect-windows-events-with-wazuh/
Now to the rule:
We will be adding the new rules to the manager in the local rules file: /var/ossec/etc/rules/local_rules.xml
<rule id="100000" level="12">
<if_group>sysmon_event1</if_group> <!-- Tells our rule to analyze process created Sysmon events, this grouping is managed by other Wazuh rule -->
<field name="win.eventdata.commandLine">DumpCreds|invoke-mimikatz|rpc|token|crypto|dpapi|sekurlsa|kerberos|lsadump|privilege|process</field> <!-- these would be selection_1 and selection_2 as they are using an or expression in the condition we can put them together -->
<field name="win.eventdata.commandLine">::</field> <!-- this is selection_3 we force an and operation by having two "field" conditions in wazuh rule-->
<description> Detection well-known mimikatz command line arguments </description>
<mitre>
<id>T1003</id> <!-- add MITRE Technique ids --></mitre>
</rule>
Hope this is helpful for you! Let me know if any step needs a better explanation.
Regards,
Fabricio Brunetti
A B
May 19, 2021, 2:25:27 PM5/19/21
to Wazuh mailing list
Hi Fabricio,
Thanks a ton for your reply and such a detailed explanation.
I will test the rule and let you know if this is giving me the desired result.
Regards
Ashish Bansal
Reply all
Reply to author
Forward
0 new messages