Request for information - Windows Endpoints - Blogs on native commands


Leon Scott

Mar 27, 2023, 6:00:15 AM
to Wazuh mailing list
Good afternoon,

This is a suggestion, not a support request: call it a request for a conversation, or better yet, blogs.

Today, after receiving my daily Wazuh mailing list update, I found an interesting conversation on pushing files to endpoints. I am now testing this to deploy PowerShell scripts. I do not have a DC in my test network, and I am using Wazuh to watch my family PCs and Linux servers that provide entertainment, NAS and various other functions, mainly in a learning capacity. I am no cybersecurity professional yet, in any shade of grey.

So far, I have learned heaps, like how many pipes Windows makes, but that is a topic for another conversation. I am also having issues with Wazuh accessing OneDrive files, and numerous errors in relation to the extremely long file names used in certain Windows directories; lots of exemptions have been set in FIM for Windows, and my learning continues.

However, my request has to do with Windows Defender, which, when online, seems to be okay at detecting threats and removing them, according to various testing sites. I find it slightly strange that no expert dev or Wazuh blogger has written on this topic, and that, although we are ingesting its logs, no dashboard (to my knowledge) has been provided for it, or for other mainstream antivirus vendors, or indeed any guide on how to create one.

In fact, making a dashboard is highly annoying, to say the least, considering that in a cybersecurity boot camp based on the ELK stack most of us wannabes generated not-half-bad dashboards in three hours for various purposes.

Having followed this post


I find it slightly strange: we should not need a Python-generated executable, but rather could send a command to Windows (along with a follow-up full scan, please) to execute and terminate the nasty little file, with remote command enabled, obviously, which is not a prerequisite in the blog's solution. This also leads to removing registry entries that may be utilized for persistence and the like.

This post, which leads to another blog,

once again leaves remediation via active response missing. My apologies.

So, if you are a Wazuh dev who lives in Linux like most devs, can you please write a post on how Wazuh, using native Windows commands with remote execution enabled, can be utilized to Wazuh's advantage.

Having now learned to monitor my Windows Wazuh agent log files and the main Wazuh log files, and to renumber all rules generated by bloggers (thank you; my local rules file is getting rather long), I have learned and am learning a great deal. But my main problem with Wazuh is that Linux may rule the server world, but it is not on endpoints, and installing YARA or other software on endpoints, well, it's not my ideal solution; it simply leads to the supply chain problem (software; numerous examples: LastPass, GoAnywhere, OpenVPN, the list goes on).

So, forgive me if I have raised a few hackles, but in my extremely humble opinion Wazuh is great at monitoring Linux servers, but since phishing attacks don't happen on servers (bet you don't read your email on a server), Windows endpoints are where it is at.

So, having thought long and hard on posting this in the discussion group, let it be and see what becomes of it.

To repeat myself, I am not employed in cybersecurity in any way, but I love this field, and I appreciate all your work as I learn. To the developers behind Wazuh, my thanks.

Sincerely
Leon

Harold Andre Rodriguez Cortes

Mar 31, 2023, 12:52:39 PM
to Wazuh mailing list
Hello Leon,

It is true that Windows Defender has become a fairly effective antivirus program over the years and is capable of detecting and removing various types of threats. However, the lack of coverage on this topic by expert developers and bloggers could be due to a number of reasons.

Firstly, as Windows Defender is a built-in antivirus program in Windows operating systems, many experts may not consider it a third-party antivirus program and hence may not feel the need to write about it. Moreover, as it is an integral part of Windows, the security logs it generates are already ingested into the Windows Event Log, which can be accessed via the Windows Event Viewer.

Secondly, there are many other antivirus programs available in the market, and experts may choose to focus on those programs which are not built-in and are developed by third-party vendors. Additionally, as Windows Defender is developed by Microsoft, it is assumed that the company itself would be providing sufficient support and resources to its users, including the provision of a dashboard for security logs, if needed.

However, if you are interested in creating a dashboard for Windows Defender security logs, you may be able to do so using the Windows Event Log, which can be accessed via the Windows Event Viewer, with Wazuh.

In conclusion, while it may be surprising that there is limited coverage on Windows Defender, it is likely due to the fact that it is a built-in antivirus program and is already supported by Microsoft. However, if you are interested in creating a dashboard for security logs you can do it using Wazuh Custom Dashboards.
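The kind of native-command active response Leon asks for, sketched as an added example (not code from this thread or from the Wazuh project): a PowerShell script launched by the Wazuh agent's active response that reads the triggering alert from stdin, has Defender scan the flagged file's folder with Start-MpScan and act on what it finds with Remove-MpThreat, deletes the file if it is still present, strips Run/RunOnce registry values that reference it, and finally starts the follow-up full scan. Everything about the deployment is an assumption to be checked against your Wazuh version's active-response documentation: the agent's active-response\bin and active-responses.log paths, the .cmd wrapper, the Wazuh 4.2+ convention of one JSON line on stdin, the Defender rule IDs you bind it to (not given here), and in particular the alert field `data.win.eventdata.path`, which is where this script expects the eventchannel decoder to have put Defender's "Path" value. The `Microsoft-Windows-Windows Defender/Operational` channel collected by the localfile block in the header is the real name of Defender's event log.

```powershell
<#
defender-respond.ps1 : example Wazuh active-response script for a Windows agent.
Added illustration for this thread, not code shipped by Wazuh.

Assumed deployment (verify against your Wazuh version's docs):
  * Placed in  C:\Program Files (x86)\ossec-agent\active-response\bin\  next to a
    one-line defender-respond.cmd wrapper:
        powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0defender-respond.ps1"
  * The agent already forwards Defender's event channel (agent ossec.conf):
        <localfile>
          <location>Microsoft-Windows-Windows Defender/Operational</location>
          <log_format>eventchannel</log_format>
        </localfile>
  * The manager's ossec.conf declares a <command> whose <executable> is
    defender-respond.cmd and an <active-response> with <location>local</location>
    bound to your Defender detection rule IDs (not listed here).
  * Wazuh 4.2+ delivers the triggering alert as one JSON line on stdin; the
    Defender "Path" value is assumed to be at data.win.eventdata.path.
#>

$ErrorActionPreference = 'Stop'
# Agent-side active-response log (assumed path).
$LogFile = 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'

function Write-ArLog([string]$Message) {
    $line = "{0:yyyy/MM/dd HH:mm:ss} defender-respond: {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
}

# Defender reports paths as "file:_C:\dir\name.exe"; several are joined with ';'.
function Get-TargetPaths([string]$RawPath) {
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return @() }
    return @($RawPath -split ';' |
        ForEach-Object { ($_ -replace '^(file|containerfile):_', '').Trim() } |
        Where-Object { $_ -match '^[A-Za-z]:\\' })
}

# Persistence cleanup: remove Run/RunOnce values whose command line references the file.
function Remove-RunKeyReferences([string]$FilePath) {
    $keys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
    # The agent service runs as SYSTEM, so HKCU is not the user's hive; walk loaded user hives.
    Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
        $keys += "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        $keys += "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            if ("$($p.Value)".IndexOf($FilePath, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                Write-ArLog "removing Run value $key\$($p.Name) -> $($p.Value)"
                Remove-ItemProperty -Path $key -Name $p.Name
            }
        }
    }
}

# --- main: one JSON alert on stdin ---
$raw = [Console]::In.ReadLine()
if (-not $raw) { Write-ArLog 'no alert on stdin, exiting'; exit 1 }
$msg = $raw | ConvertFrom-Json
if ($msg.command -ne 'add') { exit 0 }    # stateless response: nothing to undo on 'delete'

$alert   = $msg.parameters.alert
$rawPath = $alert.data.win.eventdata.path  # assumed field name, see header
Write-ArLog "triggered by rule $($alert.rule.id): $($alert.rule.description)"

foreach ($t in (Get-TargetPaths $rawPath)) {
    $dir = if (Test-Path $t -PathType Container) { $t } else { Split-Path $t -Parent }
    Write-ArLog "custom Defender scan of $dir"
    Start-MpScan -ScanType CustomScan -ScanPath $dir   # native Defender, no extra tooling
    Remove-MpThreat                                    # let Defender act on detections
    if (Test-Path -LiteralPath $t -PathType Leaf) {
        Write-ArLog "file still present after scan, deleting $t"
        Remove-Item -LiteralPath $t -Force
    }
    Remove-RunKeyReferences $t
}

Write-ArLog 'starting background full scan'
Start-MpScan -ScanType FullScan -AsJob | Out-Null
exit 0
```

Before binding this to a rule, look at one real Defender detection alert (event ID 1116 "detected" or 1117 "action taken" from the Operational channel) in the Wazuh dashboard and confirm the decoded path field name; if it differs, change only the `$rawPath` line. Remove-Item is deliberately the fallback, used only when Defender did not quarantine the file itself, and the HKEY_USERS walk is there because a SYSTEM service's HKCU is not the logged-in user's hive. The same localfile block, once events flow, is also the data source for the Defender dashboard Harold refers to, built with Wazuh's custom dashboards over the `data.win.eventdata` fields.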