privilege escalation


Piviul

Jan 21, 2025, 9:55:39 AM1/21/25
to Wazuh | Mailing List
Hi all, I'm new to Wazuh and I would like to find all successful privilege escalation logs on a Windows PC. I logged on to a Windows endpoint with a privileged account and opened a PowerShell console as administrator, then I tried to find this log... no way.

Does Wazuh log privilege escalation? Have I forgotten to enable some modules/rules? ...or are looking and finding simply two different things ;)?

Piviul

José Luis Cosentino

Jan 21, 2025, 10:39:08 AM1/21/25
to Wazuh | Mailing List
Hello, Piviul!

Wazuh reads event logs. In Windows, it reads the Event Viewer. So if you want to see any activity event ingested in Wazuh, you first need to:

1- Identify your event ID and a log sample in your Event Viewer. If you cannot find it there, you can also enable security auditing. Here is the related official Windows documentation.
2- If you are still not seeing your logs ingested in your Wazuh Discover module (☰ > Explore > Discover), you may need to enable Archives to find those log events, and generate a custom rule for them. To enable archives, you have this reference definition and this configuration:

☰ > Server management > Settings


And edit the server configuration, clicking on Edit Configuration:


Then you need to change <logall_json></logall_json> from no to yes:


<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>   <!-- Here -->
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wa...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>

Save the changes and restart the manager.

Now you are ready to see all the events coming to the Wazuh manager, and you can validate whether those admin events are there or not.

To do so, you just need to grep any Google logs familiar keyword in the archives.json file like this:
grep -i eventID /var/ossec/logs/archives/archives.json

If the event is already in archives.json, you can create a custom rule to trigger an alert. Please let me know if this information was useful and how it goes. Regards!

José Luis Cosentino

Jan 21, 2025, 10:41:36 AM1/21/25
to Wazuh | Mailing List
My apologies, when I said: "To do so, you just need to grep any Google logs familiar keyword in the archives.json file like this:"
I meant to say: "To do so, you just need to grep any Windows logs familiar keyword (related to the event ID or log sample desired) in the archives.json"


Regards!

Paul Kotila

Jan 21, 2025, 11:24:42 AM1/21/25
to Wazuh | Mailing List
Hi Piviul,

I would recommend a couple of additions to your Wazuh setup: first, PowerShell logging via Group Policy; secondly, adding Sysmon to your configuration. I found the steps below on Wazuh's blogs. In my environment I was able to log Sysmon - Event 1: Non Interactive PowerShell Execution detected. Also the win.eventdata.integrityLevel alert was High (indicating administrative privileges).

--POWERSHELL LOGGING--

Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward PowerShell logs to the Wazuh server for analysis:

<localfile>
  <location>Microsoft-Windows-PowerShell/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

--SYSMON SETUP--
Use Sysmon to monitor several system events such as file creation, registry, DNS queries, and process execution on the victim Windows endpoint.

Perform the following steps to configure the Wazuh agent to collect and forward Sysmon logs from the Windows endpoint to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Use PowerShell with administrator privilege to create a Sysmon folder in the C:\ folder:

New-Item -ItemType Directory -Path C:\Sysmon

3. Extract the content of the compressed Sysmon file to the C:\Sysmon folder:

Expand-Archive -Path "<PATH>\Sysmon.zip" -DestinationPath "C:\Sysmon"

Replace <PATH> with the path where the Sysmon.zip file was downloaded.

4. Download the Sysmon configuration file – sysmonconfig.xml to the C:\Sysmon folder using the PowerShell command below:

wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile C:\Sysmon\sysmonconfig.xml

5. Switch to the directory with the Sysmon executable and run the command below to install and start Sysmon using PowerShell with administrator privileges:

cd C:\Sysmon
.\Sysmon64.exe -accepteula -i sysmonconfig.xml

6. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
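Added example, not code from the thread or from Wazuh itself: a small Python script that does on the manager what José's grep and Paul's Sysmon/PowerShell logging suggestions point at. It reads archives.json line by line and picks out the events that show an account acting with administrative rights: Security 4672 (special privileges assigned to a new logon), Security 4688 whose TokenElevationType is %%1937 (full, elevated token, i.e. the UAC prompt was accepted, which is what "open PowerShell as administrator" produces), and Sysmon event 1 with IntegrityLevel High. It assumes the data.win.system / data.win.eventdata field names that Wazuh's eventchannel decoder produces (camelCased, as in Paul's win.eventdata.integrityLevel), skips machine accounts and the built-in service identities that log 4672 on every service logon, and the archives.json lines embedded in it are constructed for the example, not taken from a real manager.

```python
import json
import sys
from typing import Iterable, Iterator, List, Tuple

# Constructed sample of /var/ossec/logs/archives/archives.json content (one JSON
# object per line, as written by the manager when <logall_json> is "yes").
# These lines are made up for this example; the data.win.system / data.win.eventdata
# layout follows the Wazuh eventchannel decoder, but compare against your own file.
SAMPLE_ARCHIVES = r'''
{"timestamp":"2025-01-21T09:50:01.000+0000","agent":{"id":"001","name":"WINPC"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4672","channel":"Security","computer":"WINPC"},"eventdata":{"subjectUserName":"WINPC$","subjectDomainName":"WORKGROUP","privilegeList":"SeAssignPrimaryTokenPrivilege SeTcbPrivilege"}}}}
{"timestamp":"2025-01-21T09:55:12.000+0000","agent":{"id":"001","name":"WINPC"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4672","channel":"Security","computer":"WINPC"},"eventdata":{"subjectUserName":"piviul","subjectDomainName":"WINPC","privilegeList":"SeDebugPrivilege SeBackupPrivilege SeRestorePrivilege"}}}}
{"timestamp":"2025-01-21T09:55:20.000+0000","agent":{"id":"001","name":"WINPC"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4688","channel":"Security","computer":"WINPC"},"eventdata":{"subjectUserName":"piviul","newProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","tokenElevationType":"%%1937"}}}}
{"timestamp":"2025-01-21T09:55:21.000+0000","agent":{"id":"001","name":"WINPC"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","eventID":"1","channel":"Microsoft-Windows-Sysmon/Operational","computer":"WINPC"},"eventdata":{"user":"WINPC\\piviul","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","integrityLevel":"High"}}}}
{"timestamp":"2025-01-21T09:56:00.000+0000","agent":{"id":"001","name":"WINPC"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","eventID":"4688","channel":"Security","computer":"WINPC"},"eventdata":{"subjectUserName":"piviul","newProcessName":"C:\\Windows\\System32\\notepad.exe","tokenElevationType":"%%1938"}}}}
'''

Hit = Tuple[str, str, str]  # (what was seen, which account, detail)

# 4672 is also logged for every service and machine-account logon; those are not
# an administrator opening a console, so they are treated as noise.
NOISE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def short_user(user: str) -> str:
    """Strip a DOMAIN\\ prefix (Sysmon writes DOMAIN\\user, Security events do not)."""
    return user.rsplit("\\", 1)[-1]


def is_noise(user: str) -> bool:
    name = short_user(user)
    return name.endswith("$") or name.upper() in NOISE_ACCOUNTS


def iter_windows_events(lines: Iterable[str]) -> Iterator[Tuple[dict, dict, dict]]:
    """Yield (event, win.system, win.eventdata) for every decoded Windows event."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # the last line may be half-written while the manager appends
        if not isinstance(event, dict):
            continue
        win = event.get("data", {}).get("win")
        if not isinstance(win, dict):
            continue  # syscheck, rootcheck, Linux agents, etc.
        yield event, win.get("system", {}), win.get("eventdata", {})


def elevated_activity(lines: Iterable[str]) -> List[Hit]:
    """Return the events that show an account acting with administrative rights."""
    hits: List[Hit] = []
    for _event, system, data in iter_windows_events(lines):
        event_id = str(system.get("eventID", ""))
        channel = system.get("channel", "")
        user = data.get("subjectUserName") or data.get("user") or ""
        if is_noise(user):
            continue
        if channel == "Security" and event_id == "4672":
            # Special privileges assigned to new logon: the token carries
            # admin-only rights such as SeDebugPrivilege.
            hits.append(("4672 special privileges assigned", user, data.get("privilegeList", "")))
        elif channel == "Security" and event_id == "4688" and data.get("tokenElevationType") == "%%1937":
            # TokenElevationTypeFull: the process runs with the full admin token,
            # i.e. "Run as administrator" was used and the UAC prompt accepted.
            hits.append(("4688 process with full elevated token", user, data.get("newProcessName", "")))
        elif (channel == "Microsoft-Windows-Sysmon/Operational" and event_id == "1"
              and data.get("integrityLevel") == "High"):
            # Sysmon process create at High integrity: the same elevated console,
            # seen through Sysmon instead of the Security log.
            hits.append(("Sysmon 1 process at High integrity", user, data.get("image", "")))
    return hits


if __name__ == "__main__":
    # Usage: python3 find_elevated.py [/var/ossec/logs/archives/archives.json]
    # With no argument it runs over the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            results = elevated_activity(fh)
    else:
        results = elevated_activity(SAMPLE_ARCHIVES.splitlines())
    for what, who, detail in results:
        print(f"{what:40} {who:20} {detail}")
```

On the sample, the machine-account 4672 and the limited-token (%%1938) 4688 are dropped and the three events from the elevated PowerShell session remain. Once the real events show up in archives.json, the same three conditions are what a custom rule would key on (win.system.eventID, win.eventdata.tokenElevationType, win.eventdata.integrityLevel), and the noise filter matters there too: 4672 on its own fires for every service logon, so alert on it only for interactive accounts or pair it with the 4688/Sysmon condition. Note that 4688 with its TokenElevationType field only exists if "Audit Process Creation" is enabled in the Windows audit policy, which is the security auditing step José refers to.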