Deploying Powershell scripts using the Wazuh Manager and Agents


Leon Scott

Feb 3, 2023, 10:13:16 PM
to Wazuh mailing list
Hello,

Where do I place PowerShell scripts in the Wazuh manager to deploy to Windows agents? I notice other people use other solutions via GitHub and other resources.

Is this even possible?

Even better, in the groups management, could these scripts be edited directly and deployed for each group? Bat files or PowerShell for Windows, bash scripts for Linux.

Apologies, I'm learning.


Leon Scott

Feb 3, 2023, 10:21:09 PM
to Wazuh mailing list
Sorry, slightly vague on the second paragraph. Go to web interface > Management > Groups > Windows group > Files > create and edit PowerShell and bat scripts, you get the idea. Execution controlled via wodles (I think that's right).

Julian Bustamante Narvaez

Feb 5, 2023, 9:10:06 PM
to Wazuh mailing list
Hi, you can use Active response to execute any bat file on your Windows agent.
The path to put your bat file in is C:\Program Files (x86)\ossec-agent\active-response\bin

You must monitor the active-responses.log file in ossec.conf on the Windows agent side:
  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>


You must set the active response on the manager side (link) and set a rule and decoder, or use a predefined one like rule 5716 (link).
For example:
  <active-response>
    <command>netsh</command>
    <location>local</location>
    <rules_id>5716</rules_id>
    <timeout>60</timeout>
  </active-response>
where netsh is a command that will execute netsh.exe (in your case, the bat file):
  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>


with this log -> Dec 10 01:02:02 host sshd[1234]: Accepted none for root from 64.62.197.132 port 1066 ssh2
To trigger rule 5716, you should create an empty test file on the Windows agent side, then paste and save this log into it, so that the alert in the manager launches the active response, which runs the bat file.
Remember to monitor your test file (Windows agent side):
  <localfile>
    <location>C:\Users\vagrant\Documents\test.txt</location>
    <log_format>syslog</log_format>
  </localfile>

Let me know if this helps you.
Regards
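Added example for the PowerShell case the original poster asked about (not code from this thread or from the Wazuh project): a script that follows the stdin/stdout JSON protocol Wazuh agents 4.2 and later use for active response, reads the alert that fired, answers execd's check_keys handshake, and appends its result to the active-responses.log file the reply above says to monitor. It assumes the script sits in active-response\bin next to a one-line .cmd wrapper that runs powershell.exe -ExecutionPolicy Bypass -File on it, with the wrapper's name in <executable> since the agent launches executables and batch files rather than .ps1 files directly; the script name, log format and choice of keys are assumptions.

```powershell
# ar-log-alert.ps1 (hypothetical name). Added example, not from this thread or the Wazuh project.
# Assumes a Wazuh agent >= 4.2: execd writes the triggering alert as one JSON line to stdin and
# expects a check_keys handshake on stdout before the action runs (protocol as in the Wazuh docs).
$ScriptName = 'active-response/bin/ar-log-alert.ps1'
$LogFile    = 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'

function Write-ArLog([string]$Message) {
    $stamp = Get-Date -Format 'yyyy/MM/dd HH:mm:ss'
    Add-Content -Path $LogFile -Value "$stamp ${ScriptName}: $Message"
}

# Read exactly one line: stdin stays open for the handshake reply, so ReadToEnd() would hang.
$line = [Console]::In.ReadLine()
try   { $msg = $line | ConvertFrom-Json }
catch { Write-ArLog "Invalid JSON from execd: $line"; exit 1 }

switch ($msg.command) {
    'add'    { }                                                        # handled below
    'delete' { Write-ArLog 'Timeout expired, nothing to undo'; exit 0 } # sent when <timeout> elapses
    default  { Write-ArLog "Unknown command '$($msg.command)'"; exit 1 }
}

$alert = $msg.parameters.alert
# Keys let execd suppress a duplicate response while an earlier one is still inside its timeout.
# Keying on rule id plus source IP (an assumption) gives one response per source per rule.
$keys  = @($alert.rule.id, $alert.data.srcip)
$check = @{
    version    = 1
    origin     = @{ name = $ScriptName; module = 'active-response' }
    command    = 'check_keys'
    parameters = @{ keys = $keys }
} | ConvertTo-Json -Compress -Depth 4
[Console]::Out.WriteLine($check)
[Console]::Out.Flush()

$reply = ([Console]::In.ReadLine() | ConvertFrom-Json).command
if ($reply -ne 'continue') {
    Write-ArLog "execd answered '$reply', aborting"
    exit 0
}

# The real action goes here; keep it idempotent and log what it did, because the manager
# only sees this log file.
Write-ArLog ("Rule {0} ({1}) fired on agent {2}, srcip={3}" -f
    $alert.rule.id, $alert.rule.description, $alert.agent.name, $alert.data.srcip)
exit 0
```

With the test file from the reply above monitored and rule 5716 wired to the command, the line this script appends shows up in the manager as the evidence that the response ran.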