3️⃣Test
Last updated
Now that we have our agent installed on the Windows machine, let's see what this looks like in Wazuh.
Let's take a look at security events from the dashboard:
It even shows us the top MITRE ATT&CK techniques. Very cool. You can check out the aggregated security events when you scroll down, or by clicking the "Events" tab.
It's actually showing us the security events from both the Windows VM and the Wazuh server, along with the ATT&CK techniques each event maps to. You can dig into each of the events and start searching for interesting behaviour.
Let's take a step back and go to our agent. On the Windows agent, we can see sections for MITRE, Compliance, and more.
At the top there is a "More..." dropdown, where we can have a look at Security configuration assessment. It has automatically used the CIS benchmark for Windows 11.
If we go onto the results, this is what we get:
Straight away, we have a lot of work to do, even though it's a clean install.
You can find more configuration for Wazuh (as root) in /var/ossec/etc/ossec.conf
I turned on "vulnerability detector".
Make sure you restart the service with sudo systemctl restart wazuh-manager.service
Restart the agent(s) too - Restart-Service Wazuh
I also wanted to install Sysmon, as it provides a lot of useful logs on Windows.
Make sure you add the Sysmon log to your ossec.conf file. Read more about doing that here:
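As an added example (not from the original post), this is the agent-side ossec.conf block that forwards the Sysmon event channel to the manager; it assumes Sysmon is installed with its default channel name, and the query filter is an optional assumption you can tune.

```xml
<!-- Added example: agent-side ossec.conf on the Windows VM
     (default path: C:\Program Files (x86)\ossec-agent\ossec.conf).
     Place the <localfile> block inside the existing <ossec_config> element. -->
<ossec_config>
  <!-- Collect the Sysmon event channel. The location is Sysmon's default
       channel name; eventchannel is the Wazuh log format for Windows event logs. -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
    <!-- Optional XPath filter (assumption: adjust for your own noise level).
         This drops Sysmon event ID 10 (ProcessAccess), which is very chatty
         on a lab host, and keeps every other Sysmon event. -->
    <query>Event/System[EventID != 10]</query>
  </localfile>
</ossec_config>
```

Restart the agent afterwards and confirm Sysmon events (for example process creation, event ID 1) show up under the agent's security events in the dashboard.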
You can check out some of the official "Proof of Concept" documentation with Wazuh.
Another test you can do is running WinPEAS. This is a tool that enumerates a Windows machine for potential attack vectors. Once installed, run the script. You may need to change your execution policy to unrestricted.
https://github.com/carlospolop/PEASS-ng
All of a sudden, we get a lot of suspicious processes.
I installed "Invoke-AtomicRedTeam".
You can run tests categorised by MITRE ATT&CK technique. For example, if you run
It will run all tests for the T1218 technique, which is System Binary Proxy Execution: Regsvr32.
If you're interested in malware analysis, you might find these useful:
Flare VM is a Windows host designed for static and dynamic analysis.
You can find malware samples all over GitHub, for example: https://github.com/ytisf/theZoo
Note that if you want this to be a malware lab, you need to make sure your firewalls are set to properly isolate the network, and that there is no internet connectivity.
You can extend the lab if you want to recreate different environments. For example, a building management system might include IoT devices. Launch some more VMs and run IoT or OT simulation programs with Wazuh agents installed on there.