3️⃣Test

Now that we have our agent installed on the Windows machine, let's see what this looks like in Wazuh.

Introduction

Let's take a look at security events, from the dashboard:

Overview of all security events

The dashboard shows us the top MITRE ATT&CK techniques. Very cool. You can check out the aggregated security events by scrolling down, or by clicking the "Events" tab.

Security Events

It's actually showing us the security events from both the Windows VM and the Wazuh server. It even shows the MITRE ATT&CK technique each event maps to. You can dig into each of the events and start searching for interesting behaviour.

Let's take a step back and go to our agent. On the Windows agent, we can see sections for MITRE, Compliance, and more.

Security Compliance

At the top there is a More... dropdown from which we can have a look at Security configuration assessment. It has automatically applied the CIS benchmark for Windows 11.

If we go onto the results, this is what we get:

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0

Straight away we have a lot of work to do, and this is a clean install.

You can find more configuration for Wazuh (as root) in /var/ossec/etc/ossec.conf on the manager.

I turned on the vulnerability detector. In Wazuh 4.x before 4.8 this is the vulnerability-detector block in the manager's ossec.conf, with enabled set to yes; from 4.8 the module is called vulnerability-detection and is enabled by default, so check which version you are running before editing.

Wazuh Configuration - VM

Make sure you restart the manager with sudo systemctl restart wazuh-manager.service

Restart the agent(s) too, from an elevated PowerShell prompt: Restart-Service Wazuh

I also wanted to install Sysmon, as it provides a lot of useful logs on Windows.

Make sure you collect the Sysmon channel in the agent's ossec.conf: it is a Windows event channel (Microsoft-Windows-Sysmon/Operational, log format eventchannel) added as a localfile entry, not a syslog source. Read more about doing that here:

ossec configuration
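As an added example (this is not code from the original post or from Wazuh), here is how the Sysmon install and the agent-side ossec.conf change fit together in one elevated PowerShell session on the Windows VM. It assumes Sysmon64.exe and a Sysmon configuration file named sysmonconfig.xml are already in the current directory, and that the agent is at the default 4.x install path.

```powershell
# Added example: install Sysmon and point the Wazuh agent at its event channel.
# Assumptions: Sysmon64.exe and sysmonconfig.xml sit in the current directory,
# the Wazuh agent is installed at the default 4.x path, and this runs elevated.
$ErrorActionPreference = 'Stop'

$sysmonExe  = '.\Sysmon64.exe'
$sysmonConf = '.\sysmonconfig.xml'
$agentConf  = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
$channel    = 'Microsoft-Windows-Sysmon/Operational'

# Install the Sysmon driver and service with the supplied configuration.
& $sysmonExe -accepteula -i $sysmonConf

# Confirm the Sysmon event channel now exists before wiring it into the agent.
Get-WinEvent -ListLog $channel | Out-Null

# Back up the agent config, then add a <localfile> block for the channel if it
# is not already there. The log_format is eventchannel because this is a
# Windows Event Log channel, not a syslog stream.
Copy-Item -Path $agentConf -Destination "$agentConf.bak" -Force
$text = Get-Content -Path $agentConf -Raw
if ($text -notmatch [regex]::Escape($channel)) {
    $block = @"
  <localfile>
    <location>$channel</location>
    <log_format>eventchannel</log_format>
  </localfile>
"@
    # Insert inside the last <ossec_config> element so the file stays valid.
    $idx  = $text.LastIndexOf('</ossec_config>')
    if ($idx -lt 0) { throw "No </ossec_config> found in $agentConf" }
    $text = $text.Insert($idx, $block)
    Set-Content -Path $agentConf -Value $text -Encoding UTF8
}

# The agent only reads ossec.conf at start-up, so restart it to pick up the change.
Restart-Service -Name Wazuh
```

After the restart, trigger any process on the VM and check that Sysmon Event ID 1 (process creation) records appear in the Wazuh dashboard for that agent; if they do not, the usual culprits are a typo in the channel name or the agent not having been restarted.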

Pentesting

You can check out Wazuh's official proof-of-concept guides.

Another test you can do is running WinPEAS, a tool that enumerates a Windows machine for potential privilege-escalation vectors. Once you've downloaded it, run the script. You may need to relax your execution policy; scope that change to the current PowerShell session (the Process scope) rather than setting Unrestricted machine-wide, so the VM is not left permanently weakened.

https://github.com/carlospolop/PEASS-ng

Straight away we get a lot of suspicious processes.

List of suspicious processes, mapped to MITRE Tactics

Atomic Red Team

I installed "Invoke-AtomicRedTeam"

Atomic Red Team Website

You can run tests, categorised by MITRE ATT&CK technique. For example, if you run

Invoke-AtomicTest T1218.010

it will run all the atomic tests for sub-technique T1218.010, System Binary Proxy Execution: Regsvr32 (not the whole T1218 technique). Most tests leave artefacts behind, so run the same command with the -Cleanup switch once you have checked the alerts in Wazuh.
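As an added example (not from the original post or from the Atomic Red Team project), this is the sequence I would use to run one sub-technique end to end and leave the VM clean, then cross-check the local Sysmon log against what Wazuh shows. It assumes Invoke-AtomicRedTeam was installed to the default C:\AtomicRedTeam location, that Sysmon is installed as described above, and that it runs in an elevated PowerShell on the Windows agent VM.

```powershell
# Added example: run one Atomic Red Team sub-technique, clean up, and
# cross-check Sysmon locally. Assumes the default C:\AtomicRedTeam install,
# Sysmon present, and an elevated PowerShell session.
Import-Module 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1' -Force

$technique = 'T1218.010'   # System Binary Proxy Execution: Regsvr32

# 1. List the individual atomic tests without executing anything.
Invoke-AtomicTest $technique -ShowDetailsBrief

# 2. Check each test's prerequisites and fetch any that are missing.
Invoke-AtomicTest $technique -CheckPrereqs
Invoke-AtomicTest $technique -GetPrereqs

# 3. Execute the tests and record the time window, so the Wazuh alerts can be
#    matched to this run rather than to WinPEAS or normal background activity.
$started  = Get-Date
Invoke-AtomicTest $technique
$finished = Get-Date

# 4. Undo the artefacts the tests created (dropped files, registry changes).
Invoke-AtomicTest $technique -Cleanup

# 5. Local cross-check: Sysmon Event ID 1 (process creation) should show
#    regsvr32.exe in the same window that the Wazuh agent forwarded.
$regsvr = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $started
    EndTime   = $finished
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'regsvr32\.exe' }

'{0} regsvr32 process-create events between {1:T} and {2:T}' -f @($regsvr).Count, $started, $finished
```

If the local count is non-zero but Wazuh shows nothing for that agent in the same window, the problem is on the collection side (the localfile entry or the agent restart), not with the test itself.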

Malware

If you're interested in malware analysis, you might find these useful:

FLARE VM is a Windows-based distribution set up for static and dynamic malware analysis.

You can find malware samples in repositories on GitHub such as https://github.com/ytisf/theZoo

Note that if you want this to be a malware lab, you need to make sure your firewalls are set to properly isolate the network and that there is no internet connectivity. Disable shared folders, drag-and-drop and clipboard sharing between the analysis VM and the host as well, and take a snapshot before detonating anything.

Scaling the lab

You can extend the lab if you want to recreate different environments. For example, a building management system might include IoT devices. Launch some more VMs, run IoT or OT simulation programs on them, and install Wazuh agents on those too.
