MITRE ATT&CK Framework
MITRE's ATT&CK framework is a large, modular catalogue of the tactics, techniques, and procedures that adversaries have been observed using in the real world.
With a SIEM like Wazuh and a detailed Windows event source like Sysmon, being able to correlate event data with the framework's technique IDs makes it much easier to hunt for, and recognize, potential threat-actor activity.
Extending Wazuh Rules
The Hestat/ossec-sysmon GitHub repo (https://github.com/Hestat/ossec-sysmon) has some very useful rules files for this purpose. Incidentally, it also ships a template
osquery config, but that is out of scope for this post. Go check out the repo.
The reason I decided to write this post is to document my steps to work around some issues while implementing the rulesets, as Wazuh was throwing errors when I tried to restart it.
Based on my trial and error, it looks like Wazuh loads rules files – built-in and custom – in order by their numerical ID. So, if you have a custom rules file named
0001-custom-rules.xml, that is going to be loaded first by Wazuh due to its name.
Implementing the Ruleset
These commands are run on the server where the Wazuh manager is installed.

```bash
cd /tmp
git clone https://github.com/Hestat/ossec-sysmon
cd ossec-sysmon

# This file defines a group that the other files reference (if_group/if_sid),
# so it has to be loaded first: give it the lowest number in the set
mv 0805-v10-sysmon-modular_rules.xml 0330-v10-sysmon-modular_rules.xml

# Push all the rules files further down the load order, because they
# reference rules that would otherwise be loaded after them.
# All we're doing here is adding a '1' in front of the file name,
# so 0330 becomes 10330.
# (Glob the names rather than parsing ls: `ls ./0*` yields "./0330-...",
# and "1./0330-..." is a path mv cannot create.)
for file in 0*; do
    mv "$file" "1$file"
done

# Copy the rules files to the custom rules location
sudo cp ./10*.xml /var/ossec/etc/rules

# Set the correct ownership on the files
# (on Wazuh 4.x the user and group are wazuh:wazuh instead)
sudo chown ossec:ossec /var/ossec/etc/rules/10*.xml

# Restart the manager; if it fails to come up, the rule-loading error
# is reported in /var/ossec/logs/ossec.log
sudo systemctl restart wazuh-manager
```
Tagging Events with MITRE ATT&CK IDs
Wazuh has a useful feature that lets you visualize events by MITRE ATT&CK technique ID. When you open the dashboard on the homepage, you can drill down into the events that matched a selected ID.
Also, in the events overview, if the rules carry the tags, you can see how each event aligns with ATT&CK.
I forked the project linked above and added the following tags to any applicable rules:
```xml
<mitre>
  <id>T####</id>
</mitre>
```
If you'd like to save yourself some work, you can follow the exact same instructions as above, but just clone my repo and copy the rules files to the correct location.
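To catch both kinds of problem described above before restarting the manager, the load-order failures from the renaming step and malformed MITRE tags, here is an added example that is not code from the original post or from the Hestat/ossec-sysmon repository. It assumes, as observed above, that the manager loads the files in a rules directory in sorted file-name order, so every `<if_sid>`/`<if_group>` reference must resolve to a rule or group defined earlier in that order; ids and groups from the shipped ruleset can be passed in as a seed, and only the built-in `windows` group is seeded here. The file names, rule ids and groups are constructed sample data, `if_group` is compared as a plain string (a simplification), and `rename_plan()` is the post's renaming step written as a pure function.

```python
"""Check Wazuh custom rule files for forward references and MITRE tags.

Added example; not the post's or the Hestat/ossec-sysmon repo's own code.
Assumption: the manager loads rule files in sorted file-name order, so an
<if_sid>/<if_group> must name a rule/group defined earlier in that order.
"""
import re
import xml.etree.ElementTree as ET

# ATT&CK technique id, with optional sub-technique suffix (T1059 or T1059.001).
MITRE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def parse_rule_file(xml_text):
    """Return the rules of one file, in file order, as dicts with the rule
    id, the groups it belongs to, its sid/group references and MITRE ids."""
    # A rule file may hold several top-level <group> elements, so wrap them.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    rules = []
    for grp in root.findall("group"):
        file_groups = {g for g in (grp.get("name") or "").split(",") if g}
        for rule in grp.findall("rule"):
            info = {"id": int(rule.get("id")), "groups": set(file_groups),
                    "sid_refs": [], "group_refs": [], "mitre": []}
            for el in rule.findall("group"):
                info["groups"] |= {g for g in (el.text or "").split(",") if g}
            for el in rule.findall("if_sid") + rule.findall("if_matched_sid"):
                info["sid_refs"] += [int(s) for s in (el.text or "").split(",") if s.strip()]
            for el in rule.findall("if_group") + rule.findall("if_matched_group"):
                info["group_refs"].append((el.text or "").strip())
            for m in rule.findall("mitre"):
                info["mitre"] += [i.text.strip() for i in m.findall("id") if i.text]
            rules.append(info)
    return rules


def check_rules_dir(files, builtin_groups=(), builtin_ids=()):
    """files: {file name: xml text}. Returns problem strings; empty when every
    reference resolves in load order and every MITRE id is well-formed."""
    problems = []
    seen_ids, seen_groups = set(builtin_ids), set(builtin_groups)
    for name in sorted(files):  # load order == sorted file name
        for r in parse_rule_file(files[name]):
            for sid in r["sid_refs"]:
                if sid not in seen_ids:
                    problems.append(f"{name}: rule {r['id']} if_sid {sid} not loaded yet")
            for g in r["group_refs"]:
                if g not in seen_groups:
                    problems.append(f"{name}: rule {r['id']} if_group {g} not loaded yet")
            for tid in r["mitre"]:
                if not MITRE_ID.match(tid):
                    problems.append(f"{name}: rule {r['id']} bad MITRE id {tid!r}")
            seen_ids.add(r["id"])
            seen_groups |= r["groups"]
    return problems


def rename_plan(names):
    """The post's renaming as a pure function: the file holding the base
    group (0805-...) moves ahead to 0330, then every 0* file gets a leading
    '1' so the whole set loads after existing custom files."""
    plan = {}
    for old in names:
        new = old
        if new.startswith("0805-"):
            new = "0330-" + new[len("0805-"):]
        if new.startswith("0"):
            new = "1" + new
        plan[old] = new
    return plan


# Constructed sample files (not the real repo contents): the base file that
# defines the sysmon_event1 group sorts after the file that references it.
SAMPLE_FILES = {
    "0340-sysmon-process.xml": """
<group name="sysmon,">
  <rule id="100340" level="7">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">powershell.exe$</field>
    <description>Sysmon - PowerShell started</description>
    <mitre><id>T1059.001</id></mitre>
  </rule>
</group>
""",
    "0805-sysmon-base.xml": """
<group name="sysmon,">
  <rule id="100805" level="3">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^1$</field>
    <description>Sysmon - Event 1: process creation</description>
    <group>sysmon_event1,</group>
  </rule>
</group>
""",
}


def check_sample():
    """Run the check on the sample as cloned and again after the rename."""
    before = check_rules_dir(SAMPLE_FILES, builtin_groups={"windows"})
    plan = rename_plan(SAMPLE_FILES)
    renamed = {plan[k]: v for k, v in SAMPLE_FILES.items()}
    after = check_rules_dir(renamed, builtin_groups={"windows"})
    return before, after


if __name__ == "__main__":
    before, after = check_sample()
    print("as cloned:", before or "ok")
    print("after rename:", after or "ok")
```

Run it against a real directory by reading each `*.xml` into the `files` dict and seeding `builtin_ids`/`builtin_groups` from the shipped ruleset under `/var/ossec/ruleset/rules`; an empty result means the restart will not fail on an unresolved reference or a mistyped technique id.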