MITRE ATT&CK Framework
MITRE's ATT&CK framework is an extremely modular and extensive catalogue of observed tactics, techniques, and procedures used by adversaries in the real world.
With a SIEM like Wazuh, and a very powerful Windows event logger like Sysmon, it is useful to be able to correlate event data to the various framework IDs to make it easier to hunt and recognize potential threat actors.
Extending Wazuh Rules
This GitHub repo has some very useful rules files for the aforementioned purpose.
The reason, I decided to write this post, is to document my steps to work around some issues while implementing the rulesets, as Wazuh was throwing errors when I tried to restart it.
Based on my trial and error, it looks like Wazuh loads rules files – built-in and custom – in order by their numerical ID. So, if you have a custom rules file named
0001-custom-rules.xml, that is going to be loaded first by Wazuh due to its name.
Implementing the Ruleset
These commands are being run on the server where the Wazuh Manager is installed.
cd /tmp git clone https://github.com/Hestat/ossec-sysmon cd ossec-sysmon # This file has a group ID that needs to be loaded first mv 0805-v10-sysmon-modular_rules.xml 0330-v10-sysmon-modular_rules.xml # Need to push all the rules files lower down the chain # They reference some identities that are loaded later if not renamed # All we're doing here is adding a '1' in front of the file name # So, 0330 becomes 10330 for file in `ls 0*.xml`; do oldName=$file; newName="1$file"; mv $oldName $newName; done # Copy the rules files to the custom rules location sudo cp ./10*.xml /var/ossec/etc/rules # Set the correct ownership on the files sudo chown wazuh:wazuh /var/ossec/etc/rules/10*.xml # Restart the Manager service sudo systemctl restart wazuh-manager
Tagging Events with MITRE ATT&CK IDs
Wazuh has an interesting feature where you can visualize events by MITRE ATT&CK ID numbers. So, when you open up the dashboard on the homepage, you can drill down into events by a selected ID.
Also, in the events view overview, if the rules have been configured as such, you can see how events align with ATT&CK.
I forked the project linked above, and added the following tags to any applicable rules:
<mitre> <id>T####</id> </mitre>
If you'd like to save yourself some work, you can follow the exact same instructions as above, but just clone my repo and copy the rules files to the correct location.
Ingesting Sysmon Logs
Create a Windows Agent Group
Log into Wazuh Dashboards and you should be redirected to the Wazuh Management app.
Management > Groups. Add a new group and call it
Create a Shared Configuration
With Wazuh, it is possible to create a shared agent configuration that will be applied to any agents that belong to a member of a group. This centralized configuration will take precedence over any configurations in the local
Next to your new
sysmon group, click the Edit (pencil icon) button to modify the shared configuration.
<agent_config> <localfile> <location>Microsoft-Windows-Sysmon/Operational</location> <log_format>eventchannel</log_format> </localfile> </agent_config>
Once you've added the configuration to the
agent.conf template in the editor, click the Save button in the top right of the screen.
Add Agents to the Group
Right now, your
sysmon group has
0 agents assigned to it. We are going to click the group and add any Windows agents where the Sysmon service has been installed.
Click Manage agents.
Go throguh and select your Windows agents that have been configured with the Sysmon service.
Click the Add selected items button and click Apply changes button.
Now with your agents added to the group, the Wazuh Manager should push the shared configuration to your agent(s) and cause a restart of the agent.