Wazuh: Mapping Sysmon Events to MITRE ATT&CK IDs

In this post I walk through adding an enhanced ruleset that maps Sysmon events to ATT&CK IDs in Wazuh, and how I worked around the rule load-order errors it produced on restart.

4 months ago   •   3 min read

By 0xBEN

MITRE ATT&CK Framework

MITRE's ATT&CK framework is an extremely modular and extensive catalogue of observed tactics, techniques, and procedures used by adversaries in the real world.

With a SIEM like Wazuh and a detailed Windows event source like Sysmon, correlating event data to ATT&CK technique IDs makes it much easier to hunt for and recognize adversary behaviour.

Extending Wazuh Rules

This GitHub repo has some very useful rules files for exactly this purpose. Incidentally, it also ships a template osquery config, but that is out of scope for this post. Go check out the repo.

GitHub - Hestat/ossec-sysmon: A Ruleset to enhance detection capabilities of Ossec using Sysmon
https://github.com/Hestat/ossec-sysmon

The reason I decided to write this post is to document how I worked around the errors Wazuh threw when I restarted the manager after installing the rulesets.

Based on my trial and error, Wazuh appears to load rules files, built-in and custom alike, in order of the numeric prefix in their file names. So a custom rules file named 0001-custom-rules.xml is going to be loaded first, purely because of its name. That matters because a rule whose <if_sid> points at a rule ID that has not been loaded yet is rejected at load time, which surfaces as errors when the manager restarts.

Implementing the Ruleset

These commands are run on the server where the Wazuh manager is installed.

cd /tmp
git clone https://github.com/Hestat/ossec-sysmon

cd ossec-sysmon

# This file defines the rules and groups the other files reference,
# so it needs to load first: give it the lowest numeric prefix in the set
mv 0805-v10-sysmon-modular_rules.xml 0330-v10-sysmon-modular_rules.xml

# Push every rules file further down the load order by prefixing a '1'
# (0330 becomes 10330), so they load after the rule IDs they reference.
# Use a glob and quoted variables rather than `ls ./0*`: the ./ prefix
# in ls output would have produced names like 1./0330-... and mv would fail.
for file in 0*; do mv "$file" "1$file"; done

# Copy the rules files to the custom rules location
sudo cp ./10*.xml /var/ossec/etc/rules

# Set the correct ownership on the files
# (the user and group are wazuh:wazuh on Wazuh 4.x managers)
sudo chown ossec:ossec /var/ossec/etc/rules/10*.xml

# Restart the Manager service, then check the log for rule-loading errors
sudo systemctl restart wazuh-manager
sudo grep -iE 'error|warning' /var/ossec/logs/ossec.log | tail
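Before restarting the manager, it is worth checking the renamed files for exactly the problem described above: an <if_sid> that points at a rule ID defined in a file that loads later. The script below is an added example, not code from this post or from the Hestat repository. It assumes that files in a custom rules directory load in file-name order and that an <if_sid> pointing at a not-yet-loaded rule is rejected; the two rule files embedded in it are constructed for the demo, not copied from the ruleset.

```python
"""Find <if_sid> references that point forward in Wazuh rule load order.

Added example; not code from the original post or the Hestat/ossec-sysmon
repository. Assumptions: files in a custom rules directory load in
file-name order, and a rule whose <if_sid> names a rule ID that has not
been loaded yet is rejected. The sample files are constructed.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the 0805 file defines rule 100200, which the 0400
# file references. Sorted by name, 0400 loads before 0805, so the
# reference is forward and the manager would reject it.
SAMPLE_FILES = {
    "0400-sample-office_rules.xml": """
<group name="sysmon,office,">
  <rule id="100300" level="10">
    <if_sid>100200</if_sid>
    <field name="win.eventdata.image">powershell.exe$</field>
    <description>Sysmon - PowerShell spawned by an Office application</description>
  </rule>
</group>
""",
    "0805-sample-modular_rules.xml": """
<group name="sysmon,">
  <rule id="100200" level="3">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.parentImage">winword.exe$|excel.exe$</field>
    <description>Sysmon - Process Create from an Office application</description>
  </rule>
</group>
""",
}


def read_dir(path):
    """Load every .xml file in a rules directory, keyed by file name."""
    return {p.name: p.read_text() for p in Path(path).glob("*.xml")}


def load_order(filenames):
    """Wazuh reads a rules directory in file-name order (assumption), so
    sorting the names reproduces the order in which files are loaded."""
    return sorted(filenames)


def index_rules(xml_text):
    """Return (defined rule IDs, [(rule_id, referenced_id), ...]) for one file.
    Rule files have several top-level <group> elements and no single root,
    so the text is wrapped before parsing."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    defined, refs = set(), []
    for rule in root.iter("rule"):
        rule_id = int(rule.get("id"))
        defined.add(rule_id)
        for if_sid in rule.findall("if_sid"):
            # <if_sid> may list several IDs separated by commas or spaces
            for token in re.split(r"[,\s]+", (if_sid.text or "").strip()):
                if token:
                    refs.append((rule_id, int(token)))
    return defined, refs


def forward_references(files):
    """Return [(file, rule_id, referenced_id)] for every <if_sid> whose
    target is first defined in a file that loads after the referencing
    file. IDs defined in none of the given files are not reported."""
    indexed = {name: index_rules(text) for name, text in files.items()}
    first_defined = {}
    for name in load_order(files):
        for rule_id in indexed[name][0]:
            first_defined.setdefault(rule_id, name)
    problems = []
    for name in load_order(files):
        for rule_id, ref in indexed[name][1]:
            if ref in first_defined and first_defined[ref] > name:
                problems.append((name, rule_id, ref))
    return problems


def rename(files, old, new):
    """Simulate the post's workaround: rename a file so it moves to a
    different position in load order. Returns a new dict."""
    renamed = dict(files)
    renamed[new] = renamed.pop(old)
    return renamed


if __name__ == "__main__":
    print("before:", forward_references(SAMPLE_FILES))
    fixed = rename(SAMPLE_FILES, "0805-sample-modular_rules.xml",
                   "0330-sample-modular_rules.xml")
    print("after: ", forward_references(fixed))
```

To run it against the cloned repository rather than the embedded sample, call forward_references(read_dir("/tmp/ossec-sysmon")) before and after renaming; an empty list means no custom file references a rule ID that only a later custom file defines.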

Tagging Events with MITRE ATT&CK IDs

Wazuh can visualize events by MITRE ATT&CK technique ID: from the MITRE ATT&CK dashboard you can drill down into the alerts raised by rules tagged with a selected ID.

In the events view, provided the rules carry the tags, each alert also shows which ATT&CK technique it maps to.

I forked the project linked above and added the following block inside each applicable <rule> element, alongside its <description>, with T#### replaced by the matching technique ID:

<mitre>
    <id>T####</id>
</mitre>
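Tagging a few hundred rules by hand is error-prone, so a small audit helps: list the rules that still lack a <mitre> block, flag technique IDs that do not look like ATT&CK IDs, and insert a tag without disturbing the rest of the file. The script below is an added example, not code from this post or from either ossec-sysmon repository. It assumes <mitre> is a child of <rule> and that technique IDs take the form T1059 or T1059.001; the sample rules in it are constructed for the demo.

```python
"""Audit a Wazuh rules file for <mitre> tags and add missing ones.

Added example; not code from the original post or either ossec-sysmon
repository. Assumptions: <mitre> is a child of <rule>, technique IDs
look like T1059 or T1059.001, and the sample rules are constructed.
"""
import re
import xml.etree.ElementTree as ET

# ATT&CK technique (T####) or sub-technique (T####.###) ID
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed sample: one rule tagged correctly, one untagged, and one
# with a malformed ID (lowercase 't'), so each check has something to find.
SAMPLE_RULES = """
<group name="sysmon,">
  <rule id="100300" level="10">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">powershell.exe$</field>
    <description>Sysmon - PowerShell execution</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
  <rule id="100301" level="10">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">mshta.exe$</field>
    <description>Sysmon - mshta.exe execution</description>
  </rule>
  <rule id="100302" level="5">
    <if_group>sysmon_event11</if_group>
    <description>Sysmon - file written to the Startup folder</description>
    <mitre><id>t1547</id></mitre>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Return one dict per <rule>: id, level, description and the list of
    technique IDs under <mitre>. Rule files have several top-level <group>
    elements and no root, so the text is wrapped before parsing."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for rule in root.iter("rule"):
        rules.append({
            "id": rule.get("id"),
            "level": rule.get("level"),
            "description": (rule.findtext("description") or "").strip(),
            "mitre": [(i.text or "").strip() for i in rule.findall("mitre/id")],
        })
    return rules


def untagged_rules(xml_text):
    """Rule IDs that carry no <mitre> tag at all."""
    return [r["id"] for r in parse_rules(xml_text) if not r["mitre"]]


def malformed_ids(xml_text):
    """(rule ID, technique) pairs whose technique is not in T#### form."""
    return [(r["id"], t) for r in parse_rules(xml_text)
            for t in r["mitre"] if not TECHNIQUE_ID.match(t)]


def tag_rule(xml_text, rule_id, technique):
    """Insert <mitre><id>technique</id></mitre> just before the closing
    </rule> of an untagged rule. Works on the raw text so the rest of the
    file keeps its formatting (ElementTree would rewrite it)."""
    if not TECHNIQUE_ID.match(technique):
        raise ValueError(f"not an ATT&CK technique ID: {technique!r}")
    if rule_id not in untagged_rules(xml_text):
        raise ValueError(f"rule {rule_id} is missing or already tagged; "
                         "add the <id> inside its existing <mitre> block")
    pattern = re.compile(
        r'(<rule\s+id="%s"[^>]*>.*?)(\s*</rule>)' % re.escape(rule_id), re.S)
    block = "\n    <mitre>\n      <id>%s</id>\n    </mitre>" % technique
    new_text, count = pattern.subn(lambda m: m.group(1) + block + m.group(2),
                                   xml_text, count=1)
    if count != 1:
        raise KeyError(f"rule {rule_id} not found")
    return new_text


if __name__ == "__main__":
    print("untagged:", untagged_rules(SAMPLE_RULES))
    print("malformed:", malformed_ids(SAMPLE_RULES))
    fixed = tag_rule(SAMPLE_RULES, "100301", "T1218.005")
    print("untagged after tagging:", untagged_rules(fixed))
```

Run untagged_rules and malformed_ids over pathlib.Path(...).read_text() of each file in the cloned repo to get a to-do list; the format check only catches typos, so a technique ID still has to be looked up against the ATT&CK matrix before it goes into a rule.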

If you'd like to save yourself some work, follow the exact same instructions as above but clone my fork instead and copy its rules files to the same location.

GitHub - 0xBEN/ossec-sysmon: A Ruleset to enhance detection capabilities of Ossec using Sysmon
https://github.com/0xBEN/ossec-sysmon
