Integrating Sysmon with Wazuh

What is Sysmon?

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and then analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

To download Sysmon, go to the official Microsoft page https://docs.microsoft.com/es-es/sysinternals/downloads/sysmon

We add the sysmon.xml configuration file to the folder

<Sysmon schemaversion="4.00">
   <!-- Capture all hashes -->
   <HashAlgorithms>*</HashAlgorithms>
   <EventFiltering>
      <!-- Sysmon conditions are literal, case-insensitive string comparisons: '*' is not a wildcard.
           Every value below is therefore a plain substring, prefix or suffix; patterns that originally
           needed a wildcard in the middle were reduced to their most specific literal part. -->
      <!-- Event ID 1 == Process Creation. -->
      <ProcessCreate onmatch="include">
          <!-- Office related binaries -->
          <ParentImage condition="contains">office</ParentImage>
          <ParentImage condition="end with">WINWORD.exe</ParentImage>
          <ParentImage condition="end with">EXCEL.exe</ParentImage>
          <ParentImage condition="end with">POWERPNT.exe</ParentImage>
          <ParentImage condition="end with">MSPUB.exe</ParentImage>
          <ParentImage condition="end with">VISIO.exe</ParentImage>
          <ParentImage condition="end with">mshta.exe</ParentImage>
          <!-- Management binaries that rarely spawn children -->
          <ParentImage condition="end with">mmc.exe</ParentImage>
          <ParentImage condition="end with">control.exe</ParentImage>
          <ParentImage condition="end with">services.exe</ParentImage>
          <ParentImage condition="end with">wmiprvse.exe</ParentImage>
          <!-- Privilege escalation tricks (UAC bypass parents) -->
          <ParentImage condition="end with">eventvwr.exe</ParentImage>
          <ParentImage condition="end with">fodhelper.exe</ParentImage>

          <!-- Event log clearing, InstallUtil uninstall trick, BITS transfers, DNS server plugin DLL -->
          <CommandLine condition="contains">wevtutil cl</CommandLine>
          <CommandLine condition="contains">/logfile= /LogToConsole=false /U</CommandLine>
          <CommandLine condition="contains">/transfer</CommandLine>
          <CommandLine condition="contains">dnscmd.exe /config /serverlevelplugindll</CommandLine>
          <!-- Java with Remote Debugging -->
          <CommandLine condition="contains">transport=dt_socket,address=</CommandLine>
          <!-- Suspicious WMIC Commands -->
          <CommandLine condition="contains">process call create</CommandLine>
          <CommandLine condition="contains"> path AntiVirusProduct get</CommandLine>
          <CommandLine condition="contains"> path FirewallProduct get</CommandLine>
          <CommandLine condition="contains"> shadowcopy delete</CommandLine>
          <!-- VSSADMIN tricks (generally ransomware or hacking activity) -->
          <CommandLine condition="contains">vssadmin.exe Delete Shadows</CommandLine>
          <CommandLine condition="contains">vssadmin create shadow /for=</CommandLine>
          <CommandLine condition="contains">vssadmin delete shadows /for=</CommandLine>
          <!-- Copies of ntds.dit or the SAM hive through a raw volume device path, SYSTEM hive export -->
          <CommandLine condition="contains">\\?\GLOBALROOT\Device\</CommandLine>
          <CommandLine condition="contains">\windows\ntds\ntds.dit</CommandLine>
          <CommandLine condition="contains">\config\SAM</CommandLine>
          <CommandLine condition="contains">reg SAVE HKLM\SYSTEM </CommandLine>
          <!-- CMD tricks: the intent is "cmd.exe /c" with a URL and %AppData%; one literal cannot express
               both terms, so %AppData% command lines are logged and the URL is correlated in Wazuh -->
          <CommandLine condition="contains">%AppData%</CommandLine>
          <!-- Information gathering about domain & local users (net.exe and net1.exe themselves are logged
               by the Image rules below; if this matches too often, false positives are filtered in Wazuh) -->
          <!-- <CommandLine condition="contains">net group "domain admins" /domain</CommandLine> -->
          <!-- <CommandLine condition="contains">net localgroup administrators</CommandLine> -->
          <CommandLine condition="contains">net group</CommandLine>
          <CommandLine condition="contains">net localgroup</CommandLine>
          <CommandLine condition="contains">net view</CommandLine>
          <CommandLine condition="contains">net share</CommandLine>
          <CommandLine condition="contains">net accounts</CommandLine>
          <CommandLine condition="contains">net use</CommandLine>
          <!-- Certutil tricks (sub commands only; certutil.exe itself is logged by the Image rule below) -->
          <CommandLine condition="contains"> -decode </CommandLine>
          <CommandLine condition="contains"> -decodehex </CommandLine>
          <CommandLine condition="contains">-urlcache</CommandLine>
          <CommandLine condition="contains"> -URL </CommandLine>
          <CommandLine condition="contains"> -ping </CommandLine>
          <!-- Droppers: script files passed on a command line (false positives exist); the original
               "* C:\Users\*.jse *" style patterns were reduced to the file extension -->
          <CommandLine condition="contains">.jse</CommandLine>
          <CommandLine condition="contains">.vbe</CommandLine>
          <CommandLine condition="contains">.js </CommandLine>
          <CommandLine condition="contains">.vba</CommandLine>
          <CommandLine condition="contains">.vbs</CommandLine>
          <!-- PowerShell command line tricks (the list goes on and should be filtered in Wazuh);
               the download methods are matched without the "new-object" prefix so that
               "Net.WebClient" and "System.Net.WebClient" spellings are both caught -->
          <CommandLine condition="contains">.downloadstring(</CommandLine>
          <CommandLine condition="contains">.downloadfile(</CommandLine>
          <CommandLine condition="contains"> -enc </CommandLine>
          <CommandLine condition="contains"> -EncodedCommand </CommandLine>
          <CommandLine condition="contains"> -w hidden </CommandLine>
          <CommandLine condition="contains"> -window hidden </CommandLine>
          <CommandLine condition="contains"> -windowstyle hidden </CommandLine>
          <CommandLine condition="contains"> -noni </CommandLine>
          <CommandLine condition="contains"> -noninteractive </CommandLine>
          <!-- Critical Binaries -->
          <Image condition="is">C:\Windows\System32\regsvr32.exe</Image>
          <Image condition="is">C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe</Image>
          <Image condition="end with">InstallUtil.exe</Image>
          <Image condition="end with">EQNEDT32.EXE</Image>
          <Image condition="end with">wevtutil.exe</Image>
          <Image condition="end with">bitsadmin.exe</Image>
          <Image condition="end with">CasPol.exe</Image>
          <Image condition="end with">IEExec.exe</Image>
          <Image condition="end with">odbcconf.exe</Image>
          <Image condition="end with">cscript.exe</Image>
          <Image condition="end with">wscript.exe</Image>
          <Image condition="end with">cmd.exe</Image>
          <Image condition="end with">powershell.exe</Image>
          <Image condition="end with">certutil.exe</Image>
          <Image condition="end with">sh.exe</Image>
          <Image condition="end with">bash.exe</Image>
          <Image condition="end with">scrcons.exe</Image>
          <Image condition="end with">svchost.exe</Image>
          <Image condition="end with">spoolsv.exe</Image>
          <Image condition="end with">smss.exe</Image>
          <Image condition="end with">csrss.exe</Image>
          <Image condition="end with">conhost.exe</Image>
          <Image condition="end with">regsvr32.exe</Image>
          <Image condition="end with">hh.exe</Image>
          <Image condition="end with">wsmprovhost.exe</Image>
          <Image condition="end with">regsvcs.exe</Image>
          <Image condition="end with">regasm.exe</Image>
          <Image condition="end with">sdbinst.exe</Image>
          <Image condition="end with">schtasks.exe</Image>
          <Image condition="end with">rundll32.exe</Image>
          <Image condition="end with">net.exe</Image>
          <Image condition="end with">net1.exe</Image>
          <Image condition="end with">wmic.exe</Image>
          <Image condition="end with">eventvwr.exe</Image>
          <Image condition="end with">csc.exe</Image>
          <!-- Very Suspicious Paths To Execute Binary From -->
          <Image condition="contains">\PerfLogs\</Image>
          <Image condition="contains">\$Recycle.bin\</Image>
          <Image condition="contains">\Intel\Logs\</Image>
          <Image condition="contains">\Users\All Users\</Image>
          <Image condition="contains">\Users\Default\</Image>
          <Image condition="contains">\Users\Public\</Image>
          <Image condition="contains">\Users\NetworkService\</Image>
          <Image condition="contains">\Windows\Fonts\</Image>
          <Image condition="contains">\Windows\Debug\</Image>
          <Image condition="contains">\Windows\Media\</Image>
          <Image condition="contains">\Windows\IME\</Image>
          <Image condition="contains">\Windows\Help\</Image>
          <Image condition="contains">\Windows\addins\</Image>
          <Image condition="contains">\Windows\repair\</Image>
          <Image condition="contains">\Windows\security\</Image>
          <Image condition="contains">\RSA\MachineKeys\</Image>
          <Image condition="contains">\wwwroot\</Image>
          <Image condition="contains">\wmpub\</Image>
          <Image condition="contains">\htdocs\</Image>
          <Image condition="contains">\Windows\system32\config\systemprofile\</Image>

      </ProcessCreate>

      <!-- Event ID 2 == File Creation Time. (empty include: not logged) -->
      <FileCreateTime onmatch="include"/>
      <!-- Event ID 3 == Network Connection. -->
      <NetworkConnect onmatch="include">
          <!-- Very Suspicious Paths To Have Network Connection -->
          <Image condition="contains">\PerfLogs\</Image>
          <Image condition="contains">\ProgramData\</Image>
          <Image condition="contains">\$Recycle.bin\</Image>
          <Image condition="contains">\Users\All Users\</Image>
          <Image condition="contains">\Users\Default\</Image>
          <Image condition="contains">\Users\Public\</Image>
          <Image condition="contains">\Windows\Fonts\</Image>
          <Image condition="contains">\Windows\Debug\</Image>
          <Image condition="contains">\Windows\Media\</Image>
          <Image condition="contains">\Windows\IME\</Image>
          <Image condition="contains">\Windows\Help\</Image>
          <Image condition="contains">\Windows\addins\</Image>
          <Image condition="contains">\Windows\system32\config\systemprofile\</Image>
          <!-- Uncommon network connections; internal destinations should be filtered in Wazuh -->
          <Image condition="end with">rundll32.exe</Image>
          <Image condition="end with">IEExec.exe</Image>
          <Image condition="end with">powershell.exe</Image>
      </NetworkConnect>
      <!-- Event ID 5 == Process Terminated. (empty include: not logged) -->
      <ProcessTerminate onmatch="include"/>
      <!-- Event ID 6 == Driver Loaded. (not configured here) -->
      <!-- Event ID 7 == Image Loaded. (not configured here) -->
      <!-- Event ID 8 == CreateRemoteThread. -->
      <CreateRemoteThread onmatch="include">
          <StartFunction condition="contains">LoadLibrary</StartFunction>
          <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
      </CreateRemoteThread>
      <!-- Event ID 9 == RawAccessRead. (empty include: not logged) -->
      <RawAccessRead onmatch="include"/>
      <!-- Event ID 10 == ProcessAccess. -->
      <ProcessAccess onmatch="include">
          <CallTrace condition="contains">CorPerfMonExt.dll</CallTrace>
          <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
          <TargetImage condition="end with">verclsid.exe</TargetImage>
      </ProcessAccess>
      <!-- Event ID 11 == FileCreate. -->
      <FileCreate onmatch="include">
          <TargetFilename condition="contains">C:\Windows\AppPatch\Custom</TargetFilename>
      </FileCreate>
      <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed.
           Sysmon reports registry paths with the HKLM/HKU prefix, not \REGISTRY\MACHINE -->
      <RegistryEvent onmatch="include">
          <Image condition="is">C:\Windows\system32\services.exe</Image>
          <Image condition="is">C:\Windows\system32\LogonUI.exe</Image>
          <Image condition="end with">IEExec.exe</Image>
          <!-- <TargetObject condition="is">HKLM\SYSTEM\ControlSet001\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject> -->
          <TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup</TargetObject>
          <TargetObject condition="is">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs</TargetObject>
          <TargetObject condition="is">HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services</TargetObject>
          <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\</TargetObject>
          <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</TargetObject>
          <!-- Autorun method and needs to be tuned -->
          <TargetObject condition="begin with">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\</TargetObject>

          <TargetObject condition="contains">\Services\DNS\Parameters\ServerLevelPluginDll</TargetObject>
          <TargetObject condition="contains">\Services\DHCPServer\Parameters\CalloutDlls</TargetObject>
          <TargetObject condition="contains">\Services\DHCPServer\Parameters\CalloutEnabled</TargetObject>
          <TargetObject condition="contains">HKLM\System\CurrentControlSet\services\Tcpip\Parameters</TargetObject>
          <TargetObject condition="contains">\services\Netlogon\Parameters\DisablePasswordChange</TargetObject>
          <TargetObject condition="contains">\Control\SecurityProviders\WDigest</TargetObject>
          <TargetObject condition="contains">\mscfile\shell\open\command\</TargetObject>
          <TargetObject condition="contains">\Classes\exefile\shell\runas\command\isolatedCommand</TargetObject>
          <TargetObject condition="contains">ms-settings\shell\open\command</TargetObject>
          <TargetObject condition="contains">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB</TargetObject>
          <!-- Win32_OSRecoveryConfiguration is a WMI class, not a registry path, so it cannot match here:
               <TargetObject condition="is">Win32_OSRecoveryConfiguration</TargetObject> -->
      </RegistryEvent>
      <!-- Event ID 15 == FileStream Created. (empty include: not logged) -->
      <FileCreateStreamHash onmatch="include"/>
      <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
      <PipeEvent onmatch="include">
          <PipeName condition="contains">\isapi_http</PipeName>
          <PipeName condition="contains">\isapi_dg</PipeName>
          <PipeName condition="contains">\isapi_dg2</PipeName>
          <PipeName condition="contains">\sdlrpc</PipeName>
          <PipeName condition="contains">\ahexec</PipeName>
          <PipeName condition="contains">\winsession</PipeName>
          <PipeName condition="contains">\lsassw</PipeName>
          <PipeName condition="contains">\46a676ab7f179e511e30dd2dc41bd388</PipeName>
          <PipeName condition="contains">\9f81f59bc58452127884ce513865ed20</PipeName>
          <PipeName condition="contains">\e710f28d59aa529d6792ca6ff0ca1b34</PipeName>
          <PipeName condition="contains">\rpchlp_3</PipeName>
          <PipeName condition="contains">\NamePipe_MoreWindows</PipeName>
          <PipeName condition="contains">\pcheap_reuse</PipeName>
      </PipeEvent>
      <!-- Event ID 19,20,21 == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter
           activity: an empty "exclude" logs everything (an empty "include" would log nothing) -->
      <WmiEvent onmatch="exclude"/>
  </EventFiltering>
</Sysmon>
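Before loading this configuration (or any configuration copied from elsewhere), it is worth checking it for the two mistakes that make Sysmon filters silently match nothing: a literal "*" in a condition value, since Sysmon conditions are plain string comparisons with no wildcard support, and an onmatch="include" section with no rules, which disables that event type. The following Python script is an added example (not part of the original post and not a Sysmon tool) that runs these checks with the standard library; the embedded sample configuration is constructed for the demonstration.

```python
"""Sanity checks for a Sysmon EventFiltering config (stdlib only).

Sysmon filter conditions ("is", "contains", "begin with", "end with", ...)
are literal, case-insensitive string comparisons: '*' is NOT a wildcard, so
<CommandLine condition="contains">* group*</CommandLine> only matches command
lines that literally contain an asterisk.  A section with onmatch="include"
and no child rules logs nothing for that event type, whereas onmatch="exclude"
with no rules logs everything.
"""
import xml.etree.ElementTree as ET

# Condition names accepted by Sysmon 4.x schemas (newer ones included so a
# recent config is not flagged); anything else is rejected when the config loads.
KNOWN_CONDITIONS = {
    "is", "is not", "is any", "contains", "contains any", "contains all",
    "excludes", "excludes any", "excludes all", "begin with", "end with",
    "not begin with", "not end with", "less than", "more than", "image",
}


def _sections(event_filtering):
    """Yield event sections, descending into <RuleGroup> wrappers (schema 4.1+)."""
    for child in event_filtering:
        if child.tag == "RuleGroup":
            yield from child
        else:
            yield child


def _leaf_rules(section):
    """Yield leaf filter rules, descending into <Rule groupRelation=...> wrappers."""
    for rule in section:
        if rule.tag == "Rule":
            yield from rule
        else:
            yield rule


def lint_sysmon_config(xml_text):
    """Return a list of (section, message) findings for a config text."""
    findings = []
    filtering = ET.fromstring(xml_text).find("EventFiltering")
    if filtering is None:
        return [("Sysmon", "no <EventFiltering> element")]
    for section in _sections(filtering):
        onmatch = section.get("onmatch")
        rules = list(_leaf_rules(section))
        if onmatch not in ("include", "exclude"):
            findings.append((section.tag, "onmatch must be include or exclude"))
        elif onmatch == "include" and not rules:
            findings.append((section.tag, "empty include section: this event type is never logged"))
        seen = set()
        for rule in rules:
            cond = (rule.get("condition") or "is").lower()  # default condition is "is"
            value = (rule.text or "").strip()
            if cond not in KNOWN_CONDITIONS:
                findings.append((section.tag, f"unknown condition '{cond}' on <{rule.tag}>"))
            if "*" in value:  # '?' is left alone: \\?\GLOBALROOT is a legitimate literal
                findings.append((section.tag, f"literal '*' in <{rule.tag}> '{value}': Sysmon has no wildcards"))
            key = (rule.tag, cond, value.lower())
            if key in seen:
                findings.append((section.tag, f"duplicate rule <{rule.tag}> '{value}'"))
            seen.add(key)
    return findings


# Constructed sample containing one instance of each pitfall.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.00">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <CommandLine condition="contains">* group*</CommandLine>
      <Image condition="end with">certutil.exe</Image>
      <Image condition="end with">certutil.exe</Image>
      <Image condition="ends with">mshta.exe</Image>
    </ProcessCreate>
    <FileCreateTime onmatch="include"/>
    <WmiEvent onmatch="exclude"/>
  </EventFiltering>
</Sysmon>"""

if __name__ == "__main__":
    for section, message in lint_sysmon_config(SAMPLE_CONFIG):
        print(f"[{section}] {message}")
```

Run it against your own file with `lint_sysmon_config(open("sysmon.xml").read())`; an empty list means none of the checked pitfalls is present.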

Start Sysmon:

Sysmon64.exe -accepteula -i sysmon.xml

Events should now appear under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational.

The Wazuh agent has to be told to monitor the Sysmon events; to do so, add the following lines to C:\Program Files (x86)\ossec-agent\ossec.conf

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

A new rule has to be added to local_rules.xml on the Wazuh manager so that it matches the Sysmon event generated by the execution of PowerShell. This rule lets the manager raise an alert every time it receives this type of event.

To do so, add the following configuration to /var/ossec/etc/rules/local_rules.xml

<!-- Rules in local_rules.xml for Sysmon. Field names follow the Wazuh eventchannel decoder
     (win.eventdata.image, parentImage, commandLine, targetImage, imageLoaded, currentDirectory,
     startModule); Wazuh looks them up case-insensitively. Level 0 rules raise no alert and only
     serve as parents for the level 12 rules that reference them through if_sid. -->

<group name="sysmon,sysmon_process-anomalies,">
    <rule id="255000" level="12">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.image">\\powershell.exe||\\.ps1||\\.ps2</field>
        <description>Sysmon - Event 1: Powershell or Script Execution: $(win.eventdata.image)</description>
    </rule>

    <!-- Event 7 (ImageLoad) must be enabled in the Sysmon configuration for 255001-255003 to fire -->
    <rule id="255001" level="0">
        <if_group>sysmon_event7</if_group>
        <field name="win.eventdata.image">\\rundll32.exe</field>
        <description>Sysmon - rundll32.exe</description>
    </rule>

    <rule id="255002" level="12">
        <if_sid>255001</if_sid>
        <field name="win.eventdata.imageLoaded">\\vaultcli.dll</field>
        <description>Possible Mimikatz Running In-Memory Detection</description>
    </rule>

    <rule id="255003" level="12">
        <if_sid>255001</if_sid>
        <field name="win.eventdata.imageLoaded">\\wlanapi.dll</field>
        <description>Possible Mimikatz In-Memory Detection</description>
    </rule>

    <rule id="255004" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.parentImage">\\mshta.exe</field>
        <description>Sysmon - mshta.exe</description>
    </rule>

    <rule id="255005" level="12">
        <if_sid>255004</if_sid>
        <field name="win.eventdata.image">\\cmd.exe||\\powershell.exe||\\wscript.exe||\\cscript.exe||\\sh.exe||\\bash.exe||\\reg.exe||\\regsvr32.exe||\\BITSADMIN*</field>
        <description>Detects a Windows command line executable started from MSHTA</description>
    </rule>

    <rule id="255006" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.parentImage">\\WINWORD.EXE||\\EXCEL.EXE||\\POWERPNT.exe||\\MSPUB.exe||\\VISIO.exe</field>
        <description>Sysmon - MS Word / MS Excel run</description>
    </rule>

    <rule id="255007" level="12">
        <if_sid>255006</if_sid>
        <field name="win.eventdata.image">\\cmd.exe</field>
        <description>Possible Office Macro Started: $(win.eventdata.image)</description>
    </rule>

    <rule id="255008" level="12">
        <if_sid>255006</if_sid>
        <field name="win.eventdata.image">\\cmd.exe||\\powershell.exe||\\wscript.exe||\\cscript.exe||\\sh.exe||\\bash.exe||\\scrcons.exe||\\schtasks.exe||\\regsvr32.exe||\\hh.exe</field>
        <description>Microsoft Office Product Spawning Windows Shell</description>
    </rule>

    <rule id="255009" level="0">
        <if_group>sysmon_event8</if_group>
        <field name="win.eventdata.targetImage">\\lsass.exe</field>
        <description>Sysmon - Event 8: remote thread created in lsass.exe</description>
    </rule>

    <rule id="255010" level="12">
        <if_sid>255009</if_sid>
        <field name="win.eventdata.startModule">null</field>
        <description>Password Dumper Remote Thread in LSASS</description>
    </rule>

    <rule id="255011" level="12">
        <if_sid>255000</if_sid>
        <field name="win.eventdata.commandLine">DownloadString||downloadfile</field>
        <description>PowerShell scripts that download content from the Internet</description>
    </rule>

    <rule id="255016" level="12">
        <if_sid>255000</if_sid>
        <field name="win.eventdata.commandLine">EncodedCommand||-w hidden||-window hidden||-windowstyle hidden||-enc||-noni||noninteractive</field>
        <description>Detects suspicious PowerShell invocation command parameters</description>
    </rule>

    <rule id="255017" level="0">
        <if_group>sysmon_event3</if_group>
        <field name="win.eventdata.image">rundll32.exe</field>
        <description>Rundll32 Internet Connection</description>
    </rule>

    <!-- "!" negates the match: alert only when the event does not mention a 192.x address -->
    <rule id="255018" level="12">
        <if_sid>255017</if_sid>
        <match>!192.</match>
        <description>Detects a rundll32 that communicates with public IP addresses</description>
    </rule>

    <rule id="255020" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.image">certutil.exe</field>
        <description>Sysmon - Microsoft certutil execution</description>
    </rule>

    <rule id="255021" level="12">
        <if_sid>255020</if_sid>
        <field name="win.eventdata.commandLine">URL||decode||decodehex||urlcache||ping</field>
        <description>Detects a suspicious Microsoft certutil execution with sub commands</description>
    </rule>

    <rule id="255023" level="12">
        <if_sid>255000</if_sid>
        <field name="win.eventdata.currentDirectory">AppData</field>
        <description>Detects a suspicious command line execution that includes an URL and AppData</description>
    </rule>

    <rule id="255024" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.parentImage">\\System32\\control.exe</field>
        <description>Sysmon - child process of control.exe</description>
    </rule>

    <rule id="255025" level="12">
        <if_sid>255024</if_sid>
        <field name="win.eventdata.commandLine">\\rundll32.exe</field>
        <description>Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits</description>
    </rule>

    <!-- Event 6 (DriverLoad) must be enabled in the Sysmon configuration for 255026 to fire -->
    <rule id="255026" level="12">
        <if_group>sysmon_event6</if_group>
        <field name="win.eventdata.imageLoaded">\\Temp</field>
        <description>Detects a driver load from a temporary directory</description>
    </rule>

    <rule id="255027" level="12">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.image">C:\\PerfLogs\\||C:\\$Recycle.bin\\||C:\\Intel\\Logs\\||C:\\Users\\Default\\||C:\\Users\\Public\\||C:\\Users\\NetworkService\\||C:\\Windows\\Fonts\\||C:\\Windows\\Debug\\||C:\\Windows\\Media\\||C:\\Windows\\Help\\||C:\\Windows\\addins\\||C:\\Windows\\repair\\||C:\\Windows\\security\\||\\RSA\\MachineKeys\\||C:\\Windows\\system32\\config\\systemprofile</field>
        <description>Detects process starts of binaries from a suspicious folder</description>
    </rule>

    <rule id="255028" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.parentImage">\\mmc.exe</field>
        <description>Sysmon - process started by MMC</description>
    </rule>

    <rule id="255029" level="12">
        <if_sid>255028</if_sid>
        <field name="win.eventdata.image">\\cmd.exe</field>
        <description>Processes started by MMC could be a sign of lateral movement using MMC application COM object</description>
    </rule>

    <!-- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/-->
    <rule id="255030" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.image">\\net.exe||\\net1.exe</field>
        <description>Detects execution of Net.exe, whether suspicious or benign.</description>
    </rule>

    <rule id="255031" level="12">
        <if_sid>255030</if_sid>
        <field name="win.eventdata.commandLine">group||localgroup||user||view||share||accounts||use</field>
        <description>Detects Net.exe enumeration or share commands</description>
    </rule>

    <rule id="255032" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.parentImage">\\wscript.exe||\\cscript.exe</field>
        <description>Sysmon - wscript/cscript.exe</description>
    </rule>

    <rule id="255033" level="12">
        <if_sid>255032</if_sid>
        <field name="win.eventdata.image">\\powershell.exe</field>
        <description>Detects suspicious powershell invocations from interpreters or unusual programs</description>
    </rule>

    <rule id="255034" level="12">
        <if_sid>255030</if_sid>
        <field name="win.eventdata.commandLine">net group "domain admins" /domain||net localgroup administrators||net1 group "domain admins" /domain||net1 localgroup administrators</field>
        <description>Detects suspicious command line activity on Windows systems</description>
    </rule>

    <rule id="255035" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.image">\\regsvr32.exe</field>
        <description>Sysmon - regsvr32.exe</description>
    </rule>

    <rule id="255036" level="12">
        <if_sid>255035</if_sid>
        <field name="win.eventdata.commandLine">\\Temp</field>
        <description>Detects various anomalies in relation to regsvr32.exe</description>
    </rule>

    <rule id="255037" level="12">
        <if_sid>255035</if_sid>
        <field name="win.eventdata.parentImage">powershell.exe</field>
        <description>Detects various anomalies in relation to regsvr32.exe</description>
    </rule>

    <rule id="255038" level="12">
        <if_sid>255035</if_sid>
        <field name="win.eventdata.commandLine">scrobj.dll</field>
        <description>Detects various anomalies in relation to regsvr32.exe</description>
    </rule>

    <rule id="255039" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.image">\\schtasks.exe</field>
        <description>Sysmon - schtasks.exe</description>
    </rule>

    <rule id="255040" level="12">
        <if_sid>255039</if_sid>
        <field name="win.eventdata.commandLine">/create</field>
        <description>Detects the creation of scheduled tasks in user session</description>
    </rule>

    <rule id="255041" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.image">\\wscript.exe||\\cscript.exe</field>
        <description>Sysmon - wscript/cscript execution</description>
    </rule>

    <rule id="255042" level="12">
        <if_sid>255041</if_sid>
        <field name="win.eventdata.commandLine">jse||vbe||js||vba</field>
        <description>Detects suspicious file execution by wscript and cscript</description>
    </rule>

    <rule id="255043" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.parentImage">\\svchost.exe</field>
        <description>Suspicious Svchost Process</description>
    </rule>

    <rule id="255044" level="12">
        <if_sid>255043</if_sid>
        <field name="win.eventdata.image">\\services.exe</field>
        <description>Detects a suspicious svchost process start</description>
    </rule>

    <rule id="255045" level="12">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.commandLine">vssadmin.exe Delete Shadows||vssadmin create shadow||GLOBALROOT||vssadmin delete shadows||reg SAVE HKLM\\SYSTEM||\\windows\\ntds\\ntds.dit</field>
        <description>Detects suspicious commands that could be related to activity that uses volume shadow copy</description>
    </rule>

    <rule id="255046" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.image">\\wmic.exe</field>
        <description>Sysmon - wmic.exe</description>
    </rule>

    <rule id="255047" level="12">
        <if_sid>255046</if_sid>
        <field name="win.eventdata.commandLine">process call create||AntiVirusProduct get||FirewallProduct get||shadowcopy delete</field>
        <description>Detects WMI executing suspicious commands</description>
    </rule>

    <rule id="255048" level="12">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.commandLine">transport=dt_socket,address=</field>
        <description>Detects a JAVA process running with remote debugging allowing more than just localhost to connect</description>
    </rule>

    <rule id="255049" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.parentImage">\\WINWORD.EXE</field>
        <description>Sysmon - MS Word</description>
    </rule>

    <rule id="255050" level="12">
        <if_sid>255049</if_sid>
        <field name="win.eventdata.image">\\csc.exe</field>
        <description>Detects Winword starting uncommon sub process csc.exe as used in exploits</description>
    </rule>

    <rule id="255051" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.parentImage">\\apache||\\tomcat||\\w3wp.exe||\\php-cgi.exe||\\nginx.exe||\\httpd.exe</field>
        <description>Sysmon - child process of a web server</description>
    </rule>

    <rule id="255052" level="12">
        <if_sid>255051</if_sid>
        <field name="win.eventdata.commandLine">whoami||net user||ping -n||systeminfo</field>
        <description>Sysmon - Webshell detection</description>
    </rule>

    <rule id="255053" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.image">bitsadmin.exe</field>
        <description>Sysmon Bitsadmin.exe detection</description>
    </rule>

    <rule id="255054" level="12">
        <if_sid>255053</if_sid>
        <field name="win.eventdata.commandLine">/transfer</field>
        <description>Detects usage of bitsadmin downloading a file</description>
    </rule>

    <rule id="254056" level="12">
        <if_sid>255000</if_sid>
        <field name="win.eventdata.commandLine">AppData</field>
        <description>Detects a suspicious command line execution that includes an URL and AppData</description>
    </rule>

    <rule id="255057" level="12">
        <if_sid>255028</if_sid>
        <field name="win.eventdata.image">\\powershell.exe</field>
        <description>Processes started by MMC could be a sign of lateral movement using MMC application COM object</description>
    </rule>

    <rule id="255058" level="12">
        <if_sid>255032</if_sid>
        <field name="win.eventdata.image">\\cmd.exe</field>
        <description>Detects suspicious cmd.exe invocations from interpreters or unusual programs</description>
    </rule>

    <!-- Exclusions: a level 0 child silences its parent for the matched string.
         Rule 184666 is not defined on this page; the parent id must exist in the loaded ruleset -->
    <rule id="255059" level="0">
        <if_sid>184666</if_sid>
        <match>MsMpEng.exe</match>
        <description>Exclude</description>
    </rule>

    <rule id="254060" level="0">
        <if_sid>254056</if_sid>
        <match>WindowsVersionTempFile.txt</match>
        <description>Exclude</description>
    </rule>

    <rule id="255061" level="0">
        <if_sid>255025</if_sid>
        <match>timedate.cpl</match>
        <description>Exclude</description>
    </rule>

    <rule id="255062" level="0">
        <if_sid>255033</if_sid>
        <match>getfilecounts.vbs</match>
        <description>Exclude</description>
    </rule>

    <rule id="255063" level="0">
        <if_sid>255050</if_sid>
        <match>xj6r_ru4.cmdline</match>
        <description>Exclude</description>
    </rule>

    <rule id="255065" level="0">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.image">conhost.exe</field>
        <description>Sysmon - conhost.exe, parent image $(win.eventdata.parentImage)</description>
    </rule>

    <rule id="255066" level="12">
        <if_sid>255065</if_sid>
        <field name="win.eventdata.parentImage">mimikatz.exe</field>
        <description>Mimikatz Detection Image: $(win.eventdata.parentImage)</description>
    </rule>

    <rule id="255067" level="12">
        <if_sid>255032</if_sid>
        <field name="win.eventdata.currentDirectory">AppData</field>
        <description>Detects a script interpreter launched from AppData</description>
    </rule>

    <rule id="255068" level="12">
        <if_sid>255041</if_sid>
        <field name="win.eventdata.currentDirectory">AppData</field>
        <description>Detects wscript/cscript running from AppData</description>
    </rule>

<!-- Alternatives to 255018 for other private ranges; each would need its own parent chain,
     so they are left disabled here
    <rule id="255069" level="12">
        <if_sid>255017</if_sid>
        <match>!172.</match>
        <description>Detects a rundll32 that communicates with public IP addresses</description>
    </rule>
    <rule id="255070" level="12">
        <if_sid>255017</if_sid>
        <match>!10.</match>
        <description>Detects a rundll32 that communicates with public IP addresses</description>
    </rule>
-->
    <rule id="255071" level="12">
        <if_group>sysmon_event1</if_group>
        <field name="win.eventdata.commandLine">AppData</field>
        <description>Detects a suspicious command line execution that includes an URL and AppData</description>
    </rule>
</group>
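To see why the base rules are level 0 and their children level 12, the following Python model (an added example, not Wazuh's analysisd and not from the original post) walks a parent/child chain the way the manager does: a root rule is matched through if_group and its fields, then any child that names it in if_sid is tried, and only the deepest match is alerted at its own level. It treats each "||" alternative as a case-insensitive Python regex, which is an approximation of OS_Regex that is good enough for the patterns on this page; the rule subset and the events are constructed for the demonstration, and the two rundll32 event 3 samples (private and public destination) exercise the "!" negation of match.

```python
"""Simplified model of how Wazuh walks a parent/child rule chain (added
illustration, not analysisd).  Supports only <if_group>, <if_sid>, <field>
and <match> with a leading '!' negation; each '||' alternative is run as a
case-insensitive Python regex, an approximation of OS_Regex.  Field names
are looked up case-insensitively, as Wazuh's FindField does."""
import re
import xml.etree.ElementTree as ET

# Constructed subset of the local_rules.xml above (rule ids kept).
RULES_XML = r"""<group name="sysmon,">
  <rule id="255000" level="12">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image">\\powershell.exe||\\.ps1</field>
    <description>Sysmon - Event 1: Powershell or Script Execution</description>
  </rule>
  <rule id="255016" level="12">
    <if_sid>255000</if_sid>
    <field name="win.eventdata.commandLine">EncodedCommand||-w hidden||-enc||-noni</field>
    <description>Detects suspicious PowerShell invocation command parameters</description>
  </rule>
  <rule id="255017" level="0">
    <if_group>sysmon_event3</if_group>
    <field name="win.eventdata.image">rundll32.exe</field>
    <description>Rundll32 Internet Connection</description>
  </rule>
  <rule id="255018" level="12">
    <if_sid>255017</if_sid>
    <match>!192.</match>
    <description>Detects a rundll32 that communicates with public IP addresses</description>
  </rule>
</group>"""

def load_rules(xml_text):
    """Parse the subset of rule options this model understands."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(r.get("id")), "level": int(r.get("level")),
            "if_group": r.findtext("if_group"), "if_sid": r.findtext("if_sid"),
            "fields": [(f.get("name").lower(), f.text) for f in r.findall("field")],
            "match": r.findtext("match"), "description": r.findtext("description"),
        })
    return rules

def os_regex(pattern, text):
    """'||' separates alternatives; OS_Regex matching is case-insensitive."""
    return any(re.search(alt, text, re.IGNORECASE) for alt in pattern.split("||"))

def rule_matches(rule, event):
    """Check if_group, every <field>, and <match> (negated when it starts with '!')."""
    if rule["if_group"] and rule["if_group"] not in event["groups"]:
        return False
    for name, pattern in rule["fields"]:
        value = event["fields"].get(name)
        if value is None or not os_regex(pattern, value):
            return False
    if rule["match"]:
        pattern, negate = rule["match"], False
        if pattern.startswith("!"):
            pattern, negate = pattern[1:], True
        if os_regex(pattern, event["full_log"]) == negate:
            return False
    return True

def evaluate(rules, event):
    """Return the deepest matching rule: a root rule (no if_sid) first, then
    repeatedly any child that names it in if_sid.  Level 0 means no alert."""
    current = next((r for r in rules if r["if_sid"] is None and rule_matches(r, event)), None)
    while current is not None:
        child = next((r for r in rules if r["if_sid"] == str(current["id"])
                      and rule_matches(r, event)), None)
        if child is None:
            return current
        current = child
    return None

def sysmon_event(event_id, **eventdata):
    """Constructed, already-decoded event: Wazuh's stock Sysmon rules add the
    group sysmon_event<N>; the decoder's eventdata keys are lower-cased here."""
    fields = {f"win.eventdata.{k}".lower(): v for k, v in eventdata.items()}
    return {"groups": {f"sysmon_event{event_id}"}, "fields": fields,
            "full_log": " ".join(f"{k}={v}" for k, v in eventdata.items())}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = {
    "ps_plain": sysmon_event(1, image=PS, commandLine=r"powershell.exe -File C:\scripts\backup.ps1"),
    "ps_hidden": sysmon_event(1, image=PS, commandLine="powershell.exe -noni -w hidden -enc QUJD"),
    "rundll_private": sysmon_event(3, image=r"C:\Windows\System32\rundll32.exe", destinationIp="192.168.1.20"),
    "rundll_public": sysmon_event(3, image=r"C:\Windows\System32\rundll32.exe", destinationIp="203.0.113.5"),
}

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for name, event in SAMPLE_EVENTS.items():
        hit = evaluate(rules, event)
        print(name, "->", "no rule" if hit is None else f"{hit['id']} level {hit['level']}: {hit['description']}")
```

On the real manager the same check is done with /var/ossec/bin/wazuh-logtest against a decoded Sysmon event; this model only illustrates the chain logic.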

Once the Wazuh service has been restarted, we open Kibana and can see the different alerts coming in:

:wq!
