# Attack-Technique-Emulation-Wazuh

Repository: https://github.com/Ghost-7A/Attack-Technique-Emulation-Wazuh (owner: Ghost-7A; license: MIT; created 2024-11-19; default branch: main)

Topics: atomic-red-team, detection, docker-container, intrusion-detection-system, mitre-attack, sysmon, wazuh

A project showcasing attack technique emulation using MITRE ATT&CK and detection with Wazuh, Sysmon, and Atomic Red Team.

**Introduction**:

This repository showcases the emulation of adversary tactics from the MITRE ATT&CK framework using Atomic Red Team and demonstrates how Wazuh can be configured to detect these threats effectively, with detailed monitoring provided by Sysmon.

**Emulating ATT&CK Techniques**:

Using Red Canary's [Atomic Red Team](https://github.com/redcanaryco/invoke-atomicredteam), we emulate **T1053.005 – Scheduled Task/Job**, a common adversarial technique for automating malicious activities. This simulation demonstrates how Wazuh can monitor, detect, and alert on the creation and execution of potentially harmful scheduled tasks, providing a realistic assessment of our detection capabilities.

**Setup and Installation Instructions**:

We are using the Wazuh Docker deployment, so we will need to install Docker and Docker Compose.

Install Docker:

For Docker installation, we will refer to this repository:
[Docker-install](https://github.com/penoughcyber/awesome-basics/tree/main/Docker)

**Changing the vm.max_map_count value:**

The default value of vm.max_map_count on many systems is 65536. It is recommended to set it to at least 262144 to prevent out-of-memory exceptions.

```bash
# To check the current value of vm.max_map_count
sysctl vm.max_map_count

# To open the file in a text editor, use this command
sudo nano /etc/sysctl.conf

# Now put this line in that file and save the file
# (the new value is applied at the next boot, or immediately with: sudo sysctl -p)
vm.max_map_count=262144
```

# **Sysmon Configuration**

Sysmon, a system monitoring tool from Microsoft Sysinternals, can be downloaded from the [official Sysinternals page](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon). It is installed using a configuration file, **sysmonconfig.xml**, which maps Sysmon event monitoring to MITRE ATT&CK techniques.

To install Sysmon with the configuration file via PowerShell, use the following command:

```powershell
sysmon.exe -accepteula -i sysmonconfig.xml
```

This command installs Sysmon and loads the specified configuration file to start monitoring system activities. Be sure to install Sysmon on the endpoint you wish to monitor for detailed event logging and analysis.

# **Wazuh Docker Deployment**

In this section, we will guide you through setting up Wazuh using Docker. For detailed instructions and configuration files, refer to my GitHub repository:

🔗 [Wazuh Docker Deployment Repository](https://github.com/Ghost-7A/wazuh-docker-deployment.git)

This repository contains all the necessary steps to deploy Wazuh in a Docker environment efficiently.

# **Emulating ATT&CK Techniques**

We leverage Red Canary's [Atomic Red Team](https://github.com/redcanaryco/invoke-atomicredteam) to emulate **T1053.005 – Scheduled Task/Job**, a technique frequently used by adversaries to automate malicious operations. This simulation provides an opportunity to test Wazuh's ability to monitor, detect, and alert on the creation and execution of suspicious scheduled tasks. By doing so, we gain a realistic assessment of our detection capabilities and identify areas for potential improvement.

We will implement this simulation on our designated victim endpoint.

### Basic Commands:

Get details of a particular technique

- The command below is used to show details of technique T1053.005:

```powershell
Invoke-AtomicTest T1053.005 -ShowDetailsBrief
```

- Check/Get prerequisites of a technique

To check the prerequisites needed to test T1053.005, the command below is used:

```powershell
Invoke-AtomicTest T1053.005 -CheckPrereqs
```

- There may be some prerequisites that are not met. We will satisfy them by running the following command:

```powershell
Invoke-AtomicTest T1053.005 -GetPrereqs
```

- Run the test for a particular technique

To run the test that emulates the T1053.005 technique, the following command is used:

```powershell
Invoke-AtomicTest T1053.005
```

- Clean-up on completion of the test

After a test has been carried out, the changes made can be reverted with the following command. This command will clean up the test for T1053.005:

```powershell
Invoke-AtomicTest T1053.005 -Cleanup
```

# **Monitoring and Detection**:

## **Configuring Wazuh agent**

Installation and enrollment of the Wazuh agent are done on the Windows sandbox. The agent is configured to capture Sysmon events by adding the following settings to the agent configuration file at `C:\Program Files (x86)\ossec-agent\ossec.conf`:

```xml
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```

To apply the changes, we restart the agent by running the following PowerShell command as an administrator:

```powershell
Restart-Service -Name wazuh
```

# **Creating detection rules on Wazuh manager:**

To generate alerts for the previously selected MITRE ATT&CK techniques, the following rules are added to the local_rules.xml file in the rules section on the Wazuh manager.

![local_rules.png](screenshot/image.png)

```xml
<group name="windows,sysmon,">

<rule id="100001" level="10">
  <if_group>windows</if_group>
  <field name="win.eventdata.ruleName" type="pcre2">technique_id=T1053,technique_name=Scheduled Task</field>
  <description>A Newly Scheduled Task has been Detected on $(win.system.computer)</description>
  <mitre>
    <id>T1053</id>
  </mitre>
</rule>

</group>
```

After we save the rules file, we restart the Wazuh manager so it starts using the new rules.

![restart_agent.png](screenshot/2image.png)

# **Monitoring with Wazuh Dashboards:**

![simple_dashboard.png](screenshot/3image.png)

The above image showcases our Wazuh dashboard for the specific endpoint. Since this is a fresh installation, it currently does not display extensive data.

![discover_section.png](screenshot/4image.png)

Now we will go to the Discover section and look for the alerts.

![alerts.png](screenshot/5image.png)

The alert has been generated.

# **Conclusion:**

In this project, we explored the emulation of MITRE ATT&CK techniques and the detection of these techniques using Wazuh, Sysmon, and Atomic Red Team. This journey provided valuable insights into the capabilities and challenges of modern threat detection mechanisms.