{"id":135,"date":"2024-03-14T14:16:42","date_gmt":"2024-03-14T14:16:42","guid":{"rendered":"https:\/\/shaynepatelcybersecurityportfolio.online\/?p=135"},"modified":"2024-03-18T20:20:38","modified_gmt":"2024-03-18T20:20:38","slug":"lab-file-integrity-monitoring-for-windows-using-wazuh","status":"publish","type":"post","link":"https:\/\/shaynepatelcybersecurityportfolio.online\/?p=135","title":{"rendered":"File Integrity Monitoring for Windows using Wazuh"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">In this Home-Lab setup, I go through the tasks to set up a Wazuh platform, onboard the Windows agent, and implement a File Integrity monitoring use case. My goal was to replicate a scenario that would be seen by a SOC or Security Analyst.<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">This was my first time getting hands-on with Wazuh&#8217;s security platform, which has helped many organizations with log data analysis, endpoint detection and response, file integrity monitoring, compliance monitoring, and much more.<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">In this lab, I set up a File Integrity monitoring use case, as it&#8217;s essential for securing a system. 
Some important factors are:<\/mark><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Unauthorized Changes Detection<\/mark><\/li>\n\n\n\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Compliance Requirements<\/mark><\/li>\n\n\n\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Insider Threat Mitigation<\/mark><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">After downloading the Wazuh OVA file and loading it into the VM, the most important task in the configuration was changing the network settings to Bridge mode so my host device could access it directly.<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Following the login process, I ran ifconfig to get the IP address of the server, which I then entered into the browser.<\/mark><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"781\" height=\"383\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/wazuh-vm-config.png\" alt=\"\" class=\"wp-image-137\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/wazuh-vm-config.png 781w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/wazuh-vm-config-300x147.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/wazuh-vm-config-768x377.png 768w\" sizes=\"auto, (max-width: 781px) 100vw, 781px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"540\" 
src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Screenshot-2024-03-13-203043-1024x540.png\" alt=\"\" class=\"wp-image-143\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Screenshot-2024-03-13-203043-1024x540.png 1024w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Screenshot-2024-03-13-203043-300x158.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Screenshot-2024-03-13-203043-768x405.png 768w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Screenshot-2024-03-13-203043-1536x809.png 1536w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Screenshot-2024-03-13-203043-720x380.png 720w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Screenshot-2024-03-13-203043.png 1909w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">As you can see, the server is running so I entered the platform to begin setting up my first agent. The next steps included basic installation such as naming, address matching, and OS of choice. 
The following PowerShell script and command start the Wazuh service.<\/mark><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"246\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Step-2-Install-Wazuh-Agent-on-Windows-1024x246.png\" alt=\"\" class=\"wp-image-136\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Step-2-Install-Wazuh-Agent-on-Windows-1024x246.png 1024w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Step-2-Install-Wazuh-Agent-on-Windows-300x72.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Step-2-Install-Wazuh-Agent-on-Windows-768x185.png 768w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Step-2-Install-Wazuh-Agent-on-Windows.png 1102w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">As seen below, my new Windows agent is running.<\/mark><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"383\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/image.png\" alt=\"\" class=\"wp-image-139\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/image.png 1024w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/image-300x112.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/image-768x287.png 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Now to the final step of 
enabling File Integrity monitoring, I found that it is enabled by default. This is seen in the ossec configuration file, where the File Integrity monitoring section shows &#8216;no&#8217; (meaning it is not disabled), so the monitoring is enabled.<\/mark><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"292\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/enable-file-integ-ossex-1024x292.png\" alt=\"\" class=\"wp-image-140\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/enable-file-integ-ossex-1024x292.png 1024w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/enable-file-integ-ossex-300x86.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/enable-file-integ-ossex-768x219.png 768w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/enable-file-integ-ossex-1536x439.png 1536w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/enable-file-integ-ossex.png 1565w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">I chose to monitor any actions in the System32 folder, considering its importance. The System32 folder holds important system files, dynamic link libraries, and executables that the Windows operating system needs to work properly.<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">For example, when malware gets into a system, it tries to set up persistence so it can stay active without being found. The malware changes or removes files in System32, and 
malware creators make their programs look like part of the system so they go unnoticed.<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">I added the temp folder in the &lt;directories&gt; tag, highlighted below.<\/mark><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"366\" src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Temp-folder-add-1-1024x366.png\" alt=\"\" class=\"wp-image-158\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Temp-folder-add-1-1024x366.png 1024w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Temp-folder-add-1-300x107.png 300w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Temp-folder-add-1-768x274.png 768w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Temp-folder-add-1-1536x548.png 1536w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Temp-folder-add-1.png 1630w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"410\" height=\"373\" 
src=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Wazuh-Agent-Manager.png\" alt=\"\" class=\"wp-image-142\" style=\"width:438px;height:auto\" srcset=\"https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Wazuh-Agent-Manager.png 410w, https:\/\/shaynepatelcybersecurityportfolio.online\/wp-content\/uploads\/2024\/03\/Wazuh-Agent-Manager-300x273.png 300w\" sizes=\"auto, (max-width: 410px) 100vw, 410px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Now, whenever files in the monitored folders are created or changed, an alert is generated in real time in the Security Alerts dashboard on the Wazuh platform. I will look into creating other rules based on scenarios, but this was an interesting and useful lab for simulating a defensive role.<\/mark><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">Thanks for following along!<\/mark><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this Home-Lab setup, I go through the tasks to set up a Wazuh platform, onboard the Windows agent, and implement a File Integrity monitoring use case. My goal was to replicate a scenario that would be seen by a SOC or Security Analyst. 
This was my first time getting hands-on with Wazuh&#8217;s security platform [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-135","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=135"}],"version-history":[{"count":6,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/135\/revisions"}],"predecessor-version":[{"id":160,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=\/wp\/v2\/posts\/135\/revisions\/160"}],"wp:attachment":[{"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shaynepatelcybersecurityportfolio.online\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}