wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Support new OSs - Windows 11 24H2 - Test agent package #23861

Closed jotacarma90 closed 2 months ago

jotacarma90 commented 3 months ago

Description

Weekly OS check issue: https://github.com/wazuh/wazuh/issues/23838
Epic issue to check Windows 11 24H2: https://github.com/wazuh/wazuh/issues/23859

| Agent support | Agent tier | Central components support | OS type |
|---|---|---|---|
| Yes | 1 | No | Minor |

Requested testing code: :white_circle: Requested. :black_circle: Not requested.

Result code: :green_circle: Completed: Test finished with success. :red_circle: Completed with failures. :yellow_circle: Completed with known issues.

| Requested checks by tier | Tier 1 | Tier 2 | Tier 3 | Result |
|---|---|---|---|---|
| Log collection - System events | :white_circle: | :white_circle: | :white_circle: | :green_circle: |
| Log collection - Log files | :white_circle: | :white_circle: | :white_circle: | :green_circle: |
| Log collection - Command execution | :white_circle: | :white_circle: | :white_circle: | :green_circle: |
| FIM - Scheduled | :white_circle: | :white_circle: | :white_circle: | :green_circle: |
| FIM - Realtime | :white_circle: | :black_circle: | :black_circle: | :green_circle: |
| FIM - Whodata | :white_circle: | :black_circle: | :black_circle: | :green_circle: |
| SCA | :white_circle: | :white_circle: | :black_circle: | :green_circle: |
| Inventory | :white_circle: | :white_circle: | :white_circle: | :green_circle: |
| Active response | :white_circle: | :white_circle: | :black_circle: | :green_circle: |
| Remote upgrade | :white_circle: | :black_circle: | :black_circle: | :green_circle: |
| Command monitoring | :white_circle: | :white_circle: | :black_circle: | :green_circle: |
| Wodles | :white_circle: | :black_circle: | :black_circle: | :green_circle: |

mjcr99 commented 3 months ago

Hi team,

I have been trying to test this Windows version. I have managed to download the required ISO image with no problems, but it seems that it's not currently supported by VirtualBox.

I have been researching and trying the solutions proposed in this VirtualBox forum thread, enabling 3D acceleration and changing the chipset used.

No solution has proved valid for this case and the VM keeps hanging while booting. In the thread, it seems that some people have managed to virtualize the mentioned ISO, but looking at the VirtualBox documentation, it explicitly says that VirtualBox does not support Windows 11 Insider preview builds.

VirtualBox Manual, see page 69.

vikman90 commented 3 months ago

This issue is blocked by:

(ETA June 20th)

lchico commented 2 months ago

Testing

:green_circle: Agent package install (enrollment and connectivity with the manager)

OS information

```console
PS C:\WINDOWS\system32> systeminfo

Host Name:                 WINDOWS-11-24H2
OS Name:                   Microsoft Windows 11 Pro for Workstations
OS Version:                10.0.26100 N/A Build 26100
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          jenkins
Registered Organization:   N/A
Product ID:                00391-70000-00000-AA741
Original Install Date:     6/14/2024, 6:20:57 AM
System Boot Time:          6/18/2024, 6:51:31 AM
System Manufacturer:       Amazon EC2
System Model:              c5ad.xlarge
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2800 Mhz
BIOS Version:              Amazon EC2 1.0, 10/16/2017
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     8,070 MB
Available Physical Memory: 4,389 MB
Virtual Memory: Max Size:  9,990 MB
Virtual Memory: Available: 6,389 MB
Virtual Memory: In Use:    3,601 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\WINDOWS-11-24H2
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5037589
                           [02]: KB5039239
                           [03]: KB5039332
Network Card(s):           1 NIC(s) Installed.
                           [01]: Amazon Elastic Network Adapter
                                 Connection Name: Ethernet 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     172.31.80.1
                                 IP address(es)
                                 [01]: 172.31.93.150
                                 [02]: fe80::f06d:8f24:df2e:234f
Virtualization-based security: Status: Not enabled
                           App Control for Business policy: Enforced
                           App Control for Business user mode policy: Off
                           Security Features Enabled:
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```
Download the Windows installer

Using the browser: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.5-1.msi, and installed using the [GUI](https://documentation.wazuh.com/4.7/installation-guide/wazuh-agent/wazuh-agent-package-windows.html).

```console
# Start Wazuh-agent, run this command on powershell as administrator.
NET START Wazuh
```
Agent enrollment and connection

```powershell
# Get-Content "C:\Program Files (x86)\ossec-agent\ossec.log" |Select-String -Pattern "Connected to the server" -Context 8,1
  2024/06/25 06:55:52 wazuh-agent: INFO: Using agent name as: windows-11-24H2
  2024/06/25 06:55:52 wazuh-agent: INFO: Waiting for server reply
  2024/06/25 06:55:52 wazuh-agent: INFO: Valid key received
> 2024/06/25 06:55:52 wazuh-agent: INFO: Waiting 20 seconds before server connection
  2024/06/25 06:56:12 wazuh-agent: INFO: (1410): Reading authentication keys file.
  2024/06/25 06:56:12 wazuh-agent: INFO: Using AES as encryption method.
> 2024/06/25 06:56:12 wazuh-agent: INFO: Trying to connect to server ([xx.xxx.xx.x]:1514/tcp).
> 2024/06/25 06:56:12 wazuh-agent: INFO: (4102): Connected to the server ([xx.xxx.xx.x]:1514/tcp).
  2024/06/25 06:56:12 sca: INFO: Module started.
```

:green_circle: Upgrade using WPK

Result

```bash
[root@wazuh-server wazuh-user]# /var/ossec/bin/agent_upgrade -a 005
Upgrading...
Upgraded agents:
        Agent 005 upgraded: Wazuh v4.7.5 -> Wazuh v4.8.0
```

:green_circle: Log files

Configuration

The following configuration is tested:

```xml
<!-- XML element names were stripped when the page was rendered; the block is
     reconstructed here from the two remaining values (a localfile location and
     its log_format). -->
<localfile>
  <location>C:\test\file.log</location>
  <log_format>syslog</log_format>
</localfile>
```

Test

```powershell
> Restart-Service -Name wazuh
# Generate an alert reducing the size of the file
> echo "Jun 26 15:39:00 anotherprogram[5678] warning: Potential security issue detected" > C:\test\file.log
```

Result

In the ossec.log from the agent we can see:

```log
> 2024/06/25 10:56:48 wazuh-agent: INFO: (1950): Analyzing file: 'C:\test\file.log'.
```

In the alert.log from the server we can see:

```log
** Alert 1719338996.5421214: - ossec,attacks,pci_dss_10.5.2,pci_dss_11.4,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.9,nist_800_53_SI.4,tsc_CC6.1,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,
2024 Jun 25 18:09:56 (windows-11-24H2) any->logcollector
Rule: 592 (level 8) -> 'Log file size reduced.'
ossec: File size reduced (inode remained): 'C:\test\file.log'.
```

:green_circle: System events

Test

Try logging into the agent with the **user non_exist_user** using Remmina.

![Screenshot from 2024-06-25 15-24-47](https://github.com/wazuh/wazuh/assets/21695385/ba2688c9-3938-4b64-895a-01a4e9db7830)

Result

The following alert is generated in the server:

```
** Alert 1719339817.5501665: - windows,windows_security,authentication_failed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 Jun 25 18:23:37 (windows-11-24H2) any->EventChannel
Rule: 60122 (level 5) -> 'Logon failure - Unknown user or bad password.'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2024-06-25T18:23:21.3175729Z","eventRecordID":"16591","processID":"840","threadID":"9800","channel":"Security","computer":"windows-11-24H2","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tno_exist_user\r\n\tAccount Domain:\t\t-\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC0000064\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x0\r\n\tCaller Process Name:\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tsaulo\r\n\tSource Network Address:\t181.116.200.217\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-0-0","targetUserName":"no_exist_user","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc0000064","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"saulo","keyLength":"0","processId":"0x0","ipAddress":"181.116.200.217","ipPort":"0"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d}
win.system.eventID: 4625
win.system.version: 0
win.system.level: 0
win.system.task: 12544
win.system.opcode: 0
win.system.keywords: 0x8010000000000000
win.system.systemTime: 2024-06-25T18:23:21.3175729Z
win.system.eventRecordID: 16591
win.system.processID: 840
win.system.threadID: 9800
win.system.channel: Security
win.system.computer: windows-11-24H2
win.system.severityValue: AUDIT_FAILURE
win.system.message: "An account failed to log on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       no_exist_user
    Account Domain:     -

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC0000064

Process Information:
    Caller Process ID:  0x0
    Caller Process Name: -

Network Information:
    Workstation Name:   saulo
    Source Network Address: 181.116.200.217
    Source Port:        0

Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
win.eventdata.subjectUserSid: S-1-0-0
win.eventdata.subjectLogonId: 0x0
win.eventdata.targetUserSid: S-1-0-0
win.eventdata.targetUserName: no_exist_user
win.eventdata.status: 0xc000006d
win.eventdata.failureReason: %%2313
win.eventdata.subStatus: 0xc0000064
win.eventdata.logonType: 3
win.eventdata.logonProcessName: NtLmSsp
win.eventdata.authenticationPackageName: NTLM
win.eventdata.workstationName: saulo
win.eventdata.keyLength: 0
win.eventdata.processId: 0x0
win.eventdata.ipAddress: 181.116.200.217
win.eventdata.ipPort: 0
```

:green_circle: Command execution

Test

Add user:

```powershell
# This command attempts to add a new user
net user test_command /add
```

Result

The following alert is generated in the server:

```
** Alert 1719341244.5716354: - windows,windows_security,account_changed,adduser,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.10,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_AC.7,nist_800_53_AU.14,nist_800_53_IA.4,pci_dss_10.2.5,pci_dss_8.1.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 Jun 25 18:47:24 (windows-11-24H2) any->EventChannel
Rule: 60109 (level 8) -> 'User account enabled or created.'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4722","version":"0","level":"0","task":"13824","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-06-25T18:47:08.1795198Z","eventRecordID":"16626","processID":"840","threadID":"1160","channel":"Security","computer":"windows-11-24H2","severityValue":"AUDIT_SUCCESS","message":"\"A user account was enabled.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-4282740826-343319856-4121932412-1002\r\n\tAccount Name:\t\twazuh-user\r\n\tAccount Domain:\t\twindows-11-24H2\r\n\tLogon ID:\t\t0x2E9323C\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\tS-1-5-21-4282740826-343319856-4121932412-1004\r\n\tAccount Name:\t\ttest_command\r\n\tAccount Domain:\t\twindows-11-24H2\""},"eventdata":{"targetUserName":"test_command","targetDomainName":"windows-11-24H2","targetSid":"S-1-5-21-4282740826-343319856-4121932412-1004","subjectUserSid":"S-1-5-21-4282740826-343319856-4121932412-1002","subjectUserName":"wazuh-user","subjectDomainName":"windows-11-24H2","subjectLogonId":"0x2e9323c"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d}
win.system.eventID: 4722
win.system.version: 0
win.system.level: 0
win.system.task: 13824
win.system.opcode: 0
win.system.keywords: 0x8020000000000000
win.system.systemTime: 2024-06-25T18:47:08.1795198Z
win.system.eventRecordID: 16626
win.system.processID: 840
win.system.threadID: 1160
win.system.channel: Security
win.system.computer: windows-11-24H2
win.system.severityValue: AUDIT_SUCCESS
win.system.message: "A user account was enabled.

Subject:
    Security ID:        S-1-5-21-4282740826-343319856-4121932412-1002
    Account Name:       wazuh-user
    Account Domain:     windows-11-24H2
    Logon ID:           0x2E9323C

Target Account:
    Security ID:        S-1-5-21-4282740826-343319856-4121932412-1004
    Account Name:       test_command
    Account Domain:     windows-11-24H2"
win.eventdata.targetUserName: test_command
win.eventdata.targetDomainName: windows-11-24H2
win.eventdata.targetSid: S-1-5-21-4282740826-343319856-4121932412-1004
win.eventdata.subjectUserSid: S-1-5-21-4282740826-343319856-4121932412-1002
win.eventdata.subjectUserName: wazuh-user
win.eventdata.subjectDomainName: windows-11-24H2
win.eventdata.subjectLogonId: 0x2e9323c
```

:green_circle: Command monitoring

Configuration

The following configuration block is added to the agent:

```xml
<!-- XML element names were stripped when the page was rendered; reconstructed
     from the remaining values (a full_command localfile with its command,
     alias and frequency). -->
<localfile>
  <log_format>full_command</log_format>
  <command>PowerShell.exe echo 10</command>
  <alias>memory_utilization</alias>
  <frequency>10</frequency>
</localfile>
```

The following custom rule is added in the manager's `/var/ossec/etc/rules/local_rules.xml` file:

```xml
<!-- Element names were stripped when the page was rendered; the group name,
     rule id and level are taken from the alert this rule produced (below),
     the parent sid, match and description from the remaining values. -->
<group name="memory_utilization,">
  <rule id="100012" level="6">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'memory_utilization'</match>
    <description>Memory utilization metric.</description>
  </rule>
</group>
```

Result

The server and agent are restarted. After this, the following alert is generated in the server:

```
** Alert 1719342857.5909461: - memory_utilization,
2024 Jun 25 19:14:17 (windows-11-24H2) any->memory_utilization
Rule: 100012 (level 6) -> 'Memory utilization metric.'
ossec: output: 'memory_utilization': 10
```

:green_circle: SCA support

Manager log:

```
** Alert 1719323840.2080515: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
2024 Jun 25 13:57:20 (windows-11-24H2) any->sca
Rule: 19004 (level 7) -> 'SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Score less than 50% (32)'
{"type":"summary","scan_id":2009092072,"name":"CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0","policy_id":"cis_win11_enterprise_21H2","file":"cis_win11_enterprise.yml","description":"This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11.","references":"https://www.cisecurity.org/cis-benchmarks/","passed":124,"failed":263,"invalid":8,"total_checks":395,"score":32.041343688964844,"start_time":1719323784,"end_time":1719323791,"hash":"55902faec776b99b00bc360eda9fee1b2d61e14fbbff4a4e128afa7fa0bb1ba1","hash_file":"6f622df67164c0755571947cf9fc4cfdd2e18cae1b5268567595e259ed30bfdb","force_alert":"1","force_alert":"1"}
sca.type: summary
sca.scan_id: 2009092072
sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
sca.description: This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11.
sca.policy_id: cis_win11_enterprise_21H2
sca.passed: 124
sca.failed: 263
sca.invalid: 8
sca.total_checks: 395
sca.score: 32
sca.file: cis_win11_enterprise.yml
```

:green_circle: FIM scheduled

Agent configuration

The following configuration is added in the syscheck block of the 'ossec.conf':

```xml
<!-- Element names were stripped when the page was rendered. Two values remain,
     a scan frequency of 4 and the monitored directory, so this form is an
     assumption. -->
<frequency>4</frequency>
<directories>c:\test\scheduled</directories>
```

Then restart wazuh-agent.

Test

```powershell
# Adds test_scheduled file
mkdir -p c:\test\scheduled
echo "Testing" > c:\test\scheduled\test_scheduled
```

Result

```log
** Alert 1719355719.7114404: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 Jun 25 22:48:39 (windows-11-24H2) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File 'c:\test\scheduled\test_scheduled' added
Mode: scheduled

Attributes:
 - Size: 20
 - Permissions: Administrators (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, SYSTEM (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, Authenticated Users (allowed): DELETE|READ_CONTROL|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, Users (allowed): READ_CONTROL|SYNCHRONIZE|READ_DATA|READ_EA|EXECUTE|READ_ATTRIBUTES
 - Date: Tue Jun 25 22:48:20 2024
 - Inode: 0
 - User: Administrators (S-1-5-32-544)
 - MD5: 1d2e76720b4907d25515ecb202a4125b
 - SHA1: 2e74a02a18c9c7d406bcab8e98789b085a2d146c
 - SHA256: 0ce6545e815f2fec5184986438abcb743968e81f9b5dbfaee388ef7f876fafc5
 - File attributes: ARCHIVE
```

:green_circle: FIM Real-time

Configuration on the agent

```xml
<!-- Element names were stripped when the page was rendered; reconstructed as
     the syscheck directories entry for a real-time monitored folder. -->
<directories realtime="yes">c:\test\realtime</directories>
```

To generate the alert run:

```powershell
mkdir -p c:\test\realtime
echo "Testing" > c:\test\realtime\test_real_time
```

Result

```log
** Alert 1719355314.7068253: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 Jun 25 22:41:54 (windows-11-24H2) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File 'c:\test\realtime\test_real_time' added
Mode: realtime

Attributes:
 - Size: 20
 - Permissions: Administrators (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, SYSTEM (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, Authenticated Users (allowed): DELETE|READ_CONTROL|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, Users (allowed): READ_CONTROL|SYNCHRONIZE|READ_DATA|READ_EA|EXECUTE|READ_ATTRIBUTES
 - Date: Tue Jun 25 22:41:39 2024
 - Inode: 0
 - User: Administrators (S-1-5-32-544)
 - MD5: 1d2e76720b4907d25515ecb202a4125b
 - SHA1: 2e74a02a18c9c7d406bcab8e98789b085a2d146c
 - SHA256: 0ce6545e815f2fec5184986438abcb743968e81f9b5dbfaee388ef7f876fafc5
 - File attributes: ARCHIVE
```

:green_circle: FIM Whodata

Configuration

```powershell
mkdir -p c:\test\whodata
echo "Testing" > c:\test\whodata\test_whodata
```

Configuration on the agent

I configured the Local Audit Policies:

![Screenshot from 2024-06-25 20-19-54](https://github.com/wazuh/wazuh/assets/21695385/a0dd8cb4-65ab-48ed-9ffc-81ff61404132)

```xml
<!-- Element names were stripped when the page was rendered; reconstructed as
     the syscheck directories entry for a who-data monitored folder. -->
<directories whodata="yes">c:\test\whodata</directories>
```

Alerts

```log
** Alert 1719357334.7339501: - ossec,syscheck,syscheck_entry_modified,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 Jun 25 23:15:34 (windows-11-24H2) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File 'c:\test\whodata\test_whodata' modified
Mode: whodata
Changed attributes: mtime
Old modification time was: '1719357276', now it is '1719357318'

Attributes:
 - Size: 20
 - Permissions: Administrators (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, SYSTEM (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, Authenticated Users (allowed): DELETE|READ_CONTROL|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, Users (allowed): READ_CONTROL|SYNCHRONIZE|READ_DATA|READ_EA|EXECUTE|READ_ATTRIBUTES
 - Date: Tue Jun 25 23:15:18 2024
 - Inode: 0
 - User: Administrators (S-1-5-32-544)
 - MD5: 1d2e76720b4907d25515ecb202a4125b
 - SHA1: 2e74a02a18c9c7d406bcab8e98789b085a2d146c
 - SHA256: 0ce6545e815f2fec5184986438abcb743968e81f9b5dbfaee388ef7f876fafc5
 - File attributes: ARCHIVE
 - (Audit) User name: wazuh-user
 - (Audit) Process id: 10792
 - (Audit) Process name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
```

:green_circle: Active response

Manager configuration:

```xml
<!-- Element names were stripped when the page was rendered; reconstructed from
     the remaining values in order (disabled, command, location, agent_id, level). -->
<active-response>
  <disabled>no</disabled>
  <command>restart-wazuh</command>
  <location>defined-agent</location>
  <agent_id>005</agent_id>
  <level>7</level>
</active-response>
```

Result:

```log
2024/06/25 16:23:03 active-response/bin/restart-wazuh.exe: Starting
2024/06/25 16:23:03 active-response/bin/restart-wazuh.exe: {"version":1,"origin":{"name":"node01","module":"wazuh-execd"},"command":"add","parameters":{"extra_args":[],"alert":{"timestamp":"2024-06-25T23:23:18.656+0000","rule":{"level":8,"description":"Windows audit policy changed.","id":"60112","firedtimes":7,"mail":false,"groups":["windows","windows_security","policy_changed"],"gdpr":["IV_35.7.d"],"gpg13":["10.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"pci_dss":["10.6.1"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"005","name":"windows-11-24H2","ip":"172.31.93.150"},"manager":{"name":"wazuh-server"},"id":"1719357798.7400397","decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4719","version":"1","level":"0","task":"13568","opcode":"0","keywords":"0x8020000000000000","systemTime":"2024-06-25T23:23:02.3882694Z","eventRecordID":"17143","processID":"840","threadID":"6828","channel":"Security","computer":"windows-11-24H2","severityValue":"AUDIT_SUCCESS","message":"\"System audit policy was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWINDOWS-11-24H2$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAudit Policy Change:\r\n\tCategory:\t\tObject Access\r\n\tSubcategory:\t\tFile System\r\n\tSubcategory GUID:\t{0cce921d-69ae-11d9-bed3-505054503030}\r\n\tChanges:\t\tSuccess Added\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"WINDOWS-11-24H2$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","categoryId":"%%8274","subcategoryId":"%%12800","subcategoryGuid":"{0cce921d-69ae-11d9-bed3-505054503030}","auditPolicyChangesId":"%%8449","clientProcessId":"8984","clientProcessStartKey":"1970324836984260","category":"Object Access","subcategory":"File System","auditPolicyChanges":"Success added"}}},"location":"EventChannel"},"program":"active-response/bin/restart-wazuh.exe"}}
2024/06/25 16:23:05 active-response/bin/restart-wazuh.exe: Ended
```

:green_circle: Inventory

Script to get the first 5 rows of each table

I copy the local.db file to my Linux machine and run this script:

```bash
#!/bin/bash
db_path="/db_path/local.db"

for table in $(sqlite3 "$db_path" ".tables"); do
  echo
  echo "Local agent db: $table"
  echo
  TMP_FILE=$(mktemp)
  # Execute the query and store output in temporary file
  sqlite3 "$db_path" ".headers on" "select * from $table" | head -n5 > "$TMP_FILE"
  # Check if query execution was successful. $? would only report head's status
  # (the last command of the pipeline), so check sqlite3's own exit code instead.
  if [[ ${PIPESTATUS[0]} -ne 0 ]]; then
    echo "Error executing query!"
    exit 1
  fi
  # Build markdown table header (sqlite3 separates columns with '|' by default)
  HEADER_ROW=$(head -n 1 "$TMP_FILE" | tr ',' '\t')
  echo "| ${HEADER_ROW// /|} |"
  max_col=$(tr -cd '|' <<< "$HEADER_ROW" | wc -c)
  for i in $(seq 0 "$max_col"); do echo -n "|---"; done ; echo "|"
  # Build markdown table body with separators
  tail -n +2 "$TMP_FILE" | tr ',' '\t' | while IFS= read -r line; do
    echo "| $line |"
  done
  # Clean up temporary file
  rm "$TMP_FILE"
done
```
Inventory

Local agent db: dbsync_hotfixes

| hotfix|checksum|db_status_field_dm |
|---|---|---|
| KB2468871|8f99821b9e79bc2258cb56cd14cfcaf9bbeda8e5|1 |
| KB2478063|8511235ae3ab3b642d8ba429599092634fdde3a8|1 |
| KB2533523|b8c4cb9a2aeb6a64269e88f6116765420a65cd80|1 |
| KB2544514|8e468309f00c0f31b8a0f12a6a79d2658652e9e9|1 |

Local agent db: dbsync_network_iface

| name|adapter|type|state|mtu|mac|tx_packets|rx_packets|tx_bytes|rx_bytes|tx_errors|rx_errors|tx_dropped|rx_dropped|checksum|item_id|db_status_field_dm |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Ethernet 2|Amazon Elastic Network Adapter #2|ethernet|up|1500|12:ad:96:1d:a7:eb|580242|951868|154290291|667708543|0|0|0|0|a50d81c7b8040f589fc07d671c41e3826c76add1|f6487f0368b3dd981b823ba4ec43d93b2d410e25|1 |
| Loopback Pseudo-Interface 1|Software Loopback Interface 1| |up|-1|00:00:00:00:00:00|0|0|0|0|0|0|0|0|e4a92faeea2613dab29a772ec7f3540be951b478|56e07d1bb3aeca5febd3a26616defa115f6a881b|1 |

Local agent db: dbsync_packages

| name|version|vendor|install_time|location|architecture|groups|description|size|priority|multiarch|source|format|checksum|item_id|db_status_field_dm |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Amazon EC2Launch|2.0.1924.0|Amazon Web Services|2024/06/14 20:08:07| |x86_64| | |0| || |win|15fca6263fc5120f4c6f54d1a111005a22713fef|6782cf9812102339eb93f4e2f60819067046f621|1 |
| Amazon SSM Agent|3.3.484.0|Amazon Web Services|2024/06/14 20:08:30| |x86_64| | |0| || |win|5b6fc083a38aacfd02ff8712417f03571eff10fc|b22011a9b3eb483317056eea4b2ee037834ffd97|1 |
| Cross Device Experience Host|0.24052.57.0|Microsoft Windows| |C:\Program Files\WindowsApps\MicrosoftWindows.CrossDevice_0.24052.57.0_x64__cw5n1h2txyewy|x86_64| | |0| || |win|a10cce855b47d1f2835cab3f6117297273d63259|5eb67de57cc1361a0c5949defe4129653e17e6c4|1 |
| Feedback Hub|1.2405.21481.0|Microsoft Corporation| |C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2405.21481.0_x64__8wekyb3d8bbwe|x86_64| | |0| || |win|b74882a85ea63f71ac9383b2d9b16e046b181bdb|dc1d181e8a12fed2064ccd1ba77c43e13168482d|1 |

Local agent db: dbsync_hwinfo

| board_serial|cpu_name|cpu_cores|cpu_mhz|ram_total|ram_free|ram_usage|checksum|db_status_field_dm |
|---|---|---|---|---|---|---|---|---|
| Amazon EC2|AMD EPYC 7R32|4|2800.0|8263724|4551208|44|991f4bcfd739bcd7d4675fb6c4d2ed7ce85ff914|1 |

Local agent db: dbsync_network_protocol

| iface|type|gateway|dhcp|metric|checksum|item_id|db_status_field_dm |
|---|---|---|---|---|---|---|---|
| Ethernet 2|ipv4|172.31.80.1|enabled|15|4a97d7e4de9984fb46b47f67a9f7d3fc3211235a|92245c06b5120c62174799e7f531d4df81619672|1 |
| Ethernet 2|ipv6|172.31.80.1|enabled|15|df9b6a1a5c04797fb2c5981db06ccc3466994d30|65cba16a628b8d44376edad047917e02b4ce2934|1 |
| Loopback Pseudo-Interface 1|ipv4| |disabled|75|d6a282416a91025410b99ad096fd1b7cc41a498d|833209683780c3388298c23e5826678311bd72a1|1 |
| Loopback Pseudo-Interface 1|ipv6| |disabled|75|7861a05d95490060f2366cd171d34ce7f58daba4|dce561a4dc90d98deddfd902bfc3c0e7988f7b56|1 |

Local agent db: dbsync_ports

| protocol|local_ip|local_port|remote_ip|remote_port|tx_queue|rx_queue|inode|state|pid|process|checksum|item_id|db_status_field_dm |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| tcp|0.0.0.0|135|0.0.0.0|0|0|0|0|listening|688|svchost.exe|a5243c258243abcb449f6d77c2df9ae287adb781|bbbbf17f188ec1927cd6da2bcdd41506ae3f829e|1 |
| tcp|0.0.0.0|445|0.0.0.0|0|0|0|0|listening|4|System|481fa26d857363b78f4f3f586816a2bca324560a|120ef3368b130c7432e4ee29d7ae502fb6767d10|1 |
| tcp|0.0.0.0|2200|0.0.0.0|0|0|0|0|listening|3204|sshd.exe|3e27d25ba4989e83afcc5e80148b4500a40fdf94|54ca8ec19e74a2c2c727814c7ead0fcda4501860|1 |
| tcp|0.0.0.0|3389|0.0.0.0|0|0|0|0|listening|1076|svchost.exe|10a120896c13213f6ca1e1406ea2261ca674aef5|a53cb3cb984259836f56c86147b4b3dbf7da2e21|1 |

Local agent db: dbsync_network_address

| iface|proto|address|netmask|broadcast|checksum|item_id|db_status_field_dm |
|---|---|---|---|---|---|---|---|
| Ethernet 2|0|172.31.93.150|255.255.240.0|172.31.95.255|e9687c4519d92fd45cd82eb1fe3ede4236cb0a17|69f6008f6d5bd794de26ac01ab66bfa708c33add|1 |
| Ethernet 2|1|fe80::f06d:8f24:df2e:234f|ffff:ffff:ffff:ffff::| |c2d59418286fc744348847bdcd7f4e5f9b269c23|bf8f523de82fb80f3ceb0b26535462583b72d9c9|1 |
| Loopback Pseudo-Interface 1|0|127.0.0.1|255.0.0.0|127.255.255.255|2e5cd3256e1553d8dbb8d176563d964fc654a2a9|976387d31be037d781b9ff2285b6f44fd28b0650|1 |
| Loopback Pseudo-Interface 1|1|::1|| |fa94c2aa68c8820fe69ba72c5ed91ac0fa9428f9|55604a20b704e491c9afb7320962fe4a0d9d6288|1 |

Local agent db: dbsync_osinfo

| hostname|architecture|os_name|os_version|os_codename|os_major|os_minor|os_patch|os_build|os_platform|sysname|release|version|os_release|os_display_version|checksum|db_status_field_dm |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WINDOWS-11-24H2|x86_64|Microsoft Windows 11 Pro for Workstations|10.0.26100.863||10|0||26100.863|windows||||2009|24H2|1719418550348651400|1 |

Local agent db: dbsync_processes

| pid|name|state|ppid|utime|stime|cmd|argvs|euser|ruser|suser|egroup|rgroup|sgroup|fgroup|priority|nice|size|vm_size|resident|share|start_time|pgrp|session|nlwp|tgid|tty|processor|checksum|db_status_field_dm |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10004|msedge.exe||2528|42|41|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|||||||||8||89382912|298545152|||1719320681||2|54||||3d9abd4d33d3659b2327325710f566f113c4fef2|1 |
| 1004|fontdrvhost.exe||676|0|0|C:\Windows\System32\fontdrvhost.exe|||||||||8||1810432|7368704|||1718718694||0|5||||ad5d726c0ef6bc94bdb5f676dccf4be8a2e45b39|1 |
| 1008|fontdrvhost.exe||740|0|0|C:\Windows\System32\fontdrvhost.exe|||||||||8||1662976|6955008|||1718718694||1|5||||b0778d3b5edf03760f6dfbc18cef1f6982aaa74d|1 |
| 10208|msedge.exe||10004|0|0|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|||||||||8||2273280|11984896|||1719320683||2|9||||2990b3610390f4d4a7d18b62459d3d454c462433|1 |

:green_circle: Wodles

Testing the command wodle, which allows agents to execute commands and send custom messages to the manager. This configuration demonstrates how to create a wodle that executes a script and generates a syslog message for testing purposes. This configuration is based on this documentation with some modifications.

Configuration

1. Add the following script to `c:\test\script.bat`:

```bat
@echo off
echo Jun 6 11:31:41 Windows su[2936]: pam_unix(su:session): session opened for user root(uid=0) by testing(uid=0).TESTING WODLE
```

2. From the agent, add the following code to the `ossec.conf` file:

```xml
<!-- Element names were stripped when the page was rendered; reconstructed from
     the remaining values in order (disabled, tag, command, interval,
     ignore_output, run_on_start, timeout) of a command wodle. -->
<wodle name="command">
  <disabled>no</disabled>
  <tag>test</tag>
  <command>PowerShell.exe c:\test\script.bat</command>
  <interval>1m</interval>
  <ignore_output>no</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>
```

Result

This configuration will generate the following alert on the server every minute:

```log
** Alert 1719359692.7772740: - pam,syslog,authentication_success,pci_dss_10.2.5,gpg13_7.8,gpg13_7.9,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2024 Jun 25 23:54:52 (windows-11-24H2) any->command_test
Rule: 5501 (level 3) -> 'PAM: Login session opened.'
User: root(uid=0)
Jun 6 11:31:41 Windows su[2936]: pam_unix(su:session): session opened for user root(uid=0) by testing(uid=0).TESTING WODLE
uid: 0
```

**Note:** This wodle should be disabled after the test to avoid excessive alerts.
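Every result above is verified by reading `alerts.log` by eye: a `** Alert` header with the alert id and rule groups, an origin line with timestamp, agent and location, a `Rule:` line, then the log body (plain text for logcollector and syscheck, a JSON document for EventChannel and SCA). The parser below, an added example that is not part of this report or of the Wazuh code base, turns that text layout into records so the same checks (rule fired, level, failed-logon fields, SCA score arithmetic) can be scripted. The sample alerts are constructed to mirror the ones in the report, with the source address replaced by a documentation-range placeholder; the `Alert` record and the function names are this example's own.

```python
"""Parse Wazuh alerts.log text blocks and pull out the fields a reviewer checks.

Added example (not from the test report or the Wazuh code base). The sample
alerts are constructed in the same layout as the alerts quoted in the report;
the source IP is a documentation-range placeholder, not a real host.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_ALERTS = """\
** Alert 1719338996.5421214: - ossec,attacks,pci_dss_10.5.2,pci_dss_11.4,
2024 Jun 25 18:09:56 (windows-11-24H2) any->logcollector
Rule: 592 (level 8) -> 'Log file size reduced.'
ossec: File size reduced (inode remained): 'C:\\test\\file.log'.

** Alert 1719339817.5501665: - windows,windows_security,authentication_failed,
2024 Jun 25 18:23:37 (windows-11-24H2) any->EventChannel
Rule: 60122 (level 5) -> 'Logon failure - Unknown user or bad password.'
{"win":{"system":{"eventID":"4625","channel":"Security"},"eventdata":{"targetUserName":"no_exist_user","logonType":"3","ipAddress":"203.0.113.10","status":"0xc000006d"}}}

** Alert 1719323840.2080515: - sca,gdpr_IV_35.7.d,pci_dss_2.2,
2024 Jun 25 13:57:20 (windows-11-24H2) any->sca
Rule: 19004 (level 7) -> 'SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Score less than 50% (32)'
{"type":"summary","passed":124,"failed":263,"invalid":8,"total_checks":395,"score":32.041343688964844}
"""

# The three fixed lines that open every alert block.
HEADER_RE = re.compile(r"^\*\* Alert (?P<alert_id>[\d.]+): - (?P<groups>.*)$")
ORIGIN_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \((?P<agent>[^)]+)\) "
    r"(?P<src>\S+)->(?P<location>\S+)$"
)
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class Alert:
    alert_id: str
    groups: list
    timestamp: str
    agent: str
    location: str
    rule_id: int
    level: int
    description: str
    full_log: str
    data: Optional[dict]  # decoded JSON when the log body is a JSON document


def parse_alerts(text: str) -> list:
    """Split an alerts.log dump into Alert records (each block starts with '** Alert')."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.strip().splitlines()
        if len(lines) < 4:
            raise ValueError(f"truncated alert block: {lines[:1]}")
        header, origin, rule = (HEADER_RE.match(lines[0]),
                                ORIGIN_RE.match(lines[1]), RULE_RE.match(lines[2]))
        if not (header and origin and rule):
            raise ValueError(f"unrecognised alert layout: {lines[0]!r}")
        full_log = "\n".join(lines[3:])
        data = None
        if full_log.startswith("{"):
            try:
                data = json.loads(lines[3])
            except json.JSONDecodeError:
                data = None  # keep the raw text; not every '{' body is JSON
        alerts.append(Alert(
            alert_id=header["alert_id"],
            groups=[g for g in header["groups"].split(",") if g],  # drop trailing ''
            timestamp=origin["ts"], agent=origin["agent"], location=origin["location"],
            rule_id=int(rule["rule_id"]), level=int(rule["level"]),
            description=rule["desc"], full_log=full_log, data=data,
        ))
    return alerts


def failed_logons(alerts: list) -> list:
    """(user, source IP, logon type) for every Windows 4625 event in the batch."""
    out = []
    for a in alerts:
        win = (a.data or {}).get("win") or {}
        if win.get("system", {}).get("eventID") == "4625":
            ev = win.get("eventdata", {})
            out.append((ev.get("targetUserName"), ev.get("ipAddress"), ev.get("logonType")))
    return out


def by_min_level(alerts: list, level: int) -> list:
    """Alerts at or above a rule level (the usual triage cut-off)."""
    return [a for a in alerts if a.level >= level]


def sca_score_consistent(alert: Alert) -> bool:
    """Check an SCA summary: the reported score is passed/(passed+failed)*100,
    i.e. invalid checks are excluded (124/387 = 32.04 for the report's figures,
    whereas 124/395 would give 31.39)."""
    d = alert.data or {}
    if d.get("type") != "summary":
        return False
    scored = d["passed"] + d["failed"]
    return scored > 0 and round(100 * d["passed"] / scored, 2) == round(d["score"], 2)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.alert_id} rule={a.rule_id} level={a.level} {a.location}: {a.description}")
    print("failed logons:", failed_logons(parsed))
    print("SCA score consistent:", sca_score_consistent(parsed[2]))
```

The splitter keys on the `** Alert ` marker rather than on blank lines, so an alert whose body itself contains blank lines (the multi-line Windows event messages above) stays in one record.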
MarcelKemp commented 2 months ago

LGTM.