Building a Wazuh Lab from Scratch

In this writeup, I’ll be setting up a Wazuh server - an endpoint detection and response (EDR) tool that monitors devices for activity that could indicate a threat. I’ll be doing that in an Active Directory environment containing one Domain Controller and one client, both Windows Server 2019 virtual machines.
I went with an AD environment mainly because there aren't many tutorials or resources out there that show how to set this up in that context.
This guide assumes that the reader has basic experience working with virtual machines (VMs) and is familiar with general system administration tasks. If you're new to virtualization or to managing Windows and Linux environments, I recommend getting comfortable with those concepts before proceeding (or research them when you come across something new!).
Setting up the Lab.
I have used the following configuration for the VMs in a VirtualBox setup on a Linux host.
2x Windows Server 2019 (64-bit):
2048 MB memory, 60 GB storage, 128 MB video RAM - 1 host-only adapter, 1 NAT.
Install the VM here - choose the English 64-bit edition.
1x Wazuh all-in-one server:
4096 MB memory, 20 GB storage, 16 MB video RAM - 1 host-only adapter.
Install the Wazuh server here (Wazuh documentation site).
Once you have downloaded the ISO and OVA files, import them into VirtualBox or any virtualization tool of your choice with the configuration listed above, or anything that works on your PC without crashing. This matters because we are going to run three VMs at the same time, so I recommend a host with a minimum of 16 GB of RAM.
I ran into a virtualization issue - ‘kvm: failed to initialize KVM: Device or resource busy’ - which can be solved by unloading the KVM modules temporarily (until the next reboot):
sudo rmmod kvm_amd && sudo rmmod kvm
» Choose the Desktop experience for GUI.
» Wait for the install to get over.
Active directory setup
Now we have to set up the Active Directory environment, which is quite easy. If you don’t know much about AD, you can learn from this well written blog.
Creating the Domain controller (DC)
Now start both Windows virtual machines and set each one up with a local admin account.
Open Server Manager and click on “Add roles and features”.
Click Next until you reach the Server Roles section and tick Active Directory Domain Services.
Use the default settings for the remaining sections, click Install, and wait for the feature to be installed.
After the install, you will notice a notification flag in the top nav bar. Click on it; the first notification gives us the option to “Promote to Domain controller”, which is exactly what we want to do.
Choose the Create a new forest radio button and give a root domain name of your choice. Here, I gave mine as ‘redtrib3.in’, but it could be literally anything and doesn’t have to be a valid domain name.
For example: steelmountain.com
Now go through each step of the configuration wizard and set the DC password it asks for. Choose the default options for all steps, click Install and wait! Your server might restart.
You have successfully Promoted your Server to a DOMAIN CONTROLLER!
Adding a user to a Domain
Now that we have created a Domain Controller in our network, it’s time for us to add our first (and only) member to the domain. Spin up the other VM if you haven’t already.
Set the DNS (Important)
Point the client’s DNS server address to that of the Domain Controller. This is an important step because a DC also acts as the DNS server for the domain.
Get the DC’s IP by running ipconfig in the DC’s command prompt.
WIN + R > type ncpa.cpl > right click on the adapter and click Properties > double click Internet Protocol Version 4 (TCP/IPv4) > select ‘Use the following DNS server addresses’ and set it to the DC’s IP.
Press WIN + R and type ‘sysdm.cpl’ to open System Properties, then click the ‘Change’ button. Choose the Domain option and enter the domain to join (this is case-insensitive, but make sure there is no typo). Press OK, submit the domain admin credentials, and this VM will be part of the domain.
You have successfully joined the domain! If you run into problems, it’s probably related to DNS: make sure the DC IP is right and pingable from the client and vice versa. Make sure both VMs are using host-only network adapters, and also set a static IP on both VMs (just in case the fault is with VirtualBox’s DHCP server…).
Setting up Wazuh: Installing agents
Turn on the Wazuh all-in-one VM and set it up with a host-only adapter: it does not need Internet access, but it must be reachable by the agents (the Windows servers). Make sure all the VMs are in the same IP range and subnet so that we don’t run into network-related issues later.
Once the Wazuh VM has booted, you should be able to log in with the provided credentials. Make a note of the Wazuh VM’s IP, which is 192.168.56.105 in my case.
Visit http://<WAZUH-IP>/ to open the administrator dashboard and use the default credentials -
admin: admin
After login you should see something like this (the number of active agents should be 0 for you right now):
Let’s make the DC an Agent.
Click on the “Deploy new agent” button in place of the agents summary and select Windows as your operating system.
Set the server address to that of the Wazuh server - 192.168.56.105 in my case.
Optionally add an agent name, which makes it easier to recognize the agent later; I will name mine client_dc_1.
Copy the PowerShell command displayed, and we are almost ready to deploy our first agent.
Issue: installing agents on a host-only network.
We will run into an issue at this stage because the VM is set to host-only. To install an agent, the installer has to download a package, which requires an Internet connection. But if we set the connection to NAT, all the VMs will share one single IP connected via the host PC’s network, which would make our lab impossible.
This is where I learned that we can set up multiple network adapters for a VM. We have to do that for every VM we install as a Wazuh agent.
Shut down your VM if it is running.
In VirtualBox, right click on a VM > Settings > go to the Network tab and set Adapter 1 to NAT.
In Adapter 2, tick the Enable Network Adapter option and set it to Host-only.
Now boot up the VM, open cmd and type ipconfig to check the network adapters.
You can see two network adapters: the first one is for the host-only network with IP 192.168.56.102, and the second adapter is for NAT with IP 10.0.3.15.
To confirm you have Internet connectivity, also try pinging Google’s DNS server - 8.8.8.8, or Cloudflare’s DNS server - 1.1.1.1.
Do the same for every VM that you want to install as an agent.
Now that we have successfully set up the network connection, we are ready to make them Wazuh agents.
Fire up the Wazuh all-in-one server, log in to the Wazuh dashboard and navigate to the agent deployment page - https://<YOUR-WAZUH-IP>/app/endpoints-summary#/agents-preview/deploy
Select Windows as the package and set the Wazuh server address. Also give it a meaningful agent name so you don’t get confused later.
Follow the instructions, copy the PowerShell command and paste it into the client and DC machines.
Do the same for all VMs to be enrolled as agents.
~ If copy-paste from host to VM is not working, follow this video to fix it.
If everything went right, you should see two active agents on the Endpoints summary page (ignore the disconnected agent in this image).
Integrating sysmon logs
By default, Wazuh uses the Windows event logs as a source of logs, which is usually insufficient and not very verbose. Sysmon (System Monitor) is a free tool from Microsoft that logs detailed information about what’s happening on the host.
Integrating Sysmon will give you more visibility into what’s happening.
Unlike normal Windows logs, Sysmon tells you things like:
What programs were run
What network connections they made
What files they created or changed
To download and install Sysmon, do the following:
Go to: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Extract the ZIP, then open PowerShell as Administrator.
Download the config file from here: https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml
Install Sysmon with the config file:
.\Sysmon64.exe -accepteula -i .\sysmonconfig.xml
You have installed Sysmon. Now, to configure Wazuh to collect the Sysmon logs, do the following:
Open the file C:\Program Files (x86)\ossec-agent\ossec.conf as administrator.
Add the following block at the end, just before the closing </ossec_config> tag:
<!--Sysmon log collection-->
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
Reboot the Wazuh server.
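As an added example (not from the original post), here is a small Python script that makes the ossec.conf edit above idempotently: it parses the file, appends the Sysmon <localfile> block before the closing </ossec_config> tag only if no such entry exists yet, and keeps the file's existing comments. It runs here against a constructed, cut-down ossec.conf string; feed `ensure_sysmon_localfile` the contents of the real agent file to use it on a Windows host.

```python
import xml.etree.ElementTree as ET

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Constructed stand-in for a minimal Windows agent ossec.conf (not a dump
# of a real file); the real one contains many more sections.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <client>
    <server>
      <address>192.168.56.105</address>
    </server>
  </client>
  <!-- Default Windows channel shipped with the agent -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
"""

def has_sysmon_localfile(root):
    """True if some <localfile> already collects the Sysmon channel via eventchannel."""
    for lf in root.findall("localfile"):
        loc = lf.findtext("location", default="").strip()
        fmt = lf.findtext("log_format", default="").strip()
        if loc == SYSMON_CHANNEL and fmt == "eventchannel":
            return True
    return False

def ensure_sysmon_localfile(conf_text):
    """Return (new_text, changed). Appends the Sysmon block before </ossec_config>
    only when it is missing, so running this twice never duplicates the entry."""
    # insert_comments=True keeps the file's existing <!-- --> comments (Python 3.8+)
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(conf_text, parser=parser)
    if root.tag != "ossec_config":
        raise ValueError("expected a single <ossec_config> root element")
    if has_sysmon_localfile(root):
        return conf_text, False
    root.append(ET.Comment("Sysmon log collection"))
    lf = ET.SubElement(root, "localfile")
    ET.SubElement(lf, "location").text = SYSMON_CHANNEL
    ET.SubElement(lf, "log_format").text = "eventchannel"
    ET.indent(root, space="  ")  # Python 3.9+
    return ET.tostring(root, encoding="unicode") + "\n", True
```

The agent only reads ossec.conf at startup, so after writing the real file the Wazuh agent service on that Windows host has to be restarted before the new channel is collected.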
To verify that we have successfully added Sysmon as a source of logs, go to the Wazuh dashboard, under the Threat intelligence section click on Threat Hunting, click on Events in the top navbar, and you should see a list of events like this:
Click on the inspect icon at the left-most end of an event; you should see data.win.system.channel set to Microsoft-Windows-Sysmon/Operational, which is what we set as the name of the source in the ossec.conf file.
If you cannot find a Sysmon event, wait a few minutes for Wazuh to collect the events after the reboot, or filter for Sysmon events using the filter option at the top: set the Field to ‘data.win.system.channel’, the operator to ‘is’, and the value to ‘Microsoft-Windows-Sysmon/Operational’.
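The same check can be done from the Wazuh manager's command line instead of the dashboard, which is handy when the dashboard is slow to show events. The added Python example below (not from the original post) applies the dashboard-style filter "data.win.system.channel is Microsoft-Windows-Sysmon/Operational" to alerts.json lines and then counts Sysmon events per type, so you confirm not only that the channel arrives but that the process, network and file telemetry described above is present. The alert lines are constructed samples trimmed to the fields used here; the event ID to name mapping follows Sysmon's documented IDs.

```python
import json
from collections import Counter

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Sysmon event IDs behind the three kinds of visibility mentioned above.
SYSMON_EVENT_NAMES = {"1": "process created", "3": "network connection", "11": "file created"}

# Constructed sample of alerts.json lines (one JSON object per line, as the
# Wazuh manager writes them), cut down to the fields this script reads.
SAMPLE_ALERTS_JSON = "\n".join([
    json.dumps({"agent": {"name": "client_dc_1"},
                "data": {"win": {"system": {"channel": "Security", "eventID": "4624"}}}}),
    json.dumps({"agent": {"name": "client_dc_1"},
                "data": {"win": {"system": {"channel": SYSMON_CHANNEL, "eventID": "1"},
                                 "eventdata": {"image": "C:\\Windows\\System32\\cmd.exe"}}}}),
    json.dumps({"agent": {"name": "client_dc_1"},
                "data": {"win": {"system": {"channel": SYSMON_CHANNEL, "eventID": "3"}}}}),
    json.dumps({"agent": {"name": "client_dc_1"},
                "data": {"win": {"system": {"channel": SYSMON_CHANNEL, "eventID": "11"}}}}),
    # a non-Windows alert with no data.win at all must not break the filter
    json.dumps({"agent": {"name": "client_dc_1"}, "rule": {"id": "5501"}}),
])

def get_field(alert, dotted_path):
    """Resolve a dashboard-style dotted field name such as
    'data.win.system.channel' against a nested alert dict; None if absent."""
    node = alert
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def filter_alerts(alerts_json, field, value):
    """Equivalent of the dashboard filter 'field is value' over alerts.json text."""
    matches = []
    for line in alerts_json.splitlines():
        if line.strip():
            alert = json.loads(line)
            if get_field(alert, field) == value:
                matches.append(alert)
    return matches

def sysmon_summary(alerts_json):
    """Count Sysmon events per type; an empty result means the channel is not arriving."""
    counts = Counter()
    for alert in filter_alerts(alerts_json, "data.win.system.channel", SYSMON_CHANNEL):
        event_id = get_field(alert, "data.win.system.eventID")
        counts[SYSMON_EVENT_NAMES.get(event_id, f"event {event_id}")] += 1
    return dict(counts)
```

On a manager you would pass the contents of /var/ossec/logs/alerts/alerts.json (the default alert log location) to `sysmon_summary` in place of the sample string.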
The attack
We are finally at the part where we attack and test Wazuh. We are going to try some common attacks against Active Directory and see how Wazuh detects them and shows them in its dashboard. If Wazuh does not show an alert, we are going to find a way to make Wazuh detect that kind of attack and test again.
Before we simulate an attack, let’s set up the AD to mimic a real-world corporate setup so that we don’t get bored with one user account and a DC:
I created the following users:
scott.knowles
terry.colby
elliot.anderson
gideon.goddard
michael.scott
gus.fring
I created the following OUs and added those users:
Executives - scott.knowles, terry.colby
Network_engineers - elliot.anderson, gideon.goddard
Managers - michael.scott, gus.fring
Creating OUs and adding users is fairly simple; learn how to do that here.
This blog is a work in progress and will be updated ASAP. Please check back later.
Written by Anirudh
I write about Hacking, CTFs and other interesting stuff.