Proj 6x: Monitoring File Integrity with Wazuh 3 (15 pts.)

What you need

Purpose

To practice using Wazuh to detect suspicious events on the Windows Server.

Launching ossec_agents

In File Explorer, navigate to this folder, as shown below.
C:\Program Files (x86)\ossec-agent
Double-click win32ui (the file is win32ui.exe; this is the Wazuh Agent Manager).

(Note: the Start menu no longer works on Windows Server 2016. This is a feature, not a bug.)

Speeding Up the Agent

By default, the Windows agent pauses between batches of files while it checks them (the syscheck process), to lower its performance impact on the server.

But for this project, we want it to respond quickly.

On the Windows server, in File Explorer, navigate to:

C:\Program Files (x86)\ossec-agent

Right-click internal_options (the file is internal_options.conf; File Explorer hides the extension) and click Open, as shown below.

Open the file in Notepad.

Find the line that sets syscheck.sleep and change its value from the default of 2 to 0, as shown below. This removes the pause the agent inserts between batches of files, so the scan finishes sooner; on a production server you would leave it at the default.

In Notepad, click File, Save.

Close Notepad.

Starting the Wazuh Agent

In "Wazuh Agent Manager", from the menu bar, click Manage, Start. Click OK.

Click the Refresh button.

The Status should be "Running", as shown below.

Viewing Wazuh Logs

In "Wazuh Agent Manager", from the menu bar, click View, "View Logs".

An "ossec - Notepad" window opens, showing the agent's ossec.log file. Scroll to the bottom. You should see the message "Starting syscheck real-time monitoring", as shown below.

Close Notepad. There is no need to save the log file.

Real-Time Monitoring

In "Wazuh Agent Manager", from the menu bar, click View, "View Config", as shown below.

Scroll down to the "<!-- Windows registry entries to monitor. -->" line. A few lines above it, observe the line shown below.

This is a <directories> entry with realtime="yes". It tells the agent to watch the all-users Startup folder in real time, so a file created there is reported within seconds; that is the folder you will modify in the next section. The Run registry key is listed among the registry entries below the comment, but registry keys are checked only during the agent's scheduled scan, not in real time.

Close Notepad.
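For reference, the relevant part of the agent's ossec.conf looks like the fragment below. This is an added illustration, not text copied from the original page or from this server's configuration file; the exact list of paths and the default values in your file may differ, and the comment about lowering the scan interval is a lab-only suggestion, not a setting the project asks you to change.

```xml
<syscheck>
  <disabled>no</disabled>

  <!-- Interval between scheduled scans, in seconds (12 hours). Registry keys
       are checked only on this schedule or when the agent starts. For a lab
       you could lower this (for example to 300) instead of restarting the
       agent; on a production server keep it at the default. -->
  <frequency>43200</frequency>

  <!-- Watched in real time: a new file here is reported within seconds. -->
  <directories check_all="yes" realtime="yes">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</directories>

  <!-- Windows registry entries to monitor. -->
  <!-- Registry entries accept no realtime attribute in this agent version. -->
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
</syscheck>
```

The difference between the two mechanisms explains the rest of this project: the Startup-folder change shows up in Kibana on its own, while the Run-key change only shows up after a scan, which is why the agent is restarted later.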

Modifying the Startup Folder

In File Explorer, navigate to this folder, as shown below.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Right-click an empty portion of the window and click New, "Text Document", as shown above.

Type a filename of YOURNAME, replacing "YOURNAME" with your own name. Then press Enter.

A file appears with your name on it, as shown below.

Viewing File Integrity Alerts

In the Wazuh web administration page, at the top, click OVERVIEW.

In the second line, click "FILE INTEGRITY".

At the top right, click DISCOVER.

At the bottom of the page, there should be an alert containing your name, as shown below.

Troubleshooting

If you see no results, try changing the time interval.

At the top right, click the time range, which may say "Last 15 minutes" or some other time range, as shown below.

On the next page, at the top right, click Quick. Click "This week", as shown below.

Saving a Screen Image

Make sure an alert containing YOURNAME is visible, as shown in the image above.

Capture a whole-desktop image.

Save the image with the filename "Your Name Proj 6xa". Use your real name, not the literal text "Your Name".

YOU MUST SUBMIT AN IMAGE OF THE WHOLE DESKTOP TO GET FULL CREDIT!

Modifying the Run Key

The Run key is often used by malware for persistence: any value stored here is executed each time a user logs on, including after the server is restarted.

On the Windows server desktop, click the Start button and type REGEDIT

In the search results, click regedit.

In the left pane of Registry Editor, navigate to this key, as shown below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the left pane, click Run to select it.

In the right pane, right-click an empty portion of the window and click New, "String Value", as shown above.

Type a name of YOURNAME, replacing "YOURNAME" with your own name. Then press Enter.

A value appears with your name on it, as shown below.

Double-click the YOURNAME value. Enter some text into the "Value data:" box, as shown below.

Click OK.

Restarting the Agent

Registry keys are not monitored in real time. The agent checks them only during its scheduled syscheck scan, which by default runs every 43200 seconds (12 hours, the <frequency> setting in ossec.conf), so Wazuh won't inform the server about the change for hours.

To save time, we'll restart the agent. Syscheck performs a full scan, including the registry, when the agent starts, so the change is reported right away.

In "Wazuh Agent Manager", from the menu bar, click Manage, Stop. Click OK.

Click Manage, Start. Click OK.

Click the Refresh button.

The Status should be "Running", as shown below.
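The same sequence (speeding up syscheck, creating the Startup-folder file, adding the Run value, and restarting the agent) can be scripted, which is handy for repeating the test or for checking from the agent's own log that the scan ran before you look in Kibana. The script below is an added example, not code from the original project page or from the Wazuh project. It assumes, since the page does not state them, that the Wazuh 3.x agent service is named OssecSvc, that the agent lives under C:\Program Files (x86)\ossec-agent and writes ossec.log there, and that it reads local_internal_options.conf from that folder; it places the syscheck.sleep setting in that local file rather than editing internal_options.conf directly, so an agent upgrade does not undo it. Run it in an elevated PowerShell prompt on the Windows Server.

```powershell
# Added example; not code from the original project page or the Wazuh project.
# Assumptions (not stated on the page): service name "OssecSvc", agent folder
# C:\Program Files (x86)\ossec-agent, log file ossec.log in that folder, and
# local_internal_options.conf being read from the same folder.

$Name     = "YOURNAME"   # replace with your own name, as in the project
$AgentDir = "C:\Program Files (x86)\ossec-agent"
$StartUp  = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
$RunKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$Service  = "OssecSvc"
$Log      = Join-Path $AgentDir "ossec.log"

# 0. Same effect as the internal_options edit in the project, but kept in
#    local_internal_options.conf so an agent upgrade does not overwrite it.
#    It takes effect at the restart in step 3.
$LocalOpts = Join-Path $AgentDir "local_internal_options.conf"
if (-not (Test-Path $LocalOpts) -or
    -not (Select-String -Path $LocalOpts -Pattern '^syscheck\.sleep=' -Quiet)) {
    Add-Content -Path $LocalOpts -Value "syscheck.sleep=0"
}

# Remember how long the log is now, so only lines written after the restart
# are inspected and "Starting syscheck" messages from earlier starts are
# not mistaken for the new one.
$before = if (Test-Path $Log) { (Get-Content $Log).Count } else { 0 }

# 1. Drop a marker file in the all-users Startup folder. This folder is
#    watched in real time, so syscheck reports it within seconds.
New-Item -Path (Join-Path $StartUp "$Name.txt") -ItemType File -Force | Out-Null

# 2. Add a Run value, the persistence technique the project describes. The
#    registry is only examined during a syscheck scan, so nothing is
#    reported for this change yet.
New-ItemProperty -Path $RunKey -Name $Name -Value "wazuh lab test" `
    -PropertyType String -Force | Out-Null

# 3. Restart the agent. Syscheck does a full scan, registry included, on
#    startup, so the Run change is reported without waiting for the
#    scheduled scan.
Restart-Service -Name $Service

# 4. Wait up to 90 seconds for syscheck to log that it started, then print
#    the new log lines so you can confirm the scan ran before opening Kibana.
$deadline = (Get-Date).AddSeconds(90)
do {
    Start-Sleep -Seconds 3
    $new = Get-Content $Log | Select-Object -Skip $before
} until (($new -match 'Starting syscheck') -or ((Get-Date) -gt $deadline))
$new

# Cleanup, once both screenshots have been captured:
#   Remove-Item (Join-Path $StartUp "$Name.txt")
#   Remove-ItemProperty -Path $RunKey -Name $Name
```

Leave the marker file and the Run value in place until you have captured both screenshots, then run the two cleanup commands at the end; a leftover Run value that points at non-existent text produces an error dialog at every logon.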

Viewing Registry Alerts

In the Wazuh web administration page, at the top, click OVERVIEW.

In the second line, click GENERAL.

At the top right, click DISCOVER.

At the top left, in the search bar, type

Run

and press Enter.

At the bottom of the page, there should be an alert containing the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run , as shown below.

Saving a Screen Image

Make sure an alert containing the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is visible, as shown in the image above.

Capture a whole-desktop image.

Save the image with the filename "Your Name Proj 6xb". Use your real name, not the literal text "Your Name".

YOU MUST SUBMIT AN IMAGE OF THE WHOLE DESKTOP TO GET FULL CREDIT!

Turning in your Project

Send the image to: cnit.50sam@gmail.com with a subject line of "Proj 6x From Your Name", replacing Your Name with your own first and last name. Send a Cc to yourself.

Sources

Wazuh v3.0 released!

Docs: Welcome to Wazuh

Posted 12-26-17 by Sam Bowne
Revised extensively 12-30-17