This lab demonstrates how Wazuh SIEM alerts on malware detected on one of its agents. A small tweak to ossec.conf lets Wazuh take its logs from Windows Defender.
- Attacker Machine: Windows Agent (self-attack)
- Target Machine: Windows Agent (monitored by Wazuh Manager)
- Manager: Ubuntu Server
- SIEM Tool: Wazuh
- Attack Tool: EICAR
- Attack Goal: Spreading malware
- Configuring ossec.conf so Wazuh takes logs from Windows Defender (the Security channel and the Windows Defender Operational channel):

```xml
<localfile>
  <log_format>eventchannel</log_format>
  <location>Security</location>
</localfile>
<localfile>
  <log_format>eventchannel</log_format>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
</localfile>
```

- EICAR file creation (the "malware"): a text file containing the standard EICAR test string

```
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
```

- Double-check the Wazuh alert against the Windows Defender logs on the agent.
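Once the Defender channel is forwarded, the manager writes the detection to alerts.json in the eventchannel decoder's layout (data.win.system / data.win.eventdata). The script below is an added example, not part of this lab or of Wazuh: it filters a constructed alerts.json sample down to Defender detection (1116) and action-taken (1117) events, skipping non-Defender alerts and a partially written line; the eventdata key names and the sample values are assumptions.

```python
import json
from collections import Counter

# Defender Operational-log event IDs: 1116 = detection, 1117 = action taken on it.
DEFENDER_PROVIDER = "Microsoft-Windows-Windows Defender"
DEFENDER_EVENT_IDS = {"1116": "malware detected", "1117": "action taken"}

def _alert(level, desc, provider, event_id, eventdata):
    # One alerts.json line in the eventchannel decoder's shape (constructed, not a real alert).
    return json.dumps({"agent": {"id": "001", "name": "WIN-AGENT"},
                       "rule": {"level": level, "description": desc},
                       "data": {"win": {"system": {"providerName": provider, "eventID": event_id},
                                        "eventdata": eventdata}}})

# Constructed sample of what the manager writes after the EICAR file lands on the agent.
# The eventdata key names are an assumption about the decoder's output, not copied from Wazuh.
SAMPLE_ALERTS = "\n".join([
    _alert(12, "Windows Defender: malware detected", DEFENDER_PROVIDER, "1116",
           {"threatName": "Virus:DOS/EICAR_Test_File", "path": "file:_C:\\Users\\lab\\eicar.com"}),
    _alert(12, "Windows Defender: action taken", DEFENDER_PROVIDER, "1117",
           {"threatName": "Virus:DOS/EICAR_Test_File", "path": "file:_C:\\Users\\lab\\eicar.com",
            "actionName": "Quarantine"}),
    _alert(3, "Windows logon success", "Microsoft-Windows-Security-Auditing", "4624",
           {"targetUserName": "lab"}),
    '{"agent": {"id": "001"',  # truncated last line, as when alerts.json is read mid-write
])

def defender_detections(alert_text):
    """Return one record per Defender detection/action alert; skip everything else."""
    records = []
    for line in alert_text.splitlines():
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable or partially written line
        win = alert.get("data", {}).get("win", {})
        system, eventdata = win.get("system", {}), win.get("eventdata", {})
        event_id = str(system.get("eventID", ""))
        if system.get("providerName") != DEFENDER_PROVIDER or event_id not in DEFENDER_EVENT_IDS:
            continue
        records.append({"agent": alert.get("agent", {}).get("name"), "event_id": event_id,
                        "what": DEFENDER_EVENT_IDS[event_id], "threat": eventdata.get("threatName"),
                        "path": eventdata.get("path"), "action": eventdata.get("actionName")})
    return records

def detections_per_agent(records):
    """Count (agent, threat) pairs so a repeat hit on the same host stands out."""
    return Counter((r["agent"], r["threat"]) for r in records if r["event_id"] == "1116")
```

Point it at /var/ossec/logs/alerts/alerts.json on the manager to confirm the EICAR hit arrived as both a 1116 and a 1117 event.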

- Wazuh SIEM can be configured to take logs from antivirus software.
- Installing antivirus software is a must to keep devices safe from malware.