SEC-350 Lab 10.1 - Windows Logging - Snowboundport37/champlain GitHub Wiki

🛠️ SEC350 Lab 10.1 - Technical Journal Entry: Windows Logging

✅ Domain Setup and Agent Installation

1. Installed Active Directory on mgmt02

  • Promoted to domain controller for andrei.local.

2. Joined wks01 to the domain

  • Renamed to wk01-andrei.
  • Joined to andrei.local.
  • Verified with:

3. Installed Wazuh Agent on both mgmt02 and wks01

  • Used this command on mgmt02:
    # ${env:TEMP} is the PowerShell form of the environment variable; the ${env.tmp}
    # spelling found in some install guides is an undefined variable that expands to
    # nothing, so the download lands in the root of the current drive.
    Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.6.0-1.msi -OutFile ${env:TEMP}\wazuh-agent.msi; msiexec.exe /i ${env:TEMP}\wazuh-agent.msi /q WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='Windows' WAZUH_AGENT_NAME='mgmt' WAZUH_REGISTRATION_SERVER='172.16.200.10'
    
  • Started the service:
    NET START WazuhSvc
    
  • Verified both agents are active in Wazuh dashboard under the Windows group.
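The three steps above as one checked script, run on the host being enrolled. This is an added example and not part of the lab write-up: it takes the manager address, agent version and group from the install command above, defaults the agent name to the host name (the lab used 'mgmt' and 'wks'), and assumes the default 64-bit install directory and that the agent records its connection state in a wazuh-agent.state file there.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the lab page). Manager, version and group follow the lab's
# install command; install path, state-file check and the agent name are assumptions.
param(
    [string]$Manager   = '172.16.200.10',
    [string]$Version   = '4.6.0-1',
    [string]$Group     = 'Windows',
    [string]$AgentName = ($env:COMPUTERNAME).ToLower()
)
$ErrorActionPreference = 'Stop'
$installDir = "${env:ProgramFiles(x86)}\ossec-agent"      # default path of the 64-bit MSI
$msi        = Join-Path $env:TEMP "wazuh-agent-$Version.msi"
$uri        = "https://packages.wazuh.com/4.x/windows/wazuh-agent-$Version.msi"

# 1. The lab joins the domain before installing; fail early if that step was skipped.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$($cs.Name) is not domain-joined; join andrei.local first." }
Write-Host "$($cs.Name) is a member of $($cs.Domain)"

# 2. The agent needs 1514/tcp (events) and 1515/tcp (enrollment) to the manager; if the
#    LAN->MGMT firewall drops these the agent installs fine but shows 'Never connected'.
foreach ($port in 1514, 1515) {
    if (-not (Test-NetConnection -ComputerName $Manager -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue)) {
        throw "Cannot reach $Manager on tcp/$port; fix the firewall before installing."
    }
}

# 3. Download and install quietly. Properties are passed unquoted: they contain no spaces,
#    and msiexec would otherwise keep the quote characters as part of the value.
Invoke-WebRequest -Uri $uri -OutFile $msi
$msiArgs = "/i `"$msi`" /q WAZUH_MANAGER=$Manager WAZUH_REGISTRATION_SERVER=$Manager " +
           "WAZUH_AGENT_GROUP=$Group WAZUH_AGENT_NAME=$AgentName"
$p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "msiexec exited with $($p.ExitCode)" }

# 4. Start the service and confirm the rendered ossec.conf really points at our manager.
Start-Service -Name WazuhSvc
$conf = Get-Content -Path "$installDir\ossec.conf" -Raw
if ($conf -notmatch "<address>$([regex]::Escape($Manager))</address>") {
    throw "ossec.conf does not list $Manager as the manager address"
}

# 5. Wait for the agent's state file (assumed: wazuh-agent.state with a status='...' line)
#    to report 'connected'; that is what 'Active' in the dashboard corresponds to.
$state    = Join-Path $installDir 'wazuh-agent.state'
$deadline = (Get-Date).AddSeconds(90)
do {
    Start-Sleep -Seconds 5
    $m = Select-String -Path $state -Pattern "^status='(\w+)'" -ErrorAction SilentlyContinue
    $status = if ($m) { $m.Matches[0].Groups[1].Value } else { 'no state file yet' }
} until ($status -eq 'connected' -or (Get-Date) -gt $deadline)
Write-Host "Agent '$AgentName': service $((Get-Service WazuhSvc).Status), status $status"
```

The connectivity check in step 2 is the one that usually explains an agent that "won't start" or never turns Active: the MSI installs without ever touching the network, so a blocked 1514/1515 only shows up later.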

🔐 Firewall Configuration (VyOS)

Opened required ports between LAN ↔ MGMT:

TCP Ports:

88, 135, 139, 389, 445, 636, 3268, 3269, 9389, 49152–65535

UDP Ports:

88, 123, 137, 138, 389

Used VyOS port-groups:

set firewall group port-group AD-TCP-Ports port '88'
set firewall group port-group AD-TCP-Ports port '135'
set firewall group port-group AD-TCP-Ports port '139'
set firewall group port-group AD-TCP-Ports port '389'
set firewall group port-group AD-TCP-Ports port '445'
set firewall group port-group AD-TCP-Ports port '636'
set firewall group port-group AD-TCP-Ports port '3268'
set firewall group port-group AD-TCP-Ports port '3269'
set firewall group port-group AD-TCP-Ports port '9389'
set firewall group port-group AD-TCP-Ports port '49152-65535'

set firewall group port-group AD-UDP-Ports port '88'
set firewall group port-group AD-UDP-Ports port '123'
set firewall group port-group AD-UDP-Ports port '137'
set firewall group port-group AD-UDP-Ports port '138'
set firewall group port-group AD-UDP-Ports port '389'

# In the 'firewall name' syntax a rule references a port-group under 'destination group'
set firewall name LAN-to-MGMT rule 10 action 'accept'
set firewall name LAN-to-MGMT rule 10 protocol 'tcp'
set firewall name LAN-to-MGMT rule 10 destination group port-group 'AD-TCP-Ports'

set firewall name LAN-to-MGMT rule 20 action 'accept'
set firewall name LAN-to-MGMT rule 20 protocol 'udp'
set firewall name LAN-to-MGMT rule 20 destination group port-group 'AD-UDP-Ports'
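A way to confirm from a LAN workstation that these rules actually pass what Active Directory needs. This is an added example, not from the lab: the fixed TCP ports are connect-tested one by one, while the UDP ports and the 49152-65535 dynamic RPC range, which a TCP connect cannot prove, are exercised by driving Kerberos, NTP and Netlogon against the DC. The DC address 172.16.200.11 is taken from the agent table at the end of the page; the script assumes the workstation is already joined to andrei.local. NetBIOS 137/138 are not checked.

```powershell
# Added example (not part of the lab write-up): verify the LAN-to-MGMT firewall from a
# domain-joined workstation. DC address and domain come from the lab; adjust as needed.
param(
    [string]$Dc     = '172.16.200.11',   # mgmt02, per the Wazuh agent table
    [string]$Domain = 'andrei.local'
)

# Fixed TCP ports from the AD-TCP-Ports group. The dynamic range is deliberately not
# probed port by port: a closed port and a dropped packet both fail a TCP connect, so
# such a test proves nothing. The Netlogon check below exercises 135 plus the range.
$tcpPorts = 88, 135, 139, 389, 445, 636, 3268, 3269, 9389
$results  = @(foreach ($port in $tcpPorts) {
    $ok = Test-NetConnection -ComputerName $Dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "tcp/$port"; Result = if ($ok) { 'open' } else { 'BLOCKED or closed' } }
})

# UDP cannot be connect-tested, so use the protocols that ride on it:
#  - Kerberos (88): ask the KDC for a service ticket for the domain's krbtgt.
#  - NTP (123): one time sample from the DC.
#  - Netlogon RPC (135/tcp + dynamic range): verify this machine's secure channel.
$klist = klist get "krbtgt/$Domain" 2>&1
$results += [pscustomobject]@{
    Check  = 'Kerberos TGS (klist get)'
    Result = if ($klist -match 'retrieved successfully') { 'ok' } else { 'FAILED' }
}
$w32tm = w32tm /stripchart "/computer:$Dc" /samples:1 /dataonly 2>&1
$results += [pscustomobject]@{
    Check  = 'NTP (w32tm stripchart)'
    Result = if ($w32tm -match '\d\d:\d\d:\d\d, [+-]') { 'ok' } else { 'FAILED' }   # data line vs 'error:'
}
$results += [pscustomobject]@{
    Check  = 'Netlogon secure channel (RPC)'
    Result = if (Test-ComputerSecureChannel -Server $Dc -ErrorAction SilentlyContinue) { 'ok' } else { 'FAILED' }
}

$results | Format-Table -AutoSize
```

If every TCP port reports open but the Netlogon check fails, the fixed ports are fine and the dynamic range rule is the one to look at; if Kerberos fails while 88/tcp is open, the UDP group is the suspect.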

🔍 Logging Tests (Deliverables 3–6)

Deliverable 3: Domain login (Valid)

  • Action: Logged in to wk01 as a valid domain user.
  • Agent: wks
  • Event matched: Windows logon success
  • Confirmed via Wazuh dashboard under Security events.

Deliverable 4: Failed login attempt as eviluser

  • Action: Attempted login with fake user.
  • Agent: wks
  • Event matched:
    Logon failure - Unknown user or bad password  
    data.win.eventdata.targetUserName = eviluser
    

Deliverable 5: Successful RDP from wks to mgmt02

  • Action: Used valid domain admin credentials to RDP.
  • Agent that logged the event: mgmt
  • Event matched:
    Successful Remote Logon Detected - NTLM authentication
    Rule ID: 92657
    

Deliverable 6: Failed RDP attempt to mgmt02

  • Action: RDP from wks using incorrect credentials + wrong domain name.
  • Agent that logged the event: mgmt
  • Event matched:
    Logon failure - Unknown user or bad password
    
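The same four outcomes read straight from the host's Security log, with the event fields renamed the way Wazuh exposes them under data.win.eventdata.*, so the dashboard results above can be cross-checked on mgmt02 (RDP tests) or wks (console tests). This is an added example, not part of the lab write-up. The NTSTATUS-to-reason and LogonType tables are standard Windows values; which of them Wazuh's own rules key on is not stated here. Because mgmt02 is both the DC and the RDP target, its log also carries the DC-side 4776 (NTLM) and 4771 (Kerberos pre-auth) records for the same failed attempts; this script looks only at 4624/4625.

```powershell
# Added example, not from the lab page: list 4624/4625 with Wazuh-style field names.
# Run as an administrator on the host whose agent reported the event.
param([int]$Hours = 2)

# 4625 Status/SubStatus codes Windows uses for logon failures (lower-case hex as logged).
$failureReason = @{
    '0xc0000064' = 'unknown user name'
    '0xc000006a' = 'bad password'
    '0xc000006d' = 'bad user name or password'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc000015b' = 'logon type not granted'
}
# LogonType values that matter for the lab: console, network (NLA / SMB), RDP session.
$logonKind = @{ '2' = 'console'; '3' = 'network'; '7' = 'unlock'; '10' = 'rdp' }

function ConvertTo-EventData {
    # Flatten <Data Name="X">v</Data> into a hashtable keyed like Wazuh (lowerCamelCase).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) {
        if ($n.Name) { $d[$n.Name.Substring(0,1).ToLower() + $n.Name.Substring(1)] = $n.'#text' }
    }
    $d
}

function Get-LogonEvents {
    param([int]$Hours = 2)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertTo-EventData $e
        # Drop machine accounts and built-in identities; they are not the lab's logons.
        if ($d.targetUserName -like '*$' -or $d.targetUserName -in 'SYSTEM','ANONYMOUS LOGON','-') { continue }
        $kind = if ($logonKind.ContainsKey("$($d.logonType)")) { $logonKind["$($d.logonType)"] } else { "type $($d.logonType)" }
        $why  = ''
        if ($e.Id -eq 4625) {
            $code = "$($d.subStatus)".ToLower()
            if ($code -eq '0x0') { $code = "$($d.status)".ToLower() }
            $why = if ($failureReason.ContainsKey($code)) { $failureReason[$code] } else { $code }
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Outcome = if ($e.Id -eq 4624) { 'success' } else { 'failure' }
            Logon   = $kind
            User    = "$($d.targetDomainName)\$($d.targetUserName)"
            AuthPkg = $d.authenticationPackageName      # NTLM / Kerberos / Negotiate
            Source  = "$($d.workstationName) $($d.ipAddress)".Trim()
            Reason  = $why
        }
    }
}

# The lab's deliverables are filters over this one stream:
#   3: success + console          4: failure + 'unknown user name'
#   5: success + rdp (or network) 6: failure + rdp/network from another host
$events = Get-LogonEvents -Hours $Hours
$events | Sort-Object Time | Format-Table -AutoSize
"Failed logons by account:"
$events | Where-Object Outcome -eq 'failure' | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The Reason column is what separates a typo from an enumeration attempt: 'unknown user name' repeated across many distinct accounts from one Source is a different signal than 'bad password' against one real account.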

⚠️ Issues Faced & Fixes

| Issue | Fix |
| --- | --- |
| Wazuh agent wouldn't start on mgmt02 | Reinstalled using full PowerShell command with proper config. |
| Couldn't reach Wazuh URL from mgmt | Installed Google Chrome and accessed directly via internal IP. |
| DNS resolution failed for curl | Used raw IPs for agent and manager config. |
| Couldn't see RDP events | Filtered by agent ID and rule description for NTLM. |
| Failed RDP not logged at first | Used a wrong domain to force failure record in Wazuh. |

✅ Final Agent Status in Wazuh

| ID | Name | OS | IP Address | Group | Status |
| --- | --- | --- | --- | --- | --- |
| 001 | dhcp02-andrei | Ubuntu 22.04 | 172.16.150.10 | default | Active |
| 002 | jump-andrei | CentOS Linux 7.9 | 172.16.50.4 | default | Active |
| 003 | nginx02-andrei | Ubuntu 22.04 | 172.16.50.3 | default | Active |
| 004 | mgmt | Win Server 2019 | 172.16.200.11 | Windows | Active |
| 005 | wks | Windows 10 LTSC | 172.16.150.101 | Windows | Active |

All lab deliverables were completed successfully and verified through Wazuh event logs.