Wazuh for Windows Logging - savannahc502/SavC-TechJournal-SEC350 GitHub Wiki

Lab Introduction

In this lab, the goal is to install the Wazuh agent on the LAN-based and MGMT-based Windows systems.

Install Active Directory (AD) on Windows Server

The goal here is to first install Active Directory Domain Services on mgmt02. Then I will want to join wks1 to the new domain (savannah.local).

On mgmt02-savannah:

# Install the AD DS role and promote mgmt02 to the first DC of a new forest (prompts for the DSRM password and reboots)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "savannah.local"
# Create a dedicated admin account and put it in Domain Admins
$pw = Read-Host -Prompt 'Enter a Password for this user' -AsSecureString
New-ADUser -Name savannah.ciak-adm -AccountPassword $pw -PasswordNeverExpires $true -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members savannah.ciak-adm
# DNS role plus AD-integrated reverse lookup zones for the LAN and MGMT subnets
Install-WindowsFeature DNS -IncludeManagementTools
Add-DnsServerPrimaryZone -NetworkId "172.16.150.0/24" -ReplicationScope "Domain"
Add-DnsServerPrimaryZone -NetworkId "172.16.200.0/28" -ReplicationScope "Domain"

Source

Firewall Rules for Domain Joining

I need to open many new ports to allow wks01-savannah to join the newly created savannah.local domain.

MGMT-to-LAN rules:

# AD service ports (DNS, Kerberos, RPC, NetBIOS, LDAP, SMB, Kerberos password change, LDAPS, global catalog, RPC dynamic range)
# Note: 686 is not a standard AD port; LDAPS (636) is already in the list
set firewall name MGMT-to-LAN rule 30 action accept
set firewall name MGMT-to-LAN rule 30 description "allow ad service ports"
set firewall name MGMT-to-LAN rule 30 destination port "53,88,135,139,389,445,686,49152-65535,464,636,3268"
set firewall name MGMT-to-LAN rule 30 protocol "tcp_udp"

set firewall name MGMT-to-LAN rule 31 action accept
set firewall name MGMT-to-LAN rule 31 description "allow dns service ports"
set firewall name MGMT-to-LAN rule 31 destination port "389,53,88,123,137,138,636"
set firewall name MGMT-to-LAN rule 31 protocol udp

LAN-to-MGMT rules:

set firewall name LAN-to-MGMT rule 30 action accept
set firewall name LAN-to-MGMT rule 30 description "allow ad service ports"
set firewall name LAN-to-MGMT rule 30 destination port "53,88,135,139,389,445,686,49152-65535,464,636,3268"
set firewall name LAN-to-MGMT rule 30 protocol tcp

set firewall name LAN-to-MGMT rule 31 action accept
set firewall name LAN-to-MGMT rule 31 description "allow dns service ports"
set firewall name LAN-to-MGMT rule 31 destination port "389,53,88,123,137,138,636"
set firewall name LAN-to-MGMT rule 31 protocol udp

Domain Joining Workstation to Domain

The mgmt02-savannah box is located at 172.16.200.11. Since it is now the DNS server, the workstation wks01-savannah needs its DNS server address changed to point at it:

image

To actually join the domain: Control panel > system and security > system > change settings > change > domain > savannah.local > restart the computer.

Once restarted, the workstation should successfully be on the savannah.local domain!

Deliverable 1

image

Installing Wazuh Agent on Windows

On Workstation (has internet connectivity):

# Download the 4.7.5 agent MSI to %TEMP% and install it silently, enrolling with the manager at 172.16.200.10
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.5-1.msi -OutFile ${env:tmp}\wazuh-agent.msi; msiexec.exe /i ${env:tmp}\wazuh-agent.msi /q WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_NAME='wks01-savannah' WAZUH_REGISTRATION_SERVER='172.16.200.10'

NET START WazuhSvc

Since mgmt02-savannah has no internet connectivity, we need a way to get the agent installer onto it. My solution was a pair of temporary firewall rules that are deleted after the download:

# Temporary permit-all rules in both directions so mgmt02 can reach the package server
set firewall name MGMT-to-LAN rule 999 action accept
set firewall name MGMT-to-LAN rule 999 protocol all

set firewall name LAN-to-MGMT rule 999 action accept
set firewall name LAN-to-MGMT rule 999 protocol all

# Make sure to delete the rules after!

On mgmt02:

# Same install as on the workstation, with the agent name set to this host
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.5-1.msi -OutFile ${env:tmp}\wazuh-agent.msi; msiexec.exe /i ${env:tmp}\wazuh-agent.msi /q WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_NAME='mgmt02-savannah' WAZUH_REGISTRATION_SERVER='172.16.200.10'

NET START WazuhSvc

Add the new Wazuh agents to the windows group by running these commands on the wazuh-manager box:

# Create the "windows" agent group, then add each Windows agent to it by ID (IDs are listed by /var/ossec/bin/agent_control -l)
sudo /var/ossec/bin/agent_groups -a -g windows
sudo /var/ossec/bin/agent_groups -a -i <agent_number> -g windows
sudo /var/ossec/bin/agent_groups -a -i <agent_number> -g windows

Deliverable 2

image

Wazuh Logging Tests

The next few steps are to see if events are being properly logged in the Wazuh Server.

Deliverable 3

Logged into [email protected] on wks1. This should be a valid connection. The workstation login event should be found within the events for the wks1 agent.

image

Deliverable 4

Logged into eviluser@yourdomain on wks1. This should fail. Found the event where data.win.eventdata.targetUserName=eviluser.

image

Deliverable 5

I could not figure out what I was doing wrong with the SSH connection when attempting RDP, as it kept failing. These are the firewall configurations I attempted:

# Destination NAT on eth0: forward inbound TCP/22 to mgmt02
set nat destination rule 20 description 'SSH->MGMT02'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '172.16.200.11'
set nat destination rule 20 translation port '22'

# Allow TCP/22 from the LAN subnet into MGMT (note: RDP listens on TCP/3389, which neither rule covers)
set firewall name LAN-to-MGMT rule 50 action 'accept'
set firewall name LAN-to-MGMT rule 50 description 'Allow SSH from LAN to MGMT'
set firewall name LAN-to-MGMT rule 50 destination port '22'
set firewall name LAN-to-MGMT rule 50 protocol 'tcp'
set firewall name LAN-to-MGMT rule 50 source address '172.16.150.0/24'

Even when testing with all traffic accepted, I was unable to resolve the issue. However, I can show an RDP session being logged onto mgmt02-savannah from traveler01-savannah (which was configured in the previous lab).

I spent a couple of hours on this and may come back to it at a later time.

image
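As an added example (not part of the original lab write-up), the following Python classifies Windows logon alerts in the form the Wazuh manager writes to alerts.json, covering the three checks above: a successful logon (Event ID 4624), the failed eviluser logon (Event ID 4625, matched on data.win.eventdata.targetUserName) and an RDP session (4624 with logonType 10). The alert lines, the fail threshold and the source address 172.16.200.12 are constructed for the example.

```python
"""Classify Windows logon alerts as Wazuh forwards them (Event IDs 4624/4625)."""
import json
from collections import Counter

# Constructed alerts.json lines (not captured from the lab). Field paths follow the
# Wazuh Windows eventchannel decoder: data.win.system.eventID and data.win.eventdata.*
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"agent": {"name": "wks01-savannah"}, "data": {"win": {"system": {"eventID": "4624"},
        "eventdata": {"targetUserName": "savannah.ciak-adm", "logonType": "2", "ipAddress": "-"}}}},
    {"agent": {"name": "wks01-savannah"}, "data": {"win": {"system": {"eventID": "4625"},
        "eventdata": {"targetUserName": "eviluser", "logonType": "2", "ipAddress": "-"}}}},
    {"agent": {"name": "wks01-savannah"}, "data": {"win": {"system": {"eventID": "4625"},
        "eventdata": {"targetUserName": "eviluser", "logonType": "2", "ipAddress": "-"}}}},
    {"agent": {"name": "mgmt02-savannah"}, "data": {"win": {"system": {"eventID": "4624"},
        "eventdata": {"targetUserName": "savannah.ciak-adm", "logonType": "10",
                      "ipAddress": "172.16.200.12"}}}},  # constructed RDP client address
    {"agent": {"name": "mgmt02-savannah"}, "data": {"win": {"system": {"eventID": "4688"},
        "eventdata": {"newProcessName": "C:\\Windows\\System32\\cmd.exe"}}}},
])


def parse_alerts(text):
    """Return (agent, eventID, eventdata) for each Windows eventchannel alert; skip others."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        win = alert.get("data", {}).get("win")
        if not win:
            continue  # syscheck, rootcheck or non-Windows alert
        out.append((alert["agent"]["name"], win["system"]["eventID"], win.get("eventdata", {})))
    return out


def logon_summary(text, fail_threshold=2):
    """Count 4624 (success) and 4625 (failure) per (agent, user); list RDP logons; flag repeat failures."""
    success, failure, rdp = Counter(), Counter(), []
    for agent, event_id, ed in parse_alerts(text):
        user = ed.get("targetUserName", "?")
        if event_id == "4624":
            success[(agent, user)] += 1
            if ed.get("logonType") == "10":  # RemoteInteractive = RDP session
                rdp.append((agent, user, ed.get("ipAddress", "-")))
        elif event_id == "4625":
            failure[(agent, user)] += 1
    flagged = sorted(k for k, n in failure.items() if n >= fail_threshold)
    return {"success": success, "failure": failure, "rdp": rdp, "flagged": flagged}


if __name__ == "__main__":
    for key, value in logon_summary(SAMPLE_ALERTS).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Pointing `parse_alerts` at the manager's /var/ossec/logs/alerts/alerts.json gives the same summary over real agent traffic.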

Deliverable 6

image