Home-Lab#1: Setting up File Integrity Monitoring for Windows 10 using Wazuh

Hello Everyone,

Welcome to our first Home-Lab! In this edition, we'll set up the Wazuh platform, onboard a Windows agent, and walk through the File Integrity Monitoring use case. File Integrity Monitoring is a critical process in any enterprise environment. If you are a SOC Analyst, a security professional, or an aspiring SOC Analyst, this home-lab will help you excel in your career.

I will take you through a step-by-step process to set up the home-lab with Wazuh. Wazuh is an open-source security platform that helps organizations with log data analysis, endpoint detection and response (EDR), File Integrity Monitoring, compliance monitoring, and much more.

Each of our Home-Labs will cover the following topics:

  • Background
  • Requirement
  • Home-Lab Set up
  • Use Cases
  • Assignments


Why File Integrity Monitoring?

By watching for and identifying unauthorized changes to files, File Integrity Monitoring (FIM) is essential for ensuring the security and integrity of a system. Here are the key reasons it matters:

  • Unauthorized Change Detection: FIM locates and alerts on alterations to important system files that were made without authorization, so breaches can be stopped early.
  • Compliance Requirement: Regulatory standards such as PCI DSS, HIPAA, and GDPR require FIM to be deployed.
  • Insider Threat Mitigation: By monitoring changes made by internal users, FIM helps identify and respond to possible insider threats.


Now that you understand the importance of FIM, let's get into the lab setup and a FIM use case.


Requirement

  • VirtualBox
  • Windows 10 VM
  • Wazuh OVA File


Home-Lab Set up

Step1: Install Wazuh

For a home-lab, it is most convenient to use the Wazuh OVA file. Download it from the official documentation page: https://documentation.wazuh.com/current/deployment-options/virtual-machine/virtual-machine.html

Download the Wazuh OVA file.

Open the file in VirtualBox (File > Import Appliance) and start the virtual machine.

VirtualBox and Wazuh

Make sure you set the VM's network adapter to Bridged mode so that the Wazuh server is reachable directly from your host machine (and later from the Windows agent).

Bridge Mode Enabled

Now, log in to the Wazuh CLI and run ifconfig to get the IP address.

The default Wazuh CLI credentials are:

username: wazuh-user

password: wazuh

Once you have the IP address, open your favourite browser and go to https://<WAZUH_IP_ADDRESS> (the OVA ships with a self-signed certificate, so expect a browser warning on first visit).

Next, enter the Wazuh GUI credentials, as shown below:

username: admin

password: admin

Wazuh GUI Login


Step2: Install Wazuh Agent on Windows 10

If your host OS is Windows, you can install the agent locally on the host; otherwise, download a Windows 10/11 virtual machine image from Microsoft's official website and run it in VirtualBox.

Once your Windows 10 machine is ready, visit the Wazuh platform using GUI. Go to Agents and click on Deploy new agent, as shown below.

Deploy Agent

Next, select an Operating system, enter your Wazuh Server address, and set your agent name as shown below.

At the end, you will get a PowerShell command that downloads and installs the agent with your server address and agent name filled in, plus a command to start the Wazuh service, as shown below.

Next, go to your Windows 10 machine and run the install command in an elevated (Run as administrator) PowerShell prompt.

Next, start the Wazuh service.

Start Wazuh service

Finally, come back to your Wazuh platform and go to Agents; you should see your newly onboarded Windows agent here.

Wazuh Agents

Step3: Enable File Integrity Module on Windows Machine

The good news is that the File Integrity Monitoring (FIM) module is enabled by default on agents.

You can verify this by checking the configuration file (ossec.conf) located at C:\Program Files (x86)\ossec-agent.

You can also open the Wazuh agent GUI (the win32ui executable) located in the same folder. This is also called the Wazuh Agent Manager. Click on View > View Config.

Wazuh OSSEC Config file


Now, scroll down a little and look for the <syscheck> block with the comment "File Integrity Monitoring". You should see the <disabled> tag set to no, meaning the module is enabled.

FIM is enabled


Windows FIM Use Cases

There are countless use cases for File Integrity Monitoring; in this newsletter, we will cover two important ones.

Use Case: Monitoring the System32 folder to track malicious executables

The System32 folder holds important system files, dynamic link libraries (DLLs), and executables that the Windows operating system needs to work properly.

Path: C:\Windows\System32

Why the System32 folder?

  • When malware gets into a system, it tries to set up persistence so that it can stay active without being found. By modifying or removing files in System32, malware can remain active for a long time, and users usually don't notice these changes.
  • Malware authors try to make their programs look like part of the operating system. By living in System32, malware can hide among real system files, making it harder for regular security measures to find it.

Let's have our Wazuh agent keep track of System32 files.

Step1: Add the System32 folder to the <directories> tag

Go to the Wazuh Agent Manager. Click on View > View Config and edit the <syscheck> block as shown below.
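For readers who cannot see the screenshot, here is what the edited <syscheck> block looks like. This is an added example, not the article's own screenshot or the Wazuh project's shipped file: the System32 entry is the one line we add for this lab, and the other entries stand in for the defaults already present in the Windows agent's ossec.conf (keep whatever your file already has; only the new <directories> line matters).

```xml
<syscheck>
  <!-- "no" here means the FIM module is ENABLED -->
  <disabled>no</disabled>

  <!-- Full scheduled scan every 12 hours (43200 s); real-time events still arrive between scans -->
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>

  <!-- Added for this lab: watch System32 and all subfolders in real time.
       check_all="yes" records size, permissions, owner, timestamps and hashes,
       so added, modified and deleted files each produce an alert. -->
  <directories check_all="yes" realtime="yes">C:\Windows\System32</directories>

  <!-- Entries like these are shipped by default in the Windows agent config; leave them in place -->
  <directories check_all="yes" realtime="yes">%WINDIR%\win.ini</directories>
  <directories check_all="yes" realtime="yes">%WINDIR%\system.ini</directories>
</syscheck>
```

Two practical notes: the Agent Manager has to run as administrator to save a file under C:\Program Files (x86), and System32 is a busy folder on a real machine (Windows Update alone touches it constantly), so in production you would pair an entry like this with <ignore> tags for known-noisy paths rather than alerting on everything.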


Step2: Restart the agent

Under the Manage tab of the Wazuh Agent Manager, click Restart so the new configuration is loaded.

Step3: Visualize the alert

Add any file to the folder C:\Windows\System32 (this needs administrator rights). Next, go to Wazuh > Security Alerts; you should see the alert as shown below.

Alert Visualization
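The dashboard is one way to see the alert; the same records are also written by the manager to /var/ossec/logs/alerts/alerts.json, one JSON object per line. The script below is an added example (not part of the article or of Wazuh) that filters those lines down to FIM events under the folder we monitor, which is handy when, like a reader in the comments, you cannot find the alert in the UI. The sample lines are constructed for this example; rule ids 554, 550 and 553 are Wazuh's stock "file added", "integrity checksum changed" and "file deleted" rules, and the last line is deliberately cut short to mimic a record still being written.

```python
"""Filter Wazuh FIM (syscheck) alerts for a monitored Windows folder.

Added example: reads newline-delimited records in the shape Wazuh writes to
/var/ossec/logs/alerts/alerts.json and keeps the syscheck events whose path
lies under the folder we added to <directories>.
"""
import json
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample of alerts.json lines (abridged; not real telemetry).
SAMPLE_ALERTS = r'''
{"timestamp":"2024-01-10T12:00:01.000+0000","rule":{"level":5,"id":"554","description":"File added to the system.","groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"]},"agent":{"id":"001","name":"WIN10-LAB"},"syscheck":{"path":"c:\\windows\\system32\\test.txt","mode":"realtime","event":"added","size_after":"0","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}
{"timestamp":"2024-01-10T12:00:05.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed.","groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"]},"agent":{"id":"001","name":"WIN10-LAB"},"syscheck":{"path":"c:\\windows\\system32\\drivers\\etc\\hosts","mode":"realtime","event":"modified","sha256_before":"1111","sha256_after":"2222"}}
{"timestamp":"2024-01-10T12:00:09.000+0000","rule":{"level":3,"id":"60106","description":"Windows logon success.","groups":["windows","authentication_success"]},"agent":{"id":"001","name":"WIN10-LAB"},"data":{"win":{"system":{"eventID":"4624"}}}}
{"timestamp":"2024-01-10T12:00:12.000+0000","rule":{"level":7,"id":"553","description":"File deleted.","groups":["ossec","syscheck","syscheck_entry_deleted","syscheck_file"]},"agent":{"id":"001","name":"WIN10-LAB"},"syscheck":{"path":"c:\\users\\lab\\desktop\\notes.txt","mode":"realtime","event":"deleted"}}
{"timestamp":"2024-01-10T12:00:15.000+0000","rule":{"level":5,"id":"554","desc
'''

MONITORED_ROOT = r"C:\Windows\System32"  # the folder we put in <directories>


def is_under(path: str, root: str) -> bool:
    """True when path equals root or lies below it (Windows semantics, case-insensitive)."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return p == r or r in p.parents


def fim_events(alert_lines: str, root: str = MONITORED_ROOT) -> list[dict]:
    """Return the syscheck events under root, oldest first, as flat dicts."""
    events = []
    for line in alert_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # half-written trailing record: skip it rather than crash
        if "syscheck" not in alert.get("rule", {}).get("groups", []):
            continue  # not an FIM alert (logons, Sysmon, ...)
        sc = alert.get("syscheck", {})
        if not is_under(sc.get("path", ""), root):
            continue  # FIM alert for a path outside the folder we care about
        events.append({
            "timestamp": alert["timestamp"],
            "agent": alert["agent"]["name"],
            "rule_id": alert["rule"]["id"],
            "event": sc.get("event"),
            "path": sc["path"],
            "sha256_after": sc.get("sha256_after"),
        })
    return events


def summarize(events: list[dict]) -> dict[str, int]:
    """Count events by type (added / modified / deleted)."""
    return dict(Counter(e["event"] for e in events))


if __name__ == "__main__":
    hits = fim_events(SAMPLE_ALERTS)
    for e in hits:
        print(f'{e["timestamp"]} {e["agent"]} {e["event"]:<8} {e["path"]}  sha256={e["sha256_after"]}')
    print(summarize(hits))
```

On the manager you would feed it the real file, for example by replacing SAMPLE_ALERTS with the contents of /var/ossec/logs/alerts/alerts.json. Matching on the rule's syscheck group rather than on specific rule ids keeps the filter working for custom FIM rules, and the path check is recursive, which mirrors how a <directories> entry watches subfolders by default.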

Alright, we are done with our lab and use case; I hope you enjoyed it. Now let me give you some homework. Ready?

Assignments

  1. Monitor Windows folder C:\Program Files\Microsoft Security Client
  2. Monitor Windows Registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Hint: Look through the <syscheck> block for the existing registry entries and follow the same format.


Conclusion

We have successfully learned to set up Wazuh, onboarded the Windows agent, and created a FIM rule. If you are interested in exploring the SOC Analyst journey further, you can enroll in my Ultimate SOC Analyst Course LINK

Keep learning!

Ishan Kulkarni

Ethical Hacker | Cybersecurity Enthusiast | Recent Graduated

10 months

Sir, I loved your content. I have one simple doubt: can I do this setup on my Windows 11 laptop? No doubt it is a gaming laptop, but tell me, can I do it there? Please reply ASAP. Thank you.

Jorge Andrés Serrano

Information Cybersecurity Lead Consultant

1 year

Hi Rajneesh G., thanks for sharing. I have a question: in step 3 I can't visualize the alert. Is there any other way to verify that it is configured correctly? By the way, I am using the 15-day free trial version in a cloud environment, so is this a problem?

Sayyed Tanveer Shafqat

System Engineer @ Juniper Networks -Design and Architecture of IP Networking and Security Solutions for Service Provider Customers - CCIE Emeritus | 2xJNCIE

1 year

Just tried the lab. Love it

Vamsi Krishna

Security Analyst-SOC Operations | Threat Hunting | CEH | CCFR CrowdStrike Certified | Cyber Security Enthusiast | Currently studying for AWS/Azure/Exabeam/DFIR | Training SANS GCFA - FOR508

1 year
