Execute Mimikatz & create detection rules in Wazuh

First, let's open Virus & Threat Protection to add the Downloads folder as an exclusion.

Now, let's download Mimikatz from this link: https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe

Now, let's execute mimikatz.exe and review the Wazuh dashboard for any related detections or alerts.

.\mimikatz.exe
Add-MpPreference -ExclusionProcess "mimikatz.exe"

When I execute mimikatz.exe, Windows Defender blocks it. To proceed, I need to exclude the mimikatz process from detection.

Now, let's check the Wazuh dashboard for any related detections or alerts.

Upon reviewing Wazuh, I did not find any indicators related to Mimikatz.

By default, Wazuh does not log all events; it only generates logs when a rule is triggered or an alert is generated. However, this behavior can be modified by configuring the ossec.conf file within the Wazuh Manager to enable comprehensive logging. Alternatively, specific rules can be created to monitor particular events. When these events occur, they will trigger an alert in Wazuh, allowing for efficient searching and analysis.

Next, let's proceed with editing the ossec.conf file.

nano /var/ossec/etc/ossec.conf

Now, let's restart the Wazuh manager.

systemctl restart wazuh-manager

This change makes Wazuh archive every event it receives, not only the ones that raise an alert, into files under the "archives" directory.

cd /var/ossec/logs/archives/
ls

We also need to configure the filebeat.yml file so that Filebeat forwards the archives to the indexer as well as the alerts.

Next, let's restart Filebeat.

systemctl restart filebeat

Next, we need to create an index pattern for the archives in the Wazuh dashboard. Let's move forward with this step.
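The steps above do not show the settings themselves, so here, as an added example written for this walkthrough (my lab configuration, not text from the original post), is the part of /var/ossec/etc/ossec.conf on the manager that turns archiving on. The logall and logall_json keys belong in the <global> section of the existing file; everything else in ossec.conf stays as it is. For the Filebeat step, the matching change in /var/ossec/etc/filebeat.yml is to set enabled: true under archives: in the module: wazuh entry (it ships as false), and the index pattern to create in the dashboard is wazuh-archives-*, which is what the Discover page reads the archived events from. Archiving every event fills the disk quickly, so treat it as a lab setting and keep targeted rules like the one created later for production.

```xml
<!-- /var/ossec/etc/ossec.conf on the Wazuh manager (example fragment).
     Only the <global> keys relevant to archiving are shown; merge them into
     the existing <global> section rather than replacing the file. -->
<ossec_config>
  <global>
    <!-- Write every received event, alert or not, to logs/archives/archives.log -->
    <logall>yes</logall>
    <!-- Same events in JSON at logs/archives/archives.json; this is the file
         Filebeat ships to the indexer once its "archives" input is enabled -->
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
```

After saving, restart wazuh-manager and confirm that both archives.log and archives.json appear under /var/ossec/logs/archives/ and start growing; if archives.json stays empty, logall_json is the key to recheck, because Filebeat only reads the JSON file.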

Let's return to the Discover page.

Let's execute Mimikatz again and review the logs in the Wazuh dashboard.

We now need to create a rule to detect and generate an alert for Mimikatz activity.

We need to copy this section as it will be used to create a custom rule.

Let's proceed with creating our custom rule.

  <!-- Custom rules live in /var/ossec/etc/rules/local_rules.xml and must sit inside a <group>.
       IDs 100000-120000 are reserved for user-defined rules. -->
  <group name="local,windows,sysmon,">
    <rule id="100002" level="10">
      <!-- Only evaluate Sysmon Event ID 1 (process creation) events -->
      <if_group>sysmon_event1</if_group>
      <!-- Match the OriginalFileName from the PE version resource, case-insensitive -->
      <field name="win.eventdata.originalFileName" type="pcre2">(?i)mimikatz\.exe</field>
      <description>Mimikatz Usage Detected</description>
      <mitre>
        <id>T1003</id>
      </mitre>
    </rule>
  </group>

The win.eventdata.originalFileName field refers to the original name embedded within the file's metadata, which doesn't change even if the file is renamed on disk. Therefore, if an attacker simply renames mimikatz.exe to another name, this rule would still trigger an alert because the original filename remains mimikatz.exe.

Let's rename mimikatz.exe to an alternative name, execute it, and verify whether Wazuh generates an alert.

If the rule had instead matched on the Sysmon Image field (the path of the executable on disk), renaming the file would have been enough to avoid the alert.
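To make the comparison concrete, here is a complete /var/ossec/etc/rules/local_rules.xml written as an added example for this walkthrough (not part of the original post or of the Wazuh project's rule set). Rule 100002 is the OriginalFileName rule from the walkthrough; rule 100003 is a hypothetical Image-based rule of the kind the paragraph above describes, kept at a lower level so the difference in behaviour after a rename is visible side by side; rule 100004 adds a command-line check as a second signal, because OriginalFileName is read from the executable's version resource, which is metadata rather than a fixed property of the file. The rule IDs, levels, group name and the command-line pattern are choices made for this example.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (example written for this walkthrough) -->
<group name="local,windows,sysmon,">

  <!-- 1. The walkthrough's rule: match the OriginalFileName that Sysmon reads
          from the PE version resource. A copy renamed on disk still matches. -->
  <rule id="100002" level="10">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)mimikatz\.exe</field>
    <description>Mimikatz Usage Detected (OriginalFileName match)</description>
    <mitre>
      <id>T1003</id>
    </mitre>
  </rule>

  <!-- 2. For comparison only: match the on-disk path (Sysmon Image field).
          A copy saved under any other name never reaches this rule, which is
          exactly the gap the rename test in the walkthrough shows. -->
  <rule id="100003" level="5">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.image" type="pcre2">(?i)\\mimikatz\.exe$</field>
    <description>Mimikatz executed under its default file name (Image match only)</description>
    <mitre>
      <id>T1003</id>
    </mitre>
  </rule>

  <!-- 3. Second signal: OriginalFileName is editable metadata, so also alert
          on well-known Mimikatz module names appearing on the command line. -->
  <rule id="100004" level="10">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)(sekurlsa|lsadump)</field>
    <description>Mimikatz module name seen on a process command line</description>
    <mitre>
      <id>T1003</id>
    </mitre>
  </rule>

</group>
```

Before restarting wazuh-manager, run /var/ossec/bin/wazuh-logtest on the manager and paste a Sysmon Event 1 line copied from archives.json for the original execution and for the renamed copy: the first should report rules 100002 and 100003 as candidates, the second only 100002, which is the behaviour the walkthrough verifies through the dashboard.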
