# Tracking Mimikatz Activity with Wazuh & Sysmon Logs

## **🔧 Configuring Wazuh to Ingest Sysmon Logs**

### **Step 1: Accessing and Editing Wazuh Configuration**

1. **Locate Wazuh Configuration File**
   * Open `Program Files (x86)`.
   * Find the `ossec.conf` file inside the `wazuh-agent` folder.
   * Right-click the file and open it with Notepad (admin privileges might be needed).<br>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FSeaEMDkrcKYkSOjTW4ep%2F2.png?alt=media&#x26;token=eae8dd56-9d3a-4df4-b7a1-eb162bcefe66" alt="" width="563"><figcaption></figcaption></figure>
2. **Modify Log Analysis Settings**
   * Inside the configuration file, locate the `log analysis` section.
3. **Enable Sysmon Logging**
   * Sysmon must be installed (done in [part 1](https://osamaa.gitbook.io/osama_homepage/cybersecurity-soc-analyst-labs/automation-lab-home-project/broken-reference)).
   * Modify `ossec.conf` to ingest Sysmon logs.
   * Get Sysmon’s channel name from the Windows Event Viewer:
     * Open Event Viewer.
     * Navigate to Applications and Services Logs → Microsoft → Windows → Sysmon.
     * Right-click **Operational**, select **Properties**, and copy the **full name**.
   * Paste this name into the `ossec.conf` configuration under the correct log location.<br>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FceBDlFd7h5OpFkKlhLZa%2F2.png?alt=media&#x26;token=686145a6-675e-494f-87fb-aadcdf79a32b" alt=""><figcaption></figcaption></figure>
4. **Remove Unnecessary Log Sources**
   * For testing, remove other log sources (`application`, `security`, `system`) to focus on Sysmon.
   * Save the configuration and replace the existing file.
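As an added example (not the lab's own file), this is the agent-side `<localfile>` block that steps 3 and 4 above leave in `ossec.conf`: the Sysmon channel name copied from Event Viewer, the `eventchannel` format Wazuh uses for Windows event logs, and the default Application, Security and System entries removed for the test. The `<query>` element is optional; it is a Wazuh eventchannel feature I added to limit collection to Event ID 1 (process creation), the event the detection rule later keys on.

```xml
<!-- Place inside the existing <ossec_config> element of the Windows agent's ossec.conf -->
<ossec_config>
  <!-- Sysmon channel: the "Full Name" shown in Event Viewer under
       Applications and Services Logs > Microsoft > Windows > Sysmon > Operational -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <!-- eventchannel reads Windows event logs through the Windows Event Log API -->
    <log_format>eventchannel</log_format>
    <!-- Optional: forward only Event ID 1 (process creation) while testing.
         Remove this element to forward every Sysmon event to the manager. -->
    <query>Event/System[EventID=1]</query>
  </localfile>

  <!-- The default <localfile> blocks for the Application, Security and System
       channels were removed for this test so that only Sysmon events arrive. -->
</ossec_config>
```

Restart the Wazuh Agent service after saving, as step 2 describes; the agent only re-reads `ossec.conf` on restart.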

### **Step 2: Restarting Wazuh Agent**

* Open **Windows Services**.
* Restart the **Wazuh Agent** service.<br>

  <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2Fi479YE87dfjUigDeDySc%2Fimage.png?alt=media&#x26;token=07c0bfee-8e22-4a92-b47b-9b55e606d6f4" alt="" width="563"><figcaption></figcaption></figure>
* **This step is required whenever configuration changes are made.**

### Step 3: Verify Sysmon Logs in Wazuh Dashboard

1. **Log in to the Wazuh Dashboard**
   * Open your browser and go to:\
     `https://<Wazuh_Server_IP>`
   * Sign in with your Wazuh credentials.
2. **Go to the "Discover" Section**
   * In Wazuh, click on **Discover** from the left panel.
3. **Select the Correct Index**
   * In the search bar, choose:\
     `wazuh-alerts-*`
4. **Filter for Sysmon Events**
   * Type **"sysmon"** in the search bar and press **Enter**.<br>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2Fy7w75fNMGYaDKRLlY0j7%2Fimage.png?alt=media&#x26;token=4f2103ed-4b18-4335-a0b6-e608e0b5aaef" alt=""><figcaption></figcaption></figure>

## **🚀 Using Mimikatz for Security Testing**

#### 🔹 What is Mimikatz?

Mimikatz is a powerful post-exploitation tool used to extract passwords, hashes, and authentication tokens from Windows systems. It’s commonly used by security professionals for **penetration testing** and by attackers for **credential theft**.

#### 🔹 What Can Mimikatz Do?

✅ Dump plaintext passwords from memory.\
✅ Extract NTLM hashes for offline cracking.\
✅ Pass-the-Hash & Pass-the-Ticket attacks.\
✅ Extract Kerberos tickets (Golden Ticket, Silver Ticket).\
✅ Bypass Windows authentication protections.

***

### 👉 Running Mimikatz for Testing

1. **Disable Windows Defender (for testing purposes only)**
   * Open **Windows Security**.
   * Go to **Virus & threat protection** → **Manage settings**.
   * Add an **exclusion** for the **Downloads folder**.<br>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FjbHKalQmppVLwDIVmU6o%2F2.png?alt=media&#x26;token=cadafb31-1cad-4809-a2f5-20876c1a48c6" alt=""><figcaption></figcaption></figure>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FI08EUpMjhghSuAmHYKm6%2F2.png?alt=media&#x26;token=6cbb4977-1896-4808-8972-0bfb5d2b9458" alt=""><figcaption></figcaption></figure>

2. **Download Mimikatz from the** :link: [GitHub repository](https://github.com/ParrotSec/mimikatz)**.**<br>

   <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FNNbV9ktjBp9BZ6LLnbXN%2F2.png?alt=media&#x26;token=0617a3ac-1a4b-403a-9b8a-df6e2e292562" alt=""><figcaption></figcaption></figure>

   * Some browsers (like Edge) may block Mimikatz.<br>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FXhXsUiIc0UhKWEwOr0kS%2F2.png?alt=media&#x26;token=53036224-c33f-4c80-bfb4-121eee294680" alt="" width="341"><figcaption></figcaption></figure>
   * If you are using Chrome, disable Chrome's Safe Browsing protection if needed:
     * Go to **Privacy & Security** → **Security**.
     * Turn off **Safe Browsing** (No Protection).
   * Click Keep and Download Mimikatz.<br>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FzaqRqUdAaRddyaytuRdy%2Fimage.png?alt=media&#x26;token=853f9a7d-71a4-4c6b-b576-0db1560053fe" alt=""><figcaption></figcaption></figure>

     Now, let's execute **`mimikatz.exe`** and then review the **Wazuh dashboard** for detections or alerts.

3. **Run Mimikatz in PowerShell**
   * Open **PowerShell as Administrator**.
   * Navigate to the extracted Mimikatz folder.
   * Run `mimikatz.exe`.<br>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2Fg5mlAzB4WZH4dj3Woe22%2Fimage.png?alt=media&#x26;token=dbd0874e-cd99-4616-a502-193d624791f5" alt=""><figcaption></figcaption></figure>

4. **Checking Wazuh for Alerts**
   * Open the **Wazuh dashboard**.
   * Search for **Sysmon or Mimikatz events** in the **alerts index**.
   * If no events appear immediately, wait a little or **check if Wazuh rules are triggering correctly**.<br>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2F882AtdW6hbm8tGIAS5sV%2F3.png?alt=media&#x26;token=8841f581-c5ce-44b8-9758-07bcc10dc0c2" alt=""><figcaption></figcaption></figure>

5. #### **Configuring Wazuh to Log All Events**
   * **Modify `ossec.conf` on Wazuh Manager**
     * Create a backup of the `ossec.conf` file.

       ```bash
       cp /var/ossec/etc/ossec.conf ~/ossec_backup.conf
       ```
     * Open `ossec.conf` and find `logall` and `logall_json` settings.<br>

       <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FB9ti1wqFtl7o0wdYUX51%2F3.png?alt=media&#x26;token=86e16a34-d17c-49c4-8871-253744fe3e81" alt="" width="563"><figcaption></figcaption></figure>
     * Change both values from `no` to `yes`.
       * **`<logall>yes</logall>`** → Logs everything (useful for debugging, but large logs).
       * **`<logall_json>yes</logall_json>`** → Logs everything in JSON format (structured but more storage).
     * Save and exit.

   * **Restart Wazuh Manager**
     * Use `systemctl restart wazuh-manager` to apply changes.

   * **Enable Filebeat to Process Archives**
     * Edit the **Filebeat configuration** file (`filebeat.yml`).
     * Locate `archives_enabled: false` and change it to `true`.<br>

       <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FC4frHDvPpMT11L6aIuvf%2F3.png?alt=media&#x26;token=8249dc56-c5e7-4fbf-a837-36cab2e35167" alt="" width="563"><figcaption><p>It lets Filebeat process archived logs for analysis and auditing.</p></figcaption></figure>
     * Save and restart Filebeat (`systemctl restart filebeat`).<br>

   * **Create an Index for Archives in Wazuh Dashboard**
     * Open **Dashboards Management** in Wazuh.

     * Go to **Index patterns**.

     * Name it `wazuh-archives-*` and click on Next step.<br>

       <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FApyihRiqhTqmhH6Pqf6V%2F3.png?alt=media&#x26;token=36bc5518-977e-4faf-972e-600f6ed50eb8" alt="" width="563"><figcaption></figcaption></figure>

     * Select **timestamp** at the bottom as the time field.<br>

       <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FFRAhcCfZ4eqImyclRUND%2F3.png?alt=media&#x26;token=db97cfb5-d545-4d6e-8693-709472291034" alt="" width="563"><figcaption></figcaption></figure>

     * Now, let's head to the Discover page to check our index.<br>

       <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FaEMt2lfIRAuAIzin5FVI%2F3.png?alt=media&#x26;token=e04448c6-9606-499b-b00a-19d68bd35bba" alt="" width="563"><figcaption></figcaption></figure>

   * **Verify Events in the Archive**
     * Check the archive logs (`/var/ossec/logs/archives/`).
     * Run `cat archives.json | grep -i mimikatz` to confirm logs are being stored.<br>

       <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FgXz5ABWdHLm5TNPITN0i%2Fimage.png?alt=media&#x26;token=8301a745-8526-4990-871d-4edecbb83558" alt=""><figcaption></figcaption></figure>

   * **If nothing is returned, no matching logs have been recorded yet: execute Mimikatz again to generate new events and verify that they appear in the archive.**<br>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FVhdm0vS1WRGIkVaIhRzZ%2Fimage.png?alt=media&#x26;token=134bc1c9-94e6-412f-a61e-9b2e22bbf497" alt=""><figcaption></figcaption></figure>

   * Now return to the Discover page to verify the Mimikatz logs.<br>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2F2GoDQlMzXcuYNGjQf8GN%2F4.png?alt=media&#x26;token=bf95cdef-9228-4404-b3ea-0c2858180939" alt=""><figcaption></figcaption></figure>

   * Also, we can check the archive logs again.<br>

     <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2F7fL56OHsEsrUXzfLtyLT%2Fimage.png?alt=media&#x26;token=2cf265b1-99d4-4b4e-8cf4-19952d616802" alt=""><figcaption></figcaption></figure>

6. #### **Creating a Custom Rule for Mimikatz Detection**
   1. **Access Wazuh Rule Management**
      * Go to **Server Management** → **Rules** in the Wazuh dashboard.<br>

        <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FrzCDSnw6Y25oO7DaYSAA%2F4.png?alt=media&#x26;token=fc5334df-3702-416e-ad11-7ff2865ab994" alt="" width="563"><figcaption></figcaption></figure>
      * Click **Manage Rule Files** and search for existing Sysmon event ID 1 rules.<br>

        <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FxeO4KV4q0rtmlckmb9Rm%2F4.png?alt=media&#x26;token=82ced67a-3137-4c1e-8828-b47a9ecce5eb" alt="" width="563"><figcaption></figcaption></figure>
   2. **Create a Custom Rule**
      * Copy an existing Sysmon event ID 1 rule as a reference.<br>

        <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FQeO4bpx1H0VAy8v0mIZB%2Fimage.png?alt=media&#x26;token=1fd68fdc-1374-4df8-81cd-d79689cd5337" alt=""><figcaption></figcaption></figure>
      * Open the **Custom Rules** section and edit the `local_rules.xml` file.<br>

        <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FZsfFE7gE6gbH9j9yJfhb%2F4.png?alt=media&#x26;token=6e338f84-053b-4894-bee7-b23d5e895064" alt=""><figcaption></figcaption></figure>

        <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FmB74feVZQ9Z6g65CM1Nj%2F4.png?alt=media&#x26;token=0efaa40a-03f5-4532-8045-35a9832e7a3e" alt=""><figcaption></figcaption></figure>
      * Paste the copied rule and modify it:<br>
        * Change **Rule ID** to `100002`.
        * Set the **level** to `15` (critical).
        * Change the **field name** from `parentImage` to `originalFileName` (field names are case-sensitive).
        * Set **regex match** for `mimikatz`.
        * Modify the **description** to indicate Mimikatz detection.
        * Update the **MITRE ATT\&CK ID** to `T1003` (Credential Dumping).<br>

          <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FqTcKdNr5QS2Z4VSEjcXt%2F4.png?alt=media&#x26;token=b0fef330-597d-4bd8-9d84-aaa7c90cff4b" alt=""><figcaption><p>Detection rule for Mimikatz: Triggers an alert when Sysmon logs show 'mimikatz.exe' execution, linking to MITRE ATT&#x26;CK T1003 (Credential Dumping).</p></figcaption></figure>
   3. **Save and Restart Wazuh Manager**
      * Click **Confirm Restart** to apply the custom rule.<br>

        <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2F2RdeQBiq1evJ9pQWThHi%2F4.png?alt=media&#x26;token=b6c884dc-ee9a-4958-a26a-04dbb093c0f7" alt=""><figcaption></figcaption></figure>

7. #### **Testing the Custom Rule**
   1. **Rename Mimikatz to Confirm That Renaming Does Not Bypass Detection**
      * Rename `mimikatz.exe` to something else (e.g., `totally-not-mimikatz`).<br>

        <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FglLOOo40v8NXH2E6wjh4%2Fimage.png?alt=media&#x26;token=711e75e4-9f30-49e0-b80b-290ee4314eac" alt="" width="371"><figcaption></figcaption></figure>
   2. **Run the Renamed File in PowerShell**
      * Open PowerShell and execute the renamed file.<br>

        <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FjjHl53aGEoeZ7bBanvR1%2Fimage.png?alt=media&#x26;token=c4861541-9c7f-4b23-a0cd-b0279eef42cb" alt=""><figcaption></figcaption></figure>
   3. **Check for Alerts in Wazuh Dashboard**
      * Refresh the **Security Events** section.<br>

        <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FckaDI54kIXv1WezzAVqH%2F5.png?alt=media&#x26;token=a36d23f4-66fc-42d4-afb3-dfd017bf6c98" alt=""><figcaption></figcaption></figure>

        <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FyTiOX5jmHMaaWXsbgyLl%2F5.png?alt=media&#x26;token=e43b99c0-a477-4600-bdb2-e5108175c360" alt=""><figcaption></figcaption></figure>

        <figure><img src="https://579311808-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FncZU5ncqqrt7qhD7DZRg%2Fuploads%2FVTiRd0PPqofqxAt7Vnjv%2F5.png?alt=media&#x26;token=00329321-e53f-4237-b3db-d51e122078ae" alt=""><figcaption></figcaption></figure>
      * If the rule is working, Mimikatz should trigger an alert despite the name change.
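As an added example, not the lab's own file, this is what the custom rule from step 6 looks like once the six edits are applied in `local_rules.xml`. It inherits the `sysmon_event1` group that the built-in Sysmon Event ID 1 rules assign, and matches on the PE `OriginalFileName` field rather than the on-disk path, which is why the renamed binary in step 7 still fires. The `(?i)` flag, the `\.exe` suffix and the `$(win.system.computer)` placeholder in the description are my choices, not the lab's.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the Wazuh manager -->
<group name="windows,sysmon,">
  <!-- Rule IDs 100000 and above are reserved for custom rules; level 15 is the
       highest severity and is treated as critical in the dashboard -->
  <rule id="100002" level="15">
    <!-- Only evaluate Sysmon Event ID 1 (process creation) events, which the
         built-in Wazuh Sysmon rules have already tagged as sysmon_event1 -->
    <if_group>sysmon_event1</if_group>
    <!-- OriginalFileName is read from the PE version resource, not from the
         path on disk, so renaming mimikatz.exe does not change this value.
         Decoded field names are case-sensitive: originalFileName, not OriginalFileName. -->
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)mimikatz\.exe</field>
    <description>Mimikatz usage detected on $(win.system.computer)</description>
    <mitre>
      <id>T1003</id>
    </mitre>
  </rule>
</group>
```

Because the match depends on the version resource embedded in the binary, treat this rule as one signal alongside the built-in Sysmon rules rather than as a complete Mimikatz detection; restart the manager after saving so the rule is loaded.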
