Tracking Mimikatz Activity with Wazuh & Sysmon Logs

PreviousWazuh & TheHive: Installation, Configuration, and Optimization NextEnd-to-End Alert Automation: Wazuh → Shuffle → TheHive

Last updated 2 months ago

Tracking Mimikatz Activity with Wazuh & Sysmon Logs

🔧 Configuring Wazuh to Ingest Sysmon Logs

Step 1: Accessing and Editing Wazuh Configuration

Locate Wazuh Configuration File
- Open Program Files (x86).
- Find the ossec.conf file inside the wazuh-agent folder.
- Right-click the file and open it with Notepad (admin privileges might be needed).
Modify Log Analysis Settings
- Inside the configuration file, locate the log analysis section.
Enable Sysmon Logging
- Sysmon must be installed (done in part 1).
- Modify ossec.conf to ingest Sysmon logs.
- Get Sysmon’s channel name from the Windows Event Viewer:
  - Open Event Viewer.
  - Navigate to Applications and Services → Microsoft → Windows → Sysmon.
  - Right-click Operational, select Properties, and copy the full name.
- Paste this name into the ossec.conf configuration under the correct log location.
Remove Unnecessary Log Sources
- For testing, remove other log sources (application, security, system) to focus on Sysmon.
- Save the configuration and replace the existing file.

Step 2: Restarting Wazuh Agent

Open Windows Services.
Restart the Wazuh Agent service.
This step is required whenever configuration changes are made.

Step 3: Verify Sysmon Logs in Wazuh Dashboard

Log in to the Wazuh Dashboard
- Open your browser and go to: https://<Wazuh_Server_IP>
- Sign in with your Wazuh credentials.
Go to the "Discover" Section
- In Wazuh, click on Discover from the left panel.
Select the Correct Index
- In the search bar, choose: wazuh-alerts-*
Filter for Sysmon Events
- Type "sysmon" in the search bar and press Enter.

🚀 Using Mimikatz for Security Testing

🔹 What is Mimikatz?

Mimikatz is a powerful post-exploitation tool used to extract passwords, hashes, and authentication tokens from Windows systems. It’s commonly used by security professionals for penetration testing and by attackers for credential theft.

🔹 What Can Mimikatz Do?

✅ Dump plaintext passwords from memory. ✅ Extract NTLM hashes for offline cracking. ✅ Pass-the-Hash & Pass-the-Ticket attacks. ✅ Extract Kerberos tickets (Golden Ticket, Silver Ticket). ✅ Bypass Windows authentication protections.

👉 Running Mimikatz for Testing

Disable Windows Defender (for testing purposes only)
- Open Windows Security.
- Go to Virus & threat protection → Manage settings.
- Add an exclusion for the Downloads folder.
- Some browsers (like Edge) may block Mimikatz.
- If you are using (Chrome) Disable Chrome’s security settings if needed:
  - Go to Privacy & Security → Security.
  - Turn off Safe Browsing (No Protection).
- Click Keep and Download Mimikatz.
  Now, let's execute mimikatz.exe, then review the Wazuh dashboard for detections or alerts.
Run Mimikatz in PowerShell
- Open PowerShell as Administrator.
- Navigate to the extracted Mimikatz folder.
- Run mimikatz.exe.
Checking Wazuh for Alerts
- Open the Wazuh dashboard.
- Search for Sysmon or Mimiktaz events in the alerts index.
- If no events appear immediately, wait a little or check if Wazuh rules are triggering correctly.
Configuring Wazuh to Log All Events
- Modify ossec.conf on Wazuh Manager
  - Create a backup of the ossec.conf file.
    cp /var/ossec/etc/ossec.conf ~/ossec_backup.conf
  - Open ossec.conf and find logall and logall_json settings.
  - Change both values from no to yes.
    <logall> yes → Logs everything (useful for debugging, but large logs).
    <logall_json> yes → Logs everything in JSON format (structured but more storage).
  - Save and exit.
- Restart Wazuh Manager
  - Use systemctl restart wazuh-manager to apply changes.
- Enable Filebeat to Process Archives
  - Edit the Filebeat configuration file (filebeat.yml).
  - Locate archives_enabled: false and change it to true.
  - Save and restart Filebeat (systemctl restart filebeat).
- Create an Index for Archives in Wazuh Dashboard
  - Open Dashboards Management in Wazuh.
  - Go to Index patterns.
  - Name it wazuh-archives-* and click on Next step.
  - select timestamp at the bottom as the time field.
  - Now, let's head to Discover page to check our index.
- Verify Events in the Archive
  - Check the archive logs (/var/ossec/logs/archives/).
  - Run cat archives.json | grep -i mimikatz to confirm logs are being stored.
- If you got nothing, it means no logs were recorded and we must execute Mimikatz again to generate new logs and verify if they appear in the archive.
- Now return to Discover page to verify Mimiktaz logs.
- Also, we can check the archive logs agian.
Creating a Custom Rule for Mimikatz Detection
1. Access Wazuh Rule Management
  - Go to Server Management → Rules in the Wazuh dashboard.
  - Click Manage Rule Files and search for existing Sysmon event ID 1 rules.
2. Create a Custom Rule
  - Copy an existing Sysmon event ID 1 rule as a reference.
  - Open the Custom Rules section and edit the local_rules.xml file.
  - Paste the copied rule and modify it:
    Change Rule ID to 100002.
    Set the level to 15 (critical).
    Change the field name from parentImage to originalFileName (ensuring case sensitivity).
    Set regex match for mimikatz.
    Modify the description to indicate Mimikatz detection.
    Update the MITRE ATT&CK ID to T1003 (Credential Dumping).
3. Save and Restart Wazuh Manager
  - Click Confirm Restart to apply the custom rule.
Testing the Custom Rule
1. Rename Mimikatz to Avoid Detection Bypass
  - Rename mimikatz.exe to something else (e.g., totally-not-mimikatz).
2. Run the Renamed File in PowerShell
  - Open PowerShell and execute the renamed file.
3. Check for Alerts in Wazuh Dashboard
  - Refresh the Security Events section.
  - If the rule is working, Mimikatz should trigger an alert despite the name change.