WebsiteTemplate/cheatsheets/wazuh.html
2026-01-25 11:33:37 -04:00


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
<meta http-equiv="X-Content-Type-Options" content="nosniff">
<link rel="stylesheet" href="../assets/css/style.css">
<link rel="icon" type="image/x-icon" href="../favicon.ico">
<script>
// Apply theme immediately to prevent flash
(function() {
const theme = localStorage.getItem('theme') ||
(window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
document.documentElement.setAttribute('data-theme', theme);
})();
</script>
<title>Wazuh Cheatsheet - Cheatsheets - Launch Pad</title>
</head>
<body>
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
</button>
<br/><br/>
<div class="name">
__ _______________________ _________._________________________
\_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/
| __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_
| \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \
\___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ /
\/ \/ \/ \/ \/ \/ \/
</div>
<div class="blog-page-header">
<div class="blog-header-content">
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
</a>
<h1 class="blog-page-title">Wazuh Cheatsheet</h1>
</div>
</div>
<div class="blog-post-container">
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
<div class="blog-post">
<div class="blog-post-content">
<p><a href="index.html">← Back to cheatsheets</a></p>
<p><a href="../index.html">← Home</a></p>
<hr>
<p>Wazuh is an open-source security platform (SIEM/XDR) built around agents that report to a manager. It provides log analysis and intrusion detection, file integrity monitoring, vulnerability detection, configuration assessment, active response and compliance reporting. Its rules carry MITRE ATT&CK technique IDs, and the manager attaches the matching tactic and technique names to every alert, so alerts can be hunted and correlated by ATT&CK tactic.</p>
<hr>
<h2>Service Management</h2>
<ul>
<li>systemctl start wazuh-manager - Start Wazuh manager</li>
<li>systemctl stop wazuh-manager - Stop Wazuh manager</li>
<li>systemctl restart wazuh-manager - Restart Wazuh manager (required after editing ossec.conf, rules or decoders)</li>
<li>systemctl status wazuh-manager - Check manager status</li>
<li>systemctl enable wazuh-manager - Start the manager at boot (same for wazuh-agent)</li>
<li>systemctl start wazuh-agent - Start Wazuh agent</li>
<li>systemctl status wazuh-agent - Check agent status</li>
<li>systemctl status wazuh-indexer wazuh-dashboard filebeat - The rest of a single-node stack; alerts only reach the dashboard while Filebeat and the indexer are up</li>
<li>/var/ossec/bin/wazuh-control status - Check every Wazuh daemon on this host (shipped by both manager and agent packages)</li>
<li>/var/ossec/bin/wazuh-control start - Start all components</li>
<li>/var/ossec/bin/wazuh-control stop - Stop all components</li>
<li>/var/ossec/bin/wazuh-control restart - Restart all components</li>
</ul>
<hr>
<h2>Agent Management</h2>
<ul>
<li>/var/ossec/bin/agent_control -l - List all registered agents (active or not)</li>
<li>/var/ossec/bin/agent_control -lc - List connected (active) agents</li>
<li>/var/ossec/bin/agent_control -ln - List disconnected agents</li>
<li>/var/ossec/bin/agent_control -i &lt;agent_id&gt; - Show agent info (IP, OS, last keep-alive, last syscheck and rootcheck times)</li>
<li>/var/ossec/bin/agent_control -R &lt;agent_id&gt; - Restart an agent</li>
<li>/var/ossec/bin/agent_control -r -u &lt;agent_id&gt; - Run syscheck and rootcheck on one agent now (-r -a runs them on all agents)</li>
<li>/var/ossec/bin/agent_control -j - JSON output (-s for CSV) for scripting</li>
<li>/var/ossec/bin/agent_upgrade -a &lt;agent_id&gt; - Upgrade an agent remotely (-l lists outdated agents)</li>
<li>/var/ossec/bin/manage_agents - Interactive key management on the manager: add (-a &lt;ip&gt; -n &lt;name&gt;), list (-l), extract key (-e &lt;agent_id&gt;), remove (-r &lt;agent_id&gt;)</li>
<li>/var/ossec/bin/manage_agents -i &lt;key&gt; - On the agent: import the key extracted on the manager, then restart the agent</li>
</ul>
<hr>
<h2>Log Files</h2>
<ul>
<li>/var/ossec/logs/ossec.log - Main manager/agent log (daemon start-up, rule and decoder load errors, agent connection problems)</li>
<li>/var/ossec/logs/alerts/alerts.json - Alerts, one JSON object per line (what jq queries and Filebeat ship to the indexer)</li>
<li>/var/ossec/logs/alerts/alerts.log - The same alerts in human-readable text</li>
<li>/var/ossec/logs/alerts/&lt;year&gt;/&lt;Mon&gt;/ - Rotated daily alert files</li>
<li>/var/ossec/logs/archives/archives.log and archives.json - Every event received, alerting or not; only written when &lt;logall&gt;yes&lt;/logall&gt; / &lt;logall_json&gt;yes&lt;/logall_json&gt; is set in ossec.conf (useful for rule development, expensive on disk)</li>
<li>/var/ossec/logs/api.log - Wazuh API requests, including failed logins</li>
<li>/var/ossec/logs/active-responses.log - Active responses executed on this host</li>
<li>tail -f /var/ossec/logs/alerts/alerts.log - Monitor alerts in real time</li>
<li>tail -f /var/ossec/logs/ossec.log - Monitor the main log</li>
</ul>
<hr>
<h2>Rule Configuration</h2>
<ul>
<li>/var/ossec/etc/rules/local_rules.xml - Custom local rules (IDs 100000-120000 are reserved for custom rules)</li>
<li>/var/ossec/etc/decoders/local_decoder.xml - Custom decoders</li>
<li>/var/ossec/ruleset/rules/ and /var/ossec/ruleset/decoders/ - Stock ruleset; overwritten on upgrade, so never edit it in place (redefine a stock rule in local_rules.xml with &lt;rule id="..." overwrite="yes"&gt; instead)</li>
<li>/var/ossec/etc/ossec.conf - Main configuration file (the &lt;ruleset&gt; section lists rule and decoder directories and CDB lists)</li>
<li>/var/ossec/bin/wazuh-logtest - Interactive rule test: paste a log line and see the decoder, rule ID, level and groups it produces</li>
<li>cat sample.log | /var/ossec/bin/wazuh-logtest - Feed a file of log lines through the tool (it reads stdin; there is no -f option)</li>
<li>echo "$LINE" | /var/ossec/bin/wazuh-logtest -U "rule_id:level:decoder" - Unit-test mode: the exit status says whether the line hit exactly that rule, level and decoder (usable from CI)</li>
<li>/var/ossec/bin/wazuh-analysisd -t - Syntax-check ossec.conf, rules and decoders before restarting; a file that fails to load leaves the manager without its detections</li>
</ul>
<hr>
<h2>Searching Alerts</h2>
<ul>
<li>grep -A2 "Rule: 5710 " /var/ossec/logs/alerts/alerts.log - Search the text log by rule ID (entries read "Rule: 5710 (level 5) -> 'description'")</li>
<li>grep "(web-01) " /var/ossec/logs/alerts/alerts.log - Search by agent: the text log carries the agent name in parentheses, not its ID</li>
<li>jq -c 'select(.rule.id == "5710")' /var/ossec/logs/alerts/alerts.json - Query JSON alerts by rule ID (rule.id is a string)</li>
<li>jq -c 'select(.agent.id == "001")' /var/ossec/logs/alerts/alerts.json - Query by agent ID</li>
<li>jq -c 'select(.rule.mitre.id[]? == "T1110")' /var/ossec/logs/alerts/alerts.json - Filter by MITRE ATT&CK ID; rule.mitre.id is an array and the []? form skips alerts whose rule has no mapping instead of erroring</li>
<li>jq -c 'select(.rule.level >= 10)' /var/ossec/logs/alerts/alerts.json - High severity alerts (rule.level is a number)</li>
<li>tail -f /var/ossec/logs/alerts/alerts.json | jq -c 'select(.rule.level >= 10) | {t: .timestamp, a: .agent.name, d: .rule.description}' - Live feed of high-severity alerts</li>
</ul>
<hr>
<h2>MITRE ATT&CK Framework Integration</h2>
<p>Wazuh rules carry ATT&CK technique IDs in a &lt;mitre&gt; block; when a rule fires, the manager looks the IDs up in its MITRE database (/var/ossec/var/db/mitre.db) and adds the tactic and technique names to the alert. In alerts.json this appears as rule.mitre.id, rule.mitre.tactic and rule.mitre.technique, each an array (a rule can map to several techniques, and a technique to several tactics). Alerts from unmapped rules have no rule.mitre key at all, so queries must tolerate its absence.</p>
<h3>ATT&CK Metadata in Rules</h3>
<p>Only &lt;id&gt; is valid inside &lt;mitre&gt;; the tactic and technique names are not written in the rule but resolved by the manager. The rule below fires on eight sshd authentication failures (stock rule 5716) from one source within two minutes, the same pattern as stock rule 5720:</p>
<pre><code>&lt;rule id="100200" level="10" frequency="8" timeframe="120"&gt;
  &lt;if_matched_sid&gt;5716&lt;/if_matched_sid&gt;
  &lt;same_source_ip /&gt;
  &lt;description&gt;sshd: multiple authentication failures from the same source&lt;/description&gt;
  &lt;mitre&gt;
    &lt;id&gt;T1110&lt;/id&gt;
  &lt;/mitre&gt;
&lt;/rule&gt;</code></pre>
<h3>Querying ATT&CK Techniques</h3>
<pre><code># Alerts mapped to T1110 (Brute Force); the []? form skips alerts without rule.mitre
jq -c 'select(.rule.mitre.id[]? == "T1110")' /var/ossec/logs/alerts/alerts.json
# Alerts carrying a given tactic
jq -c 'select(.rule.mitre.tactic[]? == "Credential Access")' /var/ossec/logs/alerts/alerts.json
# Match on the technique name (also an array)
jq -c 'select(.rule.mitre.technique[]? == "Brute Force")' /var/ossec/logs/alerts/alerts.json
# Every sub-technique of T1548 (T1548.001, T1548.003, ...)
jq -c 'select(.rule.mitre.id[]? | startswith("T1548"))' /var/ossec/logs/alerts/alerts.json</code></pre>
<h3>Common ATT&CK Mappings</h3>
<ul>
<li>T1003 - OS Credential Dumping (password file access)</li>
<li>T1018 - Remote System Discovery (network scanning)</li>
<li>T1021 - Remote Services (SSH, RDP connections)</li>
<li>T1047 - Windows Management Instrumentation (WMI abuse)</li>
<li>T1055 - Process Injection (suspicious process behavior)</li>
<li>T1070 - Indicator Removal (log deletion)</li>
<li>T1071 - Application Layer Protocol (network traffic)</li>
<li>T1105 - Ingress Tool Transfer (file downloads)</li>
<li>T1110 - Brute Force (authentication failures)</li>
<li>T1548 - Abuse Elevation Control Mechanism (sudo/privilege escalation)</li>
</ul>
<h3>Threat Hunting with ATT&CK</h3>
<pre><code># Hunt for credential access techniques (mitre fields are arrays, so join them for display)
jq -c 'select(.rule.mitre.tactic[]? == "Credential Access") | {time: .timestamp, agent: .agent.name, rule: .rule.description, mitre_id: (.rule.mitre.id | join(","))}' /var/ossec/logs/alerts/alerts.json
# Hunt for persistence mechanisms
jq -c 'select(.rule.mitre.tactic[]? == "Persistence") | {time: .timestamp, technique: .rule.mitre.technique, id: .rule.mitre.id}' /var/ossec/logs/alerts/alerts.json
# Count privilege escalation alerts per technique
jq -c 'select(.rule.mitre.tactic[]? == "Privilege Escalation")' /var/ossec/logs/alerts/alerts.json | jq -s 'group_by(.rule.mitre.id) | map({id: .[0].rule.mitre.id, technique: .[0].rule.mitre.technique, count: length})'
# Rules firing at level 7+ with no ATT&CK mapping at all: blind spots in tactic-based dashboards
jq -r 'select(.rule.level >= 7 and (.rule.mitre | not)) | .rule.id' /var/ossec/logs/alerts/alerts.json | sort | uniq -c | sort -rn</code></pre>
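<p>The same hunts in Python, so they can run from a script or a CI job instead of a shell one-liner. This is an added example, not code from this cheatsheet or from the Wazuh project; it assumes only the alerts.json layout described above (one JSON object per line, rule.mitre.id / tactic / technique as arrays that are absent for unmapped rules). The lines in SAMPLE_ALERTS are constructed for the example, with invented agents, times and a deliberately broken line.</p>

```python
"""Hunt Wazuh alerts.json by MITRE ATT&CK tactic and technique.

Added example (not from the cheatsheet or the Wazuh project). Assumes the
alerts.json layout: one JSON object per line; rule.mitre.id, .tactic and
.technique are arrays, and the whole rule.mitre key is absent for rules
that carry no ATT&CK mapping.
"""
import json
from collections import Counter

# Constructed sample in alerts.json line format; agents, times and rule text are invented.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2026-01-25T10:00:01.000+0000", "agent": {"id": "001", "name": "web-01"},
     "rule": {"id": "5720", "level": 10, "description": "sshd: Multiple authentication failures.",
              "groups": ["syslog", "sshd", "authentication_failures"],
              "mitre": {"id": ["T1110"], "tactic": ["Credential Access"], "technique": ["Brute Force"]}}},
    {"timestamp": "2026-01-25T10:00:07.000+0000", "agent": {"id": "001", "name": "web-01"},
     "rule": {"id": "5712", "level": 10, "description": "sshd: brute force trying to get access to the system.",
              "groups": ["syslog", "sshd", "authentication_failures"],
              "mitre": {"id": ["T1110"], "tactic": ["Credential Access"], "technique": ["Brute Force"]}}},
    {"timestamp": "2026-01-25T10:03:40.000+0000", "agent": {"id": "002", "name": "db-01"},
     "rule": {"id": "5402", "level": 3, "description": "Successful sudo to ROOT executed.",
              "groups": ["syslog", "sudo"],
              "mitre": {"id": ["T1548.003"], "tactic": ["Privilege Escalation", "Defense Evasion"],
                        "technique": ["Sudo and Sudo Caching"]}}},
    # FIM alert with no ATT&CK mapping: rule.mitre is missing, not empty
    {"timestamp": "2026-01-25T10:05:12.000+0000", "agent": {"id": "002", "name": "db-01"},
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed.",
              "groups": ["ossec", "syscheck"]}},
]) + "\nthis line is not JSON\n"


def parse_alerts(text):
    """Parse alerts.json text; returns (alerts, skipped) where skipped counts unparsable lines."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1          # truncated or non-JSON line: count it, do not abort the hunt
    return alerts, skipped


def mitre_fields(alert):
    """Return (ids, tactics, techniques) as lists; all empty when the rule has no ATT&CK mapping."""
    m = alert.get("rule", {}).get("mitre") or {}
    return list(m.get("id", [])), list(m.get("tactic", [])), list(m.get("technique", []))


def hunt_by_tactic(alerts, tactic):
    """Summaries of alerts mapped to one ATT&CK tactic (same fields as the jq hunt above)."""
    hits = []
    for a in alerts:
        ids, tactics, techniques = mitre_fields(a)
        if tactic in tactics:
            hits.append({"time": a.get("timestamp"), "agent": a.get("agent", {}).get("name"),
                         "rule": a.get("rule", {}).get("description"),
                         "mitre_id": ",".join(ids), "technique": ",".join(techniques)})
    return hits


def technique_counts(alerts, tactic=None):
    """Count alerts per (technique ID, technique name), optionally restricted to one tactic."""
    counts = Counter()
    for a in alerts:
        ids, tactics, techniques = mitre_fields(a)
        if tactic is not None and tactic not in tactics:
            continue
        for tid, name in zip(ids, techniques):
            counts[(tid, name)] += 1
    return counts


def unmapped(alerts, min_level=7):
    """Alerts at or above min_level whose rule has no ATT&CK mapping: gaps in tactic-based views."""
    return [a for a in alerts
            if not mitre_fields(a)[0] and a.get("rule", {}).get("level", 0) >= min_level]


if __name__ == "__main__":
    alerts, skipped = parse_alerts(SAMPLE_ALERTS)
    print(f"parsed {len(alerts)} alerts, skipped {skipped} malformed line(s)")
    for hit in hunt_by_tactic(alerts, "Credential Access"):
        print("credential access:", hit)
    for (tid, name), n in technique_counts(alerts, "Privilege Escalation").items():
        print(f"privilege escalation: {tid} {name} x{n}")
    print("unmapped level>=7 rules:", [a["rule"]["id"] for a in unmapped(alerts)])
```

The functions take an already-parsed list, so a real run can stream lines from tail -f or from the rotated .json.gz files instead of reading the whole file. unmapped() is the check the jq one-liners leave implicit: high-level rules that fire without any ATT&CK mapping never show up on a tactic dashboard, so they are worth a custom rule with a &lt;mitre&gt; block.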
<hr>
<h2>Creating Custom Rules with ATT&CK</h2>
<p>Put custom rules in /var/ossec/etc/rules/local_rules.xml and chain them to stock rules with &lt;if_sid&gt; or &lt;if_matched_sid&gt; rather than re-parsing raw text. Use &lt;regex&gt; (OSRegex) when a pattern needs alternation or wildcards: &lt;match&gt; is a plain substring/sregex match and does not understand .* . Validate with /var/ossec/bin/wazuh-analysisd -t and wazuh-logtest before restarting.</p>
<pre><code>&lt;group name="custom,mitre_attack,"&gt;
  &lt;!-- stock rule 5402 fires on "sudo: ... USER=root ; COMMAND=..."; flag root sudo used to spawn su --&gt;
  &lt;rule id="100001" level="10"&gt;
    &lt;if_sid&gt;5402&lt;/if_sid&gt;
    &lt;regex&gt;COMMAND=/usr/bin/su|COMMAND=/bin/su&lt;/regex&gt;
    &lt;description&gt;sudo to root used to launch su (possible shell escape)&lt;/description&gt;
    &lt;mitre&gt;
      &lt;id&gt;T1548.003&lt;/id&gt;
    &lt;/mitre&gt;
  &lt;/rule&gt;
  &lt;!-- stock rule 31103 is "SQL injection attempt" on web access logs; escalate when one source repeats it --&gt;
  &lt;rule id="100002" level="12" frequency="5" timeframe="60"&gt;
    &lt;if_matched_sid&gt;31103&lt;/if_matched_sid&gt;
    &lt;same_source_ip /&gt;
    &lt;description&gt;Multiple SQL injection attempts from the same source IP&lt;/description&gt;
    &lt;mitre&gt;
      &lt;id&gt;T1190&lt;/id&gt;
    &lt;/mitre&gt;
  &lt;/rule&gt;
&lt;/group&gt;</code></pre>
<p>The tactic and technique names (Privilege Escalation / Sudo and Sudo Caching, Initial Access / Exploit Public-Facing Application) are added to the alert by the manager from its MITRE database. &lt;tactic&gt; or &lt;technique&gt; elements inside &lt;mitre&gt; are not part of the rule syntax and are rejected by analysisd when the ruleset loads; check /var/ossec/logs/ossec.log after a restart.</p>
<hr>
<h2>File Integrity Monitoring (FIM)</h2>
<ul>
<li>/var/ossec/etc/ossec.conf - Configure FIM in the &lt;syscheck&gt; section; on the manager, /var/ossec/etc/shared/&lt;group&gt;/agent.conf pushes a &lt;syscheck&gt; block to every agent in that group</li>
<li>/var/ossec/queue/fim/db/ - Local FIM database (fim.db) holding the baseline on each agent and on the manager</li>
<li>/var/ossec/bin/agent_control -r -u &lt;agent_id&gt; - Trigger a syscheck scan on an agent now</li>
<li>jq -c 'select(.rule.groups[]? == "syscheck")' /var/ossec/logs/alerts/alerts.json - FIM alerts; details are under syscheck (path, event, md5_after, sha256_after, diff when report_changes is on)</li>
</ul>
<h3>FIM Configuration Example</h3>
<pre><code>&lt;syscheck&gt;
  &lt;disabled&gt;no&lt;/disabled&gt;
  &lt;!-- full scan every 12 hours; realtime/whodata below catch changes between scans --&gt;
  &lt;frequency&gt;43200&lt;/frequency&gt;
  &lt;scan_on_start&gt;yes&lt;/scan_on_start&gt;
  &lt;alert_new_files&gt;yes&lt;/alert_new_files&gt;
  &lt;directories check_all="yes"&gt;/etc,/usr/bin,/usr/sbin&lt;/directories&gt;
  &lt;directories check_all="yes"&gt;/bin,/sbin&lt;/directories&gt;
  &lt;!-- trust material: alert immediately and include a diff of the change --&gt;
  &lt;directories check_all="yes" realtime="yes" report_changes="yes"&gt;/etc/ssh,/etc/sudoers.d,/root/.ssh&lt;/directories&gt;
  &lt;!-- record which user and process made the change; needs auditd on Linux --&gt;
  &lt;directories check_all="yes" whodata="yes"&gt;/etc/passwd,/etc/shadow,/etc/sudoers&lt;/directories&gt;
  &lt;ignore&gt;/etc/mtab&lt;/ignore&gt;
  &lt;ignore&gt;/etc/hosts.deny&lt;/ignore&gt;
  &lt;ignore&gt;/etc/mail/statistics&lt;/ignore&gt;
&lt;/syscheck&gt;</code></pre>
<hr>
<h2>Rootcheck</h2>
<ul>
<li>/var/ossec/etc/ossec.conf - Configure rootcheck in the &lt;rootcheck&gt; section (check_files, check_trojans, check_dev, check_sys, check_pids, check_ports, check_if, frequency)</li>
<li>/var/ossec/etc/shared/default/rootkit_files.txt and rootkit_trojans.txt - Rootkit file and trojaned-binary signatures distributed to agents (there is no rootcheck.conf; on the agent they land in /var/ossec/etc/shared/)</li>
<li>/var/ossec/bin/agent_control -r -u &lt;agent_id&gt; - Run rootcheck (and syscheck) on an agent now</li>
<li>grep "rootcheck" /var/ossec/logs/alerts/alerts.log - View rootcheck alerts (rule 510, "Host-based anomaly detection event (rootcheck)")</li>
<li>jq -c 'select(.rule.groups[]? == "rootcheck")' /var/ossec/logs/alerts/alerts.json - The same in JSON</li>
</ul>
<hr>
<h2>Vulnerability Detection</h2>
<ul>
<li>/var/ossec/etc/ossec.conf - Enable the detector on the manager: &lt;vulnerability-detector&gt; (4.x up to 4.7) or &lt;vulnerability-detection&gt; (4.8 and later). There is no standalone scan script; the module matches the package inventory that agents send through syscollector against its vulnerability feeds</li>
<li>GET /vulnerability/&lt;agent_id&gt; - Current vulnerabilities per agent via the API (up to 4.7; from 4.8 the inventory is kept in the wazuh-states-vulnerabilities-* index of the Wazuh indexer and queried from the dashboard)</li>
<li>jq -c 'select(.rule.groups[]? == "vulnerability-detector")' /var/ossec/logs/alerts/alerts.json - Vulnerability alerts; the finding is under data.vulnerability (cve, severity, package.name, package.version), not at the top level</li>
<li>jq -r 'select(.data.vulnerability.severity? == "Critical") | [.agent.name, .data.vulnerability.cve, .data.vulnerability.package.name] | @tsv' /var/ossec/logs/alerts/alerts.json - Critical findings as a table</li>
</ul>
<hr>
<h2>API Usage</h2>
<p>The Wazuh API (port 55000) does not accept basic auth on data endpoints: log in once with POST /security/user/authenticate to obtain a JWT (valid for 900 seconds by default) and send it as a Bearer token on every other call. The installer's wazuh:wazuh credentials must be changed (PUT /security/users/&lt;user_id&gt; with a new password, or the installation assistant's wazuh-passwords-tool), and -k, which turns off certificate verification, should be replaced by --cacert pointing at the CA that signed the manager's API certificate.</p>
<ul>
<li>API=https://localhost:55000; CA=root-ca.pem - Set once; root-ca.pem stands for the CA that issued the API certificate</li>
<li>TOKEN=$(curl -s --cacert "$CA" -u wazuh:wazuh -X POST "$API/security/user/authenticate?raw=true") - Log in and store the JWT (raw=true returns the bare token)</li>
<li>curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "$API/agents?pretty=true" - List agents via API</li>
<li>curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "$API/agents?status=disconnected,never_connected&select=id,name,lastKeepAlive&pretty=true" - Agents that are not reporting</li>
<li>curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "$API/agents/&lt;agent_id&gt;?pretty=true" - Get agent details</li>
<li>curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "$API/rules?rule_ids=1002&pretty=true" - Get rule information</li>
<li>curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "$API/syscollector/&lt;agent_id&gt;/hardware?pretty=true" - System inventory (GET, not POST; /os, /packages, /ports and /processes work the same way)</li>
<li>curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "$API/rootcheck/&lt;agent_id&gt;?pretty=true" - Rootcheck results</li>
<li>curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "$API/syscheck/&lt;agent_id&gt;?pretty=true" - FIM database for an agent (PUT /syscheck?agents_list=&lt;agent_id&gt; triggers a scan)</li>
<li>curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" -X PUT "$API/agents/&lt;agent_id&gt;/restart" - Restart an agent</li>
<li>curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" -X DELETE "$API/agents?agents_list=&lt;agent_id&gt;&status=all&older_than=0s" - Remove an agent</li>
</ul>
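<p>The token flow above as a small Python client, with the response handling a script needs (checking the API's error field, counting agents by status, listing the ones that cannot deliver alerts). This is an added example, not code from this cheatsheet or from the Wazuh project. It assumes the 4.x API shapes described above: POST /security/user/authenticate returns data.token, and GET /agents returns data.affected_items with one object per agent. API_URL is a placeholder, the CA path comes from the environment, and SAMPLE_AGENTS is a constructed response used for the offline checks; only the main block talks to a manager.</p>

```python
"""Minimal Wazuh API client: JWT login, bearer-token GETs, agent status summary.

Added example (not from the cheatsheet or the Wazuh project). Assumes the
4.x API: POST /security/user/authenticate with basic auth returns
{"data": {"token": "..."}, "error": 0}; other endpoints take
"Authorization: Bearer <token>" and answer {"data": {"affected_items": [...]}}.
"""
import base64
import json
import ssl
import urllib.request

API_URL = "https://localhost:55000"   # placeholder: manager on localhost


def _context(ca_file=None):
    """TLS context that verifies the server. Pass the CA that signed the API
    certificate (self-signed setups); verification is never switched off here,
    unlike curl -k."""
    return ssl.create_default_context(cafile=ca_file)


def extract_token(payload):
    """Pull the JWT out of the authenticate response; fail loudly if the API reported an error."""
    if payload.get("error", 0) != 0 or "token" not in payload.get("data", {}):
        raise RuntimeError(f"authentication failed: {payload}")
    return payload["data"]["token"]


def get_token(api_url, user, password, ca_file=None, timeout=10):
    """POST /security/user/authenticate with HTTP basic auth and return the JWT string."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{api_url}/security/user/authenticate", method="POST",
                                 headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=_context(ca_file), timeout=timeout) as resp:
        return extract_token(json.load(resp))


def api_get(api_url, token, path, ca_file=None, timeout=10):
    """GET an API path such as '/agents?status=active' with the bearer token; returns parsed JSON."""
    req = urllib.request.Request(f"{api_url}{path}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=_context(ca_file), timeout=timeout) as resp:
        return json.load(resp)


def summarize_agents(payload):
    """Count agents per status (active, disconnected, never_connected, pending) from a GET /agents response."""
    counts = {}
    for agent in payload.get("data", {}).get("affected_items", []):
        status = agent.get("status", "unknown")
        counts[status] = counts.get(status, 0) + 1
    return counts


def disconnected_agents(payload):
    """(id, name) of every agent that is not active: these hosts are not delivering alerts."""
    return [(a["id"], a.get("name")) for a in payload.get("data", {}).get("affected_items", [])
            if a.get("status") != "active"]


# Constructed response in the shape of GET /agents; names and IDs are invented.
SAMPLE_AGENTS = {
    "data": {"affected_items": [
        {"id": "000", "name": "wazuh-manager", "status": "active"},
        {"id": "001", "name": "web-01", "status": "active"},
        {"id": "002", "name": "db-01", "status": "disconnected"},
        {"id": "003", "name": "lab-vm", "status": "never_connected"}],
        "total_affected_items": 4, "total_failed_items": 0, "failed_items": []},
    "message": "All selected agents information was returned", "error": 0}

if __name__ == "__main__":
    import getpass
    import os
    user = os.environ.get("WAZUH_API_USER", "wazuh")
    ca = os.environ.get("WAZUH_CA")           # path to the CA that signed the API certificate
    token = get_token(API_URL, user, getpass.getpass(f"API password for {user}: "), ca_file=ca)
    agents = api_get(API_URL, token, "/agents?select=id,name,status&limit=500", ca_file=ca)
    print("agents by status:", summarize_agents(agents))
    print("not active:", disconnected_agents(agents))
```

The password is read with getpass rather than placed on the command line, where it would show up in shell history and ps output. A non-zero error field in an API response is the thing most scripts forget to check; extract_token raises on it so a rotated password or expired token stops the run instead of producing empty results.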
<hr>
<h2>Common Commands</h2>
<ul>
<li>/var/ossec/bin/wazuh-control info - Version, revision and installation type</li>
<li>/var/ossec/bin/wazuh-logtest - Interactive log testing tool</li>
<li>/var/ossec/bin/wazuh-analysisd -t - Validate ossec.conf, rules and decoders without restarting</li>
<li>/var/ossec/bin/verify-agent-conf - Validate the shared agent.conf files before they are pushed to agents</li>
<li>/var/ossec/bin/wazuh-regex "pattern" - Test an OSRegex pattern against lines typed on stdin (what a &lt;regex&gt; element will match)</li>
<li>/var/ossec/bin/agent_groups -l - List agent groups (-a -i &lt;agent_id&gt; -g &lt;group&gt; assigns an agent to a group)</li>
<li>/var/ossec/bin/cluster_control -l - List cluster nodes (-a shows which node each agent reports to)</li>
<li>/var/ossec/bin/wazuh-keystore - Store the indexer credentials the manager uses (4.8 and later) instead of keeping them in plain text in ossec.conf</li>
</ul>
<hr>
<h2>Configuration Locations</h2>
<ul>
<li>/var/ossec/etc/ossec.conf - Main configuration (manager/agent)</li>
<li>/var/ossec/etc/rules/ and /var/ossec/etc/decoders/ - Custom rule and decoder files (the stock ruleset lives under /var/ossec/ruleset/ and is replaced on upgrade)</li>
<li>/var/ossec/etc/shared/&lt;group&gt;/agent.conf - Centralized configuration pushed to the agents in that group (default group: shared/default/)</li>
<li>/var/ossec/etc/lists/ - CDB lists referenced by &lt;list&gt; in ossec.conf; compiled to .cdb when analysisd starts</li>
<li>/var/ossec/etc/client.keys - Agent keys (all agents on the manager, its own on an agent); mode 0640, treat as a secret, since anyone holding a key can send events as that agent</li>
<li>/var/ossec/etc/local_internal_options.conf - Local overrides of internal tuning options (internal_options.conf itself is replaced on upgrade)</li>
<li>/var/ossec/api/configuration/api.yaml - API settings (bind address, TLS certificates, CORS, token lifetime)</li>
</ul>
<hr>
<h2>Tips</h2>
<ul>
<li>Use MITRE ATT&CK metadata in custom rules for better threat hunting</li>
<li>Regularly review high-level alerts (level 12+)</li>
<li>Use jq for querying and filtering JSON alert logs; rule.mitre.* are arrays and are absent for unmapped rules</li>
<li>Create custom rules in local_rules.xml, not in the default rule files, which are overwritten on upgrade</li>
<li>Test rules with wazuh-logtest and wazuh-analysisd -t before restarting; a rule file that fails to load silently removes its detections</li>
<li>Monitor agent connectivity - disconnected agents can't send alerts (agent_control -ln, or GET /agents?status=disconnected)</li>
<li>Use FIM to monitor critical system files and directories; add realtime or whodata only for the few paths where a change must be seen within seconds</li>
<li>Enable vulnerability detection to flag vulnerable packages; use SCA (Security Configuration Assessment) for CIS benchmark and compliance checks</li>
<li>Correlate alerts using MITRE ATT&CK tactics to identify attack chains</li>
<li>Use the API for automation and integration with other tools; rotate the default API password and keep TLS verification on</li>
<li>Check /var/ossec/logs/ossec.log regularly for errors and warnings</li>
<li>Keep Wazuh updated to get the latest detection rules and MITRE mappings</li>
<li>Use rootcheck to detect rootkits and suspicious system modifications</li>
<li>Create dashboards based on MITRE ATT&CK tactics for threat visibility</li>
<li>Archive and analyze historical alerts for threat hunting</li>
</ul>
<hr>
<p><a href="index.html">← Back to cheatsheets</a></p>
<p><a href="../index.html">← Home</a></p>
</div>
</div>
</div>
</div>
<script async type="text/javascript" src="../blog/analytics.js"></script>
<script src="../theme.js"></script>
</body>
</html>