Wazuh

Commands

• static IP Configration

  sudo nano /etc/netplan/50-cloud-init.yaml # Maybe ur file note not like mine 
   
  # Delete all the Data and add 
   
  network:
    version: 2
    ethernets:
      ens18:
        dhcp4: false
        addresses:
          - 192.168.99.24/24
      ens19:
        dhcp4: true
        
   
  sudo netplan try

• Timeout Extend

  # 1. Create the override directories for all three engines
  mkdir -p /etc/systemd/system/wazuh-indexer.service.d/
  mkdir -p /etc/systemd/system/wazuh-manager.service.d/
  mkdir -p /etc/systemd/system/wazuh-dashboard.service.d/
   
  # 2. Inject the 10-minute timeout rules
  echo -e "[Service]\nTimeoutStartSec=10min" > /etc/systemd/system/wazuh-indexer.service.d/override.conf
  echo -e "[Service]\nTimeoutStartSec=10min" > /etc/systemd/system/wazuh-manager.service.d/override.conf
  echo -e "[Service]\nTimeoutStartSec=10min" > /etc/systemd/system/wazuh-dashboard.service.d/override.conf
   
  # 3. Reload the Linux brain so it learns the new rules
  systemctl daemon-reload
   
  # 4. The CPR Restart Sequence (with built-in breathing room)
  echo "Starting Indexer (Database)..."
  systemctl restart wazuh-indexer
  echo "Waiting 30 seconds for database to open ports..."
  sleep 30
   
  echo "Starting Manager (Brain)..."
  systemctl restart wazuh-manager
  echo "Waiting 15 seconds for brain to connect..."
  sleep 15
   
  echo "Starting Dashboard (GUI)..."
  systemctl restart wazuh-dashboard
  echo "Wazuh stack is fully online! Go check your browser."

• Sysmon

  Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -OutFile "C:\sysmon64.exe"; Invoke-WebRequest -Uri "https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml" -OutFile "C:\sysmon-mitre.xml"; C:\sysmon64.exe -accepteula -i C:\sysmon-mitre.xml; C:\sysmon64.exe -c C:\sysmon-mitre.xml

• Tips & Tricks
  • Automatic

    Set-Service -Name Wazuh -StartupType Automatic

Notes

Active Directory LDAP Activations

This complete pipeline forces a Windows Domain Controller to log raw LDAP enumeration (Event 1644) and directory modifications (Event 5136), and pipes them directly into a Wazuh SIEM using a custom detection rule.

Phase 1: Force Windows to Audit Modifications (GPMC)

Catches modifications to the Schema, Users, and Groups (Event ID 5136).

1. Open gpmc.msc on the DC and edit the Default Domain Controllers Policy.
2. Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → DS Access.
3. Check Success and Failure for both Audit Directory Service Access and Audit Directory Service Changes.
4. Force update via Admin prompt: gpupdate /force

Phase 2: Registry Hacks for Raw LDAP Queries (Event 1644)

Forces NTDS to log every single enumeration attempt, regardless of size. Run this in an Administrator PowerShell session on the DC:

# Set Field Engineering diagnostics to maximum verbosity (Level 5)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" -Name "15 Field Engineering" -Value 5
 
# Drop search thresholds to 1 to force auditing of ALL queries
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "Expensive Search Results Threshold" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "Inefficient Search Results Threshold" -Value 1

Phase 3: Route the Logs to Wazuh (Agent Config)

Pipes the specific Windows Directory Service channel over to the SIEM.

1. Open C:\Program Files (x86)\ossec-agent\ossec.conf on the DC as Administrator.
2. Add this block right beneath the existing <localfile> sections:

  <localfile>
    <location>Directory Service</location>
    <log_format>eventchannel</log_format>
  </localfile>

3. Cycle the agent: Restart-Service -Name WazuhSvc

Phase 4: The Custom Wazuh Detection Rule (Manager Config)

Forces Wazuh to index the diagnostic logs (Level 5) instead of silently dropping them. 4. Open local_rules.xml on your Wazuh Manager web interface. 5. Paste this rule at the bottom to catch the enumeration:

<group name="windows, active_directory,">
  <rule id="100010" level="5">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^1644$</field>
    <description>Active Directory: Raw LDAP Enumeration Detected (Event 1644)</description>
  </rule>
</group>

6. Restart the Wazuh Manager to load the new rule into the engine.