fix(#3165): fix emotet test.
mauromalara committed Sep 8, 2022
1 parent 75ed656 commit a5dca58
Showing 3 changed files with 104 additions and 59 deletions.
Original file line number Diff line number Diff line change
@@ -1,18 +1,75 @@
- name: Configure Windows agent environment
hosts: windows-agent
- name: Configure manager environment
hosts: manager
tasks:

- name: Enable auto logon
community.windows.win_auto_logon:
username: "{{ ansible_user }}"
password: "{{ ansible_password }}"
delegate_to: windows-agent

- name: Reboot Windows
win_reboot:
delegate_to: windows-agent

- name: Disable Windows Defender
win_shell: |
Set-MpPreference -DisableRealtimeMonitoring 1
delegate_to: windows-agent

- name: Configure local rules
include_role:
name: manage_wazuh_configurations
tasks_from: write_local_rules.yaml
vars:
config_block: |
<group name="emotet,">
<rule id="255559" level="5">
<if_group>sysmon</if_group>
<match>technique_name=Indirect Command Execution</match>
<description>Indirect Command Execution: $(win.eventdata.image)</description>
<mitre>
<id>T1202</id>
</mitre>
</rule>
<rule id="255561" level="5">
<if_group>sysmon</if_group>
<match>technique_name=Regsvr32</match>
<description>Regsvr32: $(win.eventdata.image)</description>
<mitre>
<id>T1218</id>
</mitre>
</rule>
<rule id="255926" level="12">
<if_sid>255559</if_sid>
<regex>WINWORD.EXE</regex>
<description>Word Executing WScript $(win.eventdata.image)</description>
<mitre>
<id>T1059.005</id>
</mitre>
</rule>
</group>
- name: Enable events logging
become: true
lineinfile:
path: /var/ossec/etc/ossec.conf
regexp: '<logall_json>no</logall_json>'
line: "<logall_json>yes</logall_json>"
backrefs: yes

- name: Restart wazuh-manager
include_role:
name: manage_wazuh
tasks_from: restart_wazuh.yaml
vars:
os: linux

- name: Configure Windows agent environment
hosts: windows-agent
tasks:

- name: Create temp folder
win_file:
Expand All @@ -28,12 +85,6 @@
win_shell: |
Expand-Archive -Path C:\temp\PSTools.zip -DestinationPath C:\temp\PSTools
- name: Copy ossec.conf
win_copy:
src: C:\Program Files (x86)\ossec-agent\ossec.conf
dest: C:\temp
remote_src: true

- name: Download sysmon
win_shell: |
Set-Location C:\temp
Expand All @@ -53,6 +104,12 @@
cd C:\temp\Sysmon
./Sysmon64.exe -accepteula -i sysconfig.xml
- name: Copy ossec.conf
win_copy:
src: C:\Program Files (x86)\ossec-agent\ossec.conf
dest: C:\temp
remote_src: true

- name: Configure Wazuh to collect Sysmon events
include_role:
name: manage_wazuh_configurations
Expand All @@ -68,60 +125,14 @@
Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n</ossec_config>"
os: windows

- name: Download trigger_emotet.exe
win_shell: |
Set-Location C:\temp
Invoke-WebRequest -Uri {{ s3_url }}/emotet/trigger-emotet.exe -Outfile trigger-emotet.exe
- name: Restart wazuh-agent
include_role:
name: manage_wazuh
tasks_from: restart_wazuh.yaml
vars:
os: windows

- name: Configure manager environment
hosts: manager
tasks:

- name: Configure local rules
include_role:
name: manage_wazuh_configurations
tasks_from: write_local_rules.yaml
vars:
config_block: |
<group name="emotet,">
<rule id="255559" level="5">
<if_group>sysmon</if_group>
<match>technique_name=Indirect Command Execution</match>
<description>Indirect Command Execution: $(win.eventdata.image)</description>
<mitre>
<id>T1202</id>
</mitre>
</rule>
<rule id="255561" level="5">
<if_group>sysmon</if_group>
<match>technique_name=Regsvr32</match>
<description>Regsvr32: $(win.eventdata.image)</description>
<mitre>
<id>T1218</id>
</mitre>
</rule>
<rule id="255926" level="12">
<if_sid>255559</if_sid>
<regex>WINWORD.EXE</regex>
<description>Word Executing WScript $(win.eventdata.image)</description>
<mitre>
<id>T1059.005</id>
</mitre>
</rule>
</group>
- name: Restart wazuh-manager
include_role:
name: manage_wazuh
tasks_from: restart_wazuh.yaml
vars:
os: linux
- name: Download trigger_emotet.exe
win_shell: |
Set-Location C:\temp
Invoke-WebRequest -Uri {{ s3_url }}/emotet/trigger-emotet.exe -Outfile trigger-emotet.exe
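Review bot: The `Download trigger_emotet.exe` task at the end of the section fetches an executable from `{{ s3_url }}` with `Invoke-WebRequest` and nothing checks what was written before the rest of the test presumably runs it, so a tampered or truncated bucket object silently changes what the test executes. Add a digest check right after the download, e.g. `$hash = (Get-FileHash -Algorithm SHA256 trigger-emotet.exe).Hash` followed by `if ($hash -ne '{{ trigger_emotet_sha256 }}') { throw "trigger-emotet.exe checksum mismatch" }`, keeping the expected value next to `s3_url` in the test variables (`trigger_emotet_sha256` is a constructed placeholder name). Separately, `backrefs: yes` in `Enable events logging` should be `backrefs: true`; yamllint's truthy rule flags `yes` and it is read differently by YAML 1.1 and 1.2 parsers. The body of the `Configure Windows agent environment` play is collapsed, so most of its tasks sit outside the shown hunks.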
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@
hosts: manager
tasks:

- name: Truncate archives log
shell: echo "" > /var/ossec/logs/archives/archives.json
become: true

- name: Truncate alert.json
include_role:
name: manage_alerts
Expand All @@ -20,9 +24,17 @@
hosts: manager
tasks:

- name: Wait for expected alert
- name: Wait for expected event and alert
block:

- name: Search event in archives
become: true
with_items: "{{ lookup('ansible.builtin.dict', alerts) }}"
wait_for:
path: /var/ossec/logs/archives/archives.json
search_regex: "{{ item.value.rule_id }}"
timeout: 10

- name: Search alert in alerts log
with_items: "{{ lookup('ansible.builtin.dict', alerts) }}"
include_role:
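Review bot: `search_regex: "{{ item.value.rule_id }}"` in `Search event in archives` is an unanchored regex, so a rule id such as 255559 is satisfied by those digits appearing anywhere in archives.json (inside a longer id, a timestamp or an event payload), and the wait can pass without the expected event ever being logged. Anchor it to the rule field the archive records, something like `search_regex: '"id":"{{ item.value.rule_id }}"'`, after confirming the field layout against the archives.json the manager actually writes. The `Truncate archives log` step would also be safer as `ansible.builtin.copy` with `content: ""` and `dest: /var/ossec/logs/archives/archives.json` rather than a `shell` redirect: `echo ""` leaves a stray newline in a JSON-lines file, and if the file does not exist yet the redirect creates it owned by root, which the daemon that appends to it may not be able to open (not verifiable from here). The `Wait for expected event and alert` block continues below the hunk.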
Original file line number Diff line number Diff line change
Expand Up @@ -34,3 +34,25 @@

- name: Enable Windows Defender
win_shell: set-MpPreference -DisableRealtimeMonitoring $False

- name: Disable events logging
lineinfile:
path: /var/ossec/etc/ossec.conf
regexp: '<logall_json>yes</logall_json>'
line: "<logall_json>no</logall_json>"
delegate_to: centos-manager

- name: Delete created rules
become: true
blockinfile:
path: /var/ossec/etc/rules/local_rules.xml
block: ''
marker: <!-- {mark} ANSIBLE MANAGED BLOCK -->
delegate_to: centos-manager

- name: Restart manager
include_role:
name: manage_wazuh
tasks_from: restart_wazuh.yaml
vars:
os: linux
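Review bot: `Disable events logging` edits `/var/ossec/etc/ossec.conf` without `become: true`, unlike the sibling `Delete created rules` task and the `Enable events logging` task in the setup playbook, so it will fail with a permission error unless the connection user can already write the manager's configuration. It also lacks `backrefs`, so if the `<logall_json>yes</logall_json>` line is not found (for instance when setup failed part-way) `lineinfile` appends `<logall_json>no</logall_json>` at end of file, after the closing tag, and leaves the manager with a malformed configuration instead of a no-op. Add `become: true` and `backrefs: true` to the task so it mirrors the enable step. The `Restart manager` task at the end has no `delegate_to: centos-manager` while its neighbours do; whether that is intended depends on the play's `hosts`, which is outside the hunk.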
