This might be the end
Objective: Generate Telemetry & Ingest into Wazuh
- Sent Telemetry Containing Mimikatz
- Triggered Custom Alert for Mimikatz
This part is all about sending custom logs from Sysmon to Wazuh, so Wazuh can monitor important activity like password dumping tools (Mimikatz).
We’ll edit the Wazuh agent config file and tell it, “Hey, watch Sysmon logs only.”
Let’s go step by step.
If you’re on a Windows 10 machine (like me), head over to:
C:\Program Files (x86)\ossec-agent\ossec.conf
Here, click on ossec.conf and open it with Notepad.
As you remember, we installed Sysmon in part 2 of the series. Now we will make some changes in the conf file so the Wazuh agent ingests the Sysmon logs.
Now close this file as it is and create another backup of this file, such as
Now run Notepad as administrator, open the OSSEC file again, and scroll down a bit to find the “Log analysis” section.
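What goes into that “Log analysis” section is a `<localfile>` block that points the agent at the Sysmon event channel. The snippet below is an added example for this post, not a copy of the author's config; it uses the standard Wazuh `eventchannel` log format and the Sysmon channel name, and nothing else in ossec.conf needs to change for this step.

```xml
<!-- Added example: place inside <ossec_config>, next to the existing
     <localfile> entries in the "Log analysis" section of ossec.conf.
     Location is the Sysmon operational channel; log_format "eventchannel"
     tells the agent to read it as Windows events (not a flat text file). -->
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
```

After saving, restart the Wazuh agent service (from the Wazuh Agent Manager window or Services) so the new `<localfile>` entry is picked up; Sysmon events should then appear on the manager under the `sysmon` rule groups. Keeping the backup copy you made means you can diff the two files if the agent refuses to start, which almost always comes down to a malformed tag in ossec.conf.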
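For the second objective, the custom Mimikatz alert, the detection lives on the Wazuh manager rather than on the agent. The rule below is an added example, not the author's rule: it assumes the Sysmon events arrive through the agent config above, uses the `sysmon_event1` group that Wazuh's built-in Sysmon rules assign to process-creation (Event ID 1) events, and the rule id 100002 is a placeholder in the custom range (100000-120000) that you should adjust to avoid a clash with your own local rules. It matches on `OriginalFileName` from the PE header instead of the on-disk `Image` path, so renaming the binary does not by itself evade the rule.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml on the manager.
     Fires when a Sysmon process-creation event carries the Mimikatz
     original file name, regardless of what the executable was renamed to. -->
<group name="sysmon,custom,">
  <rule id="100002" level="15">
    <if_group>sysmon_event1</if_group>
    <!-- Sysmon EventID 1 exposes the PE OriginalFileName field;
         case-insensitive match via the pcre2 engine. -->
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)mimikatz\.exe</field>
    <description>Mimikatz usage detected: $(win.eventdata.image)</description>
    <mitre>
      <id>T1003</id>
    </mitre>
  </rule>
</group>
```

Restart the manager after editing local_rules.xml. Level 15 is the highest Wazuh severity, which makes the alert easy to route to email or an active-response later in the series; if you want to verify the rule without running the tool, `/var/ossec/bin/wazuh-logtest` on the manager accepts a pasted Sysmon event and shows which rule matched.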