Wazuh and Sysinternals Integration. Part I — Finding Persistent Footholds

Introduction.

Of all the Microsoft Sysinternals tools, Sysmon is probably the one most often integrated with the Wazuh agent.

Sysinternals — Autoruns

The official Microsoft documentation can be found here.

  • Explorer add-ons
  • Internet Explorer add-ons including Browser Helper Objects (BHOs)
  • Appinit DLLs
  • Image hijacks
  • Boot execute images
  • Winlogon notification DLLs
  • Windows Services and Winsock Layered Service Providers
  • Media codecs
  • ...and more.

Sysinternals and VirusTotal.

Autoruns gained VirusTotal hash-analysis integration in 2015. Sysinternals and VirusTotal worked out integration options whereby some tools in the suite can call the VirusTotal API to query file hashes, so that malicious files found on disk, or referenced from Windows registry keys and other autostart locations, can be spotted.

Integrating Autoruns and Wazuh Agent.

Full details are in our GitHub repo.
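As an added illustration (not the script from the SOCFortress repository), the collection step on the endpoint can look like this: Autorunsc enumerates every autostart category, hashes and signature-checks each image, queries VirusTotal by hash, and each entry is written as one JSON line to a file the Wazuh agent is configured to collect. The tool and log paths, and the CSV column names `Signer` and `VT detection`, are assumptions to verify against your Autorunsc version.

```powershell
# Added illustration, not the SOCFortress repo script. Assumed paths: adjust to
# where Autorunsc and the Wazuh agent live on the host.
$Autorunsc = 'C:\Program Files\Sysinternals\autorunsc64.exe'
$OutFile   = 'C:\Program Files (x86)\ossec-agent\logs\autoruns.json'

# Autorunsc emits its CSV as UTF-16; decode the captured stream accordingly
# so ConvertFrom-Csv sees clean text (assumption: verify with your build).
[Console]::OutputEncoding = [System.Text.Encoding]::Unicode

# -a *: all categories; -c: CSV; -h: file hashes; -s: verify signatures;
# -v: query VirusTotal by hash; -vt: accept the VirusTotal terms.
$entries = & $Autorunsc -accepteula -nobanner -a '*' -c -h -s -v -vt 2>$null |
           ConvertFrom-Csv
$now = (Get-Date).ToUniversalTime().ToString('o')

foreach ($e in $entries) {
    # "VT detection" looks like "3/72" (assumed column name); absent when
    # VirusTotal was not queried or the hash is unknown.
    $vt = if ($e.PSObject.Properties['VT detection']) { $e.'VT detection' } else { '' }
    $hits = 0
    if ($vt -match '^(\d+)/(\d+)$') { $hits = [int]$Matches[1] }

    # With -s the "Signer" column (assumed name) starts with "(Verified)" for
    # images whose Authenticode signature checks out.
    $signer = if ($e.PSObject.Properties['Signer']) { $e.Signer } else { '' }
    $verified = $signer -match '^\(Verified\)'

    $event = [ordered]@{
        timestamp      = $now
        host           = $env:COMPUTERNAME
        location       = $e.'Entry Location'
        entry          = $e.Entry
        enabled        = $e.Enabled
        category       = $e.Category          # feeds the "by category" report
        company        = $e.Company           # feeds the "by software vendor" report
        signer         = $signer
        signature_ok   = $verified
        image_path     = $e.'Image Path'
        launch_string  = $e.'Launch String'
        sha256         = $e.'SHA-256'
        vt_detection   = $vt
        vt_hits        = $hits
        # Unsigned or VirusTotal-detected autostarts are what a Wazuh rule
        # should raise on for the persistent-foothold report.
        suspicious     = ($hits -gt 0) -or (-not $verified)
    }
    ($event | ConvertTo-Json -Compress) | Add-Content -Path $OutFile -Encoding utf8
}
```

The agent needs a `<localfile>` entry in its ossec.conf pointing at `$OutFile` with `log_format` set to `json`, so each line arrives at the manager as a decoded event.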

SOCFortress — Persistent Foothold Reports.

Autoruns — Signatures found in VirusTotal
Signatures by Software Vendor and Category
Autoruns — Event Details.


SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
