-<!-- OSSEC Win32 Agent Configuration.
- - This file is compost of 3 main sections:
- - - Client config - Settings to connect to the OSSEC server.
- - - Localfile - Files/Event logs to monitor.
- - - syscheck - System file/Registry entries to monitor.
+<!-- OSSEC-HIDS Win32 Agent Configuration.
+ - This file is composed of 3 main sections:
+ - - Client config - Settings to connect to the OSSEC server
+ - - Localfile - Files/Event logs to monitor
+ - - syscheck - System file/Registry entries to monitor
-->
-<!-- READ ME FIRST. If you are configuring OSSEC for the first time,
- - try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
+<!-- READ ME FIRST. If you are configuring OSSEC-HIDS for the first time,
+ - try to use the "Manage_Agent" tool. Go to Control Panel->OSSEC Agent
- to execute it.
-
- First, add a server-ip entry with the real IP of your server.
- - Second, and optionally, change the settings of the files you want
+ - Second, and optionally, change the settings of the files you want
- to monitor. Look at our Manual and FAQ for more information.
- Third, start the Agent and enjoy.
-
- - Example of server-ip:
+ - Example of server-ip:
- <client> <server-ip>1.2.3.4</server-ip> </client>
-->
-
<ossec_config>
<!-- One entry for each file/Event log to monitor. -->
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
-
+
+ <localfile>
+ <location>Windows PowerShell</location>
+ <log_format>eventlog</log_format>
+ </localfile>
<!-- Rootcheck - Policy monitor config -->
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
- </rootcheck>
-
+ </rootcheck>
<!-- Syscheck - Integrity Checking config. -->
<syscheck>
-
+
<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and one a day should be enough.
-->
<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
- <disabled>yes</disabled>
-
+ <disabled>yes</disabled>
<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
+
+ <directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
+ <directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>
+
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
- <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
- <directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories>
- <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
+ <directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
+ <directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
+ <directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>
+ <directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>
+
+ <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
-
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
-
-
<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
- </syscheck>
+ </syscheck>
<active-response>
<disabled>yes</disabled>
</ossec_config>
-
<!-- END of Default Configuration. -->
-
projects / ossec-hids.git / blobdiff