Monitoring AWS Managed Microsoft Active Directory with Wazuh

Wazuh 4.7.2

AWS Managed Microsoft Active Directory (AD) is an AWS Directory Service that provides users, businesses, and organizations different options to use Microsoft Active Directory (AD) with other AWS services. AWS Managed Microsoft AD stores information about users, groups, and devices, and system administrators use this Directory Service to manage access to this information. 

AWS Managed Microsoft AD can be configured to forward logs to AWS CloudWatch. Wazuh pulls and analyzes these logs from AWS CloudWatch.

Wazuh is a free and open source enterprise security platform that offers protection against security threats in the cloud, on-premises, virtualized, and containerized environments.

In this blog post, we demonstrate how Wazuh monitors the activities performed on an AWS Managed Microsoft AD service.

Infrastructure

We use the following infrastructure to show how Wazuh monitors AWS Managed Microsoft Active Directory Service:

  • A pre-built, ready-to-use Wazuh OVA 4.7.2: Refer to this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). 
  • An Amazon Web Services (AWS) account: We set up a free AWS account using this link.

Configuration

Amazon Web Services

To create an AWS Managed Microsoft AD, you need an Amazon VPC with at least two subnets. The subnets must be in different Availability Zones. In this blog post, we use the default Amazon VPC to create an AWS Managed Microsoft AD. 

Note: You cannot create an AWS Managed Microsoft AD in a VPC using addresses in the 198.18.0.0/15 address space.

Create an AWS Managed Microsoft AD

Perform the following steps to create an AWS Managed Microsoft AD.

1. Navigate to the AWS portal and type directory service in the search bar. Select Directory Service.

2. Click Set up directory, and select AWS Managed Microsoft AD.

3. Click Next, and select Standard Edition.

4. Enter a fully qualified domain name in the Directory DNS name field. In our case, we use wazuh.domain.com.

5. Enter a password in the Admin password field. The password must meet the specified password requirements.

6. Enter the same password in step 5 in the Confirm password field. Then click Next.

7. Select the default Amazon VPC in the VPC field. 

8. Select two subnets in different Availability Zones in the Subnets field. Then click Next.

9. Click Create directory.

10. Take note of the Directory ID.

Note: Your AWS Managed Microsoft AD will take approximately 20-45 minutes to be ready for use.

Amazon EC2 Windows instance

To manage users and groups in an AWS Managed Microsoft AD from an Amazon EC2 Windows instance, you must complete the following prerequisites.

  • Join the Amazon EC2 Windows instance to your AWS Managed Microsoft AD.
  • Install the Active Directory Administration Tools on the Amazon EC2 Windows instance.
  • Assign the AmazonSSMDirectoryServiceAccess and AmazonSSMManagedInstanceCore policies to the Amazon EC2 Windows instance.

Create an Amazon EC2 Windows instance

In this blog post, we create an Amazon EC2 Windows Server 2019. Perform the following steps to create an Amazon EC2 Windows Server 2019.

1. Navigate to the AWS portal and type instances in the search bar. Select Instances.

2. Click Launch instances.

3. Enter a name in the Name field. In our case, we use AD_Server.

4. Under Quick Start, select Windows.

5. Expand Amazon Machine Image (AMI), and select Microsoft Windows Server 2019 Base (free tier eligible).

6. Click Create new key pair, and enter a name in the Key pair name field. In our case, we use WindowsKP.

7. Click Create key pair. A file named WindowsKP.pem is downloaded to your local computer.

8. Click Launch instance.

Note: Your Amazon EC2 Windows instance will take approximately five minutes to be ready for use.

Join an Amazon EC2 Windows instance to AWS Managed Microsoft AD

Perform the following steps to join an Amazon EC2 Windows instance to an AWS Managed Microsoft AD.

1. Navigate to the AWS portal and type directory in the search bar. Select Directory Service.

2. Click the Directory ID value of the AWS Managed Microsoft AD created previously. 

3. Copy and save the values of the DNS address under the Networking & security tab.

4. Navigate to the AWS portal and type instances in the search bar. Select Instances.

5. Select the instance AD_Server. Click Connect > RDP client.

6. Click Get password, then click Upload private key file to upload the WindowsKP.pem file downloaded previously.

7. Click Decrypt password.

8. Copy and save the values of Public DNS, Password, and Username. You require these values to RDP into the Amazon EC2 Windows instance.

9. Connect to your Amazon EC2 Windows instance using any Remote Desktop Protocol client.

10. Enter the value of the Public DNS when prompted to enter a Computer name.

11. Enter the values of User name and Password, when prompted for credentials.

12. Once logged into the Amazon EC2 Windows instance, press Windows + R on your keyboard to open the Run dialog box.

13. Type ncpa.cpl in the Run dialog box and click OK to open Network Connections.

14. Right-click the enabled network connection and click Properties.

15. Double-click Internet Protocol Version 4 (TCP/IPv4).

16. Enter the IP addresses of the DNS servers of your AWS Managed Microsoft AD (saved in step 3) in the Preferred DNS server and Alternate DNS server fields, and click OK.


17. Press Windows + R keys on your keyboard to open the run dialog box.

18. Type sysdm.cpl in the search box and click OK to open the System Properties dialog box. Then click Change.

19. Select Domain in the Member of field, enter wazuh.domain.com in the Domain field, and click OK.

20. When prompted for a username and password to join the EC2 Windows instance to the domain, enter the username Admin and the password you created when setting up your AWS Managed Microsoft AD. Then click OK.

21. Click OK when you receive a message Welcome to the wazuh.domain.com domain.

22. Restart the EC2 Windows instance when prompted to restart the instance.

Assign required policies to the EC2 Windows instance

Perform the following steps to assign AmazonSSMDirectoryServiceAccess and AmazonSSMManagedInstanceCore policies to the EC2 Windows instance.

1. Navigate to the AWS portal and type iam in the search bar. Select IAM.

2. Select Roles > Create role.

3. Select EC2 under the Service or use case field. Then click Next.

4. Search for the policy AmazonSSMDirectoryServiceAccess. Then select the policy.

5. Search for the policy AmazonSSMManagedInstanceCore. Then select the policy.

6. Click Next. Type a name in the Role name field. In our case, we use EC2_role.

7. Then click Create role.

8. Type instances in the search bar of the AWS portal. Select Instances.

9. Select the Amazon EC2 Windows instance. Click Actions.

10. Click Security > Modify IAM role.

11. Select the IAM role EC2_role created in step 6 in the IAM role field.

12. Click Update IAM role.

Install the Active Directory Administration Tools on the EC2 Windows instance

Perform the following steps to install the Active Directory Administration Tools on the EC2 Windows Server instance.

1. Connect to your Amazon EC2 Windows instance using any Remote Desktop Protocol client.

2. Enter the value of the Public DNS when prompted to enter a Computer name.

3. When prompted for credentials, enter the username in the format <DIRECTORY-DNS-NAME>\Admin and the password you created when setting up your AWS Managed Microsoft AD. Then click OK.

Note: <DIRECTORY-DNS-NAME> is the Directory DNS name of your AWS Managed Microsoft AD. In our case, <DIRECTORY-DNS-NAME> is wazuh.domain.com.

4. Press Windows + R keys on your keyboard to open the run dialog box.

5. Type servermanager in the search box and click OK to open the Server Manager.

6. Click Add roles and features, then click Next.

7. Select Role-based or feature-based installation. Click Next > Next > Next.

8. Expand Remote Server Administration Tools > Role Administration Tools, and select AD DS and AD LDS Tools. Scroll down and select DNS Server Tools,  then click Next.


9. Click Install > Close.

Forward AWS Managed Microsoft AD logs to AWS CloudWatch

We forward AWS Managed Microsoft AD logs to AWS CloudWatch. Wazuh then pulls these logs from AWS CloudWatch, and analyzes these logs using decoders and rules.

Perform the following steps to forward AWS Managed Microsoft AD logs to AWS CloudWatch.

1. Navigate to the AWS portal and search for directory service in the search bar.

2. Click the directory service name wazuh.domain.com you created previously.

3. Choose the Networking & security tab, and locate the Log forwarding section.

4. In the Log forwarding section, click Enable.

5. Select Create a new CloudWatch log group, and click on Enable. Make a note of the CloudWatch log group name /aws/directoryservice/<DIRECTORY_ID>-wazuh.domain.com under the CloudWatch Log group name. You need this information to configure the Wazuh server to pull the AWS Managed Microsoft AD logs from CloudWatch.

Create an IAM user

Perform the following steps to create an IAM user wazuh_user with an Access key and a Secret access key on AWS.

1. Navigate to the AWS portal and search for iam in the search bar. Select the IAM service and choose Users from the Dashboard sidebar.

2. Click Create user, and type a name in the User name field. In our case, we use wazuh_user. Then click Next > Next > Create user.

3. Click the IAM user wazuh_user and then click on Create access key. 

4. Select Command Line Interface (CLI), and select the checkbox at the bottom to confirm your selection. Then click on Next > Create access key.

5. Copy and save both Access key and Secret access key. Then click Done.

Warning: Copy and save the secret access key now, because once you click Done you cannot retrieve it again. You can, however, create a new access key if it is lost.

Create and attach an IAM policy to an IAM user

The IAM user wazuh_user requires an IAM policy with the necessary permissions to collect the AWS Managed Microsoft AD logs from AWS CloudWatch. Perform the following steps to create and attach an IAM policy to the IAM user wazuh_user.

1. Navigate to the AWS portal and search for iam in the search bar. Select IAM service and choose Policies from the Dashboard sidebar.

2. Click Create policy and select JSON as your Policy editor.

3. Remove the default policy from the Policy editor workspace.

4. Paste the policy below into the Policy editor workspace.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudWatchlog0",
            "Effect": "Allow",
            "Action": "logs:DescribeLogStreams",
            "Resource": "arn:aws:logs:<REGION>:<AWS_ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:*"
        },
        {
            "Sid": "AWSCloudWatchlog1",
            "Effect": "Allow",
            "Action": "logs:GetLogEvents",
            "Resource": "arn:aws:logs:<REGION>:<AWS_ACCOUNT_ID>:log-group:<LOG_GROUP_NAME>:log-stream:*"
        }
    ]
}

Where:

  • <REGION> represents the region where your AWS account is located.
  • <AWS_ACCOUNT_ID> represents your AWS account ID.
  • <LOG_GROUP_NAME> represents the log group name of the AWS CloudWatch service. In our case, /aws/directoryservice/<DIRECTORY_ID>-wazuh.domain.com is the log group name.

5. Click Next, and enter a name in the Policy name field. In our case, we use wazuh_policy.

6. Click Create policy.

7. Search for the newly created IAM policy wazuh_policy.

8. Select the wazuh_policy, and click on Actions > Attach.

9. Search for the user wazuh_user, then select the user and click Attach policy.

Wazuh server

Perform the following steps on the Wazuh server to pull and analyze logs from AWS CloudWatch.

1. Create the directory /root/.aws on the Wazuh server:

# sudo mkdir /root/.aws

2. Create the file /root/.aws/credentials on the Wazuh server:

# sudo touch /root/.aws/credentials

3. Edit the file /root/.aws/credentials and include the following configuration to allow the Wazuh server to access your AWS account:

[default]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
region=<REGION>

Where:

  • <AWS_ACCESS_KEY_ID> represents the access key for the IAM user wazuh_user.
  • <AWS_SECRET_ACCESS_KEY> represents the secret access key for the IAM user wazuh_user.
  • <REGION> represents the region where your AWS account is located.

4. Edit the file /var/ossec/etc/ossec.conf on the Wazuh server to include the following configuration:

<ossec_config>
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>45m</interval>
    <run_on_start>yes</run_on_start>
    <service type="cloudwatchlogs">
      <aws_profile>default</aws_profile>
      <aws_log_groups>/aws/directoryservice/<DIRECTORY_ID>-wazuh.domain.com</aws_log_groups>
      <regions><REGION></regions>
    </service>
  </wodle>
</ossec_config>

Replace:

  • The <REGION> variable with the region where your AWS account is located.
  • The <DIRECTORY_ID> variable with the directory ID of the AWS Managed Microsoft Active Directory service.

Note: The interval represents how often Wazuh pulls logs from the AWS CloudWatch service. We use 45 minutes in this blog post. You can configure a longer interval if the logs in CloudWatch are very large.

5. Edit the file /var/ossec/etc/decoders/local_decoder.xml on the Wazuh server and include the following decoders:

<decoder name="AWS_Managed_Microsoft_AD">
        <prematch type="pcre2">\x3cEventID\x3e\d+\x3c\/EventID\x3e</prematch>
</decoder>

<decoder name="AWS_Managed_Microsoft_AD_001">
        <parent>AWS_Managed_Microsoft_AD</parent>
        <regex type="pcre2">\x3cEventID\x3e(\d+)\x3c\/EventID\x3e\x3cVersion\x3e0\x3c\/Version\x3e\x3cLevel\x3e0\x3c\/Level\x3e\x3cTask\x3e\d+\x3c\/Task\x3e\x3cOpcode\x3e\d+\x3c\/Opcode\x3e\x3cKeywords\x3e\S+?\x3c\/Keywords\x3e\x3cTimeCreated\s*SystemTime='\S+?\/\x3e\x3cEventRecordID\x3e\d+\x3c\/EventRecordID\x3e\x3cCorrelation\/\x3e\x3cExecution\s*ProcessID='\d+'\s*ThreadID='\d+'\/\x3e\x3cChannel\x3eSecurity\x3c\/Channel\x3e\x3cComputer\x3e\S+?\x3c\/Computer\x3e\x3cSecurity\/\x3e\x3c\/System\x3e\x3cEventData\x3e\x3cData\s*Name='TargetUserName'\x3e(\S+\s*\S*)?\x3c\/Data\x3e\x3cData\s*Name='TargetDomainName'\x3e(\S+)?\x3c\/Data\x3e\x3cData\s*Name='TargetSid'\x3e\S+?\x3c\/Data\x3e\x3cData\s*Name='SubjectUserSid'\x3e\S+?\x3c\/Data\x3e\x3cData\s*Name='SubjectUserName'\x3e(\S+)?\x3c\/Data\x3e.+</regex>
        <order>eventid, targetusername, targetdomainname, subjectusername</order>
</decoder>

6. Edit the file /var/ossec/etc/rules/local_rules.xml on the Wazuh server and include the following detection rules:

<group name="amazon, AWS_Managed_Microsoft_AD">
  <!-- This rule detects an AWS Managed Microsoft AD log. No alert is generated by this rule. -->
  <rule id="100074" level="0">
    <decoded_as>AWS_Managed_Microsoft_AD</decoded_as>
    <description>No alert for AWS Managed Microsoft AD log.</description>
  </rule>

  <!-- This rule detects when a user is created on AWS Managed Microsoft Active Directory. -->
  <rule id="100075" level="6">
    <if_sid>100074</if_sid>
    <field name="eventid">4720</field>
    <description>A user $(targetusername) was created by $(subjectusername) in $(targetdomainname) domain.</description>
    <mitre>
      <id>T1136.002</id>
    </mitre>
  </rule>

  <!-- This rule detects when a user is disabled on AWS Managed Microsoft Active Directory. -->
  <rule id="100076" level="6">
    <if_sid>100074</if_sid>
    <field name="eventid">4725</field>
    <description>A user $(targetusername) was disabled by $(subjectusername) in $(targetdomainname) domain.</description>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>

  <!-- This rule detects when a user is enabled on AWS Managed Microsoft Active Directory. -->
  <rule id="100077" level="6">
    <if_sid>100074</if_sid>
    <field name="eventid">4722</field>
    <description>A user $(targetusername) was enabled by $(subjectusername) in $(targetdomainname) domain.</description>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>

  <!-- This rule detects when a user is deleted from AWS Managed Microsoft Active Directory. -->
  <rule id="100078" level="6">
    <if_sid>100074</if_sid>
    <field name="eventid">4726</field>
    <description>A user $(targetusername) was deleted by $(subjectusername) in $(targetdomainname) domain.</description>
    <mitre>
      <id>T1531</id>
    </mitre>
  </rule>
</group>

Where:

  • Rule ID 100074 is triggered when Wazuh decodes an AWS Managed Microsoft AD log. This rule does not generate any alert on the Wazuh dashboard; it only serves as the parent for the rules below.
  • Rule ID 100075 is triggered when Wazuh detects that a user is created on AWS Managed Microsoft Active Directory (event ID 4720).
  • Rule ID 100076 is triggered when Wazuh detects that a user is disabled on AWS Managed Microsoft Active Directory (event ID 4725).
  • Rule ID 100077 is triggered when Wazuh detects that a user is enabled on AWS Managed Microsoft Active Directory (event ID 4722).
  • Rule ID 100078 is triggered when Wazuh detects that a user is deleted from AWS Managed Microsoft Active Directory (event ID 4726).
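To see how the decoder's <order> mapping and the rule chain above behave on a single event, here is an added Python example (not part of the original post or of Wazuh itself) that applies the page's PCRE2 decoder regex to a constructed Windows Security event in the single-line XML form the decoder expects, and emulates rules 100074 to 100078. The event contents (computer name, SIDs, timestamp, record ID) are constructed, not a real capture.

```python
import re

# Decoder regexes copied verbatim from the page's local_decoder.xml; the PCRE2
# syntax used there (\x3c hex escapes, lazy quantifiers) is also valid Python re.
PREMATCH = re.compile(r"\x3cEventID\x3e\d+\x3c\/EventID\x3e")
REGEX = re.compile(r"\x3cEventID\x3e(\d+)\x3c\/EventID\x3e\x3cVersion\x3e0\x3c\/Version\x3e\x3cLevel\x3e0\x3c\/Level\x3e\x3cTask\x3e\d+\x3c\/Task\x3e\x3cOpcode\x3e\d+\x3c\/Opcode\x3e\x3cKeywords\x3e\S+?\x3c\/Keywords\x3e\x3cTimeCreated\s*SystemTime='\S+?\/\x3e\x3cEventRecordID\x3e\d+\x3c\/EventRecordID\x3e\x3cCorrelation\/\x3e\x3cExecution\s*ProcessID='\d+'\s*ThreadID='\d+'\/\x3e\x3cChannel\x3eSecurity\x3c\/Channel\x3e\x3cComputer\x3e\S+?\x3c\/Computer\x3e\x3cSecurity\/\x3e\x3c\/System\x3e\x3cEventData\x3e\x3cData\s*Name='TargetUserName'\x3e(\S+\s*\S*)?\x3c\/Data\x3e\x3cData\s*Name='TargetDomainName'\x3e(\S+)?\x3c\/Data\x3e\x3cData\s*Name='TargetSid'\x3e\S+?\x3c\/Data\x3e\x3cData\s*Name='SubjectUserSid'\x3e\S+?\x3c\/Data\x3e\x3cData\s*Name='SubjectUserName'\x3e(\S+)?\x3c\/Data\x3e.+")
ORDER = ["eventid", "targetusername", "targetdomainname", "subjectusername"]

# Child rules from the page's local_rules.xml: event ID -> (rule id, verb in the description).
RULES = {"4720": (100075, "created"), "4725": (100076, "disabled"),
         "4722": (100077, "enabled"), "4726": (100078, "deleted")}
TEMPLATE = "A user $(targetusername) was {verb} by $(subjectusername) in $(targetdomainname) domain."

def decode(event):
    """Emulate the decoder pair: the prematch selects the event, the child regex fills the <order> fields."""
    if not PREMATCH.search(event):
        return None  # not an AWS Managed AD Security event: no decoder, so no rule
    m = REGEX.search(event)
    if not m:
        return {}  # parent matched only: rule 100074 still fires, but without fields
    return {name: (value or "") for name, value in zip(ORDER, m.groups())}

def evaluate(event):
    """Emulate the rule chain: 100074 (level 0) for any decoded event, then a child rule by eventid."""
    fields = decode(event)
    if fields is None:
        return None
    rule = RULES.get(fields.get("eventid"))
    if rule is None:
        return {"rule_id": 100074, "level": 0, "description": "No alert for AWS Managed Microsoft AD log."}
    rule_id, verb = rule
    description = TEMPLATE.format(verb=verb)
    for name, value in fields.items():  # expand $(field) the way the rule description does
        description = description.replace(f"$({name})", value)
    return {"rule_id": rule_id, "level": 6, "description": description}

def sample_event(event_id, target, subject):
    """Constructed Security event in the single-line XML form the regex expects; SIDs, host and time are made up."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
        "<Provider Name='Microsoft-Windows-Security-Auditing'/>"
        f"<EventID>{event_id}</EventID><Version>0</Version><Level>0</Level><Task>13824</Task>"
        "<Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords>"
        "<TimeCreated SystemTime='2024-03-01T10:15:30.123456Z'/><EventRecordID>4242</EventRecordID>"
        "<Correlation/><Execution ProcessID='600' ThreadID='1234'/><Channel>Security</Channel>"
        "<Computer>WIN-EXAMPLE.wazuh.domain.com</Computer><Security/></System><EventData>"
        f"<Data Name='TargetUserName'>{target}</Data><Data Name='TargetDomainName'>wazuh</Data>"
        "<Data Name='TargetSid'>S-1-5-21-111-222-333-1105</Data>"
        "<Data Name='SubjectUserSid'>S-1-5-21-111-222-333-500</Data>"
        f"<Data Name='SubjectUserName'>{subject}</Data>"
        "<Data Name='SubjectDomainName'>wazuh</Data></EventData></Event>"
    )

if __name__ == "__main__":
    # 4624 (logon) passes the decoder but has no child rule, so only level 0 rule 100074 applies.
    for eid in ("4720", "4725", "4722", "4726", "4624"):
        print(evaluate(sample_event(eid, "Test.U", "Admin")))
```

Running the block prints one result per event ID; the 4624 case shows why a decoded event can still produce no alert, which is what you would expect to see for the many Security events the rules above do not cover.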

7. Restart the Wazuh manager for your changes to take effect:

# systemctl restart wazuh-manager

Use case

Our use case involves creating, disabling, enabling, and deleting a user from the AWS Managed Microsoft AD.

AWS Managed Microsoft AD

Perform the following steps to create, disable, enable, and delete a user from the AWS Managed Microsoft AD.

1. Connect to your Amazon EC2 Windows instance using any Remote Desktop Protocol client.

2. Enter the value of the Public DNS when prompted to enter a Computer name.

3. When prompted for credentials, enter the username in the format <DIRECTORY-DNS-NAME>\Admin and the password you created when setting up your AWS Managed Microsoft AD. Then click OK.

Note: <DIRECTORY-DNS-NAME> is the Directory DNS name of your AWS Managed Microsoft AD. In our case, <DIRECTORY-DNS-NAME> is wazuh.domain.com.

4. Press Windows + R keys on your keyboard to open the run dialog box.

5. Type servermanager in the search box and click OK to open the Server Manager.

6. Click Tools > Active Directory Users and Computers.

7. Navigate to wazuh.domain.com > wazuh > Users.

8. Right-click on Users, and click New > User.

9. Enter Test in the First name field, and User in the Last name field.

10. Enter Test.U in the User logon name field.

11. Click Next, and enter a password in the Password and Confirm fields. 

12. Click Next > Finish.

13. Right-click on the newly created user Test User, and click Disable Account. Then click OK.

14. Right-click on the user Test User, and click Enable Account. Then click OK.

15. Right-click on the user Test User, and click Delete. Then click Yes.

Wazuh dashboard

Perform the following steps to view the alerts on the Wazuh dashboard.

1. Enable the Amazon AWS module on the Wazuh dashboard by navigating to Settings > Modules.


2. Navigate to Modules > Amazon AWS > Events.

3. Click + Add filter. Then filter for rule.id in the Field field.

4. Filter for is one of in the Operator field.

5. Filter for 100075, 100076, 100077, and 100078 in the Values field.

6. Click Save.

Note: Because the aws-s3 wodle pulls from CloudWatch at the 45-minute interval configured earlier, the alerts below can take up to approximately 45 minutes to appear on the Wazuh dashboard.


Conclusion

In this blog post, we successfully demonstrated how Wazuh monitors the activities performed on an AWS Managed Microsoft Active Directory service. This integration allows organizations to leverage Wazuh to provide insights into their AWS Managed Microsoft Active Directory.

Wazuh is a free and open source enterprise security solution for uncovering security threats, incident response, and meeting regulatory requirements. Please check out our documentation and blog posts to learn more about Wazuh.
