// telemetry setup

Stand up the data sources that make detection possible

Detection rules are only as good as the telemetry that feeds them. Complete these steps in order on a lab Windows endpoint.

  1. Enable Windows process-creation auditing

    Group Policy → Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies → Detailed Tracking → Audit Process Creation: Success. The same setting can be applied locally with auditpol:

    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
  2. Include command line in 4688 events

    Administrative Templates → System → Audit Process Creation → Include command line in process creation events: Enabled.

    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
  3. Enable PowerShell Script Block Logging

    Records the de-obfuscated text of every script block PowerShell executes, including encoded and obfuscated commands, as EID 4104 in Microsoft-Windows-PowerShell/Operational.

    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
  4. Enable PowerShell Module Logging

    Provides pipeline execution detail (EID 4103) for high-fidelity behavioral context.

    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" /v EnableModuleLogging /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" /v "*" /t REG_SZ /d "*" /f
  5. Install and configure Sysmon

    Use a vetted baseline config (e.g. SwiftOnSecurity / Olaf Hartong) and tune for PowerShell scenarios.

    Sysmon64.exe -accepteula -i sysmonconfig.xml
  6. Forward logs to Wazuh

    Subscribe the agent to the relevant event channels in the agent's ossec.conf, then restart the agent so the change takes effect.

    <localfile>
      <location>Microsoft-Windows-Sysmon/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
      <location>Microsoft-Windows-PowerShell/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
      <location>Security</location>
      <log_format>eventchannel</log_format>
    </localfile>
  7. Verify collection

    Run a known event generator and confirm Wazuh receives it. Note that archives.log is only written when <logall>yes</logall> is set under <global> in the manager's ossec.conf; otherwise look for the event in alerts.log or the dashboard instead.

    # On endpoint:
    powershell.exe -c "Write-Host detection-test"
    
    # On Wazuh manager:
    tail -f /var/ossec/logs/archives/archives.log | grep detection-test
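As an added example that is not part of the original guide, the following PowerShell script checks that steps 1 through 6 actually took effect on the endpoint and then fires the step 7 test event, confirming it locally before you tail the manager. It assumes an elevated session on the lab host; the Wazuh agent service name WazuhSvc is an assumption for current agent builds (check Get-Service if your version registers a different name).

```powershell
# Added verification script (not part of the original guide). Checks that the
# settings from steps 1-6 are in place and then fires the step-7 test event.
# Assumes an elevated PowerShell session on the lab endpoint; the service name
# 'WazuhSvc' for the Wazuh agent is an assumption for current agent builds.

# Registry-backed settings from steps 2-4: key path, value name, expected data.
$registryChecks = @(
    @{ Name = 'Command line in 4688 events'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       ValueName = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1 },
    @{ Name = 'Script Block Logging (4104)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       ValueName = 'EnableScriptBlockLogging'; Expected = 1 },
    @{ Name = 'Module Logging (4103)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       ValueName = 'EnableModuleLogging'; Expected = 1 },
    @{ Name = 'Module Logging covers every module'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
       ValueName = '*'; Expected = '*' }
)

$failures = @()

foreach ($check in $registryChecks) {
    # Get-Item + GetValue() reads the value by its literal name, which matters
    # for the ModuleNames entry whose value name is a bare '*'.
    $key = Get-Item -Path $check.Path -ErrorAction SilentlyContinue
    $actual = if ($key) { $key.GetValue($check.ValueName) } else { $null }
    if ("$actual" -ne "$($check.Expected)") {
        $failures += "$($check.Name): expected '$($check.Expected)', found '$actual'"
    }
}

# Step 1: process-creation auditing. auditpol /r emits CSV whose
# 'Inclusion Setting' column reads 'Success', 'Success and Failure', etc.
$audit = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_ } | ConvertFrom-Csv
if (-not $audit -or $audit.'Inclusion Setting' -notmatch 'Success') {
    $failures += "Process Creation auditing: expected Success, found '$($audit.'Inclusion Setting')'"
}

# Steps 5 and 6: the Sysmon service and the Wazuh agent must both be running.
# Sysmon registers as 'Sysmon64' or 'Sysmon' depending on the binary used.
$sysmon = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' }
if (-not $sysmon) { $failures += 'Sysmon service is not running' }

$wazuh = Get-Service -Name 'WazuhSvc' -ErrorAction SilentlyContinue   # assumed service name
if (-not $wazuh -or $wazuh.Status -ne 'Running') {
    $failures += 'Wazuh agent service (WazuhSvc) is not running'
}

if ($failures) {
    Write-Warning 'Telemetry baseline is incomplete:'
    $failures | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
Write-Host 'All telemetry settings verified.'

# Step 7: fire the test event, then confirm it produced an EID 4104 locally
# before checking the manager side with the tail/grep shown in step 7.
powershell.exe -c "Write-Host detection-test"
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'detection-test' } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Snippet'; Expression = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
```

If the final Get-WinEvent query returns nothing, script block logging is not effective on the host and there is no point tailing the manager yet; if it returns a row but nothing reaches archives.log, the problem is in the agent subscription or forwarding path from step 6 rather than in the endpoint configuration.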