CYBERDUDEBIVASH — Top 10 Wazuh Ransomware Rules
Generated: 2025-11-04 15:03 IST

WHAT YOU GET
- cdb_wazuh_ransomware_rules.xml  (10 high-signal rules for Windows with Sysmon telemetry)
- Works with Windows Eventchannel + Sysmon forwarding to Wazuh

PREREQS
1) Deploy Sysmon on Windows endpoints (the SwiftOnSecurity config or an equivalent is recommended).
2) Ensure Sysmon Event IDs 1 (ProcessCreate) and 11 (FileCreate) are forwarded to Wazuh; the rules depend on both.

INSTALL (Wazuh Manager)
A) As a dedicated rules file:
   - Copy cdb_wazuh_ransomware_rules.xml to /var/ossec/etc/rules.d/
   - chmod 640, chown root:wazuh
   - systemctl restart wazuh-manager

   OR

B) Append to local rules:
   - Append the XML content into /var/ossec/etc/rules/local_rules.xml inside <group>...</group>
   - Restart wazuh-manager

TEST
- Simulate ransom-note creation in a test VM:
  echo "test" > "%USERPROFILE%\Desktop\README_RECOVER_FILES.txt"

- Simulate vssadmin (fails harmlessly in non-admin shells, but Sysmon still logs the process creation):
  vssadmin.exe delete shadows /all /quiet  (expect Rule 880100)

- Safe PowerShell encoded sample:
  powershell -enc UwBFAFgA  (expect Rule 880104)

TUNING
- Adjust the <frequency>/<timeframe> values in Rule 880106 to match your environment's normal file-creation rate.
- Add any ransomware note filename patterns you encounter to Rule 880105.
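The effect of the <frequency>/<timeframe> knobs is easier to reason about with a small model. The following is an added example, not code from this rule pack: it assumes Rule 880106 is a burst-of-file-creation rule over Sysmon Event 11 and models Wazuh's correlation as a sliding window over constructed (agent, Image, TargetFilename) records (field names follow Wazuh's win.eventdata layout; exact Wazuh counting semantics should be checked against the ruleset docs).

```python
from collections import defaultdict, deque

# Constructed Sysmon Event 11 (FileCreate) samples, shaped like the fields
# Wazuh's eventchannel decoder exposes: (epoch seconds, agent, Image, TargetFilename)
BURST = [(1000 + i, "WS01", r"C:\Users\bob\AppData\Local\Temp\upd.exe",
          rf"C:\Users\bob\Documents\file{i}.docx.locked") for i in range(25)]
BACKGROUND = [(1000 + i * 30, "WS02", r"C:\Program Files\Office\WINWORD.EXE",
               rf"C:\Users\ann\Documents\report{i}.docx") for i in range(25)]
SAMPLE_EVENTS = sorted(BURST + BACKGROUND)   # constructed, not real telemetry


def mass_file_creation_alerts(events, frequency=20, timeframe=60):
    """Simplified model of a <frequency>/<timeframe> rule (assumed shape of
    Rule 880106): fire when one (agent, Image) pair creates `frequency` files
    within `timeframe` seconds. Returns [(agent, image, ts_of_alert), ...];
    the window is cleared after firing so one burst produces one alert."""
    windows = defaultdict(deque)        # (agent, image) -> recent timestamps
    alerts = []
    for ts, agent, image, _target in sorted(events):
        q = windows[(agent, image)]
        q.append(ts)
        while ts - q[0] > timeframe:    # drop events that fell out of the window
            q.popleft()
        if len(q) >= frequency:
            alerts.append((agent, image, ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    # Default tuning: only the 25-file burst from the Temp-dir binary fires.
    print(mass_file_creation_alerts(SAMPLE_EVENTS))
    # Over-sensitive tuning: ordinary Word saves on WS02 now alert as well.
    print(mass_file_creation_alerts(SAMPLE_EVENTS, frequency=5, timeframe=120))
```

Running it shows the trade-off the TUNING item describes: the defaults flag only the WS01 burst, while lowering <frequency> and widening <timeframe> turns routine document saves on WS02 into alerts.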

SUPPORT & SERVICES
- Incident response retainers, Wazuh hardening, Sysmon configs, and Active Response playbooks:
  https://www.cyberdudebivash.com/apps-products
