CYBERDUDEBIVASH — Wazuh Ransomware Rules Pack v1.1
Generated: 2025-11-04 15:06 IST

WHAT'S NEW (v1.1)
- Linux add-on rules (IDs 881100–881109) for auditd/sysmon-for-linux + FIM
- Active Response pack: kill-process and host isolation scripts for Windows/Linux
- ossec.conf wiring snippets to quickly enable Active Response (AR) on the pack's rules

CONTENTS
- cdb_wazuh_ransomware_rules.xml                   (Windows/Sysmon rules 880100–880109)
- cdb_wazuh_ransomware_rules_linux.xml             (Linux rules 881100–881109)
- active_response/kill-process.ps1                 (Win)
- active_response/isolate-host.ps1                 (Win)
- active_response/kill-process.sh                  (Linux, +x)
- active_response/isolate-host.sh                  (Linux, +x)
- ossec_conf_active_response_snippets.xml          (copy-paste into /var/ossec/etc/ossec.conf)

INSTALL
1) Copy the rules XML files into /var/ossec/etc/rules.d/ on the Wazuh Manager (or append their contents to local_rules.xml).
2) Copy the scripts from active_response/ to /var/ossec/active-response/bin/ on every agent that will run them, and set the executable bits.
3) Merge ossec_conf_active_response_snippets.xml into /var/ossec/etc/ossec.conf (the <command> and <active-response> sections).
4) Restart Wazuh Manager and affected Agents.
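A pre-install sanity check to run before step 1, added here as an example and not one of the pack's own scripts: it confirms that every rule ID in a rules file stays inside the range the pack documents (880100–880109 for Windows, 881100–881109 for Linux), that no ID repeats, and that none is already defined by another file in rules.d/, because a duplicated rule ID is rejected when the manager loads its ruleset. The demo files it creates are constructed, and the rules.d path is only an assumed default.

```shell
#!/bin/sh
# check_rule_ids FILE MIN MAX [RULES_DIR]: returns 0 only when every <rule id="...">
# in FILE lies inside MIN..MAX, no ID repeats inside FILE, and no ID is already taken
# by another *.xml in RULES_DIR (default: the manager's rules.d from the INSTALL step).
check_rule_ids() {
    file=$1; min=$2; max=$3; rules_dir=${4:-/var/ossec/etc/rules.d}; status=0
    ids=$(grep -o '<rule [^>]*id="[0-9][0-9]*"' "$file" | sed 's/.*id="\([0-9]*\)"/\1/')
    [ -n "$ids" ] || { echo "$file: no <rule id=...> found" >&2; return 1; }
    for id in $ids; do
        if [ "$id" -lt "$min" ] || [ "$id" -gt "$max" ]; then
            echo "$file: rule $id is outside the pack's range $min-$max" >&2; status=1
        fi
    done
    for id in $(printf '%s\n' $ids | sort | uniq -d); do
        echo "$file: rule $id is defined twice" >&2; status=1
    done
    if [ -d "$rules_dir" ]; then
        for other in "$rules_dir"/*.xml; do   # skip an unmatched glob and the file itself
            if [ ! -f "$other" ] || [ "$other" -ef "$file" ]; then continue; fi
            for id in $ids; do
                if grep -q "<rule [^>]*id=\"$id\"" "$other"; then
                    echo "$file: rule $id already defined in $other" >&2; status=1
                fi
            done
        done
    fi
    return $status
}

# Constructed demo data (not the pack's real files): a rules.d holding one installed
# rule, a clean candidate, and a candidate with a duplicate, a clash and a range error.
demo_dir=$(mktemp -d); mkdir "$demo_dir/rules.d"
printf '<group name="local,">\n  <rule id="880105" level="10"><description>installed</description></rule>\n</group>\n' > "$demo_dir/rules.d/existing.xml"
cat > "$demo_dir/ok.xml" <<'EOF'
<group name="ransomware,">
  <rule id="880100" level="10"><description>ok</description></rule>
  <rule id="880101" level="12"><description>ok</description></rule>
</group>
EOF
cat > "$demo_dir/bad.xml" <<'EOF'
<group name="ransomware,">
  <rule id="880100" level="10"><description>first</description></rule>
  <rule id="880100" level="12"><description>duplicate</description></rule>
  <rule id="880105" level="12"><description>clashes with existing.xml</description></rule>
  <rule id="881105" level="12"><description>Linux ID in the Windows file</description></rule>
</group>
EOF
if check_rule_ids "$demo_dir/ok.xml" 880100 880109 "$demo_dir/rules.d"; then echo "ok.xml: safe to install"; fi
if ! check_rule_ids "$demo_dir/bad.xml" 880100 880109 "$demo_dir/rules.d"; then echo "bad.xml: fix before installing"; fi
```

Run it against each real file with the matching range (880100 880109 for the Windows file, 881100 881109 for the Linux one) before copying into rules.d.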

CAUTION
- Isolation scripts block outbound traffic; set your real Manager IP before enabling them so the isolated host can still reach the Manager.
- Test everything in a lab first. Start with kill-process only, then add isolation once confident.

QUICK TESTS
- Windows: create README_RECOVER_FILES.txt on Desktop; run 'powershell -enc UwBFAFgA'; simulate vssadmin delete (admin shell).
- Linux: drop a ransom-note-named file under ~/Documents; run 'find /home -type f -exec chmod 000 {} +' in a lab to see rule 881105 (DANGEROUS—lab only!).

SERVICES
- Need turnkey deployment & tuning? IR retainers, Wazuh/Sysmon baselines, AR design: https://www.cyberdudebivash.com/apps-products
