
Proof of Concept guide

Detecting unauthorized processes

In this use case, you use the Wazuh command monitoring capability to detect when Netcat is running on an Ubuntu endpoint. Netcat is a computer networking utility used for port scanning and port listening; because it can also open bind or reverse shells, an unexpected Netcat listener on a server is a useful signal of post-exploitation activity.

Infrastructure

Endpoint        Description
Ubuntu 22.04    You configure the Wazuh command monitoring module on this endpoint to detect a running Netcat process.

Configuration
Ubuntu endpoint

Take the following steps to configure command monitoring and query a list of all running processes on the Ubuntu endpoint.

1. Add the following configuration block to the Wazuh agent /var/ossec/etc/ossec.conf file. It makes the agent run the ps command every 30 seconds and forward the whole output as a single event:

<ossec_config>
<localfile>
<log_format>full_command</log_format>
<alias>process list</alias>
<command>ps -e -o pid,uname,command</command>
<frequency>30</frequency>
</localfile>
</ossec_config>
2. Restart the Wazuh agent to apply the changes:

$ sudo systemctl restart wazuh-agent

3. Install Netcat and the required dependencies:


$ sudo apt install ncat nmap -y

Wazuh server

Perform the following steps on the Wazuh server to create a rule that triggers every time a Netcat listener starts.

1. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. Rule 100050 matches the output of the "process list" command, and rule 100051 fires when that output contains nc -l; its ignore="900" attribute suppresses repeat alerts for 900 seconds, so a listener that stays up does not generate a new alert on every 30-second run of the command:

<group name="ossec,">
<rule id="100050" level="0">
<if_sid>530</if_sid>
<match>^ossec: output: 'process list'</match>
<description>List of running processes.</description>
<group>process_monitor,</group>
</rule>

<rule id="100051" level="7" ignore="900">
<if_sid>100050</if_sid>
<match>nc -l</match>
<description>netcat listening for incoming connections.</description>
<group>process_monitor,</group>
</rule>
</group>
2. Restart the Wazuh manager to apply the changes:

$ sudo systemctl restart wazuh-manager

Attack emulation

On the monitored Ubuntu endpoint, run nc -l 8000 for at least 30 seconds, so that one run of the monitored ps command captures the listener.

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

 rule.id:(100051)
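The rule chain above, replayed offline. This is an added example written for this page, not code from Wazuh or from the guide: it models rules 100050 and 100051 over constructed full_command events (the ps rows are made up), emulates the ignore="900" suppression, and puts the page's unanchored <match>nc -l</match> next to an assumed stricter pattern (STRICT_MATCH is the editor's, not a Wazuh rule). Two things fall out that the page does not mention: a process such as rsync -lav satisfies the substring nc -l, and invoking the same tool as ncat -l does not.

```python
"""Offline model of the guide's rule chain 100050 -> 100051 over constructed
command-monitoring events. Illustration code written for this page; not part
of Wazuh, and STRICT_MATCH is an assumed alternative, not the guide's rule."""
import re
from dataclasses import dataclass
from typing import List, Optional

ALIAS = "process list"
# Rule 100050 (child of 530): the event starts with the command's alias.
PARENT_MATCH = re.compile(r"^ossec: output: '" + re.escape(ALIAS) + r"'")
# Rule 100051 as written on the page: <match>nc -l</match> is an unanchored
# substring test against the whole ps output.
LOOSE_MATCH = re.compile(r"nc -l")
# Assumed stricter alternative (not from the guide): the COMMAND column of a
# `ps -e -o pid,uname,command` row must begin with nc/ncat/netcat (with or
# without a path) and carry a listen flag such as -l, -lvp or --listen.
STRICT_MATCH = re.compile(
    r"^\s*\d+\s+\S+\s+(?:\S*/)?(?:nc|ncat|netcat)(?:\s+\S+)*?\s+"
    r"(?:-[A-Za-z]*l[A-Za-z]*|--listen)\b",
    re.MULTILINE,
)
IGNORE_SECONDS = 900  # ignore="900" on rule 100051


@dataclass(frozen=True)
class Alert:
    rule_id: int
    level: int
    description: str


class ProcessListDetector:
    """Evaluates one full_command event at a time, keeping the ignore timer."""

    def __init__(self, strict: bool = False) -> None:
        self.pattern = STRICT_MATCH if strict else LOOSE_MATCH
        self.last_fired: Optional[float] = None

    def evaluate(self, event_text: str, now: float) -> List[Alert]:
        alerts: List[Alert] = []
        if not PARENT_MATCH.search(event_text):
            return alerts  # not output of the 'process list' command: chain stops
        alerts.append(Alert(100050, 0, "List of running processes."))
        if self.pattern.search(event_text):
            # ignore="900": once fired, the rule stays quiet for 900 seconds.
            if self.last_fired is None or now - self.last_fired >= IGNORE_SECONDS:
                self.last_fired = now
                alerts.append(Alert(100051, 7, "netcat listening for incoming connections."))
        return alerts


def event(*rows: str) -> str:
    """Build a constructed full_command event in the form the agent sends."""
    header = "    PID USER     COMMAND"
    return f"ossec: output: '{ALIAS}':\n" + "\n".join((header,) + rows) + "\n"


# Constructed sample events (not captured from a real endpoint).
EVENT_NC = event("      1 root     /sbin/init", "   1337 ubuntu   nc -l 8000")
EVENT_NCAT = event("      1 root     /sbin/init", "   1338 ubuntu   ncat -l 8000")
EVENT_RSYNC = event("      1 root     /sbin/init", "   2210 backup   rsync -lav /srv /mnt/backup")


def rule_ids(detector: ProcessListDetector, evt: str, now: float = 0.0) -> List[int]:
    """Rule IDs the detector raises for one event at time `now`."""
    return [a.rule_id for a in detector.evaluate(evt, now)]


if __name__ == "__main__":
    for name, evt in (("nc -l", EVENT_NC), ("ncat -l", EVENT_NCAT), ("rsync -lav", EVENT_RSYNC)):
        print(f"{name:12} loose={rule_ids(ProcessListDetector(), evt)} "
              f"strict={rule_ids(ProcessListDetector(strict=True), evt)}")
    # The same listener seen again 30 s later is suppressed by ignore="900".
    loose = ProcessListDetector()
    print("t=0:", rule_ids(loose, EVENT_NC, 0.0), " t=30:", rule_ids(loose, EVENT_NC, 30.0))
```

To tighten the production rule itself, the same idea goes into local_rules.xml with a <regex> element in place of <match>; which binary name to anchor on depends on how Netcat is actually invoked on your endpoints.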
Blocking a known malicious actor

In this use case, we demonstrate how to block malicious IP addresses from accessing web resources on a web server. You set up Apache web servers on Ubuntu and Windows endpoints, and try to access them from an RHEL endpoint.

This case uses a public IP reputation database that contains the IP addresses of some malicious actors. An IP reputation database is a collection of IP addresses that have been flagged as malicious. The RHEL endpoint plays the role of the malicious actor here, therefore you add its IP address to the reputation database. Then, you configure Wazuh to block the RHEL endpoint from accessing web resources on the Apache web servers for 60 seconds. It's a way of discouraging attackers from continuing to carry out their malicious activities.

In this use case, you use the Wazuh CDB list and active response capabilities.

Infrastructure

Endpoint        Description
RHEL 9.0        Attacker endpoint connecting to the victim's web servers. You use the Wazuh CDB list capability to flag its IP address as malicious.
Ubuntu 22.04    Victim endpoint running an Apache 2.4.54 web server. Here, you use the Wazuh active response module to automatically block connections from the attacker endpoint.
Windows 11      Victim endpoint running an Apache 2.4.54 web server. Here, you use the Wazuh active response module to automatically block connections from the attacker endpoint.
Configuration

Ubuntu endpoint

Perform the following steps to install an Apache web server and monitor its logs with the Wazuh agent.

1. Update local packages and install the Apache web server:

$ sudo apt update
$ sudo apt install apache2

2. If the firewall is enabled, modify the firewall to allow external access to web ports. Skip this step if the firewall is disabled:

$ sudo ufw status
$ sudo ufw app list
$ sudo ufw allow 'Apache'

3. Check the status of the Apache service to verify that the web server is running:

$ sudo systemctl status apache2

4. Use the curl command or open http://<UBUNTU_IP> in a browser to view the Apache landing page and verify the installation:

$ curl http://<UBUNTU_IP>

5. Add the following to the /var/ossec/etc/ossec.conf file to configure the Wazuh agent to monitor the Apache access log:

<localfile>
<log_format>syslog</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>

6. Restart the Wazuh agent to apply the changes:

$ sudo systemctl restart wazuh-agent
Windows endpoint

Install the Apache web server

Perform the following steps to install and configure an Apache web server.

1. Install the latest Visual C++ Redistributable package.

2. Download the Apache web server ZIP installation file. This is an already compiled binary for Windows operating systems.

3. Unzip the contents of the Apache web server zip file and copy the extracted Apache24 folder to the C: directory.

4. Navigate to the C:\Apache24\bin folder and run the following command in a PowerShell terminal with administrator privileges (PowerShell does not run executables from the current directory without the .\ prefix):

PS C:\Apache24\bin> .\httpd.exe

The first time you run the Apache binary, a Windows Defender Firewall prompt pops up.

5. Click on Allow Access. This allows the Apache HTTP server to communicate on your private or public networks depending on your network setting. It creates an inbound rule in your firewall to allow incoming traffic on port 80.

6. Open http://<WINDOWS_IP> in a browser to view the Apache landing page and verify the installation. Also, verify that this URL can be reached from the attacker endpoint.

Configure the Wazuh agent

Perform the steps below to configure the Wazuh agent to monitor Apache web server logs.

1. Add the following to C:\Program Files (x86)\ossec-agent\ossec.conf to configure the Wazuh agent to monitor the Apache access log:

<localfile>
<log_format>syslog</log_format>
<location>C:\Apache24\logs\access.log</location>
</localfile>

2. Restart the Wazuh agent in a PowerShell terminal with administrator privileges to apply the changes:

> Restart-Service -Name wazuh


Wazuh server

You need to perform the following steps on the Wazuh server to add the IP address of the RHEL endpoint to a CDB list, and then configure rules and active response.

Download the utilities and configure the CDB list

1. Install the wget utility to download the necessary artifacts using the command line interface:

$ sudo yum update && sudo yum install -y wget

2. Download the AlienVault IP reputation database:

$ sudo wget https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset -O /var/ossec/etc/lists/alienvault_reputation.ipset

3. Append the IP address of the attacker endpoint to the IP reputation database. Replace <ATTACKER_IP> with the RHEL IP address in the command below. Note that sudo applies to the echo command only, not to the shell's >> redirection, so sudo echo "..." >> file fails with "Permission denied" on the root-owned file downloaded in the previous step; pipe through tee -a instead:

$ echo "<ATTACKER_IP>" | sudo tee -a /var/ossec/etc/lists/alienvault_reputation.ipset

4. Download a script to convert from the .ipset format to the .cdb list format:

$ sudo wget https://wazuh.com/resources/iplist-to-cdblist.py -O /tmp/iplist-to-cdblist.py

5. Convert the alienvault_reputation.ipset file to a .cdb format using the previously downloaded script:

$ sudo /var/ossec/framework/python/bin/python3 /tmp/iplist-to-cdblist.py /var/ossec/etc/lists/alienvault_reputation.ipset /var/ossec/etc/lists/blacklist-alienvault

6. Optional: Remove the alienvault_reputation.ipset file and the iplist-to-cdblist.py script, as they are no longer needed:

$ sudo rm -f /var/ossec/etc/lists/alienvault_reputation.ipset
$ sudo rm -f /tmp/iplist-to-cdblist.py

7. Assign the right ownership to the generated file so that the Wazuh manager can read it:

$ sudo chown wazuh:wazuh /var/ossec/etc/lists/blacklist-alienvault
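What the conversion step produces, as an added example written for this page. It is not Wazuh's iplist-to-cdblist.py: it parses a constructed .ipset sample (comment lines, single addresses, CIDR blocks), writes the key:value lines that the manager compiles into the .cdb file, and checks that the attacker address is actually present before the list goes live. It emits exact-address keys only and expands netblocks no larger than /24, so it does not reproduce how the page's script represents large netblocks, and its contains() check mirrors a plain key match rather than the address_match_key lookup used by rule 100100. The sample addresses and the 198.51.100.77 attacker value are placeholders.

```python
"""Build the key:value source of a Wazuh CDB list from a firehol-style .ipset
file and confirm the attacker address made it in. Illustration code written
for this page; it is not Wazuh's iplist-to-cdblist.py, emits exact-address
keys only, and does not reproduce that script's handling of large netblocks."""
import ipaddress
import sys
from typing import List, Tuple

MAX_EXPAND = 256  # expand netblocks up to /24; larger ones are reported, not expanded

# Constructed sample in the feed's layout (comment lines, bare IPv4 addresses,
# CIDR blocks). The un-substituted "<ATTACKER_IP>" is exactly what ends up in
# the file if the placeholder in the guide's echo command is not replaced.
SAMPLE_IPSET = """\
# alienvault_reputation (constructed sample, not the real feed)
203.0.113.7
198.51.100.0/30
10.0.0.0/8
<ATTACKER_IP>
192.0.2.0/24   # trailing comment
"""


def parse_ipset(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Return (networks, rejected_lines). Blank lines and '#' comments are
    skipped; anything that is not an IPv4 address or CIDR block is rejected
    rather than silently written into the list."""
    nets: List[ipaddress.IPv4Network] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.IPv4Network(entry, strict=False))  # "a.b.c.d" -> a.b.c.d/32
        except ValueError:
            rejected.append(raw)
    return nets, rejected


def to_cdb_lines(nets: List[ipaddress.IPv4Network]) -> Tuple[List[str], List[str]]:
    """Emit one 'a.b.c.d:' line per address (key with an empty value), the
    layout the manager compiles into a .cdb file. Returns (lines, skipped_blocks)."""
    keys = set()
    skipped: List[str] = []
    for net in nets:
        if net.num_addresses > MAX_EXPAND:
            skipped.append(str(net))
            continue
        keys.update(str(ip) for ip in net)  # iterating a network yields every address
    return [f"{k}:" for k in sorted(keys, key=ipaddress.IPv4Address)], skipped


def contains(lines: List[str], srcip: str) -> bool:
    """Exact-key lookup: does an individually listed address appear in the list?"""
    return f"{srcip}:" in set(lines)


def build(ipset_text: str, attacker_ip: str) -> Tuple[List[str], List[str], List[str]]:
    """Append the attacker address, convert, and fail loudly if it is not listed."""
    nets, rejected = parse_ipset(ipset_text + f"\n{attacker_ip}\n")
    lines, skipped = to_cdb_lines(nets)
    if not contains(lines, attacker_ip):
        raise ValueError(f"{attacker_ip} did not make it into the list")
    return lines, rejected, skipped


if __name__ == "__main__":
    # usage: python3 this.py <ATTACKER_IP> [input.ipset] [output_cdb_source]
    attacker = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.77"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_IPSET
    lines, rejected, skipped = build(text, attacker)
    if len(sys.argv) > 3:
        with open(sys.argv[3], "w") as fh:
            fh.write("\n".join(lines) + "\n")
    else:
        print("\n".join(lines))
    for r in rejected:
        print(f"rejected malformed entry: {r!r}", file=sys.stderr)
    for s in skipped:
        print(f"skipped netblock larger than /24: {s}", file=sys.stderr)
```

The rejected-entry report is the check worth keeping: a literal <ATTACKER_IP> or a typo in the appended address never matches any srcip, so the active response would simply never fire and nothing in the dashboard would say why.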


Configure the active response module to block the malicious IP address

1. Add a custom rule to trigger a Wazuh active response script. Do this in the Wazuh server /var/ossec/etc/rules/local_rules.xml custom ruleset file:

<group name="attack,">
<rule id="100100" level="10">
<if_group>web|attack|attacks</if_group>
<list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
<description>IP address found in AlienVault reputation database.</description>
</rule>
</group>

2. Edit the Wazuh server /var/ossec/etc/ossec.conf configuration file and add the etc/lists/blacklist-alienvault list to the <ruleset> section:

<ossec_config>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<list>etc/lists/blacklist-alienvault</list>

<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
</ossec_config>

3. Add the active response block to the Wazuh server /var/ossec/etc/ossec.conf file. In both blocks, <location>local</location> runs the response script on the agent that generated the alert, <rules_id>100100</rules_id> binds it to the custom rule above, and <timeout>60</timeout> lifts the block again after 60 seconds.

For the Ubuntu endpoint

The firewall-drop command integrates with the Ubuntu local iptables firewall and drops incoming network connections from the attacker endpoint for 60 seconds:

<ossec_config>
<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>100100</rules_id>
<timeout>60</timeout>
</active-response>
</ossec_config>

For the Windows endpoint

The active response script uses the netsh command to add a Windows Firewall rule that blocks the attacker's IP address on the Windows endpoint. The block lasts 60 seconds:

<ossec_config>
<active-response>
<command>netsh</command>
<location>local</location>
<rules_id>100100</rules_id>
<timeout>60</timeout>
</active-response>
</ossec_config>

4. Restart the Wazuh manager to apply the changes:

$ sudo systemctl restart wazuh-manager


Attack emulation

1. Access any of the web servers from the RHEL endpoint using the corresponding IP address. Replace <WEBSERVER_IP> with the appropriate value and execute the following command from the attacker endpoint:

$ curl http://<WEBSERVER_IP>

The attacker endpoint connects to the victim's web servers the first time: the block is only applied once the access log entry for that request reaches the manager and rule 100100 fires. After the first connection, the Wazuh active response module temporarily blocks any successive connection to the web servers for 60 seconds.

Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

 Ubuntu -  rule.id:(651 OR 100100)
 Windows -  rule.id:(657 OR 100100)

Detecting a brute-force attack

Brute-forcing is a common attack vector that threat actors use to gain unauthorized access to endpoints and services. Services like SSH on Linux endpoints and RDP on Windows endpoints are usually prone to brute-force attacks. Wazuh identifies brute-force attacks by correlating multiple authentication failure events.

The section on Blocking attacks with Active Response describes how to configure an active response to block the IP address of an attacker. In this use case, we show how Wazuh detects brute-force attacks on RHEL and Windows endpoints.

Infrastructure

Endpoint        Description
Ubuntu 22.04    Attacker endpoint that performs brute-force attacks. It's required to have an SSH client installed on this endpoint.
RHEL 9.0        Victim endpoint of SSH brute-force attacks. It's required to have an SSH server installed and enabled on this endpoint.
Windows 11      Victim endpoint of RDP brute-force attacks. It's required to enable RDP on this endpoint.

Configuration

Perform the following steps on the Ubuntu attacker endpoint. They install the tool used to generate authentication failures against the monitored RHEL and Windows endpoints.

1. On the attacker endpoint, install Hydra, the tool used to execute the brute-force attack:

$ sudo apt update
$ sudo apt install -y hydra
Attack emulation

1. Create a text file with 10 random passwords.

2. Run Hydra from the attacker endpoint to execute brute-force attacks against the RHEL endpoint. To do this, replace <RHEL_IP> with the IP address of the RHEL endpoint and run the command below:

$ sudo hydra -l badguy -P <PASSWD_LIST.txt> <RHEL_IP> ssh

3. Run Hydra from the attacker endpoint to execute brute-force attacks against the Windows endpoint. To do this, replace <WINDOWS_IP> with the IP address of the Windows endpoint and run the command below:

$ sudo hydra -l badguy -P <PASSWD_LIST.txt> rdp://<WINDOWS_IP>


Visualize the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

 Linux -  rule.id:(5551 OR 5712) . Other related rules are 5710, 5711, 5716, 5720, 5503, 5504.
 Windows -  rule.id:(60122 OR 60204)
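The correlation behind these alerts, as an added example written for this page rather than code from the Wazuh ruleset or analysisd: a per-source sliding window over constructed sshd failure lines that fires when `frequency` failures from one IP fall within `timeframe` seconds and then stays quiet for `ignore` seconds, which is the behaviour of the frequency, timeframe, same_source_ip and ignore rule attributes behind rules such as 5712. The thresholds (8 failures in 120 s, 60 s ignore), the hostname rhel and the 10.0.0.x addresses are illustrative and not copied from the ruleset.

```python
"""Sliding-window correlation of SSH authentication failures per source IP,
the logic behind Wazuh's frequency, timeframe, same_source_ip and ignore rule
attributes. Illustration code written for this page, not Wazuh's analysisd;
the thresholds are illustrative, not copied from rules 5551/5712."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

FREQUENCY = 8    # failures from one source that trigger the alert
TIMEFRAME = 120  # seconds within which those failures must fall
IGNORE = 60      # seconds to stay quiet per source after firing

# sshd failure lines in syslog layout, as a Hydra run against sshd produces them.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<srcip>\d+\.\d+\.\d+\.\d+)"
)


def parse_ts(ts: str) -> float:
    """Seconds since the start of the (year-less) syslog timestamp's year."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S")  # year defaults to 1900
    return (dt - datetime(dt.year, 1, 1)).total_seconds()


class BruteForceCorrelator:
    def __init__(self, frequency: int = FREQUENCY, timeframe: int = TIMEFRAME,
                 ignore: int = IGNORE) -> None:
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)  # per srcip
        self.last_alert: Dict[str, float] = {}

    def feed(self, line: str) -> Optional[dict]:
        """Consume one log line; return an alert when the threshold is crossed."""
        m = FAILED_RE.match(line)
        if not m:
            return None  # not an authentication failure: nothing to correlate
        srcip, now = m["srcip"], parse_ts(m["ts"])
        window = self.failures[srcip]
        window.append(now)
        while window and now - window[0] > self.timeframe:
            window.popleft()  # forget failures older than the timeframe
        fired_at = self.last_alert.get(srcip)
        if len(window) >= self.frequency and (fired_at is None or now - fired_at >= self.ignore):
            self.last_alert[srcip] = now
            return {"srcip": srcip, "user": m["user"], "count": len(window), "at": m["ts"]}
        return None


def run(lines: List[str], **kwargs) -> List[dict]:
    """Replay a log through a fresh correlator and collect the alerts."""
    corr = BruteForceCorrelator(**kwargs)
    return [a for a in (corr.feed(line) for line in lines) if a]


def sample_log(spacing: int = 1, attempts: int = 10) -> List[str]:
    """Constructed sshd log: `attempts` failures for user badguy from 10.0.0.5,
    `spacing` seconds apart, with unrelated lines from 10.0.0.9 interleaved."""
    lines: List[str] = []
    for i in range(attempts):
        sec = i * spacing
        stamp = f"Jan 10 12:{sec // 60:02d}:{sec % 60:02d}"
        lines.append(f"{stamp} rhel sshd[{1000 + i}]: Failed password for invalid user badguy "
                     f"from 10.0.0.5 port {40000 + i} ssh2")
        if i == 2:
            lines.append(f"{stamp} rhel sshd[2000]: Accepted password for ubuntu "
                         f"from 10.0.0.9 port 5555 ssh2")
        if i == 3:
            lines.append(f"{stamp} rhel sshd[2001]: Failed password for root "
                         f"from 10.0.0.9 port 5556 ssh2")
    return lines


if __name__ == "__main__":
    print("fast attack:", run(sample_log()))            # one alert at the 8th failure
    print("slow attack:", run(sample_log(spacing=30)))  # never 8 failures inside 120 s
```

The second call is the caveat worth remembering: an attacker who paces attempts so that fewer than `frequency` failures ever share a `timeframe` window never trips this rule, which is why the lower-level per-failure rules (5710, 5716 and the Windows 4625 equivalents) are still worth keeping visible rather than filtering out.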
