
[ProjectX] E101: Vulnerable Environment Setup & Wazuh Monitoring


This homelab project is included in the ProjectX course by Grant Collins.

Network Topology & Attack Scenario

VM System

In the course, virtual machines (VMs) are used, but I prefer using Proxmox VE to save resources.

Overall Purpose of homelab project

  • Comparison of Detection Integration: corp-svr (without EDR) vs. linux-client (with Wazuh Agent)

Configure a Vulnerability

OpenSSH

  • PasswordAuthentication yes : Allows users to log in using a standard password rather than a secure SSH key.

    • Why Insecure?: Vulnerable to brute-force attacks.

  • PermitRootLogin yes : Allows the "root" account to log in directly via SSH.

    • Why Insecure?: Attackers only need to guess one password to gain full control of the machine.

  • Weak Password: Set the root password to november using sudo passwd root.
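The two sshd_config directives above are easy to miss when a file is long or edited more than once, because sshd takes the first value it sees for a keyword and ignores later ones. The following is an added example, not code from the course or the original post: a small checker that reads an sshd_config the way sshd does (comments stripped, case-insensitive keywords, first match wins, Match blocks excluded from the global settings) and reports the two lab values; the sample config it parses is constructed.

```python
import re

# Constructed sample sshd_config (not from the lab). sshd uses the FIRST value
# it sees for a keyword, so the "no" lines appended later change nothing.
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# hardening added at the end of the file: too late, first match wins
PasswordAuthentication no
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""

# The two lab directives and the value that makes each one insecure.
WEAK_VALUES = {"passwordauthentication": "yes", "permitrootlogin": "yes"}


def effective_global_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Mirrors sshd's rules: comments stripped, keywords are case-insensitive,
    "Key value" and "Key=value" both accepted, first occurrence wins, and
    everything after a Match line belongs to that block, not to the globals.
    """
    settings = {}
    in_match_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match_block = True
            continue
        if not in_match_block:
            settings.setdefault(key, value)
    return settings


def weak_settings(text):
    """List the (keyword, value) pairs that are set to the insecure lab value."""
    effective = effective_global_settings(text)
    return [(k, effective[k]) for k, bad in WEAK_VALUES.items()
            if effective.get(k) == bad]


if __name__ == "__main__":
    for keyword, value in weak_settings(SAMPLE_SSHD_CONFIG):
        print(f"insecure: {keyword} {value}")
```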

Create Detection Alert for ssh in Wazuh

  • To create a detection alert, start from a sample SSH authentication failure event.
    - From the screenshot of that event, the decoder name and the rule groups can be read off.

  • Using the sample, create a query.

Enable WinRM on win-client

  • What is WinRM?: Windows Remote Management allows administrators to remotely manage Windows systems, similar to how SSH works for Linux.

  • Commands to enable WinRM (run from an elevated prompt):
    powershell -ep bypass
    Enable-PSRemoting -force
    winrm quickconfig -transport:https
    Set-Item wsman:\localhost\client\trustedhosts *
    net localgroup "Remote Management Users" /add administrator
    Restart-Service WinRM

How to detect activation of WinRM

- Event ID 4624 with a logonProcessName of Kerberos
- Wazuh Rule ID: 60106
- Description: User: Windows Logon Success

  • From the sample above, build a data filter for the alert.

Configure SMTP Email Inbox Connection

[project-x-corp-svr] -> [project-x-linux-client]

Run MailHog
  • Docker is used to host and orchestrate MailHog, which acts as the SMTP server for the lab environment.

  • The email_poller.sh script is run on the client machine ([project-x-linux-client]) to interact with the MailHog server.

  • [project-x-corp-svr] is intentionally unmanaged to demonstrate the security 'blind spot' that occurs when monitoring tools are absent.

Enable RDP on [project-x-dc]

How to detect RDP connection in Wazuh

  • Default Wazuh Rule to detect RDP: 92653

  • Or use the query data.win.system.eventID: 4624 AND data.win.eventdata.logonProcessName: User32.

    • Windows Security Event ID 4624: successful authentication.

    • Windows Security Event ID 4625: unsuccessful authentication.

    • The value User32 in the logonProcessName field indicates the use of the User32.dll library, which handles RDP logins.

Setup “Sensitive File” in [project-x-dc]

  • Create a secrets.txt file under Administrator > Documents > ProductionFiles.

Detect file modifications in Wazuh

  • Under Server management > Endpoint Groups > Windows > agent.conf

  • Add the block below to enable file monitoring:

<syscheck>
  <directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\Administrator\Documents\ProductionFiles</directories>
  <frequency>60</frequency>
</syscheck>
  • check_all="yes" : checks multiple file properties, including the file's hashes (MD5, SHA1, and SHA256), permissions, owner, group, and size

  • report_changes="yes" : when a text file is modified, Wazuh includes the content changes in the alert it sends

  • Under File Integrity Monitoring's Inventory tab, the monitored files, including secrets.txt, can be seen

Create Detection Alert for File Modification

  • Under the Rules tab, open local_rules.xml and add the code below
<group name="syscheck">
  <rule id="100002" level="10">
    <!-- chain from Wazuh's built-in "Integrity checksum changed" rule (550) -->
    <if_sid>550</if_sid>
    <field name="file">secrets.txt</field>
    <match>modified</match>
    <description>File integrity monitoring alert - access to secrets.txt file detected</description>
  </rule>
</group>
  • Save and restart the Wazuh manager

  • Under Alerting > Monitors > Create Monitor, write configuration

  • full_log contains secrets.txt : ensures only events specifically related to secrets.txt are considered.

  • syscheck.event is modified : When a file change is detected, Wazuh categorizes the type of action that occurred.

  • Also configure the Trigger Condition.
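The three detections on this page (the WinRM logon query, the RDP logon query, and the secrets.txt monitor filter) can be checked offline against alert records before they are trusted in the dashboard. Here is an added Python example, not code from the course or the original post: it reproduces each query as a predicate over dicts shaped like Wazuh alert documents and runs them over a constructed sample batch (the sample alerts and the helper names are assumptions, not captured lab data).

```python
from collections import Counter
SECRETS = "c:\\users\\administrator\\documents\\productionfiles\\secrets.txt"

# Builders for constructed alerts (not captured from the lab), keeping only the
# fields the three queries on this page reference.
def _win(event_id, logon_process):
    return {"data": {"win": {"system": {"eventID": event_id},
                             "eventdata": {"logonProcessName": logon_process}}}}

def _fim(event, path):  # full_log shaped the way Wazuh writes syscheck alerts
    return {"syscheck": {"event": event, "path": path},
            "full_log": f"File '{path}' {event}\nMode: realtime\n"}

SAMPLE_ALERTS = [
    _win("4624", "Kerberos"),   # WinRM session on win-client
    _win("4624", "User32"),     # RDP logon on project-x-dc
    _win("4625", "User32"),     # failed RDP logon: not a successful connection
    _fim("modified", SECRETS),  # the sensitive file was changed
    _fim("added", SECRETS.replace("secrets", "notes")),  # unrelated file added
]

def _get(alert, dotted, default=None):
    """Walk a dotted path such as data.win.system.eventID through nested dicts."""
    node = alert
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def _logon_4624_via(alert, process):
    return (_get(alert, "data.win.system.eventID") == "4624"
            and _get(alert, "data.win.eventdata.logonProcessName") == process)

DETECTIONS = {
    # page query: Event ID 4624 with a logonProcessName of Kerberos
    "winrm_logon": lambda a: _logon_4624_via(a, "Kerberos"),
    # page query: data.win.system.eventID: 4624 AND ...logonProcessName: User32
    "rdp_logon": lambda a: _logon_4624_via(a, "User32"),
    # monitor filter: full_log contains secrets.txt AND syscheck.event is modified
    "secrets_modified": lambda a: ("secrets.txt" in _get(a, "full_log", "")
                                   and _get(a, "syscheck.event") == "modified"),
}

def classify(alert):
    """Names of the page's detections this alert satisfies (empty if none)."""
    return [name for name, check in DETECTIONS.items() if check(alert)]

def triage(alerts):  # hits per detection across a batch of alerts
    return Counter(name for alert in alerts for name in classify(alert))
```

Note that any Kerberos-authenticated logon in the domain, not only a WinRM session, produces a 4624 with logonProcessName Kerberos, so the WinRM predicate is a broad filter that is best combined with further fields before it drives an alert.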

Exfiltration Setup on Attacker Machine

  • scp : copies files and directories between two systems over SSH
  • Create a file on the attacker machine to receive the contents of secrets.txt

Enable Insecure guest logons for [project-x-client]

  • Under File Explorer Window > C:\Windows\System32 > gpedit(Run as Administrator) > Computer Configuration > Administrative Template > Network > Lanman Workstation > "Enable insecure guest logons" > “Enabled” -> allows the workstation to connect to shared network resources (like an SMB share) using a guest account with zero authentication required.
  • The same setting can also be applied from the command line
