Wazuh – RDP Brute Force Attack
ACTIVE RESPONSE
Lab Created By: MUHAMMAD MOIZ UD DIN RAFAY
Follow Me: linkedin.com/in/moizuddinrafay
Wazuh – Vulnerabilities Detection Lab: 07
Lab Created by: MUHAMMAD MOIZ UD DIN RAFAY
Wazuh is an open-source security platform that provides comprehensive
security monitoring and threat detection capabilities. One of its features is
active response, which enables automated responses to detected threats, such
as blocking IP addresses involved in brute force attacks. Here, we will focus on
how Wazuh can be configured to block RDP (Remote Desktop Protocol) brute
force attacks.
RDP Brute Force Attacks
RDP brute force attacks involve attackers systematically trying various
username and password combinations to gain unauthorized access to a system
via RDP. These attacks can compromise the security of a network, leading to
data breaches and other malicious activities.
Wazuh Active Response
Wazuh’s active response feature can be configured to detect and mitigate such
attacks. Here’s how it works:
1. Detection Rules: Wazuh uses detection rules to identify suspicious
activities. For RDP brute force attacks, rules can be set to monitor failed
login attempts. If a certain threshold of failed attempts is reached within
a specific time period, it triggers an alert.
2. Triggering Alerts: When the threshold for failed login attempts is
reached, Wazuh generates an alert. These alerts can include details like
the source IP address, the targeted system, and the time of the
attempts.
3. Active Response Configuration: Wazuh’s active response mechanism
can be configured to automatically execute predefined actions in
response to specific alerts. For RDP brute force attacks, the response
might include adding the attacking IP address to a block list.
4. Blocking the Attacker: Upon triggering the active response, Wazuh can
use various methods to block the attacker. One common method is
modifying the firewall rules to block traffic from the offending IP
address. This can be done using tools like iptables on Linux or the
Windows Firewall.
Implementation Steps
1. Install and Configure Wazuh: Ensure Wazuh is installed and configured
on the systems you wish to protect. The Wazuh agent should be
installed on endpoints to monitor local events.
2. Define Detection Rules: Customize or use predefined Wazuh rules to
detect multiple failed RDP login attempts. These rules are often based
on log analysis, such as monitoring Windows Event Logs for specific
event IDs that indicate failed logins.
3. Set Up Active Response: Configure active response policies in Wazuh to
specify the actions taken when certain rules are triggered. This involves
creating a response command, such as a script that updates firewall
rules to block the attacker’s IP.
4. Deploy and Monitor: Deploy the configured Wazuh agents and active
response policies across your network. Regularly monitor the Wazuh
dashboard to ensure that the responses are correctly triggered and that
attackers are being blocked effectively.
Here is the Wazuh server running in my lab environment; I access the Wazuh console over an SSH connection.
The Wazuh dashboard is running, with Windows11 shown as an active agent.
Now we configure local rules for detecting and blocking RDP brute force attacks.
Open the local_rules.xml file and edit the configuration.
Edit these lines in the local_rules.xml configuration:
<group name="rdp">
  <!-- 60122 is the Wazuh rule for a Windows logon failure; fire this local rule
       when it matches 3 times within 120 seconds -->
  <rule id="100100" level="10" frequency="3" timeframe="120">
    <if_matched_sid>60122</if_matched_sid>
    <description>RDP Attack Detected</description>
  </rule>
</group>
Now edit the configuration in the ossec.conf file.
Scroll down to the “Active Response” section; this is where we edit the configuration.
Edit these lines here (the original closed the location element with </local>, which is not well-formed XML; it must be </location>):
<active-response>
  <disabled>no</disabled>
  <!-- netsh: the command entry in the manager's ossec.conf that runs netsh.exe on a Windows agent -->
  <command>netsh</command>
  <!-- local: execute on the agent that generated the alert -->
  <location>local</location>
  <!-- trigger on the local RDP rule defined in local_rules.xml -->
  <rules_id>100100</rules_id>
</active-response>
Save the configuration and restart wazuh-manager.
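As an added example (not from the lab and not Wazuh's own code), the following Python models what the local rule and the active-response block above do together: it replays constructed logon-failure alerts carrying the matched sid 60122, applies the frequency=3 / timeframe=120 window, and lists the source IPs the netsh response would be asked to block. It counts per source IP, which is an assumption (the lab's rule carries no same_source_ip tag), and its sliding-window counting is a simplification of the Wazuh engine's own frequency semantics.

```python
from collections import defaultdict, deque
from datetime import datetime

# Values taken from the lab's local_rules.xml and ossec.conf
MATCHED_SID = "60122"          # Windows logon-failure rule the local rule correlates on
LOCAL_RULE_ID = "100100"       # id of the local RDP rule
FREQUENCY = 3                  # matches needed ...
TIMEFRAME = 120                # ... within this many seconds
ACTIVE_RESPONSE_RULES = {"100100"}   # <rules_id> of the <active-response> block

# Constructed sample alerts (made-up timestamps and IPs, not real Wazuh output)
SAMPLE_ALERTS = [
    {"timestamp": "2024-05-01T10:00:00", "rule": {"id": "60122"}, "srcip": "192.168.100.50"},
    {"timestamp": "2024-05-01T10:00:05", "rule": {"id": "60122"}, "srcip": "192.168.100.77"},
    {"timestamp": "2024-05-01T10:00:10", "rule": {"id": "60111"}, "srcip": "192.168.100.90"},
    {"timestamp": "2024-05-01T10:00:20", "rule": {"id": "60122"}, "srcip": "192.168.100.50"},
    {"timestamp": "2024-05-01T10:00:45", "rule": {"id": "60122"}, "srcip": "192.168.100.50"},
    {"timestamp": "2024-05-01T10:05:00", "rule": {"id": "60122"}, "srcip": "192.168.100.77"},
    {"timestamp": "2024-05-01T10:05:10", "rule": {"id": "60122"}, "srcip": "192.168.100.77"},
    {"timestamp": "2024-05-01T10:05:20", "rule": {"id": "60122"}, "srcip": "192.168.100.77"},
]

def correlate(alerts, sid=MATCHED_SID, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Sliding-window correlation, one window per source IP (assumption: the lab's
    rule has no same_source_ip tag). Returns (timestamp, srcip) pairs at which the
    local rule would fire."""
    windows = defaultdict(deque)
    fired = []
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        if alert["rule"]["id"] != sid:
            continue                              # only the matched sid counts
        ts = datetime.fromisoformat(alert["timestamp"])
        window = windows[alert["srcip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()                      # expire events outside the timeframe
        if len(window) >= frequency:
            fired.append((alert["timestamp"], alert["srcip"]))
            window.clear()                        # one burst -> one alert
    return fired

def active_response(fired, rules_id=ACTIVE_RESPONSE_RULES):
    """Map fired local-rule alerts to the action the <active-response> block
    dispatches: run the netsh command on the agent that raised the alert."""
    if LOCAL_RULE_ID not in rules_id:
        return []
    return [{"command": "netsh", "location": "local", "srcip": ip} for _, ip in fired]
```

The 192.168.100.77 entries show the timeframe at work: its first failure falls outside the 120-second window and does not count toward the later burst. The lab's active-response block carries no <timeout>, so in Wazuh the block is not reverted automatically; add one if a temporary block is intended.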
Now, on Windows11, open “Manage Agent” and go to “View Config”.
Here is the ossec.conf file on the windows11 agent.
Scroll down to the “Active response” section; this is where we edit the configuration.
Note that the same configuration must be edited in both ossec.conf files, on the Wazuh server and on the Wazuh agent.
After saving the configuration, restart the Wazuh agent from the Wazuh Agent Manager.
Wazuh Agent Restarted
Here is “Windows11” agent in Wazuh Dashboard.
Note that there are no results yet.
Before going further, enable Remote Desktop (RDP) on Windows11, following the steps shown in the figures.
Go to “This PC” Properties.
Scroll down to “Remote desktop” and turn it “ON”.
Now click the drop-down button.
Uncheck “Require devices to use Network Level Authentication” and click the “Proceed anyway” button.
Now launch the RDP brute force attack with the Hydra tool.
Command: sudo hydra -L user.txt -P pass.txt rdp://192.168.100.32
Explanation:
hydra = the tool itself
-L = the username dictionary
-P = the password dictionary
rdp://192.168.100.32 = the protocol and the target IP address
Now observe the events: you can see “Authentication Failure”. Go to the “Events” tab.
Let’s do the event analysis.
During the event and log analysis you can see that the brute force attack failed because Wazuh performed the active response.
Now continue with the event and log analysis.
SUMMARY
In summary, Wazuh’s active response capability is a powerful tool to
automatically mitigate RDP brute force attacks by blocking malicious IP
addresses. By setting up appropriate detection rules and response actions,
organizations can protect their systems from unauthorized access and enhance
their overall security posture. Regular monitoring and updates to these
configurations ensure ongoing protection against evolving threats.