LinkedIn: linkedin.com/in/muhammad-faheem-shahid-26558b242
Hands-on Advanced Threat Detection
By: Muhammad Faheem Shahid
Under Guidance Of:
Prof. Naveed Naeem Abbas
1 | Page DONE BY MUHAMMAD FAHEEM SHAHID
LinkedIn: linkedin.com/in/muhammad-faheem-shahid-26558b242
Index
1. EDR (Endpoint Detection and Response): FIM (File Integrity Monitoring) using Wazuh
   Objective
   Preparation & Configuration
   Attack Simulation & Detection
   Conclusion & Observation
   Submission Requirements
2. Detecting SSH Brute Force attack
   Objective
   Preparation & Agent Installation
   Attack Simulation & Detection
   Conclusion & Observation
   Submission Requirements
3. Detecting Suspicious Network Traffic with Suricata
   Objective
   IDS Setup & Configuration
   Attack Simulation & Detection
   Conclusion & Learning Outcomes
   Submission Requirements
4. Vulnerability Detection with Wazuh
   Objective
   Vulnerability-Detector Configuration
   Visualization & Analysis
   Conclusion & Recommended Mitigation
   Submission Requirements
EDR (Endpoint Detection and Response): FIM (File Integrity Monitoring) using Wazuh
Objective
The objective of this task is to help me detect and investigate unauthorized file
changes on a Windows machine using Wazuh File Integrity Monitoring (FIM).
Students will learn how to monitor sensitive files for unauthorized modifications,
simulate an attack by modifying a file, and analyze alerts in Wazuh.
Preparation: Configure Wazuh Agent on Windows Target Machine
Requirements
• Wazuh Server: Installed and running.
Step 1: Configure File Integrity Monitoring (FIM) in Wazuh
1. Open Wazuh Manager Configuration on the Wazuh Server:
sudo nano /var/ossec/etc/ossec.conf
2. Check that the logall lines are set to yes, as shown in the snapshot below:
3. Restart Wazuh Manager to apply changes:
sudo systemctl restart wazuh-manager
4. Open Wazuh Agent Configuration:
sudo nano /var/ossec/etc/ossec.conf
5. Add the following configuration to the agent's ossec.conf to monitor sensitive files on Windows:
<directories check_all="yes" report_changes="yes" realtime="yes">/root</directories>
6. Restart Wazuh Agent to apply changes:
sudo systemctl restart wazuh-agent
Attack Simulation & Detection
Step 1: Simulate an Unauthorized File Change on Kali Linux
1. Open Terminal on the Kali Linux machine.
2. Create a test file in the monitored directory:
echo "Sensitive data" > faheem.txt
3. Modify the file content to simulate unauthorized changes:
echo "Unauthorized modification detected" >> faheem.txt
4. Delete the file to simulate data tampering:
rm -f faheem.txt
Step 2: Detect Unauthorized File Changes in Wazuh
1. Open the Wazuh Dashboard (https://<server_ip>:443).
2. Navigate to Security Events → File Integrity Monitoring (FIM).
3. Run the following search query in Wazuh to filter FIM logs:
"faheem.txt"
4. Look for logs indicating:
• File Created
• File Modified
• File Deleted
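As an added example (not part of the original lab), this Python script replays the dashboard search above over Wazuh alerts.json records: it keeps only syscheck (FIM) alerts, filters on the file name, and rebuilds the added/modified/deleted timeline together with the report_changes diff. The records are constructed samples; rule IDs 554/550/553 are assumed to be Wazuh's default FIM add/change/delete rules.

```python
import json
from collections import defaultdict

# Constructed alerts.json records (newline-delimited JSON), trimmed to the fields
# the FIM walkthrough inspects. They are NOT real captures from the lab.
SAMPLE_ALERTS = r'''
{"timestamp":"2025-05-01T10:00:01.000+0000","rule":{"id":"554","level":5,"description":"File added to the system."},"agent":{"name":"kali"},"syscheck":{"path":"/root/faheem.txt","event":"added","sha1_after":"aaaa"}}
{"timestamp":"2025-05-01T10:00:09.000+0000","rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"agent":{"name":"kali"},"syscheck":{"path":"/root/faheem.txt","event":"modified","sha1_before":"aaaa","sha1_after":"bbbb","diff":"0a1\n> Unauthorized modification detected"}}
{"timestamp":"2025-05-01T10:00:15.000+0000","rule":{"id":"553","level":7,"description":"File deleted."},"agent":{"name":"kali"},"syscheck":{"path":"/root/faheem.txt","event":"deleted"}}
{"timestamp":"2025-05-01T10:00:20.000+0000","rule":{"id":"5402","level":3,"description":"Successful sudo to ROOT executed."},"agent":{"name":"kali"}}
'''

def parse_alerts(text):
    """Yield one dict per non-empty line of newline-delimited JSON."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)

def fim_timeline(text, path_filter=None):
    """Return sorted (timestamp, agent, event, path) tuples for FIM alerts only,
    mirroring the dashboard search for "faheem.txt"."""
    events = []
    for alert in parse_alerts(text):
        sc = alert.get("syscheck")
        if not sc:                       # not a FIM alert (sudo, sshd, ...)
            continue
        if path_filter and path_filter not in sc["path"]:
            continue
        events.append((alert["timestamp"], alert["agent"]["name"], sc["event"], sc["path"]))
    return sorted(events)

def summarize(text):
    """Count added/modified/deleted events per file and collect any content diff
    that report_changes="yes" attached to a modification."""
    counts = defaultdict(lambda: {"added": 0, "modified": 0, "deleted": 0})
    diffs = {}
    for alert in parse_alerts(text):
        sc = alert.get("syscheck")
        if not sc:
            continue
        counts[sc["path"]][sc["event"]] += 1
        if "diff" in sc:
            diffs[sc["path"]] = sc["diff"]
    return dict(counts), diffs

if __name__ == "__main__":
    for ts, agent, event, path in fim_timeline(SAMPLE_ALERTS, "faheem.txt"):
        print(f"{ts} {agent:6} {event:8} {path}")
    print(summarize(SAMPLE_ALERTS))
```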
Conclusion
✅ Successfully configured File Integrity Monitoring (FIM) in Wazuh.
✅ Simulated unauthorized file modifications and deletions on a Linux system.
✅ Detected file changes in Wazuh logs and dashboard alerts.
✅ Learned how SOC analysts investigate unauthorized file changes for threat detection.
Submission
• Share a screenshot of the Wazuh dashboard showing detected file changes.
• Share a screenshot of logs confirming file modifications or deletions.
• Write a short observation on how Wazuh’s File Integrity Monitoring helps in security investigations.
Observation:
Wazuh’s File Integrity Monitoring (FIM) is an essential tool in security investigations as it continuously
tracks changes to critical files and directories. By monitoring file attributes like permissions, ownership,
hash values, and content modifications, FIM promptly detects unauthorized or suspicious changes that
may indicate a security breach or malware activity. During an investigation, these recorded events help
identify the timeline and scope of an incident, facilitating root cause analysis and aiding in the
formulation of effective response strategies. In summary, Wazuh’s FIM significantly enhances an
organization’s ability to detect and respond to security threats.
EDR: Detecting SSH Brute Force attack
Objective
The objective of this task is to help me detect SSH brute-force attacks on a Kali machine
using Wazuh’s security monitoring capabilities. Students will simulate an SSH brute-force attack,
analyze logs, and detect suspicious authentication attempts using Wazuh alerts.
Preparation: Configure Wazuh Agent on Ubuntu Target Machine
Requirements
• Wazuh Server: Installed and running.
• Ubuntu 22.04/20.04 (Attacker Machine).
• Wazuh Agent installed on the Kali machine.
• SSH enabled on the target machine.
• Admin or sudo access on the target machine.
Step 1: Install Wazuh Agent on Ubuntu
1. Download and install the Wazuh Agent on the target machine (Ubuntu):
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.11.2-1_amd64.deb && \
sudo WAZUH_MANAGER='ug5683emprfk.cloud.wazuh.com' \
WAZUH_REGISTRATION_PASSWORD=$'WhCNSnS6jfA6jmiJl7EhEQHmPDZREi6F' \
WAZUH_AGENT_NAME='kali' dpkg -i ./wazuh-agent_4.11.2-1_amd64.deb
2. Start the Wazuh Agent service:
sudo systemctl start wazuh-agent
Attack Simulation & Detection
Step 1: Simulate an SSH Brute-Force Attack Using Hydra
1. From the attacker machine, install Hydra:
sudo apt update && sudo apt install hydra -y
2. Run the following command to simulate an SSH brute-force attack:
hydra -l kali -P password.txt 192.168.58.158 ssh
• Replace 192.168.58.158 with the Ubuntu target machine’s IP address.
• -l kali specifies the username to attack.
• -P password.txt uses a password list for brute-forcing SSH.
3. If a valid password is found, Hydra will display:
[22][ssh] host: 192.168.58.158 login: kali password: kali
Step 2: Detect SSH Brute Force Attempts in Wazuh
1. Open the Wazuh Dashboard (https://<server_ip>:443).
2. Navigate to Security Events and run the query below:
data.srcuser: kali
3. Look for logs indicating:
• Multiple failed SSH login attempts from the same IP.
• High volume of authentication failures in a short period.
• Successful logins after repeated failed attempts (possible compromise).
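Added example, not from the original lab: a Python sliding-window detector that reads sshd lines in the /var/log/auth.log format Wazuh collects and flags the three patterns listed above (repeated failures from one IP, many failures in a short window, and a success after earlier failures). The log lines are constructed; the attacker IPs and the 5-attempt / 60-second / 2-prior-failure thresholds are assumptions, not Wazuh's own rule values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (not real captures). 192.168.58.10 hammers
# the "kali" account and then gets in; 192.168.58.20 is a single typo then a key login.
SAMPLE_AUTH_LOG = """\
May  1 10:00:01 ubuntu sshd[1201]: Failed password for kali from 192.168.58.10 port 40001 ssh2
May  1 10:00:02 ubuntu sshd[1202]: Failed password for kali from 192.168.58.10 port 40002 ssh2
May  1 10:00:03 ubuntu sshd[1203]: Failed password for kali from 192.168.58.10 port 40003 ssh2
May  1 10:00:04 ubuntu sshd[1204]: Failed password for invalid user admin from 192.168.58.10 port 40004 ssh2
May  1 10:00:05 ubuntu sshd[1205]: Failed password for kali from 192.168.58.10 port 40005 ssh2
May  1 10:00:06 ubuntu sshd[1206]: Accepted password for kali from 192.168.58.10 port 40006 ssh2
May  1 10:30:00 ubuntu sshd[1300]: Failed password for kali from 192.168.58.20 port 50001 ssh2
May  1 10:31:00 ubuntu sshd[1301]: Accepted publickey for kali from 192.168.58.20 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_line(line, year=2025):
    # syslog timestamps carry no year, so the caller supplies one (assumed 2025 here)
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_sec=60, min_failures=2):
    """Flag a source IP once it accumulates `threshold` failures within `window_sec`
    (fires once when the window fills), and flag any successful login from an IP
    that already produced at least `min_failures` failures (possible compromise)."""
    recent = defaultdict(deque)     # ip -> timestamps of failures inside the window
    failures = defaultdict(int)     # ip -> total failures seen so far
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            failures[ip] += 1
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_sec:   # drop stale failures
                q.popleft()
            if len(q) == threshold:
                findings.append(("brute_force", ip, user, ts.isoformat()))
        elif failures[ip] >= min_failures:
            findings.append(("success_after_failures", ip, user, ts.isoformat()))
    return findings
```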
Conclusion
✅ Successfully configured Wazuh Agent on an Ubuntu machine for SSH monitoring.
✅ Simulated SSH brute-force attacks using Hydra.
✅ Detected brute-force attempts in Wazuh logs and alerts.
✅ Learned how SOC analysts investigate authentication attacks using SIEM tools.
Submission
• Share a screenshot of the Wazuh dashboard showing SSH brute-force detection alerts.
• Share a screenshot of logs confirming multiple failed SSH attempts.
• Write a short observation on how SSH brute-force detection helps in security monitoring and threat prevention.
Observation:
SSH brute-force detection acts as an early warning system in security monitoring. By identifying and
alerting on excessive failed login attempts to SSH, it immediately flags potential malicious activity aimed
at gaining unauthorized access to critical systems. This proactive detection enables timely intervention,
such as blocking malicious IPs or strengthening access controls, effectively preventing
successful breaches and mitigating potential damage before they occur.
EDR - Detecting Suspicious Network Traffic using Suricata
🎯 Objective
To understand how an Endpoint Detection and Response (EDR) solution can detect suspicious network
traffic using Suricata IDS and visualize alerts on Wazuh.
📚 What is Suspicious Network Traffic?
Suspicious network traffic refers to abnormal or unexpected activities on a network that may indicate
malicious intent or an ongoing attack.
🔍 Examples:
• A machine scanning multiple ports on the network (e.g., Nmap Scan).
• Traffic to known malicious IPs (Command & Control).
• FTP uploads on non-standard ports.
• HTTP connections to rare domains or IPs.
🔐 How are IDSs Helpful?
Intrusion Detection Systems (IDS) provide the following benefits:
• Monitor and inspect network traffic in real time.
• Trigger alerts when known attack patterns are detected.
• Help detect reconnaissance, malware communication, and lateral movement.
• Provide visibility to SOC teams for early-stage attacks.
⚙️ How Does IDS Work?
1. Packet Capture: Captures and inspects each packet.
2. Rule Matching: Matches traffic patterns against rule sets.
3. Alerting: Triggers alerts when rules are matched.
4. Integration: Sends logs/alerts to SIEM platforms like Wazuh.
🐍 What is Suricata?
Suricata is an open-source, high-performance network IDS, IPS, and network monitoring engine.
Features:
• Deep packet inspection
• Multi-threaded architecture
• Protocol identification (HTTP, TLS, DNS, etc.)
• JSON log output for easy integration
• Community rules for threat detection
🖥️ Lab Setup
Component: Description
Wazuh Server: Server with Wazuh Manager & Dashboard
Wazuh Agent: Ubuntu with Suricata installed
Attacker Machine: Kali Linux (for simulating attacks)
📌 Task: Detecting Port Scanning using Suricata + Wazuh
Step 1: Installing Suricata and Rules
1. Install Suricata on the Ubuntu endpoint. We tested this process with version 6.0.8, and it can take some time:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata -y
2. Download and extract the Emerging Threats Suricata ruleset:
sudo apt update && sudo apt install -y curl && cd /tmp && \
curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz && \
tar -xvzf emerging.rules.tar.gz && sudo mkdir -p /etc/suricata/rules && \
sudo mv rules/*.rules /etc/suricata/rules/ && sudo chmod 640 /etc/suricata/rules/*.rules && \
rm emerging.rules.tar.gz
3. Make the configuration changes below in the Suricata YAML file:
4. Enter the local interface:
5. Set the correct rules path:
6. Restart the Suricata service:
sudo systemctl restart suricata
Step 2: Forward Suricata Logs to Wazuh
1. Add the following configuration to the /var/ossec/etc/ossec.conf file of the Wazuh agent. This
allows the Wazuh agent to read the Suricata log file:
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
Step 3: Simulate Attack using Kali Linux
1. On Kali Linux terminal, run a SYN scan:
nmap -sS -T4 192.168.58.135
-sS: SYN scan
-T4: Faster scan timing
2. This scan should trigger Suricata detection rules for port scanning.
Step 4: View Alerts in Wazuh Dashboard
1. Login to Wazuh Dashboard.
2. Navigate to Security Events → Choose agent.
3. Filter by Rule Group: Suricata
4. Look for alert like:
ET SCAN Nmap Synchronous Scan
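Added example, not part of the original lab: Python that reads the eve.json lines the Wazuh agent forwards and (a) counts alert events per Suricata signature, mirroring the Rule Group: Suricata filter, and (b) flags a source that touches many distinct ports on one host within a few seconds, the fan-out a SYN scan leaves even when no single signature fires. The records are constructed; the scanner IP, the second signature name and the 8-port / 10-second thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

def _alert(ts, src, dst, port, sig, sev):
    # Shape follows Suricata's EVE "alert" record, trimmed to the fields used below.
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
                       "dest_port": port, "proto": "TCP",
                       "alert": {"signature": sig, "category": "Attempted Information Leak", "severity": sev}})

# Constructed sample: one host probes ten ports within microseconds (the scan),
# plus one non-alert "flow" record and one unrelated alert with an invented signature.
SCAN_PORTS = [21, 22, 25, 80, 110, 139, 443, 445, 3306, 8080]
SAMPLE_EVE = "\n".join(
    [_alert(f"2025-05-01T11:00:00.{i:06d}+0000", "192.168.58.140", "192.168.58.135", p,
            "ET SCAN Nmap Synchronous Scan", 2) for i, p in enumerate(SCAN_PORTS)]
    + [json.dumps({"timestamp": "2025-05-01T11:00:05.000000+0000", "event_type": "flow",
                   "src_ip": "192.168.58.140", "dest_ip": "192.168.58.135", "dest_port": 443, "proto": "TCP"}),
       _alert("2025-05-01T11:05:00.000000+0000", "192.168.58.50", "192.168.58.135", 80,
              "ET WEB_SERVER constructed example signature", 1)]
)

def parse_eve(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def alerts_by_signature(text):
    """Only event_type == "alert" records count, grouped by signature name."""
    counts = defaultdict(int)
    for ev in parse_eve(text):
        if ev.get("event_type") == "alert":
            counts[ev["alert"]["signature"]] += 1
    return dict(counts)

def port_scan_sources(text, min_ports=8, window_sec=10):
    """Return {(src, dst): distinct_ports} for every pair where one source reached
    at least `min_ports` distinct destination ports within `window_sec` seconds."""
    touches = defaultdict(list)   # (src, dst) -> [(timestamp, dest_port), ...]
    for ev in parse_eve(text):
        if "dest_port" not in ev:
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        touches[(ev["src_ip"], ev["dest_ip"])].append((ts, ev["dest_port"]))
    flagged = {}
    for (src, dst), items in touches.items():
        items.sort()
        for i, (start, _) in enumerate(items):       # slide a window from each event
            ports = {p for t, p in items[i:] if (t - start).total_seconds() <= window_sec}
            if len(ports) >= min_ports:
                flagged[(src, dst)] = len(ports)
                break
    return flagged
```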
Submission
Submit screenshots of:
• Suricata service running
• Alert in Wazuh Dashboard
Learning Outcome
By completing this lab, I:
• Understand the basics of IDS and Suricata.
• Install and configure Suricata to monitor traffic.
• Detect and respond to a port scanning attack.
• Visualize network alerts on Wazuh SIEM.
• Gain hands-on experience with EDR concepts.
EDR: Vulnerability Detection using Wazuh
Objective
To detect system vulnerabilities using Wazuh’s built-in vulnerability detection module
and understand how a SOC Analyst can identify and mitigate vulnerabilities using
alert data.
What is a Vulnerability?
A vulnerability is a weakness or flaw in software, hardware, or system configuration
that could be exploited by attackers to gain unauthorized access or perform
malicious actions.
Types of Vulnerabilities
Type: Example
Software Bugs: Buffer overflow in Apache
Misconfigurations: SSH root login enabled
Outdated Software: Unpatched Windows or Linux packages
Default Credentials: Admin:admin on routers or web apps
Open Ports/Services: FTP open with anonymous access
How Are Vulnerabilities Discovered?
• Vulnerability Scanners like OpenVAS, Nessus, or Wazuh's built-in modules
• Threat Intelligence Feeds
• Manual Testing and Penetration Testing
• Bug Bounty Programs
• Exploit Databases (e.g., NVD, Exploit-DB)
How Do SOC Analysts Mitigate Vulnerabilities?
• Prioritize based on CVSS score and asset criticality
• Coordinate with IT to apply patches or updates
• Disable or restrict vulnerable services
• Monitor for exploit attempts (IDS/EDR)
• Document and track remediation through ticketing systems
Lab Setup
Component: Description
Wazuh Server: Ubuntu with Wazuh Manager + Dashboard
Wazuh Agent: Ubuntu machine with agent installed
Task: Detecting and Visualizing System Vulnerabilities using Wazuh
Step 1: Setting up Vulnerability Detection on Wazuh Agent
1. Ensure the Wazuh agent is already installed and connected to the manager.
2. On the Wazuh agent, enable vulnerability-detector module:
Edit the Wazuh configuration file:
sudo nano /var/ossec/etc/ossec.conf
Enable and configure the module:
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<providers>
<provider name="canonical">yes</provider> <!-- For Ubuntu -->
</providers>
</vulnerability-detector>
3. Restart the Wazuh agent to apply changes:
sudo systemctl restart wazuh-agent
4. Wazuh agent will now scan installed packages and compare them against
vulnerability databases like NVD and Canonical Security Tracker.
Step 2: Visualizing Vulnerability Alerts in Wazuh Dashboard
1. Go to the Wazuh Dashboard.
2. Navigate to: vulnerability-detector
3. View detailed data:
• CVE ID (e.g., CVE-2023-####)
• Affected package
• CVSS score
• Recommendation to patch or update
Submission
Submit:
• Screenshot of at least one vulnerability alert on the dashboard
• Description of the vulnerable package, CVE, and CVSS score
• Suggested mitigation step
To address the vulnerability detected in the Django package (4.2.19), which is
affected by a potential denial-of-service (DoS) issue when processing large
sequences of incomplete HTML tags, the suggested mitigation step is to upgrade
Django to a patched version. Specifically, update Django to 4.2.21 or later for
versions in the 4.x series, 5.1.9 or later for the 5.x series, or 5.2 or later for the 5.2.x
series. This ensures that the vulnerability is resolved and the system is protected
against potential exploitation. Additionally, review and harden configurations so that
user-supplied HTML content is validated and limited, and monitor logs for any suspicious activity
related to DoS attempts.
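Added example (not the lab's own code): Python that triages findings the way the "How Do SOC Analysts Mitigate Vulnerabilities?" list and the Django observation above describe, ranking by CVSS weighted by asset criticality and checking the installed version against the first fixed release of its branch (4.2.21 / 5.1.9 / 5.2 for Django, taken from the observation). The findings, CVE ids (CVE-0000-000x placeholders), CVSS values and the asset criticality map are constructed.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    agent: str      # Wazuh agent name
    package: str
    version: str    # installed version as reported by the vulnerability detector
    cve: str
    cvss: float

# First fixed release per branch, taken from the Django observation above. Branches are
# version-tuple prefixes: 4.x -> 4.2.21, other 5.x -> 5.1.9, 5.2.x -> 5.2 (longest prefix wins).
FIXED_VERSIONS = {
    "django": [((4,), "4.2.21"), ((5,), "5.1.9"), ((5, 2), "5.2")],
}
# Constructed asset criticality weights (3 = production web server, 1 = lab box).
ASSET_CRITICALITY = {"web-prod": 3, "lab-ubuntu": 1}

# Constructed findings; CVE ids are placeholders and CVSS values are made up.
SAMPLE_FINDINGS = [
    Finding("web-prod", "django", "4.2.19", "CVE-0000-0001", 7.5),
    Finding("lab-ubuntu", "django", "5.1.9", "CVE-0000-0001", 7.5),
    Finding("lab-ubuntu", "openssl", "3.0.2", "CVE-0000-0002", 5.3),
]

def parse_version(v):
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def fix_status(package, installed):
    """Return (status, upgrade_to): True if installed >= first fixed release of its
    branch, False if still vulnerable, None when no fix mapping is known."""
    branches = FIXED_VERSIONS.get(package.lower())
    if not branches:
        return None, None
    inst = parse_version(installed)
    for branch, fixed in sorted(branches, key=lambda b: -len(b[0])):  # most specific first
        if inst[:len(branch)] == branch:
            return inst >= parse_version(fixed), fixed
    return None, None

def priority(f):
    """CVSS weighted by asset criticality; unknown agents get a middle weight of 2."""
    return round(f.cvss * ASSET_CRITICALITY.get(f.agent, 2), 1)

def triage(findings):
    """Unfixed (or unknown) findings first, highest priority first; fixed ones sink."""
    rows = []
    for f in findings:
        fixed, target = fix_status(f.package, f.version)
        rows.append({"agent": f.agent, "package": f.package, "version": f.version, "cve": f.cve,
                     "priority": priority(f), "fixed": fixed, "upgrade_to": target})
    return sorted(rows, key=lambda r: (r["fixed"] is True, -r["priority"]))
```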
Learning Outcome
After completing this lab, I:
• Understand how vulnerabilities are detected by Wazuh EDR.
• Enable and configure Wazuh’s vulnerability detector.
• View and interpret CVE alerts on the dashboard.
• Learn how SOC analysts triage and respond to system vulnerabilities.
• Strengthen my endpoint detection and response (EDR) fundamentals.