Lab - Performing IoC Detection and Analysis


Scenario

In this lab, you will learn about using an automated security platform named wazuh to detect IoCs related to suspicious activity.

As a cybersecurity analyst, you want to take full advantage of automation to detect and potentially respond to security violations.

In this lab, you will:

  1. Use wazuh to review security alerts from IoCs related to questionable logon activity.
  2. Then, you will delete audit log files, then use wazuh to evaluate the IoCs of this anti-forensic activity.
  3. Finally, you will perform questionable user management, then review the IoCs detected by wazuh about your shenanigans.

Your cybersecurity analyst (CySA) workstation, running Kali Linux, is located in Structureality’s server subnet. You will be accessing the wazuh web interface from Kali and DC10 while performing attack simulations from Kali and DC10 against DC10.

Understand your environment

You will be working from:

  • a virtual machine named KALI hosting Kali Linux
  • a virtual machine named DC10 hosting Windows Server 2019
  • and a virtual machine named WAZUH running Ubuntu Server and supporting the wazuh security platform

Steps

1. Detecting logon events with wazuh

Summary

  • use wazuh to detect IoC related to logon events
  • perform two types of login attacks
  • then view the security alerts caused by those attacks in wazuh
  1. On the KALI machine, create /root/passlist.txt by inserting Pa$$w0rd as the 57th line of the /usr/share/seclists/Passwords/500-worst-passwords.txt file and redirecting the output to the passlist.txt file. Then, confirm the addition of this lab password.

  2. Open the wazuh platform in a web browser.

  3. View the Security events for only the DC10 system

    • Select Security events from the Security Information Management section
    • Select Explore agent near the top of the page
    • select DC10
  4. Use hydra to perform a password guessing attack, using the passlist.txt file modified previously, via the RDP (Remote Desktop Protocol) service against the administrator account on DC10 (10.1.16.1).

    • hydra -t 1 -V -f -l administrator -P passlist.txt rdp://10.1.16.1
  5. View the security alert(s) resulting from the password guessing attack on wazuh

    • Select Refresh at the top of the page to update the display with new information obtained by the wazuh agent on DC10
    • The Total counter should increase by at least 57, and you should see incremented Authentication failure and Authentication success counters as well.
    • Scroll down below the graphs to view the list of Security Alerts.
    • Locate the entry with a Rule ID of 92652; it should be near the top of the results.
      • search for it if needed
  6. View the Technique information related to Rule ID 92652.

    • Name is “pass the hash”

The technique associated with this event is inaccurate. While it is true that a pass the hash attack (PtH) could have been the cause of the event recorded into the Windows security log, you know that is not the attack you performed. You ran a password-guessing attack using a dictionary list, which is not the same attack concept as PtH. A PtH attack requires the theft of an access token from a valid client, which is then used from a different system to fool the authentication service.

  1. Connect to the WAZUH virtual machine and sign in as wazuh using Pa$$w0rd as the password

  2. Locate the wazuh rule related to Rule ID of 92652, view its contents through the less viewer, read over the rule, then exit the less viewer.

    1. Enter cd /var/ossec/ruleset/rules to change into the default rules directory.
    2. Enter ls -l to view a list of all of the rule files.
    3. Enter grep 92652 * (the asterisk is a shell wildcard, so every rule file in the directory is searched).
      • result 0840-win_event_channel.xml: <rule id="92652" level="6">
    4. Enter less 0840-win_event_channel.xml
    5. Locate the rule with an ID of 92652. It should be the third rule. Read over the rule.
    6. Type q to exit the less viewer.
  3. Enter exit to log out of the wazuh VM.

  4. Switch back to the KALI virtual machine

  5. Access the wazuh Security Events page

  6. From the Terminal window, attempt to mount the C$ share using the Jaime account and Pa$$w0rd as the password.

    1. Return to the Terminal window.
    2. Enter mkdir /mnt/dc10-c to create a mount point.
    3. Enter the following and provide Pa$$w0rd as the password when prompted.
      • mount -o username=jaime //10.1.16.1/c$ /mnt/dc10-c
      • The mount attempt will fail.
  7. Attempt to mount the C$ share using the administrator account and Pa$$w0rd as the password.

    • mount -o username=administrator //10.1.16.1/c$ /mnt/dc10-c
    • The mount will succeed.
  8. In wazuh, locate the Security events caused by the mount attempts.

    1. Select Refresh to update the wazuh Security events page with the latest data.
    2. Enter 60122 in the Search field, then select Update.
    3. Scroll down to view the alert record(s).
    4. Select an alert record to expand it. After reviewing the details, select it again to collapse it.
    5. Scroll back up to the top of the page.
    6. Enter 60106 in the Search field, then select Update.
    7. Scroll down to view the alert record(s).
    8. Select an alert record to expand it. After reviewing the details, select it again to collapse it.

You have seen wazuh security alerts triggered by matching IoCs to questionable logon activity.
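As an added example (not part of the lab and not Wazuh's own code), the correlation a defender would want around the alerts reviewed in steps 4 to 8: rule 92652 fires once per failed logon and is tagged as pass the hash, but a run of 92652 alerts from one source against one account inside a short window, followed by a 60122 success, is the signature of the password-guessing attack that was actually performed. The script assumes Wazuh's alerts.json line format and its Windows eventchannel field names (data.win.eventdata.ipAddress and targetUserName); the alert lines, the source IP 10.1.16.5 and the threshold values are constructed.

```python
"""Detect password guessing by correlating Wazuh alerts (added example, not
the lab's or Wazuh's own code). Assumes Wazuh's alerts.json line format with
the Windows eventchannel fields data.win.eventdata.ipAddress/targetUserName;
thresholds and the sample alerts below are constructed for the lab scenario
(a run of rule 92652 failures, then one 60122 success, from a single IP)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_RULE, SUCCESS_RULE = "92652", "60122"  # rule IDs the lab searches for
THRESHOLD, WINDOW = 10, timedelta(minutes=2)  # assumed tuning values

def _alert(ts, rule, ip, user):
    """Constructed alert line in the alerts.json shape (not real log data)."""
    return json.dumps({"timestamp": ts, "agent": {"name": "DC10"},
                       "rule": {"id": rule}, "data": {"win": {"eventdata": {
                           "ipAddress": ip, "targetUserName": user}}}})

# 12 failed guesses in 12 seconds, then a success, all from constructed IP
# 10.1.16.5; plus one isolated failure from another host as a control.
SAMPLE_LINES = [_alert(f"2024-01-01T10:00:{i:02d}.000+0000", FAIL_RULE,
                       "10.1.16.5", "administrator") for i in range(12)]
SAMPLE_LINES += [_alert("2024-01-01T10:00:13.000+0000", SUCCESS_RULE,
                        "10.1.16.5", "administrator"),
                 _alert("2024-01-01T10:05:00.000+0000", FAIL_RULE,
                        "10.1.16.7", "jaime")]

def detect_password_guessing(lines):
    """Map (source IP, target user) -> {"failures": n, "success": bool} for
    every pair that reached THRESHOLD failed logons inside WINDOW; success is
    set when a logon success follows such a run (the highest-priority case)."""
    recent = defaultdict(list)  # (ip, user) -> failure timestamps in window
    findings = {}
    for line in lines:
        alert = json.loads(line)
        ev = alert["data"]["win"]["eventdata"]
        key = (ev["ipAddress"], ev["targetUserName"])
        ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        rule_id = alert["rule"]["id"]
        if rule_id == FAIL_RULE:
            # slide the window: keep only failures within WINDOW of this one
            recent[key] = [t for t in recent[key] if ts - t <= WINDOW] + [ts]
            if len(recent[key]) >= THRESHOLD:
                hit = findings.setdefault(key, {"failures": 0, "success": False})
                hit["failures"] = len(recent[key])
        elif rule_id == SUCCESS_RULE and key in findings:
            findings[key]["success"] = True
    return findings
```

The control failure from 10.1.16.7 never reaches the threshold, so only the administrator run is reported, and it is marked as having succeeded because the 60122 alert arrived after the run of failures.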

2. Detecting anti-forensics with wazuh

In this exercise, you will delete log files and view the related security alerts of these IoCs in wazuh.

  1. Connect to the DC10 virtual machine. Sign in as the admin.

  2. Minimize or close Server Manager if it appears. It will not be used in this lab.

  3. Access the wazuh platform at 10.1.16.242 using a web browser

  4. Clear the contents of the Security log.

    1. Select Type here to search from the taskbar, enter Event and then select Event Viewer.
    2. In the left pane, double-click Windows logs to expand it.
    3. In the expanded list, select Security.
    4. In the right pane, select Clear log….
    5. On the Event Viewer pop-up confirmation window, select Clear.
    6. Close the Event Viewer.
  5. Locate the wazuh security alert related to the security log deletion.

    1. Return to Firefox focused on wazuh.
    2. Select Refresh.
    3. Look for a Security Alert related to The audit log was cleared.
    4. Select an alert record to expand it. After reviewing the details, select it again to collapse it.
    • Rule ID = 63103
  6. Delete the System and Application logs.

    1. Select Type here to search from the taskbar, enter Event and then select Event Viewer.
    2. In the left pane, double-click Windows logs to expand it.
    3. In the expanded list, select Application.
    4. In the right pane, select Clear log….
    5. On the Event Viewer pop-up confirmation window, select Clear.
    6. In the left pane, select System.
    7. In the right pane, select Clear log….
    8. On the Event Viewer pop-up confirmation window, select Clear.
    9. Close the Event Viewer
  7. Create a filter for the audit log clearing events, then locate the alerts for the clearing of the Application and System logs.

    1. Locate the Alert groups evolution graphic. It is just under the alert count header.
      • If this does not appear, make sure to select Explore agent > DC10 agent
    2. Select windows_logs, then select the circled plus sign (⊕) from the pop-up window.
      • A new filter should now be present of rule:groups: windows_logs.
      • You may need to scroll up to view this filter. It is listed under the Search field.
      • Help: if windows_logs does not appear, try narrowing the time range to the last hour.
    3. Select Refresh.
    4. Review the security alerts matching the filter.
    5. Select an alert record to expand it. After reviewing the details, select it again to collapse it.
  8. Remove the rule:groups: windows_logs by clicking on the x in the filter box.

You have observed the IoCs of clearing logs of a monitored system through wazuh.

3. Detecting abnormal user management with wazuh

In this exercise, you will:

  • Maximize the insight wazuh has into a system by turning on all system logging policies.
  • Then, you will delete a user account and add a user account to the Administrators group.
  • Then, you will view the related security alerts of these IoCs in wazuh.
  1. Connect to the DC10 virtual machine as admin.

  2. Turn on all audit policies using auditpol.

    1. Select Type here to search from the taskbar, enter cmd, then right-click Command Prompt in the results, then select Run as administrator.
    2. Select Yes on the User Account Control window.
    3. Enter auditpol /set /category:* /success:enable /failure:enable.
      • The message The command was successfully executed should be displayed.
    4. Enter auditpol /get /category:* to view the audit policy status.
      • A lengthy list of audit policies should be displayed, each with a status of Success and Failure.
  3. Delete two local user accounts.

    1. Enter net users.
    2. Select two accounts from the list other than Administrator. For example, Angel and Dylan.
    3. Enter net user /delete Angel.
      • A confirmation message of The command completed successfully should be displayed.
    4. Enter net user /delete Dylan.
      • A confirmation message of The command completed successfully should be displayed.
  4. Add a user account to the local administrators’ group.

    1. Enter net users.
    2. Select any of the remaining accounts, other than Administrator. For example, Dani.
    3. Enter net localgroup Administrators /add Dani
      • A confirmation message of The command completed successfully should be displayed.
  5. Hide the security alerts for logon success and User logoff.

    1. Return to Firefox focused on wazuh.
    2. Select + Add filter under the Search field.
    3. Type rule.id into the Select a field first field, then select rule.id from the drop-down list result.
    4. Select the Operator drop-down list, then select is not.
    5. Type 60106 in the Value field, then select 60106 from the drop-down list result.
    6. Select Save.
    7. Select + Add filter under the Search field.
    8. Type rule.id into the Select a field first field, then select rule.id from the drop-down list result.
    9. Select the Operator drop-down list, then select is not.
    10. Type 60137 in the Value field, then select 60137 from the drop-down list result.
    11. Select Save.
    12. These two new filters should now be present under the Search field.
  6. Locate the wazuh security alerts related to the alteration of the audit policy.

    1. Select Refresh.
    2. Enter 60112 in the Search field, then select Update.
      • The results should be numerous Windows audit policy changed alerts.
    3. Select an alert record to expand it. After reviewing the details, select it again to collapse it.
  7. Locate the wazuh security alerts related to suspicious account management activities. View the details of each alert.

    1. Enter 60111 in the Search field, then select Update.
      • The results should be two User account disabled or deleted alerts.
    2. Select the first alert in the list to expand it. Scroll through the details to determine which user account was affected.
    3. Scroll back to the top of the page.
    4. Enter 60147 in the Search field, then select Update.
      • The results should be one Security enabled local group changed alert.
    5. Select the alert record to expand it. After reviewing the details, select it again to collapse it.
    6. Scroll back to the top of the page.
    7. Enter 60144 in the Search field, then select Update.
      • The results should be one Security enabled local group member added… alert.
    8. Select the alert record to expand it. After reviewing the details, select it again to collapse it.

You have observed the IoCs of questionable account management activities on a monitored system through wazuh.
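An added example (not the lab's or Wazuh's own code) that automates the manual filtering done in sections 2 and 3: it drops the 60106/60137 logon-success and logoff noise, keeps the rule IDs the lab searches for, names the actor and the affected account or group for each, and collapses the burst of 60112 audit-policy alerts produced by auditpol /set into one timeline entry. It assumes the alerts.json line format and the subjectUserName / targetUserName / memberName eventchannel field names; the sample alerts are constructed to mirror the lab's actions, not captured data.

```python
"""Triage the anti-forensics and account-management alerts from sections 2
and 3 (added example, not the lab's or Wazuh's own code). Assumes Wazuh's
alerts.json line format and its Windows eventchannel field names
subjectUserName / targetUserName / memberName; sample alerts are constructed."""
import json

RULES = {  # rule IDs searched for in the lab, with their meaning
    "63103": "audit log cleared", "60112": "Windows audit policy changed",
    "60111": "user account disabled or deleted",
    "60147": "security-enabled local group changed",
    "60144": "security-enabled local group member added"}
NOISE = {"60106", "60137"}  # logon success / logoff, excluded in step 5

_EVENTS = [  # constructed: (second offset, rule id, eventdata), in lab order
    (0, "60106", {"subjectUserName": "admin"}),
    (60, "63103", {"subjectUserName": "admin"}),
    *[(120 + i, "60112", {"subjectUserName": "admin"}) for i in range(5)],
    (180, "60111", {"subjectUserName": "admin", "targetUserName": "Angel"}),
    (190, "60111", {"subjectUserName": "admin", "targetUserName": "Dylan"}),
    (240, "60144", {"subjectUserName": "admin", "targetUserName": "Administrators",
                    "memberName": "Dani"}),
    (241, "60147", {"subjectUserName": "admin", "targetUserName": "Administrators"}),
    (300, "60137", {"subjectUserName": "admin"})]
SAMPLE_LINES = [json.dumps({"timestamp": f"2024-01-01T11:{s // 60:02d}:{s % 60:02d}.000+0000",
                            "agent": {"name": "DC10"}, "rule": {"id": r},
                            "data": {"win": {"eventdata": ev}}}) for s, r, ev in _EVENTS]

def triage(lines):
    """Return a timeline of (timestamp, actor, description, target, count),
    dropping noise rules and collapsing a run of alerts with the same rule
    and target (such as the burst of 60112 alerts after auditpol /set)."""
    timeline = []
    for line in lines:
        alert = json.loads(line)
        rule_id = alert["rule"]["id"]
        if rule_id in NOISE or rule_id not in RULES:
            continue
        ev = alert["data"]["win"]["eventdata"]
        # 60144 names the added account in memberName; others use targetUserName
        target = ev.get("memberName") or ev.get("targetUserName", "")
        entry = [alert["timestamp"], ev.get("subjectUserName", "?"), RULES[rule_id], target, 1]
        if timeline and timeline[-1][2:4] == entry[2:4]:
            timeline[-1][4] += 1  # same rule and target: extend the run
        else:
            timeline.append(entry)
    return [tuple(e) for e in timeline]
```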