Detecting and Blocking RDP Attack With Wazuh

Uploaded by aforabad

Blocking RDP brute-force Attack

Wazuh Labs by: MUHAMMAD MOIZ UD DIN RAFAY


LinkedIn: www.linkedin.com/in/moizuddinrafay
According to Sophos, in the first half of 2023 adversaries leveraged Remote
Desktop Protocol (RDP) in 95% of attacks, an increase of 88% from 2023. RDP is
a Microsoft-developed proprietary protocol that allows users to connect to
and remotely operate another computer or device over a network connection.
Attackers employ automated tools to try many username and password
combinations in order to obtain unauthorized access to systems via RDP.
Mitigating this risk involves proactive measures as well as quick action to
block the malicious IP addresses that attempt these attacks. In this section we
will use Wazuh active response to block the attacker's IP address during an RDP
brute-force attack.
Lab setup:
Wazuh Server (SIEM) IP: 192.168.100.15
Windows7 (Victim) IP: 192.168.100.20
Kali Linux (Attacker) IP: 192.168.100.3
The Wazuh server and Windows7 are running on VirtualBox; Kali Linux is
installed directly on my laptop.
Both the Wazuh server and Windows7 are running.

Accessing the Wazuh server over SSH:

Command: ssh [email protected]

Enter the Wazuh server password.

Logged in to the Wazuh server via SSH.

Now we are going to add configuration to "ossec.conf".


Setting up the Windows7 agent with an active response script:
Open the Wazuh agent.

Go to View and then View Config.

Here is the "ossec.conf" file.

Add the script under the Active response section:


Script text (both blocks go inside the agent's <ossec_config> element; the
tag is spelled <executable>, the misspelling <executeable> is not accepted):

<command>
  <name>netsh</name>
  <executable>netsh.exe</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>netsh</command>
  <location>local</location>
  <rules_id>100100</rules_id>
</active-response>

Copy and paste the script at the exact location (be careful).


Now restart the Wazuh agent:
Wazuh agent restarted.

Now we have to add a rule on the Wazuh server:


Edit the "local_rules.xml" file, which is located in "/var/ossec/etc/rules/".

Here is the contents of the file (local_rules.xml).

We have to add the rule here (highlighted). The rule is a composite rule: it
fires at level 10 when the Windows logon-failure rule 60122 has matched three
times within 120 seconds (the tag is <if_matched_sid>; a misspelled tag will
prevent the rule file from loading).

Rule:
<group name="rdp">
  <rule id="100100" level="10" frequency="3" timeframe="120">
    <if_matched_sid>60122</if_matched_sid>
    <description>Possible RDP Attack (you can write your own message here)</description>
  </rule>
</group>
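To make the frequency/timeframe behaviour of rule 100100 concrete, here is an added example (not from the lab write-up, and not Wazuh's own code) that replays the same sliding-window correlation over constructed logon-failure alerts and reports which source address the active response would hand to netsh. It assumes frequency is an exact count and keeps the window per source IP (what adding <same_source_ip/> to the rule would do); pass same_source_ip=False to count globally, as the rule above is written.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample alerts in the shape of Wazuh's Windows logon-failure
# events. 60122 is Wazuh's "Logon failure - Unknown user or bad password";
# 999999 is a made-up, non-matching rule id used only as noise.
SAMPLE_ALERTS = [
    {"ts": "2023-11-02T10:00:00", "rule_id": 60122, "srcip": "192.168.100.3", "user": "admin"},
    {"ts": "2023-11-02T10:00:20", "rule_id": 60122, "srcip": "192.168.100.3", "user": "root"},
    {"ts": "2023-11-02T10:00:45", "rule_id": 999999, "srcip": "192.168.100.3", "user": "bob"},
    {"ts": "2023-11-02T10:01:10", "rule_id": 60122, "srcip": "192.168.100.3", "user": "test"},
    {"ts": "2023-11-02T10:10:00", "rule_id": 60122, "srcip": "192.168.100.9", "user": "guest"},
]


def correlate(alerts, matched_sid=60122, frequency=3, timeframe=120, same_source_ip=True):
    """Replica of composite rule 100100: fire when `frequency` alerts with
    rule id `matched_sid` fall inside a `timeframe`-second sliding window.

    Returns a list of (timestamp, srcip) pairs, one per triggered burst.
    Assumption: the window is cleared after a trigger so each burst yields
    one alert (Wazuh uses <ignore> for that kind of suppression).
    """
    windows = defaultdict(deque)
    triggered = []
    for alert in alerts:
        if alert["rule_id"] != matched_sid:
            continue
        key = alert["srcip"] if same_source_ip else "*"
        now = datetime.fromisoformat(alert["ts"])
        win = windows[key]
        win.append(now)
        # Evict matches older than the timeframe from the head of the window.
        while win and (now - win[0]).total_seconds() > timeframe:
            win.popleft()
        if len(win) >= frequency:
            triggered.append((alert["ts"], alert["srcip"]))
            win.clear()
    return triggered


def addresses_to_block(alerts, **kwargs):
    """Distinct source IPs the netsh active response would be asked to block."""
    return sorted({srcip for _, srcip in correlate(alerts, **kwargs)})


if __name__ == "__main__":
    for ts, ip in correlate(SAMPLE_ALERTS):
        print(f"{ts} rule 100100 fired, block candidate: {ip}")
```

Only 192.168.100.3 reaches three failures inside 120 seconds; the single failure from 192.168.100.9 never triggers the rule.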

Save the configuration file "local_rules.xml".

Now we have to add the same active-response configuration to the manager's
"ossec.conf".
Command: nano ossec.conf
Active response configuration in the "ossec.conf" file.
Add the configuration under the "netsh" command section:

Only add these lines:


<active-response>
  <disabled>no</disabled>
  <command>netsh</command>
  <location>local</location>
  <rules_id>100100</rules_id>
</active-response>

Save the "ossec.conf" file and exit from the root user.
Now we have to restart the Wazuh manager service.
Command: sudo systemctl restart wazuh-manager

Accessing the Wazuh dashboard.

In the Agents tab select "windows7".

Now perform a brute-force attack on Windows7 using the hydra tool:

Command: sudo hydra -L user.txt -P pass.txt rdp://192.168.100.20

Brute-forcing Windows7.
Go to Security Events of the Windows7 agent; here the brute-force attack is
detected and blocked.

Security Event Details:


Event Details:

-------------------THE END-------------------
Follow Me: www.linkedin.com/in/moizuddinrafay
