Simulated three distinct attack scenarios against a live Wazuh SIEM environment — network reconnaissance, SSH brute force, and Metasploit-based credential attacks — capturing real detections and analyzing them as a SOC analyst would in production.
Executed an aggressive Nmap SYN scan against the Windows 11 workstation (192.168.56.1) across Nmap's default set of the 1,000 most common TCP ports, with -A enabling OS detection, service version enumeration, default script scanning and traceroute.
```
# Aggressive SYN scan from Kali (-sS needs root for raw SYN packets)
nmap -sS -A 192.168.56.1

# Results (abridged)
PORT     STATE SERVICE
8080/tcp open  http    Apache Tomcat (en)
OS: Windows 11 21H2 (91%)
Distance: 1 hop
```
Wazuh surfaced the scan through rootcheck anomaly rules on the Kali agent and through port status change events, not through a dedicated port-scan signature. The scan exposed an Apache Tomcat instance on port 8080, the one service a real engagement would prioritise. Windows Firewall reported 999 of the 1,000 probed ports as filtered, meaning the probes were dropped without a reply, which is effective host-based defence.
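To show what a SIEM-side detection of this scan looks like when the defender has the target's own firewall logs, here is an added example (my code, not part of the original write-up or of Wazuh): it parses Windows Firewall log lines in the pfirewall.log W3C format and raises a T1046 alert when one source touches many distinct ports on one host inside a short window. It assumes firewall logging of dropped and allowed connections was enabled on the workstation, which the lab above does not state; the log lines, the 20-port threshold and the 60-second window are constructed for illustration.

```python
"""Port-scan detection over Windows Firewall log lines (T1046).

Added example, not code from the original write-up. It assumes Windows
Firewall logging (pfirewall.log, W3C format) is enabled on the scanned host
and that the lines reach the SIEM; every log line below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

TARGET = "192.168.56.1"


def _fw_line(ts, action, src, sport, dport):
    # pfirewall.log record: date time action protocol src-ip dst-ip src-port dst-port ...
    return f"{ts} {action} TCP {src} {TARGET} {sport} {dport} 44 S 1 0 1024 - - - RECEIVE"


# Constructed sample: a scanner probing 31 ports in ~30 s (30 dropped, one allowed
# through to Tomcat on 8080) and a benign client that only ever talks to 8080.
SAMPLE_LOG = [
    "#Version: 1.5",
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
]
SAMPLE_LOG += [_fw_line(f"2025-01-10 19:40:{i:02d}", "DROP", "192.168.56.102", 51000 + i, 20 + i)
               for i in range(30)]
SAMPLE_LOG.append(_fw_line("2025-01-10 19:40:31", "ALLOW", "192.168.56.102", 51031, 8080))
SAMPLE_LOG += [_fw_line(f"2025-01-10 19:40:{i:02d}", "ALLOW", "192.168.56.50", 40000 + i, 8080)
               for i in range(10)]


def parse_firewall_log(lines):
    """Turn pfirewall.log text into event dicts; header and comment lines are skipped."""
    events = []
    for raw in lines:
        if not raw or raw.startswith("#"):
            continue
        f = raw.split()
        if len(f) < 8 or not f[7].isdigit():
            continue  # ICMP and malformed records carry no destination port
        events.append({
            "ts": datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"),
            "action": f[2], "proto": f[3], "src": f[4], "dst": f[5], "dport": int(f[7]),
        })
    return events


def detect_port_scans(events, threshold=20, window=timedelta(seconds=60)):
    """Alert when one source touches >= `threshold` distinct ports on one host within `window`.

    Thresholds are illustrative; tune them to the environment's normal fan-out."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            if len({x["dport"] for x in evs[start:end + 1]}) >= threshold:
                alerts.append({
                    "technique": "T1046", "src": src, "dst": dst,
                    "distinct_ports": len({x["dport"] for x in evs}),
                    "allowed_ports": sorted({x["dport"] for x in evs if x["action"] == "ALLOW"}),
                    "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"],
                })
                break  # one alert per source/destination pair
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(parse_firewall_log(SAMPLE_LOG)):
        print(a)
```

The benign client never trips the rule because it keeps hitting a single port; the scanner does, and the alert carries the one port the firewall let through, which is exactly the Tomcat exposure an analyst would chase first.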
MITRE ATT&CK: T1046 — Network Service Discovery
Nmap -sS -A scan results — port 8080 open (Apache Tomcat), OS detected as Windows 11 21H2 (91% confidence)
Launched a dictionary attack against the root account on the Wazuh server's SSH service (192.168.56.101) with Hydra and the rockyou.txt wordlist: 196 password attempts over 4 parallel connections in roughly 3 minutes (about 73 tries per minute).
```
# Hydra SSH brute force
hydra -l root \
  -P /usr/share/wordlists/rockyou.txt \
  192.168.56.101 ssh -t 4

# Output
[DATA] attacking ssh://192.168.56.101:22
[STATUS] 73 tries/min
196 login tries attempted
```
Wazuh fired its level 10 SSH brute force rule (5763) within seconds of the attack starting. The rule does not match a single log line; it counts repeated sshd authentication failures from one source inside a short timeframe and raises one alert for the burst, which is how a SOC tool separates a brute force or credential-stuffing campaign from a user mistyping a password.
MITRE ATT&CK: T1110.001 — Brute Force: Password Guessing
Used the Metasploit Framework's auxiliary/scanner/ssh/ssh_login module for a second wave of credential attacks against the same target, to show that Wazuh detects the behaviour rather than the specific tool.
```
# Metasploit SSH login scanner
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.56.101
set USERNAME root
set PASS_FILE /usr/share/wordlists/rockyou.txt
set THREADS 4
run

[*] Starting bruteforce
[*] Testing User/Pass combinations
```
Rule 5763 fired again. Wazuh never saw Hydra or Metasploit; it saw the target's sshd logging a run of failed passwords from 192.168.56.102, so any tool that produces that pattern trips the same rule. The dashboard timeline showed two distinct clusters of level 10 alerts, the Hydra run at about 19:46 and the Metasploit run at about 20:57, which a SOC analyst would read as two separate campaigns against the same host.
MITRE ATT&CK: T1110.001 — Brute Force: Password Guessing
Wazuh Threat Hunting filtered to rule 5763 — 6 hits across 24 hours showing two distinct attack campaigns (Hydra + Metasploit), all level 10
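The correlation rule 5763 performs, written out as an added example in Python (my code, not Wazuh's rule engine): a single "Failed password" line is the parent event, a burst of them from one source inside the timeframe becomes one level 10 alert, and repeats from that source are then suppressed for a short ignore period. The 8-failures-in-120-seconds and 60-second-ignore values mirror the stock sshd ruleset as I recall it and should be checked against sshd_rules.xml in your deployment; the auth.log lines are constructed to reproduce the two bursts above, and the year handed to the syslog parser is an assumption because classic syslog timestamps omit it.

```python
"""Frequency correlation of sshd authentication failures, modelled on Wazuh rule 5763.

Added example, not Wazuh's own code. Rule 5763 in the stock sshd ruleset fires
when its parent rule (a single 'Failed password' line) matches repeatedly from
one source; the frequency, timeframe and ignore values below mirror that
ruleset as I understand it (assumption: verify against sshd_rules.xml). The
auth.log lines are constructed to reproduce the two bursts in the write-up."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)


def _failed(ts, user, src, port):
    return f"{ts} wazuh sshd[2210]: Failed password for {user} from {src} port {port} ssh2"


# Constructed sample: Hydra burst at 19:46, a lone typo from another LAN host,
# the Metasploit burst at 20:57, and an unrelated successful key login.
SAMPLE_AUTH_LOG = (
    [_failed(f"Jan 10 19:46:{s:02d}", "root", "192.168.56.102", 40000 + s) for s in range(12)]
    + ["Jan 10 19:50:12 wazuh sshd[2300]: Failed password for bob from 192.168.56.50 port 50123 ssh2"]
    + [_failed(f"Jan 10 20:57:{s:02d}", "root", "192.168.56.102", 41000 + s) for s in range(12)]
    + ["Jan 10 21:00:00 wazuh sshd[2400]: Accepted publickey for bob from 192.168.56.50 port 50124 ssh2"]
)


def parse_syslog_ts(text, year=2025):
    # Classic syslog timestamps carry no year; the caller supplies it (assumed 2025 here).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def correlate_brute_force(lines, frequency=8, timeframe=120, ignore=60):
    """Emit one level 10 alert per source once `frequency` failures land within
    `timeframe` seconds, then suppress repeats from that source for `ignore` seconds."""
    window = timedelta(seconds=timeframe)
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    muted_until = {}              # src -> time until which a fresh alert is suppressed
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # only 'Failed password' lines feed the counter
        ts, src = parse_syslog_ts(m["ts"]), m["src"]
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop failures older than the timeframe
        if ts < muted_until.get(src, ts):
            continue              # inside the ignore period after a previous alert
        if len(q) >= frequency:
            alerts.append({
                "rule": 5763, "level": 10, "technique": "T1110.001", "src": src,
                "user": m["user"], "failures": len(q), "first": q[0], "last": ts,
            })
            muted_until[src] = ts + timedelta(seconds=ignore)
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in correlate_brute_force(SAMPLE_AUTH_LOG):
        print(f"rule {a['rule']} level {a['level']}: {a['failures']} failures for "
              f"{a['user']} from {a['src']} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Run against the constructed log it yields exactly two alerts, one per burst, and nothing for the single failure from the other host; the tool that generated the failures never enters the logic, which is the point made above.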
If this were a production SOC environment, here's how I would triage and respond to these alerts:
Rule 5763 at level 10 would open a ticket immediately. Identify the source IP (192.168.56.102, the Kali box), correlate it with other events in the same time window, check whether any login from that source succeeded (rule 5715, sshd authentication success), and block the source IP at the firewall.
Check for successful authentications after the brute force (rule 5715), then for lateral movement indicators from the target. Determine whether the source IP is internal (a compromised host or insider) or external (a perimeter breach), and timeline the full attack chain.
Isolate the affected host if compromise is confirmed. Reset credentials for the targeted accounts. Enable fail2ban or an equivalent automatic blocker in front of the SSH service. Review the other services on the same host for similar exposure.
Disable root SSH login (PermitRootLogin no in sshd_config) and allow key-based authentication only (PasswordAuthentication no). Configure account lockout after repeated failures (for example pam_faillock on Linux). Restrict SSH by source network or geography where access patterns are predictable. Document and close the incident ticket.
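The triage above as an added example (my code, not part of the original write-up or of Wazuh's tooling) over records shaped like Wazuh's alerts.json: it groups rule 5763 alerts per source and host, splits them into campaigns by time gap, looks for a rule 5715 success from the same source within a follow-up window, classifies the source against the lab's internal range, and returns the action list an analyst would work through. All alert records are constructed, including a hypothetical external source 203.0.113.7 whose brute force is followed by a successful login; the 192.168.56.0/24 internal range, the 10-minute campaign gap and the 30-minute follow-up window are assumptions.

```python
"""Triage of Wazuh brute-force alerts: campaigns, follow-on success, source classification.

Added example, not part of the original write-up or of Wazuh. It works on
records shaped like Wazuh's alerts.json (rule.id, agent.name, data.srcip,
data.srcuser, timestamp); every record below is constructed, and the internal
range, follow-up window and campaign gap are illustrative assumptions."""
import ipaddress
from datetime import datetime, timedelta

# Assumed internal address space: the lab's host-only network.
INTERNAL_NETS = [ipaddress.ip_network("192.168.56.0/24")]


def _alert(ts, rule_id, level, src, user, host="wazuh"):
    return {"timestamp": ts, "rule": {"id": rule_id, "level": level},
            "agent": {"name": host}, "data": {"srcip": src, "srcuser": user}}


# Constructed: the two lab campaigns from the Kali box (no success), a normal
# login from another LAN host, and a hypothetical external source whose brute
# force is followed by a successful login.
SAMPLE_ALERTS = [
    _alert("2025-01-10T19:46:07.000+0000", "5763", 10, "192.168.56.102", "root"),
    _alert("2025-01-10T19:47:10.000+0000", "5763", 10, "192.168.56.102", "root"),
    _alert("2025-01-10T20:57:07.000+0000", "5763", 10, "192.168.56.102", "root"),
    _alert("2025-01-10T21:10:00.000+0000", "5715", 3, "192.168.56.50", "bob"),
    _alert("2025-01-10T22:03:00.000+0000", "5763", 10, "203.0.113.7", "admin"),
    _alert("2025-01-10T22:05:30.000+0000", "5715", 3, "203.0.113.7", "admin"),
]


def _ts(alert):
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_brute_force(alerts, follow_up=timedelta(minutes=30), campaign_gap=timedelta(minutes=10)):
    """Group rule 5763 alerts per (source, host), check for a rule 5715 success from
    the same source inside `follow_up`, and return a triage record with actions."""
    successes = [a for a in alerts if a["rule"]["id"] == "5715"]
    cases = {}
    for a in sorted((a for a in alerts if a["rule"]["id"] == "5763"), key=_ts):
        src, host, t = a["data"]["srcip"], a["agent"]["name"], _ts(a)
        case = cases.setdefault((src, host), {
            "src": src, "host": host, "internal": is_internal(src),
            "alerts": 0, "campaigns": 0, "last_alert": None,
            "targeted_users": set(), "successful_logins": set(),
        })
        case["alerts"] += 1
        if case["last_alert"] is None or t - case["last_alert"] > campaign_gap:
            case["campaigns"] += 1          # a long quiet gap starts a new campaign
        case["last_alert"] = t
        case["targeted_users"].add(a["data"]["srcuser"])
        for s in successes:                 # did the same source get in afterwards?
            if (s["data"]["srcip"], s["agent"]["name"]) == (src, host) and t <= _ts(s) <= t + follow_up:
                case["successful_logins"].add((s["timestamp"], s["data"]["srcuser"]))
    for case in cases.values():
        case["targeted_users"] = sorted(case["targeted_users"])
        case["successful_logins"] = sorted(case["successful_logins"])
        actions = [f"block {case['src']} at the firewall",
                   "correlate other events from this source in the same window"]
        if case["successful_logins"]:
            case["status"] = "compromise suspected"
            actions += [f"isolate {case['host']}",
                        "reset credentials: " + ", ".join(case["targeted_users"]),
                        "hunt for lateral movement from the host"]
        else:
            case["status"] = "failed brute force"
        actions.append("treat source as a compromised insider" if case["internal"]
                       else "treat source as a perimeter breach")
        case["actions"] = actions
    return cases


if __name__ == "__main__":
    for case in triage_brute_force(SAMPLE_ALERTS).values():
        print(case["src"], case["status"], case["campaigns"], "campaign(s)", case["actions"])
```

On the constructed data the Kali source resolves to a failed brute force with two campaigns (three alerts, the first two inside one burst), while the external source gets the containment and credential-reset actions because a 5715 success from it landed inside the follow-up window. The internal-range check is deliberately an explicit allow-list rather than ipaddress's is_private, because reserved documentation ranges such as 203.0.113.0/24 are reported as private by that property.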