Home-Lab#3: Vulnerability detection using Wazuh

Hello Everyone,

Welcome to our third Home-Lab! In this edition, we will use Wazuh to detect vulnerabilities on a Windows machine in real time. Vulnerability detection plays a pivotal role in fortifying the security posture of any system or network. Since cyber threats change so quickly, it is very important to find weaknesses before they are used against you. Wazuh helps us detect the vulnerabilities that cyber criminals could exploit. Let's begin.

Outline

  • What is Vulnerability Detection?
  • Requirement
  • Setting up Wazuh Manager
  • Adding Windows Machine to Wazuh
  • Setting up Vulnerability Detection
  • Testing
  • Need help?


What is Vulnerability Detection?

Vulnerability detection is the process of finding, recognizing, and categorizing security flaws in a system, network, application, or other computing environment. A vulnerability is a weakness or flaw in a system, network, program, or any other IT environment that attackers might be able to use to get into the system or reach its data. There are a few important terms you should know before conducting vulnerability detection using Wazuh:

  • CVE (Common Vulnerabilities and Exposures): The CVE list is a standard catalogue of publicly known vulnerabilities, with a unique identifier (CVE ID) assigned to each one. CVE IDs are used to find and keep track of specific vulnerabilities. A CVE ID looks like this: "CVE-2022-1234".
  • CVSS (Common Vulnerability Scoring System): A way to measure how severe a vulnerability is. CVSS gives each vulnerability a score that helps organizations understand how serious it is and prioritize it. The score is based on how easy the flaw is to exploit, how it affects confidentiality, integrity, and availability, and other factors. The CVSS score is a number between 0 (low severity) and 10 (high severity).


Requirement

To set up our Home-lab, we need platforms and tools as mentioned below:

  • VirtualBox
  • Windows 10 VM
  • Wazuh OVA File


Setting up Wazuh Manager

For a Home-lab, it is convenient to use the Wazuh OVA file. Download it from the official documentation page: https://documentation.wazuh.com/current/deployment-options/virtual-machine/virtual-machine.html


Import the OVA file into VirtualBox and start the virtual machine.


Now, log in to the Wazuh CLI and run ifconfig to get the IP address.

The default Wazuh CLI credentials are:

username: wazuh-user

password: wazuh

Once you have the IP address, open your favourite browser and go to https://<WAZUH_IP_ADDRESS>

Next, enter the Wazuh GUI credentials shown below:

username: admin

password: admin


Adding Windows Machine to Wazuh

If your host OS is Windows, you can install the Wazuh agent locally on the host; otherwise, download the Windows 10/11 virtual machine image from Microsoft's official website.

Step 1: Once your Windows 10 machine is ready, open the Wazuh platform in the GUI. Go to Agents and click on Deploy new agent, as shown below.


Step 2: Next, select the operating system, enter your Wazuh server address, and set your agent name as shown below.

Step 3: At the end, you will get a PowerShell script to install the agent and a command to start the Wazuh service on it, as shown below.


Step 4: Next, go to your Windows 10 machine and run the script in a PowerShell prompt.

Step 5: Next, start the Wazuh service.

Step 6: Finally, come back to your Wazuh platform and go to Agents; you should see your newly onboarded Windows agent there.


Setting up Vulnerability Detection

To enable vulnerability detection, we have to make changes on the Wazuh manager. We need to enable vulnerability detection for Windows in the ossec.conf file at /var/ossec/etc/ossec.conf. Let's open ossec.conf on the Wazuh manager with the nano editor and make sure the <enabled> tag under <vulnerability-detector> is set to yes:

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
</vulnerability-detector>

Next, restart the Wazuh manager with the command below so the new setting takes effect:

systemctl restart wazuh-manager
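Before restarting the manager it is worth checking that the edit actually landed, because a typo in ossec.conf stops wazuh-manager from coming back up. The script below is an added example (not from the article and not Wazuh's own tooling): it parses the configuration, reports whether <vulnerability-detector> is enabled, and lists which <provider> feeds are switched on. It assumes the Wazuh 4.x layout, in which ossec.conf may hold several top-level <ossec_config> blocks and the Windows update feed is the provider named "msu"; the sample configuration at the bottom is constructed for the demonstration.

```python
"""Sanity-check the vulnerability-detector section of a Wazuh ossec.conf.

Added example; not part of the article or of Wazuh. Assumes the Wazuh 4.x
configuration layout (<ossec_config> blocks containing a
<vulnerability-detector> section with <enabled> and optional <provider>
children). Run without arguments to check the constructed sample, or pass a
path such as /var/ossec/etc/ossec.conf.
"""
import sys
import xml.etree.ElementTree as ET


def parse_ossec_conf(text: str) -> ET.Element:
    """Wazuh allows more than one top-level <ossec_config> block, which is not
    well-formed XML on its own, so wrap the file in a synthetic root."""
    return ET.fromstring("<root>" + text + "</root>")


def vuln_detector_status(text: str) -> dict:
    """Collect the effective vulnerability-detector settings from config text."""
    root = parse_ossec_conf(text)
    status = {"present": False, "enabled": False, "interval": None, "providers": {}}
    for vd in root.iter("vulnerability-detector"):
        status["present"] = True
        enabled = vd.findtext("enabled", default="no").strip().lower()
        status["enabled"] = enabled == "yes"
        status["interval"] = (vd.findtext("interval") or "").strip() or None
        for prov in vd.findall("provider"):
            name = prov.get("name", "?")
            p_enabled = prov.findtext("enabled", default="no").strip().lower()
            status["providers"][name] = p_enabled == "yes"
    return status


def problems(status: dict) -> list:
    """Human-readable list of things to fix before restarting wazuh-manager."""
    out = []
    if not status["present"]:
        out.append("no <vulnerability-detector> section found")
        return out
    if not status["enabled"]:
        out.append("<enabled> under <vulnerability-detector> is not 'yes'")
    if not any(status["providers"].values()):
        out.append("no <provider> feed is enabled, so no CVE data will be fetched")
    return out


# Constructed sample: two <ossec_config> blocks, the module enabled as in the
# article, but the Windows feed (provider "msu", assumed name) switched off so
# the check reports a realistic gap instead of a tidy success.
SAMPLE_CONF = """
<ossec_config>
  <global><jsonout_output>yes</jsonout_output></global>
</ossec_config>
<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <provider name="msu">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_CONF
    current = vuln_detector_status(text)
    print(current)
    for issue in problems(current):
        print("WARNING:", issue)
```

If the parser raises a ParseError, the file itself is broken XML and the manager would refuse to start; fix that before running systemctl restart.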


Testing

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Vulnerability detector module, select an agent and click on any vulnerability.

You can also filter vulnerabilities by CVE ID and generate a report.
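The same data the dashboard shows is written by the manager to /var/ossec/logs/alerts/alerts.json, one JSON object per line. The script below is an added example (not from the article and not Wazuh code) that ties the CVE and CVSS terms from the introduction to the Testing step: it reads alert lines, keeps only vulnerability-detector alerts with a well-formed CVE ID, maps each CVSS v3 base score to its qualitative band, filters by CVE ID, and builds a per-agent report sorted by score. The field names it reads (agent.name, data.vulnerability.cve, data.vulnerability.severity, data.vulnerability.status, data.vulnerability.package.name, data.vulnerability.cvss.cvss3.base_score) are assumed from the Wazuh 4.x alert layout, and the sample alerts, agent names, package names and CVE numbers are constructed placeholders.

```python
"""Triage Wazuh vulnerability-detector alerts from alerts.json lines.

Added example, not part of the article or of Wazuh. Field names are assumed
from the Wazuh 4.x alert layout; check them against your own alerts.json.
"""
import json
import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE ID syntax, e.g. CVE-2022-1234


def cvss_band(score):
    """CVSS v3.x qualitative rating for a base score."""
    if score is None:
        return "Unknown"
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_alerts(lines):
    """Turn alerts.json lines into a flat list of findings, skipping alerts
    from other rules, malformed (e.g. half-written) lines and bad CVE IDs."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            alert = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partially written line at the tail of a live file
        vuln = alert.get("data", {}).get("vulnerability")
        if not isinstance(vuln, dict):
            continue  # some other rule fired, not the vulnerability detector
        cve = str(vuln.get("cve", "")).upper()
        if not CVE_RE.match(cve):
            continue
        raw_score = vuln.get("cvss", {}).get("cvss3", {}).get("base_score")
        try:
            score = float(raw_score) if raw_score is not None else None
        except (TypeError, ValueError):
            score = None  # feed sometimes ships scores as strings or omits them
        findings.append({
            "agent": alert.get("agent", {}).get("name", "unknown"),
            "cve": cve,
            "package": vuln.get("package", {}).get("name", "?"),
            "version": vuln.get("package", {}).get("version", "?"),
            "severity": vuln.get("severity", "Unknown"),
            "score": score,
            "band": cvss_band(score),
            "status": vuln.get("status", "Active"),
        })
    return findings


def filter_by_cve(findings, cve_id):
    """Case-insensitive lookup of one CVE ID across all agents."""
    cve_id = cve_id.upper()
    return [f for f in findings if f["cve"] == cve_id]


def report(findings, active_only=True):
    """Per-agent report, highest CVSS first; 'Solved' entries dropped by default."""
    per_agent = defaultdict(list)
    for f in findings:
        if active_only and f["status"] != "Active":
            continue
        per_agent[f["agent"]].append(f)
    for items in per_agent.values():
        items.sort(key=lambda f: (-(f["score"] if f["score"] is not None else -1.0), f["cve"]))
    return dict(per_agent)


# Constructed sample lines: three vulnerability alerts for one Windows agent
# (one already patched), a non-vulnerability alert, one alert for a second
# agent and a truncated line. CVE numbers here are placeholders.
SAMPLE_ALERTS = """
{"timestamp":"2023-09-01T10:00:00.000+0000","rule":{"id":"23505","level":10},"agent":{"id":"001","name":"win10-lab"},"data":{"vulnerability":{"cve":"CVE-2022-1234","severity":"High","status":"Active","package":{"name":"example-browser","version":"100.0"},"cvss":{"cvss3":{"base_score":7.8}}}}}
{"timestamp":"2023-09-01T10:00:01.000+0000","rule":{"id":"23506","level":13},"agent":{"id":"001","name":"win10-lab"},"data":{"vulnerability":{"cve":"CVE-2023-0000","severity":"Critical","status":"Active","package":{"name":"example-runtime","version":"2.1"},"cvss":{"cvss3":{"base_score":"9.8"}}}}}
{"timestamp":"2023-09-01T10:00:02.000+0000","rule":{"id":"23504","level":7},"agent":{"id":"001","name":"win10-lab"},"data":{"vulnerability":{"cve":"CVE-2021-0000","severity":"Medium","status":"Solved","package":{"name":"example-tool","version":"3.0"},"cvss":{"cvss3":{"base_score":5.3}}}}}
{"timestamp":"2023-09-01T10:00:03.000+0000","rule":{"id":"5501","level":3,"description":"PAM: Login session opened."},"agent":{"id":"000","name":"wazuh-manager"},"data":{"dstuser":"wazuh-user"}}
{"timestamp":"2023-09-01T10:00:04.000+0000","rule":{"id":"23505","level":10},"agent":{"id":"002","name":"srv-lab"},"data":{"vulnerability":{"cve":"CVE-2022-1234","severity":"High","status":"Active","package":{"name":"example-browser","version":"100.0"},"cvss":{"cvss3":{"base_score":7.8}}}}}
{"timestamp":"2023-09-01T10:00:05.000+0000","rule":{"id":"23505"
"""

if __name__ == "__main__":
    found = parse_alerts(SAMPLE_ALERTS.splitlines())
    for agent, items in report(found).items():
        print(agent)
        for f in items:
            print(f"  {f['cve']:<16} {f['band']:<9} {f['score']}  {f['package']} {f['version']}")
    print("hosts affected by CVE-2022-1234:", sorted({f['agent'] for f in filter_by_cve(found, 'cve-2022-1234')}))
```

To run it against a real manager, replace SAMPLE_ALERTS.splitlines() with the lines of /var/ossec/logs/alerts/alerts.json; dropping the "Solved" entries by default keeps the report focused on what is still exploitable on each agent.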

That's all for today.

See you next week.


Whenever you're ready, there are 2 ways I can help you:



  1. If you are an aspiring cybersecurity engineer or a cybersecurity beginner, I'd recommend my Ultimate SOC Analyst Bundle: a set of 11+ courses to transform your career into the most in-demand cybersecurity job, with real-world tools, assessments and labs.
  2. Need help building an open-source SOC, SOAR, automated threat intelligence, red team or security integration? DM me on LinkedIn directly.







SAIDI PHIRI

Project Management | Information and Cyber Security Enthusiast | Database and System Administrator | Data Engineer

1 year

Thank you very much Rajneesh G. for sharing, this is very interesting and educative

TARIK HIDAR

Expert Cybersecurity Trainer/Cisco | University lecturer, PhD in computer science, state engineer in networks and telecoms

1 year

Thanks Rajneesh G. for the sharing, it's very interesting. Just to add some things to troubleshoot Wazuh if the vulnerabilities scan does not enable: you can force the scanning by the following steps. You must first search the ID of the Wazuh agent by the following command: sudo /var/ossec/bin/manage_agents -l. Then, you can force the scan with: sudo /var/ossec/bin/wazuh-vuln-scan -i <ID_de_l'agent>. If it works it's OK; if not, try to go to the file /var/ossec/etc/shared/default/agent.conf in the Wazuh server and add the following block:

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <os>yes</os>
  <packages>yes</packages>
  <hotfixes>yes</hotfixes>
</wodle>

MOHD ABDUL JAMEEL

Security Engineer @techolution | Cloud Security Engineer | Aspiring CISO | Application Security | SOC - XDR | VAPT | AWSx2 | Azure | GCPx1 |

1 year

Thank you Rajneesh G. for sharing this amazing newsletter, it helped me a lot
