Successful brute force


Felix Kodzasov

Jul 31, 2023, 7:12:19 AM
to Wazuh mailing list
Good day, colleagues,
Could you please tell me if it is possible to create an alert for a successful brute force using Wazuh tools? For example, make an alert for a successful login after three unsuccessful attempts.
I tried to do this:

<group name="windows,windows_security,">
  <rule id="100001" level="12" frequency="3" timeframe="120">
    <if_matched_sid>60122</if_matched_sid>
    <field name="win.system.eventID">^529$|^4625$</field>
    <same_field>win.eventdata.targetUserName</same_field>
    <options>no_full_log</options>
    <description>Logon failure - 3 attempts.</description>
    <mitre>
      <id>T1078</id>
      <id>T1531</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="100002" level="12">
    <if_matched_sid>100001</if_matched_sid>
    <field name="win.system.eventID">^4624$</field>
    <same_field>win.eventdata.targetUserName</same_field>
    <description>Successful logon after 3 failed attempts</description>
  </rule>
</group>

but it doesn't work like that.
Can you please provide an example of such a rule bundle?

Eduardo Leon Aldazoro

Jul 31, 2023, 8:23:32 AM
to Wazuh mailing list
Hi Felix,

Yes, it is possible to create alerts for successful brute force attacks; you can achieve this by creating custom rules.

For example, to create a rule on successful login after three unsuccessful attempts, you can follow these steps:

- Identify the log entries that correspond to unsuccessful attempts; this will depend on the operating system.

- Create custom decoders to extract the relevant information of your choice.

- Write custom rules to trigger the alert.

Here's a general example of the config for the decoders and rules:

<!-- Decoders go in /var/ossec/etc/decoders/local_decoder.xml.
     With no <prematch>, the <regex> is also the match condition; the captured
     token is stored as srcip so the rules can correlate on it. -->

<!-- Custom decoder for failed login attempts -->
<decoder name="failed_login_decoder">
  <regex>Failed login from (\S+)</regex>
  <order>srcip</order>
</decoder>

<!-- Custom decoder for successful logins -->
<decoder name="success_login_decoder">
  <regex>Successful login from (\S+)</regex>
  <order>srcip</order>
</decoder>

<!-- Rules go in /var/ossec/etc/rules/local_rules.xml.
     One rule per decoded event, a frequency rule for three failures from the
     same source, and a final rule for a success from a source that already
     triggered the three-failure rule. -->
<group name="custom_rules,">
  <rule id="100001" level="5">
    <decoded_as>failed_login_decoder</decoded_as>
    <description>Failed login from $(srcip).</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="100002" level="10" frequency="3" timeframe="120">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>Three or more failed login attempts from the same source.</description>
    <group>brute_force,</group>
  </rule>

  <rule id="100003" level="3">
    <decoded_as>success_login_decoder</decoded_as>
    <description>Successful login from $(srcip).</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="100004" level="12" timeframe="300">
    <if_sid>100003</if_sid>
    <if_matched_sid>100002</if_matched_sid>
    <same_source_ip />
    <description>Successful login after three or more failed attempts</description>
    <group>brute_force,</group>
  </rule>
</group>


You will need to customize the decoders and rules to match the actual log format and conditions in your environment.

Remember to always restart the Wazuh server after changing the rules.

Hope this helps.
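Applying the steps above to the Windows Security events from the question, here is an added rule bundle written for this page; it is not code from the thread or from the Wazuh ruleset. It assumes the default ruleset IDs 60122 for a Windows logon failure (the rule the question already chains on) and 60106 for a Windows logon success, and that the agent forwards the Security channel in eventchannel format so the win.eventdata.* fields are decoded. It goes in /var/ossec/etc/rules/local_rules.xml on the manager, followed by systemctl restart wazuh-manager.

```xml
<!-- Added example, not from this thread or the Wazuh ruleset.
     Assumed default ruleset IDs: 60122 = Windows logon failure (4625),
     60106 = Windows logon success (4624). -->
<group name="windows,windows_security,">

  <!-- Stage 1: three 4625 failures for the same target account within 120 s. -->
  <rule id="100001" level="10" frequency="3" timeframe="120">
    <if_matched_sid>60122</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <description>Windows: 3 logon failures for account $(win.eventdata.targetUserName) within 120 s.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,</group>
  </rule>

  <!-- Stage 2: a 4624 success for an account that has a stage-1 alert in the
       last 300 s. if_sid anchors this rule on the success event (without it
       the rule is never evaluated for a 4624); if_matched_sid plus same_field
       do the correlation against the stored stage-1 alert. -->
  <rule id="100002" level="12" timeframe="300">
    <if_sid>60106</if_sid>
    <if_matched_sid>100001</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <!-- Optional noise filter, only network logons (LogonType 3):
         <field name="win.eventdata.logonType">^3$</field> -->
    <description>Windows: successful logon for $(win.eventdata.targetUserName) after repeated failures (possible successful brute force).</description>
    <mitre>
      <id>T1110</id>
      <id>T1078</id>
    </mitre>
    <group>authentication_success,</group>
  </rule>

</group>
```

Two things to check before trusting the alert. Stage 2 only fires when a stage-1 alert for the same account exists inside its timeframe, so confirm stage 1 actually alerts on your failures first. The ruleset documentation for frequency also notes that the counter is offset from the configured value, so measure how many 4625 events it really takes on your version before describing the rule as "3 attempts". Correlating on win.eventdata.ipAddress instead of targetUserName catches one host spraying many accounts; the logonType filter in the comment trims 4624 noise from local and service logons.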