Brute forcing Windows 11 using Wazuh active response


R Hari

Sep 11, 2023, 2:54:35 AM9/11/23
to Wazuh | Mailing List
Hello,

Environment: three separate VMs, as follows:
Wazuh manager: Ubuntu 22.04 LTS Server
Attacker endpoint: Ubuntu 22.04 LTS Server (with hydra installed for the SSH brute force attack)
Victim endpoint: Ubuntu 22.04 LTS Server

I had successfully blocked the attacker endpoint for three minutes, following this link: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/blocking-ssh-brute-force.html

This is the result:
[Screenshot: Screenshot 2023-08-29 192836.png]
Then after the three-minute timeout:
[Screenshot: Screenshot 2023-08-29 192928(markup).png]
Now I want to try with a Windows 11 VM as the victim endpoint.

This is the result:
[Screenshot: windows 11 log on wazuh .png]

Then when I tried attacking again:

Built-in Windows 11 software has blocked the attack machine, as I understand from the Wazuh security log below.

[Screenshot: windows ssh brute force.png]

But I want to block the attack machine using Wazuh active response with a timeout of two minutes, and I tried the same way as I had done with the Ubuntu victim endpoint. But it does not work at all. Could anyone help me out please?

Harshal Paliwal

Sep 11, 2023, 5:23:55 AM9/11/23
to Wazuh | Mailing List
Hi Hari

Hope you are doing well today, and thank you for using Wazuh.
Please follow the steps in this document: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/blocking-ssh-brute-force.html
When adding the <active-response> block to the Wazuh server /var/ossec/etc/ossec.conf configuration file, please change the timeout from 180 to 120:

<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5763</rules_id>
    <timeout>120</timeout>
  </active-response>
</ossec_config>

Then restart the Wazuh manager using the following command:
sudo systemctl restart wazuh-manager

Hope this will help. Please feel free to contact us for any information/issues.

Regards
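As an added example (not part of either post above), here is how the manager-side <active-response> block differs when the alerting agent is Windows rather than Ubuntu. The firewall-drop responder used in the reply is the Linux iptables script and does nothing on a Windows agent; the Windows agent ships netsh.exe under its active-response\bin directory, and the manager's default <command> list names it netsh, so the block should reference that command. The rule ID below is an assumption: RULE_ID is a placeholder for the rule.id field of the alert that fired for the Windows SSH failures in the screenshot, since rule 5763 is written for Linux sshd syslog messages.

```xml
<!-- Added example, not from the original posts. Fragment for the manager's
     /var/ossec/etc/ossec.conf when the victim agent is Windows 11. -->
<ossec_config>
  <!-- Default command definition shipped with the manager, shown for
       reference; do not add a second copy if it is already present. -->
  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <!-- netsh (Windows Firewall rule via netsh.exe) instead of firewall-drop (Linux iptables) -->
    <command>netsh</command>
    <!-- local: run on the agent that produced the alert, i.e. the Windows 11 VM -->
    <location>local</location>
    <!-- ASSUMPTION: RULE_ID is a placeholder; replace it with the rule.id of the
         alert raised by the Windows SSH failures. 5763 matches Linux sshd
         syslog messages and is not the rule that fires for a Windows agent. -->
    <rules_id>RULE_ID</rules_id>
    <!-- two minutes, as requested in the question -->
    <timeout>120</timeout>
  </active-response>
</ossec_config>
```

Restart the manager after editing (sudo systemctl restart wazuh-manager). On the Windows agent, each response and its later timeout reversal are written to C:\Program Files (x86)\ossec-agent\active-response\active-responses.log, and netsh advfirewall firewall show rule name=all lists the block rule while the timeout is running; if nothing appears there, check that the alert actually reached the level and rule ID configured above.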