Blue Teaming with Wazuh The Open Source Security Platform: Part 1

Daniel Edwards
7 min read · Aug 9, 2023


What’s going on everyone! Hope you all have been enjoying the Summer, soaking in all those good vibes, getting outside and enjoying a lil’ drinky drink! Today we will be discussing Wazuh: how to install it and how it can be used to monitor your on-prem and/or virtual devices!

What is Wazuh?

Wazuh is an open source security platform that can be deployed on prem and/or in the cloud to monitor activity on all your workstations and servers. It does so by installing agents on your systems that ship event logs back to the Wazuh manager, which then works as a SIEM (Security Information and Event Management): it ingests and correlates the logs, raises alerts and lets you build detections against adversarial network/system activity. Here is the installation guide. Also, Network Chuck has a $100, 60 day credit for using his link to register with Linode.

Today, we will be installing Wazuh in the cloud via the Linode platform and deploying the agents to Kali, CentOS and Ubuntu machines, so please ensure that you use the link to get $100 usage for two months! With that amount you might as well go with a semi-decent amount of RAM!

Hardware Requirements

Tailor to your needs! The Wazuh installation guide linked above lists the minimum RAM and CPU for an all-in-one deployment (manager, indexer and dashboard on one host), and this lab only ever runs a handful of agents, so a mid-sized plan is enough.

Wazuh Setup

In the left pane, select the Marketplace at the bottom, search for “Wazuh” and fill in the following info:

  1. Email address
  2. limited sudo user
  3. password for the limited user
  4. Public SSH key to be used
  5. And whether or not to allow root access over SSH

The API token, domain and sub-domain items are optional.

  1. Select the image you would like to use, I just chose Ubuntu 22.04 LTS
  2. Select your region, be sure to select the region closest to you! I’m in the DMV so I chose Washington, DC
  3. For your Linode Plan, remember you have a $100 credit, if you selected the link, so choose the plan that will give you the best bang for your buck!
  4. Paste in your public SSH key. If you don’t know how to do that, check out my guide on creating your SSH keys and remediating common issues.

Once you’ve selected your specs, you will be brought to the following screen. Here you will be given all the info to log into your machine. It may take a few minutes for your machine to finish provisioning, when it does it should say “Running” with the green circle in the upper left corner as depicted below.

Use either SSH or the “Launch LISH Console” button to log in. Wazuh may not be done installing yet, so type htop to watch the installer processes.

After about 5 minutes it should be done. Now it’s time to grab your passwords: issue ls -la to find the file “.deployment-secrets.txt”. This text file contains all the passwords you need for your project. Copy them into your password manager and then remove the file (or at the very least chmod 600 it), so the admin credentials for your SIEM are not left sitting in a home directory.

Logging into Wazuh home page

We’re going to use the admin credentials to log into the Wazuh homepage. First navigate to your summary page and select “Network” from the row of options. Then look for “Reverse DNS”, copy this address and paste it into your browser (use https; unless you configured a domain during setup, the dashboard presents a self-signed certificate, so expect a browser warning). Reference the below picture for guidance:

Homepage

After you log on, you will be brought to this page. I enabled dark mode on my dashboard, and I know a lot of you will want to do the same: select the “hamburger” icon in the upper left corner, near the home page button. Scroll down to Management, then select Stack Management -> Advanced Settings. In the search bar, type “Dark” and the option will appear. Simply toggle the selection to the right to enable.

While there are many things to explore right out of the box, it would be best to install agents so we can ship endpoint logs into Wazuh. Doing so will add further context and help build the “story” when looking at suspect events and systems.

Installing Agents

So what are agents? At a high level, agents are small programs deployed to a number of endpoints to execute/perform a function such as gathering logs, beaconing back to a server and/or establishing a foothold. The last two are typical actions of a Red Team implant or of an Advanced Persistent Threat group (APT) such as APT29, learn more here!

For our purposes, blue teaming (defense), we want to send logs from our machines to our SIEM so that we can monitor, alert and build detections against adversarial activity. We will install agents on Kali Linux, Ubuntu and CentOS. I’m sure you can see where this is going; we will use Kali to attack the other two and observe the logs captured by Wazuh!

The process is nearly the same for all Linux machines, barring the type of package you want to download. From the homepage, select “Add agent”. It should be highlighted in a brownish, yellow tint with the following warning message, “No agents were added to the manager”.

Sometimes you may be taken to the page directly below. Other times you will be taken to the “Deploy New Agent” page, like so. I don’t know why this happens but I figured to point it out. On the second depiction, click the “show more” dropdown to reveal more operating system distributions. When you select your operating system, you will then choose the version and architecture.

The Wazuh server address will be the FQDN specified under “Reverse DNS”. The agent enrolls against the manager on TCP 1515 and then reports on TCP 1514, so both ports must be reachable from the endpoint through any Linode firewall you attach to the instance; if the agent never shows up as active, that is the first thing to check.

If you need to restart the agent deployment process and remove the agent you just deployed, take a look at the following Wazuh guide.

Verify the agent was successfully deployed. At the top, select the down arrow dropdown between “Wazuh” and “Modules”, select agents. And our Kali agent deployment was successful!
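The dashboard’s “Deploy new agent” page hands you a one-liner to paste onto each endpoint. The script below is an added example (not from the post or from the Wazuh project) that reproduces that step as reviewable shell functions for the three distros used here: it picks deb versus rpm from /etc/os-release, composes the install command with the WAZUH_MANAGER / WAZUH_AGENT_NAME variables the Wazuh packages read at install time, and prints the commands that start the service and confirm enrollment from both sides. The agent version, the manager FQDN manager.example.com and the agent name kali-attacker are placeholders, and the os-release contents used in the demo are constructed, not captured from a real host.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or the Wazuh project.
# Assumptions (placeholders): agent package 4.5.0-1 and a manager FQDN passed
# on the command line (the Linode "Reverse DNS" name).
set -eu

WAZUH_VERSION="${WAZUH_VERSION:-4.5.0-1}"

# Classify the distro from an os-release file. Kali and Ubuntu carry
# ID_LIKE=debian, CentOS carries ID_LIKE="rhel fedora". Prints deb or rpm;
# returns 1 for anything this script does not know how to package.
pkg_type() {
  os_release="${1:-/etc/os-release}"
  os_id=$(sed -n 's/^ID=//p' "$os_release" | tr -d '"')
  os_like=$(sed -n 's/^ID_LIKE=//p' "$os_release" | tr -d '"')
  case " $os_id $os_like " in
    *debian*|*ubuntu*|*kali*) echo deb ;;
    *rhel*|*centos*|*fedora*) echo rpm ;;
    *) return 1 ;;
  esac
}

# Compose (but do not run) the install command. URLs follow the 4.x layout of
# packages.wazuh.com. WAZUH_REGISTRATION_PASSWORD is only needed when the
# manager's authd has use_password enabled; without it, anyone who can reach
# TCP 1515 can enroll an agent, so enable it on anything internet-facing.
install_cmd() {
  manager="$1"; name="$2"; pkgtype="$3"
  creds="WAZUH_MANAGER='$manager' WAZUH_AGENT_NAME='$name'"
  if [ -n "${WAZUH_REGISTRATION_PASSWORD:-}" ]; then
    creds="$creds WAZUH_REGISTRATION_PASSWORD='$WAZUH_REGISTRATION_PASSWORD'"
  fi
  case "$pkgtype" in
    deb)
      pkg="wazuh-agent_${WAZUH_VERSION}_amd64.deb"
      echo "wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/$pkg && sudo $creds dpkg -i ./$pkg" ;;
    rpm)
      echo "sudo $creds rpm -ihv https://packages.wazuh.com/4.x/yum/wazuh-agent-${WAZUH_VERSION}.x86_64.rpm" ;;
    *) return 1 ;;
  esac
}

# Commands that start the agent and let you confirm enrollment on each side.
post_install_cmds() {
  cat <<'EOF'
sudo systemctl daemon-reload && sudo systemctl enable --now wazuh-agent
sudo /var/ossec/bin/wazuh-control status   # on the agent
sudo /var/ossec/bin/agent_control -lc      # on the manager: lists connected agents
EOF
}

# usage: ./enroll.sh <manager-fqdn> <agent-name> [--run]
# Prints the plan by default; --run executes the install on this host.
main() {
  [ $# -ge 2 ] || { echo "usage: $0 <manager-fqdn> <agent-name> [--run]" >&2; return 2; }
  pkgtype=$(pkg_type) || { echo "unsupported distro" >&2; return 1; }
  cmd=$(install_cmd "$1" "$2" "$pkgtype")
  echo "$cmd"; post_install_cmds
  if [ "${3:-}" = "--run" ]; then
    eval "$cmd"
    sudo systemctl daemon-reload && sudo systemctl enable --now wazuh-agent
    sudo /var/ossec/bin/wazuh-control status
  fi
}

# With no arguments: demo against a constructed Kali os-release (nothing is installed).
if [ $# -eq 0 ]; then
  demo=$(mktemp); printf 'ID=kali\nID_LIKE=debian\n' > "$demo"
  install_cmd manager.example.com kali-attacker "$(pkg_type "$demo")"
  rm -f "$demo"
else
  main "$@"
fi
```

Run it with no arguments to see the command it would compose for Kali, or as `./enroll.sh <manager-fqdn> <agent-name> --run` on the endpoint itself. If agent_control on the manager lists the new host as Active, the “Agents” page in the dashboard will show it too.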

Kali Agent

In the Agents pane, go to Actions. The eye icon is “Open summary panel for this agent” and the wrench icon is “Open configuration for this agent”, these two options will give us a better understanding of our agent.

For the summary panel, we can see what Wazuh provides right out of the box such as MITRE ATT&CK techniques, compliance mappings and much more!

It even links to the specific MITRE ATT&CK technique details!

The configuration icon presents options to modify audit and policy monitoring and log data analysis configurations.

Scroll down to “Log data analysis”. Here you can see exactly what logs are being collected and monitored by Wazuh. You can also view these logs in JSON or XML, whichever you prefer!

Now install the agent on CentOS and Ubuntu. One thing to note: in order for Wazuh to detect and report vulnerabilities you must enable the module in the Manager’s configuration, since it ships turned off. Go to Management -> Configuration -> Edit Configuration. Search for the vulnerability-detector block and set its top-level enabled tag to yes, as below. The providers inside that block (canonical for Ubuntu, redhat for CentOS, and so on) each have their own enabled tag, so switch on the ones that match the distributions you are monitoring as well:

Be sure to save and restart the manager so your config changes take effect.
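Because every provider inside the vulnerability-detector block carries its own enabled tag, a quick grep for “enabled yes” in ossec.conf does not tell you whether the module itself is on. The script below is an added example (not from the post or from the Wazuh project) that reads only the module-level switch, flips it from no to yes without touching the providers, and shows the naive count beside it for contrast. It assumes the Wazuh 4.x configuration layout current when the post was written (4.8 renamed the block to vulnerability-detection) and the default config path /var/ossec/etc/ossec.conf; the sample configuration embedded in it is constructed to mirror the stock block, not copied from a real manager.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or the Wazuh project.
# Assumptions: Wazuh 4.x <vulnerability-detector> layout, config at the default path.
set -eu

CONF="${CONF:-/var/ossec/etc/ossec.conf}"

# Constructed sample mirroring the stock 4.x block: module off, two providers on.
SAMPLE_CONF='<ossec_config>
  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>7</os>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
</ossec_config>'

# Print the module-level <enabled> value (yes/no), skipping <enabled> tags that
# sit inside <provider> elements. Prints "absent" when there is no block at all.
vd_enabled() {
  awk '
    /<vulnerability-detector>/   { inblk = 1; next }
    /<\/vulnerability-detector>/ { inblk = 0 }
    inblk && /<provider/         { inprov = 1 }
    inblk && /<\/provider>/      { inprov = 0; next }
    inblk && !inprov && /<enabled>/ {
      gsub(/.*<enabled>|<\/enabled>.*/, ""); print; found = 1; exit
    }
    END { if (!found) print "absent" }
  ' "$1"
}

# The naive check for comparison: counts every <enabled>yes</enabled> in the file,
# which is non-zero even when the module itself is off.
naive_enabled_count() { grep -c '<enabled>yes</enabled>' "$1" || true; }

# Rewrite the file so the module-level switch reads yes; providers are untouched.
# Writing back with cat (not mv) keeps the file's wazuh:wazuh ownership and mode.
enable_vd() {
  tmp=$(mktemp)
  awk '
    /<vulnerability-detector>/   { inblk = 1 }
    /<\/vulnerability-detector>/ { inblk = 0 }
    inblk && /<provider/         { inprov = 1 }
    inblk && /<\/provider>/      { inprov = 0 }
    inblk && !inprov && !done && /<enabled>no<\/enabled>/ {
      sub(/<enabled>no<\/enabled>/, "<enabled>yes</enabled>"); done = 1
    }
    { print }
  ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# usage: ./vd.sh            demo on the constructed sample
#        ./vd.sh check      report the module switch in the real config
#        ./vd.sh enable     flip it in the real config, then restart the manager
case "${1:-demo}" in
  demo)
    f=$(mktemp); printf '%s\n' "$SAMPLE_CONF" > "$f"
    echo "module: $(vd_enabled "$f")   naive count of enabled=yes: $(naive_enabled_count "$f")"
    enable_vd "$f"
    echo "after enable_vd -> module: $(vd_enabled "$f")"
    rm -f "$f" ;;
  check)  echo "module: $(vd_enabled "$CONF")" ;;
  enable) enable_vd "$CONF" && sudo systemctl restart wazuh-manager ;;
esac
```

Run it with no arguments to see the sample go from module off (naive count 2) to module on; `./vd.sh enable` performs the same edit on the live ossec.conf and restarts wazuh-manager, which is the step the dashboard’s “Save” and “Restart” buttons do for you. Restarting is required: the manager only reads ossec.conf at start.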

I added a Suricata machine on Ubuntu a few days later. HackerSploit did an awesome YouTube demo about integrating Suricata into Wazuh, check it out and give them a follow!

Depicting Kali, Ubuntu, CentOS and Suricata

In the next part of this series, I will be conducting attacks against Ubuntu, CentOS as well as my Wazuh Manager and detecting the traffic via Suricata. This will give us a good insight into Wazuh’s capabilities and help us build detections. In part 2 we carry out brute force attacks and create custom alerts for Slack notifications!


Daniel Edwards

Padawan Pentester and dabbler in many things infosec related