Real-world incident response scenarios from my home lab — each one documented with full investigation methodology, MITRE ATT&CK mapping, and remediation recommendations.
Wazuh SIEM Home Lab · Dec 2024
Detected and responded to a simulated SSH brute force attack (487 attempts in 90 seconds) using Wazuh SIEM. Investigated log evidence, confirmed no successful authentication, blocked the attacker IP, and documented hardening recommendations.
487 failed SSH authentication attempts detected from 192.168.56.101 in 90 seconds. Wazuh dashboard showed a spike in authentication failure events. Alert escalated immediately.
Identified tactic (Credential Access TA0006), technique (T1110), and sub-technique (T1110.001). Determined attacker objective: gain valid credentials for initial access or privilege escalation.
Searched auth.log for Rule 5715 (Successful SSH login) from the attacker IP. No successful authentications detected. Checked for lateral movement indicators: no new accounts, no sudo abuse, no FIM alerts on critical files.
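The detection and the investigation step above can be reproduced outside the SIEM with a small script: count failed SSH logins per source IP in a sliding window, flag sources that cross a threshold, then cross-check the flagged sources against successful logins in the same log. The code below is an added example, not part of the lab write-up or of Wazuh; the auth.log lines, the year, the threshold of 5 failures and the 90-second window are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Year assumed for the year-less syslog timestamps (assumption for this example).
LOG_YEAR = 2024

# Constructed sample auth.log excerpt (not from the lab). Only a handful of lines
# stand in for the 487 attempts described in the write-up.
SAMPLE_AUTH_LOG = """\
Dec 14 10:15:01 lab sshd[2101]: Failed password for invalid user admin from 192.168.56.101 port 50212 ssh2
Dec 14 10:15:01 lab sshd[2102]: Failed password for root from 192.168.56.101 port 50213 ssh2
Dec 14 10:15:02 lab sshd[2103]: Failed password for invalid user test from 192.168.56.101 port 50214 ssh2
Dec 14 10:15:02 lab sshd[2104]: Failed password for root from 192.168.56.101 port 50215 ssh2
Dec 14 10:15:03 lab sshd[2105]: Failed password for invalid user oracle from 192.168.56.101 port 50216 ssh2
Dec 14 10:15:40 lab sshd[2150]: Accepted publickey for alice from 192.168.56.1 port 41000 ssh2: ED25519 SHA256:placeholder
Dec 14 10:16:20 lab sshd[2200]: Failed password for root from 192.168.56.101 port 50300 ssh2
Dec 14 10:30:00 lab sshd[2300]: Failed password for bob from 10.0.0.7 port 33000 ssh2
"""

TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_line(line):
    """Return a dict for the sshd auth events we care about, None for anything else."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    msg = m.group("msg")
    f = FAILED_RE.match(msg)
    if f:
        return {"ts": ts, "event": "failed", "user": f.group("user"), "ip": f.group("ip")}
    a = ACCEPTED_RE.match(msg)
    if a:
        return {"ts": ts, "event": "accepted", "user": a.group("user"), "ip": a.group("ip")}
    return None


def detect_brute_force(events, threshold=5, window_seconds=90):
    """Sliding-window count of failed logins per source IP.

    Returns {ip: peak_failures_within_window} for every IP that reaches the threshold.
    """
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for e in events:
        if e["event"] == "failed":
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        recent = deque()
        peak = 0
        for ts in sorted(stamps):
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def successful_logins_from(events, ips):
    """Investigation step: did any flagged source ever authenticate successfully?"""
    return [(e["ts"], e["user"], e["ip"]) for e in events
            if e["event"] == "accepted" and e["ip"] in ips]


def investigate(log_text, threshold=5, window_seconds=90):
    """Detect, then confirm or rule out a successful login from each flagged source."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    flagged = detect_brute_force(events, threshold, window_seconds)
    hits = successful_logins_from(events, flagged)
    return {
        "flagged": flagged,
        "successful_from_flagged": hits,
        # Same containment action the write-up took, one command per flagged source.
        "block_commands": [f"sudo ufw deny from {ip}" for ip in flagged],
    }


if __name__ == "__main__":
    report = investigate(SAMPLE_AUTH_LOG)
    for ip, n in report["flagged"].items():
        print(f"ALERT brute force from {ip}: {n} failures within window")
    print("successful logins from flagged sources:", report["successful_from_flagged"] or "none")
    print("containment:", report["block_commands"])
```

On the sample the single failure from 10.0.0.7 stays below the threshold, 192.168.56.101 is flagged with six failures in the window, and the only accepted login comes from a different address, which is the same "no successful authentication" conclusion the write-up reached before blocking the source.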
Immediately blocked 192.168.56.101 using UFW (sudo ufw deny from 192.168.56.101). In a real environment, this would be escalated to the network team for perimeter firewall block and threat intel feed update.
Recommended: disable SSH password auth (key-only), deploy fail2ban, move SSH off port 22, enforce MFA for remote access, restrict SSH-capable accounts. All mapped to MITRE ATT&CK mitigations M1032, M1036, M1026.
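The sshd side of those recommendations can be checked mechanically. The script below is an added example, not from the lab or from OpenSSH: it parses an sshd_config (first occurrence of a directive wins, as sshd does; Match blocks and the optional "=" separator are not handled) and reports which of the write-up's SSH hardening points are missing. Both configs are constructed for the example, and the sshd defaults used for absent directives are assumptions stated in the code.

```python
# Constructed example of a loosely configured sshd_config (not from the lab).
WEAK_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed example applying the write-up's SSH recommendations.
HARDENED_SSHD_CONFIG = """\
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers alice bob
"""

# Values sshd uses when a directive is absent (assumed for this example).
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value} using the first occurrence of each directive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()  # sshd keywords are case-insensitive
        if key not in conf:  # sshd_config: first value wins
            conf[key] = value.strip()
    return conf


def audit_sshd_config(text):
    """Compare the effective config against the write-up's SSH hardening points."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if conf["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing remains possible (use key-only auth)")
    if conf["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled: key-only auth cannot work")
    if conf["port"] == "22":
        findings.append("SSH listens on the default port 22")
    if conf["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is not 'no': root is directly reachable over SSH")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("No AllowUsers/AllowGroups: every local account is SSH-capable")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"[{name}]")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  -", finding)
```

The remaining recommendations (fail2ban, MFA for remote access) live outside sshd_config and are not checked here; on the weak config the audit reports four findings, on the hardened one none.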
T1110.001 — Password Guessing
Currently working on: Malware detection with Wazuh FIM, Network anomaly investigation with Wireshark, and a Phishing email analysis walkthrough.