Case 1 – Web Server Intrusion Attempt Against Grav CMS

This case simulates an attacker probing a Linux web server running Grav CMS. The investigation includes attacker activity (Kali), SIEM visibility (Wazuh), and incident response workflow (DFIR‑IRIS).

1. Case Overview

• Date: 2026‑02‑02
• Target: Linux Web Server (10.10.10.30)
• Attacker: Kali Linux (10.10.10.40)
• Detection Source: Wazuh SIEM
• IR Platform: DFIR‑IRIS

2. Attack Simulation (Kali)

Summary of attacker actions performed from Kali.

2.1. Reconnaissance

Webserver scan and enumeration.

dirb http://10.10.10.30

2.2. Initial Access Attempt

Weak credentials and error generation.

admin:admin
test:test
user:user
etc.

2.3. Persistence Attempt

Accessing restricted or interesting paths.

2.4. Defense Evasion Attempts

Mixed navigation and varying patterns.

3. Detection and Analysis (Wazuh SIEM)

How Wazuh detected and logged the activity.

3.1. Alerts

3.2. Log Evidence

Access logs and error logs.

10.10.10.40 - - [03/Feb/2026:13:36:53 +0000] "GET /provoked_error HTTP/1.1" 404 3139 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:140.0 Gecko/20100101 Firefox/140.0")

3.3. SIEM Correlation

How alerts tie together into a single incident, including mixed navigation.

4. Incident Response (DFIR‑IRIS)

How the case was documented and analyzed in DFIR‑IRIS.

4.1. Customer, Template and Case Creation

4.2. Evidence Added

4.3. IOCs

4.4. Timeline Reconstruction

5. MITRE ATT&CK Mapping and Conclusion

• TA0043 – Reconnaissance
• TA0001 – Initial Access
• TA0006 – Credential Access
• TA0007 – Discovery
• T1110 – Brute Force
• TA0005 – Defense Evasion

6. Case Closing

The attacker performed reconnaissance, directory enumeration, admin panel probing, and weak credential attempts. No compromise occurred. Wazuh successfully detected the activity, and DFIR‑IRIS was used to document the investigation.

← Back to Home