Colin Mc Hugo

Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Threat hunting with MITRE ATT&CK and Wazuh

November 18, 2022
MITRE ATT&CK and Wazuh

Threat hunting is the process of searching for malicious activity and its artifacts in a computer system or network. It is performed periodically in an environment regardless of whether threats have already been detected by automated security solutions. Some threat actors remain dormant in an organization's infrastructure, expanding their access while waiting for the right opportunity to exploit the weaknesses they have found.

Consequently, it is essential to perform threat hunting to identify malicious actors in an environment and stop them before they achieve their ultimate objective.

To perform threat hunting effectively, the threat hunter needs a structured approach to emulating possible adversary behavior. This adversarial behavior determines which artifacts can be searched for that indicate ongoing or past malicious activity.

Over the years, the security community has observed that threat actors commonly use many tactics, techniques, and procedures (TTPs) to infiltrate and pivot across networks, escalate privileges, and exfiltrate confidential data. This has led to the development of various frameworks for mapping the activities and methods of threat actors. One example is the MITRE ATT&CK framework.

MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge. It is a well-documented knowledge base of real-world threat actor actions and behaviors. The Enterprise matrix of the MITRE ATT&CK framework has 14 tactics and many techniques that identify or indicate an attack in progress. MITRE uses IDs to reference the tactic or technique employed by an adversary: tactic IDs have the form TA followed by four digits (for example TA0002, Execution), and technique IDs have the form T followed by four digits with an optional sub-technique suffix (for example T1059, Command and Scripting Interpreter, and T1059.001, its PowerShell sub-technique).

The Wazuh unified XDR and SIEM platform

Wazuh is an open source unified XDR and SIEM platform. The Wazuh solution consists of a single universal agent, deployed on monitored endpoints for threat detection and automated response, and central components (the Wazuh server, indexer, and dashboard) that analyze and visualize the security event data collected by the agents. It protects on-premises and cloud workloads.

Figure 1: Wazuh security event dashboard

Threat hunting with Wazuh

Threat hunters use various tools, processes, and methods to search for malicious artifacts in an environment. These include, but are not limited to, tools for security monitoring, file integrity monitoring, and endpoint configuration assessment.

Wazuh offers robust capabilities such as file integrity monitoring, security configuration assessment, threat detection, automated response to threats, and integration with solutions that provide threat intelligence feeds.

Wazuh MITRE ATT&CK module

Wazuh includes the MITRE ATT&CK module out of the box, together with threat detection rules mapped to their corresponding MITRE technique IDs. The module has four components:

a. The intelligence component of the Wazuh MITRE ATT&CK module: Contains detailed information about threat groups, mitigations, software, tactics, and techniques used in cyber attacks. This component helps threat hunters identify and classify the different TTPs that adversaries use.

Figure 2: Wazuh MITRE ATT&CK intelligence

b. The framework component of the Wazuh MITRE ATT&CK module: Helps threat hunters narrow down threats or compromised endpoints. Selecting a specific technique shows all the events related to that technique and the endpoints on which those events occurred.

Figure 3: Wazuh MITRE ATT&CK framework

c. The dashboard component of the MITRE ATT&CK module: Summarizes all events into charts so that threat hunters get a quick overview of MITRE-related activity in an infrastructure.

Figure 4: Wazuh MITRE ATT&CK dashboard

d. The Wazuh MITRE ATT&CK events component: Displays events in real time, with their respective MITRE IDs, to help the hunter understand each reported alert.

Figure 5: Wazuh MITRE ATT&CK events

Wazuh rules and decoders

Wazuh ships with out-of-the-box rules and decoders to parse security and runtime data generated by different sources. It supports rules for many technologies (e.g., Docker, Cisco, Microsoft Exchange) that have been mapped to their appropriate MITRE IDs. Users can also create custom rules and decoders and map each rule to its corresponding MITRE tactic or technique. This is how a threat hunter extends the shipped coverage to detect a specific adversary behavior and has the resulting alerts appear in the MITRE ATT&CK module alongside the built-in detections.
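As an added example (it is not part of the original post and not Wazuh's shipped ruleset), the following local_rules.xml fragment shows what such a custom mapping looks like. It builds on two built-in sshd rules, 5716 (authentication failed) and 5715 (authentication success); the rule IDs 100100 and 100101, the thresholds, and the assumption that 10.0.0.0/8 is the organization's internal address range are choices made for this illustration.

```xml
<!-- Appended to /var/ossec/etc/rules/local_rules.xml on the Wazuh manager.
     Constructed example: IDs 100100/100101, the thresholds and the
     10.0.0.0/8 "internal" range are assumptions, not Wazuh defaults. -->
<group name="local,sshd,threat_hunting,">

  <!-- Frequency rule: fires when the current event matches the built-in
       rule 5716 ("sshd: authentication failed") and that rule has already
       matched repeatedly (frequency 8) from the same source IP inside a
       120 second window. Mapped to ATT&CK T1110 (Brute Force); the ignore
       attribute suppresses repeat alerts from the same source for 60 s. -->
  <rule id="100100" level="10" frequency="8" timeframe="120" ignore="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip/>
    <description>sshd: possible brute force, $(srcip) failed 8+ logins in 2 minutes.</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>

  <!-- Single-event rule: a successful SSH login (built-in rule 5715) from
       an address outside the assumed internal range. On its own this is
       only suspicious, so it is mapped to T1078 (Valid Accounts) and
       T1021.004 (Remote Services: SSH) and left for the hunter to pivot on
       in the MITRE ATT&CK framework view, which lists the endpoints and
       source IPs behind each technique ID. -->
  <rule id="100101" level="12">
    <if_sid>5715</if_sid>
    <srcip>!10.0.0.0/8</srcip>
    <description>sshd: successful login from external address $(srcip) for user $(dstuser).</description>
    <mitre>
      <id>T1078</id>
      <id>T1021.004</id>
    </mitre>
  </rule>

</group>
```

Before restarting the manager (`systemctl restart wazuh-manager`), `/var/ossec/bin/wazuh-logtest` lets you paste a constructed line such as `Nov 18 10:21:33 web01 sshd[2034]: Accepted password for deploy from 203.0.113.45 port 51022 ssh2` and check that rule 5715 and then 100101 match. The resulting alert carries the IDs under `rule.mitre.id`, which is the field the MITRE ATT&CK module's framework and events components filter on. The manager checks each `<id>` against its ATT&CK database when it loads the rules and logs a warning for an ID it does not know, so a typo in a technique ID shows up in ossec.log rather than silently dropping the mapping.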

Security Configuration Assessment (SCA) module

The Wazuh SCA module performs periodic scans on endpoints to detect system and application misconfigurations. It can also be used to check for indicators of compromise, such as malicious files and folders created by malware. Assessing software inventories, services, misconfigurations, and changes to the configuration of an endpoint can help threat hunters detect attacks in progress.

Figure 6: Wazuh SCA dashboard

Integration with threat intelligence solutions

Because of its open source nature, Wazuh can be integrated with threat intelligence APIs and other security solutions. Wazuh integrates with threat intelligence platforms such as VirusTotal, URLhaus, MISP, and AbuseIPDB, among others. Depending on the integration, the relevant alerts appear in the Wazuh dashboard, where specific details such as IP addresses, file hashes, and URLs can be queried using filters.

File integrity monitoring

File integrity monitoring (FIM) is used to monitor and assess sensitive files and folders on endpoints. Wazuh provides an FIM module that monitors and detects changes in specified directories or files on an endpoint's filesystem. Through its threat intelligence integrations, the FIM module can also detect when files introduced to endpoints match the hashes of known malware.

Wazuh archives

Wazuh archives can be enabled to collect and store all events ingested from monitored endpoints, not only those that triggered an alert. This feature helps threat hunters by providing data that can be used to build detection rules and stay ahead of threat actors. Wazuh archives are also useful for meeting regulatory compliance requirements where an audit log history is needed.
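The three data sources above (threat intelligence integration, FIM, and archives) are switched on in the manager's configuration. The following ossec.conf excerpt is an added example, not from the original post or from Wazuh's default configuration file: it enables realtime FIM on a few paths, forwards the hash of each new or modified file to VirusTotal, and turns on archives. The monitored paths, the ignore patterns, and the API key placeholder are choices for this illustration; rules 550 (integrity checksum changed) and 554 (file added to the system) are Wazuh's built-in FIM rules.

```xml
<!-- Excerpt to merge into /var/ossec/etc/ossec.conf on the Wazuh manager.
     Constructed example: the paths, ignore patterns and the API key
     placeholder are assumptions. A real ossec.conf already contains a
     <global> and a <syscheck> block; add the elements to those rather
     than duplicating the blocks. -->
<ossec_config>

  <!-- File integrity monitoring for the manager host itself. The same
       <syscheck> block can be pushed to agents through
       /var/ossec/etc/shared/default/agent.conf. A full scan runs every
       12 hours; the realtime directories additionally report file
       creation, modification and deletion as they happen, and
       report_changes stores a diff of modified text files. -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
    <directories realtime="yes" report_changes="yes">/etc,/root/.ssh</directories>
    <directories realtime="yes">/usr/bin,/usr/sbin,/var/www/html</directories>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
  </syscheck>

  <!-- Threat intelligence integration: every alert from rule 550 or 554
       is handed to the VirusTotal integration, which looks up the file's
       hash and raises a separate VirusTotal alert if any engine flags it.
       Replace the placeholder with a real key. -->
  <integration>
    <name>virustotal</name>
    <api_key>YOUR_VIRUSTOTAL_API_KEY</api_key>
    <rule_id>550,554</rule_id>
    <alert_format>json</alert_format>
  </integration>

  <!-- Archives: keep every event the manager receives, whether or not a
       rule fired, in /var/ossec/logs/archives/ (plain text and JSON). -->
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>

</ossec_config>
```

Archives are only written to disk by this setting; to search them from the dashboard, enable `archives: enabled: true` in the wazuh module section of /etc/filebeat/filebeat.yml, restart Filebeat, and create a `wazuh-archives-*` index pattern. Archives grow much faster than alerts, so size the disk and the index retention accordingly before enabling them on a busy manager.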


The MITRE ATT&CK framework helps classify and identify threats accurately according to the TTPs detected. Wazuh uses its dedicated MITRE ATT&CK components to present information about how the security data from endpoints corresponds to those TTPs. The threat hunting capabilities of Wazuh help cybersecurity professionals detect obvious cyber attacks as well as underlying compromises of their infrastructure.

Wazuh is a free and open source platform that can be used by organizations with cloud and on-premises infrastructure. Wazuh has one of the fastest-growing open source communities in the world, where learning, discussions, and support are offered at no cost. Check out this documentation to get started with Wazuh.
