Vulnerability Detection through Wazuh

Riya Jain
3 min readJan 29, 2024

What is Vulnerability detection?

The process of finding, recognizing, and categorizing security flaws in a system, network, application, or other computing environment is known as vulnerability detection. Vulnerability is a weakness or flaw in a system, network, program, or any other IT environment that attackers might be able to use to get into the system or get to its data. There are a few important points you should know before conducting vulnerability detection using Wazuh:

  • CVE (Common Vulnerabilities and Exposures): The CVE list is a standard collection of all known vulnerabilities, with a unique number (CVE ID) assigned to each one. CVE IDs are used to find and keep track of specific vulnerabilities. A CVE ID might look like this: “CVE-2022–1234.”
  • CVSS (Common Vulnerability Scoring System): It’s a way to figure out how bad and harmful vulnerabilities are. The CVSS gives vulnerabilities a score that helps organizations understand how serious they are and put them in order of importance. The score is based on how easy it is to exploit, how it affects confidentiality, availability, and integrity, and other things. As a rule, the CVSS score is given as a number between 0 (low severity) and 10 (high severity).

Adding Windows Machine to Wazuh

If your host OS is Windows, you can go for installing locally or else you can download the Windows 10/11 Virtual Edition from Microsoft’s official website

Step1: Once your Windows 10 machine is ready, visit the Wazuh platform using GUI. Go to Agents and click on Deploy new agent, as shown below.

Step2: Next, select an Operating system, enter your Wazuh Server address, and set your agent name as shown below.

Step 3: In the end, you will get a PowerShell script and a command to start the Wazuh service on your agent, as shown below.

Step4: Next, go to your Windows 10 Machine and the script in your Powershell command prompt.

Step5: Next, start the Wazuh service.

Step6: Finally, come back to your Wazuh platform and go to Agents; you should see your newly onboarded Windows agent here

Setting up Vulnerability Detection

To enable vulnerability detection, we have to make changes on Wazuh manager. We need to enable Vulnerability detection for Windows in the ossec.conf file at /var/ossec/etc/osssec.conf. Now, lets open the osssec.conf file on the Wazuh manager using nano editor and make sure <enabled> tag is set to yes under <vulnerability-detector>.

<vulnerability-detector>

<enabled>yes</enabled>

<interval>5m</interval>

<min_full_scan_interval>6h</min_full_scan_interval>

<run_on_start>yes</run_on_start>

</vulnerability-detector>

next, restart the Wazuh manager using below command

systemctl restart wazuh-manager

Testing

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Vulnerability detector module, select an agent and click on any vulnerability.

You can also filter vulnerabilities based on CVE ID and get a report.

--

--

Riya Jain

Security Researcher | Penetration Tester | Red Team | Blue Team | eJPT|CAP | CND | Purple Team