A multi-stage cyberattack simulation in a controlled homelab environment, using Wazuh SIEM to detect, analyze, and respond to each attack phase. Documented end-to-end as a final year project in Information Security.
Last updated: February 2026 · More stages in progress
Isolated virtualized environment simulating a small organizational network
Ubuntu Server 22.04 LTS
192.168.0.133
Wazuh Manager: collects and analyzes logs from all agents and hosts the Wazuh dashboard for alert visualization.
Windows 11 (Host OS)
192.168.0.173
Target endpoint running the Wazuh agent. Monitored for file integrity, PowerShell execution, and security events.
Kali Linux (VirtualBox VM)
10.0.3.15
Simulates the origin of the attack. Runs offensive tools (Hydra, Mimikatz) against the victim machine in an isolated network.
Network Configuration
The Kali VM has no bridged adapter: a VirtualBox host-only adapter gives it a private link to the victim (the VirtualBox host) and the manager, while its NAT adapter supplies the 10.0.3.15 address and routes the traffic between the two subnets. Because nothing is bridged onto the physical interface, attack traffic stays inside the hypervisor host and never reaches a real network. A quick check that this still holds after reconfiguring the VM is `VBoxManage showvminfo <vm> --machinereadable`, which lists each adapter as `nicN="nat"`, `"hostonly"` or `"bridged"`.
Each stage documents the attacker action, SIEM detection, and MITRE ATT&CK mapping
Infrastructure Configuration
Attacker Action
Configured a three-node homelab: Wazuh Manager (Ubuntu Server 22.04, 192.168.0.133), Windows 11 victim machine (192.168.0.173) running the Wazuh agent, and a Kali Linux attacker VM (10.0.3.15) on VirtualBox Host-only networking.
SIEM Detection
The Wazuh agent connected to the manager and appeared as 'Active' in the dashboard after three separate problems were resolved: a duplicate agent name rejected by the manager at enrollment, a missing authentication key (an empty client.keys on the agent), and an ossec.conf syntax error that stopped the agent service from starting.
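The three enrollment failures above can be checked for systematically from the victim before opening the dashboard. The following script is an added example, not the project's own code; it assumes the default agent install path, the Wazuh 4.x service name `WazuhSvc`, the default ports (TCP 1514 for agent traffic, TCP 1515 for enrollment) and the manager address from the lab description.

```powershell
# Pre-flight checks for a Wazuh Windows agent that stays 'Disconnected' or
# 'Never connected' in the dashboard. Added example, not the project's own
# code. Assumptions: default agent install path, the Wazuh 4.x service name
# 'WazuhSvc', enrollment on TCP 1515 and agent traffic on TCP 1514 (the
# defaults), and the manager address from the lab description. Run elevated.
$agentDir  = 'C:\Program Files (x86)\ossec-agent'
$manager   = '192.168.0.133'
$agentName = "$env:COMPUTERNAME-win11"   # must be unique on the manager

# 1. ossec.conf must be well-formed XML; a syntax error stops the service.
try {
    [xml](Get-Content -Path "$agentDir\ossec.conf" -Raw) | Out-Null
    Write-Host 'ossec.conf parses'
} catch {
    throw "ossec.conf syntax error: $($_.Exception.Message)"
}

# 2. Both manager ports must be reachable from the victim.
foreach ($port in 1514, 1515) {
    if (-not (Test-NetConnection -ComputerName $manager -Port $port).TcpTestSucceeded) {
        throw "Manager $manager unreachable on TCP $port"
    }
}

# 3. client.keys must contain a key. If it is empty, enroll with agent-auth.
#    A name that is already registered is rejected with 'Duplicate agent name',
#    which is why $agentName is made unique above (the alternative is to remove
#    the stale entry with manage_agents on the manager).
$keys   = Join-Path $agentDir 'client.keys'
$hasKey = (Test-Path $keys) -and [bool](Get-Content $keys | Where-Object { $_.Trim() })
if (-not $hasKey) {
    & (Join-Path $agentDir 'agent-auth.exe') -m $manager -A $agentName
    if ($LASTEXITCODE -ne 0) { throw "agent-auth failed with exit code $LASTEXITCODE" }
}
Get-Content $keys    # one line per key: <id> <name> <ip> <key>

# 4. Restart the agent and look for the connection message or any error.
Restart-Service -Name WazuhSvc
Start-Sleep -Seconds 10
Get-Content -Path (Join-Path $agentDir 'ossec.log') -Tail 30 |
    Select-String -Pattern 'ERROR|Connected to the server'
```

If step 4 still prints an error, the manager's own /var/ossec/logs/ossec.log is the next place to look, because enrollment and key mismatches are reported on both sides.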
Wazuh Rules Triggered
Key Findings & Observations
Execution via PowerShell + File Integrity Monitoring Detection
Attacker Action
Executed a PowerShell command on the Windows victim machine to create an EICAR test file (eicar.com) in the monitored C:\Users\Public directory. The EICAR test string is a harmless 68-byte ASCII file that anti-malware products detect by convention, so it exercises AV and SIEM detection without running real malware.
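The drop described above, written out as an added example rather than the project's own command. It assumes C:\Users\Public is configured with `realtime="yes"` in the agent's `<syscheck>` block and that PowerShell script block logging is enabled on the victim; the expected hash is the published SHA-256 of the EICAR file.

```powershell
# Drops the EICAR test file into the FIM-monitored directory and records the
# evidence a defender would look for. Added example, not the project's own
# command. Assumes C:\Users\Public is in <syscheck> with realtime="yes" and
# that script block logging is enabled; $expected is the published SHA-256 of
# the 68-byte EICAR file.
$target = 'C:\Users\Public\eicar.com'

# The string is assembled from two halves so this script does not itself
# carry the EICAR signature; the file written to disk does.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}' + '$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
[System.IO.File]::WriteAllText($target, $eicar, [System.Text.Encoding]::ASCII)

# Defender real-time protection quarantines EICAR within moments of the write.
# If the file is already gone, FIM will have logged an add followed by a delete.
Start-Sleep -Seconds 2
if (-not (Test-Path $target)) {
    Write-Warning 'eicar.com already removed: AV quarantined it; expect a file-added and a file-deleted FIM alert'
    return
}

# Byte-exactness check: a BOM or trailing newline changes the hash and AV may
# no longer recognise the file.
$expected = '275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F'
$actual   = (Get-FileHash -Path $target -Algorithm SHA256).Hash
$length   = (Get-Item $target).Length
if ($length -ne 68 -or $actual -ne $expected) {
    throw "EICAR file is not byte-exact (length $length, sha256 $actual)"
}
Write-Host "EICAR written to $target"

# Local evidence of the execution: script block text (event 4104) in the
# PowerShell Operational channel, which the Wazuh agent forwards when that
# channel is listed as a <localfile>.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'eicar' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```

Disable Defender real-time protection for the directory (or add an exclusion) only if the test needs the file to persist; leaving it on is the more realistic scenario, since the SIEM then sees the drop and the AV clean-up together.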
SIEM Detection
Wazuh generated two FIM alerts within seconds: Rule 550 (integrity checksum changed) and Rule 554 (file added to the system), confirming that the SIEM detected the simulated malware drop in real time. If Microsoft Defender real-time protection is active on the victim it quarantines eicar.com almost immediately, and a follow-on Rule 553 (file deleted) alert should then be expected as well.
Wazuh Rules Triggered
Key Findings & Observations
OS Credential Dumping via LSASS
Stage not yet executed; documentation will be added as the project progresses.
Command and Control Traffic Blocking
Stage not yet executed; documentation will be added as the project progresses.
Practical insights gained from building and running this project
Getting the Wazuh agent to connect required diagnosing three separate issues: a duplicate agent name, a missing auth key, and a config syntax error. Real-world SIEM deployments involve the same iterative troubleshooting; patience and systematic log analysis on both the agent and the manager are essential.
File Integrity Monitoring detected the EICAR payload drop within seconds. That speed depends on the directory being configured with realtime="yes" in the agent's <syscheck> block; without it, syscheck only reports differences at its next scheduled scan. Monitoring critical directories in real time is one of the most effective controls for detecting malware staging, ransomware drops, and unauthorized configuration changes.
Configuring the PowerShell Operational event channel for monitoring is essential in any Windows environment, and it is only as useful as the script block logging policy behind it. Attackers frequently use PowerShell for payload execution, lateral movement, and data exfiltration; it must be logged and monitored.
Using VirtualBox host-only networking ensured all simulated attack traffic was fully contained. In a real SOC, network segmentation serves the same purpose: limiting the blast radius of any compromise.
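The two agent-side controls called out above (real-time FIM on the monitored directory and the PowerShell Operational channel) are configured in the Windows agent's ossec.conf. The script below is an added example, not the project's own configuration; it assumes the default install path, a single `<ossec_config>` root element in the Windows ossec.conf, and the Wazuh 4.x service name `WazuhSvc`.

```powershell
# Enables real-time FIM on C:\Users\Public, forwards the PowerShell Operational
# channel, and turns on the script block logging policy that makes that channel
# carry full script text. Added example, not the project's own configuration.
# Assumptions: default install path, one <ossec_config> root in the Windows
# ossec.conf, and the Wazuh 4.x service name 'WazuhSvc'. Run elevated.
$confPath = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
[xml]$conf = Get-Content -Path $confPath -Raw
$root = $conf.DocumentElement
if ($root.Name -ne 'ossec_config') { throw "unexpected root <$($root.Name)> in $confPath" }

# 1. FIM: realtime="yes" is what makes a drop show up within seconds. Without it
#    syscheck only reports at its scheduled scan (the default frequency is 43200 s).
$syscheck = $root.SelectSingleNode('syscheck')
if (-not $syscheck) { $syscheck = $root.AppendChild($conf.CreateElement('syscheck')) }
$dir = $conf.CreateElement('directories')
$dir.SetAttribute('realtime', 'yes')
$dir.SetAttribute('check_all', 'yes')
$dir.InnerText = 'C:\Users\Public'
[void]$syscheck.AppendChild($dir)

# 2. Forward the PowerShell Operational event channel (event 4104 = script block text).
$localfile = $conf.CreateElement('localfile')
$location  = $conf.CreateElement('location')
$location.InnerText = 'Microsoft-Windows-PowerShell/Operational'
$format    = $conf.CreateElement('log_format')
$format.InnerText = 'eventchannel'
[void]$localfile.AppendChild($location)
[void]$localfile.AppendChild($format)
[void]$root.AppendChild($localfile)
$conf.Save($confPath)

# 3. Script block logging policy, so 4104 events carry every script block rather
#    than only the ones PowerShell itself deems suspicious.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name EnableScriptBlockLogging -Value 1 -Type DWord

# The agent reads ossec.conf at startup, so restart it to apply the change.
Restart-Service -Name WazuhSvc
```

The script appends rather than replaces, so run it once; a second run leaves duplicate `<directories>` and `<localfile>` entries, which the agent tolerates but which make the file harder to audit.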
Stage 03: Credential Dumping
Mimikatz / LSASS memory access simulation (T1003.001)
Stage 04: C2 Traffic & Firewall Mitigation
Command and control traffic simulation and blocking (T1071)
This page will be updated as each stage is completed.
Related Content
Read the detailed Wazuh brute force incident response walkthrough with MITRE ATT&CK mapping.