
Enterprise SOC Deployment & Threat Detection Lab

Date: December 1, 2025

Environment: VMware Workstation / Wazuh SIEM / Windows 11 / Kali Linux


1. Project Scope & Topology

This project covered the design, deployment, and validation of a virtualized Security Operations Center (SOC). The objective was to emulate a small enterprise network, generate real attack telemetry against a monitored Windows endpoint, and configure a SIEM (Wazuh) to detect it.

SIEM Node
  • OS: Amazon Linux 2023 (Wazuh OVA)
  • Software: Wazuh Manager v4.14.1
  • IP: 192.168.245.129
Victim Endpoint
  • OS: Windows 11 Enterprise
  • Defensive Tools: Windows Defender, Wazuh Agent, Windows Audit Policies
  • IP: 192.168.245.130
Adversary Node
  • OS: Kali Linux 2025.3
  • Offensive Tools: Hydra, Nmap, Smbclient
  • IP: DHCP assigned (192.168.245.128 at the time of the brute-force test, per the 4625 telemetry)

2. Executive Summary

Objective: To validate the detection capabilities of the Wazuh SIEM against common adversarial tactics, including Credential Access (T1110), Persistence (T1136), and Defense Evasion (T1562).

Key Achievements

  • Infrastructure: Successfully deployed a functional SIEM pipeline ingesting logs from Windows Event Channels (Security, System, Application).
  • Detection Engineering: Verified the Wazuh rules that fire on SMB brute force attempts (Event ID 4625, rule 60122) and local account creation (Event ID 4720, rule 60109), and confirmed each alert carried the fields an analyst needs (source IP, workstation, target account, logon type).
  • Endpoint AV Telemetry: Forwarded the Windows Defender operational log channel to Wazuh and confirmed alerts on the EICAR test file for both the detection event (1116) and the quarantine action (1117).
  • Visibility: Reduced logging blind spots by enabling advanced Audit Policies (Logon/Logoff and Account Management) so that authentication attempts and account changes land in the Windows Security log. Network Level Authentication (NLA) was also disabled so that failed remote-desktop logons are recorded with the client's source address; this weakens RDP and is a lab-only trade-off, not a production recommendation.
  • Defensive Hardening: Validated the Account Lockout Policy, which locked the targeted account after 5 failed attempts (Event ID 4740) and rendered the rest of the dictionary attack ineffective.

3. Infrastructure Deployment

The environment was hosted on VMware Workstation, using a shared NAT network adapter to simulate a corporate intranet. The Wazuh Agent was deployed on the Windows 11 victim machine and configured to forward event-channel telemetry to the Manager over 1514/TCP (agent enrollment uses 1515/TCP). Post-deployment verification confirmed the agent successfully registered with the Manager.
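The victim-side configuration behind the "Visibility", "Defensive Hardening" and "Endpoint AV Telemetry" items above, as an added example (this is editor-supplied code, not the report's own). It assumes the Wazuh agent defaults on 64-bit Windows: config at C:\Program Files (x86)\ossec-agent\ossec.conf and service name WazuhSvc. Run it in an elevated PowerShell on the Windows 11 endpoint.

```powershell
# Added example (not from the original report). Assumed Wazuh agent defaults:
# install path C:\Program Files (x86)\ossec-agent, service name WazuhSvc.

# 1. Advanced audit policy: failed logons (4625) come from the "Logon" subcategory,
#    account creation (4720) and lockout (4740) from "User Account Management".
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable
auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable

# 2. Account lockout policy: 5 failures within a 30-minute window locks the
#    account for 30 minutes (duration must be >= window).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3. Forward the Windows Defender operational channel in addition to the
#    Security/System/Application channels the default agent config already ships.
$conf = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
$defenderBlock = @"
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
"@
$xml = Get-Content -Path $conf -Raw
if ($xml -notmatch 'Windows Defender/Operational') {
    # Insert before the final closing tag so the file stays well-formed XML.
    $xml = $xml -replace '</ossec_config>\s*$', "$defenderBlock</ossec_config>`n"
    Set-Content -Path $conf -Value $xml -Encoding UTF8
    Restart-Service -Name WazuhSvc
}

# 4. Verify the agent holds an established session to the manager on 1514/TCP.
Get-NetTCPConnection -RemotePort 1514 -State Established |
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess

# 5. Confirm the audit settings actually took effect.
auditpol.exe /get /category:"Logon/Logoff","Account Management"
```

If step 4 returns nothing, check the manager address in the `<server>` block of ossec.conf and the agent log at C:\Program Files (x86)\ossec-agent\ossec.log before touching the rules side.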

4. Threat Emulation

Scenario A: Network Propagation via SMB Brute Force

MITRE T1110.001 | Tool: smbclient

Simulated lateral movement via a dictionary attack against SMB (port 445). The attack generated "Logon Failure" events (ID 4625, Logon Type 3) until the Account Lockout Policy locked the target account (ID 4740); from that point every further attempt fails regardless of whether the guessed password is correct.

Scenario B: Persistence (Backdoor User)

MITRE T1136.001 | Command: net user /add

Manually created a backdoor local user "BlackHat" to simulate persistence. This action produced Windows Security Event ID 4720 (a user account was created).

5. Detection & Analysis

Evidence of successful ingestion, correlation, and alerting within the Wazuh SIEM.

Unauthorized User Creation

Log telemetry showing the creation of the backdoor user "BlackHat" (Event ID 4720), which triggered Wazuh rule 60109.

Wazuh Alert: User Account Created
  • Rule ID: 60109
  • Rule Level: 8 (High Severity)
  • Agent Name: DESKTOP-EA7SO4Q (192.168.245.130)
  • Target User: BlackHat
  • Event ID: 4720
  • Provider: Microsoft-Windows-Security-Auditing
  • MITRE Mapping: Persistence / T1098 (Account Manipulation), as tagged by the rule; the emulated action itself is T1136.001 (Create Account: Local Account)

Figure 5: Parsed log table for unauthorized user creation.

Malware Detection

The following parsed telemetry confirms that Windows Defender operational events were forwarded by the Wazuh agent and matched by the Manager's Defender rules (Figure 6).

Wazuh Alert: Event ID 1116 (Malware Detected)
  • Rule ID: 62123
  • Rule Level: 12 (High Severity)
  • Agent Name: DESKTOP-EA7SO4Q (192.168.245.130)
  • Threat Name: Virus:DOS/EICAR_Test_File
  • File Path: C:\Users\User\Desktop\eicar_test2.com
  • Action Taken: Detection Only
  • Provider: Microsoft-Windows-Windows Defender
  • Severity: Severe (Category: Virus)

Wazuh Alert: Event ID 1117 (Action Taken)
  • Rule ID: 62124
  • Rule Level: 12 (High Severity)
  • Agent Name: DESKTOP-EA7SO4Q (192.168.245.130)
  • Threat Name: Virus:DOS/EICAR_Test_File
  • File Path: C:\Users\User\Desktop\eicar_test2.com
  • Action Taken: Quarantine
  • Provider: Microsoft-Windows-Windows Defender
  • MITRE Mapping: Defense Evasion / T1562.001 (Impair Defenses: Disable or Modify Tools), as tagged by the rule; note that dropping the EICAR file exercises AV detection rather than any evasion technique

Figure 6: Parsed log tables showing critical EICAR detection details.

Brute Force & Account Lockout

Wazuh Alert: Logon Failure (Brute Force)
  • Rule ID: 60122
  • Rule Level: 5 (Wazuh "user generated error")
  • Event ID: 4625
  • Source IP: 192.168.245.128
  • Source Workstation: KALI
  • Target User: Administrator
  • Logon Type: 3 (Network; consistent with SMB)
  • Failure Reason: Unknown user name or bad password

Figure 7: Parsed log showing repeated login failures from the Kali attacker node.

Wazuh Alert: User Account Locked Out
  • Rule ID: 60115
  • Rule Level: 9 (High Severity)
  • Event ID: 4740
  • Target User: Administrator
  • Caller Computer: KALI
  • Subject User: DESKTOP-EA7SO4Q$ (the local machine account records the lockout)
  • Provider: Microsoft-Windows-Security-Auditing
  • MITRE Mapping: Credential Access / T1110 (Brute Force)

Figure 8: Parsed log confirming the active defense trigger (Account Lockout).
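The correlation behind Figures 7 and 8, replayed on the endpoint itself, as an added example (editor-supplied, not code from the report): it reads 4625 and 4740 events straight from the Security log, groups failures by source IP and target account the way a SIEM frequency rule does, and cross-checks that every account crossing the threshold also produced a lockout. It is useful for confirming that the fields the Wazuh rules key on (IpAddress, WorkstationName, LogonType) are actually populated before blaming the SIEM for a missed alert. The threshold and window defaults mirror the lab's lockout policy and are assumptions; run it elevated on the Windows 11 victim.

```powershell
# Added example (not from the original report). Reads the local Security log;
# Threshold/MinutesBack defaults are assumptions matching the lab's lockout policy.

function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # 4625/4740 carry their fields as <Data Name="..."> elements; fetch one by name.
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-BruteForceCandidates {
    param([int]$Threshold = 5, [int]$MinutesBack = 60)
    $since = (Get-Date).AddMinutes(-$MinutesBack)
    $failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                SourceIp    = Get-EventDataValue $_ 'IpAddress'       # "-" here is a blind spot
                Workstation = Get-EventDataValue $_ 'WorkstationName'
                TargetUser  = Get-EventDataValue $_ 'TargetUserName'
                LogonType   = Get-EventDataValue $_ 'LogonType'       # 3 = network (SMB), 10 = RDP
                SubStatus   = Get-EventDataValue $_ 'SubStatus'
            }
        }
    # Same grouping a SIEM frequency rule uses: one source hammering one account in a window.
    $failures | Group-Object SourceIp, TargetUser | Where-Object Count -ge $Threshold |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                SourceIp          = $sorted[0].SourceIp
                Workstation       = $sorted[0].Workstation
                TargetUser        = $sorted[0].TargetUser
                Attempts          = $_.Count
                LogonTypes        = ($_.Group.LogonType | Sort-Object -Unique) -join ','
                # 0xC0000234 = account already locked when the attempt arrived
                LockedOutAttempts = ($_.Group | Where-Object SubStatus -eq '0xc0000234').Count
                FirstSeen         = $sorted[0].Time
                LastSeen          = $sorted[-1].Time
            }
        }
}

function Get-LockoutEvents {
    param([int]$MinutesBack = 60)
    $since = (Get-Date).AddMinutes(-$MinutesBack)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                TargetUser     = Get-EventDataValue $_ 'TargetUserName'
                # In 4740 the "Caller Computer Name" is carried in TargetDomainName.
                CallerComputer = Get-EventDataValue $_ 'TargetDomainName'
            }
        }
}

$candidates = Find-BruteForceCandidates -Threshold 5 -MinutesBack 60
$lockouts   = Get-LockoutEvents -MinutesBack 60
$candidates | Format-Table -AutoSize

# Control check: every account that crossed the threshold should have a matching 4740.
foreach ($c in $candidates) {
    $hit = @($lockouts | Where-Object TargetUser -eq $c.TargetUser)
    if ($hit.Count -gt 0) {
        "[OK]  $($c.TargetUser): locked out at $($hit[0].Time) (caller $($hit[0].CallerComputer))"
    } else {
        "[GAP] $($c.TargetUser): $($c.Attempts) failures from $($c.SourceIp) but no 4740 recorded"
    }
}
```

A candidate row whose SourceIp is "-" while the LogonTypes column shows 3 is exactly the NLA/RDP blind spot discussed in the Executive Summary; a row with LockedOutAttempts greater than zero shows the attacker kept guessing after the lockout, which is the behaviour the Figure 8 alert confirms.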