
[OK] Cybersecurity Home Lab started: 2023-09
tech: Wazuh, Suricata, Wireshark, Kali Linux, Ubuntu 24.04

Architecture

The lab runs on a VMware-based hypervisor with dedicated VMs for each function:

  • Wazuh Manager + Dashboard — central SIEM; every endpoint VM runs a Wazuh agent that ships its logs and FIM events to the manager
  • Suricata IDS — network tap running on a dedicated interface, feeding alerts into Wazuh via Filebeat
  • Wireshark capture host — promiscuous-mode capture on the lab’s internal virtual switch
  • Kali Linux attacker — isolated on a separate VLAN from the victim VMs; used to generate traffic and test detection coverage
  • Ubuntu 24.04 targets — two VMs acting as victim hosts: one hardened baseline, one intentionally misconfigured to study detection gaps

What’s Monitored

  • File integrity monitoring on sensitive paths (/etc, /var/log, and the local account and authentication files)
  • Brute-force and credential-stuffing detection via sshd log rules
  • Port scan detection via Suricata rules tuned against nmap SYN and UDP scans
  • Reverse shell callback detection via outbound connection rules
  • Persistence and privilege-escalation indicators: unusual cron additions, SUID bit changes, new user creation

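The sshd brute-force and credential-stuffing item above is the easiest of these detections to reason about in code. The following is an added example, not the lab's own Wazuh rules: it replays constructed auth.log lines (no real lab captures) through the same frequency-within-timeframe logic a Wazuh sshd rule applies. The thresholds are assumptions (8 failures in 120 seconds, matching Wazuh's stock sshd brute-force rule as I know it; 5 distinct usernames for the stuffing signal is my own pick), as are the sample IPs, hostnames and the year supplied to the syslog timestamps.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds (assumed): frequency/timeframe mirror Wazuh's stock sshd
# brute-force rule (8 failures within 120 s); the distinct-username
# threshold for credential stuffing is chosen for this example.
FREQUENCY = 8
TIMEFRAME = 120
STUFFING_USERS = 5

# One regex for the two sshd outcomes that matter here; other sshd lines
# (disconnects, public-key logins) are ignored by the detector.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed auth.log excerpt (not captured from the lab). 10.10.20.5 plays
# the Kali box spraying the misconfigured target; 10.10.10.7 is an operator
# mistyping a password once, which must not raise an alert.
SAMPLE_AUTH_LOG = """\
Sep 14 10:00:01 target2 sshd[1201]: Failed password for root from 10.10.20.5 port 40122 ssh2
Sep 14 10:00:03 target2 sshd[1203]: Failed password for invalid user admin from 10.10.20.5 port 40124 ssh2
Sep 14 10:00:05 target2 sshd[1205]: Failed password for invalid user oracle from 10.10.20.5 port 40126 ssh2
Sep 14 10:00:07 target2 sshd[1207]: Failed password for ubuntu from 10.10.20.5 port 40128 ssh2
Sep 14 10:00:09 target2 sshd[1209]: Failed password for invalid user test from 10.10.20.5 port 40130 ssh2
Sep 14 10:00:11 target2 sshd[1211]: Failed password for root from 10.10.20.5 port 40132 ssh2
Sep 14 10:00:13 target2 sshd[1213]: Failed password for ubuntu from 10.10.20.5 port 40134 ssh2
Sep 14 10:00:15 target2 sshd[1215]: Failed password for root from 10.10.20.5 port 40136 ssh2
Sep 14 10:00:17 target2 sshd[1217]: Failed password for ubuntu from 10.10.20.5 port 40138 ssh2
Sep 14 10:00:19 target2 sshd[1219]: Accepted password for ubuntu from 10.10.20.5 port 40140 ssh2
Sep 14 10:30:00 target1 sshd[1300]: Failed password for mathew from 10.10.10.7 port 51000 ssh2
Sep 14 10:30:04 target1 sshd[1302]: Accepted password for mathew from 10.10.10.7 port 51002 ssh2
"""


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so time deltas can be computed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect(lines):
    """Replay log lines in order and return (alert, src_ip, timestamp) tuples.

    Each source IP keeps a deque of its recent failures; entries older than
    TIMEFRAME are dropped on every event, so the window slides with the log.
    Each alert type fires once per source, like a Wazuh rule with <ignore>.
    """
    failures = defaultdict(deque)   # src_ip -> deque of (timestamp, username)
    fired = set()
    alerts = []

    def fire(kind, ip, ts):
        if (kind, ip) not in fired:
            fired.add((kind, ip))
            alerts.append((kind, ip, ts))

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        window = failures[ip]
        while window and (ts - window[0][0]).total_seconds() > TIMEFRAME:
            window.popleft()

        if m["result"] == "Failed":
            window.append((ts, user))
            if len(window) >= FREQUENCY:
                fire("sshd_brute_force", ip, ts)
            # Many distinct usernames from one source in the window points at
            # a credential list being replayed rather than one password guessed.
            if len({u for _, u in window}) >= STUFFING_USERS:
                fire("sshd_credential_stuffing", ip, ts)
        else:
            # A success right after a burst of failures is the alert worth
            # paging on: one of the guesses may have landed.
            if len(window) >= FREQUENCY:
                fire("sshd_success_after_brute_force", ip, ts)
            window.clear()
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {kind:<32} src={ip}")
```

Run stand-alone it prints three alerts for 10.10.20.5 (stuffing at the fifth distinct username, brute force at the eighth failure, then the success-after-burst) and nothing for the single mistyped password from 10.10.10.7; that last case is the one to keep in any rule tuning, since a threshold of one failure would page on every fat-fingered login.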
Attack Simulations Run

Nmap full-port scans, Hydra SSH brute-force runs, Metasploit exploit/multi/handler reverse shell sessions, manual SUID exploitation on the misconfigured VM, and evil-winrm connection attempts from Kali as connectivity tests. Each simulation produced Wazuh alerts that were triaged, documented, and used to refine the detection rules.

The lab is an ongoing project: rules are tuned and new attack modules added continuously, with scenarios chosen to support study for Security+ and VCP-DCV.
