Adversary Simulation

Environment:

Kali Linux (Attacker) • Windows 11 (Endpoint Agent) • Wazuh OVA (SIEM/XDR Manager)

Objective: Simulate a real brute-force authentication attack and validate SIEM detection and alerting.

Step 1 — Network Configuration

Actions / Configuration

• Confirmed all virtual machines were connected using identical VirtualBox network adapters:

  • Adapter 1: Host-Only Network

  • Adapter 2: NAT Network

• Verified the following settings across all VMs:

  • Matching adapter names

  • Promiscuous Mode set to Allow VMs

  • Virtual cable connected enabled

• Ensured all systems shared the same subnet to allow inter-VM communication.

Screenshots

• VirtualBox Network Adapter configuration (Host-Only & NAT)

Step 2 — IP Address Confirmation

Actions / Commands

• Verified IP addresses for each machine:

Kali Linux:
ip a

Windows 11:
ipconfig

Wazuh OVA:
ip a

• • 
    

• Confirmed all systems were assigned IPs within the 192.168.56.0/24 network.

• Recorded IP addresses for use during the attack simulation.

Screenshots

• Terminal output showing assigned IP addresses for each VM

Step 3 — Network Connectivity Testing

Actions / Commands

• Verified network connectivity using ICMP ping tests:

  • Kali → Windows 11 → Wazuh OVA

  • Windows 11 → Kali → Wazuh OVA

  • Wazuh OVA → Kali → Windows 11

• Successful replies confirmed full network visibility and communication.

Screenshots

• Ping results from each VM confirming connectivity

Step 4 — Wazuh Agent Installation on Windows 11

Actions / Commands

• Downloaded the Wazuh Windows Agent (MSI GUI Installer) from the official Wazuh documentation:

  • https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-windows.html

• Launched the graphical installer on Windows 11.

• Entered the following during setup:

  • Wazuh Manager Address: (Wazuh OVA IP)

  • Confirmed default communication ports

• Completed installation using the GUI wizard.

• Started the agent service:

  • Start Menu → Wazuh Agent → Start

• Verified agent status in the Wazuh Dashboard:

  • Windows 11 agent = Active

Screenshots

• Wazuh Agent installation wizard

• Wazuh Dashboard showing active Windows 11 agent

Step 5 — Attack Simulation Using Kali Linux

Actions / Commands

Opened Kali Linux terminal and executed a simulated brute-force attack using CrackMapExec:
crackmapexec smb <Windows-IP> -u "lakel" -p WrongPassword

Example:
crackmapexec smb 192.168.56.103 -u "lakel" -p WrongPassword

• 
  

• Repeated the command multiple times to intentionally trigger failed authentication attempts.

• Terminal output confirmed:

  • STATUS_LOGON_FAILURE

  • Generated Windows Event ID 4625 (Failed Logon)

Screenshots

• Kali terminal showing repeated failed login attem

Step 6 — Wazuh SIEM Detection & Alerting

Actions / Analysis

• Accessed the Wazuh Dashboard

• Navigated to Threat Hunting

• Searched for authentication-related events

• Observed security alerts:

  • Authentication Failure

  • Rule ID 60122 — Logon Failure (Unknown user or bad password)

Alert Details

• Source IP: Kali Linux attacker

• Destination: Windows 11 endpoint

• Username attempted: lakel

• Pattern detected: Repeated failures indicating brute-force behavior

This confirmed successful detection and correlation by Wazuh SIEM/XDR.

Screenshots

• Threat Hunting results

• Authentication failure alert details