SIEM Monitoring Lab: Wazuh

AWS Deployment • Detection Engineering • Threat Simulation • SOC Investigation

Summary

Architecture and Deployment

The lab environment was built in AWS to simulate a small security monitoring setup with one Wazuh manager and two monitored endpoints. Although this is a small and rather compact lab, it still demonstrates the same principle used in larger SOC environments: multiple systems generate logs, those logs are forwarded to a central analysis point, and suspicious behaviour is investigated from there.

Wazuh Agents

The Wazuh manager was installed on an Ubuntu EC2 instance and acts as the central log analysis point for the lab. A Windows Server EC2 instance was configured as the Windows endpoint and monitored for event log activity, file changes, and registry changes. An Ubuntu Lightsail instance was configured as the Linux endpoint and monitored for authentication and system activity. A third device (JackWindows) is also configured but not demonstrated throughout this lab

Both the Windows Server and Linux agent were configured to communicate with the same Wazuh manager. This made it possible to review suspicious events from multiple operating systems through one monitoring platform rather than checking each host individually.

The Wazuh manager was installed first so that the two monitored endpoints could later be connected to it. Once the manager was active, the Windows and Linux agents were installed and their configurations were updated so that they forwarded logs to the manager for analysis.

The Wazuh manager was installed on the Ubuntu EC2 instance using the official Wazuh installation script:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh
sudo bash wazuh-install.sh -a

The Windows endpoint was then deployed on a Windows Server EC2 instance. The Wazuh agent was installed and the ossec.conf configuration was updated so that the agent pointed to the Wazuh manager. After the agent service started, the endpoint was confirmed as connected.

The Linux endpoint was deployed on Ubuntu Lightsail. The Wazuh agent was installed, the agent configuration was updated to point to the same Wazuh manager, and successful registration was verified once the service came online.

curl -s https://packages.wazuh.com/4.x/agent/install.sh | sudo bash
sudo nano /var/ossec/etc/ossec.conf

The Wazuh manager requires several network ports to allow agents to register, forward security logs, and allow administrators to securely access the monitoring platform. The following ports were enabled:

• TCP/UDP 1514: Wazuh agent event log forwarding to the Wazuh manager.
• TCP 1515: Agent enrollment and authentication during agent registration.
• TCP 55000: Wazuh API communication used by the dashboard and management tools.
• TCP 443: Secure HTTPS access to the Wazuh web dashboard.
• TCP 22: SSH administrative access to the Linux servers.

Wazuh Agents

SIEM v SOAR

Wazuh analyses incoming log data using a rule-based detection engine. Each event collected from monitored endpoints is evaluated against predefined detection rules designed to identify suspicious behaviour associated with attacker activity. A common theme during my Security+ studies was the emphasis placed on the difference between a Security Information and Event Management (SIEM) and a Security Orchestration, Automation and Response (SOAR). Before we continue looking at the three simulations, I think it's relevant to distinguish a key difference between them. A SIEM does more than store logs: it actively evaluates them for correlations such as indicators of compromise and behaviours that match known attack patterns aiding in the identification of threats. A SOAR goes one step futher and leverages automation as a response to a particular incident.

Threat Scenario and SOC Alert Triage

To evaluate the monitoring environment, several attacker techniques were simulated that commonly appear during real intrusions. These activities reflect different stages of attacker behaviour including persistence, privilege escalation, and credential abuse.

In many incidents, attackers first gain a foothold on a system, then attempt to maintain access, increase privileges, and expand control over the environment. The simulations in this lab were selected to mirror that progression across both Windows and Linux endpoints.

The simulated sequence in this lab can be summarized as follows: after initial access, the attacker establishes persistence on Windows through a startup registry modification, escalates privileges through unauthorized account creation and administrator group assignment, and then attempts credential abuse through repeated failed SSH authentication attempts on Linux.

When alerts were generated, a consistent triage process was followed. First, the alert details and affected host were reviewed. Next, surrounding logs were correlated to understand context. The initiating account or process was then identified, and finally the behaviour was assessed to determine whether it reflected expected administration or suspicious attacker activity.

• Case Study 1 – Persistence: A Windows startup registry key was modified to simulate malware establishing execution at boot.
• Case Study 2 – Privilege Escalation: A new local account was created and added to the Administrators group to simulate unauthorized privilege escalation.
• Case Study 3 – Credential Access / Brute Force: Multiple failed SSH authentication attempts were generated on the Linux host to simulate password guessing activity.

Detection Scenario 1 — Windows Registry Persistence

This scenario focuses on persistence. Persistence refers to techniques that allow an attacker to maintain access to a system even after a reboot or user logging off unbeknown to them. On Windows systems, one common method is modifying the startup-related registry keys so that a malicious or unauthorised programme automatically launches when the Operating System (OS) starts.

To simulate this behaviour, a value was added to the Windows Run registry key. This created a startup entry that would automatically execute the chosen binary whenever the system booted. Because this registry path is commonly abused by malware, it is a valuable location to monitor within a SIEM environment.

Evidence — Registry Persistence Example

This registry location is monitored because entries under the Run key can be used to launch programs automatically when Windows starts. In this example, the added value simulates a suspicious startup entry that could be used to maintain access across reboots. If you wish to replicate the same log files, I have attached below the file path along with the Value name and data. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Value Name: MALWARE_TEST Value Data: C:\Windows\notepad.exe

Wazuh generated a detection alert after identifying the registry modification. In a production environment, this type of alert would indicate that a high-risk configuration area had been altered and would require further validation. The analyst would need to determine whether the change was part of a legitimate software installation or whether it represented unauthorized persistence behaviour. In real investigations, this matters because persistence often allows attackers to survive reboots and regain execution without needing to exploit the system again.

Wazuh Alert

System Events displaying a Registry Key change.

SOC Investigation and Response Workflow

• Alert Validation: Confirm the registry persistence alert and identify the affected host along with the timestamp.
• Log Review: Analyse Windows Security logs and Wazuh event data to determine which user account or process created the registry entry.
• Process Verification: Investigate the referenced executable to determine whether it's a legitimate software or known malware.
• Scope Assessment: Search for similar registry modifications across other hosts to determine whether the activity is isolated or part of a wider compromise.
• Containment: If malicious activity is confirmed, isolate the affected host from the network to prevent further attacker access.
• Eradication: Remove the unauthorised registry entry, investigate additional persistence mechanisms, and quarantine any other suspicious binaries.
• Host Triage: Review scheduled tasks, startup folders, services, and running processes to identify additional attacker footholds.

MITRE ATT&CK Mapping

MITRE ATT&CK is a widely used framework that documents common adversary tactics and techniques observed in real intrusions. Mapping alerts to MITRE ATT&CK helps analysts understand not just what happened, but why the behaviour is important within the broader context of an attack chain.

Detection Scenario 2 — Privilege Escalation

This scenario focuses on privilege escalation. Privilege escalation occurs when an attacker gains higher levels of access than originally intended, often to perform administrative actions, disable security controls, or move laterally through an environment.

To simulate this behaviour, a new local user account was created and then added to the local Administrators group. This is significant because the creation of unauthorized privileged accounts is a common post-compromise technique. It allows an attacker to maintain access using a legitimate-looking identity while gaining the permissions needed to control the host.

Wazuh generated a detection alert after identifying both the account creation and administrative group membership change. This type of activity is high risk because a newly created privileged account can be used immediately for persistence, system control, or further attacker actions. In a real SOC, this alert would often be prioritised for immediate review because administrative accounts can quickly be used to disable protections, access sensitive files, or pivot to additional systems.

Evidence — Unauthorized Account Creation and Privilege Assignment

This activity simulates a common post-compromise technique where an attacker creates a new account and elevates it to administrator level. That combination provides both access and control, making it a high-priority event for investigation. net user hacker Password123! /add net localgroup Administrators hacker /add

A further investigation into this log message confirms that the user account was created and then shortly after was added to a security-enabled local group confirming privilege escalation

Unauthorized Account Creation and Privilege Assignment

Confirmation a user account was created

Unauthorized Account Creation and Privilege Assignment

Confirmation a user account was added to a security-enabled local group confirming privilege escalation

SOC Investigation and Response

• Alert Validation: Confirm that a new user account was created and added to a privileged group, and identify the affected host and timestamp.
• User Context Review: Determine whether the account creation was authorized through change management records or administrative activity.
• Privilege Analysis: Review the assigned group memberships and permissions to understand the level of access granted to the account.
• Activity Investigation: Examine authentication logs, command history, and process creation events to determine whether the account has already been used for additional actions.
• Scope Assessment: Review account management events across other systems to determine whether similar unauthorized accounts exist elsewhere in the environment.
• Containment: If the account is confirmed to be unauthorized, disable or remove it immediately to prevent further use.
• Threat Hunting: Search for evidence of additional attacker activity such as PowerShell execution, scheduled tasks, persistence mechanisms, or lateral movement attempts.
• Credential Protection: Reset credentials for accounts that may have been compromised and monitor for any further suspicious login activity.

MITRE ATT&CK Mapping

Privilege escalation is often a turning point in an intrusion because it allows an attacker to move from limited access to full control of a host. Mapping the behaviour to MITRE ATT&CK helps analysts classify the activity according to known adversary techniques and document it consistently.

Tactic	Technique	ID	Why It Applies
Persistence	Create Account	T1136	A new local account was created, which could be used to maintain access to the system.
Privilege Escalation	Account Manipulation	T1098	The newly created account was added to the Administrators group to gain elevated permissions.

Detection Scenario 3 — Linux Authentication Monitoring

This scenario focuses on credential access and brute force activity. Brute force attacks involve repeated authentication attempts against an account or service in the hope of guessing a valid password.

To simulate this behaviour, repeated failed SSH login attempts were generated against the Linux host. Authentication logs were then collected and monitored by Wazuh. Failed SSH activity is important to detect because repeated failures can indicate password guessing, automated login attempts, or credential stuffing against exposed services.

Evidence — Repeated Failed Authentication Attempts

Repeated failed SSH logins are often one of the earliest visible indicators of attempted brute-force access.

Wazuh generated a detection alert based on repeated failed authentication attempts. In a production SOC environment, this type of alert would lead analysts to investigate whether the activity came from known infrastructure, whether a valid account was eventually compromised, and whether firewall or account lockout controls should be strengthened. This matters because repeated failed authentication is often an early sign of brute-force activity or an attempt to gain initial access using stolen or guessed credentials.

SOC Investigation and Response

• Alert Validation: Confirm repeated SSH authentication failures and identify the targeted host and timestamp of the activity.
• Source Identification: Determine which IP addresses generated the login attempts and whether they originate from internal infrastructure or external sources.
• Credential Analysis: Identify which user accounts were targeted and determine whether any successful login occurred after the failed authentication attempts.
• Pattern Assessment: Analyse the frequency and distribution of login attempts to determine whether the activity resembles manual guessing, automated brute-force attacks, or credential stuffing.
• Scope Assessment: Review authentication activity across other hosts to determine whether the same source IP or targeted accounts appear elsewhere in the environment.
• Containment: Block or restrict malicious source IP addresses using firewall rules or intrusion prevention controls.
• Hardening Measures: Ensures SSH security controls such as account lockout thresholds, and multi-factor authentication are enabled if supported. If not, implement compensating controls
• Continuous Monitoring: Continue monitoring the host and authentication logs to detect any successful logins or additional suspicious activity.

MITRE ATT&CK Mapping

Authentication abuse is an early and common step in many attacks. MITRE ATT&CK mapping helps analysts relate repeated failed logins to known credential access techniques and document how those attempts could progress into initial access if not stopped.

Tactic	Technique	ID	Why It Applies
Credential Access	Brute Force	T1110	Repeated authentication failures indicate password guessing against SSH accounts.
Initial Access	Valid Accounts	T1078	If the attack succeeded, the adversary could gain access using compromised legitimate credentials.

SOC Investigation Summary

Across the three simulated attack scenarios, the SIEM platform successfully detected suspicious behaviour originating from both Windows and Linux systems. Each alert provided useful context including the affected host, timestamp, and the rule logic that triggered the detection.

From an analyst perspective, the investigation process involved reviewing alert metadata, correlating related logs, and determining whether the behaviour represented legitimate administrative activity or potential attacker behaviour. This reflects how SOC teams use centralized monitoring platforms to reduce investigation time and improve visibility across multiple systems.

• Registry monitoring allowed persistence activity to be detected quickly.
• Account management monitoring identified unauthorized privilege escalation.
• Authentication monitoring highlighted abnormal login activity.

These investigations demonstrate how a SIEM can help analysts identify suspicious activity early and begin incident response before an attacker gains long-term control of the environment.

Real-World SOC Relevance and Detection Limitations

The detection techniques demonstrated in this lab reflect monitoring practices commonly used in enterprise security operations centres. Registry monitoring, account management alerts, and authentication monitoring are core components of many SIEM deployments because they provide visibility into attacker behaviour that often occurs after initial compromise.

Even in a small lab, the same principles apply: logs from multiple systems are collected, suspicious behaviour is identified through rule-based detections, and analysts use that information to investigate potential compromise. In larger enterprise environments, this model scales across many hosts, cloud assets, and user accounts.

At the same time, these detections have limitations. Advanced attackers may attempt to evade detection through log tampering, living-off-the-land binaries, or credential theft techniques that generate limited logging. In production SOC environments, detections like these would usually be supplemented by additional controls such as endpoint detection and response, network monitoring, and behavioural analytics to improve overall visibility.

Future Improvements

• Integrate additional endpoint log sources to broaden visibility.
• Implement custom Wazuh rules for more advanced attacker behaviours.
• Add network monitoring to improve lateral movement detection.
• Develop automated response workflows for high-severity alerts.

Key Security Takeaways

• How SIEM platforms collect and correlate security logs from different operating systems.
• How attacker techniques such as persistence, privilege escalation, and brute force appear in host logs.
• How rule-based detection turns raw system events into actionable security alerts.
• How SOC analysts validate, triage, and investigate suspicious activity.
• How MITRE ATT&CK mapping helps contextualise alerts using a widely recognised threat framework.
• How centralized monitoring supports faster detection and more effective incident response.

This lab demonstrates SIEM deployment, detection engineering, and SOC investigation workflows using simulated attacker techniques.

← Back to Homepage