The purpose of this project is to host a basic SOC environment locally.
This project contains the steps to configure a SOC environment locally on your home computer using virtual machines and some basic networking concepts. We will make use of the following tools and services:
- VirtualBox, with virtual machines running Ubuntu, Windows 10 and Kali Linux
- Wazuh SIEM
- Shuffle
- Mimikatz (malware)
- Sysmon (for Windows)
- VirusTotal
- Discord
- Hydra (run from Kali)
In summary, we will achieve the following:
A. Phase 1:
- Detect threats on our Windows virtual machine with Wazuh SIEM
- Forward the detected threat to Shuffle for enrichment
- Automatically forward an alert message to a Discord server for specific threats
B. Phase 2:
- Detect threats on our Ubuntu virtual machine with Wazuh SIEM
- Simulate an SSH brute-force attack on the Ubuntu machine from a Kali virtual machine used as our attack box
- Mitigate the SSH brute-force attack using the "active response" capability of Wazuh SIEM
- Install Mimikatz and a Wazuh agent on the Windows VM
- Configure Sysmon to send logs to the Wazuh SIEM
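As an added example (not part of the original project), the Wazuh configuration that implements the two detections above: a custom rule in the manager's local_rules.xml that flags Mimikatz process creation reported by Sysmon Event ID 1 (Phase 1), and an active-response entry in ossec.conf that blocks the source IP of an SSH brute force on the Ubuntu agent (Phase 2). Rule ID 100002 is a chosen custom ID; 5712 and 5763 are Wazuh's built-in sshd brute-force rules (authentication failed / non-existent user).

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the Wazuh manager -->
<!-- Phase 1: flag Mimikatz launched on the Windows agent. Matching on the
     OriginalFileName from the PE header means renaming mimikatz.exe on disk
     does not evade the rule. Rule ID 100002 is a chosen custom ID. -->
<group name="custom,sysmon,mimikatz,">
  <rule id="100002" level="15">
    <if_group>sysmon_event1</if_group>   <!-- Sysmon Event ID 1: process creation -->
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)mimikatz\.exe</field>
    <description>Mimikatz execution detected</description>
    <mitre>
      <id>T1003</id>   <!-- OS Credential Dumping -->
    </mitre>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf on the Wazuh manager -->
<!-- Phase 2: when the built-in sshd brute-force rules fire for the Ubuntu
     agent, run firewall-drop on that agent to block the attacker's IP
     (srcip from the alert) for 10 minutes, then lift the block.
     The firewall-drop <command> already exists in the default ossec.conf;
     it is repeated here only for completeness. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>          <!-- run on the agent that raised the alert -->
    <rules_id>5712,5763</rules_id>      <!-- sshd brute force: auth failed / non-existent user -->
    <timeout>600</timeout>              <!-- seconds; the block is removed afterwards -->
  </active-response>
</ossec_config>
```

After saving both files, restart the manager (`systemctl restart wazuh-manager`) so the rule and the active-response entry are loaded; the resulting alerts are what Shuffle picks up for enrichment and the Discord notification.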