This project details the creation of a home Security Operations Center (SOC) lab designed to simulate and monitor cyberattacks. The lab's architecture uses Proxmox to host virtual machines, including a Wazuh Manager for log analysis, a Kali Linux attacker, and a Debian victim. The project simulates a brute-force attack using Hydra from the Kali machine against the victim system. Wazuh detects the malicious activity and identifies the attacker's IP address, which allows the attack to be isolated and contained by blocking the originating IP. The detected activity is mapped to the MITRE ATT&CK framework, specifically the credential access tactic (technique T1110). An incident timeline analysis visualizes the normal system activity, followed by the detection phase and finally the mitigation phase. Furthermore, the project implements proactive detection using Auditd, setting behavioral "traps" on sensitive files. When these Auditd traps are triggered, they raise alerts within Wazuh based on specific rules, adding further detection coverage. The initial setup hit a "Missing location element" error in Wazuh's configuration, which was troubleshot successfully using command line tools. The project demonstrates the full lifecycle of attack detection, analysis, and containment within a simulated SOC environment.
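The detection step described above (many failed logins from one source, attributed to T1110, followed by blocking the source IP) can be reproduced outside Wazuh with a few lines of Python. The following is an added example, not code from the original post or from the Wazuh project: it parses constructed sshd log lines in the syslog format a Debian host would forward to a Wazuh manager, counts failures per source IP inside a sliding window, emits an alert tagged with the ATT&CK technique, and builds the iptables containment command a responder would review. The threshold (5 failures in 60 seconds), the year used to complete the syslog timestamps, and the sample log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (syslog format as forwarded to a Wazuh manager).
# Made up for this example; not captured from the lab described in the post.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 victim sshd[1201]: Accepted publickey for deploy from 192.168.56.10 port 50210 ssh2
Mar 10 12:01:12 victim sshd[1302]: Failed password for root from 192.168.56.20 port 40001 ssh2
Mar 10 12:01:13 victim sshd[1303]: Failed password for root from 192.168.56.20 port 40002 ssh2
Mar 10 12:01:13 victim sshd[1304]: Failed password for invalid user admin from 192.168.56.20 port 40003 ssh2
Mar 10 12:01:14 victim sshd[1305]: Failed password for invalid user admin from 192.168.56.20 port 40004 ssh2
Mar 10 12:01:15 victim sshd[1306]: Failed password for root from 192.168.56.20 port 40005 ssh2
Mar 10 12:01:16 victim sshd[1307]: Failed password for root from 192.168.56.20 port 40006 ssh2
Mar 10 12:05:40 victim sshd[1402]: Failed password for alice from 192.168.56.30 port 50300 ssh2
Mar 10 12:06:02 victim sshd[1403]: Accepted password for alice from 192.168.56.30 port 50301 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional so both
# existing and non-existent account names are captured.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

THRESHOLD = 5        # assumed: failures from one source IP before alerting
WINDOW_SECONDS = 60  # assumed: sliding window in which those failures must occur


def parse_failures(log_text, year=2024):
    """Return (timestamp, source_ip, user) tuples for every failed login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the year is an assumption of this example
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Raise one alert per source IP the first time it crosses the threshold."""
    recent = defaultdict(list)   # per-IP failure timestamps still inside the window
    users = defaultdict(set)     # per-IP set of account names tried
    alerts = {}
    for ts, ip, user in sorted(events):
        users[ip].add(user)
        # keep only failures that fall within the window ending at this event
        recent[ip] = [t for t in recent[ip] + [ts] if (ts - t).total_seconds() <= window]
        if ip not in alerts and len(recent[ip]) >= threshold:
            alerts[ip] = {
                "source_ip": ip,
                "failures_in_window": len(recent[ip]),
                "first_failure": recent[ip][0],
                "detected_at": ts,
                "targeted_users": sorted(users[ip]),
                "mitre_tactic": "Credential Access",
                "mitre_technique": "T1110",
            }
    return list(alerts.values())


def containment_command(alert):
    """Build the host firewall rule that blocks the attacking IP (not executed here)."""
    return f"iptables -I INPUT -s {alert['source_ip']} -j DROP"


def incident_timeline(alerts):
    """Order the phases the post visualizes: first failure, detection, mitigation."""
    steps = []
    for a in alerts:
        steps.append((a["first_failure"], f"first failed login from {a['source_ip']}"))
        steps.append((a["detected_at"],
                      f"{a['mitre_technique']} alert: {a['failures_in_window']} failures "
                      f"within {WINDOW_SECONDS}s from {a['source_ip']}"))
        steps.append((a["detected_at"], "containment: " + containment_command(a)))
    return sorted(steps)


if __name__ == "__main__":
    found = detect_bruteforce(parse_failures(SAMPLE_AUTH_LOG))
    for when, what in incident_timeline(found):
        print(when.isoformat(), what)
```

On the sample above, the single failure from 192.168.56.30 (a user who then logs in successfully) stays below the threshold, while 192.168.56.20 trips the alert on its fifth failure; the timeline then shows the same three phases the post's analysis visualizes. The same per-source counting is what a Wazuh frequency rule does on the manager, so this is a useful way to sanity-check a rule's threshold and window against real log samples before deploying it.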