SCENARIO 01 // ATTACK FLOW

Nmap Reconnaissance

NETWORK SERVICE DISCOVERY · DETECTION ANALYSIS

MITRE ATT&CK — T1046 · Network Service Discovery · Tactic: Discovery

KALI LINUX · 192.168.100.10 · ATTACKER
  ► NMAP SCAN PACKETS · TCP SYN · Port Probing
WINDOWS 10 · 192.168.100.20 · TARGET
  ► SYSMON + WAZUH AGENT · Log Forwarding
WAZUH SIEM · 192.168.100.40 · DETECTION
PHASE 1 · ATTACKER

Reconnaissance Initiated

The attacker, on Kali Linux, launches an Nmap service-version scan (-sV) against the Windows 10 victim machine on the isolated VMnet2 network.

nmap -sV 192.168.100.20
192.168.100.10 → 192.168.100.20
PHASE 2 · NETWORK

Port Probe Packets Sent

Nmap sends TCP SYN packets across all ports, probing for open services. Each probe that reaches Windows 10 generates a network event.

TCP SYN → Port 21 (FTP)
TCP SYN → Port 22 (SSH)
TCP SYN → Port 80 (HTTP)
TCP SYN → Port 445 (SMB)
TCP SYN → Port 3389 (RDP)
Scanning 65535 ports...
HIGH VOLUME · SEQUENTIAL PORTS
PHASE 3 · VICTIM ENDPOINT

Windows 10 Receives Probes

Windows 10 receives the port probes. Sysmon (with the SwiftOnSecurity ruleset) detects the unusual network connection pattern and logs Event ID 3 — Network Connection events.

Event ID 3: Network Connection
SourceIp: 192.168.100.10
DestinationPort: [multiple]
Image: System
SYSMON EVENT ID 3 · NETWORK CONNECTION
PHASE 4 · LOG FORWARDING

Wazuh Agent Forwards Logs

The Wazuh agent running on Windows 10 collects Sysmon events and Windows Event Logs in real time and forwards them to the Wazuh Manager at 192.168.100.40.

Wazuh Agent → Wazuh Manager
Protocol: TCP 1514
Format: JSON encoded events
Agent: Win10-victim (Active)
REAL-TIME LOG STREAMING
PHASE 5 · SIEM DETECTION

Wazuh Raises 401 Alerts

The Wazuh Manager processes incoming logs against its ruleset. The high volume of connection attempts from a single source IP within a short timeframe triggers the port-scan detection rule.

Rule 40111: Multiple connection attempts
Rule Level: 7 (Medium-High)
Source IP: 192.168.100.10
Agent: Win10-victim
Total Alerts: 401
401 TOTAL ALERTS
7 RULE LEVEL
~60s TIMEFRAME
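The Phase 5 correlation, as an added example that is not part of this lab's Wazuh ruleset: a sliding-window detector over constructed Sysmon Event ID 3 records that fires once a single source IP touches 10 distinct destination ports within 60 seconds. The custom rule id 100100, the second (benign) source host 192.168.100.30 and the record layout are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detector parameters mirroring a Wazuh frequency/timeframe rule: fire when one
# source IP reaches at least FREQUENCY distinct ports within TIMEFRAME seconds.
# Rule id 100100 is a hypothetical custom id; level 7 and T1046 follow the scenario.
FREQUENCY = 10
TIMEFRAME = 60
RULE = {"id": 100100, "level": 7, "technique": "T1046",
        "description": "Multiple connection attempts from a single source"}

def detect_port_scans(events, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return one alert per source IP each time the threshold is crossed."""
    window = defaultdict(deque)   # src_ip -> deque of (timestamp, dst_port)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event_id") != 3:        # only Sysmon Network Connection events
            continue
        q = window[ev["src_ip"]]
        now = datetime.fromisoformat(ev["ts"])
        q.append((now, ev["dst_port"]))
        cutoff = now - timedelta(seconds=timeframe)
        while q and q[0][0] < cutoff:      # age out records outside the window
            q.popleft()
        ports = sorted({p for _, p in q})
        if len(ports) >= frequency:
            alerts.append({**RULE, "src_ip": ev["src_ip"], "dst_ip": ev["dst_ip"],
                           "ports": ports, "last_seen": ev["ts"]})
            q.clear()                      # like a Wazuh frequency rule: fire once per window
    return alerts

def make_event(ts, src, dst, port):
    """Constructed Sysmon Event ID 3 record in the shape the agent forwards (assumed layout)."""
    return {"ts": ts, "event_id": 3, "image": "System",
            "src_ip": src, "dst_ip": dst, "dst_port": port}

# Constructed sample: the scanner hits 12 ports in 12 seconds; a benign admin
# host (hypothetical 192.168.100.30) opens SMB three times over five minutes.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_EVENTS = [make_event(f"2024-01-01T10:00:{i:02d}", "192.168.100.10", "192.168.100.20", p)
                 for i, p in enumerate(SCAN_PORTS)]
SAMPLE_EVENTS += [make_event(f"2024-01-01T10:0{m}:00", "192.168.100.30", "192.168.100.20", 445)
                  for m in (1, 3, 5)]

if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_EVENTS):
        print(f"rule {a['id']} level {a['level']} {a['technique']}: "
              f"{a['src_ip']} -> {a['dst_ip']} ports {a['ports']}")
```

The benign host never alerts because repeated connections to one port do not raise the distinct-port count, which is the property a frequency-on-unique-ports rule needs to avoid noise from file servers.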
PHASE 6 · ANALYST RESPONSE

SOC Analyst Investigates

The SOC analyst opens the Wazuh dashboard, identifies the alert spike, correlates the source IP, checks the MITRE ATT&CK mapping, and documents the findings in an incident report.

MITRE ATT&CK: T1046
Tactic: Discovery
Technique: Network Service Discovery
Severity: MEDIUM
Action: Monitor for follow-on exploitation
✓ DETECTED · DOCUMENTED · REPORTED

ATTACK TOOL: Nmap -sV
ATTACKER IP: 192.168.100.10
TARGET IP: 192.168.100.20
ALERTS GENERATED: 401
MITRE TECHNIQUE: T1046
DETECTION STATUS: ✓ DETECTED
SEVERITY: MEDIUM
NETWORK: VMnet2 Isolated
SOC HOME LAB · github.com/Devanshu2107/soc-lab · SCENARIO 01 OF 05