01 Lab Overview
The Wazuh server runs inside a pre-built virtual machine (OVA) on VirtualBox: no Linux setup and no installation commands, just import and start. A Wazuh Agent installed on Windows automatically ships the Windows Security Event Log to it. Kali (WSL2) runs attacks against Windows. You detect everything in the Wazuh web dashboard.
[Lab diagram: the Windows host is the monitored endpoint and is where VirtualBox runs; its agent talks to the Wazuh VM (Manager + Indexer) on port 1514, and the Dashboard is served on port 443. Kali in WSL2 holds nmap and hydra only; no Wazuh component runs there.]
We monitor the Windows machine, specifically its Windows Security Event Log. The Wazuh Agent reads it automatically and ships it to the Wazuh VM. Wazuh ships with hundreds of built-in detection rules, so alerts fire without writing any rule logic.
| Component | Where it runs | What it does |
|---|---|---|
| Wazuh OVA (VM) | VirtualBox on Windows | The SIEM: Manager, Indexer and Dashboard all pre-installed. Access the dashboard at https://<VM-IP> |
| Wazuh Agent | Windows (native service) | Collects the Security, System and Application event logs automatically and ships them to the VM on TCP port 1514 |
| Kali Linux (WSL2) | WSL2 only | The attacker: runs nmap and hydra only. Nothing else is installed here. |
| Requirement | Detail |
|---|---|
| RAM | 8 GB minimum: 4 GB allocated to the Wazuh VM, the rest for Windows and WSL2 |
| Disk | 50 GB free (the OVA is ~4 GB and expands to ~20 GB) |
| OS | Windows 10/11 64-bit |
| CPU | Hardware virtualisation enabled in BIOS (Intel VT-x or AMD-V) |
| WSL2 | Kali installed |
Because WSL2 turns on the Hyper-V hypervisor, VirtualBox on this host falls back to its Hyper-V backend (a turtle icon appears in the VM's status bar). This works, but the Wazuh VM boots and runs more slowly than it would on a host without WSL2.
02 Required Tools
Everything is free. No accounts or licences required.
Wazuh OVA: wazuh-4.14.4.ova (~4 GB)
VirtualBox (Windows): VirtualBox-7.2.6a-Win.exe
VirtualBox (macOS Intel): VirtualBox-7.2.6-OSX.dmg
VirtualBox (macOS Apple Silicon): VirtualBox-7.2.6-macOSArm64.dmg
Wazuh Agent (Windows): wazuh-agent-4.9.2-1.msi
nmap and hydra: installed via apt on Kali, no download needed
The agent is a lower version than the manager in the OVA. That is supported: a Wazuh manager accepts agents of the same or an older version, but an agent newer than its manager is not.
03 Installation Instructions
Download and run the VirtualBox installer for Windows hosts. Accept all defaults during installation. Restart Windows if prompted.
If VirtualBox shows an error about virtualisation not being enabled, restart your PC, enter BIOS/UEFI settings, and enable Intel VT-x or AMD-V. The option is usually under Advanced CPU settings.
Download the OVA file from the link in Section 02. It is approximately 4 GB, so this will take a few minutes.
Once downloaded, import it into VirtualBox:
File → Import Appliance → browse to the downloaded wazuh-4.14.4.ova file → Next → Import
The import takes 2–5 minutes. Leave all settings at their defaults during import.
After import, select the VM → Settings → Display → Graphics Controller → change it to VMSVGA. Other graphics controllers can freeze the VM window.
The Wazuh VM must be on the same network as your Windows machine so the agent can reach it. Set the network adapter to Bridged:
Select the Wazuh VM → Settings → Network → Adapter 1 → Attached to: Bridged Adapter → Name: select your active Windows network adapter → OK
Click Start in VirtualBox to boot the Wazuh VM. Wait for the boot to complete (1–2 minutes) until you see the login prompt.
Log in to the VM console with the OVA's default credentials:
Username: wazuh-user
Password: wazuh
Once logged in, get the VM's IP address; you need it for the agent and the dashboard:
ip addr show | grep "inet " | grep -v 127.0.0.1
Note the IP shown (e.g. 192.168.x.x). This is your Wazuh Server IP; write it down. You will use it in the agent installation and to access the dashboard. If the command shows no address other than the loopback, the bridged adapter is not attached to an active interface.
On your Windows machine, open a browser and navigate to the Wazuh VM's IP address:
https://192.168.x.x
Your browser will show a certificate warning: click Advanced → Proceed. This is expected for the self-signed lab certificate.
Username: admin
Password: admin
These are the OVA defaults. With a bridged adapter the dashboard (443) and the agent port (1514) are reachable by every device on your LAN, so if the VM stays up on a shared network, change the admin password before moving on.
You should see the Wazuh home screen with the Overview panel. It shows 0 agents connected; that is correct at this stage. The agent comes next.
Download wazuh-agent-4.9.2-1.msi from the link in Section 02. Then open PowerShell as Administrator in the folder containing it and run the silent install. Replace 192.168.x.x with your Wazuh VM IP from Step 4:
# Install the agent โ replace 192.168.x.x with your Wazuh VM IP
msiexec.exe /i wazuh-agent-4.9.2-1.msi /q `
WAZUH_MANAGER="192.168.x.x" `
WAZUH_AGENT_NAME="Windows-Lab"
Start the agent service:
NET START WazuhSvc
Verify it is running:
Get-Service WazuhSvc
Go to Wazuh Dashboard → Agents. You should see Windows-Lab listed with status Active within 1–2 minutes. Windows event logs start flowing as soon as the agent connects. Only events written from that point on are shipped, and only the events Windows is configured to audit; the agent does not change the local audit policy.
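The following is an added example, not part of the original lab page or of Wazuh itself. It is the check a practitioner runs at this point: confirm from the Windows side that the agent can reach the manager and has actually connected, then enable the audit subcategories that the Section 04 exercises depend on (process creation and scheduled-task events are not audited by default on Windows clients). Assumptions: the Wazuh VM IP is placed in $ManagerIp, the agent is in its default folder, and Windows uses English audit subcategory names.

```powershell
# Added example, not part of the original lab page. Run in an elevated PowerShell on the Windows
# host after the agent install. Assumptions: your Wazuh VM IP is in $ManagerIp, the agent was
# installed to the default folder, and Windows uses English audit subcategory names.
$ManagerIp = "192.168.x.x"                          # replace with the Wazuh VM IP from the ip addr step
$AgentDir  = "C:\Program Files (x86)\ossec-agent"

# 1. Reachability: events go to TCP 1514; the agent's first start enrols over TCP 1515.
foreach ($port in 1514, 1515) {
    $r = Test-NetConnection -ComputerName $ManagerIp -Port $port -WarningAction SilentlyContinue
    "{0}:{1} reachable = {2}" -f $ManagerIp, $port, $r.TcpTestSucceeded
}

# 2. Service state and the manager address the MSI wrote into ossec.conf
Get-Service WazuhSvc | Select-Object Status, StartType
Select-String -Path "$AgentDir\ossec.conf" -Pattern "<address>" | ForEach-Object { $_.Line.Trim() }

# 3. Agent log tail: "Connected to the server" is what you want to see; "Unable to connect"
#    means the IP is wrong, the VM is off, or the VM is not on the bridged network.
Get-Content "$AgentDir\ossec.log" -Tail 15

# 4. Audit policy for the Section 04 exercises. 4688 (process creation) and 4698 (scheduled
#    task created) are off by default on Windows clients; account management (4720/4732)
#    usually is on already, and enabling it again is harmless.
$subcategories = "Process Creation", "Other Object Access Events",
                 "User Account Management", "Security Group Management"
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable | Out-Null
}
# Record the full command line in 4688 so the dashboard shows what PowerShell launched
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
    /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f | Out-Null

# 5. Confirm: each subcategory should now show "Success"
foreach ($sub in $subcategories) { auditpol /get /subcategory:"$sub" }
```

If step 1 reports the ports as unreachable while the VM console shows the IP, the usual cause is the bridged adapter being bound to the wrong Windows interface (for example a disconnected Ethernet port instead of Wi-Fi). Step 4 changes the local audit policy only; a domain GPO would override it at the next refresh, which is not an issue on a standalone lab machine.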
Open your Kali WSL2 terminal. This is the only thing installed on Kali for this lab:
sudo apt update && sudo apt install -y nmap hydra
Every attack command targets the Windows machine IP. Get it from Kali:
cat /etc/resolv.conf | grep nameserver
With WSL2's default NAT networking the nameserver shown (usually 172.x.x.x) is the Windows host's address on the WSL virtual switch. If you have enabled mirrored networking in .wslconfig, Kali shares the host's LAN address instead, and the Windows IP is the one ipconfig reports. Write it down: every attack command uses this IP.
Wazuh VM IP (Step 4, e.g. 192.168.x.x): used when installing the agent and accessing the dashboard.
Windows host IP (Step 8, e.g. 172.x.x.x): used as the attack target in hydra and nmap commands.
04 Attack & Detect
This lab simulates real attacker behaviour rather than brute-force noise. Each exercise represents one stage of an attack lifecycle. The commands are run on the Windows machine itself, in an elevated command prompt or PowerShell (the Kali tools from Section 03 are not used here), and the filter in the right-hand column is typed into the search bar of the dashboard's security events view to find the resulting alert.
| Stage | Run on Windows (elevated) | Dashboard filter |
|---|---|---|
| Execution: PowerShell spawns cmd.exe | powershell -ExecutionPolicy Bypass -Command "Start-Process cmd" | data.win.system.eventID: 4688 |
| Persistence: scheduled task | schtasks /create /tn "Updater" /tr "cmd.exe" /sc minute /mo 5 | data.win.system.eventID: 4698 |
| Account creation and privilege escalation | net user backdoor P@ssword123 /add, then net localgroup administrators backdoor /add | data.win.system.eventID: 4720 OR data.win.system.eventID: 4732 |
| Persistence: new service | sc.exe create "WindowsUpdateHelper" binPath= "C:\Windows\Temp\update.exe" start= auto | data.win.system.eventID: 7045 |
| Defence evasion: clear the Security log | wevtutil cl Security | data.win.system.eventID: 1102 |
4688 (process creation) and 4698 (scheduled task created) are only written if the Process Creation and Other Object Access Events audit subcategories are enabled. Windows clients leave both off by default, so enable them with auditpol before starting; without them the first two exercises produce no event at all, on the endpoint or in Wazuh. 4720/4732 come from Account Management auditing, which is on by default, and 7045 is written to the System log by the Service Control Manager, which the agent also collects, so those need no extra configuration.
In PowerShell, sc is an alias of Set-Content, which is why the service command is written as sc.exe. The service binary does not need to exist: 7045 is logged when the service is installed, not when it starts.
Run the wevtutil exercise last. Clearing the log destroys the local copies of the earlier events (the copies already shipped to Wazuh survive), and 1102 is logged regardless of audit policy, which is exactly why it is such a reliable detection.
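The following is an added example, not part of the original lab page. When an alert does not show up in the dashboard, the first question is whether Windows wrote the event at all, and this script answers it locally: for each exercise it queries the relevant log with Get-WinEvent, matches the event payload against the names used in the table above, and prints the fields a detection would pivot on. An event missing here points at audit policy; one present here but absent in Wazuh points at the agent or its connection. Assumptions: the exercises used the names from the table unchanged, ran within the last 30 minutes, and the script runs before the wevtutil exercise (after it, the Security log is empty by design).

```powershell
# Added example, not part of the original lab page. Run elevated on the Windows host after the
# exercises above, but before clearing the Security log. Assumptions: the exercises ran within
# the last 30 minutes and used the names from the table unchanged.
$Since = (Get-Date).AddMinutes(-30)

# Match = field name -> regex the event must satisfy; field names are the <Data Name="..."> keys
# of the event XML. Show = fields printed for the first matching event.
$Checks = @(
    @{ Stage = "Execution";         Log = "Security"; Id = 4688; Match = @{ NewProcessName = 'cmd\.exe$' };          Show = "ParentProcessName", "CommandLine" },
    @{ Stage = "Scheduled task";    Log = "Security"; Id = 4698; Match = @{ TaskName = 'Updater$' };                 Show = "TaskName", "SubjectUserName" },
    @{ Stage = "Account created";   Log = "Security"; Id = 4720; Match = @{ TargetUserName = '^backdoor$' };         Show = "TargetUserName", "SubjectUserName" },
    @{ Stage = "Added to admins";   Log = "Security"; Id = 4732; Match = @{ TargetUserName = '^Administrators$' };   Show = "MemberSid", "SubjectUserName" },
    @{ Stage = "Service installed"; Log = "System";   Id = 7045; Match = @{ ServiceName = '^WindowsUpdateHelper$' }; Show = "ImagePath", "StartType" },
    @{ Stage = "Log cleared";       Log = "Security"; Id = 1102; Match = @{};                                        Show = @() }
)

function Get-EventDataFields($Event) {
    # Flatten <EventData><Data Name="X">value</Data>... into a hashtable. 1102 carries its
    # payload in <UserData> instead, so for it this simply returns an empty table.
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        $fields[$d.GetAttribute("Name")] = $d.InnerText
    }
    return $fields
}

foreach ($c in $Checks) {
    $filter = @{ LogName = $c.Log; Id = $c.Id; StartTime = $Since }
    # 4688 is noisy: every process start in the window is parsed, which is acceptable for a lab
    $hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Where-Object {
        $f  = Get-EventDataFields $_
        $ok = $true
        foreach ($k in $c.Match.Keys) { if ($f[$k] -notmatch $c.Match[$k]) { $ok = $false } }
        $ok
    })
    if ($hits.Count -eq 0) {
        "MISSING  {0,-18} {1} {2}" -f $c.Stage, $c.Log, $c.Id
        continue
    }
    $f = Get-EventDataFields $hits[0]
    $detail = ($c.Show | ForEach-Object { "{0}={1}" -f $_, $f[$_] }) -join "  "
    "FOUND    {0,-18} {1} {2}  {3:s}  {4}" -f $c.Stage, $c.Log, $c.Id, $hits[0].TimeCreated, $detail
}
```

The same field names appear in the Wazuh alert under data.win.eventdata (Wazuh lowercases the first letter, so CommandLine becomes data.win.eventdata.commandLine), which makes this a convenient way to learn which fields to add to a dashboard query beyond data.win.system.eventID. The CommandLine value of 4688 is only populated when command-line auditing is enabled in the registry; otherwise it prints empty while the event itself is still present.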
05 Complete Uninstall
Run through these steps after your test run to get back to a clean slate, ready to redo the lab in class. The steps below remove only the Wazuh components. If you ran the Section 04 exercises, the backdoor account, the Updater scheduled task and the WindowsUpdateHelper service are still on the machine and must be removed separately, and the audit policy changes you made stay in place. The cleared Security log cannot be restored.
Stop the agent before uninstalling it, and power off the VM before deleting it. Skipping the stop steps can leave orphaned processes.
# Stop the agent service
NET STOP WazuhSvc
# Uninstall the agent via MSI. Querying Win32_Product is slow and triggers a consistency check
# of every MSI package on the machine, so expect this to take a while.
$agent = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*Wazuh Agent*" }
if ($agent) {
    # Start-Process -Wait blocks until msiexec finishes; calling msiexec.exe directly returns at once
    Start-Process msiexec.exe -ArgumentList "/x $($agent.IdentifyingNumber) /qn /norestart" -Wait
    Write-Host "Wazuh Agent removed."
} else {
    Write-Host "Wazuh Agent not found."
}
Or uninstall manually: Settings → Apps → search "Wazuh" → Wazuh Agent → Uninstall
# Remove agent installation folder
Remove-Item -Path "C:\Program Files (x86)\ossec-agent" -Recurse -Force -ErrorAction SilentlyContinue
# Confirm it is gone
Test-Path "C:\Program Files (x86)\ossec-agent"   # Should return: False
1. Right-click the Wazuh VM in the list → Close → Power Off (if it is running)
2. Right-click the VM → Remove → Delete all files
This deletes the VM and all its disk files. The OVA download file itself is kept โ you can reimport it for the next session without re-downloading.
# Check the agent service is gone: with SilentlyContinue this prints nothing when the service no longer exists
Get-Service WazuhSvc -ErrorAction SilentlyContinue
# Check the agent folder is gone: should return False
Test-Path "C:\Program Files (x86)\ossec-agent"
Get-Service prints nothing and Test-Path returns False. The VM is deleted in VirtualBox. The machine is back to its original state.
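The following is an added example, not part of the original lab page. It is the fuller teardown a practitioner would run: it first undoes the Section 04 changes (the scheduled task, the service and the backdoor administrator account, none of which the agent uninstall touches), then uninstalls the agent by looking up its MSI product code in the Uninstall registry keys rather than through Win32_Product, and finishes with the same style of verification used above. Assumptions: the exercise names from Section 04 were used unchanged, the agent is in its default folder, and the uninstall entry's key name is the MSI product code (which the script checks before using it).

```powershell
# Added example, not part of the original lab page. Run elevated on the Windows host.
# Assumptions: Section 04 exercise names were used unchanged; the agent sits in its default folder.
# The Security log cleared by the wevtutil exercise cannot be restored.

# 1. Persistence and backdoor account created in Section 04
schtasks /delete /tn "Updater" /f
sc.exe delete "WindowsUpdateHelper"
net user backdoor /delete            # also drops its Administrators membership

# 2. Agent: stop it, find its MSI product code, uninstall, delete the folder
Stop-Service WazuhSvc -ErrorAction SilentlyContinue
$uninstallKeys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
$agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like "*Wazuh Agent*" } |
         Select-Object -First 1
if ($agent -and $agent.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
    # For MSI installs the key name is the product code, which msiexec /x accepts directly
    Start-Process msiexec.exe -ArgumentList "/x $($agent.PSChildName) /qn /norestart" -Wait
} elseif ($agent) {
    "Found '$($agent.DisplayName)' but its key is not a product code; uninstall it from Settings > Apps"
} else {
    "Wazuh Agent not found in the Uninstall keys"
}
Remove-Item "C:\Program Files (x86)\ossec-agent" -Recurse -Force -ErrorAction SilentlyContinue

# 3. Verify: nothing should print except the final False
Get-ScheduledTask -TaskName "Updater" -ErrorAction SilentlyContinue
Get-Service WindowsUpdateHelper, WazuhSvc -ErrorAction SilentlyContinue
Get-LocalUser -Name backdoor -ErrorAction SilentlyContinue
Test-Path "C:\Program Files (x86)\ossec-agent"
```

The audit policy changes made for Section 04 are left in place on purpose: they cost nothing on a lab machine and the next run of the lab needs them again. If you want them gone too, auditpol /set with /success:disable for the same subcategories reverses them.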
# Remove attack tools if you want a fully clean attacker machine
sudo apt remove -y nmap hydra && sudo apt autoremove -y
| # | Action | How | Done? |
|---|---|---|---|
| 1 | Stop Wazuh Agent service | NET STOP WazuhSvc | ☐ |
| 2 | Uninstall Wazuh Agent | MSI script or Settings → Apps | ☐ |
| 3 | Delete agent folder | Remove-Item "C:\Program Files (x86)\ossec-agent" -Recurse -Force | ☐ |
| 4 | Power off Wazuh VM | VirtualBox → Close → Power Off | ☐ |
| 5 | Delete Wazuh VM | VirtualBox → Remove → Delete all files | ☐ |
| 6 | Verify clean state | Get-Service prints nothing, Test-Path returns False | ☐ |
| 7 | Remove Kali tools (optional) | sudo apt remove nmap hydra | ☐ |
The OVA file is still on your disk. For the next session: re-import it into VirtualBox (Steps 2–5 of Installation), reinstall the agent pointing to the new VM IP, and you are back to a fresh lab in under 10 minutes.