Ashwatha4502/rhysida-ir-investigation
GitHub: Ashwatha4502/rhysida-ir-investigation
Stars: 0 | Forks: 0
# 🔍 Rhysida Ransomware — Incident Response Investigation
A simulated SOC analyst investigation of the Rhysida ransomware attack on
Ann & Robert H. Lurie Children's Hospital of Chicago (January 2024).
Using the TTPs confirmed in CISA Advisory AA23-319A, this project replays the
attack chain against a Wazuh SIEM and shows that each of the 15 techniques
raises an alert when a detection rule written for it is in place.
## 🎯 The Core Finding
In reality, Rhysida operated inside Lurie's network for **5 full days** before it was detected.
This investigation shows that all 15 Rhysida TTPs confirmed in CISA AA23-319A raise Wazuh
alerts when the rules in `rules/rhysida_rules.xml` are loaded. The rules are written against a
known playbook, so the comparison below measures rule coverage for the advisory's TTPs rather
than detection of an unknown adversary; the 5-day dwell time is what the same sequence of
events looks like when none of them is being monitored.
| Metric | Reality (Lurie, no effective monitoring) | This simulation (modeled outcome) |
|---|---|---|
| Time to first alert | 5 days | < 1 minute |
| Techniques detected | 0/15 | 15/15 (rules written for the confirmed TTPs) |
| PHI exfiltrated | 791,784 records | 0 records |
| EHR downtime | 4 months | < 24 hours |
| Ransom paid | $0 (refused) | $0 (prevented) |
## 🔴 Attack Chain — 15 MITRE ATT&CK Techniques
| Phase | Technique | ATT&CK ID | Wazuh rule level (0-15) |
|---|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 | 12 |
| Initial Access | Valid Accounts (VPN) | T1078 | 13 |
| Execution | PowerShell | T1059.001 | 13 |
| Execution | PsExec (System Services: Service Execution) | T1569.002 | 13 |
| Persistence | Scheduled Task | T1053.005 | 12 |
| Persistence | New Local Account | T1136.001 | 14 |
| Privilege Escalation | Zerologon CVE-2020-1472 | T1068 | 15 |
| Defense Evasion | Disable Security Tools | T1562.001 | 14 |
| Defense Evasion | Clear Event Logs | T1070.001 | 14 |
| Credential Access | LSASS Memory Dump | T1003.001 | 15 |
| Discovery | Network Scan | T1018 | 12 |
| Discovery | PHI Enumeration | T1083 | 14 |
| Lateral Movement | RDP to Epic EHR | T1021.001 | 13 |
| Exfiltration | PHI Exfiltration | T1048 | 15 |
| Impact | Ransomware Encryption | T1486 | 15 |
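The table maps each technique to an ATT&CK ID and a Wazuh rule level, but it does not show what a rule actually keys on. The block below is an added example, not code from this repository or its `rhysida_rules.xml`: a small Python mirror of five of the fifteen detections, run over constructed events laid out like the JSON the Wazuh Windows eventchannel decoder produces (`win.system.channel`, `win.system.eventID`, `win.system.computer`, `win.eventdata.*`). The host names, user names, file paths, the Epic host list and the LSASS allow-list are all made up for illustration; the technique IDs and levels are the ones in the table. It also computes a time-to-first-alert figure, which is the quantity the "< 1 minute" claim above rests on.

```python
"""Added example (not the repository's rhysida_rules.xml): a Python mirror of five of
the fifteen detections in the table above, run over constructed events laid out like
the JSON the Wazuh Windows eventchannel decoder emits (win.system.*, win.eventdata.*).
Hosts, users, paths, the Epic host list and the LSASS allow-list are made up."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

SYSMON = "Microsoft-Windows-Sysmon/Operational"
EPIC_EHR_HOSTS = {"EPIC-PRD-01", "EPIC-PRD-02"}                       # constructed
ALLOWED_LSASS_READERS = {r"c:\windows\system32\csrss.exe",            # constructed allow-list
                         r"c:\program files\edr\sensor.exe"}
# -e / -ec / -enc / -EncodedCommand followed by 20+ base64 characters
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)

def sysfield(ev: dict, key: str) -> str:      # win.system.eventID / channel / computer
    return str(ev["win"]["system"].get(key, ""))

def data(ev: dict, key: str) -> str:          # win.eventdata.<camelCase field>
    return str(ev["win"].get("eventdata", {}).get(key, ""))

@dataclass(frozen=True)
class Rule:
    description: str
    technique: str                  # MITRE ATT&CK ID, as in the table above
    level: int                      # Wazuh rule level, as in the table above
    match: Callable[[dict], bool]

RULES = [
    Rule("Encoded PowerShell command line", "T1059.001", 13,
         lambda ev: sysfield(ev, "channel") == "Security" and sysfield(ev, "eventID") == "4688"
         and ENCODED_PS.search(data(ev, "commandLine")) is not None),
    Rule("Local user account created", "T1136.001", 14,
         lambda ev: sysfield(ev, "channel") == "Security" and sysfield(ev, "eventID") == "4720"),
    Rule("Security event log cleared", "T1070.001", 14,
         lambda ev: sysfield(ev, "channel") == "Security" and sysfield(ev, "eventID") == "1102"),
    Rule("LSASS opened by a process outside the allow-list", "T1003.001", 15,
         lambda ev: sysfield(ev, "channel") == SYSMON and sysfield(ev, "eventID") == "10"
         and data(ev, "targetImage").lower().endswith(r"\lsass.exe")
         and data(ev, "sourceImage").lower() not in ALLOWED_LSASS_READERS),
    Rule("RDP logon (type 10) to an Epic EHR host", "T1021.001", 13,
         lambda ev: sysfield(ev, "channel") == "Security" and sysfield(ev, "eventID") == "4624"
         and data(ev, "logonType") == "10" and sysfield(ev, "computer") in EPIC_EHR_HOSTS),
]

def evaluate(events: list) -> list:
    """One alert per (event, matching rule), in event order, like alerts.log entries."""
    alerts = []
    for ev in events:
        for rule in RULES:
            if rule.match(ev):
                alerts.append({"timestamp": ev["timestamp"], "host": sysfield(ev, "computer"),
                               "technique": rule.technique, "level": rule.level,
                               "description": rule.description})
    return alerts

def techniques_detected(alerts: list) -> set:
    """Coverage check: the ATT&CK IDs that fired, to compare with the table above."""
    return {a["technique"] for a in alerts}

def seconds_to_first_alert(events: list, alerts: list, min_level: int = 12) -> float:
    """Dwell-time proxy: seconds from the earliest event to the first alert at >= min_level."""
    t0 = min(datetime.fromisoformat(e["timestamp"]) for e in events)
    hits = [datetime.fromisoformat(a["timestamp"]) for a in alerts if a["level"] >= min_level]
    return (min(hits) - t0).total_seconds() if hits else float("inf")

def make_event(ts: str, chan: str, event_id: int, host: str, **eventdata) -> dict:
    """Build a constructed event in the Wazuh eventchannel JSON layout."""
    return {"timestamp": ts, "win": {"system": {"channel": chan, "eventID": str(event_id),
                                                "computer": host}, "eventdata": eventdata}}

SAMPLE_EVENTS = [  # constructed for this example, not taken from any real incident
    make_event("2024-01-26T09:00:00", "Security", 4624, "WS-0142", logonType="2", targetUserName="jdoe"),
    make_event("2024-01-26T09:00:30", "Security", 4688, "WS-0142",
               commandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    make_event("2024-01-26T09:01:05", "Security", 4720, "DC-01", targetUserName="svc_backup2", subjectUserName="jdoe"),
    make_event("2024-01-26T09:02:00", SYSMON, 10, "DC-01", sourceImage=r"C:\Windows\System32\csrss.exe",
               targetImage=r"C:\Windows\System32\lsass.exe", grantedAccess="0x1000"),  # allow-listed: no alert
    make_event("2024-01-26T09:02:10", SYSMON, 10, "DC-01", sourceImage=r"C:\Users\Public\pd.exe",
               targetImage=r"C:\Windows\System32\lsass.exe", grantedAccess="0x1010"),
    make_event("2024-01-26T09:03:40", "Security", 4624, "EPIC-PRD-01", logonType="10",
               targetUserName="svc_backup2", ipAddress="10.20.30.40"),
    make_event("2024-01-26T09:05:00", "Security", 1102, "DC-01", subjectUserName="svc_backup2"),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["timestamp"]}  level={a["level"]:>2}  {a["technique"]:<10}  {a["host"]:<12}  {a["description"]}')
    print("seconds to first alert:", seconds_to_first_alert(SAMPLE_EVENTS, found))
```

Each `Rule` here corresponds to what a Wazuh rule expresses with `<field name="win.system.eventID">^4720$</field>` plus a `<mitre><id>T1136.001</id></mitre>` block and a `level` attribute; the allow-list on the LSASS rule is the part that keeps a level-15 alert from firing on every EDR or `csrss.exe` handle to `lsass.exe`, and `techniques_detected` is the kind of check that backs a "15/15" coverage claim.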
## 📁 Repository Structure
```text
rhysida-ir-investigation/
├── simulation/
│   └── rhysida_simulation.py   # Attack simulation based on CISA AA23-319A
├── rules/
│   └── rhysida_rules.xml       # Wazuh detection rules (15 techniques)
├── investigation/
│   └── incident_report.md      # Full IR report with timeline and IOCs
├── dashboard/
│   └── app.py                  # Interactive Streamlit investigation dashboard
└── README.md
```
## 🛠️ Tech Stack
- **SIEM**: Wazuh 4.7.5
- **Detection Rules**: 15 custom XML rules mapped to MITRE ATT&CK v14
- **Simulation**: Python 3 (CISA AA23-319A TTPs)
- **Dashboard**: Streamlit + Plotly
- **Source**: CISA Advisory AA23-319A (updated April 2025)
## 🚀 Run It Yourself
```bash
# 1. Ensure Wazuh is running
sudo systemctl status wazuh-manager

# 2. Deploy detection rules
sudo cp rules/rhysida_rules.xml /var/ossec/etc/rules/
sudo systemctl restart wazuh-manager

# 3. Run attack simulation
python3 simulation/rhysida_simulation.py

# 4. Check alerts
sudo grep -E "T1566|T1078|T1486" /var/ossec/logs/alerts/alerts.log

# 5. Launch dashboard
streamlit run dashboard/app.py
```

Before the restart in step 2, make sure the copied file is owned by `wazuh:wazuh`, as Wazuh expects for custom rule files, and check the ruleset for syntax errors with `sudo /var/ossec/bin/wazuh-analysisd -t`; a malformed rule file keeps the manager from starting. In step 4 the technique IDs only show up in an alert when the rule carries a `<mitre>` block; `alerts.json` in the same directory records them under `rule.mitre.id` and is easier to filter with `jq` than the text log.
## 🔗 The Trilogy
| Project | Demonstrates | Link |
|---|---|---|
| TANGEDCO OT/ICS SIEM | Build and deploy threat detection | [GitHub](https://github.com/Ashwatha4502/tangedco-ot-ics-siem) |
| Lurie GRC Assessment | Risk assessment and compliance | [GitHub](https://github.com/Ashwatha4502/lurie-grc-assessment) |
| Rhysida IR Investigation | Incident detection and response | This repo |
## 👤 Author
**Ashwatha Narayan**
Cybersecurity Graduate | SOC Analyst and GRC Analyst Candidate
raman.as@northeastern.edu
*Based on CISA Advisory AA23-319A (updated April 30, 2025)*
*MITRE ATT&CK Enterprise Framework v14*

*May 2026*