GitHub: abdsiddi/elastic-threat-detection-lab

# Cyber Threat Intelligence — Home Lab

`STATIC ANALYSIS · SIEM ENGINEERING · DETECTION RULE AUTHORING · ATT&CK SIMULATION`

| Field       | Value                                   |
| ----------- | --------------------------------------- |
| Author      | Muhammad Abdullah Siddiqui              |
| Environment | Kali Linux + Windows 11 VM              |
| Stack       | Elastic Stack 8.x · Sysmon · Winlogbeat |
| Framework   | MITRE ATT&CK · Atomic Red Team          |

# 📂 Contents

1. [Static File Analysis — Malware Identification](#01-static-file-analysis)
2. [Elastic Stack Setup & Log Verification](#02-elastic-stack-setup--log-verification)
3. [Attack Simulation — Atomic Red Team](#03-attack-simulation--atomic-red-team)
4. [Log Analysis in Kibana Discover](#04-log-analysis-in-kibana-discover)
5. [Detection Rules & SIEM Alerting](#05-detection-rules--siem-alerting)
6. [MITRE ATT&CK Coverage](#06-mitre-attck-coverage)

# 01. Static File Analysis

Four files of unknown origin were analyzed using standard static analysis tooling:

* `file`
* `strings`
* `binwalk`
* `exiftool`
* VirusTotal

## 📊 Analysis Summary

| Metric                        | Value   |
| ----------------------------- | ------- |
| Files Analyzed                | 4       |
| Files Flagged Malicious       | 4       |
| Highest VT Detection Count    | 59 / 71 |
| Malware Categories Identified | 4       |

## 📄 file1 — Composite Document File V2 (.doc)

The sample presented as a legacy Microsoft Word document in the OLE Compound Document format. Static inspection revealed suspicious macro execution behavior and evidence of embedded payload staging.

### Strings Analysis

```
C:\Users\Public
winmm.dll
Rundll32
Certutil -decode
```

### Observations

* `Certutil -decode` identified as LOLBin usage
* `Rundll32` referenced for DLL execution
* Embedded payload delivery indicators detected
* Multiple archive signatures identified through Binwalk

### Binwalk Findings

* StuffIt archive segments
* Embedded PNG structures
* ZIP archive containers
* `[Content_Types].xml`
* `.rels` relationship files

### VirusTotal Classification

| Engine Result   | Detection |
| --------------- | --------- |
| Trojan.VBA      | ✓         |
| W97M.Downloader | ✓         |
| Malicious Macro | ✓         |

### Detection Ratio

44 / 63

### SHA-256

`dc40e48d2e0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95`

## ⚙️ file2 — PE32 .NET Executable (.exe)

Identified as a 32-bit Windows executable compiled against the .NET framework. Its metadata attempted to disguise the sample as a legitimate utility application.

### Metadata Analysis

| Field         | Value              |
| ------------- | ------------------ |
| Internal Name | GuidTypeIn.exe     |
| Product Name  | WinThumbsPreloader |
| Machine Type  | Intel 386 / PE32   |
| Subsystem     | Windows GUI        |

### API References

```
GetWindowLongPtr32
SetWindowLong32
```

### Observations

* UI hook manipulation indicators
* Behavioral overlap with Remote Access Trojans
* Embedded compressed resources detected
* Potential spyware capability

### VirusTotal Classification

| Engine Result | Detection |
| ------------- | --------- |
| Trojan.MSIL   | ✓         |
| Backdoor.Win  | ✓         |
| RAT           | ✓         |
| Spyware       | ✓         |

### Detection Ratio

59 / 71

### SHA-256

`9c9a99423087bdfd23df04a29984273ba056021ee54e815d2cd85103a9548eff`

## 📊 file3 — Composite Document File V2 (.xls)

Legacy Excel document stored in OLE format. Static analysis indicated VBA macro obfuscation and embedded payload nesting.

### Indicators

* Auto-open macro behavior
* Embedded ZIP structures
* VBA obfuscation
* Downloader characteristics

### VirusTotal Classification

| Category         | Result |
| ---------------- | ------ |
| Trojan           | ✓      |
| Macro Downloader | ✓      |
| Auto Execute     | ✓      |

### Detection Ratio

40 / 62

### SHA-256

`de8e60c9b433dca50790371de29f6e6f68f3f244b060f838cdd07eea944f4f48`

## 🌐 file4 — Obfuscated HTML Payload

HTML sample containing heavily obfuscated JavaScript embedded inside abnormally large ASCII structures.
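The triage steps applied to each of the four samples above (type identification, string extraction, indicator matching, hashing for a VirusTotal lookup) can be scripted. The following is an added example and not part of the lab's own tooling; the sample bytes are constructed to imitate file1's OLE header and strings and file4's HTML shape, not the real files.

```python
import hashlib
import re

# Leading magic bytes for the container types seen in this lab.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "Composite Document File V2 (OLE)",
    b"MZ": "MZ executable (PE32 candidate)",
}

# LOLBin / staging indicators taken from the file1 strings output.
INDICATORS = [
    re.compile(rb"certutil(\.exe)?\s+-decode", re.I),
    re.compile(rb"rundll32", re.I),
    re.compile(rb"C:\\Users\\Public", re.I),
]

def identify(data: bytes) -> str:
    """Approximate `file`: match magic bytes, otherwise look for HTML markup."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    head = data[:512].lower()
    if b"<!doctype html" in head or b"<html" in head or b"<script" in head:
        return "HTML document"
    return "data"

def strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Equivalent of `strings -n 4`: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def triage(data: bytes) -> dict:
    """Type, SHA-256 (for a VirusTotal lookup) and any matched indicators."""
    hits = set()
    for s in strings(data):
        for pattern in INDICATORS:
            m = pattern.search(s)
            if m:
                hits.add(m.group(0).decode())
    return {"type": identify(data), "sha256": hashlib.sha256(data).hexdigest(),
            "indicators": sorted(hits),
            "verdict": "suspicious" if hits else "no static indicators"}

# Constructed samples (not the lab's real files): an OLE header followed by the
# file1 strings, and a small HTML page carrying an oversized ASCII blob.
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
              + b"C:\\Users\\Public\x00winmm.dll\x00Rundll32\x00Certutil -decode stage.txt\x00")
SAMPLE_HTML = b"<!DOCTYPE html><html><script>var a='" + b"A" * 64 + b"';</script></html>"

if __name__ == "__main__":
    for name, blob in (("file1", SAMPLE_DOC), ("file4", SAMPLE_HTML)):
        print(name, triage(blob))
```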
### VirusTotal Classification

| Category      | Result |
| ------------- | ------ |
| HTML Trojan   | ✓      |
| Exploit Agent | ✓      |
| Embedded JS   | ✓      |

### Detection Ratio

22 / 61

### SHA-256

`c41d9cf3dcabc161c040a8c3fcf8cfc18983fc896ce55003e230eff37171835`

# 📋 Static Analysis Summary

| File  | Type             | Malware Class    | VT Detections | Verdict   |
| ----- | ---------------- | ---------------- | ------------- | --------- |
| file1 | .doc (OLE)       | VBA Macro Trojan | 44 / 63       | Malicious |
| file2 | .exe (.NET PE32) | RAT / Spyware    | 59 / 71       | Malicious |
| file3 | .xls (OLE)       | Macro Downloader | 40 / 62       | Malicious |
| file4 | .html            | HTML Trojan      | 22 / 61       | Malicious |

# 02. Elastic Stack Setup & Log Verification

A local Elastic SIEM environment was configured using:

* Elasticsearch 8.x
* Kibana
* Winlogbeat
* Sysmon
* Windows 11 VM
* Kali Linux analyst station

## 🧱 Infrastructure Components

| Component     | Role                                   |
| ------------- | -------------------------------------- |
| Elasticsearch | Log indexing and storage               |
| Kibana        | Visualization and detection management |
| Winlogbeat    | Windows event log forwarding           |
| Sysmon        | Enhanced Windows telemetry             |
| Windows 11 VM | Attack target environment              |
| Kali Linux    | Analyst workstation                    |

## Verification Workflow

### 1. Kibana Discover Validation

Confirmed active ingestion into the index pattern:

```
winlogbeat-*
```

Total indexed events observed: 3,446 documents.

### 2. Event Stream Validation

Observed telemetry included:

* PowerShell Event ID 4104
* Windows Security Logs
* Sysmon Process Creation Events
* Service Control Manager events

### 3. ECS Field Validation

Verified presence of:

```
@timestamp
host.name
event.code
winlog.provider_name
```

# 03. Attack Simulation — Atomic Red Team

Atomic Red Team was used to simulate real adversary behaviors mapped directly to MITRE ATT&CK techniques.

## T1053.005 — Scheduled Task Creation

### Technique Category

Persistence

### PowerShell Execution

```powershell
Invoke-AtomicTest T1053.005 -TestNumbers 2
```

### Direct Command Equivalent

```
schtasks /Create /SC ONCE /TN spawn /TR cmd.exe /ST 20:10
```

### Result

```
SUCCESS: The scheduled task "spawn" has successfully been created.
```

## T1003.001 — LSASS Memory Dump

### Technique Category

Credential Access

### PowerShell Execution

```powershell
Invoke-AtomicTest T1003.001 -TestNumbers 2
```

### Direct Command Equivalent

```powershell
rundll32.exe comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass.dmp full
```

### Result

```
Done executing test: T1003.001-2 Dump LSASS.exe Memory using comsvcs.dll
```

## T1136.001 — Local User Account Creation

### Technique Category

Persistence

### Commands

```
net user attacker123 P@ssw0rd123 /add
net localgroup administrators attacker123 /add
```

### Result

```
The command completed successfully.
```

## T1569.002 — Service-Based Execution

### Technique Category

Execution

### Configuration

```
ServiceName: ARTService
BinaryPath: C:\WINDOWS\system32\cmd.exe /c powershell.exe -nop -w hidden
```

### Detection Artifact

Windows Event ID 7045

# 04. Log Analysis in Kibana Discover

Following execution of the Atomic Red Team simulations, the resulting telemetry was investigated in Kibana Discover using KQL.

## KQL Queries

### Scheduled Task Activity

```
message: "*schtasks*"
```

### LSASS Credential Dumping

```
message: "*lsass*" OR message: "*MiniDump*"
```

### User Account Creation

```
event.code: 4720
```

### Service Installation

```
event.code: 7045
```

## Detection Findings

| Technique             | Event Source            | Event ID | Detected |
| --------------------- | ----------------------- | -------- | -------- |
| Scheduled Task        | Sysmon                  | 1        | ✓        |
| LSASS Dump            | PowerShell / Sysmon     | 1        | ✓        |
| User Account Creation | Windows Security        | 4720     | ✓        |
| Service Installation  | Service Control Manager | 7045     | ✓        |

# 05. Detection Rules & SIEM Alerting

Custom detection rules were authored in Kibana Security using KQL-based rule logic.
## 🔴 LSASS Credential Dump Detection

### Severity

High

### Query

```
message: "*lsass*" OR message: "*MiniDump*" OR message: "*comsvcs.dll*"
```

### MITRE Mapping

T1003.001

### Alerts Generated

20 Alerts

## 🟡 Scheduled Task Persistence Detection

### Severity

Medium

### Query

```
message: "*schtasks*" AND message: "*/Create*"
```

### MITRE Mapping

T1053.005

### Alerts Generated

6 Alerts

## 🟡 User Account Creation Detection

### Severity

Medium

### Query

```
event.code: 4720
```

### MITRE Mapping

T1136.001

### Alerts Generated

2 Alerts

# 📈 Alert Summary

| Metric          | Count |
| --------------- | ----- |
| Total Alerts    | 28    |
| High Severity   | 20    |
| Medium Severity | 8     |
| Rules Triggered | 3     |

# 06. MITRE ATT&CK Coverage

| Tactic            | Technique               | ID        | Method          |
| ----------------- | ----------------------- | --------- | --------------- |
| Credential Access | LSASS Memory Dumping    | T1003.001 | comsvcs.dll     |
| Persistence       | Scheduled Task Creation | T1053.005 | schtasks.exe    |
| Persistence       | Local Account Creation  | T1136.001 | net user        |
| Execution         | Service Execution       | T1569.002 | sc create       |
| Execution         | VBScript Execution      | T1059.005 | Atomic Red Team |

# Key Takeaways

* Successfully built a functional Elastic SIEM pipeline
* Verified Windows telemetry ingestion using Winlogbeat + Sysmon
* Simulated adversary techniques using Atomic Red Team
* Authored custom KQL detection rules
* Generated high-fidelity detections from Windows native telemetry
* Mapped attack activity directly to MITRE ATT&CK techniques

# Screenshots To Add Later

* Kibana Discover dashboard
* Elastic Security alerts
* Atomic Red Team execution terminal
* Winlogbeat configuration
* Sysmon telemetry logs
* Detection rule configuration