SARANJITH02/Ransomware-Detection-Response-Lab

GitHub: SARANJITH02/Ransomware-Detection-Response-Lab

一个完整的 SOC 分析师家庭实验项目,通过在隔离环境中模拟勒索软件攻击来教授检测、调查和事件响应的全流程。

Stars: 2 | Forks: 0

# Ransomware Detection & Response Lab ### A Complete SOC Analyst Home Lab Project ## Table of Contents 1. [Project Overview](#1-project-overview) 2. [What You Will Learn](#2-what-you-will-learn) 3. [Tools & Technologies Used](#3-tools--technologies-used) 4. [Lab Architecture](#4-lab-architecture) 5. [Prerequisites](#5-prerequisites) 6. [Environment Setup — Step by Step](#6-environment-setup--step-by-step) - [6.1 Install VMware Workstation on Kali Linux](#61-install-vmware-workstation-on-kali-linux) - [6.2 Create Isolated Windows 10 VM](#62-create-isolated-windows-10-vm) - [6.3 Install Sysmon on Windows VM](#63-install-sysmon-on-windows-vm) - [6.4 Install & Configure Wazuh](#64-install--configure-wazuh) - [6.5 Install & Configure Splunk](#65-install--configure-splunk) - [6.6 Connect Splunk Universal Forwarder](#66-connect-splunk-universal-forwarder) - [6.7 Configure Wireshark on Kali](#67-configure-wireshark-on-kali) 7. [Day 1 — Lab Setup Verification](#7-day-1--lab-setup-verification) 8. [Day 2 — Baseline Establishment](#8-day-2--baseline-establishment) 9. [Day 3 — Attack Simulation (Atomic Red Team T1486)](#9-day-3--attack-simulation-atomic-red-team-t1486) 10. [Day 4 — Detection in Wazuh](#10-day-4--detection-in-wazuh) 11. [Day 5 — Correlation in Splunk & Wireshark](#11-day-5--correlation-in-splunk--wireshark) 12. [Day 6 — Triage & Kill Chain Analysis](#12-day-6--triage--kill-chain-analysis) 13. [Incident Report](#13-incident-report) 14. [MITRE ATT&CK Mapping](#14-mitre-attck-mapping) 15. [Key Findings Summary](#15-key-findings-summary) 16. [Indicators of Compromise (IOCs)](#16-indicators-of-compromise-iocs) 17. [Lessons Learned](#17-lessons-learned) 18. [References](#18-references) ## 1. Project Overview This project simulates a real-world ransomware attack in a completely isolated home lab environment and demonstrates how a SOC (Security Operations Center) analyst would detect, investigate, and respond to the incident. The attack was simulated using **Atomic Red Team's T1486** technique (Data Encrypted for Impact), specifically the **PureLocker** and **Akira ransomware** variants. The detection and investigation were performed using an industry-standard SOC toolset: **Wazuh** (SIEM), **Splunk** (log correlation), and **Wireshark** (network forensics). **Project Duration:** 7 days **Difficulty Level:** Intermediate **Environment:** Kali Linux host + Windows 10 VM (isolated, host-only network) ## 2. What You Will Learn By following this project, you will understand: - How to build an isolated SOC home lab safely (no risk to your real system) - How ransomware behaves at the process, file, and network level - How to use Wazuh's File Integrity Monitoring (FIM) to detect mass file changes - How to write SPL queries in Splunk to correlate attack events - How to analyze network traffic in Wireshark during an attack - How to classify an incident (True/False Positive, severity, scope) - How to map findings to the MITRE ATT&CK framework - How to write a professional SOC incident report ## 3. Tools & Technologies Used | Tool | Purpose | Where it runs | |---|---|---| | Kali Linux | Analyst/host OS | Physical machine (dual boot) | | VMware Workstation | Virtualization | Kali Linux host | | Windows 10 x64 | Victim machine | Inside VMware VM | | Wazuh v4.10.3 | SIEM — log collection, FIM, alerting | Kali Linux host | | Splunk Enterprise (Free) | Log correlation, dashboards, SPL queries | Kali Linux host | | Splunk Universal Forwarder | Log shipper from Windows to Splunk | Windows 10 VM | | Sysmon (SwiftOnSecurity config) | Deep Windows telemetry (process, file, network) | Windows 10 VM | | Wireshark | Network packet capture and analysis | Kali Linux host | | Atomic Red Team | Safe ransomware simulation (T1486) | Windows 10 VM | | MITRE ATT&CK | Attack framework for mapping findings | Reference | ## 4. Lab Architecture ┌─────────────────────────────────────────────────────┐ │ KALI LINUX (Host) │ │ │ │ ┌──────────────┐ ┌──────────────┐ ┌──────────┐ │ │ │ Wazuh │ │ Splunk │ │Wireshark │ │ │ │ Manager │ │ Enterprise │ │ vmnet1 │ │ │ └──────┬───────┘ └──────┬───────┘ └────┬─────┘ │ │ │ │ │ │ │ └────────┬────────┘ │ │ │ │ Host-only (vmnet1) │ │ │ 192.168.176.1 │ │ └──────────────────┼────────────────────────┼─────────┘ │ │ ┌─────────▼────────────────────────▼──────┐ │ WINDOWS 10 VM (Victim) │ │ 192.168.176.128 │ │ │ │ ┌─────────┐ ┌──────────┐ ┌──────────┐ │ │ │ Sysmon │ │ Wazuh │ │ Splunk │ │ │ │(logging)│ │ Agent │ │Forwarder │ │ │ └─────────┘ └──────────┘ └──────────┘ │ │ │ │ ┌──────────────────────────────────┐ │ │ │ Atomic Red Team T1486 │ │ │ │ (Ransomware Simulation Engine) │ │ │ └──────────────────────────────────┘ │ │ │ │ Network: Host-Only (NO internet) │ └──────────────────────────────────────────┘ **Why host-only network?** The Windows VM has no internet access and cannot reach your real network. It can only communicate with the Kali host over the virtual `vmnet1` interface. This means: - Your confidential data on the host is completely safe - The simulated ransomware cannot spread anywhere - All traffic is fully captured by Wireshark ## 5. Prerequisites **Hardware:** - Minimum 8GB RAM (4GB for host, 4GB for VM) - Minimum 100GB free disk space - CPU with virtualization support (Intel VT-x or AMD-V — enable in BIOS) **Software (free):** - Kali Linux (dual boot or dedicated machine) - VMware Workstation Player (free for personal use) - Windows 10 ISO (from Microsoft's official site) - Wazuh (free, open source) - Splunk Enterprise Free license (500MB/day, never expires) - Sysmon + SwiftOnSecurity config (free from Microsoft) **Knowledge assumed:** - Basic Linux command line (cd, nano, sudo, systemctl) - Basic Windows usage - Basic understanding of what a SIEM is ## 6. Environment Setup — Step by Step ### 6.1 Install VMware Workstation on Kali Linux # Download VMware Workstation Player from vmware.com # Then install: sudo chmod +x VMware-Player-*.bundle sudo ./VMware-Player-*.bundle # Verify installation vmware --version ### 6.2 Create Isolated Windows 10 VM 1. Open VMware → **Create a New Virtual Machine** 2. Select your Windows 10 ISO 3. Allocate: **4GB RAM, 60GB disk, 2 CPU cores** 4. Network adapter: **Host-only** 5. Install Windows normally 6. After installation, go to **VM Settings → Network Adapter → Host-only** 7. **Disable shared folders, drag-and-drop, and shared clipboard** — this ensures complete isolation VM IP after setup: 192.168.176.128 Host (Kali) IP on vmnet1: 192.168.176.1 ### 6.3 Install Sysmon on Windows VM Sysmon is a free Microsoft tool that provides deep telemetry on process creation, file creation, and network connections — far more detailed than default Windows logs. Inside the Windows VM: 1. Download Sysmon from Microsoft Sysinternals: `https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon` 2. Download SwiftOnSecurity config (a well-tuned detection ruleset): `https://github.com/SwiftOnSecurity/sysmon-config` Download `sysmonconfig-export.xml` 3. Open PowerShell as Administrator in the same folder: .\Sysmon64.exe -accepteula -i sysmonconfig-export.xml 4. Verify Sysmon is running: Get-Service sysmon64 # Should show: Running 5. View Sysmon logs in Event Viewer: - `Applications and Services Logs → Microsoft → Windows → Sysmon → Operational` **Key Sysmon Event IDs you'll use:** | Event ID | What it logs | |---|---| | 1 | Process creation | | 3 | Network connection | | 11 | File created | | 12/13 | Registry events | ### 6.4 Install & Configure Wazuh **On Kali Linux host — Install Wazuh Manager:** # Add Wazuh repository curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --dearmor -o /usr/share/keyrings/wazuh.gpg echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list # Install sudo apt update sudo apt install wazuh-manager wazuh-dashboard wazuh-indexer -y # Start services sudo systemctl start wazuh-manager sudo systemctl enable wazuh-manager Access Wazuh dashboard: `https://localhost` (default credentials: admin/admin) **Configure FIM (File Integrity Monitoring) on Windows VM:** Edit `C:\Program Files (x86)\ossec-agent\ossec.conf` inside the Windows VM. Add the directories you want to monitor inside the `` block: no 60 C:\Windows\System32\drivers\etc C:\Users\Public C:\Users\karansaran\Desktop C:\Users\karansaran\AppData\Local\Temp **Install Wazuh Agent on Windows VM:** # Run in PowerShell as Administrator inside Windows VM msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="192.168.176.1" WAZUH_AGENT_NAME="Victim-Win10" NET START WazuhSvc Also add Sysmon log collection to `ossec.conf`: Microsoft-Windows-Sysmon/Operational eventchannel ### 6.5 Install & Configure Splunk **On Kali Linux host:** 1. Download Splunk Enterprise from `https://www.splunk.com/en_us/download/splunk-enterprise.html` (Free account required — no credit card) sudo dpkg -i splunk-*.deb sudo /opt/splunk/bin/splunk start --accept-license # Set admin username and password when prompted 2. Access Splunk: `http://localhost:8000` 3. Switch to Free license (never expires, 500MB/day): - Settings → Licensing → Change license group → **Free** → Restart 4. Enable receiving port (so forwarder can send logs): - Settings → Forwarding and receiving → Configure receiving → New → Port `9997` ### 6.6 Connect Splunk Universal Forwarder **On Windows VM:** 1. Download Universal Forwarder from Splunk's website (Windows version) 2. During install, set receiving indexer: `192.168.176.1:9997` 3. After install, edit `C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf`: [WinEventLog://Microsoft-Windows-Sysmon/Operational] disabled = false index = main [WinEventLog://Security] disabled = false index = main 4. Restart forwarder: net stop SplunkForwarder net start SplunkForwarder 5. Verify on Kali in Splunk search: index=main sourcetype="WinEventLog:Sysmon" | head 10 ### 6.7 Configure Wireshark on Kali # Install if not present sudo apt install wireshark -y # Add your user to wireshark group (avoids needing sudo every time) sudo usermod -aG wireshark $USER # Log out and log back in # Start capturing wireshark # Select interface: vmnet1 # Apply filter: ip.addr == 192.168.176.128 ## 7. Day 1 — Lab Setup Verification Before doing anything else, verify all 3 tools are receiving data from the Windows VM. **Check 1 — Wazuh:** - Dashboard → Agents → `Victim-Win10` should show **Active** (green) **Check 2 — Splunk:** index=main host="DESKTOP-CE6SSAK" | head 10 Should return events from the Windows VM. **Check 3 — Wireshark:** - Start capture on `vmnet1` - Filter: `ip.addr == 192.168.176.128` - Ping from VM: `ping 192.168.176.1` - ICMP packets should appear in Wireshark All 3 green? You're ready to proceed. **Day 1 — Lab Setup Proof:** ![Windows VM Program Files — Agents Installed](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/filemanager.jpeg) *Windows 10 VM Program Files showing SplunkUniversalForwarder and ossec-agent (Wazuh) both installed and present. Confirms Day 1 setup complete.* ## 8. Day 2 — Baseline Establishment **Why baseline matters:** A baseline tells you what "normal" looks like. Without it, you can't distinguish malicious activity from regular system noise. This is a core SOC analyst skill. **Steps:** 1. Start Wireshark capture on `vmnet1` (leave running) 2. Open Wazuh dashboard → Threat Hunting → Events 3. Open Splunk → run: `index=main host="DESKTOP-CE6SSAK" | timechart span=1m count` 4. Generate normal activity on Windows VM for 30-60 minutes: - Open/edit text files - Browse folders in File Explorer - Open Task Manager, Notepad, Calculator, Paint 5. Observe in Wazuh: sparse, low-severity events (level 3-5) 6. Observe in Splunk: flat, low event count per minute 7. **Screenshot both** — these are your "before" evidence **Baseline observations recorded:** | Metric | Baseline Value | |---|---| | Wazuh events (24hr) | 9 hits | | Wazuh max severity | Level 5 | | Splunk events (Jul 5) | 2,570 | | Dominant EventCode | 4688 (normal process creation) | | Network traffic | Low — only Wazuh/Splunk heartbeats | **Baseline Evidence Screenshots:** ![Wazuh Baseline Events — 9 hits, low severity](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/wazuh_usual_log.jpeg) *Wazuh Threat Hunting showing sparse baseline events from Victim-Win10 — Windows Logon Success, File added, Wazuh agent started/stopped. Only 9 hits in 24 hours. Max severity level 5. This is what "normal" looks like before the attack.* ![Splunk Baseline — whoami process captured](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/splunk.jpeg) *Splunk capturing baseline activity — whoami.exe process execution (C:\Windows\System32\whoami.exe) at 07:57 AM. EventCode 4688 process creation. Shows Splunk is receiving Windows Security logs correctly.* ![Splunk Baseline — 1,946 events from VM](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/splunk1.jpeg) *Splunk showing 1,946 baseline events from DESKTOP-CE6SSAK on July 5. EventCode 4688 dominates — normal process creation activity. Flat, steady event rate confirms healthy baseline.* ![Wireshark Baseline Capture on vmnet1](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/wireshark.jpeg) *Wireshark capturing on vmnet1 interface — shows Wazuh agent traffic (TCP port 1514) and Splunk forwarder traffic (port 9997) between VM (192.168.176.128) and Kali host (192.168.176.1). DNS queries to Microsoft domains returning ICMP unreachable — confirms host-only isolation working.* ![Windows VM Baseline Activity — whoami in CMD](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/whoami.jpeg) *Windows VM baseline activity — whoami command run in CMD showing user desktop-ce6ssak\karansaran. This was captured by both Wazuh and Splunk, confirming end-to-end log pipeline is working.* ![Windows VM Task Manager — Normal Processes](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/wind10_in_vm.jpeg) *Windows VM Task Manager showing normal baseline processes: Edge, Paint, File Explorer, CMD. ossec-agent folder visible in File Explorer quick access — confirms Wazuh agent running. Sysmon folder in Downloads confirms Sysmon installed.* 8. Take VM snapshot — this is your safety net: vmrun snapshot "/path/to/Windows 10 x64.vmx" "Clean-Baseline" ## 9. Day 3 — Attack Simulation (Atomic Red Team T1486) **Pre-detonation checklist:** - [ ] Wireshark capturing on `vmnet1` with filter `ip.addr == 192.168.176.128` - [ ] Wazuh dashboard open on Integrity Monitoring tab - [ ] Splunk search running: `index=* host="DESKTOP-CE6SSAK" | tail 20` - [ ] Clean-Baseline snapshot taken **Install Atomic Red Team on Windows VM:** Since the VM has no internet (host-only network), download on Kali first and transfer: # On Kali cd /tmp wget https://github.com/redcanaryco/invoke-atomicredteam/archive/refs/heads/master.zip -O invoke-atomicredteam.zip wget https://github.com/redcanaryco/atomic-red-team/archive/refs/heads/master.zip -O atomics.zip wget https://github.com/cloudbase/powershell-yaml/archive/refs/heads/master.zip -O powershell-yaml.zip # Start HTTP server to transfer to VM python3 -m http.server 8080 # On Windows VM — PowerShell as Administrator Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force New-Item -ItemType Directory -Path "C:\AtomicRedTeam" -Force # Download from Kali's HTTP server Invoke-WebRequest "http://192.168.176.1:8080/invoke-atomicredteam.zip" -OutFile "C:\AtomicRedTeam\invoke-atomicredteam.zip" Invoke-WebRequest "http://192.168.176.1:8080/atomics.zip" -OutFile "C:\AtomicRedTeam\atomics.zip" Invoke-WebRequest "http://192.168.176.1:8080/powershell-yaml.zip" -OutFile "C:\AtomicRedTeam\powershell-yaml.zip" # Extract Expand-Archive "C:\AtomicRedTeam\invoke-atomicredteam.zip" -DestinationPath "C:\AtomicRedTeam\" -Force Expand-Archive "C:\AtomicRedTeam\atomics.zip" -DestinationPath "C:\AtomicRedTeam\" -Force Expand-Archive "C:\AtomicRedTeam\powershell-yaml.zip" -DestinationPath "C:\AtomicRedTeam\" -Force # Rename folders Rename-Item "C:\AtomicRedTeam\invoke-atomicredteam-master" "invoke-atomicredteam" Rename-Item "C:\AtomicRedTeam\atomic-red-team-master" "atomics" Rename-Item "C:\AtomicRedTeam\powershell-yaml-master" "powershell-yaml" # Install powershell-yaml dependency Copy-Item "C:\AtomicRedTeam\powershell-yaml" -Destination "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\powershell-yaml" -Recurse -Force **Atomic Red Team Download on Kali (HTTP Server Transfer):** ![Atomic Red Team Downloaded on Kali via wget](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/infection2.png) *Kali Linux terminal showing wget downloading Atomic Red Team framework files (invoke-atomicredteam.zip and atomics.zip) from GitHub. Files transferred to Windows VM via Python HTTP server since VM has no internet access.* ![Atomic Red Team Extracted on Windows VM](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/infection3.png) *Windows PowerShell showing Expand-Archive extracting both zip files and Rename-Item renaming folders to correct names — invoke-atomicredteam and atomics. Framework setup complete.* **Detonate T1486:** # Import modules Import-Module "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\powershell-yaml" -Force Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force # Preview what will run (no attack yet) Invoke-AtomicTest T1486 -ShowDetailsBrief -PathToAtomicsFolder "C:\AtomicRedTeam\atomics\atomics" # DETONATE Invoke-AtomicTest T1486 -PathToAtomicsFolder "C:\AtomicRedTeam\atomics\atomics" **What happened during detonation:** | Test | Description | Result | |---|---|---| | T1486-5 | PureLocker Ransom Note simulation | ✅ Success (Exit 0) | | T1486-8 | GPG4Win encryption simulation | ⚠️ Tool not installed (expected) | | T1486-9 | DiskCryptor simulation | ⚠️ Tool not installed (expected) | | T1486-10 | Akira ransomware — .akira extension + ransom note | ✅ Success (Exit 0) | **Attack artifacts created:** C:\Users\karansaran\Desktop\akira_readme.txt (5,408 bytes — Akira ransom note) C:\Users\karansaran\Desktop\YOUR_FILES.txt (33 bytes — ransom notification) C:\Users\karansaran\AppData\Local\Temp\test.txt (37 bytes — simulation marker) C:\Users\karansaran\AppData\Local\Temp\Invoke-AtomicTest-ExecutionLog.csv **Detonation Evidence:** ![Atomic Red Team T1486 Detonation Output](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/infection.png) *PowerShell output showing T1486 tests executing — T1486-5 (PureLocker) and T1486-10 (Akira) both returned Exit code 0 (success). T1486-8 and T1486-9 skipped as tools not installed — expected behavior.* ![Splunk Detecting Attack Events During Infection](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/detection_in_splunk.png) *Splunk showing 2,076 events during the attack window (July 6-7) with EventCode 4688 flooding in — rapid process creation spike confirming ransomware simulation executing. Timeline bar chart shows concentrated burst of activity.* ![Ransom Note and Attack Files on Desktop](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/malware_files.png) *Windows VM Desktop showing akira_readme.txt (5,408 bytes) and YOUR_FILES.txt created by the Akira simulation at 11:21 AM on July 7, 2026. These are the ransom notes dropped by T1486-10.* ## 10. Day 4 — Detection in Wazuh ### What Wazuh detected **File Integrity Monitoring (FIM) alerts:** Wazuh's FIM module detected **75 file creation events** (Rule 554 — "File added to the system") in `AppData\Local\Temp` and on the Desktop within minutes of detonation. Key observations: - Mass file creation in rapid succession (multiple events per second at 20:11, 20:12, 20:17, 20:21, 20:26, 20:32, 20:39) - All flagged as `syscheck.event: added` - Contrast with baseline: 0 FIM events during normal activity **How to find these in Wazuh:** 1. Wazuh Dashboard → Victim-Win10 → **File Integrity Monitoring** 2. Set time range to cover attack window 3. Filter: `rule.groups: syscheck` 4. Look for columns: `syscheck.path`, `syscheck.event`, `rule.description` **Sysmon events via Wazuh Discover:** Wazuh also captured Sysmon Event ID 11 (file creation) showing PowerShell as the creating process: data.win.eventdata.image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe data.win.eventdata.targetFilename: C:\Users\karansaran\AppData\Local\Temp\__PSScriptPolicyTest_dkvvtn0d.3xf.ps1 data.win.system.eventID: 11 data.win.system.channel: Microsoft-Windows-Sysmon/Operational **Wazuh Detection Screenshots:** ![Wazuh FIM — 75 File Creation Hits](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/file_added.png) *Wazuh File Integrity Monitoring showing 75 "File added to the system" alerts (Rule 554, Level 5) from Windows10-VM. Mass file creation in AppData\Local\Temp at rapid succession timestamps — confirms automated ransomware behavior.* ![Wazuh High Severity Alerts During Attack](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/wazuh_alerts_in_infected.png) *Wazuh Discover showing 42 high-severity alerts (rule.level: 7-11) during attack window. "Executable file dropped in folder commonly used by malware" rule triggered — Wazuh's built-in malware detection confirming the attack.* ![Wazuh Malware Rule Detail — Rule 92213](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/malware.png) *Wazuh expanded alert showing rule.description: "Executable file dropped in folder commonly used by malware", rule.id 92213, fired 27 times. Sysmon EventID 11 detected suspicious DLL files dropped in Temp by cleanmgr.exe.* ![Wazuh Sysmon Event ID 11 — PowerShell File Creation](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/eve1_wazuh.png) *Wazuh Discover expanded document — Sysmon Event ID 11, powershell.exe (PID 6408) created __PSScriptPolicyTest_dkvvtn0d.3xf.ps1 in AppData\Local\Temp at 14:35:31. Confirms PowerShell as the attack process.* ![Wazuh Log Analysis — Attack Timeline](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/analyse_in_log.png) *Wazuh showing high-severity events (rule.level 7-11) during attack timeframe. Clear spike pattern visible — events cluster around attack execution, silent during baseline. This contrast is the core of detection.* **SPL queries to search Wazuh alerts in Splunk:** index=wazuh-alerts-* agent.name="Windows10-VM" | search rule.description="File added to the system" | table _time, syscheck.path, syscheck.event, rule.level | sort _time ## 11. Day 5 — Correlation in Splunk & Wireshark ### Splunk Analysis **Event volume comparison (attack vs baseline):** index=* host="DESKTOP-CE6SSAK" | timechart span=1d count | sort by count reverse Results: | Date | Event Count | Notes | |---|---|---| | 2026-07-07 | **2,710** | 🔴 Attack day — highest volume | | 2026-07-05 | 2,570 | Baseline day | | 2026-07-09 | 657 | Post-attack | | 2026-07-01 | 102 | Pre-lab | **EventCode breakdown on attack day:** index=* host="DESKTOP-CE6SSAK" | stats count by EventCode | sort -count | EventCode | Count | Meaning | |---|---|---| | 4688 | 1,506 (55%) | Process creation — spike indicates high process activity | | 5379 | 720 (26%) | Credential manager read | | 4624 | 146 | Logon events | | 4672 | 137 | Special privilege logon | ![Splunk Event Spike — July 7 Attack Day](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/date_log.png) *Splunk timechart (span=1d) showing event count by day — July 7 (attack day) peaks at 2,710 events vs July 5 baseline of 2,570. Clear volume spike on attack day confirms detection.* ![Splunk EventCode Distribution on Attack Day](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/event_code_splunk.png) *Splunk EventType bar chart visualization for July 7 — EventType 0 dominates at 2,592 events (95.6%). Massive process and system activity volume during attack window.* ![Splunk EventCode Breakdown — 4688 Dominates](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/eventid.png) *Splunk field analysis showing EventCode distribution — 4688 (process creation) leads at 1,506 events (55.5%), followed by 5379 (credential reads) at 720 events. Process creation spike is key ransomware indicator.* **Process creation search (find the ransomware process):** index=* host="DESKTOP-CE6SSAK" EventCode=4688 | where Creator_Process_Name like "%powershell%" | table _time, New_Process_Name, Creator_Process_Name | sort _time ![Splunk Process Creation — ipconfig Reconnaissance](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/process_creation.png) *Splunk EventCode 4688 expanded event showing cmd.exe spawning ipconfig.exe (New Process: C:\Windows\System32\ipconfig.exe, Creator: C:\Windows\System32\cmd.exe). Network reconnaissance activity captured.* ![Splunk whoami Execution — Baseline Recon](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/splunk_whomai.png) *Splunk catching whoami.exe execution (C:\Windows\System32\whoami.exe) at 07:57 AM on July 5 — baseline reconnaissance activity. Confirms Splunk is capturing all process creation events correctly.* **Find ransom note creation:** index=* host="DESKTOP-CE6SSAK" | search "akira" OR "ransom" OR "YOUR_FILES" **Rare process detection (reconnaissance):** index=* host="DESKTOP-CE6SSAK" Creator_Process_Name="*" | rare limit=20 Creator_Process_Name Notable finding: `ipconfig.exe` spawned from `cmd.exe` — typical attacker reconnaissance to map network. ![Splunk Rare Process Detection — Recon Identified](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/creator_process.png) *Splunk rare process analysis showing unusual creator processes — OneDriveStandaloneUpdater.exe, Defrag.exe, WerFault.exe appearing only once each. Rare process hunting identifies low-frequency suspicious executions during the attack window.* ### Wireshark Analysis **Capture file:** `ransomware-vm.pcapng` **Conversations view (Statistics → Conversations → IPv4):** | Connection | Packets | Volume | Significance | |---|---|---|---| | 192.168.176.128 ↔ 192.168.176.1 | 130,940 | **179 MB** | Massive log forwarding spike to Kali (Wazuh + Splunk) during attack | | 192.168.176.128 ↔ 192.168.176.255 | 15 | 2 KB | Broadcast traffic — normal | ![Wireshark Conversations — 179MB Traffic Spike](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/wireshark_convo.png) *Wireshark Conversations view (IPv4) from ransomware-vm.pcapng — 130,940 packets / 179MB between VM (192.168.176.128) and Kali host (192.168.176.1). Massive log forwarding spike during attack. No unknown external IPs — confirms no C2 communication.* **DNS analysis (filter: `ip.src == 192.168.176.128 && dns`):** - Repeated queries to `edge.microsoft.com` and `g.live.com` — normal Windows telemetry - All DNS queries returned **ICMP Destination Unreachable** — confirms VM has no internet (isolation working) - DNS retransmissions observed — VM keeps retrying because no response arrives - **No suspicious/unknown domains detected** — no C2 callback (expected for Atomic Red Team simulation) ![Wireshark DNS Analysis — No C2 Detected](https://raw.githubusercontent.com/SARANJITH02/Ransomware-Detection-Response-Lab/main/wireshark_c2_check.png) *Wireshark DNS filter (ip.src == 192.168.176.128 && dns) showing repeated queries to edge.microsoft.com and g.live.com — all returning ICMP Destination Unreachable. DNS retransmissions visible. No suspicious external domains. Confirms zero C2 communication.* **Key Wireshark filters used:** # All VM traffic ip.addr == 192.168.176.128 # DNS queries from VM ip.src == 192.168.176.128 && dns # Outbound connection attempts tcp.flags.syn == 1 && ip.src == 192.168.176.128 # Splunk log forwarding traffic tcp.port == 9997 # Wazuh agent traffic tcp.port == 1514 ## 12. Day 6 — Triage & Kill Chain Analysis ### Formal Incident Classification | Field | Value | |---|---| | **Classification** | ✅ True Positive | | **Severity** | 🔴 Critical | | **Scope** | Single host — DESKTOP-CE6SSAK | | **Impact** | Data availability — files encrypted/renamed, ransom note dropped | | **Lateral Movement** | None detected | | **External C2** | None detected | | **Containment Status** | Host isolated (host-only network throughout) | ### Kill Chain Mapping ┌─────────────────────────────────────────────────────────────┐ │ ATTACK KILL CHAIN │ ├──────────────┬──────────────────────────────────────────────┤ │ STAGE │ DETAIL │ ├──────────────┼──────────────────────────────────────────────┤ │ Delivery │ Atomic Red Team T1486 executed directly on │ │ │ victim host via PowerShell │ │ │ Time: July 7, 2026 @ 11:21 AM │ ├──────────────┼──────────────────────────────────────────────┤ │ Execution │ powershell.exe (PID 6408) launched │ │ │ Parent process: cmd.exe │ │ │ Evidence: Splunk EventCode 4688 │ │ │ MITRE: T1059.001 - PowerShell │ ├──────────────┼──────────────────────────────────────────────┤ │ Discovery │ ipconfig.exe executed from cmd.exe │ │ │ Network reconnaissance attempted │ │ │ Evidence: Splunk rare process analysis │ │ │ MITRE: T1082 - System Information Discovery │ ├──────────────┼──────────────────────────────────────────────┤ │ Defense │ Set-ExecutionPolicy Bypass used to allow │ │ Evasion │ unsigned script execution │ │ │ MITRE: T1562 - Impair Defenses │ ├──────────────┼──────────────────────────────────────────────┤ │ Impact │ Mass file creation in AppData\Local\Temp │ │ │ Ransom notes dropped on Desktop │ │ │ Files: akira_readme.txt, YOUR_FILES.txt │ │ │ Evidence: Wazuh FIM 75 hits, Rule 554 │ │ │ MITRE: T1486 - Data Encrypted for Impact │ ├──────────────┼──────────────────────────────────────────────┤ │ C2/Exfil │ No external C2 detected │ │ │ DNS queries to Microsoft only │ │ │ All blocked by isolated network │ └──────────────┴──────────────────────────────────────────────┘ ### Containment & Response Actions In a real SOC environment, the following actions would be taken: 1. ISOLATE → Immediately disconnect host from network Block all traffic at firewall/NAT level (In lab: already isolated via host-only adapter ✅) 2. PRESERVE → Take forensic image of VM disk before any changes (In lab: Post-Attack-Day3 snapshot taken ✅) 3. BLOCK → Add PowerShell script hash to EDR blocklist Block execution policy bypass via GPO 4. NOTIFY → Escalate to IR team — Critical severity Notify affected users and management 5. HUNT → Search all hosts for same PowerShell execution pattern SPL: index=* EventCode=4688 | search powershell 6. RECOVER → Restore from last known clean backup (In lab: revert to Clean-Baseline snapshot ✅) 7. HARDEN → Enable PowerShell Constrained Language Mode Implement application whitelisting Deploy EDR on all endpoints ## 13. Incident Report **INCIDENT REPORT** **Report ID:** IR-2026-001 **Classification:** CONFIDENTIAL — LAB EXERCISE **Date:** July 9, 2026 **Analyst:** Saranjith R ### Executive Summary On July 7, 2026 at approximately 11:21 AM, a ransomware attack was simulated on an isolated Windows 10 host (DESKTOP-CE6SSAK) using Atomic Red Team's T1486 technique. The simulation executed two successful test variants: PureLocker ransom note simulation (T1486-5) and Akira ransomware file extension and ransom note simulation (T1486-10). The attack was detected across three tools: Wazuh flagged 75 FIM alerts indicating mass file creation, Splunk showed a significant event volume spike (2,710 events vs 2,570 baseline), and Wireshark confirmed no external C2 communication. The incident is classified as a **True Positive, Critical severity, single-host scope**. ### Timeline of Events | Time (IST) | Event | |---|---| | Jul 5 @ 07:46 | Wazuh agent started on Victim-Win10 — baseline begins | | Jul 5 @ 07:55 | Baseline activity generated — normal file/process events observed | | Jul 5 @ 08:29 | Clean-Baseline VM snapshot taken | | Jul 7 @ 11:03 | Atomic Red Team framework installed on victim VM | | Jul 7 @ 11:21 | **T1486 detonation — attack begins** | | Jul 7 @ 11:21 | T1486-5 PureLocker ransom note dropped — Exit 0 | | Jul 7 @ 11:21 | T1486-10 Akira ransomware simulation — Exit 0 | | Jul 7 @ 11:21 | akira_readme.txt (5.4KB) created on Desktop | | Jul 7 @ 11:21 | YOUR_FILES.txt created on Desktop | | Jul 7 @ 11:21 | Mass file creation in AppData\Local\Temp begins | | Jul 9 @ 20:11 | Wazuh FIM detects 75 file addition events | | Jul 9 @ 20:49 | Full investigation complete | ### Technical Findings **Finding 1 — Mass File Creation Detected by Wazuh FIM** - 75 file creation events in `AppData\Local\Temp` and Desktop - Rule 554 triggered — "File added to the system" - Rapid succession timestamps confirm automated/scripted behavior - Severity: Level 5 **Finding 2 — PowerShell Execution Chain (Splunk + Sysmon)** - `cmd.exe` spawned `powershell.exe` (PID 6408) - PowerShell created `__PSScriptPolicyTest_dkvvtn0d.3xf.ps1` in Temp - EventCode 4688 count spiked to 1,506 events (55% of all events on attack day) - Execution policy bypass used: `Set-ExecutionPolicy Bypass` **Finding 3 — No External C2 (Wireshark)** - 130,940 packets exchanged between VM and Kali host (log forwarding) - All DNS queries resolved to Microsoft domains (edge.microsoft.com, g.live.com) - All DNS responses returned ICMP unreachable — no external communication - No suspicious domains or IPs identified ## 14. MITRE ATT&CK Mapping | Tactic | Technique Name | ID | Evidence Source | |---|---|---|---| | Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Splunk EventCode 4688, Sysmon EID 1 | | Execution | User Execution | T1204 | Atomic Red Team manual execution | | Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562 | Set-ExecutionPolicy Bypass in PowerShell | | Discovery | System Information Discovery | T1082 | ipconfig.exe via cmd.exe — Splunk rare process | | Impact | Data Encrypted for Impact | **T1486** | Wazuh FIM 75 hits, akira_readme.txt, YOUR_FILES.txt | **MITRE ATT&CK Navigator reference:** https://attack.mitre.org/techniques/T1486/ ## 15. Key Findings Summary | # | Finding | Tool | Severity | |---|---|---|---| | 1 | 75 FIM alerts — mass file creation in Temp and Desktop | Wazuh | 🔴 High | | 2 | PowerShell spawned by cmd.exe — 1,506 process creation events | Splunk | 🔴 High | | 3 | Ransom notes confirmed on Desktop (akira_readme.txt, YOUR_FILES.txt) | Manual | 🔴 Critical | | 4 | Event volume spike on attack day (2,710 vs 2,570 baseline) | Splunk | 🟡 Medium | | 5 | ipconfig.exe execution via cmd.exe — network reconnaissance | Splunk | 🟡 Medium | | 6 | Execution policy bypass used to enable unsigned scripts | Wazuh/Splunk | 🟡 Medium | | 7 | No external C2 detected — all DNS to Microsoft domains | Wireshark | 🟢 Info | | 8 | No lateral movement detected | Wireshark/Wazuh | 🟢 Info | ## 16. Indicators of Compromise (IOCs) ATTACK METADATA ─────────────── Attack Date : July 7, 2026 Attack Time : 11:21 AM IST Host : DESKTOP-CE6SSAK User : karansaran IP Address : 192.168.176.128 OS : Windows 10 Education 10.0.19045.2965 MITRE Technique: T1486 — Data Encrypted for Impact FILE IOCs ───────── C:\Users\karansaran\Desktop\akira_readme.txt (5,408 bytes) C:\Users\karansaran\Desktop\YOUR_FILES.txt (33 bytes) C:\Users\karansaran\AppData\Local\Temp\test.txt (37 bytes) C:\Users\karansaran\AppData\Local\Temp\Invoke-AtomicTest-ExecutionLog.csv PROCESS IOCs ──────────── Process : powershell.exe PID : 6408 Parent : cmd.exe Path : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Script created : __PSScriptPolicyTest_dkvvtn0d.3xf.ps1 NETWORK IOCs ──────────── No external C2 IPs or domains detected DNS queries: edge.microsoft.com, g.live.com (legitimate Microsoft domains) All external DNS: blocked by isolated host-only network WINDOWS EVENT IOCs ────────────────── EventCode 4688 — Process Creation spike: 1,506 events EventCode 5379 — Credential Manager reads: 720 events Sysmon EID 11 — File creation by powershell.exe in Temp Wazuh Rule 554 — File added to system: 75 hits ## 17. Lessons Learned **What worked well:** - Host-only network isolation completely prevented any risk to the real network or host data - Sysmon provided rich telemetry that neither Wazuh nor Splunk alone would capture - Running both Wazuh and Splunk simultaneously gave visibility from two different angles on the same data — this is how enterprise SOCs operate - Wireshark confirmed network-level indicators (or in this case, their absence) which is critical for ruling out C2 activity **What was challenging:** - Wazuh FIM requires explicit directory configuration — it won't detect files in directories you haven't told it to watch. This is a common beginner mistake. - The UTF-8 BOM encoding issue when writing XML config via PowerShell broke the Wazuh agent silently — always use `[System.IO.File]::WriteAllText` with `UTF8Encoding($false)` when writing config files from PowerShell - Atomic Red Team requires internet to install normally — in an isolated lab you must manually transfer the framework via HTTP server **Real-world SOC takeaways:** - FIM alone is not enough — you need process-level visibility (Sysmon) to understand *what* caused the file changes - Baseline establishment is not optional — without it you cannot distinguish an attack spike from normal noise - Cross-tool correlation (Wazuh + Splunk + Wireshark) gives much higher confidence than any single tool - Network evidence is just as important as host evidence — Wireshark confirmed no data exfiltration occurred ## 18. References - MITRE ATT&CK T1486: https://attack.mitre.org/techniques/T1486/ - MITRE ATT&CK T1059.001: https://attack.mitre.org/techniques/T1059/001/ - Atomic Red Team T1486 tests: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md - Wazuh FIM documentation: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html - SwiftOnSecurity Sysmon config: https://github.com/SwiftOnSecurity/sysmon-config - Sysmon Event IDs reference: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon - Splunk SPL documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference ## Author **Saranjith R** B.E. Computer Science (Cyber Security) — SKCET, Coimbatore ISC2 Certified in Cybersecurity (CC) TryHackMe: Top 15% globally *This project was built as part of an independent SOC analyst portfolio to demonstrate hands-on detection and response skills across Wazuh, Splunk, and Wireshark.* *⭐ If this project helped you, please star the repository and share it with other cybersecurity students!*
标签:x64dbg, 入侵分析, 勒索软件检测, 安全培训, 安全实验环境, 安全运营, 扫描框架