SARANJITH02/Ransomware-Detection-Response-Lab
GitHub: SARANJITH02/Ransomware-Detection-Response-Lab
一个完整的 SOC 分析师家庭实验项目,通过在隔离环境中模拟勒索软件攻击来教授检测、调查和事件响应的全流程。
Stars: 2 | Forks: 0
# Ransomware Detection & Response Lab
### A Complete SOC Analyst Home Lab Project
## Table of Contents
1. [Project Overview](#1-project-overview)
2. [What You Will Learn](#2-what-you-will-learn)
3. [Tools & Technologies Used](#3-tools--technologies-used)
4. [Lab Architecture](#4-lab-architecture)
5. [Prerequisites](#5-prerequisites)
6. [Environment Setup — Step by Step](#6-environment-setup--step-by-step)
- [6.1 Install VMware Workstation on Kali Linux](#61-install-vmware-workstation-on-kali-linux)
- [6.2 Create Isolated Windows 10 VM](#62-create-isolated-windows-10-vm)
- [6.3 Install Sysmon on Windows VM](#63-install-sysmon-on-windows-vm)
- [6.4 Install & Configure Wazuh](#64-install--configure-wazuh)
- [6.5 Install & Configure Splunk](#65-install--configure-splunk)
- [6.6 Connect Splunk Universal Forwarder](#66-connect-splunk-universal-forwarder)
- [6.7 Configure Wireshark on Kali](#67-configure-wireshark-on-kali)
7. [Day 1 — Lab Setup Verification](#7-day-1--lab-setup-verification)
8. [Day 2 — Baseline Establishment](#8-day-2--baseline-establishment)
9. [Day 3 — Attack Simulation (Atomic Red Team T1486)](#9-day-3--attack-simulation-atomic-red-team-t1486)
10. [Day 4 — Detection in Wazuh](#10-day-4--detection-in-wazuh)
11. [Day 5 — Correlation in Splunk & Wireshark](#11-day-5--correlation-in-splunk--wireshark)
12. [Day 6 — Triage & Kill Chain Analysis](#12-day-6--triage--kill-chain-analysis)
13. [Incident Report](#13-incident-report)
14. [MITRE ATT&CK Mapping](#14-mitre-attck-mapping)
15. [Key Findings Summary](#15-key-findings-summary)
16. [Indicators of Compromise (IOCs)](#16-indicators-of-compromise-iocs)
17. [Lessons Learned](#17-lessons-learned)
18. [References](#18-references)
## 1. Project Overview
This project simulates a real-world ransomware attack in a completely isolated home lab environment and demonstrates how a SOC (Security Operations Center) analyst would detect, investigate, and respond to the incident.
The attack was simulated using **Atomic Red Team's T1486** technique (Data Encrypted for Impact), specifically the **PureLocker** and **Akira ransomware** variants. The detection and investigation were performed using an industry-standard SOC toolset: **Wazuh** (SIEM), **Splunk** (log correlation), and **Wireshark** (network forensics).
**Project Duration:** 7 days
**Difficulty Level:** Intermediate
**Environment:** Kali Linux host + Windows 10 VM (isolated, host-only network)
## 2. What You Will Learn
By following this project, you will understand:
- How to build an isolated SOC home lab safely (no risk to your real system)
- How ransomware behaves at the process, file, and network level
- How to use Wazuh's File Integrity Monitoring (FIM) to detect mass file changes
- How to write SPL queries in Splunk to correlate attack events
- How to analyze network traffic in Wireshark during an attack
- How to classify an incident (True/False Positive, severity, scope)
- How to map findings to the MITRE ATT&CK framework
- How to write a professional SOC incident report
## 3. Tools & Technologies Used
| Tool | Purpose | Where it runs |
|---|---|---|
| Kali Linux | Analyst/host OS | Physical machine (dual boot) |
| VMware Workstation | Virtualization | Kali Linux host |
| Windows 10 x64 | Victim machine | Inside VMware VM |
| Wazuh v4.10.3 | SIEM — log collection, FIM, alerting | Kali Linux host |
| Splunk Enterprise (Free) | Log correlation, dashboards, SPL queries | Kali Linux host |
| Splunk Universal Forwarder | Log shipper from Windows to Splunk | Windows 10 VM |
| Sysmon (SwiftOnSecurity config) | Deep Windows telemetry (process, file, network) | Windows 10 VM |
| Wireshark | Network packet capture and analysis | Kali Linux host |
| Atomic Red Team | Safe ransomware simulation (T1486) | Windows 10 VM |
| MITRE ATT&CK | Attack framework for mapping findings | Reference |
## 4. Lab Architecture
┌─────────────────────────────────────────────────────┐
│ KALI LINUX (Host) │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────┐ │
│ │ Wazuh │ │ Splunk │ │Wireshark │ │
│ │ Manager │ │ Enterprise │ │ vmnet1 │ │
│ └──────┬───────┘ └──────┬───────┘ └────┬─────┘ │
│ │ │ │ │
│ └────────┬────────┘ │ │
│ │ Host-only (vmnet1) │ │
│ 192.168.176.1 │ │
└──────────────────┼────────────────────────┼─────────┘
│ │
┌─────────▼────────────────────────▼──────┐
│ WINDOWS 10 VM (Victim) │
│ 192.168.176.128 │
│ │
│ ┌─────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Sysmon │ │ Wazuh │ │ Splunk │ │
│ │(logging)│ │ Agent │ │Forwarder │ │
│ └─────────┘ └──────────┘ └──────────┘ │
│ │
│ ┌──────────────────────────────────┐ │
│ │ Atomic Red Team T1486 │ │
│ │ (Ransomware Simulation Engine) │ │
│ └──────────────────────────────────┘ │
│ │
│ Network: Host-Only (NO internet) │
└──────────────────────────────────────────┘
**Why host-only network?**
The Windows VM has no internet access and cannot reach your real network. It can only communicate with the Kali host over the virtual `vmnet1` interface. This means:
- Your confidential data on the host is completely safe
- The simulated ransomware cannot spread anywhere
- All traffic is fully captured by Wireshark
## 5. Prerequisites
**Hardware:**
- Minimum 8GB RAM (4GB for host, 4GB for VM)
- Minimum 100GB free disk space
- CPU with virtualization support (Intel VT-x or AMD-V — enable in BIOS)
**Software (free):**
- Kali Linux (dual boot or dedicated machine)
- VMware Workstation Player (free for personal use)
- Windows 10 ISO (from Microsoft's official site)
- Wazuh (free, open source)
- Splunk Enterprise Free license (500MB/day, never expires)
- Sysmon + SwiftOnSecurity config (free from Microsoft)
**Knowledge assumed:**
- Basic Linux command line (cd, nano, sudo, systemctl)
- Basic Windows usage
- Basic understanding of what a SIEM is
## 6. Environment Setup — Step by Step
### 6.1 Install VMware Workstation on Kali Linux
# Download VMware Workstation Player from vmware.com
# Then install:
sudo chmod +x VMware-Player-*.bundle
sudo ./VMware-Player-*.bundle
# Verify installation
vmware --version
### 6.2 Create Isolated Windows 10 VM
1. Open VMware → **Create a New Virtual Machine**
2. Select your Windows 10 ISO
3. Allocate: **4GB RAM, 60GB disk, 2 CPU cores**
4. Network adapter: **Host-only**
5. Install Windows normally
6. After installation, go to **VM Settings → Network Adapter → Host-only**
7. **Disable shared folders, drag-and-drop, and shared clipboard** — this ensures complete isolation
VM IP after setup: 192.168.176.128
Host (Kali) IP on vmnet1: 192.168.176.1
### 6.3 Install Sysmon on Windows VM
Sysmon is a free Microsoft tool that provides deep telemetry on process creation, file creation, and network connections — far more detailed than default Windows logs.
Inside the Windows VM:
1. Download Sysmon from Microsoft Sysinternals:
`https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon`
2. Download SwiftOnSecurity config (a well-tuned detection ruleset):
`https://github.com/SwiftOnSecurity/sysmon-config`
Download `sysmonconfig-export.xml`
3. Open PowerShell as Administrator in the same folder:
.\Sysmon64.exe -accepteula -i sysmonconfig-export.xml
4. Verify Sysmon is running:
Get-Service sysmon64
# Should show: Running
5. View Sysmon logs in Event Viewer:
- `Applications and Services Logs → Microsoft → Windows → Sysmon → Operational`
**Key Sysmon Event IDs you'll use:**
| Event ID | What it logs |
|---|---|
| 1 | Process creation |
| 3 | Network connection |
| 11 | File created |
| 12/13 | Registry events |
### 6.4 Install & Configure Wazuh
**On Kali Linux host — Install Wazuh Manager:**
# Add Wazuh repository
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --dearmor -o /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
# Install
sudo apt update
sudo apt install wazuh-manager wazuh-dashboard wazuh-indexer -y
# Start services
sudo systemctl start wazuh-manager
sudo systemctl enable wazuh-manager
Access Wazuh dashboard: `https://localhost` (default credentials: admin/admin)
**Configure FIM (File Integrity Monitoring) on Windows VM:**
Edit `C:\Program Files (x86)\ossec-agent\ossec.conf` inside the Windows VM. Add the directories you want to monitor inside the `` block:
no
60
C:\Windows\System32\drivers\etc
C:\Users\Public
C:\Users\karansaran\Desktop
C:\Users\karansaran\AppData\Local\Temp
**Install Wazuh Agent on Windows VM:**
# Run in PowerShell as Administrator inside Windows VM
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="192.168.176.1" WAZUH_AGENT_NAME="Victim-Win10"
NET START WazuhSvc
Also add Sysmon log collection to `ossec.conf`:
Microsoft-Windows-Sysmon/Operational
eventchannel
### 6.5 Install & Configure Splunk
**On Kali Linux host:**
1. Download Splunk Enterprise from `https://www.splunk.com/en_us/download/splunk-enterprise.html`
(Free account required — no credit card)
sudo dpkg -i splunk-*.deb
sudo /opt/splunk/bin/splunk start --accept-license
# Set admin username and password when prompted
2. Access Splunk: `http://localhost:8000`
3. Switch to Free license (never expires, 500MB/day):
- Settings → Licensing → Change license group → **Free** → Restart
4. Enable receiving port (so forwarder can send logs):
- Settings → Forwarding and receiving → Configure receiving → New → Port `9997`
### 6.6 Connect Splunk Universal Forwarder
**On Windows VM:**
1. Download Universal Forwarder from Splunk's website (Windows version)
2. During install, set receiving indexer: `192.168.176.1:9997`
3. After install, edit `C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf`:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
index = main
[WinEventLog://Security]
disabled = false
index = main
4. Restart forwarder:
net stop SplunkForwarder
net start SplunkForwarder
5. Verify on Kali in Splunk search:
index=main sourcetype="WinEventLog:Sysmon" | head 10
### 6.7 Configure Wireshark on Kali
# Install if not present
sudo apt install wireshark -y
# Add your user to wireshark group (avoids needing sudo every time)
sudo usermod -aG wireshark $USER
# Log out and log back in
# Start capturing
wireshark
# Select interface: vmnet1
# Apply filter: ip.addr == 192.168.176.128
## 7. Day 1 — Lab Setup Verification
Before doing anything else, verify all 3 tools are receiving data from the Windows VM.
**Check 1 — Wazuh:**
- Dashboard → Agents → `Victim-Win10` should show **Active** (green)
**Check 2 — Splunk:**
index=main host="DESKTOP-CE6SSAK" | head 10
Should return events from the Windows VM.
**Check 3 — Wireshark:**
- Start capture on `vmnet1`
- Filter: `ip.addr == 192.168.176.128`
- Ping from VM: `ping 192.168.176.1`
- ICMP packets should appear in Wireshark
All 3 green? You're ready to proceed.
**Day 1 — Lab Setup Proof:**

*Windows 10 VM Program Files showing SplunkUniversalForwarder and ossec-agent (Wazuh) both installed and present. Confirms Day 1 setup complete.*
## 8. Day 2 — Baseline Establishment
**Why baseline matters:**
A baseline tells you what "normal" looks like. Without it, you can't distinguish malicious activity from regular system noise. This is a core SOC analyst skill.
**Steps:**
1. Start Wireshark capture on `vmnet1` (leave running)
2. Open Wazuh dashboard → Threat Hunting → Events
3. Open Splunk → run: `index=main host="DESKTOP-CE6SSAK" | timechart span=1m count`
4. Generate normal activity on Windows VM for 30-60 minutes:
- Open/edit text files
- Browse folders in File Explorer
- Open Task Manager, Notepad, Calculator, Paint
5. Observe in Wazuh: sparse, low-severity events (level 3-5)
6. Observe in Splunk: flat, low event count per minute
7. **Screenshot both** — these are your "before" evidence
**Baseline observations recorded:**
| Metric | Baseline Value |
|---|---|
| Wazuh events (24hr) | 9 hits |
| Wazuh max severity | Level 5 |
| Splunk events (Jul 5) | 2,570 |
| Dominant EventCode | 4688 (normal process creation) |
| Network traffic | Low — only Wazuh/Splunk heartbeats |
**Baseline Evidence Screenshots:**

*Wazuh Threat Hunting showing sparse baseline events from Victim-Win10 — Windows Logon Success, File added, Wazuh agent started/stopped. Only 9 hits in 24 hours. Max severity level 5. This is what "normal" looks like before the attack.*

*Splunk capturing baseline activity — whoami.exe process execution (C:\Windows\System32\whoami.exe) at 07:57 AM. EventCode 4688 process creation. Shows Splunk is receiving Windows Security logs correctly.*

*Splunk showing 1,946 baseline events from DESKTOP-CE6SSAK on July 5. EventCode 4688 dominates — normal process creation activity. Flat, steady event rate confirms healthy baseline.*

*Wireshark capturing on vmnet1 interface — shows Wazuh agent traffic (TCP port 1514) and Splunk forwarder traffic (port 9997) between VM (192.168.176.128) and Kali host (192.168.176.1). DNS queries to Microsoft domains returning ICMP unreachable — confirms host-only isolation working.*

*Windows VM baseline activity — whoami command run in CMD showing user desktop-ce6ssak\karansaran. This was captured by both Wazuh and Splunk, confirming end-to-end log pipeline is working.*

*Windows VM Task Manager showing normal baseline processes: Edge, Paint, File Explorer, CMD. ossec-agent folder visible in File Explorer quick access — confirms Wazuh agent running. Sysmon folder in Downloads confirms Sysmon installed.*
8. Take VM snapshot — this is your safety net:
vmrun snapshot "/path/to/Windows 10 x64.vmx" "Clean-Baseline"
## 9. Day 3 — Attack Simulation (Atomic Red Team T1486)
**Pre-detonation checklist:**
- [ ] Wireshark capturing on `vmnet1` with filter `ip.addr == 192.168.176.128`
- [ ] Wazuh dashboard open on Integrity Monitoring tab
- [ ] Splunk search running: `index=* host="DESKTOP-CE6SSAK" | tail 20`
- [ ] Clean-Baseline snapshot taken
**Install Atomic Red Team on Windows VM:**
Since the VM has no internet (host-only network), download on Kali first and transfer:
# On Kali
cd /tmp
wget https://github.com/redcanaryco/invoke-atomicredteam/archive/refs/heads/master.zip -O invoke-atomicredteam.zip
wget https://github.com/redcanaryco/atomic-red-team/archive/refs/heads/master.zip -O atomics.zip
wget https://github.com/cloudbase/powershell-yaml/archive/refs/heads/master.zip -O powershell-yaml.zip
# Start HTTP server to transfer to VM
python3 -m http.server 8080
# On Windows VM — PowerShell as Administrator
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
New-Item -ItemType Directory -Path "C:\AtomicRedTeam" -Force
# Download from Kali's HTTP server
Invoke-WebRequest "http://192.168.176.1:8080/invoke-atomicredteam.zip" -OutFile "C:\AtomicRedTeam\invoke-atomicredteam.zip"
Invoke-WebRequest "http://192.168.176.1:8080/atomics.zip" -OutFile "C:\AtomicRedTeam\atomics.zip"
Invoke-WebRequest "http://192.168.176.1:8080/powershell-yaml.zip" -OutFile "C:\AtomicRedTeam\powershell-yaml.zip"
# Extract
Expand-Archive "C:\AtomicRedTeam\invoke-atomicredteam.zip" -DestinationPath "C:\AtomicRedTeam\" -Force
Expand-Archive "C:\AtomicRedTeam\atomics.zip" -DestinationPath "C:\AtomicRedTeam\" -Force
Expand-Archive "C:\AtomicRedTeam\powershell-yaml.zip" -DestinationPath "C:\AtomicRedTeam\" -Force
# Rename folders
Rename-Item "C:\AtomicRedTeam\invoke-atomicredteam-master" "invoke-atomicredteam"
Rename-Item "C:\AtomicRedTeam\atomic-red-team-master" "atomics"
Rename-Item "C:\AtomicRedTeam\powershell-yaml-master" "powershell-yaml"
# Install powershell-yaml dependency
Copy-Item "C:\AtomicRedTeam\powershell-yaml" -Destination "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\powershell-yaml" -Recurse -Force
**Atomic Red Team Download on Kali (HTTP Server Transfer):**

*Kali Linux terminal showing wget downloading Atomic Red Team framework files (invoke-atomicredteam.zip and atomics.zip) from GitHub. Files transferred to Windows VM via Python HTTP server since VM has no internet access.*

*Windows PowerShell showing Expand-Archive extracting both zip files and Rename-Item renaming folders to correct names — invoke-atomicredteam and atomics. Framework setup complete.*
**Detonate T1486:**
# Import modules
Import-Module "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\powershell-yaml" -Force
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
# Preview what will run (no attack yet)
Invoke-AtomicTest T1486 -ShowDetailsBrief -PathToAtomicsFolder "C:\AtomicRedTeam\atomics\atomics"
# DETONATE
Invoke-AtomicTest T1486 -PathToAtomicsFolder "C:\AtomicRedTeam\atomics\atomics"
**What happened during detonation:**
| Test | Description | Result |
|---|---|---|
| T1486-5 | PureLocker Ransom Note simulation | ✅ Success (Exit 0) |
| T1486-8 | GPG4Win encryption simulation | ⚠️ Tool not installed (expected) |
| T1486-9 | DiskCryptor simulation | ⚠️ Tool not installed (expected) |
| T1486-10 | Akira ransomware — .akira extension + ransom note | ✅ Success (Exit 0) |
**Attack artifacts created:**
C:\Users\karansaran\Desktop\akira_readme.txt (5,408 bytes — Akira ransom note)
C:\Users\karansaran\Desktop\YOUR_FILES.txt (33 bytes — ransom notification)
C:\Users\karansaran\AppData\Local\Temp\test.txt (37 bytes — simulation marker)
C:\Users\karansaran\AppData\Local\Temp\Invoke-AtomicTest-ExecutionLog.csv
**Detonation Evidence:**

*PowerShell output showing T1486 tests executing — T1486-5 (PureLocker) and T1486-10 (Akira) both returned Exit code 0 (success). T1486-8 and T1486-9 skipped as tools not installed — expected behavior.*

*Splunk showing 2,076 events during the attack window (July 6-7) with EventCode 4688 flooding in — rapid process creation spike confirming ransomware simulation executing. Timeline bar chart shows concentrated burst of activity.*

*Windows VM Desktop showing akira_readme.txt (5,408 bytes) and YOUR_FILES.txt created by the Akira simulation at 11:21 AM on July 7, 2026. These are the ransom notes dropped by T1486-10.*
## 10. Day 4 — Detection in Wazuh
### What Wazuh detected
**File Integrity Monitoring (FIM) alerts:**
Wazuh's FIM module detected **75 file creation events** (Rule 554 — "File added to the system") in `AppData\Local\Temp` and on the Desktop within minutes of detonation.
Key observations:
- Mass file creation in rapid succession (multiple events per second at 20:11, 20:12, 20:17, 20:21, 20:26, 20:32, 20:39)
- All flagged as `syscheck.event: added`
- Contrast with baseline: 0 FIM events during normal activity
**How to find these in Wazuh:**
1. Wazuh Dashboard → Victim-Win10 → **File Integrity Monitoring**
2. Set time range to cover attack window
3. Filter: `rule.groups: syscheck`
4. Look for columns: `syscheck.path`, `syscheck.event`, `rule.description`
**Sysmon events via Wazuh Discover:**
Wazuh also captured Sysmon Event ID 11 (file creation) showing PowerShell as the creating process:
data.win.eventdata.image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
data.win.eventdata.targetFilename: C:\Users\karansaran\AppData\Local\Temp\__PSScriptPolicyTest_dkvvtn0d.3xf.ps1
data.win.system.eventID: 11
data.win.system.channel: Microsoft-Windows-Sysmon/Operational
**Wazuh Detection Screenshots:**

*Wazuh File Integrity Monitoring showing 75 "File added to the system" alerts (Rule 554, Level 5) from Windows10-VM. Mass file creation in AppData\Local\Temp at rapid succession timestamps — confirms automated ransomware behavior.*

*Wazuh Discover showing 42 high-severity alerts (rule.level: 7-11) during attack window. "Executable file dropped in folder commonly used by malware" rule triggered — Wazuh's built-in malware detection confirming the attack.*

*Wazuh expanded alert showing rule.description: "Executable file dropped in folder commonly used by malware", rule.id 92213, fired 27 times. Sysmon EventID 11 detected suspicious DLL files dropped in Temp by cleanmgr.exe.*

*Wazuh Discover expanded document — Sysmon Event ID 11, powershell.exe (PID 6408) created __PSScriptPolicyTest_dkvvtn0d.3xf.ps1 in AppData\Local\Temp at 14:35:31. Confirms PowerShell as the attack process.*

*Wazuh showing high-severity events (rule.level 7-11) during attack timeframe. Clear spike pattern visible — events cluster around attack execution, silent during baseline. This contrast is the core of detection.*
**SPL queries to search Wazuh alerts in Splunk:**
index=wazuh-alerts-* agent.name="Windows10-VM"
| search rule.description="File added to the system"
| table _time, syscheck.path, syscheck.event, rule.level
| sort _time
## 11. Day 5 — Correlation in Splunk & Wireshark
### Splunk Analysis
**Event volume comparison (attack vs baseline):**
index=* host="DESKTOP-CE6SSAK"
| timechart span=1d count
| sort by count reverse
Results:
| Date | Event Count | Notes |
|---|---|---|
| 2026-07-07 | **2,710** | 🔴 Attack day — highest volume |
| 2026-07-05 | 2,570 | Baseline day |
| 2026-07-09 | 657 | Post-attack |
| 2026-07-01 | 102 | Pre-lab |
**EventCode breakdown on attack day:**
index=* host="DESKTOP-CE6SSAK"
| stats count by EventCode
| sort -count
| EventCode | Count | Meaning |
|---|---|---|
| 4688 | 1,506 (55%) | Process creation — spike indicates high process activity |
| 5379 | 720 (26%) | Credential manager read |
| 4624 | 146 | Logon events |
| 4672 | 137 | Special privilege logon |

*Splunk timechart (span=1d) showing event count by day — July 7 (attack day) peaks at 2,710 events vs July 5 baseline of 2,570. Clear volume spike on attack day confirms detection.*

*Splunk EventType bar chart visualization for July 7 — EventType 0 dominates at 2,592 events (95.6%). Massive process and system activity volume during attack window.*

*Splunk field analysis showing EventCode distribution — 4688 (process creation) leads at 1,506 events (55.5%), followed by 5379 (credential reads) at 720 events. Process creation spike is key ransomware indicator.*
**Process creation search (find the ransomware process):**
index=* host="DESKTOP-CE6SSAK" EventCode=4688
| where Creator_Process_Name like "%powershell%"
| table _time, New_Process_Name, Creator_Process_Name
| sort _time

*Splunk EventCode 4688 expanded event showing cmd.exe spawning ipconfig.exe (New Process: C:\Windows\System32\ipconfig.exe, Creator: C:\Windows\System32\cmd.exe). Network reconnaissance activity captured.*

*Splunk catching whoami.exe execution (C:\Windows\System32\whoami.exe) at 07:57 AM on July 5 — baseline reconnaissance activity. Confirms Splunk is capturing all process creation events correctly.*
**Find ransom note creation:**
index=* host="DESKTOP-CE6SSAK"
| search "akira" OR "ransom" OR "YOUR_FILES"
**Rare process detection (reconnaissance):**
index=* host="DESKTOP-CE6SSAK" Creator_Process_Name="*"
| rare limit=20 Creator_Process_Name
Notable finding: `ipconfig.exe` spawned from `cmd.exe` — typical attacker reconnaissance to map network.

*Splunk rare process analysis showing unusual creator processes — OneDriveStandaloneUpdater.exe, Defrag.exe, WerFault.exe appearing only once each. Rare process hunting identifies low-frequency suspicious executions during the attack window.*
### Wireshark Analysis
**Capture file:** `ransomware-vm.pcapng`
**Conversations view (Statistics → Conversations → IPv4):**
| Connection | Packets | Volume | Significance |
|---|---|---|---|
| 192.168.176.128 ↔ 192.168.176.1 | 130,940 | **179 MB** | Massive log forwarding spike to Kali (Wazuh + Splunk) during attack |
| 192.168.176.128 ↔ 192.168.176.255 | 15 | 2 KB | Broadcast traffic — normal |

*Wireshark Conversations view (IPv4) from ransomware-vm.pcapng — 130,940 packets / 179MB between VM (192.168.176.128) and Kali host (192.168.176.1). Massive log forwarding spike during attack. No unknown external IPs — confirms no C2 communication.*
**DNS analysis (filter: `ip.src == 192.168.176.128 && dns`):**
- Repeated queries to `edge.microsoft.com` and `g.live.com` — normal Windows telemetry
- All DNS queries returned **ICMP Destination Unreachable** — confirms VM has no internet (isolation working)
- DNS retransmissions observed — VM keeps retrying because no response arrives
- **No suspicious/unknown domains detected** — no C2 callback (expected for Atomic Red Team simulation)

*Wireshark DNS filter (ip.src == 192.168.176.128 && dns) showing repeated queries to edge.microsoft.com and g.live.com — all returning ICMP Destination Unreachable. DNS retransmissions visible. No suspicious external domains. Confirms zero C2 communication.*
**Key Wireshark filters used:**
# All VM traffic
ip.addr == 192.168.176.128
# DNS queries from VM
ip.src == 192.168.176.128 && dns
# Outbound connection attempts
tcp.flags.syn == 1 && ip.src == 192.168.176.128
# Splunk log forwarding traffic
tcp.port == 9997
# Wazuh agent traffic
tcp.port == 1514
## 12. Day 6 — Triage & Kill Chain Analysis
### Formal Incident Classification
| Field | Value |
|---|---|
| **Classification** | ✅ True Positive |
| **Severity** | 🔴 Critical |
| **Scope** | Single host — DESKTOP-CE6SSAK |
| **Impact** | Data availability — files encrypted/renamed, ransom note dropped |
| **Lateral Movement** | None detected |
| **External C2** | None detected |
| **Containment Status** | Host isolated (host-only network throughout) |
### Kill Chain Mapping
┌─────────────────────────────────────────────────────────────┐
│ ATTACK KILL CHAIN │
├──────────────┬──────────────────────────────────────────────┤
│ STAGE │ DETAIL │
├──────────────┼──────────────────────────────────────────────┤
│ Delivery │ Atomic Red Team T1486 executed directly on │
│ │ victim host via PowerShell │
│ │ Time: July 7, 2026 @ 11:21 AM │
├──────────────┼──────────────────────────────────────────────┤
│ Execution │ powershell.exe (PID 6408) launched │
│ │ Parent process: cmd.exe │
│ │ Evidence: Splunk EventCode 4688 │
│ │ MITRE: T1059.001 - PowerShell │
├──────────────┼──────────────────────────────────────────────┤
│ Discovery │ ipconfig.exe executed from cmd.exe │
│ │ Network reconnaissance attempted │
│ │ Evidence: Splunk rare process analysis │
│ │ MITRE: T1082 - System Information Discovery │
├──────────────┼──────────────────────────────────────────────┤
│ Defense │ Set-ExecutionPolicy Bypass used to allow │
│ Evasion │ unsigned script execution │
│ │ MITRE: T1562 - Impair Defenses │
├──────────────┼──────────────────────────────────────────────┤
│ Impact │ Mass file creation in AppData\Local\Temp │
│ │ Ransom notes dropped on Desktop │
│ │ Files: akira_readme.txt, YOUR_FILES.txt │
│ │ Evidence: Wazuh FIM 75 hits, Rule 554 │
│ │ MITRE: T1486 - Data Encrypted for Impact │
├──────────────┼──────────────────────────────────────────────┤
│ C2/Exfil │ No external C2 detected │
│ │ DNS queries to Microsoft only │
│ │ All blocked by isolated network │
└──────────────┴──────────────────────────────────────────────┘
### Containment & Response Actions
In a real SOC environment, the following actions would be taken:
1. ISOLATE → Immediately disconnect host from network
Block all traffic at firewall/NAT level
(In lab: already isolated via host-only adapter ✅)
2. PRESERVE → Take forensic image of VM disk before any changes
(In lab: Post-Attack-Day3 snapshot taken ✅)
3. BLOCK → Add PowerShell script hash to EDR blocklist
Block execution policy bypass via GPO
4. NOTIFY → Escalate to IR team — Critical severity
Notify affected users and management
5. HUNT → Search all hosts for same PowerShell execution pattern
SPL: index=* EventCode=4688 | search powershell
6. RECOVER → Restore from last known clean backup
(In lab: revert to Clean-Baseline snapshot ✅)
7. HARDEN → Enable PowerShell Constrained Language Mode
Implement application whitelisting
Deploy EDR on all endpoints
## 13. Incident Report
**INCIDENT REPORT**
**Report ID:** IR-2026-001
**Classification:** CONFIDENTIAL — LAB EXERCISE
**Date:** July 9, 2026
**Analyst:** Saranjith R
### Executive Summary
On July 7, 2026 at approximately 11:21 AM, a ransomware attack was simulated on an isolated Windows 10 host (DESKTOP-CE6SSAK) using Atomic Red Team's T1486 technique. The simulation executed two successful test variants: PureLocker ransom note simulation (T1486-5) and Akira ransomware file extension and ransom note simulation (T1486-10).
The attack was detected across three tools: Wazuh flagged 75 FIM alerts indicating mass file creation, Splunk showed a significant event volume spike (2,710 events vs 2,570 baseline), and Wireshark confirmed no external C2 communication. The incident is classified as a **True Positive, Critical severity, single-host scope**.
### Timeline of Events
| Time (IST) | Event |
|---|---|
| Jul 5 @ 07:46 | Wazuh agent started on Victim-Win10 — baseline begins |
| Jul 5 @ 07:55 | Baseline activity generated — normal file/process events observed |
| Jul 5 @ 08:29 | Clean-Baseline VM snapshot taken |
| Jul 7 @ 11:03 | Atomic Red Team framework installed on victim VM |
| Jul 7 @ 11:21 | **T1486 detonation — attack begins** |
| Jul 7 @ 11:21 | T1486-5 PureLocker ransom note dropped — Exit 0 |
| Jul 7 @ 11:21 | T1486-10 Akira ransomware simulation — Exit 0 |
| Jul 7 @ 11:21 | akira_readme.txt (5.4KB) created on Desktop |
| Jul 7 @ 11:21 | YOUR_FILES.txt created on Desktop |
| Jul 7 @ 11:21 | Mass file creation in AppData\Local\Temp begins |
| Jul 9 @ 20:11 | Wazuh FIM detects 75 file addition events |
| Jul 9 @ 20:49 | Full investigation complete |
### Technical Findings
**Finding 1 — Mass File Creation Detected by Wazuh FIM**
- 75 file creation events in `AppData\Local\Temp` and Desktop
- Rule 554 triggered — "File added to the system"
- Rapid succession timestamps confirm automated/scripted behavior
- Severity: Level 5
**Finding 2 — PowerShell Execution Chain (Splunk + Sysmon)**
- `cmd.exe` spawned `powershell.exe` (PID 6408)
- PowerShell created `__PSScriptPolicyTest_dkvvtn0d.3xf.ps1` in Temp
- EventCode 4688 count spiked to 1,506 events (55% of all events on attack day)
- Execution policy bypass used: `Set-ExecutionPolicy Bypass`
**Finding 3 — No External C2 (Wireshark)**
- 130,940 packets exchanged between VM and Kali host (log forwarding)
- All DNS queries resolved to Microsoft domains (edge.microsoft.com, g.live.com)
- All DNS responses returned ICMP unreachable — no external communication
- No suspicious domains or IPs identified
## 14. MITRE ATT&CK Mapping
| Tactic | Technique Name | ID | Evidence Source |
|---|---|---|---|
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Splunk EventCode 4688, Sysmon EID 1 |
| Execution | User Execution | T1204 | Atomic Red Team manual execution |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562 | Set-ExecutionPolicy Bypass in PowerShell |
| Discovery | System Information Discovery | T1082 | ipconfig.exe via cmd.exe — Splunk rare process |
| Impact | Data Encrypted for Impact | **T1486** | Wazuh FIM 75 hits, akira_readme.txt, YOUR_FILES.txt |
**MITRE ATT&CK Navigator reference:** https://attack.mitre.org/techniques/T1486/
## 15. Key Findings Summary
| # | Finding | Tool | Severity |
|---|---|---|---|
| 1 | 75 FIM alerts — mass file creation in Temp and Desktop | Wazuh | 🔴 High |
| 2 | PowerShell spawned by cmd.exe — 1,506 process creation events | Splunk | 🔴 High |
| 3 | Ransom notes confirmed on Desktop (akira_readme.txt, YOUR_FILES.txt) | Manual | 🔴 Critical |
| 4 | Event volume spike on attack day (2,710 vs 2,570 baseline) | Splunk | 🟡 Medium |
| 5 | ipconfig.exe execution via cmd.exe — network reconnaissance | Splunk | 🟡 Medium |
| 6 | Execution policy bypass used to enable unsigned scripts | Wazuh/Splunk | 🟡 Medium |
| 7 | No external C2 detected — all DNS to Microsoft domains | Wireshark | 🟢 Info |
| 8 | No lateral movement detected | Wireshark/Wazuh | 🟢 Info |
## 16. Indicators of Compromise (IOCs)
ATTACK METADATA
───────────────
Attack Date : July 7, 2026
Attack Time : 11:21 AM IST
Host : DESKTOP-CE6SSAK
User : karansaran
IP Address : 192.168.176.128
OS : Windows 10 Education 10.0.19045.2965
MITRE Technique: T1486 — Data Encrypted for Impact
FILE IOCs
─────────
C:\Users\karansaran\Desktop\akira_readme.txt (5,408 bytes)
C:\Users\karansaran\Desktop\YOUR_FILES.txt (33 bytes)
C:\Users\karansaran\AppData\Local\Temp\test.txt (37 bytes)
C:\Users\karansaran\AppData\Local\Temp\Invoke-AtomicTest-ExecutionLog.csv
PROCESS IOCs
────────────
Process : powershell.exe
PID : 6408
Parent : cmd.exe
Path : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Script created : __PSScriptPolicyTest_dkvvtn0d.3xf.ps1
NETWORK IOCs
────────────
No external C2 IPs or domains detected
DNS queries: edge.microsoft.com, g.live.com (legitimate Microsoft domains)
All external DNS: blocked by isolated host-only network
WINDOWS EVENT IOCs
──────────────────
EventCode 4688 — Process Creation spike: 1,506 events
EventCode 5379 — Credential Manager reads: 720 events
Sysmon EID 11 — File creation by powershell.exe in Temp
Wazuh Rule 554 — File added to system: 75 hits
## 17. Lessons Learned
**What worked well:**
- Host-only network isolation completely prevented any risk to the real network or host data
- Sysmon provided rich telemetry that neither Wazuh nor Splunk alone would capture
- Running both Wazuh and Splunk simultaneously gave visibility from two different angles on the same data — this is how enterprise SOCs operate
- Wireshark confirmed network-level indicators (or in this case, their absence) which is critical for ruling out C2 activity
**What was challenging:**
- Wazuh FIM requires explicit directory configuration — it won't detect files in directories you haven't told it to watch. This is a common beginner mistake.
- The UTF-8 BOM encoding issue when writing XML config via PowerShell broke the Wazuh agent silently — always use `[System.IO.File]::WriteAllText` with `UTF8Encoding($false)` when writing config files from PowerShell
- Atomic Red Team requires internet to install normally — in an isolated lab you must manually transfer the framework via HTTP server
**Real-world SOC takeaways:**
- FIM alone is not enough — you need process-level visibility (Sysmon) to understand *what* caused the file changes
- Baseline establishment is not optional — without it you cannot distinguish an attack spike from normal noise
- Cross-tool correlation (Wazuh + Splunk + Wireshark) gives much higher confidence than any single tool
- Network evidence is just as important as host evidence — Wireshark confirmed no data exfiltration occurred
## 18. References
- MITRE ATT&CK T1486: https://attack.mitre.org/techniques/T1486/
- MITRE ATT&CK T1059.001: https://attack.mitre.org/techniques/T1059/001/
- Atomic Red Team T1486 tests: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
- Wazuh FIM documentation: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- SwiftOnSecurity Sysmon config: https://github.com/SwiftOnSecurity/sysmon-config
- Sysmon Event IDs reference: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- Splunk SPL documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference
## Author
**Saranjith R**
B.E. Computer Science (Cyber Security) — SKCET, Coimbatore
ISC2 Certified in Cybersecurity (CC)
TryHackMe: Top 15% globally
*This project was built as part of an independent SOC analyst portfolio to demonstrate hands-on detection and response skills across Wazuh, Splunk, and Wireshark.*
*⭐ If this project helped you, please star the repository and share it with other cybersecurity students!*
标签:x64dbg, 入侵分析, 勒索软件检测, 安全培训, 安全实验环境, 安全运营, 扫描框架