🔍 **Attacker Simulation Synopsis (Phase 1: Host Compromise Actions)**

**Step 1 – Failed + Successful Logons**

✅ Executed: Three failed logon attempts followed by a successful logon using the Steve account.

🎯 Simulated Behavior: Brute-force or password guessing attempts.

🏢 Enterprise Analogy: A malicious insider or external actor tries to access a user account (successfully), possibly after credential harvesting or phishing.

**Step 2 – Obfuscated PowerShell Execution**

✅ Executed: Used variable indirection to launch notepad.exe via iex. Used variable indirection to launch Notepad via iex, a method commonly used by attackers to evade detection. Instead of calling the binary directly, the command was stored in a variable and executed dynamically, simulating lightweight obfuscation tactics often seen in PowerShell-based attacks.
 
🎯 Simulated Behavior: Living-off-the-land (LOTL) technique using PowerShell obfuscation to evade detection.

🏢 Enterprise Analogy: Scripted malware or post-exploitation tools (e.g., Cobalt Strike) hiding execution chains within PowerShell commands.

**Step 3 – Scheduled Task Persistence**

✅ Executed: Created scheduled task Updater2 to run mspaint.exe at user logon. MSPaint (Microsoft Paint) is a built-in Windows graphical editing tool used for creating and modifying images. In this simulation, it's a benign executable chosen to demonstrate persistence without triggering antivirus, mimicking how attackers might use trusted programs or LOLBins to maintain stealthy footholds.

🎯 Simulated Behavior: Establishing persistence through legitimate OS tasking mechanisms.

🏢 Enterprise Analogy: APTs or malware deploy scheduled tasks to reinitiate malicious payloads (e.g., remote access tools) after reboot or logon.

**Step 4 – Simulated Lateral Movement Attempt**

✅ Executed: Ran mstsc /v:192.168.56.102 and net use \\192.168.56.102\C$, captured via Wireshark. mstsc /v:<IP> launches the Remote Desktop Protocol (RDP) client and attempts to connect to the specified IP address, simulating how attackers try to gain interactive desktop access to remote systems.

net use \\<IP>\C$ tries to connect to the default administrative SMB share (the C$ drive) on the target system, mimicking lateral movement via network file access.

🎯 Simulated Behavior: Attempted use of RDP and SMB to access another internal system.

🏢 Enterprise Analogy: Attackers use stolen credentials to pivot between hosts, exploiting trust relationships and misconfigured shares.

**Step 5 – Nmap Scan of External Target**

✅ Executed: Port scan against 192.168.56.102 targeting common ports (22, 80, 443, etc.). Executed a port scan against 192.168.56.102, a fabricated private IP address used solely to simulate attacker lateral movement or reconnaissance behavior. Although this IP does not map to an active system, Nmap may still return "filtered" results due to the way local network firewalls or the OS respond (or drop) unsolicited packets. This models how attackers often probe local subnets for reachable hosts — even if the scans result in timeouts or filtered responses, the attempt itself is a valuable signal for detection.

🎯 Simulated Behavior: Network reconnaissance after foothold to find lateral movement or data exfiltration paths.

🏢 Enterprise Analogy: Attackers scan internal ranges for open services like RDP, HTTP apps, or unpatched legacy systems.

**Step 6 – Nmap Scan of Local Host**

✅ Executed: Scanned 127.0.0.1 to identify open ports and services running on the compromised system. The IP address 127.0.0.1 is the loopback address, which refers to the local machine itself. By scanning this address, the attacker is probing the host they currently control to discover what services are exposed internally — a common post-exploitation reconnaissance technique in real-world attacks.

🎯 Simulated Behavior: Privilege-aware reconnaissance to enumerate local services or potential privilege escalation vectors.

🏢 Enterprise Analogy: An attacker inside a host audits its surface area (e.g., Splunk ports, open RDP) to deploy exploits or install implants.

**Step 7 – Simulated Privilege Escalation**

✅ Executed: Ran whoami /priv and icacls C:\Windows to probe privilege levels and file system access. whoami /priv lists the current user's security privileges, revealing what actions they are authorized to perform. These include:

Impersonation: The ability to temporarily adopt the security context of another user. Attackers can abuse this to perform actions as a more privileged account without directly acquiring its credentials.

Debugging: The right to attach a debugger to processes, including those running as system or other users. Malicious actors may exploit this to inspect or manipulate memory, inject code, or escalate privileges.

Shutting down the system: Grants authority to power off or restart the machine. While seemingly basic, this privilege can be abused in ransomware operations or availability attacks to disrupt business operations.

The second command, icacls C:\Windows, displays the access control list (ACL) for the core Windows directory. This helps determine which users or groups have permission to read, modify, or take ownership of system-critical files — essential for evaluating privilege escalation paths

🎯 Simulated Behavior: Post-compromise privilege inspection, a prelude to escalation.

🏢 Enterprise Analogy: Threat actors enumerate permissions to assess whether they can dump credentials, modify services, or escalate to SYSTEM.


**This simulation captures core, widely observed attacker behaviors aligned with common enterprise intrusion patterns. From brute-force access to obfuscated execution, persistence, recon, and privilege assessment, each step reflects actions that threat actors commonly execute after compromising a host. Understanding and detecting these behaviors forms the foundation of SOC operations and enables timely incident response.**

**SIEM Alert Summary: Suspicious Local Host Activity Detected**
Alert Name:
Suspicious Local Host Activity – Privilege Abuse & Host Enumeration

**Alert Trigger:**
Multiple high-risk actions observed within a short timeframe on local host DESKTOP-UPKRV33 (127.0.0.1), including privilege enumeration, file system access checks, scheduled task creation, and process execution via obfuscated PowerShell.

**Key Indicators:**

Obfuscated PowerShell used to launch Notepad (iex with variable indirection)

Scheduled task Updater2 created to run mspaint.exe at user logon (persistence mechanism)

Failed SMB and RDP connection attempts to 192.168.56.102 (possible lateral movement)

Nmap scan targeting common external and localhost ports (host/service enumeration)

Execution of whoami /priv and icacls C:\Windows indicating privilege probing

**Risk Level:**
Medium–High (Privilege Enumeration + Persistence + Reconnaissance)

**Recommended Action:**
Investigate user Steve activity during timeframe 06:44–08:32 AM on 07/03/2025. Review event logs for related task creation (Event ID 4698), privilege usage (Event ID 4672), and process launches (Event ID 4688). Correlate with PowerShell logs and network telemetry.

**✅ Insider Threat Simulation – Final Write-up** 

🎯 **Objective**
Simulate attacker behaviors from a local Windows account ("Steve") to assess SIEM detection coverage using Splunk.

Test visibility for logon activity, PowerShell abuse, scheduled task persistence, lateral movement, Nmap scanning, and privilege escalation probes.

Document detection gaps caused by misconfiguration, audit limitations, or Splunk service privilege.

🧪 Simulated Attacker Actions
Step 1: Multiple failed logon attempts followed by a successful interactive login.

Step 2: Obfuscated PowerShell command used to launch notepad.exe with -EncodedCommand.

Step 3: Created a scheduled task named Updater2 that executes mspaint.exe at logon.

Step 4: Attempted lateral movement using:

Remote Desktop Protocol (RDP) via mstsc /v:192.168.56.102

SMB access via net use \\192.168.56.102\C$

Step 5: Performed local Nmap scan with nmap -T4 -A localhost.

Step 6: Executed privilege inspection commands in elevated PowerShell:

whoami /priv

icacls C:\Windows

📊 Splunk Detection Results
Step 1 – Logon Events

✅ Detected: All three failed logons (4625) and one successful logon (4624) correctly ingested.

✅ Confirmed timeline and sequence.

Step 2 – Obfuscated PowerShell Execution

⚠️ Partially detected: powershell.exe process seen.

⚠️ Not decoded: -EncodedCommand not parsed or flagged; command content not visible in logs.

⚠️ 4688 not functioning at time of execution; no command-line arguments captured.

Step 3 – Scheduled Task Creation

✅ Detected: Event ID 4698 showed task name Updater2 and full XML configuration.

✅ Account attribution correctly logged as Steve.

Step 4 – Lateral Movement Attempt

✅ Detected: Multiple 4625 failed logons triggered by mstsc and net use activity.

❌ Not detected: Corresponding process creation events (4688) for RDP/SMB commands were not ingested.

Step 5 – Nmap Scan

❌ Not detected: No 4688 event generated for nmap.exe.

❌ No indication of network scan activity in logs.

Step 6 – Privilege Escalation Probes

❌ Not detected: Neither whoami /priv nor icacls generated any logs in Splunk.

❌ Missing telemetry attributed to 4688 failure.

⚠️ Issues Encountered
4688 Logging Failure

Most critical gap: process creation (4688) not visible in Splunk during or after simulation.

Prevented detection of PowerShell usage, Nmap activity, and privilege escalation tools.

Splunk Service Account Privilege

Splunk splunkd was running under Local System, not an admin or Event Log Reader account.

Prevented full access to Security log telemetry.

Audit Policy Timing

Custom PowerShell audit policy block applied after some attacker actions had occurred.

Likely reason for missed events even after enabling proper subcategories.

✅ Confirmed Working Telemetry
Logon events (4624, 4625)

Scheduled task creation (4698)

Basic system service activity (splunkd, svchost.exe noise)

🔁 Lessons and Recommendations
Always confirm live 4688 ingestion before simulation.

Use a test executable like notepad.exe after audit policy is applied.

Validate with a real-time Splunk query before proceeding.

Update Splunk to run as a privileged local account.

Configure the Splunk service (splunkd) to run under Steve or Administrator.

Ensure this account is part of “Event Log Readers” and has appropriate rights.

Apply audit policies at system boot or before simulation starts.

Do not rely on mid-session configuration; logs may be dropped.

Build a pre-check script for audit readiness.

Use auditpol /get to verify subcategory status before launching attacker steps.

Consider adding Sysmon for richer telemetry.

Especially valuable for process, command-line, and network event visibility.

🧩 **Summary**
Simulation successfully replicated realistic attacker behaviors from a local account.

Splunk captured logons and persistence mechanisms, but failed to detect most process-level activity due to configuration gaps.

Future iterations should emphasize telemetry readiness before initiating simulation steps.











