This project demonstrates how to build a complete blue-team detection lab inspired by real-world SOC operations, centered around detecting malicious behaviors like Command and Control (C2) beaconing and network threats.
✅ Collecting endpoint telemetry with Sysmon and forwarding via Winlogbeat/Splunk UF.
✅ Monitoring network traffic with Suricata NIDS.
✅ Visualizing threats using Grafana dashboards connected to Elasticsearch.
✅ Creating real-time alerts via ElastAlert for suspicious behaviors.
✅ Simulating C2 beaconing with PowerShell to test the detections end to end.
By implementing this detection lab, you can gain hands-on SOC experience, understand the security monitoring pipeline, and prepare for security analyst roles.
Tool | Description |
---|---|
Sysmon | System Monitor for Windows, providing detailed system activity logging. |
Winlogbeat | Forwards Windows event logs to Elasticsearch. |
Splunk UF | Universal Forwarder sending Windows logs to Splunk server. |
Elasticsearch | Stores and indexes logs forwarded from Winlogbeat. |
Grafana | Visualization platform for creating dashboards from Elasticsearch data. |
Suricata | Network Intrusion Detection System (NIDS) for monitoring traffic. |
ElastAlert 2 | Alert generation framework for Elasticsearch with email notifications. |
PowerShell Script | Custom script to simulate C2 beaconing behavior. |
Specifications
- RAM: 4GB+
- HDD: 50GB+
- OS: Windows Server 2019
Follow these steps to install and configure Sysmon:
1. Download Sysmon from Microsoft Sysinternals together with SwiftOnSecurity's configuration:

```powershell
# Download Sysmon and SwiftOnSecurity's config
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "Sysmon.zip"
Expand-Archive -Path "Sysmon.zip" -DestinationPath "C:\Sysmon"
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -OutFile "C:\Sysmon\sysmonconfig.xml"
```

2. Install Sysmon with the configuration:

```powershell
cd C:\Sysmon
.\sysmon64.exe -accepteula -i sysmonconfig.xml
```

3. Verify the installation:

```powershell
Get-Service sysmon64
```
Follow these steps to install Splunk UF:
1. Download the Splunk Universal Forwarder.

2. Install the Splunk Universal Forwarder.

3. Configure the Splunk Universal Forwarder to forward logs:

```powershell
cd "C:\Program Files\SplunkUniversalForwarder\bin"
.\splunk.exe start
.\splunk.exe enable boot-start
.\splunk.exe add forward-server <SPLUNK_SERVER_IP>:9997
```

4. Configure Splunk UF for Sysmon by creating `inputs.conf` in `C:\Program Files\SplunkUniversalForwarder\etc\system\local\`:

```ini
[default]
host = WIN-FR3H8BJTJ78

[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = sysmon
renderXml = true
```

5. Restart the Splunk UF service:

```powershell
Restart-Service "SplunkForwarder"
```
Follow these steps to install and configure Winlogbeat:
1. Download Winlogbeat:

```powershell
# Download latest Winlogbeat from Elastic website
Invoke-WebRequest -Uri "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-8.10.4-windows-x86_64.zip" -OutFile "winlogbeat.zip"
Expand-Archive -Path "winlogbeat.zip" -DestinationPath "C:\Program Files\Winlogbeat"
```

2. Configure Winlogbeat by editing `winlogbeat.yml` in `C:\Program Files\Winlogbeat`:

```yaml
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Security
  - name: System
  - name: Application

output.elasticsearch:
  hosts: ["http://<KALI_IP>:9200"]
```

3. Install and start the Winlogbeat service:

```powershell
.\install-service-winlogbeat.ps1
Start-Service winlogbeat
```
Specifications
- RAM: 4GB+
- HDD: 40GB+
- OS: Kali Linux
Run the following commands to install Splunk Enterprise on Kali:
```bash
# Download Splunk Enterprise
wget -O splunk-8.2.9-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/8.2.9/linux/splunk-8.2.9-linux-2.6-amd64.deb"

# Install Splunk
sudo dpkg -i splunk-8.2.9-linux-2.6-amd64.deb
sudo /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme

# Configure receiving on port 9997
sudo /opt/splunk/bin/splunk enable listen 9997 -auth admin:changeme

# Create the indexes referenced by the forwarder's inputs.conf and by Suricata
# (Splunk drops events addressed to an index that does not exist)
sudo /opt/splunk/bin/splunk add index wineventlog -auth admin:changeme
sudo /opt/splunk/bin/splunk add index sysmon -auth admin:changeme
sudo /opt/splunk/bin/splunk add index suricata -auth admin:changeme
```
Access Splunk Web UI at http://localhost:8000
Follow these steps to install Elasticsearch:
```bash
# Install Java requirements
sudo apt update && sudo apt install -y default-jre

# Install Elasticsearch
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install elasticsearch -y

# Configure Elasticsearch
sudo nano /etc/elasticsearch/elasticsearch.yml
```

Update the elasticsearch.yml configuration:

```yaml
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: false
```

These settings bind Elasticsearch on every interface with authentication and TLS switched off so that Winlogbeat, Grafana and ElastAlert can reach it without credentials; run the Kali VM on an isolated lab network while it is configured this way.

```bash
# Start Elasticsearch
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
```

Verify with:

```bash
curl http://localhost:9200
```
Follow these steps to install Grafana:
```bash
# Add Grafana APT repository
sudo apt-get install -y apt-transport-https software-properties-common
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
echo "deb https://packages.grafana.com/oss/deb stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list

# Install Grafana
sudo apt update && sudo apt install grafana -y

# Start Grafana
sudo systemctl daemon-reload
sudo systemctl enable grafana-server
sudo systemctl start grafana-server
```
Access Grafana at http://localhost:3000 with default credentials admin/admin
Install and configure Suricata NIDS:
```bash
# Install Suricata
sudo apt update && sudo apt install suricata -y

# Edit configuration
sudo nano /etc/suricata/suricata.yaml
```

Update suricata.yaml for your network interface:

```yaml
# Find and edit your network interface name
af-packet:
  - interface: eth0  # Change to your interface name
```

```bash
# Update Suricata rules
sudo suricata-update

# Configure outputs for Elasticsearch and Splunk
sudo nano /etc/suricata/suricata.yaml
```

Configure the Suricata Eve output:

```yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json
      types:
        - alert
        - http
        - dns
        - tls
        - flow
```

```bash
# Start Suricata
sudo systemctl enable suricata
sudo systemctl start suricata
```
Install and configure ElastAlert for email notifications:
```bash
# Install ElastAlert 2 (the PyPI package is named elastalert2; it provides the
# elastalert and elastalert-create-index commands used below)
pip3 install elastalert2

# Create ElastAlert directory
mkdir elastalert
cd elastalert

# Configure ElastAlert
nano config.yaml
```
Update config.yaml with the SMTP and Elasticsearch details (the e-mail addresses are placeholders):

```yaml
# Basic configuration
rules_folder: rules          # directory holding the rule files created below
es_host: localhost
es_port: 9200
run_every:
  minutes: 1
buffer_time:
  minutes: 15
writeback_index: elastalert_status

# Email configuration
email_reply_to: you@example.com
email_from: you@example.com
smtp_host: smtp.gmail.com
smtp_port: 587
smtp_auth_file: smtp_auth_file.yaml
```
Create smtp_auth_file.yaml:

```yaml
user: "you@example.com"
password: "your_app_password"
```
Create a rule file for PowerShell beaconing:

```bash
mkdir rules
nano rules/powershell_beacon.yaml
```

powershell_beacon.yaml content (the alert text states the same window as `timeframe`):

```yaml
name: PowerShell Beaconing Detection
type: frequency
index: winlogbeat-*
num_events: 5
timeframe:
  minutes: 1
filter:
  - query:
      query_string:
        query: "event.code:3 AND process.name:*powershell.exe"
alert:
  - email
email:
  - you@example.com
alert_subject: "PowerShell Potential C2 Beaconing Detected"
alert_text: |
  Detected 5 or more PowerShell network connections within 1 minute.

  Source Host: {0}
  Source User: {1}
  Destination IPs: {2}
alert_text_args:
  - host.hostname
  - user.name
  - destination.ip
```
```bash
# Run ElastAlert
elastalert-create-index --config config.yaml
elastalert --verbose --config config.yaml
```

Output:

```
INFO:elastalert:Queried rule Detect Frequent PowerShell Network Connections from 2024-05-13 11:12:00 to 2024-05-13 11:14:00: 5 hits
INFO:elastalert:Alert for Detect Frequent PowerShell Network Connections at 2024-05-13 11:14:20
INFO:elastalert:Sent email to ['[email protected]']
```
This workflow demonstrates how to simulate and detect C2 beaconing:
1️⃣ Create a PowerShell beaconing script on the Windows victim machine.
2️⃣ Execute the script to simulate periodic outbound connections.
3️⃣ Observe the logs in Splunk.
4️⃣ Visualize the beaconing pattern in Grafana dashboards.
5️⃣ Receive alerts via ElastAlert when beaconing threshold is reached.
🔹 Create beacon.ps1 on the Windows machine

```powershell
# beacon.ps1 - Simulate C2 beaconing behavior: one outbound HTTP request to the
# lab "C2" host every 10 seconds. Replace KALI_IP with the Kali VM's address.
while ($true) {
    try {
        Invoke-WebRequest -Uri "http://KALI_IP:8080/ping" -UseBasicParsing -TimeoutSec 5 | Out-Null
    } catch {
        # Keep beaconing even when nothing answers on port 8080; the periodic
        # connection attempts are what the detections below key on.
    }
    Start-Sleep -Seconds 10
}
```

🔹 Execute the script in PowerShell

```powershell
# Run as Administrator
Set-ExecutionPolicy Bypass -Scope Process
.\beacon.ps1
```
- Log into Grafana (http://localhost:3000) with admin/admin
- Add Elasticsearch as a data source
- Set the Elasticsearch URL to http://localhost:9200
- Set the index name to winlogbeat-*
- Done
Top Source IPs panel:

Query:

```
event.code:"3"
```

Visualization: Bar Chart
Metrics: Count
Group by: source.ip (Terms)

Suspicious PowerShell Activity panel:

Query:

```
event.code:"3" AND destination.port:"8080" AND process.executable:*powershell.exe
```

Visualization: Time Series
Group by: destination.ip (Terms)
Metrics: Count
Then by: @timestamp (1m interval)

Suspicious Parent-Child Process Execution panel:

Query:

```
event.code:1 AND process.name:"powershell.exe" AND process.executable:/C:\\Users\\.*/
```

Visualization: Table
Logs
- Log into Splunk (http://localhost:8000)
- Create the following searches:
PowerShell Network Connections:

```
index=sysmon EventCode=3
```

Beaconing Detection Search:

```
index=sysmon EventCode=3 Image="*\\powershell.exe"
| bucket span=5m _time
| stats count as connection_count by _time, User, DestinationIp
| where connection_count >= 3
```
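The ElastAlert rule and the Splunk search above both detect beaconing by counting connections in a window. The following detector, an added example that is not part of this lab's code, runs the same idea over constructed Sysmon Event ID 3 records in the ECS shape Winlogbeat indexes and goes one step further by also scoring how regular the intervals are; the hostnames, IPs and timestamps are constructed.

```python
"""Beaconing detector over Sysmon Event ID 3 records (added example, not the
lab's own code). The ElastAlert and Splunk rules above only count connections;
this also scores how regular the intervals are, which separates a timer-driven
beacon from a burst of ordinary user traffic. Field names follow the ECS
documents Winlogbeat indexes (event.code, host.hostname, user.name, ...)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def _ev(sec, proc, dst, port):
    """Constructed Sysmon Event ID 3 record at 2024-05-13 11:12:<sec>."""
    return {"@timestamp": f"2024-05-13T11:12:{sec:02d}Z", "event": {"code": 3},
            "host": {"hostname": "WIN-VICTIM"}, "user": {"name": "LAB\\analyst"},
            "process": {"name": proc}, "destination": {"ip": dst, "port": port}}

# Constructed sample: beacon.ps1 hitting the lab "C2" host every 10 s, plus a
# browser opening the same number of connections at irregular intervals.
SAMPLE_EVENTS = ([_ev(s, "powershell.exe", "10.0.0.5", 8080) for s in range(0, 60, 10)]
                 + [_ev(s, "chrome.exe", "93.184.216.34", 443) for s in (1, 2, 17, 44, 45, 58)])

def detect_beacons(events, window=timedelta(minutes=5), min_count=5, max_jitter=2.0):
    """One finding per (host, user, process, destination) with at least `min_count`
    connections inside some `window` whose inter-connection gaps have a population
    stddev of at most `max_jitter` seconds."""
    groups = defaultdict(list)
    for e in events:
        if e.get("event", {}).get("code") != 3:
            continue  # only network-connection events matter here
        key = (e["host"]["hostname"], e["user"]["name"], e["process"]["name"], e["destination"]["ip"])
        groups[key].append(datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ"))
    findings = []
    for (host, user, proc, dst), times in groups.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):  # size of the densest window of length `window`
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps)  # 0 for a perfectly periodic beacon
        if jitter <= max_jitter:
            findings.append({"host": host, "user": user, "process": proc, "destination": dst,
                             "count": best, "interval_s": round(mean(gaps), 1),
                             "jitter_s": round(jitter, 1)})
    return findings
```

With the sample above only the powershell.exe group is reported; chrome.exe opens just as many connections but its gaps are too irregular, which is the false positive a pure count threshold would raise.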
Manually run ElastAlert:

```bash
elastalert --verbose --config config.yaml
```

Wait a few minutes.
Create a custom Suricata rule to detect repetitive connections:
```bash
sudo nano /etc/suricata/rules/local.rules
```

Add the following rule:

```
# Detect potential C2 beaconing: 5 or more new outbound TCP connections (SYN
# packets) from one source inside 60 seconds. flags:S,12 matches the SYN of each
# connection attempt rather than every packet of an established flow, and
# threshold type "both" raises one alert per 60 s window once the count is hit.
# With any->any this also fires on busy hosts; outside the lab, narrow the
# destination (for example to the beacon port) or use $HOME_NET/$EXTERNAL_NET.
alert tcp any any -> any any (msg:"Potential C2 Beaconing Activity"; flags:S,12; threshold:type both, track by_src, count 5, seconds 60; classtype:trojan-activity; sid:1000001; rev:1;)
```

```bash
# Reload Suricata rules. local.rules is not loaded by default: list it under
# rule-files in /etc/suricata/suricata.yaml, or pass it to suricata-update
# with --local /etc/suricata/rules/local.rules
sudo systemctl reload suricata
```
This detection lab covers the following MITRE ATT&CK techniques:
Technique ID | Name | Description |
---|---|---|
T1071 | Application Layer Protocol | Detecting C2 communications using web protocols |
T1095 | Non-Application Layer Protocol | Monitoring for unusual network protocols |
T1571 | Non-Standard Port | Identifying communications on uncommon ports |
T1573 | Encrypted Channel | Detecting encrypted communications patterns |
T1105 | Ingress Tool Transfer | Monitoring for file downloads via PowerShell |
T1059.001 | PowerShell | Detecting suspicious PowerShell execution |
🔹 Add YARA rules for file-based detection.
🔹 Integrate MISP for threat intelligence.
🔹 Implement automated containment via Windows Firewall rules.
🔹 Add Sigma rules for standardized detection logic.
🔹 Create a Kibana instance alongside Grafana for additional visualizations.
👤 Arunkumar R