Lab S08 – Detection and Incident Response

Prerequisites

1

Complete Labs S00, S01, S02, S03, and S04 (both Part A and Part B) before starting this lab. All Splunk forwarding, Sysmon, and Zeek infrastructure must already be running.

Prerequisites: S00 · S01 · S02 · S03 · S04A · S04B

2

You need three virtual machines running simultaneously:

Splunk Enterprise on Ubuntu VM (e.g., 192.168.0.136)
Kali Linux attacker VM (e.g., 192.168.0.132)
Windows 10 victim VM with Splunk Universal Forwarder (e.g., 192.168.0.135)

3

Download a Kali Linux image from kali.org/get-kali and import it into your VM software if you have not already done so.

Introduction

Part A — ART Deployment

Part A focuses on the configuration and deployment of Atomic Red Team (ART) from a Kali Linux machine to a Windows 10 host in a controlled lab environment, simulating remote post-exploitation activities. The objective is to prepare the environment for testing MITRE ATT&CK technique T1518.001 (Security Software Discovery) by setting up remote execution using winexe, SMB file transfer, and PowerShell.

A PowerShell script is compiled into a Windows executable using .NET on Kali and served via an NGINX web server to the target host. This script reconfigures the target to allow WinRM and SMB-based communication, opens firewall ports, and enables legacy protocols for full test compatibility. ART modules and atomic test payloads are then transferred to the target using smbclient.

Part B — Detection & Response

Part B examines the detection and analysis of T1518.001 executed remotely via winexe from Kali targeting the Windows 10 system. This technique simulates post-compromise reconnaissance where an adversary identifies installed security defenses. Using Sysmon logs ingested by Splunk, you will detect relevant command-line executions — including chained commands via cmd.exe, netsh.exe, sc.exe, and PowerShell-based AV discovery — then perform a full incident response cycle.

Lab Environment IPs

Windows 10 victim: 192.168.0.135
Kali attacker: 192.168.0.132
Splunk instance: 192.168.0.136

Adjust these IPs to match your own lab network. The Splunk IP is only used for web UI access as in previous labs.

Part A — Kali Dependencies & ART Installation

1

Update your Kali VM and install the required tools: smbclient, winexe, and PowerShell for Linux.

sudo apt update sudo apt install powershell sudo apt install smbclient

Note: This installs PowerShell Core — a cross-platform version built on .NET Core. winexe comes pre-installed on Kali; if not, sudo apt install winexe will redirect to samba-common-bin.

2

Launch PowerShell Core on Kali:

pwsh

3

Inside pwsh, retrieve and install the Invoke-AtomicRedTeam module and the atomics folder:

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicsfolder.ps1' -UseBasicParsing); Install-AtomicsFolder

4

Verify the installation by running a local atomic test:

Invoke-AtomicTest T1548.003-1 -TestNumbers 1

If Invoke-AtomicTest is not found, import the module manually:

Import-Module .\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1;

To list all atomics available for your current platform:

Invoke-AtomicTest All -ShowDetailsBrief -TestNumbers 1

Note: If prompted to install powershell-yaml, run: Install-Module powershell-yaml -Scope CurrentUser -Force

5

Red Canary provides a Getting Started guide for Atomic Red Team. Refer to it for additional context on how atomics are structured.

Part A — Remote Setup & Payload Delivery

WARNING: The following process is meant to be performed in an isolated lab environment only. This will expose your victim Windows 10 machine to remote execution from anywhere on your network. Lab S08B contains steps to reverse these changes. Atomic Red Team is not intended to be used without authorization on any devices you do not personally own — these are emulated malicious techniques intended to aid in the hardening of systems.

1

A PowerShell script needs to be compiled into a Windows executable using .NET on Kali. This script, when run on the victim machine, will open WinRM, enable SMBv1, configure firewall ports, and prepare the system for remote ART execution. Refer to the Part A lab document for the full script contents.

PowerShell script compiled to exe on Kali

2

Serve the compiled executable via NGINX on your Kali machine so the Windows target can download it over HTTP. Start NGINX and verify it is reachable from the victim machine:

sudo service nginx start

3

From the Windows 10 victim machine, download and run the executable. This reconfigures the target for remote access. Refer to the Part A document for the exact PowerShell download command using Invoke-WebRequest.

Executable downloaded and run on Windows 10 victim

4

From Kali, test that remote execution works using winexe:

winexe -U victim%asdfzxc123 //192.168.0.135 "cmd.exe /c whoami"

5

Transfer the ART modules and the specific T1518.001 atomic payload to the Windows victim using smbclient. Place them under C:\Users\Public\AtomicRedTeam\ on the target. Verify the files are present before proceeding to Part B.

smbclient //192.168.0.135/C$ -U victim%asdfzxc123

smbclient file transfer to Windows victim

Part B — Execute ART & Map Output

1

From Kali, execute MITRE ATT&CK T1518.001-1 remotely on the victim via winexe:

winexe -U victim%asdfzxc123 //192.168.0.135 "powershell -ExecutionPolicy Bypass -Command Import-Module C:\\Users\\Public\\AtomicRedTeam\\invoke-atomicredteam\\Invoke-AtomicRedTeam.psd1; Invoke-AtomicTest T1518.001-1 -TestNumbers 1 -PathToAtomicsFolder C:\\Users\\Public\\AtomicRedTeam\\atomics -Confirm:\$false"

The output will be several hundred lines long, enumerating security software, firewall rules, and AV status on the target.

ART T1518.001 execution output from winexe

2

Map the output sections to the underlying commands executed by the atomic test. The key commands run are:

netsh.exe firewall show config — firewall config
netsh.exe advfirewall show allprofiles — all profile settings
netsh.exe advfirewall firewall show rule name=all — all rules
netsh.exe advfirewall show currentprofile — current profile
sc query windefend — Windows Defender service status
Get-Process | Where-Object { $_.ProcessName -eq 'Sysmon' } — Sysmon detection
Get-Service | Where-Object { $_.DisplayName -like '*Sysmon*' } — Sysmon service

Mapping atomic output to T1518.001 YAML commands

Part B — Detection in Splunk

1

Use the T1518.001 YAML to craft a detection query targeting your Sysmon stream. View the atomic YAML with cat AtomicRedTeam/atomics/T1518.001/T1518.001.yaml, then run the following comprehensive SPL in Splunk Search & Reporting:

index=winsysmon source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" ( ( (Image="*\\findstr.exe" OR Image="*\\find.exe" OR OriginalFileName="FINDSTR.EXE" OR OriginalFileName="FIND.EXE") AND ( CommandLine="* virus*" OR CommandLine="* cb*" OR CommandLine="* defender*" OR CommandLine="* cylance*" OR CommandLine="* mc*" OR CommandLine="*symantec*" OR CommandLine="*kaspersky*" OR CommandLine="*sentinel*" OR CommandLine="* 'virus cb defender cylance mc'*" OR CommandLine="*385201*" ) ) OR ( Image="*\\tasklist.exe" OR CommandLine="*tasklist* | *findstr*" ) OR ( Image="*\\netsh.exe" AND ( CommandLine="*advfirewall*" OR CommandLine="*firewall show*" OR CommandLine="*show allprofiles*" OR CommandLine="*firewall dump*" OR CommandLine="*currentprofile*" OR CommandLine="*rule name=all*" OR CommandLine="*set rule*" OR CommandLine="*show config*" OR CommandLine="*show state*" ) ) OR ( Image="*\\wmic.exe" AND ( CommandLine="*AntiVirusProduct*" OR CommandLine="*SecurityCenter2*" OR CommandLine="*MSFT_MpPreference*" ) ) OR ( Image="*\\sc.exe" AND CommandLine="*query*" AND CommandLine="*windefend*" ) OR ( Image="*\\powershell.exe" AND ( CommandLine="*Get-Process*" OR CommandLine="*Get-Service*" OR CommandLine="*Where-Object*" OR CommandLine="*Get-CimInstance*" OR CommandLine="*Get-WmiObject*" OR CommandLine="*Win32_Service*" OR CommandLine="*System Monitor service*" OR CommandLine="*DisplayName -like '*sysm*'*" OR CommandLine="*ProcessName -eq 'Sysmon'*" OR CommandLine="*Get-MpComputerStatus*" OR CommandLine="*Get-MpThreat*" OR CommandLine="*WinDefend*" OR CommandLine="*antivirusproduct*" OR CommandLine="*root\\securitycenter2*" OR CommandLine="*root/securityCenter2*" OR CommandLine="*Get-NetFirewall*" OR CommandLine="*ExclusionPath*" OR CommandLine="*ExclusionExtension*" OR CommandLine="*ExclusionProcess*" OR CommandLine="*DisableRealtimeMonitoring*" ) ) ) |table CommandLine parent_process

Note: Some commands from the ART test are not detectable via Sysmon alone — Get-MpComputerStatus, Get-NetFirewallProfile, wmic AntiVirusProduct, and fltmc | findstr 385201 run inside PowerShell or as piped native commands that don't spawn a new logged process. Full coverage requires PowerShell Script Block Logging forwarded through the Universal Forwarder. You may also see non-malicious Windows Update processes using Get-CimInstance — tuning for your environment is part of effective detection engineering.

Splunk search detecting T1518.001 process events

2

First confirm the parent process of the chained netsh.exe command — search for the Invoke-AtomicTest event and locate its parent_process field. It will show WinExeSvc.exe, confirming remote execution via winexe:

index=winsysmon EventCode=1 CommandLine="*Invoke-AtomicTest*"

Now correlate against the packet_stream index. This query takes the timestamp of the Invoke-AtomicTest event and searches for SMB/WinRM traffic in a ±60-second window:

index=winsysmon EventCode=1 CommandLine="*Invoke-AtomicTest*" | eval start_time=_time - 60 | eval end_time=_time + 60 | table _time host start_time end_time | map maxsearches=10 search=" search index=packet_stream earliest=$start_time$ latest=$end_time$ dest_port IN (135, 139, 445, 5985, 5986, 3389) " | table dest_ip dest_port dest_mac src_ip src_port src_mac protocol_stack

This confirms a connection on port 445 from 192.168.0.132 using the ip:tcp:smb protocol stack — the signature of winexe and smbclient. To generalize to any command run via winexe (your primary alert candidate):

index=winsysmon EventCode=1 parent_process="*winexe*" | eval start_time=_time - 60 | eval end_time=_time + 60 | table _time host start_time end_time | map maxsearches=13 search=" search index=packet_stream earliest=$start_time$ latest=$end_time$ dest_port IN (135, 139, 445, 5985, 5986, 3389) " | table dest_ip dest_port dest_mac src_ip src_port src_mac protocol_stack

Note: maxsearches=13 is set above the default of 10 because more events may be returned in your index. This query/alert surfaces the suspect IP addresses from which winexe commands originated. Alert setup steps are covered in Lab S04B.

3

Correlate the process tree: identify that winexe spawned cmd.exe, which spawned powershell.exe, which in turn ran the enumeration commands. This parent-child chain is a strong indicator of remote execution.

Process tree correlation in Splunk for remote ART execution

Part B — Analysis & Response

1

Root Cause Analysis: Trace the attack chain — the victim was opened to remote execution by the setup script from Part A. The attacker (Kali) used SMB and winexe to remotely invoke Atomic Red Team, which executed a series of enumeration commands via PowerShell and Windows binaries (LOLBins).

2

Block the Attacker IP: As a temporary measure, block the identified Kali IP (192.168.0.132) on the victim machine. In an Administrator PowerShell on your victim Windows 10 machine:

New-NetFirewallRule -DisplayName "Block Inbound from 192.168.0.132" ` -Direction Inbound ` -Action Block ` -RemoteAddress 192.168.0.132 ` -Protocol Any ` -Enabled True ` -Profile Any New-NetFirewallRule -DisplayName "Block Outbound to 192.168.0.132" ` -Direction Outbound ` -Action Block ` -RemoteAddress 192.168.0.132 ` -Protocol Any ` -Enabled True ` -Profile Any

Ensure the firewall is enabled and verify the block by retesting winexe from Kali — no response indicates the block is working:

Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

To remove the block rules later:

Remove-NetFirewallRule -DisplayName "Block Outbound to 192.168.0.132" Remove-NetFirewallRule -DisplayName "Block Inbound from 192.168.0.132"

Note: This is a temporary host-based measure. While the vulnerability remains open, a malicious actor could pivot or NAT through another host. A network-positioned firewall (pfSense, XDR/EDR) can enforce the block at the network layer instead.

3

Identify Configuration Changes: Start with a simple check of enabled Windows optional features:

Get-WindowsOptionalFeature -Online | Where-Object { $_.State -eq 'Enabled' } | Select-Object FeatureName, State

SMBv1 (SMB1Protocol) will appear as enabled. Return to Splunk and search for encoded PowerShell commands, which were used to hide the configuration changes from Sysmon:

index=winsysmon *Encoded* | table parent_process

The parent_process field will show both the location of the executable (run from the victim's Downloads folder) and the Base64-encoded command it passed to PowerShell. Decode that Base64 string at base64decode.org (use AUTO-DETECT mode) to retrieve the original PowerShell script — this reveals the full set of configuration changes made by the setup executable from Part A.

4

Block Executables from the Download Folder: The attack dropped the payload into C:\Users\*\Downloads\. Use AppLocker to prevent execution from this path. Note: AppLocker path rules require Windows 10 Enterprise or Education.

$rule = New-AppLockerFileRule -RuleType Path -User Everyone -Action Deny -Path "C:\Users\*\Downloads\*.exe" -RuleName "BlockDownloadsEXE" $policy = New-AppLockerPolicy -RuleObject $rule Set-AppLockerPolicy -PolicyObject $policy -Merge

5

Reverse Execution Changes: Run the following script in Administrator PowerShell on the victim machine. This reverses all configuration changes made by the setup executable in Part A — disabling WinRM, SMBv1/SMB2, admin shares, and firewall rules:

# REVERT SCRIPT: Restores system state after ART/Winexe setup $ProgressPreference = 'SilentlyContinue' # Reset network profile to Public Set-NetConnectionProfile -NetworkCategory Public -ErrorAction SilentlyContinue # Disable PowerShell Remoting Disable-PSRemoting -Force -ErrorAction SilentlyContinue # Disable Unencrypted WinRM and TrustedHosts Set-Item wsman:\localhost\Service\AllowUnencrypted -Value $false -Force -ErrorAction SilentlyContinue Set-Item wsman:\localhost\Client\TrustedHosts -Value '' -Force -ErrorAction SilentlyContinue # Stop and disable WinRM Stop-Service WinRM -Force -ErrorAction SilentlyContinue Set-Service WinRM -StartupType Disabled -ErrorAction SilentlyContinue # Disable SMB2 Set-SmbServerConfiguration -EnableSMB2Protocol $false -Force -ErrorAction SilentlyContinue # Disable SMB1 and uninstall features Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Server -NoRestart -ErrorAction SilentlyContinue # Reset SMB1 registry key (set to 0) Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Value 0 -Force -ErrorAction SilentlyContinue # Stop and disable LanmanServer Stop-Service LanmanServer -Force -ErrorAction SilentlyContinue Set-Service LanmanServer -StartupType Disabled -ErrorAction SilentlyContinue # Disable administrative shares reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f # Remove temporary admin shares net share ADMIN$ /delete > $null 2>&1 net share C$ /delete > $null 2>&1 # Remove firewall rules Get-NetFirewallRule -DisplayName "Allow SMB Winexe" | Remove-NetFirewallRule -ErrorAction SilentlyContinue Get-NetFirewallRule -DisplayName "Allow WinRM" | Remove-NetFirewallRule -ErrorAction SilentlyContinue netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No > $null 2>&1 # Remove current user from Remote Management Users group net localgroup "Remote Management Users" $env:UserName /delete > $null 2>&1 # Remove LocalAccountTokenFilterPolicy Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue

Verify the reversal by attempting a winexe connection from Kali — it should now fail.

Detection Engineering & Strategic Improvements

1

Create a Splunk Alert: Using the detection queries from the previous section as your base, save them as Splunk alerts via Save As → Alert. Configure the alert type as Scheduled, set it to run on a cron schedule, and trigger when the number of results is greater than zero. Add actions to send an email and add to triggered alerts. Refer to the Part B lab document for the exact SPL used for alert creation.

Splunk detection rule for T1518.001 activity

2

MITRE ATT&CK Mapping: Tag your Splunk alert with T1518.001 (Security Software Discovery) under the Discovery tactic. This is the technique emulated by the Atomic Red Team test in this lab.

3

Strategic Improvements:

Implement network segmentation to prevent cross-VM SMB access in production
Deploy Splunk's ES (Enterprise Security) or the ESCU (ES Content Updates) app for pre-built T1518 detections
Add a baseline of normal netsh.exe usage so anomalies are easier to detect
Automate continuous ART execution in a sandbox (CALDERA, Ansible) to continuously validate your detection coverage
Use Splunk ML Toolkit to build a model distinguishing legitimate security-tool enumeration from adversarial reconnaissance