Step-by-Step Guide: SOC Automation — SMB Threat Hunting & Incident Response Lab

This project simulates a malicious insider who exploits a Windows server vulnerability over the SMB protocol to deliver backdoor malware. Automation is applied across the incident response lifecycle, with the objective of detecting, containing, and eradicating the threat effectively, which highlights the value of modern security operations practice.

Affected: Windows Server, SMB Protocol, Insider Threats, Cybersecurity Environment

Key points:

  • The WannaCry ransomware attack in 2017 underscored the need for advanced cybersecurity solutions.
  • The project simulates an insider threat that compromises a Windows server over the SMB protocol.
  • Automation and the incident response lifecycle are leveraged for threat detection and containment.
  • Defensive measures include log monitoring, email alerts, and JIRA integration for incident tracking.
  • Specific tools, namely Sysmon, Splunk Enterprise, and Splunk SOAR, are essential for effective threat management.
  • The project covers several phases: setup, integration, testing, and post-incident review.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol (SMB): The SMB protocol was used to deliver backdoor malware.
  • T1086 – PowerShell: Employed to execute scripts and payloads for threat actions.
  • T1070 – Indicator Removal on Host: Registry settings were altered to maintain persistence of the malware.
  • T1027 – Obfuscated Files or Information: Payload and delivery methods were used that obscure their intended purpose.
  • T1046 – Network Service Scanning: Live hosts and the SMB service were scanned for prior to exploitation.

Indicators of Compromise:

  • No IOCs found

Full story: https://detect.fyi/step-by-step-guide-soc-automation-smb-threat-hunting-incident-response-lab-b6e48da2750d?source=rss—-d5fd8f494f6a—4