Project Summary

This project demonstrates a network-based attack simulation where a staged Meterpreter reverse shell payload (update.exe) is delivered from a Kali Linux attacker to a Windows 10 victim via HTTP. Detection is achieved through Sysmon endpoint telemetry forwarded to Wazuh SIEM, with additional network-layer detection via Suricata IDS.

Overview

This lab simulates a full attack chain — from payload generation to post-exploitation reconnaissance — and validates detection across three layers: EDR (Sysmon), SIEM (Wazuh), and IDS (Suricata).

The objective was to demonstrate that multi-layer detection significantly increases confidence when investigating a compromise.

Lab Environment

Role       | OS                 | IP            | Tools
Attacker   | Kali Linux (VM)    | 192.168.0.244 | Metasploit 6.4.56, msfvenom
Victim     | Windows 10 (VM)    | 192.168.0.29  | Sysmon v15, Wazuh Agent 004
SIEM / IDS | Ubuntu Server (VM) |               | Wazuh 4.x, Suricata

Network: Isolated lab environment. Microsoft Defender disabled on victim for simulation purposes.

Attack Chain

  1. Payload generation — msfvenom creates update.exe (windows/x64/meterpreter/reverse_tcp)
  2. Delivery — Python HTTP server serves payload; victim downloads via browser
  3. Execution — victim runs update.exe; Meterpreter session opens on port 4444
  4. Reconnaissance — attacker runs whoami, ipconfig, net user, net localgroup administrators

Detection Results

Sysmon Event ID 1 — Process Creation

update(2).exe spawned from explorer.exe with no file metadata (no FileVersion, Company, Description). Unsigned binary — MD5: 856F45F605191F839014C98830D2525F

[Figure: Sysmon Event ID 1 capturing update(2).exe execution — unsigned binary, no metadata, spawned from explorer.exe.]

whoami.exe spawned from cmd.exe inside the Downloads directory — post-exploitation recon pattern.

[Figure: Sysmon Event ID 1 — whoami.exe spawned from cmd.exe in C:\Users\vboxuser\Downloads\.]

Sysmon Event ID 3 — Network Connection (C2)

update(2).exe initiated outbound TCP connection to 192.168.0.244:4444.

[Figure: Sysmon Event ID 3 — update(2).exe connecting to attacker IP 192.168.0.244 on port 4444.]

Wazuh — Account Discovery Alert (T1087)

The net localgroup administrators command triggered Wazuh Rule 92031. Four alerts fired in rapid succession for Account Discovery activity from agent windows10-lab.

[Figure: Wazuh alert detail — Rule 92031, MITRE T1087 Account Discovery, triggered by net localgroup administrators.]
[Figure: Wazuh dashboard showing 4 T1087 Account Discovery alerts from windows10-lab.]

Suricata — Network-Layer Detection

Suricata fast.log captured three key signatures:

  • ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response — EXE file downloaded over HTTP
  • ET INFO Python SimpleHTTP ServerBanner — attacker’s delivery server identified
  • SURICATA Applayer Protocol detection skipped — unknown protocol on port 4444 (C2 channel)

[Figure: Suricata fast.log showing MZ response detection, Python HTTP server banner, and C2 traffic on port 4444.]
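Suricata's fast.log is a one-record-per-line text format, so the three signatures listed above can be parsed and correlated with a few lines of code. The block below is an added example, not the lab's own tooling: it parses constructed fast.log records (the timestamps, sid/gid/rev values, classifications, source ports and the assumed delivery port 8000 are placeholders, not the real Emerging Threats rule IDs; only the two lab IPs and port 4444 come from the page) and folds them onto the remote peer, so that a single host both serving an MZ response and being contacted on a non-web port is surfaced as the delivery-plus-C2 pairing described here.

```python
"""Parse Suricata fast.log records and correlate them per remote host.

Added example, not the lab's own code. The sample records are constructed
around the three signature names on this page; timestamps, sid/gid/rev
numbers, classifications, source ports and the delivery port 8000 are
placeholders (not the real Emerging Threats rule IDs). Only the two lab IPs
and the C2 port 4444 are taken from the page. IPv4 only.
"""
import re
from typing import Dict, List, Optional, Tuple

# One fast.log record:
#   ts  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

# Constructed records; the final line is deliberately malformed to exercise the parser's skip path.
SAMPLE_FASTLOG = """\
01/01/2025-12:00:01.000001  [**] [1:1000001:1] ET INFO Python SimpleHTTP ServerBanner [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.244:8000 -> 192.168.0.29:49710
01/01/2025-12:00:01.000500  [**] [1:1000002:1] ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.244:8000 -> 192.168.0.29:49710
01/01/2025-12:00:20.000000  [**] [1:1000003:1] SURICATA Applayer Protocol detection skipped [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.29:49711 -> 192.168.0.244:4444
junk line that does not match the record layout
"""


def parse_line(line: str) -> Optional[Dict]:
    """Return a record dict for one fast.log line, or None if it is not a record."""
    m = FASTLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def parse_fastlog(text: str) -> List[Dict]:
    """Non-matching lines are dropped rather than raised on; fast.log can contain partial writes."""
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def profile_remote_hosts(alerts: List[Dict], local_ip: str) -> Dict[str, Dict]:
    """Fold alerts onto the non-local peer: which signatures it tripped and which of its
    ports were involved, regardless of which side opened the connection."""
    profiles: Dict[str, Dict] = {}
    for a in alerts:
        if a["src"] == local_ip:
            peer, peer_port = a["dst"], a["dport"]
        elif a["dst"] == local_ip:
            peer, peer_port = a["src"], a["sport"]
        else:
            continue  # flow does not involve the monitored host
        p = profiles.setdefault(peer, {"msgs": set(), "ports": set(), "count": 0})
        p["msgs"].add(a["msg"])
        p["ports"].add(peer_port)
        p["count"] += 1
    return {ip: {"msgs": sorted(p["msgs"]), "ports": sorted(p["ports"]), "count": p["count"]}
            for ip, p in profiles.items()}


def delivery_plus_callback(profiles: Dict[str, Dict],
                           web_ports: Tuple[int, ...] = (80, 443, 8000)) -> List[Tuple[str, List[int]]]:
    """Remote hosts that both served a PE (an MZ-response signature) and were reached on a
    port outside the web set: the delivery-then-C2 pairing the page describes."""
    flagged = []
    for ip, p in profiles.items():
        served_pe = any("MZ Response" in msg for msg in p["msgs"])
        odd_ports = [port for port in p["ports"] if port not in web_ports]
        if served_pe and odd_ports:
            flagged.append((ip, odd_ports))
    return flagged


if __name__ == "__main__":
    hosts = profile_remote_hosts(parse_fastlog(SAMPLE_FASTLOG), "192.168.0.29")
    for ip, ports in delivery_plus_callback(hosts):
        print(ip, "served a PE and was contacted on", ports)
```

The point of folding onto the peer rather than reading alerts one at a time is that the "Applayer Protocol detection skipped" event is weak on its own (plenty of benign traffic uses unrecognised protocols), whereas the same host having just returned an MZ header over HTTP makes the unknown-protocol connection to it far more interesting. In production the same profile would be keyed over eve.json alerts rather than fast.log, which is rotated and not meant for parsing at scale.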

MITRE ATT&CK Techniques Observed

Technique ID | Name
T1059.003    | Command and Scripting Interpreter: Windows Command Shell
T1087        | Account Discovery — Wazuh Rule 92031, 4 alerts
T1105        | Ingress Tool Transfer — payload via Python HTTP server
T1571        | Non-Standard Port — C2 on port 4444
T1562.001    | Impair Defenses — Defender disabled

Key Findings

  • A staged Meterpreter reverse shell was successfully delivered and executed on the victim machine.
  • Sysmon EID 1 identified the malicious binary by the absence of file metadata — a reliable IOC for unsigned payloads.
  • Sysmon EID 3 confirmed the C2 connection with full source/destination detail.
  • Wazuh fired 4 alerts for post-exploitation reconnaissance (T1087).
  • Suricata independently confirmed payload delivery and C2 communication at the network layer.
  • Key lesson: no single tool caught everything — multi-layer detection (EDR + SIEM + IDS) is essential.
