Detection Engineering project simulating malware attacks and improving defensive capabilities using Sigma rules and the Pyramid of Pain.
Detection Engineering Report - Summit Room Challenge
Overview
This project is based on a purple-team simulation completed on TryHackMe, focused on improving malware detection capabilities in a controlled environment.
The objective was to detect and prevent malware execution while forcing the adversary to adapt their techniques by progressively strengthening detection mechanisms.
This approach aligns with the principles of the Pyramid of Pain, where higher-level detections increase the operational cost for attackers.
Objective
To simulate real-world adversarial behavior and enhance detection capabilities by implementing multiple layers of defense, ranging from basic indicators to behavioral-based detection.
Scenario
The simulation took place on a controlled internal workstation. An external penetration tester attempted to execute multiple malware samples, while I was responsible for detecting and preventing these activities by configuring and improving security controls.
Approach
Phase 1: Hash-Based Detection
The malware sample was executed in a sandbox environment and analyzed using VirusTotal. The MD5 hash was identified as malicious and added to the blocklist in PicoSecure.
This prevented the execution of the known malicious file.
Figure 1: Hash-based detection and blocking
Phase 2: IP-Based Detection
Since hash-based detection is easily bypassed (any change to the file produces a new hash), detection was improved by blocking the malicious IP address:
154.35.10.113
Blocking IPs increases attacker effort, as they must change infrastructure instead of simply modifying files.
Phase 3: Domain-Based Detection
To further strengthen detection, the malicious domain was blocked:
emudyn.bresonicz.info
Blocking domains is more effective than IP blocking, as attackers often rotate IP addresses behind domains.
Phase 4: Registry-Based Detection (Defense Evasion)
The malware attempted to disable Windows Defender Real-Time Protection by modifying the registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
Value: DisableRealtimeMonitoring = 1
A Sigma rule was created using Sysmon logs to detect this behavior.
Mapped to:
MITRE ATT&CK: Defense Evasion (TA0005)
Figure 2: Registry modification detection
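As an added illustration of the Phase 4 detection (not the rule written for this project), the Sigma-style selection below is evaluated against constructed Sysmon Event ID 13 records; the rule body, the matcher and the sample events are assumptions, while the field names (EventID, Image, TargetObject, Details) are Sysmon's own.

```python
# Rule modelled on the Phase 4 detection: Sysmon Event ID 13 (RegistryEvent, value set)
# where Defender real-time monitoring is switched off. Field names are Sysmon's own;
# the rule body is an illustrative reconstruction, not the project's original rule.
RULE = {
    "tags": ["attack.defense_evasion", "attack.ta0005"],
    "detection": {
        "selection": {
            "EventID": 13,
            "TargetObject|endswith": "\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
            "Details": "DWORD (0x00000001)",
        },
        "condition": "selection",
    },
}

def _field_matches(event, key, expected):
    """Evaluate one selection entry, honouring Sigma's |contains and |endswith modifiers."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual, wanted = str(event[field]).lower(), str(expected).lower()  # Sigma matches case-insensitively
    if modifier == "":
        return actual == wanted
    if modifier == "contains":
        return wanted in actual
    if modifier == "endswith":
        return actual.endswith(wanted)
    raise ValueError(f"unsupported modifier: {modifier}")

def matches(rule, event):
    """Entries of a selection map are AND-ed, as in Sigma; the condition is a bare selection name."""
    detection = rule["detection"]
    selection = detection[detection["condition"]]
    return all(_field_matches(event, k, v) for k, v in selection.items())

# Constructed Sysmon Event ID 13 records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},                # monitoring disabled: should alert
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},                # re-enabled: benign
    {"EventID": 12, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection"},  # key created only
]

def detect(events, rule=RULE):
    """Return the process images whose registry writes triggered the rule."""
    return [e["Image"] for e in events if matches(rule, e)]
```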
Phase 5: Beaconing Detection (Command & Control)
The attacker established a Command & Control (C2) channel with:
IP: 51.102.10.19
Port: 443
Data Size: 97 bytes
Interval: Every 1800 seconds
This behavior indicated beaconing activity. A Sigma rule was created to detect repeated network patterns.
Mapped to:
MITRE ATT&CK: Command & Control (TA0011)
Figure 3: Beaconing detection rule
Phase 6: Exfiltration Detection
The attacker performed reconnaissance and data exfiltration by storing command outputs in:
Path: %temp%\exfiltr8.log
A Sigma rule was created to detect suspicious file creation in temporary directories.
Mapped to:
MITRE ATT&CK: Exfiltration (TA0010)
Figure 4: Rule creation for exfiltration detection
Figure 5: Final Sigma rule output
Key Learnings
This simulation demonstrated how detection evolves when moving up the Pyramid of Pain:
Hashes: Easy to bypass
IPs/Domains: Moderate difficulty
Behavioral Detection: Hard to evade
Key takeaways:
Static indicators are insufficient for long-term defense
Behavioral detection provides stronger security
Detection engineering increases attacker cost and complexity
Conclusion
This project demonstrates the progression from basic IOC-based detection to advanced behavioral detection techniques.
By implementing layered detection strategies and creating Sigma rules, it was possible to disrupt attacker activity at multiple stages and significantly improve defensive capabilities.
Tools & Technologies
Sysmon
Sigma Rules
VirusTotal
PicoSecure Platform