In a previous red team simulation project, we demonstrated how an attacker could successfully execute Command and Control (C2) operations using phishing techniques and a backdoor in a controlled lab environment. The outcome highlighted significant visibility gaps in the organization's ability to detect and respond to such threats.
Based on the simulation findings, the organization made a strategic decision to deploy Splunk as a Security Information and Event Management (SIEM) solution. This project involves the end-to-end setup and configuration of Splunk to collect, normalize, analyze, and visualize logs from critical endpoints, servers, and network devices.
First, we create a free trial account on Splunk and download the setup file.
Splunk dashboard
Sysmon64.exe -accepteula -i sysmonconfig.xml
If you encounter any issues or need to investigate suspicious activity, export the Sysmon event logs and analyze them using your preferred monitoring tool.
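The install command above only puts Sysmon in place; before relying on it as a log source, a defender wants to confirm the service is actually running and emitting events, and have a repeatable way to export the log. The following PowerShell script is an added example, not part of the original project write-up. It assumes Sysmon64.exe and sysmonconfig.xml are in the current directory, that it runs in an elevated session, and that Sysmon was installed under its default service name (Sysmon64); the export file name is a constructed value.

```powershell
# Added example (not from the original write-up): install or reconfigure Sysmon,
# confirm it is producing telemetry, and export the operational log for offline
# analysis. Assumes an elevated session with Sysmon64.exe and sysmonconfig.xml
# in the current directory.
$ErrorActionPreference = 'Stop'

$sysmonExe  = Join-Path (Get-Location) 'Sysmon64.exe'
$configXml  = Join-Path (Get-Location) 'sysmonconfig.xml'
$exportPath = Join-Path $env:TEMP ("sysmon-{0}.evtx" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# '-i' installs Sysmon with the given config. If the service already exists,
# '-c' reloads the configuration instead of failing on a second install.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmonExe -accepteula -c $configXml
} else {
    & $sysmonExe -accepteula -i $configXml
}

# A stopped service means no telemetry reaches the SIEM, so fail loudly here.
$svc = Get-Service -Name 'Sysmon64'
if ($svc.Status -ne 'Running') {
    throw "Sysmon64 service is $($svc.Status), expected Running"
}

# Health check: count events from the last 15 minutes by Sysmon Event ID
# (1 = process create, 3 = network connect, 11 = file create, ...).
$since = (Get-Date).AddMinutes(-15)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -Property @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Show the ten most recent process-creation events (Event ID 1) with the
# fields an analyst looks at first: parent image, image, command line.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Sysmon stores its fields as <Data Name="..."> elements in the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ParentImage = $d['ParentImage']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
        }
    } | Format-Table -Wrap -AutoSize

# Export the whole operational log (.evtx) for offline review or ingestion.
wevtutil epl 'Microsoft-Windows-Sysmon/Operational' $exportPath
Write-Host "Exported Sysmon log to $exportPath"
```

Run it once right after installing Sysmon: an empty Event ID table usually means the configuration filtered everything out or the service is not running, which is worth catching before the Splunk input is configured and the gap goes unnoticed.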
Select Monitor.