Ransomware Simulator for In-Depth Analysis and Detection: Leveraging Centralized Logging and Sysmon for Improved Cybersecurity
Abstract
Ransomware attacks have become increasingly prevalent and sophisticated, posing significant threats to organizations and individuals worldwide. To combat these threats effectively, security professionals must continuously develop and adapt their detection and mitigation strategies. This master's thesis presents the design and implementation of a ransomware simulator to facilitate an in-depth analysis of ransomware Tactics, Techniques, and Procedures (TTPs) and to evaluate the effectiveness of centralized logging and Sysmon, including the latest event types, in detecting and responding to such attacks.

The study explores the advanced capabilities of Sysmon as a logging tool and data source, focusing on its ability to capture multiple event types, such as file creation, process execution, and network traffic, as well as the newly added event types. The aim is to demonstrate the effectiveness of Sysmon in detecting and analyzing malicious activities, with an emphasis on the latest features. By covering the full course of a cyber-attack rather than a single stage, the study showcases the versatility and utility of Sysmon in detecting and addressing various attack vectors.

The ransomware simulator is developed as a PowerShell script that emulates various ransomware TTPs and attack scenarios, providing a comprehensive and realistic simulation of a ransomware attack. Sysmon, a powerful system monitoring tool, is used to monitor and log the activities associated with the simulated attack, including the events generated by the new Sysmon features. Centralized logging is achieved through integration with Splunk Enterprise, a widely used platform for log analysis and management. The collected logs are then analyzed to identify patterns, indicators of compromise (IoCs), and potential detection and mitigation strategies.

Through the development of the ransomware simulator and the subsequent analysis of Sysmon logs, this research contributes to strengthening the security posture of organizations and improving cybersecurity measures against ransomware threats, with a focus on the latest Sysmon capabilities. The results demonstrate the importance of monitoring and analyzing system events to detect and respond to ransomware attacks effectively. This research can serve as a basis for further exploration of ransomware detection and response strategies, contributing to the advancement of cybersecurity practices and the development of more robust security measures against ransomware threats.
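The kind of log analysis the abstract describes, as an added example that is not part of the thesis: a Python detector that groups Sysmon Event ID 11 (FileCreate) records per process and flags any process that creates many files sharing one extension within a short window, the file-creation pattern a mass-encryption run leaves behind. The sample records, the process names, the `.locked` extension and the thresholds (5 files in 10 seconds) are constructed assumptions, not values from the thesis.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SYSMON_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime field format

# Constructed Sysmon Event ID 11 (FileCreate) records, reduced to the fields
# the rule needs: (UtcTime, ProcessId, Image, TargetFilename). Not real logs.
SIM = r"C:\Users\alice\sim.exe"
SAMPLE_EVENTS = [
    ("2024-05-01 10:00:00.000", 4321, SIM, r"C:\Users\alice\Documents\q1.docx.locked"),
    ("2024-05-01 10:00:00.250", 4321, SIM, r"C:\Users\alice\Documents\q2.xlsx.locked"),
    ("2024-05-01 10:00:00.500", 4321, SIM, r"C:\Users\alice\Documents\q3.pptx.locked"),
    ("2024-05-01 10:00:00.750", 4321, SIM, r"C:\Users\alice\Pictures\p1.jpg.locked"),
    ("2024-05-01 10:00:01.000", 4321, SIM, r"C:\Users\alice\Pictures\p2.png.locked"),
    ("2024-05-01 10:00:01.250", 4321, SIM, r"C:\Users\alice\Desktop\notes.txt.locked"),
    ("2024-05-01 10:00:05.000", 4321, SIM, r"C:\Users\alice\Desktop\README_RESTORE.txt"),
    ("2024-05-01 10:00:01.000", 880, r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\cab1.tmp"),
    ("2024-05-01 10:00:10.000", 2200, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     r"C:\Users\alice\Documents\~$draft.docx"),
]

def parse_event(record):
    """Turn one raw record into a dict with a parsed timestamp and extension."""
    utc, pid, image, target = record
    return {"time": datetime.strptime(utc, SYSMON_TIME_FMT), "pid": pid,
            "image": image, "ext": PureWindowsPath(target).suffix.lower()}

def find_burst_processes(records, min_files=5, window=timedelta(seconds=10)):
    """Return {(pid, image): (count, ext)} for each process that created at
    least `min_files` files sharing one extension within `window`.
    Thresholds are assumed values for the example, not tuned rule settings."""
    by_proc = defaultdict(list)
    for ev in map(parse_event, records):
        by_proc[(ev["pid"], ev["image"])].append(ev)
    hits = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            # Sliding window anchored at evs[i]: count creates per extension
            per_ext = defaultdict(int)
            for ev in evs[i:]:
                if ev["time"] - start["time"] > window:
                    break
                per_ext[ev["ext"]] += 1
            ext, count = max(per_ext.items(), key=lambda kv: kv[1])
            if count >= min_files and count > hits.get(key, (0, ""))[0]:
                hits[key] = (count, ext)
    return hits
```

The same grouping translates directly into a Splunk search over Sysmon EventCode 11 (bucket by time, count by ProcessId and extension), which is where the thesis's centralized logging would run it.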