dc.description.abstract | Abstract
Ransomware attacks have become increasingly prevalent and sophisticated, posing significant threats to organizations and individuals worldwide. To effectively combat these threats,
security professionals must continuously develop and adapt their detection and mitigation
strategies. This master thesis presents the design and implementation of a ransomware simulator to facilitate an in-depth analysis of ransomware Tactics, Techniques, and Procedures
(TTPs) and to evaluate the effectiveness of centralized logging and Sysmon, including the
latest event types, in detecting and responding to such attacks.
The study explores the advanced capabilities of Sysmon as a logging tool and data source,
focusing on its ability to capture multiple event types, such as file creation, process execution,
and network traffic, as well as the newly added event types. The aim is to demonstrate the
effectiveness of Sysmon in detecting and analyzing malicious activities, with an emphasis on
the latest features. By focusing on the comprehensive aspects of a cyber-attack, the study
showcases the versatility and utility of Sysmon in detecting and addressing various attack
vectors.
The ransomware simulator is developed using a PowerShell script that emulates various
ransomware TTPs and attack scenarios, providing a comprehensive and realistic simulation
of a ransomware attack. Sysmon, a powerful system monitoring tool, is utilized to monitor
and log the activities associated with the simulated attack, including the events generated by
the new Sysmon features. Centralized logging is achieved through the integration of Splunk
Enterprise, a widely used platform for log analysis and management. The collected logs are
then analyzed to identify patterns, indicators of compromise (IoCs), and potential detection
and mitigation strategies.
Through the development of the ransomware simulator and the subsequent analysis of
Sysmon logs, this research contributes to strengthening the security posture of organizations
and improving cybersecurity measures against ransomware threats, with a focus on the latest
Sysmon capabilities. The results demonstrate the importance of monitoring and analyzing
system events to effectively detect and respond to ransomware attacks. This research can serve
as a basis for further exploration of ransomware detection and response strategies, contributing
to the advancement of cybersecurity practices and the development of more robust security
measures against ransomware threats. | |