Adversary emulation scenarios using Atomic Red Team to validate SIEM detection coverage. 3 attack scenarios covering 10 MITRE ATT&CK techniques across the credential theft → lateral movement → persistence kill chain.
Each scenario documents the full attack → detect → investigate → contain cycle, simulating how a SOC analyst would handle a real intrusion.
| Scenario | ATT&CK Techniques | Kill Chain Phase | Detections Validated |
|---|---|---|---|
| Credential Dumping | T1003.001, T1003.003, T1003.006 | Initial compromise → credential theft | 4 rules |
| Lateral Movement | T1021.001, T1570, T1047 | Credential use → host-to-host movement | 3 rules |
| Persistence & Evasion | T1543.003, T1547.001, T1053.005, T1070.001 | Foothold → persistence → cover tracks | 4 rules |
```
Kill Chain Progression
═══════════════════════

Credential Access           Lateral Movement          Persistence / Evasion
─────────────────           ────────────────          ─────────────────────
T1003.001 LSASS Dump        T1021.001 RDP             T1543.003 New Service
T1003.003 NTDS Copy         T1570     PsExec          T1547.001 Registry Run Key
T1003.006 DCSync            T1047     WMI             T1053.005 Scheduled Task
                                                      T1070.001 Log Clearing

Scenario 1 ──────────▶ Scenario 2 ──────────▶ Scenario 3
```
Each scenario maps to specific detection rules in the Detection-Engineering-Lab:
| Technique | Expected Detection | Dashboard |
|---|---|---|
| T1003.001 LSASS Dump | lsass-memory-dump.spl | Authentication Overview |
| T1003.003 NTDS Copy | ntds-shadow-copy.spl | Endpoint Process Activity |
| T1003.006 DCSync | dcsync-detection.spl | Authentication Overview |
| T1021.001 RDP | rdp-lateral-movement.spl | Network Connections |
| T1570 PsExec | psexec-execution.spl | Endpoint Process Activity |
| T1047 WMI | wmi-remote-execution.spl | Endpoint Process Activity |
| T1543.003 Service | new-service-created.spl | Persistence Mechanisms |
| T1547.001 Run Key | registry-run-key.spl | Persistence Mechanisms |
| T1053.005 Sched Task | scheduled-task-created.spl | Endpoint Process Activity |
| T1070.001 Log Clear | event-log-cleared.spl | Alert Summary |
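Each rule in the table keys on a specific event, and it is worth knowing which one before firing the atomic, because a rule that never sees its event (Sysmon not installed, object-access auditing off on the DC) will not fire no matter how loud the attack is. The PowerShell below is an added example, not code from this repo or from the Detection-Engineering-Lab rules: it replays constructed Sysmon, Security and System events through a small rule table built on the same telemetry the expected detections rely on (Sysmon 10 to lsass.exe, 4662 with the DS-Replication-Get-Changes GUIDs, 4624 type 10, 7045, Sysmon 13 on Run keys, 4698, 1102). The rule logic, the event shapes and the host names are assumptions for illustration, not the lab's SPL.

```powershell
# Added example; not code from this repo or from the Detection-Engineering-Lab rules.
# Replays constructed events through a rule table keyed on the telemetry each
# expected .spl rule needs. Field names follow the Sysmon / Windows event schemas;
# the matching logic is an assumption written for this illustration.

$Rules = @(
  @{ Technique='T1003.001'; Rule='lsass-memory-dump.spl'
     Test={ param($e) $e.Source -eq 'Sysmon' -and $e.EventID -eq 10 -and
            $e.TargetImage -like '*\lsass.exe' -and (([int]$e.GrantedAccess) -band 0x10) } }  # PROCESS_VM_READ
  @{ Technique='T1003.003'; Rule='ntds-shadow-copy.spl'
     Test={ param($e) $e.Source -eq 'Sysmon' -and $e.EventID -eq 1 -and
            ($e.CommandLine -match 'vssadmin.*create\s+shadow' -or $e.CommandLine -match 'ntdsutil.*ifm') } }
  @{ Technique='T1003.006'; Rule='dcsync-detection.spl'
     Test={ param($e) $e.Source -eq 'Security' -and $e.EventID -eq 4662 -and
            $e.Properties -match '1131f6a[ad]-9c07-11d1-f79f-00c04fc2dcd2' -and   # Get-Changes / Get-Changes-All
            $e.SubjectUserName -notmatch '\$$' } }                                 # DCs replicate legitimately
  @{ Technique='T1021.001'; Rule='rdp-lateral-movement.spl'
     Test={ param($e) $e.Source -eq 'Security' -and $e.EventID -eq 4624 -and $e.LogonType -eq 10 } }
  @{ Technique='T1570';     Rule='psexec-execution.spl'
     Test={ param($e) $e.Source -eq 'System' -and $e.EventID -eq 7045 -and $e.ServiceName -like 'PSEXESVC*' } }
  @{ Technique='T1047';     Rule='wmi-remote-execution.spl'
     Test={ param($e) $e.Source -eq 'Sysmon' -and $e.EventID -eq 1 -and $e.ParentImage -like '*\WmiPrvSE.exe' } }
  @{ Technique='T1543.003'; Rule='new-service-created.spl'
     Test={ param($e) $e.Source -eq 'System' -and $e.EventID -eq 7045 -and $e.ServiceName -notlike 'PSEXESVC*' } }
  @{ Technique='T1547.001'; Rule='registry-run-key.spl'
     Test={ param($e) $e.Source -eq 'Sysmon' -and $e.EventID -eq 13 -and
            $e.TargetObject -match '\\CurrentVersion\\Run(Once)?\\' } }
  @{ Technique='T1053.005'; Rule='scheduled-task-created.spl'
     Test={ param($e) $e.Source -eq 'Security' -and $e.EventID -eq 4698 } }
  @{ Technique='T1070.001'; Rule='event-log-cleared.spl'
     Test={ param($e) $e.Source -eq 'Security' -and $e.EventID -eq 1102 } }
)

function Find-ExpectedDetections {
  # Returns one row per (event, rule) pair that should produce an alert.
  param([Parameter(Mandatory)][object[]]$Events)
  foreach ($e in $Events) {
    foreach ($r in $Rules) {
      if (& $r.Test $e) {
        [pscustomobject]@{ Host=$e.Host; EventID=$e.EventID; Technique=$r.Technique; Rule=$r.Rule }
      }
    }
  }
}

# Constructed sample events (hypothetical hosts WS01/WS02/DC01), one per technique
# plus two benign events that must NOT match: Defender reading lsass without
# VM_READ, and an ordinary network logon (type 3).
$SampleEvents = @(
  [pscustomobject]@{ Host='WS01'; Source='Sysmon';   EventID=10;   SourceImage='C:\Tools\procdump64.exe'; TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess=0x1010 }
  [pscustomobject]@{ Host='WS01'; Source='Sysmon';   EventID=10;   SourceImage='C:\Program Files\Windows Defender\MsMpEng.exe'; TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess=0x1000 }
  [pscustomobject]@{ Host='DC01'; Source='Sysmon';   EventID=1;    Image='C:\Windows\System32\vssadmin.exe'; CommandLine='vssadmin create shadow /for=C:'; ParentImage='C:\Windows\System32\cmd.exe' }
  [pscustomobject]@{ Host='DC01'; Source='Security'; EventID=4662; SubjectUserName='jsmith'; Properties='{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
  [pscustomobject]@{ Host='WS02'; Source='Security'; EventID=4624; LogonType=10; TargetUserName='jsmith'; IpAddress='10.0.0.11' }
  [pscustomobject]@{ Host='WS02'; Source='Security'; EventID=4624; LogonType=3;  TargetUserName='jsmith'; IpAddress='10.0.0.11' }
  [pscustomobject]@{ Host='WS02'; Source='System';   EventID=7045; ServiceName='PSEXESVC'; ImagePath='%SystemRoot%\PSEXESVC.exe' }
  [pscustomobject]@{ Host='WS02'; Source='Sysmon';   EventID=1;    Image='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe /c whoami'; ParentImage='C:\Windows\System32\wbem\WmiPrvSE.exe' }
  [pscustomobject]@{ Host='WS02'; Source='System';   EventID=7045; ServiceName='UpdaterSvc'; ImagePath='C:\Users\Public\upd.exe' }
  [pscustomobject]@{ Host='WS02'; Source='Sysmon';   EventID=13;   TargetObject='HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater'; Details='C:\Users\Public\upd.exe' }
  [pscustomobject]@{ Host='WS02'; Source='Security'; EventID=4698; TaskName='\Updater'; SubjectUserName='jsmith' }
  [pscustomobject]@{ Host='WS02'; Source='Security'; EventID=1102; SubjectUserName='jsmith' }
)

Find-ExpectedDetections $SampleEvents | Format-Table -AutoSize
```

Run it and you should see exactly ten rows, one per technique; the Defender and type-3 logon events drop out. Pipe real exports (`Get-WinEvent ... | Select-Object` shaped to the same field names) through `Find-ExpectedDetections` to confirm a host is actually emitting the event a rule needs before blaming the rule.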
| Requirement | Purpose |
|---|---|
| AD-Lab-Setup | Windows AD domain with DC + 2 workstations |
| SIEM-Detection-Lab | Splunk server with forwarders deployed |
| Detection-Engineering-Lab | Detection rules loaded into Splunk |
| Kali Linux or Windows attack host | Atomic Red Team + offensive tools |
| Sysmon deployed on all endpoints | Required for process-level telemetry |
- Deploy infrastructure — Set up AD (AD-Lab-Setup) and Splunk (SIEM-Detection-Lab)
- Load detections — Import rules from Detection-Engineering-Lab into Splunk
- Run scenarios in order — Start with Credential Dumping (Scenario 1) since later scenarios build on compromised credentials
- Validate detections — Check Splunk dashboards for alerts after each attack step; note the start time of each atomic so the search window is unambiguous, and run the atomic's cleanup once the alert is confirmed so the next step starts from a known state
- Practice investigation — Follow the investigation workflow in each scenario doc
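The run, validate and clean-up loop in the steps above can be scripted so each technique gets a pass/fail against its expected rule instead of a manual dashboard check. The PowerShell below is an added example, not code from this repo: it drives Invoke-AtomicRedTeam over a WinRM session to the victim host, records the start time, polls Splunk's REST search endpoint until the expected rule has produced an alert or the wait window closes, then runs the atomic's cleanup. The Splunk hostname, the `index=alerts` / `rule` convention for where saved-search results land, the host names and the `SPLUNK_TOKEN` variable are assumptions to adjust to your Detection-Engineering-Lab setup.

```powershell
# Added example; not code from this repo. Assumes the Invoke-AtomicRedTeam module is
# installed on this host, the victim hosts accept a WinRM session, Splunk's management
# port (8089) is reachable, and a Splunk auth token is in $env:SPLUNK_TOKEN.
# index=alerts and the "rule" field are assumptions about how the lab's saved
# searches write their results. Needs PowerShell 7+ for -SkipCertificateCheck
# (the lab Splunk certificate is self-signed).

$Splunk  = 'https://splunk.lab.local:8089'            # assumed hostname
$Headers = @{ Authorization = "Bearer $env:SPLUNK_TOKEN" }

# Technique -> expected detection, per the mapping table above.
$Expected = [ordered]@{
  'T1003.001' = 'lsass-memory-dump.spl';      'T1003.003' = 'ntds-shadow-copy.spl'
  'T1003.006' = 'dcsync-detection.spl';       'T1021.001' = 'rdp-lateral-movement.spl'
  'T1570'     = 'psexec-execution.spl';       'T1047'     = 'wmi-remote-execution.spl'
  'T1543.003' = 'new-service-created.spl';    'T1547.001' = 'registry-run-key.spl'
  'T1053.005' = 'scheduled-task-created.spl'; 'T1070.001' = 'event-log-cleared.spl'
}

function Invoke-SplunkOneshot {
  # Blocking (oneshot) search; returns the parsed result rows.
  param([string]$Search, [long]$EarliestEpoch)
  $body = @{ search = "search $Search"; exec_mode = 'oneshot'; output_mode = 'json'
             earliest_time = $EarliestEpoch; latest_time = 'now' }
  $r = Invoke-RestMethod -Method Post -Uri "$Splunk/services/search/jobs" `
         -Headers $Headers -Body $body -SkipCertificateCheck
  return $r.results
}

function Test-AtomicDetection {
  param(
    [Parameter(Mandatory)][string]$Technique,
    [int[]]$TestNumbers = 1,                                      # pick from Invoke-AtomicTest <T> -ShowDetailsBrief
    [System.Management.Automation.Runspaces.PSSession]$Session,   # victim host; omit to run locally
    [int]$WaitMinutes = 5                                         # forwarder lag + alert cron interval
  )
  $rule   = $Expected[$Technique]
  $start  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() - 60    # slack for clock skew
  $atomic = @{ AtomicTechnique = $Technique; TestNumbers = $TestNumbers }
  if ($Session) { $atomic.Session = $Session }

  Invoke-AtomicTest @atomic -GetPrereqs | Out-Null
  Invoke-AtomicTest @atomic -ExecutionLogPath ".\atomic-$Technique.csv"

  # Poll the alert index until the expected rule fires or the window closes.
  $count = 0
  foreach ($i in 1..($WaitMinutes * 2)) {
    Start-Sleep -Seconds 30
    $res   = Invoke-SplunkOneshot -Search "index=alerts rule=`"$rule`" | stats count" -EarliestEpoch $start
    $count = [int]$res[0].count
    if ($count -gt 0) { break }
  }

  # Always clean up so the next scenario starts from a known state.
  Invoke-AtomicTest @atomic -Cleanup | Out-Null

  [pscustomobject]@{ Technique = $Technique; Rule = $rule; Alerts = $count; Detected = ($count -gt 0) }
}

# Scenario 1: LSASS and DCSync from the workstation, NTDS copy on the DC (assumed host names).
$cred = Get-Credential
$ws01 = New-PSSession -ComputerName WS01 -Credential $cred
$dc01 = New-PSSession -ComputerName DC01 -Credential $cred
$targets = [ordered]@{ 'T1003.001' = $ws01; 'T1003.003' = $dc01; 'T1003.006' = $ws01 }

$results = foreach ($t in $targets.Keys) { Test-AtomicDetection -Technique $t -Session $targets[$t] }
$results | Format-Table -AutoSize
Get-PSSession | Remove-PSSession
```

A `Detected = False` row means one of three things, and the `atomic-<T>.csv` execution log plus the forwarder's `_internal` index tell you which: the atomic itself failed (missing prerequisite or EDR blocked it), the event never reached Splunk (Sysmon or audit policy gap), or the rule's search does not match the event shape the lab actually produces. Only the last one is a detection-engineering bug.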
- Attack Simulations Guide — Overview, tools, and workflow
```
Attack-Simulation-Lab/
├── simulations/
│   ├── 01-credential-dumping.md      LSASS, NTDS, DCSync
│   ├── 02-lateral-movement.md        RDP, PsExec, WMI
│   └── 03-persistence-evasion.md     Services, registry, scheduled tasks, log clearing
└── docs/
    └── attack-simulations.md         Overview and methodology
```
This lab is part of a multi-project SOC environment:
| Project | Purpose |
|---|---|
| AD-Lab-Setup | Windows Active Directory infrastructure |
| SIEM-Detection-Lab | Splunk SIEM deployment and log collection |
| Detection-Engineering-Lab | Detection rules, dashboards, and tuning |
| Attack-Simulation-Lab (this repo) | Adversary emulation and attack validation |