Intermediate · Purple Team · August 30, 2025
Purple Team Lab: Ransomware Kill Chain in Proxmox

Stage a compact Proxmox cluster, simulate a ransomware campaign end-to-end with Atomic Red Team, and capture telemetry into LimaCharlie for cross-vendor detection benchmarking.

These home labs are placeholder scenarios while I document the full walkthroughs. The environments, objectives, and tooling reflect my real-world practice runs, and I'm actively expanding the playbooks with screenshots, scripts, and validation data.

5 hours
Proxmox VE · Atomic Red Team · LimaCharlie · Velociraptor
Iterate for coverage

This lab orchestrates a safe ransomware exercise to benchmark telemetry sources and incident readiness. The infrastructure runs on a Proxmox home server, while LimaCharlie consolidates sensor data across the Windows and Linux fleet.

๐Ÿ—๏ธ Environment Blueprint

  1. Create an internal-only VLAN on Proxmox (e.g., vmbr2) with no WAN access.
  2. Deploy the following VMs from templates:
    • win11-target — used for execution and user simulation.
    • win2019-fileserver — houses sample data sets.
    • ubuntu-c2 — orchestrates Atomic Red Team and hosts the command-and-control emulator.
  3. Enable daily snapshots so the environment can be rolled back quickly after encryption runs.

โš™๏ธ Sensor Instrumentation

  • Install LimaCharlie sensors on all Windows and Linux hosts.
  • Configure the LimaCharlie detection package mod-zer0spin-ransomware to watch for:
    • Unexpected vssadmin.exe delete shadows calls.
    • High-frequency file rename operations.
    • Service creation referencing ransomware keywords.
  • Add Velociraptor on the file server to capture timeline artifacts and memory images.
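As an added illustration of the three behaviours the detection package above is configured to watch for, the following Python script (written for this page; it is not LimaCharlie's rule language and does not use its real event schema) runs simplified versions of those checks over a handful of constructed sensor-style events. The event field names, the rename threshold and window, and the keyword list are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


def _ts(value):
    return datetime.fromisoformat(value)


def _rename_burst(host, pid, start, count, spacing_s):
    """Build `count` rename events from one process, `spacing_s` seconds apart (constructed)."""
    base = _ts(start)
    return [
        {"ts": (base + timedelta(seconds=i * spacing_s)).isoformat(), "host": host,
         "type": "file_rename", "pid": pid,
         "old_path": f"C:\\Share\\doc{i}.docx", "new_path": f"C:\\Share\\doc{i}.docx.locked"}
        for i in range(count)
    ]


# Constructed sample telemetry; field names are assumptions, not LimaCharlie's schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-30T10:04:01", "host": "win11-target", "type": "process", "pid": 4242,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-08-30T09:30:00", "host": "win11-target", "type": "process", "pid": 4100,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},            # benign: must not fire
    {"ts": "2025-08-30T10:00:02", "host": "win2019-fileserver", "type": "service_create",
     "name": "WinLockerSvc", "image": "C:\\ProgramData\\locker.exe"},
    {"ts": "2025-08-30T09:00:00", "host": "win2019-fileserver", "type": "service_create",
     "name": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},   # benign
] + _rename_burst("win2019-fileserver", 5150, "2025-08-30T10:00:05", 80, 0.05) \
  + _rename_burst("win11-target", 700, "2025-08-30T10:01:00", 5, 15)   # slow, benign


def detect_shadow_deletion(events):
    """vssadmin.exe invoked with 'delete shadows' (T1490). Backup agents also do this,
    so in production pair the rule with a parent-process allow-list."""
    alerts = []
    for ev in events:
        if ev["type"] != "process":
            continue
        image = PureWindowsPath(ev["image"]).name.lower()
        cmd = ev["cmdline"].lower()
        if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            alerts.append({"rule": "vss_delete", "host": ev["host"], "pid": ev["pid"],
                           "cmdline": ev["cmdline"]})
    return alerts


def detect_rename_burst(events, threshold=50, window_s=10):
    """One process renaming >= threshold files inside a sliding window (mass encryption)."""
    recent = defaultdict(deque)          # (host, pid) -> timestamps inside the window
    alerted = set()
    alerts = []
    renames = sorted((e for e in events if e["type"] == "file_rename"), key=lambda e: _ts(e["ts"]))
    for ev in renames:
        key = (ev["host"], ev["pid"])
        now = _ts(ev["ts"])
        window = recent[key]
        window.append(now)
        while now - window[0] > timedelta(seconds=window_s):
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)                 # one alert per process, not one per rename
            alerts.append({"rule": "rename_burst", "host": ev["host"], "pid": ev["pid"],
                           "count": len(window), "window_start": window[0].isoformat(),
                           "window_end": ev["ts"]})
    return alerts


# Assumed keyword list. A bare "crypt" is deliberately absent: it would match the
# legitimate Windows CryptSvc service.
RANSOM_KEYWORDS = ("locker", "ransom", "decrypt", "encryptor")


def detect_suspicious_service(events, keywords=RANSOM_KEYWORDS):
    """Service creation whose name or binary path carries a ransomware keyword."""
    alerts = []
    for ev in events:
        if ev["type"] != "service_create":
            continue
        haystack = f"{ev['name']} {ev['image']}".lower()
        hits = [k for k in keywords if k in haystack]
        if hits:
            alerts.append({"rule": "ransom_service", "host": ev["host"], "service": ev["name"],
                           "image": ev["image"], "keywords": hits})
    return alerts


def run_all(events):
    return {
        "vss_delete": detect_shadow_deletion(events),
        "rename_burst": detect_rename_burst(events),
        "ransom_service": detect_suspicious_service(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(hits)} alert(s)")
        for hit in hits:
            print("   ", hit)
```

The rename check is the one worth tuning first: the threshold and window decide whether a user bulk-renaming a folder trips it, so compare the counts it produces on normal fileserver activity before trusting it during the encryption run.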

🎭 Adversary Simulation

  1. Clone the Atomic Red Team repository on ubuntu-c2 and configure the default path:

```bash
# Fetch the atomics onto ubuntu-c2
git clone https://github.com/redcanaryco/atomic-red-team.git
# Invoke-AtomicTest is a PowerShell cmdlet from the invoke-atomicredteam module,
# so run this line from a pwsh session rather than a bash shell
Invoke-AtomicTest T1486 -ParameterFile atoms/t1486_params.yaml
```

  2. Execute the following atoms sequentially:
    • T1486 — encrypt files via 7zip payload.
    • T1059.001 — PowerShell execution of the ransom note dropper.
    • T1490 — delete Volume Shadow Copies.
  3. Capture LimaCharlie detections and note the detection latency for each step.

📈 Detection Scoring

  • Export LimaCharlie detection results as CSV and load them into the scoring notebook notebooks/ransomware_coverage.ipynb.
  • Score each atomic against MITRE ATT&CK technique coverage (use 0 = miss, 1 = partial, 2 = full detection).
  • Generate a heatmap to visualize coverage across hosts and tools.
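An added example, not the notebooks/ransomware_coverage.ipynb referenced above: a Python sketch of the scoring step that loads a constructed CSV export, scores each host/technique pair on the 0/1/2 scale, measures detection latency against the atomic launch times recorded in the previous section, lists the gaps for gap-analysis.md, and renders a text heatmap. The CSV column layout (host, technique, rule, confidence, detected_at), the execution log, and the rule that a high-confidence detection scores 2 while medium or low scores 1 are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed detection export. The column layout is an assumption for this
# example, not LimaCharlie's real CSV schema.
DETECTIONS_CSV = """\
host,technique,rule,confidence,detected_at
win11-target,T1486,rename_burst,high,2025-08-30T10:00:09
win11-target,T1486,entropy_spike,high,2025-08-30T10:00:12
win11-target,T1486,canary_file_touch,high,2025-08-30T10:00:15
win11-target,T1059.001,encoded_powershell,medium,2025-08-30T10:02:40
win2019-fileserver,T1486,rename_burst,high,2025-08-30T10:00:11
win2019-fileserver,T1490,vss_delete,high,2025-08-30T10:04:03
"""

# Constructed launch times for each atomic on each host, as the runner on
# ubuntu-c2 would record them: (host, technique, started_at).
EXECUTION_LOG = [
    ("win11-target", "T1486", "2025-08-30T10:00:05"),
    ("win11-target", "T1059.001", "2025-08-30T10:02:30"),
    ("win11-target", "T1490", "2025-08-30T10:04:00"),
    ("win2019-fileserver", "T1486", "2025-08-30T10:00:05"),
    ("win2019-fileserver", "T1059.001", "2025-08-30T10:02:30"),
    ("win2019-fileserver", "T1490", "2025-08-30T10:04:00"),
]

# Scoring assumption: high confidence = full (2), anything weaker = partial (1),
# no detection at all = miss (0).
CONFIDENCE_SCORE = {"high": 2, "medium": 1, "low": 1}


def load_detections(text):
    return list(csv.DictReader(io.StringIO(text)))


def score_coverage(detections, execution_log):
    """Score every (host, technique) pair that was exercised.

    Returns {(host, technique): {"score", "latency_s", "rules"}}, where
    latency_s is seconds from atomic launch to the earliest detection.
    """
    by_pair = defaultdict(list)
    for d in detections:
        by_pair[(d["host"], d["technique"])].append(d)
    result = {}
    for host, technique, started_at in execution_log:
        hits = by_pair.get((host, technique), [])
        score = max((CONFIDENCE_SCORE.get(h["confidence"].lower(), 1) for h in hits), default=0)
        latency_s = None
        if hits:
            first = min(datetime.fromisoformat(h["detected_at"]) for h in hits)
            latency_s = (first - datetime.fromisoformat(started_at)).total_seconds()
        result[(host, technique)] = {
            "score": score,
            "latency_s": latency_s,
            "rules": sorted(h["rule"] for h in hits),
        }
    return result


def coverage_gaps(result):
    """Pairs scoring below full detection, in the order they should land in gap-analysis.md."""
    return sorted((host, technique, info["score"])
                  for (host, technique), info in result.items() if info["score"] < 2)


def high_confidence_count(detections, technique):
    """Fleet-wide count of high-confidence detections for one technique (success-criteria check)."""
    return sum(1 for d in detections
               if d["technique"] == technique and d["confidence"].lower() == "high")


def render_heatmap(result):
    """Hosts as rows, techniques as columns, one glyph per score plus the latency."""
    glyph = {0: "░", 1: "▒", 2: "█"}
    hosts = sorted({h for h, _ in result})
    techniques = sorted({t for _, t in result})
    lines = ["host".ljust(22) + " ".join(t.ljust(10) for t in techniques)]
    for host in hosts:
        cells = []
        for t in techniques:
            info = result.get((host, t))
            score = info["score"] if info else 0
            latency = "" if info is None or info["latency_s"] is None else f"{info['latency_s']:.0f}s"
            cells.append(f"{glyph[score]} {score} {latency}".ljust(10))
        lines.append(host.ljust(22) + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    dets = load_detections(DETECTIONS_CSV)
    cov = score_coverage(dets, EXECUTION_LOG)
    print(render_heatmap(cov))
    print("gaps:", coverage_gaps(cov))
    print("high-confidence T1486 detections:", high_confidence_count(dets, "T1486"))
```

With the constructed data the heatmap shows T1486 fully covered on both hosts with single-digit-second latency, T1059.001 only partially seen on win11-target, and T1490 missed there entirely, which is exactly the kind of row that becomes a line item with an owner in the gap analysis.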

🧵 Response Drill

  • Use Velociraptor to acquire disk artifacts from win11-target.
  • Document the manual response steps as if the event were escalated to the on-call rotation.
  • Test the rollback procedure by reverting to the previous Proxmox snapshot and re-running the detection to ensure determinism.

✅ Success Criteria

  • LimaCharlie generated at least three high-confidence detections mapped to T1486.
  • Atomic Red Team execution can be repeated with one command.
  • Coverage gaps are logged in ./reports/gap-analysis.md with remediation owners.
  • All artifacts (logs, pcaps, memory dumps) archived under ./artifacts/<date>.

Tip: Run this lab quarterly with updated ransomware tradecraft to keep the playbook current.