Intermediate · Detection Engineering · October 15, 2025
Detection Engineering Lab: Elastic SIEM vs Cobalt Strike

Deploy a compact Elastic Stack, ingest Sysmon telemetry, simulate a Cobalt Strike beacon, and harden detections with ATT&CK-aligned analytics and Sigma automation.

These home labs are placeholder scenarios while I document the full walkthroughs. The environments, objectives, and tooling reflect my real-world practice runs, and I'm actively expanding the playbooks with screenshots, scripts, and validation data.

3.5 hours
Elastic Stack 8.x · Sysmon for Windows · Caldera (Atomic Red Team profile) · Sigma CLI
Ready for execution

This homelab compresses my full detection tuning workflow into a single evening run. You will stand up Elastic Stack inside Docker, forward Windows telemetry with Sysmon, emulate a Cobalt Strike beacon using Caldera, and solidify a Sigma rule that survives production deployment.

Rationale: I use this setup to regression-test content before it goes to production SOC environments. The lab intentionally limits hardware to consumer gear, forcing optimizations that translate well to constrained enterprise nodes.

Architecture Overview

mermaid
graph TD;
  A[Caldera Operator] -->|"ATT&CK T1105"| B[Windows Target VM];
  B -->|"Sysmon Logs (EVTX)"| C[Winlogbeat];
  C -->|TCP/5044| D[Logstash];
  D -->|Enriched Events| E[Elasticsearch];
  E --> F[Kibana Detection Dashboards];
  E --> G[Sigma CLI Pipeline];

  • Collection: Sysmon with a custom configuration tuned for command-line and network telemetry.
  • Processing: Logstash pipeline disables field explosion and retains only ATT&CK-relevant fields.
  • Detection: Sigma rule automation transforms YAML into Elastic Detection Rules via the CLI.
  • Validation: Saved searches plus detection alerts confirm the analytic catches beacon spawn and lateral process injection attempts.

Step 1: Provision Elastic Stack

  1. Clone my baseline compose file:
    bash
    git clone https://github.com/zer0spin/homelab-detection-stacks.git
    cd homelab-detection-stacks/elastic-minimal

  2. Copy .env.example to .env and set passwords (use openssl rand -base64 18).
  3. Start the stack:
    bash
    docker compose up -d
    docker compose ps

  4. Validate health via https://<ubuntu-ip>:5601 and enroll the built-in Fleet Server.

Keep the Elasticsearch JVM heap at 2 GB; the goal is to mimic resource-constrained analysts' laptops.

๐Ÿ›ก๏ธ Step 2 โ€” Harden Sysmon Noise Profile

  1. Install Sysmon (v15+) on the Windows VM using Olaf Hartong's modular config:
    powershell
    .\Sysmon64.exe -i sysmonconfig-export-block.xml -accepteula
    
  2. Apply the noise suppression patch shipped in ./configs/sysmon/zer0spin-detections.xml to track LOLBins without drowning in events.
  3. Confirm event flow with:
    powershell
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} -MaxEvents 5
    

Step 3: Execute ATT&CK Atomics via Caldera

  1. Launch Caldera with the sandcat plugin enabled.
  2. Create an operation targeting the Windows VM using the Built-in Cobalt Strike adversary profile.
  3. Run the following abilities:
    • T1105: remote payload execution (reverse shell).
    • T1059.003: PowerShell spawn with encoded command.
    • T1569.002: service execution for persistence test.
  4. Annotate timestamps; later you will correlate them inside Kibana to prove detection fidelity.

Step 4: Craft Detection & Deploy

Create a Sigma rule in rules/cobalt_strike_spawn.yml:

yaml
title: Cobalt Strike beacon spawn via rundll32
status: experimental
logsource:                  # required by sigma convert; Sysmon Event ID 1 is process creation
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    Image|endswith:
      - "\\rundll32.exe"
    CommandLine|contains|all:
      - "C:\\Users"
      - "-enc"
  condition: selection
level: high

Publish it to Elastic Detection Engine:

bash
sigma convert -t es-qs rules/cobalt_strike_spawn.yml | tee generated/rule.ndjson
python scripts/es_push_rule.py generated/rule.ndjson

The helper script authenticates against the Kibana API and creates the detection rule with a 5m schedule.
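To show what that push step involves, here is an added example of a rule-creation client written for this write-up. It is not the lab's scripts/es_push_rule.py: it creates the rule through Kibana's detection-engine API (POST /api/detection_engine/rules, which needs the kbn-xsrf header) rather than importing the ndjson. The Kibana URL, the index patterns, and the KQL query (a hand translation of the Step 4 Sigma selection into ECS field names) are assumptions to verify against your own stack.

```python
"""Build and optionally push an Elastic detection rule via the Kibana API.
Added example, not the lab repository's helper script."""
from __future__ import annotations

import base64
import json
import urllib.request

KIBANA_URL = "https://kibana.lab.local:5601"  # assumption: your Kibana base URL
INDEX_PATTERNS = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]  # assumption: where Sysmon lands

# Hand translation of the Step 4 Sigma selection into KQL (assumption: ECS names as Winlogbeat's
# Sysmon module emits them). Check it in Discover against a known beacon event before relying on it.
BEACON_SPAWN_KQL = (
    'event.code:"1" and process.name:"rundll32.exe" '
    'and process.command_line:*Users* and process.command_line:*-enc*'
)


def build_rule(rule_id: str, query: str, index: list[str], interval: str = "5m") -> dict:
    """Payload for POST /api/detection_engine/rules: a query rule scheduled every 5m as in the lab."""
    minutes = int(interval.rstrip("m"))
    return {
        "rule_id": rule_id,
        "name": "Cobalt Strike beacon spawn via rundll32 (lab)",
        "description": "Converted from rules/cobalt_strike_spawn.yml for the Elastic Detection Engine.",
        "type": "query",
        "language": "kuery",
        "query": query,
        "index": index,
        "interval": interval,
        # look back two intervals so late-arriving Winlogbeat events are still evaluated
        "from": f"now-{minutes * 2}m",
        "severity": "high",
        "risk_score": 73,
        "enabled": True,
        "tags": ["homelab", "cobalt-strike"],
        "threat": [{
            "framework": "MITRE ATT&CK",
            "tactic": {"id": "TA0011", "name": "Command and Control",
                       "reference": "https://attack.mitre.org/tactics/TA0011/"},
            "technique": [{"id": "T1105", "name": "Ingress Tool Transfer",
                           "reference": "https://attack.mitre.org/techniques/T1105/"}],
        }],
    }


def push_rule(payload: dict, username: str, password: str, kibana_url: str = KIBANA_URL) -> int:
    """Create the rule and return the HTTP status. Kibana rejects writes without kbn-xsrf."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{kibana_url}/api/detection_engine/rules",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    import os
    rule = build_rule("homelab-cobalt-strike-spawn", BEACON_SPAWN_KQL, INDEX_PATTERNS)
    print(json.dumps(rule, indent=2))
    if os.environ.get("KIBANA_USER"):  # only push when credentials are supplied via the environment
        print("HTTP", push_rule(rule, os.environ["KIBANA_USER"], os.environ["KIBANA_PASS"]))
```

Run it without KIBANA_USER set to review the payload first; the `from` window deliberately overlaps two intervals so a slow Winlogbeat shipper does not let a beacon spawn slip between runs.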

Step 5: Validate and Tune

  1. Inside Kibana > Security > Alerts, ensure at least one alert fired matching your operation timestamp.
  2. Confirm the alert contains fields:
    • process.command_line
    • host.name
    • event.code
  3. Use the saved search detections/cobalt_strike_validation.ndjson to visualize distinct hosts.
  4. Document a false positive analysis session; note any legitimate PowerShell automation excluded by your rule.
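To make the Step 4 analytic and the Step 5 false-positive pass concrete, the following added example (not code from the lab repository) evaluates the rule's selection logic against Sysmon process-creation events and emits alerts carrying the three fields Step 5 checks for. The events are constructed, not captured telemetry, and the `filter` block is a hypothetical exclusion for a legitimate automation runner, the kind of carve-out your false-positive notes should record.

```python
"""Evaluate the lab's Sigma selection logic over Sysmon Event ID 1 records.
Added example; sample events are constructed and the filter is hypothetical."""
from __future__ import annotations

from typing import Any

# The Step 4 rule as Python dicts so this runs without PyYAML.
# "filter" is a constructed exclusion of the kind Step 5 asks you to document.
RULE = {
    "selection": {
        "EventID": 1,
        "Image|endswith": ["\\rundll32.exe"],
        "CommandLine|contains|all": ["C:\\Users", "-enc"],
    },
    "filter": {
        "ParentImage|endswith": ["\\svc_automation_runner.exe"],  # hypothetical automation parent
    },
}


def _match_field(value: Any, modifiers: list[str], patterns: list[Any]) -> bool:
    """Apply Sigma string modifiers; Sigma matching is case-insensitive by default."""
    if value is None:  # field absent from the event: the clause cannot match
        return False
    text = str(value).lower()
    pats = [str(p).lower() for p in patterns]
    if not modifiers:  # plain field: equal to any listed value
        return text in pats
    mod = modifiers[0]
    if mod == "endswith":
        hits = [text.endswith(p) for p in pats]
    elif mod == "startswith":
        hits = [text.startswith(p) for p in pats]
    elif mod == "contains":
        hits = [p in text for p in pats]
    else:
        raise ValueError(f"unsupported modifier: {mod}")
    # "|all" requires every listed value; otherwise a list means "any of"
    return all(hits) if "all" in modifiers[1:] else any(hits)


def selection_matches(block: dict[str, Any], event: dict[str, Any]) -> bool:
    """Every field clause in a selection block must hold (Sigma AND semantics)."""
    for key, patterns in block.items():
        field, *modifiers = key.split("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not _match_field(event.get(field), modifiers, patterns):
            return False
    return True


def rule_fires(event: dict[str, Any], rule: dict[str, Any] = RULE) -> bool:
    """condition: selection and not filter"""
    return selection_matches(rule["selection"], event) and not selection_matches(rule["filter"], event)


# Constructed Sysmon Event ID 1 records, using the field names Sysmon emits.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\beacon.dll,Start -enc SQBFAFgA",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Computer": "WIN-TARGET"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": "C:\\Windows\\explorer.exe", "Computer": "WIN-TARGET"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\svc_auto\\jobs\\report.dll,Run -enc QQBC",
     "ParentImage": "C:\\Program Files\\Automation\\svc_automation_runner.exe", "Computer": "WIN-BUILD"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\bob\\x.dll -enc AAAA", "Computer": "WIN-TARGET"},
]


def run_detection(events=SAMPLE_EVENTS, rule=RULE) -> list[dict[str, Any]]:
    """Return alert records in the ECS field names Step 5 expects to see in Kibana."""
    alerts = []
    for ev in events:
        if rule_fires(ev, rule):
            alerts.append({"host.name": ev.get("Computer"), "event.code": str(ev["EventID"]),
                           "process.command_line": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Of the four constructed events only the first alerts: the second lacks the user-profile path and `-enc`, the third matches the selection but is suppressed by the automation-runner filter, and the fourth is a network event (ID 3), not process creation. Keep the filter as narrow as the parent path shown; a broader exclusion on `-enc` alone would also silence the beacon.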

Continuous Improvement Hooks

  • Export detection coverage by running:
    bash
    python scripts/mapping/export_mitre_matrix.py --rule cobalt_strike_spawn.yml
    
  • Schedule nightly replays with Caldera's autonomous mode to prevent detection drift.
  • Publish final artifacts (Sigma + Elastic JSON) to your GitHub security-content repository.
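As an added illustration of the coverage export above, the following example turns the attack.* tags of Sigma rules into an ATT&CK Navigator layer. It is written for this page in the spirit of scripts/mapping/export_mitre_matrix.py and is not that script. The rule texts are constructed: the Step 4 rule appears on this page without its tags, so the tags here are assumed and follow the three abilities run in Step 3.

```python
"""Export ATT&CK coverage from Sigma rule tags as a Navigator layer.
Added example; the rule texts and their tags are constructed."""
from __future__ import annotations

import json
import re

# Sigma technique tags look like "attack.t1105" or "attack.t1059.003";
# tactic tags such as "attack.execution" are deliberately skipped.
TECHNIQUE_TAG = re.compile(r"^\s*-\s*attack\.(t\d{4}(?:\.\d{3})?)\s*$", re.IGNORECASE | re.MULTILINE)

# Constructed rule texts (tags assumed, see lead-in); only the tags matter to this script.
SIGMA_RULES = {
    "cobalt_strike_spawn.yml": """\
title: Cobalt Strike beacon spawn via rundll32
tags:
  - attack.execution
  - attack.t1059.003
  - attack.command_and_control
  - attack.t1105
level: high
""",
    "service_exec_persistence.yml": """\
title: Service execution persistence check (lab)
tags:
  - attack.execution
  - attack.t1569.002
level: medium
""",
}


def techniques_in(rule_text: str) -> list[str]:
    """Technique IDs tagged in one rule, normalised to ATT&CK's upper-case form."""
    return sorted({m.upper() for m in TECHNIQUE_TAG.findall(rule_text)})


def coverage(rules: dict[str, str]) -> dict[str, list[str]]:
    """Map technique ID -> rule file names that claim to cover it."""
    cov: dict[str, list[str]] = {}
    for name, text in rules.items():
        for tid in techniques_in(text):
            cov.setdefault(tid, []).append(name)
    return {tid: sorted(names) for tid, names in sorted(cov.items())}


def navigator_layer(rules: dict[str, str], name: str = "homelab detection coverage") -> dict:
    """Navigator layer JSON; score = rules per technique, so uncovered techniques stay unscored."""
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},  # match your Navigator build
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": len(names), "comment": ", ".join(names)}
            for tid, names in coverage(rules).items()
        ],
    }


if __name__ == "__main__":
    print(json.dumps(navigator_layer(SIGMA_RULES), indent=2))
```

Load the printed JSON into Navigator after each nightly replay; a technique that drops out of the layer between runs is the detection drift the autonomous replays are meant to expose.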

Deliverables Checklist

  • [x] Docker Compose stack running with TLS-enabled transport.
  • [x] Sysmon tuned configuration committed under version control.
  • [x] Sigma analytic validated with at least one true positive alert.
  • [x] MITRE ATT&CK mapping exported (T1059, T1105, T1569).
  • [x] Runbook notes stored in ./docs/runbook.md for rapid replays.

When you can re-run this lab in under 30 minutes and still catch the beacon, the detection is ready for enterprise promotion.
