Sysmon-based detection of NMAP, Brute Force & Akira Ransomware
Student: Uliya Fatima | ID: 232098 | Date: March 9, 2026
This lab demonstrates how to deploy Sysmon (System Monitor) on a Windows machine to detect real-world cyber threats in a controlled lab environment. Three attack scenarios were simulated from a Kali Linux attacker machine and successfully detected using Sysmon logs and Windows Event Viewer.
| Attack Type | Detection Method | MITRE ATT&CK |
|---|---|---|
| 🔍 NMAP Port Scanning | Sysmon Event ID 3 (NetworkConnect) | T1046 – Network Service Discovery |
| 🔐 Brute Force Login | Windows Event ID 4625 (Failed Logon) | T1110 – Brute Force |
| 💀 Akira Ransomware | Sysmon Event ID 1 & 11 | T1486, T1490, T1003.001 |
┌─────────────────────────────────────────────────────────┐
│ VMware NAT Network │
│ 192.168.17.0/24 │
│ │
│ ┌──────────────────┐ ┌──────────────────────┐ │
│ │ Kali Linux │──────▶│ Windows 10 │ │
│ │ (Attacker) │ │ (Target) │ │
│ │ 192.168.17.128 │ │ 192.168.17.1 │ │
│ └──────────────────┘ └──────────────────────┘ │
└─────────────────────────────────────────────────────────┘
| Component | Details |
|---|---|
| Attacker OS | Kali Linux |
| Target OS | Windows 10 |
| Network | VMware VMnet8 (NAT) |
| Detection Tool | Sysmon v15.15 |
| Monitoring | Windows Event Viewer |
# 1. Download Sysmon from Microsoft Sysinternals
# https://download.sysinternals.com/files/Sysmon.zip
# 2. Extract to C:\Sysmon
# 3. Create custom config.xml (see below)
# 4. Install via Administrator CMD
Sysmon64.exe -accepteula -i config.xmlOutput: Sysmon64 started ✅
The config.xml file defines detection rules for three threat categories:
<Sysmon schemaversion="4.90">
<EventFiltering>
<!-- Detect NMAP scanning -->
<NetworkConnect onmatch="include">
<DestinationPort condition="is">445</DestinationPort>
<DestinationPort condition="is">3389</DestinationPort>
</NetworkConnect>
<!-- Detect Brute Force tools -->
<ProcessCreate onmatch="include">
<Image condition="contains">nmap</Image>
<Image condition="contains">hydra</Image>
</ProcessCreate>
<!-- Detect Akira Ransomware behavior -->
<ProcessCreate onmatch="include">
<CommandLine condition="contains">vssadmin delete shadows</CommandLine>
<CommandLine condition="contains">recoveryenabled no</CommandLine>
</ProcessCreate>
<!-- Detect Akira file encryption -->
<FileCreate onmatch="include">
<TargetFilename condition="end with">.akira</TargetFilename>
<TargetFilename condition="contains">akira_readme</TargetFilename>
</FileCreate>
</EventFiltering>
</Sysmon>Event Viewer → Applications and Services Logs
→ Microsoft → Windows → Sysmon → Operational
# Disable Windows Firewall on target first
netsh advfirewall set allprofiles state off
# Run NMAP service version scan from Kali
nmap -sV 192.168.17.1| Port | State | Service | Description |
|---|---|---|---|
| 135/tcp | Open | msrpc | Microsoft Windows RPC |
| 139/tcp | Open | netbios-ssn | Microsoft Windows NetBIOS |
| 445/tcp | Open | microsoft-ds | SMB File Sharing |
| 902/tcp | Open | vmware-auth | VMware Authentication Daemon |
| 912/tcp | Open | vmware-auth | VMware Authentication Daemon |
| 5357/tcp | Open | http | Microsoft HTTPAPI |
⚠️ Port 445 (SMB) is a critical finding — this port is exploited by Akira ransomware for lateral movement.
Sysmon Event ID 3 captured 30 network connection events
| Field | Value |
|---|---|
| Event ID | 3 (NetworkConnect) |
| SourceIp | 192.168.17.128 (Kali Linux) |
| DestinationIp | 192.168.17.1 (Windows) |
| DestinationPort | 445 (SMB) |
| DestinationPortName | microsoft-ds |
# Enable failed logon auditing on Windows
auditpol /set /subcategory:"Logon" /failure:enable
# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f# Simulate multiple failed login attempts
for /L %i in (1,1,6) do net use \\192.168.17.1\IPC$ /user:administrator wrongpassword123Windows Security Log Event ID 4625 — 8 Audit Failure events captured
| Field | Value | Meaning |
|---|---|---|
| Event ID | 4625 | An account failed to log on |
| TargetUserName | administrator | Account being targeted |
| LogonType | 3 | Network-based login attempt |
| AuthenticationPackage | NTLM | Auth protocol used |
| IpAddress | 192.168.17.1 | Source of attempts |
| Status | 0xc000006d | Wrong username or password |
🚨 Detection Rule: 5+ Event ID 4625 events within 60 seconds from same source = Brute Force alert
Akira is a double-extortion ransomware group active since 2023 targeting Windows/Linux systems. Key behaviors:
- Deletes Volume Shadow Copies to prevent file recovery
- Disables Windows Recovery Mode
- Encrypts files with
.akiraextension - Drops
akira_readme.txtransom note in every directory
# Step 1: Create simulated target files
mkdir C:\TestFiles
echo test > C:\TestFiles\document.akira
echo test > C:\TestFiles\spreadsheet.akira
echo "You have been hacked" > C:\TestFiles\akira_readme.txt
# Step 2: Delete Volume Shadow Copies (T1490)
vssadmin delete shadows /all /quiet
# Step 3: Disable Windows Recovery (T1490)
bcdedit /set recoveryenabled no| Field | Value |
|---|---|
| Event ID | 1 (ProcessCreate) |
| Image | bcdedit.exe |
| CommandLine | bcdedit /set recoveryenabled no |
| IntegrityLevel | High (Admin privileges) |
| ParentImage | cmd.exe |
| User | DESKTOP-JJJMI2P\Toshiba |
| Field | Value |
|---|---|
| Event ID | 11 (FileCreate) |
| Image | cmd.exe |
| TargetFilename | C:\TestFiles\akira_readme.txt |
| User | DESKTOP-JJJMI2P\Toshiba |
A Custom View was created in Windows Event Viewer to monitor all three threat categories from a single dashboard:
Event Viewer → Custom Views → Create Custom View
├── Name: "Sysmon Threat Detection"
├── Log: Microsoft-Windows-Sysmon/Operational
├── Event IDs: 1, 3, 11
└── Level: Information
Result: 49 total events captured across all three attack types ✅
| Technique ID | Name | Lab Activity |
|---|---|---|
| T1046 | Network Service Discovery | NMAP port scan |
| T1110 | Brute Force | Failed login attempts (Event ID 4625) |
| T1486 | Data Encrypted for Impact | .akira file encryption simulation |
| T1490 | Inhibit System Recovery | vssadmin + bcdedit commands |
| T1003.001 | LSASS Memory Dump | Monitored via Sysmon Event ID 10 |
| Event ID | Category | Description | Threat Detected |
|---|---|---|---|
| 1 | Process Creation | Full command line logging | Akira — bcdedit/vssadmin |
| 3 | Network Connection | All inbound/outbound connections | NMAP scanning, SMB |
| 10 | Process Access | Process memory access | Akira — LSASS credential dump |
| 11 | File Creation | New files with full path | Akira — .akira encrypted files |
| 12/13 | Registry Event | Key creation & modification | Malware persistence |
| Figure | Description |
|---|---|
| Fig 1.1 | Sysmon v15.15 installation via CMD |
| Fig 1.2 | Sysmon Operational — 19 events post-install |
| Fig 1.3 | Custom config.xml detection rules |
| Fig 2.1 | Windows IP (192.168.17.1) — VMnet8 |
| Fig 2.2 | Kali Linux IP (192.168.17.128) |
| Fig 2.3 | Ping test confirming connectivity |
| Fig 2.4 | NMAP scan — open ports discovered |
| Fig 2.5 | Event ID 3 — 30 NMAP connections logged |
| Fig 2.6 | Event ID 3 detail — Kali IP, port 445 |
| Fig 8 | Event ID 4625 — 8 brute force failures |
| Fig 9 | Event ID 4625 detail — administrator, NTLM |
| Fig 10 | vssadmin delete shadows executed |
| Fig 11 | bcdedit /set recoveryenabled no |
| Fig 12 | Event ID 1 — bcdedit.exe detected |
| Fig 13 | Event ID 1 detail — full command line |
| Fig 14 | Event ID 11 — 3 Akira files detected |
| Fig 15 | Event ID 11 detail — akira_readme.txt |
| Fig 16 | Dashboard — 49 total events |
| Tool | Purpose |
|---|---|
| Sysmon v15.15 | Host-based event logging |
| Windows Event Viewer | Log analysis & dashboard |
| Kali Linux | Attacker machine |
| NMAP | Port scanning simulation |
| VMware Workstation | Lab virtualization |
- Microsoft Sysinternals — Sysmon
- MITRE ATT&CK Framework
- Akira Ransomware Analysis — CISA Advisory
- Windows Security Event ID Reference
Uliya Fatima | 232098 | CTI Lab Task 04 | March 2026