Incident Response Lab


Overview

🔐 This project demonstrates my ability to detect, analyze, and respond to real-world cyber threats through a hands-on incident response simulation. The goal was to replicate a realistic phishing-based attack and execute a full end-to-end response workflow within a controlled lab environment. The scenario involved a malicious phishing email delivering a reverse shell payload to a Windows 11 system, resulting in unauthorized command-and-control (C2) access.

⚙️ The lab was built using a layered defensive security stack including Wazuh SIEM for centralized logging and alerting, Sysmon for detailed endpoint telemetry, Suricata IDS/IPS for network traffic inspection, and a pfSense firewall for segmentation and containment. Wazuh correlated endpoint and network events to detect suspicious process execution and outbound connections, providing early visibility into the compromise.

🔍 During the detection and analysis phase, I investigated process execution logs, email artifacts, and Sysmon network events to confirm malware execution and C2 communication. The malicious executable used masquerading techniques and connected to a non-standard port commonly associated with reverse shells. Findings were mapped to the MITRE ATT&CK framework to align technical evidence with adversary behavior.
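As an added illustration of the correlation described above (example code written for this page, not part of the original lab or of Wazuh), the script below mimics what a SIEM rule does with Sysmon telemetry: it joins Event ID 1 (process create) records with Event ID 3 (network connection) records by ProcessGuid, then flags a process that carries the name of a well-known Windows binary but runs from an unexpected directory (masquerading, ATT&CK T1036) and/or initiates an outbound connection to a port outside a small allow-list (non-standard port, ATT&CK T1571). The event records, the allow-listed ports, the known-binary locations and the severity scheme are all constructed assumptions; the field names follow Sysmon's schema.

```python
"""Minimal Sysmon-style triage: correlate process-create and network events
and flag masquerading plus non-standard outbound ports.  Added example, not
the lab's own tooling; all records and thresholds below are constructed."""

from typing import Dict, List

# Legitimate directories of binaries that are commonly impersonated (assumption).
KNOWN_BINARIES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

# Outbound ports an ordinary workstation is expected to use (assumption).
ALLOWED_PORTS = {53, 80, 443}

# Constructed Sysmon-like records (a subset of the real schema's fields).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 1, "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Initiated": "true",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{B2}", "Initiated": "true",
     "DestinationIp": "192.168.56.101", "DestinationPort": 4444},
    {"EventID": 3, "ProcessGuid": "{C3}", "Initiated": "true",
     "DestinationIp": "10.0.0.9", "DestinationPort": 8080},
]


def is_masquerading(image: str) -> bool:
    """True when the file name matches a known system binary but the
    directory is not one of that binary's legitimate locations."""
    path, _, name = image.lower().rpartition("\\")
    expected = KNOWN_BINARIES.get(name)
    return expected is not None and path not in expected


def find_suspicious_c2(events: List[Dict]) -> List[Dict]:
    """Return one finding per outbound connection that trips at least one
    indicator.  Both indicators together are rated 'high', one alone 'medium'."""
    processes = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        # Only process-initiated (outbound) connections are of interest here.
        if e["EventID"] != 3 or e.get("Initiated") != "true":
            continue
        proc = processes.get(e["ProcessGuid"])
        if proc is None:  # no matching process-create record; nothing to correlate
            continue
        reasons = []
        if is_masquerading(proc["Image"]):
            reasons.append("masquerading (T1036)")
        port = int(e["DestinationPort"])
        if port not in ALLOWED_PORTS:
            reasons.append(f"non-standard outbound port {port} (T1571)")
        if reasons:
            findings.append({
                "process_guid": e["ProcessGuid"],
                "image": proc["Image"],
                "parent_image": proc["ParentImage"],
                "destination": f'{e["DestinationIp"]}:{port}',
                "reasons": reasons,
                "severity": "high" if len(reasons) == 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_c2(SAMPLE_EVENTS):
        print(f'[{f["severity"].upper()}] {f["image"]} -> {f["destination"]}: '
              + "; ".join(f["reasons"]))
```

Running it on the constructed records yields a high-severity finding for the Temp-folder `svchost.exe` (spawned by Outlook, matching the phishing delivery path) reaching port 4444, and a medium-severity finding for the legitimate `explorer.exe` on port 8080, which shows why the port indicator alone needs a second signal before it is treated as C2.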

🛑 Containment was achieved through firewall-based isolation and C2 blocking. Using pfSense, I created targeted firewall rules to isolate the infected host and disrupt attacker communication while preserving forensic evidence. The malware was then eradicated by removing the malicious payload, validating the absence of persistence mechanisms, and conducting endpoint security scans.

🚀 This project strengthened my incident response and SOC skill set by applying the NIST SP 800-61 Incident Response lifecycle from preparation through post-incident lessons learned. It highlights practical experience in SIEM-driven detection, endpoint and network analysis, threat containment, and structured incident documentation—core skills required in blue team and cybersecurity operations roles.
