SIEM01

Security Operations & Monitoring
OS: Ubuntu Server 24.04 LTS
Platform: Splunk Enterprise 9.x
IP: 192.168.56.100
User: jmeintel (root)
Status: MONITORING
I started by learning Splunk and Windows Event (Sysmon) basics. I ensured all the vulnerabilities I introduced were detected, so that I could understand how to identify common misconfigurations. After I began creating the remediation strategy for the compromised environment, I learned how to improve Mean Time To Respond to future attacks.

Monitoring Coverage

🎫 Kerberoasting (T1558.003)

Detection of Event 4769 TGS requests with RC4 encryption (0x17) targeting service accounts with SPNs.

Target: Weak Service Accounts
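The rule above reduces to a filter plus a roll-up: keep successful 4769 ticket requests that used RC4 (TicketEncryptionType 0x17) for a real service account, then count how many distinct SPN accounts one requester pulled tickets for in a short window, since a single user fetching many RC4 service tickets at once is the shape of a roasting sweep. The Python below is an added example written for this page, not the lab's own Splunk search; the event records and timestamps are constructed, and the five-minute window and two-service threshold are assumptions to tune against real baseline traffic.

```python
"""Kerberoasting triage over Windows Event 4769 (TGS request) records.

Added example for this page; not the lab's Splunk rule. Field names follow the
4769 event (TargetUserName, ServiceName, TicketEncryptionType, Status).
All sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES tickets show 0x11/0x12

# Constructed sample: one user hammering three SPN accounts with RC4 in seconds
SAMPLE_4769 = [
    {"time": "2024-05-01T10:00:01", "TargetUserName": "alice@LAB.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T10:00:05", "TargetUserName": "alice@LAB.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-05-01T10:02:10", "TargetUserName": "bob@LAB.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T10:02:11", "TargetUserName": "bob@LAB.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T10:02:12", "TargetUserName": "bob@LAB.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T10:30:00", "TargetUserName": "carol@LAB.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
]


def is_roastable_request(ev):
    """True for a successful RC4 ticket for a service account (not krbtgt,
    not a machine account ending in '$')."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == "0x0"
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def kerberoast_candidates(events, window=timedelta(minutes=5), min_services=2):
    """Return {requester: sorted service names} for requesters that obtained RC4
    tickets for at least `min_services` distinct SPN accounts inside `window`.
    Window and threshold are assumed tuning values."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        # Slide a window forward from each request; alert on the first window
        # that holds enough distinct services.
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                hits[user] = sorted(services)
                break
    return hits


if __name__ == "__main__":
    for user, services in kerberoast_candidates(SAMPLE_4769).items():
        print(f"{user}: RC4 tickets for {', '.join(services)}")
```

Only `bob@LAB.LOCAL` surfaces: alice's requests are the krbtgt ticket and an AES machine-account ticket, and carol's single RC4 request stays under the distinct-service threshold, which is the same reasoning a Splunk `stats dc(ServiceName) by TargetUserName` over a short span would encode.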

🔓 AS-REP Roasting (T1558.004)

Monitoring Event 4768 for accounts with Kerberos pre-authentication disabled, which allows an attacker to obtain an AS-REP and crack it offline.

Target: No Pre-Auth Accounts

🔄 DCSync Attack (T1003.006)

Alert on Event 4662 Directory Services Replication from non-DC hosts leveraging excessive permissions.

Target: Domain Credential Dumping

📝 SMB Relay (T1557.001)

Detection of unsigned SMB authentication attempts and NTLM coercion patterns via Event 4624 Type 3.

Target: SMB Signing Disabled

🌊 Password Spraying (T1110.003)

Correlation of Event 4625 failed logon attempts across multiple accounts from a single source, where no account reaches the lockout threshold.

Target: Weak Password Policy
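The distinguishing feature of a spray is the distribution of failures, not their count: many distinct target accounts from one source, each with only a few attempts so that no lockout fires. The Python below is an added example for this page, not the lab's Splunk search; it groups 4625 events by source address, counts distinct accounts and per-account attempts, and alerts only on the spray shape (in contrast to a single-account brute force). The events are constructed, and the account and lockout thresholds are assumed values.

```python
"""Password-spray correlation over Windows Event 4625 (failed logon) records.

Added example for this page; not the lab's Splunk rule. Each record carries
IpAddress, TargetUserName and SubStatus as the 4625 event does. Sample events
are constructed.
"""
from collections import defaultdict

# 4625 SubStatus codes worth counting for a spray: wrong password, unknown user
SPRAY_SUBSTATUS = {"0xc000006a", "0xc0000064"}

# Constructed sample: 10.0.0.5 sprays six accounts once each;
# 10.0.0.9 hammers a single account seven times (brute force, not a spray).
SAMPLE_4625 = [
    ("10.0.0.5", "alice", "0xC000006A"),
    ("10.0.0.5", "bob", "0xC000006A"),
    ("10.0.0.5", "carol", "0xC0000064"),
    ("10.0.0.5", "dave", "0xC000006A"),
    ("10.0.0.5", "erin", "0xC000006A"),
    ("10.0.0.5", "frank", "0xC000006A"),
] + [("10.0.0.9", "alice", "0xC000006A")] * 7


def detect_spray(events, min_accounts=5, lockout_threshold=5):
    """Return {source_ip: {"accounts": n, "max_per_account": m}} for sources that
    failed against at least `min_accounts` distinct users while every user stayed
    below `lockout_threshold` attempts. Thresholds are assumed tuning values;
    lockout_threshold should match the domain's account lockout policy."""
    per_source = defaultdict(lambda: defaultdict(int))
    for ip, user, substatus in events:
        if substatus.lower() in SPRAY_SUBSTATUS:
            per_source[ip][user.lower()] += 1

    alerts = {}
    for ip, users in per_source.items():
        busiest = max(users.values())
        if len(users) >= min_accounts and busiest < lockout_threshold:
            alerts[ip] = {"accounts": len(users), "max_per_account": busiest}
    return alerts


def single_account_brute_force(events, lockout_threshold=5):
    """Companion check: sources that pushed one account past the lockout threshold."""
    per_pair = defaultdict(int)
    for ip, user, substatus in events:
        if substatus.lower() in SPRAY_SUBSTATUS:
            per_pair[(ip, user.lower())] += 1
    return {pair: n for pair, n in per_pair.items() if n >= lockout_threshold}


if __name__ == "__main__":
    print("spray sources:", detect_spray(SAMPLE_4625))
    print("brute-force pairs:", single_account_brute_force(SAMPLE_4625))
```

Keeping the two checks separate matters operationally: a spray that stays under lockout is invisible to lockout-based alerting and to a simple per-account failure count, so the `dc(TargetUserName)` style roll-up by source is the only one of the two that catches it.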

🔑 Registry Credential Access (T1552.002)

Alert on Sysmon Event 13 registry modifications to Winlogon keys containing cleartext credentials.

Target: Auto-Logon Credentials

🚫 UAC Bypass (T1548.002)

Detection of registry changes to EnableLUA and ConsentPromptBehaviorAdmin via Event 4657.

Target: Disabled Security Controls

🌐 RDP Lateral Movement (T1021.001)

Monitoring Event 4624 Type 10 (RemoteInteractive) logons from unexpected sources without NLA.

Target: Unrestricted RDP Access

🎭 Token Impersonation (T1134)

Correlation of Sysmon Event 10 (ProcessAccess) records to detect handles opened on SYSTEM-level processes from medium-integrity contexts.

Target: Privilege Escalation

📄 Credentials in Files (T1552.001)

Detection of web.config, config.php access patterns and file reads containing cleartext credentials.

Target: Configuration Files

📂 Information Disclosure (T1592)

IIS log analysis detecting directory enumeration and HTTP 200 responses for sensitive file extensions.

Target: Directory Browsing Enabled

🐚 Web Shell Detection (T1505.003)

Monitoring w3wp.exe spawning cmd.exe/powershell.exe or unusual parent-child process relationships.

Target: Web Application RCE

🔐 Database Authentication (T1078.001)

Correlation of MySQL authentication logs to detect brute-force attempts and root logins originating from anywhere other than localhost.

Target: Remote Database Access

🔄 Pass-the-Hash (T1550.002)

Detection of LogonType 3 (Network) anomalies with NTLM authentication from compromised accounts.

Target: Credential Reuse

💾 LSASS Memory Access (T1003.001)

Alerting on non-standard processes opening a handle to lsass.exe with memory-read access, as recorded in Sysmon Event 10.

Target: Mimikatz / Credential Dumping
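Sysmon Event 10 records the source image, the target image and the GrantedAccess mask of every process handle it sees, so the rule above comes down to three tests: the target is lsass.exe, the source is not a known legitimate toucher of LSASS, and the mask includes rights that allow reading process memory (PROCESS_VM_READ, 0x0010, or a full PROCESS_ALL_ACCESS, 0x1FFFFF). The Python below is an added example for this page, not the lab's Splunk search; the events are constructed and the source-image allowlist is an assumption that a real deployment tunes per host from its own baseline.

```python
"""Triage of Sysmon Event 10 (ProcessAccess) records whose target is lsass.exe.

Added example for this page; not the lab's Splunk rule. Uses the Event 10
fields SourceImage, TargetImage and GrantedAccess. Sample events and the
allowlist below are constructed/assumed.
"""
from pathlib import PureWindowsPath

# Process access rights (winnt.h) relevant to reading another process's memory
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allowlist of images that open lsass.exe on a normal host; tune per
# environment (security agents, in particular, must be added from baseline data).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsm.exe",
}

# Constructed sample events
SAMPLE_EVENT10 = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\unknown.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]


def can_read_memory(granted_access):
    """True if the GrantedAccess hex string includes PROCESS_VM_READ or is ALL_ACCESS."""
    mask = int(granted_access, 16)
    return bool(mask & PROCESS_VM_READ) or mask == PROCESS_ALL_ACCESS


def lsass_access_alerts(events, allowlist=ALLOWED_SOURCES):
    """Return one alert per non-allowlisted process that opened lsass.exe with
    memory-read rights. Path comparison is case-insensitive, as on Windows."""
    alerts = []
    for ev in events:
        if PureWindowsPath(ev["TargetImage"]).name.lower() != "lsass.exe":
            continue
        source = ev["SourceImage"].lower()
        if source in allowlist:
            continue
        if not can_read_memory(ev["GrantedAccess"]):
            continue
        alerts.append({"source": ev["SourceImage"], "access": ev["GrantedAccess"]})
    return alerts


if __name__ == "__main__":
    for alert in lsass_access_alerts(SAMPLE_EVENT10):
        print(f"ALERT lsass handle with memory read: {alert['source']} ({alert['access']})")
```

Only the temp-directory binary with GrantedAccess 0x1010 fires. The svchost.exe record with 0x1410 would also carry read rights but is allowlisted, and WmiPrvSE.exe's 0x1400 is query-information only, which is why the mask test rather than a plain "anything touching lsass" filter keeps the alert volume manageable.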

Operational Documentation

Coming Soon
