[ SECURITY LABS ]

Live SOC Tabletop · Multi-stage Intrusion

Cohort defended against a multi-stage intrusion in the SOC lab — phishing → credential theft → lateral movement.

  • SOC
  • Incident Response

// the_work

A 4-hour tabletop where blue-team students worked alerts as they fired, opened tickets, and walked the chain of custody for evidence. Wrote the post-incident report against NIST 800-61.

// artifacts

FROM THE PROJECT FILES.

$ terminal · alert · stage_2_credential_theft
[ 14:08:21 ] alert.id=A-2391  severity=HIGH
src.user=jdoe@cite.local  src.ip=10.42.7.18
indicator=lsass.dump.candidate  detection=defender_ASR
action=quarantined  next=isolate_host
└─ assigned to analyst.shift.B

▦ diagram · kill chain · observed
phish → cred → lateral → priv-esc → exfil
 ▲      ▲      ▲         ▲          ▲
 |      |      |         |          └ blocked at egress
 |      |      |         └ host isolated by ASR
 |      |      └ detected via auth anomaly
 |      └ user trained · MFA fatigue
 └ inbox sandbox match
