This repository documents my hands-on learning journey through defensive security and DFIR projects. It focuses on practical exercises to detect, analyze, and respond to cyber threats in real-world scenarios, helping me build core blue team skills.
- Network Traffic Analysis (Wireshark, TCP/UDP, Telnet exploitation)
- DFIR & Incident Response (Event log analysis, Sysmon, Windows artifacts)
- Malware Analysis (Malicious process identification, VirusTotal checks)
- Credential & Command Extraction (User accounts, brute-force investigation)
- Persistence Identification (Backdoor accounts, scripts, MITRE ATT&CK mapping)
- Threat Detection & Mitigation (C2 detection, log correlation, IOCs)
- Data Exfiltration Investigation (Database and file extraction, SQL queries)
- Timeline & Contextual Analysis (Event correlation, session reconstruction)
- Security Monitoring & Alerting (DLP alerts, suspicious GET requests)
-
Meerkat: PCAP and log analysis of a credential stuffing attack, CVE-2022-25237 exploitation, and SSH persistence using Wireshark, tshark, and jq.
-
Malware compromise: Investigated a malware infection through PCAP analysis, identifying malicious domains, payload downloads, TLS C2 communication, and Ursnif/Dridex-related activity using Wireshark, Zui, and VirusTotal.
-
Web shell: Investigated a web application compromise involving SYN scanning, Gobuster enumeration, SQL injection with sqlmap, malicious PHP web shell upload, and reverse shell execution through PCAP analysis.
-
Telly: Analyzed a compromised backup server involving Telnet exploitation, backdoor account creation, C2 persistence, and database exfiltration through PCAP and SQLite forensic analysis.
-
Unit42: Investigated a malicious UltraVNC campaign using Sysmon and Event Viewer, identifying the malware, tracing DNS/network activity, and reconstructing the attack timeline.
-
Brutus: Investigated a successful SSH brute-force attack through Linux authentication logs, identifying the attacker IP, compromised root account, persistence via local account creation, and post-compromise activity.
Browse through the individual lab folders to see detailed documentation of each exercise. Screenshots, command-line examples, and extracted evidence are included to demonstrate investigation steps and analytical reasoning.