nysch3n/SOC-Lab-Detection-Engineering

🛡️ SOC & Detection Engineering Home Lab

A comprehensive, custom-built Active Directory environment designed to simulate real-world cyber attacks and engineer robust detection rules. This project bridges the gap between offensive operations (Red Teaming) and defensive monitoring (Blue Teaming/SOC) using industry-standard tools like Splunk, Sysmon, and Kali Linux.

Architecture & Infrastructure

The lab is distributed across two high-performance physical machines, isolating the attack infrastructure from the target network.

Hardware & Virtualization

  • Defensive / Target Host (The "Corporate Network"):
    • Hardware: Custom PC build (Intel Core i7-13700K, 32GB RAM 6400MHz DDR5).
    • Hypervisor: VMware Workstation.
  • Offensive Host (The "Threat Actor"):
    • Hardware: Apple MacBook Pro M1.
    • Hypervisor: VMware Fusion Pro.

Virtual Machines & Roles

| Machine Name | OS | Role | Telemetry / Agents |
|---|---|---|---|
| Splunk-SIEM | Ubuntu Server | Centralized SIEM (indexer and search head) | Splunk Enterprise (web UI on port 8000, forwarder receiving on port 9997) |
| DC-01 | Windows Server 2022 | Domain Controller (soclab.local) | Sysmon (SwiftOnSecurity config), Splunk Universal Forwarder |
| WIN10-CLIENT | Windows 10 Pro | Domain-joined workstation | Sysmon (SwiftOnSecurity config), Splunk Universal Forwarder |
| Kali-Attacker | Kali Linux (ARM64) | Red Team operations / attack origin | Nmap, NetExec, Hydra, Metasploit |

Repository Structure

This repository is divided into distinct operational phases:

  • 📁 Infrastructure/ - Deployment scripts, agent configurations, and data pipeline setup.
  • 📁 Offensive/ - Attack playbooks, payload generation, and execution logs.
  • 📁 Defensive/ - Threat hunting SPL queries, blind spot analysis, and detection logic.

Future Roadmap & Next Steps

This lab is a living project. The scenarios below trace its phases, from the initial build through work still planned:

  • Initial Infrastructure Setup & Data Pipeline
  • Network Recon & Documentation of Detection Blind Spots
  • SMB Brute Force Execution & Detection (Overcoming Localization Issues)
  • Advanced Lateral Movement using Impacket (WMIexec)
  • Credential Dumping (SAM/LSA) & Defender Evasion Analysis
  • Pass-the-Hash (PtH) attacks and Event ID 4624 (Logon Type 3 vs Type 9) analysis
  • Advanced Lateral Movement using C2 Frameworks (e.g., Sliver)
  • Implementing automated alerts and Sigma Rules

Disclaimer: This environment is completely isolated and built solely for educational purposes and detection engineering research.

About

🛡️Advanced Purple Team Homelab focusing on Active Directory adversary emulation and Detection Engineering. Features Splunk SIEM configuration, Sysmon telemetry, and custom alert generation for lateral movement (Pass-the-Hash, WMIexec) and C2 beaconing (Sliver).
