This graduation project demonstrates the setup and operation of a miniature Security Operations Center (SOC) environment. The project simulates a real-world cyberattack scenario and investigates it using SIEM tools.
- Abdelrahman Waleed Ibrahim
- Khaled Mohammed Rihan
- Ahmed Raed Abdelgawad
- Mohamed Bakr Mohamed
- Ahmed Mohamed Abd elmoghny
- Waleed Wael Shehata
- Mohamed Farrag Ahmed
| IP Address | Role | Software | Purpose |
|---|---|---|---|
| 192.168.56.103 | Security Monitoring Station | Splunk Enterprise Edition | Central log collection and analysis |
| 192.168.56.102 | Client/Victim Machine | Splunk Universal Forwarder | Log generation and forwarding |
| 192.168.56.101 | Penetration Testing System | Kali Linux (Nmap, Metasploit Framework) | Vulnerability scanning and exploitation |
Network Range: 192.168.56.101 - 192.168.56.103
- Configured three virtual machines using VirtualBox
- Installed and configured Splunk Enterprise on Windows Server
- Deployed Splunk Universal Forwarder on Windows 10 client
- Established network connectivity between all systems
- Verified log forwarding from client to SIEM server
- Reconnaissance
  - Used Nmap for vulnerability scanning
  - Tested SMB and Meterpreter exploits
  - Identified firewall blocking SMB attacks
- Payload Development
  - Created malicious executable: `learn.exe`
  - Set up multi-handler on Kali Linux
  - Configured LHOST: 192.168.56.101
  - Configured listening port: 3333
- Attack Execution
  - Hosted payload via Python HTTP server
  - Social engineering: victim visited malicious website
  - Payload executed on target system
  - Reverse shell established
- Post-Exploitation
  - Captured system screenshots
  - Established live screen sharing
  - Monitored mouse events
  - Maintained remote access
- Used Splunk Search & Reporting app
- Ran multiple search queries for suspicious activity
- Identified execution of `learn.exe` in logs
- Traced attack timeline and connection establishment
- Confirmed payload delivery and system compromise
- Documented all findings
- Created comprehensive incident report
- Recommended immediate removal of `learn.exe`
- Closed incident after mitigation
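The investigation steps above (find the `learn.exe` execution, then trace the connection back to the Kali listener) can be expressed as detection logic. The following is an added example, not code from the project: it parses constructed Windows Security style log lines (event 4688 process creation, event 5156 connection allowed; the field names and the timestamps are assumed), flags the payload execution and the outbound connection to 192.168.56.101:3333, and confirms compromise only when the connection follows the execution.

```python
import re
from datetime import datetime

# Constructed sample events in a simplified Windows Security log layout.
# These are not captures from the lab; field names are assumed.
SAMPLE_EVENTS = """\
2024-05-01 10:02:11 EventCode=4688 New_Process_Name=C:\\Windows\\System32\\svchost.exe Account_Name=SYSTEM
2024-05-01 10:03:45 EventCode=4688 New_Process_Name=C:\\Users\\victim\\Downloads\\learn.exe Account_Name=victim
2024-05-01 10:03:46 EventCode=5156 Application_Name=\\device\\harddiskvolume2\\users\\victim\\downloads\\learn.exe Direction=Outbound Destination_Address=192.168.56.101 Destination_Port=3333
2024-05-01 10:04:02 EventCode=4688 New_Process_Name=C:\\Windows\\System32\\notepad.exe Account_Name=victim
"""

# Indicators taken from the project write-up: payload name, LHOST and listener port.
PAYLOAD = "learn.exe"
ATTACKER_IP = "192.168.56.101"
LISTENER_PORT = "3333"

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split one log line into a dict of key=value fields plus a parsed timestamp."""
    date, time, rest = line.split(" ", 2)
    fields = dict(FIELD_RE.findall(rest))
    fields["_time"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return fields

def build_timeline(raw_events):
    """Return (time, finding, detail) tuples for payload execution and C2 traffic, in order.
    Roughly the same hunt as a Splunk search such as
    EventCode=4688 New_Process_Name="*learn.exe" (assumed sourcetype and field names)."""
    findings = []
    for line in raw_events.strip().splitlines():
        ev = parse_event(line)
        code = ev.get("EventCode")
        if code == "4688" and ev.get("New_Process_Name", "").lower().endswith(PAYLOAD):
            findings.append((ev["_time"], "payload executed", ev.get("Account_Name", "?")))
        elif (code == "5156" and ev.get("Destination_Address") == ATTACKER_IP
              and ev.get("Destination_Port") == LISTENER_PORT):
            findings.append((ev["_time"], "outbound C2 connection",
                             f"{ATTACKER_IP}:{LISTENER_PORT}"))
    return sorted(findings)

def compromise_confirmed(findings, window_seconds=60):
    """True when the C2 connection follows a payload execution within the window:
    the execution-then-connection sequence the incident report relied on."""
    exec_times = [t for t, kind, _ in findings if kind == "payload executed"]
    c2_times = [t for t, kind, _ in findings if kind == "outbound C2 connection"]
    return any(0 <= (c - e).total_seconds() <= window_seconds
               for e in exec_times for c in c2_times)

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_EVENTS)
    for t, kind, detail in timeline:
        print(t, kind, detail)
    print("compromise confirmed:", compromise_confirmed(timeline))
```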
The attack demonstrated the following techniques:
| Technique ID | Technique Name | Description |
|---|---|---|
| T1189 | Drive-by Compromise | Payload downloaded from attacker's website |
| T1204.002 | User Execution: Malicious File | Victim executed malicious executable |
| T1105 | Ingress Tool Transfer | Transferred attack tools to target |
| T1059 | Command and Scripting Interpreter | Remote command execution |
| T1071.001 | Application Layer Protocol | Used HTTP for command and control |
- Virtualization: Oracle VirtualBox
- SIEM Platform: Splunk Enterprise & Universal Forwarder
- Attack Tools:
  - Nmap
  - Metasploit Framework
  - Meterpreter
  - Python HTTP Server
- Operating Systems:
  - Windows Server 2022
  - Windows 10 (x64)
  - Kali Linux
- SIEM Configuration: Successfully configured centralized log collection and monitoring
- Attack Techniques: Gained hands-on experience with common attack vectors
- Incident Investigation: Learned to analyze logs and trace attack patterns
- Incident Response: Practiced documentation and remediation procedures
- Security Awareness: Understood the importance of user education and endpoint protection
This project was conducted in a controlled lab environment for educational purposes only. All attack techniques demonstrated were performed on systems owned and operated by the project team. Unauthorized access to computer systems is illegal and unethical.
Institution: DEPI
Course: Information Security Analyst