A hands-on incident response simulation conducted on a home lab environment. An attacker machine (Kali Linux) compromised an Ubuntu target via SSH brute force, performed post-compromise reconnaissance, created backdoor accounts with sudo privileges, and planted a persistence mechanism. The full PICERL incident response methodology was followed to contain, eradicate, and recover from the incident.
| Component | Details |
|---|---|
| SIEM Host | Ubuntu 26.04 ARM64 — Elasticsearch, Kibana, Elastic Agent |
| Attacker | Kali Linux 2023 ARM64 |
| Host Machine | Apple Mac Mini M4, 32GB RAM |
| Network | Bridged (192.168.1.0/24) |
| Phase | Technique | MITRE ID |
|---|---|---|
| Reconnaissance | Nmap SYN scan | T1046 |
| Credential Access | SSH brute force via Hydra | T1110 |
| Discovery | whoami, id, /etc/passwd, ps aux | T1033, T1087, T1057 |
| Persistence | Backdoor accounts created with sudo access | T1136 |
| Persistence | Malicious cron job planted | T1053 |
| Privilege Escalation | Backdoor accounts added to sudo group | T1078 |
Three detection rules fired during the incident:
| Rule | Type | Severity |
|---|---|---|
| SSH Brute Force Detection | Custom threshold rule | Medium |
| Potential Internal Linux SSH Brute Force Detected | Elastic prebuilt | Medium |
| Suspicious Account Creation or Modification | Custom threshold rule | High |
851 failed authentication attempts captured. All attack phases logged and alerted on in real time through the ELK stack SIEM.
- Preparation — System baseline captured before incident
- Identification — Kibana alerts triggered investigation. Active attacker session confirmed via last and who commands
- Containment — Attacker IP blocked at firewall. Backdoor accounts locked
- Eradication — Backdoor accounts deleted. Malicious cron job removed. Compromised password reset
- Recovery — Firewall hardened with default deny policy. SSH restricted to admin IP only. Services verified operational
- Lessons Learned — Root cause identified as weak password + no host firewall. 7 hardening recommendations documented
~20 minutes from identification to recovery
See ir_report.pdf for the complete incident response report including full timeline, forensic evidence, MITRE ATT&CK mapping, and recommendations.
- Elastic Stack 8.19.14 (Elasticsearch, Kibana, Elastic Agent)
- Kali Linux — Nmap, Hydra
- UFW (host-based firewall)
- Ubuntu 26.04 ARM64
| Lab | Topic | Repo |
|---|---|---|
| Lab 1 | SOC/SIEM Detection | soc-home-lab |
| Lab 2 | Incident Response Simulation | This repo |
| Lab 3 | Web Application Attack | web-app-attack-lab |
| Lab 4 | Vulnerability Assessment | vulnerability-assessment-lab |
| Lab 5 | Malware Analysis | malware-analysis-lab |
