This project simulates a full end-to-end cyber operation in a controlled cyber range environment, demonstrating both offensive (red team) and defensive (blue team) capabilities.
The lab follows a structured attack lifecycle from reconnaissance through objective execution, then transitions into detection, analysis, and incident response using a SIEM platform.
It highlights how real-world attackers move through the phases of an intrusion and how defenders detect, investigate, and respond to that activity using both network and host-based evidence.
- Simulate a structured cyber attack across Linux and Windows systems
- Identify and exploit vulnerable services using reconnaissance-driven methods
- Establish persistence and perform post-exploitation enumeration
- Detect and analyze attacker behavior using Security Onion SIEM
- Map observed activity to MITRE ATT&CK techniques
- Document findings from both attacker and defender perspectives
- Attacker: Kali Linux
- Targets: Linux (Metasploitable-style) and Windows Server
- SIEM: Security Onion (Zeek + Suricata)
- Tools: Nmap, Metasploit, Kibana/Discover, MITRE ATT&CK Navigator
- Network scanning and service enumeration using Nmap
- CPE → CVE mapping and CVSS-based risk prioritization
- Exploitation of vulnerable services on Linux and Windows systems
- Verified command execution and SYSTEM-level access via Meterpreter
- Command history clearing and Windows event log manipulation
- Demonstration of attacker anti-forensic behavior
- Linux cron-based persistence
- Windows scheduled task persistence
- Post-exploitation enumeration
- Artifact discovery and extraction (flag retrieval)
- Identification of scanning, exploitation, and persistence activity in Security Onion
- Analysis of Zeek logs and Suricata alerts
- Correlation of attacker activity using SIEM data
- Evaluation of attack effectiveness
- Mapping activity to structured cyber operation phases
- Analysis of detection gaps and defensive visibility
- Network reconnaissance (Nmap)
- Vulnerability identification and CVE analysis
- Exploitation using Metasploit
- Post-exploitation enumeration
- Persistence techniques (cron, scheduled tasks)
- SIEM analysis using Security Onion
- Log analysis (Zeek, Suricata)
- Indicator of Compromise (IOC) identification
- Incident detection and response workflow
- MITRE ATT&CK mapping
- Real-world attacks follow structured, multi-phase workflows
- Persistence and evasion techniques can reduce host-level visibility
- Network sensors keep detecting after host artifacts are removed: clearing shell history or Windows event logs does not touch the Zeek and Suricata records already on the Security Onion sensor, and clearing the Windows Security log itself writes Event ID 1102
- Effective defense requires correlation of network and host-based data
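An added example of the reconnaissance-phase tooling listed above (Nmap service enumeration, CPE → CVE mapping, CVSS-based prioritization); this is not code from the project. It parses the XML that `nmap -sV -oX` writes, pulls the CPE strings Nmap attaches to fingerprinted services, and ranks open ports by the highest CVSS score found. The Nmap XML fragment, the host addresses and the CPE-to-CVE table are constructed for the example: in practice the table is replaced by an NVD API query, and the two entries shown should be checked against NVD before use.

```python
"""Rank open ports from Nmap XML by CVSS using a CPE -> CVE lookup.
Example code, not the project's own; scan data and CVE table are constructed."""
import xml.etree.ElementTree as ET

# Constructed fragment shaped like `nmap -sV -oX` output (not a real scan of the lab).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"><cpe>cpe:/a:vsftpd:vsftpd:2.3.4</cpe></service></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"><cpe>cpe:/a:openbsd:openssh:4.7p1</cpe></service></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.0.20"><cpe>cpe:/a:samba:samba:3.0.20</cpe></service></port>
      <port protocol="tcp" portid="8080"><state state="closed"/>
        <service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed stand-in for an NVD lookup: CPE -> [(CVE id, CVSS v2 base score)].
# Replace with live NVD API results; verify scores there before relying on them.
CVE_TABLE = {
    "cpe:/a:vsftpd:vsftpd:2.3.4": [("CVE-2011-2523", 10.0)],
    "cpe:/a:samba:samba:3.0.20": [("CVE-2007-2447", 6.0)],
}


def parse_services(xml_text):
    """Return one record per open port: host, port, proto, service, product, CPE list."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no exploitable service
            svc = port.find("service")
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "cpes": [c.text for c in svc.iter("cpe")] if svc is not None else [],
            })
    return services


def severity(score):
    """CVSS v2 qualitative bands as NVD labels them: Low 0-3.9, Medium 4.0-6.9, High 7.0-10."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritize(services, cve_table=CVE_TABLE):
    """Attach CVE matches and sort by highest CVSS; services with no match sort last as 'Unrated'."""
    ranked = []
    for s in services:
        matches = [m for cpe in s["cpes"] for m in cve_table.get(cpe, [])]
        top = max((score for _, score in matches), default=-1.0)
        ranked.append({**s, "cves": matches, "max_cvss": top,
                       "severity": severity(top) if matches else "Unrated"})
    ranked.sort(key=lambda r: r["max_cvss"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize(parse_services(SAMPLE_NMAP_XML)):
        ids = ", ".join(cve for cve, _ in r["cves"]) or "-"
        print(f"{r['host']}:{r['port']}/{r['proto']:<4} {r['product']:<12} {r['severity']:<8} {ids}")
```

Services Nmap cannot fingerprint (no CPE) fall to the bottom as "Unrated" rather than being dropped; in a real engagement those still deserve manual review, because an absent CPE means Nmap could not identify the version, not that the service is safe.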
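An added example of the detection and correlation work described in the defensive and takeaway bullets above (not the project's own code). It runs over a handful of constructed Zeek conn.log and Suricata eve.json lines in the JSON form Security Onion ships to Elasticsearch and rebuilds a three-phase timeline: the scan from many S0/REJ connections in a short window, the exploit from a Suricata alert, and the cron-driven reverse shell from connections back to the attacker at a steady interval, which is the network footprint that survives shell-history and event-log clearing. All addresses, timestamps, thresholds and the alert signature text are constructed.

```python
"""Correlate Zeek conn.log and Suricata eve.json events (Security Onion JSON form) into a timeline.
Example code; all addresses, times and the alert signature are constructed, not captured from the lab."""
import json
from collections import defaultdict
from datetime import datetime, timezone
from statistics import pstdev

ATTACKER, TARGET = "192.0.2.100", "192.0.2.10"   # constructed lab addresses
BASE = 1700000000.0                              # constructed epoch base for the timeline


def _conn(ts, src, dst, dport, state, dur=0.0):
    """One Zeek conn.log record in JSON form (field names as Zeek writes them)."""
    return json.dumps({"ts": ts, "uid": "C0", "id.orig_h": src, "id.orig_p": 40000,
                       "id.resp_h": dst, "id.resp_p": dport, "proto": "tcp",
                       "conn_state": state, "duration": dur})


# Constructed Zeek lines: a SYN scan of 12 ports in ~1 s (S0 = no reply, REJ = RST), one benign
# web session, then a reverse shell re-dialling attacker:4444 every ~60 s (cron-driven persistence).
ZEEK_CONN = [_conn(BASE + i * 0.1, ATTACKER, TARGET, p, "S0" if i % 2 else "REJ")
             for i, p in enumerate([21, 22, 23, 25, 53, 80, 111, 139, 445, 512, 513, 514])]
ZEEK_CONN.append(_conn(BASE + 5.0, "192.0.2.50", TARGET, 80, "SF", 0.4))
ZEEK_CONN += [_conn(BASE + 200.0 + i * 60.0 + (0.3 if i % 2 else 0.0), TARGET, ATTACKER, 4444, "SF", 2.0)
              for i in range(5)]

# Constructed Suricata eve.json alert between the scan and the first beacon (signature text is made up).
SURICATA_EVE = [json.dumps({
    "timestamp": datetime.fromtimestamp(BASE + 100.0, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f%z"),
    "event_type": "alert", "src_ip": ATTACKER, "src_port": 41234, "dest_ip": TARGET, "dest_port": 21,
    "proto": "TCP", "alert": {"signature": "EXAMPLE EXPLOIT constructed FTP backdoor trigger", "severity": 1}})]

SCAN_PORTS, SCAN_WINDOW = 10, 5.0    # >= 10 distinct ports from one source pair within 5 s
BEACON_MIN, BEACON_JITTER = 4, 1.0   # >= 4 completed dials whose gap std-dev is under 1 s


def load(lines):
    return [json.loads(line) for line in lines]


def detect_scans(conns):
    """Flag a source that probes many distinct ports on one host within SCAN_WINDOW seconds."""
    probes = defaultdict(list)
    for c in conns:
        if c["conn_state"] in ("S0", "REJ", "RSTO", "RSTOS0"):
            probes[(c["id.orig_h"], c["id.resp_h"])].append((c["ts"], c["id.resp_p"]))
    hits = []
    for (src, dst), evs in probes.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                hits.append({"ts": t0, "phase": "reconnaissance", "src": src, "dst": dst,
                             "detail": f"{len(ports)} ports probed within {SCAN_WINDOW:.0f}s"})
                break  # one finding per source/destination pair is enough
    return hits


def detect_exploits(alerts):
    """Lift Suricata alerts onto the epoch timeline that Zeek uses."""
    hits = []
    for a in alerts:
        if a.get("event_type") != "alert":
            continue
        ts = datetime.strptime(a["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()
        hits.append({"ts": ts, "phase": "exploitation", "src": a["src_ip"], "dst": a["dest_ip"],
                     "detail": f"{a['alert']['signature']} (sev {a['alert']['severity']})"})
    return hits


def detect_beacons(conns):
    """Flag repeated completed connections to one port at a near-constant interval."""
    flows = defaultdict(list)
    for c in conns:
        if c["conn_state"] == "SF":
            flows[(c["id.orig_h"], c["id.resp_h"], c["id.resp_p"])].append(c["ts"])
    hits = []
    for (src, dst, dport), ts in flows.items():
        if len(ts) < BEACON_MIN:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) < BEACON_JITTER:
            hits.append({"ts": ts[0], "phase": "persistence", "src": src, "dst": dst,
                         "detail": f"{len(ts)} dials to {dport}/tcp every ~{sum(gaps) / len(gaps):.0f}s"})
    return hits


def build_timeline(zeek_lines, eve_lines):
    """Merge detections in time order and mark those sharing an endpoint with a scan source."""
    conns, alerts = load(zeek_lines), load(eve_lines)
    events = detect_scans(conns) + detect_exploits(alerts) + detect_beacons(conns)
    events.sort(key=lambda e: e["ts"])
    scanners = {e["src"] for e in events if e["phase"] == "reconnaissance"}
    for e in events:
        e["correlated"] = e["src"] in scanners or e["dst"] in scanners
    return events


if __name__ == "__main__":
    for e in build_timeline(ZEEK_CONN, SURICATA_EVE):
        print(f"{e['ts']:.1f} {e['phase']:<15} {e['src']} -> {e['dst']}  {e['detail']}  correlated={e['correlated']}")
```

The beacon check is what makes the persistence phase visible from the sensor alone: a cron entry firing a reverse shell produces a connection from the target back to the attacker at a fixed cadence, and that pattern is in Zeek's conn.log regardless of what the attacker later deletes on the host. The thresholds are deliberately loose for a lab; on a production network tune SCAN_PORTS, SCAN_WINDOW and BEACON_JITTER against baseline traffic, and expect legitimate pollers (monitoring agents, NTP) to show beacon-like regularity that needs an allow-list.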
- `/offensive` – Red team methodology and execution
- `/defensive` – Detection and incident analysis
- `/assessment` – Operational evaluation
- `/screenshots` – Evidence supporting each phase
- `/references` – Supporting research and context
All activities were conducted in a controlled academic cyber range environment. This project is intended for educational, defensive, and professional development purposes only.