# Network Detection Lab

(SIEM-First SOC Detection, Investigation & Gap Analysis)
## Overview

This lab demonstrates how a Security Operations Center (SOC) detects, investigates, and documents internal reconnaissance and attempted abuse activity using SIEM-style detection logic and investigation workflows.

The focus is detection, correlation, and incident response documentation, not exploitation.

This project builds directly on findings from the network-discovery phase and shows how those activities are translated into actionable detections, incident reports, and improvement plans.
## Objectives

- Detect internal network discovery activity
- Identify unauthorized privileged account creation
- Validate firewall controls blocking SMB lateral movement
- Investigate attempted (but failed) credential abuse
- Document a SOC-style incident response
- Identify detection gaps and detection maturity level
## Lab Environment

| Component | Details |
|---|---|
| Analyst / Attacker | Kali Linux |
| Target Host | Windows workstation |
| Logs Reviewed | Network traffic, Windows Security Events |
| SIEM | Elastic-style KQL (conceptual, production-aligned) |
| Scope | Detection, investigation, documentation |
## Attack & Detection Summary

- Internal network scanning and service discovery
- Unauthorized local user account created
- Attempted credential abuse via scheduled task
  - Task creation failed
- Attempted SMB-based lateral movement
  - TCP/445 blocked by firewall

**Outcome**

- No authentication success
- No persistence achieved
- No lateral spread
## Detection Capabilities Demonstrated

### 1. Network Discovery Detection

- Identification of port scanning behavior
- Correlation of multiple destination ports

### 2. Privileged Account Monitoring

- Detection of local user creation
- Identification of administrator group modification

### 3. Credential Abuse (Attempted)

- Review of failed scheduled task creation
- Investigation of misuse attempts without execution

### 4. Lateral Movement Prevention

- Validation of blocked SMB traffic (TCP/445)
- Confirmation of firewall effectiveness
## SIEM Detection Logic (Conceptual)

**Elastic KQL: Blocked SMB Attempt**

```kql
network.transport : "tcp" and destination.port : 445 and event.action : ("DROP" or "BLOCK")
```

Detection logic is conceptual, written to reflect how Elastic Security detections are authored in production SOCs. (KQL expresses alternative values for one field with `or` inside the parentheses, so the original comma-separated list has been corrected.)
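As an added example (not code from the lab's own `detections/` folder), the following Python expresses three of the detections described above as functions over constructed sample events: port-scan correlation across destination ports, the blocked TCP/445 rule from the KQL query, and correlation of a new local account with an Administrators group addition. The ECS field names and Windows Security event IDs 4720/4732 are real; the sample events, the flat key names standing in for ECS fields, and the threshold of five ports are assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not the lab's own logs). Flat keys stand in for the
# ECS fields used in the KQL above: source.ip, destination.ip, destination.port,
# network.transport, event.action.
NET_EVENTS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "port": 22,   "transport": "tcp", "action": "ALLOW"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "port": 80,   "transport": "tcp", "action": "ALLOW"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "port": 135,  "transport": "tcp", "action": "ALLOW"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "port": 139,  "transport": "tcp", "action": "ALLOW"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "port": 3389, "transport": "tcp", "action": "ALLOW"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "port": 445,  "transport": "tcp", "action": "DROP"},
    {"src": "10.0.0.7", "dst": "10.0.0.20", "port": 443,  "transport": "tcp", "action": "ALLOW"},
    {"src": "10.0.0.7", "dst": "10.0.0.20", "port": 445,  "transport": "udp", "action": "DROP"},  # not TCP/445
]

# Constructed Windows Security events, simplified: 4720 = a user account was created,
# 4732 = a member was added to a security-enabled local group.
WIN_EVENTS = [
    {"event_id": 4720, "subject": "admin", "target_user": "svc_backup"},
    {"event_id": 4732, "subject": "admin", "member": "svc_backup", "group": "Administrators"},
    {"event_id": 4732, "subject": "admin", "member": "alice", "group": "Remote Desktop Users"},
]


def port_scan_sources(events, min_ports=5):
    """Reconnaissance rule: sources that touched at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for e in events:
        ports_by_src[e["src"]].add(e["port"])
    return {src for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def blocked_smb(events):
    """Lateral-movement rule: the same predicate as the KQL query (tcp, port 445, DROP/BLOCK)."""
    return [(e["src"], e["dst"]) for e in events
            if e["transport"] == "tcp" and e["port"] == 445 and e["action"] in ("DROP", "BLOCK")]


def new_local_admins(events):
    """Privileged-account rule: accounts created (4720) and then added to Administrators (4732)."""
    created = {e["target_user"] for e in events if e["event_id"] == 4720}
    return [e["member"] for e in events
            if e["event_id"] == 4732 and e["group"] == "Administrators" and e["member"] in created]


if __name__ == "__main__":
    print("port scan sources:", port_scan_sources(NET_EVENTS))
    print("blocked SMB:", blocked_smb(NET_EVENTS))
    print("new local admins:", new_local_admins(WIN_EVENTS))
```

The UDP/445 drop is deliberately excluded by the transport check, mirroring the `network.transport : "tcp"` clause, and the Remote Desktop Users addition is ignored because only the Administrators group is in scope.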
## Incident Outcome

| Attribute | Value |
|---|---|
| Impact | None |
| Status | Contained |
| Severity | Low to Medium |
| Root Cause | Unauthorized local account creation attempt |
| Lateral Movement | Prevented |

## Detection Gap Analysis

Identified gaps during investigation:

- No alert on failed scheduled task creation
- No behavioral detection for service account misuse
- Limited visibility into blocked authentication attempts

These gaps directly inform future detection engineering and automation efforts.
## Detection Maturity Assessment

| Area | Maturity |
|---|---|
| Reconnaissance Detection | Basic |
| Privileged Account Monitoring | Partial |
| Credential Abuse Detection | Weak |
| Lateral Movement Prevention | Strong |
| Automated Correlation | Not Implemented |

## Lessons Learned

- Failed attacks provide valuable detection signals
- SOC visibility must include attempted abuse, not just success
- Preventive controls are strongest when paired with detection
- Detection gaps are actionable roadmap items, not failures
## MITRE ATT&CK Mapping (Partial / Prevented)

- TA0043 - Reconnaissance
  - T1046 - Network Service Scanning
- TA0006 - Credential Access (Attempted)
  - Failed scheduled task execution
- TA0008 - Lateral Movement (Prevented)
  - T1021.002 - SMB / Admin Shares
## Repository Structure

```
network-detection-lab/
├── README.md
├── incident-report.md          # Formal SOC incident report
├── detection-gap-analysis.md   # Identified detection weaknesses
├── detection-maturity.md       # SOC maturity assessment
├── detections/                 # KQL / detection logic examples
└── remediation.md              # Detection & hardening recommendations
```
## Background Context

This lab builds on hands-on training from:

- Google Cybersecurity Professional Certificate
- Google Cloud Cybersecurity Certificate
- IBM Cybersecurity Case Studies
- Google Security Operations (Chronicle)

Focus: translating theory into observable detections, investigations, and SOC-ready documentation.