Alert Summary Initial investigation began with one suspected infected endpoint in a ransomware simulation. Evidence Observed Repeated outbound traffic with consistent interval behavior Beac...

Alert Summary Detection triggered for suspicious PowerShell execution on host WIN-01 under user jsmith. Evidence Observed Event ID 4688 – Process creation Command line included base64-encod...

In the SANS SEC504 course, I conducted a full-scope investigation into a simulated ransomware attack by the “Midnite Meerkats” threat group. This series of labs required pivoting from live system a...

Project Overview In this project, I demonstrated how to effectively use SQL filters, operators, and keywords to extract specific security-relevant data from large databases. SQL filtering is a cru...

Scope Quick-reference event IDs used regularly in SOC triage and investigation workflows. Event ID 4688 - Process Creation Use to confirm process execution details: Process name Command-li...

Purpose Standardize Tier 1 triage for suspicious PowerShell alerts in lab and simulation workflows. Required Data EDR or endpoint process telemetry Windows Security logs (Event ID 4688) A...

In the SANS SEC504 course, I targeted the “Falsimentis Customer Support” portal to identify and exploit common web vulnerabilities found in the OWASP Top 10. Here is the step-by-step methodology I...

In the SANS SEC504 course, I explored the techniques used to capture and crack credentials. Credentials are the keys to the kingdom; acquiring them allows an attacker to bypass sophisticated exploi...

In the SANS SEC504 course, I performed comprehensive network reconnaissance against a simulated corporate network (“Falsimentis”). The goal was to map the attack surface, identify running services,...

In the SANS SEC504 course, I focused on the unique misconfigurations found in cloud environments, specifically AWS S3 buckets and Cloud metadata services. The goal was to understand how simple conf...