This project demonstrates the design of a monitored Active Directory environment and the detection, investigation, and response to a credential brute-force attack against it, using centralized SIEM monitoring.
The lab was built to reflect real-world SOC, IAM, and GRC workflows, focusing on visibility, detection logic, and incident response rather than tool usage alone.
The environment consists of a small enterprise-style network built in a virtualized lab:
- Windows Server 2022 acting as a Domain Controller
- Windows 10 domain-joined endpoint
- Ubuntu Server running Splunk Enterprise
- Kali Linux attacker system
- Isolated NAT network for controlled traffic flow
All systems communicate within the same private network to simulate an internal enterprise environment.
The Active Directory environment was designed with identity governance and access control principles in mind:
- Centralized authentication through Active Directory
- Organizational Units (OUs) aligned to business roles (IT, HR, Employee)
- Role-based access control using domain groups
- Controlled Remote Desktop access via group membership
- Endpoint domain-joined so that logons are authenticated by the domain controller and recorded centrally
These controls support least privilege, separation of duties, and auditability.
Centralized visibility was achieved by forwarding Windows Security logs from domain systems to Splunk:
- Authentication events collected from endpoints and the domain controller
- Successful (Event ID 4624) and failed (Event ID 4625) logon activity monitored
- Source IP addresses and workstation identifiers retained for attribution
- Continuous telemetry ingestion validated across monitored hosts, so a silent forwarder is noticed rather than mistaken for an absence of activity
This provided the foundation for reliable detection and investigation.
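The ingestion validation described above, as an added example that is not part of this project's code: it models a Splunk search over the `host` and `_time` fields with constructed sample events, and reports each expected host as reporting, stale, or missing, plus any sender that was never meant to be forwarding. The host names, timestamps, and the 15-minute silence threshold are assumptions.

```python
"""Telemetry coverage check for forwarded Windows Security logs.

Added example, not code from the project. Sample events, host names and the
silence threshold are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample of events as Splunk would return them (host + _time only).
SAMPLE_EVENTS = [
    {"host": "DC01", "_time": "2024-01-15T10:04:00"},
    {"host": "DC01", "_time": "2024-01-15T10:01:00"},
    {"host": "WIN10-01", "_time": "2024-01-15T09:20:00"},   # forwarder went quiet
    {"host": "ROGUE-VM", "_time": "2024-01-15T10:03:00"},   # not in the inventory
]
EXPECTED_HOSTS = {"DC01", "WIN10-01"}  # assumed names of the DC and the endpoint


def check_coverage(events, expected_hosts, now, max_silence=timedelta(minutes=15)):
    """Return ({host: status}, [unexpected hosts]).

    status is 'ok' (an event arrived within max_silence), 'stale' (the host has
    reported before but not recently), or 'missing' (never seen at all).
    """
    last_seen = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["_time"])
        if ts > last_seen.get(ev["host"], datetime.min):
            last_seen[ev["host"]] = ts

    status = {}
    for host in sorted(expected_hosts):
        if host not in last_seen:
            status[host] = "missing"
        elif now - last_seen[host] > max_silence:
            status[host] = "stale"
        else:
            status[host] = "ok"
    # A sender outside the inventory deserves a look: unmanaged host or misconfigured forwarder.
    unexpected = sorted(set(last_seen) - set(expected_hosts))
    return status, unexpected


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-01-15T10:05:00")
    status, unexpected = check_coverage(SAMPLE_EVENTS, EXPECTED_HOSTS, now)
    for host, state in status.items():
        print(f"{host}: {state}")
    print("unexpected senders:", unexpected)
```

Run this on a schedule (or the equivalent `stats max(_time) by host` search in Splunk) and alert on anything other than `ok`; a stale domain controller means failed-logon detections are blind, whatever the dashboards show.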
To validate detection logic, authentication attack traffic was generated in a controlled and isolated lab environment:
- Repeated authentication attempts targeted a domain user account
- Activity was limited to the lab network and test credentials
- The objective was to simulate brute-force behavior, not exploitation
No production systems or real user data were involved.
Detection focused on identifying abnormal authentication behavior and correlating events across multiple dimensions:
- High volumes of failed authentication attempts from a single source within a short time window
- User-centric analysis to identify impacted accounts
- Correlation of failed and successful logons from the same source, to tell an attempted attack from a successful one
- Attribution of activity to a specific source system and IP address
This investigation workflow mirrors real SOC analysis practices.
Detailed detection logic and investigation notes are documented in the detections/ directory.
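The detection logic above, as an added example that is not the project's own code: it re-implements in plain Python the kind of correlation the Splunk searches in detections/ perform, so it can be run offline against constructed sample events. It finds the densest run of failed logons per source inside a sliding window, lists the accounts targeted, checks whether one of those accounts then logged on successfully from the same source, and labels the pattern as brute-force (one account) or password spray (many accounts), which goes slightly beyond the single-account case in the text. Field names follow the XML rendering of Windows Security events; the threshold, window, index name, IP addresses and host names are assumptions.

```python
"""Brute-force detection with source attribution over Windows Security events.

Added example, not code from this project. Sample events, thresholds, the
Splunk index name and host/IP values are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # "An account failed to log on"
SUCCESSFUL_LOGON = 4624  # "An account was successfully logged on"


def _event(code, when, user, ip, host):
    """Build one constructed Windows Security event (not real log data)."""
    return {"_time": when, "EventCode": code, "TargetUserName": user,
            "IpAddress": ip, "WorkstationName": host}


# Constructed sample: a user who mistypes a password twice, then an attacker host
# that fails 12 times against "jdoe" within a minute and then succeeds.
SAMPLE_EVENTS = (
    [_event(FAILED_LOGON, "2024-01-15T09:55:00", "asmith", "10.0.0.20", "WIN10-01"),
     _event(FAILED_LOGON, "2024-01-15T09:56:10", "asmith", "10.0.0.20", "WIN10-01"),
     _event(SUCCESSFUL_LOGON, "2024-01-15T09:57:00", "asmith", "10.0.0.20", "WIN10-01")]
    + [_event(FAILED_LOGON, f"2024-01-15T10:00:{5 * i:02d}", "jdoe", "10.0.0.50", "KALI")
       for i in range(12)]
    + [_event(SUCCESSFUL_LOGON, "2024-01-15T10:01:30", "jdoe", "10.0.0.50", "KALI")]
)

# Roughly equivalent Splunk search for the first stage (index name assumed):
#   index=wineventlog EventCode=4625
#   | stats count AS failures dc(TargetUserName) AS accounts
#           values(TargetUserName) AS targets min(_time) AS first max(_time) AS last
#           BY IpAddress WorkstationName
#   | where failures >= 10


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per source that produced >= threshold failed logons
    inside any `window`, with the targeted accounts and whether one of them
    then logged on successfully from the same source."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        source = (ev["IpAddress"], ev["WorkstationName"])
        record = (datetime.fromisoformat(ev["_time"]), ev["TargetUserName"])
        if ev["EventCode"] == FAILED_LOGON:
            failures[source].append(record)
        elif ev["EventCode"] == SUCCESSFUL_LOGON:
            successes[source].append(record)

    alerts = []
    for source, fails in failures.items():
        fails.sort()
        # Sliding window: find the densest run of failures from this source.
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue  # below threshold: noise such as a mistyped password
        count, start, end = best
        burst = fails[start:end + 1]
        targets = sorted({user for _, user in burst})
        # Correlation: a success for a targeted account from the same source,
        # after the burst began, turns "attempted" into "likely compromised".
        success_at = next((ts for ts, user in sorted(successes[source])
                           if user in targets and ts >= burst[0][0]), None)
        alerts.append({
            "src_ip": source[0],
            "workstation": source[1],
            # one account hammered = brute force; many accounts = password spray
            "pattern": "brute-force" if len(targets) == 1 else "password-spray",
            "failure_count": count,
            "target_users": targets,
            "first_seen": burst[0][0].isoformat(),
            "last_seen": burst[-1][0].isoformat(),
            "success_at": success_at.isoformat() if success_at else None,
            "severity": "critical" if success_at else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The output gives an analyst everything the investigation workflow above asks for in one record: the source IP and workstation for attribution, the impacted account, the time span, and whether containment is urgent because a guess actually worked. Keying on the (IP, workstation) pair rather than the IP alone matters because NTLM failures can carry a workstation name that does not match the address.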
An incident response playbook was developed to outline structured response actions following detection:
- Immediate containment actions to stop attacker activity
- Eradication steps to remove compromised access
- Recovery actions to restore normal operations
- Lessons learned to improve security posture
This demonstrates readiness to move from detection to response.
Technical controls and response actions were mapped to governance frameworks to demonstrate GRC awareness:
- Identity and access management (IAM) best practices
- Continuous monitoring and detection
- Incident analysis and mitigation
- Alignment with NIST Cybersecurity Framework (CSF) functions
Framework mappings are documented in the grc-mapping/ directory.
Skills demonstrated:
- Active Directory administration
- Identity and access management (IAM)
- SIEM-based detection and investigation
- Authentication attack analysis
- Incident response methodology
- GRC and NIST CSF alignment
- Log analysis and attacker attribution
All activity in this project was conducted in an isolated lab environment for educational and defensive security purposes only.