This repository documents a full multi-stage Linux intrusion simulated in a home SOC lab and analyzed using Splunk.
The lab is aligned with CompTIA CySA+ (CS0-003) and focuses on behavioral detection, MITRE ATT&CK mapping, and analyst decision-making, including the interpretation of failed attack stages.
Attacker / Compromised Host
- Raspberry Pi (Linux)
- Role: execution, C2 beaconing, persistence, discovery, exfiltration
SOC / Analysis Platform
- Splunk SOC VM
- Role: log ingestion, detection, correlation
Logs & Telemetry
- syslog
- auth.log
- cron
- HTTP/network activity
| Stage | MITRE Tactic | Technique | Outcome |
|---|---|---|---|
| Script Execution | Execution | T1059 | Successful |
| HTTP Beaconing | Command & Control | T1071.001 | Successful |
| Cron Persistence | Persistence | T1053.003 | Successful |
| Host & Network Recon | Discovery | T1082 / T1016 / T1033 | Successful |
| SSH Lateral Movement | Lateral Movement | T1021.004 | Attempted / Blocked |
| HTTP Data Exfiltration | Exfiltration | T1041 | Successful |
- Detection relied on event correlation, not single alerts
- SSH lateral movement was attempted but blocked (`connection refused`)
- Absence of authentication logs does not indicate absence of attack
- Successful HTTP exfiltration confirms attacker end-goal intent
- Bash executed a staged script (`payload.sh`)
- File permissions modified using `chmod +x`
- Script-based execution is common in early attack stages
- Often used to launch persistence or C2 mechanisms
- Tactic: Execution
- Technique: T1059 — Command and Scripting Interpreter
```spl
index=linux process_name=bash
(command="*payload.sh*" OR command="*chmod +x*")
| table _time host user command
```
- Periodic outbound HTTP GET requests
- Requests occurred at regular time intervals
- Low data volume per request
- Humans do not generate perfectly timed traffic
- Regular intervals strongly indicate automated C2 beaconing
- Tactic: Command & Control
- Technique: T1071.001 — Web Protocols
```spl
index=net* http_method=GET
| bin _time span=1m
| stats count by src_ip dest_ip _time
| where count > 3
```
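The search above counts requests per minute, which catches chatty beacons but not a slow one. The stronger signal described in the bullets is timing regularity, so the following added example (not code from the lab repository) measures it directly: it parses constructed HTTP log lines in an assumed `<timestamp> <src_ip> <dest_ip> <method> <uri> <bytes>` format, computes the inter-request gaps per source/destination pair, and flags pairs whose coefficient of variation is near zero and whose responses are uniformly small.

```python
"""Beacon detection by inter-arrival regularity.

Added example (not code from the lab repository). The log line format
"<ISO timestamp> <src_ip> <dest_ip> <method> <uri> <bytes>" is an assumption
standing in for the lab's HTTP telemetry; the sample below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 192.168.1.20 polls 10.0.0.50 every ~60 s with tiny
# responses (beacon); 192.168.1.30 browses 10.0.0.60 at irregular intervals.
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.168.1.20 10.0.0.50 GET /update.php 212
2024-05-01T10:01:00 192.168.1.20 10.0.0.50 GET /update.php 212
2024-05-01T10:02:01 192.168.1.20 10.0.0.50 GET /update.php 212
2024-05-01T10:03:00 192.168.1.20 10.0.0.50 GET /update.php 212
2024-05-01T10:04:00 192.168.1.20 10.0.0.50 GET /update.php 212
2024-05-01T10:05:01 192.168.1.20 10.0.0.50 GET /update.php 212
2024-05-01T10:00:05 192.168.1.30 10.0.0.60 GET /index.html 5310
2024-05-01T10:00:11 192.168.1.30 10.0.0.60 GET /style.css 1200
2024-05-01T10:02:40 192.168.1.30 10.0.0.60 GET /news 8800
2024-05-01T10:03:02 192.168.1.30 10.0.0.60 GET /news/2 9100
2024-05-01T10:09:45 192.168.1.30 10.0.0.60 GET /about 3100
2024-05-01T10:09:49 192.168.1.30 10.0.0.60 GET /contact 2900
"""


def parse_http_log(text):
    """Parse the assumed space-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, uri, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "method": method, "uri": uri, "bytes": int(size)})
    return events


def beacon_candidates(events, min_requests=5, max_cv=0.1, max_bytes=1024):
    """Return {(src, dst): stats} for GET streams whose timing is machine-regular.

    cv is the coefficient of variation (stdev / mean) of the inter-request
    gaps: near 0 for a fixed-interval beacon, well above 0 for a human.
    Small, uniform response sizes are used as a secondary signal.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == "GET":
            by_pair[(e["src"], e["dst"])].append(e)

    hits = {}
    for pair, evs in by_pair.items():
        if len(evs) < min_requests:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv and max(e["bytes"] for e in evs) <= max_bytes:
            hits[pair] = {"requests": len(evs),
                          "mean_interval_s": round(avg, 1),
                          "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for pair, stats in beacon_candidates(parse_http_log(SAMPLE_LOG)).items():
        print(pair, stats)
```

Only the 192.168.1.20 stream is reported (six requests, mean interval 60.2 s, cv about 0.012). Real C2 frameworks add jitter to their sleep interval, so `max_cv` has to be tuned per environment; the per-minute count search and this regularity check complement each other rather than replace each other.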
- A cron job configured with `@reboot`
- Script executed from a user home directory
- Persistence survived system restarts
- Uses a native OS scheduling mechanism
- Blends in with legitimate administrative activity
- Common Linux malware persistence technique
- Tactic: Persistence
- Technique: T1053.003 — Cron
```spl
index=linux "@reboot"
| table _time host user message
```
- Multiple system and network reconnaissance commands
- Commands executed within a short time window
- Individual commands are benign
- Command clustering indicates post-compromise enumeration
- Strong behavioral detection signal
- Tactic: Discovery
- Techniques:
- T1082 — System Information Discovery
- T1016 — Network Configuration Discovery
- T1033 — System Owner/User Discovery
```spl
index=linux process_name=bash
(command="whoami" OR command="uname -a" OR command="ip a")
| bin _time span=2m
| stats count values(command) by host user _time
| where count >= 3
```
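The search above buckets commands into fixed 2-minute bins, so a burst that straddles a bin boundary is split and can fall under the threshold. The following added example (not code from the lab repository) implements the same clustering idea with a sliding window over constructed shell-audit lines in an assumed `<timestamp> <host> <user> <command>` format, matches each command against a small prefix table of discovery commands, and reports the densest window per host/user together with the ATT&CK techniques it covers.

```python
"""Discovery-command clustering over constructed shell-audit lines.

Added example (not code from the lab repository). The line format
"<ISO timestamp> <host> <user> <command...>" is an assumption standing in
for the bash command telemetry the lab searched; the sample is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Command prefixes that are individually benign but together signal enumeration.
RECON_COMMANDS = {
    "whoami": "T1033", "id": "T1033",
    "uname": "T1082", "hostname": "T1082", "cat /etc/os-release": "T1082",
    "ip": "T1016", "ifconfig": "T1016", "netstat": "T1016", "ss": "T1016",
}

# Constructed sample: pi01 enumerates four things in 15 s; srv02 runs two
# recon commands 50 minutes apart, which should not cluster.
SAMPLE_COMMANDS = """\
2024-05-01T10:10:00 pi01 pi whoami
2024-05-01T10:10:04 pi01 pi uname -a
2024-05-01T10:10:09 pi01 pi ip a
2024-05-01T10:10:15 pi01 pi cat /etc/os-release
2024-05-01T10:10:30 pi01 pi ls -la /home
2024-05-01T10:30:00 srv02 admin uname -a
2024-05-01T10:45:00 srv02 admin ls /var/log
2024-05-01T11:20:00 srv02 admin ip a
"""


def classify(command):
    """Return the ATT&CK technique for a recon command, else None."""
    for prefix, technique in RECON_COMMANDS.items():
        if command == prefix or command.startswith(prefix + " "):
            return technique
    return None


def parse_commands(text):
    """Parse the assumed format; the command keeps its arguments."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, command = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "command": command})
    return events


def recon_clusters(events, window=timedelta(minutes=2), min_distinct=3):
    """Flag (host, user) pairs running >= min_distinct distinct recon commands
    inside any sliding window of the given length; returns the densest window.
    """
    by_actor = defaultdict(list)
    for e in events:
        technique = classify(e["command"])
        if technique:
            by_actor[(e["host"], e["user"])].append((e["ts"], e["command"], technique))

    clusters = {}
    for actor, evs in by_actor.items():
        evs.sort()
        best = None
        for i, (end_ts, _, _) in enumerate(evs):
            # Every recon event ends a candidate window reaching back `window`.
            in_window = [x for x in evs[: i + 1] if end_ts - x[0] <= window]
            distinct = {cmd for _, cmd, _ in in_window}
            if len(distinct) >= min_distinct and (best is None or len(distinct) > len(best["commands"])):
                best = {"commands": sorted(distinct),
                        "techniques": sorted({t for _, _, t in in_window}),
                        "start": in_window[0][0].isoformat(),
                        "end": end_ts.isoformat()}
        if best:
            clusters[actor] = best
    return clusters


if __name__ == "__main__":
    for actor, cluster in recon_clusters(parse_commands(SAMPLE_COMMANDS)).items():
        print(actor, cluster)
```

Only `('pi01', 'pi')` is reported, with techniques T1016, T1033 and T1082 in a 15-second window; srv02 is ignored because its two recon commands never fall inside the same window. Prefix matching rather than exact matching is what lets `ip a`, `ip addr` and `uname -a` all count, which the exact `command="..."` clauses in the SPL do not.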
- SSH connection attempts to another internal host
- Connection refused by the target system
- Indicates attempted lateral movement
- Failure occurred before authentication: `connection refused` is a TCP-level rejection (no listener or a rejecting firewall), so sshd on the target never saw the attempt
- Explains the absence of authentication logs on the target; the evidence lives in the attacker host's client output and network telemetry
- Tactic: Lateral Movement
- Technique: T1021.004 — SSH
```spl
index=linux "Connection refused"
```
- HTTP POST request with binary payload
- Data compressed prior to transfer
- Compression + POST is common for data theft
- Indicates attacker end-goal behavior
- Tactic: Exfiltration
- Technique: T1041 — Exfiltration Over C2 Channel
```spl
index=net* http_method=POST
| stats sum(bytes_out) as total_bytes by src_ip dest_ip
| where total_bytes > 50000
| sort - total_bytes
```
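The volume threshold alone does not capture the "compressed prior to transfer" observation. The following added example (not code from the lab repository) scores constructed POST records the same way the SPL does, summing body bytes per source/destination pair, and additionally checks each body for an archive signature or high byte entropy; the "stolen document" is pseudo-random text compressed with gzip so the sample is deterministic.

```python
"""Exfiltration scoring for HTTP POST traffic: volume per (src, dst) pair plus
a "looks compressed" check on the body.

Added example (not code from the lab repository). Records are assumed to
carry the raw POST body; the sample traffic below is constructed, and the
"stolen document" is pseudo-random text so the gzip output is deterministic.
"""
import gzip
import math
import random
import string
from collections import Counter, defaultdict

# Magic bytes for gzip, zip, bzip2, xz and raw zlib streams.
COMPRESSED_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"BZh", b"\xfd7zXZ\x00",
                    b"\x78\x9c", b"\x78\xda")


def shannon_entropy(data):
    """Bits of entropy per byte; approaches 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_compressed(body, min_entropy=7.0):
    """True if the body starts with a known archive signature or is high-entropy."""
    return body.startswith(COMPRESSED_MAGIC) or shannon_entropy(body) >= min_entropy


def build_sample_records():
    """Constructed traffic: one gzip upload (~70 KB) and ordinary small POSTs."""
    rng = random.Random(7)
    document = "".join(rng.choices(string.ascii_letters + " ", k=100_000)).encode()
    archive = gzip.compress(document, mtime=0)
    return [
        {"src": "192.168.1.20", "dst": "10.0.0.50", "method": "POST",
         "uri": "/upload", "body": archive},
        {"src": "192.168.1.20", "dst": "10.0.0.50", "method": "GET",
         "uri": "/update.php", "body": b""},
        {"src": "192.168.1.30", "dst": "10.0.0.60", "method": "POST",
         "uri": "/login", "body": b"user=alice&password=hunter2"},
        {"src": "192.168.1.30", "dst": "10.0.0.60", "method": "GET",
         "uri": "/index.html", "body": b""},
    ]


def exfil_candidates(records, min_bytes=50_000):
    """Sum POST body bytes per (src, dst), like `stats sum(bytes_out)` in the
    SPL search, keep pairs over the threshold, and count compressed-looking POSTs."""
    totals = defaultdict(lambda: {"bytes_out": 0, "posts": 0, "compressed_posts": 0})
    for r in records:
        if r["method"] != "POST":
            continue
        t = totals[(r["src"], r["dst"])]
        t["bytes_out"] += len(r["body"])
        t["posts"] += 1
        if looks_compressed(r["body"]):
            t["compressed_posts"] += 1
    return {pair: t for pair, t in totals.items() if t["bytes_out"] > min_bytes}


if __name__ == "__main__":
    for pair, stats in exfil_candidates(build_sample_records()).items():
        print(pair, stats)
```

The gzip upload from 192.168.1.20 is the only pair over the threshold and its single POST is flagged as compressed; the login form POST is both tiny and low-entropy. The entropy fallback matters because an attacker can strip the magic bytes or encrypt before sending, and encrypted data scores just as high as compressed data.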