SOC-Driven Offensive Research

Offensive Security
& Adversary Simulation

Understanding attacker behaviour to strengthen detection, triage, and incident response in SOC environments.

Why Offensive Knowledge
Makes Better Defenders

Understanding attacker techniques isn't about hacking — it's about closing the gap between what attackers know and what defenders see.

Know What Attackers See

SOC analysts who understand attack paths and reconnaissance techniques catch threats before they escalate — because they're watching the same signals attackers rely on.

Faster Alert Triage

Recognising attack patterns in SIEM telemetry reduces mean time to detect and respond. Offensive experience turns ambiguous alerts into clear, actionable intelligence.

Precision Response

Offensive knowledge removes guesswork from containment decisions. When you know how an attacker thinks and moves, you can anticipate and cut off their next step.

Attack Simulations

Each simulation is documented from both the attack execution and the SOC detection perspective — in a controlled lab environment.

1
Brute Force Attack Simulation
T1110.001 — Brute ForceCredential AccessHydraFail2Ban (monitoring)

Scenario

Targeted a local lab SSH service with a wordlist attack to simulate credential stuffing from a threat actor attempting initial access via compromised credentials.

Attack Execution

Ran Hydra with a 10,000-word common password list against SSH on a test VM. Generated 847 failed login attempts over 4 minutes before triggering account lockout thresholds.

Detection Signals

  • SIEM alert fired: >10 failed authentications from a single IP within 60 seconds
  • auth.log showed rapid sequential failures — same username, incrementing timestamps
  • Source IP outside trusted IP range with no prior access history in baseline

Investigation Steps

  1. 1Confirmed source IP is external with zero prior activity in environment logs
  2. 2Checked for any successful logins post-attack window on the targeted account
  3. 3Reviewed whether account holds service permissions or privileged sudo access
  4. 4Correlated with firewall and VPN logs to identify potential lateral movement

SOC Response Actions

  • Temporary IP block applied via perimeter firewall rule — logged and ticketed
  • Account suspended pending investigation and credential hygiene review
  • Escalated to Tier 2 analyst for full investigation scope assessment
  • Asset owner and IT team notified per incident response playbook

Outcome

Attack fully contained. No successful authentication recorded. Source IP added to blocklist. Playbook updated with refined threshold tuning recommendations.

MITRE: T1110.001 — Password Guessing
2
Phishing Attack Simulation
T1566.001 — PhishingInitial AccessGoPhish (simulated)Manual credential harvesting page

Scenario

Simulated a spear-phishing campaign targeting a finance persona with a crafted email directing to a cloned internal login page designed to harvest credentials in a controlled lab environment.

Attack Execution

Crafted a convincing email mimicking an internal IT access request. Hosted a cloned login page on a test domain. Tracked click-through and credential submission. No real credentials were used — test environment only.

Detection Signals

  • Email gateway flagged sender domain mismatch and SPF/DKIM alignment failure
  • Proxy logs showed user navigating to unrecognised external domain not in whitelist
  • SIEM alerted: successful login from new geographic location (different country, same account, within 10 minutes of phish delivery)

Investigation Steps

  1. 1Reviewed email headers for spoofing indicators, domain registration age, and routing anomalies
  2. 2Pulled proxy logs to confirm suspicious domain access timeline and scope
  3. 3Checked authentication logs for impossible travel anomaly and concurrent session conflicts
  4. 4Reviewed recent file access and outbound email activity for the compromised account

SOC Response Actions

  • Forced immediate password reset on the potentially compromised account
  • Revoked all active sessions and OAuth tokens associated with the account
  • Blocked phishing domain across DNS filter, proxy, and email gateway
  • Notified affected user and initiated targeted phishing awareness follow-up

Outcome

Credential exposure fully contained. No data accessed post-simulated compromise. Phishing domain blocked across all enforcement points. Detection rules tuned for impossible travel.

MITRE: T1566.001 — Spear-phishing Link
3
Web Application Attack — SQL Injection
T1190 — Exploit Public-Facing AppInitial AccessBurp SuiteDVWA (test environment)

Scenario

Tested a deliberately vulnerable web application for SQL injection in the login form to understand exactly what WAF and application logs would surface, and how to triage the associated alerts from a SOC perspective.

Attack Execution

Intercepted login request via Burp Suite Proxy. Modified the username field to inject a classic `' OR '1'='1` payload. Successfully bypassed authentication on the unprotected test application. Tested multiple payload variants for completeness.

Detection Signals

  • WAF logs showed SQLI_MATCH alert with the raw payload visible in request body
  • Web server access logs: unusually high 200 responses to /login from single IP in short window
  • Application logs recorded successful auth event with no corresponding valid credential match

Investigation Steps

  1. 1Correlated WAF SQLI_MATCH alert with web server access logs to confirm exploit execution
  2. 2Extracted and reviewed the raw request log to confirm malicious payload content
  3. 3Identified the affected endpoint and assessed scope of potential data exposure risk
  4. 4Reviewed outbound connection logs for data exfiltration attempts post-exploitation

SOC Response Actions

  • Blocked source IP immediately via WAF rule — applied emergency signature update
  • Raised P2 incident ticket with application development team for urgent review
  • Recommended parameterised query implementation as permanent remediation
  • Audited application for additional unprotected endpoints with similar vulnerability patterns

Outcome

Exploit contained to isolated test environment. Application team notified with full evidence package. WAF ruleset updated with targeted signature. Vulnerability patched within defined SLA.

MITRE: T1190 — Exploit Public-Facing Application, T1059 — Command Injection

How I Use Offensive Knowledge
in a SOC Role

Offensive experience isn't about attacking — it's about thinking like an attacker to defend more effectively.

Faster Alert Triage

I recognise attack patterns in SIEM alerts quickly because I have executed them in controlled environments. This reduces triage time significantly and improves first-response accuracy.

Better False Positive Identification

Understanding what real attack telemetry looks like means I can confidently dismiss noise without unnecessary escalation — reducing analyst fatigue and improving signal quality.

Stronger Incident Response Decisions

When investigating an active incident, I can anticipate the attacker's next move. Containment decisions are made with context, not guesswork — improving response speed and precision.

More Effective Threat Hunting

Offensive knowledge enables me to write precise detection rules and hunt for TTPs that automated tools miss — closing detection gaps before they become incidents.

ATT&CK Framework Aligned

MITRE ATT&CK
Techniques Covered

Techniques mapped from hands-on simulation work in controlled lab environments.

T1110

Brute Force

Credential Access

Adversaries systematically guess credentials to gain unauthorised access to accounts. Typically targets SSH, RDP, web applications, or email portals.

Detection focus: Authentication log volume anomalies, rapid sequential failures, source IP reputation analysis in SIEM.

T1566

Phishing

Initial Access

Malicious messages are crafted to harvest credentials or deliver payloads. Spear-phishing targets specific individuals using contextual social engineering.

Detection focus: Email header analysis, SPF/DKIM failures, impossible travel alerts, and proxy log anomalies post-click.

T1059

Command Injection

Execution

Attacker-controlled commands are executed through vulnerable application endpoints or interpreters, enabling arbitrary code execution on the target system.

Detection focus: WAF alert correlation, web access log anomalies, unexpected outbound connections from web-tier hosts.

Tools Used
in These Simulations

All tools were used in isolated, controlled lab environments for educational and detection-improvement purposes.

Burp Suite

Web application security testing and proxy interception

Hydra

Network login brute-force testing tool

Nmap

Network discovery and port scanning

Wireshark

Packet capture and network traffic analysis

Metasploit

Exploit framework for controlled vulnerability testing

Security Onion

Network security monitoring and intrusion detection

Case Study:
Brute Force Attack Response

A walkthrough of how this attack was detected, investigated, and contained from a SOC analyst perspective — from alert to closure.

🔴
Alert Triggered

SIEM rule fired: >10 failed SSH authentications from a single external IP within 60 seconds. Severity classified as Medium. Alert assigned to analyst queue via ITSM integration.

🔵
Investigation

Pulled auth.log entries confirming 847 failed attempts in 4 minutes. IP geolocation returned Eastern Europe. No prior activity in the environment. Account targeted has sudo access — elevated priority.

🟡
Decision

Determined this is an active, ongoing brute force attempt — not a false positive. No successful authentication recorded yet. Immediate containment actioned; Tier 2 escalation deferred pending outcome.

🟢
Response

Firewall rule added to block source IP at perimeter. Account temporarily locked to prevent any residual access attempts. Asset owner notified per comms protocol. Incident ticket created and documented in ITSM.

Outcome

No successful authentication recorded throughout the incident. Incident closed after 24-hour monitoring period with no recurrence. Threshold alerting rule updated to reduce future false positive rate. Playbook updated.

SOC Analyst · Blue Team Focus

All simulations performed in isolated lab environments for detection and response improvement.

The purpose of this work is to build better defensive instincts — not to demonstrate offensive capability for its own sake.

© 2026 Dylan Curry — Cybersecurity Portfolio