SOC Analyst · Cloud Pentester · Red Team Operator
Evidence over conversation. Terminal output or it didn't happen.
This repo is my working portfolio — real investigations, real terminal logs, real detection rules. I build in both directions: red team (offensive) and blue team (defensive). The best attackers understand defense, and the best defenders think like attackers.
Currently: Phase 2 — AWS Cloud Pentesting (IAM enumeration)
```
/red-team/              ← Offensive operations
├── web-attacks/        — OWASP Top 10, blind exploitation
├── aws-pentesting/     — IAM escalation, Lambda, S3, IMDS
├── active-directory/   — Kerberoasting, BloodHound, Impacket
└── ai-llm-attacks/     — Prompt injection, RAG exploitation
/blue-team/             ← Defensive operations
├── soc-investigations/ — Phishing, malware, incident response
│   ├── phishing/       — Email triage, URL analysis, containment
│   └── malware/        — Static/dynamic analysis, IOC extraction
└── detection-rules/    — Sigma rules, Splunk queries
    ├── sigma/          — Production-ready Sigma detection rules
    └── splunk/         — SPL hunt queries
/labs/                  — Lab write-ups and infrastructure
├── s3-enumeration/     — AWS Account ID via public S3
└── infrastructure/     — Lab architecture manifest
```
| ID | Type | Verdict | CVE |
|---|---|---|---|
| SOC120 | Phishing (Internal) | 🟢 False Positive | — |
| SOC140 | Phishing (Attachment) | 🔴 True Positive | — |
| SOC141 | Phishing (URL) | 🔴 True Positive | — |
| SOC104 | Malware (Download) | 🟢 False Positive | — |
| SOC137 | Malware (Macro) | 🔴 True Positive | — |
| SOC138 | Malware (C2) | 🔴 True Positive | — |
| SOC342 | Web Attack (RCE) | 🔴 True Positive | CVE-2025-53770 |
| SOC287 | Network (LFI) | 🔴 True Positive | CVE-2024-24919 |
| Rule | Technique | MITRE ATT&CK |
|---|---|---|
| Internal Phishing | Email keyword + sender verification | T1566.001 |
| Malicious Attachments | Macro-enabled Office docs | T1566.001, T1204.002 |
| Malicious URL Access | Proxy/DNS detection | T1189, T1204.001 |
| Suspicious Downloads | Allowlist-filtered download detection | T1189 |
| Macro → PowerShell | AutoOpen spawning PowerShell | T1204.002, T1059.001 |
| C2 Beaconing | Periodic outbound C2 traffic | T1071.001 |
| SharePoint RCE | ToolPane.aspx exploitation | T1190 |
| csc.exe Compile | w3wp.exe → csc.exe | T1059.001 |
| Directory Traversal | ../ on network gateways | T1190, T1083 |
Each Sigma rule is production-ready and mapped to its corresponding SOC investigation.
I run a dual-agent setup: Hermes (this VPS) for strategy and documentation, Agent0 (local) for execution. Obsidian vault for knowledge management. GitHub for evidence storage and portfolio.
Every lab session produces terminal output, an Obsidian note, and an artifact in this repo.
MIT — see LICENSE
focused. minimal. execution-first.