Skip to content
View rohithbaggu56-dot's full-sized avatar
🙂
Learning
🙂
Learning
  • 01:29 (UTC +05:30)

Block or report rohithbaggu56-dot

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Maximum 250 characters. Please don’t include any personal information such as legal names or email addresses. Markdown is supported. This note will only be visible to you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
rohithbaggu56-dot/README.md

👋 Hi, I’m Rohith Baggu

SOC Analyst | Threat Hunting | Detection Engineering | Incident Response

I investigate real attacks, build detection rules, and analyze alerts across SIEM and endpoint telemetry.

My home lab simulates realistic attack scenarios with detections mapped to MITRE ATT&CK frameworks.

Built 16+ cybersecurity labs covering Active Directory, SIEM, endpoint monitoring, IDS/IPS, threat hunting, phishing investigations, detection engineering, and incident response.

Lab Workflow:
Attacker VM → Target VM → Sysmon / Suricata → SIEM → Alert Validation & Investigation


🔍 How I Investigate

Every investigation follows the same workflow. Here's what I actually do:

  1. Detection – Alert fires (SIEM rule, IDS signature, or log anomaly)
  2. Triage – Is this real or noise? Check the logs
  3. Log Analysis – Build a timeline. What happened? When? From where?
  4. Threat Intelligence – Validate IPs, hashes, domains against external sources
  5. Decision – Close it (benign positive), escalate it (real incident), or tune the rule

This methodology runs through every lab. Pick a repo and you'll see exactly this pattern.


🏆 Featured Projects

Enterprise & Real-World Detection Projects

🏢 Enterprise Active Directory SOC Lab

What: Built an enterprise Active Directory environment with Wazuh, Sysmon, and PowerShell automation to simulate enterprise attack scenarios and practice SOC monitoring and investigation.

Lab Highlights:

  • 4 virtual machines integrated into the lab
  • 10+ Active Directory users and groups configured
  • 2 monitored Windows endpoints with Wazuh + Sysmon
  • Multiple Active Directory attack techniques simulated
  • MITRE ATT&CK mapped detections investigated

What I Did:

  • Built an enterprise Active Directory domain from scratch
  • Joined Windows endpoints to the domain
  • Integrated Wazuh SIEM with Sysmon for endpoint visibility
  • Simulated Active Directory attacks from Kali Linux
  • Investigated detections mapped to MITRE ATT&CK techniques
  • Automated administrative tasks using PowerShell

Tools: Windows Server 2022 | Active Directory | Wazuh | Sysmon | PowerShell | Kali Linux
MITRE ATT&CK: T1087 (Account Discovery), T1018 (Remote System Discovery), T1059.001 (PowerShell)

Repo: Enterprise-Active-Directory-SOC-Lab

🍯 Azure Honeypot – Windows RDP Exposed to the Internet

What: Intentionally exposed Windows Server 2022 VM to collect real attack traffic. No simulation, actual threat actors found the open RDP port within minutes.

By the Numbers:

  • 3,404 failed RDP logins in 14 hours (real brute force)
  • 43 High-severity incidents generated by custom analytics rules
  • 27 unique external IPs identified and validated via threat intel
  • Geolocation mapping of attackers across Argentina, China, India, Japan, Philippines

What I Did:

  • Built custom detection rules in Microsoft Sentinel before the VM went live (detection-first thinking)
  • Investigated real incidents: correlated alerts, pulled Windows logs, validated attacker IPs with VirusTotal
  • Created KQL queries to hunt failed logins and identify successful compromises
  • Built workbooks to visualize attack geography and volume trends

Tools: Microsoft Sentinel | KQL | Azure NSG Rules | GeoIP Watchlist | VirusTotal | AbusePDB
MITRE ATT&CK: T1110 (Brute Force), T1078 (Valid Accounts)

Repo: Azure-Honeypot-SOC-Lab

📊 Splunk Incident Investigation

What: Monitored SSH authentication logs over 21 days. Real automated scanning tools (not simulated) hit the system from IPs across Argentina, China, Philippines, India, Japan, South Korea.

By the Numbers:

  • 17,126 total failed login attempts analyzed
  • 2 malicious IPs validated via threat intelligence
  • 230 successful logins investigated for post-compromise indicators
  • Custom detection dashboard built to visualize attack patterns in real-time

What I Did:

  • Wrote SPL queries to detect password spraying patterns (multiple accounts, single IP)
  • Correlated failed attempts with successful logins to identify breaches
  • Validated suspicious IPs against AbuseIPDB and VirusTotal
  • Built a dashboard showing top attacking sources, failed login trends, and targeted accounts
  • Investigated post-compromise activity – found none, system was defended

Tools: Splunk Enterprise | SPL | Windows Security Event Logs | VirusTotal | AbuseIPDB
MITRE ATT&CK: T1110 (Brute Force), T1110.003 (Password Spraying), T1078 (Valid Accounts)

Repo: SOC-Incident-Investigation-Splunk

🎯 RDP Brute Force Incident – Detection to Closure

What: A real brute force alert fires in Sentinel. I investigate it end-to-end: validate the threat, check logs, verify with threat intel, contain it, and close it. This is an L1 analyst workflow.

The Investigation:

  • Alert: High-severity RDP brute force detected from 103.108.141.126
  • Validation: ~50 failed login attempts from single IP, targeting multiple admin accounts
  • Scope Check: No successful logins, no lateral movement, no file access
  • Threat Intel: VirusTotal flags IP as malicious (10/94 vendors), known for SSH/RDP scanning
  • Actions Taken: Blocked IP at firewall, restricted RDP to trusted subnets, enforced account lockout policy
  • Outcome: Incident closed as True Positive (Attack Contained)

What This Demonstrates:

  • Multi-layer validation (SIEM alert + IDS logs + threat intel + firewall rules agree)
  • Practical L1 mindset (validate before escalating)
  • Incident containment and remediation
  • Understanding that logs tell different stories at different layers

Tools: Microsoft Sentinel | KQL | Suricata IDS | VirusTotal | Azure NSG Rules | Windows Defender Firewall
MITRE ATT&CK: T1110.003 (Password Spraying), T1021.001 (RDP)

Repo: SOC-Workflow-RDP-Brute-Force-Suricata-Sentinel

🔓 Elastic SIEM Lab – Real SSH Attacks Detected at Scale

What: Deployed Elasticsearch + Kibana on Azure. Collected SSH logs from an exposed Ubuntu VM. Real threat actors hit it within minutes.

Findings:

  • External SSH brute force attempts from real internet traffic
  • Detected using authentication failure pattern analysis
  • Timeline reconstruction via Kibana dashboards
  • MITRE ATT&CK mapping and threat correlation

Tools: Elastic Stack | Kibana | Filebeat | EQL queries
MITRE ATT&CK: T1110 (Brute Force), T1078 (Valid Accounts)

Repo: Elastic-SIEM-Lab-Azure-Cloud-Deployment


Simulated Attack Labs (Under My Control)

🔴 Sysmon Attack Investigation – Meterpreter Payload to Credential Theft

What: Staged a complete attack chain on Windows 10. Delivered a Meterpreter reverse shell, established persistence, dumped credentials with Mimikatz. Goal: investigate every trace using only Sysmon event logs.

Attack Chain:

  1. Payload delivered via phishing (FreeGamePasses.exe from Discord CDN)
  2. Reverse shell opened → attacker gained interactive access
  3. Enumeration commands (whoami, systeminfo)
  4. Persistence → scheduled task (backdoortask) + hidden user account
  5. LOLBin abuse → certutil.exe downloading Mimikatz from GitHub
  6. Credential dumping → sekurlsa::logonpasswords

What I Found (Sysmon Only):

  • Event ID 15 (File stream created) – Payload origin and Discord download URL
  • Event ID 3 (Network connection) – Reverse shell callback to attacker IP
  • Event ID 1 (Process creation) – Parent-child relationships showing cmd.exe → backdoor creation
  • Event ID 22 (DNS query) – certutil reaching github.com (LOLBin exposed)
  • Event ID 1 (Masquerading) – Mimikatz renamed, but internal metadata still readable

The Insight: You cannot hide what you are. Renaming a file changes the filename, not the PE header. Sysmon catches what Windows Event Viewer misses.

Tools: Sysmon | Windows Event Viewer | Metasploit | Mimikatz | VirusTotal
MITRE ATT&CK: T1204, T1571, T1189, T1136, T1053, T1218, T1202, T1036, T1003

Repo: Sysmon-attack-investigation-lab

🛡️ Suricata IDS + Sentinel Integration – Network Detection at Scale

What: Deployed Suricata on Ubuntu to detect network attacks. Ran port scans, SSH brute force, and web application attacks from Kali Linux. All alerts flow to Microsoft Sentinel via syslog.

Attacks Simulated & Detected:

  • Port scanning (Nmap) → 29 Suricata alerts
  • SSH brute force (Hydra) → Custom detection rule fired
  • Web application attacks (LFI, SQL injection) → ModSecurity WAF + Suricata rules triggered
  • HTTP reconnaissance → Emerging Threats ruleset caught it

What I Learned:

  • IDS mode (watches, alerts) vs. IPS mode (blocks)
  • How SIEM and IDS complement each other
  • Writing custom Suricata rules from packet analysis
  • Mapping raw alerts to MITRE ATT&CK techniques

Tools: Suricata 7.x | Microsoft Sentinel | Azure Monitor Agent | Emerging Threats Ruleset | Kali Linux | KQL
MITRE ATT&CK: T1595 (Active Scanning), T1110 (Brute Force), T1190 (Exploit Public-Facing Application)

Repo: Suricata-and-Sentinel-integration

🔍 KQL Detection Queries – Real Threat Hunting

What: Wrote detection queries in Microsoft Sentinel's KQL language. Covers authentication threats, endpoint visibility, and network connections.

Queries Included:

  • Brute force detection (Event ID 4625 correlation)
  • Suspicious process execution (parent-child relationships)
  • Lateral movement patterns (RDP to unexpected servers)
  • DNS C2 beaconing (high query volume to rare domains)
  • Failed login aggregation by account and IP

Why This Matters: Detection rules are how L1 analysts scale their attention. Good rules catch attacks automatically; bad rules create alert fatigue.

Tools: Microsoft Sentinel | KQL | Log Analytics Workspace

Repo: Microsoft-Sentinel-KQL-Sysmon-Lab


🧰 Tools & Technologies

SIEM Platforms

Splunk Elastic Stack Wazuh Microsoft Sentinel

Cloud & Detection

Microsoft Azure Azure Monitor Log Analytics Azure NSG

Network Security

Wireshark Suricata Nmap pfSense ModSecurity Hydra

Endpoint & Logs

Sysmon Windows Logs Linux Logs Active Directory PowerShell

Threat Intelligence

VirusTotal AbuseIPDB urlscan.io MXToolbox

Frameworks & Methodologies

MITRE ATT&CK Cyber Kill Chain Pyramid of Pain NIST CSF MITRE D3FEND OWASP Top 10

🖥️ Operating Systems

Windows Server 2022 Windows 10 Ubuntu Kali Linux


📜 Certifications

Google Cybersecurity Microsoft Security TryHackMe SOC Level 1 IBM Ethical Hacking


📚 Current Learning & Practical Labs

TryHackMe
TryHackMe
Completed the SOC Level 1 path – hands‑on modules covering Wireshark, Splunk, Elastic, EDR tools, and incident response.
Currently exploring advanced rooms focused on detection engineering, log analysis, and threat hunting.

Let's Defend
LetsDefend
Engaged in blue‑team simulations and theory learning to strengthen SOC workflow understanding and incident triage skills.

Forage Virtual Internships
Forage
Completed seven SOC analyst simulation internships (Commonwealth Bank and others) — focused on alert analysis, triage, and reporting.


📂 All Repositories

Hands‑on SOC labs mapped to MITRE ATT&CK and real‑world detection workflows.

View all 17 repositories (Click to Expand)

Real Attack Data:

Enterprise & Detection Labs:

Detection & Analysis:

Specialized Topics:


💡 What Matters in My Repositories

I Don’t Just Run Labs – I Investigate Like an Analyst

  • Each repository answers the question: “What happened?”
  • Findings are validated using logs, threat intelligence, and multiple sources.
  • Every decision is documented – escalation, closure, and lessons learned.

I Map to Real‑World Frameworks

  • MITRE ATT&CK techniques integrated into every investigation.
  • Incident response workflow: Detect → Triage → Investigate → Remediate.
  • Alert validation focused on distinguishing signal from noise.

I Learn From Mistakes

  • Labs are real – VMs freeze, configs break, rules need tuning.
  • Each repo includes what went wrong and how it was fixed.
  • Continuous improvement is how true SOC analysts grow.

📬 Get in Touch

Actively exploring opportunities as a SOC Analyst L1 / Security Analyst
Focused on entry‑level roles where I can apply hands‑on detection, investigation, and threat‑hunting skills.

LinkedIn TryHackMe

Pinned Loading

  1. Enterprise-Active-Directory-SOC-Lab Enterprise-Active-Directory-SOC-Lab Public

    Built an enterprise Active Directory lab integrated with Wazuh SIEM to simulate, detect, and investigate common Active Directory attack techniques using MITRE ATT&CK.

  2. Azure-Honeypot-SOC-Lab Azure-Honeypot-SOC-Lab Public

    Built an Azure-based honeypot lab using Microsoft Sentinel to collect, monitor, and investigate real-world attacks against an intentionally exposed Windows Server. Focused on log collection, threat…

  3. SOC-Incident-Investigation-Splunk SOC-Incident-Investigation-Splunk Public

    Performed a SOC-style investigation of brute-force and password spraying activity using Splunk Enterprise, Windows Event Logs, and threat intelligence to identify attacker behavior, validate indica…

  4. Suriata-and-Sentinel-integraion Suriata-and-Sentinel-integraion Public

    Integrated Suricata IDS/IPS with Microsoft Sentinel in Azure to detect simulated attacks, generate custom alerts, forward security events, and investigate incidents using a SIEM workflow.

  5. Microsoft-Sentinel-KQL-Sysmon-Lab Microsoft-Sentinel-KQL-Sysmon-Lab Public

    Developed and tested Microsoft Sentinel KQL queries for authentication monitoring, endpoint visibility, threat detection, and SOC-focused investigation using Windows Security Events and Sysmon tele…

  6. Wazuh-SIEM-SOC-Hands-On-Lab Wazuh-SIEM-SOC-Hands-On-Lab Public

    Built and configured a Wazuh SIEM lab to monitor Windows and Linux endpoints, investigate security events, and practice SOC-style detection using Sysmon and MITRE ATT&CK.