SOC Portfolio Lab
Demond Mack
SOC Analyst   |   Threat Detection & Incident Response
Built and operated a fully integrated enterprise SOC environment on Azure. Real external attacks detected, investigated, and closed using Splunk, ServiceNow, Suricata, and GoPhish — with every decision documented from first alert to resolved ticket.
14,661 brute force attempts detected · 2,327 IDS network alerts · 3 end-to-end investigations · 13 validated detections
Environment Architecture
AZURE CLOUD — suffice.local
  • VNet: SUFFice-vnet / 10.0.0.0/24
  • SUFFice (Domain Controller): 10.0.0.4 · WS2022 · Active Directory · DNS · Sysmon · UF Agent · suffice.local
  • WIN-SERVER-CLIE (Windows Client): 10.0.0.5 · 20.123.90.160 · Sysmon · Suricata IDS · GoPhish · Papercut SMTP · UF Agent · Atomic Red Team
  • Splunk Server: Linux VM · East US · 40.76.99.227 · index=main,suricata,gophish · 13 validated detections
  • Azure North Europe NSG Firewall: RDP · SSH · restricted · 3333/8080 analyst-only
ServiceNow PDI (cloud hosted): dev386008.service-now.com · Incidents · ITSM · Analyst · INC0010660 · INC0013219 · Dmack — SOC Analyst Tier 1
External Threats: 273 attacker IPs · 38 countries · RDP Brute Force · SSH Scan · MySQL/MSSQL/VoIP probe · Nmap recon · 23 IDS sigs · Phishing simulation
SOC Analyst: Demond Mack — Tier 1 · Alert triage · Investigation · Closure
Pipelines: Pipeline 01 — Endpoint · Pipeline 02 — IDS · Pipeline 03 — Phishing · External attack traffic
Infrastructure
Enterprise SOC Environment
Three fully integrated detection pipelines on Azure; each pipeline's path through the environment is traced below.
Pipeline 01 — Endpoint: Windows Events → Sysmon → UF Agent → Splunk → Alert fires → ServiceNow
Pipeline 02 — Network IDS: Network Traffic → Suricata IDS → eve.json → Splunk → Alert fires → ServiceNow
Pipeline 03 — Phishing: GoPhish → Papercut SMTP → gophish.log → Splunk → Alert fires → ServiceNow
  • Splunk Enterprise: SIEM
  • ServiceNow: ITSM / Ticketing
  • Suricata IDS: Network Detection
  • Azure Cloud: Infrastructure
  • Active Directory: Domain Controller
  • Sysmon: Endpoint Telemetry
  • GoPhish: Phishing Simulation
  • Atomic Red Team: Attack Simulation
Case Studies
SOC Investigations
Three documented investigations using real external attack telemetry — structured analyst workflow from alert receipt to ticket closure. Each finding records the exact analyst action taken.
Case Study 01 — Endpoint / Network
External RDP Brute Force Campaign
INC0010660 Priority 1 Critical T1110.001 Resolved Real Attack Telemetry
273 unique IPs · 14,661 attempts · 38 countries · 10 days active · 0 breaches

Real external attackers discovered the Azure lab environment's RDP port exposed to the internet and launched a sustained distributed brute force campaign targeting the Administrator account. 273 unique IPs across 38 countries generated 14,661 failed authentication attempts over 10 days.

Root cause: Azure NSG rule permitted inbound RDP from 0.0.0.0/0. Upon detection the NSG was restricted to authorized IPs — attack traffic dropped to zero immediately and verifiably.

ANALYST FINDING

No successful unauthorized logons confirmed across the entire 10-day attack window. Incident closed at Tier 1.

Primary Detection Query
index=* source="XmlWinEventLog:Security" EventCode=4625 LogonType=3
| where IpAddress!="10.0.0.5" AND IpAddress!="::1" AND IpAddress!="-"
| stats dc(IpAddress) as UniqueAttackerIPs, count as TotalAttempts
// Note: raw 4625 events carry no "count" field, so sum(count) would return nothing; count gives the event total
Attack Tooling Identified — each finding with the analyst action taken
FreeRDP and Rdesktop workstation names confirm Linux-based automated attack tooling
// Splunk — identify workstation names used by attackers
index=* EventCode=4625 LogonType=3 | stats count by WorkstationName | sort - count
// Result: FreeRDP, Rdesktop, kali — Linux attack tools confirmed
Generic "workstation" name in 87% of attempts — mass-automated credential stuffing
// Splunk — calculate percentage of generic workstation names
index=* EventCode=4625 LogonType=3 | eval generic=if(WorkstationName="workstation" OR WorkstationName="-","yes","no") | stats count by generic | eventstats sum(count) as total | eval pct=round(count/total*100,1)
273 IPs across 38 countries — botnet-driven distributed campaign confirmed
// Splunk — GeoIP enrichment to confirm geographic distribution
index=* EventCode=4625 LogonType=3 | iplocation IpAddress | stats dc(IpAddress) as UniqueIPs by Country | sort - UniqueIPs
NTLM authentication via NtLmSsp — Logon Type 3 network logons confirmed
// Splunk — confirm authentication package
index=* EventCode=4625 LogonType=3 | stats count by AuthenticationPackageName, LogonProcessName | sort - count
// Result: AuthPackage=NTLM, LogonProcess=NtLmSsp
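The four Splunk pivots above (external-only filter, workstation names, generic-name percentage, top sources) as one plain Python triage routine. This is an added example, not code from the portfolio; it runs over a constructed sample of EventCode 4625 / LogonType 3 records whose field names mirror the Splunk fields used on the page, and every IP and workstation value in the sample is made up.

```python
# Added example: brute force triage logic over constructed 4625 (failed logon) records.
# Field names follow the Splunk queries on the page; the events are not real telemetry.
from collections import Counter

# Same exclusions the primary detection query applies: local client, loopback, blank source.
INTERNAL = {"10.0.0.5", "::1", "-"}

# Workstation names that identify Linux-based RDP clients (from the page's finding).
LINUX_RDP_CLIENTS = {"freerdp", "rdesktop", "kali"}

# Constructed sample events (EventCode 4625, LogonType 3). Documentation IPs only.
EVENTS = [
    {"IpAddress": "203.0.113.10", "WorkstationName": "FreeRDP", "AuthenticationPackageName": "NTLM"},
    {"IpAddress": "203.0.113.10", "WorkstationName": "FreeRDP", "AuthenticationPackageName": "NTLM"},
    {"IpAddress": "198.51.100.7", "WorkstationName": "workstation", "AuthenticationPackageName": "NTLM"},
    {"IpAddress": "198.51.100.7", "WorkstationName": "workstation", "AuthenticationPackageName": "NTLM"},
    {"IpAddress": "198.51.100.7", "WorkstationName": "-", "AuthenticationPackageName": "NTLM"},
    {"IpAddress": "192.0.2.44", "WorkstationName": "kali", "AuthenticationPackageName": "NTLM"},
    {"IpAddress": "10.0.0.5", "WorkstationName": "WIN-SERVER-CLIE", "AuthenticationPackageName": "NTLM"},
    {"IpAddress": "-", "WorkstationName": "-", "AuthenticationPackageName": "Negotiate"},
]


def external_failures(events):
    """Drop failures that did not come from an external source (the where clause)."""
    return [e for e in events if e["IpAddress"] not in INTERNAL]


def summarize(events):
    """stats dc(IpAddress) as UniqueAttackerIPs, count as TotalAttempts"""
    ext = external_failures(events)
    return {
        "UniqueAttackerIPs": len({e["IpAddress"] for e in ext}),
        "TotalAttempts": len(ext),
    }


def workstation_counts(events):
    """stats count by WorkstationName, external sources only."""
    return Counter(e["WorkstationName"] for e in external_failures(events))


def linux_tooling(events):
    """Workstation names that match known Linux RDP clients, sorted for stable output."""
    names = {e["WorkstationName"] for e in external_failures(events)}
    return sorted(n for n in names if n.lower() in LINUX_RDP_CLIENTS)


def generic_pct(events):
    """Share of attempts presenting a generic or blank workstation name."""
    ext = external_failures(events)
    if not ext:
        return 0.0
    generic = sum(1 for e in ext if e["WorkstationName"] in ("workstation", "-"))
    return round(generic / len(ext) * 100, 1)


def top_attackers(events, n=3):
    """Busiest external sources, as (ip, attempts) pairs."""
    return Counter(e["IpAddress"] for e in external_failures(events)).most_common(n)


if __name__ == "__main__":
    print(summarize(EVENTS))
    print("Linux tooling:", linux_tooling(EVENTS))
    print("Generic workstation name:", generic_pct(EVENTS), "%")
    print("Top attackers:", top_attackers(EVENTS))
```

The `INTERNAL` exclusion is applied in every function, which the page's percentage and workstation queries do not do; on a real data set that difference matters, since the analyst's own failed logons from 10.0.0.5 would otherwise dilute the attacker statistics.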
Top Attacker Threat Intel
123.30.106.163
Top — 422 attempts
6/91
VirusTotal vendors
194
AbuseIPDB reports
MITRE ATT&CK
ID | Technique | Evidence
T1110.001 | Brute Force: Password Guessing | 14,661 failed logon attempts against Administrator
T1133 | External Remote Services | RDP port 3389 targeted as primary access vector

No breach occurred. The following documents what would have triggered escalation and the exact response actions.

IOCs That Would Have Indicated Compromise
▶ Event ID 4624 from unknown external IP after brute force activity
▶ Logon Type 10 (RemoteInteractive) from attacker IP — RDP access gained
▶ New process spawned under Administrator from external session
▶ Lateral movement — logon from compromised host to Domain Controller
▶ New scheduled task or service — persistence mechanism established
Response Actions
Step 1: Isolate host — restrict Azure NSG to block all traffic immediately
// PowerShell — add deny-all inbound rule to NSG (priority 100 takes precedence over every allow rule with a higher number)
$nsg = Get-AzNetworkSecurityGroup -Name "WIN-SERVER-CLIENT-nsg" -ResourceGroupName "SUFFice_group"
$rule = New-AzNetworkSecurityRuleConfig -Name "DenyAllInbound" -Priority 100 `
    -Direction Inbound -Access Deny -Protocol * `
    -SourceAddressPrefix * -DestinationAddressPrefix * `
    -SourcePortRange * -DestinationPortRange *
$nsg.SecurityRules.Add($rule)
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
Step 2: Disable compromised account in Active Directory
// PowerShell — disable account and force logoff (disabling blocks new logons; existing sessions must be ended by ID)
Disable-ADAccount -Identity "Administrator"
# List active sessions on the host to find the attacker's session ID
query session /server:WIN-SERVER-CLIE
# End that session
logoff [sessionID] /server:WIN-SERVER-CLIE
Step 3: Check for lateral movement to Domain Controller
// Splunk — confirm if compromised host authenticated to DC
index=* source="XmlWinEventLog:Security" EventCode=4624 LogonType=3
| where WorkstationName="WIN-SERVER-CLIE" AND ComputerName="SUFFice"
| table _time TargetUserName IpAddress LogonType ComputerName
| sort _time

Evidence collected during investigation — screenshots from Splunk, ServiceNow, Azure NSG, VirusTotal, and AbuseIPDB.

  • ServiceNow INC0010660: Priority 1 Critical — Assigned to Demond Mack
  • Splunk — 273 Unique IPs: UniqueAttackerIPs=273, TotalAttempts=14,661
  • GeoIP Breakdown: 38 countries — Vietnam, US, Germany top sources
  • Attack Timeline: May 22 to June 1 — drops to zero post-remediation
  • VirusTotal — 6/91 Vendors: 123.30.106.163 — VNPT Corp Vietnam
  • AbuseIPDB — 194 Reports: Active RDP brute force confirmed
  • Azure NSG — Before: Port 3389 open to 0.0.0.0/0
  • Azure NSG — After: Restricted to authorized IPs only
Case Study 02 — Network IDS
Multi-Vector External Attack Campaign
INC0013219 Priority 1 Critical T1595 · T1046 · T1110.001 Resolved 23 Suricata Signatures
2,327 IDS alerts · 233 unique IPs · 23 signatures · 15,422 AbuseIPDB reports · 0 breaches

Suricata IDS detected a comprehensive multi-vector attack — RDP brute force, SSH scanning, MySQL, PostgreSQL, MSSQL, VoIP/SIP, SNMP, and active Nmap reconnaissance all firing simultaneously. 23 distinct signatures revealed a fully automated framework probing every available service.

Primary attacker 194.165.16.167 hosted on Flyservers S.A. (AS48721) — documented bulletproof hosting in Lithuania. 15,422 AbuseIPDB reports at 100% confidence. Same IP confirmed actively attacking other organizations during the investigation window.

ANALYST FINDING

No lateral movement, no breach, no malicious execution detected across all 6 alert categories.

Top Signatures by Volume
Signature | Count | Category
ET INFO RDP Response To External | 1,385 | Misc Activity
ET POLICY MS RDP Admin Login | 662 | Protocol Decode
ET DROP Dshield Block Listed | 209 | Misc Attack
ET SCAN Potential SSH Scan | 6 | Network Scan
ET SCAN RDP Connection from Nmap | 1 | Network Scan
Investigation Findings — each finding with the analyst action taken
194.165.16.167 confirmed on Flyservers S.A. bulletproof hosting — Vilnius, Lithuania
// Splunk — isolate top attacker and pull all associated signatures
index=suricata src_ip="194.165.16.167" | stats count by alert.signature, alert.category | sort - count
// Cross-reference: VirusTotal 12/91, AbuseIPDB 15,422 reports 100% confidence
Multi-service scanning confirmed — SSH, MySQL, MSSQL, VoIP, SNMP all probed simultaneously
// Splunk — map destination ports to identify full attack surface
index=suricata
| eval service=case(dest_port=22,"SSH", dest_port=3306,"MySQL", dest_port=1433,"MSSQL",
                    dest_port=5060,"VoIP/SIP", dest_port=161,"SNMP", dest_port=3389,"RDP", true(),"Other")
| stats count by service, alert.category
| sort - count
ET DROP Dshield Block Listed Source — 209 hits — known malicious infrastructure confirmed
// Splunk — extract all Dshield-listed IPs
index=suricata alert.signature="ET DROP Dshield*" | stats count by src_ip | sort - count | head 10
// Note: dc(src_ip) split by src_ip is always 1, so a plain count by src_ip is what ranks the listed sources
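The three Suricata pivots above (top-attacker signature profile, port-to-service map, Dshield-listed sources) rewritten as a small EVE parser in Python. This is an added example, not code from the portfolio: it reads eve.json records of the shape Suricata writes, keeps only `event_type=alert`, and applies the same port map as the Splunk `case()` on the page. The eve.json lines, IPs and counts below are constructed for the example.

```python
# Added example: Suricata EVE alert triage over constructed eve.json lines.
# The port-to-service map matches the Splunk eval on the page; the records are not real telemetry.
import json
from collections import Counter

SERVICE_BY_PORT = {22: "SSH", 3306: "MySQL", 1433: "MSSQL",
                   5060: "VoIP/SIP", 161: "SNMP", 3389: "RDP"}

# Constructed eve.json content, one JSON object per line (documentation IPs, invented counts).
EVE_LINES = """
{"timestamp":"2026-05-30T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","dest_port":3389,"proto":"TCP","alert":{"signature":"ET POLICY MS RDP Admin Login","category":"Protocol Decode","severity":2}}
{"timestamp":"2026-05-30T10:00:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","category":"Network Scan","severity":2}}
{"timestamp":"2026-05-30T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","dest_port":3306,"proto":"TCP","alert":{"signature":"ET DROP Dshield Block Listed Source group 1","category":"Misc Attack","severity":2}}
{"timestamp":"2026-05-30T10:00:04.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","dest_port":5060,"proto":"UDP","alert":{"signature":"ET DROP Dshield Block Listed Source group 1","category":"Misc Attack","severity":2}}
{"timestamp":"2026-05-30T10:00:05.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.4","dest_port":53,"proto":"UDP"}
{"timestamp":"2026-05-30T10:00:06.000000+0000","event_type":"alert","src_ip":"192.0.2.44","dest_ip":"10.0.0.5","dest_port":3389,"proto":"TCP","alert":{"signature":"ET SCAN RDP Connection from Nmap","category":"Network Scan","severity":2}}
""".strip()


def parse_alerts(text):
    """Return only alert records; EVE also carries flow, dns, tls and stats events."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def signatures_by_volume(alerts):
    """stats count by alert.signature, alert.category | sort - count"""
    return Counter((a["alert"]["signature"], a["alert"]["category"]) for a in alerts).most_common()


def services_probed(alerts):
    """Map dest_port to a service name; unmapped ports fall into 'Other'."""
    return Counter(SERVICE_BY_PORT.get(a.get("dest_port"), "Other") for a in alerts)


def dshield_sources(alerts):
    """Sources that tripped an ET DROP Dshield signature, busiest first."""
    return Counter(a["src_ip"] for a in alerts
                   if a["alert"]["signature"].startswith("ET DROP Dshield"))


def attacker_profile(alerts, ip):
    """Every signature one source triggered (the top-attacker pivot above)."""
    return Counter(a["alert"]["signature"] for a in alerts if a["src_ip"] == ip)


if __name__ == "__main__":
    alerts = parse_alerts(EVE_LINES)
    print("alerts:", len(alerts))
    print("by signature:", signatures_by_volume(alerts))
    print("services probed:", services_probed(alerts))
    print("dshield sources:", dshield_sources(alerts).most_common())
    print("profile 198.51.100.7:", attacker_profile(alerts, "198.51.100.7"))
```

Filtering on `event_type` first is the step that matters on a live sensor: a default EVE configuration writes far more flow and DNS records than alerts, and counting those as "IDS alerts" would inflate every figure in the ticket.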
MITRE ATT&CK
ID | Technique | Evidence
T1595 | Active Scanning | Nmap sig — multi-port across 8+ services
T1046 | Network Service Discovery | SSH, MySQL, MSSQL, VoIP, SNMP probed simultaneously
T1110.001 | Brute Force | 662 RDP Administrator login signatures

No breach occurred. The following shows what compromise indicators would have looked like and the exact response.

IOCs That Would Have Indicated Compromise
▶ Successful logon Event ID 4624 from any of the 233 attacker IPs
▶ Suricata C2 traffic signature firing post initial access
▶ Outbound connection from Windows Client to attacker IP on non-standard port
▶ ET COMPROMISED signature on internal east-west traffic
Response Actions
Step 1: Block attacker IPs at NSG and verify no active sessions
// Splunk — confirm no successful auth from attacker IPs before blocking
index=* EventCode=4624
| where match(IpAddress,"194\.165\.16\.167|123\.30\.106")
| table _time TargetUserName IpAddress LogonType
Step 2: If C2 traffic detected — capture network traffic for forensics
// PowerShell — start packet capture on compromised host
netsh trace start capture=yes tracefile=C:\evidence\capture.etl maxsize=500
# Run for 5 minutes, then stop
netsh trace stop

Evidence collected — Suricata alerts, threat intelligence, ServiceNow ticket documentation.

  • ServiceNow INC0013219: Priority 1 Critical — In Progress
  • Splunk — 23 Signatures: 2,327 alerts across 23 distinct signatures
  • Attack Timeline: Peak 1,000+ alerts/hr — zero after NSG
  • VirusTotal — 12/91: Flyservers bulletproof hosting confirmed
  • AbuseIPDB — 100%: 15,422 reports — attacking multiple orgs
  • No Lateral Movement: 0 results — attackers never authenticated
Case Study 03 — Phishing / Credential Harvesting
Microsoft 365 Credential Phishing Campaign
Priority 1 Critical T1566.001 · T1078 · T1056.003 Resolved Credentials Captured
55s time to click · <3m time to submit · 100% capture rate · 8 investigation phases · 0 unauthorized access

A simulated phishing campaign delivered a convincing Microsoft 365 password expiry notification to an internal user. The spoofed sender and urgency messaging caused the target to click within 55 seconds and submit credentials within 3 minutes — a textbook demonstration of how social engineering bypasses technical controls.

GoPhish captured the full credentials in cleartext. An 8-phase post-compromise investigation confirmed no unauthorized credential use, no lateral movement, no malicious process execution, and no data exfiltration.

ANALYST FINDING

Credential theft confirmed. No post-compromise activity detected. Critical gap identified: absence of MFA means stolen credentials would allow immediate account takeover with no additional barriers.

Attack Chain Timeline
June 6, 2026 — 8:36:30 PM
Phishing email delivered
Sent from it-support@suffice.local — "Action Required: Your Microsoft 365 Password Expires Today" — via Papercut SMTP to demondmack1976@suffice.local
8:37:25 PM — 55 seconds later
Phishing link clicked
Target visited http://10.0.0.5/?rid=EzTGqOq — fake M365 login page rendered — Windows 10 / Chrome 149.0.0.0
8:39:05 PM — 1m 40s after clicking
Credentials submitted and captured
Username: demondmack1976@suffice.local — Password captured in cleartext — victim redirected to microsoft.com, unaware of compromise
Post-compromise — 8 investigation phases
No breach confirmed across all phases
Credential use, process execution, lateral movement, file downloads, network connections — all verified clean. Resolved Tier 1.
Investigation Findings — each finding with the analyst action taken
Verified harvested credentials were not used by unauthorized parties
// Splunk — all logons for demondmack1976 after phishing timestamp
index=* source="XmlWinEventLog:Security" EventCode=4624
| where TargetUserName="demondmack1976"
| where _time > strptime("2026-06-06 20:36:30","%Y-%m-%d %H:%M:%S")
| table _time TargetUserName IpAddress LogonType WorkstationName
// Result: Only known analyst IPs 96.89.65.77 and 76.17.8.33 — clean
No suspicious process execution under targeted account — 0 results confirmed
// Splunk — any processes spawned under demondmack1976
index=* source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| where User="SUFFICE\\demondmack1976"
| table _time User Image CommandLine ParentImage
// Result: 0 events — no process execution under this account
No lateral movement — all network logons verified as analyst sessions
// Splunk — network logons using harvested account credentials
index=* source="XmlWinEventLog:Security" EventCode=4624 LogonType=3
| where TargetUserName="demondmack1976"
| table _time TargetUserName IpAddress WorkstationName
// Result: IPs 96.89.65.77 and 76.17.8.33 only — both verified analyst IPs
MITRE ATT&CK
ID | Technique | Evidence
T1566.001 | Spearphishing Link | Email with malicious link to credential harvesting page
T1078 | Valid Accounts | Legitimate internal credentials captured in cleartext
T1056.003 | Web Portal Capture | Fake M365 login page captured submitted credentials
T1204.001 | User Execution: Malicious Link | Target clicked 55 seconds after delivery

Credentials harvested but never used maliciously. Each phase shows what real compromise would have looked like and the exact response.

Phase 4 — If Credentials Were Used
▶ Event ID 4624 from unknown external IP using demondmack1976 credentials
▶ Logon from foreign geographic location or at unusual hours
▶ Multiple rapid logons from different countries — impossible travel
Response: Disable account, force password reset, preserve logs, escalate
// PowerShell — disable account and reset password immediately
Disable-ADAccount -Identity "demondmack1976"
Set-ADAccountPassword -Identity "demondmack1976" `
    -NewPassword (ConvertTo-SecureString "TempP@ss2026!" -AsPlainText -Force) -Reset
Set-ADUser -Identity "demondmack1976" -ChangePasswordAtLogon $true
Phase 5 — If Malicious Process Executed
▶ chrome.exe spawning powershell.exe — browser-to-shell execution
▶ CommandLine containing -EncodedCommand or Invoke-WebRequest
▶ Process path in AppData\Local\Temp\ or Downloads\
Response: Decode encoded command, hash file, isolate host
// PowerShell — decode base64 encoded command (-EncodedCommand is UTF-16LE, so decode with Unicode rather than UTF8)
[System.Text.Encoding]::Unicode.GetString(
    [System.Convert]::FromBase64String("ENCODED_STRING_HERE")
)
# Hash suspicious file
Get-FileHash -Algorithm SHA256 "C:\Users\demondmack1976\AppData\Local\Temp\suspicious.exe"
# Submit hash to VirusTotal for analysis
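The Phase 4 and Phase 5 indicators above, implemented as one post-compromise hunt in Python. This is an added example, not code from the portfolio: the phish timestamp, the target account and the two known analyst IPs are taken from the case study, while every logon and process record below is constructed for the example (documentation IPs, invented times). It also decodes a `-EncodedCommand` payload the way PowerShell produced it (UTF-16LE), which is the detail the decode step above depends on.

```python
# Added example: Phase 4 (credential use) and Phase 5 (malicious process) checks over
# constructed Security 4624 and Sysmon EventCode 1 records. Not real telemetry.
import base64
from datetime import datetime, timedelta

PHISH_TIME = datetime(2026, 6, 6, 20, 36, 30)        # credentials delivered (timeline on the page)
TARGET_USER = "demondmack1976"
KNOWN_ANALYST_IPS = {"96.89.65.77", "76.17.8.33"}   # analyst IPs named in the findings

# Constructed 4624 records, enriched with a Country field as iplocation would add it.
LOGONS = [
    {"_time": datetime(2026, 6, 6, 20, 10, 0), "TargetUserName": TARGET_USER,
     "IpAddress": "203.0.113.10", "LogonType": 3, "Country": "Vietnam"},        # before the phish
    {"_time": datetime(2026, 6, 6, 20, 40, 0), "TargetUserName": TARGET_USER,
     "IpAddress": "96.89.65.77", "LogonType": 10, "Country": "United States"},  # known analyst
    {"_time": datetime(2026, 6, 6, 21, 5, 0), "TargetUserName": TARGET_USER,
     "IpAddress": "203.0.113.10", "LogonType": 3, "Country": "Vietnam"},        # unknown external
    {"_time": datetime(2026, 6, 6, 21, 20, 0), "TargetUserName": "svc_backup",
     "IpAddress": "198.51.100.7", "LogonType": 3, "Country": "Germany"},        # different account
]


def post_phish_logons(events, user=TARGET_USER, since=PHISH_TIME):
    """Successful logons for the phished account after the credentials were submitted."""
    hits = [e for e in events if e["TargetUserName"] == user and e["_time"] > since]
    return sorted(hits, key=lambda e: e["_time"])


def unexpected_logons(events):
    """Phase 4 IOC: post-phish logons from any IP that is not a known analyst source."""
    return [e for e in post_phish_logons(events) if e["IpAddress"] not in KNOWN_ANALYST_IPS]


def impossible_travel(events, window=timedelta(hours=1)):
    """Phase 4 IOC: consecutive logons from different countries inside the time window."""
    seq = post_phish_logons(events)
    return [(a["Country"], b["Country"]) for a, b in zip(seq, seq[1:])
            if a["Country"] != b["Country"] and b["_time"] - a["_time"] <= window]


# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match the short forms too.
ENC_FLAGS = {"-encodedcommand", "-encoded", "-enc", "-ec", "-e"}

# Constructed Sysmon EventCode 1 record: browser spawning PowerShell with an encoded command.
ENCODED = base64.b64encode("Write-Output hello".encode("utf-16le")).decode("ascii")
PROCESS_EVENT = {
    "User": "SUFFICE\\demondmack1976",
    "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CommandLine": f"powershell.exe -NoProfile -EncodedCommand {ENCODED}",
}


def process_iocs(ev):
    """Phase 5 IOCs: browser-to-shell, encoded/download command line, suspicious image path."""
    hits = []
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    tokens = ev["CommandLine"].split()
    if parent == "chrome.exe" and image == "powershell.exe":
        hits.append("browser-to-shell")
    if any(t.lower() in ENC_FLAGS for t in tokens) or "invoke-webrequest" in ev["CommandLine"].lower():
        hits.append("suspicious-cmdline")
    path = ev["Image"].lower()
    if "\\appdata\\local\\temp\\" in path or "\\downloads\\" in path:
        hits.append("suspicious-path")
    return hits


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand; returns None if no such flag is present."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            # The payload is base64 over UTF-16LE text; decoding it as UTF-8 yields garbage.
            return base64.b64decode(tokens[i + 1]).decode("utf-16le")
    return None


if __name__ == "__main__":
    print("unexpected logons:", [e["IpAddress"] for e in unexpected_logons(LOGONS)])
    print("impossible travel:", impossible_travel(LOGONS))
    print("process IOCs:", process_iocs(PROCESS_EVENT))
    print("decoded:", decode_encoded_command(PROCESS_EVENT["CommandLine"]))
```

The allowlist check is deliberately strict: a logon from a known analyst IP at a new hour still passes, while any source outside the set is returned for review, which is the same decision the Splunk table above left to the analyst's eye.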
Scope — Isolated or Widespread
Check: Other users targeted? — index=gophish msg="Email sent" | stats count by email
Check: Other machines visited phishing URL? — Sysmon DNS logs across all hosts
If widespread: Full incident declaration → IR team → executive notification → org-wide password reset

Evidence collected — GoPhish dashboard, Papercut inbox, credential capture, Splunk investigation queries.

  • Papercut Inbox: Phishing email delivered — M365 subject line
  • Rendered Phishing Email: Microsoft branding and urgency message
  • Fake M365 Login Page: Landing page at 10.0.0.5/?rid=EzTGqOq
  • Credentials Captured: Username and password harvested in cleartext
  • GoPhish Dashboard: Email Sent=1, Clicked=1, Submitted=1
  • No Breach Confirmed: 8 investigation phases — all clean results
Background
About

SOC Analyst with hands-on experience building and operating an enterprise-grade security operations environment. I designed, deployed, and integrated a full detection and response stack from scratch — SIEM, IDS, ticketing, Active Directory, and phishing simulation — on Azure cloud infrastructure.

My investigations use real external attack telemetry, not simulated lab traffic. Real attackers hit my environment. I detected them, investigated them, and documented the analyst workflow from first alert to resolved ticket.

I built this because I wanted to show what I can actually do — not just what I've studied. Every detection, every investigation, every case study in this portfolio reflects how I'd operate in a real SOC environment.

Certifications
  • CompTIA Security+
  • Google Cybersecurity Certificate
  • TryHackMe — SOC Level 1
  • SOC Core Skills — Antisyphon Training
Technical Skills
  • Splunk Enterprise — Detection & Investigation
  • ServiceNow — Incident Management
  • Suricata IDS — Network Threat Detection
  • Azure Cloud — Infrastructure & NSG
  • Active Directory — Domain Administration
  • Sysmon — Endpoint Telemetry
  • GoPhish — Phishing Simulation
  • MITRE ATT&CK Framework
Get In Touch
Contact
Open to SOC Analyst, Security Operations, and Threat Detection roles.