Open to Opportunities

Self-taught security operations professional with an A.A.S. in Cybersecurity & Networking. Hands-on experience in SIEM deployment, malware analysis, and incident response. Currently pursuing Security+ and Linux+.

Credentials & Education

A.A.S. Cybersecurity & Networking

DeVry University, Oct 2025. Associate of Applied Science. Focused on secure network architecture and defense.

Tags: Degree, A.A.S, NSLS

Information Technology Essentials

DeVry University, Apr 2025. Certificate demonstrating core competencies in IT infrastructure and systems.

Tags: Certificate, IT Fundamentals, DeVry

Technical Skills

Systems & Support

  • Windows OS — advanced troubleshooting & administration
  • Ubuntu Linux — command line, file system, basic administration
  • Hardware assembly, component diagnosis & repair
  • Malware remediation & endpoint recovery
  • Virtualization — VirtualBox, VMware, Hyper-V
  • Python scripting (basic)

Networking

  • TCP/IP — addressing, subnetting, routing fundamentals
  • Port & protocol identification
  • Wireless network configuration & WPA2/WPA3 hardening
  • Packet capture & analysis (Wireshark)
  • Network segmentation — NAT & isolated lab environments

Security

  • Dynamic malware analysis & sandbox testing
  • Malware persistence & evasion concepts (self-taught, lab-based)
  • Phishing detection & email threat analysis
  • Social engineering awareness
  • Wazuh SIEM — home lab deployment & log monitoring
  • NIST Cybersecurity Framework

Security Projects

GitLab Projects

Security & Infrastructure

Transparency report regarding the infrastructure, privacy controls, and supply chain security of this domain.

Last Verified: March 2026

Hosting & Infrastructure

  • EU Jurisdiction: Hosted on privacy-compliant infrastructure in Europe (Hetzner/Finland) via Statichost.eu to ensure strict GDPR adherence.
  • Static Delivery: No server-side runtime to attack. The site is served as static files, with no database, no PHP, and no dynamic scripts to exploit.
  • No-Logs Policy: The hosting provider strictly minimizes access logs, protecting visitor metadata.

Communication Security

Email sent from @jblankenship.me is cryptographically authenticated to prevent spoofing.

  • SPF: Pass
  • DKIM: 2048-bit
  • DMARC: Quarantine
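The three badges above summarize the result of an SPF/DMARC posture check. The script below is an added example (not part of the original page) that grades a pair of SPF and DMARC TXT records the way such a check would: it reads the qualifier on the SPF `all` mechanism and the DMARC `p=`, `pct=` and `rua=` tags and reports anything weaker than the quarantine-and-hard-fail posture the page describes. The two record sets are constructed samples, not the live records of jblankenship.me.

```python
"""Grade SPF and DMARC TXT records for anti-spoofing strength.

Added example, not part of the original page. The records below are
constructed samples, not the live DNS records of any real domain.
"""
import re
from typing import Dict, List, Optional

# Constructed sample records: a hardened pair (hard-fail SPF, DMARC quarantine)
# and a weak pair (softfail SPF, DMARC monitor-only).
HARDENED = {
    "spf": "v=spf1 include:_spf.example-mailer.invalid -all",
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.invalid; pct=100",
}
WEAK = {
    "spf": "v=spf1 include:_spf.example-mailer.invalid ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tag=value pairs (RFC 7489 syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the SPF 'all' mechanism: '+', '-', '~' or '?'.

    A bare 'all' means '+all'. Returns None when the record has no 'all'.
    """
    for term in record.split():
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"
    return None


def assess(records: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no weaknesses found."""
    findings: List[str] = []
    spf, dmarc = records.get("spf", ""), records.get("dmarc", "")

    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: record missing or malformed")
    else:
        qualifier = spf_all_qualifier(spf)
        if qualifier is None:
            findings.append("SPF: no 'all' mechanism; unlisted senders are implicitly neutral")
        elif qualifier in ("+", "?"):
            findings.append(f"SPF: '{qualifier}all' lets any host pass; use -all")
        elif qualifier == "~":
            findings.append("SPF: '~all' is softfail only; -all is stricter")

    tags = parse_dmarc(dmarc)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record missing or malformed")
    else:
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so no aggregate reports are received")
    return findings


if __name__ == "__main__":
    for label, recs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, assess(recs) or ["no findings"])
```

In a real check the two records would come from DNS TXT lookups of the domain and of `_dmarc.<domain>`; DKIM is not graded here because its key length is read from the selector record, which the page does not show.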

Domain Privacy

  • WHOIS Redaction: Contact details are redacted via Withheld for Privacy (Iceland) to prevent social engineering reconnaissance.
  • DNSSEC: Domain Name System Security Extensions are enabled to protect against DNS spoofing and cache poisoning.

Get In Touch

I'm actively looking for IT support, networking, and security roles. Feel free to reach out directly.

joshua@jblankenship.me
Tags: Blue Team, SIEM Engineering, MITRE ATT&CK

Enterprise SOC Deployment & Threat Detection Lab

Date: December 1, 2025

Environment: VMware Workstation / Wazuh SIEM / Windows 11 / Kali Linux


1. Project Scope & Topology

This project involved the design, deployment, and validation of a virtualized Security Operations Center (SOC). The objective was to emulate an enterprise network environment to generate real-world attack telemetry and configure a SIEM (Wazuh) for threat detection.

SIEM Node
  • OS: Amazon Linux 2023 (Wazuh OVA)
  • Software: Wazuh Manager v4.14.1
  • IP: 192.168.245.129
Victim Endpoint
  • OS: Windows 11 Ent.
  • Defensive Tools: Windows Defender, Wazuh Agent, Windows Audit Policies
  • IP: 192.168.245.130
Adversary Node
  • OS: Kali Linux 2025.3
  • Offensive Tools: Hydra, Nmap, Smbclient
  • IP: DHCP Assigned

2. Executive Summary

Objective: To validate the detection capabilities of the Wazuh SIEM against common adversarial tactics, including Credential Access (T1110), Persistence (T1136), and Defense Evasion (T1562).

Key Achievements

  • Infrastructure: Successfully deployed a functional SIEM pipeline ingesting logs from Windows Event Channels (Security, System, Application).
  • Detection Engineering: Authored and verified detection logic for SMB Brute Force attacks (Event ID 4625) and Local Account Manipulation (Event ID 4720).
  • Malware Analysis: Integrated Windows Defender operational logs into Wazuh to capture and alert on EICAR test file signatures.
  • Visibility: Reduced logging blind spots by configuring advanced Audit Policies and disabling Network Level Authentication (NLA) so that authentication attempts are properly captured.
  • Defensive Hardening: Validated security controls by configuring an Account Lockout Policy that terminated the brute force attack after 5 failed attempts (Event ID 4740).

3. Infrastructure Deployment

The environment was hosted on VMware Workstation, utilizing a shared NAT network adapter to simulate a corporate intranet. The Wazuh Agent was deployed on the Windows 11 victim machine and configured to forward security telemetry over port 1514/TCP.

4. Threat Emulation

Scenario A: Network Propagation via SMB Brute Force

MITRE T1110.001 | Tool: smbclient

Simulated lateral movement via dictionary attack against SMB (Port 445). The attack generated "Logon Failure" events (ID 4625) until the Account Lockout Policy triggered (ID 4740).

Scenario B: Persistence (Backdoor User)

MITRE T1136.001 | Command: net user /add

Manually created a backdoor user "BlackHat" to simulate persistence. This action triggered Windows Security Event ID 4720.

5. Detection & Analysis

Evidence of successful ingestion, correlation, and alerting within the Wazuh SIEM.

Unauthorized User Creation

Log telemetry showing the creation of the backdoor user "BlackHat" (Event ID 4720), triggering Wazuh Rule ID 60109.

Wazuh Alert: User Account Created
  Rule ID:       60109
  Rule Level:    8 (High Severity)
  Agent Name:    DESKTOP-EA7SO4Q (192.168.245.130)
  Target User:   BlackHat
  Event ID:      4720
  Provider:      Microsoft-Windows-Security-Auditing
  MITRE Tactic:  Persistence (T1098)

Figure 5: Parsed log table for unauthorized user creation.

Malware Detection

The following parsed telemetry confirms the successful correlation of Windows Defender events by the Wazuh agent.

Wazuh Alert: Event ID 1116
  Rule ID:       62123
  Rule Level:    12 (High Severity)
  Agent Name:    DESKTOP-EA7SO4Q (192.168.245.130)
  Threat Name:   Virus:DOS/EICAR_Test_File
  File Path:     C:\Users\User\Desktop\eicar_test2.com
  Action Taken:  Detection Only
  Provider:      Microsoft-Windows-Windows Defender
  Severity:      Severe (Category: Virus)

Wazuh Alert: Event ID 1117
  Rule ID:       62124
  Rule Level:    12 (High Severity)
  Agent Name:    DESKTOP-EA7SO4Q (192.168.245.130)
  Threat Name:   Virus:DOS/EICAR_Test_File
  File Path:     C:\Users\User\Desktop\eicar_test2.com
  Action Taken:  Quarantine
  Provider:      Microsoft-Windows-Windows Defender
  MITRE Tactic:  Defense Evasion (T1562.001)

Figure 6: Parsed log tables showing critical EICAR detection details.

Brute Force & Account Lockout

Wazuh Alert: Logon Failure (Brute Force)
  Rule ID:             60122
  Rule Level:          5 (User Error)
  Event ID:            4625
  Source IP:           192.168.245.128
  Source Workstation:  KALI
  Target User:         Administrator
  Logon Type:          3 (Network - SMB)
  Failure Reason:      Unknown user name or bad password

Figure 7: Parsed log showing repeated login failures from the Kali attacker node.

Wazuh Alert: User Account Locked Out
  Rule ID:          60115
  Rule Level:       9 (High Severity)
  Event ID:         4740
  Target User:      Administrator
  Caller Computer:  KALI
  Subject User:     DESKTOP-EA7SO4Q$
  Provider:         Microsoft-Windows-Security-Auditing
  MITRE Tactic:     Credential Access (T1110)

Figure 8: Parsed log confirming the active defense trigger (Account Lockout).
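The three alerts in this section (repeated 4625 network logon failures, the 4740 lockout that the policy raises after five of them, and the 4720 account creation) are what any detection pipeline for this scenario has to produce. The script below is an added example, not the lab's own Wazuh rules: the rule IDs 60109, 60122 and 60115 on the page are Wazuh built-ins, and this code only mirrors their logic in plain Python so the threshold and window behaviour can be seen and tested. The events are constructed samples; field names such as EventID, IpAddress, TargetUserName and LogonType follow the Windows Security log, but the flat JSON shape and the CallerComputerName key are an assumption about how a collector would emit them, and the alert levels are this script's own.

```python
"""Run the lab's three detections over constructed Windows Security events.

Added example, not the lab's own Wazuh rules. Field names follow the
Windows Security log, but the flat JSON shape is an assumption about how a
collector would emit them, and the alert levels are this script's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

BRUTE_FORCE_THRESHOLD = 5               # the lab's account lockout threshold
BRUTE_FORCE_WINDOW = timedelta(minutes=2)

# Constructed telemetry: five network logon failures from one source within
# seconds, the lockout that follows, one unrelated failure from another host
# (must not alert on its own), and a local account creation. Names and times
# are made up; the IPs reuse the lab's addressing.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": f"2025-12-01T14:00:0{i}", "EventID": 4625, "LogonType": 3,
     "IpAddress": "192.168.245.128", "WorkstationName": "KALI",
     "TargetUserName": "Administrator"}
    for i in range(1, 6)
] + [
    {"ts": "2025-12-01T14:00:12", "EventID": 4740,
     "TargetUserName": "Administrator", "CallerComputerName": "KALI",
     "SubjectUserName": "DESKTOP-EA7SO4Q$"},
    {"ts": "2025-12-01T14:03:30", "EventID": 4625, "LogonType": 3,
     "IpAddress": "192.168.245.131", "WorkstationName": "WS02",
     "TargetUserName": "jdoe"},
    {"ts": "2025-12-01T14:05:00", "EventID": 4720,
     "TargetUserName": "BlackHat", "SubjectUserName": "User"},
]


def detect(events: List[Dict]) -> List[Dict]:
    """Return alerts in timestamp order.

    4625 with LogonType 3 (network) is counted per (source IP, target user)
    in a sliding window; the burst raises one brute-force alert when it
    reaches the threshold. 4740 and 4720 are single-event alerts, as in the lab.
    """
    alerts: List[Dict] = []
    failures: Dict[Tuple, List[datetime]] = defaultdict(list)

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        eid = ev["EventID"]

        if eid == 4625 and ev.get("LogonType") == 3:
            key = (ev.get("IpAddress"), ev.get("TargetUserName"))
            # Keep only attempts still inside the window, then add this one.
            recent = [t for t in failures[key] if ts - t <= BRUTE_FORCE_WINDOW]
            recent.append(ts)
            failures[key] = recent
            if len(recent) == BRUTE_FORCE_THRESHOLD:
                alerts.append({"ts": ev["ts"], "rule": "smb_brute_force", "level": 10,
                               "source_ip": key[0], "workstation": ev.get("WorkstationName"),
                               "target_user": key[1], "failures": len(recent)})
        elif eid == 4740:
            alerts.append({"ts": ev["ts"], "rule": "account_locked_out", "level": 9,
                           "target_user": ev.get("TargetUserName"),
                           "caller_computer": ev.get("CallerComputerName")})
        elif eid == 4720:
            alerts.append({"ts": ev["ts"], "rule": "local_account_created", "level": 8,
                           "target_user": ev.get("TargetUserName"),
                           "created_by": ev.get("SubjectUserName")})
    return alerts


if __name__ == "__main__":
    import json
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The lone failure from WS02 never reaches the threshold and so produces no alert, which is the behaviour that keeps a brute-force rule from firing on ordinary typos; raising the threshold above the lockout policy's value would let the 4740 arrive before the SIEM's own alert, so the two settings are kept equal here.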

Tags: Incident Response, Packet Analysis, Threat Intel

Incident Response Report: Malware Traffic Analysis

Operation BURNINCANDLE

Date: December 2, 2025

Tools: Wireshark, VirusTotal, ThreatFox


1. Executive Summary

Incident Overview

  Severity:         High
  Victim Hostname:  BURNINCANDLE
  Victim IP:        10.0.9.14
  Malware Family:   IcedID (BokBot)
  Status:           Closed / Containment Required

A network forensic analysis was conducted on captured traffic (PCAP) originating from the internal host BURNINCANDLE (10.0.9.14). The investigation confirmed a malware infection initiated via an unencrypted HTTP GET request. The host downloaded a GZIP-compressed payload from a malicious domain. Initial hash analysis of the exported file yielded no results; however, a pivot to domain-based threat intelligence confirmed the infrastructure as part of an IcedID (BokBot) banking trojan campaign.

2. Investigation Details & Infection Vector

Infection Timeline
  Initial Access:    Victim connected to 188.166.154.118 over Port 80 via HTTP GET Request.
  Payload Delivery:  Encrypted GZIP payload (393 kB) downloaded. Validated via Wireshark.
  Persistence:       Observed immediate establishment of multiple HTTPS/TLS connections to external C2 IPs.

Step 1: File Identification & Extraction

The analyst identified a suspicious file transfer within the HTTP traffic. Using Wireshark's "Export HTTP Objects" feature, the GZIP payload was extracted for analysis.

Step 2: Hash Verification

The extracted file (malware_payload.gz) was hashed using SHA256.

Step 3: Negative Lookup

A search of the file hash in VirusTotal returned 0 detections, indicating a unique or encrypted artifact.

Step 4: Artifact Analysis

Further inspection of the payload revealed the file Copper.txt, a known artifact associated with IcedID encrypted configurations.

Step 5 & 6: Infrastructure Pivot

Shifted investigation focus from the file to the network infrastructure. Searching the source domain oceriesfornot.top confirmed it as a known Botnet C2 associated with the BokBot (IcedID) malware family.
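Steps 2 through 6 above form one triage routine: hash the exported object, check the hash, look inside the GZIP for the artifact name, and when the hash comes back clean, pivot to the infrastructure that served the file. The script below is an added example that carries out that routine on a payload constructed in memory; it is not the report's own tooling and does not reproduce the real payload or its hash. The known-bad hash list is an obviously placeholder set, and the C2 domain list contains only the domain named in this report.

```python
"""Triage an HTTP object exported from a PCAP: identify it by magic bytes,
hash it, check the hash, recover the original filename from the GZIP header
(RFC 1952 FNAME field) and fall back to network indicators when the hash is
unknown.

Added example, not part of the original report. The payload is constructed
in memory; the known-bad hash list is a placeholder.
"""
import gzip
import hashlib
import io
from typing import Dict, Optional, Set

# Constructed indicator sets. The domain is the one named in the report; the
# hash list is a placeholder that deliberately does not contain the sample.
KNOWN_BAD_HASHES: Set[str] = {"0000000000000000000000000000000000000000000000000000000000000000"}
C2_DOMAINS: Set[str] = {"oceriesfornot.top"}

SAMPLE_BODY = bytes(range(32)) * 8      # 256 bytes of filler standing in for the payload


def build_sample_payload(name: str = "Copper.txt", body: bytes = SAMPLE_BODY) -> bytes:
    """Build a GZIP stream whose header carries the original filename,
    mirroring how the report's Copper.txt artifact was recovered."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(body)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gzip_original_name(data: bytes) -> Optional[str]:
    """Walk the GZIP member header and return FNAME if the FNAME flag is set."""
    # Fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS = 10 bytes; CM 8 is deflate.
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        return None
    flags = data[3]
    pos = 10
    if flags & 0x04:                     # FEXTRA: 2-byte length, then the field
        if len(data) < pos + 2:
            return None
        xlen = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2 + xlen
    if not flags & 0x08:                 # FNAME not present
        return None
    end = data.find(b"\x00", pos)        # FNAME is NUL-terminated, ISO-8859-1
    if end == -1:
        return None
    return data[pos:end].decode("latin-1")


def triage(data: bytes, source_domain: str,
           known_bad_hashes: Set[str], c2_domains: Set[str]) -> Dict:
    """Apply the report's workflow: hash lookup first, infrastructure pivot second."""
    digest = sha256_hex(data)
    result: Dict = {
        "sha256": digest,
        "hash_known": digest in known_bad_hashes,
        "is_gzip": data[:2] == b"\x1f\x8b",
        "embedded_name": gzip_original_name(data),
        "decompressed_size": None,
        "infrastructure_match": source_domain.lower().rstrip(".") in c2_domains,
    }
    if result["is_gzip"]:
        try:
            result["decompressed_size"] = len(gzip.decompress(data))
        except (OSError, EOFError):
            result["decompressed_size"] = None   # truncated or corrupt stream
    # A zero-detection hash does not clear a file; the serving domain decides.
    if result["hash_known"]:
        result["verdict"] = "malicious (hash match)"
    elif result["infrastructure_match"]:
        result["verdict"] = "malicious (served from known C2 infrastructure)"
    else:
        result["verdict"] = "unknown; escalate for manual analysis"
    return result


if __name__ == "__main__":
    payload = build_sample_payload()
    for key, value in triage(payload, "oceriesfornot.top", KNOWN_BAD_HASHES, C2_DOMAINS).items():
        print(f"{key}: {value}")
```

Reading the filename out of the header rather than decompressing first is deliberate: it works on a truncated capture and does not require inflating an unknown payload before the decision to escalate is made.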

3. Indicators of Compromise (IOCs)

Network Indicators

  • Domain: oceriesfornot.top
  • IP (C2): 188.166.154.118
  • Protocol: HTTP (Port 80)

File Artifacts

  • Filename: Copper.txt
  • Type: Encrypted Config
  • Family: IcedID / BokBot

4. Remediation Recommendations

  • Containment: Isolate the host 10.0.9.14 (BURNINCANDLE) from the network to prevent lateral movement or data exfiltration.
  • Network Blockade: Configure firewall rules to deny all inbound/outbound traffic to oceriesfornot.top and 188.166.154.118.
  • System Restoration: Wipe and re-image the compromised system from a known clean backup.
  • Credential Reset: Force a password reset for the user account associated with the compromised host.