A hands-on lab for endpoint detection using Sysmon, Splunk, and attack simulation.
A detection pipeline I built to learn how endpoint telemetry works in practice:
```
┌─────────────┐        ┌─────────────┐        ┌─────────────┐
│  Attacker   │ ───►   │   Windows   │ ───►   │   Splunk    │
│   (Kali)    │        │  + Sysmon   │        │   (SIEM)    │
└─────────────┘        └─────────────┘        └─────────────┘
     Attack                 Logs                 Detection
```
Run attacks. See what logs they generate. Write rules to catch them.
| Component | Purpose |
|---|---|
| Windows 10 VM | Target endpoint |
| Sysmon | Endpoint telemetry |
| Splunk | Log aggregation + detection |
| Atomic Red Team | Attack simulation |
- Sysmon deployment with SwiftOnSecurity config
- Splunk Universal Forwarder setup
- Log ingestion and parsing
- Attack simulations (Mimikatz, Kerberoasting)
- Detection rules with MITRE ATT&CK mapping
See SETUP.md for full installation steps and troubleshooting.
| MITRE ID | Technique | Status |
|---|---|---|
| T1003.001 | LSASS Memory Dump | Done |
| T1558.003 | Kerberoasting | Planned |
| T1021.001 | RDP Lateral Movement | Planned |
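As an added example (not code from this repository), the block below shows the shape of the T1003.001 detection the table above marks as done: it parses Sysmon Event ID 10 (ProcessAccess) records and flags processes that read lsass.exe memory. The sample events, the allow-listed source images and the access-mask check are constructed assumptions that would need baselining and tuning in a real environment.

```python
"""Flag suspicious LSASS access in Sysmon Event ID 10 (ProcessAccess) records.

Added example for this lab, not part of the repository. The sample events,
the allow-list and the access-mask heuristic are constructed assumptions.
Hits are mapped to MITRE ATT&CK T1003.001 (OS Credential Dumping: LSASS Memory).
"""
import xml.etree.ElementTree as ET

# Default namespace used by Windows event XML, including Sysmon events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_VM_READ must be granted to read another process's memory; that bit
# is the core signal for credential dumping from lsass.exe (assumption: tune).
PROCESS_VM_READ = 0x0010

# Constructed allow-list of images that legitimately open lsass.exe.
# Assumption: replace with values observed while baselining the lab host.
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def parse_event(xml_text):
    """Return a flat dict of EventData fields plus the integer EventID."""
    root = ET.fromstring(xml_text)
    data = {}
    for d in root.iterfind(".//e:EventData/e:Data", NS):
        data[d.get("Name")] = (d.text or "").strip()
    eid = root.findtext(".//e:System/e:EventID", namespaces=NS)
    data["EventID"] = int(eid) if eid else None
    return data


def detect_lsass_access(event):
    """Return a T1003.001 finding for a suspicious event, or None if benign."""
    if event.get("EventID") != 10:
        return None
    target = event.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None
    return {
        "technique": "T1003.001",
        "source_image": source,
        "granted_access": hex(granted),
        "utc_time": event.get("UtcTime"),
    }


def run_detections(xml_events):
    """Parse each XML event and collect the findings."""
    findings = []
    for xml_text in xml_events:
        hit = detect_lsass_access(parse_event(xml_text))
        if hit:
            findings.append(hit)
    return findings


def _sysmon_event(event_id, source, target, granted, utc="2024-01-15 10:22:31.123"):
    """Build a constructed Sysmon-style XML record (trimmed to relevant fields)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="SourceImage">{source}</Data>
    <Data Name="TargetImage">{target}</Data>
    <Data Name="GrantedAccess">{granted}</Data>
  </EventData>
</Event>"""


# Constructed sample telemetry: one credential-dump-like access, one allow-listed
# system process, one unrelated ProcessAccess event.
SAMPLE_EVENTS = [
    _sysmon_event(10, r"C:\Users\lab\Desktop\unknown.exe", r"C:\Windows\system32\lsass.exe", "0x1010"),
    _sysmon_event(10, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\lsass.exe", "0x1400"),
    _sysmon_event(10, r"C:\Windows\system32\taskmgr.exe", r"C:\Windows\explorer.exe", "0x1410"),
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

The same logic expressed as a Splunk search filters Event ID 10 records whose target image ends in `lsass.exe`, excludes the baselined source images, and then inspects the granted-access mask; the exact field names depend on the Sysmon add-on used for parsing.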
```
edr-detection-lab/
├── README.md
├── SETUP.md                  # Installation guide + lessons learned
└── detections/               # Detection rules with evidence
    └── T1003.001-lsass-dump/
```
I wanted to understand detection engineering from the ground up — not just run tools, but know why alerts fire and how to tune them. This lab is my sandbox for that.
Arda Fidancı
Cybersecurity student focused on Blue Team and SOC operations.