
INTRODUCTION

In this guide, I demonstrate a complete end-to-end attack simulation in my SOC lab.

This is not theory.

It shows how a real attack works and how I detect it using:

  • Windows Event Logs
  • Splunk queries
  • MITRE ATT&CK mapping
  • Dashboard visualization
  • Executive reporting

The goal is to simulate a real-world scenario and analyze it like a SOC L3 analyst.


ATTACK SCENARIO

Attack type:

👉 Phishing → PowerShell Execution

Steps of the attack:

  1. User opens a malicious document
  2. Document launches PowerShell
  3. PowerShell executes encoded command
  4. Payload is downloaded or executed

This is one of the most common real-world attack chains.


STEP 1 — ATTACK EXECUTION

In a real environment, the attacker uses:

  • Word or Excel document
  • Embedded macro
  • Hidden PowerShell execution

Example behavior:

Word → PowerShell → encoded command


STEP 2 — LOG GENERATION

This activity generates logs in:

👉 Windows EventCode 4688 (Process Creation)

Important fields captured:

  • Parent process → winword.exe
  • Child process → powershell.exe
  • Command line → encoded command
  • User → victim account
  • Host → affected system

STEP 3 — DETECTION IN SPLUNK

Detection logic:

index=botsv3 EventCode=4688
| search powershell
| where like(Command_Line, "%enc%")

What this does:

  • Finds PowerShell execution
  • Filters encoded commands
  • Highlights suspicious activity
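
The same detection logic from Steps 2 to 4, run in Python over constructed 4688-style records, as an added example that is not the post's own code or Splunk search: it flags powershell.exe spawned by an Office parent and/or launched with an encoded command, decodes the encoded command for the analyst, and emits the Time/User/Host/Command/Suspicious-flag row used later in the dashboard, tagged with the MITRE techniques. Field names, hosts, users and the encoded string are assumptions; the regex also catches PowerShell's short forms (-e, -ec, -en), which a plain "%enc%" substring match would miss.

```python
import base64
import re

# Constructed sample EventCode 4688 records using the fields the post lists
# (time, user, host, parent, child, command line); not data from the lab.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10T09:12:03Z", "EventCode": 4688, "host": "WKS-01", "user": "jdoe",
     "Parent_Process_Name": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Command_Line": "powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AA=="},  # decodes to "Start"
    {"_time": "2024-01-10T09:15:44Z", "EventCode": 4688, "host": "SRV-02", "user": "svc_backup",
     "Parent_Process_Name": r"C:\Windows\System32\cmd.exe",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Command_Line": r"powershell.exe -File C:\Scripts\backup.ps1"},  # scheduled job, benign
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -EncodedCommand plus the short forms PowerShell accepts (-e, -ec, -en, -enc); captures the base64.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of a UTF-16LE script; decode it for the analyst."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_4688(event):
    """Return a dashboard row for a suspicious PowerShell launch, else None."""
    if event.get("EventCode") != 4688 or basename(event["New_Process_Name"]) not in POWERSHELL:
        return None
    reasons, techniques = [], ["T1059.001"]              # PowerShell execution
    if basename(event["Parent_Process_Name"]) in OFFICE_PARENTS:
        reasons.append("office-parent")                  # Word/Excel spawning PowerShell: not normal
        techniques.insert(0, "T1566")                    # phishing delivery
    enc = ENC_FLAG.search(event["Command_Line"])
    if enc:
        reasons.append("encoded-command")                # HIGH RISK per the analysis step
    if not reasons:
        return None
    return {"Time": event["_time"], "User": event["user"], "Host": event["host"],
            "Command": event["Command_Line"], "Suspicious": True, "Risk": "HIGH",
            "Reasons": reasons, "MITRE": techniques,
            "Decoded": decode_encoded_command(enc.group(1)) if enc else None}

def run_detection(events):
    return [row for row in map(analyze_4688, events) if row]
```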

STEP 4 — ANALYSIS (SOC L3 THINKING)

Now we investigate:

Command Line

Encoded command → HIGH RISK

Parent Process

Word launching PowerShell → NOT normal

User

Non-technical user → suspicious

Behavior

Matches phishing pattern


STEP 5 — MITRE MAPPING

This attack maps to:

  • T1566 — Phishing
  • T1059.001 — PowerShell Execution

This helps classify the attack using industry standards.


STEP 6 — DASHBOARD CREATION

Panel Title:

PowerShell Abuse — MITRE T1059.001

Dashboard:

SOC L3 – Windows Attack Technique Detections

Visualization:

Table showing:

  • Time
  • User
  • Host
  • Command
  • Suspicious flag

This converts raw logs into readable insights.


STEP 7 — EXECUTIVE REPORT (PDF)

The dashboard is exported to PDF.

The report includes:

  • Detection summary
  • MITRE mapping
  • Affected systems
  • Suspicious activity

This allows sharing with management.


FINAL ANALYSIS

This attack demonstrates:

  • Initial access via phishing
  • Execution via PowerShell
  • Possible payload delivery

Risk level:

👉 High

Recommended action:

  • Investigate host
  • Isolate system
  • Check lateral movement

WHAT THIS PROVES

This lab demonstrates that I can:

  • Simulate real attacks
  • Detect using logs
  • Analyze behavior
  • Map to MITRE
  • Present findings

This is the core responsibility of a SOC L3 analyst.


COMMON LESSONS

  • Most attacks start with user interaction
  • PowerShell is heavily abused
  • Command line analysis is critical
  • Parent-child relationships reveal attacks

FINAL THOUGHT

Detection alone is not enough.

The real skill is:

👉 Understanding the full attack chain

This is what separates beginner analysts from SOC L3 professionals.
