This project simulates the complete cybersecurity attack and defense lifecycle within a controlled virtual environment using Kali Linux and Windows 10, alongside tools such as Metasploit, Sysmon, and Splunk. Virtual machines are deployed in VirtualBox on an isolated internal network, ensuring safe and realistic network interactions. The simulation begins with reconnaissance using Nmap to identify potential vulnerabilities, followed by payload creation in Metasploit to establish unauthorized access via a reverse shell. Defensive strategies include the deployment of Sysmon for detailed system activity logging and the use of Splunk for real-time monitoring and alert generation. This setup effectively replicates real-world attack scenarios and demonstrates the importance of proactive detection, incident response, and continuous monitoring. The project concludes with recommendations for enhancing organizational security postures through integrated threat detection and regular simulation exercises. By combining offensive and defensive methodologies in a hands-on lab, this work offers a practical framework for cybersecurity training and reinforces the need for adaptive defense strategies in today's evolving threat landscape.
Introduction
Overview
This project simulates a realistic cyberattack within a controlled virtual environment to examine both offensive (attacker) and defensive (defender) aspects of cybersecurity. Using Kali Linux as the attacker and Windows 10 as the target—both hosted on VirtualBox—the project replicates common cyberattack stages: reconnaissance, exploitation, and incident response.
Problem Statement
Cyber threats are becoming more frequent and sophisticated, often going undetected until significant damage occurs. There is a critical need for better defensive capabilities and practical training in cyberattack detection and response.
Objectives
Simulate a cyberattack using Kali Linux and Windows 10.
Perform reconnaissance using Nmap to discover vulnerabilities.
Generate and deploy malware (via Metasploit) to compromise the target.
Monitor system activity with Sysmon on the Windows machine.
Analyze logs and detect threats using Splunk.
Assess response capabilities and suggest improvements.
Enhance cybersecurity learning through hands-on experience.
Related Works & Comparison
Past studies have used a variety of tools and setups, including:
Host-based detection (Windows logs)
Penetration testing using Nmap/Metasploit
Threat hunting with Sysmon + Splunk
SOC simulations and scalable detection systems
Project Improvement: This project uniquely integrates offensive and defensive tools in a unified, low-cost, virtual environment, bridging the gap between theoretical knowledge and practical cybersecurity skills.
System Design & Implementation
Setup: VirtualBox VMs with internal networking.
Scanning: Nmap identifies open/closed ports.
Payload Creation: Metasploit crafts a reverse shell.
Deployment: Payload executed on Windows VM.
Monitoring: Sysmon logs system events; Splunk analyzes them in real time.
Analysis: Logs used to track attacker behavior and system changes.
Testing & Results
Component               Tests Conducted   Successful Tests
Network Connectivity    10                9
Port Scanning           8                 7
Malware Deployment      6                 5
Incident Detection      8                 7
Response to Exploits    10                9
Key Findings:
Network isolation was effective and secure.
Most payloads were successfully deployed and detected.
Sysmon + Splunk enabled near real-time alerting and logging.
Defensive tools were effective but could benefit from more refined detection rules.
Conclusion
The SOC Home Lab project demonstrates an effective simulation of a realistic cybersecurity attack and defense lifecycle within a secure, virtualized environment. By leveraging VirtualBox to isolate Kali Linux (as the attacker) and Windows 10 (as the target) on an internal network, the project established a controlled platform for safe and authentic security testing.
The exercise commenced with network reconnaissance using Nmap, which identified open and closed ports on the Windows 10 virtual machine, thus exposing potential vulnerabilities. Subsequently, Metasploit was utilized to craft and deploy tailored malicious payloads, successfully demonstrating how attackers can establish unauthorized access through reverse shell connections.
On the defensive front, the integration of Sysmon and Splunk proved invaluable. Sysmon offered detailed event logging—including process creation, file modifications, and network activity—while Splunk enabled the real-time ingestion, analysis, and alerting of these logs. This combination underscored the critical importance of proactive monitoring and rapid incident response in minimizing the impact of potential threats.
The project culminated in a comprehensive reconstruction of the attack timeline, identification of indicators of compromise (IOCs), and a thorough assessment of the Windows 10 system’s security posture. These findings emphasize the necessity for organizations to conduct regular attack simulations and to maintain robust monitoring frameworks to strengthen their cybersecurity defenses and preparedness against evolving threats.
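The monitoring and analysis steps described in the system design, and the attack-timeline and IOC reconstruction described in this conclusion, can be expressed as a concrete detection rule. The following is an added example, not the project's own code or a Splunk rule from the lab: it correlates Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) events on ProcessGuid to flag a process launched from a user-writable directory that quickly initiates an outbound connection on a non-routine port, then reconstructs that process's timeline. The events, ProcessGuids, paths, addresses and port allowlist are constructed sample data; the field names are Sysmon's standard ones as they appear in Splunk.

```python
from datetime import datetime

# Constructed Sysmon-style events in the JSON shape Splunk ingests (sample data, not
# captured from the lab). Event ID 1 = process create, 3 = network connection, 11 = file create.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:01.000", "ProcessGuid": "{G-EXPLORER}",
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 3, "UtcTime": "2024-05-01 10:00:30.000", "ProcessGuid": "{G-EXPLORER}",
     "Image": r"C:\Windows\explorer.exe", "DestinationIp": "10.0.2.3", "DestinationPort": 443, "Initiated": "true"},
    {"EventID": 11, "UtcTime": "2024-05-01 10:02:05.000", "ProcessGuid": "{G-EXPLORER}",
     "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\lab\Downloads\update.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:02:10.000", "ProcessGuid": "{G-PAYLOAD}",
     "Image": r"C:\Users\lab\Downloads\update.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "UtcTime": "2024-05-01 10:02:11.000", "ProcessGuid": "{G-PAYLOAD}",
     "Image": r"C:\Users\lab\Downloads\update.exe", "DestinationIp": "192.168.56.101",
     "DestinationPort": 4444, "Initiated": "true"},
]
ALLOWED_PORTS = {53, 80, 443}                                 # ports the rule treats as routine
SUSPECT_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")   # user-writable launch locations

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def detect_reverse_shell(events, window_s=60):
    """Alert when a process started from a user-writable directory initiates an outbound
    connection to a non-routine port within window_s seconds of its creation."""
    created = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 3 or e.get("Initiated") != "true":
            continue
        start = created.get(e["ProcessGuid"])
        if start is None:
            continue
        from_user_dir = any(d in start["Image"].lower() for d in SUSPECT_DIRS)
        odd_port = e["DestinationPort"] not in ALLOWED_PORTS
        quick = 0 <= (_ts(e) - _ts(start)).total_seconds() <= window_s
        if from_user_dir and odd_port and quick:
            alerts.append({"ProcessGuid": e["ProcessGuid"], "Image": start["Image"],
                           "Parent": start["ParentImage"],
                           "ioc": f'{e["DestinationIp"]}:{e["DestinationPort"]}'})
    return alerts

def build_timeline(events, guid):
    """Order every event of one process plus the file-create that wrote its executable."""
    image = next(e["Image"] for e in events if e["EventID"] == 1 and e["ProcessGuid"] == guid)
    related = [e for e in events if e["ProcessGuid"] == guid
               or (e["EventID"] == 11 and e.get("TargetFilename") == image)]
    names = {1: "process created", 3: "outbound connection", 11: "file written"}
    return [f'{e["UtcTime"]} {names[e["EventID"]]} '
            f'{e.get("TargetFilename") or e.get("DestinationIp") or e["Image"]}'
            for e in sorted(related, key=_ts)]
```

The same correlation is what a Splunk alert over the Sysmon index would do; tuning ALLOWED_PORTS and SUSPECT_DIRS for the environment is the kind of rule refinement the findings call for.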