Coursework Case Study

BOTSv3 Incident Analysis

Investigated a multi-stage compromise in the Splunk Boss of the SOC v3 dataset, correlating evidence across O365, Windows endpoint, Linux, and Sysmon telemetry.

Tags: Splunk Enterprise 8 · Guided Findings · MITRE ATT&CK Mapping

Scope and Method

This report follows a SOC workflow from triage to deeper correlation. I investigated phishing evidence, malicious attachment execution, account manipulation, and internal reconnaissance indicators. Findings were mapped to ATT&CK techniques to keep conclusions operationally useful.

Evidence Correlation

Correlated email upload events, endpoint process activity, and Linux authentication data to reconstruct attack progression.
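The kind of cross-source timeline this correlation step produces can be built in one SPL search that pulls the three evidence types onto a common set of columns. The search below is an added example for this page, not the report's own query; it assumes the BOTSv3 data is in `index=botsv3` with the sourcetypes `ms:o365:management`, `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational` and `linux_secure`, and the field names (`UserId`, `ClientIP`, `SourceFileName`, `ObjectId`, `User`, `Computer`, `Image`, `CommandLine`, `user`) the Splunk add-ons for O365, Sysmon and Unix normally extract.

```spl
index=botsv3
    ( sourcetype="ms:o365:management" Operation="FileUploaded" )
    OR ( sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 )
    OR ( sourcetype="linux_secure" ("Accepted password" OR "Accepted publickey") )
| eval actor  = coalesce(UserId, User, user)
| eval system = coalesce(ClientIP, Computer, host)
| eval detail = case(
      sourcetype=="ms:o365:management",  "upload: ".coalesce(SourceFileName, ObjectId),
      like(sourcetype, "%Sysmon%"),      "process: ".Image." ".coalesce(CommandLine, ""),
      sourcetype=="linux_secure",        "ssh: "._raw)
| table _time sourcetype actor system detail
| sort 0 _time
```

Set the time picker to the dataset's date range rather than a relative window, since BOTSv3 is a static capture. Once the three sources share the `actor` and `system` columns, narrowing to one user or host with `| search actor=<name>` shows the upload, the process start and the SSH login in order, which is the sequence the attack-progression reconstruction rests on.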

Tags: O365 Logs · Sysmon · Auth Logs

Persistence and Access Abuse

Identified suspicious account creation and elevated group assignment patterns, then tied those events to likely persistence goals.
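A detection that pairs the two ATT&CK techniques named in this finding (T1136.001 local account creation and T1098.002 privileged group manipulation) is a creation event followed within a short window by a group-membership event for the same account. The search below is an added example, not the report's own; it assumes `index=botsv3`, the classic `WinEventLog:Security` sourcetype, and the Splunk Add-on for Microsoft Windows field names `src_user` (the account performing the action), `user` (the created account or added member) and `Group_Name`.

```spl
index=botsv3 sourcetype="WinEventLog:Security"
    (EventCode=4720 OR EventCode=4728 OR EventCode=4732 OR EventCode=4756)
| eval action=if(EventCode==4720, "created", "added_to_group")
| stats min(_time) AS first_seen max(_time) AS last_seen
        values(action) AS actions dc(action) AS n_actions
        values(src_user) AS performed_by values(Group_Name) AS groups
        BY user, ComputerName
| where n_actions==2 AND (last_seen - first_seen) <= 3600
| eval window_s=last_seen-first_seen
| convert ctime(first_seen) ctime(last_seen)
| table first_seen last_seen ComputerName user performed_by groups window_s
```

Event 4720 is the account creation; 4728, 4732 and 4756 are additions to global, local and universal security-enabled groups. Requiring both actions for one `user` on one host inside an hour filters out routine provisioning, and the `groups` column is what ties the event to a persistence goal (an addition to Administrators or Domain Admins matters far more than one to a distribution group). One caveat a hunter should expect: in 4732 the member of a domain account is often logged only as a SID, so `user` may need a SID-to-name lookup before the two halves match.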

Tags: T1136.001 · T1098.002 · Account Analysis

Recon and C2 Indicators

Investigated port 1337 listening activity and scanner artefacts, including hash evidence for suspicious binaries.
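Sysmon does not record a listening socket directly, but an inbound connection (event 3 with `Initiated=false`) whose local port is 1337 is the trace a listener leaves, and the process GUID links that connection back to the process-creation event carrying the binary's hash. The search below is an added example, not the report's own; it assumes `index=botsv3`, the `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational` sourcetype, and that the Sysmon configuration records SHA256 in the `Hashes` field.

```spl
index=botsv3 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    ( EventCode=3 (DestinationPort=1337 OR SourcePort=1337) ) OR EventCode=1
| rex field=Hashes "SHA256=(?<sha256>[0-9A-Fa-f]{64})"
| eval inbound=if(EventCode==3 AND Initiated=="false", 1, 0)
| stats values(Computer) AS Computer values(Image) AS Image
        values(sha256) AS sha256 values(CommandLine) AS CommandLine
        values(ParentImage) AS ParentImage
        sum(eval(if(EventCode==3, 1, 0))) AS conns_1337
        sum(inbound) AS inbound_1337
        dc(DestinationIp) AS peers values(DestinationIp) AS dest_ips
        min(eval(if(EventCode==3, _time, null()))) AS first_conn
        BY ProcessGuid
| where conns_1337 > 0
| eval first_conn=strftime(first_conn, "%Y-%m-%d %H:%M:%S")
| table first_conn Computer Image sha256 inbound_1337 conns_1337 peers dest_ips ParentImage CommandLine
```

Grouping by `ProcessGuid` rather than joining avoids the subsearch result limits a `join` would impose on a large dataset, at the cost of scanning every process-creation event; on a live deployment narrow the `EventCode=1` side to the hosts that surfaced in the port-1337 connections first. The `sha256` column is the value to check against threat intelligence, and `peers` (distinct remote addresses) separates a single operator connection from a binary that is itself sweeping other hosts, which is the distinction between the T1571 and T1046 indicators this finding covers.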

Tags: T1571 · T1046 · Threat Hunting

Security Outcomes

  • Produced a clear attack chain from initial access through persistence and reconnaissance.
  • Demonstrated practical SPL filtering and timeline-focused investigation style.
  • Mapped findings to ATT&CK to support defensive remediation planning.
  • Documented control improvements around phishing prevention, account monitoring, and network detection.