magarsurajjj-alt/Network-Reconnaissance-Detection-Incident-Response-Lab

GitHub: magarsurajjj-alt/Network-Reconnaissance-Detection-Incident-Response-Lab

A SOC teaching lab that simulates Nmap network reconnaissance and walks through the full detection, analysis, and incident response workflow using Windows Firewall logs.

Stars: 0 | Forks: 0

# Network Reconnaissance Detection and Incident Response Lab (SOC Incident Response Project)

## Overview

This project simulates a realistic SOC (Security Operations Center) scenario: network reconnaissance is performed with Nmap from a Kali Linux machine against a Windows 11 target, and the activity is detected from Windows Firewall logs. The attack is then analyzed and contained with a firewall rule.

The project demonstrates:

- Network reconnaissance detection
- Log analysis using Windows Firewall logs
- An incident response workflow (detection → analysis → response)
- Firewall-based mitigation techniques

## Lab Environment

- 🖥️ Attacker: Kali Linux
- 🖥️ Target: Windows 11
- 📊 Logging: Windows Firewall logging
- 🛠️ Tools used:
  - Nmap (network scanning)
  - Windows Firewall
  - PowerShell

## Attack Simulation

A network scan was executed from Kali Linux with Nmap:

```
nmap -sS -sV -T4 192.168.1.67
```

or an aggressive scan:

```
nmap -A 192.168.1.67
```

This simulates a reconnaissance attack in which an attacker tries to discover:

- Open ports
- Running services
- System exposure

Tool used: Nmap

## Detection Method

Detection was performed using Windows Firewall logs. Note that Windows does not write this log by default: "Log dropped packets" must be enabled on the active firewall profile (Domain, Private or Public) before the scan, or nothing will be recorded.

Log location:

```
%systemroot%\System32\LogFiles\Firewall\pfirewall.log
```

Indicators of reconnaissance:

- Multiple connection attempts from the same source IP
- Sequential port-scanning behavior (many distinct destination ports in a short time)
- DROP entries in the log, one per blocked probe (the Windows log records actions as ALLOW or DROP)
- A high rate of TCP SYN packets (tcpflags `S` with no ACK), which is exactly what a SYN scan (`-sS`) generates

## Incident Analysis

Log analysis identified the following:

- Attacker IP: 192.168.1.71
- Targeted ports: 21, 22, 80, 135, 445, 3389
- Behavior: network reconnaissance (port scanning)

## Incident Response (Mitigation)

A firewall rule was created to block the attacker:

```
New-NetFirewallRule -DisplayName "Block Nmap Scanner" `
    -Direction Inbound `
    -RemoteAddress 192.168.1.71 `
    -Action Block
```

This stopped further scanning activity from that host. To confirm it, check that the rule exists with Get-NetFirewallRule -DisplayName "Block Nmap Scanner" and re-run the scan: Windows Firewall drops silently, so Nmap now reports the ports as filtered. Blocking a single source address is a containment step, not a lasting fix; an attacker can simply scan again from another address, so the rule should be paired with reducing the services actually exposed on the host.

## Optional Analysis Tools

For deeper analysis:

- Windows Event Logs
- Wireshark packet analysis
- Splunk dashboards

## Key Learning Outcomes

- Understanding reconnaissance attacks (network scanning)
- Log-based threat detection
- SOC incident response workflow
- Firewall-based threat mitigation
- Basic Blue Team security operations

## Conclusion

This project demonstrates how SOC analysts detect and respond to reconnaissance attacks using log analysis and firewall controls. It simulates a real-world attack scenario and shows the full incident response lifecycle: detection, analysis, and mitigation.
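Worked detection example, added here as an illustration and not part of the original project: a Python script that parses the W3C-format pfirewall.log described in the Detection Method section (column names are taken from the log's own `#Fields:` header) and flags any source address that probes many distinct TCP ports within a short window. The log lines are constructed for the example; the attacker and target addresses (192.168.1.71 and 192.168.1.67) and the six ports follow the Incident Analysis section above, the benign 192.168.1.20 entries are invented noise, and the threshold of five distinct ports within sixty seconds is an assumed tuning value, not something the project specifies.

```python
"""Flag port-scan reconnaissance in a Windows Firewall pfirewall.log (W3C format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The header lines and column layout match what Windows
# writes; the entries are made up to mirror the lab's scan from .71 against .67.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 10:15:01 DROP TCP 192.168.1.71 192.168.1.67 45210 21 52 S 3317045632 0 64240 - - - RECEIVE
2024-03-01 10:15:01 DROP TCP 192.168.1.71 192.168.1.67 45212 22 52 S 3317045633 0 64240 - - - RECEIVE
2024-03-01 10:15:02 DROP TCP 192.168.1.71 192.168.1.67 45214 80 52 S 3317045634 0 64240 - - - RECEIVE
2024-03-01 10:15:02 DROP TCP 192.168.1.71 192.168.1.67 45216 135 52 S 3317045635 0 64240 - - - RECEIVE
2024-03-01 10:15:03 DROP TCP 192.168.1.71 192.168.1.67 45218 445 52 S 3317045636 0 64240 - - - RECEIVE
2024-03-01 10:15:03 DROP TCP 192.168.1.71 192.168.1.67 45220 3389 52 S 3317045637 0 64240 - - - RECEIVE
2024-03-01 10:15:40 ALLOW TCP 192.168.1.20 192.168.1.67 51000 445 52 S 1000 0 64240 - - - RECEIVE
2024-03-01 10:16:10 DROP UDP 192.168.1.20 192.168.1.67 137 137 78 - - - - - - - RECEIVE
"""


def parse_pfirewall_log(text):
    """Yield one dict per entry, keyed by the column names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other header lines (#Version, #Software, #Time Format)
        if fields is None:
            raise ValueError("log entry seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip it rather than crash
        entry = dict(zip(fields, values))
        entry["ts"] = datetime.strptime(f"{entry['date']} {entry['time']}", "%Y-%m-%d %H:%M:%S")
        yield entry


def find_scanners(text, min_ports=5, window=timedelta(seconds=60)):
    """Return {src_ip: summary} for sources hitting >= min_ports distinct TCP ports
    within any `window`-long span. Thresholds are assumed lab values."""
    by_src = defaultdict(list)
    for e in parse_pfirewall_log(text):
        if e["protocol"] != "TCP" or e["path"] != "RECEIVE":
            continue  # only inbound TCP probes matter for a SYN scan
        by_src[e["src-ip"]].append(e)

    hits = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best_ports = set()
        lo = 0
        for hi in range(len(events)):
            # slide the window start forward until events[lo..hi] fit in `window`
            while events[hi]["ts"] - events[lo]["ts"] > window:
                lo += 1
            ports = {e["dst-port"] for e in events[lo:hi + 1]}
            if len(ports) > len(best_ports):
                best_ports = ports
        if len(best_ports) >= min_ports:
            hits[src] = {
                "ports": sorted(int(p) for p in best_ports),
                "drops": sum(1 for e in events if e["action"] == "DROP"),
                # bare SYN (flags "S", no ACK) is the signature of nmap -sS
                "syn_only": sum(1 for e in events if e["tcpflags"] == "S"),
                "first_seen": events[0]["ts"],
                "last_seen": events[-1]["ts"],
            }
    return hits


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(info['ports'])} distinct ports {info['ports']}, "
              f"{info['drops']} DROPs, {info['syn_only']} bare-SYN probes, "
              f"{info['first_seen']:%H:%M:%S}-{info['last_seen']:%H:%M:%S}")
```

To run it against the real log, read `%systemroot%\System32\LogFiles\Firewall\pfirewall.log` into a string and pass it to `find_scanners`; the firewall service keeps the file open for writing, but it is readable while the service runs. The per-source summary is what an analyst needs for the response step: the source to block and the ports it enumerated.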
Tags: AI compliance, AMSI bypass, CTI, IPv6, Nmap, PowerShell, Windows 11, Windows Firewall, Wireshark, handle viewing, threat detection, subdomain permutation, security lab, security operations center, lab environment, password management, library, incident response, plugin system, attack simulation, data statistics, port scanning, mitigation, network reconnaissance detection, cybersecurity, network mapping, virtual drive, defense strategy, privacy protection, driver signing exploitation