Jonathan-Sproule/Corvid

GitHub: Jonathan-Sproule/Corvid

Stars: 1 | Forks: 0

# Corvid

Detection engineering portfolio lab. Working towards a production-style detection pipeline using Sigma-first authoring, Splunk, and both Atomic Red Team and manual adversary emulation for validation.

## Lab Overview

| Component | Role |
|---|---|
| Splunk Enterprise (Ubuntu VM) | SIEM - detection writing, tuning, and testing |
| Windows 11 VM | Detection target + Atomic Red Team runner |
| Kali Linux VM | Red team simulation - manual adversary emulation for ground-truth telemetry |
| Sysmon (Olaf Hartong config) | Endpoint telemetry source |
| Universal Forwarder | Ships Sysmon, PowerShell, and Security logs to Splunk |
| Atomic Red Team | Adversary simulation for detection validation |
| Domain Controller VM | Built, promoted - standing by for identity phase |
| Raspberry Pi 5 | Planned network sensor (Suricata/Zeek) |

## Repo Structure

```
/Detections                      per-attack detection folders; each contains Sigma rule, Splunk SPL,
                                 research notes, references, and variant subdirs
/Templates                       reusable Sigma scaffold for new detections
/Infrastructure
  /Phase-Log                     narrative log per phase (phase0.md, phase1.md, ...)
  /Atomic-Red-VM-Config
    Build-Notes.md               VM-specific troubleshooting log
    /PowerShell-Profile
      atomicred-vm-profile.ps1   lab helpers
  /SplunkForwarder-Config-Files
  /Splunk-Server-VM-Config
    Build-Notes.md               Splunk VM build and config notes
/Notes                           SPL query scratchpad, reference material
/Tools
  run-atomic.ps1                 toggles Defender, detonates Atomic tests
  /hooks
    post-commit.py               structured commit hook - auto-updates detection log and state
    install-hooks.sh             run once after cloning to wire up git hooks
```

## Setup

After cloning, install the git hooks:

```bash
Tools/hooks/install-hooks.sh
```

This wires up the post-commit hook that parses structured commit messages and maintains the local detection log and project state file automatically.
## Commit Convention

Structured commit subjects follow the pattern shown in the examples below: a type, the scope in parentheses, a colon, then the message.

**Detection cycle types** - `scope` is the ATT&CK technique ID:

| Type | Step | Example |
|---|---|---|
| `research` | 1 - Research | `research(T1053.005): scheduled task persistence source analysis` |
| `detonate` | 2 - Red side | `detonate(T1053.005): confirmed EID 4698 from manual detonation` |
| `author` | 3 - Author | `author(T1053.005): draft Sigma rule - TaskName and image conditions` |
| `validate` | 4 - Validate | `validate(T1053.005): rule fires against detonation events in Splunk` |
| `evade` | 5 - Evade | `evade(T1053.005): task name mutation bypass identified` |
| `tune` | 6 - Tune | `tune(T1053.005): tightened ParentImage condition after evasion test` |
| `backtest` | 7 - Backtest | `backtest(T1053.005): zero false positives against 30 days historical` |
| `ship` | 8 - Ship | `ship(T1053.005): scheduled task persistence detection complete` |

**Structural types:**

| Type | Scope | Example |
|---|---|---|
| `phase` | transition | `phase(2→3): identity arc begins - DC online` |
| `infra` | component | `infra(splunk): added winsec index` |
| `docs` | component | `docs(readme): update lab overview` |

Non-structured commits are accepted without restriction - the hook ignores them silently.

## Detection Methodology

Every detection follows an eight-step cycle from research through detonation, validation, evasion testing, and backtest. See [Detections/README.md](Detections/README.md) for the full lifecycle and detection philosophy.

## Phase Roadmap

```
Phase 0 - Pipeline build ........................... COMPLETE
  Splunk lab: Sysmon + PowerShell telemetry, Universal Forwarder, end-to-end ingestion verified.

Phase 1 - Ship ClickFix detection .................. COMPLETE
  Sigma-first authoring, structured research, five-layer validation.
  CrashFix/KongTuke rule shipped: OriginalFileName anchor, detonation confirmed across three iterations.

Phase 2 - Detection-as-code + CI/CD ................ COMPLETE
  GitHub Actions pipeline: sigma-cli validation on every PR, gitleaks OPSEC secret scan,
  pySigma conversion to SPL artifact. Branch protection requires all three jobs to pass
  before merge to main.

--- Identity detection arc ---

Phase 3 - On-prem identity: AD detection
  Domain-join Windows VM, bring DC online. Kerberoasting, password spraying,
  privilege escalation, replication abuse.

Phase 4 - Detection library + eval harness
  Golden TP/FP datasets; local LLM (Ollama) for payload analysis.

Phase 5 - Cloud identity: Entra ID / Azure
  Sentinel + Azure. AiTM, session hijacking, illicit consent / OAuth abuse, CA tampering.

--- Tooling and long tail ---

Phase 6 - Python tooling
  Sigma→Splunk pusher, Atomic Red Team MCP server.

Phase 7 - Network telemetry (Pi 5 + Suricata)
  Long-tail phase - added once identity arc is mature.
```

## Key Docs

- [Phase 0 build log](Infrastructure/Phase-Log/phase0.md)
- [Phase 1 build log](Infrastructure/Phase-Log/phase1.md)
- [Atomic Red VM build notes](Infrastructure/Atomic-Red-VM-Config/Build-Notes.md)
- [Splunk server build notes](Infrastructure/Splunk-Server-VM-Config/Build-Notes.md)
- [PowerShell profile for the lab](Infrastructure/Atomic-Red-VM-Config/PowerShell-Profile/README.md)
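## Worked Example: Parsing the Commit Convention

The following is an added example, not the repo's own `Tools/hooks/post-commit.py`. It implements the parsing described under Setup and Commit Convention: a subject line is classified as one of the eight detection-cycle types (scope must be an ATT&CK technique ID) or one of the three structural types, anything else is treated as non-structured and ignored, and a commit history is replayed into a per-technique state map recording the furthest step reached. The function names (`parse_commit`, `apply_commit`, `process_history`), the `StructuredCommit` record and the state shape are assumptions for illustration, not the hook's actual interface.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not Corvid's own post-commit.py. Function names and the
# state-file shape below are assumptions, not the hook's real interface.

# Detection-cycle types and their position in the eight-step cycle.
CYCLE_STEPS = {
    "research": 1, "detonate": 2, "author": 3, "validate": 4,
    "evade": 5, "tune": 6, "backtest": 7, "ship": 8,
}
STRUCTURAL_TYPES = {"phase", "infra", "docs"}

# type(scope): message -- scope is anything up to the closing paren, so
# phase(2→3) and infra(splunk) both match.
COMMIT_RE = re.compile(r"^(?P<type>[a-z]+)\((?P<scope>[^)]+)\):\s*(?P<msg>\S.*)$")
# ATT&CK technique ID with optional sub-technique suffix, e.g. T1053.005.
ATTACK_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


@dataclass(frozen=True)
class StructuredCommit:
    kind: str             # "detection" or "structural"
    type: str
    scope: str
    message: str
    step: Optional[int]   # 1..8 for detection commits, None for structural


def parse_commit(body: str) -> Optional[StructuredCommit]:
    """Parse the subject line of a commit body; return None if it is not structured."""
    lines = body.strip().splitlines()
    if not lines:
        return None
    m = COMMIT_RE.match(lines[0].strip())
    if not m:
        return None
    ctype, scope, msg = m.group("type"), m.group("scope"), m.group("msg")
    if ctype in CYCLE_STEPS:
        # A detection-cycle commit must be scoped to an ATT&CK technique ID;
        # a malformed scope is treated as non-structured rather than logged.
        if not ATTACK_ID_RE.match(scope):
            return None
        return StructuredCommit("detection", ctype, scope, msg, CYCLE_STEPS[ctype])
    if ctype in STRUCTURAL_TYPES:
        return StructuredCommit("structural", ctype, scope, msg, None)
    return None


def apply_commit(state: dict, commit: StructuredCommit) -> dict:
    """Advance the per-technique state (ATT&CK ID -> highest step reached).

    Steps can be revisited (a second tune after a noisy backtest, for example),
    so the recorded value is the furthest step reached, never a regression.
    """
    if commit.kind == "detection":
        state[commit.scope] = max(state.get(commit.scope, 0), commit.step)
    return state


def process_history(bodies: list) -> tuple:
    """Replay commit bodies in order; return (detection log entries, project state)."""
    log, state = [], {}
    for body in bodies:
        commit = parse_commit(body)
        if commit is None:
            continue          # non-structured commit: accepted, silently ignored
        log.append(commit)
        apply_commit(state, commit)
    return log, state


if __name__ == "__main__":
    # Constructed sample history built from the README's own example messages.
    sample = [
        "research(T1053.005): scheduled task persistence source analysis",
        "detonate(T1053.005): confirmed EID 4698 from manual detonation",
        "fix typo in lab overview",            # non-structured, ignored
        "author(T1053.005): draft Sigma rule - TaskName and image conditions",
        "infra(splunk): added winsec index",
        "validate(T1053.005): rule fires against detonation events in Splunk",
    ]
    entries, project_state = process_history(sample)
    for e in entries:
        print(f"{e.kind:10} {e.type:9} {e.scope:10} step={e.step}")
    print(project_state)
```

Rejecting a detection-cycle commit whose scope is not a technique ID, instead of logging it, keeps the state file keyed only by ATT&CK IDs; a real post-commit hook would obtain the body from `git log -1 --format=%B` and persist the returned state rather than printing it.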