I didn't realize how quickly a simple misconfiguration could snowball into a full compromise, until I caused one myself. The Red vs Blue capstone placed me on both sides of the cybersecurity equation: the attacker exploiting weaknesses and the analyst trying to understand how it happened. Experiencing both perspectives transformed my understanding of how real intrusions unfold and how defenders catch them.
Every attack begins with an infrastructure worth attacking. Our team built "Billiken Solutions," a fictional company with a fully segmented enterprise network:
- Proxmox VE for virtualization
- VyOS router with WAN, LAN & NAT
- PfSense firewall enforcing default deny
- Ubuntu Wazuh Manager (178.18.2.2)
- Windows 10 endpoint with Sysmon + Wazuh agent
This environment gave us a realistic foundation for offensive and defensive operations. Setting up Sysmon, configuring agents, debugging Wazuh pipelines, and ensuring NAT/firewall rules worked as expected forced me to understand how each piece influences visibility and security.

Becoming the Attacker: Red Team Phase
The offensive simulation happened in two waves. Both revealed how small misconfigurations can cascade into total compromise.
1. Weak SMB Credentials -> Full Initial Access
My first discovery was a shockingly simple one:
The SMB service accepted admin/password.
A single weak credential allowed:
- Direct authentication
- Administrative privileges
- SYSTEM-level access without further exploitation
Once inside, enumeration quickly revealed more than I expected.
[Screenshot: SMB authentication with admin/password]

2. Finding the Wazuh Logging Server (The Crown Jewel)
Using netstat -an, I noticed the compromised Windows host was communicating with:
178.18.3.2:1514
This was the Wazuh Manager, the heart of the organization's detection capability. Compromising it would mean altering logs, suppressing alerts, or pivoting deeper.
Although we didn't fully breach it, identifying it as a lateral movement path was a critical win.
3. Building Persistence Like a Real Adversary
I established multiple layers of persistence, including:
- Hidden admin users
- Scheduled tasks (SystemHealthMonitor)
- Registry Run keys (SecurityUpdate)
- Custom Windows services (TimeSyncService)
- Startup scripts (update.bat)
- Disabled Wazuh agent
This made the host resilient to resets and attempts at remediation.
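Each of the persistence mechanisms above leaves a trace in the telemetry the blue team was already collecting. The following is an added example, not the capstone's code or Wazuh's rule set: it runs a small set of triage rules over constructed Sysmon and Windows event records that mirror the names mentioned in the list (a Run-key write is Sysmon event ID 13, a scheduled task is Security 4698, a new service is System 7045, a file dropped into a Startup folder is Sysmon event ID 11, a service switched to disabled is System 7040, and a member added to Administrators is Security 4732). The field names, sample records and the assumed agent service name WazuhSvc are this example's constructions; the ATT&CK technique IDs are the standard ones.

```python
"""Triage rules for persistence artifacts over constructed event records.

Added example (not the capstone's own code or Wazuh's rules). Field names,
the sample records and the 'WazuhSvc' service name are assumptions.
"""
import re

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Assumed names of the telemetry services; adjust for your own environment.
PROTECTED_SERVICES = {"wazuhsvc", "sysmon64", "sysmon"}

# Constructed records mirroring the persistence names mentioned in the post.
EVENTS = [
    {"id": 13, "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate", "details": r"C:\Users\Public\update.bat"},
    {"id": 4698, "task": r"\SystemHealthMonitor", "command": r"C:\Users\Public\update.bat"},
    {"id": 7045, "service": "TimeSyncService", "image": r"C:\Users\Public\tsync.exe"},
    {"id": 11, "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.bat"},
    {"id": 7040, "service": "WazuhSvc", "start_type": "disabled"},
    {"id": 4732, "group": "Administrators", "member": "svc_health"},
    # Benign noise that must not alert: an Explorer setting, an updater switched to manual start.
    {"id": 13, "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "details": "DWORD (0x00000001)"},
    {"id": 7040, "service": "edgeupdate", "start_type": "demand start"},
]


def triage(event):
    """Return (technique, severity, summary) for a persistence-relevant event, else None."""
    eid = event["id"]
    if eid == 13 and RUN_KEY_RE.search(event["target"]):
        name = event["target"].split("\\")[-1]
        return ("T1547.001", "high", f"Run key value {name} -> {event['details']}")
    if eid == 11 and STARTUP_DIR_RE.search(event["target"]):
        return ("T1547.001", "high", f"file created in Startup folder: {event['target']}")
    if eid == 4698:
        return ("T1053.005", "medium", f"scheduled task {event['task']} runs {event['command']}")
    if eid == 7045:
        # Every new service is worth a look; the image path tells you how worried to be.
        return ("T1543.003", "medium", f"service {event['service']} installed from {event['image']}")
    if eid == 7040 and event["service"].lower() in PROTECTED_SERVICES and event["start_type"] == "disabled":
        # Losing the agent means losing every later alert, so this outranks the rest.
        return ("T1562.001", "critical", f"telemetry service {event['service']} set to disabled")
    if eid == 4732 and event["group"].lower() == "administrators":
        return ("T1098", "high", f"{event['member']} added to local Administrators")
    return None


def run(events=EVENTS):
    """Apply triage to every record and return the alerts, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    alerts = [a for a in map(triage, events) if a]
    return sorted(alerts, key=lambda a: order[a[1]])


if __name__ == "__main__":
    for technique, severity, summary in run():
        print(f"{severity:<8} {technique:<10} {summary}")
```

The ordering matters in practice: an agent being disabled is the one event that silences all the others, so it is ranked above the persistence artifacts themselves. In a real deployment these rules would live in the SIEM (Wazuh rules keyed on the same event IDs) rather than in a script, but the matching logic is the same.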

Red Team Phase 2: Cracking the Custom Challenge
The second offensive challenge was more structured and puzzle-like.
1. Custom PIN Service on Port 4455
A 4-digit PIN was required for access, but with no rate limiting.

I wrote a simple automated brute-forcer, and eventually:
PIN found -> 5320
The service returned a string:
C@55j0eq1234
A quick ROT13 transformation revealed:
P@55w0rd1234
Which turned out to be valid SSH credentials.
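The weakness here was not the PIN length alone but the absence of any throttling: a 4-digit space is only 10,000 values, which an unthrottled service hands over in seconds. The following is an added example, not the capstone's port 4455 service or anyone's production code, showing the server-side controls that change the picture: per-client failure counting, a fixed lockout window during which no comparison is even attempted, and a constant-time comparison so response timing reveals nothing. The class and constant names and the injectable clock are this example's own choices.

```python
"""Throttling a PIN check so a 4-digit space cannot be enumerated.

Added example, not the capstone's service. PinGate, MAX_ATTEMPTS and the
injected clock are this example's own choices.
"""
import hmac
import time
from dataclasses import dataclass

PIN_LENGTH = 4
MAX_ATTEMPTS = 5        # failed guesses allowed before a lockout starts
LOCKOUT_SECONDS = 900   # 15 minutes of refusing to check guesses at all


@dataclass
class ClientState:
    failures: int = 0
    locked_until: float = 0.0


class PinGate:
    def __init__(self, pin: str, clock=time.monotonic):
        # The clock is injectable so the policy can be tested without waiting.
        self._pin = pin.encode()
        self._clock = clock
        self._clients: dict[str, ClientState] = {}

    def check(self, client_id: str, guess: str) -> tuple[bool, str]:
        """Return (accepted, reason). While locked out, no comparison is made."""
        st = self._clients.setdefault(client_id, ClientState())
        now = self._clock()
        if now < st.locked_until:
            return False, f"locked out for {int(st.locked_until - now)}s"
        # compare_digest keeps the response time independent of how many
        # leading digits were right, so timing reveals nothing about the PIN.
        if len(guess) == PIN_LENGTH and hmac.compare_digest(guess.encode(), self._pin):
            st.failures = 0
            return True, "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return False, "too many failures; locked out"
        return False, "invalid pin"


def worst_case_seconds(keyspace: int = 10 ** PIN_LENGTH) -> int:
    """Lower bound on the time needed to try every PIN under this policy.

    Guesses themselves are taken as instantaneous: the caller gets MAX_ATTEMPTS
    guesses per lockout window and must wait out the window between blocks
    (no wait is needed after the final block).
    """
    blocks = -(-keyspace // MAX_ATTEMPTS)  # ceiling division
    return (blocks - 1) * LOCKOUT_SECONDS


if __name__ == "__main__":
    gate = PinGate("5320")
    for guess in ("0000", "0001", "0002", "0003", "0004", "5320"):
        print(guess, gate.check("10.0.0.9", guess))
    print("exhaustive search now needs at least", worst_case_seconds() // 86400, "days")
```

With five guesses per fifteen-minute window the full space takes about twenty days instead of seconds, and every lockout is itself an event worth alerting on. Because the lockout is keyed on the client identifier, it has to be paired with a global rate cap or a per-account lockout, otherwise a source that changes addresses gets a fresh allowance each time.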

2. SSH -> Admin -> Flag Captured
Once inside, I already had administrative rights.
Persistence was re-established, and while exploring the system, I located the final flag:
earsup{You_F0und_the_Tr3@sur3}

This completed the offensive chain, from enumeration, to exploitation, to persistence, to data discovery.
Switching Hats: Blue Team Detection
Once my attacker mindset was complete, I moved to the defensive side to trace the very attacks we had performed earlier.
This was the most eye-opening part.
1. Using Wazuh + Sysmon to Reconstruct the Attack Timeline
The Sysmon -> Wazuh pipeline revealed:
- Multiple brute-force SSH attempts
- A sudden spike in failed logins (Event ID 4625)
- One successful login (Event ID 4624)
- Post-compromise commands: whoami, net user, net localgroup administrators
- New user creation
The attacker (in this case, us) gained full access to the account Amina, then elevated privileges.
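Wazuh did the correlation above for us, but the logic is worth seeing spelled out. The following is an added example, not Wazuh's rule set or the capstone's own code: it replays constructed event records through the same chain described here, a burst of failed logons (Security 4625) for one account, a successful logon (4624) for the same account right after, the discovery commands listed above as Sysmon event ID 1 process creations, and a new local account (4720) inside the post-logon window. The sample records (the date is arbitrary), field names, thresholds and the svc_health account name are this example's constructions; the event IDs are the standard Windows and Sysmon ones.

```python
"""Reconstructing the attack timeline from constructed event records.

Added example, not Wazuh's rules or the capstone's code. Records, field
names, thresholds and the 'svc_health' account are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5                  # failed logons for one account ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)  # ... inside this window
POST_LOGON_WINDOW = timedelta(minutes=10)  # how long after a suspicious logon the account is watched
DISCOVERY_COMMANDS = ("whoami", "net user", "net localgroup administrators")

# Constructed sample: eight failures, one success, discovery commands, a new user, then noise.
EVENTS = [
    *[{"ts": f"2024-05-01T10:00:{s:02d}", "id": 4625, "user": "Amina", "src": "10.0.0.9"} for s in range(8)],
    {"ts": "2024-05-01T10:00:08", "id": 4624, "user": "Amina", "src": "10.0.0.9"},
    {"ts": "2024-05-01T10:00:30", "id": 1, "user": "Amina", "cmd": "whoami"},
    {"ts": "2024-05-01T10:00:35", "id": 1, "user": "Amina", "cmd": "net user"},
    {"ts": "2024-05-01T10:00:41", "id": 1, "user": "Amina", "cmd": "net localgroup administrators"},
    {"ts": "2024-05-01T10:01:10", "id": 4720, "user": "Amina", "new_user": "svc_health"},
    # Noise that must not alert: a routine logon by another user, who also runs whoami.
    {"ts": "2024-05-01T10:02:00", "id": 4624, "user": "jdoe", "src": "10.0.0.21"},
    {"ts": "2024-05-01T10:02:05", "id": 1, "user": "jdoe", "cmd": "whoami"},
]


def detect(events):
    """Return findings as (kind, account, detail) tuples in timeline order."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as strings
    failures = defaultdict(list)  # account -> timestamps of recent 4625s
    compromised = {}              # account -> time of the 4624 that followed a burst
    findings = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["id"] == 4625:
            recent = [x for x in failures[user] if t - x <= BRUTE_FORCE_WINDOW] + [t]
            failures[user] = recent
            if len(recent) == BRUTE_FORCE_THRESHOLD:  # fire once, exactly at the threshold
                findings.append(("brute_force", user, e["ts"]))
        elif e["id"] == 4624:
            recent = [x for x in failures[user] if t - x <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:  # success right after a burst
                compromised[user] = t
                findings.append(("brute_force_success", user, f"{e['src']} at {e['ts']}"))
        elif e["id"] == 1 and user in compromised and t - compromised[user] <= POST_LOGON_WINDOW:
            if e["cmd"].lower().startswith(DISCOVERY_COMMANDS):
                findings.append(("discovery", user, e["cmd"]))
        elif e["id"] == 4720 and user in compromised and t - compromised[user] <= POST_LOGON_WINDOW:
            findings.append(("new_account", user, e["new_user"]))
    return findings


if __name__ == "__main__":
    for kind, account, detail in detect(EVENTS):
        print(f"{kind:<20} {account:<8} {detail}")
```

The point of keying the later rules on the account that was just brute-forced is precision: whoami run by a user who logged in normally is routine, while the same command seconds after a burst of 4625s and a 4624 is the start of the chain described above. A single-event rule on 4625 alone would have fired on every typo.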
[Screenshot: Alerts dashboard]

[Screenshot: Event ID 4625 & 4624 timeline]


2. MITRE ATT&CK Mapping
Wazuh correlated our actions to real ATT&CK techniques:
- Credential access
- Privilege escalation
- Account discovery
- Persistence
- Possible lateral movement paths
Seeing abstract frameworks applied to our exact attacks helped bridge the gap between academic learning and real-world SOC analysis.
[Screenshot: MITRE ATT&CK mapping]

What This Project Taught Me
This capstone was more than an exercise; it reshaped how I think about cybersecurity.
1. Offense and Defense Are Two Sides of the Same Coin
Every action I took as an attacker had a defensive trace:
- A registry value -> Sysmon Event ID
- A new user -> Wazuh alert
- A failed login -> Windows Log 4625
Understanding this duality is what transforms a good analyst into a great one.
2. Troubleshooting Is 50% of Cybersecurity
Some of my biggest struggles came not from hacking, but from making the SIEM behave.
I dealt with:
- XML parsing errors
- Wrong Sysmon configurations
- Missing decoders
- Mapping issues between event IDs and alert rules
Debugging made me appreciate how important accurate logging is.
3. Teamwork Mirrors Real SOC Operations
Working with Lokesh and others taught me:
- How to test logs in parallel
- How attackers and defenders coordinate findings
- How critical communication is during investigations
We weren't just running a lab; we were operating like a small SOC team.
How This Shapes My Cybersecurity Career
This capstone strengthened the exact skills demanded in DFIR, SOC analysis, and offensive security:
- Building SIEM pipelines
- Writing/reading detection rules
- Understanding attacker behavior
- Correlating events to MITRE techniques
- Performing privilege escalation and persistence
- Investigating intrusions end-to-end
It confirmed that cybersecurity isn't just a field I study; it's a field I'm ready to contribute to.
Final Thoughts
Working on this Red vs Blue project gave me something I could never get from theory alone:
A front-row seat to the entire attack lifecycle, from initial access to detection engineering.
The experience helped me grow from someone who could simply run tools into someone who understands how attacks evolve, how defenses break, and how real-world SOC teams fight back.
If you've made it this far in the blog, thank you for reading. This capstone wasn't just a project; it was the beginning of my journey as a cybersecurity professional.