Blue Team Investigation of a Simulated Metasploit Attack

This project simulates a Metasploit PsExec attack in a controlled Proxmox lab, followed by an incident response investigation using PowerShell and Sysmon.

I used two virtual machines in my Proxmox lab environment:

  1. Windows 10 workstation (victim): I disabled Windows Defender to allow realistic payload execution.
  2. Kali Linux system (attacker): I used Kali to launch the exploitation and post-exploitation actions.

From the Kali machine, I used Metasploit’s PsExec module to gain NT AUTHORITY\SYSTEM access on the Windows 10 machine, then performed several post-exploitation actions:

  • Credential dumping using hashdump.
  • System reconnaissance (sysinfo, ps, getpid).
  • File transfer (uploading nc.exe) and exfiltration.
  • Creating a Netcat backdoor for secondary C2 access.

On the defender side, I investigated the incident using PowerShell and host-based forensics with Sysmon, configured with SwiftOnSecurity’s config. I identified:

  • Malicious service creation.
  • Process execution chains.
  • Two outbound C2 connections to the attacker machine.

I concluded the project by terminating the Meterpreter and Netcat processes and removing the backdoor binary (nc.exe).


Creating and Defending Against Netcat Backdoor Shells with Named Pipes

During the SANS SEC504 (Hacker Tools, Techniques, and Incident Handling) course, I learned how attackers use Netcat to create backdoor login shells, reverse shell backdoors, transfer files, and cause other mischief.

I created several VMs in Proxmox to learn how RITA detects C2 beaconing traffic, but I first wanted to practice using Netcat to create a backdoor login shell and a reverse shell backdoor. However, Ubuntu no longer supports the -e switch due to security restrictions. To work around this, I used the mkfifo command to create a named pipe — explained in detail below.

Finally, I share steps defenders can take to prevent, detect, and mitigate Netcat-based reverse shells using named pipes.


National Cyber League Spring 2025 CTF

NCL Spring 2025 Team Game

I competed with six other SANS classmates in the NCL Spring 2025 Team Game, placing 63rd out of 4,798 teams nationwide, ranking within the top 1.3% of all competitors. The CTF ran from Friday, April 25 through Sunday, April 27.

Throughout the event, I gained hands-on experience across several cybersecurity domains, including log analysis, network scanning and reconnaissance, network traffic analysis, password cracking, and more. I was able to apply many of the techniques I learned from SEC401 (GSEC) and SEC504 (GCIH).
