jsmithdefense/Security-Projects

Detection & Alerting

  • Credential Exposure Risk — Azure

    Adapted Microsoft CTI report to model how implicit trust of storage keys enables identity-less persistence, developed KQL detection for anomalous credential enumeration as a potential post-compromise indicator

  • Brute Force Detection — Sentinel

    Created scheduled KQL analytics rule to detect repeated failed authentication attempts from single IPs, tuned threshold to 20 failures over 5 hours to balance noise reduction with detection coverage
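    One way to express that rule as a scheduled Sentinel analytics query, added here as an example rather than the repository's own rule; it assumes the Entra ID SigninLogs table (where ResultType "0" is a successful sign-in) and uses the threshold described above: 20 failures from one source IP within a 5-hour lookback.

```kql
// Added example: scheduled analytics rule query for repeated failed sign-ins per source IP.
// Assumes the SigninLogs table; ResultType "0" is success, any other value is a failure.
let lookback = 5h;    // 5-hour window; set the rule's query period to the same value
let threshold = 20;   // failures from a single IP before an incident is raised
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"
| summarize
    FailedAttempts   = count(),
    // many distinct accounts from one IP points to password spraying rather than a single-account brute force
    DistinctAccounts = dcount(UserPrincipalName),
    TargetedAccounts = make_set(UserPrincipalName, 10),
    FirstFailure     = min(TimeGenerated),
    LastFailure      = max(TimeGenerated)
    by IPAddress
| where FailedAttempts >= threshold
| order by FailedAttempts desc
```

    Map IPAddress to the rule's IP entity so that incidents group by source address, and review DistinctAccounts when tuning, since spray traffic and single-account brute force need different thresholds.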

  • Endpoint Monitoring & Alert Refinement — Wazuh

    Deployed multi-OS Wazuh EDR with secure VPN configuration, baselined behavior to tune detections and reduce compliance noise


Threat Investigations

  • Internet Exposure & Initial Access — Defender XDR

    Investigated Azure resource misconfiguration resulting in unintended internet exposure, assessed authentication outcomes, and recommended NSG hardening

  • Data Exfiltration — Defender XDR

    Investigated suspected insider data exfiltration following employee PIP placement, observed PowerShell data staging on endpoint, found no evidence of network exfiltration beyond local staging activity

  • Tor Browser Final Project — Defender XDR

    Investigated unauthorized Tor browser usage on corporate endpoint, observed installation and active network connections to Tor nodes, isolated device and notified management

  • Spear-Phishing — Splunk

    Investigated spear-phishing campaign from initial access through exfiltration, observed 4 compromised hosts with PowerShell C2 beaconing. Estimated ~120MB data exfiltrated

  • Intel-Driven Threat Hunt — Splunk

    Conducted CTI-informed threat hunt for APT web targeting, observed 26,000+ unsuccessful credential stuffing attempts against phpMyAdmin endpoint, recommended exposure reduction controls


Vulnerability Management

PowerShell scripts for automated Windows 11 STIG remediation
