Investigated a simulated ransomware attack within a SOC environment to reconstruct the full attack chain from initial compromise through impact. Using Splunk and Windows security telemetry, I correlated events across multiple log sources to identify attacker activity, track intrusion progression, and map observed behavior to the MITRE ATT&CK framework.
What I Did
Analyzed Windows Security Logs and endpoint telemetry for signs of compromise
Correlated authentication, process creation, and system activity events in Splunk
Reconstructed the attack timeline from initial access to ransomware execution
Identified indicators of persistence, privilege escalation, and lateral movement
Mapped attacker techniques to MITRE ATT&CK tactics and techniques
Documented findings and detection opportunities from the investigation
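The correlation and timeline reconstruction listed above can be expressed as a small rule set run over normalised Windows Security and System events. The following is an added illustration, not the author's Splunk searches or any output of the investigation described: the events are constructed sample records in the field shape a Splunk WinEventLog search returns, the host-to-IP inventory is invented, and the thresholds (three failed logons in 60 seconds, five files renamed to a new extension) are assumed tuning values. The Event IDs (4625, 4624, 4688, 7045, 4672, 4663) and the ATT&CK identifiers are the standard ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(t, host, code, **fields):
    """Build one normalised event record (constructed sample data)."""
    return {"_time": t, "host": host, "EventCode": code, **fields}


# Constructed sample telemetry: a password-guessing burst, a successful network
# logon, PowerShell under that logon session, a service install, admin privilege
# assignment, a hop to a file server, and a burst of files rewritten as .locked.
EVENTS = [
    ev("2024-01-10T09:00:05", "WS01", 4625, TargetUserName="jdoe", IpAddress="203.0.113.7", LogonType=3),
    ev("2024-01-10T09:00:09", "WS01", 4625, TargetUserName="jdoe", IpAddress="203.0.113.7", LogonType=3),
    ev("2024-01-10T09:00:14", "WS01", 4625, TargetUserName="jdoe", IpAddress="203.0.113.7", LogonType=3),
    ev("2024-01-10T09:00:20", "WS01", 4624, TargetUserName="jdoe", IpAddress="203.0.113.7", LogonType=3, TargetLogonId="0x3E7A1"),
    ev("2024-01-10T09:01:02", "WS01", 4688, SubjectLogonId="0x3E7A1", NewProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ev("2024-01-10T09:02:30", "WS01", 7045, ServiceName="UpdaterSvc", ImagePath=r"C:\Users\Public\svc.exe"),
    ev("2024-01-10T09:03:00", "WS01", 4672, SubjectUserName="jdoe"),
    ev("2024-01-10T09:10:00", "FS01", 4624, TargetUserName="jdoe", IpAddress="10.0.0.21", LogonType=3, TargetLogonId="0x5B10C"),
    ev("2024-01-10T09:11:00", "FS01", 4688, SubjectLogonId="0x5B10C", NewProcessName=r"C:\Users\Public\svc.exe"),
] + [
    ev(f"2024-01-10T09:12:0{i}", "FS01", 4663, ObjectName=rf"D:\Shares\Finance\report{i}.xlsx.locked")
    for i in range(6)
]

# Constructed host inventory (hostname -> IP) used to tell internal hops from external logons.
HOST_IPS = {"WS01": "10.0.0.21", "FS01": "10.0.0.40"}


def ts(e):
    return datetime.fromisoformat(e["_time"])


def build_timeline(events, host_ips, fail_threshold=3, fail_window=60, encrypt_threshold=5):
    """Correlate events in time order and emit ATT&CK-mapped findings."""
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    findings, compromised, fired = [], set(), set()
    network_logons = {}            # (host, logon id) -> 4624 event, for session joins
    failures = defaultdict(list)   # (host, user, source ip) -> failed-logon times
    renamed = defaultdict(list)    # host -> times of writes to the suspicious extension

    def add(e, tactic, technique, evidence):
        findings.append({"time": e["_time"], "host": e["host"], "tactic": tactic,
                         "technique": technique, "evidence": evidence})

    for e in sorted(events, key=ts):
        code, host = e["EventCode"], e["host"]
        if code == 4625:
            failures[(host, e["TargetUserName"], e["IpAddress"])].append(ts(e))
        elif code == 4624 and e.get("LogonType") == 3:
            user, src = e["TargetUserName"], e["IpAddress"]
            network_logons[(host, e["TargetLogonId"])] = e
            src_host = ip_to_host.get(src)
            if src_host in compromised:
                add(e, "TA0008 Lateral Movement", "T1021 Remote Services",
                    f"network logon as {user} from already-compromised {src_host} ({src})")
            elif src_host is None:  # not in inventory: treat as external
                recent = [t for t in failures[(host, user, src)] if ts(e) - t <= timedelta(seconds=fail_window)]
                technique = "T1110 Brute Force -> T1078 Valid Accounts" if len(recent) >= fail_threshold else "T1078 Valid Accounts"
                add(e, "TA0001 Initial Access", technique,
                    f"{len(recent)} failed logons then success for {user} from {src}")
            else:
                continue  # ordinary internal logon from a host not flagged: no finding
            compromised.add(host)
        elif code == 4688 and (host, e["SubjectLogonId"]) in network_logons:
            proc = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
            technique = "T1059.001 PowerShell" if proc == "powershell.exe" else "execution under remote logon session (technique not classified)"
            add(e, "TA0002 Execution", technique, f"{proc} started under logon {e['SubjectLogonId']}")
        elif code == 7045:
            add(e, "TA0003 Persistence", "T1543.003 Windows Service",
                f"service {e['ServiceName']} installed from {e['ImagePath']}")
        elif code == 4672:
            user = e["SubjectUserName"]
            if any(l["host"] == host and l["TargetUserName"] == user for l in network_logons.values()):
                add(e, "TA0004 Privilege Escalation", "T1078 Valid Accounts (admin privileges)",
                    f"special privileges assigned to network-logon user {user}")
        elif code == 4663 and e["ObjectName"].lower().endswith(".locked"):
            renamed[host].append(ts(e))
            recent = [t for t in renamed[host] if ts(e) - t <= timedelta(seconds=60)]
            if len(recent) >= encrypt_threshold and host not in fired:
                fired.add(host)
                add(e, "TA0040 Impact", "T1486 Data Encrypted for Impact",
                    f"{len(recent)} files written with .locked extension within 60s")
    return findings


def techniques_observed(timeline):
    """Distinct ATT&CK technique IDs (first token of each technique string), sorted."""
    return sorted({f["technique"].split()[0] for f in timeline})


if __name__ == "__main__":
    for f in build_timeline(EVENTS, HOST_IPS):
        print(f"{f['time']} {f['host']:5} {f['tactic']:28} {f['technique']:45} {f['evidence']}")
```

Each rule joins on a field the attacker cannot easily avoid leaving behind (the logon ID that ties a process to its session, the source IP of a network logon, the burst of writes to one extension), which is the same correlation a Splunk `transaction` or `stats by LogonId` search performs; the stage order in the output is the reconstructed attack chain.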
Key Findings
Identified multiple stages of the ransomware attack lifecycle
Detected suspicious authentication activity leading to system compromise
Observed persistence mechanisms and privilege escalation attempts
Tracked attacker movement across the environment before impact
Recognized behavioral indicators consistent with ransomware deployment
Investigated a simulated ransomware attack in Splunk, reconstructing the attack chain through log correlation, timeline analysis, and MITRE ATT&CK mapping.