Simulate authentication monitoring by generating Windows Security events and analyzing them like a SOC Analyst.
- Findings / analysis write-up: notes/findings.md
- Evidence screenshots: screenshots/
- VirtualBox Windows 10 VM (4GB RAM / 2 CPU / 35GB Disk)
- Advanced Audit Policy enabled
- Event ID 4625: failed logon attempts
- Event ID 4624: successful logons
- Event ID 4720: new user created
- Multiple Event ID 4625 failed logon attempts consistent with password guessing or brute-force behavior
- Event ID 4624 successful authentication following repeated failures (potential compromise indicator)
- Event ID 4720 creation of a new local user account (possible persistence technique)
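The three detections above can be reproduced directly against the Security log of the lab VM. The script below is an added example, not one of the lab's own files: it pulls the 4625/4624/4720 events from the last 24 hours, flags accounts with repeated failures, correlates a subsequent 4624 for the same account, and lists any new local accounts. The look-back period, failure threshold and correlation window are assumptions chosen for the lab, not values taken from the write-up. Run it in an elevated PowerShell session on the VM.

```powershell
# Added example (not part of the original lab files): triage the three Event IDs
# the lab generates, straight from the Security log. Thresholds are assumptions.

$Since     = (Get-Date).AddHours(-24)      # look-back window (assumption)
$Threshold = 5                              # 4625 count per account before alerting (assumption)
$Window    = [TimeSpan]::FromMinutes(15)    # how soon after the failures a 4624 is suspicious (assumption)

# Pull a named <Data Name="..."> field out of the event XML. Using the field name
# instead of a Properties[] index keeps this correct across 4624, 4625 and 4720,
# whose property layouts differ.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-SecurityEvents([int]$Id) {
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue
}

$failed = @(Get-SecurityEvents 4625 | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = Get-EventField $_ 'TargetUserName'
        Src       = Get-EventField $_ 'IpAddress'      # '-' for console attempts
        LogonType = Get-EventField $_ 'LogonType'
    }
})
$success = @(Get-SecurityEvents 4624 | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = Get-EventField $_ 'TargetUserName'
        LogonType = Get-EventField $_ 'LogonType'
    }
})
$created = @(Get-SecurityEvents 4720 | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        NewUser = Get-EventField $_ 'TargetUserName'   # the account that was created
        By      = Get-EventField $_ 'SubjectUserName'  # the account that created it
    }
})

# Detection 1: repeated 4625 against one account (password guessing / brute force)
$bursts = $failed | Group-Object User | Where-Object { $_.Count -ge $Threshold }
foreach ($b in $bursts) {
    $last = ($b.Group | Sort-Object Time)[-1]
    Write-Host ("[ALERT] {0} failed logons for '{1}' (last from {2} at {3})" -f $b.Count, $b.Name, $last.Src, $last.Time)

    # Detection 2: a 4624 for the same account shortly after the failure burst
    $hit = $success |
        Where-Object { $_.User -eq $b.Name -and $_.Time -gt $last.Time -and ($_.Time - $last.Time) -le $Window } |
        Sort-Object Time | Select-Object -First 1
    if ($hit) {
        Write-Host ("[ALERT]   followed by a successful logon for '{0}' at {1} (logon type {2}) - possible compromise" -f $hit.User, $hit.Time, $hit.LogonType)
    }
}

# Detection 3: any new local account in the look-back window (possible persistence)
foreach ($c in $created) {
    Write-Host ("[ALERT] account '{0}' created by '{1}' at {2}" -f $c.NewUser, $c.By, $c.Time)
}
```

If the script reports nothing after the events were generated, confirm the audit settings first: `auditpol /get /subcategory:"Logon"` and `auditpol /get /subcategory:"User Account Management"` should both show Success and Failure auditing, otherwise 4625/4624 and 4720 are never written. The logon type printed on the 4624 line is worth recording in the findings, since an interactive (type 2) or network (type 3) logon right after a failure burst tells a different story than a service or cached logon.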
Visual evidence of the lab setup, event generation, and detections is available in the screenshots folder.
Detailed analysis, findings, and mitigation recommendations are documented in notes/findings.md.