An end-to-end host-based security pipeline on a Windows endpoint, taken from a secure baseline through deliberate RDP exposure to brute-force detection, automated alerting, and firewall-level containment, built using only native Windows logging, PowerShell, and host-based controls.
| Component | Detail |
|---|---|
| Endpoint | Windows VM |
| Attacker | Kali Linux VM |
| Network | VirtualBox Host-Only + NAT |
| Attack Surface | Remote Desktop Protocol (RDP) |
| Telemetry | Windows Security Event Log |
| Response | Windows Defender Firewall + Task Scheduler |
Network configuration and static IP addressing are documented in network/.
| # | Phase | Description |
|---|---|---|
| 01 | Baseline Security Posture | Documented default firewall behavior and confirmed that a fresh Windows endpoint blocks unsolicited inbound connections by default. |
| 02 | Controlled Exposure | Introduced scoped inbound ICMP access for a single source to validate firewall rule enforcement. |
| 03 | Remote Access Attack Surface | Enabled RDP (TCP 3389) and confirmed how exposing a single listening service changes the attack surface. |
| 04 | Detection Logic | Built PowerShell detection for RDP brute-force patterns using Event ID 4625 (failed logon) with LogonType and source-IP filtering. |
| 05 | Automated Monitoring & Alerting | Automated the detection into a continuous pipeline with Task Scheduler and near-real-time Discord webhook alerts. |
| 06 | Automated Response | Implemented automated firewall blocking of attacker IPs with persistent ban tracking and alert notifications. |
Each phase has its own README with step-by-step documentation and inline evidence screenshots. Start at Phase 01 and progress sequentially.
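The detection, alerting and response phases (04 to 06) in one script, as an added example that is not the project's own code. The event parsing and the Event ID 4625 fields are real; the threshold, the look-back window, the ban-list path `C:\SecOps\banned_ips.json`, the `DISCORD_WEBHOOK` environment variable and the Task Scheduler interval are assumptions made for this example. It must run elevated, because both reading the Security log and `New-NetFirewallRule` need administrator rights. One caveat the phase table does not spell out: with Network Level Authentication enabled, a failed RDP attempt is logged as LogonType 3 (network), not LogonType 10, so a filter on LogonType 10 alone will miss most of what Hydra or similar tools generate against a modern endpoint.

```powershell
# Added example, not the project's own scripts: RDP brute-force detection from
# Security event 4625, followed by a host firewall block and a Discord alert.
# Assumed values (not from the page): threshold, window, ban-list path and the
# webhook URL read from $env:DISCORD_WEBHOOK. Run from an elevated session.
param([switch]$Sample)   # -Sample runs the detector on constructed events only

$Threshold   = 5                             # failures per source IP before blocking
$WindowMins  = 10                            # look-back window per scheduled run
$BanListPath = 'C:\SecOps\banned_ips.json'   # persistent ban record (assumed path)

function Get-FailedLogon {
    # Read 4625 events from the Security log and flatten the EventData fields we need.
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                IpAddress = $d['IpAddress']
                LogonType = [int]$d['LogonType']
                SubStatus = $d['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
            }
        }
}

function Find-BruteForce {
    # Count failures per source IP and return those at or above the threshold.
    # LogonType 10 is RemoteInteractive (classic RDP). With NLA on, the CredSSP
    # failure that precedes the session is logged as LogonType 3, so both count.
    # Events whose IpAddress is '-' or IPv6 are dropped by the regex.
    param([object[]]$Events, [int]$Threshold)
    $Events |
        Where-Object { ($_.LogonType -in 3, 10) -and ($_.IpAddress -match '^\d{1,3}(\.\d{1,3}){3}$') } |
        Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                IpAddress = $_.Name
                Failures  = $_.Count
                Users     = ($_.Group.User | Sort-Object -Unique) -join ','
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
            }
        }
}

function Block-AttackerIp {
    # Add an inbound block rule for the IP and record it in the ban list.
    # Returns $false when the IP is already banned, so no duplicate rule or alert is produced.
    param([string]$IpAddress, [int]$Failures, [string]$Users)
    $banned = @{}
    if (Test-Path $BanListPath) {
        foreach ($p in (Get-Content $BanListPath -Raw | ConvertFrom-Json).PSObject.Properties) { $banned[$p.Name] = $p.Value }
    }
    if ($banned.ContainsKey($IpAddress)) { return $false }
    New-NetFirewallRule -DisplayName "RDP-Ban $IpAddress" -Direction Inbound -Action Block `
        -RemoteAddress $IpAddress -Profile Any | Out-Null
    $banned[$IpAddress] = @{ BannedAt = (Get-Date).ToString('o'); Failures = $Failures; Users = $Users }
    $banned | ConvertTo-Json -Depth 3 | Set-Content $BanListPath
    return $true
}

function Send-DiscordAlert {
    # Post a plain-text message to the webhook; Discord answers 204 on success.
    param([string]$Message)
    if (-not $env:DISCORD_WEBHOOK) { Write-Warning 'DISCORD_WEBHOOK not set; alert skipped'; return }
    $body = @{ content = $Message } | ConvertTo-Json -Compress
    Invoke-RestMethod -Uri $env:DISCORD_WEBHOOK -Method Post -ContentType 'application/json' -Body $body | Out-Null
}

if ($Sample) {
    # Constructed events (not real log data): six bad-password failures from one
    # source over NLA (LogonType 3) and a single failure from another source.
    $events = @(1..6 | ForEach-Object {
        [pscustomobject]@{ Time = (Get-Date).AddSeconds(-5 * $_); User = "user$_"; IpAddress = '192.168.56.10'; LogonType = 3; SubStatus = '0xC000006A' }
    })
    $events += [pscustomobject]@{ Time = Get-Date; User = 'alice'; IpAddress = '192.168.56.20'; LogonType = 10; SubStatus = '0xC000006A' }
    Find-BruteForce -Events $events -Threshold $Threshold | Format-Table
    return
}

# Live run, intended as a Task Scheduler job repeating every few minutes (assumed schedule).
$events = @(Get-FailedLogon -Since (Get-Date).AddMinutes(-$WindowMins))
foreach ($hit in (Find-BruteForce -Events $events -Threshold $Threshold)) {
    if (Block-AttackerIp -IpAddress $hit.IpAddress -Failures $hit.Failures -Users $hit.Users) {
        Send-DiscordAlert ("RDP brute force from {0}: {1} failed logons ({2}) between {3:u} and {4:u}. Inbound traffic from this IP is now blocked." -f $hit.IpAddress, $hit.Failures, $hit.Users, $hit.FirstSeen, $hit.LastSeen)
    }
}
```

Run it once with `-Sample` to check the detector offline: only 192.168.56.10 should be reported, since 192.168.56.20 has a single failure. For the live pipeline, register the script with Task Scheduler under a trigger that repeats at least as often as the look-back window, otherwise failures can fall between runs. The ban list is what keeps the response idempotent: a source that is already blocked keeps generating nothing new in the Security log, but a stale rule or a re-run over the same window would otherwise produce a duplicate rule and a duplicate alert.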