Lab 12: Network Attack Simulation & Detection Validation
Lab 12: Simulating port scans and exploit attempts to validate IDS/IPS and SIEM correlation.

Objective – Lab goal

This lab validates your IDS/IPS and SIEM by simulating port scans, exploit attempts, and suspicious DNS queries. You’ll confirm alerts fire correctly, correlate across systems, and document detection accuracy.

  • Outcome 1: Controlled attacks executed safely inside the homelab.
  • Outcome 2: IDS/IPS alerts triggered and validated.
  • Outcome 3: SIEM correlation confirmed across host and network layers.
  • Outcome 4: Detection gaps identified and documented.

Deliverables – End‑of‑lab checklist

  • DL12.1: Port‑scan alerts validated.
  • DL12.2: Exploit‑attempt alerts validated.
  • DL12.3: SIEM correlation confirmed.
  • DL12.4: Detection gaps documented.
  • DL12.5: Final Month 3 report completed.

Lab Steps – Step‑by‑step instructions

Step 1 – Simulate Port Scans

~45 minutes
  1. From WIN10‑LAB, run:
    nmap -sS 10.10.10.1
  2. Run a more aggressive scan:
    nmap -A 10.10.10.1
  3. Verify IDS/IPS alerts for:
    • SYN scans
    • OS fingerprinting
    • Service enumeration
  4. Confirm SIEM correlation with host logs.

Step 2 – Simulate Exploit Attempts

~60 minutes
  1. Use Metasploit (or a safe test script) to simulate:
    • SMB probe
    • HTTP directory traversal
    • Weak‑credential login attempts
  2. Verify IDS/IPS signatures fire correctly.
  3. Check SIEM for correlated host‑based alerts.

Step 3 – Simulate Suspicious DNS Queries

~30 minutes
  1. Query known test domains (non‑malicious but flagged for training).
  2. Verify DNS‑related IDS/IPS alerts.
  3. Confirm SIEM enrichment with threat‑intel feeds.

Step 4 – Validate Correlation & Document Gaps

~45 minutes
  1. Review SIEM correlation rules for:
    • Network + host events
    • Threat‑intel matches
    • Repeated attacker behavior
  2. Document any missed detections.
  3. Update IDS/IPS rules or SIEM logic as needed.
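As an added example (not part of the lab's own material), a small Python script that performs the Step 4 review over constructed IDS and host events: it checks which simulated techniques produced a matching alert, groups network and host events per source address inside a time window, flags sources seen across more than one alert category, and returns the gaps to document. All event data, signature names, the category keywords and the expected-detection table are constructed assumptions, not output from a real lab.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real lab output): IDS alerts in a Suricata EVE-JSON-like shape, host logon failures in a minimal shape.
IDS_EVENTS = [
    '{"timestamp":"2024-03-01T10:00:05","src_ip":"10.10.10.50","alert":{"category":"scan","signature":"LAB SYN scan"}}',
    '{"timestamp":"2024-03-01T10:04:40","src_ip":"10.10.10.50","alert":{"category":"scan","signature":"LAB OS fingerprint"}}',
    '{"timestamp":"2024-03-01T10:31:00","src_ip":"10.10.10.50","alert":{"category":"exploit","signature":"LAB HTTP traversal"}}',
]
HOST_EVENTS = [  # event_id 4625 = Windows failed logon
    {"timestamp": "2024-03-01T10:33:10", "src_ip": "10.10.10.50", "event_id": 4625},
    {"timestamp": "2024-03-01T10:33:12", "src_ip": "10.10.10.50", "event_id": 4625},
]
# Expected detection per simulated step: (alert category, keyword in signature); assumed for this lab.
EXPECTED = {
    "port_scan": ("scan", "SYN"),
    "os_fingerprint": ("scan", "fingerprint"),
    "http_traversal": ("exploit", "traversal"),
    "smb_probe": ("exploit", "SMB"),
    "dns_suspicious": ("dns", ""),
}
WINDOW = timedelta(minutes=45)  # how close a network alert and a host event must be

def detection_gaps(ids_lines=IDS_EVENTS, expected=EXPECTED):
    """Return the simulated techniques for which no matching IDS alert fired (the gaps to document)."""
    alerts = [json.loads(line)["alert"] for line in ids_lines]
    return [name for name, (cat, kw) in expected.items()
            if not any(a["category"] == cat and kw.lower() in a["signature"].lower()
                       for a in alerts)]

def correlate(ids_lines=IDS_EVENTS, host_events=HOST_EVENTS, window=WINDOW):
    """Per source IP: categories seen, whether a network alert and a host logon failure
    fall inside the window (cross-layer hit), and whether behaviour spans several categories."""
    by_src = defaultdict(lambda: {"cats": set(), "net": [], "host": []})
    for line in ids_lines:
        ev = json.loads(line)
        by_src[ev["src_ip"]]["cats"].add(ev["alert"]["category"])
        by_src[ev["src_ip"]]["net"].append(datetime.fromisoformat(ev["timestamp"]))
    for h in host_events:
        if h["event_id"] == 4625:
            by_src[h["src_ip"]]["host"].append(datetime.fromisoformat(h["timestamp"]))
    return {src: {"categories": sorted(d["cats"]),
                  "repeat_attacker": len(d["cats"]) > 1,
                  "cross_layer": any(abs(n - h) <= window for n in d["net"] for h in d["host"])}
            for src, d in by_src.items()}

if __name__ == "__main__":
    print("missed detections:", detection_gaps(), "correlation:", correlate())
```

With the constructed data the SMB probe and the suspicious DNS query produce no alert, which is exactly the kind of missed detection Step 4 asks you to record before tuning rules.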

Reflection – What you should understand now

  • Validation: How simulated attacks confirm your detection stack works.
  • Correlation: How IDS/IPS and SIEM combine to reveal attacker behavior.
  • Improvement: How detection gaps guide tuning and rule updates.

With this lab, you’ve completed Month 3 and validated your network‑defense capabilities. In Month 4, you’ll move into threat hunting and automation to further mature your homelab.