Projects | Kennedy Aikohi

Loading projects…

DFIR Incident Response WSL Backdoor MITRE ATT&CK CVE-2024-3400 Case Study

Upstyle Backdoor - Incident Response Report

Incident Responder / Forensic Analyst - Security Blue Team Labs

Full forensic reconstruction of a simulated multi-stage intrusion triggered by a "black screen" alert. Initial access via RDP brute-force (NTLM, Logon Type 10). Post-compromise chain included: AsyncRAT dropper deployed to %TEMP%, PowerShell enumeration bypass (-ExecutionPolicy Bypass), credential harvesting via WebBrowserPassView, lateral movement using Credential Manager (Event ID 5379), and WSL-based fileless persistence via a malicious Python .pth file inside the Ubuntu distribution. AnyDesk used for persistent remote access with auto-start on boot. Full attack timeline reconstructed from Event Logs, MFT records, Prefetch artefacts, PowerShell logs, and browser history. Backdoor identified as Upstyle (CVSS 10.0, CVE-2024-3400, MITRE S1164).

Full attack chain reconstructed: Initial Access - Persistence - Credential Access - Lateral Movement - C2

T1078 - T1059.001 - T1057 - T1555.003 - T1021 - T1547 - T1620 - T1070 - T1486

View Full IR Report (PDF)

Purple Team Lab Detection Engineering SIEM

PurpleLab - Adversary Simulation Platform

SOC Analyst · Home Lab · Docker/VMware

Designed and built a three-VM purple team home lab integrating Elastic Stack SIEM, Windows detonation sandbox, and a DFIR VM running Caldera and Velociraptor. Implemented idempotent provisioning scripts, .env-based secrets management, ILM retention policies, and full Velociraptor agent deployment guides.

Full-stack adversary emulation pipeline with automated detection validation

GitHub

Malware Analysis Reverse Engineering CTF

Go-Based Stealer Binary Analysis (MaskGram/Go2bypass)

CTF · Malware RE · Go / x64 PE

Deep static analysis of a 64-bit Go PE binary from the Go2bypass framework. Extracted PE sections, parsed Go pclntab function tables, and decrypted staged payloads using AES-CFB and RC4. Identified Donut shellcode loader and reconstructed the RC4-obfuscated C2 configuration without executing the sample.

Full C2 config recovered via static decryption chain - no detonation required

Case Study

Detection Engineering Splunk MITRE ATT&CK

SOC Correlation Rule Tuning & Playbook Engineering

SOC Analyst · DuskBeacon · Remote

Reduced SIEM false positives by ~30% through systematic correlation rule review, threshold baselining, and whitelist management. Rebuilt SOC playbooks aligned to MITRE ATT&CK tactics. Documented all changes against ISO/IEC 27001 controls to simplify compliance audit trails.

~30% false-positive reduction · Analyst throughput increased significantly

Professional

FlamingoLab Docker Flask SIEM

FlamingoLab Appliance v5 - SOC Operations Platform

Personal Project · Ubuntu 22.04 · Docker 28

Containerised cybersecurity operations platform integrating Splunk, Elasticsearch/Kibana, Ollama (local LLM), Velociraptor, and a custom Flask web UI. Audited and hardened the full codebase - fixing logic bugs, broken template field access, CSS regressions, and SIEM-conditional display errors.

Production-ready SOC appliance deployable on a single Ubuntu host

GitHub

CTF Threat Hunting Forensics

Security BlueTeam Frostbyte CTF 2025 - 1st Place

CTF · Security BlueTeam · Global Competition

Achieved 1st place globally in the Security BlueTeam Frostbyte CTF 2025 - a blue team-focused competition covering incident analysis, log forensics, threat hunting, and DFIR investigation across realistic enterprise scenarios.

🥇 1st place globally - Security BlueTeam Frostbyte 2025

Competition

CTF HTB Malware

HTB Holmes CTF - Top 0.3% Finish

CTF · Hack The Box · 11,342 teams

Ranked 24th out of 11,342 teams in the Hack The Box Holmes CTF (2025), placing in the top 0.3% globally. Challenges covered forensics, reverse engineering, malware analysis, web exploitation, and blue team scenarios under time pressure.

Top 0.3% globally · 24th / 11,342 teams

Competition

Lab Writeups & Investigations

Active practitioner across CyberDefenders BlueYard, Security Blue Team, and MalOps.io. Published writeups covering SOC investigations, DFIR analysis, and malware reverse engineering with full MITRE ATT&CK mapping on LinkedIn.

🛡️

CyberDefenders

Active CTF Player · BlueYard

🏆

Security Blue Team

Frostbyte 2025 · 1st Global

🔬

MalOps.io

Malware RE · MaskGram Challenge

Ransomware IR DFIR MITRE ATT&CK Apr 2026

ClickFix - Phishing-Driven Ransomware Investigation

Security Blue Team Lab · Released 10 April 2026

Deep-dive investigation into a sophisticated phishing-driven ransomware intrusion. Reconstructed the full attack timeline using host-based artefacts: event logs, registry analysis, and file system metadata. Initial access traced to user-driven execution of a malicious command (T1204.002). Payload delivery via T1105 Ingress Tool Transfer, followed by C2 communication (T1071) and interactive shell access. Persistence achieved through Boot or Logon Autostart Execution (T1547). Privilege escalation exploited a trusted Windows component without user interaction (T1068). Defence evasion included registry modification (T1112), log tampering and clearing (T1070), and cleanup script execution. Network share enumeration (T1135) preceded final ransomware deployment: Data Encrypted for Impact (T1486).

Risk: Very High · Stealthy initial access · Reliable privilege escalation · Anti-forensic TTPs

→ T1204.002 · T1105 · T1071 · T1082 · T1547 · T1068 · T1112 · T1070 · T1135 · T1486

LinkedIn Writeup SBT Platform

Malware RE radare2 Go Binary Stealer

MaskGram - Go-Based Stealer Reverse Engineering

MalOps.io Challenge · Static + Dynamic Analysis · radare2

Hands-on reverse engineering of a Go-based loader using radare2, focusing on real execution flow rather than surface-level indicators. Traced dynamic syscall resolution via indirect gate jumps (T1106 Native API), recovered key material during runtime by observing RC4 initialisation with the combined key passed via registers. Decrypted staged payloads and validated through embedded constants. Exposed a multi-stage chain: reflective payload delivery (T1620), layered obfuscation (T1027), and a Dead Drop Resolver (T1102.001) that decodes external ciphertext from a legitimate web service to dynamically generate C2 infrastructure - bypassing static IP/domain blacklists. Final-stage payload uses deterministic path generation for HTTP communication (T1071), then performs browser process injection (T1055) and credential harvesting from local password stores (T1555).

Key finding: Dead Drop Resolver · RC4 key extracted at runtime · C2 via legitimate web services

→ T1106 · T1620 · T1027 · T1102.001 · T1071 · T1055 · T1555

LinkedIn Writeup MalOps.io

Threat Hunting Splunk ELK Medium

GoldenSpray

CyberDefenders BlueYard · Threat Hunting Lab

Investigated a password spray attack that led to RDP-based initial access, followed by persistence establishment, Mimikatz credential dumping, Kerberoasting, and lateral movement across the SecureTech domain. Used Splunk and ELK to trace the full attack chain from 4625 brute-force events to scheduled task persistence and data exfiltration.

Full TTP chain reconstructed: Initial Access → Credential Access → Lateral Movement → Exfiltration

LinkedIn Post Lab

Cloud Forensics GCP Threat Hunting

GoogleCloudHunt

CyberDefenders BlueYard · Cloud Forensics Lab

Investigated adversary activity within a Google Cloud Platform environment. Analysed GCP audit logs and cloud telemetry to trace lateral movement across cloud services and reconstruct the full attack timeline - building practical cloud DFIR skills against real GCP threat scenarios.

Cloud-native TTP identification across GCP audit trail and IAM telemetry

LinkedIn Post

Endpoint Forensics DFIR Windows

Boomer

CyberDefenders BlueYard · Endpoint Forensics Lab

Endpoint forensics investigation applying DFIR analysis techniques against Windows host artefacts. Analysed registry hives, event logs, file system metadata, and execution traces as part of ongoing structured blue team practice across real-world SOC scenarios on the BlueYard platform.

Registry · Event logs · File system metadata · Execution artefact analysis

LinkedIn Post

Interested in collaborating?

Open to SOC roles, DFIR engagements, and blue team consulting opportunities.

Get In Touch