Step 1. Establish Baseline
Section 1 – Authentication Monitoring Baseline
Verified auth.log ingestion
Observed sudo and session lifecycle events
Confirmed credential agents initialize correctly
Screenshot #1: Auth.LogOutput – Output from /var/log/auth.log showing sudo and session events on FORTRESS.
Objective
Demonstrate detection of suspicious privilege escalation activity using native Linux authentication logs.
Abuse scenario (controlled)
Simulated post-authentication privilege abuse by executing multiple sudo commands in rapid succession
Accessed restricted directories to generate a clear privilege-escalation signal
No remote access or system modification involved
Detection logic
Filtered auth.log for sudo events
Identified repeated sudo executions within a short time window
Correlated commands and timestamps to confirm abnormal privilege usage patterns
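The detection logic above, as an added Python example that is not part of the original notes: it parses constructed auth.log lines modelled on the FORTRESS output, skips session/PAM lines, and flags any invoking user whose sudo commands reach a threshold inside a sliding time window. The sample lines, the threshold of 3 and the 60-second window are assumptions.

```python
import re
from datetime import datetime

# Classic syslog-style sudo command line in /var/log/auth.log (no year in the timestamp).
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample modelled on the FORTRESS auth.log; not a real capture.
SAMPLE_AUTH_LOG = """\
Mar 10 14:01:58 FORTRESS sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar 10 14:02:01 FORTRESS sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ls /root
Mar 10 14:02:01 FORTRESS sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Mar 10 14:02:09 FORTRESS sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ls /etc/ssl/private
Mar 10 14:02:15 FORTRESS sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ls /var/log/audit
Mar 10 14:30:00 FORTRESS sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 15:45:00 FORTRESS sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt upgrade
"""

def parse_sudo_events(lines, year=2024):
    """Return (timestamp, invoking user, target user, command); non-command lines are skipped."""
    events = []
    for line in lines:
        m = SUDO_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["target"], m["cmd"].strip()))
    return events

def detect_rapid_sudo(lines, threshold=3, window_s=60):
    """One finding per invoking user whose sudo commands reach `threshold` within any `window_s`-second window."""
    by_user = {}
    for ts, user, target, cmd in parse_sudo_events(lines):
        by_user.setdefault(user, []).append((ts, target, cmd))
    findings = []
    for user, evs in by_user.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits within window_s
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"user": user, "count": end - start + 1,
                                 "span_s": (evs[end][0] - evs[start][0]).total_seconds(),
                                 "commands": [c for _, _, c in evs[start:end + 1]]})
                break
    return findings
```

Running `detect_rapid_sudo(SAMPLE_AUTH_LOG.splitlines())` reports alice (three sudo commands in 14 seconds) and ignores bob, whose two commands are more than an hour apart.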
Finding
Detected repeated sudo privilege escalation events consistent with post-authentication abuse behavior
Evidence
Screenshot #2: SudoAbuseDetected – Multiple sudo commands logged closely in time, showing command context and user attribution.
Phase 2 – in progress
Objective
Ingest Linux authentication logs into Splunk and validate that the previously identified privilege escalation abuse is detectable through a SIEM.
Planned scope
Install and configure Splunk Enterprise
Ingest /var/log/auth.log into Splunk
Verify sudo and session events are indexed correctly
Reproduce the same privilege escalation abuse scenario
Confirm visibility of the abuse pattern through Splunk search and correlation
Status
Phase prepared
Implementation to be completed in the next session
Screenshot #3: Splunk.AuthLogIngested