Dan Chui
Happy Bytes
cybersecurity

SIEM Log Analysis: Detecting Cleartext Traffic and HTTP-Based Data Exfiltration

SIEM Log Analysis: Detecting Cleartext Traffic and HTTP-Based Data Exfiltration
4 min read
#cybersecurity

๐Ÿ” Overview

This project focuses on hands-on SOC-style log analysis using a simulated environment to investigate two real-world attack scenarios:

  1. Log4j vulnerability exploitation via HTTP
  2. Data exfiltration over HTTP

The goal was not just detection, but understanding attacker behavior, correlating evidence across tools, and documenting findings in a clear, analyst-ready format.


🧪 Scenario 1: Log4j Vulnerability Analysis (HTTP)

Log4Shell (CVE-2021-44228) remains one of the most impactful vulnerabilities in recent years. In this scenario, I analyzed HTTP traffic to identify exploitation attempts leveraging JNDI injection patterns.

Tools Used

  • Wireshark – packet capture and protocol inspection
  • CyberChef – decoding and transforming obfuscated payloads

📌 Key Observations

  • Suspicious ${jndi:ldap://} strings embedded in HTTP headers
  • Encoded payloads requiring transformation before analysis
  • Clear indicators of remote lookup attempts

This image shows the start of the Log4j attack phase after applying Wireshark display filters such as ip contains "jndi" and http.user_agent contains "$", among others.

Image

🔥 Risk Assessment

Risk Level: Medium

Assessment: The observed HTTP traffic contained indicators consistent with Log4j (Log4Shell) exploitation attempts, including JNDI lookup patterns embedded in request headers. While no evidence of successful remote code execution was identified, the presence of these indicators suggests an active attempt to exploit a critical vulnerability.

Potential Impact: If successful, Log4j exploitation could allow attackers to execute arbitrary code, leading to system compromise, lateral movement, and data exposure.

Risk Rationale:

  • Exploitation attempt detected
  • No confirmed execution observed
  • High-impact vulnerability warrants proactive mitigation

Recommended Priority: Patch verification, enhanced monitoring, and immediate alerting for similar patterns.


📤 Scenario 2: Data Exfiltration via HTTP

In the second scenario, I investigated potential data exfiltration over HTTP, combining packet-level analysis with SIEM correlation.

Tools Used

  • Splunk – correlating events, timestamps, and source IPs
  • Wireshark – identifying abnormal HTTP POST behavior

📌 Key Observations

  • Repeated outbound HTTP requests to uncommon destinations
  • Abnormal payload sizes inconsistent with normal browsing
  • Timeline reconstruction showing staged exfiltration behavior

📊 This scenario highlights how SIEM correlation and network visibility work together in a SOC environment.

This image shows the Splunk searches used to identify a potential attacker by large outbound POST requests.

Image

This image shows the raw data of the identified suspicious packet in Wireshark. Because the traffic is plain HTTP, the packet body exposes many more details, including credentials and notes.

Image
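Added example (Python, not part of the original post or the lab data): a baseline-relative version of the "large outbound POST" hunt that the Splunk screenshot illustrates, run over a constructed web-proxy log. The field names (src_ip, dest_host, bytes_out) and the SPL quoted in the docstring are assumptions about the log schema, not the report's own queries. The check flags a source only when it sends several oversized POSTs to the same destination, which separates a staged transfer from a single legitimate large upload, and it rebuilds the per-minute timeline used in the write-up to show staging.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log for the example (not the lab's data). 10.0.0.5 and
# 10.0.0.9 browse normally, 10.0.0.9 makes one large but legitimate upload, and
# 10.0.0.23 pushes a train of large POSTs to an uncommon host, one per minute.
SAMPLE_CSV = """timestamp,src_ip,dest_host,method,bytes_out
2024-03-04T09:00:12Z,10.0.0.5,intranet.corp.example,GET,412
2024-03-04T09:00:40Z,10.0.0.5,intranet.corp.example,POST,1200
2024-03-04T09:01:05Z,10.0.0.9,intranet.corp.example,POST,980
2024-03-04T09:01:33Z,10.0.0.5,cdn.example,GET,388
2024-03-04T09:02:02Z,10.0.0.9,sharepoint.corp.example,POST,600000
2024-03-04T09:02:30Z,10.0.0.5,intranet.corp.example,POST,1450
2024-03-04T09:03:10Z,10.0.0.23,files-drop.example,POST,480000
2024-03-04T09:03:44Z,10.0.0.9,intranet.corp.example,POST,2100
2024-03-04T09:04:10Z,10.0.0.23,files-drop.example,POST,495000
2024-03-04T09:04:21Z,10.0.0.23,cdn.example,GET,402
2024-03-04T09:05:10Z,10.0.0.23,files-drop.example,POST,470000
2024-03-04T09:05:15Z,10.0.0.5,intranet.corp.example,POST,1030
2024-03-04T09:06:10Z,10.0.0.23,files-drop.example,POST,501000
2024-03-04T09:06:18Z,10.0.0.9,intranet.corp.example,POST,1600
2024-03-04T09:07:10Z,10.0.0.23,files-drop.example,POST,488000
2024-03-04T09:07:40Z,10.0.0.5,intranet.corp.example,POST,900
2024-03-04T09:08:01Z,10.0.0.9,intranet.corp.example,POST,1980
"""


def load(text):
    """Parse the CSV into dicts with a real timestamp and an integer byte count."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": rec["src_ip"],
            "dest_host": rec["dest_host"],
            "method": rec["method"],
            "bytes_out": int(rec["bytes_out"]),
        })
    return rows


def post_size_baseline(rows):
    """Median POST body size across the log: the 'normal browsing' reference point."""
    sizes = [r["bytes_out"] for r in rows if r["method"] == "POST"]
    return statistics.median(sizes) if sizes else 0.0


def flag_large_post_trains(rows, size_factor=10, min_posts=3):
    """Flag (src_ip, dest_host) pairs that sent at least `min_posts` POSTs, each larger
    than `size_factor` times the baseline. Roughly the Splunk search (field names assumed)
        index=web method=POST | stats count, sum(bytes_out) AS total BY src_ip, dest_host
    with a size threshold and a repetition threshold added, so one large legitimate
    upload does not fire while a staged transfer does."""
    threshold = post_size_baseline(rows) * size_factor
    groups = defaultdict(list)
    for r in rows:
        if r["method"] == "POST" and r["bytes_out"] > threshold:
            groups[(r["src_ip"], r["dest_host"])].append(r)
    findings = []
    for (src, dest), big in groups.items():
        if len(big) < min_posts:
            continue
        big.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(big, big[1:])]
        findings.append({
            "src_ip": src,
            "dest_host": dest,
            "post_count": len(big),
            "total_bytes": sum(r["bytes_out"] for r in big),
            "first": big[0]["ts"],
            "last": big[-1]["ts"],
            "median_gap_s": statistics.median(gaps) if gaps else 0.0,  # steady cadence hints at tooling
        })
    return sorted(findings, key=lambda f: f["total_bytes"], reverse=True)


def timeline(rows, src_ip, dest_host):
    """Per-minute outbound POST bytes for one pair, i.e. the staging timeline."""
    buckets = defaultdict(int)
    for r in rows:
        if r["src_ip"] == src_ip and r["dest_host"] == dest_host and r["method"] == "POST":
            buckets[r["ts"].strftime("%H:%M")] += r["bytes_out"]
    return sorted(buckets.items())


if __name__ == "__main__":
    rows = load(SAMPLE_CSV)
    print(f"baseline POST size: {post_size_baseline(rows):.0f} bytes")
    for f in flag_large_post_trains(rows):
        print(f"{f['src_ip']} -> {f['dest_host']}: {f['post_count']} POSTs, "
              f"{f['total_bytes']} bytes, every ~{f['median_gap_s']:.0f}s "
              f"({f['first']:%H:%M:%S} to {f['last']:%H:%M:%S})")
        for minute, b in timeline(rows, f["src_ip"], f["dest_host"]):
            print(f"   {minute}  {b:>8} bytes")
```

On the sample, the 600 KB upload to the internal SharePoint host exceeds the size threshold but is a single event, so it is not flagged; the five POSTs from 10.0.0.23 to files-drop.example are, with a 60-second cadence that is the kind of regularity a human uploading files rarely produces. The timeline output is what you would take into the packet capture to pick the specific POSTs to inspect.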

🔥 Risk Assessment

Risk Level: High

Assessment: Analysis identified abnormal outbound HTTP traffic patterns, including repeated POST requests with unusually large payloads sent to an external destination. These behaviors are consistent with potential data exfiltration techniques.

Potential Impact: Successful data exfiltration could result in loss of sensitive or proprietary information, regulatory exposure, and reputational damage.

Risk Rationale:

  • Repeated abnormal outbound traffic observed
  • Payload characteristics inconsistent with normal behavior
  • Indicators suggest possible successful data transfer

Recommended Priority: Immediate investigation, host isolation if applicable, and outbound traffic controls.


🧩 Key Skills Demonstrated

  • Log ingestion and baseline analysis
  • Network traffic inspection (HTTP)
  • Threat detection & investigation workflow
  • Clear documentation and reporting
  • SOC-style remediation recommendations

📄 Final Deliverables

  • SIEM Log Analysis Report (PDF)

  • Detection queries and investigation notes
  • Anonymized log samples

🔗 Full report and supporting files available on GitHub


This analysis was conducted in a simulated SOC lab environment using anonymized data adapted from a TryHackMe training exercise for educational and portfolio purposes.

Feel free to reach out with questions or thoughts.