open · SOC · detection · pentest · purple-team · Morocco / EU / remote
Yassir Zahidi
Cybersecurity engineer-in-training · blue+red+purple
I work the seam between defence and offence. I build the SIEM — Wazuh + Suricata + Sysmon + MISP + FortiGate — then I attack it on purpose to see what it misses, then I write the rule that catches the next one. Blue is the build, red is the gym, purple is the loop.
01. About
Engineering student in Morocco, with a Specialized Technician diploma in Cybersecurity already completed. Most of what I know about security I learned by deploying it, then trying to break what I had just deployed. Reading about it came last.
The defensive side I built for real: a multi-layer SIEM at the Préfecture de Tétouan (SSIC, Ministère de l'Intérieur) in May 2024 — Wazuh + Suricata + Sysmon + MISP + VirusTotal integrated with a FortiGate firewall, with Nessus scans on top. The reproducible lab version is on this site, packaged as a docker-compose project so anyone can spin it up in three minutes.
The offensive muscle I sharpen on TryHackMe / HackTheBox / OSCP-track labs and inside my own lab segment — web exploitation, Active Directory pivoting, post-exploitation. Atomic Red Team closes the loop: every red find becomes a new Wazuh rule the next day.
On the dev side I've shipped a few full projects (a billing system in C++, a WordPress site, a BI/data-warehouse on Moroccan water stress, an interactive HTML/CSS course platform). They're not rocket science — they're shipped, documented, and they work.
What I'm looking for: a cybersecurity internship — SOC, detection engineering, pentest, or purple-team. I prefer environments where I can ship something real, not just shadow somebody.
02. Case study — SIEM at the Préfecture de Tétouan
May 2024. One month, on site, real ministry network. Below is what was actually built and what shipped to production. The reproducible lab version is the home-lab-siem repo.
Endpoints (Win/Linux)                 Network perimeter
  Sysmon → Wazuh agent                  FortiGate (syslog)
          │                             Suricata IDS (EVE JSON)
          ▼                                      ▼
┌──────────────────────────────────────────────────┐
│ Wazuh manager · Wazuh indexer (OpenSearch)       │
│ Decoders · rules · alerts                        │
│ MISP — IoCs/feeds                                │
│ VirusTotal — hash/file enrichment                │
│ Nessus — weekly vuln scan                        │
└────────────────────────┬─────────────────────────┘
                         ▼
          Wazuh dashboard · SOC views
          MITRE ATT&CK mapping · hunts
What I actually wrote, in detail
Detection
- Custom Wazuh decoder + rules for FortiGate traffic and event logs (failed VPN, geo-anomaly, admin login outside hours).
- Sysmon channel pulled in via the Wazuh agent on Windows endpoints (process create / network connect / image load).
- Suricata in IDS mode, EVE JSON tailed by Wazuh → alerts mapped to MITRE ATT&CK techniques.
Enrichment
- MISP feeds (CIRCL, Abuse.ch) syncing IoCs every 6h; Wazuh integration script tagging alerts with matching threat-intel hits.
- VirusTotal v3 API for hash + URL lookups on suspicious download alerts.
Vulnerability management
- Nessus authenticated scans on the Windows fleet, weekly cadence, results piped into the Wazuh vulnerability module.
- Initial penetration tests inside the lab segment — documented findings and remediation.
What I would change next time
- Atomic Red Team for continuous detection validation (now in the lab repo).
- SOAR layer (TheHive + Cortex) to formalise incident handling.
- Sigma-rule pipeline so detections aren't tied to one engine.
03. Detection coverage (blue · defence)
What the lab actually catches, mapped to MITRE ATT&CK. Hover any technique to see the rule that fires. Green = covered by a rule I wrote, dim = next on the backlog.
Sources: home-lab-siem Wazuh ruleset + Suricata signatures. Coverage rebuilt every time I add a rule — not aspirational. Every “covered” cell has a corresponding atomic-red-team test in the purple loop.
<!-- Correlation rule: two successful sign-ins by the same user from different source
     countries inside one hour. frequency/timeframe + if_matched_group are what make
     Wazuh evaluate the same_*/different_* options across events; srcgeoip must be
     populated by the decoder for different_srcgeoip to have anything to compare. -->
<rule id="100210" level="10" frequency="2" timeframe="3600">
  <if_matched_group>authentication_success</if_matched_group>
  <same_user />
  <different_srcgeoip />
  <description>Impossible-travel sign-in: same user, two countries &lt; 1h</description>
  <!-- T1078 Valid Accounts (tactic: Initial Access); Wazuh's <mitre> block takes <id> only -->
  <mitre>
    <id>T1078</id>
  </mitre>
</rule>
04. Offensive arsenal (red · offence)
Gym time. I attack the same architectures I deploy on the blue side. Recon → enum → foothold → priv-esc → pivot → loot. Every box I solve becomes a writeup, and every pattern I learn becomes a Wazuh rule on the way back.
- 01 Recon: passive + active enum on the target perimeter, identify the soft side.
  nmap · masscan · subfinder · amass · gowitness · whatweb · shodan
- 02 Initial Access: web exploitation, exposed services, password spray, controlled phishing in the lab.
  burp · ffuf · sqlmap · spray · cve-* · phishing-template
- 03 Foothold: get a stable shell, drop tooling, baseline the host.
  msfvenom · python-revshell · evil-winrm · nc · chisel
- 04 Priv-Esc: local enum scripts, GTFOBins / LOLBAS, kernel CVEs, AD misconfig.
  linpeas · winpeas · GTFOBins · LOLBAS · BloodHound
- 05 Lateral / AD: impacket toolkit, Kerberos abuse, PtH/PtT, abusable trusts.
  impacket · crackmapexec · rubeus · mimikatz · kerberoast · PtH
- 06 Loot → Blue: credential dump, evidence pack, IOC list, then handed back to the SIEM.
  secretsdump · evidence-pack.md · ioc.csv → wazuh · misp
Buffer-overflow refresh, Active Directory attack paths, manual exploit dev. Targeting OSCP within the next certification cycle.
I run my own home-lab-siem stack as the target — atomic-red-team campaigns + manual chain attempts. Findings feed the next sprint of detections.
Working notes I keep close — recon → enum → AD → web → post-ex. Not a copy of someone else's gist.
05. Purple-team — the validation loop (purple · the loop)
Where blue and red meet. Every red find ships as a new blue rule the next day; every blue rule gets attacked on purpose to confirm it actually fires. The loop is the product.
- 01 Hypothesise: pick a TTP from MITRE, say T1003.001 (LSASS dump). Find the gap in current detections.
- 02 Emulate: fire the technique against the lab using atomic-red-team or a manual exploit chain.
- 03 Observe: did Wazuh / Suricata catch it? At what level? With what false-positive rate?
- 04 Tune: write or refine the Sigma / Wazuh rule. Keep alert noise low; keep coverage honest.
- 05 Re-fire: run the test again. Confirm the alert fires and that no benign workload is now noisy.
- 06 Document: push the rule + the test + the writeup to home-lab-siem and ctf-writeups.
Concrete example — LSASS-dump closure
Hypothesis: if a red operator dumps LSASS via comsvcs.dll, the current rules might miss it: the process that opens lsass.exe is rundll32.exe, so image-name rules keyed on known dumper binaries never fire.
Emulation: Atomic Red Team test T1003.001, atomic #2: rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <pid> out.dmp full.
Observed: Sysmon Event 10 (ProcessAccess, target lsass.exe) is logged, but the base Wazuh ruleset only flags Event 1 by image name. Miss.
Tune: wrote rule 100620 matching Event 10 with TargetImage lsass.exe and a GrantedAccess mask of 0x10, 0x1010 or 0x1410.
Re-fire: alert level 14, MTTD under 30 s, no false positives over a week of normal workload.
Documented: rule + atomic test + screenshots in home-lab-siem/docs/closures/T1003.001.md.
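The closure above, run as code. This is an added example written for this page, not the rule shipped in home-lab-siem: it applies the logic described for rule 100620 in Python to constructed Sysmon records in the JSON shape the Wazuh agent's eventchannel collector hands to the manager (the win.system / win.eventdata field layout and the allow-list are assumptions). It checks the PROCESS_VM_READ bit rather than an exact list of masks, which covers 0x10, 0x1010 and 0x1410 in one test, and it shows why an allow-list matters: Defender's engine opens lsass with the same mask every day.

```python
import json

# PROCESS_VM_READ: the access bit every LSASS memory dump needs. All three masks named
# in the closure (0x10, 0x1010, 0x1410) carry it, so testing the bit covers the whole
# family instead of an exact-match list that a slightly different mask slips past.
PROCESS_VM_READ = 0x0010

# Assumed allow-list of images that legitimately read lsass on a Windows fleet. Tune
# per environment; these entries are illustrative, not measured on the page's lab.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon events in the shape the Wazuh agent's eventchannel collector
# emits (win.system / win.eventdata, camelCase keys). The field layout is an
# assumption about the agent's JSON; the values are made up.
SAMPLE_LINES = [
    # 1. the closure case: rundll32 comsvcs.dll MiniDump opening lsass with 0x1010
    json.dumps({"win": {"system": {"eventID": "10", "computer": "WS01"},
                        "eventdata": {"sourceImage": r"C:\Windows\System32\rundll32.exe",
                                      "targetImage": r"C:\Windows\system32\lsass.exe",
                                      "grantedAccess": "0x1010"}}}),
    # 2. Defender engine reading lsass with the same mask: allow-listed, must stay quiet
    json.dumps({"win": {"system": {"eventID": "10", "computer": "WS01"},
                        "eventdata": {"sourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
                                      "targetImage": r"C:\Windows\system32\lsass.exe",
                                      "grantedAccess": "0x1010"}}}),
    # 3. Event 1 for the same rundll32 command: the image-name rule's territory, not ours
    json.dumps({"win": {"system": {"eventID": "1", "computer": "WS01"},
                        "eventdata": {"image": r"C:\Windows\System32\rundll32.exe",
                                      "commandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 out.dmp full"}}}),
    # 4. Event 10 against a target that is not lsass
    json.dumps({"win": {"system": {"eventID": "10", "computer": "WS01"},
                        "eventdata": {"sourceImage": r"C:\Users\bob\tool.exe",
                                      "targetImage": r"C:\Windows\explorer.exe",
                                      "grantedAccess": "0x1fffff"}}}),
    # 5. unknown tool opening lsass with PROCESS_QUERY_LIMITED_INFORMATION only (no read bit)
    json.dumps({"win": {"system": {"eventID": "10", "computer": "WS01"},
                        "eventdata": {"sourceImage": r"C:\Users\bob\tool.exe",
                                      "targetImage": r"C:\Windows\system32\lsass.exe",
                                      "grantedAccess": "0x1000"}}}),
]


def match_rule_100620(event):
    """Return an alert dict if the event is an lsass open carrying PROCESS_VM_READ from a
    non-allow-listed image, else None. Mirrors the logic described for rule 100620."""
    win = event.get("win", {})
    if win.get("system", {}).get("eventID") != "10":
        return None                                   # only Sysmon ProcessAccess events
    data = win.get("eventdata", {})
    if not data.get("targetImage", "").lower().endswith("\\lsass.exe"):
        return None                                   # only opens of lsass.exe
    try:
        mask = int(data.get("grantedAccess", "0"), 16)
    except ValueError:
        return None                                   # malformed mask: skip, do not crash
    if not mask & PROCESS_VM_READ:
        return None                                   # no memory-read right requested
    source = data.get("sourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return None                                   # known benign reader
    return {
        "rule_id": 100620,
        "level": 14,
        "mitre": "T1003.001",
        "host": win["system"].get("computer"),
        "source_image": source,
        "granted_access": hex(mask),
    }


def run(lines):
    """Feed raw JSON lines through the rule and collect the alerts it raises."""
    alerts = []
    for line in lines:
        alert = match_rule_100620(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

Only the first record alerts. The same five records make a reasonable fixture for the re-fire step: the rule must fire on 1 and stay silent on 2 through 5 after every tuning pass.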
06. Playground — Sigma → multi-engine (live · compiler)
Type a Sigma rule on the left. It gets transpiled live — in your browser — to Wazuh XML, Splunk SPL, KQL / Microsoft Sentinel, and Suricata. Pure JS, ~280 lines of pattern-matching, zero backend, zero telemetry.
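What the transpile step actually does, as an added example rather than the playground's own JavaScript: a Python sketch of the Sigma → Wazuh XML and Sigma → Splunk SPL mapping for the selection / filter subset that the LSASS closure needs. The Sigma rule is constructed and supplied already parsed (yaml.safe_load would produce the same dict); the level → Wazuh level table, the Sysmon category → EventID table and the Splunk index name are assumptions. The one thing worth taking away is that the field name, the modifier and the negation each translate independently, so the same walk over the detection block serves every target engine.

```python
import re
from xml.sax.saxutils import escape

# Constructed Sigma rule, given here already parsed (yaml.safe_load would produce this
# dict). It mirrors the LSASS closure; it is not a rule from the page's repo.
SIGMA_RULE = {
    "title": "LSASS memory access via non-allow-listed image",
    "logsource": {"product": "windows", "category": "process_access"},
    "detection": {
        "selection": {"TargetImage|endswith": r"\lsass.exe", "GrantedAccess|contains": "0x10"},
        "filter": {"SourceImage|endswith": [r"\MsMpEng.exe", r"\csrss.exe"]},
        "condition": "selection and not filter",
    },
    "level": "high",
    "tags": ["attack.credential_access", "attack.t1003.001"],
}

# Assumed mappings: Sigma level -> Wazuh alert level, Sysmon Sigma category -> EventID.
LEVELS = {"low": 5, "medium": 8, "high": 12, "critical": 14}
CATEGORY_EVENTID = {"process_creation": "1", "network_connection": "3", "process_access": "10"}


def split_key(key):
    """'TargetImage|endswith' -> ('TargetImage', 'endswith'); a bare key means equals."""
    name, _, mod = key.partition("|")
    return name, mod or "equals"


def as_list(value):
    return value if isinstance(value, list) else [value]


def parse_condition(condition):
    """Supports the subset '<selection>' and '<selection> and not <filter>'."""
    m = re.fullmatch(r"(\w+)(?:\s+and\s+not\s+(\w+))?", condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    return m.group(1), m.group(2)


def pcre2(values, mod):
    """Sigma values + modifier -> case-insensitive PCRE2 for a Wazuh <field type="pcre2">."""
    alts = "|".join(re.escape(v) for v in values)
    body = f"(?:{alts})" if len(values) > 1 else alts
    return "(?i)" + {"equals": f"^{body}$", "startswith": f"^{body}",
                     "endswith": f"{body}$", "contains": body}[mod]


def pcre2_matches(pattern, text):
    """Python's re agrees with PCRE2 on this subset, so it can sanity-check the output."""
    return re.search(pattern, text) is not None


def wazuh_field(name):
    """Sigma uses PascalCase Sysmon names; the Wazuh eventchannel decoder emits camelCase."""
    return "win.eventdata." + name[0].lower() + name[1:]


def to_wazuh(rule, rule_id):
    det = rule["detection"]
    selection, filt = parse_condition(det["condition"])
    out = [f'<rule id="{rule_id}" level="{LEVELS[rule["level"]]}">', "  <if_group>windows</if_group>"]
    event_id = CATEGORY_EVENTID.get(rule["logsource"].get("category"))
    if event_id:
        out.append(f'  <field name="win.system.eventID">^{event_id}$</field>')
    # selection fields match positively; filter fields become negated <field> checks
    for block, negate in ((selection, ""), (filt, ' negate="yes"')):
        for key, value in (det[block] if block else {}).items():
            name, mod = split_key(key)
            out.append(f'  <field name="{wazuh_field(name)}"{negate} type="pcre2">'
                       f'{escape(pcre2(as_list(value), mod))}</field>')
    out.append(f"  <description>{escape(rule['title'])}</description>")
    ids = [t[len("attack."):].upper() for t in rule.get("tags", [])
           if re.fullmatch(r"attack\.t\d{4}(\.\d{3})?", t)]
    if ids:
        out.append("  <mitre>" + "".join(f"<id>{i}</id>" for i in ids) + "</mitre>")
    out.append("</rule>")
    return "\n".join(out)


def spl_term(name, values, mod):
    """One Sigma field -> an SPL wildcard comparison (OR-joined when the value is a list)."""
    wild = {"equals": "{}", "startswith": "{}*", "endswith": "*{}", "contains": "*{}*"}[mod]
    terms = []
    for v in values:
        quoted = '"' + wild.format(v).replace("\\", "\\\\") + '"'   # SPL escapes backslashes
        terms.append(f"{name}={quoted}")
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def to_spl(rule, index="sysmon"):          # index name is an assumption
    det = rule["detection"]
    selection, filt = parse_condition(det["condition"])
    parts = [f"index={index}"]
    event_id = CATEGORY_EVENTID.get(rule["logsource"].get("category"))
    if event_id:
        parts.append(f"EventCode={event_id}")
    for key, value in det[selection].items():
        name, mod = split_key(key)
        parts.append(spl_term(name, as_list(value), mod))
    for key, value in (det[filt] if filt else {}).items():
        name, mod = split_key(key)
        parts.append("NOT " + spl_term(name, as_list(value), mod))
    return " ".join(parts)


if __name__ == "__main__":
    print(to_wazuh(SIGMA_RULE, 100620))
    print(to_spl(SIGMA_RULE))
```

The Wazuh output relies on the `negate="yes"` attribute of `<field>` for the filter block and pins the Sysmon event with a `win.system.eventID` match; KQL and Suricata targets would be two more emitters over the same parsed detection block, not a different parser.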
07. Projects
Five repos shipped, two more in progress. Code is open, READMEs are written, none of them are toy code.
Cybersecurity
home-lab-siem
Reproducible SIEM lab built around the architecture I deployed at the Préfecture de Tétouan.
Wazuh manager + indexer + dashboard, Suricata as the network IDS feeding EVE JSON to Wazuh, Sysmon-ready Windows agents, FortiGate / Nessus / MISP integration patterns documented. docker compose up brings the whole thing online in ~3 minutes.
FacturationPro-Enterprise
Windows desktop billing & invoicing app — C++ / VCL, MySQL backend.
Multi-user, role-based, prints PDF invoices, tracks clients and stock. Built with Embarcadero RAD Studio (VCL) for production-shaped Windows deployments.
water-stress-morocco-analytics
Data warehouse + BI on water stress in Morocco (2015–2025).
Star-schema model, 68k+ records loaded into MySQL, dashboards in QlikView. Shows the gap between renewable and consumed water across the 12 regions over a decade.
HTMLCamp
E-learning platform for web dev, with live Monaco editor and context-aware hints.
Interactive lessons, in-browser code editor, MySQL persistence, PHP backend. Aimed at students learning HTML / CSS / JS from zero.
Rabat-Cultural-Website
WordPress platform showcasing Morocco's capital — accessible, responsive, multilingual-ready.
Built around accessibility (WCAG-aware) and a clean tourism-grade design. CSS-heavy, responsive across phone / tablet / desktop, hosted on standard LAMP.
pentest-cheatsheet
My working notes on offensive security — recon → enum → AD → web → post-exploitation.
Curated commands and recipes I use when learning. Not a copy-paste of someone else's gist; it's the stuff I actually keep close while studying for OSCP / HTB / THM.
ctf-writeups
Walkthroughs of the CTFs / boxes I solve — methodology over flags.
TryHackMe and HackTheBox machines I've finished, written up in a consistent template: recon, enum, foothold, priv-esc, lessons learned.
08. Now
A snapshot of what's currently on the workbench. Updated by hand, not generated.
This week
- purple Atomic Red Team validation pack against the lab Wazuh rules — detection coverage report.
- blue MISP misp-modules wired in for hash + URL enrichment, instead of one-off scripts.
- red Writing up two HTB boxes (Active Directory chain + Linux pivot) for the writeups repo.
This month
- red OSCP-track lab time — buffer overflow refresh, Active Directory attack paths.
- blue Sigma rule pipeline so the lab's detections aren't tied to Wazuh alone.
- dev Polishing the C++ billing app (FacturationPro) for a 1.0 cut — PDF templates, multi-user.
This quarter
- Internship applications — SOC · detection · pentest · purple-team, remote / EU / Morocco. open.
- CCNA Security track — finishing labs, scheduling exam.
- Open-sourcing one detection-engineering write-up and one offensive write-up per month.
09. Achievements
Milestones unlocked across the three tracks. Solid line is shipped, dashed line is in progress.
SIEM in production
Multi-layer Wazuh + Suricata + Sysmon + MISP + FortiGate stack deployed at the Préfecture de Tétouan — 1 month, real network.
13 cybersec certifications
Fortinet NSE 1–3, EC-Council, ICSI, CCNA-track, Google IT Support, Linux Essentials, and more.
50+ tickets at ALTEN
N1/N2 incident triage — ticket lifecycle, runbooks, escalation path. Real users, real pressure.
OSCP-track
Buffer-overflow refresh, AD attack paths, manual exploit dev — in active prep.
HTB / THM rooms cleared
AD chains + Linux pivots + web exploitation. Writeups in ctf-writeups.
pentest-cheatsheet — published
Public, opinionated, kept current.
Atomic-Red-Team validation
22 tests in rotation against the home-lab-siem rules — every covered cell has a matching test.
Sigma rule pipeline
Detections decoupled from Wazuh alone — portable across Splunk / Elastic.
red→blue closures
8 closures shipped, 6 more in the backlog. Goal: one new closure per week.
10. Detection-engineering activity (blue · year)
Rules shipped, atomic tests run, closures documented — week by week, full year. Hand-rolled SVG, hand-curated data. Hover a cell to see what shipped that week.
11. Stack
Blue — detect
- Wazuh
- Suricata
- Sysmon
- MISP
- VirusTotal
- FortiGate
- Nessus
- Sigma
- MITRE ATT&CK
Red — attack
- Burp Suite
- Nmap
- Metasploit
- BloodHound
- Mimikatz
- Impacket
- CrackMapExec
- OSCP path
Purple — validate
- Atomic Red Team
- Sigma pipeline
- Caldera (study)
- Detection-as-code
Network & system
- FortiGate VM
- Cisco (CCNA-track)
- VLANs / IPSec
- Linux (Ubuntu / Debian)
- Windows Server
- Active Directory basics
Dev
- C / C++ (VCL, RAD Studio)
- PHP
- HTML / CSS / JS
- SQL (MySQL)
- Bash
- Python (basics)
DevOps / data
- Docker / Compose
- Git / GitHub
- QlikView
- WordPress
- Monaco editor
- VMware Workstation
12. Certifications
13 certifications — kept current, all with verification links on LinkedIn.
- Fortinet NSE 1–3 · Fortinet
- Certified Ethical Hacker (CEH Essentials) · EC-Council
- ICSI | CNSS — Cybersecurity Specialist · ICSI
- CCNA — Routing & Switching track · Cisco
- Google IT Support · Google
- Linux Essentials · LPI
- Network Defense Essentials · EC-Council
- Cybersecurity Bootcamp · diverse providers
13. Get in touch
Recruiting, internship, security side-project, want a second pair of eyes on a SIEM rule — drop me a line.