ShadowHunt

Inspired by cybersecurity talent shortages and DSOC's secure systems challenge, I built ShadowHunt a containerized red-team simulator with privacy-preserving detection. This framework turns a simple VM into a live ATT&CK lab, blending attack emulation, real-time alerts, and anonymized logging for ethical pentesting demos.

Inspiration

Real-world breaches like SolarWinds showed detection gaps, while hackathon limits demanded isolated sims. DSOC's privacy focus sparked the diffprivlib integration fuzz logs during attacks to prove compliant threat hunting. Drew from MITRE Caldera for emulation and Docker labs for rapid setup, but added evasion-hardening demos missing in existing tools.

What I Learned

ATT&CK in action: T1003 credential dumps via Impacket trigger Suricata SMB sigs, but ML isolation forests catch stealthier lateral moves on syslogs.
Privacy math: Differential privacy with (\epsilon = 1.0) adds Gaussian noise to metrics like connection counts, preserving heatmap utility: (\tilde{x} = x + \mathcal{N}(0, \sigma^2)) where (\sigma \propto \frac{1}{\epsilon}).
Container isolation: Docker networks prevent breakout; Helm charts scale to K8s for cloud judges.

How I Built It

Day 1 - Sim Core: Docker Compose spun up victim (Ubuntu+Impacket-sim AD), attacker (Kali-lite), and airgapped network (--internal). Scripted T1078 brute-force and SecretsDump.
Day 2 - Detection + Privacy: Suricata IDS container with custom rules; scikit-learn anomaly model trained on baseline PCAPs. diffprivlib hashed PII pre-storage.
Day 3 - API/Dashboard: FastAPI /start_sim triggers attacks; Streamlit dashboard shows ATT&CK matrix heatmaps and evasion rates (80% → 20% post-patch).

Repo at https://github.com/elonmasai7/ShadowHunt includes full stack: docker-compose.yml, API, models, and README with GIF demo.

Component	Tech Stack	Key Feature
Simulation	Impacket + Caldera Docker	Headless ATT&CK T1078/T1003
Detection	Suricata + Isolation Forest	EVE JSON → ML alerts ((n_estimators=100))
Privacy	diffprivlib	(\epsilon)-DP log fuzzing
Viz	Streamlit	Live evasion rate: (\frac{\text{detections}}{\text{sims}} \times 100\%)
Deploy	Docker/Helm	`docker compose up` in 2min

Challenges Faced

Network Leaks: Sims escaped initial namespaces; fixed with unshare -n and --network none for true isolation.
ML Tuning: 40% false positives on benign traffic; grid-searched hyperparameters, cutting FPR to 12% via cross-validation.
Time Crunch: Metasploit flaked headless; pivoted to pure Impacket/Scapy (saved 6h). Slow Nakuru internet delayed pulls—added multi-arch manifests.
Privacy Balance: High noise ((\epsilon < 0.5)) broke dashboards; settled on (\epsilon=1.0) after utility testing.

ShadowHunt proves iterative hardening works even evasion v1 fooled sigs, but v2 ML crushes it. Ready for DSOC judges: clone, run, watch attacks get caught live!

Built With

Submitted to

Dev Season of Code

Created by

My primary contribution to ShadowHunt is the complete design, development, and deployment of this containerized red-team simulation framework, from concept to a fully functional GitHub repo at https://github.com/elonmasai7/ShadowHunt.

Technical Contributions
Simulation Engine: Authored custom Python scripts using Impacket for ATT&CK techniques T1078 (Valid Accounts brute-force) and T1003 (OS Credential Dumping via SecretsDump), integrated with MITRE Caldera Docker for scalable adversary emulation.

Detection Pipeline: Implemented Suricata IDS with custom rules for signature-based alerts, plus a scikit-learn Isolation Forest model (
n
e
s
t
i
m
a
t
o
r
s
=
100
n
e
stimators=100) trained on syslog/PCAP features to reduce false positives from 40% to 12%.

Privacy Layer: Added differential privacy using diffprivlib, applying Gaussian noise (
ϵ
=
1.0
ϵ=1.0) to log metrics like connection counts before storage, ensuring anonymized analysis without utility loss.

API & Orchestration: Built FastAPI endpoints (/start_sim, /detect, /report) to trigger attacks and generate reports; Docker Compose for local labs and Helm chart for Kubernetes demos.

Dashboard: Developed Streamlit interface for real-time ATT&CK matrix heatmaps, evasion success rates (
detections
sims
×
100
%
sims
detections
×100%), and live PCAP visualizations.

Key Innovations
Evasion-hardening demo: v1 payloads bypassed Suricata (80% success), v2 ML patches drop it to 20% shows iterative security.

Airgapped isolation via Docker internal networks and unshare -n, preventing real-world risks.

Hackathon-optimized: Full stack deploys in 2 minutes with docker compose up.

Documentation & Open-Sourcing
Wrote comprehensive README with setup, ATT&CK coverage matrix, demo GIFs, and contribution guidelines. Made multi-arch images for global accessibility (ARM/AMD64), tested on Nakuru VMs.

This 72-hour sprint delivered a DSOC-ready prototype that combines practical pentesting, ML threat detection, and privacy engineering clone and run for instant impact!

Private user

Updates

Private user started this project — Feb 27, 2026 02:39 PM EST

Leave feedback in the comments!

Log in or sign up for Devpost to join the conversation.