Threat Hunting
Threat hunting labs and exercises using Splunk, ELK, and endpoint tools.
Hunting PowerShell / .NET Malware
Endpoint hunting lab using Sysmon logs and PowerShell to trace .NET malware execution, MSBuild abuse, certutil downloads, and SILENTTRINITY C2 activity.
Splunk Lab 1 - Brute Force Detection
Splunk threat hunting lab covering password brute-force detection, attack frequency visualization, IP geolocation, and process execution analysis using BOTSv1 data.
Splunk Lab 2 - PowerShell Empire / Lateral Movement / Exfiltration
Splunk hunting lab covering PowerShell Empire C2 detection, FTP and DNS data exfiltration analysis, adversary infrastructure discovery, and WMI lateral movement using BOTSv2 data.
Splunk Lab 3 - AD Brute Force, Kerberoasting, Credential Dumping
Comprehensive Splunk lab covering Active Directory attack detection, including brute force, Kerberoasting, credential dumping from lsass.exe, DCSync, and GPP honeypots.
ELK Lab 1 - PowerShell Threat Hunting
ELK-based threat hunting lab covering detection of PowerShell offensive frameworks, suspicious parent processes, renamed executables, base64-encoded commands, GZIP compression, XOR obfuscation, and download techniques.
ELK Lab 2 - LOLBAS, UAC Bypass, DCSync
ELK hunting lab covering rundll32 abuse, UAC bypass via cliconfg.exe and sdclt.exe, RDP tampering detection, DCSync, remote WMI usage, LOLBAS openurl techniques, and scheduled task persistence.
Splunk Threat Hunting: APT Intrusion & Cobalt Strike
Threat hunting exercise using Splunk to detect APT activity, Cobalt Strike stagers, and lateral movement via SMB, with findings mapped to the Cyber Kill Chain.
ELK Threat Hunting: Timestomping, Meterpreter, WMI & Credential Harvesting
Threat hunting exercise using ELK/Kibana to detect timestomping (T1099), Meterpreter process migration (T1055), WMI abuse (T1021), xp_cmdshell execution, browser credential harvesting (T1081), and RottenPotato privilege escalation (T1134).