Module 3: Adversary Technique Hunting
Hunt for specific ATT&CK technique categories: credential access, persistence, lateral movement, privilege escalation, and defense evasion.
Lessons & Labs
Lesson 3.1 — Credential Access Hunting
Hunting for Kerberoasting (EID 4769), LSASS access (Sysmon EID 10), NTLM downgrade (EID 4776), and credential dumping indicators across the enterprise.
Lab 3.1 — Credential Access Hunt
Hunt for Kerberoasting and LSASS access attempts in shared Wazuh data. Identify which attack scenarios use credential theft and what distinguishes malicious from legitimate access.
Lesson 3.2 — Persistence Mechanism Hunting
Systematically hunting for persistence: WMI event subscriptions (Sysmon EID 19/20/21), scheduled tasks (EID 4698), registry modifications (Sysmon EID 13), and service installations (EID 7045).
Lab 3.2 — Persistence Mechanism Hunt
Find all persistence mechanisms planted by the three attack scenarios (APT Breach, Inside Out, LOLBin Strike). Categorize by technique type and prioritize by impact.
Lesson 3.3 — Lateral Movement Hunting
Detecting PsExec/SMB patterns, WMI remote execution, RDP anomalies, and 4624 Type 3 fan-out patterns that reveal attackers moving through the network.
Lab 3.3 — Lateral Movement Hunt
Trace lateral movement fan-out patterns across all 12 agents. Identify which hosts were compromised, in what order, and what tools the attackers used.
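Added example (not part of the course material) of the 4624 Type 3 fan-out hunt from Lesson 3.3 in Python: it runs over a constructed sample log with the field names of the Windows Security event as Wazuh forwards them; the 10-minute window, the 4-host threshold and the machine-account exclusion are assumptions to tune per environment.

```python
"""Hunt for 4624 Type 3 fan-out: one account authenticating over the network
to many distinct hosts in a short window, a common lateral-movement signal."""
from collections import defaultdict
from datetime import datetime, timedelta


def evt(ts, user, dest, src, logon_type=3):
    # Minimal shape of a Windows Security 4624 event as forwarded by Wazuh.
    return {"ts": ts, "EventID": 4624, "LogonType": logon_type,
            "TargetUserName": user, "Computer": dest, "IpAddress": src}


# Constructed sample log (not real telemetry); hosts and accounts are invented.
SAMPLE_EVENTS = [
    evt("2024-05-01T09:00:05", "jdoe", "WS01", "10.0.0.50"),
    evt("2024-05-01T09:01:10", "jdoe", "WS02", "10.0.0.50"),
    evt("2024-05-01T09:02:30", "jdoe", "WS03", "10.0.0.50"),
    evt("2024-05-01T09:04:00", "jdoe", "FS01", "10.0.0.50"),
    evt("2024-05-01T09:05:45", "jdoe", "DC01", "10.0.0.50"),
    evt("2024-05-01T09:00:00", "svc_backup", "FS01", "10.0.0.9"),   # 2 hosts, 30 min apart
    evt("2024-05-01T09:30:00", "svc_backup", "FS02", "10.0.0.9"),
    evt("2024-05-01T09:03:00", "WS01$", "DC01", "10.0.0.11"),       # machine-account noise
    evt("2024-05-01T09:03:05", "admin", "WS04", "10.0.0.77", 10),   # RDP (Type 10), not Type 3
]


def fanout_alerts(events, window_seconds=600, min_hosts=4):
    """Return {account: sorted distinct hosts} for accounts whose Type 3 logons
    reached >= min_hosts distinct computers inside any window-long span."""
    window = timedelta(seconds=window_seconds)
    by_account = defaultdict(list)
    for e in events:
        # Keep network logons only; skip machine accounts (name ends with '$').
        if e["EventID"] != 4624 or e["LogonType"] != 3 or e["TargetUserName"].endswith("$"):
            continue
        by_account[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["ts"]), e["Computer"]))
    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        best, left = set(), 0
        for right, (t, _) in enumerate(logons):
            while t - logons[left][0] > window:  # slide the window start forward
                left += 1
            hosts = {h for _, h in logons[left:right + 1]}
            if len(hosts) > len(best):
                best = hosts  # remember the densest fan-out seen for this account
        if len(best) >= min_hosts:
            alerts[account] = sorted(best)
    return alerts
```

Accounts that legitimately fan out (vulnerability scanners, backup or monitoring service accounts) are the main false-positive source, so an allow-list keyed on account plus source IP is the usual next refinement.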
Lesson 3.4 — Privilege Escalation Hunting
Hunting for token manipulation, UAC bypass indicators, Sysmon EID 8/10 process injection, and unusual privilege assignment patterns.
Lesson 3.5 — Defense Evasion Hunting
Detecting timestomping, log clearing (EID 1102), process hollowing indicators, Defender exclusion modifications (EID 4104), and anti-forensics techniques.