Module 3: Network and Endpoint Hunting
Expand beyond the SIEM. Hunt with Suricata network signatures and Velociraptor endpoint forensics.
Lessons & Labs
Lesson 3.1 — Network Beaconing and DNS Hunting
Detecting C2 beaconing patterns, DNS tunneling, protocol abuse, and anomalous traffic using Suricata/EveBox alert data.
Lab 3.1 — Beaconing Detection
Detect slow C2 beaconing, DNS-over-HTTPS abuse, and DNS TXT data exfiltration hidden in network traffic captured by Suricata, using EveBox timing and payload analysis.
Lesson 3.2 — Endpoint Stacking with VQL
Using Velociraptor Query Language to stack processes, services, scheduled tasks, and autoruns across endpoints — finding the one anomaly in hundreds of legitimate entries.
Lab 3.2 — Hypothesis-Driven Endpoint Hunt
Use Velociraptor to test a hypothesis: 'The Linux endpoint has persistence mechanisms.' Collect artifacts, analyze, confirm or refute.
Lesson 3.3 — Fleet-Wide Anomaly Detection
Baseline profiling across multiple endpoints. What's normal for your fleet? What deviates? Techniques for scale-aware hunting.
Lab 3.3 — Fleet Stacking
Stack 5 artifact categories across the endpoint fleet using Velociraptor. Identify outliers by frequency, naming conventions, and installation patterns.
Lesson 3.4 — Cross-Tool Correlation
Pivoting between SIEM, network, and endpoint data. Building unified timelines. The art of connecting evidence from different tools into a single narrative.
Lab 3.4 — Cross-Tool Campaign
Trace a complete credential spray campaign from initial reconnaissance through C2 establishment using cross-source SIEM correlation across multiple agents and log types.