Module 4: Network and Endpoint Hunting
Expand beyond the SIEM. Hunt with Suricata network signatures and Velociraptor endpoint forensics.
Lessons & Labs
Lesson 4.1 — Network Beaconing and DNS Hunting
Detecting C2 beaconing patterns, DNS tunneling, protocol abuse, and anomalous traffic using Suricata/EveBox alert data.
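The core of beaconing detection is interval regularity: a C2 implant calls home on a timer, so the gaps between its connections cluster tightly, while human-driven traffic does not. The block below is an added example written for this outline, not code from the course or from Suricata, that scores Suricata eve.json flow records per (src_ip, dest_ip, dest_port) tuple using the coefficient of variation of inter-connection intervals. The eve.json lines are constructed inline with a seeded generator (a 60-second beacon with a few seconds of jitter, plus irregular browsing from the same host) so it runs offline; the thresholds min_flows and max_cv are illustrative starting points, not values the course prescribes.

```python
import json
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata eve.json timestamp layout


def _flow(t, src, dst, dport):
    """Minimal constructed Suricata 'flow' record (only the fields we stack on)."""
    return {"timestamp": t.strftime(TS_FMT), "event_type": "flow",
            "src_ip": src, "dest_ip": dst, "dest_port": dport, "proto": "TCP"}


def build_sample_flows(seed=7):
    """Constructed eve.json lines: one jittered 60s beacon plus irregular background."""
    rng = random.Random(seed)
    t0 = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    events = []
    t = t0
    for _ in range(40):                      # implant: 60s sleep, +/-3s jitter
        t += timedelta(seconds=60 + rng.uniform(-3, 3))
        events.append(_flow(t, "10.0.0.23", "203.0.113.10", 443))
    t = t0
    for _ in range(40):                      # user: irregular browsing to two sites
        t += timedelta(seconds=rng.uniform(5, 400))
        dst = rng.choice(["198.51.100.5", "198.51.100.9"])
        events.append(_flow(t, "10.0.0.23", dst, 443))
    events.sort(key=lambda e: e["timestamp"])  # fixed-width format sorts lexically
    return [json.dumps(e) for e in events]


def find_beacons(eve_lines, min_flows=8, max_cv=0.2):
    """Return src/dst/port tuples whose inter-flow intervals are suspiciously regular.

    cv = population stdev / mean of the gaps between consecutive flows.
    A fixed-sleep implant scores near 0; human traffic scores well above 0.5.
    """
    starts = defaultdict(list)
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue
        key = (ev["src_ip"], ev["dest_ip"], ev["dest_port"])
        starts[key].append(datetime.strptime(ev["timestamp"], TS_FMT))

    hits = []
    for (src, dst, dport), ts in starts.items():
        if len(ts) < min_flows:              # too few samples to judge regularity
            continue
        ts.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"src_ip": src, "dest_ip": dst, "dest_port": dport,
                         "count": len(ts), "mean_interval_s": round(mean, 1),
                         "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(build_sample_flows()):
        print(hit)
```

Caveat for the hunt: implants that randomize their sleep by a large percentage push the cv above any sane threshold, so pair this with other stackable features from the same records (flow byte counts that barely vary, the same dest_port across many hosts, a destination no other host talks to) rather than relying on timing alone.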
Lab 4.1 — Beaconing Detection
Decompose a fictional CERT advisory on the NightCrypt ransomware campaign into MITRE-mapped, testable hunt hypotheses, prioritized query plans, and a Hunt Hypothesis Document (browser-only).
Lesson 4.2 — Endpoint Stacking with VQL
Using Velociraptor Query Language to stack processes, services, scheduled tasks, and autoruns across endpoints — finding the one anomaly in hundreds of legitimate entries.
Lab 4.2 — Hypothesis-Driven Endpoint Hunt
Operationalize hunt findings: write Sigma rules for three patterns, convert with sigma-cli to OpenSearch/Wazuh, validate in Threat Hunting, and document tuning.
Lesson 4.3 — Fleet-Wide Anomaly Detection
Baseline profiling across multiple endpoints. What's normal for your fleet? What deviates? Techniques for scale-aware hunting.
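Stacking (Lesson 4.2) and fleet baselining (Lesson 4.3) are the same operation at different scales: group identical values across hosts, count how many hosts carry each value, and inspect the rare tail. The block below is an added example for this outline, not course material and not VQL; it works on rows exported from a Velociraptor hunt (the Fqdn, Name and Exe column names are assumed to match the process-listing artifact used in the lab; adjust if yours differ). The fleet is constructed inline: 50 hosts with an identical process set, plus one host running a binary that reuses a system process name from a user-writable path. It shows why stacking on name alone misses masquerading while stacking on (name, path) surfaces it.

```python
from collections import defaultdict


def build_sample_pslist(n_hosts=50):
    """Constructed hunt export: identical baseline on every host, one masquerade."""
    rows = []
    for i in range(n_hosts):
        host = f"WS{i:03d}.corp.example"
        rows.append({"Fqdn": host, "Name": "lsass.exe",
                     "Exe": r"C:\Windows\System32\lsass.exe"})
        rows.append({"Fqdn": host, "Name": "svchost.exe",
                     "Exe": r"C:\Windows\System32\svchost.exe"})
        rows.append({"Fqdn": host, "Name": "explorer.exe",
                     "Exe": r"C:\Windows\explorer.exe"})
    # Same name as a core Windows process, but launched from a user-writable path.
    rows.append({"Fqdn": "WS017.corp.example", "Name": "svchost.exe",
                 "Exe": r"C:\Users\Public\svchost.exe"})
    return rows


def stack(rows, fields):
    """Group rows by the chosen fields; returns {value_tuple: set of hosts}.

    Counting distinct hosts rather than rows keeps a chatty host from
    inflating a value's apparent prevalence.
    """
    hosts = defaultdict(set)
    for r in rows:
        key = tuple(str(r[f]).lower() for f in fields)  # case-fold paths/names
        hosts[key].add(r["Fqdn"])
    return hosts


def rare(rows, fields, max_prevalence=0.02):
    """Values present on at most max_prevalence of the fleet, rarest first."""
    total = len({r["Fqdn"] for r in rows})
    stacked = stack(rows, fields)
    return [
        {"values": k, "hosts": sorted(h), "prevalence": len(h) / total}
        for k, h in sorted(stacked.items(), key=lambda kv: len(kv[1]))
        if len(h) / total <= max_prevalence
    ]


if __name__ == "__main__":
    rows = build_sample_pslist()
    print("by name:", rare(rows, ["Name"]))          # nothing: every name is on all hosts
    print("by name+path:", rare(rows, ["Name", "Exe"]))  # the one-host outlier
```

The prevalence threshold is a fleet-size decision: 2% of 50 hosts is one machine, but 2% of 5,000 is a hundred, so at scale you will usually cap on an absolute host count as well. The same functions stack services, scheduled tasks or autoruns unchanged, as long as you pick key fields that capture the property an attacker has to change (path, signer, command line), not just the name they can copy.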
Lab 4.3 — Fleet Stacking
Conduct a comprehensive threat hunt across all log sources to identify three concurrent campaigns, build timelines, extract IOCs, and deliver an executive investigation summary.
Lesson 4.4 — Cross-Tool Correlation
Pivoting between SIEM, network, and endpoint data. Building unified timelines. The art of connecting evidence from different tools into a single narrative.
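Before evidence from three tools can be read as one narrative it has to agree on two things: the clock and the entity. The block below is an added example for this outline (not course code, and not any tool's API) that normalizes timestamps from Suricata, Velociraptor and Wazuh records into UTC and joins them on the host, then emits a single sorted timeline. The three records are constructed inline (one per tool, for the same host) and the IP-to-hostname table stands in for an asset inventory; the signature and rule text are placeholders. It handles the formatting differences that actually bite in practice: a "+0000" offset versus "Z", nanosecond fractions that strptime cannot parse, and epoch numbers.

```python
import re
from datetime import datetime, timezone

# Constructed sample records, one per tool (placeholder text, not real tool output).
SURICATA_EVE = [
    {"timestamp": "2024-03-01T09:00:05.123456+0000", "event_type": "alert",
     "src_ip": "10.0.0.23", "dest_ip": "203.0.113.10", "dest_port": 443,
     "alert": {"signature": "CONSTRUCTED periodic TLS to untrusted host"}},
]
VELOCIRAPTOR_ROWS = [
    {"Fqdn": "WS017.corp.example", "timestamp": "2024-03-01T08:59:58.123456789Z",
     "Name": "svchost.exe", "Exe": r"C:\Users\Public\svchost.exe"},
]
WAZUH_ALERTS = [
    {"timestamp": "2024-03-01T08:58:40.000+0000", "agent": {"name": "WS017"},
     "rule": {"description": "CONSTRUCTED scheduled task created by non-admin user"}},
]
# Assumed asset inventory: joins network evidence (IP) to endpoint evidence (hostname).
IP_TO_HOST = {"10.0.0.23": "WS017"}

_EXTRA_FRACTION = re.compile(r"(\.\d{6})\d+")      # trim >6 fractional digits
_BASIC_OFFSET = re.compile(r"([+-]\d{2})(\d{2})$")   # +0000 -> +00:00


def parse_ts(value):
    """Normalize a tool timestamp (ISO string or epoch number) to tz-aware UTC.

    Naive strings are assumed to be UTC; confirm that against each tool's
    configuration, because a local-time source silently shifts the timeline.
    """
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    s = value.strip()
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    s = _EXTRA_FRACTION.sub(r"\1", s)
    s = _BASIC_OFFSET.sub(r"\1:\2", s)
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive == UTC
    return dt.astimezone(timezone.utc)


def short_host(name):
    """FQDN or agent name -> upper-case short hostname, the join key."""
    return name.split(".")[0].upper()


def build_timeline(suricata=SURICATA_EVE, velociraptor=VELOCIRAPTOR_ROWS,
                   wazuh=WAZUH_ALERTS, ip_to_host=IP_TO_HOST):
    """Merge the three sources into one list sorted by UTC time."""
    events = []
    for e in suricata:
        events.append({"ts": parse_ts(e["timestamp"]), "source": "suricata",
                       "host": short_host(ip_to_host.get(e["src_ip"], e["src_ip"])),
                       "summary": f'{e["alert"]["signature"]} -> '
                                  f'{e["dest_ip"]}:{e["dest_port"]}'})
    for r in velociraptor:
        events.append({"ts": parse_ts(r["timestamp"]), "source": "velociraptor",
                       "host": short_host(r["Fqdn"]),
                       "summary": f'{r["Name"]} running from {r["Exe"]}'})
    for a in wazuh:
        events.append({"ts": parse_ts(a["timestamp"]), "source": "wazuh",
                       "host": short_host(a["agent"]["name"]),
                       "summary": a["rule"]["description"]})
    return sorted(events, key=lambda ev: ev["ts"])


def host_timeline(host, **sources):
    """Pivot: every event from every tool for one host, in order."""
    h = short_host(host)
    return [ev for ev in build_timeline(**sources) if ev["host"] == h]


if __name__ == "__main__":
    for ev in host_timeline("WS017"):
        print(ev["ts"].isoformat(), ev["source"].ljust(12), ev["host"], ev["summary"])
```

The output reads as the narrative the lesson is after: a scheduled task appears in the SIEM, a minute later the endpoint shows the masquerading binary running, and seconds after that the network sensor sees it call out. The join on IP is the weak link whenever DHCP leases move; record which inventory snapshot you used so a reviewer can check the mapping was valid at that time.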
Lab 4.4 — Cross-Tool Campaign Trace
Trace a complete credential spray campaign from initial reconnaissance through C2 establishment using cross-source SIEM correlation across multiple agents and log types.