WEEK_4 · DAY_25 · LAB

Lab 25 — Run a Hunt

Hypothesis-driven proactive search across 24h+ of data

LAB PROGRESS0/4 steps · 0%

Lab Objectives

›Form a hypothesis (PEAK / TaHiTI methodology)
›Run hunts for LOLBins, beaconing, suspicious parent-child
›Document findings: TPs, FPs, gaps
›Codify successful hunts into correlation searches

Lab Instructions

1
Hypothesis: 'Adversary using LOLBins for download.'
2
Open Splunk → Search and run the LOLBin hunt.
3
Document TPs, FPs, gaps.
4
If signal exists, propose a correlation search.

SPL for this Lab

LOLBin hunt open in Splunk

index=sysmon EventCode=1
  Image IN ("*\\rundll32.exe","*\\mshta.exe","*\\regsvr32.exe","*\\certutil.exe","*\\bitsadmin.exe")
  CommandLine="*http*"
| stats count values(CommandLine) as cmd by Computer, Image, User
| sort - count

// LOLBins fetching over HTTP = textbook abuse.

← LAB 24

Lab 24 — Phishing Investigation

LAB 26 →

Lab 26 — Run an IR Tabletop