WEEK_4 · DAY_30 · LAB
Lab 30 — CAPSTONE
Phish → cred theft → VPN → PsExec → DNS exfil → ransomware
Lab Objectives
- Triage 10 connected Notable Events
- Reconstruct the full attack timeline
- Map every step to ATT&CK
- Produce IR report, IOCs, containment plan, 3 new detections
Lab Instructions
1. Open Splunk ES → Incident Review (10 notables loaded).
2. Triage every notable. Read the SPL. Read the detail.
3. Order them on a timeline. They span 12:04 → 12:55.
4. Map each to ATT&CK.
5. Build the kill chain narrative: phish → exec → C2 → priv esc → lateral → exfil → ransom.
6. Produce: IR report (1 page), IOC list, containment plan, 3 new detections (with SPL).
SPL for this Lab
Capstone — risk by entity
index=risk earliest=-24h | stats sum(risk_score) as total values(search_name) as contributing by risk_object | where total > 100 | sort - total
Sums risk_score per risk_object over the last 24 hours, keeps only entities above 100, and lists the contributing searches, so the hosts and users most involved in the chain surface first.
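The following is an added worked example for steps 3 to 6 above and for the risk-by-entity SPL; it is not part of the lab and does not touch the notables loaded in Splunk ES. It takes ten constructed notables (sample data, not the lab's events), orders them on a timeline, tags each with a real ATT&CK technique ID and the lab's kill-chain phase, reports any phase with no supporting notable, extracts IOCs from the detail fields, and aggregates risk per entity the same way the SPL does (sum, threshold, sort). The technique-to-phase mapping, the search names, the entity names and every IOC value are assumptions made for the example.

```python
"""Capstone worksheet helper (added example, not part of the lab).

All notables below are constructed sample data; the ATT&CK IDs are real,
but which technique each notable carries is an assumption for this example."""
from collections import defaultdict

# Kill-chain phases in the order the lab narrates them, with "cred theft"
# from the lab title inserted between C2 and priv esc.
PHASE_ORDER = ["phish", "exec", "C2", "cred theft", "priv esc",
               "lateral", "exfil", "ransom"]

# Assumed technique -> narrative phase mapping. Grouping the PsExec service
# execution (T1569.002) under "lateral" is a narrative choice for the report.
TECHNIQUE_PHASE = {
    "T1566.001": "phish",       # Phishing: Spearphishing Attachment
    "T1204.002": "exec",        # User Execution: Malicious File
    "T1071.001": "C2",          # Application Layer Protocol: Web Protocols
    "T1003.001": "cred theft",  # OS Credential Dumping: LSASS Memory
    "T1078":     "priv esc",    # Valid Accounts (stolen creds used on the VPN)
    "T1021.002": "lateral",     # Remote Services: SMB/Windows Admin Shares
    "T1569.002": "lateral",     # System Services: Service Execution (PsExec)
    "T1048.003": "exfil",       # Exfil Over Unencrypted Non-C2 Protocol (DNS)
    "T1490":     "ransom",      # Inhibit System Recovery
    "T1486":     "ransom",      # Data Encrypted for Impact
}


def _n(time, search_name, risk_object, risk_score, technique, **ioc):
    """Build one constructed notable; extra keyword args are IOC detail fields."""
    return dict(time=time, search_name=search_name, risk_object=risk_object,
                risk_score=risk_score, technique=technique, **ioc)


# Constructed notables, deliberately out of order (Incident Review does not sort by time).
# Domains use the reserved .example TLD, the IP is from the 203.0.113.0/24 documentation range.
NOTABLES = [
    _n("12:55", "Mass File Rename With New Extension", "SRV-FS01", 80, "T1486"),
    _n("12:04", "Email Attachment Opened From External Sender", "jdoe", 20, "T1566.001",
       sender_domain="invoice-portal.example"),
    _n("12:49", "Volume Shadow Copies Deleted", "SRV-FS01", 60, "T1490"),
    _n("12:06", "Office App Spawning Script Interpreter", "WS-042", 40, "T1204.002",
       sha256="CONSTRUCTED-SHA256-PLACEHOLDER"),
    _n("12:31", "Admin Share Access From Workstation (PsExec)", "SRV-FS01", 50, "T1021.002"),
    _n("12:10", "Beaconing To Newly Seen Domain", "WS-042", 30, "T1071.001",
       domain="cdn-update.example"),
    _n("12:40", "High Volume Of Unique DNS Subdomains", "SRV-FS01", 50, "T1048.003",
       domain="ns1.tunnel-relay.example"),
    _n("12:18", "LSASS Memory Access By Non-System Process", "WS-042", 60, "T1003.001"),
    _n("12:34", "PSEXESVC Service Created", "SRV-FS01", 30, "T1569.002"),
    _n("12:25", "VPN Login From New Geo With Existing Account", "adm-rsmith", 40, "T1078",
       src_ip="203.0.113.55"),
]

IOC_FIELDS = ("sender_domain", "sha256", "domain", "src_ip")


def timeline(notables):
    """Notables sorted by time; zero-padded HH:MM strings sort correctly as text."""
    return sorted(notables, key=lambda n: n["time"])


def kill_chain(notables):
    """Group notables by phase, in PHASE_ORDER, time-ordered inside each phase."""
    by_phase = defaultdict(list)
    for n in timeline(notables):
        by_phase[TECHNIQUE_PHASE[n["technique"]]].append(n["search_name"])
    return [(phase, by_phase.get(phase, [])) for phase in PHASE_ORDER]


def missing_phases(notables):
    """Phases with no supporting notable: gaps the report must explain or a new detection must cover."""
    return [phase for phase, names in kill_chain(notables) if not names]


def iocs(notables):
    """Deduplicated (type, value) IOC list pulled from the notable detail fields."""
    return sorted({(f, n[f]) for n in notables for f in IOC_FIELDS if f in n})


def risk_by_entity(notables, threshold=100):
    """Python equivalent of the lab SPL: sum risk_score and collect search names
    per risk_object, keep entities above threshold, sort descending by total."""
    totals, contributing = defaultdict(int), defaultdict(set)
    for n in notables:
        totals[n["risk_object"]] += n["risk_score"]
        contributing[n["risk_object"]].add(n["search_name"])
    rows = [(obj, t, sorted(contributing[obj])) for obj, t in totals.items() if t > threshold]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for n in timeline(NOTABLES):
        phase = TECHNIQUE_PHASE[n["technique"]]
        print(n["time"], phase.ljust(10), n["technique"].ljust(9), n["search_name"])
    print("phases without evidence:", missing_phases(NOTABLES))
    print("IOCs:", iocs(NOTABLES))
    for obj, total, names in risk_by_entity(NOTABLES):
        print(obj, total, names)
```

Running the script prints the ordered timeline from the 12:04 phish to the 12:55 rename, an empty gap list (every phase has a notable), the five IOCs, and two entities over the 100 threshold, the file server first. Dropping a notable from `NOTABLES` makes `missing_phases` report the phase it covered, which is a quick way to check which of the three new detections you write would close a real hole in the chain.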