WEEK_1 · DAY_06 · LAB

Lab 6 — Hunt Office → PowerShell

Windows Event Logs, Sysmon, Linux auth & auditd

LAB PROGRESS0/4 steps · 0%

Lab Objectives

›Read Windows Security & Sysmon events
›Memorize the top 10 high-value Event IDs
›Parse Linux auth.log and auditd records
›Understand the Splunk Universal Forwarder

Lab Instructions

1
Open Splunk → Search.
2
Run the pre-loaded Sysmon query for Office children.
3
Decode any base64 in the CommandLine.
4
Identify the user and host; recommend EDR isolation.

SPL for this Lab

Failed logons by user open in Splunk

index=wineventlog EventCode=4625
| stats count by Account_Name, src_ip
| where count > 10
| sort - count

// Brute force candidates.

Office spawning shells open in Splunk

index=sysmon EventCode=1
  ParentImage IN ("*winword.exe","*excel.exe","*outlook.exe")
  Image IN ("*powershell.exe","*cmd.exe","*wscript.exe")
| table _time Computer User ParentImage Image CommandLine

// Macro-based execution chain — phishing payload.

← LAB 5

Lab 5 — DNS Tunneling Hunt

LAB 7 →

Lab 7 — Map a Real Breach