Lab 16 – Threat Hunting Validation & Attack Simulation

This lab validates your threat‑hunting workflows by simulating attacker behavior across authentication, network, and system layers. You’ll run controlled attacks, test your hunting queries, and refine your playbooks.

• Outcome 1: Simulated attacker behavior executed safely.
• Outcome 2: Hunting queries validated across multiple log sources.
• Outcome 3: Dashboards and playbooks tested for accuracy.
• Outcome 4: Gaps identified and improvements documented.

• DL16.1: Simulated attacker behaviors executed.
• DL16.2: Hunting queries validated.
• DL16.3: Dashboards and playbooks tested.
• DL16.4: Detection gaps documented.
• DL16.5: Month 4 final report completed.

1. From WIN10‑LAB, simulate:
   • Failed logon bursts
   • Password‑spray attempts
   • Unusual logon hours
2. Validate hunting queries for:
   • Failed logon spikes
   • Unusual user behavior
   • Repeated authentication failures

1. Run controlled scans:

   nmap -sS 10.10.10.1

   nmap -A 10.10.10.1

2. Trigger suspicious DNS queries.
3. Validate hunting queries for:
   • Port scans
   • DNS anomalies
   • High‑volume connections

1. Simulate:
   • Suspicious PowerShell commands
   • Unauthorized service creation
   • Privilege escalation attempts
2. Validate hunting queries for:
   • Process anomalies
   • Service modifications
   • Privilege escalation patterns

1. Review dashboards for:
   • Authentication anomalies
   • Network spikes
   • System‑level alerts
2. Run playbooks for:
   • Brute‑force attacks
   • Suspicious DNS activity
   • Lateral movement
3. Document detection gaps and improvements.

• Validation: How simulated attacks confirm your hunting logic works.
• Correlation: How multi‑layer logs reveal attacker behavior.
• Improvement: How detection gaps guide future tuning.

With this lab, you’ve completed Month 4 and validated your proactive detection capabilities. In Month 5, you’ll move into endpoint security and EDR tooling.