Listen to this Post

Introduction:
In the ever-escalating cyber arms race, proactive threat hunting has become the critical differentiator between a reactive security team and a resilient fortress. Izzmier Izzuddin Zulkepli, a Head of Security Operations Center, has publicly released a comprehensive set of five practical threat hunting exercises for 2026, complete with downloadable forensic logs. This resource is a goldmine for SOC analysts and threat hunters aiming to move beyond alert triage and actively uncover adversary tactics, techniques, and procedures (TTPs) lurking within their networks.
Learning Objectives:
- Develop a systematic methodology for investigating suspicious network and endpoint activity across diverse log sources.
- Translate theoretical ATT&CK framework knowledge into practical, hands-on investigation steps using real-world data.
- Build and reinforce essential skills in log analysis, timeline creation, and evidence correlation to determine the scope and impact of a security incident.
You Should Know:
1. Setting Up Your Forensic Analysis Environment
Before diving into the logs, a proper analysis environment is crucial. You need tools to parse, search, and visualize the provided data, which likely includes Windows Event Logs, firewall traffic, process execution logs, and potentially PowerShell transcripts.
Step‑by‑step guide explaining what this does and how to use it.
First, establish a secure, isolated virtual machine (preferably Linux for tool flexibility). Install essential analysis tools:
– Siesta/SQLite Browser: Many log files, especially from tools like Velociraptor or Osquery, are in SQLite format.
– jq: For parsing and filtering JSON-based log outputs.
– Logcli or grep/awk: For efficient text log searching.
– Wireshark: If packet captures (PCAPs) are included in the logs.
– Timeline generators: Like `plaso` (log2timeline) to unify timestamps from disparate sources.
Linux Command Example – Bulk File Inspection:
Navigate to the downloaded log directory
cd ~/Downloads/ThreatHunt_2026/
Get a high-level overview of file types
file ./
Search for a common IOC like a suspicious IP across all text-based logs
grep -r "192.168.1.100" . --include=".txt" --include=".log" --include=".json"
Parse a JSON log file and extract specific fields (e.g., process names)
cat process_events.json | jq '. | {timestamp: .utc_time, process: .process_name, cmdline: .cmdline}'
2. Exercise 1: Initial Foothold & Command Execution
This exercise likely focuses on the initial exploitation phase. The logs will contain evidence of an attacker gaining a foothold, possibly through a phishing payload or exploit, and executing their first commands.
Step‑by‑step guide explaining what this does and how to use it.
Start by identifying the initial malicious process. In Windows Event Logs (Security and Sysmon), look for Event ID 4688 (process creation) or Sysmon Event ID 1. Correlate this with network connections (Event ID 5156 or firewall logs) to identify beaconing to a Command & Control (C2) server.
Windows Command (If analyzing a live system or memory dump):
Query Windows Security logs for process creation events (PowerShell as admin) Get-WinEvent -LogName Security -FilterXPath "[System[EventID=4688]]" | Select-Object -First 20 | Format-List TimeCreated, Message Using Sysinternals Sysmon (if configured), filter for parent/child process relationships This is often where you see `cmd.exe` spawned from `outlook.exe` or `powershell.exe` from <code>mshta.exe</code>.
Analysis Steps:
- Sort all logs by timestamp to establish a timeline.
2. Identify the earliest anomalous process execution.
- Examine its parent process. Was it a legitimate application (like Office, browser) or a service?
- Extract the command-line arguments of the suspicious process. Look for encoded strings, suspicious flags (
-Enc,-e,IEX), or downloads from external IPs. - Cross-reference the process hash with VirusTotal or internal intelligence.
3. Exercise 2: Persistence Mechanism Deployment
After initial access, attackers establish persistence. This exercise’s logs will hide evidence of registry run keys, scheduled tasks, service installations, or WMI event subscriptions.
Step‑by‑step guide explaining what this does and how to use it.
Focus on Windows management logs. For registry persistence, examine `Microsoft-Windows-Sysmon/Operational` Event ID 12 (Registry object create/delete) targeting paths like HKLM\Software\Microsoft\Windows\CurrentVersion\Run. For scheduled tasks, look for Event ID 4698 (Scheduled task created) or Sysmon Event ID 19 (WMIEvent).
Windows Registry Analysis Command:
Check common AutoStart locations via PowerShell (live analysis) Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User Query Registry for Run keys (current user and local machine) reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Analysis Steps:
- Filter logs for registry modification events post-initial access timestamp.
2. Look for modifications under known persistence paths.
- For scheduled tasks, analyze the `Actions` field to see what command is executed.
- Correlate the persistence mechanism’s creation time with network or process execution logs to confirm it’s attacker-driven.
4. Exercise 3: Lateral Movement & Credential Access
Here, the hunt shifts to movement across the network. Logs will contain evidence of techniques like PsExec, WMI execution, SMB shares, or suspicious RDP connections, alongside tools like Mimikatz for credential dumping.
Step‑by‑step guide explaining what this does and how to use it.
Key log sources are Windows Security Event IDs for logon events (4624, 4625, 4648 for explicit credentials) and network logs. A successful lateral movement will show a logon from one internal host to another. Look for `Logon Type 3` (Network logon) or `Logon Type 10` (RemoteInteractive for RDP) from a suspicious source.
Network & Logon Correlation (Hypothetical log analysis):
Using combined logs, you might script a search for logons from a compromised host (10.0.0.15) This grep looks for successful logons (EventID 4624) from that source IP. grep "EventID=4624" security_events.evtx.xml | grep "SourceNetworkAddress=10.0.0.15" Check for privileged account usage across systems (e.g., Domain Admin) This searches for the account name in various log files. cat | grep -i "DOMAIN\Administrator" | grep -v "Logon Failure"
Analysis Steps:
- Map all logon events, especially successful ones, after the initial compromise.
- Identify logons from the compromised host to other internal systems.
- Look for associated events indicating credential dumping, such as `LSASS` process access (Sysmon Event ID 10) or large volumes of `Kerberos TGT` requests.
- Correlate with firewall/IDS logs for unusual protocols (e.g., SMB, RPC) between internal hosts not normally communicating.
5. Exercise 4: Data Exfiltration & C2 Communication
This exercise targets the attacker’s goal: stealing data. Logs will show large outbound data transfers, unusual protocols (DNS tunneling, HTTP POSTs to unknown domains), or connections to known-bad IPs from the threat intelligence feeds.
Step‑by‑step guide explaining what this does and how to use it.
Concentrate on proxy logs, DNS query logs, and netflow data. Look for statistical anomalies: a host suddenly generating significantly more outbound traffic than its baseline, or making repeated DNS queries for long, random subdomains.
Linux-based Netflow/DNS Analysis Examples:
Analyze a netflow capture file (using nfdump) for top talkers by bytes
nfdump -r netflow.log -s ip/bytes -n 10
Parse DNS query logs for suspicious patterns (e.g., very long subdomains, TXT record spikes)
cat dns_queries.log | awk '{print $9}' | grep -E '([a-z0-9]{30,}.)' | sort | uniq -c | sort -nr
Check for HTTP POST requests with large `content-length` in proxy logs
grep "POST" proxy_access.log | awk '{if($12 > 1000000) print $3, $7, $12}' | sort -k3 -nr
Analysis Steps:
- Baseline normal outbound traffic patterns for the affected host.
- Identify connections to external IPs/domains not in the organization’s whitelist.
- Look for protocol misuse: Is DNS query payload size abnormally large? Are HTTPS connections going to non-standard ports?
- Correlate exfiltration activity timestamps with file access logs on sensitive data stores.
-
Exercise 5: Full Kill Chain Reconstruction & Reporting
The final exercise ties all previous phases together. The objective is to create a cohesive narrative of the attack, from initial access to impact, documenting all evidence (IOCs, TTPs) for eradication and a formal report.
Step‑by‑step guide explaining what this does and how to use it.
Use a timeline analysis approach. Tools like `log2timeline/plaso` can automate this from raw logs. The goal is to produce a single, chronologically ordered file of all events, which allows you to see the attacker’s workflow clearly.
Creating a Super Timeline:
Generate a Plaso timeline database from a mounted evidence disk/image log2timeline.py --parsers win7,win7_slow,custom_destinations ./case.plaso /mnt/evidence/ Query the timeline for events related to a specific file or user psort.py -w timeline.csv ./case.plaso "date > '2026-01-01' and (filename contains 'invoice.pdf' or user contains 'svc_backup')"
Analysis Steps:
- Ingest all logs from Exercises 1-4 into your timeline tool or a SIEM-like environment.
- Filter and tag events related to each phase of the kill chain (Initial Access, Execution, Persistence, etc.).
- Identify the root cause and key pivoting points (e.g., which compromised credential was used for lateral movement).
- Extract a complete list of IOCs (IPs, domains, hashes, registry keys) and map TTPs to the MITRE ATT&CK framework.
- Draft a report summarizing the incident scope, attacker actions, impacted assets, and recommended containment strategies.
What Undercode Say:
- Proactive Practice is Non-Negotiable: These exercises bridge the gap between theoretical security frameworks and the messy reality of log data. Regularly practicing with such datasets is the most effective way to sharpen investigative intuition and reduce mean time to detect (MTTD).
- The Devil is in the Correlation: Individual log entries are rarely conclusive. The true skill of a threat hunter lies in connecting seemingly disparate events across multiple sources (endpoint, network, identity) to build an undeniable story of compromise.
The release of these exercises underscores a major shift in cybersecurity culture towards open collaboration and practical skill development. Rather than guarding proprietary playbooks, leading practitioners are sharing real-world scenarios to elevate the entire community’s defensive capabilities. This approach directly combats the asymmetric advantage attackers have, by creating a larger pool of analysts trained to recognize advanced TTPs. The future impact is a more resilient, skilled, and standardized global SOC workforce, capable of not just responding to alerts, but consistently hunting down and ejecting adversaries before they achieve their ultimate objectives.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Izzmier Threat – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


