⭐ Day 11 – Full Attack Scenario Simulation (Phishing → Brute Force → Privilege Escalation)

Today you will teach students a complete SOC workflow:

  1. Attacker sends phishing
  2. User gets compromised
  3. Brute-force attack begins
  4. Successful login happens
  5. Privilege escalation occurs
  6. Persistence created
  7. Evidence appears in Splunk
  8. SOC Analyst investigates & maps to MITRE

This gives students REAL experience.


🎯 Objectives

By end of Day 11 your students should understand:

✔ How attackers chain multiple techniques
✔ How logs reveal each step
✔ How to detect attacks using Splunk
✔ How MITRE ATT&CK maps to each stage
✔ How SOC Analysts investigate incidents


🧩 Attack Scenario Overview (Simple Story)

Explain to students:

“An attacker targets an employee with a phishing email.
They get initial access, try multiple logins, escalate privileges, and create persistence.
We will detect all this through Windows + Linux logs in Splunk.”


🔥 Stage 1 – Initial Access (Phishing Simulation)

Tell students:

  • User clicked a fake PDF
  • Attacker now has password

Since we can’t simulate the phishing email itself, we simulate its results in the logs:

✔ Attacker tries multiple logins that fail
✔ Then one login succeeds

Splunk Query:

index=* EventCode=4625

MITRE: Initial Access (T1566)


🔥 Stage 2 – Credential Access (Brute Force Simulation)

Attacker tries many passwords.

Splunk:

index=* EventCode=4625
| stats count by IpAddress
| where count > 5

MITRE: T1110 Brute Force


🔥 Stage 3 – Successful Compromise

After several failures:

index=* EventCode=4624

Look for successful logons for the same account and source in the same time window as the failures.

MITRE: T1078 Valid Accounts


🔥 Stage 4 – Lateral Movement (RDP Login)

Attacker uses RDP (Logon Type 10, RemoteInteractive) to reach other hosts.

Splunk:

index=* EventCode=4624 Logon_Type=10

MITRE: T1021 Remote Services (Lateral Movement)


🔥 Stage 5 – Privilege Escalation

Attacker gets admin rights (Event 4672: special privileges assigned to a new logon).

Splunk:

index=* EventCode=4672

MITRE: T1068 Privilege Escalation


🔥 Stage 6 – Persistence (New Account Created)

Attacker creates a new account (Event 4720) and adds it to a privileged local group (Event 4732):

Splunk:

index=* EventCode=4720 OR EventCode=4732

MITRE: T1136 Create Account


🧪 Day 11 Hands-On Simulation

Give students these tasks:


Task 1 – Identify initial brute-force

index=* EventCode=4625
| stats count by Account_Name, IpAddress


Task 2 – Identify the successful login

index=* EventCode=4624
| stats count by Account_Name, IpAddress


Task 3 – Correlate failed + successful logins

index=* (EventCode=4624 OR EventCode=4625)
| transaction Account_Name maxspan=5m


Task 4 – Detect lateral movement

index=* EventCode=4624 Logon_Type=10


Task 5 – Detect privilege escalation

index=* EventCode=4672


Task 6 – Detect persistence

index=* (EventCode=4720 OR EventCode=4732)
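The six stage queries and the six tasks above are one detection chain, so here is the same chain worked end to end in Python. This is an added example, not code from the lesson: it walks constructed Windows Security events in the shape of the lesson's Splunk fields (EventCode, Account_Name, IpAddress, Logon_Type), and the sample data, the "more than 5 failures" threshold and the 5-minute correlation window are assumptions taken from the lesson's own queries. Each finding is tagged with the MITRE technique the lesson assigns to that stage.

```python
# Added example (not from the lesson): the Day 11 detection chain in Python over
# constructed events. Field names mirror the lesson's Splunk fields; the sample
# events, the "> 5 failures" threshold and the 5-minute window are assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# MITRE ATT&CK technique labels as the lesson assigns them to each stage.
MITRE = {
    "brute_force": "T1110 Brute Force",
    "valid_account": "T1078 Valid Accounts",
    "lateral_movement": "T1021 Remote Services (Lateral Movement)",
    "priv_esc": "T1068 Privilege Escalation",
    "persistence": "T1136 Create Account",
}


def ev(time, code, account, ip, **extra):
    """Build one constructed event using the lesson's Splunk field names."""
    return {"_time": time, "EventCode": code, "Account_Name": account,
            "IpAddress": ip, **extra}


# Constructed sample data: benign noise for asmith, then the full chain against jdoe.
SAMPLE_EVENTS = [
    ev("2024-01-15T08:30:00", 4625, "asmith", "10.0.0.5"),
    ev("2024-01-15T08:30:05", 4625, "asmith", "10.0.0.5"),
    ev("2024-01-15T08:45:00", 4624, "asmith", "10.0.0.5", Logon_Type=2),
    # Stage 2: six failures in under a minute from a single source
    *[ev(f"2024-01-15T09:00:{s:02d}", 4625, "jdoe", "10.0.0.99") for s in range(0, 60, 10)],
    ev("2024-01-15T09:02:10", 4624, "jdoe", "10.0.0.99", Logon_Type=3),   # Stage 3
    ev("2024-01-15T09:04:30", 4624, "jdoe", "10.0.0.99", Logon_Type=10),  # Stage 4 (RDP)
    ev("2024-01-15T09:04:31", 4672, "jdoe", "10.0.0.99"),                 # Stage 5
    ev("2024-01-15T09:06:30", 4720, "jdoe", "10.0.0.99", Target_Account="svc_backup"),  # Stage 6
    ev("2024-01-15T09:06:35", 4732, "jdoe", "10.0.0.99", Group="Administrators"),
]


def _t(e):
    return datetime.fromisoformat(e["_time"])


def brute_force_sources(events, threshold=5):
    """Stage 2 / Task 1: EventCode=4625 | stats count by IpAddress | where count > 5."""
    counts = Counter(e["IpAddress"] for e in events if e["EventCode"] == 4625)
    return {ip: n for ip, n in counts.items() if n > threshold}


def success_after_failures(events, maxspan=timedelta(minutes=5)):
    """Stage 3 / Task 3: a 4624 for the same account and source within maxspan
    after one or more 4625s (what the lesson's transaction ... maxspan=5m groups)."""
    failures = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4625:
            failures[(e["Account_Name"], e["IpAddress"])].append(_t(e))
    hits = []
    for e in events:
        if e["EventCode"] != 4624:
            continue
        key = (e["Account_Name"], e["IpAddress"])
        prior = [f for f in failures.get(key, []) if timedelta(0) <= _t(e) - f <= maxspan]
        if prior:
            hits.append({"time": e["_time"], "account": key[0], "ip": key[1],
                         "failures_before": len(prior)})
    return hits


def rdp_logons(events):
    """Stage 4 / Task 4: EventCode=4624 Logon_Type=10 (RemoteInteractive)."""
    return [e for e in events if e["EventCode"] == 4624 and e.get("Logon_Type") == 10]


def special_privilege_logons(events):
    """Stage 5 / Task 5: EventCode=4672, special privileges assigned to a new logon."""
    return [e for e in events if e["EventCode"] == 4672]


def account_persistence(events):
    """Stage 6 / Task 6: EventCode=4720 (user created) OR 4732 (added to a local group)."""
    return [e for e in events if e["EventCode"] in (4720, 4732)]


def build_timeline(events):
    """Run every stage and return (time, MITRE label, detail) findings in time order."""
    findings = []
    for ip, n in brute_force_sources(events).items():
        first = min(e["_time"] for e in events if e["EventCode"] == 4625 and e["IpAddress"] == ip)
        findings.append((first, MITRE["brute_force"], f"{n} failed logons from {ip}"))
    for h in success_after_failures(events):
        findings.append((h["time"], MITRE["valid_account"],
                         f"{h['account']} logged on from {h['ip']} after {h['failures_before']} failures"))
    for e in rdp_logons(events):
        findings.append((e["_time"], MITRE["lateral_movement"],
                         f"RDP logon by {e['Account_Name']} from {e['IpAddress']}"))
    for e in special_privilege_logons(events):
        findings.append((e["_time"], MITRE["priv_esc"], f"special privileges assigned to {e['Account_Name']}"))
    for e in account_persistence(events):
        findings.append((e["_time"], MITRE["persistence"], f"EventCode {e['EventCode']} by {e['Account_Name']}"))
    return sorted(findings)


if __name__ == "__main__":
    for time, technique, detail in build_timeline(SAMPLE_EVENTS):
        print(f"{time}  {technique:42} {detail}")
```

Running the script prints the seven findings in order, from the brute force at 09:00 to the group change at 09:06, which is the same story students reconstruct in Splunk. The correlation step is the one worth dwelling on: asmith's two failures followed by a logon fifteen minutes later produce nothing, because the window and the failure count are both part of the detection, not just the event codes.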


🎤 Trainer Script (Say to Students)

“This is how attackers behave in real life.
They don’t use one technique — they chain multiple.
Today you detected an attack from initial access to persistence.
This is real SOC work.”


πŸ“ Homework (Day 11)

Students submit:

  1. Screenshot of brute-force detection
  2. Screenshot of successful login
  3. Screenshot of privilege escalation
  4. Screenshot of persistence
  5. MITRE mapping for each
