Day 6 – MITRE ATT&CK Hands-On + Splunk Detection (Beginner Level)

After learning MITRE theory on Day 5, today students will practice real attack detection in Splunk.

We connect three things:

  • MITRE tactic
  • Real log behavior
  • Splunk search query

This is how SOC analysts think: tactic first, then the evidence in the logs, then a search that finds it.


🧠 What Students Will Learn Today

✔ How to map logs → MITRE
✔ How to detect brute-force (Credential Access)
✔ How to detect suspicious commands (Execution)
✔ How to detect lateral movement (Lateral Movement)
✔ How to detect persistence activity (Persistence)
✔ How to use Splunk search effectively


🔥 MITRE Technique #1 – Brute Force (Credential Access)

Technique ID: T1110
Tactic: Credential Access

What happens:

Many failed login attempts in a short time.

Splunk Query

index=* (fail OR failed)
| stats count by user, IP
| where count > 5

What to teach students

  • Attackers try many passwords
  • Appears as multiple “failed login” logs
  • If count > 5 → suspected brute force
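The brute-force search above, reimplemented in Python over constructed auth log lines as an added example (this code is not from the lesson and is not Splunk code). It parses failed-login lines, reproduces what "stats count by user, IP" does, and then goes one step further than the SPL shown: it counts failures inside a 5-minute sliding window, which is what "in a short time" means in practice (in SPL you would get a similar effect with "bin _time span=5m" before the stats). The log format, user names and IP addresses are made up for this example.

```python
# Added example (not from the lesson): the logic of
#   index=* (fail OR failed) | stats count by user, IP | where count > 5
# reimplemented over constructed sshd-style auth lines, plus the time window
# the Splunk query leaves out: failures are counted per (user, IP) inside a
# sliding window, so a burst is flagged and slow, spread-out failures are not.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified sshd format (not real log data).
SAMPLE_LOGS = """\
2024-01-10 09:00:01 sshd[1201]: Failed password for admin from 10.0.0.5 port 51000 ssh2
2024-01-10 09:00:03 sshd[1202]: Failed password for admin from 10.0.0.5 port 51002 ssh2
2024-01-10 09:00:04 sshd[1203]: Failed password for admin from 10.0.0.5 port 51004 ssh2
2024-01-10 09:00:06 sshd[1204]: Failed password for admin from 10.0.0.5 port 51006 ssh2
2024-01-10 09:00:07 sshd[1205]: Failed password for admin from 10.0.0.5 port 51008 ssh2
2024-01-10 09:00:09 sshd[1206]: Failed password for admin from 10.0.0.5 port 51010 ssh2
2024-01-10 09:00:30 sshd[1207]: Accepted password for admin from 10.0.0.5 port 51012 ssh2
2024-01-10 09:05:00 sshd[1208]: Failed password for alice from 10.0.0.9 port 40000 ssh2
2024-01-10 11:05:00 sshd[1209]: Failed password for alice from 10.0.0.9 port 40001 ssh2
2024-01-10 13:05:00 sshd[1210]: Failed password for alice from 10.0.0.9 port 40002 ssh2
2024-01-10 15:05:00 sshd[1211]: Failed password for alice from 10.0.0.9 port 40003 ssh2
2024-01-10 17:05:00 sshd[1212]: Failed password for alice from 10.0.0.9 port 40004 ssh2
2024-01-10 19:05:00 sshd[1213]: Failed password for alice from 10.0.0.9 port 40005 ssh2
"""

# Matches only failed logins; "Accepted password" lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(text):
    """Return (timestamp, user, ip) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("ip")))
    return events

def count_by_user_ip(events):
    """Equivalent of '| stats count by user, IP' with no time window."""
    counts = defaultdict(int)
    for _, user, ip in events:
        counts[(user, ip)] += 1
    return dict(counts)

def brute_force_alerts(events, threshold=5, window_minutes=5):
    """Flag (user, ip) pairs with more than `threshold` failures inside any
    span of `window_minutes`. Timestamps are sorted per key and swept with a
    two-pointer window; the value is the largest burst seen for that key."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_key[(user, ip)].append(ts)
    alerts = {}
    for key, stamps in by_key.items():
        start = 0
        for end in range(len(stamps)):
            # Move the window start forward until the span fits in `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            in_window = end - start + 1
            if in_window > threshold:
                alerts[key] = max(alerts.get(key, 0), in_window)
    return alerts

if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOGS)
    print("stats count by user, IP:", count_by_user_ip(evs))
    print("brute-force alerts (>5 in 5 min):", brute_force_alerts(evs))
```

Run it and compare the two results: the plain count flags both admin and alice (six failures each), while the windowed version flags only admin, because alice's six failures are spread over ten hours. That difference is the reason real brute-force rules carry a time window, not just a count.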

🔥 MITRE Technique #2 – Suspicious Commands (Execution)

Technique ID: T1059
Tactic: Execution

Windows Example

Attackers run PowerShell with encoded commands.

Splunk Query

index=* powershell
| search "EncodedCommand"

Linux Example

index=* sourcetype=linux_secure "sudo" "root"

Teach Students

  • PowerShell misuse is common
  • Encoded commands = red flag

🔥 MITRE Technique #3 – Discovery (Network/Host Scanning)

Technique ID: T1087 (Account Discovery) / T1083 (File and Directory Discovery) / T1046 (Network Service Discovery)
Tactic: Discovery

Splunk Query

index=* ( "nmap" OR "port scan" OR "masscan" )

Or look for an unusually high number of connections from the same source IP:

index=*
| stats count by src_ip
| where count > 100


🔥 MITRE Technique #4 – Lateral Movement (Remote Login Attempts)

Technique ID: T1021
Tactic: Lateral Movement

Windows RDP Example

index=* sourcetype=WinEventLog:Security EventCode=4624
| search Logon_Type=10

Linux SSH Example

index=* ssh ("Accepted password" OR "Failed password")

Explain

  • Logon Type 10 → RemoteInteractive, i.e. a login over RDP
  • Lateral movement usually happens after credential theft, when stolen credentials are reused to log in to other hosts

🔥 MITRE Technique #5 – Persistence (New Accounts Created)

Technique ID: T1136
Tactic: Persistence

Windows New User

index=* EventCode=4720

Event ID 4720 is logged when a user account is created, so this shows new users being added.

Linux New User

index=* ("useradd" OR "adduser")
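To make the "logs → MITRE" mapping concrete, here is an added Python example (not part of the lesson and not Splunk code) that expresses the searches from Techniques #2 to #5 as one rules table and runs it over constructed events. The events are plain dicts using the same field names the queries above use (EventCode, Logon_Type); the process, CommandLine and host fields and every sample value are assumptions made for this example.

```python
# Added example, not from the lesson: the Splunk searches in Techniques #2-#5
# expressed as one rules table, run over constructed events. Field names
# EventCode and Logon_Type follow the queries in the lesson; process,
# CommandLine, host and all sample values are constructed for this example.

# Constructed sample events (dicts standing in for parsed Splunk events).
SAMPLE_EVENTS = [
    {"host": "WS01", "EventCode": 4624, "Logon_Type": 10, "user": "jdoe",
     "src_ip": "192.0.2.7"},                                   # RDP (RemoteInteractive) logon
    {"host": "WS01", "EventCode": 4624, "Logon_Type": 2, "user": "jdoe"},  # console logon, not flagged
    {"host": "SRV02", "EventCode": 4720, "user": "svc_backup2"},           # new Windows account
    {"host": "WS03", "process": "powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand <base64 omitted>"},    # encoded PowerShell
    {"host": "lnx01", "process": "bash", "CommandLine": "sudo useradd deploy2"},  # new Linux account
    {"host": "lnx01", "process": "bash", "CommandLine": "nmap 192.0.2.0/24"},     # scanner run on a host
]

def _cmd(event):
    """Lower-cased command line, or an empty string when the event has none."""
    return event.get("CommandLine", "").lower()

# Each rule: (technique ID, tactic, predicate). The predicates mirror the
# Splunk searches in the lesson one for one.
RULES = [
    # Technique #2: index=* powershell | search "EncodedCommand"
    # Like the lesson's query this matches only the full parameter name;
    # PowerShell also accepts abbreviated parameter names, so a production
    # rule should cover those spellings as well.
    ("T1059", "Execution",
     lambda e: "powershell" in e.get("process", "").lower()
               and "encodedcommand" in _cmd(e)),
    # Technique #3: index=* ("nmap" OR "port scan" OR "masscan")
    ("T1046", "Discovery",
     lambda e: any(tool in _cmd(e) for tool in ("nmap", "port scan", "masscan"))),
    # Technique #4: EventCode=4624 | search Logon_Type=10
    ("T1021", "Lateral Movement",
     lambda e: e.get("EventCode") == 4624 and e.get("Logon_Type") == 10),
    # Technique #5 (Windows): index=* EventCode=4720
    ("T1136", "Persistence",
     lambda e: e.get("EventCode") == 4720),
    # Technique #5 (Linux): index=* ("useradd" OR "adduser")
    ("T1136", "Persistence",
     lambda e: any(cmd in _cmd(e) for cmd in ("useradd", "adduser"))),
]

def map_event(event):
    """Return the (technique, tactic) pairs whose rule fires for one event."""
    hits = []
    for tid, tactic, pred in RULES:
        if pred(event) and (tid, tactic) not in hits:
            hits.append((tid, tactic))
    return hits

def technique_counts(events):
    """Equivalent of '| stats count by technique' over the mapped events."""
    counts = {}
    for event in events:
        for tid, _ in map_event(event):
            counts[tid] = counts.get(tid, 0) + 1
    return counts

def unmapped(events):
    """Events no rule fires for: the place to start when hunting for gaps."""
    return [e for e in events if not map_event(e)]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["host"], "->", map_event(e) or "no rule")
    print("stats count by technique:", technique_counts(SAMPLE_EVENTS))
```

Each rule carries its technique ID and tactic, so the output answers the Day 6 question directly: which tactic does this log line belong to? The Logon_Type 2 event is left unmapped on purpose, to show that a 4624 alone is not lateral movement; only type 10 is.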


🧪 Day 6 Hands-On Lab for Students (Simple)

Give students 5 tasks.


Task 1 – Detect Brute Force (Credential Access)

index=* fail
| stats count by IP
| where count > 5

MITRE: T1110


Task 2 – Detect Remote Logins (Lateral Movement)

index=* 4624 
| search Logon_Type=10

MITRE: T1021


Task 3 – Detect Suspicious PowerShell (Execution)

index=* powershell "EncodedCommand"

MITRE: T1059


Task 4 – Detect Enumeration (Discovery)

index=* ("nmap" OR "masscan")

MITRE: T1046

Task 5 – Detect New User Created (Persistence)

index=* EventCode=4720

MITRE: T1136

🎤 Trainer Script for Day 6

Use this script to explain:

“Today you connected MITRE ATT&CK with actual logs.
When you see failed logins, that’s Credential Access.
When you see RDP logins, that’s Lateral Movement.
MITRE helps SOC analysts understand where the attacker is in the attack chain.”


📝 Homework for Day 6

Tell students to write:

  • One MITRE technique
  • Example log
  • Example Splunk query

Example:

MITRE: T1110 Brute Force
Log Example: Multiple failed logins
Splunk Query:

index=* fail | stats count by IP

