Day 9 – Windows Log Correlation + Linux Attack Simulation (Hands-On SOC)

Today students will do real SOC work:

  • Correlate Windows log events
  • Detect attack sequences (MITRE based)
  • Perform a small Linux brute-force simulation
  • See the attack appear in Splunk
  • Investigate it like a SOC analyst

🧠 1. What is Windows Log Correlation?

Correlation = combining multiple log events to understand a full attack.

Example:
➡ 4625 (Failed logins)
➡ Then 4624 (Successful login)
➡ Then 4672 (Admin rights)
➡ Then 4720 (New user created)

This shows the full attacker movement.


🔥 2. Windows Event Sequence Example (Real Attack)

Stage 1 – Brute Force

4625 – Failed login

Stage 2 – Compromise

4624 – Successful login

Stage 3 – Privilege Escalation

4672 – Special privileges assigned

Stage 4 – Persistence

4720 – New user created
4728 – Added to admin group

Stage 5 – Execution / Action

7045 – New service installed (possible malware)

This is a MITRE chain:

  • T1110 Brute Force
  • T1078 Valid Accounts
  • T1068 Priv Esc
  • T1136 Persistence
  • T1569 Execution

🔍 3. Splunk Correlation Queries (Beginner-Friendly)

Correlation 1 – Failed + Successful Logon

index=* (EventCode=4625 OR EventCode=4624)
| transaction Account_Name maxspan=5m
| table Account_Name, EventCode, IpAddress, _time

Correlation 2 – Privilege escalation after login

index=* EventCode=4624 (Logon_Type=2 OR Logon_Type=10)
| join Account_Name
    [search index=* EventCode=4672]

Correlation 3 – New admin user created

index=* (EventCode=4720 OR EventCode=4732)
| table Account_Name, Target_Username, Group_Name


🟩 4. Linux Attack Simulation (Students Will Perform)

We will simulate a small SSH brute-force attack from within WSL or another Linux system.

This will generate:

  • “Failed password” logs
  • “Accepted password” if success
  • MITRE T1110 pattern
  • Splunk detection

🚀 Linux Attack Simulation Steps

Step 1 – Open WSL or Linux terminal

Step 2 – Run a small brute-force loop

(This does NOT harm your system)

# Replace "user" with an existing local account; type a wrong password at each prompt
for i in {1..10}; do
  ssh user@localhost
done

You will see 10 failed login attempts.

Step 3 – Check logs in Linux

sudo tail -f /var/log/auth.log

You will see:

Failed password for user from 172.x.x.x

Step 4 – Splunk Universal Forwarder will send logs to Splunk


🔍 Splunk Query to Detect the Brute Force

index=* "Failed password"
| stats count by src_ip
| where count > 5

You will see your attacker IP (127.0.0.1 when the simulation targets localhost). If src_ip is empty, check which field name your sourcetype actually extracts for the source address.

MITRE:

  • T1110 – Brute Force

🔥 5. Correlate Linux Attack with Windows Activity (Advanced for students)

Tell students to look for:

  • Suspicious Windows logons (4624 type 10)
  • Followed by admin changes
  • Combined with Linux brute-force

Example correlation:

(index=* "Failed password") 
OR (index=* EventCode=4625) 
OR (index=* EventCode=4624 Logon_Type=10)

This teaches them multi-system detection.
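To show what the correlation and brute-force queries above actually do, here is an added Python example (not part of the original lesson or Splunk) that runs the same two detections over constructed sample data: the 4625 → 4624 → 4672 → 4720 chain per account within a 5-minute window from section 2, and the "Failed password" count per source IP from section 4. Host names, account names and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Windows events (time, EventCode, Account_Name); not real logs.
WINDOWS_EVENTS = [
    ("2024-05-01 09:00:01", 4625, "bob"), ("2024-05-01 09:00:03", 4625, "bob"),
    ("2024-05-01 09:00:05", 4625, "bob"), ("2024-05-01 09:00:40", 4624, "bob"),
    ("2024-05-01 09:00:41", 4672, "bob"), ("2024-05-01 09:01:10", 4720, "bob"),
    ("2024-05-01 09:02:00", 4624, "alice"), ("2024-05-01 09:02:01", 4672, "alice"),
]
# Constructed sample auth.log lines from the localhost simulation; not real logs.
AUTH_LOG = """\
May  1 09:05:01 labhost sshd[1201]: Failed password for student from 127.0.0.1 port 51000 ssh2
May  1 09:05:02 labhost sshd[1201]: Failed password for student from 127.0.0.1 port 51000 ssh2
May  1 09:05:03 labhost sshd[1201]: Failed password for student from 127.0.0.1 port 51000 ssh2
May  1 09:05:04 labhost sshd[1202]: Failed password for invalid user admin from 127.0.0.1 port 51002 ssh2
May  1 09:05:05 labhost sshd[1203]: Failed password for student from 127.0.0.1 port 51004 ssh2
May  1 09:05:06 labhost sshd[1204]: Failed password for student from 127.0.0.1 port 51006 ssh2
May  1 09:05:09 labhost sshd[1205]: Accepted password for student from 127.0.0.1 port 51008 ssh2
"""
CHAIN = [4625, 4624, 4672, 4720]  # brute force -> compromise -> priv esc -> persistence

def detect_windows_chain(events, maxspan_s=300):
    # Accounts whose events contain CHAIN in order within maxspan (like transaction maxspan=5m)
    by_account = defaultdict(list)
    for ts, code, acct in sorted(events):
        by_account[acct].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), code))
    hits = {}
    for acct, evs in by_account.items():
        stage, start = 0, None
        for t, code in evs:
            if start and (t - start).total_seconds() > maxspan_s:
                stage, start = 0, None  # window expired: start over
            if code == CHAIN[stage]:
                start = start or t  # first stage event opens the window
                stage += 1
                if stage == len(CHAIN):
                    hits[acct] = (start, t)
                    break
    return hits

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def detect_ssh_bruteforce(log_text, threshold=5):
    # Count 'Failed password' lines per source IP (stats count by src_ip | where count > threshold)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}
```

Only "bob" is flagged: "alice" has 4624 and 4672 but no preceding 4625 and no 4720, and the accepted login is not counted toward the brute-force threshold.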


🛠 6. Day 9 Hands-On Tasks

Task 1 – Correlate failed + successful Windows logins

index=* (EventCode=4624 OR EventCode=4625)
| transaction Account_Name maxspan=5m

Task 2 – Detect Linux brute-force simulation

index=* "Failed password"
| stats count by src_ip

Task 3 – Find privilege escalation

index=* EventCode=4672

Task 4 – Find persistence attempts

index=* EventCode=4720 OR EventCode=4732

Task 5 – Build a two-panel dashboard:

  • Brute-force attempts
  • New users created

🎤 Trainer Script

Say this during class:

“Correlation is the heart of SOC.
One log does not tell the story — but multiple logs together reveal the attacker’s path.
Today you learned how to connect events and simulate real attacks.”


📝 Homework for Day 9

Students submit:

  1. Their Linux brute-force output
  2. Windows correlation screenshot
  3. MITRE mapping
  4. Explanation of attack sequence
