Day 9: Windows Log Correlation + Linux Attack Simulation (Hands-On SOC)
Today students will do real SOC work:
- Correlate Windows log events
- Detect attack sequences (MITRE based)
- Perform a small Linux brute-force simulation
- See the attack appear in Splunk
- Investigate it like a SOC analyst
1. What is Windows Log Correlation?
Correlation = combining multiple log events to understand a full attack.
Example:
- 4625 (Failed logins)
- then 4624 (Successful login)
- then 4672 (Admin rights)
- then 4720 (New user created)
This shows the full attacker movement.
2. Windows Event Sequence Example (Real Attack)
Stage 1: Brute Force
4625: Failed login
Stage 2: Compromise
4624: Successful login
Stage 3: Privilege Escalation
4672: Special privileges assigned
Stage 4: Persistence
4720: New user created
4728: Added to admin group
Stage 5: Execution / Action
7045: New service installed (possible malware)
This is a MITRE chain:
- T1110 Brute Force
- T1078 Valid Accounts
- T1068 Priv Esc
- T1136 Persistence
- T1569 Execution
3. Splunk Correlation Queries (Beginner-Friendly)
Correlation 1: Failed + Successful Logon
index=* (EventCode=4625 OR EventCode=4624)
| transaction Account_Name maxspan=5m
| table Account_Name, EventCode, IpAddress, _time
Correlation 2: Privilege escalation after login
index=* EventCode=4624 (Logon_Type=2 OR Logon_Type=10)
| join Account_Name
[search index=* EventCode=4672]
The parentheses matter: without them Splunk reads the search as (EventCode=4624 AND Logon_Type=2) OR Logon_Type=10, which pulls in every Logon_Type=10 event regardless of EventCode.
Correlation 3: New admin user created
index=* (EventCode=4720 OR EventCode=4732)
| table Account_Name, Target_Username, Group_Name
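As an added illustration (not part of the original lesson), the Python below does in code what the Section 2 stage chain and the Correlation 1 query describe: group events per Account_Name inside a 5-minute window, require a burst of 4625 followed by a 4624, and then tag any 4672/4720 that follow with their MITRE stage. The events, account names and IPs are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (_time, EventCode, Account_Name, IpAddress)
EVENTS = [
    ("2024-05-01 09:00:01", 4625, "jdoe", "10.0.0.5"),
    ("2024-05-01 09:00:03", 4625, "jdoe", "10.0.0.5"),
    ("2024-05-01 09:00:05", 4625, "jdoe", "10.0.0.5"),
    ("2024-05-01 09:00:07", 4625, "jdoe", "10.0.0.5"),
    ("2024-05-01 09:00:09", 4625, "jdoe", "10.0.0.5"),
    ("2024-05-01 09:00:20", 4624, "jdoe", "10.0.0.5"),    # success right after the burst
    ("2024-05-01 09:01:00", 4672, "jdoe", "-"),           # special privileges assigned
    ("2024-05-01 09:02:30", 4720, "jdoe", "-"),           # new user created
    ("2024-05-01 09:00:10", 4625, "asmith", "10.0.0.9"),  # one typo, then success: benign
    ("2024-05-01 09:05:00", 4624, "asmith", "10.0.0.9"),
]

# Event ID -> MITRE stage, as in the Section 2 chain
STAGES = {4625: "T1110 Brute Force", 4624: "T1078 Valid Accounts",
          4672: "T1068 Priv Esc", 4720: "T1136 Persistence"}


def correlate(events, maxspan_seconds=300, min_failures=5):
    """Per-account correlation, the same idea as `transaction Account_Name maxspan=5m`.
    Returns {account: [stages]} for accounts whose window holds at least min_failures
    4625 events followed by a 4624, plus any 4672/4720 inside that window.
    Simplification: only the first window per account is evaluated."""
    maxspan = timedelta(seconds=maxspan_seconds)
    by_account = {}
    for ts, code, acct, _ip in sorted(events):  # zero-padded timestamps sort as time
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_account.setdefault(acct, []).append((t, code))
    findings = {}
    for acct, evs in by_account.items():
        start, failures, chain = None, 0, []
        for t, code in evs:
            start = start or t
            if t - start > maxspan:
                break  # outside the window: the transaction ends here
            if code == 4625:
                failures += 1
            elif code == 4624 and failures >= min_failures:
                chain = [STAGES[4625], STAGES[4624]]
            elif chain and code in (4672, 4720):
                chain.append(STAGES[code])
        if chain:
            findings[acct] = chain
    return findings


if __name__ == "__main__":
    for acct, chain in correlate(EVENTS).items():
        print(f"{acct}: {' -> '.join(chain)}")
```

Only jdoe is reported: asmith's single failure followed by a success is exactly the benign noise a raw `EventCode=4625` search would also show, which is why the threshold and the window are part of the detection.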
4. Linux Attack Simulation (Students Will Perform)
We will simulate a small SSH brute-force attack from within WSL or another Linux system.
This will generate:
- "Failed password" logs
- "Accepted password" if success
- MITRE T1110 pattern
- Splunk detection
Linux Attack Simulation Steps
Step 1: Open WSL or a Linux terminal and make sure the SSH server is running (for example: sudo service ssh status)
Step 2: Run a small brute-force loop against your own machine
(This does NOT harm your system)
for i in {1..10}; do
ssh -o NumberOfPasswordPrompts=1 -o ConnectTimeout=5 user@localhost
done
Replace user with an account name on your machine and type a wrong password at each prompt. NumberOfPasswordPrompts=1 gives exactly one failed attempt per iteration (the client default is three prompts per connection), so you will see 10 failed login attempts.
Step 3: Check logs in Linux
sudo tail -f /var/log/auth.log
(On RHEL-family systems the file is /var/log/secure; if your distribution logs only to the systemd journal, use sudo journalctl -f -t sshd instead.)
You will see:
Failed password for user from 172.x.x.x
Step 4: Splunk Universal Forwarder will send logs to Splunk
Splunk Query to Detect the Brute Force
index=* "Failed password"
| rex "from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| stats count by src_ip
| where count > 5
The rex line extracts src_ip from the raw auth.log text; if your Linux add-on already extracts that field, you can drop it.
You will see your attacker IP.
MITRE:
- T1110: Brute Force
5. Correlate Linux Attack with Windows Activity (Advanced for students)
Tell students to look for:
- Suspicious Windows logons (4624 type 10)
- Followed by admin changes
- Combined with Linux brute-force
Example correlation:
(index=* "Failed password")
OR (index=* EventCode=4625)
OR (index=* EventCode=4624 Logon_Type=10)
This teaches them multi-system detection.
6. Day 9 Hands-On Tasks
Task 1: Correlate failed + successful Windows logins
index=* (EventCode=4624 OR EventCode=4625)
| transaction Account_Name maxspan=5m
Task 2: Detect Linux brute-force simulation
index=* "Failed password"
| stats count by src_ip
Task 3: Find privilege escalation
index=* EventCode=4672
Task 4: Find persistence attempts
index=* (EventCode=4720 OR EventCode=4732)
Task 5: Build a two-panel dashboard:
- Brute-force attempts
- New users created
Trainer Script
Say this during class:
"Correlation is the heart of SOC.
One log does not tell the story, but multiple logs together reveal the attacker's path.
Today you learned how to connect events and simulate real attacks."
Homework for Day 9
Students submit:
- Their Linux brute-force output
- Windows correlation screenshot
- MITRE mapping
- Explanation of attack sequence