LOG ANALYSIS & THREAT HUNTING
NETWORK SECURITY — INCIDENT RECONSTRUCTION
WINDOWS EVENTS · SYSMON · WEB LOGS · DNS · TIMELINE

OBJECTIVES

Find the initial access in the web log
Identify the webshell process (Sysmon)
Find the privilege escalation event
Detect credential dumping (lsass)
Trace lateral movement
Identify the C2 beacon in DNS logs
Build a complete attack timeline
Submit the IR report
LOG HUNT LAB
PHASE 1 — LOG ANALYSIS
MISSION BRIEF
NETWORK SECURITY — THREAT HUNTING

HOSTS: WEB-01 (10.10.16.10), WKSTN-016 (10.10.14.22)

SCENARIO

The EDR has flagged anomalous activity on WEB-01 and WKSTN-016. You have been given four log sources. Hunt through them, reconstruct the attack timeline, and document the full incident chain from initial access to lateral movement.

LOG SOURCES

Source | Host | Coverage
Windows Events | WKSTN-016 | Logons, privilege use, process
Sysmon | WEB-01 | Process tree, network, files
Apache Access Log | WEB-01 | HTTP requests to web server
DNS Log | 10.10.14.1 | All DNS queries on network

METHODOLOGY

  • Use the Log Viewer — switch between log sources with the tabs
  • Click any log entry to see its full detail
  • Click Add to Timeline on key events to build your attack chain
  • Use Hunt Queries to run targeted searches across logs
  • Complete the Timeline, then write up the IR Report

KEY EVENT IDs TO HUNT

Event | Meaning
4624 | Successful logon
4625 | Failed logon
4672 | Special privileges assigned at logon
4688 | Process creation
Sysmon 1 | Process creation (with hash)
Sysmon 3 | Network connection
Sysmon 10 | Process access (lsass)
Sysmon 11 | File create
LOG VIEWER — Multi-Source Analysis
ATTACK TIMELINE — BUILD YOUR CHAIN
HUNT QUERIES — KQL / GREP
lsass access
cmd.exe from apache
lateral move logons
DNS beacon pattern
privilege escalation
webshell upload
user creation
encoded powershell
REFERENCE — THREAT HUNTING
MITRE ATT&CK TECHNIQUES
Initial Access T1190 — Exploit public-facing application (web server)

Execution T1059 — Command and scripting interpreter (cmd.exe, PowerShell)

Persistence T1505.003 — Web shell

Privilege Escalation T1055 — Process injection

Credential Access T1003.001 — OS Credential Dumping: LSASS Memory

Lateral Movement T1021.002 — Remote Services: SMB/Windows Admin Shares

Command & Control T1071.004 — DNS beaconing
WEBSHELL INDICATORS
Sysmon Event ID 1 — web server process (apache.exe, w3wp.exe) spawning cmd.exe or powershell.exe
Suspicious POST requests to .php files
New file creation in web root directory
Outbound network connections from web server process
LSASS DUMP INDICATORS
Sysmon Event ID 10 — process accessing lsass.exe (GrantedAccess: 0x1010 or 0x1410)
Known tools: mimikatz, procdump, comsvcs.dll
Unexpected process accessing lsass — any non-system process is suspicious
DNS BEACONING
Regular interval queries to external domains (every 60s, 300s)
Long or encoded subdomain labels (Base64, hex)
NXDomain responses with encoded data
Single domain queried exclusively by one internal host
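As an added detection example (not part of the lab's own tooling), the Python below applies the three DNS beaconing traits above to a handful of constructed DNS log lines: a near-constant query interval, long encoded leftmost labels, and a domain queried by a single internal host. The log line format, the sample domain, the thresholds and the two-label "registered domain" shortcut are all assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the lab's DNS log); assumed format:
# "<ISO timestamp> <client IP> <queried name> <rcode>"
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:00 10.10.14.22 a3f9c2e1b7d4.update-cdn.example NOERROR
2024-05-01T10:00:10 10.10.14.30 www.microsoft.com NOERROR
2024-05-01T10:01:00 10.10.14.22 9e1d7b2c4a60.update-cdn.example NXDOMAIN
2024-05-01T10:02:00 10.10.14.22 c07b33e8d1f2.update-cdn.example NOERROR
2024-05-01T10:03:00 10.10.14.22 5fa1e0c9b2d8.update-cdn.example NXDOMAIN
2024-05-01T10:04:00 10.10.14.22 77d2a9c1e4b0.update-cdn.example NOERROR
2024-05-01T10:04:45 10.10.14.30 www.microsoft.com NOERROR
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def registered_domain(name):
    """Last two labels of a name (assumption: no public-suffix list)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def parse(log_text):
    """Yield (timestamp, client, name, rcode) tuples from the assumed format."""
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, client, name, rcode = m.groups()
        yield datetime.fromisoformat(ts), client, name, rcode

def find_beacons(log_text, min_queries=4, max_jitter=0.2, long_label=10):
    """Flag (client, domain) pairs showing the reference's beacon traits:
    regular interval, long/encoded leftmost labels, one querying host."""
    by_pair, hosts_per_domain = defaultdict(list), defaultdict(set)
    for ts, client, name, rcode in parse(log_text):
        dom = registered_domain(name)
        by_pair[(client, dom)].append((ts, name, rcode))
        hosts_per_domain[dom].add(client)
    hits = {}
    for (client, dom), rows in by_pair.items():
        if len(rows) < min_queries:
            continue
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 1.0  # 0 = perfectly periodic
        encoded = all(len(n.split(".")[0]) >= long_label for _, n, _ in rows)
        if jitter <= max_jitter and encoded and len(hosts_per_domain[dom]) == 1:
            hits[(client, dom)] = {"interval_s": round(mean), "queries": len(rows),
                                   "nxdomain": sum(r == "NXDOMAIN" for _, _, r in rows)}
    return hits
```

On the sample, only WKSTN-016's 60-second queries to the constructed domain are flagged; the two ordinary lookups from 10.10.14.30 fall below the minimum query count and have short labels.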
LATERAL MOVEMENT
Windows Event 4624 Type 3 (Network) with NTLM from a workstation to another internal host
Rapid sequential logon attempts across multiple hosts
Use of admin shares (C$, ADMIN$, IPC$)
INCIDENT RESPONSE REPORT
ATTACK RECONSTRUCTION