A hands-on SOC analyst lab covering detection of Pass-the-Hash (MITRE T1550.002) and Token Impersonation (T1134.001) lateral movement in an IT/OT environment using Elastic SIEM and ES|QL. The scenario follows an attacker who crossed from a corporate IT workstation into OT SCADA systems controlling factory floor PLCs using stolen NTLM hashes. The lab walks through five hunt phases: identifying the compromised source workstation, detecting NTLM-based PtH logons to OT servers, spotting privilege escalation via Event 4672, confirming token impersonation via delegation-level tokens, and mapping the full hop chain. Each phase includes ES|QL queries with detailed explanations and Hunt Notebook templates, and the lab concludes with three deployable Sigma detection rules for GitHub portfolio building.

27m read time. From infosecwriteups.com