PT1.13 Module Summary

4-8 hours · Module 1 · Free

What you built

Module 1 took you from an empty workstation to a working purple-team lab. Here's what you have:

Four target environments:

  • Windows 10/11 endpoint with Sysmon and Atomic Red Team (PT-WIN-ENDPOINT, 10.0.0.10)
  • Windows Server 2022 domain controller with AD DS (PT-DC01, 10.0.0.1)
  • Ubuntu Server with auditd and Caldera (PT-LINUX01, 10.0.0.20)
  • Microsoft 365 developer tenant with E5 licences and Defender XDR

Three SIEMs:

  • Microsoft Sentinel (primary — KQL, full ingestion pipeline)
  • Defender XDR Advanced Hunting (paired — same KQL, different schema)
  • Splunk Free or Elastic Stack (secondary — SPL or Elastic KQL)

Attack execution framework:

  • Atomic Red Team installed on the Windows endpoint
  • Caldera installed on the Linux VM (ready for Module 14 capstone)

A verified pipeline:

  • You fired T1059.001 and confirmed telemetry arrived in all three SIEMs
  • You recorded your first MTTD measurement

What comes next

Module 2 begins the technique subs. Each sub follows the 11-element structure:

Scene → Learning Objectives → Technique → You Already Know → Safety/Legal → Attack → Telemetry → Detection (tabbed: Sigma + KQL + XDR + SPL) → Tuning → Decision Exercise → Try-it + Ref Card

The first technique module covers Initial Access — phishing, drive-by compromise, and the M365 attack surface. You'll use the M365 developer tenant from PT1.7 and the Windows endpoint from PT1.3.

Every technique sub assumes the lab is working. If you run into telemetry issues during Module 2+, come back to PT1.12 and re-run the smoke test to confirm the pipeline is intact.

Next
PT1.14 — Check My Knowledge. Scenario-based questions covering the lab build and the concepts behind it.

You've built the lab and understand the validation gap.

Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.

  • 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
  • Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
  • Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
  • Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
  • Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course