# Attack–Defense Simulation Framework
Status: Scaffold — content in progress
Each simulation scenario ties together the lab environment (Section 03), attack techniques (Section 04), and detection rules (Section 05) into a full attack–defense exercise.
## Scenario Format
Every scenario includes:
### Header
- Scenario Name
- Lab Required: which lab environment(s) needed
- ATT&CK Techniques Covered: technique IDs
- Difficulty: Beginner / Intermediate / Advanced
- Estimated Time: setup + execution
### Narrative
A realistic threat scenario context (threat actor archetype, initial access method, objective).
### Pre-Exercise Checklist
- Lab state verification (clean snapshot)
- Logging verification (audit policies, Sysmon, SIEM connectivity)
- Attack tool availability on attacker machine
### Attacker Steps
Numbered, ordered steps with exact commands. Each step is annotated with:
- ATT&CK technique
- Expected log evidence
### Defender Monitoring Checklist
What the defender should see in the SIEM at each step. Links to the relevant detection page.
### Expected Detection Triggers
Table of: Attack Step → Expected Alert → Log Source → Detection Rule Reference
### After-Action Review
- Was each attack step detected? (DRL-level honest assessment)
- Which steps had detection gaps?
- What telemetry was missing?
- Recommendations for coverage improvement
## Lab Requirements Summary
| Scenario | Lab | Key Attacks |
|---|---|---|
| Domain Compromise Chain | AD Lab | Kerberoasting → PtH → DCSync → Golden Ticket |
| Cloud Identity Takeover | Entra ID Lab | Device code phishing → token persistence → privilege escalation |
| Hybrid Golden SAML | AD + Entra ID | On-prem ADFS compromise → Golden SAML → cloud access |
| Certificate Escalation | AD Lab (ADCS) | ESC1 → Domain Admin certificate → persistent auth |
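As an added example of how the Expected Detection Triggers table and the After-Action Review fit together (example code, not the framework's own), the script below reconciles the Domain Compromise Chain scenario's expected triggers with constructed post-exercise SIEM data and renders the review. The step names, log sources, alert names and the DET-AD-00x rule references are constructed sample values; the ATT&CK IDs are the real technique IDs for those steps.

```python
# Added example, not code from the framework itself. Scenario steps, alert names,
# rule references (DET-AD-00x) and the observed SIEM state are all constructed.
from dataclasses import dataclass
@dataclass
class AttackStep:
    name: str
    technique: str       # ATT&CK technique ID
    log_source: str      # where the expected log evidence should land
    expected_alert: str  # alert the detection rule is expected to raise
    rule_ref: str        # detection rule reference (hypothetical IDs)

# Expected Detection Triggers for the Domain Compromise Chain scenario (constructed).
DOMAIN_COMPROMISE_CHAIN = [
    AttackStep("Kerberoasting", "T1558.003", "Security (DC)", "RC4 TGS request burst", "DET-AD-001"),
    AttackStep("Pass-the-Hash", "T1550.002", "Security (WS01)", "NTLM logon type 9", "DET-AD-002"),
    AttackStep("DCSync", "T1003.006", "Security (DC)", "Replication rights used by non-DC", "DET-AD-003"),
    AttackStep("Golden Ticket", "T1558.001", "Security (DC)", "TGT with anomalous lifetime", "DET-AD-004"),
]

def after_action_review(steps, observed_alerts, log_sources_seen):
    """Map each step name to 'detected', 'gap' (logs arrived, rule silent)
    or 'missing telemetry' (the log source never reached the SIEM)."""
    review = {}
    for step in steps:
        if step.expected_alert in observed_alerts:
            review[step.name] = "detected"
        elif step.log_source not in log_sources_seen:
            review[step.name] = "missing telemetry"  # the rule never had input
        else:
            review[step.name] = "gap"  # telemetry present, rule did not fire
    return review

def coverage(review):
    return sum(o == "detected" for o in review.values()) / len(review) if review else 0.0

def triggers_table(steps, review):
    """Render the Expected Detection Triggers table with the review outcome appended."""
    rows = ["| Attack Step | Technique | Expected Alert | Log Source | Rule | Result |", "|---|---|---|---|---|---|"]
    for s in steps:
        rows.append(f"| {s.name} | {s.technique} | {s.expected_alert} | {s.log_source} | {s.rule_ref} | {review[s.name]} |")
    return "\n".join(rows)

if __name__ == "__main__":
    # Constructed post-exercise SIEM state: WS01 was never onboarded to the SIEM,
    # and the Golden Ticket rule stayed silent although DC Security logs arrived.
    review = after_action_review(DOMAIN_COMPROMISE_CHAIN,
                                 {"RC4 TGS request burst", "Replication rights used by non-DC"},
                                 {"Security (DC)", "Sysmon (DC)"})
    print(triggers_table(DOMAIN_COMPROMISE_CHAIN, review))
    print(f"Coverage: {coverage(review):.0%}")
```

The "missing telemetry" bucket separates a logging problem (fix onboarding first) from a genuine rule gap, which is the distinction the After-Action Review asks for.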
## Cross-Links
| Topic | Link |
|---|---|
| Lab Architecture | lab-architecture |
| Detection Framework | detection-framework |