// labs
Each lab is a complete, reproducible notebook covering attacker behavior, required telemetry, safe validation, Wazuh rule logic, log analysis, and a detection confidence score.
featured lab · MITRE ATT&CK T1059.001
PowerShell Detection Engineering Lab
Detecting attacker abuse of PowerShell before privilege escalation or persistence, using Windows-native logging, Sysmon, and Wazuh.
Labs: 16
Maturity: Phase 1 → 3
Validation: 16 labs · all validated
Avg confidence: 84 / 100
#Wazuh #Sysmon #Windows EventLog #PowerShell Script Block Logging
// detection roadmap
Browse all 16 detections by maturity phase
Phase 1 quick wins, Phase 2 correlation, Phase 3 advanced engineering — searchable and tag-filterable.
// att&ck coverage
ATT&CK coverage matrix
Every lab mapped to a sub-technique, signal value, and difficulty rating.
// upcoming labs
T1003.001 — LSASS Memory Access
#Sysmon 10 #Wazuh · planned
T1547.001 — Registry Run Keys
#Sysmon 13 #Wazuh · planned
T1021.006 — WinRM Lateral Movement
#WinRM logs #Wazuh · planned
T1218 — Signed Binary Proxy Execution
#Sysmon 1 #AppLocker · planned
T1071.004 — DNS C2
#Suricata #Wazuh · planned
T1486 — Ransomware Behavior
#Sysmon 11 #Wazuh · planned