In this chapter, we learned how to carry out atomic tests and atomic hunts, thinking about the underlying processes that are going on in the operating system when preparing the search for traces of suspicious activity in our dataset. We also learned how to carry out our first queries using our Kibana instance. We then reviewed a few real-world scenarios where threat actors leverage publicly available tools to carry out their attacks. We deployed and executed one of those tools, Quasar RAT, in our environment and hunted for it in our research lab.
In the following chapter, we are going to execute and emulate an adversary following the last example of the APT29 MITRE ATT&CK Evaluations.