SANS marketing calls the Spring 2025 FOR508 update “forward-looking” and “thoughtful.” Here is the stripped-down diff—new labs, free scripts, and memory-artefact packs that alumni are loading into production the Monday after class. No flyer downloads required.
- Credential Theft — Completely Re-shot
- Lab: coercion → relay → delegation abuse in 90 seconds
- Script: coercion-hunter.ps1 (BSD-3) hunts MS-EVEN6 events; pushed to the Sigma GitHub repo the same week
- Visual: 6-slide sequence showing authN vs authZ in Windows logs (4624 logon success / 4625 logon failure vs 4672 special privileges assigned to a new logon)
- Exit-exam addition: identify forged Kerberos delegation; first-attempt fail rate 34 % (proof of rigour)
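The authN-versus-authZ distinction in the slide sequence above is a join, not a lookup: 4624 tells you who authenticated, 4672 tells you which of those logons were immediately handed admin-equivalent privileges, and the two share a LogonId. The script below is an added example of that join (it is not coercion-hunter.ps1 or any SANS code); the event records are constructed to resemble a DC's Security log, with the real EventData field names. A privileged NTLM network logon is the shape a coercion → relay chain leaves on the target, so that is what it flags, while 4625 failures are grouped by source to surface the probing that usually precedes it.

```python
"""Join Windows Security events: authentication (4624 success, 4625 failure)
versus authorization (4672, special privileges assigned to a new logon).
Added example, not course code. EVENTS is a constructed sample."""
from collections import defaultdict

# Constructed sample. 4624 carries the logon's id as TargetLogonId,
# 4672 carries the same id as SubjectLogonId; that is the join key.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_backup", "TargetLogonId": "0x3e7a1",
     "LogonType": 3, "IpAddress": "10.0.5.23", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4672, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a1",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeDebugPrivilege"},
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetLogonId": "0x3e9c0",
     "LogonType": 2, "IpAddress": "-", "AuthenticationPackageName": "Kerberos"},
    # authenticated over the network, but no 4672 followed: authN without admin authZ
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetLogonId": "0x3ea10",
     "LogonType": 3, "IpAddress": "10.0.7.4", "AuthenticationPackageName": "NTLM"},
    {"EventID": 4625, "TargetUserName": "administrator", "LogonType": 3,
     "IpAddress": "10.0.5.23", "Status": "0xc000006d"},
    {"EventID": 4625, "TargetUserName": "jdoe", "LogonType": 3,
     "IpAddress": "10.0.5.23", "Status": "0xc000006d"},
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetLogonId": "0x3f100",
     "LogonType": 3, "IpAddress": "10.0.0.10", "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4672, "SubjectUserName": "DC01$", "SubjectLogonId": "0x3f100",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege"},
]


def index_privileges(events):
    """Map LogonId -> set of privileges from every 4672 event.
    PrivilegeList is whitespace/tab separated in the real event, so split()."""
    privs = {}
    for ev in events:
        if ev["EventID"] == 4672:
            privs[ev["SubjectLogonId"]] = set(ev["PrivilegeList"].split())
    return privs


def privileged_network_logons(events, packages=("NTLM",)):
    """Join 4624 (authN) with 4672 (authZ) on LogonId and return network
    logons (LogonType 3) that used one of `packages` AND received admin-
    equivalent privileges. With NTLM only, this is the relay signature:
    the account never typed a password here, yet arrives over the network
    and is immediately authorized as an admin."""
    privs = index_privileges(events)
    hits = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue
        if ev["AuthenticationPackageName"] not in packages:
            continue
        granted = privs.get(ev["TargetLogonId"])
        if not granted:
            continue  # authenticated, but no 4672: not an admin logon
        hits.append({"user": ev["TargetUserName"], "source": ev["IpAddress"],
                     "package": ev["AuthenticationPackageName"],
                     "privileges": sorted(granted)})
    return hits


def failed_logons_by_source(events, min_users=2):
    """Group 4625 (failed authN) by source IP and keep sources that failed
    against at least `min_users` distinct accounts (spray / probing)."""
    by_src = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4625:
            by_src[ev["IpAddress"]].add(ev["TargetUserName"])
    return {src: sorted(users) for src, users in by_src.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for h in privileged_network_logons(EVENTS):
        print("privileged NTLM network logon:", h)
    print("failed logons by source:", failed_logons_by_source(EVENTS))
```

Run against exported 4624/4625/4672 records (for example from `Get-WinEvent` converted to JSON) by replacing EVENTS; widen `packages` to include Kerberos when hunting delegation abuse rather than relay, since a relayed credential shows up as NTLM but a forged delegation ticket arrives as Kerberos.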
- Lateral Movement — Network-Logon Focus
- New attack vectors: Remote Registry, DCOM ShellWindows, Impacket dcomexec.py
- Detection: Sysmon Event 10 & 1 overlap rule included; fires on 11 % of 2024 lab images where the service is disabled but still callable
- Air-gapped lab: students pivot against a cloned DC with only open-source tools
- Hybrid Cloud — Entra ID Added
- 14-step chain: on-prem AD → Entra ID → Intune → cloud app
- Tool: azure-hound-linux (MIT) graphs permissions without a paid licence
- Exam item: hybrid token replay; median solve time 18 min (vs 42 min pre-update)
- Memory Forensics — LOLdrivers & Hibernation
- Acquisition: winpmem_2025.exe ships with an HVCI-compatible driver
- New artefact: hibernation-file parsing (laptops found closed at the scene are often hibernated, and hiberfil.sys holds a compressed copy of RAM)
- Hunt: loldrivers.txt (community CSV) mapped to MITRE T1547.008; 63 malicious drivers flagged in the class data set
- Behaviour-Based Detection Rule Requirement
- Students must write a Sigma rule that triggers on behaviour (not hash) before advancing
- 47 rules already merged to public Sigma repo under MIT licence
- Most common rejection: regex too wide (hits > 5 % of traffic)
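Two of the sections above fit in one worked example: the Impacket dcomexec.py vector from the lateral-movement lab, and the behaviour-not-hash Sigma rule with the 5 % hit-rate gate. The block below is an added example, not course material or the Sigma project's code. The rule is written as the Python equivalent of a Sigma `detection` block (selection with `|contains|all`) so that it runs without a YAML library; the Sysmon Event 1 records are constructed. The behaviour it keys on is the output redirect wmiexec.py and dcomexec.py perform (`1> \\...\ADMIN$\__<timestamp> 2>&1`), and the second, over-wide rule shows what the grader rejects: it fires on routine logon-script noise and still misses the attack, because Impacket's `cmd.exe /Q /c` never contains the literal `cmd.exe /c`.

```python
"""A behaviour-based Sigma-style rule for Impacket remote execution, a
minimal evaluator, and the hit-rate check that decides whether a rule is
too wide. Added example; rule, evaluator and sample events are constructed."""

# Python equivalent of a Sigma detection block. Sigma field modifiers are
# encoded in the key, exactly as in YAML: "Field|contains|all".
BEHAVIOUR_RULE = {
    "title": "Impacket remote exec: output redirected to ADMIN$ share file",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            # wmiexec.py / dcomexec.py run: cmd.exe /Q /c <cmd> 1> \\<host>\ADMIN$\__<ts> 2>&1
            "CommandLine|contains|all": ["\\ADMIN$\\__", " 1> ", "2>&1"],
        },
        "condition": "selection",
    },
}

# The kind of rule the course rejects: any cmd.exe /c.
WIDE_RULE = {
    "title": "cmd.exe /c (too wide)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {"selection": {"CommandLine|contains": "cmd.exe /c"},
                  "condition": "selection"},
}


def _field_matches(value, modifiers, patterns):
    """Evaluate one selection entry. Supports contains / startswith /
    endswith / exact, plus the 'all' flag. Sigma string matching is
    case-insensitive, so both sides are lower-cased."""
    if isinstance(patterns, str):
        patterns = [patterns]
    value = (value or "").lower()
    patterns = [p.lower() for p in patterns]
    if "contains" in modifiers:
        results = [p in value for p in patterns]
    elif "startswith" in modifiers:
        results = [value.startswith(p) for p in patterns]
    elif "endswith" in modifiers:
        results = [value.endswith(p) for p in patterns]
    else:
        results = [value == p for p in patterns]
    return all(results) if "all" in modifiers else any(results)


def rule_matches(rule, event):
    """Single-selection rules only (condition: selection). Fields inside one
    selection map are ANDed, as in Sigma."""
    det = rule["detection"]
    if det["condition"] != "selection":
        raise ValueError("this evaluator only handles 'condition: selection'")
    for key, patterns in det["selection"].items():
        field, *modifiers = key.split("|")
        if not _field_matches(event.get(field), modifiers, patterns):
            return False
    return True


def review(rule, events, max_rate=0.05):
    """Accept the rule only if it fires on at most max_rate of the sample.
    Returns (accepted, hit_count, hit_rate)."""
    hits = sum(1 for e in events if rule_matches(rule, e))
    rate = hits / len(events)
    return rate <= max_rate, hits, rate


def build_sample():
    """Constructed Sysmon Event 1 records: 48 benign (12 logon-script cmd.exe
    runs, 36 browser child processes) and 2 Impacket-shaped executions."""
    benign = [{"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
               "ParentImage": r"C:\Windows\System32\gpscript.exe",
               "CommandLine": f"cmd.exe /c \\\\fs01\\netlogon\\map{i}.bat"} for i in range(12)]
    benign += [{"EventID": 1, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": f"firefox.exe -contentproc {i}"} for i in range(36)]
    malicious = [
        # wmiexec.py: spawned by the WMI provider host
        {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
         "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
         "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712345678.91 2>&1"},
        # dcomexec.py with the ShellWindows object: the shell is launched via explorer.exe
        {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
         "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": r"cmd.exe /Q /c ipconfig /all 1> \\127.0.0.1\ADMIN$\__1712345702.33 2>&1"},
    ]
    return benign + malicious


if __name__ == "__main__":
    sample = build_sample()
    for rule in (BEHAVIOUR_RULE, WIDE_RULE):
        ok, n, rate = review(rule, sample)
        print(f"{rule['title']}: {n}/{len(sample)} hits ({rate:.1%}) -> {'accepted' if ok else 'rejected'}")
```

Swap `build_sample()` for a day of real process-creation events before trusting the percentage; 5 % of a lab sample and 5 % of a production SIEM feed are very different numbers of alerts.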
- Open-Source Pack Released (Today)
- Repo: github.com/sans-for508/spring-2025-tools (BSD-3)
- Contents:
  - hunt-cookbook.pdf – 60-page tactics quick-ref
  - evtx-hunter.ps1 – hunts 76 log artefacts in < 2 min on a live system
  - mem-timeline.py – builds a 30-day memory timeline from hibernation file + pagefile
- Public Metrics (First 3 Classes, n = 312)
- Mean exam score: 84 % (+6 pts vs 2024)
- Sigma rule accepted: 89 % of students
- Students building internal hunt team ≤ 90 days: 41 % (vs 22 % last year)
- Cost & Access Reality Check
- List price unchanged: USD 7,900
- Virtual range runs on AWS spot instances; average lab cost USD 0.80 per hour (billed to SANS, not the student)
- No new licensing fees; every script is MIT/BSD
- Fast-Track for Alumni Already Holding GCFE/GCFA
- Clone the repo above
- Run evtx-hunter.ps1 against last month's DC backup
- Feed the output into the Sigma template; push to your SIEM
- You have replicated Day 1 of the new course without booking a hotel
Bottom Line
Threat hunting is now an inside job: the share of teams outsourcing it has dropped to 30 %. The Spring 2025 refresh gives you the playbook, the scripts and the behavioural rules to run the same hunt on Monday morning. Clone the repo, test the scripts, and decide later if the classroom is worth the airfare.