Module Summary
What you built
Module 1 took you from an empty workstation to a working purple-team lab. Here's what you have:
Four target environments:
- Windows 10/11 endpoint with Sysmon and Atomic Red Team (PT-WIN-ENDPOINT, 10.0.0.10)
- Windows Server 2022 domain controller with AD DS (PT-DC01, 10.0.0.1)
- Ubuntu Server with auditd and Caldera (PT-LINUX01, 10.0.0.20)
- Microsoft 365 developer tenant with E5 licenses and Defender XDR
Three SIEMs:
- Microsoft Sentinel (primary — KQL, full ingestion pipeline)
- Defender XDR Advanced Hunting (paired — same KQL, different schema)
- Splunk Free or Elastic Stack (secondary — SPL or Elastic KQL)
Attack execution framework:
- Atomic Red Team installed on the Windows endpoint
- Caldera installed on the Linux VM (ready for Module 14 capstone)
A verified pipeline:
- You fired T1059.001 and confirmed telemetry arrived in all three SIEMs
- You recorded your first MTTD measurement
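As an added illustration of that last step (not part of the course material), here is one way to re-check the T1059.001 smoke-test telemetry from the Sentinel and Defender XDR side. It assumes Sysmon from PT-WIN-ENDPOINT is forwarded into Sentinel's Event table (the Azure Monitor Agent path; adjust the table name if your collector lands Sysmon elsewhere) and that the atomic was fired within the last hour. The hostname filters and the one-hour window are assumptions for this example.

```kql
// Sentinel (KQL): did the PowerShell process-creation event from the
// smoke test arrive, and how long did the pipeline take to ingest it?
// Assumption: Sysmon is collected into the Event table via the Azure Monitor Agent.
Event
| where TimeGenerated > ago(1h)
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1   // Sysmon Event ID 1 = process creation
| where Computer startswith "PT-WIN-ENDPOINT"                   // assumed lab hostname
| parse EventData with * '<Data Name="Image">' Image '</Data>' *
| parse EventData with * '<Data Name="CommandLine">' CommandLine '</Data>' *
| where Image endswith @"\powershell.exe"
// Seconds between the event's own timestamp and the moment Sentinel ingested it:
// the pipeline-latency component of the MTTD figure you recorded.
| extend IngestLagSec = datetime_diff('second', ingestion_time(), TimeGenerated)
| project TimeGenerated, Computer, Image, CommandLine, IngestLagSec
| order by TimeGenerated desc

// Defender XDR Advanced Hunting: the paired check, same KQL, different schema.
// Process telemetry comes from the Defender sensor here, not from Sysmon.
DeviceProcessEvents
| where Timestamp > ago(1h)
| where DeviceName startswith "PT-WIN-ENDPOINT"                 // assumed lab hostname
| where FileName =~ "powershell.exe"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```

Run each query on its own in its respective console. Zero rows from the first query with rows from the second points at the Sysmon forwarding path rather than the endpoint; zero rows from both means the atomic did not execute or the clock window is wrong. IngestLagSec only measures collection delay; the MTTD you record should still start from the moment the technique was executed.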
What comes next
Module 2 begins the technique subs. Each sub follows the 11-element structure:
Scene → Learning Objectives → Technique → You Already Know → Safety/Legal → Attack → Telemetry → Detection (tabbed: Sigma + KQL + XDR + SPL) → Tuning → Decision Exercise → Try-it + Ref Card
The first technique module covers Initial Access — phishing, drive-by compromise, and the M365 attack surface. You'll use the M365 developer tenant from PT1.7 and the Windows endpoint from PT1.3.
Every technique sub assumes the lab is working. If you run into telemetry issues during Module 2+, come back to PT1.12 and re-run the smoke test to confirm the pipeline is intact.