Introduction

Security Operations Center (SOC) teams need continuous, realistic training to stay sharp against evolving threats. This article provides a practical guide for designing and executing a hands-on training scenario using the M&NTIS platform in combination with Azure Arc and Microsoft Sentinel. The goal is to simulate a real-world attack — specifically the Lumidus scenario, which includes a Zerologon exploit — and walk through the necessary steps to prepare the environment, configure alerting rules in Microsoft Sentinel, and guide SOC teams through detection and incident response. Whether you are a SOC lead or an instructor, this guide will help you set up an effective, immersive training experience.

The selected scenario for the exercise is Lumidus. In the scenario, the attacker performs a Zerologon attack on the AD server of the lab.

Lumidus related detection rules

M&NTIS provides SIEM detection rules along with its scenarios. The idea behind those signatures is to create an entry point for SOC teams to start the analysis of the scenario. When executed, the scenario will triger alerts in the SIEM. Thanks to these alerts, analysts can retrieve logs on the machines and investigate to understand the whole killchain.

The selected scenario, Lumidus, is provided with at least two signatures detecting:

• an attempt to a Zerologon attack and
• an evil file hash execution detection.

It is possible to retrieve the signatures of a scenario by either using the M&NTIS Command Line Interface (CLI) or the frontend (GUI).

M&NTIS GUI

In order to retrieve the signatures directly from the M&NTIS frontend, you have to click View more on the Lumidus scenario. Then, on the kill chain attack list, you have at least two signatures (the blue symbol on the right) :

By clicking on the signature pane, you can see the signatures the M&NTIS Platform offers for the scenario.

The signature format here is KQL for Azure Sentinel.

M&NTIS CLI

To achieve this, you can execute the next command:

$ mantis signature info --scenario lumidus

[+] intern_zerologon
  [+] available implementations:
  [>] powershell
    [+] Format azure_kql
    Event | where RenderedDescription contains "20b6b9f1e67d98a853730bd0f73f8eae06958a6156a9b8b69ea33366b2e91195"

  [>] powershell
    [+] Format azure_kql
    SecurityEvent | where EventID == 4742 | extend TargetUserName = extract('<Data Name="TargetUserName">([^<]+)</Data>', 1, EventData) | extend SubjectUserName = extract('<Data Name="SubjectUserName">([^<]+)</Data>', 1, EventData) | extend PasswordLastSet = extract('<Data Name="PasswordLastSet">([^<]+)</Data>', 1, EventData) | where SubjectUserName == "ANONYMOUS LOGON" | where PasswordLastSet != "-" and isnotempty(PasswordLastSet) | project TimeGenerated, TargetUserName, SubjectUserName, PasswordLastSet, Computer, EventID

[+] intern_secretdumps_smb
  [+] available implementations:
  [>] powershell
    [+] Format azure_kql
    Event | where RenderedDescription contains "50b252867fab0a37ea53b5f4967ede4307eda1e0b4d42b026551c2e226c75f46"

Detection rules used in the tutorial

Three different detection rules for two attacks are available for the Lumidus scenario: intern_zerologon and intern_secretdumps_smb.

In this article the signatures used are:

• the one of intern_secretdumps_smb and
• the second one for intern_zerologon.

Preparing Azure Arc

Scenario setup

In this article, the organizer adds both of the rules to the Microsoft Sentinel. However, he could choose to add only one of them or none in order to increase the difficulty for the SOC team under test. On the M&NTIS platform lab creation page, you need to first create a lab. You can tweak the delay between attacks to increase the realism of a real attack killchain. On the “Monitoring and integrations” page, you have to enable the Azure Arc Agent connector of the Agents category.

This article does not expand the connector configuration. However, the Azure Arc Agent documentation page can guide you through these steps. Once you reach the Public access tab, enable the feature. It is useful for your learner to get the public version of the link. On this public link, the killchain and the attack steps do not appear in order to prevent learner to get any extra information during the exercise.

At this point your lab is configured. The Azure Arc Agent will be installed on every compatible machine in the lab (Linux and Windows). Do not start the scenario execution already since the Microsoft Sentinel’s alerts must be configured.

Create alerts in Microsoft Sentinel

In the signatures, the format azure_kql is the one used for creating alert rules in Microsoft Sentinel. Open Microsoft Sentinel and click on the Analytics tab of the Configuration pane.

Then, create a new “Scheduled query rule”

Fill in the general information

Then, in the Set rule logic tab, copy paste the signature as shown in the previous section in the “Rule query” field. You can tweak the Query scheduling to improve the detection reactivity.

In the Indicent settings tab, make sure the functionality is enabled.

Validate your new alert. It now shall show up in your alert list as follow.

You can add as many signatures as you want. You might want to add the one of intern_secretdumps_smb to improve realism. You are now ready to launch the scenario execution.

After the scenario execution

At the end of the execution of the scenario, incidents should appear in the “Incidents” tab of the “Threat management” pane.

You can get more details about a specific incident. You can click the “View full details” blue button to open the incident menu displaying more information for further analysis.

This page allows SOC analysts to describe and follow together the workflow of an incident. They can sort the incident, write tasks and assign each other in order to fully understand an incident.

For more information about, check out the dedicated Microsoft documentation.

Conclusion

By following the steps outlined in this guide, you can create a realistic and controlled training environment for SOC analysts using M&NTIS, Azure Arc, and Microsoft Sentinel. From configuring your lab and enabling telemetry collection with the Azure Arc Agent to crafting custom detection rules in Azure Sentinel, you have full control over the complexity and visibility of the simulated attacks.

Once the scenario is executed, your SOC team can thoroughly test the investigation processes, analyze alerts, investigate incidents, and sharpen their threat detection skills in a safe yet authentic setting.

This method not only reinforces theoretical knowledge but also builds confidence in handling future real-world intrusions.