Step-by-Step Red Team vs SOC interactive drill

 Format per step: Attacker Action → Your Move (respond) → Example SOC Play

1) Initial Access — Spearphishing Attachment (TA0001 • T1566.001)

Attacker action: Finance user opens Q3_Report.xlsm, enables macros. Macro drops a loader and reaches out to [C2_DOMAIN].

Artifacts to expect:

• Mail gateway alert on macro doc; attachment hash [HASH].

• Security 4688: EXCEL.EXE → powershell.exe.

• PowerShell 4104/4103: suspicious download/IEX strings.

• Sysmon 1/3: powershell.exe spawned + outbound to [C2_IP]:443.

Your move: What do you triage first, and what do you block/contain?

Example SOC play (peek after you reply):

• Quarantine the email campaign; block [HASH], [C2_DOMAIN], [C2_IP].

• Isolate endpoint [HOST-A].

• Pull mailbox from Finance user + same campaign recipients.

• Start timeline on [HOST-A] (proc tree around 4688/4104/Sysmon 1).

• Create SIEM rule: EXCEL.EXE → powershell.exe with network.

---

2) Execution — PowerShell (TA0002 • T1059.001 / User Execution T1204.002)

Attacker action: Loader runs obfuscated PowerShell to stage an in-memory beacon.

Artifacts:

• PS 4104: base64/obf content; AMSI hits (if enabled).

• Sysmon 3: unusual connections from powershell.exe.

• EDR: LOLBins + AMSI bypass attempts.

Your move: What queries do you run, what do you capture (memory/disk), and how do you verify in-memory execution?

Example SOC play:

• Block PS with network if policy allows; kill offending process.

• Memory capture of [HOST-A] (EDR live response) to confirm injected module.

• SIEM hunt: Image=*\\powershell.exe AND (CommandLine=*FromBase64* OR *IEX* OR *DownloadString*).

---

3) Persistence — Run Keys / Scheduled Task (TA0003 • T1547.001 / T1053.005)

Attacker action: Adds HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater → [path]\beacon.exe and/or creates schtasks /create /sc minute /tn Updater.

Artifacts:

• Sysmon 13: Registry value set.

• Security 4698: Scheduled task created.

• Autoruns delta shows new entry.

 Your move: How do you enumerate + remove persistence safely?

Example SOC play:

• Export autoruns/registry keys; remove entries post-snapshot.

• Disable and delete suspicious scheduled tasks.

• Add detection: alert on new Run keys + 4698 unknown task names.

---

4) Privilege Escalation — Exploit/Token Abuse (TA0004 • T1068 / T1134.001)

Attacker action: Attempts SYSTEM via vulnerable service/driver or token impersonation on [HOST-A].

Artifacts:

• Security 4672: Special privileges.

• Sysmon 1: low-priv → high-priv proc chain (e.g., cmd.exe as SYSTEM).

• EDR exploit/tamper alerts.

 Your move: What indicators confirm elevation, and what containment/escalation do you perform?

Example SOC play:

• Snapshot access tokens/process owners; block exploit tool hash.

• Isolate host if not already; push hotfixes/EDR hardening policy.

• Hunt for SeDebugPrivilege processes from non-system parents.

---

5) Defense Evasion — Disable Security Tools / Obfuscation (TA0005 • T1562.001 / T1027)

Attacker action: Tries Set-MpPreference -DisableRealtimeMonitoring $true and drops packed binaries.

Artifacts:

• Microsoft Defender 5007 config change logs.

• EDR tamper protection alerts.

• New packed binaries with low reputation.

 Your move: What immediate protections do you re-enable and how do you harden?

Example SOC play:

• Force re-enable AV/EDR, rotate tamper protection password (if applicable).

• Block powershell.exe child procs for standard users temporarily.

• Add SIEM alert: Defender setting changes + non-admin callers.

---

6) Credential Access — LSASS Dump (TA0006 • T1003.001)

Attacker action: Attempts to read LSASS memory from a tool on [HOST-A].

Artifacts:

• Sysmon 10: lsass.exe access from non-system process.

• EDR: Credential theft heuristic.

• Security 4688: rundll32, procdump, suspicious signed binaries.

 Your move: What forensics do you grab, and how do you protect accounts?

Example SOC play:

• Kill offending proc; block tool hashes/signers.

• Reset passwords + revoke tokens for logged-on users on [HOST-A].

• Detections: alert on Sysmon 10 to lsass.exe excluding known AV paths.

---

7) Discovery — AD & Network Recon (TA0007 • T1087/T1018/T1046)

Attacker action: Runs whoami /all, nltest /dclist, net group "Domain Admins" /domain, network scans.

Artifacts:

• Security 4688: cmd.exe, net.exe, nltest.exe, dsquery.exe.

• Lateral enumeration spikes in Windows event/network telemetry.

 Your move: How do you distinguish benign admin activity vs recon, and what do you scope?

Example SOC play:

• Baseline admin tool usage; flag tool use from non-admin workstations.

• Correlate enumeration → subsequent auth attempts to servers.

• Suppress noise; raise on sequences (whoami→nltest→net group).

---

8) Lateral Movement — SMB Admin Shares / PsExec (TA0008 • T1021.002)

Attacker action: Uses stolen creds to push service over \\[TARGET]\ADMIN$, or PsExec to [SERVER-1].

Artifacts:

• Security 4624 (Type 3) from [HOST-A] to [SERVER-1] with uncommon account.

• Service creation 7045 / PsExec service artifacts.

• Sysmon 3: SMB bursts; Sysmon 1: psexesvc.exe.

 Your move: What blocks do you place and how do you trace blast radius?

Example SOC play:

• Disable account used; block host-to-host SMB temporarily where feasible.

• Isolate [SERVER-1]; pull service creation/event logs.

• Hunt for same creds against other servers (pivot map).

---

9) Command & Control — HTTPS Beacon (TA0011 • T1071.001)

Attacker action: Beacon over HTTPS with jitter/SNI to [C2_DOMAIN] (fronted).

Artifacts:

• Proxy/TLS: unusual JA3/JA3S, rare SNI, short periodic beacons.

• DNS: rare domain, high NXDOMAIN siblings, newly registered domain.

• EDR: long-lived process with periodic network.

 Your move: How do you detect/contain C2 without burning all evidence?

Example SOC play:

• Block destination at DNS/Proxy; sinkhole if available.

• Capture PCAP before/after block; tag affected assets.

• Retro hunt: same SNI/JA3 across fleet; add rare-domain model.

---

10) Collection & Exfiltration — Archive & Upload (TA0009/TA0010 • T1560.001 / T1567.002)

Attacker action: Stages 7z a C:\Users\[USER]\AppData\Local\Temp\docs.7z → uploads to C2/cloud.

Artifacts:

• Security 4688: 7z.exe / tar.exe create archive in temp paths.

• DLP/proxy: large POST/PUT to rare external host.

• File creation spikes of .zip/.7z in user profile.

 Your move: What do you block and how do you prove what left?

Example SOC play:

• Block outbound to [C2_DOMAIN] and cloud storage destination.

• Grab proxy/DLP logs; compare bytes sent vs staged archive size.

• Contain user account; collect the staging dir for evidence.

---

11) Impact — Ransomware Prep/Execution (TA0040 • T1486)

Attacker action: Drops encryptor; shadow copy deletion; mass file writes.

Artifacts:

• vssadmin delete shadows /all /quiet (4688).

• EDR: high file rename/write rate; ransom note creation per directory.

• SMB: unusual write storms to file shares.

 Your move: What pre-encryption controls and last-mile containment do you apply?

Example SOC play:

• Preemptive: block vssadmin/wbadmin abuse; enable canary files & rate-limit share writes.

• Immediate: isolate infected machines; disable affected AD accounts.

• Restore from offline backups; forensics on initial vector; exec briefing.

---

Quick-use Detection Snippets (adapt to your SIEM)

• Splunk – PS suspicious:

  index=win* (EventCode=4104 OR EventCode=4688)
  (Image="*\\powershell.exe" OR ScriptBlockText="*FromBase64*" OR CommandLine="*IEX*")
  | stats count by host, user, CommandLine
  

• Elastic – LSASS access (Sysmon 10):

  event.code:10 and process.pe.original_file_name:lsass.exe and not process.executable:("C:\\Program Files\\Windows Defender\\*" "C:\\Program Files\\*.exe")
  

• Windows service creation:

  EventCode=7045 OR (EventCode=4697) | stats count by ServiceName, ServiceFileName, ComputerName