Format per step: Attacker Action → Your Move (respond) → Example SOC Play

1) Initial Access — Spearphishing Attachment (TA0001 • T1566.001)
Attacker action: Finance user opens `Q3_Report.xlsm`, enables macros. Macro drops a loader and reaches out to [C2_DOMAIN].
Artifacts to expect:
- Mail gateway alert on macro doc; attachment hash [HASH].
- Security 4688: `EXCEL.EXE` → `powershell.exe`.
- PowerShell 4104/4103: suspicious download/`IEX` strings.
- Sysmon 1/3: `powershell.exe` spawned + outbound to [C2_IP]:443.
Your move: What do you triage first, and what do you block/contain?
Example SOC play (peek after you reply):
- Quarantine the email campaign; block [HASH], [C2_DOMAIN], [C2_IP].
- Isolate endpoint [HOST-A].
- Pull the message from the Finance user's mailbox and from the other recipients of the same campaign.
- Start timeline on [HOST-A] (proc tree around 4688/4104/Sysmon 1).
- Create SIEM rule: `EXCEL.EXE` → `powershell.exe` with network.

2) Execution — PowerShell (TA0002 • T1059.001 / User Execution T1204.002)
Attacker action: Loader runs obfuscated PowerShell to stage an in-memory beacon.
Artifacts:
- PS 4104: base64/obfuscated content; AMSI hits (if enabled).
- Sysmon 3: unusual connections from `powershell.exe`.
- EDR: LOLBins + AMSI bypass attempts.
Your move: What queries do you run, what do you capture (memory/disk), and how do you verify in-memory execution?
Example SOC play:
- Block PS with network if policy allows; kill offending process.
- Memory capture of [HOST-A] (EDR live response) to confirm injected module.
- SIEM hunt: `Image=*\\powershell.exe AND (CommandLine=*FromBase64* OR *IEX* OR *DownloadString*)`.
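Added example, not from the original post: the correlation behind the step 1 SIEM rule (Office parent → `powershell.exe` with network) combined with the step 2 command-line hunt. Events are constructed and already normalised from Security 4688 and Sysmon 3; the `WINDOW` of 60 s and the host/pid join key are assumptions, and 203.0.113.10 stands in for [C2_IP].

```python
import re

# Constructed events (not from the original post), normalised from Security 4688
# (process creation) and Sysmon 3 (network connection). 203.0.113.10 stands in for [C2_IP].
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": 4688, "host": "HOST-A", "pid": 5200, "image": PS, "ts": 102,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 3, "host": "HOST-A", "pid": 5200, "image": PS, "ts": 104, "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 4688, "host": "HOST-B", "pid": 777, "image": PS, "ts": 200,
     "parent_image": r"C:\Windows\explorer.exe", "cmd": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"id": 3, "host": "HOST-B", "pid": 777, "image": PS, "ts": 201, "dest_ip": "10.0.0.5", "dest_port": 445},
    {"id": 4688, "host": "HOST-C", "pid": 910, "image": PS, "ts": 300,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmd": "powershell.exe Get-Date"},
]
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Command-line tells from the step 2 hunt (FromBase64 / IEX / DownloadString) plus the encoded-command switch.
SUSPICIOUS_CMD = re.compile(r"frombase64|\biex\b|invoke-expression|downloadstring|-e(nc|ncodedcommand)\b", re.I)
WINDOW = 60  # assumed: seconds allowed between the spawn and its first outbound connection


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_powershell_with_network(events, window=WINDOW):
    """Join Office -> powershell.exe spawns (4688) to a later outbound connection (Sysmon 3) on host+pid."""
    spawns = {(e["host"], e["pid"]): e for e in events
              if e["id"] == 4688 and basename(e["image"]) == "powershell.exe"
              and basename(e["parent_image"]) in OFFICE_PARENTS}
    alerts = []
    for e in events:
        spawn = spawns.get((e["host"], e["pid"])) if e["id"] == 3 else None
        if spawn and 0 <= e["ts"] - spawn["ts"] <= window:
            alerts.append({"host": e["host"], "pid": e["pid"],
                           "parent": basename(spawn["parent_image"]),
                           "dest": f"{e['dest_ip']}:{e['dest_port']}",
                           "suspicious_cmdline": bool(SUSPICIOUS_CMD.search(spawn["cmd"]))})
    return alerts


if __name__ == "__main__":
    for a in office_spawned_powershell_with_network(EVENTS):
        print(a)
```

HOST-B (explorer parent) and HOST-C (Office parent but no connection) stay quiet; only the HOST-A chain fires, with the encoded command line flagged for the step 2 triage.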
3) Persistence — Run Keys / Scheduled Task (TA0003 • T1547.001 / T1053.005)
Attacker action: Adds `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater` → `[path]\beacon.exe` and/or creates `schtasks /create /sc minute /tn Updater`.
Artifacts:
- Sysmon 13: Registry value set.
- Security 4698: Scheduled task created.
- Autoruns delta shows new entry.
Your move: How do you enumerate + remove persistence safely?
Example SOC play:
- Export autoruns/registry keys; remove entries post-snapshot.
- Disable and delete suspicious scheduled tasks.
- Add detection: alert on new Run keys + 4698 with unknown task names.

4) Privilege Escalation — Exploit/Token Abuse (TA0004 • T1068 / T1134.001)
Attacker action: Attempts SYSTEM via vulnerable service/driver or token impersonation on [HOST-A].
Artifacts:
- Security 4672: Special privileges assigned to new logon.
- Sysmon 1: low-priv → high-priv proc chain (e.g., `cmd.exe` as SYSTEM).
- EDR exploit/tamper alerts.
Your move: What indicators confirm elevation, and what containment/escalation do you perform?
Example SOC play:
- Snapshot access tokens/process owners; block exploit tool hash.
- Isolate host if not already; push hotfixes/EDR hardening policy.
- Hunt for `SeDebugPrivilege` processes from non-system parents.

5) Defense Evasion — Disable Security Tools / Obfuscation (TA0005 • T1562.001 / T1027)
Attacker action: Tries `Set-MpPreference -DisableRealtimeMonitoring $true` and drops packed binaries.
Artifacts:
- Microsoft Defender 5007 config change logs.
- EDR tamper protection alerts.
- New packed binaries with low reputation.
Your move: What immediate protections do you re-enable and how do you harden?
Example SOC play:
- Force re-enable AV/EDR; rotate tamper protection password (if applicable).
- Block `powershell.exe` child procs for standard users temporarily.
- Add SIEM alert: Defender setting changes + non-admin callers.

6) Credential Access — LSASS Dump (TA0006 • T1003.001)
Attacker action: Attempts to read LSASS memory from a tool on [HOST-A].
Artifacts:
- Sysmon 10: `lsass.exe` access from non-system process.
- EDR: Credential theft heuristic.
- Security 4688: `rundll32`, `procdump`, suspicious signed binaries.
Your move: What forensics do you grab, and how do you protect accounts?
Example SOC play:
- Kill offending proc; block tool hashes/signers.
- Reset passwords + revoke tokens for logged-on users on [HOST-A].
- Detections: alert on Sysmon 10 to `lsass.exe`, excluding known AV paths.

7) Discovery — AD & Network Recon (TA0007 • T1087/T1018/T1046)
Attacker action: Runs `whoami /all`, `nltest /dclist`, `net group "Domain Admins" /domain`, network scans.
Artifacts:
- Security 4688: `cmd.exe`, `net.exe`, `nltest.exe`, `dsquery.exe`.
- Lateral enumeration spikes in Windows event/network telemetry.
Your move: How do you distinguish benign admin activity vs recon, and what do you scope?
Example SOC play:
- Baseline admin tool usage; flag tool use from non-admin workstations.
- Correlate enumeration → subsequent auth attempts to servers.
- Suppress noise; raise on sequences (`whoami` → `nltest` → `net group`).
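Added example, not from the original post: the step 7 sequence rule (`whoami` → `nltest` → `net group`) with the admin-workstation baseline used for noise suppression. The 4688 events, the `ADMIN_WORKSTATIONS` baseline and the 600 s `WINDOW` are constructed assumptions.

```python
from collections import defaultdict

# Constructed 4688 process-creation events (not from the original post): (host, user, ts_seconds, command line).
EVENTS = [
    ("WS-042", "jdoe", 1000, "whoami /all"),
    ("WS-042", "jdoe", 1020, "nltest /dclist:corp"),
    ("WS-042", "jdoe", 1050, 'net group "Domain Admins" /domain'),
    ("ADMIN-JUMP01", "admin.kim", 2000, "whoami /all"),
    ("ADMIN-JUMP01", "admin.kim", 2005, "nltest /dclist:corp"),
    ("ADMIN-JUMP01", "admin.kim", 2010, 'net group "Domain Admins" /domain'),
    ("WS-077", "asmith", 3000, "whoami /all"),
    ("WS-077", "asmith", 9000, "nltest /dclist:corp"),  # hours apart: not one recon burst
]
SEQUENCE = ["whoami", "nltest", "net group"]   # ordered stages from the playbook, matched as lowercase substrings
ADMIN_WORKSTATIONS = {"ADMIN-JUMP01"}          # assumed baseline: hosts where this tooling is expected
WINDOW = 600                                   # assumed: seconds the whole sequence must fit in


def detect_recon_sequences(events, sequence=SEQUENCE, window=WINDOW, baseline=ADMIN_WORKSTATIONS):
    """Alert on (host, user) pairs that run every stage of `sequence`, in order, within `window` seconds."""
    by_actor = defaultdict(list)
    for host, user, ts, cmd in sorted(events, key=lambda e: e[2]):
        by_actor[(host, user)].append((ts, cmd.lower()))
    hits = []
    for (host, user), cmds in by_actor.items():
        if host in baseline:          # baselined admin hosts are suppressed, not scored
            continue
        stage, start = 0, None
        for ts, cmd in cmds:
            if start is not None and ts - start > window:
                stage, start = 0, None  # the partial sequence expired; look for a fresh start
            if sequence[stage] in cmd:
                if stage == 0:
                    start = ts
                stage += 1
                if stage == len(sequence):
                    hits.append({"host": host, "user": user, "start": start, "end": ts})
                    stage, start = 0, None
    return hits


if __name__ == "__main__":
    for h in detect_recon_sequences(EVENTS):
        print(h)
```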
8) Lateral Movement — SMB Admin Shares / PsExec (TA0008 • T1021.002)
Attacker action: Uses stolen creds to push a service over `\\[TARGET]\ADMIN$`, or PsExec to [SERVER-1].
Artifacts:
- Security 4624 (Logon Type 3) from [HOST-A] to [SERVER-1] with uncommon account.
- Service creation 7045 / PsExec service artifacts.
- Sysmon 3: SMB bursts; Sysmon 1: `psexesvc.exe`.
Your move: What blocks do you place and how do you trace blast radius?
Example SOC play:
- Disable account used; block host-to-host SMB temporarily where feasible.
- Isolate [SERVER-1]; pull service creation/event logs.
- Hunt for same creds against other servers (pivot map).

9) Command & Control — HTTPS Beacon (TA0011 • T1071.001)
Attacker action: Beacon over HTTPS with jitter/SNI to [C2_DOMAIN] (fronted).
Artifacts:
- Proxy/TLS: unusual JA3/JA3S, rare SNI, short periodic beacons.
- DNS: rare domain, high NXDOMAIN siblings, newly registered domain.
- EDR: long-lived process with periodic network.
Your move: How do you detect/contain C2 without burning all evidence?
Example SOC play:
- Block destination at DNS/Proxy; sinkhole if available.
- Capture PCAP before/after block; tag affected assets.
- Retro hunt: same SNI/JA3 across fleet; add rare-domain model.
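Added example, not from the original post: the "short periodic beacons" check from step 9, scored as the coefficient of variation of inter-arrival gaps per (source, SNI) pair so that a jittered beacon still stands out from browsing. The proxy log format, the SNI names and the thresholds (`min_conns`, `max_cv`) are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed proxy log (not from the original post): "epoch src_ip sni bytes_out" per TLS connection.
PROXY_LOG = """\
1700000000 10.1.1.20 updates.example-cdn.net 1200
1700000061 10.1.1.20 updates.example-cdn.net 1180
1700000118 10.1.1.20 updates.example-cdn.net 1210
1700000182 10.1.1.20 updates.example-cdn.net 1195
1700000239 10.1.1.20 updates.example-cdn.net 1205
1700000301 10.1.1.20 updates.example-cdn.net 1190
1700000005 10.1.1.30 www.example.com 54000
1700000009 10.1.1.30 www.example.com 120000
1700000400 10.1.1.30 www.example.com 3000
1700001900 10.1.1.30 www.example.com 88000
"""


def parse(log):
    """Group connections by (source, SNI): list of (timestamp, bytes)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, sni, size = line.split()
        flows[(src, sni)].append((int(ts), int(size)))
    return flows


def gap_stats(timestamps):
    """Mean inter-arrival gap and its coefficient of variation; CV near 0 means machine-like periodicity."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 4:
        return None, None  # too few connections to call it periodic
    mean = statistics.mean(gaps)
    return (mean, statistics.pstdev(gaps) / mean) if mean > 0 else (None, None)


def find_beacons(log, min_conns=5, max_cv=0.2):
    """Flag (src, sni) pairs with at least min_conns connections whose gaps vary by no more than max_cv."""
    hits = []
    for (src, sni), conns in parse(log).items():
        ts = sorted(t for t, _ in conns)
        mean_gap, cv = gap_stats(ts)
        if len(ts) >= min_conns and cv is not None and cv <= max_cv:
            sizes = [s for _, s in conns]
            hits.append({"src": src, "sni": sni, "count": len(ts), "mean_gap": round(mean_gap, 1),
                         "cv": round(cv, 3), "size_spread": max(sizes) - min(sizes)})
    return hits


if __name__ == "__main__":
    for h in find_beacons(PROXY_LOG):
        print(h)
```

A small `size_spread` alongside a low `cv` is the shape of an idle check-in; the browsing flow to www.example.com has too few connections and irregular gaps, so it is not reported.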
10) Collection & Exfiltration — Archive & Upload (TA0009/TA0010 • T1560.001 / T1567.002)
Attacker action: Stages `7z a C:\Users\[USER]\AppData\Local\Temp\docs.7z` → uploads to C2/cloud.
Artifacts:
- Security 4688: `7z.exe`/`tar.exe` create archive in temp paths.
- DLP/proxy: large POST/PUT to rare external host.
- File creation spikes of `.zip`/`.7z` in user profile.
Your move: What do you block and how do you prove what left?
Example SOC play:
- Block outbound to [C2_DOMAIN] and cloud storage destination.
- Grab proxy/DLP logs; compare bytes sent vs staged archive size.
- Contain user account; collect the staging dir for evidence.

11) Impact — Ransomware Prep/Execution (TA0040 • T1486)
Attacker action: Drops encryptor; shadow copy deletion; mass file writes.
Artifacts:
- `vssadmin delete shadows /all /quiet` (4688).
- EDR: high file rename/write rate; ransom note creation per directory.
- SMB: unusual write storms to file shares.
Your move: What pre-encryption controls and last-mile containment do you apply?
Example SOC play:
- Preemptive: block `vssadmin`/`wbadmin` abuse; enable canary files & rate-limit share writes.
- Immediate: isolate infected machines; disable affected AD accounts.
- Restore from offline backups; forensics on initial vector; exec briefing.
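Added example, not from the original post: the two step 11 artifacts turned into detection logic, a sliding-window write-rate check per process (the basis for rate-limiting share writes) and a "note-like file dropped in many directories" check. The Sysmon 11 events, the hint words and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed Sysmon 11 (FileCreate) events, not from the original post:
# (ts_seconds, host, pid, image, target_file)
EVENTS = []
for i in range(150):  # an encryptor rewriting a share at ~2.5 files/sec
    EVENTS.append((1000 + i * 0.4, "FS-01", 6100, r"C:\Users\Public\enc.exe",
                   rf"\\FS-01\finance\dir{i % 6}\doc{i}.docx.locked"))
for d in range(6):     # one ransom note per directory it touched
    EVENTS.append((1000 + d * 10, "FS-01", 6100, r"C:\Users\Public\enc.exe",
                   rf"\\FS-01\finance\dir{d}\README_RESTORE_FILES.txt"))
for i in range(20):    # a user saving documents at a human pace
    EVENTS.append((1000 + i * 3, "WS-042", 880, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                   rf"C:\Users\jdoe\Documents\memo{i}.docx"))

NOTE_HINTS = ("readme", "decrypt", "restore", "recover", "how_to")  # assumed ransom-note filename tells


def find_write_storms(events, window=60, write_threshold=100, note_dirs_threshold=3):
    """Flag (host, pid) exceeding write_threshold creates in any window, or dropping note-like files in many dirs."""
    per_proc = defaultdict(list)
    for ts, host, pid, image, path in sorted(events):
        per_proc[(host, pid, image)].append((ts, path))
    alerts = []
    for (host, pid, image), writes in per_proc.items():
        peak, start = 0, 0
        for i, (ts, _) in enumerate(writes):        # sliding window over timestamps sorted ascending
            while writes[start][0] < ts - window:
                start += 1
            peak = max(peak, i - start + 1)
        note_dirs = {p.rsplit("\\", 1)[0] for _, p in writes
                     if any(h in p.rsplit("\\", 1)[-1].lower() for h in NOTE_HINTS)}
        reasons = []
        if peak >= write_threshold:
            reasons.append(f"{peak} file creates in {window}s")
        if len(note_dirs) >= note_dirs_threshold:
            reasons.append(f"note-like file in {len(note_dirs)} dirs")
        if reasons:
            alerts.append({"host": host, "pid": pid, "image": image, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_write_storms(EVENTS):
        print(a)
```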
Quick-use Detection Snippets (adapt to your SIEM)
- Splunk – PS suspicious:
  `index=win* (EventCode=4104 OR EventCode=4688) (Image="*\\powershell.exe" OR ScriptBlockText="*FromBase64*" OR CommandLine="*IEX*") | stats count by host, user, CommandLine`
- Elastic (KQL) – LSASS access (Sysmon 10); the accessed target is `lsass.exe`, the accessing process is excluded by path:
  `event.code:10 and winlog.event_data.TargetImage:"C:\\Windows\\System32\\lsass.exe" and not process.executable:("C:\\Program Files\\Windows Defender\\*" or "C:\\Program Files\\*.exe")`
- Splunk – Windows service creation:
  `EventCode=7045 OR EventCode=4697 | stats count by ServiceName, ServiceFileName, ComputerName`