Sunday, September 7, 2025

Step-by-Step Red Team vs SOC interactive drill

Format per step: Attacker Action → Your Move (respond) → Example SOC Play

1) Initial Access — Spearphishing Attachment (TA0001 • T1566.001)

Attacker action: Finance user opens Q3_Report.xlsm, enables macros. Macro drops a loader and reaches out to [C2_DOMAIN].

Artifacts to expect:

  • Mail gateway alert on macro doc; attachment hash [HASH].

  • Security 4688: EXCEL.EXE → powershell.exe.

  • PowerShell 4104/4103: suspicious download/IEX strings.

  • Sysmon 1/3: powershell.exe spawned + outbound to [C2_IP]:443.

Your move: What do you triage first, and what do you block/contain?

Example SOC play (peek after you reply):

  • Quarantine the email campaign; block [HASH], [C2_DOMAIN], [C2_IP].

  • Isolate endpoint [HOST-A].

  • Pull mailbox from Finance user + same campaign recipients.

  • Start timeline on [HOST-A] (proc tree around 4688/4104/Sysmon 1).

  • Create SIEM rule: EXCEL.EXE → powershell.exe with network.
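The "EXCEL.EXE → powershell.exe with network" rule from the play above, written out as a correlation over Sysmon Event 1 (process create) and Event 3 (network connect). This is an added example, not code from the original drill; the records are constructed, the join key is Sysmon's ProcessGuid (PIDs get reused), and the set of Office parents is an assumption.

```python
# Added example (not from the original drill): correlate Sysmon Event 1 (process
# create) with Sysmon Event 3 (network connection) to implement the step-1 rule
# "EXCEL.EXE -> powershell.exe with network". All records below are constructed.
from collections import defaultdict

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}  # assumption: Office apps of interest

def basename(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

# Constructed sample telemetry; ProcessGuid is the Sysmon join key (PIDs are reused).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "HOST-A", "ProcessGuid": "{guid-a1}", "User": "CORP\\finance01",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
    {"EventID": 3, "Computer": "HOST-A", "ProcessGuid": "{guid-a1}",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: PowerShell started from Explorer by an admin, WinRM to an internal host.
    {"EventID": 1, "Computer": "HOST-B", "ProcessGuid": "{guid-b1}", "User": "CORP\\admin01",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "Computer": "HOST-B", "ProcessGuid": "{guid-b1}",
     "DestinationIp": "10.0.0.5", "DestinationPort": 5985},
    # Office-spawned PowerShell with no network activity: worth a look, but not this rule.
    {"EventID": 1, "Computer": "HOST-C", "ProcessGuid": "{guid-c1}", "User": "CORP\\finance02",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
]

def office_spawned_powershell_with_network(events):
    """Return one alert per Office-spawned powershell.exe that also made an outbound connection."""
    spawned = {}               # ProcessGuid -> Event 1 record for Office -> powershell.exe
    conns = defaultdict(list)  # ProcessGuid -> Event 3 records
    for e in events:
        if (e["EventID"] == 1 and basename(e["Image"]) == "powershell.exe"
                and basename(e["ParentImage"]) in OFFICE_PARENTS):
            spawned[e["ProcessGuid"]] = e
        elif e["EventID"] == 3:
            conns[e["ProcessGuid"]].append(e)
    alerts = []
    for guid, proc in spawned.items():
        for c in conns.get(guid, []):
            alerts.append({"host": proc["Computer"], "user": proc["User"],
                           "parent": basename(proc["ParentImage"]),
                           "dest": f"{c['DestinationIp']}:{c['DestinationPort']}"})
    return alerts
```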


2) Execution — PowerShell (TA0002 • T1059.001 / User Execution T1204.002)

Attacker action: Loader runs obfuscated PowerShell to stage an in-memory beacon.

Artifacts:

  • PS 4104: base64/obf content; AMSI hits (if enabled).

  • Sysmon 3: unusual connections from powershell.exe.

  • EDR: LOLBins + AMSI bypass attempts.

Your move: What queries do you run, what do you capture (memory/disk), and how do you verify in-memory execution?

Example SOC play:

  • Block PS with network if policy allows; kill offending process.

  • Memory capture of [HOST-A] (EDR live response) to confirm injected module.

  • SIEM hunt: Image=*\\powershell.exe AND (CommandLine=*FromBase64* OR *IEX* OR *DownloadString*).


3) Persistence — Run Keys / Scheduled Task (TA0003 • T1547.001 / T1053.005)

Attacker action: Adds HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater → [path]\beacon.exe and/or creates schtasks /create /sc minute /tn Updater.

Artifacts:

  • Sysmon 13: Registry value set.

  • Security 4698: Scheduled task created.

  • Autoruns delta shows new entry.

Your move: How do you enumerate + remove persistence safely?

Example SOC play:

  • Export autoruns/registry keys; remove entries post-snapshot.

  • Disable and delete suspicious scheduled tasks.

  • Add detection: alert on new Run keys + 4698 unknown task names.


4) Privilege Escalation — Exploit/Token Abuse (TA0004 • T1068 / T1134.001)

Attacker action: Attempts SYSTEM via vulnerable service/driver or token impersonation on [HOST-A].

Artifacts:

  • Security 4672: Special privileges.

  • Sysmon 1: low-priv → high-priv proc chain (e.g., cmd.exe as SYSTEM).

  • EDR exploit/tamper alerts.

Your move: What indicators confirm elevation, and what containment/escalation do you perform?

Example SOC play:

  • Snapshot access tokens/process owners; block exploit tool hash.

  • Isolate host if not already; push hotfixes/EDR hardening policy.

  • Hunt for SeDebugPrivilege processes from non-system parents.


5) Defense Evasion — Disable Security Tools / Obfuscation (TA0005 • T1562.001 / T1027)

Attacker action: Tries Set-MpPreference -DisableRealtimeMonitoring $true and drops packed binaries.

Artifacts:

  • Microsoft Defender 5007 config change logs.

  • EDR tamper protection alerts.

  • New packed binaries with low reputation.

Your move: What immediate protections do you re-enable and how do you harden?

Example SOC play:

  • Force re-enable AV/EDR, rotate tamper protection password (if applicable).

  • Block powershell.exe child procs for standard users temporarily.

  • Add SIEM alert: Defender setting changes + non-admin callers.


6) Credential Access — LSASS Dump (TA0006 • T1003.001)

Attacker action: Attempts to read LSASS memory from a tool on [HOST-A].

Artifacts:

  • Sysmon 10: lsass.exe access from non-system process.

  • EDR: Credential theft heuristic.

  • Security 4688: rundll32, procdump, suspicious signed binaries.

Your move: What forensics do you grab, and how do you protect accounts?

Example SOC play:

  • Kill offending proc; block tool hashes/signers.

  • Reset passwords + revoke tokens for logged-on users on [HOST-A].

  • Detections: alert on Sysmon 10 to lsass.exe excluding known AV paths.


7) Discovery — AD & Network Recon (TA0007 • T1087/T1018/T1046)

Attacker action: Runs whoami /all, nltest /dclist, net group "Domain Admins" /domain, network scans.

Artifacts:

  • Security 4688: cmd.exe, net.exe, nltest.exe, dsquery.exe.

  • Lateral enumeration spikes in Windows event/network telemetry.

Your move: How do you distinguish benign admin activity vs recon, and what do you scope?

Example SOC play:

  • Baseline admin tool usage; flag tool use from non-admin workstations.

  • Correlate enumeration → subsequent auth attempts to servers.

  • Suppress noise; raise on sequences (whoami → nltest → net group).
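The sequence detection from the last bullet, as an added example that is not part of the original drill: Security 4688 records are grouped per host and user, and an alert fires only when whoami, nltest and net group run in that order inside a window. The records are constructed, and the 10-minute window is an assumption.

```python
# Added example (not part of the original drill): raise on the ordered recon
# sequence whoami -> nltest -> net group from Security 4688 records, per host and
# user, inside a time window. Records are constructed; field names follow 4688.
from collections import defaultdict
from datetime import datetime, timedelta

# (process name, required command-line substring or None), in the order they must occur
RECON_SEQUENCE = [("whoami.exe", None), ("nltest.exe", None), ("net.exe", "group")]
WINDOW = timedelta(minutes=10)   # assumption: a recon burst completes within 10 minutes

def _evt(ts, host, user, cmd):
    # Build a minimal 4688-style record from a command line (constructed data).
    exe = cmd.split()[0]
    return {"ts": datetime(2025, 9, 7, *ts), "Computer": host, "SubjectUserName": user,
            "NewProcessName": "C:\\Windows\\System32\\" + exe, "CommandLine": cmd}

SAMPLE_4688 = [
    _evt((10, 0), "HOST-A", "finance01", "whoami.exe /all"),
    _evt((10, 2), "HOST-A", "finance01", "nltest.exe /dclist:corp"),
    _evt((10, 3), "HOST-A", "finance01", 'net.exe group "Domain Admins" /domain'),
    # Admin on HOST-B: same commands, but spread over 40 minutes (routine work)
    _evt((9, 0), "HOST-B", "admin01", "whoami.exe /all"),
    _evt((9, 30), "HOST-B", "admin01", "nltest.exe /dclist:corp"),
    _evt((9, 40), "HOST-B", "admin01", 'net.exe group "Domain Admins" /domain'),
    # net.exe without "group" must not satisfy the last stage
    _evt((11, 0), "HOST-C", "finance02", "whoami.exe /all"),
    _evt((11, 1), "HOST-C", "finance02", "nltest.exe /dclist:corp"),
    _evt((11, 2), "HOST-C", "finance02", "net.exe use Z: \\\\fileserver\\share"),
]

def _matches(event, stage):
    name, needle = RECON_SEQUENCE[stage]
    return (event["NewProcessName"].rsplit("\\", 1)[-1].lower() == name
            and (needle is None or needle in event["CommandLine"].lower()))

def detect_recon_sequence(events, window=WINDOW):
    # Returns (host, user, start, end) for each actor completing the sequence in order.
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[(e["Computer"], e["SubjectUserName"])].append(e)
    hits = []
    for (host, user), evs in by_actor.items():
        stage, start = 0, None
        for e in evs:
            if start is not None and e["ts"] - start > window:   # window expired: start over
                stage, start = 0, None
            if _matches(e, stage):
                start = start or e["ts"]
                stage += 1
                if stage == len(RECON_SEQUENCE):
                    hits.append((host, user, start, e["ts"]))
                    stage, start = 0, None
    return hits
```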


8) Lateral Movement — SMB Admin Shares / PsExec (TA0008 • T1021.002)

Attacker action: Uses stolen creds to push service over \\[TARGET]\ADMIN$, or PsExec to [SERVER-1].

Artifacts:

  • Security 4624 (Type 3) from [HOST-A] to [SERVER-1] with uncommon account.

  • Service creation 7045 / PsExec service artifacts.

  • Sysmon 3: SMB bursts; Sysmon 1: psexesvc.exe.

Your move: What blocks do you place and how do you trace blast radius?

Example SOC play:

  • Disable account used; block host-to-host SMB temporarily where feasible.

  • Isolate [SERVER-1]; pull service creation/event logs.

  • Hunt for same creds against other servers (pivot map).


9) Command & Control — HTTPS Beacon (TA0011 • T1071.001)

Attacker action: Beacon over HTTPS with jitter/SNI to [C2_DOMAIN] (fronted).

Artifacts:

  • Proxy/TLS: unusual JA3/JA3S, rare SNI, short periodic beacons.

  • DNS: rare domain, high NXDOMAIN siblings, newly registered domain.

  • EDR: long-lived process with periodic network.

Your move: How do you detect/contain C2 without burning all evidence?

Example SOC play:

  • Block destination at DNS/Proxy; sinkhole if available.

  • Capture PCAP before/after block; tag affected assets.

  • Retro hunt: same SNI/JA3 across fleet; add rare-domain model.
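The "short periodic beacons" artifact above, turned into a scoring check over proxy/TLS records as an added example (not the drill's own code): per (source, SNI) pair it measures how regular the connection intervals are, since a jittered beacon keeps a small spread around its sleep time while interactive browsing does not. The records, the placeholder domain and the thresholds (8 connections, 30% jitter) are all constructed assumptions.

```python
# Added example (not from the original drill): score (src, SNI) pairs for
# beaconing by the coefficient of variation of their connection intervals.
# All records are constructed sample data; thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

def _series(src, sni, start, gaps_s):
    # Expand a list of inter-connection gaps into proxy-style records (constructed).
    ts, out = start, [{"ts": start, "src": src, "sni": sni}]
    for g in gaps_s:
        ts += timedelta(seconds=g)
        out.append({"ts": ts, "src": src, "sni": sni})
    return out

T0 = datetime(2025, 9, 7, 10, 0, 0)
SAMPLE_PROXY = (
    # 60 s sleep with roughly 10% jitter to a placeholder C2 domain
    _series("10.0.0.21", "c2-placeholder.example", T0, [60, 66, 54, 63, 57, 60, 65, 55, 60])
    # bursty interactive browsing to a legitimate site
    + _series("10.0.0.21", "www.example.com", T0, [2, 300, 5, 1200, 7, 45, 900, 3, 60])
    # too few connections to judge
    + _series("10.0.0.22", "cdn.example.net", T0, [30, 30])
)

def beacon_score(timestamps):
    """Return (median_gap_s, jitter) where jitter = stdev/mean of the gaps."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return median(gaps), (pstdev(gaps) / m if m else 0.0)

def find_beacons(records, min_conns=8, max_jitter=0.3):
    """Flag (src, sni) pairs with at least min_conns connections and a low interval spread."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["sni"])].append(r["ts"])
    hits = []
    for (src, sni), ts in by_pair.items():
        if len(ts) < min_conns:
            continue                      # not enough samples to call it periodic
        med, jitter = beacon_score(sorted(ts))
        if jitter <= max_jitter:
            hits.append({"src": src, "sni": sni, "count": len(ts),
                         "median_s": med, "jitter": round(jitter, 2)})
    return hits
```

Pair the flagged median interval with the process/EDR view (the long-lived process with periodic network) before blocking, so the PCAP and host evidence from the play above are captured first.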


10) Collection & Exfiltration — Archive & Upload (TA0009/TA0010 • T1560.001 / T1567.002)

Attacker action: Stages 7z a C:\Users\[USER]\AppData\Local\Temp\docs.7z → uploads to C2/cloud.

Artifacts:

  • Security 4688: 7z.exe / tar.exe create archive in temp paths.

  • DLP/proxy: large POST/PUT to rare external host.

  • File creation spikes of .zip/.7z in user profile.

Your move: What do you block and how do you prove what left?

Example SOC play:

  • Block outbound to [C2_DOMAIN] and cloud storage destination.

  • Grab proxy/DLP logs; compare bytes sent vs staged archive size.

  • Contain user account; collect the staging dir for evidence.


11) Impact — Ransomware Prep/Execution (TA0040 • T1486)

Attacker action: Drops encryptor; shadow copy deletion; mass file writes.

Artifacts:

  • vssadmin delete shadows /all /quiet (4688).

  • EDR: high file rename/write rate; ransom note creation per directory.

  • SMB: unusual write storms to file shares.

Your move: What pre-encryption controls and last-mile containment do you apply?

Example SOC play:

  • Preemptive: block vssadmin/wbadmin abuse; enable canary files & rate-limit share writes.

  • Immediate: isolate infected machines; disable affected AD accounts.

  • Restore from offline backups; forensics on initial vector; exec briefing.


Quick-use Detection Snippets (adapt to your SIEM)

  • Splunk – PS suspicious:

    index=win* (EventCode=4104 OR EventCode=4688)
    (Image="*\\powershell.exe" OR ScriptBlockText="*FromBase64*" OR CommandLine="*IEX*")
    | stats count by host, user, CommandLine
    
  • Elastic – LSASS access (Sysmon 10):

    event.code:10 and winlog.event_data.TargetImage:*lsass.exe and not process.executable:("C:\\Program Files\\Windows Defender\\*" or "C:\\Program Files\\*.exe")

    (For Sysmon 10, TargetImage is the process being accessed and process.executable the process doing the accessing; check your ingest pipeline's field names. Excluding every .exe under Program Files is a broad allow-list, so tighten it to known AV/EDR paths once you have a baseline.)
    
  • Windows service creation:

    EventCode=7045 OR (EventCode=4697) | stats count by ServiceName, ServiceFileName, ComputerName
    
