13 KiB
13 KiB
Entry-Level SOC Analyst Cheatsheet
Security Monitoring Fundamentals
| Concept | Description | Examples |
|---|---|---|
| Security Incident | Any event that potentially threatens security | Malware infection, unauthorized access, data breach |
| Alert Triage | Process of evaluating and prioritizing alerts | Critical (1), High (2), Medium (3), Low (4) |
| False Positive | Alert that incorrectly indicates malicious activity | Legitimate admin activity flagged as suspicious |
| False Negative | Failure to detect actual malicious activity | Intrusion not generating alerts |
| IOC (Indicator of Compromise) | Evidence of potential security breach | Malicious IP, hash, domain, unusual behavior |
| TTP (Tactics, Techniques, Procedures) | Patterns of adversary behavior | MITRE ATT&CK framework behaviors |
| SIEM (Security Information and Event Management) | Centralized log collection and analysis platform | Splunk, ELK Stack, QRadar, LogRhythm |
| Use Case | Specific detection scenario with defined logic | Detect multiple failed logins across systems |
| Playbook | Step-by-step response procedure | Malware containment playbook |
Log Analysis Fundamentals
| Log Type | Key Information | Important Fields |
|---|---|---|
| Windows Event Logs | Windows system and security events | EventID, Account Name, Process ID, Logon Type |
| Authentication Logs | Login attempts and session data | Username, Source IP, Timestamp, Success/Failure |
| Firewall Logs | Network traffic allowed/blocked | Source/Destination IP, Port, Action, Protocol |
| Web Server Logs | HTTP/HTTPS request details | Client IP, Request URL, Status Code, User-Agent |
| DNS Logs | Domain resolution requests | Query Name, Query Type, Response, Client IP |
| Proxy Logs | Web traffic details | URL, User, Category, Action, Bytes Transferred |
| VPN Logs | Remote access connections | Username, Source IP, Connection Duration, Bytes |
| Email Logs | Email transaction details | Sender, Recipient, Subject, Attachments, Headers |
Critical Windows Event IDs
| Event ID | Description | Why It Matters |
|---|---|---|
| 4624 | Successful logon | Establish access patterns & identify unusual logins |
| 4625 | Failed logon | May indicate brute force attempts |
| 4720 | User account created | Potential unauthorized account creation |
| 4722 | User account enabled | Account status changes |
| 4724 | Password reset attempt | Potential credential compromise |
| 4728/4732/4756 | User added to security group | Privilege escalation |
| 4776 | Successful/failed account authentication | Credential validation activity |
| 7045 | Service installed | Potential persistence mechanism |
| 4688 | Process creation | Command execution monitoring |
| 4698 | Scheduled task created | Potential persistence technique |
| 1102 | Audit log cleared | Potential evidence tampering |
| 4672 | Special privileges assigned to new logon | Admin or sensitive privilege assignment |
Linux Logs to Monitor
| Log File | Content | Suspicious Signs |
|---|---|---|
/var/log/auth.log or /var/log/secure |
Authentication attempts | Multiple failed logins, unusual login times |
/var/log/syslog |
General system logs | Unexpected service restarts, errors |
/var/log/messages |
General system messages | System errors, hardware failures |
/var/log/apache2/access.log |
Web server access | Directory traversal, unusual user agents |
/var/log/apache2/error.log |
Web server errors | SQL injection attempts, execution errors |
/var/log/cron |
Scheduled task execution | Unauthorized cron jobs |
/var/log/lastlog |
Last login information | Login from unusual locations |
/var/log/wtmp & /var/log/btmp |
Login records & failed attempts | Multiple failed logins |
~/.bash_history |
Command history | Suspicious commands, data exfiltration |
SIEM Query Examples (Splunk SPL)
| Use Case | Example Query | Purpose |
|---|---|---|
| Failed Logins | index=windows EventCode=4625 | stats count by src_ip, user |
Detect potential brute force |
| Suspicious PowerShell | index=windows EventCode=4688 process="*powershell*" "-enc*" | table Computer, user, process, CommandLine |
Find encoded PowerShell commands |
| Account Creation | index=windows EventCode=4720 | table _time, user, Account_Name |
Monitor user creation |
| Privilege Escalation | index=windows (EventCode=4728 OR EventCode=4732 OR EventCode=4756) Group_Name="*admin*" | table _time, user, Account_Name, Group_Name |
Detect admin group additions |
| Lateral Movement | index=windows EventCode=4624 Logon_Type=3 | stats count by dest, src, user |
Identify network logons |
| Suspicious DNS | index=dns query_type=A | stats count by query, answer | where count < 5 |
Find rare DNS queries |
| Persistence | index=windows (EventCode=4698 OR EventCode=7045) | table _time, Computer, user, Service_Name, Service_File_Name |
Detect scheduled tasks or services |
| C2 Traffic | index=proxy method=POST | stats sum(bytes_out) as outbound by url, src_ip | where outbound > 1000000 |
Find large data uploads |
Common SOC Tools
| Tool Type | Examples | Use Cases |
|---|---|---|
| SIEM | Splunk, ELK Stack, QRadar | Centralized log analysis, alert generation |
| EDR | CrowdStrike, SentinelOne, Microsoft Defender for Endpoint | Endpoint protection and response |
| Network Monitoring | Wireshark, Zeek, Suricata | Packet analysis, network IDS |
| Threat Intelligence | VirusTotal, OTX, MISP | IOC lookup, threat data correlation |
| Sandbox | Cuckoo, ANY.RUN, Hybrid Analysis | Malware analysis in isolated environment |
| Vulnerability Scanner | Nessus, OpenVAS, Qualys | Identify system vulnerabilities |
| Case Management | TheHive, RTIR, ServiceNow | Track and manage incidents |
| Phishing Analysis | PhishTool, URL2PNG, Email Header Analyzer | Analyze suspicious emails |
Incident Response Steps
| Phase | Actions | Documentation |
|---|---|---|
| 1. Preparation | Develop IR plans, implement security controls | IR policy, playbooks, contact lists |
| 2. Identification | Detect and validate security incidents | Alert data, initial findings report |
| 3. Containment | Isolate affected systems to prevent spread | Containment actions report |
| 4. Eradication | Remove malware/compromise from systems | Cleanup procedures performed |
| 5. Recovery | Restore systems to normal operation | Recovery validation checklist |
| 6. Lessons Learned | Document findings and improve process | Post-incident report |
Common Attack Vectors & Detection Methods
| Attack Type | Indicators | Detection Methods |
|---|---|---|
| Phishing | Suspicious emails, malicious links/attachments | Email filtering logs, user reports, URL analysis |
| Malware | Unusual processes, network connections, file modifications | AV/EDR alerts, file hash analysis, behavioral analysis |
| Brute Force | Multiple failed authentication attempts | Auth logs, threshold alerting, account lockouts |
| Credential Stuffing | Successful logins from various locations/devices | Auth logs, impossible travel detection |
| Web Application Attacks | SQL injection, XSS, path traversal in web logs | WAF logs, web server logs, error patterns |
| Privilege Escalation | Unexpected admin actions, permission changes | User permission auditing, process monitoring |
| Data Exfiltration | Large outbound transfers, unusual destinations | Proxy/firewall logs, DLP alerts, NetFlow analysis |
| Living Off The Land | Abuse of legitimate tools (PowerShell, WMI, etc.) | Command-line logging, script block logging, behavioral analysis |
Network Traffic Analysis Basics
| Protocol | Port | Suspicious Indicators |
|---|---|---|
| HTTP/HTTPS | 80/443 | Unusual user-agents, base64 in URLs, unusual domains/paths |
| DNS | 53 | Domain generation algorithms, DNS tunneling, unusual TXT records |
| SMB | 445 | Unauthorized access attempts, unusual file operations |
| RDP | 3389 | Brute force attempts, unauthorized connections |
| SSH | 22 | Brute force attempts, connections from unusual locations |
| FTP | 21 | Anonymous access, unauthorized file transfers |
| SMTP/POP3/IMAP | 25, 110, 143 | Unusual volume, unauthorized relay attempts |
| NetFlow Indicators | N/A | Unusual data volume, beaconing, scan patterns |
Malware Types & Characteristics
| Malware Type | Behavior | Common Indicators |
|---|---|---|
| Virus | Self-replicating, infects other files | Modified system files, integrity failures |
| Worm | Self-propagating across networks | Unusual network traffic, port scanning |
| Trojan | Disguised as legitimate software | Unexpected network connections, hidden processes |
| Ransomware | Encrypts data for ransom | File encryption, ransom notes, destruction of backups |
| Rootkit | Hides deep in system to avoid detection | Hidden processes, modified system calls |
| Backdoor | Provides persistent remote access | Unexpected listening ports, unusual connections |
| Keylogger | Records keystrokes | Unusual process access to input devices, suspicious files |
| Fileless Malware | Operates in memory without files | PowerShell/WMI activity, unusual registry changes |
| Cryptominer | Uses resources to mine cryptocurrency | High CPU usage, mining pool connections |
Basic Threat Hunting Concepts
| Concept | Description | Example Implementation |
|---|---|---|
| Threat Hunting Hypothesis | Question-based approach to investigate potential compromise | "Are users running unsigned PowerShell scripts?" |
| IOC Searching | Hunting for known indicators | Search for known malicious hashes or domains |
| TTP Hunting | Hunting for attack techniques regardless of tools | Search for any evidence of credential dumping behavior |
| Baselining | Establishing normal to find abnormal | Document normal authentication patterns to spot anomalies |
| Stacking | Analyzing frequency distributions to find outliers | Stack process names to find rare processes |
| Clustering | Grouping similar events to spot anomalies | Cluster login times to find unusual access patterns |
MITRE ATT&CK Framework Fundamentals
| Tactic | Description | Example Techniques |
|---|---|---|
| Initial Access | How attackers get in | Phishing, exploitation of public-facing application |
| Execution | Running malicious code | Command line interface, PowerShell, scripts |
| Persistence | Maintaining access | Registry Run keys, scheduled tasks, startup items |
| Privilege Escalation | Getting higher permissions | Access token manipulation, bypass UAC |
| Defense Evasion | Avoiding detection | File deletion, clearing logs, obfuscation |
| Credential Access | Stealing credentials | Credential dumping, keylogging, brute force |
| Discovery | Learning the environment | Network/account/system discovery |
| Lateral Movement | Moving through environment | Pass the hash, remote services |
| Collection | Gathering data of interest | Input capture, screen capture, data from local system |
| Command and Control | Communicating with victims | Encrypted communications, web protocols |
| Exfiltration | Stealing data | Data compressed, encrypted, transferred |
| Impact | Disrupting business/operations | Data encryption, system shutdown, defacement |
Useful CLI Commands for Incident Response
| OS | Command | Purpose |
|---|---|---|
| Windows | Get-Process | Where-Object {$_.Company -eq $null} |
Find processes with no company name |
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4624} -MaxEvents 10 |
View recent successful logons | |
netstat -ano | findstr ESTABLISHED |
View established connections | |
schtasks /query /fo LIST /v |
List all scheduled tasks with details | |
wmic startup list full |
List all startup items | |
wmic process get caption,commandline,processid |
List running processes with command lines | |
| Linux | ps auxf |
Show process tree |
netstat -tulpn |
Show active connections and listening ports | |
lsof -i |
List open files and network connections | |
grep -i "failed password" /var/log/auth.log |
Find failed login attempts | |
find / -mtime -1 -ls |
Find files modified in the last day | |
cat /var/log/auth.log | grep -E 'session opened|session closed' |
Find user sessions |
Cyber Threat Intelligence Resources
| Resource Type | Examples | Use Cases |
|---|---|---|
| Open Source Feeds | AlienVault OTX, MISP, ThreatFox | Collect IOCs, research campaigns |
| Vendor Blogs | Mandiant, CrowdStrike, Microsoft Security | Technical analysis of threats |
| Government Resources | US-CERT, MS-ISAC, CISA Advisories | Vulnerability and threat alerts |
| Malware Databases | VirusTotal, Hybrid Analysis, MalwareBazaar | File reputation, malware analysis |
| IP/Domain Reputation | AbuseIPDB, Cisco Talos, URLhaus | Check for known malicious addresses |
| Sandbox Analysis | ANY.RUN, Joe Sandbox, Cuckoo | Dynamic malware analysis |