Introduction The main goal of this project is to gain a deeper understanding of the Tactics, Techniques, and Procedures (TTPs) that threat actors use to exploit their targets. Additionally, this project aims to develop and leverage detection rules to alert our Security Information and Event Management (SIEM) system, increasing visibility across our network and reducing response time to potential security incidents. What is a SIEM? A SIEM is a centralized system that ingests logs from any source where an agent is installed.

Scenario: Your organization uses AWS for hosting critical data and applications. An incident has been reported involving unauthorized data access and potential exfiltration. The organization’s security team has detected unusual activities and needs to investigate the incident to understand the scope, identify the attacker, and prevent further data breaches. Q1) Knowing which user account was compromised is essential for understanding the attacker’s initial entry point into the environment. What is the username of the compromised user?

Description: As a SOC analyst, you aim to investigate a security breach in an Active Directory network using Splunk SIEM (Security information and event management) solution to uncover the attacker’s steps and techniques while creating a timeline of their activities. The investigation begins with network enumeration to identify potential vulnerabilities. Using a specialized privilege escalation tool, the attacker exploited an unquoted service path vulnerability in a specific process. Once the attacker had elevated access, the attacker launched a DCsync attack to extract sensitive data from the Active Directory domain controller, compromising user accounts.

Tools: volatility2 volatility3 Autospy Capa-Explorer Outlook Forensics Wizard oletools wireshark scdbg event log explorer Registry Explorer Strings CFF Explorer Description: An ActiveDirectory compromise case: adversaries were able to take over the corporate domain controller. As a soc analyst, Investigate the case and reveal the Who, When, What, Where, Why, and How. Q1) What is the name of the first malware detected by Windows Defender? I first used autopsy to extract the eventlogs of importance namely, Security, System, Powershell, Application, TaskScheduler, and Windows Defender Ops.

Tools: Volatility2 Volatility3 Description: An employee reported that his machine started to act strangely after receiving a suspicious email for a security update. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. Analyze the dumps and help the SOC analysts team figure out what happened! Q1) Machine:Target1 What email address tricked the front desk employee into installing a security update? After unzipping the file, I began the investigation by running imageinfo to gather the OS information that will be needed for the profile parameter.

Tools: Wireshark Description: Our SOC team has detected suspicious activity on one of the web servers within the company’s intranet. To gain a deeper understanding of the situation, the team has captured network traffic for analysis. This pcap file potentially contains a series of malicious activities that have resulted in the compromise of the Apache Tomcat web server. We need to investigate this incident further. Q1) Given the suspicious activity detected on the web server, the pcap analysis shows a series of requests across various ports, suggesting a potential scanning behavior.