Before diving into specific techniques and tools, these foundational principles shape every security decision. A CSOC analyst who internalises these principles can reason about novel threats and make better triage decisions — even without a specific rule or runbook for the situation.

Two critical thinking frameworks for every CSOC analyst. The first corrects dangerous assumptions that lead to missed detections — knowing what security controls do not guarantee is as important as knowing what they do. The second builds pattern recognition: the ability to look at a log line and immediately know what attacker behaviour it suggests.

The foundational model for classifying the three core properties of information security. Every security control maps to at least one of these pillars.

Developed by Lockheed Martin. Defenders should aim to interrupt the chain as early as possible — ideally at Reconnaissance or Delivery. Later stages indicate deeper compromise.

A globally accessible knowledge base of adversary TTPs based on real-world observations. ATT&CK = Adversarial Tactics, Techniques, and Common Knowledge. The Enterprise matrix covers 14 tactics.

Effective detection requires understanding how attackers think and operate. Attackers follow predictable patterns — they seek the path of least resistance, reuse tools and infrastructure, and blend with legitimate activity. This section covers the core techniques every analyst should recognise on sight.

A reference index of the most common offensive techniques mapped to their detection methods and defensive controls. Use this section during investigation to quickly look up how a suspected technique works, what evidence it leaves, and what controls should have caught it. Pair with MITRE ATT&CK for technique IDs.

A taxonomy of malware families by their behaviour and goals. Understanding malware types enables faster triage — a fileless implant requires memory forensics, ransomware requires VSS investigation, a RAT requires C2 traffic analysis. Use this to scope the right response actions for each malware class.

The 7-layer model defines how communication occurs between systems. Each layer attacks are mapped to aid SOC analysts in identifying where a threat operates.

TCP and UDP behave fundamentally differently — TCP is connection-oriented (traceable), UDP is connectionless (harder to attribute). Use this to understand why certain attacks prefer UDP (DDoS amplification), why C2 may use HTTPS (TCP/443), and how to interpret connection state in firewall and netflow logs.

Ports 0–1023 are Well-Known (IANA-assigned). 1024–49151 are Registered. 49152–65535 are Dynamic/Ephemeral. Attackers frequently use non-standard ports or tunnel over common ports (80/443) to evade detection.

IPv4 subnetting determines which IP addresses belong together on a network segment. Use this section to quickly determine a host's network boundary, identify mis-routed traffic, or validate whether lateral movement crossed subnet boundaries — which is a significant escalation indicator.

Private IP ranges are reserved for internal networks and should never appear as source/destination in internet-routed traffic. Use this to identify RFC 1918 addresses in logs, spot traffic that should not be leaving your network, and detect potential NAT misconfigurations or tunneling attempts.

DNS is a hierarchical, distributed naming system. It's also a top C2 channel — DNS tunneling, DGA domains, and fast-flux are common attacker techniques.

Email is the #1 initial access vector. SPF, DKIM, and DMARC are the three DNS-based controls that together prevent spoofing and unauthorised sending. Understanding these helps you triage phishing emails, investigate mail headers, and validate whether an email claiming to be from a domain is legitimate.

example.com TXT "v=spf1 mx ip4:203.0.113.0/24 include:_spf.google.com -all"
# Reading left to right: check MX records, then the /24, then Google's SPF.
# If none match: FAIL (hard fail) — reject the email.

v=spf1 -all    → Domain sends NO email (null sender, bounce addresses)
v=spf1 +all    → ⚠️ Anyone can send — never use this in production

selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUA..."
# DNS lookup path: {selector}._domainkey.{d= domain}
# p= is the base64-encoded RSA or ed25519 public key
# Rotate selectors periodically — old selector can be retired by removing the DNS record

_dmarc.example.com TXT "v=DMARC1; p=reject; sp=reject; pct=100; aspf=r; adkim=r; rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com"

# Alignment modes:
# relaxed (r): subdomain match allowed — mail.example.com aligns with example.com
# strict (s):  exact match required   — mail.example.com does NOT align with example.com

HTTP status codes are the fastest way to triage web traffic anomalies in proxy and firewall logs. Use this section during threat hunting to spot reconnaissance (4xx spikes), exploitation attempts (500s), and redirect chains. Patterns in status codes across time often indicate scanners, fuzzing tools, or successful exploitation.

DHCP automatically assigns IP addresses and network configuration to hosts. Without it, every device would need manual IP configuration. From a blue team perspective, rogue DHCP servers are a classic attack vector — a malicious DHCP server can redirect DNS and default gateway traffic before a single packet leaves the host.

NAT translates private IP addresses to public IPs at the network boundary, enabling many devices to share a single public IP. It is the reason the IPv4 address space has not been exhausted — and a key reason why tracking internet-sourced attacks back to individual internal hosts requires log correlation, not just looking at the source IP.

Routing is the process of selecting the path for traffic to travel from source to destination across networks. Routers maintain routing tables — maps of which network prefixes are reachable via which next-hop. Understanding routing helps analysts interpret firewall logs, identify unexpected traffic paths, and recognise routing-based attacks.

Network segmentation divides a network into smaller, isolated zones. It is a foundational defence-in-depth control — an attacker who gains access to one segment cannot freely reach systems in others. Segmentation limits blast radius, contains lateral movement, and enables granular access control. It is the architectural implementation of least privilege at the network layer.

VLANs implement logical network segmentation at Layer 2, within the same physical switch infrastructure. Instead of buying separate switches for each network segment, VLANs partition a single switch into multiple isolated broadcast domains. Traffic between VLANs must pass through a router or Layer 3 switch — giving you a control point for firewall rules and monitoring.

A DMZ is a network segment that sits between the internet and the internal network — a controlled buffer zone. Internet-facing services live here so that if they are compromised, the attacker has not reached the internal network directly. Traffic to and from the DMZ passes through firewalls in both directions. From a CSOC perspective, the DMZ is one of the highest-priority monitoring zones — it is both the most exposed and the most likely path toward internal resources.

Proxies are intermediary servers that sit between two communicating parties. The direction of the relationship determines the type. Both have distinct security roles — forward proxies control outbound user traffic; reverse proxies protect inbound server traffic. Confusing the two is a common source of misconfigured security controls.

Load balancers distribute incoming traffic across multiple backend servers to prevent any single server from becoming a bottleneck. They provide scalability, redundancy, and high availability. For CSOC analysts, load balancers complicate incident response because a single client IP may have touched multiple backend servers — and the true client IP is tracked via the X-Forwarded-For header — and a single backend server may have served thousands of clients.

A Content Delivery Network (CDN) is a geographically distributed network of edge servers that cache and serve content from locations physically close to users. Instead of all requests traversing the internet to a single origin server, users are served from the nearest edge node — reducing latency, absorbing traffic spikes, and providing a first line of defence against DDoS. For CSOC analysts, CDNs mean that origin server IPs are hidden behind CDN IPs, and that attack traffic is absorbed at the edge before it reaches your infrastructure.

A VPN (Virtual Private Network) creates an encrypted tunnel over an untrusted network (typically the internet), allowing remote users or sites to communicate as if they were on the same private network. VPN concentrators are high-value targets — a compromised VPN gives an attacker legitimate-looking internal network access. VPN logs are among the first places to check in any suspected intrusion investigation.

Active Directory is the identity backbone of most enterprise environments — and the primary target in domain attacks. Understanding its components (Forest, Domain, OU, GPO, Trust) is essential for interpreting AD-related alerts and understanding the blast radius of compromised accounts. Use this as a reference when investigating AD enumeration, privilege escalation, or domain-level compromise.

NT LAN Manager — Microsoft's legacy challenge-response authentication. Still prevalent for backwards compatibility but vulnerable to multiple attack classes.

Ticket-based network authentication protocol. Passwords never travel over the wire. The KDC (Key Distribution Center) runs on the Domain Controller and combines the Authentication Service (AS) and Ticket Granting Service (TGS).

Windows Event Logs are the backbone of SIEM detection. Ensure these event IDs are forwarded to your SIEM. Enable advanced audit policy via GPO (auditpol).

IOCs are artifacts that indicate potential malicious activity. Prioritize behavioral IOCs (TTPs) over atomic IOCs (hashes, IPs) — adversaries rotate hashes and IPs but TTPs are harder to change.

Sigma is a generic, open SIEM rule format — write once, convert to Splunk, Elastic, QRadar, Microsoft Sentinel, etc. via sigma-cli or pySigma.

title: Suspicious PowerShell Download Cradle
id: 3b6ab547-8ec2-4991-b9d2-2b06702a010d
status: experimental
description: Detects PowerShell download cradles commonly used by attackers for payload delivery
author: ThreatHunter
date: 2025/01/01
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'Invoke-Expression'
            - 'IEX'
            - 'DownloadString'
            - 'DownloadFile'
            - 'Net.WebClient'
            - 'WebRequest'
            - 'Start-BitsTransfer'
    filter_admin:
        User|contains: 'Administrator'    # Tune based on environment
    condition: selection and not filter_admin
falsepositives:
    - Legitimate admin scripts (tune filter_admin)
    - SCCM / Endpoint management tools
level: high
fields:
    - Image
    - CommandLine
    - User
    - ParentImage

YARA is the standard for malware classification — write rules that match on file content, binary patterns, or metadata. Used by threat intel teams, AV engines, EDR tools, and incident responders to hunt for malware families across endpoints and network captures. Use this when writing custom detection rules or analysing threat intel rule sets.

rule Ransomware_WannaCry_Generic {
    meta:
        description  = "Detects WannaCry ransomware variants"
        author       = "ThreatHunter"
        severity     = "critical"
        tlp          = "WHITE"
        mitre_attack = "T1486"

    strings:
        $ransom_note  = "Wana Decrypt0r" nocase wide ascii
        $killswitch   = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" nocase
        $svc_name     = "mssecsvc2.0" wide ascii
        $hex_eternalblue = { 45 52 52 4F 52 3A 20 43 61 6E }

    condition:
        uint16(0) == 0x5A4D and       // MZ header (PE file)
        filesize < 10MB and
        (2 of ($ransom_note, $killswitch, $svc_name) or $hex_eternalblue)
}

rule Suspicious_PowerShell_Encoded {
    meta:
        description = "Detects PE files dropping base64-encoded PowerShell commands"
        severity    = "high"

    strings:
        $enc1 = "-EncodedCommand" nocase wide ascii
        $enc2 = "-Enc " nocase wide ascii
        $enc3 = "FromBase64String" nocase wide ascii
        $ps   = "powershell" nocase wide ascii

    condition:
        uint16(0) == 0x5A4D and
        $ps and any of ($enc1, $enc2, $enc3)
}

Wireshark display filters allow you to isolate specific traffic patterns in packet captures. Use this section during network forensics to quickly surface C2 communication, credential interception, lateral movement, or exfiltration. Pair with the protocol reference to understand what normal traffic should look like before identifying anomalies.

## BASIC FILTERS
ip.addr == 192.168.1.100              # Traffic to/from specific IP
ip.src == 10.0.0.5                    # From source IP
ip.dst == 8.8.8.8                     # To destination IP
tcp.port == 443                       # TCP port 443
udp.port == 53                        # UDP port 53 (DNS)
not arp and not icmp                  # Exclude noise

## HTTP / WEB
http.request.method == "POST"         # POST requests only
http.response.code == 200             # Successful responses
http.user_agent contains "curl"       # Suspicious User-Agents
http contains "password"              # Credential exposure (cleartext HTTP)

## DNS THREAT HUNTING
dns.qry.name contains ".onion"        # Tor DNS queries (unusual)
dns.qry.type == 16                    # TXT record queries (tunneling indicator)
dns.flags.rcode == 3                  # NXDOMAIN responses (DGA hunting)
dns.qry.name.len > 50                 # Long subdomain = tunneling indicator

## SMB / LATERAL MOVEMENT
smb2.cmd == 5                         # SMB2 Create (file open/create)
smb.cmd == 0x72                       # SMB Negotiate Protocol
tcp.port == 445 and tcp.flags.syn==1  # New SMB connections

## SUSPICIOUS BEACONING
frame.time_delta < 0.001              # Too-fast retransmit (exploit traffic)
tcp.analysis.retransmission           # Retransmitted packets
ip.dst == [C2 IP] and tcp.len > 0    # Data to known C2

## CREDENTIAL / AUTH
ntlmssp.auth.username                 # NTLM usernames in traffic
kerberos.CNameString                  # Kerberos principal names
ftp.request.command == "PASS"         # FTP passwords (cleartext!)

## TLS INSPECTION
tls.handshake.type == 1               # TLS Client Hello
tls.handshake.extensions_server_name # SNI (Server Name Indication)
tls.record.version == 0x0300          # SSLv3 (deprecated — alert!)

Understanding legitimate parent-child relationships is the #1 skill for process anomaly detection. Any deviation from this tree — wrong parent, wrong path, or wrong SID — is a red flag requiring investigation.

svchost.exe is the most impersonated process in Windows malware. Each instance should host known services with a documented parent of services.exe. Deviations — wrong parent, wrong path, no services, or network connections — are high-fidelity indicators of process injection or masquerading. Use this to investigate suspicious svchost behaviour in EDR telemetry.

svchost.exe -k UnistackSvcGroup               :: Load all services in group
svchost.exe -k UnistackSvcGroup -s WpnUserService :: Load single service from group
:: Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

The Windows Registry contains the most commonly abused persistence and configuration locations. Attackers write to Run keys, install services, and modify security providers to survive reboots. Use this section when hunting for persistence mechanisms — these are the first registry paths to check after detecting a suspicious process or binary.

Windows privileges control what actions processes and users can perform beyond standard file/object access. Several privileges are directly exploitable for privilege escalation or credential access. Use this section to understand why SeDebugPrivilege is so dangerous, what an attacker can do with each privilege, and how to audit privilege assignments.

File extensions appended by ransomware. Alert on file rename events matching these patterns — especially mass renames of common file types.

Attackers establish persistence to survive reboots and re-entry after credential changes. These are the most commonly abused locations — baseline them and alert on changes.

Legitimate Windows binaries abused by attackers to execute code, download files, bypass defenses, or establish persistence — without dropping new executables. Reference: lolbas-project.github.io

Structured triage steps for investigating a suspicious endpoint alert. Work through each phase before concluding scope and severity.

Understanding what each security tool does — and where it sits in the stack — is critical for knowing what data is available during an investigation, and for identifying gaps in your detection coverage. This section maps tools to their function, typical data outputs, and detection blind spots.

DDoS (Distributed Denial of Service) attacks flood systems to deny legitimate access. This section covers L3/L4 volumetric attacks, L7 application-layer attacks, and the platforms used to detect and absorb them. Use this to understand the distinction between network-level and application-level protection, and to identify the right mitigation layer during an incident.

Production web applications sit behind multiple layers of edge infrastructure. Each layer has a distinct role, a distinct threat surface, and distinct metrics a CSOC analyst should watch. Understanding this stack prevents misclassifying normal failover behaviour as attacks — and vice versa.

Command & Control frameworks manage compromised hosts post-exploitation. These are legitimate red team tools — but cracked and leaked versions are heavily used by ransomware groups and APTs. Knowing their default signatures, IOCs, and evasion techniques is critical for detection engineering. Note: "Sliver" (BishopFox) is a separate framework — not a component of Cobalt Strike.

Incident Response follows a structured lifecycle. The NIST SP 800-61r2 model is the most widely adopted; SANS PICERL is more granular. All frameworks share the same core loop: detect → contain → eradicate → recover → improve.

A structured playbook for responding to ransomware incidents. Do not follow steps in isolation — run detection, isolation, and preservation in parallel where possible. Evidence preservation is time-critical.

PowerShell is the primary tool for both AD administration and AD enumeration/exploitation. These cmdlets cover legitimate admin tasks and the exact commands attackers run for reconnaissance. Knowing both sides lets you distinguish admin activity from attacker activity in PowerShell logs and SIEM alerts.

# ── USER QUERIES ──
Get-ADUser -Identity $user -Properties *
Get-ADUser -Filter {Enabled -eq $false} | Select Name, SamAccountName
Get-ADUser -Filter {PasswordNeverExpires -eq $true} | Select Name
Get-ADUser -Identity $user -Properties PasswordLastSet, LastLogonDate

# ── LOCKED / DISABLED ──
Search-ADAccount -LockedOut | Select Name, LockedOut, LastLogonDate
Search-ADAccount -AccountDisabled -UsersOnly | Select Name, SamAccountName
Unlock-ADAccount -Identity $user

# ── GROUP QUERIES ──
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select Name, SamAccountName
Get-ADPrincipalGroupMembership -Identity $user | Select Name
Get-ADGroup -Filter {Name -like "Admin*"} | Select Name

# ── COMPUTER QUERIES ──
Get-ADComputer -Identity $hostname -Properties *
Get-ADComputer -Filter {OperatingSystem -Like "*Server*"} | Select Name, OperatingSystem
Test-ComputerSecureChannel -ComputerName $hostname

# ── DOMAIN INFO ──
Get-ADDomain
Get-ADDomainController -Filter * | Select Name, IPV4Address, IsGlobalCatalog
Get-ADForest

# ── DETECT KERBEROASTABLE ACCOUNTS ──
Get-ADUser -Filter {ServicePrincipalName -ne "$null" -and Enabled -eq $true} `
  -Properties ServicePrincipalName | Select Name, ServicePrincipalName

# ── DETECT AS-REP ROASTABLE ACCOUNTS ──
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true -and Enabled -eq $true} | Select Name

# ── GPO ──
Get-GPO -All | Select DisplayName, GpoStatus
Invoke-GPUpdate -Computer $hostname -Force

Linux command-line proficiency is essential for investigating Linux endpoints, containers, and servers. This section covers the commands used for triage, log analysis, process investigation, and network inspection on Linux systems. Use during live response on Linux hosts or when reviewing bash history and audit logs.

uname -a                          # Kernel + system info
whoami && id                      # Current user and groups
cat /etc/passwd | grep -v nologin # Users with login shells
w && last                         # Who is logged in / login history
ps auxf                           # Process tree
pstree -p                         # Visual process tree with PIDs
lsof -i                           # Open network connections by process
ss -tulnp                         # Listening ports + PIDs (modern)
netstat -tulnp                    # Listening ports (legacy)
find / -perm -4000 2>/dev/null    # SUID binaries (priv esc vectors)
crontab -l && cat /etc/cron*      # Scheduled tasks (persistence)

tail -f /var/log/auth.log                          # Live auth events
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn  # Brute force IPs
grep "Accepted publickey\|Accepted password" /var/log/auth.log  # Successful logins
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head  # Top IPs in access log
grep -E "40[0-9]|50[0-9]" access.log | awk '{print $7}' | sort | uniq -c | sort -rn  # Error URLs
journalctl -u ssh --since "1 hour ago"            # SSH events (systemd)
ausearch -m USER_LOGIN -ts recent                 # Audit log logins

Windows command-line tools are essential for triage, lateral movement investigation, and live response on Windows endpoints. These commands cover process enumeration, network state, service inspection, and registry queries — the same tools both administrators and attackers use. Pair with Sysmon Event 4688 process creation logs.

:: System info
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Domain"
whoami /all                          :: User, groups, privileges
net user %USERNAME% /domain          :: AD user details
wmic product get name,version        :: Installed software

:: Network
netstat -ano                         :: Connections with PIDs
netstat -ano | findstr ESTABLISHED   :: Active connections only
ipconfig /all                        :: Network config with MAC

:: Processes
tasklist /svc                        :: Processes with hosted services
wmic process get name,processid,parentprocessid,commandline  :: Full process info
Get-WmiObject Win32_Process | Select Name,ProcessId,ParentProcessId,CommandLine

:: Event log (PowerShell)
Get-WinEvent -LogName Security -MaxEvents 100 | Where-Object {$_.Id -in 4624,4625,4648,4672}
Get-WinEvent -LogName System -MaxEvents 50 | Where-Object {$_.LevelDisplayName -eq "Error"}

:: Autoruns / persistence
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
schtasks /query /fo LIST /v | findstr /i "task name\|status\|run as"

Regular expressions are used across SIEM queries, log parsers, EDR rules, YARA signatures, and Sigma rules. This cheat sheet covers the most common patterns needed for writing detection rules and parsing log data. Use it when building custom detection logic or extracting indicators from unstructured log output.

# IPv4 address
\b(?:\d{1,3}\.){3}\d{1,3}\b

# MD5 hash
\b[a-fA-F0-9]{32}\b

# SHA256 hash
\b[a-fA-F0-9]{64}\b

# Windows file path
[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*

# Email address
[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}

# Base64 encoded string (common in C2/malware)
(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})

# PowerShell encoded command (threat hunting)
-[Ee][Nn][Cc][Oo][Dd][Ee][Dd][Cc][Oo][Mm][Mm][Aa][Nn][Dd]

DNS cache poisoning and stale records can cause resolution failures or redirect traffic to attacker infrastructure. These commands flush local and system DNS caches across platforms. Use during incident response when investigating DNS-based C2, cache poisoning attempts, or after blocking malicious domains to ensure resolution changes take effect immediately.

ipconfig /flushdns       :: Flush DNS resolver cache
ipconfig /release        :: Release current DHCP lease
ipconfig /renew          :: Request new DHCP lease
arp -d *                 :: Clear ARP cache (Windows)
netsh winsock reset      :: Reset Winsock catalog (requires reboot)
netsh int ip reset       :: Reset TCP/IP stack (requires reboot)

# Linux equivalents
sudo systemd-resolve --flush-caches   # systemd-resolved
sudo service nscd restart             # nscd
sudo killall -HUP mDNSResponder       # macOS