The foundational model for classifying the three core properties of information security. Every security control maps to at least one of these pillars.

Ports 0–1023 are Well-Known (IANA-assigned). 1024–49151 are Registered. 49152–65535 are Dynamic/Ephemeral. Attackers frequently use non-standard ports or tunnel over common ports (80/443) to evade detection.

Developed by Lockheed Martin. Defenders should aim to interrupt the chain as early as possible — ideally at Reconnaissance or Delivery. Later stages indicate deeper compromise.

A globally accessible knowledge base of adversary TTPs based on real-world observations. ATT&CK = Adversarial Tactics, Techniques, and Common Knowledge. The Enterprise matrix covers 14 tactics.

DDoS (Distributed Denial of Service) attacks flood systems to deny legitimate access. This section covers L3/L4 volumetric attacks, L7 application-layer attacks, and the platforms used to detect and absorb them. Use this to understand the distinction between network-level and application-level protection, and to identify the right mitigation layer during an incident.

DNS is a hierarchical, distributed naming system. It's also a top C2 channel — DNS tunneling, DGA domains, and fast-flux are common attacker techniques.

Email is the #1 initial access vector. SPF, DKIM, and DMARC are the three DNS-based controls that together prevent spoofing and unauthorised sending. Understanding these helps you triage phishing emails, investigate mail headers, and validate whether an email claiming to be from a domain is legitimate.

example.com TXT "v=spf1 mx ip4:203.0.113.0/24 include:_spf.google.com -all"
# Reading left to right: check MX records, then the /24, then Google's SPF.
# If none match: FAIL (hard fail) — reject the email.

v=spf1 -all    → Domain sends NO email (null sender, bounce addresses)
v=spf1 +all    → ⚠️ Anyone can send — never use this in production

selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUA..."
# DNS lookup path: {selector}._domainkey.{d= domain}
# p= is the base64-encoded RSA or ed25519 public key
# Rotate selectors periodically — old selector can be retired by removing the DNS record

_dmarc.example.com TXT "v=DMARC1; p=reject; sp=reject; pct=100; aspf=r; adkim=r; rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com"

# Alignment modes:
# relaxed (r): subdomain match allowed — mail.example.com aligns with example.com
# strict (s):  exact match required   — mail.example.com does NOT align with example.com

HTTP status codes are the fastest way to triage web traffic anomalies in proxy and firewall logs. Use this section during threat hunting to spot reconnaissance (4xx spikes), exploitation attempts (500s), and redirect chains. Patterns in status codes across time often indicate scanners, fuzzing tools, or successful exploitation.

IPv4 subnetting determines which IP addresses belong together on a network segment. Use this section to quickly determine a host's network boundary, identify mis-routed traffic, or validate whether lateral movement crossed subnet boundaries — which is a significant escalation indicator.

Private IP ranges are reserved for internal networks and should never appear as source/destination in internet-routed traffic. Use this to identify RFC 1918 addresses in logs, spot traffic that should not be leaving your network, and detect potential NAT misconfigurations or tunneling attempts.

The 7-layer model defines how communication occurs between systems. Each layer attacks are mapped to aid SOC analysts in identifying where a threat operates.

Active Directory is the identity backbone of most enterprise environments — and the primary target in domain attacks. Understanding its components (Forest, Domain, OU, GPO, Trust) is essential for interpreting AD-related alerts and understanding the blast radius of compromised accounts. Use this as a reference when investigating AD enumeration, privilege escalation, or domain-level compromise.

NT LAN Manager — Microsoft's legacy challenge-response authentication. Still prevalent for backwards compatibility but vulnerable to multiple attack classes.

Ticket-based network authentication protocol. Passwords never travel over the wire. The KDC (Key Distribution Center) runs on the Domain Controller and combines the Authentication Service (AS) and Ticket Granting Service (TGS).

TCP and UDP behave fundamentally differently — TCP is connection-oriented (traceable), UDP is connectionless (harder to attribute). Use this to understand why certain attacks prefer UDP (DDoS amplification), why C2 may use HTTPS (TCP/443), and how to interpret connection state in firewall and netflow logs.

A reference index of the most common offensive techniques mapped to their detection methods and defensive controls. Use this section during investigation to quickly look up how a suspected technique works, what evidence it leaves, and what controls should have caught it. Pair with MITRE ATT&CK for technique IDs.

A taxonomy of malware families by their behaviour and goals. Understanding malware types enables faster triage — a fileless implant requires memory forensics, ransomware requires VSS investigation, a RAT requires C2 traffic analysis. Use this to scope the right response actions for each malware class.

DNS cache poisoning and stale records can cause resolution failures or redirect traffic to attacker infrastructure. These commands flush local and system DNS caches across platforms. Use during incident response when investigating DNS-based C2, cache poisoning attempts, or after blocking malicious domains to ensure resolution changes take effect immediately.

ipconfig /flushdns       :: Flush DNS resolver cache
ipconfig /release        :: Release current DHCP lease
ipconfig /renew          :: Request new DHCP lease
arp -d *                 :: Clear ARP cache (Windows)
netsh winsock reset      :: Reset Winsock catalog (requires reboot)
netsh int ip reset       :: Reset TCP/IP stack (requires reboot)

# Linux equivalents
sudo systemd-resolve --flush-caches   # systemd-resolved
sudo service nscd restart             # nscd
sudo killall -HUP mDNSResponder       # macOS

PowerShell is the primary tool for both AD administration and AD enumeration/exploitation. These cmdlets cover legitimate admin tasks and the exact commands attackers run for reconnaissance. Knowing both sides lets you distinguish admin activity from attacker activity in PowerShell logs and SIEM alerts.

# ── USER QUERIES ──
Get-ADUser -Identity $user -Properties *
Get-ADUser -Filter {Enabled -eq $false} | Select Name, SamAccountName
Get-ADUser -Filter {PasswordNeverExpires -eq $true} | Select Name
Get-ADUser -Identity $user -Properties PasswordLastSet, LastLogonDate

# ── LOCKED / DISABLED ──
Search-ADAccount -LockedOut | Select Name, LockedOut, LastLogonDate
Search-ADAccount -AccountDisabled -UsersOnly | Select Name, SamAccountName
Unlock-ADAccount -Identity $user

# ── GROUP QUERIES ──
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select Name, SamAccountName
Get-ADPrincipalGroupMembership -Identity $user | Select Name
Get-ADGroup -Filter {Name -like "Admin*"} | Select Name

# ── COMPUTER QUERIES ──
Get-ADComputer -Identity $hostname -Properties *
Get-ADComputer -Filter {OperatingSystem -Like "*Server*"} | Select Name, OperatingSystem
Test-ComputerSecureChannel -ComputerName $hostname

# ── DOMAIN INFO ──
Get-ADDomain
Get-ADDomainController -Filter * | Select Name, IPV4Address, IsGlobalCatalog
Get-ADForest

# ── DETECT KERBEROASTABLE ACCOUNTS ──
Get-ADUser -Filter {ServicePrincipalName -ne "$null" -and Enabled -eq $true} `
  -Properties ServicePrincipalName | Select Name, ServicePrincipalName

# ── DETECT AS-REP ROASTABLE ACCOUNTS ──
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true -and Enabled -eq $true} | Select Name

# ── GPO ──
Get-GPO -All | Select DisplayName, GpoStatus
Invoke-GPUpdate -Computer $hostname -Force

Regular expressions are used across SIEM queries, log parsers, EDR rules, YARA signatures, and Sigma rules. This cheat sheet covers the most common patterns needed for writing detection rules and parsing log data. Use it when building custom detection logic or extracting indicators from unstructured log output.

# IPv4 address
\b(?:\d{1,3}\.){3}\d{1,3}\b

# MD5 hash
\b[a-fA-F0-9]{32}\b

# SHA256 hash
\b[a-fA-F0-9]{64}\b

# Windows file path
[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*

# Email address
[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}

# Base64 encoded string (common in C2/malware)
(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})

# PowerShell encoded command (threat hunting)
-[Ee][Nn][Cc][Oo][Dd][Ee][Dd][Cc][Oo][Mm][Mm][Aa][Nn][Dd]

Linux command-line proficiency is essential for investigating Linux endpoints, containers, and servers. This section covers the commands used for triage, log analysis, process investigation, and network inspection on Linux systems. Use during live response on Linux hosts or when reviewing bash history and audit logs.

uname -a                          # Kernel + system info
whoami && id                      # Current user and groups
cat /etc/passwd | grep -v nologin # Users with login shells
w && last                         # Who is logged in / login history
ps auxf                           # Process tree
pstree -p                         # Visual process tree with PIDs
lsof -i                           # Open network connections by process
ss -tulnp                         # Listening ports + PIDs (modern)
netstat -tulnp                    # Listening ports (legacy)
find / -perm -4000 2>/dev/null    # SUID binaries (priv esc vectors)
crontab -l && cat /etc/cron*      # Scheduled tasks (persistence)

tail -f /var/log/auth.log                          # Live auth events
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn  # Brute force IPs
grep "Accepted publickey\|Accepted password" /var/log/auth.log  # Successful logins
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head  # Top IPs in access log
grep -E "40[0-9]|50[0-9]" access.log | awk '{print $7}' | sort | uniq -c | sort -rn  # Error URLs
journalctl -u ssh --since "1 hour ago"            # SSH events (systemd)
ausearch -m USER_LOGIN -ts recent                 # Audit log logins

Windows command-line tools are essential for triage, lateral movement investigation, and live response on Windows endpoints. These commands cover process enumeration, network state, service inspection, and registry queries — the same tools both administrators and attackers use. Pair with Sysmon Event 4688 process creation logs.

:: System info
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Domain"
whoami /all                          :: User, groups, privileges
net user %USERNAME% /domain          :: AD user details
wmic product get name,version        :: Installed software

:: Network
netstat -ano                         :: Connections with PIDs
netstat -ano | findstr ESTABLISHED   :: Active connections only
ipconfig /all                        :: Network config with MAC

:: Processes
tasklist /svc                        :: Processes with hosted services
wmic process get name,processid,parentprocessid,commandline  :: Full process info
Get-WmiObject Win32_Process | Select Name,ProcessId,ParentProcessId,CommandLine

:: Event log (PowerShell)
Get-WinEvent -LogName Security -MaxEvents 100 | Where-Object {$_.Id -in 4624,4625,4648,4672}
Get-WinEvent -LogName System -MaxEvents 50 | Where-Object {$_.LevelDisplayName -eq "Error"}

:: Autoruns / persistence
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
schtasks /query /fo LIST /v | findstr /i "task name\|status\|run as"

Understanding legitimate parent-child relationships is the #1 skill for process anomaly detection. Any deviation from this tree — wrong parent, wrong path, or wrong SID — is a red flag requiring investigation.

File extensions appended by ransomware. Alert on file rename events matching these patterns — especially mass renames of common file types.

svchost.exe is the most impersonated process in Windows malware. Each instance should host known services with a documented parent of services.exe. Deviations — wrong parent, wrong path, no services, or network connections — are high-fidelity indicators of process injection or masquerading. Use this to investigate suspicious svchost behaviour in EDR telemetry.

svchost.exe -k UnistackSvcGroup               :: Load all services in group
svchost.exe -k UnistackSvcGroup -s WpnUserService :: Load single service from group
:: Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

Sigma is a generic, open SIEM rule format — write once, convert to Splunk, Elastic, QRadar, Microsoft Sentinel, etc. via sigma-cli or pySigma.

title: Suspicious PowerShell Download Cradle
id: 3b6ab547-8ec2-4991-b9d2-2b06702a010d
status: experimental
description: Detects PowerShell download cradles commonly used by attackers for payload delivery
author: ThreatHunter
date: 2025/01/01
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'Invoke-Expression'
            - 'IEX'
            - 'DownloadString'
            - 'DownloadFile'
            - 'Net.WebClient'
            - 'WebRequest'
            - 'Start-BitsTransfer'
    filter_admin:
        User|contains: 'Administrator'    # Tune based on environment
    condition: selection and not filter_admin
falsepositives:
    - Legitimate admin scripts (tune filter_admin)
    - SCCM / Endpoint management tools
level: high
fields:
    - Image
    - CommandLine
    - User
    - ParentImage

YARA is the standard for malware classification — write rules that match on file content, binary patterns, or metadata. Used by threat intel teams, AV engines, EDR tools, and incident responders to hunt for malware families across endpoints and network captures. Use this when writing custom detection rules or analysing threat intel rule sets.

rule Ransomware_WannaCry_Generic {
    meta:
        description  = "Detects WannaCry ransomware variants"
        author       = "ThreatHunter"
        severity     = "critical"
        tlp          = "WHITE"
        mitre_attack = "T1486"

    strings:
        $ransom_note  = "Wana Decrypt0r" nocase wide ascii
        $killswitch   = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" nocase
        $svc_name     = "mssecsvc2.0" wide ascii
        $hex_eternalblue = { 45 52 52 4F 52 3A 20 43 61 6E }

    condition:
        uint16(0) == 0x5A4D and       // MZ header (PE file)
        filesize < 10MB and
        (2 of ($ransom_note, $killswitch, $svc_name) or $hex_eternalblue)
}

rule Suspicious_PowerShell_Encoded {
    meta:
        description = "Detects PE files dropping base64-encoded PowerShell commands"
        severity    = "high"

    strings:
        $enc1 = "-EncodedCommand" nocase wide ascii
        $enc2 = "-Enc " nocase wide ascii
        $enc3 = "FromBase64String" nocase wide ascii
        $ps   = "powershell" nocase wide ascii

    condition:
        uint16(0) == 0x5A4D and
        $ps and any of ($enc1, $enc2, $enc3)
}

Windows privileges control what actions processes and users can perform beyond standard file/object access. Several privileges are directly exploitable for privilege escalation or credential access. Use this section to understand why SeDebugPrivilege is so dangerous, what an attacker can do with each privilege, and how to audit privilege assignments.

The Windows Registry contains the most commonly abused persistence and configuration locations. Attackers write to Run keys, install services, and modify security providers to survive reboots. Use this section when hunting for persistence mechanisms — these are the first registry paths to check after detecting a suspicious process or binary.

Wireshark display filters allow you to isolate specific traffic patterns in packet captures. Use this section during network forensics to quickly surface C2 communication, credential interception, lateral movement, or exfiltration. Pair with the protocol reference to understand what normal traffic should look like before identifying anomalies.

## BASIC FILTERS
ip.addr == 192.168.1.100              # Traffic to/from specific IP
ip.src == 10.0.0.5                    # From source IP
ip.dst == 8.8.8.8                     # To destination IP
tcp.port == 443                       # TCP port 443
udp.port == 53                        # UDP port 53 (DNS)
not arp and not icmp                  # Exclude noise

## HTTP / WEB
http.request.method == "POST"         # POST requests only
http.response.code == 200             # Successful responses
http.user_agent contains "curl"       # Suspicious User-Agents
http contains "password"              # Credential exposure (cleartext HTTP)

## DNS THREAT HUNTING
dns.qry.name contains ".onion"        # Tor DNS queries (unusual)
dns.qry.type == 16                    # TXT record queries (tunneling indicator)
dns.flags.rcode == 3                  # NXDOMAIN responses (DGA hunting)
dns.qry.name.len > 50                 # Long subdomain = tunneling indicator

## SMB / LATERAL MOVEMENT
smb2.cmd == 5                         # SMB2 Create (file open/create)
smb.cmd == 0x72                       # SMB Negotiate Protocol
tcp.port == 445 and tcp.flags.syn==1  # New SMB connections

## SUSPICIOUS BEACONING
frame.time_delta < 0.001              # Too-fast retransmit (exploit traffic)
tcp.analysis.retransmission           # Retransmitted packets
ip.dst == [C2 IP] and tcp.len > 0    # Data to known C2

## CREDENTIAL / AUTH
ntlmssp.auth.username                 # NTLM usernames in traffic
kerberos.CNameString                  # Kerberos principal names
ftp.request.command == "PASS"         # FTP passwords (cleartext!)

## TLS INSPECTION
tls.handshake.type == 1               # TLS Client Hello
tls.handshake.extensions_server_name # SNI (Server Name Indication)
tls.record.version == 0x0300          # SSLv3 (deprecated — alert!)

Windows Event Logs are the backbone of SIEM detection. Ensure these event IDs are forwarded to your SIEM. Enable advanced audit policy via GPO (auditpol).

IOCs are artifacts that indicate potential malicious activity. Prioritize behavioral IOCs (TTPs) over atomic IOCs (hashes, IPs) — adversaries rotate hashes and IPs but TTPs are harder to change.

Legitimate Windows binaries abused by attackers to execute code, download files, bypass defenses, or establish persistence — without dropping new executables. Reference: lolbas-project.github.io

Attackers establish persistence to survive reboots and re-entry after credential changes. These are the most commonly abused locations — baseline them and alert on changes.

Structured triage steps for investigating a suspicious endpoint alert. Work through each phase before concluding scope and severity.

Production web applications sit behind multiple layers of edge infrastructure. Each layer has a distinct role, a distinct threat surface, and distinct metrics a CSOC analyst should watch. Understanding this stack prevents misclassifying normal failover behaviour as attacks — and vice versa.

Command & Control frameworks manage compromised hosts post-exploitation. These are legitimate red team tools — but cracked and leaked versions are heavily used by ransomware groups and APTs. Knowing their default signatures, IOCs, and evasion techniques is critical for detection engineering. Note: "Sliver" (BishopFox) is a separate framework — not a component of Cobalt Strike.

Incident Response follows a structured lifecycle. The NIST SP 800-61r2 model is the most widely adopted; SANS PICERL is more granular. All frameworks share the same core loop: detect → contain → eradicate → recover → improve.

A structured playbook for responding to ransomware incidents. Do not follow steps in isolation — run detection, isolation, and preservation in parallel where possible. Evidence preservation is time-critical.