book

Effective Threat Investigation for SOC Analysts

Name: Effective Threat Investigation for SOC Analysts
Author: Mostafa Yahia
ISBN: 9781837634781

by Mostafa Yahia

August 2023

Intermediate to advanced

314 pages

8h 6m

English

Packt Publishing

Read now

Unlock full access

Effective Threat Investigation for SOC Analysts
ContributorsAbout the authorAbout the reviewers
Preface
Who this book is for What this book coversTo get the most out of this bookConventions usedDisclaimerGet in touchShare Your ThoughtsDownload a free PDF copy of this book
Part 1: Email Investigation Techniques
Chapter 1: Investigating Email Threats
Top infection vectorsWhy do attackers prefer phishing emails to gain initial access?Email threat typesSpearphishing attachmentsSpearphishing LinkBlackmail emailBusiness Email Compromise (BEC)Attacker techniques to evade email security detectionSocial engineering techniques to trick the victimThe anatomy of secure email gateway logsInvestigating suspicious emailsInvestigating the email sender domain and SMTP server reputationSpoofing validationEmail sender behaviorEmail subject and attached filenameInvestigating suspicious email contentSummary
Chapter 2: Email Flow and Header Analysis
Email flowEmail header analysisEmail message content and metadataEmail X-headersThe header that was added by the hop serversEmail authenticationInvestigating the email header of a spoofed messageSummary
Part 2: Investigating Windows Threats by Using Event Logs
Chapter 3: Introduction to Windows Event Logs
Windows event typesSecurity event log typesSystem event log typesApplication event log typesOther event log typesWindows event log analysis toolsThe investigative approach for this part of the bookHELK installationSummary
Chapter 4: Tracking Accounts Login and Management
Account login trackingWindows accountsTracking successful loginsTracking successful administrator loginsTracking logon sessionsTracking failed loginsLogin validation eventsLogin validation Event IDs (NTLM protocol)Login validation Event IDs (Kerberos protocol)Account and group management trackingTracking account creation, deletion, and change activitiesTracking creation and account adding to security groupsSummary
Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs
Introduction to Windows processesWindows process typesCommon standard Windows processesWindows Process Tracking eventsCreator SubjectTarget SubjectProcess InformationInvestigating suspicious process executionsHiding in plain sightLiving Off The Land (LOTL)Suspicious parent-child process relationshipsSuspicious process pathsSummary
Chapter 6: Investigating PowerShell Event Logs
Introducing PowerShellWhy do attackers prefer PowerShell?PowerShell usage in different attack phasesPowerShell execution tracking eventsInvestigating PowerShell attacksFileless PowerShell malwareSuspicious PowerShell commands and cmdletsSummary

Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs
Understanding and investigating persistence techniquesRegistry run keysWindows scheduled tasksWindows servicesWMI event subscriptionUnderstanding and investigating lateral movement techniquesRemote Desktop connectionWindows admin sharesPsExec – a Sysinternals toolPowerShell remotingSummary
Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
Chapter 8: Network Firewall Logs Analysis
Firewall logs valueFirewall logs anatomyLog TimestampSource IPSource PortDestination IPDestination PortSource Interface ZoneDestination Interface ZoneDevice ActionSent BytesReceived BytesSent PacketsReceived PacketsSource Geolocation countryDestination Geolocation countrySummary
Chapter 9: Investigating Cyber Threats by Using the Firewall Logs
Investigating reconnaissance attacksPublic-facing IPs and port scanningInternal network service discoveryInvestigating lateral movement attacksRemote desktop application (RDP)Windows admin sharesPowerShell RemotingInvestigating C&C and exfiltration attacksInvestigating suspicious traffic to external IPsInvestigating DNS tunnelingInvestigating data exfiltrationInvestigating DoS attacksSummary
Chapter 10: Web Proxy Logs Analysis
Understanding the value of proxy logsThe significance of proxy log investigationThe anatomy of proxy logsThe source IP (src)The source port (srcport)The destination IP (dst)The destination port (dstport)The username (username)The log timestamp (devicetime)The device action (s-action)The response status code (sc-status)The HTTP method (cs-method)The received bytes from the server by the client (sc-bytes)The sent bytes from the client to the server (cs-bytes)The web domain (cs-host)The MIME type (Content-Type)The user agent (cs(User-Agent))The referrer URL (cs(Referer))The website category (filter-category)The accessed URL (cs-uri)Summary
Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs
Suspicious outbound communications alertsInvestigating suspicious outbound communications (C&C communications)Investigating the web domain reputationInvestigating suspicious target web domain namesInvestigating the requested web resourcesInvestigating the referrer URLInvestigating the communications user agentInvestigating the communications' destination portInvestigating the received and sent bytes, the HTTP method, and the Content-TypeInvestigating command and control techniquesSummary
Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats
Chapter 12: Investigating External Threats
Investigating web attacksThe command injection vulnerabilityThe SQL injection vulnerabilityPath traversal vulnerabilityXSS vulnerabilityInvestigating WAF logsInvestigating suspicious external access to the remote servicesInvestigating unauthorized VPN and RDP accessInvestigating compromised mailboxesInvestigating suspicious authentications to web servicesSummary
Chapter 13: Investigating Network Flows and Security Solutions Alerts
Investigating network flowsInvestigating IPS/IDS alertsInvestigating endpoint security solutions alertsInvestigating AV alertsInvestigating EDR alertsInvestigating network sandbox and AV alertsSummary
Chapter 14: Threat Intelligence in a SOC Analyst’s Day
Introduction to threat intelligenceStrategic levelOperational levelTactical levelThe role of threat intelligence in SOCsInvestigating threats using VirusTotalInvestigating suspicious filesInvestigating suspicious domains and URLsInvestigating suspicious outbound IPsInvestigating threats using IBM X-Force ExchangeInvestigating suspicious domainsInvestigating suspicious IPsInvestigating the file hashInvestigating suspicious inbound IPs using AbuseIPDBInvestigating threats using GoogleSummary
Chapter 15: Malware Sandboxing – Building a Malware Sandbox
Introducing the sandbox technologySandbox typesSandbox installation requirementsRequired tools for analysisStatic analysis toolsDynamic analysis toolsPreparing the guest VMGuest preparation stepsTips to evade the sandbox’s detectionAnalysis tools in actionStatic analysis phaseDynamic analysis phaseHands-on demo labScanning the file using YARAConducting static analysisConducting dynamic analysisAnalyzing the outputsSummary
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your ThoughtsDownload a free PDF copy of this book

Content preview from Effective Threat Investigation for SOC Analysts

7 Investigating Persistence and Lateral Movement Using Windows Event Logs

Attackers must maintain their foothold in the victim's environment to not repeat all infection phases again and they must keep pivoting in the victim's environment to search for sensitive data and high-value systems. As an SOC analyst and incident responder, you must be aware of the common persistence and lateral movement techniques used by attackers and be able to detect and investigate them by analyzing the event logs provided by Microsoft.

The objective of this chapter is to teach you common persistence and lateral movement techniques. You will also be able to investigate such activities by analyzing the recorded event logs on both the source and the target systems. ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Practical Cyber Forensics: An Incident-Based Approach to Forensic Investigations

Publisher Resources

ISBN: 9781837634781

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Effective Threat Investigation for SOC Analysts

by Mostafa Yahia

7

Investigating Persistence and Lateral Movement Using Windows Event Logs

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.