: Delete malicious scheduled tasks, registry keys, and dropped binaries identified during the scope expansion phase. 7. SOC Analyst Reference Workbook
Check hashes of created or modified binaries against threat intelligence databases like VirusTotal. effective threat investigation for soc analysts pdf
Begin every investigation with a clear question. For example: "If this PowerShell script is malicious, what registry changes did it make to stay on the system?" This approach keeps your analysis focused and prevents you from getting lost in massive log files. 2. Phase-by-Phase Investigation Workflow : Delete malicious scheduled tasks, registry keys, and
Integrating threat intelligence feeds helps identify known malicious IP addresses, domains, file hashes, and adversary behaviors. This enables rapid validation of alerts. 3. A Structured Investigation Workflow Begin every investigation with a clear question
Sophisticated adversaries rarely drop noisy, custom malware binaries onto a system. Instead, they use legitimate, pre-installed system tools like PowerShell, WMI, certutil , and vssadmin to carry out attacks. Investigating LotL requires a deep understanding of what normal administrative scripting looks like so you can spot highly subtle, malicious syntax modifications. Memory Forensics and Living RAM Analysis
By moving from a triage mentality to a hunting mentality—and by keeping a structured, offline PDF reference at your desk—you transform your SOC from a noise-filtering machine into a true detection and response engine.
