Master Guide: Effective Threat Investigation for SOC Analysts

When an alert fires, you must quickly establish the boundaries of the potential breach. A typical starting point looks like this:

The SIEM says: "Process executed from temp directory by wscript.exe."

Essential Data Points

Collect these core attributes immediately:

- Inspect running processes, parent-child process trees (e.g., cmd.exe spawned by wscript.exe), registry modifications, and local file changes.
- Check user download directories, temporary folders (C:\Windows\Temp or /tmp), and prefetch files for signs of unauthorized binary execution.
- Network Traffic and Protocol Analysis: Determine if the machine communicated with external IP addresses listed in threat intelligence databases.
- Identify user roles, normal working hours, access privileges, and recent authentication patterns.

Scenario-specific checks:

- Trace the parent process of the malware execution. Look for standard living-off-the-land techniques, such as the deletion of Volume Shadow Copies (vssadmin delete shadows), disabling of local defenses, or rapid encryption of local file paths.
- Insider Threats and Data Exfiltration: Sudden spikes in outbound data transfers to external, foreign, or unclassified IP addresses often pinpoint exfiltration phases.

3. Mapping to Frameworks: MITRE ATT&CK and Cyber Kill Chain

Map actions to known frameworks to understand the attacker's goals. Relying on standard frameworks ensures investigations are structured, repeatable, and thorough. The frameworks referenced here are MITRE ATT&CK and the Cyber Kill Chain (Lockheed Martin).