Real Time SOC Analyst Simulation | TryHackMe SOC Simulator | Phishing Unfolding

This post introduces the TryHackMe SOC (Security Operations Center) Simulator, focusing on its real-world attack simulation capabilities. The tutorial walks through handling alerts, investigating cyberattacks, analyzing events, and writing case reports. This session specifically covers the “Phishing Unfolding” challenge, with promises of more challenges in later videos.

SOC Simulator

Documentation and Tools:

  • Scenario Overview: Detailed explanation of scenarios.
  • Tool Documentation: Overview of tools like Splunk and Analyst VM.
  • Step-by-Step Guidance: Recommendations for analyzing incidents.
  • SOC Components:
     • SIEM (Splunk): Centralized log management and alert correlation.
     • Analyst Workstation: Handling email alerts and system access.

Dashboard Overview:

  • Provides metrics like the total, closed, and open alerts categorized by severity.
  • Visualization of alert types and priorities.

Alert Investigation Workflow:

  • Filter Alerts: Prioritize by severity (critical, high, medium, low).
  • Analysis Steps: Start with critical alerts, review descriptions, and correlate parent-child process relationships.

Overview of SOC Dashboard

Alert Overview:

  • The SOC dashboard displays 34 unresolved alerts.
  • Alerts are categorized by severity: critical, high, medium, and low.
  • Sorting is done to prioritize investigation.

Medium Alerts:

  • Two alerts investigated:
     • Network drive mapping and disconnection: A process using PowerShell mapped and then removed a network drive. This mirrored activity from a previous investigation involving reverse shell detection.

Low Alerts:

  • Example alert: Suspicious email from an external sender with an unusual domain.
  • The detection rule flagged the sender based on an unusual domain, which might be a false positive.


SOC Incident Investigation Case Study

Example Incident Investigation:

  1. Alert Details:
     • Suspicious parent-child relationship.
     • Parent process: PowerShell.
     • Child process: NSLookup performing DNS queries.
     • The DNS queries targeted encoded subdomains, triggering suspicion.
  2. Analysis in Splunk:
     • Investigated process IDs and correlated events.
     • Identified a pattern of activity involving PowerShell.
  3. Uncovered Malicious Activity:
     • PowerShell was used to download PowerCat, a known tool for privilege escalation and data exfiltration.
     • Established a Command and Control (C2) server via Ngrok.
     • System enumeration and mapping of financial record shares.
     • Data exfiltration via DNS queries.
  4. Case Report:
     • Documented findings: use of malicious tools and the detailed attack sequence.
     • Recommendations for detection improvements and domain investigations.
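A minimal version of the detection described in steps 1 to 3 (PowerShell spawning nslookup with encoded-looking subdomains), written here as an added example; it is not code from the video or the simulator. The process-creation events are constructed, and the field names, length and entropy thresholds are my own assumptions about what a SIEM would expose.

```python
import math
import re

# Constructed sample process-creation events (not from the page or the simulator).
# The field layout is a hypothetical simplification of what a SIEM like Splunk indexes.
SAMPLE_EVENTS = [
    {"parent": "powershell.exe", "image": "nslookup.exe",
     "cmdline": "nslookup 4a6f686e20446f652c20696e766f6963652031.exfil.example"},
    {"parent": "powershell.exe", "image": "nslookup.exe",
     "cmdline": "nslookup MFRGGZDFMZTWQ2LKNNWG23TPOBZA.exfil.example"},
    {"parent": "explorer.exe", "image": "nslookup.exe",
     "cmdline": "nslookup intranet.corp.example"},
    {"parent": "powershell.exe", "image": "whoami.exe", "cmdline": "whoami"},
]

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking hex/base32 labels score higher than words."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s.lower():
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_label(label: str, min_len: int = 20, min_entropy: float = 3.0) -> bool:
    """Heuristic: long labels that are high-entropy or use a pure hex/base32 alphabet."""
    encoded_alphabet = re.fullmatch(r"[0-9a-f]+|[A-Z2-7=]+", label) is not None
    return len(label) >= min_len and (shannon_entropy(label) >= min_entropy or encoded_alphabet)

def flag_dns_exfil(events: list[dict]) -> list[str]:
    """Return queried names for nslookup children of PowerShell with encoded-looking labels."""
    hits = []
    for ev in events:
        if ev["parent"].lower() != "powershell.exe" or ev["image"].lower() != "nslookup.exe":
            continue
        parts = ev["cmdline"].split()
        if len(parts) < 2:
            continue
        name = parts[1]
        labels = name.split(".")[:-2]  # subdomain labels only; drop registrable domain and TLD
        if any(suspicious_label(label) for label in labels):
            hits.append(name)
    return hits

if __name__ == "__main__":
    for name in flag_dns_exfil(SAMPLE_EVENTS):
        print("possible DNS exfiltration via nslookup:", name)
```

The same parent/child plus label-shape logic is what the Splunk search in the walkthrough approximates; tune the thresholds against your own baseline of legitimate long hostnames before alerting on it.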


Creating SOC Case Report

Report Submission:

  • The incident was classified as a “True Positive.”
  • A case report was drafted and submitted through the SOC Simulator.

Simulator Exploration:

  • Users can revisit closed alerts and edit reports.
  • Upcoming features like playbooks are hinted at for future updates.

SOC Incident Investigation Case Study 2 | Email Phishing

Email Characteristics:

  • Sender: A legitimate-looking domain (e.g., yahoo.com).
  • Email content and attachment:
     • Attachments, like a PowerShell script (force_update) and an invoice, are downloaded to an analyst VM for examination.

Steps in Investigation:

  • Analyze the Sender: Verified the email originated from a valid domain using DNS checks.
  • Attachment Analysis:
     • Opened attachments in a sandbox environment for safety.
     • Confirmed one of the attachments matched a detected alert.

Detecting False Positives:

  • Alerts are marked as false positives when the domain or email content is verified as legitimate and contains no malicious indicators.

Video Walkthrough P1


