1/96
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced | Call with Kai | Chat |
|---|
No analytics yet
Send a link to your students to track their progress
OSI Model
Definition: A seven-layer framework that describes how data travels across a network.
Purpose: Standardizes network communication between devices and applications.
SOC Relevance: Helps identify where communication problems or attacks occur.
Common Attack/Abuse: Attacks can target different OSI layers.
Remember: Seven layers from Physical to Application.
TCP/IP
Definition: A suite of networking protocols used for communication over modern networks and the Internet.
Purpose: Provides the rules for addressing, transmitting, routing, and receiving data.
SOC Relevance: Most network traffic, logs, and investigations involve TCP/IP.
Common Attack/Abuse: IP spoofing, SYN floods, and session hijacking.
Remember: Foundation of modern networking.
TCP
Definition: A connection-oriented transport protocol that provides reliable data delivery.
Purpose: Ensures data arrives completely and in the correct order.
SOC Relevance: Used by many important services such as HTTPS, SSH, SMB, and RDP.
Common Attack/Abuse: SYN flood attacks and TCP session hijacking.
Remember: Reliable communication.
UDP
Definition: A connectionless transport protocol that sends data without guaranteeing delivery.
Purpose: Provides fast communication with minimal overhead.
SOC Relevance: Commonly used for DNS, streaming, and voice communications.
Common Attack/Abuse: UDP flood and amplification attacks.
Remember: Fast communication.
IPv4
Definition: A 32-bit addressing system used to identify devices on a network.
Purpose: Provides logical addresses for network communication.
SOC Relevance: Most enterprise environments still use IPv4 extensively.
Common Attack/Abuse: IP spoofing and network scanning.
Remember: Four decimal numbers separated by periods.
IPv6
Definition: A 128-bit addressing system designed to replace IPv4.
Purpose: Supports a much larger number of unique IP addresses.
SOC Relevance: Increasingly common in enterprise and cloud environments.
Common Attack/Abuse: Misconfigured IPv6 networks can bypass security controls.
Remember: Eight groups of hexadecimal values.
MAC Address
Definition: A unique hardware address assigned to a network interface.
Purpose: Identifies devices on a local network.
SOC Relevance: Used to identify devices within the same LAN.
Common Attack/Abuse: MAC spoofing.
Remember: Physical hardware address.
ARP
Definition: A protocol that maps IPv4 addresses to MAC addresses.
Purpose: Allows devices to locate one another on a local network.
SOC Relevance: Useful when investigating local network communications.
Common Attack/Abuse: ARP spoofing (ARP poisoning).
Remember: Resolves IP addresses to MAC addresses.
DNS
Definition: A service that translates domain names into IP addresses.
Purpose: Allows users to access resources using names instead of numeric addresses.
SOC Relevance: DNS logs often reveal malicious domains and command-and-control activity.
Common Attack/Abuse: DNS tunneling, cache poisoning, domain generation algorithms.
Remember: Port 53.
DHCP
Definition: A protocol that automatically assigns network configuration to devices.
Purpose: Dynamically provides IP addresses and network settings.
SOC Relevance: DHCP logs help identify which device was assigned an IP address.
Common Attack/Abuse: Rogue DHCP servers and DHCP starvation attacks.
Remember: Automatically assigns IP addresses.
NAT
Definition: A process that translates private IP addresses into public IP addresses.
Purpose: Conserves public IP addresses and hides internal networks.
SOC Relevance: Helps analysts understand why multiple devices share one public IP.
Common Attack/Abuse: Can obscure the true source of network traffic.
Remember: Private to public address translation.
VLAN
Definition: A logical network that separates devices into different broadcast domains.
Purpose: Improves network organization, performance, and security.
SOC Relevance: Limits communication between network segments.
Common Attack/Abuse: VLAN hopping.
Remember: Logical network segmentation.
VPN
Definition: An encrypted connection between a device and a remote network.
Purpose: Protects data while accessing networks over the Internet.
SOC Relevance: VPN logs are important during remote access investigations.
Common Attack/Abuse: Credential theft and session hijacking.
Remember: Secure remote access.
Proxy
Definition: A server that forwards requests between a client and another server.
Purpose: Filters, caches, or monitors network traffic.
SOC Relevance: Proxy logs help track user web activity.
Common Attack/Abuse: Attackers may use proxies to hide their location.
Remember: Acts as an intermediary.
Firewall
Definition: A security device or software that filters network traffic based on predefined rules.
Purpose: Allows or blocks traffic entering or leaving a network.
SOC Relevance: Firewall logs are a primary source during network investigations.
Common Attack/Abuse: Rule misconfigurations and firewall evasion techniques.
Remember: Controls network traffic.
IDS
Definition: An Intrusion Detection System monitors network or system activity for suspicious behavior.
Purpose: Detects potential security threats.
SOC Relevance: Generates alerts for analysts to investigate.
Common Attack/Abuse: Evasion through encrypted or fragmented traffic.
Remember: Detects suspicious activity.
IPS
Definition: An Intrusion Prevention System monitors and automatically blocks malicious activity.
Purpose: Prevents known attacks before they reach systems.
SOC Relevance: Helps stop attacks while generating investigation logs.
Common Attack/Abuse: Evasion through encrypted or obfuscated traffic.
Remember: Detects and blocks malicious activity.
HTTP
Definition: Hypertext Transfer Protocol used for transmitting web pages and web application data.
Purpose: Allows communication between web browsers and web servers.
SOC Relevance: Frequently analyzed during web traffic investigations.
Common Attack/Abuse: Man-in-the-Middle (unencrypted), session hijacking, web application attacks.
Remember: Port 80 and not encrypted.
HTTPS
Definition: Hypertext Transfer Protocol Secure that uses TLS to encrypt web traffic.
Purpose: Protects the confidentiality and integrity of web communications.
SOC Relevance: Most web traffic today uses HTTPS.
Common Attack/Abuse: SSL stripping, certificate abuse, malicious traffic hidden inside encrypted sessions.
Remember: Port 443 and encrypted with TLS.
FTP
Definition: File Transfer Protocol used to transfer files between computers.
Purpose: Uploads and downloads files across a network.
SOC Relevance: Legacy protocol still found in some environments.
Common Attack/Abuse: Credential theft because usernames and passwords are sent in plaintext.
Remember: Ports 20 and 21.
SFTP
Definition: SSH File Transfer Protocol used for secure file transfers.
Purpose: Transfers files through an encrypted SSH connection.
SOC Relevance: Common replacement for FTP.
Common Attack/Abuse: Stolen SSH credentials.
Remember: Port 22.
SSH
Definition: Secure Shell protocol for encrypted remote administration.
Purpose: Securely connects to remote systems.
SOC Relevance: Used by administrators to manage Linux and network devices.
Common Attack/Abuse: Brute-force attacks, stolen SSH keys.
Remember: Port 22.
Telnet
Definition: Remote access protocol that sends data in plaintext.
Purpose: Allows command-line access to remote systems.
SOC Relevance: Considered insecure and rarely used in modern environments.
Common Attack/Abuse: Credential interception.
Remember: Port 23.
SMTP
Definition: Simple Mail Transfer Protocol used to send email.
Purpose: Transfers outgoing email between clients and mail servers.
SOC Relevance: Important during phishing and email investigations.
Common Attack/Abuse: Email spoofing, phishing campaigns.
Remember: Port 25.
POP3
Definition: Post Office Protocol version 3 retrieves email from a mail server.
Purpose: Downloads email to a client device.
SOC Relevance: Seen in legacy email environments.
Common Attack/Abuse: Credential theft if encryption is not used.
Remember: Port 110.
IMAP
Definition: Internet Message Access Protocol retrieves and manages email stored on a mail server.
Purpose: Synchronizes email across multiple devices.
SOC Relevance: Common protocol used by modern email clients.
Common Attack/Abuse: Credential theft and unauthorized mailbox access.
Remember: Port 143.
DNS
Definition: Domain Name System translates domain names into IP addresses.
Purpose: Allows users to locate network resources using names instead of IP addresses.
SOC Relevance: DNS logs are commonly reviewed during investigations.
Common Attack/Abuse: DNS tunneling and cache poisoning.
Remember: Port 53.
LDAP
Definition: Lightweight Directory Access Protocol used to access and manage directory services.
Purpose: Retrieves user, group, and device information.
SOC Relevance: Commonly used with Active Directory authentication.
Common Attack/Abuse: LDAP injection and unauthorized directory enumeration.
Remember: Port 389.
LDAPS
Definition: LDAP secured with TLS encryption.
Purpose: Protects directory communications.
SOC Relevance: Preferred over standard LDAP.
Common Attack/Abuse: Certificate misconfiguration.
Remember: Port 636.
SMB
Definition: Server Message Block protocol used for file and printer sharing.
Purpose: Allows systems to share files and network resources.
SOC Relevance: Frequently involved in lateral movement and ransomware investigations.
Common Attack/Abuse: Pass-the-Hash, ransomware propagation, EternalBlue.
Remember: Port 445.
RDP
Definition: Remote Desktop Protocol provides graphical remote access to Windows systems.
Purpose: Allows users to remotely control a computer.
SOC Relevance: Common entry point during account compromise investigations.
Common Attack/Abuse: Brute-force attacks, credential theft.
Remember: Port 3389.
SNMP
Definition: Simple Network Management Protocol monitors and manages network devices.
Purpose: Collects status and performance information from devices.
SOC Relevance: Useful for monitoring routers, switches, and firewalls.
Common Attack/Abuse: Default community strings and unauthorized device enumeration.
Remember: Ports 161 and 162.
NTP
Definition: Network Time Protocol synchronizes system clocks.
Purpose: Keeps devices using the same accurate time.
SOC Relevance: Accurate timestamps are critical for incident investigations and log correlation.
Common Attack/Abuse: NTP amplification attacks.
Remember: Port 123.
Kerberos
Definition: A network authentication protocol that uses tickets to verify user identities.
Purpose: Provides secure authentication in Active Directory environments.
SOC Relevance: Commonly appears in Windows authentication logs.
Common Attack/Abuse: Kerberoasting, Golden Ticket, Silver Ticket.
Remember: Port 88.
DHCP
Definition: Dynamic Host Configuration Protocol automatically assigns IP addresses and network settings.
Purpose: Simplifies network configuration.
SOC Relevance: DHCP logs help identify which device used an IP address at a specific time.
Common Attack/Abuse: Rogue DHCP servers and DHCP starvation.
Remember: Ports 67 and 68.
Active Directory (AD)
Definition: A directory service developed by Microsoft that stores and manages users, computers, groups, and other network resources within a Windows domain.
Purpose: Centralizes authentication, authorization, and management of network resources.
SOC Relevance: Most enterprise environments use Active Directory, making it a common target during investigations.
Common Attack/Abuse: Credential theft, privilege escalation, Kerberoasting, Pass-the-Hash, Golden Ticket attacks.
Remember: The central identity management system for Windows domains.
Kerberos
Definition: A network authentication protocol that verifies identities using encrypted tickets.
Purpose: Securely authenticates users and services without repeatedly sending passwords.
SOC Relevance: Used as the default authentication protocol in Active Directory.
Common Attack/Abuse: Kerberoasting, Golden Ticket, Silver Ticket attacks.
Remember: Uses tickets, not passwords, after initial authentication.
NTLM
Definition: A legacy Microsoft authentication protocol that verifies user credentials.
Purpose: Provides authentication when Kerberos cannot be used.
SOC Relevance: Still appears in Windows environments and authentication logs.
Common Attack/Abuse: Pass-the-Hash, NTLM relay attacks.
Remember: Older and less secure than Kerberos.
LDAP
Definition: Lightweight Directory Access Protocol used to access and manage directory services.
Purpose: Allows applications and users to query and modify directory information.
SOC Relevance: Commonly used with Active Directory for user and group lookups.
Common Attack/Abuse: LDAP injection and unauthorized directory enumeration.
Remember: Standard protocol for directory services.
SAML
Definition: Security Assertion Markup Language is an XML-based authentication standard used for Single Sign-On (SSO).
Purpose: Allows users to authenticate once and access multiple applications.
SOC Relevance: Common in enterprise cloud applications and identity providers.
Common Attack/Abuse: Stolen or forged SAML assertions.
Remember: Used for Single Sign-On (SSO).
OAuth
Definition: An authorization framework that allows applications to access resources on a user's behalf without exposing the user's password.
Purpose: Grants limited access to protected resources using access tokens.
SOC Relevance: Frequently investigated when reviewing cloud application permissions.
Common Attack/Abuse: Token theft and malicious OAuth application consent.
Remember: Authorization, not authentication.
Multi-Factor Authentication (MFA)
Definition: A security method that requires two or more authentication factors to verify a user's identity.
Purpose: Reduces the risk of unauthorized access caused by stolen credentials.
SOC Relevance: One of the most effective defenses against account compromise.
Common Attack/Abuse: MFA fatigue attacks, SIM swapping, phishing proxies.
Remember: Something you know, have, or are.
Public Key Infrastructure (PKI)
Definition: A framework of hardware, software, policies, and procedures used to create, manage, distribute, and revoke digital certificates.
Purpose: Establishes trust and supports secure communications.
SOC Relevance: Used for HTTPS, VPNs, email encryption, and digital signatures.
Common Attack/Abuse: Certificate theft and compromised certificate authorities.
Remember: Manages digital trust.
Digital Certificate
Definition: An electronic credential that binds a public key to the identity of a person, device, or organization.
Purpose: Verifies identity and enables encrypted communication.
SOC Relevance: Used in HTTPS, VPNs, email security, and device authentication.
Common Attack/Abuse: Expired, forged, or stolen certificates.
Remember: Proves identity.
Certificate Authority (CA)
Definition: A trusted organization or system that issues and signs digital certificates.
Purpose: Confirms the identity of certificate owners.
SOC Relevance: Trust in secure communications depends on trusted CAs.
Common Attack/Abuse: Compromised or rogue certificate authorities issuing fraudulent certificates.
Remember: Trusted issuer of certificates.
Single Sign-On (SSO)
Definition: An authentication process that allows users to log in once and access multiple applications.
Purpose: Simplifies authentication and improves user experience.
SOC Relevance: Frequently used with SAML, OpenID Connect, and enterprise identity providers.
Common Attack/Abuse: Stolen SSO sessions and token theft.
Remember: One login, many applications.
Identity Provider (IdP)
Definition: A service that authenticates users and provides identity information to applications.
Purpose: Centralizes user authentication.
SOC Relevance: Common identity providers include Microsoft Entra ID, Okta, and Ping Identity.
Common Attack/Abuse: Credential theft, token theft, phishing attacks.
Remember: Verifies who the user is.
Service Provider (SP)
Definition: An application or service that relies on an Identity Provider to authenticate users.
Purpose: Provides services after receiving proof of authentication.
SOC Relevance: Enterprise cloud applications often function as Service Providers.
Common Attack/Abuse: Trust relationship abuse and session hijacking.
Remember: Provides the application or service.
Hash
Definition: A one-way mathematical function that converts data into a fixed-length value.
Purpose: Verifies data integrity and securely stores passwords.
SOC Relevance: Used to identify malware, verify file integrity, and store passwords.
Common Attack/Abuse: Rainbow table attacks against weak or unsalted hashes, hash collisions (rare).
Remember: Cannot be reversed.
Salt
Definition: Random data added to a password before hashing.
Purpose: Makes identical passwords produce different hashes and protects against rainbow table attacks.
SOC Relevance: Indicates whether password storage follows security best practices.
Common Attack/Abuse: Weak or missing salts make password cracking easier.
Remember: A salt is added before hashing.
AES (Advanced Encryption Standard)
Definition: A symmetric encryption algorithm used to encrypt data.
Purpose: Protects the confidentiality of data at rest and in transit.
SOC Relevance: Commonly used in HTTPS, VPNs, wireless networks, and disk encryption.
Common Attack/Abuse: Attackers usually target the encryption keys rather than AES itself.
Remember: Symmetric encryption standard.
RSA
Definition: An asymmetric encryption algorithm that uses a public and private key pair.
Purpose: Encrypts data, exchanges keys, and creates digital signatures.
SOC Relevance: Widely used in TLS, certificates, and secure communications.
Common Attack/Abuse: Private key theft or weak key sizes.
Remember: Public key encrypts, private key decrypts.
ECC (Elliptic Curve Cryptography)
Definition: An asymmetric encryption algorithm that provides strong security using smaller key sizes.
Purpose: Encrypts data and creates digital signatures efficiently.
SOC Relevance: Common in mobile devices, VPNs, and modern TLS implementations.
Common Attack/Abuse: Private key compromise.
Remember: Strong security with smaller keys.
SHA-256
Definition: A cryptographic hash function that produces a 256-bit hash value.
Purpose: Verifies file integrity and securely stores password hashes.
SOC Relevance: Used to identify malware and verify downloaded files.
Common Attack/Abuse: Brute-force attacks against weak passwords.
Remember: Produces a 256-bit hash.
SHA-512
Definition: A cryptographic hash function that produces a 512-bit hash value.
Purpose: Verifies integrity and securely stores sensitive data.
SOC Relevance: Used where stronger hashing is required.
Common Attack/Abuse: Password cracking against weak passwords.
Remember: Produces a 512-bit hash.
TLS (Transport Layer Security)
Definition: A cryptographic protocol that encrypts communications between devices.
Purpose: Protects data confidentiality and integrity during transmission.
SOC Relevance: Used by HTTPS, email, VPNs, and many secure applications.
Common Attack/Abuse: SSL stripping, certificate abuse, downgrade attacks.
Remember: Replaced SSL.
Digital Signature
Definition: A cryptographic value used to verify the authenticity and integrity of data.
Purpose: Confirms that data has not been altered and verifies the sender's identity.
SOC Relevance: Used to validate software, documents, and email.
Common Attack/Abuse: Stolen signing certificates and private keys.
Remember: Provides authentication, integrity, and non-repudiation.
Symmetric Encryption
Definition: An encryption method that uses the same key for encryption and decryption.
Purpose: Protects data quickly and efficiently.
SOC Relevance: Used for encrypting large amounts of data.
Common Attack/Abuse: Key theft or unauthorized key sharing.
Remember: One key.
Asymmetric Encryption
Definition: An encryption method that uses a public key and a private key.
Purpose: Enables secure communication and digital signatures.
SOC Relevance: Used for certificates, TLS, VPNs, and secure authentication.
Common Attack/Abuse: Private key compromise.
Remember: Two keys.
Encryption
Definition: The process of converting readable data into unreadable ciphertext using an encryption algorithm.
Purpose: Protects the confidentiality of information.
SOC Relevance: Used to secure sensitive files, communications, and databases.
Common Attack/Abuse: Key theft and weak encryption implementations.
Remember: Protects confidentiality.
Ciphertext
Definition: Data that has been encrypted into an unreadable format.
Purpose: Prevents unauthorized users from reading sensitive information.
SOC Relevance: Analysts may encounter encrypted files or communications during investigations.
Common Attack/Abuse: Attackers attempt to steal encryption keys rather than read ciphertext directly.
Remember: Encrypted data.
Plaintext
Definition: Readable, unencrypted data.
Purpose: Represents the original information before encryption or after decryption.
SOC Relevance: Sensitive plaintext data should never be transmitted over insecure channels.
Common Attack/Abuse: Data interception when transmitted without encryption.
Remember: Human-readable data.
Phishing
Definition: A social engineering attack that tricks users into revealing sensitive information or performing harmful actions.
Purpose: Steals credentials, financial information, or delivers malware.
SOC Relevance: One of the most common initial access methods investigated by SOC analysts.
Common Attack/Abuse: Fake login pages, malicious links, and infected attachments.
Remember: Broad attack targeting many users.
Spear Phishing
Definition: A phishing attack targeted at a specific individual or organization.
Purpose: Increases the chance of success by using personalized information.
SOC Relevance: Frequently used against employees with access to sensitive data.
Common Attack/Abuse: Business email compromise (BEC), credential theft.
Remember: Personalized phishing.
Whaling
Definition: A phishing attack specifically targeting high-profile individuals such as executives.
Purpose: Steals sensitive information or authorizes fraudulent transactions.
SOC Relevance: Often involved in Business Email Compromise investigations.
Common Attack/Abuse: CEO fraud, wire transfer scams.
Remember: Targets executives.
Smishing
Definition: A phishing attack delivered through SMS text messages.
Purpose: Tricks users into clicking malicious links or revealing information.
SOC Relevance: Increasingly common in credential theft campaigns.
Common Attack/Abuse: Fake delivery notifications, banking scams.
Remember: SMS phishing.
Vishing
Definition: A phishing attack conducted through phone calls or voice messages.
Purpose: Tricks victims into revealing sensitive information.
SOC Relevance: Often used to bypass technical security controls.
Common Attack/Abuse: Fake IT support, bank impersonation.
Remember: Voice phishing.
Password Spraying
Definition: An attack that attempts one common password against many user accounts.
Purpose: Avoids account lockout policies while trying to gain access.
SOC Relevance: Common authentication alert investigated in SOCs.
Common Attack/Abuse: Uses weak or commonly used passwords.
Remember: One password, many accounts.
Credential Stuffing
Definition: An attack that uses stolen username and password combinations from previous data breaches.
Purpose: Gains unauthorized access to accounts where users reused passwords.
SOC Relevance: Common in cloud and web application investigations.
Common Attack/Abuse: Automated login attempts using breached credentials.
Remember: Stolen credentials from another breach.
Brute Force Attack
Definition: An attack that repeatedly guesses passwords until the correct one is found.
Purpose: Gains unauthorized access to an account or system.
SOC Relevance: Often detected through multiple failed login attempts.
Common Attack/Abuse: Password guessing against RDP, VPN, SSH, and web logins.
Remember: Many guesses against one account.
Pass-the-Hash
Definition: An attack that authenticates using a stolen password hash instead of the actual password.
Purpose: Moves laterally through Windows environments.
SOC Relevance: Common technique during Active Directory compromises.
Common Attack/Abuse: Uses stolen NTLM hashes.
Remember: Hash instead of password.
SQL Injection (SQLi)
Definition: An attack that inserts malicious SQL commands into an application's database query.
Purpose: Reads, modifies, or deletes database information.
SOC Relevance: Common web application attack investigated by security teams.
Common Attack/Abuse: Database theft and authentication bypass.
Remember: Targets databases.
Cross-Site Scripting (XSS)
Definition: An attack that injects malicious JavaScript into a trusted website.
Purpose: Executes code in a victim's web browser.
SOC Relevance: Common vulnerability affecting web applications.
Common Attack/Abuse: Session cookie theft and website defacement.
Remember: Runs in the user's browser.
Cross-Site Request Forgery (CSRF)
Definition: An attack that tricks an authenticated user into submitting an unwanted request.
Purpose: Performs actions without the user's knowledge.
SOC Relevance: Targets authenticated web sessions.
Common Attack/Abuse: Changing passwords or transferring funds while the user is logged in.
Remember: Exploits user trust.
Command Injection
Definition: An attack that causes an application to execute unauthorized operating system commands.
Purpose: Allows attackers to control or compromise a server.
SOC Relevance: Can lead to remote code execution.
Common Attack/Abuse: Running system commands through vulnerable applications.
Remember: Executes operating system commands.
DNS Tunneling
Definition: A technique that uses DNS queries to transfer unauthorized data.
Purpose: Bypasses network security controls and communicates with attacker-controlled systems.
SOC Relevance: Common indicator of command-and-control activity.
Common Attack/Abuse: Data exfiltration and malware communication.
Remember: Abuse of DNS traffic.
Denial-of-Service (DoS)
Definition: An attack that overwhelms a system or service until it becomes unavailable.
Purpose: Disrupts normal operations.
SOC Relevance: Causes service outages and performance issues.
Common Attack/Abuse: SYN floods and UDP floods.
Remember: One attacker, one source.
Distributed Denial-of-Service (DDoS)
Definition: A denial-of-service attack launched from many compromised devices simultaneously.
Purpose: Overwhelms a target with massive amounts of traffic.
SOC Relevance: Common attack against public-facing websites.
Common Attack/Abuse: Botnet-driven flooding attacks.
Remember: Many attackers, one target.
Man-in-the-Middle (MitM)
Definition: An attack where an attacker secretly intercepts communications between two parties.
Purpose: Steals or modifies transmitted information.
SOC Relevance: Common on insecure wireless networks.
Common Attack/Abuse: ARP spoofing and rogue Wi-Fi access points.
Remember: Attacker sits between two devices.
Replay Attack
Definition: An attack that captures and retransmits legitimate authentication data.
Purpose: Gains unauthorized access without knowing the password.
SOC Relevance: Targets authentication protocols lacking replay protection.
Common Attack/Abuse: Reusing captured authentication tokens.
Remember: Reuses valid communications.
Privilege Escalation
Definition: An attack that gains higher levels of system permissions.
Purpose: Allows attackers to perform unauthorized actions.
SOC Relevance: Frequently follows initial compromise.
Common Attack/Abuse: Exploiting software vulnerabilities or misconfigurations.
Remember: Gains more permissions.
Lateral Movement
Definition: The process of moving from one compromised system to another within a network.
Purpose: Expands attacker access.
SOC Relevance: Common during ransomware and Active Directory attacks.
Common Attack/Abuse: Pass-the-Hash, stolen credentials, PsExec.
Remember: Moves across the network.
Virus
Definition: Malicious software that attaches itself to a legitimate file or program and spreads when the infected file is executed.
Purpose: Disrupts systems, damages data, or delivers additional malware.
SOC Relevance: Can be identified through antivirus, EDR, and file analysis.
Common Attack/Abuse: Infects executable files and spreads through user interaction.
Remember: Requires user action to spread.
Worm
Definition: Malicious software that spreads automatically across networks without user interaction.
Purpose: Rapidly infects vulnerable systems.
SOC Relevance: Can generate widespread network activity and multiple endpoint alerts.
Common Attack/Abuse: Exploits network vulnerabilities to self-propagate.
Remember: Spreads by itself.
Trojan
Definition: Malicious software disguised as legitimate software.
Purpose: Tricks users into installing malware.
SOC Relevance: Often used as the initial malware delivered through phishing.
Common Attack/Abuse: Downloads additional malware or provides unauthorized access.
Remember: Looks legitimate but is malicious.
Remote Access Trojan (RAT)
Definition: Malware that gives an attacker remote control of an infected system.
Purpose: Allows attackers to monitor, control, and steal data from a victim.
SOC Relevance: Often detected through unusual outbound connections or EDR alerts.
Common Attack/Abuse: Remote command execution, surveillance, data theft.
Remember: Remote control malware.
Rootkit
Definition: Malware designed to hide itself and other malicious activity from the operating system and security tools.
Purpose: Maintains persistent, hidden access.
SOC Relevance: Makes malware difficult to detect and remove.
Common Attack/Abuse: Hides files, processes, registry keys, or network connections.
Remember: Hides malicious activity.
Ransomware
Definition: Malware that encrypts files or systems and demands payment for their recovery.
Purpose: Extorts victims for financial gain.
SOC Relevance: One of the most common and damaging incidents handled by SOC teams.
Common Attack/Abuse: Encrypts data and may also steal information before encryption.
Remember: Encrypts files for ransom.
Spyware
Definition: Malware that secretly collects information about a user or system.
Purpose: Steals credentials, browsing history, or sensitive information.
SOC Relevance: May be detected through unusual outbound traffic or EDR alerts.
Common Attack/Abuse: Credential theft and user monitoring.
Remember: Secretly gathers information.
Adware
Definition: Software that displays unwanted advertisements to users.
Purpose: Generates advertising revenue for the attacker or developer.
SOC Relevance: May indicate unwanted software or bundled malware.
Common Attack/Abuse: Displays pop-ups, redirects browsers, tracks user activity.
Remember: Shows unwanted advertisements.
Logic Bomb
Definition: Malicious code that activates when a specific condition or event occurs.
Purpose: Delays malicious activity until triggered.
SOC Relevance: Difficult to detect before activation.
Common Attack/Abuse: Activates on a specific date, time, or user action.
Remember: Triggered by a condition.
Botnet
Definition: A network of compromised devices controlled by an attacker.
Purpose: Performs coordinated malicious activities.
SOC Relevance: Used in DDoS attacks, spam campaigns, and malware distribution.
Common Attack/Abuse: Distributed Denial-of-Service (DDoS), credential attacks, cryptocurrency mining.
Remember: Many infected devices under one attacker's control.
Keylogger
Definition: Malware that records keystrokes entered by a user.
Purpose: Steals usernames, passwords, and other sensitive information.
SOC Relevance: Often discovered during endpoint investigations.
Common Attack/Abuse: Credential theft.
Remember: Records everything typed.
Backdoor
Definition: A hidden method of bypassing normal authentication to access a system.
Purpose: Maintains unauthorized access after a compromise.
SOC Relevance: Common persistence mechanism used by attackers.
Common Attack/Abuse: Remote access and malware persistence.
Remember: Hidden access into a system.
Fileless Malware
Definition: Malware that operates primarily in memory without writing files to disk.
Purpose: Avoids traditional antivirus detection.
SOC Relevance: Frequently detected by EDR solutions through behavioral analysis.
Common Attack/Abuse: Uses PowerShell, WMI, or legitimate system tools.
Remember: Runs in memory.
Dropper
Definition: Malware designed to install or deliver additional malware onto a system.
Purpose: Bypasses security controls to deploy malicious payloads.
SOC Relevance: Often the first malware identified during an infection.
Common Attack/Abuse: Downloads ransomware, RATs, or spyware.
Remember: Delivers other malware.
Downloader
Definition: Malware whose primary function is to download additional malicious software.
Purpose: Retrieves payloads from attacker-controlled servers.
SOC Relevance: Often generates suspicious outbound network traffic.
Common Attack/Abuse: Downloads secondary malware after infection.
Remember: Downloads more malware.