Comprehensive Defender Reference

Blue Team Mapper

End-to-end defensive operations covering detection engineering, incident response, threat hunting, identity hardening, cloud security, and SOC operations. Built for analysts who need actionable depth, not surface-level checklists.

MITRE ATT&CK Aligned Detection Engineering Incident Response Threat Hunting Hardening SOAR Playbooks

Architecture

Defense Lifecycle

The seven phases of modern defense — each phase feeds the next. Gaps in any phase degrade all downstream capabilities.

👁️

Visibility

SIEM · EDR
NDR · DNS
Identity · Cloud

🎯

Detection

SIGMA · YARA
UEBA · IOC
Behavioral

🔍

Triage

Enrich · Scope
Process Trees
Memory / Disk

⚡

Response

Contain · Hunt
Eradicate
SOAR / Playbooks

🛡️

Hardening

Patch · LAPS
ASR · ADCS
MFA · Baselines

🔬

Intel / Hunt

CTI · Actors
Malware Analysis
Atomic Tests

🔄

Recovery

Rebuild · RCA
Lessons Learned
New Rules

Workflows

Defense Flow Chains

End-to-end response workflows for common attack scenarios. Each step must be executed in order — skipping containment before scoping is a common and costly mistake.

Phishing → Detection → Block → Hunt

Email received

›

Gateway / Proofpoint scan

›

SIEM alert → analyst triage

›

Block sender + URL + hash

›

Hunt all recipients org-wide

›

Purge from all mailboxes

EDR Alert → Triage → Contain → Forensics → Eradicate

EDR behavioral alert

›

Process tree + memory check

›

Network isolate endpoint

›

Memory + disk forensics

›

Scope lateral movement

›

Reimage + rules updated

Credential Compromise → Lock → Scope → Reset All

Impossible travel alert

›

Disable + kill all sessions

›

Enumerate access + OAuth apps

›

Revoke all tokens + passkeys

›

New creds + re-enroll MFA

Ransomware → Emergency Segment → Scope → BC/DR → Rebuild

Mass file rename alert

›

Emergency network segment

›

Patient zero + spread scope

›

Validate backups integrity

›

Activate BC/DR plan

›

Restore from clean backups

DCSync Alert → Verify → Lock Account → AD Reset

Event 4662 DRS replication

›

Confirm source is not a DC

›

Disable compromised account

›

Audit DCSync-capable accounts

›

krbtgt ×2 + all DA creds

Cloud Token Theft → Revoke → CAP Fix → App Audit

Anomalous Graph API access

›

Revoke all user tokens

›

Audit app registrations + consent

›

Tighten Conditional Access

›

Enhanced Graph audit logging

ADCS ESC Exploitation → Revoke → Fix Templates → Audit

Certificate misuse detected

›

Revoke issued certs

›

Fix vulnerable template perms

›

Locksmith scan all templates

›

ADCS audit logging enabled

Data Exfil Alert → Kill Channel → DLP Review → Scope

Large DNS/HTTPS transfer alert

›

Block endpoint + egress path

›

Review DLP logs + proxy

›

Determine data touched

›

Legal / breach notification

Visibility Layer

SIEM & Log Management

The foundation of detection. Without comprehensive, quality logging you are flying blind. Invest in log coverage and normalization before adding more tools.

Log Source Priority Matrix

TIER 1 — CRITICAL  (must have before anything else)
├── Windows Security Event Log      4624/4625 · 4688+cmdline · 4698 · 4662 · 4769
├── Windows Sysmon                  Process · network · registry · file · DNS · pipe · WMI
├── EDR Telemetry                   Behavioral events · process injection · memory anomalies
├── Network Firewall / IDS           Allowed + denied flows · lateral movement patterns
├── DNS Logs                         All queries with requesting process (Sysmon 22)
└── Identity Provider               Entra ID / Okta — sign-ins · MFA · CA · risk signals

TIER 2 — HIGH VALUE
├── Proxy / Web Filter              HTTP/S · new domains · large uploads · User-Agent
├── Email Security Gateway          Phishing · attachment detonation · link clicks
├── VPN / Remote Access             Auth · unusual hours · geo anomalies
├── Active Directory                Replication · group changes · LDAP queries · ADCS
├── PowerShell ScriptBlock (4104)   Script content before execution · AMSI data
└── Exchange / M365 Audit           Mailbox access · forwarding rules · consent grants

TIER 3 — SITUATIONAL
├── WMI Activity Log                WMI subscriptions · remote execution artifacts
├── NetFlow / IPFIX                 East-west baselines · beaconing patterns
├── DHCP / RADIUS                   IP-to-hostname mapping · NAC bypass attempts
├── Cloud API Logs                  CloudTrail · Defender MCAS · GCP audit log
└── Application / WAF Logs          Web shell indicators · injection attempts

RETENTION GUIDANCE
├── Hot (searchable)   90 days minimum — 1 year preferred for enterprise
├── Warm (archived)    1–3 years — regulatory and legal hold requirements
└── Cold (tape/object) 3–7 years — compliance-dependent, restore on demand

SIEM

Splunk Detection Engineering

SPL queries, Risk-Based Alerting, and operational tuning for enterprise Splunk

Risk-Based Alerting (RBA) — assign risk scores per event; alert on cumulative risk threshold crossing. Dramatically reduces alert fatigue vs rule-per-event approach. Risk objects: user, system, IP. Score threshold typically 100–200 before incident opens.
tstats acceleration — use | tstats over index= for high-volume searches. 10–100× faster on summarized data. | tstats count WHERE index=winevent by host _time span=1m
Asset & Identity framework — normalize hostnames, IPs, users. Enables pivot-based investigation and automatic enrichment.
Adaptive Response — trigger SOAR playbooks, EDR isolation, or firewall blocks directly from an alert action. Connects detection to response.
Hunt with eventstats/streamstats — | eventstats for fleet baselines; | streamstats for sequential/time-window analysis.
OPSEC for analysts — attackers living in Splunk will search your hunting activity. Audit search logs. Use role-based search head separation for IR hunts.

SIEM

Microsoft Sentinel

Cloud-native SIEM — KQL-based, deep M365/Azure integration, UEBA built-in

KQL foundations — master | where | summarize | join | render before writing analytics rules. Use let statements to stage subqueries for readability and reuse.
Analytics rule types — Scheduled (periodic query), NRT Near-Real-Time (streaming, <5 min latency), Fusion (ML cross-signal correlation).
Watchlists — import threat intel IOCs, asset inventory, or known-good baselines as lookup tables. Use _GetWatchlist() in rules for enrichment.
UEBA + Anomaly rules — built-in baseline engine. Anomaly insights feed into Fusion rule engine for low-and-slow detection without manual baselines.
Automation rules + Playbooks — Logic Apps trigger on incident creation. Auto-enrich, auto-close FPs, auto-notify, auto-isolate via MDE action.
Cost control via DCR — Data Collection Rules filter at ingestion time. Drop noisy sources (Defender endpoint verbose logs, raw NetFlow) before billing.

SIEM

Sysmon Deployment

Essential endpoint telemetry for Windows — process, network, memory, registry in one agent

Key event IDs — 1 process · 3 network · 7 DLL load · 8 RemoteThread · 10 ProcessAccess (LSASS) · 11 file · 12/13 registry · 15 ADS · 17/18 pipe · 22 DNS · 25 process tamper
LSASS detection (Event 10) — GrantedAccess 0x1FFFFF or 0x1010 = LSASS dump attempt. Exclude known AV/EDR by process hash not just name.
Config baseline — start with SwiftOnSecurity config; upgrade to Olaf Hartong's modular config for mature environments. Both on GitHub.
Network Event 3 — captures process→IP correlation. Enables C2 beacon detection even over standard ports (80/443).
DNS Event 22 — captures DNS query + requesting process. Crucial for C2-over-DNS where HTTP logs alone miss it.
Performance tuning — filter aggressively. Ship all Sysmon raw = expensive and noisy. Filter known-good processes per event type.

SIEM

Elastic Security

Open-source ELK stack with commercial security features — scalable and detection-as-code friendly

ECS normalization — Elastic Common Schema maps all source fields to standard names. Detection rules become portable across log sources.
Detection Engine rule types — EQL (Event Query Language for sequence detection), ESQL (new analytical), ML anomaly, threshold, indicator match.
Prebuilt rules — 900+ MITRE-aligned at github.com/elastic/detection-rules. Always validate and tune FP rate before enabling in production.
Fleet + Elastic Agent — unified collection agent replacing multiple Beats. Manages policies centrally, supports endpoint protection and network capture.
Timeline investigation — visual investigation interface. Attach findings to cases for IR documentation and evidence chain.
ESQL for hunting — new query language optimized for large analytical scans. Faster than EQL for fleet-wide baseline analysis.

Endpoint Layer

EDR & Endpoint Detection

Modern EDRs are the primary detection surface for endpoint attacks. Understanding what they see — and where they're blind — is critical for both tuning and incident response.

EDR Detection Layers — Signal Fidelity vs. Attacker Bypass Difficulty

KERNEL CALLBACKS  (highest fidelity — attacker CANNOT bypass without BYOVD)
├── PsSetCreateProcessNotifyRoutine  Every process creation visible — no hiding new processes
├── PsSetCreateThreadNotifyRoutine   Remote thread injection alert — cross-process detection
├── PsSetLoadImageNotifyRoutine      DLL loads — image path · signed status · memory-backed check
└── ObRegisterCallbacks              Process handle access → LSASS access attempt detection

ETW TELEMETRY  (rich but in-process patchable — Cobalt Strike patches ntdll ETW)
├── Microsoft-Windows-Threat-Intelligence   Kernel-sourced inject/read/write process memory events
├── .NET CLR ETW                              Assembly loads, JIT compilation, AppDomain creation
├── PowerShell ETW (4104)                     Script block content before execution · AMSI data
└── WMI-Activity Operational                  WMI provider loads and subscription firing

MEMORY SCANNING  (periodic — gaps exist between scan cycles)
├── MZ/PE header in executable regions    Injected DLLs and reflective loaders
├── Unbacked executable memory            VirtualAlloc shellcode with no backing file
├── Known shellcode signatures            CS/Sliver/Metasploit stager patterns
└── RWX memory regions                   Suspicious when combined with network activity

BEHAVIORAL ANALYTICS  (ML + heuristics — tuned per vendor)
├── Call stack analysis          Shellcode detection via anomalous return addresses
├── Parent-child anomalies       Word spawning PowerShell · Office spawning cmd.exe
├── Credential access patterns   LSASS reads · SAM access · DPAPI operations
└── Lateral movement patterns    PsExec · WMI · service creation across host fleet

BLIND SPOTS  (common bypass techniques that reduce EDR visibility)
├── BYOVD                  Bring Your Own Vulnerable Driver — kills EDR kernel callbacks
├── ETW patching           Overwrites ntdll ETW function in-process memory (null-byte patch)
├── Direct syscalls        Bypasses user-mode API hooks — EDR never sees the call
├── Process ghosting       Deletes PE from disk before execution — no file on disk to scan
└── Fork & run            Spawns sacrificial process for post-ex — no memory in Beacon

EDR

Microsoft Defender for Endpoint

Deeply integrated Windows telemetry, ASR rules, cloud-ML, and native response

Attack Surface Reduction (ASR) — 16 rules blocking specific behaviors. Enable audit mode first; transition to block after 2–4 weeks. Critical: block Office child processes, block LSASS credential theft.
Tamper Protection — prevents local disable of Defender settings. Enforce via Intune. Without this, malware can trivially disable AV before payload drop.
Advanced Hunting (KQL) — DeviceProcessEvents · DeviceNetworkEvents · DeviceRegistryEvents · DeviceFileEvents. Write custom hunts in security.microsoft.com portal.
Live Response — remote shell on any enrolled device. Run scripts, collect files, kill processes without VPN tunnel.
Smart App Control (SAC) — Windows 11 feature blocking unsigned/uncredentialed binaries. Complement with WDAC policies for enterprise coverage.
Credential Guard — hypervisor-isolated LSASS prevents credential extraction even with LSASS handle access.

EDR

CrowdStrike Falcon

Industry-leading behavioral EDR — kernel sensor, cloud ML, and Overwatch managed detection

Prevention policies — enable "Extra Paranoid" protection mode for Tier 0 assets (DCs, PAWs, executive devices) where false positives are acceptable.
Custom IOA rules — behavioral detection based on process lineage, command line patterns, and network behavior. Not signature-based — survives malware recompilation.
Spotlight VM — vulnerability management prioritized by active exploitation in the wild. Bridges EDR telemetry with vulnerability data for real-world risk scoring.
RTR (Real Time Response) — live remote shell. Run scripts, kill processes, network isolate from Falcon console without agent reinstall.
Overwatch — CrowdStrike's managed threat hunting team layered on your telemetry. Worth the cost for organizations without a 24/7 SOC.
Event Search — query raw sensor telemetry with Splunk-like syntax. Pivot from any IOC across the entire fleet in minutes.

EDR

Velociraptor

Open-source DFIR platform — hunt and collect at scale across thousands of endpoints simultaneously

VQL (Velociraptor Query Language) — SQL-like language for endpoint queries. Collect artifacts, parse registry hives, hunt IOC patterns fleet-wide in real time.
Artifact library — pre-built collection templates: Windows.KapeFiles (KAPE triage), Windows.Network.Netstat, Windows.System.Pslist, Windows.Detection.Autoruns.
Live hunt queries — push VQL to every endpoint simultaneously. Results stream back in seconds for 10,000+ endpoint fleets.
Offline collection — standalone collector for air-gapped or isolated hosts. Run from USB, results saved locally, import to server.
Timeline correlation — correlate collected artifacts across hosts into attack timelines automatically with built-in analysis.
Cost — completely free, self-hosted on PostgreSQL or MySQL. Cost-effective alternative for orgs without commercial EDR budget.

EDR

SentinelOne Singularity

Autonomous AI-driven EDR with rollback capability — can respond without human intervention

Storyline — contextual process tree linking every event (process, file, network, registry) into coherent attack narratives. Dramatically accelerates triage.
Autonomous response — kill, quarantine, rollback without analyst approval. Configure carefully — autonomous kill decisions need policy review before enabling.
VSS Rollback — uses Windows Volume Shadow Copy to restore ransomware-encrypted files automatically. Can recover entire encrypted drives in minutes.
Deep Visibility — raw telemetry query interface. Pivot on any observable (hash, IP, cmdline, registry key) across the entire fleet.
Ranger — network discovery via sensor telemetry to identify unmanaged devices. No additional scanner needed for internal asset discovery.
RemoteOps — live remote investigation session without VPN. Scripts, file collection, process kill from SentinelOne console.

Detection Layer

Detection Engineering

Building, testing, and maintaining detections that analysts trust. Coverage over the MITRE ATT&CK framework, rule lifecycle management, and false-positive reduction are the core disciplines.

⚠️

Detection Quality Rule

A detection that fires constantly and gets ignored is worse than no detection. Alert fatigue kills SOC effectiveness. Measure false-positive rate per rule weekly and tune ruthlessly — the goal is trust, not coverage theater.

DETECT

SIGMA Rules

Vendor-agnostic detection rule format — write once, deploy to any SIEM via sigma-cli

Format — YAML-based. Key fields: logsource (category + product), detection (selection + filter conditions), level (informational → critical). Compile with: sigma convert -t splunk -p splunk_windows rule.yml
SigmaHQ repository — 3,000+ rules at github.com/SigmaHQ/sigma. MITRE ATT&CK tagged. Pull relevant rules, validate FP rate in your environment before production.
Detection-as-Code — store rules in Git with CI/CD pipeline that validates YAML syntax, compiles to SIEM query, and deploys on merge. Version-controlled, reviewable detections.
Rule lifecycle — Test in audit mode → measure FP rate over 2 weeks → add filter conditions for known-good → enable in block/alert → monitor regression monthly.
Tuning with filters — add filter_main_legit: condition blocks to suppress known benign processes. Never suppress by process name alone — use hash + path + parent combination.
Uncoder.io — online translator for Sigma rules to Splunk/KQL/EQL/QRadar without local sigma-cli install. Good for ad-hoc rule development.

DETECT

YARA Rules

Pattern-based file and memory scanning for malware family detection

Rule anatomy — strings section (byte patterns, text, hex sequences) + condition (boolean logic combining string matches with file properties like PE headers, entropy, size).
PE module — access import tables, exports, sections, authenticode. pe.imports("kernel32.dll", "VirtualAlloc") detects shellcode loaders.
Entropy detection — math.entropy(0, filesize) > 7 catches packed/encrypted payloads. Combine with PE section checks to reduce FPs.
Memory scanning — yara64 -p 4 rule.yar PID for live process memory. Most EDRs support YARA rules natively for periodic memory scans.
VirusTotal retrohunt — upload rule to VT Intelligence for retroactive corpus scan. Identify related samples for threat actor attribution and infrastructure mapping.
Performance — anchor rules with rare, specific byte sequences first. Broad rules (entropy only, single string) are too slow for production scanning at scale.

DETECT

Behavioral Analytics & UEBA

Detect anomalies when signatures won't help — user and entity baseline deviation

Baseline period — collect 30–90 days of normal behavior before enabling anomaly alerts. Shorter baselines = more noise. Major organizational changes reset baselines.
High-value UEBA use cases — impossible travel · off-hours privileged access · data staging before exfil · peer group deviations · new admin tool usage.
Peer group analysis — compare user behavior to their role-based peer group. Developer accessing finance systems is anomalous; IT admin accessing DC is normal.
Entity risk scoring — aggregate risk signals per user/host over a rolling 7-day window. Alert on cumulative score crossing threshold, not individual events.
ML model drift — normal behavior changes (role change, project, seasonal variation). Build supervised feedback loop — analyst feedback retrains models.
Tools — Splunk UBA · Microsoft Sentinel UEBA · Securonix · Exabeam · Elastic ML anomaly detection jobs.

DETECT

Network Detection & Response

Network-layer visibility for C2, lateral movement, and data exfiltration detection

Zeek (Bro) — network security monitor generating structured logs: conn.log · http.log · dns.log · ssl.log · kerberos.log · smb.log · weird.log for anomalies.
Suricata rules — IDS/IPS with Emerging Threats Open rules. ET Open covers 40,000+ signatures for C2 frameworks, exploit kits, malware callbacks.
JA3/JA3S fingerprinting — TLS client/server fingerprints. Cobalt Strike has a well-known default JA3. Use custom C2 profiles to modify — then detect the profile not the default.
JARM scanning — active TLS server fingerprinting. Scan internal hosts to identify C2 team servers by their TLS handshake response characteristics.
RITA — automated beaconing detection via Zeek conn.log statistical analysis. Scores connections by beacon probability, connection regularity, and bytes consistency.
DNS analytics — long subdomain strings (DGA/exfil), high-entropy labels, unusual query types (TXT for C2), NXDomain storms from DGA malware.

DETECT

ATT&CK Coverage Mapping

Map detection coverage to adversary TTPs — find and fill gaps before attackers exploit them

ATT&CK Navigator — visual heatmap of technique coverage. Color-code by: alert (detected), logged (visible, no alert), blind (no visibility). Export as JSON for tracking.
Coverage tiers — Alert > Logged > Blind. Know your coverage depth per technique, not just binary present/absent.
Threat-actor prioritization — use CTI to identify which techniques actors targeting your sector use. Cover those techniques first before broad ATT&CK coverage.
Atomic Red Team validation — tests map 1:1 to ATT&CK. Run atomic test, check SIEM for alert. If no alert → fix detection → document in Navigator.
D3FEND mapping — MITRE D3FEND maps countermeasures to techniques. Use to identify which defensive controls address your coverage gaps.
Purple team cadence — monthly atomic runs on critical techniques; quarterly full-chain emulations with red team. Document delta in ATT&CK Navigator version control.

DETECT

Detection Rule Development Process

Building high-fidelity, low-noise detections that analysts will trust and act on

Start with attack simulation — execute technique via Atomic Red Team, observe what data sources fire, build rule from observed real data not documentation assumptions.
Specificity vs. sensitivity tradeoff — broad rules catch more variants but generate FPs that kill analyst trust. Layer multiple narrow rules instead of one broad rule.
Baseline first — understand normal before writing anomaly rules. What does legitimate PsExec use look like in your environment? What cmdlines are normal for certutil?
FP tracking system — log every false positive with source system, rule ID, and suppression action taken. Build institutional knowledge base to prevent re-creating known FPs.
Detection retirement — rules that never fire in 6 months need review. Either logging gap prevents detection OR the rule is broken. Both need fixing.
Rule aging policy — rules should be reviewed quarterly. Detection gaps change as attacker TTPs evolve. Old rules for retired techniques consume analyst attention.

Detection Reference

Technique Detection Matrix

Attacker technique mapped to primary detection source and immediate response action. Use this as a first-response reference card.

ATT&CK Technique → Detection Source → Response Action

Technique	Primary Detection	Severity	Immediate Response
Spear phishing (HTML smuggling)	Email gateway + browser telemetry	HIGH	Block sender/domain · hunt all recipients · check for execution
LNK / ISO file delivery	Email attachment scan · Sysmon Event 1	HIGH	Block file type at gateway · hunt org-wide for execution
Shellcode loader (custom)	EDR behavioral + AMSI if PowerShell-staged	CRIT	Isolate host · memory forensics before reboot
Process injection	Sysmon 8/10 · ETW-TI · EDR behavioral	CRIT	Isolate · terminate injected process · investigate parent
DLL sideloading	Sysmon 7 (DLL load) · PE signature check	HIGH	Block sideload path · hunt similar DLL pairs fleet-wide
LSASS credential dump	Sysmon 10 GrantedAccess 0x1FFFFF · EDR	CRIT	Full cred scope → reset ALL exposed credentials immediately
Kerberoasting	Event 4769 etype=0x17 (RC4)	HIGH	Rotate SPN passwords · enforce AES on all service accounts
DCSync	Event 4662 + DRS rights + non-DC source	CRIT	Full DA scope · krbtgt ×2 · all Domain Admin creds reset
Pass-the-Hash	Event 4624 Type 3 NTLM without prior 4648	CRIT	Scope impacted account · rotate · enable Credential Guard
Golden Ticket	Event 4769 anomalous PAC data · unusual lifetimes	CRIT	krbtgt ×2 (48hr apart) · re-scope all access
PsExec lateral movement	Event 7045 (service install) · Sysmon 1/17/18	HIGH	Block at other hosts · trace source creds · scope spread
WMI remote execution	WMI-Activity log · WmiPrvSE child processes	HIGH	Investigate source credentials · scope lateral reach
Scheduled task persistence	Event 4698 · Sysmon 1 (schtasks.exe)	HIGH	Delete task · investigate creator account · hunt fleet
Registry Run key persistence	Sysmon 13 · Autoruns baseline diff	MED	Remove key · hunt similar on all hosts · investigate parent
DNS exfiltration	Sysmon 22 · Zeek dns.log · volume anomaly	HIGH	Block domain · sinkhole · investigate originating host
HTTPS C2 beaconing	Beaconing detection (RITA) · JA3 · Zeek	CRIT	Block C2 domain/IP · isolate host · full memory forensics
Cloud token theft / device code	Sign-in risk · Entra ID Protection · IP mismatch	CRIT	Revoke all tokens · CAP review · audit app registrations
ADCS ESC1 exploitation	ADCS audit log Event 4887 · SAN for DA UPN	CRIT	Revoke cert · fix template perms · Locksmith full audit
Ransomware encryption	Controlled Folder Access · mass file rename pattern	CRIT	EMERGENCY — activate BC/DR · segment network · validate backups
BYOVD vulnerable driver	Sysmon 6 (driver load) · WDAC block	CRIT	Block driver hash · update WDAC policy · isolate host
ClickFix / clipboard paste	PowerShell ScriptBlock 4104 · Run dialog	HIGH	Block execution · user education campaign · hunt recipients
AS-REP Roasting	Event 4768 with pre-auth disabled accounts	MED	Enable pre-auth on all accounts · rotate exposed passwords

Quick Reference

Event ID Reference

Critical Windows Security Event IDs and Sysmon events every SOC analyst should know by memory. These form the backbone of Windows detection.

Windows Security Events — Authentication & Privilege

LOGON EVENTS
  4624  Successful logon       Type 2=interactive · Type 3=network · Type 9=runas · Type 10=RDP
  4625  Failed logon           Password spray · brute force identification
  4648  Explicit credential    runas / Pass-the-Hash preparation indicator
  4634  Logoff                 Session end — use to calculate session duration
  4647  User initiated logoff  Explicit logout vs. session timeout
  4672  Special privileges     Admin logon → track all Domain Admin interactive sessions
  4776  NTLM auth validation   Should be rare if Kerberos enforced — NTLM use is suspicious

ACCOUNT & PRIVILEGE EVENTS
  4720  Account created            Unauthorized new user account creation
  4728  Member added to global grp Domain Admins membership change — always alert
  4756  Member added to univ grp  Enterprise Admins / high-priv group membership
  4738  User account changed       Pre-auth disabled (AS-REP roastable) · PwdNotRequired flag
  4765  SID History added          Privilege escalation via SID History injection
  4723  Password change attempt    Self-service reset · verify intent
  4724  Password reset attempt     Admin reset of another account — verify authorization

KERBEROS EVENTS
  4768  Kerberos AS ticket (TGT)   AS-REP roast: accounts with pre-auth disabled
  4769  Kerberos service ticket    Kerberoast: etype 0x17 (RC4) for service accounts
  4770  Kerberos ticket renewed    Anomalous renewal patterns
  4771  Kerberos pre-auth failed   Kerberos equivalent of failed password spray (4625)

ACTIVE DIRECTORY EVENTS
  4662  AD object access           DCSync: mask 0x100 on Domain object from non-DC source
  4741  Computer account created   Unauthorized machine account (resource-based delegation abuse)
  4742  Computer account changed   Service Principal Name changes → potential Kerberoast setup

CERTIFICATE SERVICES
  4886  Certificate issued          Monitor all issuances for privileged account templates
  4887  Certificate issued with SAN ESC1 exploitation: SAN containing privileged UPN
  4899  Certificate template modified ESC4 attack: template modification for exploitation

PROCESS & EXECUTION
  4688  Process created            Must enable + command line audit policy for full value
  4698  Scheduled task created     Attacker persistence — inspect task action and author
  7045  New service installed      PsExec / attacker service drop — review binary path

Sysmon Event IDs — High-Value Detection Events

  1   Process Create      Hashes + full command line + parent process + user context
  2   File time changed   Anti-forensic timestomping detection
  3   Network Connect     Process→IP/domain with port. C2 beacon correlation source
  5   Process terminated  Malware self-delete pattern (short-lived malicious processes)
  7   Image loaded        DLL load with hash and signature status. Detect unsigned DLLs
  8   CreateRemoteThread  Cross-process injection — high confidence IOC when unexpected
  10  ProcessAccess       GrantedAccess 0x1FFFFF / 0x1010 from non-AV = LSASS dump
  11  FileCreate          Malware dropping files to disk — monitor temp and user paths
  12  RegistryCreateKey   Registry key creation — Run keys, services, COM entries
  13  RegistrySetValue    Registry value modification — persistence mechanism monitoring
  15  FileCreateStreamHash NTFS Alternate Data Stream creation — hiding data in streams
  17  PipeCreated         Named pipe creation — Cobalt Strike default pipe names detectable
  18  PipeConnected       Named pipe connection — lateral movement via named pipes (PsExec)
  22  DNSEvent            DNS query + requesting process. C2-over-DNS detection anchor
  23  FileDelete (archive) Malware deleting itself after execution
  25  ProcessTampering    Process image hollowing / herpaderping / doppelgänging

Response Operations

Incident Response

Structured response from first alert to full recovery. Speed and documentation quality determine outcomes. Contain early, but scope fully before eradicating — premature containment of the wrong host leaves attackers active elsewhere.

IR Lifecycle — Phases, Actions & Key Decision Points

PHASE 1: PREPARATION  (done before incidents happen)
  ├── IR Runbooks         Documented procedures per incident type — ransomware · BEC · insider · APT
  ├── Contact lists       Legal · PR · exec · cyber insurance · law enforcement — pre-agreed escalation
  ├── Asset inventory     Know crown jewels BEFORE incident — what matters most to the business?
  ├── Jump bags           IR toolkit ready: Velociraptor agent · winpmem · forensic laptop · USB collectors
  └── Tabletops           Run scenarios quarterly — muscle memory reduces errors under stress

PHASE 2: DETECTION & ANALYSIS
  ├── Initial triage      True positive confirmation · severity classification · scope estimation
  ├── Timeline build      Patient zero → first malicious action → lateral spread → impact
  ├── Avoid tunnel vision  First compromised host ≠ only compromised host. Assume lateral movement
  └── Preserve evidence   Capture memory BEFORE rebooting. Preserve logs before rotation window closes

PHASE 3: CONTAINMENT
  ├── Short-term          Network isolate via EDR isolation or VLAN ACL change
  ├── Account containment  Disable accounts · revoke tokens · kill all active sessions
  ├── Silent containment   Attacker may accelerate (trigger ransomware / exfil) if they notice response
  └── Scope before acting  Containing wrong host = attacker remains active. Scope is mandatory first step

PHASE 4: ERADICATION
  ├── Remove ALL persistence  Sched tasks · services · registry keys · DLL sideloads · WMI subs
  ├── Clean or reimage        For sophisticated attackers: reimage > clean. Trust is hard to restore
  ├── Credential reset scope  EVERY credential that could have been exposed MUST be rotated
  └── AD-wide compromise      krbtgt TWICE (48hr apart) · all DA accounts · DPAPI backup key

PHASE 5: RECOVERY & LESSONS LEARNED
  ├── Validate before reconnect  Confirm clean state before returning to production
  ├── Enhanced monitoring        Monitor closely post-recovery — secondary persistence is common
  ├── Root cause analysis        Which control failed? Why? What prevents recurrence?
  └── Detection updates          Every IR generates at least one new detection rule — enforce this norm

Memory Forensics

Capture and analyze volatile memory — injected code, C2 connections, in-memory credentials

Acquisition tools — winpmem (Windows free) · LiME (Linux kernel module) · osxpmem (macOS). Always hash the dump immediately after capture.
Volatility 3 key plugins — pstree · netscan · cmdline · malfind (injected code) · dlllist · handles
malfind plugin — identifies memory regions with MZ headers + executable + no backing file + RWX permissions. Primary tool for finding injected shellcode and reflective DLL loads.
Credential extraction — pypykatz on memory dump extracts LSASS credentials. Use to determine credential scope in active incidents without rebooting host.
MemProcFS — mount memory image as a filesystem. Browse process memory as files/directories. Search strings across all processes simultaneously.
CRITICAL — capture memory BEFORE rebooting or isolating. Network isolation is fine. Reboot destroys all volatile evidence including C2 in-memory implants.

Disk & Artifact Forensics

Persistent artifacts remain even after malware deletion — the forensic record is deep on Windows

MFT ($MFT) — Master File Table contains timestamps for every file operation. Find deleted malware by MFT entry even if file is deleted from directory listing.
Prefetch — C:\Windows\Prefetch\ records execution with timestamps and loaded files. Confirms if a binary ran even if it was deleted post-execution.
ShimCache / AppCompatCache — registry record of every EXE that touched the filesystem. Persists across reboots. Find malware execution history even without process logs.
AmCache.hve — C:\Windows\appcompat\Programs\Amcache.hve stores SHA1 hashes of recently executed binaries. Enables hash-based threat hunting on historical execution.
Eric Zimmerman tools — EvtxECmd + Timeline Explorer · PECmd (Prefetch) · AmcacheParser · ShimCacheParser. Free and industry-standard.
LNK + Jump Lists — recent file access history. Reveals what files the attacker opened, staged, or exfiltrated. Survives file deletion.

Active Directory IR

AD-wide compromise response — credential reset order, golden ticket invalidation, trust audit

Scope first with BloodHound — collect current AD snapshot, run BloodHound CE. Map all paths reachable from compromised accounts before resetting anything.
krbtgt rotation — MUST rotate TWICE with ≥10 hours between rotations. Single rotation does not invalidate all outstanding golden tickets. Coordinate timing with all sites.
DA reset order — Domain Admins → Enterprise Admins → built-in Administrator → service accounts in that priority order. Reset before notifying end users to prevent reuse.
DPAPI domain backup key — if attacker had DCSync rights, they have the DPAPI backup key. All user DPAPI secrets (browser passwords, credential manager) are compromised and decryptable.
Trust relationships — review all domain trusts for recently added or modified trusts. Attackers add trusts for persistent access that survives password resets.
PingCastle post-IR — run PingCastle after AD remediation for quick security posture score and remaining risk identification.

Cloud IR — Entra ID & M365

Responding to cloud identity compromise — token revocation, app audit, CAP hardening

Revoke all sessions — Revoke-MgUserSignInSession via Microsoft Graph. Kills all active tokens including refresh tokens. Password reset alone does NOT revoke tokens in Entra ID.
App registration audit — check all app registrations and consent grants since compromise window. Attackers register backdoor apps with mail.read permissions that survive password resets.
OAuth consent persistence — delegated permissions survive credential resets. Audit and remove all attacker-granted consent grants via Get-MgOauth2PermissionGrant.
Unified Audit Log scope — review Exchange Online, SharePoint, OneDrive, Teams, Azure AD operations during the compromise window. Map all data accessed.
Newly enrolled authenticators — attacker may have registered their own FIDO2 key or MFA app. Audit all authentication methods per user since compromise date.
CAP gap analysis — every Conditional Access exclusion is a potential bypass path. Map the specific CAP gap the attacker exploited and close it.

Ransomware Response

Ransomware IR is distinct — speed, backup integrity, and legal considerations are paramount

Immediate action — network segment (not full shutdown). Preserve forensic evidence while preventing further spread. Full shutdown destroys evidence and may worsen encryption.
Identify strain first — ID Ransomware at nomoreransom.org. Some variants have free decryptors. Identifying strain also confirms if pre-encryption exfil occurred (double extortion).
Backup validation before recovery — test backup integrity IMMEDIATELY. Ransomware groups target backup infrastructure first (Veeam exploitation is common). Contaminated backups = prolonged recovery.
Pre-encryption activity scope — look 2–6 weeks back for data staging, large transfers, credential harvesting. Double extortion = backup restore doesn't prevent leak publication.
Do NOT pay without legal review — OFAC sanctions apply to some ransomware groups. Payment may be illegal. Notify cyber insurer immediately — policies have strict notification windows.
Patient zero tracing — usually phishing or exposed/unpatched RDP. Trace initial access completely. Rebuilt systems return to same environment and re-compromise without root cause fix.

Evidence & Chain of Custody

Forensic evidence handling for legal proceedings and root cause accuracy

Memory acquisition first — volatile evidence priority: running processes → network connections → memory dump → disk image. Document acquisition timestamps.
Hash everything — SHA256 hash of every collected artifact immediately after collection. Record in chain of custody documentation. Any hash mismatch invalidates evidence.
Write blockers — use hardware write blockers for disk acquisition. Software write blockers acceptable if hardware unavailable. Never mount a disk without write protection.
Documentation requirements — who collected, when, from where (hostname, serial, IP), acquisition method, tool version, hash values, custodian chain.
Log preservation — export logs to immutable storage before rotation. Many orgs lose critical evidence to log rotation during IR when investigation timeline extends.
Tools — FTK Imager (free, disk acquisition) · Autopsy (open-source analysis) · Magnet AXIOM (commercial, full DFIR platform).

Proactive Operations

Threat Hunting

Proactive hunting for adversaries that evaded automated detection. Hypothesis-driven, intelligence-informed, and data-validated. Every hunt either finds something or produces a new detection rule.

🎯

Hunt Outcome Rule

Every threat hunt must produce one of two outcomes: a finding that requires response or a new detection rule that covers the hunted pattern going forward. A hunt that produces neither was a waste of analyst time.

HUNT

Hunt Methodology

Structured approach — intelligence-driven, hypothesis-based, data-validated

1. Intelligence input — what TTPs are actors targeting your sector using? CTI reports · ISAC alerts · recent IR findings · CISA advisories · vendor threat reports.
2. Hypothesis formation — "If APT29 is present, we expect OAuth token theft patterns in sign-in logs with impossible travel." Specific, testable, falsifiable.
3. Data availability check — do we have the log sources to test this hypothesis? If not, the hunt reveals a visibility gap that must be fixed.
4. Hunt execution — run queries, analyze results, document every pivot. Unexplained anomalies warrant investigation even if not the original hypothesis target.
5. Outcome document — finding (escalate to IR) or new detection rule (codify the hunting query as an automated alert for ongoing coverage).
Cadence — weekly structured hunts aligned to threat intel. Ad-hoc after major CVE disclosure, industry breach report, or new attacker technique publication.

HUNT

Hunt: C2 Beaconing

Detect regular callback patterns that signature-based rules miss entirely

Beaconing signature — connections to same destination at regular intervals. Even with jitter, statistical patterns persist across 50+ samples. Low deviation = automated callback.
RITA analysis — processes Zeek conn.log, scores each src/dst pair by beacon probability. Prioritizes by connection count, byte consistency, and interval regularity.
Splunk beacon hunt — | eventstats count avg(bytes) as ab by src dest | where count>20 AND ab<2000 AND ab>50 — small, consistent, frequent = C2 pattern.
Long connection hunting — HTTP/S connections over 60 seconds with low byte count. Interactive C2 keeps connections alive with minimal data transfer between operator actions.
JA3 correlation — Cobalt Strike default JA3 is 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1. Custom C2 profiles change this — hunt for internal JA3 patterns against known-bad databases.
DNS beaconing — regular low-TTL queries to same domain or parent domain. DGA beaconing creates NXDomain storms. Both are detectable via Zeek dns.log analysis.

HUNT

Hunt: Living Off the Land

Find attacker abuse of legitimate Windows tools — LOLBins that evade AV/EDR signatures

LOLBin baseline first — understand which LOLBins are legitimately used in your environment. certutil for certificate management is normal; certutil downloading URLs is not.
PowerShell hunting — encoded commands (-enc) · download cradles (Net.WebClient, IWR) · bypass execution policy flags · -WindowStyle Hidden combinations.
certutil network — any network connection from certutil.exe is high-confidence IOC. No legitimate use case requires certutil to make outbound HTTP connections.
Process lineage chains — Office/PDF reader → PowerShell · Explorer → cmd → PowerShell · mshta.exe → any child · wscript.exe spawning network tools.
WMIC remote execution — creates WmiPrvSE.exe child processes on target. Hunt WmiPrvSE children that aren't normal administrative tools in your environment.
MSBuild / InstallUtil — spawning network connections or executing .NET assemblies from user-writable paths. Both are signed Microsoft binaries that AV typically trusts.

HUNT

Hunt: Persistence Mechanisms

Find attacker-installed persistence that survived initial containment actions

Autoruns baseline diff — collect AutorunsToWinEventLog output fleet-wide. Diff against known-good baseline collected before incident. Any new entry is suspicious.
Scheduled tasks — new tasks with encoded PowerShell in actions, tasks created by unusual authors, tasks with binary paths in user-writable directories.
WMI subscriptions — Get-WMIObject __FilterToConsumerBinding. Any event subscription not in your known-good baseline is attacker persistence. WMI persistence survives reimages if AD objects persist.
COM hijacking — HKCU CLSIDs that shadow HKLM entries. HKCU\Software\Classes\CLSID\ InprocServer32 entries pointing to user-writable paths = DLL persistence.
DLL sideloads — Process Monitor "NAME NOT FOUND" DLL searches in user-writable directories from legitimate signed binaries. Classic persistence technique bypassing AppLocker.
Services pointing to user paths — sc qc on all new services. Services with binary paths in AppData, Temp, or other user-writable directories are almost always malicious.

Sample Hunt Queries — Splunk SPL

// Hunt: Find processes spawning from suspicious parents
index=sysmon EventCode=1
| eval suspicious_parent=if(match(ParentImage,"(?i)(winword|excel|powerpnt|outlook|mshta|wscript|cscript)"), 1, 0)
| where suspicious_parent=1 AND NOT (Image LIKE "%splunk%" OR Image LIKE "%sysmon%")
| table _time Computer User ParentImage Image CommandLine

// Hunt: LSASS access attempts (non-AV)
index=sysmon EventCode=10 TargetImage="*lsass.exe"
| where GrantedAccess IN ("0x1FFFFF", "0x1010", "0x0410", "0x1438")
| where NOT SourceImage IN ("*CrowdStrike*", "*MsMpEng*", "*Sysmon64*")
| table _time Computer SourceImage GrantedAccess CallTrace

// Hunt: Kerberoasting — RC4 service tickets
index=winevent EventCode=4769
| where TicketEncryptionType="0x17" AND ServiceName!="krbtgt"
| where ServiceName!="$" AND NOT ServiceName LIKE "%$"
| stats count by Account_Name ServiceName Client_Address
| where count > 3

// Hunt: Network connections from unusual processes
index=sysmon EventCode=3
| where match(Image,"(?i)(mshta|wscript|cscript|regsvr32|certutil|bitsadmin)")
| where Initiated="true" AND DestinationPort IN (80,443,8080,8443)
| where NOT DestinationIp LIKE "10.*" AND NOT DestinationIp LIKE "192.168.*"
| table _time Computer Image DestinationIp DestinationPort

// Hunt: New WMI subscriptions (attacker persistence)
index=wmi EventCode=5861
| search NOT Consumer LIKE "*Microsoft*" NOT Consumer LIKE "*SCM*"
| table _time ComputerName Consumer Filter Query

Automation Layer

SOAR Playbooks

Automate enrichment and low-stakes response actions freely. Gate destructive actions (block, disable, isolate) behind analyst approval. Human judgment in the loop for all consequential decisions.

🤖

Automation Principle

Automate what is repeatable and low-risk: enrichment, notification, ticket creation, log retrieval. Require human approval for: account disable, host isolation, firewall block, email deletion. The goal is speed + accuracy, not removing human judgment from consequential actions.

SOAR

Phishing Triage Playbook

Automated phishing response from report to resolution

Trigger — user submits suspicious email via "Report Phishing" button OR email gateway alert fires on incoming message.
Auto step 1 — extract all IOCs: sender, reply-to, sending IP, URLs, attachment hashes. Submit to VirusTotal, URLScan, and internal TIP simultaneously.
Auto step 2 — query SIEM for all users who received messages from same sender in last 30 days. Query EDR for any execution of attachment hashes fleet-wide.
Auto step 3 — if any IOC is known-malicious AND no execution found: auto-block sender + URLs + quarantine similar messages. Create P2 ticket with enriched context.
Human gate — if execution of attachment is found on any endpoint: pause automation, page on-call analyst, create P1 incident with all enrichment pre-populated.
Auto step 4 (post-approval) — bulk-purge matching emails from all mailboxes via Graph API Purge-AIPContent. Notify affected users with guidance.

SOAR

Compromised Account Playbook

Identity incident response from detection to full remediation

Trigger — impossible travel alert · Entra ID Protection high-risk sign-in · multiple MFA push rejections · anomalous Graph API activity.
Auto step 1 — enrich: pull user's manager, department, recent logins (last 30 days), MFA methods registered, app consent grants, recent email forwarding rules.
Auto step 2 — query SIEM for all activity from this account + all IPs used in last 24 hours. Check if IPs appear in threat intel feeds.
Human gate (P1 decision) — analyst reviews enriched context. If confirmed compromise: approve account disable + token revocation.
Auto step 3 (post-approval) — disable account in AD/Entra · revoke all tokens via Revoke-MgUserSignInSession · remove forwarding rules · notify manager and IT.
Auto step 4 — hunt for lateral movement: query all hosts where account authenticated in last 7 days. Check for persistence mechanisms on each host via Velociraptor.

SOAR

IOC Block Playbook

Automated IOC blocking across all defense layers simultaneously

Trigger — analyst submits IOC · CTI feed pushes high-confidence indicator · IR team generates IOCs from active incident.
Auto step 1 — validate IOC format and type (hash/IP/domain/URL). Check against internal whitelist. Query VirusTotal and internal TIP for confidence score.
Auto step 2 — hunt for IOC presence in environment: SIEM historical query (30 days) + EDR fleet hunt + proxy logs + DNS logs. Report any matches immediately.
If IOC confidence > 80% AND no internal hits — auto-block across: DNS sinkhole · proxy URL block · EDR custom IOC · firewall block (IP) · email gateway sender block.
If internal hits found — escalate immediately. Do not block until analyst reviews potential attacker notification risk. Create P1 with affected asset list.
Auto step 3 — add IOC to threat intel platform with context. Set expiry date (IPs: 90 days · domains: 180 days · hashes: permanent). Create JIRA task for periodic review.

SOAR

Critical Alert Enrichment Playbook

Auto-enrich every P1/P2 alert before it reaches an analyst's queue

Trigger — any P1 or P2 alert from SIEM, EDR, identity, or email platforms.
Auto step 1 (host enrichment) — CMDB lookup: asset owner · criticality tier · last patch date · business unit. EDR status: protection enabled · last seen · agent version.
Auto step 2 (user enrichment) — HR system: role · department · manager · employment status. AD: group memberships · last password reset · MFA status · recent logins.
Auto step 3 (IOC enrichment) — submit all IOCs to VT/Shodan/PassiveDNS. Query internal TIP for prior sightings. Check CISA KEV for CVEs if vuln-related.
Auto step 4 (prior incident context) — query case management for prior incidents involving same user/host/IP in last 90 days. Link related cases.
Auto step 5 — create enriched ticket with all context pre-populated. Assign to correct queue based on alert type. Notify asset owner if P1.

Identity Layer

Identity & Access Security

Identity is the new perimeter. Credential compromise bypasses all network controls. Hardening identity systems is the highest-ROI defensive investment for most organizations today.

🔑

MFA is not equal

TOTP/push MFA is bypassable via AitM proxy (EvilGinx, Modlishka). It provides protection against password spray and credential stuffing but NOT against targeted phishing. For privileged accounts, only FIDO2/passkeys provide phishing-resistant MFA. Enforcing TOTP on Domain Admins and calling it "secure" is a false sense of security.

IDENTITY

MFA Strength Hierarchy

Not all MFA is equal — choose the right tier for each use case

FIDO2 / Passkeys ✅ Phishing-resistant — hardware key (YubiKey) or device-bound passkey. Cryptographically bound to domain. Defeats AitM/EvilGinx completely. Required for all Tier 0 accounts. Windows Hello for Business provides device-bound phishing-resistant credentials on Windows endpoints.
Certificate-based Auth ✅ Phishing-resistant — smart card or virtual smart card. Phishing-resistant, device-bound, no shared secret.
Authenticator app push / TOTP ⚠️ AitM bypassable — easily bypassed by reverse proxy. Better than nothing but insufficient for privileged access. Enable number matching + IP context to reduce fatigue attacks.
SMS / voice ❌ Weakest — SIM swap, SS7 attacks, social engineering. Use only as absolute last resort fallback with compensating controls.
MFA fatigue attacks — attackers spam push notifications until the user accidentally accepts. Enable number matching and require additional context to defeat this.
Enforcement priority — Tier 0 accounts with FIDO2 first → all admins → all users via Conditional Access → MFA registration campaign for remaining users.

IDENTITY

Privileged Access Management

Protect, monitor, and govern privileged accounts — the keys to the entire kingdom

Administrative tiering — Tier 0 (DC/CA/PKI/backup), Tier 1 (servers), Tier 2 (workstations). Strict credential isolation — no Tier 0 admin account used on Tier 2 systems.
Privileged Access Workstations (PAW) — dedicated hardened devices for admin tasks. No email, no web browsing, no untrusted software. Connected to management network only.
Just-In-Time (JIT) access — PIM / Azure Privileged Identity Management. Elevate only when needed. Time-boxed (4-8hr max). Requires justification + approval + MFA.
Just-Enough-Access (JEA) — PowerShell constrained runspaces limiting admin to specific cmdlets needed for their role. No interactive shell — no PowerShell.exe access.
Password vaulting — CyberArk · BeyondTrust · Delinea. Auto-rotate privileged passwords. Session recording for all privileged sessions. Dual control for most critical accounts.
LAPS (Local Admin Password Solution) — unique local admin password per machine. Stops lateral movement via shared local admin credentials (common initial spread vector).

IDENTITY

Active Directory Hardening

Reduce the AD attack surface — the primary target in the majority of enterprise breaches

Disable legacy auth — block NTLM where possible, enforce Kerberos. NTLM cannot be MFA-protected and enables PtH attacks. Monitor for RC4 ticket requests (should be AES-only).
Unconstrained delegation — audit and eliminate where possible. Unconstrained delegation on non-DC systems amplifies golden ticket and credential relay attacks significantly.
AdminSDHolder — audit accounts with AdminCount=1. Any unexpected account with AdminCount=1 may have inherited protected group membership through AD's AdminSDHolder propagation.
Kerb pre-authentication — ensure ALL accounts have pre-auth required. Accounts with pre-auth disabled are AS-REP roastable — attackers can request encrypted tickets offline for cracking.
ADCS hardening — run Locksmith to identify ESC1-ESC8 vulnerabilities. ESC1 (SAN in request) is the most exploited. Fix before attackers find it.
Account hygiene — disable unused accounts immediately. Stale service accounts with SPNs are Kerberoasting targets. Enforce password policies and review weekly.

IDENTITY

Conditional Access Policies

Zero trust access control — enforce context for every authentication decision

Baseline policies — require MFA for all users · block all legacy auth protocols (IMAP/POP3/SMTP AUTH/Basic) · require compliant device for sensitive apps.
Sign-in risk integration — Entra ID Protection risk signals: block high-risk sign-ins · require step-up auth for medium-risk · log low-risk for investigation.
Phishing-resistant MFA — enforce FIDO2/WHfB for all admin roles, VPN access, and sensitive applications. Use Authentication Strength policies for fine-grained control.
Device compliance — require Intune-managed and compliant device for access to M365, cloud storage, and sensitive internal applications.
Exclusion hygiene — every CAP exclusion is a potential bypass. Review all exclusions quarterly. Break-glass accounts should be the ONLY permanent exclusion with monitoring.
Report-only mode — always test new CAPs in report-only mode for 2–4 weeks. Measure sign-in impact before enforcing. Blocking users produces IT tickets that undermine security programs.

Hardening Layer

System Hardening

Reduce attack surface through configuration management and defense-in-depth controls. Every unnecessary feature is potential attack surface — the principle of least functionality.

HARDEN

Windows Endpoint Hardening

CIS benchmark, ASR rules, and LOLBin restriction for workstations

Attack Surface Reduction (ASR) rules — enable all 16 ASR rules in audit mode first, then transition to block after 2–4 weeks. Highest-value: block Office spawning processes · block macro downloads · block credential theft from LSASS.
Credential Guard — hypervisor-protected LSASS prevents Pass-the-Hash and DPAPI key extraction even with LSASS handle access. Enable on all Windows 10/11 endpoints via Group Policy.
WDAC (Windows Defender Application Control) — kernel-mode code integrity. Only allow signed code. Kills BYOVD attacks at the kernel driver level. More effective than AppLocker but more complex to deploy.
PowerShell Constrained Language Mode — blocks Add-Type, New-Object, reflection, and other post-exploitation PS capabilities. Enforced via AppLocker or WDAC policy.
Script Block Logging (4104) — captures all PowerShell script content, even when scripts are loaded from memory or base64-decoded at runtime. Crucial for PS-based attacker detection.
AppLocker rules — block execution from user-writable paths: AppData · Temp · Downloads · user profile. Stops majority of commodity malware that writes to user paths.
Disable macros — block all VBA macros or restrict to code-signed only via Group Policy Trust Center settings. Document any legitimate macro use and provide alternative workflows.

HARDEN

ADCS Hardening

Active Directory Certificate Services — most dangerous misconfiguration area in enterprise AD

Locksmith tool — run Locksmith against your ADCS environment. Automatically identifies ESC1–ESC8 vulnerabilities with remediation guidance. Run quarterly.
ESC1 fix — remove ENROLLEE_SUPPLIES_SUBJECT flag from all non-CA certificate templates. This flag allows requesters to specify any SAN including domain admin UPNs.
ESC4 fix — remove Write permissions on certificate templates for non-admin users. Template write access allows modification of template properties to add ESC1-style vulnerabilities.
ESC6 fix — remove EDITF_ATTRIBUTESUBJECTALTNAME2 flag from CA configuration. This flag allows SAN specification on any template, not just those configured for it.
CA audit logging — enable all CA audit events: 4886 cert issued · 4887 cert with SAN · 4899 template modified. None of these are enabled by default. Must be explicitly configured per CA.
CA tier classification — CA servers are Tier 0 assets equal to Domain Controllers. Apply same access controls, monitoring, and physical security as DCs.
Certificate monitoring — alert on certificates issued with SANs containing privileged UPNs · off-hours certificate issuance · unusual templates · certificates with excessive validity periods.

HARDEN

Patch Management

Risk-prioritized vulnerability remediation — focus on what attackers are actually exploiting

CISA KEV first — Known Exploited Vulnerabilities catalog at cisa.gov/kev. Treat as P0. Patch within 2 weeks regardless of CVSS score or internal risk tolerance policy. These are being actively exploited now.
EPSS prioritization — Exploit Prediction Scoring System scores by probability of exploitation within 30 days. Better real-world risk signal than CVSS severity score alone.
Internet-facing multiplier — a CVSS 7.0 on an internet-facing system is higher priority than CVSS 9.8 on an isolated internal host. Exposure context matters more than severity score.
Emergency change process — pre-approved process for critical CVEs. Cannot wait for monthly maintenance windows when a CVSS 9.8 with active exploitation is published.
SLA framework — Critical+internet-facing: 7 days · Critical+internal: 30 days · High: 60 days · Medium: 90 days. Track SLA compliance rates as a security metric.
Third-party software priority — browsers, PDF readers, Office, VPN clients are more frequently targeted than the OS. Automate these via Intune/SCCM software deployment policies.

HARDEN

Backup & Recovery Hardening

Ransomware-resistant backup strategy — the last line of defense when all else fails

3-2-1-1-0 rule — 3 copies · 2 different media · 1 offsite · 1 immutable/offline · 0 errors confirmed by restore testing. All five criteria must be met continuously.
Immutable backups — S3 Object Lock / Azure Blob immutable storage. Ransomware cannot delete or encrypt immutable copies even with storage admin credentials.
Offline backups — air-gapped tapes or offline disks physically disconnected from the network. Cannot be reached by ransomware spreading through network credentials.
Backup credential isolation — backup service accounts in dedicated OU with no regular network access. Attackers specifically target Veeam, Commvault, and backup agents to destroy recovery capability.
Recovery testing — quarterly restore tests across different systems. Test full server restore, not just file recovery. Most orgs discover backup failures during incidents when it's too late.
RTO/RPO documentation — document and test Recovery Time Objective and Recovery Point Objective per system tier. Executives need realistic timelines during incidents, not estimates.

Network Layer

Network Security Controls

Every lateral movement the attacker makes should cross a monitoring point. Segmentation, DNS control, and encrypted traffic inspection are the key network defensive investments.

NETWORK

Network Segmentation

Limit blast radius through logical and physical network separation

VLAN segmentation — User · Server · Management · Guest · IoT · OT each in dedicated VLANs. Firewall rules between segments — not router-only ACLs.
Crown jewel isolation — DCs · CA servers · backup infrastructure in separate management VLAN. Access only via jump hosts. No workstation-to-DC direct connectivity except domain traffic.
Workstation-to-workstation blocking — block TCP 445 (SMB) between workstations. This single rule prevents PsExec lateral movement across the majority of the flat enterprise network.
Micro-segmentation — host-based firewall policies allowing only required application flows. Stops east-west movement even within same VLAN when attackers gain workstation access.
Egress filtering — outbound connections should be explicitly allowed, not default-permit. Block direct-to-internet from servers. Force all traffic through proxy for inspection.
Zero Trust Network Access (ZTNA) — application-layer access control. Verify user + device + context before each connection. Never trust, always verify approach for internal resources.

NETWORK

DNS Security

DNS is used in nearly every attack — logging, filtering, and sinkholing are essential controls

Full DNS logging — log all DNS queries with requesting process (Sysmon Event 22 on endpoints, DNS server query logging internally). Without process-to-query correlation, C2-over-DNS is nearly invisible.
DNS sinkholes — redirect malicious domains to internal sinkhole IP via RPZ. Log and alert on all connections. Identifies infections missed by other controls.
Protective DNS — Cisco Umbrella · Cloudflare Gateway · Quad9. Filter malicious domains at resolver level. Adds threat intelligence-based blocking without endpoint agent.
DoH blocking — block or proxy DNS-over-HTTPS. Attackers use DoH (Cloudflare/Google DoH) to bypass traditional DNS monitoring and filtering. Block port 853 and well-known DoH endpoints.
DGA detection — high-entropy domain names, NXDomain storms, unusual query types (TXT/MX for C2). Detect malware with domain generation algorithm via statistical analysis of query patterns.
Long subdomain alert — DNS queries with subdomains over 50 characters are likely DNS tunneling or DGA exfiltration. Alert on this pattern with low FP rate.

NETWORK

Email Security Hardening

Technical controls to reduce phishing delivery and BEC success rates

SPF — publish strict SPF: v=spf1 include:... -all (hard fail). Reject unauthorized senders. Monitor DMARC reports to identify spoofing attempts.
DKIM — cryptographically sign all outbound email. Validates sender authenticity and prevents header tampering in transit. Use 2048-bit RSA or Ed25519 keys.
DMARC — v=DMARC1; p=reject; rua=mailto:dmarc@domain.com. Enforce rejection and receive aggregate reports. Start with p=none to see traffic before enforcing.
Attachment sandboxing — detonate attachments before delivery. Catches macro-less payloads, LNK files, ISO/IMG files that AV misses on static analysis. Zero-hour detonation coverage.
URL time-of-click scanning — rescan URLs when user actually clicks, not just at delivery. Catches URLs that were clean at delivery but weaponized afterward (common AitM phishing technique).
Anti-spoofing controls — block external emails impersonating internal domains and lookalike domains. BEC relies on this vector. DMARC + anti-spoofing in MDO/Proofpoint blocks the majority.

NETWORK

Web Proxy & TLS Inspection

Inspect encrypted traffic and control egress — required to detect modern attacks

TLS/SSL inspection — decrypt HTTPS traffic for malware scanning, DLP, and C2 detection. Without TLS inspection, approximately 80% of C2 traffic is invisible to proxy and IDS/IPS.
URL categorization — block uncategorized + newly-registered + parked domains. Attackers use freshly-registered domains for C2. Newly-registered domain block catches infrastructure before it appears in threat feeds.
User-Agent filtering — alert or block curl · python-requests · Invoke-WebRequest user-agents from non-developer systems. Automated tool usage is a strong signal.
JA3 fingerprinting — detect known C2 frameworks by TLS client hello fingerprint at the proxy layer. Cobalt Strike's default JA3 is detectable even on port 443.
Egress enforcement — force all endpoint TCP 80/443 through the proxy. Block direct internet egress from endpoints. Without this, C2 channels bypass all proxy-based detection.
Domain age checks — alert on connections to domains registered less than 30 days ago. Freshly-registered domains are a strong signal for C2 and phishing infrastructure.

Cloud Operations

Cloud Defense Operations

Azure/Entra ID, AWS, and GCP defensive controls. Cloud-native detection, identity security, and infrastructure hardening for environments where traditional network controls don't apply.

CLOUD

Microsoft 365 / Entra ID Defense

Detect and respond to cloud identity attacks in Microsoft environments

Entra ID Protection — risk-based sign-in policies. Block high-risk. Require step-up for medium-risk. Risk detections: atypical travel · anonymous IP · malware-linked IP · leaked credentials.
Unified Audit Log (UAL) — enable for all workloads: Exchange · SharePoint · Teams · Azure AD. 90-day retention on E3, 1 year on E5. Must be explicitly enabled — not on by default for all orgs.
Legacy authentication blocking — block IMAP, POP3, SMTP AUTH, Basic Auth, EWS without modern auth via Conditional Access. Legacy auth bypasses MFA entirely — major attack vector for credential stuffing.
OAuth app consent alerts — alert on new OAuth app consent grants for sensitive permissions (mail.read, files.readwrite, mail.send). Attacker registers backdoor app through consent phishing.
Microsoft Graph Activity Logs — enable MicrosoftGraphActivityLogs in Diagnostic Settings. Not enabled by default. Essential for post-compromise investigation of token theft and data access.
Defender for Cloud Apps (MCAS) — SaaS visibility, DLP, and anomaly detection across M365 and third-party apps. OAuth app governance and risky app blocking.

CLOUD

AWS Defense

CloudTrail, GuardDuty, Security Hub — detecting and responding to AWS attacks

CloudTrail — enable organization-wide, multi-region trail to S3 with CloudTrail Insights and log file integrity validation. Foundation of all AWS logging. Disable of CloudTrail = immediate P1 alert.
GuardDuty — enable in every region including regions you don't use. Threat detection for IAM anomalies, network threats, S3 threats. Cost: ~$3/1M events. Enable S3 and EKS protection too.
Security Hub — aggregate GuardDuty + Macie + Inspector + Config findings into centralized view. Run CIS AWS Foundations Benchmark assessment continuously.
SCPs (Service Control Policies) — organization-level guardrails. Deny dangerous actions org-wide: prevent IAM user creation · prevent CloudTrail disable · prevent public S3 bucket creation · restrict regions.
IAM Access Analyzer — detects overly permissive policies and external access to resources. Run continuously. Alert on any resource with external access not on approved list.
CloudTrail Insights — anomaly detection on API call rate and error rate. Detects credential abuse (unusual call volume) and scanning activity (unusual error rate) automatically.

CLOUD

Cloud Posture Management

Continuously assess cloud configuration against benchmarks and detect configuration drift

Defender for Cloud (CSPM) — multi-cloud posture management. CIS benchmark scoring for Azure/AWS/GCP. Attack path analysis shows exploitable chained misconfigurations. Prioritize by attack path risk, not individual finding.
Prowler — open-source multi-cloud assessment. AWS/Azure/GCP. 300+ checks with CIS/PCI/HIPAA/NIST mappings. Run weekly and feed findings to SIEM for trending.
CloudFox — attacker's perspective of your cloud environment. Find exploitable IAM paths, exposed services, and secrets before attackers do. Great for red team exercises and pre-engagement reconnaissance.
Checkov — IaC security scanning for Terraform, CloudFormation, Kubernetes manifests. Shift-left cloud security — catch misconfigurations before deployment in CI/CD pipeline.
Key findings to prioritize — public S3 buckets · overpermissioned IAM roles (wildcard actions) · missing MFA for root/console · unencrypted databases · unrestricted security groups (0.0.0.0/0).
Config rules — AWS Config or Azure Policy enforce compliance continuously. Automated remediation for clear violations (e.g., auto-encrypt unencrypted EBS volumes on creation).

CLOUD

Kubernetes Security

Container and orchestration security — RBAC, network policies, runtime protection

RBAC hardening — least privilege roles. No cluster-admin bindings for application workloads. Audit all ClusterRoleBindings quarterly. Wildcard resource/verb permissions are a critical finding.
Network policies — default-deny ingress and egress, whitelist required pod-to-pod connections. Prevents lateral movement between pods even within the same namespace.
Falco — open-source runtime security using syscall-based detection. Rules for container breakout, privilege escalation, shell execution in containers, and sensitive file access.
Pod Security Standards — enforce restricted policy for all namespaces. Blocks privileged containers, hostPath mounts, hostNetwork, and other escalation primitives.
Secrets management — External Secrets Operator + HashiCorp Vault or AWS Secrets Manager. Never store secrets in ConfigMaps or environment variables in plain text.
Image scanning in CI/CD — Trivy/Grype in pipeline. Block images with critical CVEs before deployment. Sign images with Cosign and enforce signature verification at admission.

Intelligence Layer

Threat Intelligence

Intelligence drives hunting prioritization, detection coverage, and hardening focus. The goal is operationalization — transforming CTI reports into actionable detections and controls, not building an intelligence collection program.

INTEL

TI Platforms

Aggregate, correlate, and operationalize threat intelligence

MISP — open-source TIP with STIX/TAXII. Share and consume IOCs. Community-driven. Self-hosted.
OpenCTI — structured threat actor, campaign, and TTP tracking with ATT&CK integration.
Recorded Future — dark web, paste site, technical data. Real-time risk scoring per IP/domain/hash.
ISAC membership — sector-specific sharing with peers seeing the same threats targeting your industry.
CISA advisories — free, high-quality. AA advisories provide nation-state TTPs with detection guidance.

INTEL

Malware Analysis

Understand threats through sample analysis — extract IOCs, TTPs, and signatures

CAPA — extracts capabilities from PE files, mapped to ATT&CK. Instant TTP analysis without RE skills.
ANY.RUN / VirusTotal — online detonation with full behavior report, network IOCs, process tree.
CAPE Sandbox — self-hosted. Privacy-sensitive samples. Configuration extraction for malware families.
Ghidra / IDA Pro — deep binary analysis. C2 decryption routines, config extraction, variant identification.
FLOSS — Mandiant's tool. Extract obfuscated strings from binaries that regular strings command misses.

INTEL

Dark Web Monitoring

Monitor for credential leaks, data dumps, and attacker targeting

Have I Been Pwned — free domain monitoring. Alert on credential exposure in breach databases.
SpyCloud — infostealer log monitoring. Catches credentials stolen by Redline/Raccoon/Vidar that never appear in public breach databases.
Flare / Cybersixgill — dark web forum posts, marketplace listings, actor communications involving your brand or data.
Brand monitoring — newly registered lookalike domains, typosquatted names. Phishing infrastructure discovery before use.
GitHub scanning — trufflehog · gitleaks. Scan public repos for accidentally committed API keys and credentials.

Deception Layer

Deception Technology

Honeypots, canary tokens, and deceptive credentials give near-zero false positive alerts — any interaction is malicious by definition. The highest signal-to-noise ratio in the defensive toolkit.

🪤

Deception Value Proposition

Canary tokens and honeypots are the only detection class with near-zero false positive rate. No legitimate user accesses a fake admin password document, uses a fake AWS key, or connects to a honeypot server. Any alert from deception technology is a confirmed attacker action and should immediately trigger P1 response.

DECEPTION

Canary Tokens

Tripwires embedded in documents, credentials, and files — instant alert on access

Thinkst Canary Tokens — free at canarytokens.org. Token types: Word/Excel docs · PDFs · web bugs · AWS access keys · DNS tokens · email addresses · Windows folder breadcrumbs.
Word/Excel tokens — embed in documents named "passwords," "network_diagram," "IT_Admin_Creds." Token fires when opened, revealing opener IP/hostname. Near-zero legitimate access.
Fake AWS keys — place in source code, S3 config files, developer documentation. Any AWS API call attempt fires immediate alert regardless of credential validity.
DNS tokens — fake internal hostnames (PROD-DC-02-MGMT) in internal documentation. Any DNS lookup reveals attacker has read internal docs and is mapping infrastructure.
Honey credentials in AD — fake privileged-looking accounts with canary passwords. Login attempt from any source = confirmed attacker conducting internal recon.
Desktop folder canaries — "Company_Passwords_2024.xlsx" and "Network_Topology.pdf" on shared drives. Opened = attacker actively browsing file shares for credential material.

DECEPTION

Honeypots & AD Deception

Fake systems and AD objects that attract and detect internal reconnaissance

Thinkst Canary — commercial hardware/virtual honeypots. Emulates Windows servers, Linux hosts, Cisco devices, and more. Alert fires on any connection attempt. No false positives.
OpenCanary — free open-source. Simulates SSH, HTTP, FTP, SNMP, SMB, and Telnet services. Deploy as hidden internal hosts on each VLAN for lateral movement detection.
Honey AD accounts — fake privileged accounts (svc_backup, IT_Admin, SQLSvcAcct) with real-looking SPNs. Kerberoast attempt or auth attempt reveals active enumeration.
Honey SPNs — service principal names on honey accounts. Any Kerberoasting attempt against them triggers detection without any false positive risk.
Honey computers — fake DC or server computer objects in AD. RPC/SMB connection attempts reveal an attacker has enumerated AD and is attempting lateral movement to these objects.
Deployment strategy — scatter across all VLANs. Use realistic naming conventions matching your environment. There is no legitimate reason for any internal system to connect to a honeypot host.

Risk Reduction

Vulnerability Management

Risk-prioritized vulnerability identification and remediation. CVSS scores alone are insufficient — contextualize with exposure, exploitability, and asset criticality to focus remediation resources.

VULN

Scanning & Prioritization

Credentialed scanning and risk-based prioritization

Tenable Nessus/io — industry standard. Always use credentialed scans — unauthenticated misses 80% of findings.
Nuclei — template-based scanner with massive community template library for specific CVE detection.
CISA KEV priority — Known Exploited Vulnerabilities are P0 regardless of CVSS score.
EPSS scoring — exploitation probability score. Better risk signal than CVSS alone for prioritization decisions.
Scan cadence — weekly credentialed internal · daily internet-facing · continuous for cloud assets.

VULN

Attack Surface Management

Discover and monitor all internet-facing assets continuously

External ASM — Censys/Shodan EASM platforms. Discover all assets exposed to the internet, including shadow IT and forgotten subdomains.
Certificate monitoring — crt.sh / certstream. Monitor CT logs for new certs issued to your domains. Catches phishing and subdomain takeover risks.
Subdomain monitoring — alert on new subdomains especially on cloud providers (S3, Azure Blob, GitHub Pages). Subdomain takeover is a common initial access vector.
Shodan alerting — alerts when new services appear on your IP ranges. Catches exposed RDP, SSH, databases before attackers find them.
Shadow IT — many internet-facing assets are unknown to security. Cloud accounts, dev test environments, forgotten applications.

VULN

Remediation SLAs

Risk-tiered patching timelines that organizations can actually meet

P0 CISA KEV — 7 days. No exceptions. Pre-approved emergency change process required to meet this SLA.
Critical + Internet — 14 days. High business risk. Escalate to CISO if SLA cannot be met.
Critical Internal — 30 days. Standard change process acceptable.
High + Internet — 30 days. Include in next patching cycle.
High Internal — 60 days. Track in VM platform for SLA compliance.
Medium — 90 days. Batched with regular maintenance. Reprioritize if EPSS increases.

Reference

Blue Team Tool Arsenal

Essential defensive tools by function. The best tools are the ones your team uses consistently — invest in training and process, not just purchasing licenses.

Complete Tool Reference by Function Category

SIEM / LOG MANAGEMENT
  Splunk / Splunk ES / Splunk SOAR           Enterprise SIEM, security analytics, and SOAR orchestration
  Microsoft Sentinel / Defender XDR          Cloud-native SIEM with deep M365/Azure integration and KQL
  Elastic Security / ELK Stack              Open-source SIEM with ML anomaly detection and EQL rules
  IBM QRadar / LogRhythm                    Enterprise SIEM platforms with UBA modules
  Graylog / OpenSearch Security             Open-source log management alternatives (lower cost)

EDR / ENDPOINT DETECTION
  Microsoft Defender for Endpoint (MDE)    Native Windows EDR with ASR rules and Advanced Hunting KQL
  CrowdStrike Falcon                       Best-in-class behavioral EDR with custom IOA rules
  SentinelOne Singularity                  Autonomous EDR with ransomware VSS rollback capability
  Cortex XDR (Palo Alto)                   XDR platform with strong network and cloud integration
  Velociraptor                             Open-source DFIR hunt platform — VQL-based, scales to 10k+ hosts
  Sysmon + Sysmon Modular                 Free telemetry enhancement — 25+ event types including DNS and pipes

NETWORK DETECTION & RESPONSE
  Zeek (Bro)                               Network security monitor with rich protocol analyzers
  Suricata                                 IDS/IPS with Emerging Threats Open ruleset (40k+ signatures)
  Arkime (Moloch)                          Full PCAP capture, indexing, and retrospective analysis
  RITA / AC-Hunter                         Automated C2 beaconing detection via Zeek conn.log analysis
  Security Onion                           NSM distribution bundling Zeek + Suricata + Elastic + RITA
  ntopng / NetFlow Analyzer              NetFlow/IPFIX visualization and east-west baseline analysis

IDENTITY & ACCESS
  Microsoft Entra ID Protection            Risk-based identity protection — impossible travel, anomalous tokens
  CyberArk / BeyondTrust / Delinea        Privileged Access Management (PAM) with session recording
  Microsoft LAPS                           Unique local admin passwords per machine — built into Windows
  PingCastle / Purple Knight              Active Directory security assessment and scoring
  Locksmith                               ADCS vulnerability identification and remediation guidance
  BloodHound CE / Adalanche               AD attack path analysis from defender perspective

THREAT INTELLIGENCE
  MISP / OpenCTI                           Open-source TIP with STIX/TAXII and ATT&CK integration
  Recorded Future / ThreatConnect         Commercial CTI platforms with dark web and technical intelligence
  VirusTotal / ANY.RUN                    Online malware analysis, sandbox detonation, and IOC correlation
  CAPA / FLOSS                            Capability extraction and obfuscated string deobfuscation
  Ghidra / IDA Pro                        Reverse engineering and binary analysis for deep malware research
  CAPE Sandbox / Cuckoo                   Self-hosted malware detonation for privacy-sensitive samples

THREAT HUNTING
  Atomic Red Team                         MITRE ATT&CK-mapped technique tests for detection validation
  Caldera                                 MITRE's automated adversary emulation for chained attack scenarios
  Stratus Red Team                        Cloud-specific ATT&CK technique tests for AWS/Azure/GCP
  Hayabusa                                Fast Windows event log threat hunting with Sigma rule support
  ThreatHunter-Playbook (OTRF)            Community hunt playbook library with query templates

FORENSICS & INCIDENT RESPONSE
  Volatility 3                            Memory forensics — process analysis, network connections, malfind
  MemProcFS                               Mount memory images as filesystem — browse process memory as files
  Eric Zimmerman Tools                    EvtxECmd · PECmd · AmcacheParser · ShimCacheParser · MFTECmd
  Plaso / log2timeline                    Super-timeline generation from multiple forensic artifacts
  Autopsy / Sleuth Kit                    Open-source disk forensics platform — free and court-admissible
  FTK / Magnet AXIOM                      Commercial forensics platforms with advanced analysis capabilities
  winpmem / LiME                         Memory acquisition — Windows (free) and Linux (kernel module)
  TheHive / IRIS                          Open-source IR case management with evidence tracking

DECEPTION
  Thinkst Canary                          Commercial honeypot hardware/VMs with realistic service emulation
  canarytokens.org                        Free web-based canary token generator — 20+ token types
  OpenCanary                              Open-source honeypot service emulator — SSH, HTTP, SMB, FTP
  Attivo / SentinelOne Ranger             Enterprise deception platform with automated deception fabric

VULNERABILITY MANAGEMENT
  Tenable Nessus / Tenable.io            Industry standard — credentialed scans, agent-based deployment
  Qualys VMDR / Rapid7 InsightVM         Cloud-based VM platforms with risk-based prioritization scoring
  Nuclei                                  Template-based CVE scanner with massive community template library
  Prowler / ScoutSuite / CloudFox       Cloud security posture assessment — multi-cloud open source
  Trivy / Grype / Checkov               Container and IaC security scanning for CI/CD pipeline integration

DETECTION ENGINEERING
  SigmaHQ / sigma-cli / Uncoder.io      Generic detection rule format, compiler, and online translator
  ATT&CK Navigator                        Coverage visualization, gap analysis, and threat actor overlay
  Detection Lab                           Pre-built lab environment for detection testing and rule development
  MITRE D3FEND                            Countermeasure knowledge base mapped to ATT&CK techniques

SOAR PLATFORMS
  Palo Alto XSOAR                         Leading commercial SOAR — 750+ integrations, marketplace playbooks
  Splunk SOAR                             Deep Splunk integration, visual playbook builder
  Microsoft Sentinel Playbooks            Logic Apps-based automation natively integrated with Sentinel
  Shuffle                                 Open-source SOAR — self-hosted, workflow-based automation
  TheHive + Cortex                        Open-source IR + automated analyzer + SOAR integration