LetsDefend

ARP 101

SIEM Logs

Is 2026 a good time to live?

⚠️ New Challenge: Koredos During an incident response engagement, the SOC team recovered a DLL file from the system32 directory of a compromised Windows host.

⚠️ New SOC Alert: Suspicious Rundll32 Execution Detected Attackers use suspicious Rundll32 execution to proxy malicious DLL/code via a trusted Windows process, evading detection, blending with legit activity, and bypassing app controls (e.g., for credential theft). 👥 Role: Incident Responder 🛠️ Type: Generic 💪 Difficulty: Medium 🔢 Event ID: 285

Can you?

💯 Do you want to be a SOC Manager? The FIRST SOC Manager course: Exploring the Cyber Threat Landscape

Thanks. 🫡

Public key vs Private key

⚠️ New SOC Alert: Critical System File Deletion Attackers use Critical System File Deletion to erase logs, disable defenses, or trigger privilege escalation (e.g., via Windows Installer abuse), evading detection and causing DoS. This hides tracks and disrupts recovery. 🛠️ Type: Persistence 👥 Role: Incident Responder 💪 Difficulty: Medium 🔢 Event ID: 283

SIEM Alert Investigation

🥳 The MOST wanted learning path: Threat Hunting 📚️ 20 Courses 🔬 Tons of labs 🎓️ Certificate

Ran somewhere

Popular ports for security teams

⚠️ New Challenge: Remote Access Regret

⚠️ New SOC Alert: Event Log Cleared Attackers clear event logs (e.g., via wevtutil cl Security) to erase traces of intrusion like logins, malware execution, or privilege escalation, evading forensics and detection. 👥 Role: Incident Responder 💪 Difficulty: Persistence 🛠️ Type: Medium 🔢 Event ID: 282

Phishing emails 🐟️

⚠️ New Course: Malware Obfuscation Techniques

SIEM vs SOAR

Respect.