Listen to this Post

Introduction:
Every network attack, no matter how sophisticated, leaves a digital footprint somewhere in your logs. The difference between a compromised network and a quickly contained incident often comes down to one thing: knowing exactly which log to open first. This article distills an 11-page visual SOC analyst guide into actionable intelligence, mapping eight common attack vectors to their precise log sources and Indicators of Compromise (IOCs)—so you can stop hunting blindly and start catching threats with surgical precision.
Learning Objectives:
- Identify the specific log sources and IOCs associated with eight common attack types, from MITM to phishing.
- Apply MITRE ATT&CK mapping to log data for enhanced threat detection and incident response.
- Implement practical detection commands and configurations across Linux, Windows, and SIEM platforms to hunt for these attacks in your own environment.
You Should Know:
- Man-in-the-Middle (MITM) – ARP Anomalies + Unexpected TLS Certificates
MITM attacks rely on intercepting communication between two parties, often through ARP spoofing or TLS certificate impersonation. The attacker poisons the ARP cache, associating their MAC address with the legitimate gateway’s IP, thereby positioning themselves in the traffic flow.
Step-by-Step Detection Guide:
- Monitor ARP Traffic: On Linux, use `arp -a` to view the ARP table and look for duplicate IP-to-MAC mappings. For continuous monitoring, deploy `arpwatch` to log all ARP activity:
sudo apt-get install arpwatch sudo arpwatch -i eth0
Review `/var/log/arpwatch.log` for suspicious “flip” events where a MAC address changes for a critical IP.
-
Enable Dynamic ARP Inspection (DAI): On Cisco switches, configure DAI to validate ARP packets against a trusted DHCP snooping database:
ip arp inspection vlan 10 ip arp inspection trust interface GigabitEthernet0/1
-
Analyze TLS Certificates: Unexpected or self-signed certificates in your network traffic are a red flag. Use Wireshark to filter TLS handshakes:
tls.handshake.certificate
Look for certificates issued by unknown CAs or with mismatched Common Names.
-
Windows Event Logs: Monitor Event ID 4625 (failed logons) and 5140 (network share access) for anomalies that may indicate credential harvesting during an MITM attack.
2. Rootkits – Sysmon Events + Memory Forensics
Rootkits operate at the kernel or hypervisor level, hiding processes, files, and network connections. Detection requires a combination of endpoint telemetry and memory analysis.
Step-by-Step Detection Guide:
- Deploy Sysmon with a Comprehensive Configuration: Sysmon Event ID 10 (ProcessAccess) is critical for detecting memory injection attempts. Use the following Sysmon config snippet to log suspicious process access:
<ProcessAccess onmatch="include"> <CallTrace condition="contains">NtAllocateVirtualMemory</CallTrace> </ProcessAccess>
-
Memory Forensics with Volatility: Capture a memory dump using `DumpIt` or
WinPMEM, then analyze with Volatility:vol.py -f memory.dump --profile=Win10x64 pslist vol.py -f memory.dump --profile=Win10x64 malfind
Look for hidden processes (psxview) and injected code (malfind).
-
Windows Event Logs: Monitor Event ID 7045 (service installation) for unexpected kernel drivers. Event ID 4657 (registry value changes) can reveal persistence mechanisms.
-
Linux Rootkit Detection: Use `chkrootkit` or
rkhunter:sudo chkrootkit sudo rkhunter --check
Examine `/var/log/syslog` for kernel module loading anomalies (
insmod,modprobe).
3. Botnets – DNS Beaconing + DGA Domains
Botnets communicate with command-and-control (C2) servers using Domain Generation Algorithms (DGA) and beaconing patterns—regular, periodic DNS queries to algorithmically generated domains.
Step-by-Step Detection Guide:
- Analyze DNS Logs for Beaconing: Use Zeek (formerly Bro) to parse DNS logs and identify periodic queries:
zeek -r traffic.pcap dns.log cat dns.log | zeek-cut query | sort | uniq -c | sort -1r
Look for domains queried at fixed intervals (e.g., every 60 seconds).
-
Detect DGA Domains: Use entropy analysis to flag domains with high randomness. Python script snippet:
import math def entropy(s): return -sum((s.count(c)/len(s)) math.log2(s.count(c)/len(s)) for c in set(s)) Flag domains with entropy > 4.5
-
SIEM Correlation: Create a rule in your SIEM (Splunk, QRadar, or Elastic) that triggers on:
- High NXDOMAIN response rate from a single source IP.
-
First-seen domains with low reputation scores (integrate Threat Intelligence feeds).
-
Network-Level Blocking: Configure DNS sinkholes using Pi-hole or a custom BIND response policy zone (RPZ) to block known DGA domains.
- IP Spoofing – TTL Mismatches in Firewall Logs
IP spoofing involves forging the source IP address to impersonate a trusted host. Detection relies on analyzing Time-To-Live (TTL) values—spoofed packets often have TTLs inconsistent with the expected hop count.
Step-by-Step Detection Guide:
- Analyze Firewall Logs for TTL Anomalies: On Linux, use `tcpdump` to capture and inspect TTL values:
sudo tcpdump -i eth0 -1 -v 'ip and src host 192.168.1.100'
Compare the observed TTL against known OS initial TTL values (Linux: 64, Windows: 128, Cisco: 255).
-
Configure iptables to Log TTL: Add a logging rule that captures packets with suspicious TTLs:
sudo iptables -A INPUT -m ttl --ttl-lt 64 -j LOG --log-prefix "Spoofed TTL: "
-
Windows Firewall with Advanced Security: Enable logging for dropped packets and review `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log` for source IPs with inconsistent TTL patterns.
-
SIEM Use Case: Create a detection rule that correlates inbound packets with TTL values that don’t match the expected hop count based on geographic or network topology data.
- DNS Spoofing – NXDOMAIN Spikes + Fake Responses
DNS spoofing (cache poisoning) injects false DNS records into a resolver’s cache, redirecting users to malicious sites. Detection focuses on anomalous response patterns.
Step-by-Step Detection Guide:
- Monitor NXDOMAIN Spikes: A sudden increase in NXDOMAIN responses often indicates DGA activity or DNS tunneling. Use `dnstop` to monitor live DNS traffic:
sudo dnstop -s eth0
Look for a high percentage of NXDOMAIN responses.
- Analyze DNS Response TTLs: Legitimate DNS records have consistent TTLs. Spoofed responses may have unusually low or high TTLs. Use `dig` to query and compare:
dig google.com +nostats +nocomments +noquestion +noanswer +noadditional
-
Deploy DNSSEC Validation: Ensure your DNS resolvers validate DNSSEC signatures. On BIND, set:
dnssec-validation auto;
-
Windows DNS Logging: Enable debug logging on Windows DNS servers to capture all queries and responses. Review Event IDs 256 (query) and 257 (response) for anomalies.
6. DDoS – Connection-Rate Spikes + Multi-Source IPs
Distributed Denial-of-Service attacks flood network resources with traffic from multiple sources. Detection requires real-time traffic analysis and rate-based alerting.
Step-by-Step Detection Guide:
- Monitor Connection Rates with Netstat: On Linux, use `ss` to track connection states:
watch -1 1 'ss -s | grep -i tcp'
Look for a sudden spike in `TIME-WAIT` or `SYN-RECV` connections.
-
Configure Suricata for DDoS Detection: Enable the `ddos` ruleset in
/etc/suricata/suricata.yaml:default-rule-path: /etc/suricata/rules rule-files:</p></li> <li><p>ddos.rules
-
Windows Performance Monitor: Create a Data Collector Set tracking `TCPv4 Connections Established` and
Segments/sec. Set alerts for thresholds exceeding baseline averages by 300%. -
Cloud-Based Mitigation: If using AWS, enable AWS Shield Advanced and configure WAF rate-based rules:
{ "Name": "RateLimit", "Priority": 0, "Action": { "Block": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true }, "Statement": { "RateBasedStatement": { "Limit": 2000, "AggregateKeyType": "IP" } } }
7. Malware – EDR Alerts + Registry Persistence
Malware establishes persistence through registry modifications, scheduled tasks, or service creation. Endpoint Detection and Response (EDR) tools provide the first line of defense.
Step-by-Step Detection Guide:
- Monitor Windows Registry for Persistence: Key paths to watch:
– `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
– `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
– `HKLM\System\CurrentControlSet\Services`
Use PowerShell to audit:
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object
- Enable EDR Telemetry: Configure your EDR (CrowdStrike, SentinelOne, Microsoft Defender) to log all process creations, network connections, and file modifications. Review alerts for:
- Unsigned executables running from `%TEMP%` or
%APPDATA%. - Processes making outbound connections to known-bad IPs.
-
Linux Malware Detection: Use `clamav` and `rkhunter` for file system scans. Monitor `/var/log/auth.log` for unauthorized `sudo` or `cron` entries.
-
SIEM Correlation Rule: Trigger an alert when a new registry run key is created followed by an outbound connection to an external IP within 5 minutes.
8. Phishing – Auth Logs + Impossible Travel
Phishing attacks often lead to credential theft and subsequent account takeovers. Detection hinges on analyzing authentication logs for anomalous behavior.
Step-by-Step Detection Guide:
- Monitor Failed Logons: Windows Event ID 4625 (failed logon) with a high frequency from a single source IP indicates a brute-force or password spray attack.
-
Detect Impossible Travel: In your SIEM, create a rule that flags a single user account logging in from geographically distant locations within an unrealistic time frame (e.g., New York and London within 1 hour). Use IP geolocation data to calculate travel time.
-
Azure AD / Office 365: Enable Unified Audit Logging and monitor for:
– `UserLoggedIn` events with `ClientIP` from high-risk countries.
– `MailboxLogin` events outside business hours. -
Linux SSH Logs: Monitor `/var/log/auth.log` for failed SSH attempts and successful logins from unusual IPs:
sudo grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -1r -
Implement MFA and Conditional Access: Enforce Multi-Factor Authentication and restrict access based on trusted IP ranges and device compliance.
The IR Cycle and 9 Golden Rules for Investigations
The Incident Response (IR) cycle—Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned—must be applied to every investigation. The 9 golden rules for SOC analysts include:
- Preserve Evidence: Always create a forensic copy before making changes.
- Isolate First, Ask Questions Later: Contain the threat before investigating.
- Follow the Data: Let logs and telemetry guide your investigation, not assumptions.
- Correlate Across Sources: Combine network, endpoint, and cloud logs for a complete picture.
- Map to MITRE ATT&CK: Identify the TTPs (Tactics, Techniques, and Procedures) used.
- Maintain Chain of Custody: Document every action for legal and compliance purposes.
- Communicate Clearly: Use plain language for stakeholders; technical details for the team.
- Automate Repetitive Tasks: Use SOAR playbooks to speed up triage.
- Debrief and Improve: Conduct a post-incident review to refine detection and response.
What Okan Yildiz Say:
- Key Takeaway 1: “Tools don’t detect attacks. Analysts who know where to look do.” This underscores the critical importance of log source knowledge over tool dependency.
- Key Takeaway 2: The 8 attacks mapped in the visual guide represent the most common threats facing SOCs today. Mastering their detection is non-1egotiable for any blue-team analyst.
Analysis: The post highlights a fundamental truth in cybersecurity: detection is a human skill augmented by technology, not replaced by it. The 11-page guide serves as a force multiplier, compressing years of experience into a visual reference. For junior analysts, this is a roadmap; for veterans, it’s a checklist. The emphasis on MITRE ATT&CK mapping bridges the gap between raw logs and adversary behavior, enabling proactive threat hunting rather than reactive alert chasing. The golden rules provide the discipline needed to avoid common investigative pitfalls. Ultimately, the post advocates for a mindset shift—from “what tool do I use?” to “what log tells the story?”
Prediction:
- +1 The democratization of SOC knowledge through visual guides and open-source resources will continue to raise the baseline skill level of entry-level analysts, reducing mean time to detect (MTTD) globally.
- +1 As AI-assisted log analysis becomes more prevalent, the human ability to interpret and contextualize alerts will become the differentiator between average and elite SOC teams.
- -1 The increasing complexity of cloud-1ative and hybrid environments will expand the attack surface, making it harder for analysts to maintain visibility across all log sources without integrated SIEM and XDR solutions.
- -1 Adversaries are already adapting by using legitimate credentials and living-off-the-land techniques, rendering IOC-based detection less effective and pushing the industry toward behavioral and UEBA-driven approaches.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Yildizokan Soc – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


