Threats & Attack Techniques

MITRE ATT&CK thinking, common attacker behaviors, and detection ideas.

TA-01

What is the MITRE ATT&CK framework?

Answer: A knowledge base of adversary tactics and techniques that helps map behaviors to detections, hunting, and response.

Tip: Mention how you use it: “I map alerts to ATT&CK to understand the kill chain stage.”

TA-02

What is credential dumping and why is it dangerous?

Answer: Extracting credentials from memory or stores (e.g., LSASS) to enable lateral movement and privilege escalation.

Tip: Signals: suspicious access to LSASS, use of known tools, abnormal authentication patterns.

TA-03

What is privilege escalation?

Answer: Gaining higher permissions than intended (user → admin/root). It can be done via exploits, misconfigurations, or credential abuse.

Tip: Mention both local and domain escalation paths.

TA-04

What is C2 (command and control)?

Answer: Infrastructure attackers use to send commands and receive data from compromised systems.

Tip: SOC angle: beaconing patterns, rare domains, unusual ports, periodic callbacks.

TA-05

Explain “living off the land” (LOLBins).

Answer: Using legitimate built-in tools (PowerShell, WMI, rundll32) to avoid detection and blend in with normal admin activity.

Tip: Focus on context: suspicious command lines, unusual parents, odd execution times.

TA-06

How does data exfiltration commonly happen?

Answer: Via cloud storage, HTTPS uploads, DNS tunneling, email, or by staging and compressing data before sending it out.

Tip: Indicators: abnormal upload volume, rare destinations, new tools (rclone), unusual archives.

TA-07

What is lateral movement? Give an example technique.

Answer: Moving across hosts. Examples: remote services (SMB/WinRM), pass-the-hash, RDP, PsExec.

Tip: Mention detective signals: new remote service creation, admin shares, authentication bursts.

TA-08

What are common persistence techniques on Windows?

Answer: Scheduled tasks, services, startup folder, Run keys, WMI event subscriptions, DLL hijacking.

Tip: In an interview, naming 3–5 with confidence is plenty.

TA-09

What is a supply chain attack?

Answer: Compromising software/hardware providers or dependencies so victims get infected through trusted updates or libraries.

Tip: Detection relies on integrity checks, SBOM awareness, and anomaly monitoring.

TA-10

Why do attackers use encryption and obfuscation?

Answer: To hide payloads, evade signatures, and make analysis harder (packed binaries, encrypted strings, TLS traffic).

Tip: SOC response: lean on behavior + metadata + endpoint telemetry.