Mosec2525/learn-soc-with-me-lab-04-new-local-admin-user

GitHub: Mosec2525/learn-soc-with-me-lab-04-new-local-admin-user

Stars: 0 | Forks: 0

# Learn SOC With Me - Lab 04: New Local Admin User Investigation

Beginner-friendly Windows SOC lab built as a realistic, safe, static web exercise.

This lab teaches how a SOC analyst investigates local account creation, local Administrators group membership changes, suspicious command execution, and remote logon activity using synthetic Windows Security, Sysmon, RDP, and EDR logs.

Live lab target: open `index.html` locally or publish this repo with GitHub Pages.

## What You Will Practice

- Reading a Windows privilege escalation alert
- Understanding the Windows Event IDs for account and group changes (for example Security 4720, user account created, and 4732, member added to a security-enabled local group)
- Reviewing successful logon evidence (Security 4624, including the logon type that distinguishes RDP from console logons)
- Correlating process execution (Sysmon Event ID 1) with account creation
- Identifying suspicious local Administrators group membership
- Mapping activity to MITRE ATT&CK
- Assigning severity based on evidence
- Writing a short SOC triage report
- Recommending host and account containment actions

## Scenario

Northstar Financial, a fictional company, receives an EDR alert after a new local user is created on a workstation and added to the local Administrators group outside normal maintenance hours. The SOC must determine whether this is authorized IT work or suspicious privilege escalation.

Your job is to answer:

- Was the local admin creation authorized?
- Which host was affected?
- Which account was created?
- Who performed the action?
- What evidence supports the decision?
- What should the SOC do next?

## Lab Contents

```
.
|-- index.html
|-- style.css
|-- app.js
|-- cases/
|   `-- case-004-new-local-admin-user/
|-- data/
|   |-- alerts/
|   |-- answers/
|   |-- entities/
|   `-- logs/
|-- detections/
|   |-- elastic-kql/
|   |-- sigma/
|   `-- splunk/
|-- docs/
|-- reports/
|-- resources/
`-- schemas/
```

## How To Run

Recommended local server:

```
python -m http.server 8000
```

Then open:

```
http://localhost:8000
```

You can also open `index.html` directly, but a local server gives the most reliable browser behavior for loading the JSON data: many browsers refuse `fetch()` requests for local files from a page opened over `file://`.

## Investigation Workflow

Use this sequence:

1. Read the EDR alert.
2. Review successful logon activity.
3. Check process execution evidence.
4. Review Windows account and group events.
5. Identify the created account and its admin group membership.
6. Decide whether the activity is authorized or malicious.
7. Map the behavior to MITRE ATT&CK.
8. Choose a verdict, severity, and containment actions.
9. Compare your answer with the expected findings.

## Expected MITRE ATT&CK Mapping

- `T1136.001` - Create Account: Local Account
- `T1098` - Account Manipulation
- `T1078` - Valid Accounts

## Safety

All accounts, hosts, IP addresses, commands, and logs in this repository are synthetic and created for training. No real customer data, credentials, malware, or victim infrastructure is included.

Use this lab only for defensive learning, portfolio development, and SOC practice.

## Series

This repo is Lab 04 in the Learn SOC With Me series. Other labs in the series:

- Lab 01 - Password Spray Investigation
- Lab 02 - Suspicious PowerShell Investigation
- Lab 03 - Phishing Login Investigation
- Lab 05 - Possible Data Exfiltration
- Lab 06 - Cloud IAM Anomaly

## References

See [resources/references.md](resources/references.md).
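## Worked Example: Correlating the Evidence

The following script walks the Investigation Workflow above (logon, process execution, account creation, group change, verdict, severity, ATT&CK mapping, containment) over a handful of log records. It is an added example, not code from this repository: the sample events are constructed for illustration, the hostnames, usernames, IP address, timestamps and the field names (`subject_user`, `target_user`, `member`, `group`, `command_line`) are assumptions about how a lab's JSON logs might look, and the maintenance window is assumed to be 07:00-19:00 UTC. The event ID semantics are standard Windows ones: Security 4624 (successful logon; LogonType 10 is RemoteInteractive, i.e. RDP), 4720 (user account created; the subject is who did it, the target is the new account), 4732 (member added to a security-enabled local group) and Sysmon Event ID 1 (process creation).

```python
"""Correlate account-creation evidence for a "new local admin" triage.

Added example, not code from the lab repository. All sample data below is
constructed; field names are an assumption about the lab's JSON log layout.
Note that real 4732 events identify the added member by SID (MemberSid); the
sample uses a resolved account name so the correlation reads clearly.
"""
from datetime import datetime, timedelta

# Constructed sample log lines: one RDP logon, two net.exe commands, the
# matching 4720/4732 pair, plus a benign business-hours account creation on
# another host that should NOT be flagged as High.
EVENTS = [
    {"ts": "2024-03-12T02:41:10Z", "host": "WS-FIN-117", "source": "security",
     "event_id": 4624, "user": "j.doe", "logon_type": 10, "src_ip": "10.20.30.44"},
    {"ts": "2024-03-12T02:42:05Z", "host": "WS-FIN-117", "source": "sysmon",
     "event_id": 1, "user": "j.doe", "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net user svc_backup Summer2024! /add"},
    {"ts": "2024-03-12T02:42:06Z", "host": "WS-FIN-117", "source": "security",
     "event_id": 4720, "subject_user": "j.doe", "target_user": "svc_backup"},
    {"ts": "2024-03-12T02:42:20Z", "host": "WS-FIN-117", "source": "sysmon",
     "event_id": 1, "user": "j.doe", "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net localgroup Administrators svc_backup /add"},
    {"ts": "2024-03-12T02:42:21Z", "host": "WS-FIN-117", "source": "security",
     "event_id": 4732, "subject_user": "j.doe", "member": "svc_backup",
     "group": "Administrators"},
    {"ts": "2024-03-12T10:15:00Z", "host": "WS-HR-004", "source": "security",
     "event_id": 4720, "subject_user": "it.admin", "target_user": "intern01"},
]


def parse_ts(ts):
    """Timestamps are ISO-8601 UTC with a trailing Z (assumed lab convention)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(events, window_minutes=15, maintenance_hours=(7, 19)):
    """One finding per 4720 event, with the evidence that supports a verdict.

    maintenance_hours is a (start, end) hour pair in UTC; anything outside it
    counts as "outside normal maintenance hours" for severity purposes.
    """
    window = timedelta(minutes=window_minutes)
    findings = []
    for created in events:
        if not (created["source"] == "security" and created["event_id"] == 4720):
            continue
        t0 = parse_ts(created["ts"])
        host, actor, new_user = created["host"], created["subject_user"], created["target_user"]
        on_host = [e for e in events if e["host"] == host]

        # 4732: the new account added to local Administrators shortly after creation
        admin_adds = [e for e in on_host
                      if e["source"] == "security" and e["event_id"] == 4732
                      and e.get("member") == new_user
                      and e.get("group", "").lower() == "administrators"
                      and t0 <= parse_ts(e["ts"]) <= t0 + window]

        # Sysmon 1: commands run by the actor that name the new account
        commands = [e["command_line"] for e in on_host
                    if e["source"] == "sysmon" and e["event_id"] == 1
                    and e.get("user") == actor and new_user in e.get("command_line", "")
                    and t0 - window <= parse_ts(e["ts"]) <= t0 + window]

        # 4624: the actor's most recent successful logon before the creation
        logons = [e for e in on_host
                  if e["source"] == "security" and e["event_id"] == 4624
                  and e.get("user") == actor and parse_ts(e["ts"]) <= t0]
        logon = max(logons, key=lambda e: parse_ts(e["ts"]), default=None)

        outside_hours = not (maintenance_hours[0] <= t0.hour < maintenance_hours[1])
        techniques = ["T1136.001"]              # Create Account: Local Account
        if admin_adds:
            techniques.append("T1098")          # Account Manipulation
        if logon:
            techniques.append("T1078")          # Valid Accounts (someone logged in to do it)
        if admin_adds and outside_hours:
            severity = "High"
        elif admin_adds:
            severity = "Medium"
        else:
            severity = "Low"

        findings.append({
            "host": host, "actor": actor, "new_user": new_user,
            "created_at": created["ts"], "added_to_admins": bool(admin_adds),
            "outside_hours": outside_hours, "commands": commands,
            "logon_type": logon["logon_type"] if logon else None,
            "logon_src": logon.get("src_ip") if logon else None,
            "severity": severity, "techniques": techniques,
        })
    return findings


def containment_actions(finding):
    """Recommendations a triage report would carry for the finding's severity."""
    if finding["severity"] == "Low":
        return ["Confirm with IT that the account creation matches a change ticket"]
    return [
        f"Disable or delete local account {finding['new_user']} on {finding['host']}",
        f"Remove {finding['new_user']} from the local Administrators group",
        f"Isolate {finding['host']} pending forensic review",
        f"Reset credentials for {finding['actor']} and review the logon source {finding['logon_src']}",
    ]


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["severity"], f["host"], f["new_user"], f["techniques"])
        for action in containment_actions(f):
            print("  -", action)
```

The correlation key is the host plus the new account name, with a short time window: a 4720 followed within minutes by a 4732 into Administrators, both attributable to the same interactive (type 10) logon, is the pattern the lab's alert describes, while a lone 4720 during business hours is routed to a change-ticket check rather than containment.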