{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/blueteam/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": [],
      "_cs_severities": ["low"],
      "_cs_tags": ["soc", "blueteam", "threat-hunting"],
      "_cs_type": "advisory",
      "_cs_vendors": [],
      "content_html": "\u003cp\u003eA security practitioner has released a free, offline SOC toolkit intended for Tier 1 analysts and those new to blue team operations. This toolkit, contained within a single HTML file, provides resources for incident response, alert triage, threat hunting, and analyst onboarding. Released in March 2026, the toolkit includes interactive IR checklists for common incident types (Phishing, Malware, Brute Force, Data Exfil, Suspicious PowerShell), alert triage playbooks with decision trees, threat hunting guides mapped to MITRE ATT\u0026amp;CK, and a structured curriculum for new Tier 1 hires. The threat hunting guides are noteworthy, as they include Splunk and Elastic queries for specific attack techniques like Kerberoasting, Pass-the-Hash, LOLBAS abuse, scheduled task persistence, and C2 communication on non-standard ports. Defenders can leverage the shared hunting queries to enhance their detection capabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis toolkit is designed to aid in the \u003cem\u003edetection\u003c/em\u003e of the following attack chains:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e (Phishing, Malware) An attacker gains initial access through methods such as phishing emails or malware-infected attachments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e (Kerberoasting, Pass-the-Hash) After gaining initial access, the attacker attempts to harvest credentials using techniques like Kerberoasting to target service accounts or Pass-the-Hash to reuse existing credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e (Pass-the-Hash) Using compromised credentials, the attacker moves laterally within the network, accessing additional systems and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e (LOLBAS) The attacker utilizes Living-Off-The-Land Binaries and Scripts (LOLBAS) to execute malicious commands and evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e (Scheduled Task Persistence) The attacker establishes persistence by creating scheduled tasks that execute malicious code at regular intervals.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e (C2 on non-standard ports) The attacker establishes a command and control channel, communicating with compromised systems over non-standard ports to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e (Data Exfil) The attacker exfiltrates sensitive data from the compromised systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e (Data Exfil) The attacker achieves their final objective of data exfiltration, resulting in data loss or exposure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe toolkit helps defenders to mitigate the impact of attacks by providing resources for incident response, alert triage, and threat hunting. Successful implementation of the toolkit\u0026rsquo;s recommendations can lead to faster detection and containment of security incidents, reducing the potential for data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview the threat hunting guides within the toolkit and adapt the provided Splunk and Elastic queries for Kerberoasting, Pass-the-Hash, LOLBAS, scheduled task persistence, and C2 on non-standard ports to your environment.\u003c/li\u003e\n\u003cli\u003eUtilize the provided IR Checklists (Phishing, Malware, Brute Force, Data Exfil, Suspicious PowerShell) to standardize and improve incident response procedures.\u003c/li\u003e\n\u003cli\u003eCustomize and integrate the Alert Triage Playbooks into your existing security operations workflows to assist with the analysis of alerts related to impossible travel, lateral movement, and DNS beaconing.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-03-18T12:00:00Z",
      "date_published": "2026-03-18T12:00:00Z",
      "id": "/briefs/2026-03-soc-analyst-hub/",
      "summary": "A free, offline SOC toolkit aimed at Tier 1 analysts includes IR checklists, triage playbooks, and threat hunting guides mapped to MITRE ATT\u0026CK, with Splunk and Elastic queries for threats such as Kerberoasting, Pass-the-Hash, LOLBAS, scheduled task persistence, and C2 on non-standard ports.",
      "title": "SOC Analyst Toolkit with Threat Hunting Queries",
      "url": "https://feed.craftedsignal.io/briefs/2026-03-soc-analyst-hub/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Blueteam",
  "version": "https://jsonfeed.org/version/1.1"
}