CDSA
HackTheBox

HTB Certified Defensive Security Analyst

Level: Intermediate | Format: Practical SOC/DFIR exam | Pass: Passing report | Price: $210

Defensive security — log analysis, threat hunting, incident response, DFIR.

Official Page
Issuer: HackTheBox
Format: Practical SOC/DFIR exam
Duration: 7 days
Pass Score: Passing report
Cheat Sheets
SIEM & Forensics Reference

Splunk SPL Detection Queries

# Brute force detection (failed logins)
index=windows source="WinEventLog:Security" EventCode=4625
| stats count by src_ip, user | where count > 10

# Pass-the-Hash (NTLM network logon, type 3, excluding anonymous and machine accounts)
# Note: wildcards are not matched by `where`; use like() for the trailing-$ machine account test
index=windows EventCode=4624 Logon_Type=3 Authentication_Package=NTLM
| where NOT (user="ANONYMOUS LOGON" OR like(user, "%$"))

# Kerberoasting (TGS-REQ for RC4 encrypted tickets)
index=windows EventCode=4769 Ticket_Encryption_Type=0x17
| stats count by Account_Name, Service_Name

# DCSync (replication extended rights exercised by a non-DC, i.e. non-machine, account)
# GUID prefixes: 1131f6aa = DS-Replication-Get-Changes, 1131f6ad = DS-Replication-Get-Changes-All,
# 89e95b76 = DS-Replication-Get-Changes-In-Filtered-Set; parentheses keep the OR from escaping the 4662 filter
index=windows EventCode=4662 (Properties="*1131f6aa*" OR Properties="*1131f6ad*" OR Properties="*89e95b76*")
| where NOT like(SubjectUserName, "%$")

# PowerShell module logging (4103) and script block logging (4104)
# ScriptBlockText (4104) and Payload (4103) are fields extracted by the Splunk Add-on for Windows
index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" (EventCode=4103 OR EventCode=4104)
| table _time, ComputerName, EventCode, ScriptBlockText, Payload
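The same four detections (brute force, Pass-the-Hash, Kerberoasting, DCSync) expressed in plain Python over constructed event dictionaries that mirror the Splunk field names above, so the filtering logic, including the machine-account (trailing `$`) and ANONYMOUS LOGON exclusions, can be checked offline. This is an added example, not HackTheBox material; all event values are made up.

```python
"""Pure-Python equivalents of the SPL detections, run over constructed events."""
from collections import Counter

# Prefixes of the replication extended-right GUIDs that indicate DCSync when
# exercised by a principal that is not a domain controller (machine) account.
DCSYNC_GUIDS = ("1131f6aa", "1131f6ad", "89e95b76")

def is_machine_account(user: str) -> bool:
    return user.endswith("$")

def brute_force(events, threshold=10):
    """EventCode=4625 | stats count by src_ip, user | where count > threshold."""
    c = Counter((e["src_ip"], e["user"]) for e in events if e["EventCode"] == 4625)
    return {k: n for k, n in c.items() if n > threshold}

def pass_the_hash(events):
    """4624 network logon (type 3) via NTLM, excluding anonymous and machine accounts."""
    return [e for e in events if e["EventCode"] == 4624 and e["Logon_Type"] == 3
            and e["Authentication_Package"] == "NTLM"
            and e["user"] != "ANONYMOUS LOGON" and not is_machine_account(e["user"])]

def kerberoasting(events):
    """4769 TGS requests for RC4 (0x17) tickets, counted per account and service."""
    return Counter((e["Account_Name"], e["Service_Name"]) for e in events
                   if e["EventCode"] == 4769 and e["Ticket_Encryption_Type"] == "0x17")

def dcsync(events):
    """4662 carrying a replication GUID in Properties, requested by a non-machine account."""
    return [e for e in events if e["EventCode"] == 4662
            and any(g in e["Properties"] for g in DCSYNC_GUIDS)
            and not is_machine_account(e["SubjectUserName"])]

EVENTS = (  # constructed sample data (hostnames, users and IPs are invented)
    [{"EventCode": 4625, "src_ip": "10.0.0.5", "user": "jdoe"}] * 12
  + [{"EventCode": 4625, "src_ip": "10.0.0.9", "user": "asmith"}] * 3
  + [{"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM", "user": "admin"},
     {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM", "user": "WS01$"},
     {"EventCode": 4624, "Logon_Type": 3, "Authentication_Package": "NTLM", "user": "ANONYMOUS LOGON"},
     {"EventCode": 4624, "Logon_Type": 2, "Authentication_Package": "Kerberos", "user": "admin"},
     {"EventCode": 4769, "Account_Name": "jdoe", "Service_Name": "MSSQLSvc", "Ticket_Encryption_Type": "0x17"},
     {"EventCode": 4769, "Account_Name": "jdoe", "Service_Name": "MSSQLSvc", "Ticket_Encryption_Type": "0x17"},
     {"EventCode": 4769, "Account_Name": "jdoe", "Service_Name": "krbtgt", "Ticket_Encryption_Type": "0x12"},
     {"EventCode": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
     {"EventCode": 4662, "SubjectUserName": "jdoe", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}]
)

if __name__ == "__main__":
    for name, fn in [("brute_force", brute_force), ("pass_the_hash", pass_the_hash),
                     ("kerberoasting", kerberoasting), ("dcsync", dcsync)]:
        print(name, fn(EVENTS))
```

Only the 12-attempt source, the non-machine NTLM logon, the two RC4 TGS requests and the 4662 from a user account survive the filters; the DC's own replication (DC01$) is excluded as expected.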