CDSA
HackTheBox

HTB Certified Defensive Security Analyst

Level: Intermediate | Format: Practical SOC/DFIR exam | Pass: Passing report | Cost: $210

Defensive security — log analysis, threat hunting, incident response, DFIR.

Official Page
Issuer: HackTheBox
Format: Practical SOC/DFIR exam
Duration: 7 days
Pass Score: Passing report
Recommended Tools
Autopsy (Essential) - Forensics
Digital forensics platform
Install: Download from sleuthkit.org
Usage: Open disk image, run ingest modules

Volatility3 (Essential) - Forensics
Memory forensics framework
Install: pip3 install volatility3
Usage: vol.py -f memory.dmp windows.pslist; vol.py -f memory.dmp windows.netscan

YARA (Essential) - Malware
Pattern matching for malware
Install: sudo apt install yara
Usage: yara rules.yar /path/to/scan

Wireshark (Essential) - Network
Packet analyzer
Install: sudo apt install wireshark
Usage: wireshark -r capture.pcap

Zeek (Essential) - Network
Network security monitor
Install: sudo apt install zeek
Usage: zeek -r capture.pcap

Elastic Stack (Essential) - SIEM
Open-source SIEM (ELK)
Install: docker-compose up (from elastic docs)
Usage: Kibana KQL: event.code:4625 AND NOT user.name:SYSTEM

Splunk (Essential) - SIEM
Industry-leading SIEM platform
Install: Download from splunk.com
Usage: index=windows source="WinEventLog:Security" EventCode=4625 | stats count by src_ip

Chainsaw (Essential) - Windows IR
Windows event log hunting tool
Install: Download from github releases
Usage: chainsaw hunt /var/log/windows/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml

Hayabusa (Essential) - Windows IR
Windows event log threat hunting
Install: Download from github releases
Usage: hayabusa csv-timeline -f Security.evtx -o timeline.csv

MISP - Threat Intel
Threat intelligence platform
Install: Docker: docker-compose up
Usage: Import/export IOCs, share threat intel