
CyberLex Blue Team Academy

Podcast by M.G. Vance

English

Technology & science


About CyberLex Blue Team Academy

CyberLex Blue Team Academy is the cinematic, scenario-based podcast that teaches real-world defensive skills for Security+, ISC2 CC, CySA+, and CCSP. Learn to analyze threats, investigate incidents, and build the defensive intuition needed for modern cybersecurity roles. Your journey to becoming a defender starts here.

All episodes

22 episodes


Episode 10 — The Scheduled Task That Recreated Itself | Security Operations: Persistence & Automated Rebuild Loops

EPISODE 10 — THE SCHEDULED TASK THAT RECREATED ITSELF

Security+ Domain 4 concepts • CySA+ threat analytics • SOC persistence detection

Persistence is the attacker’s greatest weapon. And one of the stealthiest forms of persistence is a scheduled task that… won’t stay deleted. Defenders remove it. Minutes later, it reappears. Delete again. It returns again. This isn’t a misconfiguration. It’s a self-healing persistence loop — designed to survive every defensive attempt.

In this cinematic scenario, you’ll see how attackers build auto-rebuilding tasks, how fileless payloads hide in memory, and how SOC analysts investigate the subtle indicators surrounding persistence mechanisms.

What you’ll learn:
  • How attackers create scheduled tasks that auto-rebuild
  • How fileless scripts persist invisibly in memory
  • Why scheduled tasks are powerful detection points
  • How C2 frameworks use heartbeat-style DNS traffic
  • How to safely contain persistence mechanisms
  • How task creation logs reveal credential misuse
  • How real-world SOC teams escalate persistence findings

Security Operations Skills Covered:
  ✔ Automation & orchestration visibility
  ✔ Fileless execution & in-memory persistence
  ✔ Task scheduler abuse
  ✔ DNS-based command-and-control patterns
  ✔ Behavioral EDR/XDR investigation
  ✔ Incident response workflow for persistence
  ✔ Threat hunting signals

This scenario reinforces key concepts from:
  • Security+ (SY0-701) — Automation, persistence mechanisms, task scheduler abuse, detection & response
  • CySA+ (CS0-003) — Behavioral analytics, fileless attack patterns, DNS-based C2, credential misuse

Designed for exam learners and real SOC analysts.

Ideal for:
  — Security+ learners
  — CySA+ learners
  — SOC Tier 1 analysts
  — Threat hunters
  — Blue team defenders
  — Anyone learning how persistence works in the real world

Cinematic. Practical. Exam-relevant. This is how defenders recognize threats that refuse to disappear.

New episodes weekly.

Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles. Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/

CyberLex Learning — Forge the Defender.

2 Jan 2026 - 3 min

Episode 9 — The DNS Query That Didn’t Match Any Pattern | Security Operations: DNS Analysis & C2 Detection

EPISODE 9 — THE DNS QUERY THAT DIDN’T MATCH ANY PATTERN

Security+ Domain 4 concepts • CySA+ network analytics • SOC DNS anomaly detection

DNS is one of the most misunderstood — and most exploited — protocols in cybersecurity. Attackers use it for stealthy command-and-control, tunneling, and low-and-slow exfiltration because most environments treat DNS as “just infrastructure,” not a high-signal detection source.

In this cinematic scenario, you’ll learn how a single strange DNS query becomes the clue that exposes a hidden attacker channel.

What you’ll learn:
  • How DNS tunneling and C2 communication work
  • Why random or structured-looking domains signal early compromise
  • How SOC analysts correlate DNS telemetry with endpoint behavior
  • How attackers use domain generation algorithms (DGAs)
  • How unknown domains differ from known-malicious ones
  • How to isolate endpoints beaconing through DNS
  • How passive DNS and DPI support threat hunting

Security Operations Skills Covered:
  ✔ Network monitoring
  ✔ SIEM correlation
  ✔ DNS analysis
  ✔ Anomaly detection
  ✔ C2 discovery
  ✔ Incident response actions
  ✔ Threat hunting fundamentals

This scenario reinforces key concepts from:
  • Security+ (SY0-701) — Network monitoring, DNS analysis, anomaly detection
  • CySA+ (CS0-003) — DNS-based threat detection, DGA identification, C2 behavior analytics

Designed for exam learners and working defenders.

Ideal for:
  — Security+ learners
  — CySA+ candidates
  — SOC Tier 1 analysts
  — Threat hunters
  — Anyone learning practical detection techniques

This episode blends exam clarity with real-world intuition — teaching DNS detection the way defenders actually experience it.

New episodes weekly.

Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles. Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/

CyberLex Learning — Forge the Defender.

26 Dec 2025 - 3 min

Episode 8 — The Process That Hid in Memory | Security Operations: EDR Detection & Fileless Attacks

EPISODE 8 — THE PROCESS THAT HID IN MEMORY

Security+ Domain 4 concepts • CySA+ behavioral analytics • SOC fileless attack detection

Modern attackers don’t always drop files. Sometimes the entire attack happens in memory — invisible to antivirus, bypassing traditional scans, and relying on stealth to stay ahead of the SOC.

In this cinematic scenario, you’ll see how defenders detect fileless techniques through subtle signals: unusual PowerShell behavior, reflective loading, credential access attempts, and processes that should never run the way they’re running.

What you’ll learn:
  • How fileless attacks operate without touching disk
  • Why memory-only processes are early indicators of compromise
  • How EDR/XDR telemetry exposes reflective loading & AMSI bypass attempts
  • How attackers attempt credential access through LSASS
  • What suspicious PowerShell behavior looks like
  • How to isolate, contain, and escalate memory-resident threats

Security Operations Skills Covered:
  ✔ EDR/XDR telemetry interpretation
  ✔ Memory analysis fundamentals
  ✔ Fileless malware techniques
  ✔ Behavioral & heuristic detection
  ✔ Credential theft monitoring
  ✔ Threat hunting signals
  ✔ Incident response workflow for in-memory attacks

This scenario reinforces key concepts from:
  • Security+ (SY0-701) — EDR/XDR, behavioral detection, malware identification, IR workflows
  • CySA+ (CS0-003) — Memory-based attacks, credential access attempts, advanced detection analytics

Designed to support both exam learners and working SOC analysts.

Ideal for:
  — Security+ learners
  — CySA+ learners
  — SOC Tier 1 analysts
  — Blue team defenders
  — Incident responders
  — Anyone learning how modern attackers avoid traditional AV

Short. Cinematic. Practical. A real-world look into attacks designed to stay invisible.

New episodes weekly.

Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles. Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/

CyberLex Learning — Forge the Defender.

19 Dec 2025 - 3 min

Episode 7 — The Cloud Bucket Created at 3:14 A.M. | Security Operations: Cloud Monitoring & Rogue Resource Detection

CyberLex Blue Team Academy — Where Defenders Are Forged.

EPISODE 7 — THE CLOUD BUCKET CREATED AT 3:14 A.M.

Security+ Domain 4 concepts • CySA+ cloud analytics • SOC cloud misconfiguration detection

Cloud breaches rarely begin with loud signals. Most start with something small — a resource you didn’t create. At 3:14 A.M., a new storage bucket appears. No change request. No automation job. No scheduled deployment. Just a new asset, quietly created in your cloud environment.

In this cinematic scenario, you’ll learn how defenders spot unauthorized cloud resources — and how attackers exploit misconfigurations to pivot, store payloads, or prepare for data exfiltration.

What you’ll learn:
  • How unauthorized buckets reveal early attacker activity
  • Why service account misuse is one of the biggest cloud risks
  • How to read IAM logs, API calls, and CloudTrail events for abnormal activity
  • How attackers conduct stealthy cloud reconnaissance
  • Why misconfigurations are the easiest path into cloud environments
  • How SOC teams contain and remove rogue cloud assets safely

Security Operations Skills Covered:
  ✔ Cloud monitoring and alerting
  ✔ IAM misconfigurations & service account abuse
  ✔ API call pattern analysis
  ✔ Cloud log correlation and investigation
  ✔ Reconnaissance behavior in cloud environments
  ✔ Incident response workflow for cloud-based threats
  ✔ Secure bucket configuration and guardrails

This scenario reinforces key concepts from:
  * Security+ (SY0-701) — Cloud monitoring, access control, misconfigurations, security operations
  * CySA+ (CS0-003) — Cloud event analysis, behavioral detection, service account misuse

Designed for learners AND real-world defenders.

Ideal for:
  * Security+ learners
  * CySA+ learners
  * SOC Tier 1–2 analysts
  * Cloud security beginners
  * DevOps / SRE teams learning secure operations
  * Anyone learning how attackers exploit cloud misconfigurations

Short. Cinematic. Practical. Cloud security, told the way defenders actually experience it.

New episodes weekly.

Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles. Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/

CyberLex Learning — Forge the Defender.

14 Dec 2025 - 3 min

Episode 6 — The Email That Passed Every Check | Security Operations: Email Threat Detection & Identity Attacks

CyberLex Blue Team Academy — Where Defenders Are Forged.

EPISODE 6 — THE EMAIL THAT PASSED EVERY CHECK

Security+ Domain 4 concepts • CySA+ email threat analytics • SOC identity attack detection

Some of the most dangerous attacks never look dangerous at all. No spelling errors. No suspicious attachments. No fake branding. Everything passes SPF, DKIM, and DMARC. To most users, the email looks perfect — identical to one the organization would send. But to a trained defender, subtle signals reveal something deeper: a credential-harvesting attempt built to bypass filters and survive scrutiny.

In this cinematic scenario, you’ll explore how attackers craft stealthy phishing campaigns — and how defenders detect them before identities are stolen.

What you’ll learn:
  • How advanced phishing bypasses traditional email filters
  • Why lookalike domains are so effective
  • How credential-harvesting portals mimic corporate systems
  • Quiet signals buried in headers, links, and timing
  • How MFA fatigue and credential stuffing follow phishing attacks
  • How SOC analysts respond to stealthy identity-based threats

Security Operations Skills Covered:
  ✔ Email filtering fundamentals
  ✔ Threat hunting for subtle indicators
  ✔ Identity anomalies
  ✔ Phishing detection
  ✔ Sandbox analysis
  ✔ Log correlation
  ✔ Credential misuse detection
  ✔ Incident escalation workflows

This scenario reinforces key concepts from:
  * Security+ (SY0-701) — Email security, phishing detection, IAM misuse, incident escalation
  * CySA+ (CS0-003) — Behavioral email analysis, threat hunting, credential misuse patterns

Designed for learners AND working defenders.

Ideal for:
  * Security+ learners
  * CySA+ learners
  * ISC2 CC beginners
  * SOC Tier 1–2 analysts
  * Blue team defenders
  * Anyone developing real-world email threat detection instincts

Short. Cinematic. Practical. This episode blends exam relevance with true defender intuition.

New episodes weekly. Security Operations told through story-driven scenarios.

Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles. Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/

CyberLex Learning — Forge the Defender.

13 Dec 2025 - 3 min
