Chapter 4 of 5 · SOC Analyst 80%

📄 The Word document opened clean. Then it spawned PowerShell. That one parent-child pair is how analysts catch ransomware before it encrypts.

Macros still launch PowerShell, and that process chain sits in your Windows logs if you collect the right event. Deploy Sysmon, read event 4688, and hunt the winword to powershell pair that precedes ransomware. Catch it before the files lock. 🛡️

Premium Chapter

Create a free account to access this chapter and start learning with hands-on labs.

Create Free Account

Ready to track your progress?

Create a free account to save your progress, earn XP, and access 170+ hands-on cybersecurity labs.

Start Learning Free

Course Progress

Track your learning journey

0 /5
0 % Complete
5 Remaining
Course Chapters

No chapters found for this filter

6
MITRE ATT&CK mapping
Soon Available Jul 16, 2026
7
Detection engineering with Sigma
Soon Available Jul 17, 2026
8
Threat hunting
Soon Available Jul 18, 2026
9
Threat intelligence
Soon Available Jul 19, 2026
10
SOC operations and metrics
Soon Available Jul 20, 2026
16,000+ Hackers 100+ Labs & Courses Free
Start Hacking Free