HTB CDSA Guide: SOC Analysis Across DC01, PURPLE, IIS and Quantum Security Lab
When you start working on HTB CDSA SOC analysis (Cyber Defense & SOC Analyst) scenarios, it quickly becomes clear that this isn’t about exploitation—it’s about visibility.
Logs, endpoints, user activity… everything tells a story. But it rarely tells it in order.
In this walkthrough-style guide, we’ll connect key elements like DC01.corp.local, PURPLE.corp.local, IIS.corp.local, and artifacts such as invoice.doc, alongside users like Marty.Mcfly, iis_svc, and HTBDEFENSE\sallym. The goal isn’t just to list findings—but to understand how a SOC analyst would actually piece them together.
Understanding the Environment: A Multi-Host SOC Perspective
The CDSA lab environment is intentionally layered. You’re not dealing with a single compromised system—you’re observing activity across multiple hosts:
- DC01.corp.local → Domain Controller (authentication, policy control)
- PURPLE.corp.local → Likely attacker simulation / test system
- IIS.corp.local → Web server, often an initial entry point
And in parallel, another environment appears:
- DESKTOP-CFRVBB0.htbdefence.local
- WIN-HIDUIPTH344.htbdefence.local
- WIN-HHSGPJM3052.htbdefence.local
- DESKTOP-7620F3B.htbdefence.local
These systems reflect endpoint-level visibility—where detection really happens.
Starting Point: SOC Analysis Mindset
Before diving into specific artifacts, it’s important to approach CDSA like a SOC analyst would.
You’re not “attacking.” You’re:
- Reviewing logs
- Correlating events
- Identifying anomalies
That means asking questions like:
- What changed?
- Who initiated it?
- Does this behavior match normal patterns?
Because in most cases, the compromise isn’t hidden—it’s just buried in noise.
Suspicious Document: invoice.doc as an Entry Vector
Files like invoice.doc are classic initial access vectors.
At first glance, it looks harmless. But in SOC investigations, documents like this often:
- Contain macros
- Trigger PowerShell or script execution
- Lead to outbound connections
If you see this file referenced in logs (email, downloads, or execution events), it’s a strong indicator of:
➡️ Phishing-based initial access
The key is to trace:
- Which user opened it
- What process spawned from it
- What happened immediately after
User Activity: Marty.Mcfly and Initial Compromise
The user Marty.Mcfly stands out as a likely entry point.
In many CDSA scenarios, a standard domain user:
- Opens a malicious attachment
- Executes embedded content
- Triggers the first stage of compromise
From a SOC perspective, you’d look for:
- Office process spawning PowerShell (e.g., winword.exe → powershell.exe)
- Unusual outbound connections
- Script execution logs
This is where the attack chain begins.
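To make the winword.exe → powershell.exe check concrete, here is an added example (not code from the HTB lab or this walkthrough) that scans Sysmon-style process-creation records for Office parents spawning scripting engines and pulls the parent's own command line into the alert, so the document that was opened (invoice.doc) is visible next to the spawn. The field names, process IDs and sample events are constructed assumptions.

```python
# Added example, not part of the HTB CDSA lab or this walkthrough: flag an
# Office process spawning a scripting engine and trace the parent back to the
# document it had open. Records are constructed to resemble Sysmon Event ID 1
# fields; host and user names are borrowed from the walkthrough text.
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe"}

def image_name(path):
    """Normalise a full image path to its lowercase file name."""
    return PureWindowsPath(path).name.lower()

def office_spawned_script(event):
    return (image_name(event.get("ParentImage", "")) in OFFICE_PARENTS
            and image_name(event.get("Image", "")) in SCRIPT_CHILDREN)

def find_office_script_chains(events):
    """One dict per suspicious spawn, including the parent's own command line,
    which usually names the document that was opened."""
    by_pid = {(e["Computer"], e["ProcessId"]): e for e in events}
    hits = []
    for e in events:
        if not office_spawned_script(e):
            continue
        parent = by_pid.get((e["Computer"], e["ParentProcessId"]), {})
        hits.append({"host": e["Computer"], "user": e["User"],
                     "parent": image_name(e["ParentImage"]),
                     "child": image_name(e["Image"]),
                     "child_cmdline": e.get("CommandLine", ""),
                     "parent_cmdline": parent.get("CommandLine", "")})
    return hits

# Constructed sample telemetry: Word opens invoice.doc and then spawns
# PowerShell; the third event is a benign PowerShell launch from Explorer.
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "DESKTOP-CFRVBB0.htbdefence.local", "User": "CORP\\Marty.Mcfly",
     "ProcessId": 4120, "ParentProcessId": 988, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": WORD, "CommandLine": "WINWORD.EXE /n C:\\Users\\Marty.Mcfly\\Downloads\\invoice.doc"},
    {"Computer": "DESKTOP-CFRVBB0.htbdefence.local", "User": "CORP\\Marty.Mcfly",
     "ProcessId": 5316, "ParentProcessId": 4120, "ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\stage.ps1"},
    {"Computer": "WIN-HHSGPJM3052.htbdefence.local", "User": "CORP\\admin.ops",
     "ProcessId": 2200, "ParentProcessId": 1400, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": PS, "CommandLine": "powershell.exe Get-Service"},
]
```

Running `find_office_script_chains(SAMPLE_EVENTS)` returns a single alert for Marty.Mcfly whose parent command line names invoice.doc; the Explorer-launched PowerShell is not flagged.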
Service Accounts: iis_svc and Lateral Movement
After initial access, attackers often pivot.
The presence of iis_svc suggests a service account tied to IIS.corp.local. These accounts are valuable because:
- They often run with elevated privileges
- They may have access to web configs or credentials
- They’re less frequently monitored
In logs, watch for:
- Authentication attempts using iis_svc
- Access to IIS server resources
- Unexpected login locations
If a regular user account leads to service account usage, that’s a strong sign of credential harvesting and lateral movement.
Domain Controller: DC01.corp.local Indicators
The Domain Controller (DC01.corp.local) is where things escalate.
Suspicious activity here might include:
- Unusual Kerberos ticket requests
- Authentication spikes
- Privileged account usage
If you see access tied to accounts like:
- HTBDEFENSE\sallym
you should immediately ask:
- Is this normal behavior?
- Where did the authentication originate?
Because once attackers reach the DC, the impact becomes critical.
PURPLE.corp.local: Simulation or Attacker Host?
The hostname PURPLE.corp.local is a subtle hint.
“Purple” often refers to purple team environments—blending red (attack) and blue (defense). In CDSA, this could represent:
- An attacker-controlled system
- A testing node generating activity
If logs show communication with PURPLE:
- Outbound connections
- Lateral authentication
- File transfers
it’s worth treating it as a potential attacker pivot point.
Endpoint Analysis: htbdefence.local Systems
The htbdefence.local machines add another layer:
- DESKTOP-CFRVBB0.htbdefence.local
- WIN-HIDUIPTH344.htbdefence.local
- WIN-HHSGPJM3052.htbdefence.local
- DESKTOP-7620F3B.htbdefence.local
These endpoints are where you validate what actually happened.
Look for:
- Process creation logs
- Suspicious parent-child relationships
- Credential usage across hosts
For example:
➡️ A process spawned on one machine using credentials that belong to a user of another machine is a lateral movement indicator.
Correlating the Attack Chain
When you connect everything, a likely flow starts to emerge:
- invoice.doc delivered to a user (possibly Marty.Mcfly)
- Execution triggers script-based activity
- Credentials harvested or reused
- Access gained to IIS.corp.local via iis_svc
- Movement across systems in htbdefence.local
- Escalation attempts toward DC01.corp.local
- Possible interaction with PURPLE.corp.local as attacker infrastructure
This is exactly the kind of chain a SOC analyst is expected to reconstruct.
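The service-account checks from the iis_svc section and the cross-host credential check from the endpoint section, as one added example (not code from the HTB lab or this article): it correlates constructed Security 4624-style logon records from several hosts, flags iis_svc being used from a workstation outside its baseline, and lists accounts whose credentials reach several hosts within a short window, which is the sequence the chain above describes. The baseline mapping, field names and sample records are assumptions.

```python
# Added example, not part of the HTB CDSA lab or this walkthrough: correlate
# logon records from several hosts to flag a service account used from a
# workstation outside its baseline, and credentials reaching several hosts
# within a short window. Fields mimic Security event 4624 (constructed data).
from collections import defaultdict
from datetime import datetime, timedelta

SERVICE_ACCOUNT_HOSTS = {"iis_svc": {"iis"}}  # assumed baseline, short host names

def short(name):
    return name.lower().split(".")[0]  # 'IIS.corp.local' -> 'iis'

def service_account_misuse(events):  # logons on, or from, a host outside the baseline
    alerts = []
    for e in events:
        user = e["TargetUserName"].lower()
        allowed = SERVICE_ACCOUNT_HOSTS.get(user)
        if allowed is None:
            continue
        host, src = short(e["Computer"]), short(e["WorkstationName"])
        if host not in allowed or (src and src not in allowed):
            alerts.append((e["TimeCreated"], user, src, host, e["LogonType"]))
    return alerts

def cross_host_credential_use(events, window=timedelta(minutes=30), min_hosts=2):
    """Accounts whose logons reach >= min_hosts distinct hosts inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        when = datetime.strptime(e["TimeCreated"], "%Y-%m-%d %H:%M:%S")
        by_user[e["TargetUserName"].lower()].append((when, e["Computer"].lower()))
    findings = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings

# Constructed sample logons: (time, target user, logon type, source workstation, host).
_RAW = [
    ("2024-03-01 09:02:10", "Marty.Mcfly", 2, "", "DESKTOP-CFRVBB0.htbdefence.local"),
    ("2024-03-01 09:14:32", "Marty.Mcfly", 3, "DESKTOP-CFRVBB0", "WIN-HIDUIPTH344.htbdefence.local"),
    ("2024-03-01 09:16:05", "Marty.Mcfly", 3, "DESKTOP-CFRVBB0", "WIN-HHSGPJM3052.htbdefence.local"),
    ("2024-03-01 09:21:44", "iis_svc", 3, "DESKTOP-CFRVBB0", "IIS.corp.local"),
    ("2024-03-01 09:25:03", "iis_svc", 5, "", "IIS.corp.local"),  # normal service logon
]
SAMPLE_EVENTS = [dict(TimeCreated=t, TargetUserName=u, LogonType=lt,
                      WorkstationName=w, Computer=h) for t, u, lt, w, h in _RAW]
```

On the sample data `service_account_misuse` returns one alert (iis_svc reached from DESKTOP-CFRVBB0) and `cross_host_credential_use` reports Marty.Mcfly's credentials on three htbdefence.local hosts within 14 minutes, while the routine service logon on IIS itself stays quiet.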
Common Detection Opportunities
CDSA scenarios are full of detection points—if you know where to look.
Some key ones:
- Office spawning scripting engines
- Unusual service account logins
- Cross-host authentication patterns
- Suspicious document execution
- Unexpected domain controller access
Missing one is normal. Missing all of them usually means you’re not correlating events.
Practical SOC Takeaways
Working through this kind of lab builds habits that matter:
- Don’t trust single events—look for sequences
- Always tie activity back to a user or process
- Treat service accounts as high-risk
- Focus on behavior, not just alerts
Because in real SOC environments, alerts are just the starting point.
Final Thoughts
The HTB CDSA lab isn’t about finding one “right answer.” It’s about understanding how multiple small signals—across systems like DC01.corp.local, IIS.corp.local, PURPLE.corp.local, and endpoints in htbdefence.local—come together.
Artifacts like invoice.doc, users like Marty.Mcfly, and accounts such as iis_svc or HTBDEFENSE\sallym are just pieces.
The real skill is putting them together.
Vendor: https://academy.hackthebox.com/preview/certifications/htb-certified-defensive-security-analyst