Description
We don't just monitor; we hunt.
Can you see the story of an attack in Event Logs and Wireshark traffic?
Do you understand how Kerberos, NTLM, and PKI are structured and compromised?
You don't wait for an alert but proactively search for anomalies?
For you, MITRE ATT&CK is not theory, but a work plan?
Then you belong with us! Our team is a special forces unit against targeted attacks. We are looking for someone who looks at Windows and AD internals and sees not just data, but evidence.
Responsibilities
You will:
- investigate complex incidents and hunt threats within the infrastructure
- perform deep analysis of attacks on AD, Windows OS, PKI, and the network
- automate everything possible using PowerShell/Python. Routine is not your enemy; you simply eliminate it.
Requirements
What is important to us:
- knowledge of the internal architecture of Windows OS (processes, services, registry, WMI, RPC, DACL/SACL)
- understanding and experience working with Windows OS event logs, knowledge of key security-related event IDs
- understanding of Active Directory architecture, components, and principles of operation (forest, domain, sites, services, trust)
- understanding of main attack vectors on AD (Kerberoasting, ASREPRoasting, Golden Ticket, Silver Ticket, DCSync, ACL attacks, etc.) and methods for their detection
- ability to analyze AD security configuration (auditing GPO settings, user and group access rights, delegations, etc.)
- knowledge of authentication protocols: NTLM, Kerberos (including ticket details, TGT, TGS), LDAP/LDAPS
- understanding of Public Key Infrastructure (PKI) based on Active Directory Certificate Services (AD CS)
- understanding of Certificate Authority (CA) architecture and roles, including root and subordinate CAs, certificate templates
- knowledge of key attack vectors on AD CS
- ability to analyze CA logs and settings for signs of compromise or misconfiguration leading to privilege escalation
- understanding of the process of certificate request, issuance, revocation, and distribution of Certificate Revocation Lists (CRL)
- understanding of the TCP/IP stack and key network protocols (DNS, DHCP, HTTP/S, SMB, RDP, SSH, FTP, etc.)
- understanding of network security fundamentals (firewalls, VPNs, proxies, etc.).
Will be a plus:
- experience with SIEM platforms and writing correlation rules
- understanding of cryptography basics (symmetric/asymmetric encryption, digital signatures, certificates)
- knowledge of cybersecurity frameworks (MITRE ATT&CK, Kill Chain, NIST CSF)
- ability to analyze network traffic (packets) using Wireshark or tcpdump to detect anomalies and signs of compromise (data exfiltration, C2 traffic)
- proficiency in PowerShell for automating administrative and security tasks.
Conditions
We offer:
- a comfortable, modern office
- office-based work format
- annual salary review, annual bonus
- corporate gym and recreation areas
- more than 400 educational programs from SberUniversity for professional and career development
- adaptation program and supervisor assistance at the start
- extended voluntary health insurance (DMS), preferential insurance for family members, and a corporate pension program
- flexible mortgage discount equal to 1/3 of the Central Bank's key rate
- free SberPrime+ subscription, discounts on products from partner companies
- referral bonus for recommending friends to join Sber's team.