
Introduction:
The journey from an IT enthusiast to a Security Operations Center (SOC) Analyst is paved with practical skills and hands-on tool mastery. In today’s threat landscape, proficiency in command-line interfaces across operating systems is not just an advantage—it’s a necessity for effective monitoring, investigation, and response. This article distills core technical commands required to excel in a SOC role, providing a verified toolkit for aspiring and current analysts.
Learning Objectives:
- Master fundamental Linux and Windows commands for log analysis and system interrogation.
- Understand how to use command-line tools for network monitoring and threat detection.
- Develop a workflow for initial incident triage and evidence collection.
You Should Know:
1. Linux System Interrogation for Suspicious Processes
A SOC analyst’s first response to an alert often involves checking for malicious processes on a Linux endpoint.
ps aux --sort=-%mem | head -10
Step-by-step guide: This command lists all running processes (ps aux), sorts them by memory usage in descending order (--sort=-%mem), and displays only the top 10 memory-consuming processes (head -10). High memory usage by an unknown process can be a key indicator of compromise, such as a cryptocurrency miner or malware.
ls -la /proc/<PID>/exe
Step-by-step guide: After identifying a suspicious Process ID (PID) from the first command, use this to find the exact path of the executable that launched the process; replace `<PID>` with that ID (`readlink -f /proc/<PID>/exe` prints only the target path). A binary running from a scratch location such as `/tmp`, or one shown as `(deleted)` because it was removed from disk after launch, is a strong signal to investigate further.
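The two checks above can be chained into one triage pass. The following Bash script is an added example, not code from the article: it lists the top memory consumers, resolves each one's `/proc/<PID>/exe` link, and applies a small, hypothetical set of red-flag rules (scratch directories, hidden path components, deleted binaries). The rule set is an assumption chosen for illustration; tune it to your environment.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): resolve the executable behind each of the
# top-N memory consumers and flag paths that warrant a closer look.

# Return 0 (true) when an executable path matches a common red flag (assumed rule set):
# world-writable scratch dirs, a hidden path component, or a binary deleted after launch.
suspicious_exe_path() {
  case "$1" in
    "")                            return 0 ;;  # unreadable link: verify by hand
    *" (deleted)")                 return 0 ;;  # binary removed from disk while running
    /tmp/*|/var/tmp/*|/dev/shm/*)  return 0 ;;  # scratch locations
    */.*)                          return 0 ;;  # hidden directory or file name
    *)                             return 1 ;;
  esac
}

# Resolve /proc/<pid>/exe; prints an empty string when the link is not readable
# (other users' processes need root).
exe_path_of() {
  readlink "/proc/$1/exe" 2>/dev/null || true
}

# Print the top-N memory consumers with their resolved executable and a verdict.
triage_top_processes() {
  local n="${1:-10}" pid user mem comm path verdict
  ps -eo pid=,user=,%mem=,comm= --sort=-%mem | head -n "$n" |
  while read -r pid user mem comm; do
    path=$(exe_path_of "$pid")
    if suspicious_exe_path "$path"; then verdict=REVIEW; else verdict=ok; fi
    printf '%-7s %-12s %5s%% %-16s %-40s %s\n' \
      "$pid" "$user" "$mem" "$comm" "${path:-<unreadable>}" "$verdict"
  done
}

# Run the live triage only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  triage_top_processes "${2:-10}"
fi
```

Run it as `sudo bash triage.sh --run 10` so that every `/proc/<PID>/exe` link is readable; a `REVIEW` verdict is a prompt to look at the process, not proof of compromise.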
2. Windows Event Log Extraction with PowerShell
Windows Event Logs are a goldmine for forensic analysis. PowerShell allows for efficient querying.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 10
Step-by-step guide: This PowerShell cmdlet returns the 10 most recent failed logon events (Event ID 4625) from the Security log. Filtering inside `-FilterHashtable` matters: piping `-MaxEvents 10` into `Where-Object {$_.ID -eq 4625}` would first take the 10 newest events of any ID and only then filter them, which usually returns nothing. A spike in 4625 events can indicate a brute-force attack.
Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=(Get-Date).AddHours(-24)} | Group-Object ID | Sort-Object Count -Descending
Step-by-step guide: This more advanced command retrieves all System log events from the last 24 hours and groups them by Event ID, sorted by frequency. This is excellent for spotting anomalous activity or recurring system errors that might be related to an attack.
3. Network Connection Analysis
Identifying unauthorized network connections is crucial for detecting backdoors or data exfiltration.
Linux:
netstat -tulpn
Step-by-step guide: The `netstat` command displays network statistics. The flags `-t` (TCP), `-u` (UDP), `-l` (listening sockets only), `-p` (show PID/program name), and `-n` (numerical addresses, no DNS lookups) combine to show all listening ports and the associated processes, helping to identify unknown services. Run it as root, otherwise `-p` cannot show the owner of other users' sockets. On distributions that no longer ship the legacy `net-tools` package, `ss -tulpn` gives the same view.
Windows:
netstat -ano
Step-by-step guide: The Windows equivalent: `-a` shows all connections and listening ports, `-n` displays addresses numerically, and `-o` shows the owning process ID. Cross-reference the PID with Task Manager (or `tasklist /fi "PID eq <PID>"`) to investigate suspicious connections.
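Reading a long listener list by eye is error-prone, so the usual check is to compare it against what the host is supposed to expose. The Bash function below is an added example, not the article's code: it reads `netstat -tulpn` output, ignores loopback-only services, and prints every listener whose protocol/port is not on an allowlist you supply. The sample output is constructed for the example, and the allowlist is an assumption for a host that should only run SSH, a web server and a DHCP client.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): report listeners reachable from the network
# whose proto/port is not on an expected-services allowlist.

# Constructed sample in the shape of `netstat -tulpn` output (not a real capture).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      990/postgres
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2311/nc
tcp6       0      0 :::80                   :::*                    LISTEN      1203/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient'

# Read netstat lines on stdin; $1 is a space-separated allowlist such as "tcp/22 tcp/80 udp/68".
# Prints "proto/port bind-address pid/program" for each unexpected, externally reachable listener.
unexpected_listeners() {
  awk -v allow=" $1 " '
    $1 ~ /^(tcp|udp)6?$/ {
      proto = substr($1, 1, 3)                   # tcp6 -> tcp, udp6 -> udp
      n = split($4, part, ":"); port = part[n]   # port is the text after the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "::1") next   # loopback-only: not exposed
      if (index(allow, " " proto "/" port " ") == 0) print proto "/" port, addr, $NF
    }'
}

# Live use (root needed for -p to name every owner):
#   netstat -tulpn | unexpected_listeners "tcp/22 tcp/80 udp/68"
```

The port-based allowlist is deliberately simple; the PID/program column it prints is what you then feed into the `/proc/<PID>/exe` check from section 1. `ss -tulpn` reports the same sockets but with different columns, so the field positions in the `awk` program would need adjusting for it.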
4. File System Timeline Analysis for IOC Hunting
Creating a timeline of file activity can uncover Indicators of Compromise (IOCs).
Linux:
find / -type f -name "*.php" -mtime -1 2>/dev/null
Step-by-step guide: This command searches the entire filesystem (`/`) for regular files (`-type f`) whose name ends in `.php` (`-name "*.php"`; the wildcard is required, otherwise only a file literally named `.php` matches) and that were modified within the last 24 hours (`-mtime -1`). Any recent, unexpected modification to PHP files in a web directory could indicate a web shell upload. `2>/dev/null` suppresses permission-denied errors.
Windows (PowerShell):
Get-ChildItem -Path C:\ -Include *.exe -Recurse -ErrorAction SilentlyContinue | Where-Object LastWriteTime -gt (Get-Date).AddDays(-1)
Step-by-step guide: This recursively searches the C: drive for all `.exe` files whose `LastWriteTime` falls within the last day. `-Include *.exe` only takes effect together with `-Recurse` (or a wildcard in `-Path`), and the `-ErrorAction SilentlyContinue` parameter handles access errors gracefully. This is useful for finding recently dropped malware.
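A list of recently changed files is more useful as an ordered timeline. The Bash script below is an added example, not the article's code: `recent_files` wraps the `find` command from the Linux section with `-printf` so each hit carries its modification time and the results sort chronologically, and `demo_timeline` exercises it on a constructed directory (an old PHP file, a fresh PHP file in an uploads directory, and a fresh non-PHP file). It relies on GNU `find` and GNU `touch`.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): sorted modification-time timeline of recently
# changed files matching a name pattern.

# Print "epoch-seconds ISO-time path" for files under $1 matching $2 modified within $3 days,
# oldest first. Permission errors are discarded like in the article's find command.
recent_files() {
  local dir="$1" pattern="$2" days="$3"
  find "$dir" -type f -name "$pattern" -mtime "-$days" \
       -printf '%T@ %TY-%Tm-%TdT%TH:%TM %p\n' 2>/dev/null | sort -n
}

# Constructed scenario (not real data): one PHP file touched ten days ago, a fresh PHP
# file in an upload directory, and a fresh file that does not match the pattern.
demo_timeline() {
  local dir; dir=$(mktemp -d)
  mkdir -p "$dir/site/uploads"
  printf '<?php /* placeholder */\n' > "$dir/site/index.php"
  touch -d '10 days ago' "$dir/site/index.php"            # old, expected file
  printf '<?php /* placeholder */\n' > "$dir/site/uploads/x.php"   # fresh file in uploads
  printf 'hello\n' > "$dir/site/readme.txt"                # fresh, but not *.php
  recent_files "$dir/site" '*.php' 1 | awk '{ print $3 }'  # paths only, for stable output
  rm -rf "$dir"
}
```

Two caveats a timeline should carry: `-mtime` is the file's content modification time, which an intruder can reset with `touch`, so also look at `-ctime` (the inode change time, which `touch` cannot set) when a file looks too old to be true; and for a precise window use `-newermt '2024-05-01 00:00'` instead of whole-day `-mtime` buckets.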
5. Command-Line Packet Inspection with tcpdump
When a full-featured SIEM is unavailable, `tcpdump` provides deep packet inspection.
tcpdump -i any -n port 53
Step-by-step guide: This command captures packets on any interface (-i any), without resolving hostnames (-n), on port 53 (DNS). Monitoring DNS queries can reveal malware communicating with its command-and-control (C2) server through DNS tunneling or beaconing to suspicious domains.
tcpdump -i eth0 -w capture.pcap host 192.168.1.100
Step-by-step guide: This captures all traffic to and from the host `192.168.1.100` on interface `eth0` and writes the raw packets to a file `capture.pcap` for later, more detailed analysis in a tool like Wireshark.
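The DNS capture from the first `tcpdump` command is only useful once the queried names are pulled out and summarised. The Bash functions below are an added example, not the article's code: `extract_queries` parses the text `tcpdump` prints for DNS queries, and `flag_dns_tunneling` applies two common tunneling heuristics (very long labels, and many distinct names under one parent domain). The sample lines are constructed, the thresholds are assumptions, and treating the last two labels as the "parent domain" is a simplification that mis-groups names under suffixes such as `co.uk`.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): pull DNS query names out of tcpdump text output
# and flag parent domains that look like tunneling or beaconing.

# Constructed lines in the shape of `tcpdump -i any -n port 53` output (not a real capture).
TCPDUMP_SAMPLE='12:00:01.000123 IP 10.0.0.5.51234 > 10.0.0.1.53: 41120+ A? www.example.com. (33)
12:00:01.000456 IP 10.0.0.1.53 > 10.0.0.5.51234: 41120 1/0/0 A 203.0.113.10 (49)
12:00:02.100000 IP 10.0.0.5.51235 > 10.0.0.1.53: 41121+ A? mail.example.com. (34)
12:00:03.200000 IP 10.0.0.5.51236 > 10.0.0.1.53: 41122+ TXT? 3fa9c1e2b7d4a5f6e8c9d0b1a2f3e4d5a6b7.t.example.net. (78)
12:00:04.300000 IP 10.0.0.5.51237 > 10.0.0.1.53: 41123+ TXT? 0b1a2f3e4d5c6b7a8f9e0d1c2b3a4f5e6d7c.t.example.net. (78)
12:00:05.400000 IP 10.0.0.5.51238 > 10.0.0.1.53: 41124+ TXT? e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a0f1.t.example.net. (78)'

# Read tcpdump lines on stdin; print "QTYPE name" for each query (responses carry no "?").
extract_queries() {
  awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /\?$/) { q = $(i + 1); sub(/\.$/, "", q); print substr($i, 1, length($i) - 1), q }
  }'
}

# Read "QTYPE name" lines; flag a parent domain when any label is longer than $1 characters
# or when at least $2 distinct names were queried under it. Output: "parent uniq-count flag".
flag_dns_tunneling() {
  awk -v maxlabel="$1" -v minsub="$2" '
    {
      n = split($2, lab, ".")
      base = (n >= 2) ? lab[n - 1] "." lab[n] : $2      # simplification: last two labels
      if (!($2 in seen)) { seen[$2] = 1; uniq[base]++ }
      for (i = 1; i <= n; i++) if (length(lab[i]) > maxlabel) longlab[base] = 1
    }
    END {
      for (b in uniq)
        if (uniq[b] >= minsub || (b in longlab))
          print b, uniq[b], ((b in longlab) ? "long-label" : "-")
    }' | sort
}

# Live use: tcpdump -i any -n -l port 53 | extract_queries | flag_dns_tunneling 30 50
```

`-l` makes `tcpdump` line-buffer its output so the pipeline sees queries as they arrive. The thresholds used in the test (30-character labels, 3 names) are small so the constructed sample trips them; on a real network the per-domain count threshold must be far higher, and a hit is a lead to compare against the process and file checks, not a verdict.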
6. User and Logon Session Investigation
Understanding who is logged on and their activity is fundamental.
Linux:
who /var/log/wtmp
last -f /var/log/btmp
Step-by-step guide: These are two separate commands. `who` reports logged-in users; pointed at the `wtmp` file it lists the login records stored there (run without an argument it reads the current-session table instead). The `last` command, reading from the `btmp` file (`lastb` is the shorthand), shows a history of failed login attempts, which is critical for identifying brute-force attacks.
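Both the Windows failed-logon events from section 2 (Event ID 4625) and the Linux `btmp` records above answer the same question: which source is hammering the logon service. The Bash functions below are an added example, not the article's code: two small extractors normalise each input to one source address per failure, and `flag_sources` counts them and reports the sources at or above a threshold. The Windows input is a constructed CSV in the shape of an `Export-Csv` of 4625 events with an `IpAddress` column (which column carries the address is an assumption about how the export was built); the Linux input is constructed `last -f /var/log/btmp` output.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): count failed logons per source address from a
# Windows Security-log CSV export and from Linux btmp records, then flag the noisy sources.

# Constructed CSV in the shape of an Export-Csv of Security events (not real data).
FAILED_LOGON_CSV='"TimeCreated","Id","TargetUserName","IpAddress"
"2024-05-01 08:00:01","4625","administrator","203.0.113.7"
"2024-05-01 08:00:02","4625","administrator","203.0.113.7"
"2024-05-01 08:00:03","4625","admin","203.0.113.7"
"2024-05-01 08:00:04","4625","backup","203.0.113.7"
"2024-05-01 08:00:05","4624","jsmith","198.51.100.20"
"2024-05-01 08:00:06","4625","jsmith","198.51.100.20"'

# Constructed lines in the shape of `last -f /var/log/btmp` output (not real data).
BTMP_SAMPLE='root     ssh:notty    203.0.113.7      Wed May  1 08:00 - 08:00  (00:00)
root     ssh:notty    203.0.113.7      Wed May  1 08:00 - 08:00  (00:00)
admin    ssh:notty    203.0.113.7      Wed May  1 08:01 - 08:01  (00:00)
jsmith   ssh:notty    198.51.100.20    Wed May  1 08:02 - 08:02  (00:00)

btmp begins Wed May  1 00:00:00 2024'

# Emit one source address per failed logon (Event ID 4625) from the CSV on stdin.
sources_from_csv() {
  awk -F',' '{ gsub(/"/, "") } NR > 1 && $2 == "4625" { print $4 }'
}

# Emit one source address per btmp record on stdin; skip blank lines and the trailer.
sources_from_btmp() {
  awk 'NF >= 3 && $1 != "btmp" { print $3 }'
}

# Read sources on stdin; print "count source" for sources seen at least $1 times,
# most frequent first.
flag_sources() {
  sort | uniq -c | awk -v t="$1" '$1 >= t { print $1, $2 }' | sort -k1,1nr -k2,2
}

# Live Linux use: last -f /var/log/btmp | sources_from_btmp | flag_sources 20
```

The same counting step serves both inputs, which is the point: once each platform's log is reduced to "one line per failure with its source", thresholding and ranking are platform-independent. Pair a flagged source with the `quser` or `who` output to see whether any of those attempts eventually succeeded.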
Windows:
quser /server:SERVERNAME
Step-by-step guide: This command queries active user sessions on a remote server. Replace `SERVERNAME` with the actual hostname. Discovering unexpected active sessions, especially from unusual accounts or IP addresses, can indicate credential theft or lateral movement.
7. Integrity Checking with File Hashes
Verifying the integrity of system files against known-good baselines can detect tampering.
Windows (PowerShell):
Get-FileHash C:\Windows\System32\cmd.exe -Algorithm SHA256
Step-by-step guide: This PowerShell command calculates the SHA-256 hash of the critical `cmd.exe` file. Compare this hash against a known-good baseline hash. A mismatch suggests the file has been replaced by a malicious version, a common technique for persistence.
Linux:
sha256sum /bin/ls
Step-by-step guide: The Linux equivalent for hashing a file. Regularly hash critical binaries in `/bin`, `/usr/bin`, and `/sbin` and compare them to a trusted source to detect rootkits or trojaned system utilities.
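Hashing one file at a time does not scale; the practical form of this check is a stored baseline that `sha256sum --check` verifies in one pass. The Bash script below is an added example, not the article's code: `make_baseline` records the hash of every file under a directory, `verify_baseline` reports only the files that no longer match or have gone missing, and `demo_integrity` shows the flow on a constructed directory in which one "tool" is replaced after the baseline was taken.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): build and verify a SHA-256 baseline of a directory tree.

# Write "hash  path" for every regular file under $1, sorted by path, to stdout.
make_baseline() {
  find "$1" -type f -exec sha256sum {} + | sort -k2
}

# Verify the baseline file $1; print one "path: FAILED ..." line per changed or missing file.
# --quiet suppresses the OK lines; grep's exit status is masked so the function always returns 0.
verify_baseline() {
  sha256sum --check --quiet "$1" 2>/dev/null | grep ': FAILED' || true
}

# Constructed scenario (not real data): two files are baselined, then one is replaced.
demo_integrity() {
  local dir; dir=$(mktemp -d)
  printf 'original tool\n' > "$dir/tool.bin"
  printf 'config\n'        > "$dir/app.conf"
  make_baseline "$dir" > "$dir.baseline"      # keep the baseline outside the tree it covers
  printf 'replaced tool\n' > "$dir/tool.bin"  # simulate a swapped binary
  verify_baseline "$dir.baseline"
  rm -rf "$dir" "$dir.baseline"
}
```

Store the baseline somewhere the monitored host cannot silently rewrite it (read-only media or a central server), since a baseline kept beside the binaries it protects can be regenerated by whoever replaced them. For packaged files, `rpm -V` and `debsums` compare against the distribution's own recorded hashes and are a good cross-check.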
What Undercode Say:
- The Command Line is the Analyst’s First Responder Kit. GUI-based tools are valuable, but the speed, scriptability, and universal availability of the command line make it indispensable for initial triage and investigation across diverse environments.
- Context is King. A single command rarely tells the whole story. The true skill of a SOC analyst lies in correlating output from multiple commands—linking a suspicious network connection from `netstat` to a process from `ps` and its file path from `/proc`—to build a narrative of the attack.
The provided commands represent a foundational toolkit, but their power is unlocked through practiced workflows. Automation through scripting (Bash, PowerShell) to run these checks systematically is the logical next step for efficiency. The evolution of SOC work will increasingly blend these traditional command-line skills with AI-driven SIEMs and SOAR platforms. However, the ability to manually verify alerts and dig into the raw data of a system will remain a critical, trust-building skill for any cybersecurity professional. Automation can flag anomalies, but human expertise, guided by these core commands, confirms the threat.
Prediction:
The future of SOC analysis will see AI assistants pre-correlating data and suggesting investigative queries, dramatically reducing Mean Time to Detect (MTTD). However, this will elevate the importance of fundamental command-line skills rather than replace them. Analysts will need deep technical understanding to validate AI-generated findings, investigate edge cases, and respond to attacks that deliberately evade automated detection by mimicking normal system behavior. The human analyst, armed with a verified command repertoire, will remain the final authority in the incident response chain.
Reported By: Naresh0 Careerjourney – Hackers Feeds