Listen to this Post
Introduction:
Security Operations Center (SOC) analysts are the frontline defenders against a relentless onslaught of cyber threats. This guide provides a technical deep dive into the most common security incidents, equipping analysts with the verified commands and methodologies needed to detect, investigate, and respond effectively.
Learning Objectives:
- Identify the key indicators of compromise (IoCs) for 30 common security incidents.
- Execute critical Linux and Windows commands to investigate and triage live incidents.
- Implement immediate containment and eradication steps to mitigate active threats.
You Should Know:
1. Investigating Brute Force & Password Spraying Attacks
Verified Linux command list or code snippet:
Check for failed login attempts on Linux
sudo grep "Failed password" /var/log/auth.log
sudo grep "Invalid user" /var/log/auth.log | awk '{print $8}' | sort | uniq -c | sort -nr
Check for failed login attempts on Windows via PowerShell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | Select-Object -First 10
Step‑by‑step guide: Failed authentication logs are the primary IoC. On Linux, the `auth.log` file is the source of truth. The `awk` and `uniq` commands help identify the most targeted usernames. On Windows, PowerShell can query the Security event log for specific Event ID 4625 (logon failure). A high volume of these events from a single IP or for a single username indicates a brute-force attack, while failures for many usernames with common passwords suggest password spraying.
2. Detecting Phishing & Spear Phishing Campaigns
Verified command or code snippet:
Analyze email headers for suspicious origins curl -s https://raw.githubusercontent.com/undercode/PhishingAnalyzer/main/header_check.py | python3 - --header "email_header.txt" Check URL reputation with VirusTotal API (replace API_KEY) curl -s -X POST 'https://www.virustotal.com/vtapi/v2/url/report' --form 'apikey=API_KEY' --form 'resource="https://suspicious-url.com"'
Step‑by‑step guide: Phishing relies on deception. Analyzing email headers can reveal spoofed “From” addresses and malicious routing. The provided Python script checks header authenticity. For any embedded URLs, the VirusTotal API provides a crowdsourced reputation check. A high number of detections confirms malicious intent.
3. Triaging Malware & Ransomware Infections
Verified command or code snippet:
Windows - Identify unusual processes
Get-Process | Where-Object { $<em>.CPU -gt 50 -or $</em>.WorkingSet -gt 100MB } | Format-Table Name, CPU, WorkingSet -AutoSize
Isolate a compromised endpoint using Windows Firewall
netsh advfirewall firewall add rule name="QUARANTINE" dir=out action=block enable=yes
Step‑by‑step guide: High CPU/Memory usage by an unknown process is a classic IoC. The PowerShell command helps spot these anomalies. Upon confirmation, immediate network isolation is critical to prevent lateral movement or C2 communication. The `netsh` command blocks all outbound traffic from the host.
4. Identifying Impossible Travel and Suspicious Logins
Verified command or code snippet:
Correlate login events with GeoIP data (Example using a SIEM query) index=windows EventCode=4624 | iplocation Source_Network_Address | table _time, Account_Name, Source_Network_Address, Country_Name, Region, City | where Country_Name != "United States"
Step‑by‑step guide: Impossible travel is identified by correlating login timestamps and geolocations. This pseudo-Splunk query demonstrates the logic: filter successful logins (Event ID 4624), enrich the source IP with geography, and then flag any logins that originate from an unexpected country based on the user’s typical behavior.
5. Hunting for Command & Control (C2) Communication
Verified command or code snippet:
Linux - Check for established network connections to known-bad IPs
netstat -tunap | grep ESTABLISHED
Cross-reference connections with threat intelligence feeds
for ip in $(netstat -tn | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort -u); do
whois $ip | grep -i "country|org-name"
done
Step‑by‑step guide: C2 channels manifest as established network connections to external IPs. `netstat` reveals these connections. The subsequent loop performs a basic whois lookup on each connected IP to identify its country and organization. Connections to hosting providers or countries with no business presence are immediate red flags.
6. Uncovering Data Exfiltration via DNS Tunneling
Verified command or code snippet:
Analyze DNS query logs for unusually long subdomains or high volume
sudo tcpdump -i any -n -s 0 port 53 | awk '{print $NF}' | grep -oP '[a-zA-Z0-9.-]{50,}' | sort | uniq -c | sort -nr
Check for TXT or NULL queries which are common in tunneling
sudo tcpdump -i any -n -s 0 port 53 and 'udp[bash] & 0x80 != 0' | grep -E "(TXT|NULL)"
Step‑by‑step guide: DNS tunneling hides data in DNS queries. The first command uses `tcpdump` to capture DNS traffic and filters for exceptionally long domain names, a common trait. The second command filters for unusual DNS query types like TXT or NULL, which are not commonly used in legitimate traffic and are popular for tunneling tools.
7. Detecting Web Shells on a Compromised Server
Verified command or code snippet:
Linux - Find recently modified files in web root
find /var/www/html -name ".php" -mtime -1 -ls
Linux - Search for common web shell code patterns
grep -r "eval(|base64_decode(|shell_exec(|system(|passthru(" /var/www/html/
Step‑by‑step guide: Web shells are often PHP files uploaded to web directories. The `find` command locates recently modified files, which could indicate a new upload. The `grep` command searches the contents of files for dangerous functions often used in web shells to execute operating system commands.
What Undercode Say:
- Proactive Hunting is Non-Negotiable. Relying solely on automated alerts means you only find what you already know to look for. The most dangerous threats are those that evade your existing rules; proactive hunting using these commands is essential for uncovering them.
- Context is King. A single failed login is noise; 1,000 are an attack. A process using CPU is normal; one using CPU and calling out to a foreign IP is not. Correlating IoCs with context (volume, timing, geography) is what separates a true positive from a false alarm.
The modern SOC analyst must be equal parts programmer, network engineer, and detective. The provided commands are not just tools but the foundational elements of an investigative mindset. Mastery of the command line allows for rapid hypothesis testing and evidence gathering that GUI-based tools often obscure. The shift-left movement in security isn’t just for developers; analysts must shift left into deeper technical proficiency to keep pace with adversaries. The future of SOC work is automation-augmented, not automation-replaced, and these skills are the bedrock of that future.
Prediction:
The increasing volume and sophistication of these common incidents will push SOC capabilities towards hyper-automation. SOAR platforms will become standard, leveraging AI to auto-remediate low-complexity alerts like brute-force attacks instantly. This will free analysts to focus on advanced threat hunting and incident response for the most sophisticated attacks, particularly those leveraging AI-generated phishing and deepfakes, fundamentally elevating the role of the SOC analyst from alert triager to cyber investigator.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: https://lnkd.in/p/dTh9m_Y2 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
