The Ultimate SOC Analyst’s Toolkit: 25+ Commands to Master MDR, XDR, and Threat Hunting

Listen to this Post

Featured Image

Introduction:

The modern Security Operations Center (SOC) is evolving beyond traditional SIEMs, embracing Managed Detection and Response (MDR) and Extended Detection and Response (XDR) frameworks. This shift demands that analysts possess a versatile toolkit to hunt threats, automate response, and leverage intelligence effectively. Mastering a core set of commands across various platforms is no longer optional; it’s fundamental to modern cybersecurity defense.

Learning Objectives:

  • Acquire proficiency in command-line investigations for both Windows and Linux environments prevalent in enterprise networks.
  • Learn to utilize built-in tooling for advanced hunting and to trigger security alerts without dependency on ingested data.
  • Understand key commands for validating threat intelligence and automating initial response actions to common attack patterns.

You Should Know:

1. Hunting for Persistence: Registry & Cron

Persistence mechanisms are a primary focus for attackers. On Windows, the registry is a common location, while Linux attackers often abuse cron jobs or service files.

Windows Registry Query:

Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Format-List
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" | Format-List

Step-by-step guide: These PowerShell commands query the Machine (HKLM) and User (HKCU) run keys, which automatically execute programs on boot. Analysts should scrutinize any unfamiliar entries, comparing them against known-good binaries and their digital signatures.

Linux Cron Inspection:

sudo cat /etc/crontab
sudo ls -la /etc/cron./
sudo crontab -l -u root
sudo crontab -l -u <username>

Step-by-step guide: Review the system-wide crontab file, check the contents of the cron.daily, cron.hourly, etc., directories, and list the cron jobs for the root user and other users. Any job executing a script from a temporary or world-writable directory is highly suspicious.

2. Network Connection Analysis

Identifying unauthorized network connections is a cornerstone of threat hunting and incident response.

Windows Netstat & Process Mapping:

netstat -ano | findstr ESTABLISHED
tasklist /FI "PID eq <PID>"

Step-by-step guide: The first command lists all established connections and their associated Process ID (PID). The second command maps the PID to a running process. Correlate this with threat intelligence to identify callbacks to known malicious IPs.

Linux ss & lsof:

sudo ss -tunlp
sudo lsof -i -P -n

Step-by-step guide: The `ss` command (modern replacement for netstat) shows listening (-l) and established connections, displaying ports (-P), numeric addresses (-n), and the associated process (-p). `lsof` provides a detailed list of all open internet (-i) files and the processes that opened them.

3. Process Investigation & Discovery

Understanding running processes is critical for identifying malware, exploits, and unauthorized software.

Windows PowerShell Process Enumeration:

Get-Process | Where-Object {$_.CPU -gt 50} | Format-Table -AutoSize
Get-WmiObject -Class Win32_Process | Select-Object Name, ProcessId, CommandLine

Step-by-step guide: The first command filters processes consuming high CPU, a potential indicator of compromise. The second uses WMI to get a comprehensive list of all processes with their full command lines, which is essential for spotting malicious arguments.

Linux Process Tree & Details:

ps aux --sort=-%cpu | head -10
pstree -p
ls -l /proc/<PID>/exe

Step-by-step guide: `ps aux` shows all processes; sorting by CPU helps find resource-intensive malware. `pstree` visualizes parent-child process relationships, crucial for understanding attack chains. Reading `/proc//exe` reveals the actual path of the executable behind the process.

4. File System Timeline & Integrity Checking

Attackers leave traces on disk. Finding recently modified files or verifying system binary integrity is a key investigative step.

Windows Recent File Modification:

forfiles /P C:\Windows\System32 /S /D -1 | findstr /V "$Recycle.Bin"

Step-by-step guide: This command recursively searches (/S) the `System32` directory for files modified in the last day (/D -1), excluding the recycle bin. A sudden change to a core OS file is a major red flag.

Linux Find Modified Files & Hashing:

sudo find / -xdev -type f -mtime -1 -print
sudo sha256sum /usr/bin/sshd

Step-by-step guide: The `find` command locates all files on the root filesystem (/) modified in the last 24 hours (-mtime -1). Calculating and comparing the SHA256 hash of critical binaries like `sshd` against a known-good baseline can reveal trojanized system tools.

5. Leveraging Windows Event Logs for Alerting

Directly querying the Windows Event Log can be a powerful method to identify suspicious activity and even trigger alerts without needing to ingest all data into a SIEM.

PowerShell Event Log Query:

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625,4624; StartTime=(Get-Date).AddHours(-1)} -MaxEvents 50 | Select-Object TimeCreated, Message

Step-by-step guide: This command retrieves successful (4624) and failed (4625) logon events from the Security log from the last hour. A high volume of failed logons followed by a success could indicate a brute-force attack. Scripting this to run periodically can serve as a lightweight, native detection mechanism.

6. Validating Threat Intelligence IOCs

Once you have a threat intelligence feed, you need to quickly check your environment for known-bad indicators (IPs, Domains, Hashes).

Cross-Platform IOC Hunt with find:

 Hunt for a known malicious file hash
find / -xdev -type f -exec sha256sum {} + 2>/dev/null | grep -i "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

Check for connections to a known malicious IP
sudo netstat -tunap | grep 192.0.2.100

Step-by-step guide: The first command calculates the SHA256 hash of every file on the system and greps for the known-bad hash. The second command checks active network connections for the malicious IP. These are immediate triage steps upon receiving a new IOC.

7. User and Logon Session Analysis

Understanding who is logged on and from where is vital for detecting lateral movement and account misuse.

Windows Logon Sessions:

query user
logoff <sessionid>

Step-by-step guide: The `query user` command lists all active user sessions on a system, including the source IP for RDP sessions. If an unknown or suspicious session is identified, it can be terminated immediately with the `logoff` command using the session ID.

Linux Who & Last:

who -a
last -i

Step-by-step guide: The `who` command shows all users currently logged on and their source IP. The `last` command shows a history of logins, including their source IP addresses (-i option), helping to track an attacker’s movement over time.

What Undercode Say:

  • The barrier to effective defense is not a lack of tools, but a lack of foundational command-line fluency. The most sophisticated XDR platform is only as good as the analyst interpreting its data and performing manual verification.
  • The future of detection engineering lies in the seamless integration of automated playbooks with the analyst’s ability to conduct deep, manual investigation using these core utilities. Automation handles the known, while skilled analysts armed with these commands investigate the unknown.

The recent push towards MDR and XDR outlined in the Detect.FYI articles emphasizes outsourcing 24/7 monitoring, but the onus of deep investigation and response ultimately falls on internal teams. The analysts who thrive will be those who can move beyond the automated alert console and use these fundamental commands to validate, investigate, and contain threats with precision. This skillset allows for the effective prioritization and integration of response automation, as it provides the context needed to build reliable playbooks.

Prediction:

The convergence of MDR, XDR, and AI-driven analytics will not replace the need for hands-on technical skills; it will elevate their importance. As automation handles routine triage, human analysts will be tasked with investigating increasingly complex and novel attacks. The analysts who can fluidly navigate between automated alerts and manual command-line investigation to perform deep forensic analysis will become the most critical—and scarce—assets in cybersecurity. The ability to manually trigger alerts and hunt without total reliance on ingested data, as highlighted in the referenced articles, will become a standard requirement for senior SOC roles, fundamentally shifting hiring practices and training programs towards deep technical proficiency.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Inode Detectionengineering – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky