Critical System File Deletion SSH Brute Force, Backdoor Account & auth.log Wiped | LetsDefend SOC306

Published: 16 May 2026
on channel: InkSec

Day 117 of Becoming a SOC Analyst — SOC306 Critical System File Deletion (True Positive)
The attacker at 87.249.134.136 brute-forced SSH on host Dominic (172.16.17.107) and gained access via the analyst account, which held unrestricted sudo rights. Post-login reconnaissance was followed by privilege escalation to root, creation of a persistence backdoor account named lettsdefend, and deletion of both auth.log and audit.rules to hinder forensic investigation. The endpoint was contained; remediation requires deletion of the backdoor account, a password reset for analyst, SSH key rotation, and a full credential audit of the host.
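The attack chain summarised above (SSH brute force, successful login, backdoor account, log and audit-rule deletion) is exactly the sequence a SIEM correlation rule should stitch together. The following Python script is an added example, not code from the video or from LetsDefend: it runs three detections over a constructed sample of auth.log lines that are assumed to have been forwarded to the SIEM before the attacker wiped the local file (if nothing was forwarded, the wipe itself is the only remaining signal). The host name, source IP, compromised user and backdoor user are taken from the summary; timestamps, PIDs, ports and the benign `deploy` login are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of forwarded auth.log lines (illustrative, not from the video).
# Assumes the host ships auth.log to a SIEM before the local copy is deleted.
SAMPLE_AUTH_LOG = """\
May 16 10:01:02 Dominic sshd[2101]: Failed password for analyst from 87.249.134.136 port 51002 ssh2
May 16 10:01:03 Dominic sshd[2101]: Failed password for analyst from 87.249.134.136 port 51004 ssh2
May 16 10:01:04 Dominic sshd[2103]: Failed password for analyst from 87.249.134.136 port 51006 ssh2
May 16 10:01:05 Dominic sshd[2105]: Failed password for analyst from 87.249.134.136 port 51008 ssh2
May 16 10:01:06 Dominic sshd[2107]: Failed password for analyst from 87.249.134.136 port 51010 ssh2
May 16 10:01:07 Dominic sshd[2109]: Failed password for analyst from 87.249.134.136 port 51012 ssh2
May 16 10:01:09 Dominic sshd[2111]: Accepted password for analyst from 87.249.134.136 port 51014 ssh2
May 16 10:02:30 Dominic sudo:  analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root ; COMMAND=/usr/bin/id
May 16 10:03:10 Dominic sudo:  analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root ; COMMAND=/usr/sbin/useradd -m lettsdefend
May 16 10:03:10 Dominic useradd[2150]: new user: name=lettsdefend, UID=1002, GID=1002, home=/home/lettsdefend, shell=/bin/bash
May 16 10:04:00 Dominic sudo:  analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root ; COMMAND=/usr/bin/rm /var/log/auth.log /etc/audit/audit.rules
May 16 10:05:00 Dominic sshd[2200]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
"""

# Patterns for the standard OpenSSH, sudo and shadow-utils log formats.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?COMMAND=(.*)$")

# Files whose removal or modification destroys the evidence trail on the host.
SENSITIVE_PATHS = ("/var/log/auth.log", "/etc/audit/audit.rules", "/var/log/audit/")


def find_bruteforce_success(lines, threshold=5):
    """Return (ip, user, failures) for each source IP that reached `threshold`
    failed SSH logins and was then granted a login. Failures are counted per IP
    in log order, so the accepted login must come after the failures."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] >= threshold:
                hits.append((ip, user, failures[ip]))
    return hits


def find_new_accounts(lines):
    """Usernames created via useradd (persistence via a backdoor account)."""
    names = []
    for line in lines:
        m = NEW_USER_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


def find_log_tampering(lines):
    """(invoking_user, command) for sudo commands that touch auth.log or audit rules."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if m and any(p in m.group(2) for p in SENSITIVE_PATHS):
            hits.append((m.group(1), m.group(2).strip()))
    return hits


def triage(raw_log, threshold=5):
    """Correlate the three detections; a brute-forced login followed by a new
    account or log tampering is classified as a true positive."""
    lines = raw_log.splitlines()
    bruteforce = find_bruteforce_success(lines, threshold)
    accounts = find_new_accounts(lines)
    tampering = find_log_tampering(lines)
    compromised = sorted({user for _, user, _ in bruteforce})
    return {
        "bruteforce_success": bruteforce,
        "new_accounts": accounts,
        "log_tampering": tampering,
        "verdict": "true_positive" if bruteforce and (accounts or tampering) else "needs_review",
        # Remediation derived from the findings: remove backdoor accounts, reset
        # the brute-forced users, then rotate keys and audit all host credentials.
        "remediation": [f"delete account {u}" for u in accounts]
                       + [f"reset password for {u}" for u in compromised]
                       + ["rotate SSH keys", "audit all credentials on host"],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_AUTH_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The threshold of five failures is a placeholder; tune it to the environment, and note that the benign `deploy` key-based login in the sample is not flagged because its source IP has no failure history. In production the same correlation should also fire on the absence of auth.log events from a host that was previously chatty, since a successful wipe removes the lines this script depends on.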
🔬 Analysis Reports
🔍 AbuseIPDB (87.249.134.136) → https://www.abuseipdb.com/check/87.24...
Scenario sourced from LetsDefend.io — one of the best hands-on SOC analyst training platforms out there.
Highly recommend if you're on the same path. I'm documenting every day of my journey to landing a Level 1 SOC Analyst role — the wins, the grinds, and everything in between.

00:00 intro Day 117
00:15 alert details
01:12 investigation
05:40 playbook
19:06 analyst notes
22:39 results
24:06 official security report

🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #SSHBruteForce #LogTampering #Persistence #BackdoorAccount #Linux #IncidentResponse #SIEM #Day117 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity