Alert Triage With Splunk Tryhackme Walkthrough

Master alert triage in TryHackMe’s Alert Triage with Splunk! Learn to analyze security logs, investigate incidents, and detect threats using Splunk’s powerful SIEM and SOC investigation tools.


Jawstar

11/2/2025, 2 min read

Task 1 : Introduction

As a SOC analyst, it’s important to be able to investigate different types of suspicious activity across a variety of assets in the environment. Knowing what to look for and which details matter most during an investigation is a key part of the role.

Learning Objectives

  • Learn how to properly investigate alerts in a SOC environment.
  • Understand how to investigate brute-force attacks on Linux systems.
  • Discover the persistence mechanism on Windows systems.
  • Analyse a web shell on a vulnerable web server.
  • Learn how to investigate alerts for three given scenarios using Splunk.

Task 2 : Initial Access Alert

Alert Scenario

You’ve just started your first shift as a SOC analyst at an MSSP. Only a few minutes have passed since an alert about a possible brute force attack appeared on the platform.

Alert Details:
  • Alert Name: Brute Force Activity Detection
  • Time: 17/09/2025 9:00:21 AM
  • Target Host: tryhackme-2404
  • Source IP: 10.10.242.248
Your job is to investigate this activity and decide whether it should be considered suspicious.

Answer the questions below

How many failed login attempts were made on the user john.smith?
500
What was the duration of the brute force attack in minutes?
5
What username was the attacker able to privilege escalate to?
root
What is the name of the user account created by the attacker for persistence?
system-utm
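The four Task 2 answers are all things an analyst reads off the target host's authentication log: failures for one account from the alerting IP, the spread between the first and last failure, a later `sudo` to another user, and a `useradd` shortly after. The script below is an added example (not part of the room or this walkthrough) that derives those facts from syslog-style `auth.log` lines. The log excerpt is constructed to mirror the alert details (host `tryhackme-2404`, source `10.10.242.248`, account `john.smith`); the year is assumed from the alert time because syslog timestamps carry none, and the `threshold` of ten failures in `verdict()` is an illustrative tuning value.

```python
"""Triage of a Linux SSH brute-force alert from auth.log lines.

Added example, not part of the TryHackMe room or the author's walkthrough.
Parses syslog-style sshd/sudo/useradd messages and answers: how many failures
hit one user from the alerting IP, how long the burst lasted, whether the
account then escalated via sudo, and whether a new local account appeared.
"""
import re
from datetime import datetime, timedelta

# syslog timestamps carry no year; assume the year from the alert details
YEAR = 2025

# Standard OpenSSH, sudo and shadow-utils message formats
TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
FAILED_RE = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_RE = re.compile(TS + r"sudo: +(?P<user>\S+) : .*\bUSER=(?P<target>\S+) ;")
USERADD_RE = re.compile(TS + r"useradd\[\d+\]: new user: name=(?P<name>[^,]+),")


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


def triage(lines, user, source_ip):
    """Summarise activity for one user/source pair across an auth.log excerpt."""
    failed, accepted, escalations, new_accounts = [], [], set(), []
    for line in lines:
        if (m := FAILED_RE.match(line)) and m["user"] == user and m["ip"] == source_ip:
            failed.append(parse_ts(m["ts"]))
        elif (m := ACCEPTED_RE.match(line)) and m["user"] == user and m["ip"] == source_ip:
            accepted.append(parse_ts(m["ts"]))
        elif (m := SUDO_RE.match(line)) and m["user"] == user:
            escalations.add(m["target"])          # sudo target user, e.g. root
        elif (m := USERADD_RE.match(line)):
            new_accounts.append(m["name"])        # any account created on the host
    duration = 0
    if len(failed) >= 2:
        # minutes between the first and last failure, rounded like the question asks
        duration = round((max(failed) - min(failed)).total_seconds() / 60)
    return {
        "failed_attempts": len(failed),
        "duration_minutes": duration,
        "successful_login": bool(accepted),
        "escalated_to": sorted(escalations),
        "accounts_created": new_accounts,
    }


def verdict(summary, threshold=10):
    """Turn the summary into the triage decision an L1 analyst records."""
    if summary["failed_attempts"] < threshold:
        return "benign"
    if summary["successful_login"] and (summary["escalated_to"] or summary["accounts_created"]):
        return "confirmed compromise"
    if summary["successful_login"]:
        return "successful brute force"
    return "brute force attempt"


def constructed_sample():
    """Constructed auth.log excerpt (not real data): 500 failures over five minutes,
    then a success, sudo to root and a new account, plus one unrelated failure."""
    host, ip = "tryhackme-2404", "10.10.242.248"
    start = datetime(YEAR, 9, 17, 8, 55, 21)
    lines = [f"{start:%b %d %H:%M:%S} {host} sshd[1100]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2"]
    for i in range(500):
        t = start + timedelta(milliseconds=600 * i)
        lines.append(f"{t:%b %d %H:%M:%S} {host} sshd[{1200 + i}]: Failed password for john.smith from {ip} port {40000 + i} ssh2")
    t = start + timedelta(seconds=310)
    lines.append(f"{t:%b %d %H:%M:%S} {host} sshd[1800]: Accepted password for john.smith from {ip} port 40600 ssh2")
    t += timedelta(seconds=40)
    lines.append(f"{t:%b %d %H:%M:%S} {host} sudo:  john.smith : TTY=pts/0 ; PWD=/home/john.smith ; USER=root ; COMMAND=/bin/bash")
    t += timedelta(seconds=5)
    lines.append(f"{t:%b %d %H:%M:%S} {host} useradd[1850]: new user: name=system-utm, UID=1001, GID=1001, home=/home/system-utm, shell=/bin/bash")
    return lines


if __name__ == "__main__":
    summary = triage(constructed_sample(), "john.smith", "10.10.242.248")
    print(summary)
    print("verdict:", verdict(summary))
```

The filter on both user and source IP matters: a host under attack usually also carries failures for unrelated accounts from other addresses, and counting those would inflate the number the alert is about. Checking for a successful login followed by escalation or account creation is what turns "brute force attempt" into an incident rather than a closed alert.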

Task 3 : Persistence Alert

Alert Scenario

You are working as a Level 1 SOC Analyst on shift at an MSSP. An alert has come through indicating that a suspicious scheduled task was created on a host.

Alert Details:
  • Alert Name: Potential Task Scheduler Persistence Identified
  • Time: 30/08/2025 10:06:07 AM
  • Host: WIN-H015
  • User: oliver.thompson
  • Task Name: AssessmentTaskOne
Your job is to investigate this activity and decide whether it should be considered suspicious.

Answer the questions below

What is the ProcessId of the process that created this malicious task?
5816
What is the name of the parent process for the process that created this malicious task?
cmd.exe
Which local group did the attacker enumerate during discovery?
Administrators
What is the name of the workstation from which the Threat Actor logged into this host?
DEV-QA-SERVER
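The Task 3 questions are a correlation exercise: the task-creation event names the process that created the task, the process-creation event for that PID names its parent, and the logon session ID shared by those events leads to the group enumeration and the logon that opened the session. The code below is an added example (not the room's or the author's) that performs that join over constructed events shaped like Splunk's extraction of Windows Security (4698, 4799, 4624) and Sysmon (EventCode 1) data. Field names follow the XML EventData names; the `ClientProcessId` field on 4698 is assumed present (recent Windows builds record it), the logon session ID and all paths and command lines are constructed placeholders.

```python
"""Correlating a Windows scheduled-task persistence alert across event sources.

Added example, not from the TryHackMe room or the author's walkthrough. Joins the
Security log task-creation event (4698) to the Sysmon process-creation event (1)
that made it, then pivots on the logon session ID to find local group enumeration
(4799) and the logon (4624) that started the session. Events are constructed.
"""
from pathlib import PureWindowsPath


def to_int(value):
    """Security-log process IDs are often hex strings (0x16b8); Sysmon uses decimal."""
    text = str(value)
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def triage_task(events, task_name):
    """Return the process lineage and session context for the creation of task_name."""
    created = next((e for e in events
                    if e["EventCode"] == 4698 and e["TaskName"].lstrip("\\") == task_name), None)
    if created is None:
        return None
    pid = to_int(created["ClientProcessId"])
    logon_id = created["SubjectLogonId"].lower()   # session shared by every action of this logon

    proc = next((e for e in events if e["EventCode"] == 1 and to_int(e["ProcessId"]) == pid), None)
    groups = sorted({e["TargetUserName"] for e in events
                     if e["EventCode"] == 4799 and e["SubjectLogonId"].lower() == logon_id})
    logon = next((e for e in events
                  if e["EventCode"] == 4624 and e["TargetLogonId"].lower() == logon_id), None)
    return {
        "task": task_name,
        "user": created["SubjectUserName"],
        "process_id": pid,
        "image": PureWindowsPath(proc["Image"]).name if proc else None,
        "parent_process": PureWindowsPath(proc["ParentImage"]).name if proc else None,
        "command_line": proc.get("CommandLine") if proc else None,
        "groups_enumerated": groups,
        "logon_workstation": logon["WorkstationName"] if logon else None,
        "logon_source_ip": logon["IpAddress"] if logon else None,
    }


SESSION = "0x4C2F1A"   # constructed logon session id shared by the suspicious events
EVENTS = [             # constructed events in time order; a benign logon and task are mixed in
    {"EventCode": 4624, "TargetUserName": "oliver.thompson", "TargetLogonId": SESSION,
     "LogonType": 10, "WorkstationName": "DEV-QA-SERVER", "IpAddress": "10.10.30.15"},
    {"EventCode": 4624, "TargetUserName": "svc_backup", "TargetLogonId": "0x3E7",
     "LogonType": 5, "WorkstationName": "-", "IpAddress": "-"},
    {"EventCode": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 3900, "LogonId": SESSION},
    {"EventCode": 1, "ProcessId": 4188, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 4100,
     "CommandLine": "net localgroup Administrators", "LogonId": SESSION},
    {"EventCode": 4799, "SubjectUserName": "oliver.thompson", "SubjectLogonId": SESSION,
     "TargetUserName": "Administrators", "CallerProcessName": r"C:\Windows\System32\net.exe"},
    {"EventCode": 1, "ProcessId": 5816, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 4100,
     "CommandLine": r"schtasks /create /tn AssessmentTaskOne /tr C:\ProgramData\placeholder.exe /sc onlogon",
     "LogonId": SESSION},
    {"EventCode": 4698, "SubjectUserName": "oliver.thompson", "SubjectLogonId": SESSION,
     "TaskName": r"\AssessmentTaskOne", "ClientProcessId": "0x16B8"},
    {"EventCode": 4698, "SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3E7",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "ClientProcessId": "0x4E0"},
]


if __name__ == "__main__":
    print(triage_task(EVENTS, "AssessmentTaskOne"))
```

Two details trip people up in Splunk as well: the Security log writes process IDs as hex while Sysmon writes decimal, so the join needs a conversion, and the task name in 4698 carries a leading backslash that the alert omits. Pivoting on the logon session ID rather than the username is what separates the attacker's interactive session from the user's legitimate activity on the same host.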

Task 4 : Possible Web Shell Alert

Alert Scenario

Your shift as an L1 SOC analyst continues, and you’ve now received the next alert that needs to be investigated. This time, the activity is related to the web.

Alert Details:
  • Alert Name: Potential Web Shell Upload Detected
  • Time: 14/09/2025 09:31:51 AM
  • Resource: http://web.trywinme.thm
  • Suspicious IP: 171.251.232.40
Your job is to investigate this activity and decide whether it should be considered suspicious.

Answer the questions below

What time did the brute-force activity using Hydra begin?
Answer Format Example: 2025-01-15 12:30:45
2025-09-14 21:20:27
Which user agent did the attacker use when interacting with the web shell?
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
What was the number of requests made by the attacker to the server via the web shell?
4
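For Task 4 the evidence is the web server's access log: Hydra's HTTP modules send `Mozilla/5.0 (Hydra)` as their user agent unless told otherwise, so the first request carrying it dates the spray, and the web shell shows up as a suspicious IP repeatedly requesting an uploaded server-side script with a query string. The script below is an added example (not from the room or this walkthrough) that parses combined-log-format lines and answers both questions. The log is constructed: the IP and the user agent come from the alert and answers above, the file names `/upload.php`, `/uploads/image.php` and the timestamps are placeholders.

```python
"""Triage of a web shell upload alert from web server access logs.

Added example, not from the TryHackMe room or the author's walkthrough. Parses
combined-log-format lines (the Apache/nginx default), dates the Hydra spray by
its default user agent, and groups the suspicious IP's requests to uploaded
scripts that were invoked with a query string. The log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_EXT = (".php", ".jsp", ".aspx", ".asp")


def parse_access_log(lines):
    """Parse combined-log-format lines; malformed lines are skipped, not fatal."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def fmt(dt):
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def hydra_start(entries):
    """Earliest request carrying Hydra's default user agent, or None."""
    hits = [e["time"] for e in entries if "hydra" in e["ua"].lower()]
    return fmt(min(hits)) if hits else None


def web_shell_activity(entries, suspicious_ip, upload_dir="/uploads/"):
    """Requests from suspicious_ip to server-side scripts under upload_dir that carry a query string."""
    by_path = defaultdict(lambda: {"requests": 0, "user_agents": set(), "first_seen": None, "last_seen": None})
    for e in entries:
        path, _, query = e["path"].partition("?")
        if e["ip"] != suspicious_ip or not path.startswith(upload_dir) or not query:
            continue
        if not path.lower().endswith(SCRIPT_EXT):
            continue                       # static files under the upload dir are not shells
        rec = by_path[path]
        rec["requests"] += 1
        rec["user_agents"].add(e["ua"])
        rec["first_seen"] = e["time"] if rec["first_seen"] is None else min(rec["first_seen"], e["time"])
        rec["last_seen"] = e["time"] if rec["last_seen"] is None else max(rec["last_seen"], e["time"])
    return {p: {"requests": r["requests"], "user_agents": sorted(r["user_agents"]),
                "first_seen": fmt(r["first_seen"]), "last_seen": fmt(r["last_seen"])}
            for p, r in by_path.items()}


CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36")
ATTACKER = "171.251.232.40"


def constructed_log():
    """Constructed access log: a Hydra spray, one upload, four shell requests, plus unrelated traffic."""
    lines = ['203.0.113.7 - - [14/Sep/2025:21:15:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.5.0"']
    for i in range(6):
        status = 200 if i == 5 else 401
        lines.append(f'{ATTACKER} - - [14/Sep/2025:21:20:{27 + i:02d} +0000] "POST /login.php HTTP/1.1" {status} 512 "-" "Mozilla/5.0 (Hydra)"')
    lines.append(f'{ATTACKER} - - [14/Sep/2025:21:24:10 +0000] "POST /upload.php HTTP/1.1" 200 310 "http://web.trywinme.thm/upload.php" "{CHROME}"')
    lines.append(f'{ATTACKER} - - [14/Sep/2025:21:24:15 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 9001 "-" "{CHROME}"')
    for i, cmd in enumerate(["id", "whoami", "hostname", "pwd"]):
        lines.append(f'{ATTACKER} - - [14/Sep/2025:21:24:{20 + 5 * i} +0000] "GET /uploads/image.php?cmd={cmd} HTTP/1.1" 200 128 "-" "{CHROME}"')
    lines.append('198.51.100.9 - - [14/Sep/2025:21:30:00 +0000] "GET /uploads/image.php HTTP/1.1" 200 128 "-" "Mozilla/5.0 (X11; Linux x86_64)"')
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    entries = parse_access_log(constructed_log())
    print("Hydra started:", hydra_start(entries))
    for path, rec in web_shell_activity(entries, ATTACKER).items():
        print(path, rec)
```

The user-agent pivot is worth noting: the spray and the shell interaction come from the same IP but with different user agents, so counting "requests via the web shell" means counting requests to the uploaded script, not every request from the IP. Reporting `first_seen` and `last_seen` alongside the count gives the window the web server and host logs should then be searched for what the shell executed.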

Task 5 : Conclusion

Great job completing this room! You've now gained practical experience in investigating different types of alerts you can encounter in the real world:
  • Detecting anomalies on Windows and Linux systems.
  • Analysing web shell activity and identifying its traces.
