This lab focuses on investigating a security incident involving a compromised Linux server. The SOC team initially detected suspicious activity, including unauthorized configuration changes and the presence of unknown files in critical directories. A forensic disk image of the affected server was provided for analysis, with the objective of uncovering the attacker’s tactics, techniques, and procedures (TTPs), understanding the scope of the compromise, and identifying actionable mitigation strategies.
The investigation reveals a methodical attack involving unauthorized SSH access, privilege escalation, persistent malware deployment, data exfiltration, and attempts to cover tracks. The attacker utilized several techniques, such as disabling default security features in system configuration files, scheduling malicious processes for persistence, and using standard Linux utilities like wget, scp, and sudo to execute their operations stealthily. However, gaps in the attacker’s operational security, including saved session history and partially deleted logs, provided crucial evidence for reconstructing their activities.
Throughout this walkthrough, we use tools such as Photorec to recover deleted files, analyze logs like auth.log for SSH connections, and inspect key files such as .bash_history and /etc/sudoers to track the attacker’s behavior. The investigation also includes analyzing malware signatures through platforms like VirusTotal to identify the malicious executable and tracing its origin on the attacker’s server.
This lab highlights the