"Talk to me," the manager said, voice gravelly.
Marcus didn't say "I found a suspicious file." He didn't say "high severity."
No one from payroll logs in at 2:15 AM.
He ran passive DNS. First seen: 72 hours ago. Registered to a privacy service. No reputation. No threat intel feed had it. It was brand new. A greenfield for an attacker.
He downloaded the binary from that domain. Didn't execute. Strings analysis. Embedded in the binary: a hardcoded C2 IP. He geolocated it. A data center in the Netherlands. But the SSL certificate? Issued to a small medical clinic in Ohio. That was the attacker's mistake—reusing a cert.
He right-clicked. Marked as: Investigated - True Positive - Compromise Confirmed.
Then he closed the laptop, leaned back, and for the first time that night, closed his eyes. The SOC hummed around him—a cathedral of blinking lights and silent alarms. And somewhere out there, in a data center in the Netherlands, a command shell timed out, waiting for a reply that would never come.