Tweet ghim
🛡️ SOC Analyst (Tier 1) | Building in Public
What 28 days of real blue-team work looks like:
🔍 Splunk · SIEM · Log Analysis
🧠 MITRE ATT&CK · Threat Detection
💻 Kali · Ubuntu · Windows lab
📜 ISC2 Certified in Cybersecurity
English
William · SOC Analyst (Tier 1)
21.3K posts
William · SOC Analyst (Tier 1)
@WilliamInCyber
SOC Analyst (Tier 1) | Splunk · SIEM · MITRE ATT&CK | 28 hands-on labs | SA-based, UK/Gulf timezone overlap | Open to remote roles
Johannesburg, South Africa Tham gia Mart 2020
971 Đang theo dõi911 Người theo dõi
The "silently fail, no console logs" comment in that JS is the tell built to dodge the analyst doing exactly this kind of triage. Device-code phishing is nasty because the victim generates a real token; the only signal is an auth from a context that shouldn't have one. IOCs noted
Anurag@Malwarehunterr
Fake Microsoft Teams device code phishing page Interestingly, the same site was used about a year ago to host Microsoft/Outlook phishing content. URLs: readfile[.]online login.vvorkpage[.]online Old scan: urlscan.io/result/0195f40… #phishing #devicecodephishing #microsoft365 #teams @500mk500 @urlscanio
English
"Getting good takes time" is the part nobody screenshots. I'm months into building SOC labs before applying for a single role brute-force hunts, PowerShell detection, mentoring someone through the same path. No shortcut showed up. The compounding is quiet but it's real.
Emmanuel AO • DevOps & Tech@emmanuelao_
The internet made people believe you can learn tech in 12 months, open an Upwork account, and start earning thousands immediately. Reality hits differently. Getting good takes time. Finding clients takes time. Building trust takes time.
English
Agreed, but I'd add one nuance: the GitHub only tells the story if the repos show decisions not just code. My SOC labs read like incident reports methodology, IOCs, MITRE mapping. That's the part a recruiter can't fake having done. Certs prove you studied; repos prove you shipped
Emmanuel AO • DevOps & Tech@emmanuelao_
Nobody hires you because you collected certificates. They hire you because you can build, debug, and ship. Your GitHub tells that story better than Coursera ever will.
English
Built this exact stack Sentinel workspace + Defender for Cloud. One gotcha on step 2: the Azure Activity connector doesn't always auto-flow. I had to add a manual diagnostic setting to push logs into the workspace before anything showed up. Catches a lot of people on first build.
Ahmedkhan@Ahmed___khaan
3. Cloud Security Monitoring Project Steps: 1. Sign up for a free sandbox account on Microsoft Azure or AWS. 2. Turn on Microsoft Sentinel and connect it to your main cloud activity logs. 3. Create a cloud storage folder and change its settings to be completely public to the internet. 4. Use Microsoft Defender for Cloud to run a scan and find the alert for your exposed storage. 5. Script an automation that automatically flips the public storage back to private.
English
This is a great manual workflow. Once you've done step 2 by hand a few times, automate it I wrote a Bash phishing triage tool that parses SPF/DKIM/DMARC straight from the headers. Spoofing usually shows up as a fail/softfail before you even hit MXToolbox. Saves real triage time.
Ahmedkhan@Ahmed___khaan
Phishing Analysis Project Steps: 1. Download a real, safe phishing email file from a site like Phish Tank. 2. Paste the email headers into MXToolbox to find the sender's true IP address and look for spoofing. 3. Defang all malicious links so nobody can accidentally click them. 4. Check the sender's IP and malicious links on VirusTotal to see if they are flagged as dangerous. 5. Create a mock incident report listing the bad IPs, domains, and the steps to block them.
English
Built nearly this exact stack.
One tip on step 5: new-admin alerts have evasion paths ADSI/WinNT and net user can slip past naive rules.
I lab-verified that gap and filed it to SigmaHQ (#6057). Worth testing your alert against those, not just the obvious path.
Ahmedkhan@Ahmed___khaan
SIEM Detection Lab Project Steps: 1. Install Wazuh on a Linux VM to act as your central security dashboard. 2. Install the Wazuh agent and Sysmon on a Windows VM to track its background processes. 3. Use Kali or a PowerShell script to run a malicious command like whoami against the Windows VM. 4. Log into your SIEM and build a visual graph that displays successful versus failed logins. 5. Create a custom alert that triggers when a new administrative user is created.
English
Files don't delete the account goes read-only over quota.
You keep everything, just can't add new Drive/Photos/Gmail until you're back under 15GB free. ChatGPT's right here.
This is exactly why I've been eyeing self-hosting: own the storage, own the rules.
DROID@droidbuilds
If I cancel my Google One subscription right now, does my 1.67TB just disappear? 😭
English
@CyberRacheal Practicing in a home lab makes this so easy to understand 😌
English
MAC address table.
The switch reads the source MAC of each frame, records its port, and forwards future traffic there.
Unknown destination = flood all ports once, learn the reply, then unicast.
That same table is where a SOC spots MAC flooding attacks.
Cyber_Racheal@CyberRacheal
You plug an Ethernet cable into a switch port, The link light flashes bright green, Data transfers at maximum speed. How does the switch know where to send your data?🤔
English
@CyberSamuraiDev Mr. Robot was right. Every breach I've read this week came down to a human granting access, not a CVE firing. The vishing call into Charter is the cleanest example no malware, just a convincing voice. Hardest layer to patch is the one that answers the phone.
English
@WilliamInCyber In the words of Elliot Alderson, “People always make the best exploits.”
English
This is why "no exploit needed" keeps coming up.
Vishing into Entra, then Salesforce the only signal is a legit login from the wrong context.
My Hydra brute-force lab showed failed-auth is easy to catch.
The hard part is the successful login that shouldn't have happened.
PhishCore@PhishCore
"Charter Communications confirms a data breach. ShinyHunters stole millions of customer records." Someone called a charter employee on april 1st. They convinced the employee to give access to a Microsoft Entra account. With that access, they were able to get into Salesforce. the attack required no software vulnerability. it exploited an authentication process gap and the absence of phishing-resistant MFA. At least 13 million customer records confirmed exposed. names, addresses, emails, phone numbers, support tickets. Your employees face decisions like this every day. If someone asks for credentials, does your team know what to do? If you have never tested this, you do not know the answer.
English
@WilliamInCyber 😹😹😹😹
As funny as this sounds... it's highly undisputable 😹
This is a world of constant learning and practices, if you snooze you loose😹
English
The "stare at the screen and feel nothing" days are the ones nobody screenshots.
I've had a few mid-lab where nothing clicks and you just close the laptop.
Showing up the next day anyway is the whole skill.
Needed this one.
DALU🤍@iam_dalucynthia
We talk a lot about “passion for tech” but nobody talks about the days you stare at the screen and feel nothing. That’s normal too. YOU’RE NOT FAILING.
English
@somadinaaaa Yeah, can't argue with securing the pipe. I just file the VPN under "necessary, not sufficient" it does nothing once an attacker has valid creds, which is where most of my lab incidents start. Right tool, just not the last line of defense.
English
@WilliamInCyber so does every part of the internet. but we shall do the best we can and play with the cards we're given. we're all vulnerable to an extent but a vpn makes sure the tunnelling is secure.
English
"One layer, not a shield" exactly. Most incidents I see in lab work never touch the transit layer a VPN protects. They're identity (stolen creds), endpoint (malicious PowerShell), or the app itself. Encrypting the pipe does nothing if the attacker walks in with valid keys.
NetworkChuck@NetworkChuck
Using a VPN will protect you from hackers.
English
William · SOC Analyst (Tier 1) đã retweet
Prompt injection is ranked number 1 on the OWASP Top 10 for LLM Applications.
Most SOC teams have zero detection for it.
Today I built one from scratch.
Here is how Day 2 of my SOC detection lab went 🧵
English
The scary line is "AI feature added to software you already approved."
That's a new NHI inheriting access no one reviewed.
In my AI-era lab the detection challenge was exactly that you can't alert on data access you never knew the agent had.
Visibility first, then rules.
The Hacker News@TheHackersNews
🚨 The biggest Shadow AI risk may not be a new tool. It may be an AI feature quietly added to software your company already approved. Security teams now need to know where AI is active, what data it can access, and what employees are putting into it. The piece uses 🏆 award-winning solutions as examples of how security vendors are approaching the problem. Read the full article: awards.thehackernews.com/blog/shadow-ai…
English
That "create hidden admin" payload is the detection problem I filed a SigmaHQ gap on (#6057) rogue admin creation has evasion paths that slip past surface rules.
Plus a hidden web shell for persistence.
The account creation IS the IOC worth hunting, not just the script.
The Hacker News@TheHackersNews
🛑 Popular #WordPress plugin scripts were tampered with to plant hidden backdoors. The attack hit #JavaScript used by PushEngage, OptinMonster, and TrustPulse. If a logged-in admin loaded the script, attackers could create a rogue admin account and install a hidden web shell. Over 1.2M sites run the three plugins. Read the full article: thehackernews.com/2026/06/popula…
English
@iam_dalucynthia Yeah and if you’re someone you don’t genuinely love learning you can’t do cybersecurity 😂 too much information to absorb & practice
English
@WilliamInCyber I keep telling people...the journey didn't promise to be easy, if you desire to be at the peak, you must give up what everyone else isn't willing to give up and that's comfort. Discipline will become your second name.
English
"No second click required" is the scary part. The exfil rides Copilot's own trust in a microsoft[.]com link exactly the failure I saw in prompt-injection testing: the agent treats trusted-origin input as a trusted instruction. CVE patched, but detection for this class is thin.
International Cyber Digest@IntCyberDigest
‼️🚨 This is alarming: Researchers found a one-click data exfiltration vulnerability in M365 Copilot. A single click on a trusted microsoft[.]com link let attackers pull emails, MFA codes, meeting notes, and SharePoint/OneDrive files, no permissions or second click required. Microsoft has patched it as CVE-2026-42824, rated critical.
English
Agreed it's not net-new for defenders recon, blast radius, thin defenses are old.
But one thing IS new: the agent itself is the trust boundary.
In my prompt-injection lab the untrusted input WAS the instruction.
No exploit fired, the agent just did as told with dev perms.
spencer@techspence
Coding & Computer AI agents + people who have never traditionally been “technical” == mega huge attack surfaces, big blast radius & thinnest defenses This is not “new” for defenders. Just replace AI with regular computers.
English