r/SecurityCareerAdvice • u/makeiteasy_24 • 1d ago
Finished a free webinar on live SOC investigations. Here's Part 1 of what we covered (Technical Post).
So on 16 May 2026 (Saturday) I ran a live session for students who wanted to see what actual threat analysis looks like. Not the sanitized course version. The real thing, sitting in front of an alert, zero context, figuring out what the hell happened in real time.
Thank you to everyone who attended the webinar.
158 people registered. Over 50 stuck through the whole thing. A lot of them had never seen this part of the job before.
The setup was simple: phishing email lands in the SOC queue. Subject line says "Your wallet has been Blocked." Legitimate looking. Urgent. Classic social engineering. But here's what actually went down when I investigated it.
The email came from info@metamaask[.]io, note the extra 'A'. One-character lookalike domain. It bypassed email filters on 6 mailboxes. 2 got caught. 4 didn't.
From there it gets worse. The attachment is an Excel file with macros. User opens it. Macro executes. Spawns PowerShell with an encoded command. Downloads a second-stage payload. Implant ends up running on the host.
Then we tracked the C2 beaconing in network logs. Seven connections to the attacker's server, exactly five minutes apart. Every. Single. Time. That precision isn't a human, it's the malware checking in on a timer. Port 443, disguised as normal HTTPS traffic.
That's the full chain. Email to implant running in minutes.
I walked through all of this using actual queries, real endpoint telemetry, and network logs. The way it actually works at my job. No slides. No theory. Just the investigation.
For those targeting your first SOC role this is what the job actually looks like. Not the tool walkthroughs. Not the labs. This. Sitting with incomplete data, using your tools to build the picture, making calls fast and accurate.
If you want specific guidance on breaking into SOC or want me to review where you're stuck, drop a comment or DM me.
2
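The beaconing pattern described in the post (seven connections to one external host, exactly five minutes apart, over port 443) is something you can detect mechanically once you have connection logs. The following is an added example, not code from the webinar or the poster: it groups outbound connections by source, destination and port, computes the gaps between consecutive connections, and flags flows whose gaps are nearly constant. The log lines, IP addresses, the `find_beacons`/`parse_log` function names and the simple log layout are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records in a simple
# "timestamp src_ip dst_ip dst_port" layout (not real telemetry).
# 203.0.113.7 is contacted 7 times at exactly 300 s intervals;
# 198.51.100.20 is contacted at irregular, human-looking intervals.
SAMPLE_LOG = """\
2026-05-16T10:00:00 10.0.0.15 203.0.113.7 443
2026-05-16T10:00:21 10.0.0.15 198.51.100.20 443
2026-05-16T10:05:00 10.0.0.15 203.0.113.7 443
2026-05-16T10:07:44 10.0.0.15 198.51.100.20 443
2026-05-16T10:10:00 10.0.0.15 203.0.113.7 443
2026-05-16T10:15:00 10.0.0.15 203.0.113.7 443
2026-05-16T10:19:03 10.0.0.15 198.51.100.20 443
2026-05-16T10:20:00 10.0.0.15 203.0.113.7 443
2026-05-16T10:25:00 10.0.0.15 203.0.113.7 443
2026-05-16T10:30:00 10.0.0.15 203.0.113.7 443
2026-05-16T10:31:10 10.0.0.15 198.51.100.20 443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples; lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return {(src, dst, port): (count, mean_gap_seconds)} for flows whose
    inter-connection gaps are nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps. A
    timer-driven implant produces a value near zero; a person browsing
    does not. Flows with fewer than min_connections are ignored so that a
    handful of coincidentally spaced requests is not reported.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        flows[(src, dst, port)].append(ts)

    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            beacons[key] = (len(stamps), avg)
    return beacons


if __name__ == "__main__":
    for (src, dst, port), (n, avg) in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate: {src} -> {dst}:{port}, {n} connections every {avg:.0f}s")
```

On the constructed sample only the 203.0.113.7 flow is reported (7 connections, 300 s apart); the irregular flow is not. In practice real implants often add random jitter to the sleep, so `max_jitter` is a tuning knob rather than a hard rule, and a hit is a lead to pivot into endpoint telemetry, not a verdict on its own.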
u/AddendumWorking9756 23h ago
The lookalike domain is such a clean teaching example, one swapped character getting past people who swear they'd never fall for it. Did you get into pivoting from the registration data out to the rest of the infra, or is that saved for part two?
1
u/makeiteasy_24 21h ago
Definitely, it's one of the most classic phishing/typosquatting techniques.
For example:
microsoft[.]com to rnicrosoft[.]com: notice the 'r' and 'n'.
I already checked that data (WHOIS data, serving IP address, domain history, DNS resolution) before the webinar, but due to time constraints in the webinar I was not able to dive deep into this.
3
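Both lookalikes in this thread (metamaask[.]io, which adds one character, and rnicrosoft[.]com, which swaps a confusable pair) can be caught with the same two checks: collapse character sequences that render alike, then compare the result against a list of protected brand domains by edit distance. The code below is an added example, not the poster's tooling; the `PROTECTED_DOMAINS` list, the confusable table and the `classify_sender_domain` function are constructed for illustration, and it also accepts the defanged `[.]` notation used in the thread.

```python
# Constructed list of brand domains to protect (assumption for the example).
PROTECTED_DOMAINS = ["metamask.io", "microsoft.com"]

# Character sequences that look nearly identical in common fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def defang_to_plain(domain):
    """Lower-case and turn the defanged 'example[.]com' form back into a real domain."""
    return domain.lower().replace("[.]", ".")


def normalize(domain):
    """Collapse confusable sequences so 'rnicrosoft.com' compares equal to 'microsoft.com'."""
    d = defang_to_plain(domain)
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Return the domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1]


def classify_sender_domain(domain, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return (verdict, matched_brand).

    'exact'     : the domain is one of the protected brands itself
    'lookalike' : it matches a brand after confusable folding, or is within
                  max_distance edits of one (catches insertions like 'metamaask')
    'unrelated' : none of the above
    """
    candidate = defang_to_plain(domain)
    for brand in protected:
        if candidate == brand:
            return "exact", brand
    folded = normalize(candidate)
    for brand in protected:
        brand_folded = normalize(brand)
        if folded == brand_folded or edit_distance(folded, brand_folded) <= max_distance:
            return "lookalike", brand
    return "unrelated", None


if __name__ == "__main__":
    for sample in ["info@metamaask[.]io", "alerts@rnicrosoft[.]com", "noreply@microsoft.com"]:
        print(sample, "->", classify_sender_domain(sender_domain(sample)))
```

The edit-distance threshold is deliberately small: at distance 1 a short brand name already collides with plenty of legitimate domains, so in a mail filter this verdict should feed a quarantine-and-review queue rather than an automatic block, and the WHOIS, serving IP and DNS history checks mentioned above are how an analyst confirms a hit.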
u/makeiteasy_24 1d ago
If you want to see the full recording (Part 1 is published, Part 2 on persistence is coming soon), it's here: https://youtu.be/WYaLKn7rdTk
Full breakdown is also on Medium if you want the detailed writeup (along with screenshots).
Also a newsletter covering this kind of stuff (link in bio) if you want to stay updated on real incident work and interview prep (bonus: free cybersecurity roadmap PDF attached that I designed myself).
2
u/Mysterious_Client_55 1d ago
Keep up the good work mate, would love more videos like this
2
u/makeiteasy_24 1d ago
Thank you so much!
This definitely made my day! Part 2 for this will be dropping this week on my YouTube channel!
3
u/Lemonbear63 1d ago
Dang, I didn't know about this, I'd definitely join to see that.