Set 10

91. Capstone Triage – Extract Breach Indicators

Scenario: The SOC team runs a final triage pass to isolate breach indicators from the logs.

Instructions:

  • Navigate to ~/kactii29

  • Create folder breach_indicators

  • Assume incident.log exists

  • Extract lines containing BREACH

  • Save output to breach.log

Commands Expected: grep, output redirection
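Added example for this exercise (not part of the original lab text): a grep extraction that survives a "set -e" collection script. grep exits 1 when nothing matches, which a naive `grep BREACH incident.log > breach.log` inside such a script would turn into an abort, and it treats the indicator as a regular expression unless told otherwise. The sample log lines are constructed for the example; the lab's own incident.log is assumed to exist under ~/kactii29.

```sh
#!/bin/sh
# Added example, not part of the original exercise set: extract lines that
# contain a fixed indicator string into a new evidence file, without letting
# grep's exit status abort a "set -e" collection script.
# grep exit codes: 0 = at least one match, 1 = no match, 2 = error (unreadable
# file, bad pattern). A "no match" result is still evidence and is recorded.

# extract_indicators LOGFILE INDICATOR OUTFILE
# Writes matching lines to OUTFILE and prints the number written.
# Returns 0 on success (including zero matches), 2 if LOGFILE cannot be read.
extract_indicators() {
    log=$1; indicator=$2; out=$3
    if [ ! -r "$log" ]; then
        printf 'error: cannot read %s\n' "$log" >&2
        return 2
    fi
    # -F: match INDICATOR literally (an indicator such as "BREACH[1]" would
    #     otherwise be parsed as a regular expression).
    # --: end option parsing, so an indicator beginning with "-" is safe.
    rc=0
    grep -F -- "$indicator" "$log" > "$out" || rc=$?
    if [ "$rc" -eq 2 ]; then
        return 2
    fi
    # Report what was actually written, not what the caller expects.
    wc -l < "$out" | tr -d ' '
}

# Constructed sample log (hypothetical lines, not from the original page);
# in the exercise this is ~/kactii29/incident.log.
make_sample_log() {
    cat > "$1" <<'EOF'
2024-05-01T10:00:01Z INFO  login ok user=alice
2024-05-01T10:02:17Z ALERT BREACH detected on host web01
2024-05-01T10:02:18Z INFO  health check ok
2024-05-01T10:05:44Z ALERT BREACH lateral movement to db01
2024-05-01T10:06:00Z WARN  breach keyword in lowercase is not an indicator match
EOF
}

# Stand-alone demonstration in a temporary directory (mirrors the lab layout).
work=$(mktemp -d)
mkdir -p "$work/breach_indicators"
make_sample_log "$work/incident.log"
count=$(extract_indicators "$work/incident.log" BREACH "$work/breach_indicators/breach.log")
printf 'wrote %s indicator line(s) to %s\n' "$count" "$work/breach_indicators/breach.log"
rm -rf "$work"
```

In the lab the call is `extract_indicators ~/kactii29/incident.log BREACH ~/kactii29/breach_indicators/breach.log`; the printed count is what goes into the triage notes, and a count of 0 is recorded rather than treated as a failure.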


92. Capacity Baseline – Disk Usage Evidence

Scenario: The final incident report requires a disk usage baseline taken during the event.

Instructions:

  • Navigate to ~/kactii29

  • Create capacity_baseline

  • Measure directory disk usage

  • Display results in human-readable format

  • Save output to capacity_baseline.txt

Commands Expected: du -h


93. User Accountability – Incident Login Record

Scenario: Leadership requires evidence of which users were logged in during the incident.

Instructions:

  • Navigate to ~/kactii29

  • Create incident_logins

  • Capture logged-in users

  • Append date and time

  • Save to incident_users.log

Commands Expected: who, date, output redirection


94. Tool Readiness – Incident Utility Verification

Scenario: The SOC confirms that the required utilities were available during the investigation.

Instructions:

  • Navigate to ~/kactii29

  • Create tool_readiness

  • Locate paths for grep, du, and ss

  • Save output to tool_readiness.txt

Commands Expected: which (command -v is the POSIX-portable equivalent; which is not standardised and its exit status varies between implementations)


95. Scheduler Validation – Incident Job Capability

Scenario: The SOC verifies whether scheduled tasks could have executed during the incident.

Instructions:

  • Navigate to ~/kactii29

  • Create scheduler_validation

  • Check cron service status

  • Start service if inactive

  • Save output to scheduler_validation.txt

Commands Expected: systemctl status, systemctl start (systemctl is-active gives a one-word state that is easier to test in a script; systemctl status exits non-zero for an inactive unit)
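Added example for this exercise (not part of the original lab text): checking and, if asked, starting the cron unit while writing an evidence trail. `systemctl status` exits 3 for an inactive unit and 4 for an unknown one, so under `set -e` a bare call ends the script before anything is written; the function below decides on `systemctl is-active` and appends the full status text afterwards. Starting a service alters the host under investigation, so the action and the requesting user are logged. The `SYSTEMCTL` override variable and the unit name `cron` (`crond` on RHEL-family systems) are assumptions of the example.

```sh
#!/bin/sh
# Added example, not part of the original exercise set: record whether the cron
# service could have run jobs, and optionally start it, without "systemctl
# status" aborting the collection run. "systemctl status" exits 3 for an
# inactive unit and 4 for an unknown one, so under "set -e" a bare call would
# end the script before anything was written. "systemctl is-active" is used for
# the decision; the full status text is appended afterwards as evidence.
#
# SYSTEMCTL can be overridden to point at a wrapper; that is an assumption of
# this example (useful for testing), not something the lab requires.
SYSTEMCTL=${SYSTEMCTL:-systemctl}

utc_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# record_scheduler UNIT OUTFILE [yes]
# Appends the unit's state to OUTFILE; with a third argument of "yes", starts
# the unit if it is not active and records that action. Prints the final
# state. Returns 0 if the unit ends up active, 1 if not, 2 if systemctl is
# not usable on this host.
record_scheduler() {
    unit=$1; out=$2; start=${3:-no}
    if ! command -v "$SYSTEMCTL" >/dev/null 2>&1; then
        printf '%s %s: systemctl not available, state unknown\n' "$(utc_now)" "$unit" >> "$out"
        echo unknown
        return 2
    fi
    # is-active prints active/inactive/failed/unknown and exits non-zero unless
    # active; "|| true" keeps that exit status from terminating the script.
    state=$("$SYSTEMCTL" is-active "$unit" 2>/dev/null || true)
    state=${state:-unknown}
    printf '%s %s initial state: %s\n' "$(utc_now)" "$unit" "$state" >> "$out"
    if [ "$state" != active ] && [ "$start" = yes ]; then
        # Starting a service changes the host under investigation. Log the
        # action with who requested it so the timeline attributes the change
        # to the analyst rather than to the attacker.
        if "$SYSTEMCTL" start "$unit" >> "$out" 2>&1; then
            printf '%s %s start requested by %s\n' "$(utc_now)" "$unit" "$(id -un)" >> "$out"
        else
            printf '%s %s start FAILED (requested by %s)\n' "$(utc_now)" "$unit" "$(id -un)" >> "$out"
        fi
        state=$("$SYSTEMCTL" is-active "$unit" 2>/dev/null || true)
        state=${state:-unknown}
        printf '%s %s state after start: %s\n' "$(utc_now)" "$unit" "$state" >> "$out"
    fi
    # Full status text for the report; its exit status is deliberately ignored.
    "$SYSTEMCTL" status --no-pager "$unit" >> "$out" 2>&1 || true
    echo "$state"
    if [ "$state" = active ]; then return 0; else return 1; fi
}

# Usage in the lab (unit is "cron" on Debian/Ubuntu, "crond" on RHEL-family):
#   mkdir -p ~/kactii29/scheduler_validation
#   record_scheduler cron ~/kactii29/scheduler_validation/scheduler_validation.txt yes
```

Run the check once without the third argument first: that records the state the incident left the host in. Only then, if the exercise calls for it, run it again with `yes`, so the evidence file shows both the original state and the analyst's change.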


96. Deferred Task Review – Incident-Time Jobs

Scenario: Incident analysis requires a list of all deferred (at) jobs present on the host.

Instructions:

  • Navigate to ~/kactii29

  • Create incident_jobs

  • List all scheduled at jobs

  • Save output to incident_jobs.txt

Commands Expected: atq


97. Runtime Context – Incident Environment Snapshot

Scenario: The SOC reconstructs the execution context from the environment variables.

Instructions:

  • Navigate to ~/kactii29

  • Create incident_environment

  • Display all environment variables

  • Save output to incident_env.txt

Commands Expected: printenv


98. Network Exposure – Incident Port Snapshot

Scenario: The security team documents the host's network exposure during the incident window.

Instructions:

  • Navigate to ~/kactii29

  • Create incident_network

  • Capture all listening TCP and UDP sockets

  • Save output to incident_ports.txt

Commands Expected: ss -tuln


99. Evidence Consolidation – Unique Incident Artifacts

Scenario: The final report requires a normalized list of unique incident artifacts.

Instructions:

  • Navigate to ~/kactii29

  • Create incident_artifacts

  • Assume artifacts.log exists

  • Sort and remove duplicate entries

  • Save to unique_artifacts.txt

Commands Expected: sort, uniq
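Added example for this exercise (not part of the original lab text): a normalize-then-deduplicate pipeline with a frequency table. The point it shows beyond `sort | uniq` is that uniq only merges adjacent identical lines and that "identical" is byte-for-byte, so trailing spaces and Windows line endings silently produce duplicate artifacts unless they are stripped first. The normalization rules and the sample entries are assumptions of the example; the lab's artifacts.log is assumed to exist under ~/kactii29.

```sh
#!/bin/sh
# Added example, not part of the original exercise set: normalize an artifact
# list and de-duplicate it. uniq only collapses adjacent identical lines, so the
# input must be sorted first (sort -u does both in one step, but uniq -c is still
# the tool for frequencies). The normalization applied here is an assumption of
# the example: drop carriage returns and trailing whitespace, and skip blank
# lines, so "evil.sh", "evil.sh " and "evil.sh\r" count as one artifact.

# normalize_stream: stdin -> stdout, one cleaned artifact per line.
normalize_stream() {
    tr -d '\r' | sed -e 's/[[:space:]]*$//' -e '/^$/d'
}

# normalize_artifacts INFILE OUTFILE
# Writes the sorted unique list to OUTFILE and prints how many entries it holds.
normalize_artifacts() {
    # LC_ALL=C forces byte-order sorting, so the evidence file is identical no
    # matter which locale the collecting host uses.
    normalize_stream < "$1" | LC_ALL=C sort | uniq > "$2"
    wc -l < "$2" | tr -d ' '
}

# artifact_counts INFILE
# Prints "count<TAB>artifact", most frequent first; a recurring artifact is
# usually the one worth pivoting on.
artifact_counts() {
    normalize_stream < "$1" | LC_ALL=C sort | uniq -c | sort -rn \
        | awk '{ c = $1; sub(/^ *[0-9]+ +/, ""); print c "\t" $0 }'
}

# Constructed sample (hypothetical values; 203.0.113.0/24 is a documentation
# range). In the exercise this is ~/kactii29/artifacts.log.
make_sample_artifacts() {
    printf '%s\n' '/tmp/.x/evil.sh' '203.0.113.77' '/tmp/.x/evil.sh ' '' \
        '203.0.113.77' 'evil-c2.example' > "$1"
    printf '/tmp/.x/evil.sh\r\n' >> "$1"   # a Windows-style line ending
}

# Stand-alone demonstration in a temporary directory.
work=$(mktemp -d)
make_sample_artifacts "$work/artifacts.log"
n=$(normalize_artifacts "$work/artifacts.log" "$work/unique_artifacts.txt")
printf '%s unique artifact(s):\n' "$n"
cat "$work/unique_artifacts.txt"
artifact_counts "$work/artifacts.log"
rm -rf "$work"
```

For the lab: `normalize_artifacts ~/kactii29/artifacts.log ~/kactii29/incident_artifacts/unique_artifacts.txt`. Keep the raw artifacts.log untouched alongside the normalized file; the normalization is a transformation of evidence and a reviewer may need to see the original forms.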


100. Final Assurance – Incident Uptime Proof

Scenario: The executive summary requires proof that the system remained operational.

Instructions:

  • Navigate to ~/kactii29

  • Create final_assurance

  • Capture system uptime

  • Append timestamp

  • Save to final_uptime.log

Commands Expected: uptime, date, output redirection
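Added example covering exercises 92, 93, 94, 96, 97, 98 and 100 together (not part of the original lab text): these are all "run a snapshot command, save it, add the date" steps, so one helper serves them. Each record carries a UTC timestamp, the exact command line and the exit status; that lets a reviewer distinguish a genuinely empty result (no listening sockets, no at jobs) from a tool that was missing or failed, which plain `cmd > file` cannot show. The folder names follow the lab; which tools exist on the host (du, who, atq, printenv, ss, uptime) is an assumption, and a missing one is recorded rather than treated as fatal.

```sh
#!/bin/sh
# Added example, not part of the original exercise set: one helper for the
# snapshot exercises (disk usage, logged-in users, tool paths, at jobs,
# environment, listening sockets, uptime). Each record carries a UTC timestamp,
# the exact command line and the exit status, so a reviewer can tell an empty
# result (no listening sockets, no at jobs) from a tool that was missing or
# failed. The directory layout and command set follow the lab text; which
# tools exist on the host is an assumption.

# capture_evidence OUTFILE CMD [ARGS...]
# Appends a framed record to OUTFILE. Returns the command's exit status, or
# 127 if CMD is not available (recorded in the file rather than fatal).
capture_evidence() {
    out=$1; shift
    {
        printf '=== %s host=%s user=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$(hostname 2>/dev/null || echo unknown)" "$(id -un)"
        printf '$ %s\n' "$*"
    } >> "$out"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '[command not available on this host]\n\n' >> "$out"
        return 127
    fi
    rc=0
    "$@" >> "$out" 2>&1 || rc=$?
    printf '[exit status %d]\n\n' "$rc" >> "$out"
    return "$rc"
}

# tool_paths OUTFILE TOOL...
# Records "tool<TAB>path" (or MISSING) per tool using the POSIX "command -v";
# "which" is not standardised and its exit status differs between
# implementations. Returns the number of missing tools (0 = all present).
tool_paths() {
    out=$1; shift
    missing=0
    for t in "$@"; do
        if p=$(command -v "$t" 2>/dev/null); then
            printf '%s\t%s\n' "$t" "$p"
        else
            printf '%s\tMISSING\n' "$t"
            missing=$((missing + 1))
        fi
    done >> "$out"
    return "$missing"
}

# collect_incident_evidence BASEDIR
# Runs the exercises' snapshot commands into the lab's folder layout. Every
# call is wrapped in "|| true" so one missing tool does not stop the rest.
collect_incident_evidence() {
    base=$1
    # Evidence files are owner-readable only: the environment snapshot in
    # particular can contain tokens or passwords exported into the shell.
    umask 077
    for sub in capacity_baseline incident_logins tool_readiness incident_jobs \
               incident_environment incident_network final_assurance; do
        mkdir -p "$base/$sub"
    done
    # du -sh summarises the directory; plain "du -h" lists every subdirectory.
    capture_evidence "$base/capacity_baseline/capacity_baseline.txt" du -sh "$base" || true
    capture_evidence "$base/incident_logins/incident_users.log" who || true
    tool_paths "$base/tool_readiness/tool_readiness.txt" grep du ss || true
    capture_evidence "$base/incident_jobs/incident_jobs.txt" atq || true
    capture_evidence "$base/incident_environment/incident_env.txt" printenv || true
    # -t TCP, -u UDP, -l listening only, -n numeric: no reverse DNS or service
    # lookups, which are slow and generate traffic from the host being examined.
    capture_evidence "$base/incident_network/incident_ports.txt" ss -tuln || true
    capture_evidence "$base/final_assurance/final_uptime.log" uptime || true
}

# Usage in the lab: collect_incident_evidence ~/kactii29
```

Two design choices worth noting. The exit status is written into the file, not only returned, because the file is what reaches the report and the reviewer is not going to re-run the script. And `umask 077` is set before any file is created: `printenv` in particular dumps whatever the shell inherited, which on a compromised host may include credentials the attacker planted or the analyst's own tokens.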

