
Endpoint Investigation Playbook

Project Context

Developed for Security Operations Center (SOC) analysts to guide triage when suspicious SSH logins or remote execution behavior are flagged by host intrusion detection systems (HIDS).

SSH Endpoint Investigation Playbook

Guidelines for forensic triage when suspicious activity is detected on Linux hosts via SSH.

1. Initial Access Verification

Confirm the origin IP and SSH session parameters:

# List active logins and session details
w
# Inspect historical authentication attempts (Debian/Ubuntu path; RHEL-family hosts use /var/log/secure or journalctl -u sshd)
sudo grep "sshd" /var/log/auth.log | grep "Accepted"

2. Process Analysis

Locate processes spawned by the target session:

# Display tree view of active user processes
pstree -u <username>
# Review exact process command arguments
ps auxfww | grep -i <pid_or_username>

3. Network Connection Audit

Inspect listening sockets and open ports initiated by suspicious processes:

# List established and listening TCP/UDP sockets with owning process (-a is needed to include listeners)
sudo ss -tupan
# Map open files and sockets back to PIDs
sudo lsof -i -P -n

4. Preservation & Containment

If command execution points to active exfiltration or reverse shell payloads:

  1. Block the remote IP of the suspicious connection at the local firewall.
  2. Isolate host interface (using VLAN segment or cloud security group).
  3. Capture memory footprint (LiME dump) before shutting down or rebooting.
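Added example, not part of the original playbook: a helper for the historical authentication review in step 1 that parses sshd "Accepted" lines from auth.log into structured records and flags sessions worth triage (source outside an assumed trusted range, password authentication, direct root login). The trusted networks and the sample log lines are constructed assumptions, not values from any real host.

```python
import ipaddress
import re

# Matches sshd "Accepted" lines in syslog-style auth.log format (no year in the timestamp).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Assumed management ranges; adjust to the environment being investigated.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def parse_accepted(lines):
    """Return one record per successful sshd login found in the given log lines."""
    records = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def flag_sessions(records):
    """Attach triage reasons: untrusted source, password auth, or direct root login."""
    flagged = []
    for rec in records:
        reasons = []
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in TRUSTED_NETS):
            reasons.append("source outside trusted networks")
        if rec["method"] == "password":
            reasons.append("password authentication")
        if rec["user"] == "root":
            reasons.append("direct root login")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


# Constructed sample lines in auth.log format (not taken from a real host).
SAMPLE_LOG = [
    "Mar  3 09:12:01 web01 sshd[2143]: Accepted publickey for deploy from 10.20.0.5 port 51122 ssh2: ED25519 SHA256:abc",
    "Mar  3 09:14:37 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 40021 ssh2",
    "Mar  3 09:15:02 web01 sshd[2210]: Accepted password for root from 203.0.113.9 port 40088 ssh2",
    "Mar  3 09:20:44 web01 sshd[2305]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
]

if __name__ == "__main__":
    for f in flag_sessions(parse_accepted(SAMPLE_LOG)):
        print(f"{f['ts']} pid={f['pid']} {f['user']}@{f['ip']}:{f['port']} via {f['method']}: {', '.join(f['reasons'])}")
```

On a live host, feed it the output of the step 1 grep instead of SAMPLE_LOG; the sshd PID in each flagged record is the parent of the session's shell, which is the starting point for the step 2 process review.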