MITRE ATT&CK · SOC Analyst
Q. Walk me through investigating a T1059 Command and Scripting Interpreter alert.
T1059 covers an adversary using a command or scripting interpreter (Bash, PowerShell, cmd.exe, Python) for execution. Investigation steps:
(1) Get the full command line from the EDR or from Sysmon Event ID 1 (process creation).
(2) Identify the parent process from the Sysmon Event 1 ParentImage field. PowerShell launched from Word is a strong malicious indicator.
(3) Check for encoded commands (PowerShell -EncodedCommand): decode the base64 blob to see the real script.
(4) Check network connections made by the process (Sysmon Event ID 3).
(5) Check files written by the process (Sysmon Event ID 11).
(6) Hash and reputation-check any artifacts.
Sub-techniques: T1059.001 PowerShell, T1059.003 Windows Command Shell, T1059.006 Python. The investigation differs slightly per interpreter.
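The six triage steps above, scripted over a handful of Sysmon-style events, as an added example that is not part of the original answer. The events, the process ids, the IP, the file path and the hash values are all constructed for the example (the hashes are labelled placeholders, not real indicators); the list of Office parents is an assumption to tune per environment. The decoder relies on the fact that PowerShell's -EncodedCommand is base64 over UTF-16LE text, which is why a plain base64 decode alone yields interleaved NUL bytes.

```python
import base64
import re
from pathlib import PureWindowsPath

# Assumed list of parent processes that should not normally spawn an interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
# "-ExecutionPolicy" does not match because no whitespace follows "-e".
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_ps(script: str) -> str:
    """Build what PowerShell expects for -EncodedCommand: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: leave it for manual review instead of crashing triage


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def investigate(events, pid):
    """Steps 1-6 for one process id over Sysmon-style events (EventID 1, 3, 11)."""
    create = next(e for e in events if e["EventID"] == 1 and e["ProcessId"] == pid)
    parent = basename(create["ParentImage"])
    findings = {
        "command_line": create["CommandLine"],                      # step 1
        "parent": parent,                                           # step 2
        "parent_is_office": parent in OFFICE_PARENTS,
        "decoded_command": decode_encoded_command(create["CommandLine"]),  # step 3
        "network": [(e["DestinationIp"], e["DestinationPort"])      # step 4
                    for e in events if e["EventID"] == 3 and e["ProcessId"] == pid],
        "files_written": [e["TargetFilename"]                       # step 5
                          for e in events if e["EventID"] == 11 and e["ProcessId"] == pid],
        "hashes": dict(h.split("=", 1) for h in create["Hashes"].split(",")),  # step 6 input
    }
    # Office parent or an encoded command is enough to escalate; otherwise analyst review.
    findings["verdict"] = "escalate" if findings["parent_is_office"] or findings["decoded_command"] else "review"
    return findings


# Constructed sample telemetry (not real events); field names mirror Sysmon's.
SAMPLE_SCRIPT = r"Get-ChildItem $env:USERPROFILE\Documents | Out-File $env:TEMP\list.txt"
EVENTS = [
    {"EventID": 1, "ProcessId": 4412, "ParentProcessId": 3120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(SAMPLE_SCRIPT),
     "Hashes": "MD5=PLACEHOLDER_MD5,SHA256=PLACEHOLDER_SHA256"},  # placeholder hash values
    {"EventID": 3, "ProcessId": 4412, "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventID": 11, "ProcessId": 4412, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\list.txt"},
    {"EventID": 1, "ProcessId": 5120, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",  # e.g. a scheduled task host
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\inventory.ps1",
     "Hashes": "MD5=PLACEHOLDER_MD5,SHA256=PLACEHOLDER_SHA256"},
]

if __name__ == "__main__":
    for pid in (4412, 5120):
        for key, value in investigate(EVENTS, pid).items():
            print(f"{pid} {key}: {value}")
        print()
```

Run as a script it prints both triage records: the Word-spawned, encoded process is escalated, while the svchost-spawned inventory script with a plain -File argument comes back as "review". Reputation lookup of the hashes is left to whatever intel platform the SOC uses; the example only extracts them from the event.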
Want the full explanation? This is the atomic answer suitable for quick interview prep. For the structured deep-dive, including code samples, strong-answer vs weak-answer notes, common follow-up questions, and how this fits the larger SOC Analyst topic, see the full Q&A on Networkers Home:
→ SOC Analyst Interview Hub — Full Q&A with deep context
How Networkers Home prepares students for this kind of question
This question reflects real interview rounds at Bangalore's top product, BFSI, and GCC cybersecurity teams. Networkers Home's flagship courses include mock interview sessions drilling exactly these question patterns, with feedback from interviewers who have hired for the role.
→ View the complete SOC Analyst interview prep hub
→ View the related Networkers Home course
→ Book a free career consultation
Related MITRE ATT&CK questions
MITRE ATT&CK
Q. What's the difference between MITRE ATT&CK and Cyber Kill Chain?
Cyber Kill Chain (Lockheed Martin, 2011) — linear 7-phase model: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives. Simple, easy to teach, but oversimplified — modern at…
Read full answer →