<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Shubham Chaudhary</title>
    <description>The latest articles on DEV Community by Shubham Chaudhary (@xpert4cyber).</description>
    <link>https://dev.to/xpert4cyber</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3949974%2Feaab38f0-db73-45a8-aec6-4f08adb516df.png</url>
      <title>DEV Community: Shubham Chaudhary</title>
      <link>https://dev.to/xpert4cyber</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/xpert4cyber"/>
    <language>en</language>
    <item>
      <title>SonicWall SMA1000 Zero-Days: Breaking Down CVE-2026-15409 and CVE-2026-15410</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Wed, 15 Jul 2026 16:56:25 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/sonicwall-sma1000-zero-days-breaking-down-cve-2026-15409-and-cve-2026-15410-3acm</link>
      <guid>https://dev.to/xpert4cyber/sonicwall-sma1000-zero-days-breaking-down-cve-2026-15409-and-cve-2026-15410-3acm</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fr2mjndhq1zwgctm243ex.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fr2mjndhq1zwgctm243ex.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;br&gt;
SonicWall disclosed two zero-day vulnerabilities in its SMA1000 secure remote access appliances this week — and they're not theoretical. SonicWall has confirmed active exploitation in the wild, and CISA has already added both to its Known Exploited Vulnerabilities catalog.&lt;/p&gt;

&lt;p&gt;If you're running SMA 6210, 7210, or 8200v appliances, this is worth your attention today, not next sprint.&lt;/p&gt;

&lt;h2&gt;
  
  
  The two CVEs
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CVE-2026-15409&lt;/strong&gt; — SSRF vulnerability in the Appliance Work Place interface. CVSS 10.0. No authentication required.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVE-2026-15410&lt;/strong&gt; — Post-auth code injection in the Appliance Management Console. CVSS 7.2. Requires admin-level access.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Individually, the second one looks less alarming since it needs admin credentials. But researchers are seeing both exploited &lt;em&gt;together&lt;/em&gt; — the SSRF flaw appears to be used to reach internal API surfaces, effectively creating a path toward admin-level control, which then unlocks the code injection bug for full remote code execution.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why this matters beyond the CVSS number
&lt;/h2&gt;

&lt;p&gt;A CVSS 10.0 score gets attention, but the interesting engineering lesson here is the &lt;strong&gt;chaining&lt;/strong&gt; — two flaws with different individual risk profiles combining into something much worse than either alone. It's a good reminder that vulnerability triage based on a single CVSS score in isolation can miss compound risk.&lt;/p&gt;

&lt;h2&gt;
  
  
  What to check right now
&lt;/h2&gt;

&lt;p&gt;If you manage these appliances, SonicWall's advisory lists specific log indicators worth hunting for — including unexpected API routes in &lt;code&gt;extraweb_access.log&lt;/code&gt; and suspicious &lt;code&gt;/wsproxy&lt;/code&gt; requests. No workaround exists outside of patching (hotfix versions 12.4.3-03453 / 12.5.0-02835), and SonicWall recommends a full compromise assessment before treating a vulnerable appliance as "patched and done."&lt;/p&gt;

&lt;p&gt;I wrote a full breakdown with the complete attack chain, log-based IOCs, and a step-by-step investigation checklist here:&lt;br&gt;
👉 &lt;a href="https://www.xpert4cyber.com/2026/07/sonicwall-sma1000-critical-vulnerability-cvss-10.html" rel="noopener noreferrer"&gt;https://www.xpert4cyber.com/2026/07/sonicwall-sma1000-critical-vulnerability-cvss-10.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Curious if others here are seeing this actively targeted in their environments, or if your org has already rolled out the hotfix.&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
      <category>networking</category>
      <category>devops</category>
    </item>
    <item>
      <title>You Know 'Tree' as a Dev Tool. Security Teams Weaponize It.</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Wed, 15 Jul 2026 14:29:53 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/you-know-tree-as-a-dev-tool-security-teams-weaponize-it-32el</link>
      <guid>https://dev.to/xpert4cyber/you-know-tree-as-a-dev-tool-security-teams-weaponize-it-32el</guid>
      <description>&lt;h2&gt;
  
  
  &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F47fn3mpw8qkapeozf05k.png" alt=" " width="800" height="800"&gt;
&lt;/h2&gt;

&lt;p&gt;It's 2:55 AM when the SOC phone rings. A mid-sized fintech company just got hit with ransomware — and nobody knows how deep the attacker went.&lt;/p&gt;

&lt;p&gt;Before touching a single log file, the incident responder runs one command most devs associate with basic file listing.&lt;/p&gt;

&lt;p&gt;Within seconds, she has a complete visual map of the file system — and spots a hidden web shell disguised as a static image file, buried three folders deep.&lt;/p&gt;

&lt;h2&gt;
  
  
  The command devs know, security teams weaponize
&lt;/h2&gt;

&lt;p&gt;Most of us learn this command as a way to document project folders or generate a quick README structure. Security professionals use it very differently — as a fast triage tool during incident response, digital forensics, and penetration testing.&lt;/p&gt;

&lt;p&gt;When you land on a potentially compromised host, one of your first questions is simple: &lt;strong&gt;what does this file system actually look like?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Attackers don't always announce themselves. Sometimes it's a single rogue script hidden four directories deep, disguised with a legitimate-looking name — and a flat &lt;code&gt;ls -R&lt;/code&gt; output just buries it in noise.&lt;/p&gt;

&lt;h2&gt;
  
  
  Real-world example: catching a web shell
&lt;/h2&gt;

&lt;p&gt;A web application server starts making unusual outbound connections. EDR flags it. A responder is dispatched.&lt;/p&gt;

&lt;p&gt;Instead of manually navigating with repeated &lt;code&gt;cd&lt;/code&gt; and &lt;code&gt;ls&lt;/code&gt;, they run a targeted scan of the web root and upload directories — and within seconds, spot &lt;code&gt;images/logo_v2.php&lt;/code&gt; sitting inside what should be a static image folder.&lt;/p&gt;

&lt;p&gt;Classic web shell placement. Surfaced visually, instantly.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why it matters for devs too
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;It's read-only and low-impact — safe to run without risking further compromise&lt;/li&gt;
&lt;li&gt;It surfaces hidden dotfiles and persistence mechanisms&lt;/li&gt;
&lt;li&gt;It's faster than GUI file explorers or spinning up forensic tooling&lt;/li&gt;
&lt;li&gt;It works across Linux, macOS, and Windows (via WSL)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you're a developer who's never thought about this command outside of documenting a repo structure, it's worth knowing how security teams actually use it in the field.&lt;/p&gt;

&lt;p&gt;I wrote a full breakdown covering the exact commands, detection use cases, and expert tips here 👇&lt;/p&gt;

&lt;p&gt;🔗 &lt;a href="https://www.xpert4cyber.com/2026/07/tree-command-cybersecurity-soc-analysts.html" rel="noopener noreferrer"&gt;https://www.xpert4cyber.com/2026/07/tree-command-cybersecurity-soc-analysts.html&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;What's your go-to first command when investigating a system issue? Let me know in the comments 👇&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>linux</category>
      <category>devops</category>
      <category>security</category>
    </item>
    <item>
      <title>Hackers Can Hide Their Tracks—Here's How to Catch Them with Linux stat</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Mon, 13 Jul 2026 18:04:11 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/hackers-can-hide-their-tracks-heres-how-to-catch-them-with-linux-stat-30io</link>
      <guid>https://dev.to/xpert4cyber/hackers-can-hide-their-tracks-heres-how-to-catch-them-with-linux-stat-30io</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fo28b2aecs79zgkwey6h1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fo28b2aecs79zgkwey6h1.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Linux #CyberSecurity professionals: Can you really trust a file's timestamp?
&lt;/h1&gt;

&lt;p&gt;Attackers often manipulate Linux file metadata to hide malicious activity, making incident response and DFIR investigations far more challenging than they appear.&lt;/p&gt;

&lt;p&gt;I break down how the &lt;strong&gt;Linux &lt;code&gt;stat&lt;/code&gt; command&lt;/strong&gt; helps security analysts inspect file metadata, identify suspicious timestamp anomalies, and understand the difference between atime, mtime, ctime, and birth time in real-world investigations.&lt;/p&gt;

&lt;p&gt;If you're learning:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Linux Security&lt;/li&gt;
&lt;li&gt;Digital Forensics (DFIR)&lt;/li&gt;
&lt;li&gt;SOC Analysis&lt;/li&gt;
&lt;li&gt;Incident Response&lt;/li&gt;
&lt;li&gt;Threat Hunting&lt;/li&gt;
&lt;li&gt;Ethical Hacking&lt;/li&gt;
&lt;li&gt;Malware Analysis&lt;/li&gt;
&lt;li&gt;Blue Team Operations&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;...this guide is worth bookmarking.&lt;/p&gt;

&lt;p&gt;🔗 Read the complete guide:&lt;br&gt;
&lt;a href="https://www.xpert4cyber.com/2026/07/linux-stat-command-fake-timestamps.html" rel="noopener noreferrer"&gt;https://www.xpert4cyber.com/2026/07/linux-stat-command-fake-timestamps.html&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  LinuxCommands #LinuxAdmin #DFIR #SOC #ThreatHunting #DigitalForensics #IncidentResponse #CyberDefense #EthicalHacking #InfoSec #CyberSecurityTraining #BlueTeam #RedTeam #OpenSource #SysAdmin #MalwareAnalysis #DetectionEngineering #MITREATTACK #SecurityOperations #LinuxTips
&lt;/h1&gt;

</description>
      <category>cybersecurity</category>
      <category>linux</category>
      <category>forensic</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>The Linux locate Command: A Faster Alternative to find (With Security Use Cases)</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Sun, 12 Jul 2026 18:02:16 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/the-linux-locate-command-a-faster-alternative-to-find-with-security-use-cases-3hd6</link>
      <guid>https://dev.to/xpert4cyber/the-linux-locate-command-a-faster-alternative-to-find-with-security-use-cases-3hd6</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fwemgieaa54ajrajvcu50.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fwemgieaa54ajrajvcu50.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;br&gt;
Most devs and sysadmins default to &lt;code&gt;find&lt;/code&gt; when searching for files on Linux.&lt;/p&gt;

&lt;p&gt;But there's a faster, built-in alternative that most people overlook — and it's not just useful for everyday file searches. It's a tool SOC analysts reach for during live incident response, and one attackers use during post-exploitation recon too.&lt;/p&gt;

&lt;p&gt;Here's the short version:&lt;/p&gt;

&lt;p&gt;Instead of scanning the filesystem live like &lt;code&gt;find&lt;/code&gt; does, this command queries a pre-built index of your entire filesystem — which is why it can return results across hundreds of thousands of files in under a second.&lt;/p&gt;

&lt;p&gt;In my latest write-up, I cover:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;How it actually works under the hood (index vs. live scan)&lt;/li&gt;
&lt;li&gt;A real-world example: hunting down a hidden webshell in seconds&lt;/li&gt;
&lt;li&gt;Why this command rarely gets flagged by security tools&lt;/li&gt;
&lt;li&gt;Practical detection &amp;amp; hardening tips if you're on the defensive side&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you work with Linux systems — as a developer, sysadmin, or in security — this is one command worth understanding properly, including its blind spots.&lt;/p&gt;

&lt;p&gt;Full breakdown here:&lt;br&gt;
&lt;a href="https://www.xpert4cyber.com/2026/07/locate-command-linux-security-guide.html" rel="noopener noreferrer"&gt;https://www.xpert4cyber.com/2026/07/locate-command-linux-security-guide.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;What's your go-to command for fast file searches on Linux? Curious if others have used this one in real investigations.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>linux</category>
      <category>devops</category>
      <category>learning</category>
    </item>
    <item>
      <title>The Linux find Command: 20 Real-World Uses for Threat Hunting &amp; Incident Response</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Sat, 11 Jul 2026 17:26:11 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/the-linux-find-command-20-real-world-uses-for-threat-hunting-incident-response-2mka</link>
      <guid>https://dev.to/xpert4cyber/the-linux-find-command-20-real-world-uses-for-threat-hunting-incident-response-2mka</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fodrhkpwch6eeb9rs87um.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fodrhkpwch6eeb9rs87um.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;br&gt;
Wrote up a breakdown of the Linux &lt;code&gt;find&lt;/code&gt; command from a SOC/incident-response angle — not just syntax, but how it's actually used in live investigations.&lt;/p&gt;

&lt;p&gt;Covers things like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Catching a web shell using &lt;code&gt;-mtime&lt;/code&gt; + &lt;code&gt;-perm&lt;/code&gt; checks&lt;/li&gt;
&lt;li&gt;Hunting SUID/SGID binaries for privilege escalation risks&lt;/li&gt;
&lt;li&gt;Spotting world-writable dirs commonly used for malware staging&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Full post here if useful: &lt;a href="https://www.xpert4cyber.com/2026/07/linux-find-command-guide.html" rel="noopener noreferrer"&gt;https://www.xpert4cyber.com/2026/07/linux-find-command-guide.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Curious what commands others reach for first during an incident — always interesting to see how different teams triage under pressure.&lt;/p&gt;

</description>
      <category>security</category>
      <category>linux</category>
      <category>devops</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>The mv Command Mistake That Can Destroy Digital Evidence in Seconds</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Sat, 11 Jul 2026 07:48:13 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/the-mv-command-mistake-that-can-destroy-digital-evidence-in-seconds-52nk</link>
      <guid>https://dev.to/xpert4cyber/the-mv-command-mistake-that-can-destroy-digital-evidence-in-seconds-52nk</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fmj3istw4dw5cbqzhmurc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fmj3istw4dw5cbqzhmurc.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;br&gt;
At 2:47 AM, a junior engineer ran a routine Linux command to quarantine a suspicious file during a live security incident. No malware. No exploit. Just &lt;code&gt;mv&lt;/code&gt; — used without the right flag — and a piece of forensic evidence was gone forever.&lt;/p&gt;

&lt;p&gt;This is a story that plays out more often than most engineers realize. &lt;code&gt;mv&lt;/code&gt; feels harmless because it's one of the first commands anyone learns on Linux. But in security-sensitive work — malware triage, evidence handling, incident response — it can silently overwrite files, break chain of custody, or give attackers an easy way to hide in plain sight.&lt;/p&gt;

&lt;h2&gt;
  
  
  What makes &lt;code&gt;mv&lt;/code&gt; risky
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Silent overwrites&lt;/strong&gt; — by default, &lt;code&gt;mv&lt;/code&gt; replaces existing files with zero warning&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Metadata/timestamp changes&lt;/strong&gt; — cross-filesystem moves can alter data that matters for forensic timelines&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;No built-in audit trail&lt;/strong&gt; — without &lt;code&gt;auditd&lt;/code&gt; or FIM tooling, moves and renames leave no record&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Attackers also use &lt;code&gt;mv&lt;/code&gt; as a living-off-the-land technique — renaming a malicious binary to mimic a legitimate system process name so it blends in and evades casual detection.&lt;/p&gt;

&lt;h2&gt;
  
  
  The safer pattern
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;mv&lt;/span&gt; &lt;span class="nt"&gt;-iv&lt;/span&gt; /tmp/.hidden/update /evidence/CASE-4471-update.bin &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;ls&lt;/span&gt; &lt;span class="nt"&gt;-la&lt;/span&gt; /evidence/
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This prompts before overwriting (&lt;code&gt;-i&lt;/code&gt;), logs the move (&lt;code&gt;-v&lt;/code&gt;), tags the file with a case ID, and verifies the result immediately — the difference between a clean chain of custody and an evidence-handling failure.&lt;/p&gt;

&lt;p&gt;I put together a full breakdown covering the complete &lt;code&gt;mv&lt;/code&gt; command set, real incident response scenarios, and detection methods SOC teams actually use — flags, syntax, &lt;code&gt;auditd&lt;/code&gt; rules, and prevention checklist included.&lt;/p&gt;

&lt;p&gt;👉 Read the full guide here: &lt;a href="https://www.xpert4cyber.com/2026/07/mv-command-guide-soc-analysts.html" rel="noopener noreferrer"&gt;https://www.xpert4cyber.com/2026/07/mv-command-guide-soc-analysts.html&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;What's the closest call you've had with a command like &lt;code&gt;mv&lt;/code&gt;, &lt;code&gt;rm&lt;/code&gt;, or &lt;code&gt;chmod&lt;/code&gt; during a live incident? Curious to hear how other teams handle evidence integrity under pressure.&lt;/em&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fmj3istw4dw5cbqzhmurc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fmj3istw4dw5cbqzhmurc.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>tutorial</category>
      <category>security</category>
      <category>cybersecurity</category>
      <category>learning</category>
    </item>
    <item>
      <title>Why Cybersecurity Professionals Should Master the Linux cp Command</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Thu, 09 Jul 2026 17:53:05 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/why-cybersecurity-professionals-should-master-the-linux-cp-command-4d4j</link>
      <guid>https://dev.to/xpert4cyber/why-cybersecurity-professionals-should-master-the-linux-cp-command-4d4j</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhxddqn1f89kfwthg1lvp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhxddqn1f89kfwthg1lvp.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  The Linux &lt;code&gt;cp&lt;/code&gt; Command Isn't as Harmless as You Think
&lt;/h1&gt;

&lt;p&gt;Most developers use the Linux &lt;code&gt;cp&lt;/code&gt; command every day to copy files and directories.&lt;/p&gt;

&lt;p&gt;But in cybersecurity, the same command is frequently used during post-exploitation, payload staging, persistence, and even data theft.&lt;/p&gt;

&lt;p&gt;Understanding how legitimate Linux utilities can be abused is an important skill for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Linux Developers&lt;/li&gt;
&lt;li&gt;DevOps Engineers&lt;/li&gt;
&lt;li&gt;System Administrators&lt;/li&gt;
&lt;li&gt;Ethical Hackers&lt;/li&gt;
&lt;li&gt;SOC Analysts&lt;/li&gt;
&lt;li&gt;DFIR Investigators&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In my latest guide, I explore the security side of the Linux &lt;code&gt;cp&lt;/code&gt; command, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Why attackers prefer native Linux commands&lt;/li&gt;
&lt;li&gt;Common real-world attack scenarios&lt;/li&gt;
&lt;li&gt;Detection and monitoring strategies&lt;/li&gt;
&lt;li&gt;Defensive best practices&lt;/li&gt;
&lt;li&gt;Practical command examples&lt;/li&gt;
&lt;li&gt;A complete &lt;code&gt;cp&lt;/code&gt; command cheat sheet&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you're working with Linux in development, operations, or security, this guide will help you better understand both the administrative and security implications of one of the most commonly used commands.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;Read the complete guide here:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;
&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://www.xpert4cyber.com/2026/07/hacker-hiding-linux-cp-command.html" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fblogger.googleusercontent.com%2Fimg%2Fb%2FR29vZ2xl%2FAVvXsEjPE9AJ3kLXztDPso9637_-UUPfIRa2G6x4rh7-gq8USKqHExnt_LRZjF5Fbap4dVsCyJ28fXx3coC-mGEelsP4rFkttv8IX_LBszRKb0LTdDmDQYFULhyphenhyphen-yKz1ckiZWBA3db_cvaRlqCWuKorGzlT7wdy-g8cfvO0KjQ6OHrwoORPy8mBPx9gCjSBtOYox%2Fw1600%2Flinux-cp-command-hacker-data-breach.png" height="542" class="m-0" width="800"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://www.xpert4cyber.com/2026/07/hacker-hiding-linux-cp-command.html" rel="noopener noreferrer" class="c-link"&gt;
            I Found a Hacker Hiding in a Single Linux cp Command
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            A routine Linux cp command hid a real breach in progress. See how attackers stage stolen data—and how SOC teams catch it. 
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.xpert4cyber.com%2Ffavicon.ico" width="48" height="48"&gt;
          xpert4cyber.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


&lt;p&gt;I'd also love to hear how your team monitors native Linux command abuse in production environments.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>tutorial</category>
      <category>security</category>
      <category>career</category>
    </item>
    <item>
      <title>Kali Linux 2026.2 Just Dropped — Here's Why Security Professionals Should Pay Attention</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Tue, 07 Jul 2026 17:34:34 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/kali-linux-20262-just-dropped-heres-why-security-professionals-should-pay-attention-5ban</link>
      <guid>https://dev.to/xpert4cyber/kali-linux-20262-just-dropped-heres-why-security-professionals-should-pay-attention-5ban</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F065tcxvpd46m4cqq4err.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F065tcxvpd46m4cqq4err.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;br&gt;
Kali Linux 2026.2 isn't just another maintenance release. It introduces several new capabilities that can significantly improve the workflow of penetration testers, SOC analysts, digital forensics investigators, and security researchers.&lt;/p&gt;

&lt;p&gt;After testing the release, I put together a complete breakdown covering:&lt;/p&gt;

&lt;p&gt;What's actually new in Kali Linux 2026.2&lt;br&gt;
Newly introduced cybersecurity tools&lt;br&gt;
Practical use cases for each tool&lt;br&gt;
Which professionals should upgrade immediately&lt;br&gt;
Installation and upgrade methods&lt;br&gt;
Performance improvements and security enhancements&lt;br&gt;
Real-world penetration testing scenarios&lt;/p&gt;

&lt;p&gt;Rather than repeating the official release notes, I explain what these changes mean from a practical cybersecurity perspective.&lt;/p&gt;

&lt;p&gt;If you're preparing for certifications like OSCP, PNPT, CEH, CRTO, Security+, or you're active in Bug Bounty Hunting, Red Teaming, Blue Team Operations, SOC, DFIR, Threat Hunting, Malware Analysis, or OSINT, this guide is worth reading.&lt;/p&gt;

&lt;p&gt;📖 Full article:&lt;br&gt;
&lt;/p&gt;
&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://www.xpert4cyber.com/2026/07/kali-linux-2026-2-new-hacking-tools.html" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fblogger.googleusercontent.com%2Fimg%2Fb%2FR29vZ2xl%2FAVvXsEh_etNWUSCNvSkBJE-C6bBZpmw6N0YeOVe4aIm2tGb2p_jjZbcvdL8BbSrSFp22ah70AgAedhFshBiDj5xG0_L06ZMM87Qw528FoeG3UQxbWx8E0Y4NNfskYyJtVv9V-FFNnGeTmrDw-RM0K0xDd2sDpukR3AcV7m0A5eb8Wn8YbuEt_C8vm-khlUiEZ1hE%2Fw1600%2Fkali-linux-2026-2-released-new-hacking-tools.png" height="542" class="m-0" width="800"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://www.xpert4cyber.com/2026/07/kali-linux-2026-2-new-hacking-tools.html" rel="noopener noreferrer" class="c-link"&gt;
            Kali Linux 2026.2 Released: 9 New Hacking Tools &amp;amp; Major Upgrades 
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            Kali Linux 2026.2 is here with 9 new hacking tools, kernel 6.19, GNOME 50 &amp;amp; faster VM boots. Full guide to features, tools &amp;amp; upgrades inside.
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.xpert4cyber.com%2Ffavicon.ico" width="48" height="48"&gt;
          xpert4cyber.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


&lt;p&gt;I'd love to hear which new feature or tool you're most excited to try.&lt;/p&gt;

&lt;h1&gt;
  
  
  CyberSecurity #KaliLinux #EthicalHacking #PenTesting #Linux #InfoSec #RedTeam #BlueTeam #SOC #ThreatHunting #OSINT #DFIR #DigitalForensics #BugBounty #SecurityResearch #OpenSource #CyberDefense #LinuxSecurity #MalwareAnalysis #CyberThreats
&lt;/h1&gt;

</description>
      <category>cybersecurity</category>
      <category>learning</category>
      <category>tutorial</category>
      <category>security</category>
    </item>
    <item>
      <title>I Watched rm -rf Wipe a Production Server — Here's the Full rm Command Guide</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Tue, 07 Jul 2026 09:23:57 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/i-watched-rm-rf-wipe-a-production-server-heres-the-full-rm-command-guide-1b5c</link>
      <guid>https://dev.to/xpert4cyber/i-watched-rm-rf-wipe-a-production-server-heres-the-full-rm-command-guide-1b5c</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F2k7p7x308r0utzwrt7ut.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F2k7p7x308r0utzwrt7ut.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;br&gt;
It was 2:47 AM when a junior sysadmin at a fintech company ran one command he thought he understood: &lt;code&gt;rm -rf /var/www/html/*&lt;/code&gt;. He meant to clear a staging folder. He was actually in a root shell on the production server.&lt;/p&gt;

&lt;p&gt;Four seconds later, three years of application code, configs, and customer data were gone. No prompt. No warning. No undo button.&lt;/p&gt;

&lt;p&gt;This isn't a rare story — it's one of the most common root causes behind real server outages reported by SOC teams and cloud providers. Sometimes it's more damaging than an actual cyberattack, because there's no attacker to contain, only data to restore (if backups even exist).&lt;/p&gt;

&lt;h2&gt;
  
  
  A few things most devs get wrong about &lt;code&gt;rm&lt;/code&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;It doesn't send files to a Recycle Bin or Trash — they're unlinked from disk instantly&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;rm -rf&lt;/code&gt; skips confirmation prompts entirely, even for protected files&lt;/li&gt;
&lt;li&gt;Attackers actively abuse it during real intrusions — clearing &lt;code&gt;.bash_history&lt;/code&gt;, wiping &lt;code&gt;/var/log&lt;/code&gt;, and destroying backups to block incident response after ransomware&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Habits that actually prevent this
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;Alias &lt;code&gt;rm&lt;/code&gt; to always confirm: &lt;code&gt;alias rm='rm -i'&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Preview wildcards before deleting: &lt;code&gt;echo *.txt&lt;/code&gt; before &lt;code&gt;rm *.txt&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Visually separate staging vs. production (different prompt colors, hostnames, MOTD banners)&lt;/li&gt;
&lt;li&gt;Keep immutable/offline backups that survive even root-level compromise&lt;/li&gt;
&lt;li&gt;Never run destructive commands from memory — verify with &lt;code&gt;pwd&lt;/code&gt; and &lt;code&gt;ls&lt;/code&gt; first&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;In the full guide, I cover every practical &lt;code&gt;rm&lt;/code&gt; command use case with expected output, how attackers use it for anti-forensics and ransomware cleanup, how SOC teams detect suspicious deletions in logs, and complete prevention strategies for sysadmins and DevOps teams.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://www.xpert4cyber.com/2026/07/rm-command-linux-tutorial.html" rel="noopener noreferrer"&gt;Read the complete tutorial here&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Have you ever run a destructive command against the wrong environment? Drop your story (or your recovery process) in the comments.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>tutorial</category>
      <category>learning</category>
      <category>security</category>
    </item>
    <item>
      <title>rmdir vs rm -r: The Linux Command Difference That Can Cost You Real Evidence</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Mon, 06 Jul 2026 17:56:08 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/rmdir-vs-rm-r-the-linux-command-difference-that-can-cost-you-real-evidence-489o</link>
      <guid>https://dev.to/xpert4cyber/rmdir-vs-rm-r-the-linux-command-difference-that-can-cost-you-real-evidence-489o</guid>
      <description>&lt;h2&gt;
  
  
  The 2 AM Cleanup Mistake
&lt;/h2&gt;

&lt;p&gt;It's 2:47 AM. A SOC analyst is cleaning up a compromised web server after an attacker dropped a staging directory full of webshells. Someone runs &lt;code&gt;rm -r&lt;/code&gt; on a path without checking what else lives in it.&lt;/p&gt;

&lt;p&gt;Three minutes later, the incident lead is asking why production log evidence just vanished — before forensics even got a chance to image the disk.&lt;/p&gt;

&lt;p&gt;This happens more often than people think, and it comes down to one thing: not understanding the difference between a command that fails safely and one that deletes everything in its path.&lt;/p&gt;

&lt;h2&gt;
  
  
  rmdir vs rm -r
&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;rmdir&lt;/code&gt; deletes a directory &lt;strong&gt;only if it's empty&lt;/strong&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;rmdir &lt;/span&gt;myfolder
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If &lt;code&gt;myfolder&lt;/code&gt; has anything inside — a file, a hidden config, a leftover log — this fails with an error. Nothing gets deleted.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;rm -r&lt;/code&gt;, on the other hand, deletes the directory &lt;strong&gt;and everything inside it&lt;/strong&gt;, instantly:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;rm&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; myfolder
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;No check. No warning. No undo without a backup.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why This Matters in Security Work
&lt;/h2&gt;

&lt;p&gt;In SOC and incident response contexts, this isn't just a Linux trivia fact — it's an operational safeguard:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Evidence preservation&lt;/strong&gt; — deleting the wrong directory mid-investigation can destroy artifacts needed for a forensic timeline.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Malware cleanup&lt;/strong&gt; — attackers often leave empty staging folders behind after wiping payloads. Knowing which directories are actually safe to remove is a daily task for responders.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Blast radius reduction&lt;/strong&gt; — a command that fails safely limits the damage of human error, which is one of the top root causes in breach post-mortems.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Useful rmdir Variations
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Remove nested empty directories from the deepest level up&lt;/span&gt;
&lt;span class="nb"&gt;rmdir&lt;/span&gt; &lt;span class="nt"&gt;-p&lt;/span&gt; dir1/dir2/dir3

&lt;span class="c"&gt;# Verbose output — good for audit trails during incident cleanup&lt;/span&gt;
&lt;span class="nb"&gt;rmdir&lt;/span&gt; &lt;span class="nt"&gt;-v&lt;/span&gt; myfolder

&lt;span class="c"&gt;# Suppress errors on non-empty dirs without deleting anything&lt;/span&gt;
&lt;span class="nb"&gt;rmdir&lt;/span&gt; &lt;span class="nt"&gt;--ignore-fail-on-non-empty&lt;/span&gt; myfolder
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  The Takeaway
&lt;/h2&gt;

&lt;p&gt;In production or forensic environments, default to the command that fails loudly, not the one that succeeds silently and takes something important with it.&lt;/p&gt;

&lt;p&gt;I wrote a full deep-dive on this — including real incident response scenarios, detection strategies (auditd, SIEM logging, FIM), and expert cleanup habits — here:&lt;/p&gt;

&lt;p&gt;👉 &lt;a href="https://www.xpert4cyber.com/2026/07/rmdir-vs-rm-linux-command-guide.html" rel="noopener noreferrer"&gt;Full guide: rmdir vs rm -r&lt;/a&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>security</category>
      <category>learning</category>
      <category>beginners</category>
    </item>
    <item>
      <title>The Hidden Security Risk Behind the mkdir Command on Linux</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Sun, 05 Jul 2026 19:01:51 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/the-hidden-security-risk-behind-the-mkdir-command-on-linux-d0b</link>
      <guid>https://dev.to/xpert4cyber/the-hidden-security-risk-behind-the-mkdir-command-on-linux-d0b</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fse60t0hx3w2yfsdvm4fq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fse60t0hx3w2yfsdvm4fq.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;br&gt;
Malware doesn't always hide in obvious places.&lt;/p&gt;

&lt;p&gt;Sometimes it hides in the most boring, most overlooked command in Linux — &lt;code&gt;mkdir&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Every sysadmin and developer uses it dozens of times a day to create folders. That's exactly why attackers love it too. It's benign by design, which means it almost never triggers an alert — making it a favorite low-noise building block for staging cryptominers, building persistence, and evading detection on compromised Linux servers.&lt;/p&gt;

&lt;h2&gt;
  
  
  What this breakdown covers
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;How attackers actually abuse &lt;code&gt;mkdir&lt;/code&gt; in real cryptojacking and botnet campaigns (Kinsing, TeamTNT-style playbooks)&lt;/li&gt;
&lt;li&gt;The logs, indicators, and IOCs SOC teams should actually be hunting for&lt;/li&gt;
&lt;li&gt;Proven detection and prevention strategies (auditd rules, mount restrictions, FIM tools)&lt;/li&gt;
&lt;li&gt;Expert-level triage tips from real SOC investigations&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you work in security, DevOps, or manage Linux infrastructure, this is worth the full read.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;Read the complete technical breakdown here:&lt;/strong&gt;&lt;br&gt;
&lt;a href="https://www.xpert4cyber.com/2026/07/mkdir-command-hide-malware-linux.html" rel="noopener noreferrer"&gt;https://www.xpert4cyber.com/2026/07/mkdir-command-hide-malware-linux.html&lt;/a&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>beginners</category>
      <category>tutorial</category>
      <category>security</category>
    </item>
    <item>
      <title>The cd Command Every SOC Analyst Should Actually Master</title>
      <dc:creator>Shubham Chaudhary</dc:creator>
      <pubDate>Fri, 03 Jul 2026 18:37:51 +0000</pubDate>
      <link>https://dev.to/xpert4cyber/the-cd-command-every-soc-analyst-should-actually-master-3d8n</link>
      <guid>https://dev.to/xpert4cyber/the-cd-command-every-soc-analyst-should-actually-master-3d8n</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fi8qc3wlrd3rjg9wzptul.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fi8qc3wlrd3rjg9wzptul.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;br&gt;
*&lt;em&gt;It's 2:47 AM and a SOC alert just fired&lt;br&gt;
*&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Unusual outbound traffic from a production server. No AI dashboard walking you through it — just a terminal and sixty seconds to figure out if this is a false positive or a live breach.&lt;/p&gt;

&lt;p&gt;First move: cd /var/log. Second move: cd /tmp, because that's where attackers love to stage payloads — it's world-writable, and most people don't think twice about it.&lt;/p&gt;

&lt;p&gt;If you've only ever thought of cd as "how you move around folders," it's worth a second look. In digital forensics and incident response, cd is literally how you trace an attacker's footprints through a compromised system — from an initial web shell drop, through privilege escalation artifacts, into log directories, and finally to whatever persistence mechanism they left behind.&lt;/p&gt;

&lt;p&gt;A few cd patterns that actually matter in production/security work&lt;br&gt;
cd -                    # jump back to your last directory instantly&lt;br&gt;
cd /etc &amp;amp;&amp;amp; pwd           # navigate + confirm location in one line&lt;br&gt;
[ -d /opt ] &amp;amp;&amp;amp; cd /opt   # only cd if the directory exists — critical for scripts run across inconsistent fleets&lt;br&gt;
cd ~username              # inspect a suspicious account's home directory (permissions allowing)&lt;/p&gt;

&lt;p&gt;None of these are advanced. But under pressure, during a live incident, knowing them cold — instead of Googling syntax — is the difference between containing a breach in 20 minutes and still being lost in /usr/share an hour later while data walks out the door.&lt;/p&gt;

&lt;p&gt;*&lt;em&gt;Why this matters beyond the terminal&lt;br&gt;
*&lt;/em&gt;&lt;br&gt;
Attackers know the filesystem just as well as defenders do. /tmp, /var/tmp, and hidden files in user home directories are classic staging grounds — which is exactly why SOC teams build detection around directory activity (auditd rules, bash history correlation, EDR process-tree analysis) rather than just file-content scanning.&lt;/p&gt;

&lt;p&gt;I wrote a full breakdown covering every cd command variation with real SOC context, a complete breach-investigation walkthrough, attacker tradecraft, and detection/hardening strategies — link at the top (canonical) and below if you want to go deeper:&lt;/p&gt;

&lt;p&gt;🔗 &lt;a href="https://www.xpert4cyber.com/2026/07/cd-command-linux-guide.html" rel="noopener noreferrer"&gt;https://www.xpert4cyber.com/2026/07/cd-command-linux-guide.html&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
      <category>linux</category>
      <category>beginners</category>
    </item>
  </channel>
</rss>
