This post walks through the investigation of a security incident case named SOC336 using letsdefend.io, specifically analyzing a phishing email with a malicious attachment designed to compromise a victim’s machine.

Introduction

Phishing attacks remain one of the most prevalent cybersecurity threats, often serving as the initial vector for malware and ransomware infections. This article provides an in-depth analysis of a phishing incident investigation using LetsDefend.io, a security operations center (SOC) training platform. The case study involves a malicious email with an attachment designed to exploit a remote code execution (RCE) vulnerability.

Incident Overview

The alert was triggered on February 4 at 4:18 PM due to a Remote Code Execution (RCE) vulnerability on a Windows system.

The phishing email was sent to an employee named Austin, with the subject:
➜ “Action Required for Upcoming Project Deadline”

The malicious attachment was an RTF document that, when opened, executed an exploit to gain control of the system.

Understanding the Security Incident

The incident began when the SOC received an alert on February 4 at 4:18 PM, indicating the detection of an RCE vulnerability being exploited on a Windows system. The investigation revealed that the phishing email was sent to a recipient named Austin at LetsDefend.io, with the subject line “Action Required for Upcoming Project Deadline.”

The Malicious Payload

The phishing email contained an RTF document attachment designed to exploit a vulnerability. Upon opening the attachment:

  • The exploit caused Outlook to spawn a CMD process, which carried out further malicious activity.
  • The malware attempted to disable security defenses by unregistering DLLs (DLL manipulation).
  • A connection to a remote C2 server was established so the attacker could keep control of the compromised system.

Step-by-Step Investigation

1. Taking Ownership of the Incident

The first step was to claim the alert and follow the SOC investigation playbook. This involved:

  • Identifying the initial infection vector (the phishing email and its attachment).
  • Analyzing the affected system and relevant logs.
  • Tracking malware execution using process monitoring.

2. Process Analysis

An in-depth analysis of Windows system processes revealed the following sequence:

  1. Outlook received the email and opened the RTF attachment.
  2. The attachment executed a CMD process, which launched further system commands.
  3. The system attempted to register and unregister DLL files, manipulating registry entries to evade detection.
  4. The malware established communication with a Command-and-Control (C2) server, confirming its execution.

3. Network and Log Investigation

To confirm external communication, investigators analyzed network logs:

  • The attack was linked to an external IP (84.xxx.xxx.118), indicating data exfiltration.
  • Port 80 was used, suggesting HTTP-based C2 communication.
  • System logs showed that a malicious shell script had been downloaded from the attacker’s server.
  • Endpoint security logs showed no quarantine activity, meaning that antivirus solutions did not block the attack.

Containment and Mitigation

To prevent further damage, the SOC team implemented containment measures:

  • Isolating the compromised machine from the network.
  • Identifying Indicators of Compromise (IoCs) including:
    • The attacker’s C2 IP address.
    • The malicious email sender’s address.
    • The malware file name and potential hash values.
  • Marking the alert as a True Positive after completing the investigation.
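The Process Analysis, Network and Log Investigation, and IoC identification steps above can be expressed as detection logic over endpoint telemetry. The script below is an added example, not code from the LetsDefend case or the author; it runs over constructed process-creation and network-connection events (the dict fields, the host name WS-AUSTIN, the pids and the RFC 5737 address 203.0.113.45 standing in for the redacted C2 IP are all assumptions). It assumes regsvr32 as the DLL register/unregister mechanism, since the case only says "DLL manipulation", and it treats the RFC 1918 ranges as the organisation's internal address space. It reconstructs the Outlook to cmd to regsvr32 chain, flags the external port 80 connection from that chain, and extracts the IoCs an analyst would record.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon EID 1 style, simplified).
PROCESS_EVENTS = [
    {"host": "WS-AUSTIN", "pid": 4120, "ppid": 880,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"host": "WS-AUSTIN", "pid": 5212, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c regsvr32 /u /s C:\Users\austin\AppData\Local\Temp\update.dll"},
    {"host": "WS-AUSTIN", "pid": 5308, "ppid": 5212,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /u /s C:\Users\austin\AppData\Local\Temp\update.dll"},
    # Benign noise: a cmd.exe the user started from Explorer (ppid 1500).
    {"host": "WS-AUSTIN", "pid": 6000, "ppid": 1500,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

# Constructed network-connection events (Sysmon EID 3 style, simplified).
# 203.0.113.45 (RFC 5737 documentation range) stands in for the redacted C2 IP.
NETWORK_EVENTS = [
    {"host": "WS-AUSTIN", "pid": 5308, "dst_ip": "203.0.113.45", "dst_port": 80},
    {"host": "WS-AUSTIN", "pid": 4120, "dst_ip": "10.0.0.5", "dst_port": 443},  # mail server, benign
]

OFFICE_IMAGES = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# regsvr32 with /u unregisters a DLL (COM server); assumed as the "DLL manipulation" seen in the case.
UNREGISTER_RE = re.compile(r"regsvr32(?:\.exe)?\b.*?\s/u\b", re.IGNORECASE)
DLL_PATH_RE = re.compile(r"(\S+\.dll)\b", re.IGNORECASE)
# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_children(process_events):
    """Map parent pid -> list of child process events."""
    children = defaultdict(list)
    for ev in process_events:
        children[ev["ppid"]].append(ev)
    return children


def descendants(root_pid, children):
    # Breadth-first walk of every process under root_pid (root itself excluded).
    found, queue = [], [root_pid]
    while queue:
        pid = queue.pop(0)
        for child in children.get(pid, []):
            found.append(child)
            queue.append(child["pid"])
    return found


def investigate(process_events, network_events):
    """Rule 1: Office client spawns a shell interpreter.
    Rule 2: regsvr32 /u anywhere in that process chain.
    Rule 3: any process in the chain connects to an external address."""
    children = build_children(process_events)
    findings, iocs = [], {"ips": set(), "files": set()}
    for parent in process_events:
        if image_name(parent["image"]) not in OFFICE_IMAGES:
            continue
        for child in children.get(parent["pid"], []):
            if image_name(child["image"]) not in SHELL_IMAGES:
                continue
            findings.append(f"{image_name(parent['image'])} (pid {parent['pid']}) spawned "
                            f"{image_name(child['image'])} (pid {child['pid']})")
            chain = [child] + descendants(child["pid"], children)
            chain_pids = {p["pid"] for p in chain}
            for proc in chain:
                if UNREGISTER_RE.search(proc["cmdline"]):
                    findings.append(f"pid {proc['pid']} unregisters a DLL: {proc['cmdline']}")
                    iocs["files"].update(DLL_PATH_RE.findall(proc["cmdline"]))
            for conn in network_events:
                if conn["pid"] in chain_pids and is_external(conn["dst_ip"]):
                    findings.append(f"pid {conn['pid']} connected to external "
                                    f"{conn['dst_ip']}:{conn['dst_port']}")
                    iocs["ips"].add(conn["dst_ip"])
    verdict = "True Positive" if findings and iocs["ips"] else "Inconclusive"
    return {"findings": findings, "iocs": {k: sorted(v) for k, v in iocs.items()}, "verdict": verdict}


if __name__ == "__main__":
    report = investigate(PROCESS_EVENTS, NETWORK_EVENTS)
    for line in report["findings"]:
        print("[!]", line)
    print("IoCs:", report["iocs"], "Verdict:", report["verdict"])
```

The benign cmd.exe started from Explorer is never flagged because rule 1 only fires for children of an Office process, and the Outlook connection to the internal mail server is ignored because it is not external; the verdict only becomes True Positive when the shell chain is tied to an outbound connection, which mirrors how the C2 evidence confirmed execution in the case.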

Lessons Learned

  1. Employee Awareness: Phishing awareness training is critical to reducing the likelihood of successful attacks.
  2. Endpoint Monitoring: Continuous monitoring of email attachments and CMD execution can provide early detection.
  3. Incident Playbooks: Following structured investigation playbooks helps SOC analysts conduct thorough and efficient investigations.
  4. Threat Intelligence Sharing: Documenting IoCs and sharing them with threat intelligence platforms enhances overall security.

Video Walkthrough

๐Ÿ” Summary

  • ๐Ÿ›ก๏ธ Security Incident Overview: The video provides a walkthrough of investigating a phishing email case on the LetsDefend platform. The email contained a malicious RTF attachment aimed at compromising a Windows machine.
  • ๐Ÿ“… Incident Timeline: The attack was detected on February 4 at 4:18 PM, where the security solution flagged a Remote Code Execution (RCE) vulnerability being exploited. The email was sent to Austin at LetsDefend.io, with the subject “Action Required for Upcoming Project Deadline.”
  • ๐Ÿ“‚ Malicious File Analysis: The RTF document attachment contained an exploit that, when opened, triggered CMD execution from Outlook, which led to the registration of a DLL (Dynamic Link Library) aimed at unregistering security measures on the system.
  • ๐Ÿ”ฌ Investigation Process:
    • Ownership of the alert was taken to start the investigation.
    • Playbook was initiated to analyze indicators of compromise (IOCs).
    • Malware containment analysis was performed by checking log management and endpoint security logs.
  • ๐Ÿ–ฅ๏ธ Process Analysis:
    • The Outlook email client launched CMD, which executed commands to compromise the system.
    • The malicious command targeted the registry to register or unregister a DLL.
    • Network logs confirmed communication with a Command-and-Control (C2) server, which provided further evidence of a successful malware execution.
  • ๐ŸŒ Network Analysis:
    • The attack established communication with an external C2 server at 84.xxx.xxx.118.
    • A port 80 connection was established, confirming shell access to the victim’s machine.
    • Browser history showed no suspicious URLs, reinforcing that the attack was executed via email rather than a malicious website.
  • ๐Ÿ” Log Investigation:
    • The attack sequence was reconstructed by analyzing endpoint activity and correlating logs.
    • Malware was not quarantined, as no Windows Defender activity was detected.
    • Log analysis confirmed data exfiltration attempts and the presence of a malicious shell script downloaded from the attacker’s server.
  • ๐Ÿ› ๏ธ Containment and Conclusion:
    • The compromised machine was isolated to prevent further damage.
    • The security team identified Indicators of Compromise (IoCs) including the attackerโ€™s IP, email address, and file name.
    • Final assessment marked the case as a True Positive phishing attack.
About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.