Posts for: #Incident-Response

BTLO Incident Response Case Study: Pranoid

Executive Summary

A forensic review of Linux auditd logs confirms that the host was compromised through an external SSH brute-force attack. The attacker authenticated as a low-privileged user, executed automated system enumeration, escalated privileges using a local sudo vulnerability, accessed sensitive credential material, and attempted basic anti-forensic cleanup. The entire intrusion lifecycle occurred within approximately six minutes.

Scope and Evidence

Primary artifact: audit.log (Linux auditd)
Tools used: aureport, ausearch, manual timeline correlation
Observed timeframe:

SOC205 Case Study: Malicious Macro Execution via Phishing Invoice

Alert Name: SOC205 – Malicious Macro has been executed
Severity: High
Event ID: 231
Event Time: Feb 28, 2024 – 08:42 AM
Category: Malware
Platform: LetsDefend SOC

Executive Summary (Management / Business)

On February 28, 2024, a user received a malicious email that appeared to contain a legitimate invoice document. When the user opened the attachment, hidden malicious code inside the document was automatically executed. This hidden code attempted to connect to an external system controlled by an attacker and download additional harmful software.