Event ID: 304
Rule Name: SOC326 – Impersonating Domain MX Record Change Detected
Severity: HIGH
Category: Brand Protection / Phishing
Event Time: September 17, 2024 – 12:05 PM
Impacted Asset: LETSDEFEND
Background
Sometimes attackers don’t kick the door down — they quietly make a copy of your house key first.
In this case, the threat actor registered a look-alike domain and configured email infrastructure before launching a phishing campaign. What initially appeared to be an early warning quickly escalated into active exploitation, resulting in a user clicking a malicious link and communicating with attacker-controlled infrastructure.
Event ID: 238
Rule Name: SOC153 – Suspicious PowerShell Script Executed
Severity: HIGH
Category: Endpoint Compromise / Malware
Event Time: March 14, 2024 – 05:23 PM
Compromised Host: Tony (172.16.17.206)
Tony at work opened a suspicious file they probably shouldn’t have. It was like finding a strange USB drive in the parking lot and plugging it into your computer: you don’t know what’s on it, but it starts doing things automatically.
Storing passwords safely is a really important part of running any website or app where people create accounts. When this is done badly, it has led to some of the biggest data leaks ever. Even years later, stolen passwords are still being reused by attackers to break into other accounts.
Below are six common ways passwords have been handled over time, starting with the worst ideas and moving toward safer ones, explained in a simple way.
Alert Name: SOC127 – SQL Injection Detected
Severity: High
Event ID: 235
Event Time: Mar 07, 2024 – 12:51 PM
Category: Web Application Attack
Platform: LetsDefend SOC
This incident shows how someone on the internet tried to trick a website into giving out information it wasn’t supposed to. Instead of breaking in directly, the attacker sent specially crafted messages to the website to see how it would respond.
Even though the website replied with “everything is OK,” it was actually doing things it shouldn’t have in the background.
Alert Name: SOC205 – Malicious Macro has been executed
Severity: High
Event ID: 231
Event Time: Feb 28, 2024 – 08:42 AM
Category: Malware
Platform: LetsDefend SOC
Executive Summary (Management / Business)
On February 28, 2024, a user received a malicious email that appeared to contain a legitimate invoice document. When the user opened the attachment, hidden malicious code inside the document was automatically executed.
This hidden code attempted to connect to an external system controlled by an attacker and download additional harmful software.
Scenario
You are a junior security analyst at a small Japanese cryptocurrency trading company. After detecting suspicious activity on the internal network, you exported a PCAP for further investigation.
Alert Name: SOC138 – Detected Suspicious Xls File
Severity: High
Event ID: 77
Event Time: Mar 13, 2021, 08:20 PM
Category: Malware
Play Book
1. Alert Overview
A high-risk malware alert was triggered due to the detection of a suspicious Excel macro-enabled file (.xlsm) on the host Sofia. Macro-enabled Excel documents are commonly abused to deliver malware via embedded VBA code that downloads and executes malicious payloads.
The file was allowed by the security device, increasing the potential risk of system compromise.
Scenario
Recently the networks of a large company named GothamLegend were compromised after an employee opened a phishing email containing malware. The damage caused was critical and resulted in business-wide disruption. GothamLegend had to reach out to a third-party incident response team to assist with the investigation. You are a member of the IR team - all you have is an encoded PowerShell script. Can you decode it and identify what malware is responsible for this attack?