SOC Analyst Reports ‐ Sample - aeonmike/CyberSecurity-BlueTeam GitHub Wiki

📄 HTB CDSA Incident Report


1. Executive Summary

Provide a high-level overview of the incident for non-technical stakeholders.

On March 31, 2025, suspicious activity was detected within the organization's internal network. An attacker exploited a vulnerable web server, gained access to internal systems, performed privilege escalation, and exfiltrated sensitive data. Swift containment and investigation were carried out to assess the impact and prevent further compromise.


2. Timeline of Events

| Time (UTC) | Event Description |
|---|---|
| 2025-03-31 08:14 | Initial exploitation via web shell on IIS |
| 2025-03-31 08:18 | User svc_backup credentials dumped via LSASS |
| 2025-03-31 08:30 | Lateral movement to DC via SMB |
| 2025-03-31 08:45 | Data exfiltration using Rclone to Dropbox |

3. Tactics, Techniques, and Procedures (TTPs)

| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | IIS web shell deployed |
| Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | LSASS memory dump |
| Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002 | Moved to DC using PsExec |
| Exfiltration | Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Rclone to Dropbox |

4. Indicators of Compromise (IOCs)

🔹 Network IOCs

| Type | Value | Description |
|---|---|---|
| IP | 185.100.87.50 | C2 server |
| Domain | dropbox-api[.]com | Used for exfiltration (defanged) |

🔹 File Hashes

| File Name | SHA256 Hash |
|---|---|
| rclone.exe | a1b2c3d4e5f67890abcdef... |

🔹 Registry/Artifacts

| Key/Value | Description |
|---|---|
| HKCU\Software\Microsoft\Windows\... | Persistence mechanism |

5. Analysis Summary

Host Logs:

  • Found suspicious cmd.exe spawning PowerShell
  • LSASS memory access detected via Sysmon Event ID 10 (ProcessAccess): an unexpected process opened lsass.exe with read access, consistent with a credential dump

Network Logs:

  • Unusual traffic to Dropbox during off-hours
  • SMB traffic spike from compromised server

6. Detection Rules

🔸 Sigma Rule Snippet

```yaml
title: Suspicious Rclone Execution
description: Detects execution of Rclone by image path or by OriginalFileName, so a renamed binary is still caught
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\rclone.exe'
  selection_orig:
    OriginalFileName: 'rclone.exe'
  condition: 1 of selection_*
falsepositives:
  - Legitimate administrative use of Rclone for backups
level: high
```
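The analysis findings in section 5 and the Sigma logic in section 6 can be replayed against Sysmon-style telemetry to check that each indicator from this report actually fires. The following is an added example, not part of the original wiki page or the HTB CDSA material: the events, the field names, the `SMB_THRESHOLD` value and the `LSASS_READ_MASK` constant are assumptions for illustration, and the event records are constructed, not real telemetry. It covers the cmd.exe to PowerShell parent-child chain, lsass.exe access (Sysmon Event ID 10), Rclone execution including a renamed copy, the network IOCs from section 4, and the SMB spike as an aggregate rule.

```python
"""Added example: replay the report's host and network indicators against
constructed Sysmon-style events. Not part of the original wiki page; field
names follow Sysmon EID 1 (process creation), EID 3 (network connection)
and EID 10 (process access); thresholds and samples are assumptions."""
from collections import Counter

# Constructed sample events (not real telemetry).
EVENTS = [
    {"EventID": 1, "Computer": "WEB01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\inetpub\wwwroot\w3wp.exe", "OriginalFileName": "Cmd.Exe"},
    {"EventID": 1, "Computer": "WEB01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "PowerShell.EXE"},
    {"EventID": 10, "Computer": "WEB01", "SourceImage": r"C:\Windows\Temp\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Renamed Rclone: the Image check misses it, OriginalFileName still says rclone.exe
    {"EventID": 1, "Computer": "WEB01", "Image": r"C:\Windows\Temp\svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "rclone.exe"},
    {"EventID": 3, "Computer": "WEB01", "DestinationIp": "185.100.87.50",
     "DestinationPort": 443, "DestinationHostname": ""},
    {"EventID": 3, "Computer": "WEB01", "DestinationIp": "203.0.113.10",
     "DestinationPort": 443, "DestinationHostname": "dropbox-api.com"},
    {"EventID": 3, "Computer": "WEB01", "DestinationIp": "10.0.0.5",
     "DestinationPort": 445, "DestinationHostname": "DC01"},
    {"EventID": 3, "Computer": "WEB01", "DestinationIp": "10.0.0.5",
     "DestinationPort": 445, "DestinationHostname": "DC01"},
    {"EventID": 3, "Computer": "WEB01", "DestinationIp": "10.0.0.5",
     "DestinationPort": 445, "DestinationHostname": "DC01"},
    # Benign control event: a normal svchost.exe under services.exe on another host
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "OriginalFileName": "svchost.exe"},
]

# Network IOCs from section 4 (domain written undefanged so it matches telemetry).
NETWORK_IOCS = {"185.100.87.50": "C2 server", "dropbox-api.com": "exfiltration domain"}
SMB_THRESHOLD = 3       # assumed: TCP/445 connections from one host before flagging a spike
LSASS_READ_MASK = 0x10  # PROCESS_VM_READ: enough to read credential material from lsass


def _ends(value, suffix):
    """Case-insensitive suffix match, matching Sigma's default for |endswith."""
    return value.lower().endswith(suffix.lower())


def rclone_execution(ev):
    """Same logic as the Sigma rule above: image path or OriginalFileName."""
    if ev.get("EventID") != 1:
        return None
    if _ends(ev.get("Image", ""), r"\rclone.exe") or ev.get("OriginalFileName", "").lower() == "rclone.exe":
        return f"rclone run as {ev['Image']} (OriginalFileName={ev.get('OriginalFileName')})"
    return None


def cmd_spawns_powershell(ev):
    """Host finding 1: cmd.exe as the parent of powershell.exe."""
    if ev.get("EventID") != 1:
        return None
    if _ends(ev.get("ParentImage", ""), r"\cmd.exe") and _ends(ev.get("Image", ""), r"\powershell.exe"):
        return f"{ev['ParentImage']} -> {ev['Image']}"
    return None


def lsass_memory_access(ev):
    """Host finding 2: Sysmon EID 10 where lsass.exe is opened with read access."""
    if ev.get("EventID") != 10 or not _ends(ev.get("TargetImage", ""), r"\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & LSASS_READ_MASK:
        return f"{ev['SourceImage']} opened lsass.exe with GrantedAccess={ev['GrantedAccess']}"
    return None


def network_ioc_hit(ev):
    """Section 4 network IOCs applied to EID 3 destination IP or hostname."""
    if ev.get("EventID") != 3:
        return None
    for key in (ev.get("DestinationIp", ""), ev.get("DestinationHostname", "").lower()):
        if key in NETWORK_IOCS:
            return f"connection to {key} ({NETWORK_IOCS[key]})"
    return None


PER_EVENT_RULES = [rclone_execution, cmd_spawns_powershell, lsass_memory_access, network_ioc_hit]


def smb_spikes(events):
    """Aggregate rule: hosts with at least SMB_THRESHOLD outbound TCP/445 connections."""
    counts = Counter(ev["Computer"] for ev in events
                     if ev.get("EventID") == 3 and ev.get("DestinationPort") == 445)
    return {host: n for host, n in counts.items() if n >= SMB_THRESHOLD}


def run(events):
    """Return (rule, host, detail) alerts for the whole event stream."""
    alerts = []
    for ev in events:
        for rule in PER_EVENT_RULES:
            detail = rule(ev)
            if detail:
                alerts.append((rule.__name__, ev["Computer"], detail))
    for host, n in smb_spikes(events).items():
        alerts.append(("smb_spike", host, f"{n} connections to TCP/445"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in run(EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

On the sample stream this yields six alerts: one each for the cmd.exe to PowerShell chain, the lsass.exe access, the renamed Rclone binary and the SMB spike on WEB01, plus two network IOC hits (the C2 IP and the exfiltration domain). The benign svchost.exe event on FS01 produces nothing, which is the check worth keeping when a rule is tuned: the OriginalFileName condition is what catches a renamed Rclone, and the access-mask check keeps ordinary lsass.exe handle opens from firing.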