SOC

LD-Deceptive Mail Detected

March 17, 2026

SOC SIEM EDR Log Analysis Phishing AsyncRAT Escalation to L2 True Positive VirusTotal AbuseIPDB

A phishing email with a password-protected ZIP delivered AsyncRAT via a SILENTBUILDER dropper. The victim executed the payload, establishing an active C2 channel and triggering full host reconnaissance before containment.

THM-Phishing Unfolding

March 16, 2026

SOC Splunk Phishing DFIR PowerShell PowerView Powercat DNS Tunneling LNK LOLbins True Positive

LD-Malicious Attachment Detected

March 16, 2026

SOC SIEM EDR Phishing CVE-2017-11882 Xlsx JuicyPotato RCE True Positive VirusTotal AbuseIPDB

Investigation of a phishing email delivering a malicious Excel attachment exploiting CVE-2017-11882, leading to payload download and privilege escalation via JuicyPotato

LD-Suspicious PowerShell Script Executed

March 14, 2026

SOC SIEM EDR PowerShell Fileless Malware Sandbox Evasion True Positive VirusTotal

User Tony downloaded and executed a malicious PowerShell script (payload_1.ps1 / agent3.ps1) classified as trojan.powershell/boxter (Azorult family). The script bypassed execution policy, then fetched and invoked a second-stage payload from kionagranada.com (161.22.46.148), establishing a two-stage C2 chain with a final pivot to 91.236.116.163.

THM-Phishing

March 10, 2026

Splunk SOC SIEM Phishing

Three phishing campaigns were identified across four alerts: a legitimate HR onboarding email (false positive), a fake Amazon delivery notification whose bit.ly link was blocked by the firewall, and a Microsoft account spoofing email from m1crosoftsupport.co whose link was allowed through the firewall

Wazuh + Suricata: injection detection

March 9, 2026

Wazuh SOC EDR SIEM SQL Injection

Detected a SQL Injection attack, observed 85 alerts across 6 rule IDs, and configured automated IP blocking via active response.

HTB-Telly

March 6, 2026

SOC Network Analysis CVE-2026-24061 Telnet Wireshark

An attacker exploited CVE-2026-24061, an authentication bypass in GNU inetutils telnetd, to obtain an unauthenticated root shell, established persistence via linper.sh across multiple cron and systemd locations, and exfiltrated a credit card database before deleting it from the victim server.

Wazuh + Suricata: Malware traffic

March 2, 2026

Wazuh Suricata IDS SOC SIEM EDR

Replayed a malicious PCAP file containing Hancitor dropper traffic that deployed Cobalt Strike, Dridex, and Ficker Stealer. Analyzed 423 Suricata alerts in Wazuh, reconstructed the full infection chain, and mapped findings to MITRE ATT&CK.

Wazuh: SSH Brute Force

February 20, 2026

Wazuh SOC SIEM EDR BruteForce

Simulated an SSH brute force attack using Hydra, observed Wazuh detection across 7 rule IDs, identified a gap in default alerting (max level 10), wrote a custom rule to escalate severity to level 12, and configured automated IP blocking via active response.

HTB-Packet_Puzzle

January 31, 2026

SOC Network Analysis Windows CVE-2024-4577 T1190 Wireshark

Analyzed network traffic showing exploitation of CVE-2024-4577 (PHP-CGI argument injection) against a Windows server running PHP 8.1.25. Attacker achieved RCE, established reverse shell on port 4545, then escalated privileges using GodPotato to spawn a SYSTEM-level shell on port 5555.

↑