SOC Investigation

Network Incident Investigation

Public-facing SOC case study documenting suspicious outbound traffic, host-based triage, malicious process correlation, rogue account discovery, plaintext PII exfiltration, containment, validation, and recommendations.

Back to SOC Portfolio View GitHub Repository

01 Overview

Project Overview

This simulated SOC investigation documents suspicious outbound network traffic, host-based triage, account and process correlation, plaintext PII exfiltration, containment actions, and post-remediation validation.

02 Objective

Objective

The objective was to determine the source of suspicious outbound traffic, identify the associated process, validate unauthorized account activity, determine whether sensitive data was exposed, and confirm successful containment.

03 Timeline

Investigation Timeline

09:00Packet capture reviewed in Wireshark.

09:05Suspicious outbound TCP traffic discovered.

09:12Destination IP and port identified.

09:20Endpoint process correlation performed using host tools.

09:35Unauthorized account identified and Event ID 4720 reviewed.

09:50TCP stream followed and plaintext PII exposure confirmed.

10:10Containment completed and traffic stopped.

04 Indicators

Indicators of Compromise

External IP: 75.30.5.55 Compromised Host: 10.10.1.5 Sensor: 10.10.1.55 Port: 1337/TCP Rogue Account: Adm1nistrator Process: WinT0Ols.exe Path: C:\Users\admin\downloads\dist Event ID: 4720

05 Analysis

Analysis

Packet analysis identified suspicious outbound TCP traffic from internal host 10.10.1.5 to external IP 75.30.5.55 over port 1337/TCP. Endpoint triage correlated the connection to a suspicious process named WinT0Ols.exe running from C:\Users\admin\downloads\dist.

Additional host review identified a rogue local account named Adm1nistrator. Event Viewer validation using Windows Event ID 4720 confirmed account creation activity. TCP stream analysis showed plaintext transmission of customer identity data, including names, addresses, and social security numbers.

06 Analyst Notes

Analyst Notes

The combination of unauthorized outbound communication, suspicious process execution, rogue account creation, and plaintext data transfer indicates a compromised endpoint requiring containment and further forensic review.

07 MITRE Mapping

MITRE ATT&CK Mapping

T1041 - Exfiltration Over C2 Channel
T1136 - Create Account
T1071 - Application Layer Protocol
T1059 - Command and Scripting Interpreter

08 Verdict

Final Verdict

Confirmed Host Compromise and Data Exfiltration

The investigation confirmed malicious outbound communication, suspicious process execution, unauthorized account creation, and plaintext exfiltration of personally identifiable information.

09 Recommendations

Recommendations

Implement tighter monitoring for suspicious outbound connections and unusual destination ports.
Alert on unauthorized local account creation events such as Event ID 4720.
Review endpoint process execution paths for suspicious binaries running from user-controlled directories.
Apply egress filtering and endpoint controls to reduce the risk of plaintext data exfiltration.
Restrict execution from user download folders and monitor abnormal process names.

10 Lessons Learned

Lessons Learned

Packet analysis helps detect hidden compromise and data movement.
Network and endpoint evidence create stronger investigations when correlated.
Account creation events are critical indicators during compromise review.
Data exfiltration can occur over plaintext channels when egress controls are weak.

Evidence

Investigation Evidence

Selected screenshots from the investigation workflow. These visuals support the written analysis and help show the investigation process.

Wireshark suspicious outbound traffic evidence

Recommended evidence: suspicious outbound TCP traffic to 75.30.5.55 over port 1337.

Recommended evidence: Windows Event ID 4720 showing unauthorized account creation.

Recommended evidence: host process review showing WinT0Ols.exe execution path.

Back to Investigations Contact Richard