LetsDefend is a hands on Blue team training platform where I have completed theory labs as well as practical labs where I respond to tickets based on SOC daily routines. Below are some of the tickets I picked up and worked through.
⭐ Star symbols are used to represent alerts that were generated from a real phishing attack.
Investigation overview
Investigated a medium alert involving a suspicious PowerShell script being run on the host machine "Tony". The alert was provided with reference to a file "payload_1.ps1" which was ran from the user's Download directory. This script attempted to communicate with a known malicious command and control (C2) endpoint.
My investigation steps:
1) Isolation
Knowing the file was already downloaded, I wanted to prevent any potential lateral movement or execution of the program. I immediately isolated "Tony" using the endpoint security system. This allowed me to start my analysis without the risk of the infection spreading further.
2) Web Browser
As the file was downloaded from the web, I found the exact timestamp that the alert noted and reviewed the URL. This matched what was run on our host machine.
3) Malware review
I took the URL and checked it against VirusTotal, where numerous vendors deemed it malicious, with detections around possible C2 activity and a potential PowerShell backdoor.
This confirmed to me that the file was malware.
4) C2 verification
The playbook wanted me to confirm whether the C2 was requested or not. By reviewing the network logs, I could see that there was outbound traffic from the host "Tony" to the malicious C2 IP. This traffic was allowed and was successful, showing that the script had reached the C2 before being contained.
Conclusion
This was a True Positive alert and an example of malware breaching a system. The malware was downloaded and executed, and was not quarantined automatically. Containment only happened once I started investigating and isolated the machine.
My next steps
The next steps I would recommend are to keep the host isolated and escalate to Tier 2 for further investigation, as the script was executed.
Images to support my investigations are below this dropdown.
During this ticket, I was tasked with investigating a high-severity alert related to detected SQL injection activity against the webserver "WebServer1000". The initial alert showed a suspicious HTTP request coming from an external IP (118.194.247.28) that included SQL injection and XSS payloads and an attempt to execute xp_cmdshell to access the /etc/passwd file.
My steps
1) Initial review
Firstly, I began by reviewing the alert details and taking note of the source and destination addresses. The source IP belonged to an external host and should not have been able to gain access. I took this IP to VirusTotal, where the majority of vendors deemed it malicious, which helped me identify that this was not part of planned testing. To double check this, I searched internal emails for keywords such as "test", "pentest" and "SQL" and could not find anything internal.
2) Request Analysis
I then took a deeper look into the HTTP request within the logs. The payload contained a collection of exploitation attempts: SQL injection using "UNION ALL SELECT", XSS, and a remote command execution attempt via "xp_cmdshell". I did some research into this as I was unsure of the combination, and I found that it was more than likely related to exploitation tools like SQLMap.
3) Success Determination
I then wanted to check if the payload landed. I figured the best way would be to see what went out. The response was only 865 bytes, which I felt was too little data to be a database, especially considering the attacker attempted to enumerate tables. I then checked the outbound connections and other devices for signs of lateral movement, but none were found.
I deemed the attack unsuccessful, but a True Positive.
I based my initial decision on the size of the data leaving and made the decision not to push to level 2. (I was wrong)
4) Feedback
However, after completing the lab and getting feedback, I understood that the correct procedure would have been to escalate due to the presence of attempted RCE (xp_cmdshell) and the fact that the payload reached and executed against the server regardless of the amount of output.
This means the attack must be treated as a successful attack and should require further analysis.
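The lesson from the feedback above is that an RCE indicator in the request (xp_cmdshell) should drive escalation on its own, and that response size is context rather than a verdict. The following is an added example, not part of the original write-up, of a small triage helper that decodes a request's query string, looks for the three indicator families seen in this ticket (SQL injection, XSS and command execution) and returns a verdict that escalates whenever a command-execution indicator is present, regardless of how many bytes came back. The log records, the source IPs and the payload strings are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicator families. The "rce" family alone forces escalation: an attempted
# command execution against the server is treated as a success until proven
# otherwise, whatever the size of the response.
RCE_PATTERNS = [r"xp_cmdshell", r"/etc/passwd"]
SQLI_PATTERNS = [
    r"\bunion\b.{0,20}\bselect\b",   # UNION ... SELECT column extraction
    r"information_schema",           # table enumeration
    r"\bor\b\s+1\s*=\s*1",           # tautology-based bypass
]
XSS_PATTERNS = [r"<script\b", r"onerror\s*=", r"javascript:"]


def classify_request(raw_query: str, response_bytes: int) -> dict:
    """Decode one request's query string, collect indicator hits and triage it.

    response_bytes is carried through as supporting context only; it never
    downgrades a request that carries a command-execution indicator.
    """
    decoded = unquote_plus(raw_query).lower()
    hits = {
        "rce": [p for p in RCE_PATTERNS if re.search(p, decoded)],
        "sqli": [p for p in SQLI_PATTERNS if re.search(p, decoded)],
        "xss": [p for p in XSS_PATTERNS if re.search(p, decoded)],
    }
    if hits["rce"]:
        verdict = "escalate"      # attempted RCE: Tier 2 regardless of output size
    elif hits["sqli"] or hits["xss"]:
        verdict = "investigate"   # confirm whether the injection returned data
    else:
        verdict = "benign"
    return {"hits": hits, "verdict": verdict, "response_bytes": response_bytes}


# Constructed records: (source IP, raw query string, response size in bytes).
# The IPs use documentation ranges; the payloads are simplified illustrations.
CONSTRUCTED_REQUESTS = [
    ("203.0.113.10", "id=1%27+UNION+ALL+SELECT+NULL%2Cversion%28%29--", 865),
    ("203.0.113.10", "id=1%3B+exec+master..xp_cmdshell+%27cat+/etc/passwd%27--", 865),
    ("198.51.100.7", "id=42&page=2", 4120),
]


def triage(records):
    """Return (source IP, verdict) for each record so the analyst sees what to raise."""
    return [(src, classify_request(query, size)["verdict"]) for src, query, size in records]


if __name__ == "__main__":
    for src, verdict in triage(CONSTRUCTED_REQUESTS):
        print(f"{src:15} {verdict}")
```

Note that the second constructed request produces the same 865-byte response as the first, yet it is escalated because of the xp_cmdshell indicator, which is exactly the distinction the lab feedback drew.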
5) Closing notes
Whilst I managed to identify this attack as a true positive, and even though no evidence of exfiltrated data was observed during my review, it still should be treated as a high-risk scenario that requires escalation.
6) New next steps
Raise to T2 for deeper analysis and recommend reviewing current security on the accesses to databases, and monitor these IPs and consider blocking them.
During this incident, I investigated a security alert relating to a phishing email containing a malicious Excel attachment that utilised Excel 4.0 macros. The alert indicated that the email was delivered to the user and was flagged due to the presence of Excel 4.0 macros.
My steps
1) Initial review
Firstly, I began by reviewing the alert details and identifying the sender, recipient, and device action. The email originated from the external sender trenton@tritowncomputers.com and was sent to the internal user lars@letsdefend.io. The device action was marked as Allowed, confirming that the email was successfully delivered to the user’s mailbox.
The email subject “RE: Meeting Notes” appeared generic and lacked legitimate context, which raised suspicion. The email contained a ZIP attachment, which was immediately treated as potentially malicious due to its delivery method and alert classification.
2) Attachment analysis
I proceeded to analyse the attachment in a secure, isolated environment. The ZIP file (11f44531fb088d31307d87b01e8eabff.zip) contained an Excel file (research-1646684671.xls) and two DLL files (iroto.dll, iroto1.dll). Static analysis revealed that the Excel file used Excel 4.0 (XLM) macros rather than standard VBA macros, a known technique used by attackers to evade detection.
The attachment and its contents were submitted to VirusTotal, where multiple security vendors flagged the files as malicious and associated them with Trojan activity, further confirming malicious intent.
3) Execution determination
To determine whether the malicious attachment was opened or executed, I reviewed Log Management for any outbound connections associated with known command-and-control (C2) infrastructure linked to the malware.
Proxy logs confirmed outbound HTTPS requests originating from excel.exe to the malicious domains nws.visionconsulting.ro and royalpalm.sparkblue.lk. These connections occurred shortly after the email was delivered and were not browser-initiated, confirming that the Excel file was opened and the embedded macros executed successfully.
Based on this evidence, I confirmed that the malicious file was opened and executed, establishing this incident as a True Positive.
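Both this ticket and the PowerShell ticket above came down to the same check: was there allowed outbound traffic from the affected host to a known indicator, and which process made it? The following is an added example, not part of the original write-up, of a log matcher that parses constructed proxy/firewall records, keeps only those whose destination is in an indicator set, optionally limits them to a time window after the delivery event, and then reports which hosts show a successful connection from a process that is not a browser (the signal used above to conclude that excel.exe opened the macro). The log line format, the host names, the process names and the C2 IP 203.0.113.55 are constructed; the two domains come from the ticket.

```python
import re
from datetime import datetime, timedelta

# Constructed key=value log format used for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"port=(?P<port>\d+) action=(?P<action>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Indicator set: the two domains from the ticket plus a constructed C2 IP.
IOCS = {"nws.visionconsulting.ro", "royalpalm.sparkblue.lk", "203.0.113.55"}

# Processes that should not normally originate their own outbound HTTPS traffic.
# A hit from one of these is much stronger evidence of execution than a browser hit.
NON_BROWSER_PROCS = {"excel.exe", "winword.exe", "powershell.exe", "mshta.exe"}


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["port"] = int(rec["port"])
    return rec


def find_c2_contacts(lines, iocs=IOCS, after=None, window_hours=1):
    """Return records whose destination is an indicator.

    after: optional timestamp string (same format as the log) marking the delivery
    event; when given, only contacts within window_hours of it are returned.
    """
    start = datetime.strptime(after, TS_FMT) if after else None
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in iocs:
            continue
        if start is not None and not (start <= rec["ts"] <= start + timedelta(hours=window_hours)):
            continue
        rec["successful"] = rec["action"] == "allowed"
        rec["non_browser"] = rec["proc"].lower() in NON_BROWSER_PROCS
        hits.append(rec)
    return hits


def confirmed_execution_hosts(hits):
    """Hosts with at least one allowed contact from a non-browser process."""
    return {h["host"] for h in hits if h["successful"] and h["non_browser"]}


# Constructed sample log: one allowed PowerShell beacon, two allowed excel.exe
# contacts, benign browser traffic, and a blocked browser contact hours later.
CONSTRUCTED_LOGS = [
    "2024-03-07T14:05:12Z host=Tony proc=powershell.exe dst=203.0.113.55 port=443 action=allowed",
    "2024-03-07T14:05:13Z host=Tony proc=chrome.exe dst=example.org port=443 action=allowed",
    "2024-03-07T14:06:40Z host=Lars-PC proc=excel.exe dst=nws.visionconsulting.ro port=443 action=allowed",
    "2024-03-07T14:06:41Z host=Lars-PC proc=excel.exe dst=royalpalm.sparkblue.lk port=443 action=allowed",
    "2024-03-07T16:30:00Z host=Kiosk proc=chrome.exe dst=203.0.113.55 port=443 action=blocked",
]


if __name__ == "__main__":
    hits = find_c2_contacts(CONSTRUCTED_LOGS, after="2024-03-07T14:00:00Z")
    for h in hits:
        print(h["ts"], h["host"], h["proc"], h["dst"], "allowed" if h["successful"] else "blocked")
    print("confirmed execution on:", sorted(confirmed_execution_hosts(hits)))
```

The time window matters in practice: a contact to an indicator long before the email arrived, or from a different host, points to a different story than the one in the alert, so it is worth keeping that filter explicit rather than matching on destination alone.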
4) Containment actions
Following confirmation of execution, the malicious email was deleted from the user’s mailbox to prevent further interaction. Relevant indicators of compromise, including file hashes, domains, and IP addresses, were noted (examples under drop-down) for potential blocking and further investigation.
5) Closing notes
This incident showed a confirmed phishing attack that resulted in malware being executed and communication with a C2 server happening. While no evidence of further payload deployment or data exfiltration was observed during this investigation, the fact that the malware was able to be executed shows a dangerous security risk that should be looked into further.
6) Advised next steps
Escalate the incident to Tier 2 for deeper endpoint analysis
Review the affected host for persistence mechanisms or additional dropped files
Block identified C2 domains and related indicators
Review email security controls related to Excel 4.0 macro handling
Reinforce user awareness around email attachments and reply-themed phishing lures
During this ticket, stepping into it, I had no prior knowledge of this vulnerability, so I did some research behind the CVE. I located a SANS page, "Critical SharePoint Zero-Day Exploited: What You Need to Know About CVE-2025-53770" (reference at the end of the investigation). After gathering a bit of background on the CVE, I found that it is an actively exploited zero-day that uses SharePoint to allow attackers to bypass authentication, with the aim of conducting remote code execution by spoofing a Referer header.
I then found another source from Picus Security that breaks down the attack and shows exactly what the attackers will be sending. In this case, it would be an HTTP POST to the endpoint "/_layouts/15/ToolPane.aspx?DisplayMode=Edit", and the previously mentioned Referer header would be pointing to "/layouts/15/signout.aspx".
My steps
1) Initial review
After my study of CVE-2025-53770, and at a glance from the alert notes, I knew something malicious was in progress. The presence of an unauthenticated POST request to ToolPane.aspx with a spoofed SignOut.aspx referer strongly suggested active exploitation.
2) Endpoint Analysis
I focused on what had happened at the endpoint. Firstly, I contained the SharePoint01 server to prevent any further action. After a review of the endpoint, there were suspicious child processes spawning on the device as well as encoded PowerShell being executed. I then conducted a review of the file system and identified the creation of an unauthorised .aspx file within the SharePoint layouts directory, indicating that the attacker was able to write files to the server.
3) Execution determination
Execution was confirmed through the multiple artefacts observed on the endpoint. Encoded PowerShell commands were executed, and evidence of a payload being executed was observed. Finally, the presence of the web shell spinstall0.aspx confirmed that remote code execution was achieved and persistence was established.
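The two artefacts that decided this ticket, the spoofed-referer POST to ToolPane.aspx and a new .aspx file in the layouts directory, are both easy to check for mechanically across a SharePoint estate. The following is an added example, not part of the original write-up or of any vendor guidance, of a Python helper that reads W3C-style IIS log lines (using the "#Fields:" header to map columns) and flags POST requests to ToolPane.aspx with DisplayMode=Edit whose Referer ends in signout.aspx, and a second helper that picks out .aspx files created under a TEMPLATE\LAYOUTS path from file-creation telemetry. The log lines, the client IPs, the user names, the file paths and the tuple shape of the file events are all constructed for the example; the request pattern and the web shell name come from the ticket.

```python
import re
from urllib.parse import parse_qs

# Assumption: file-creation telemetry reaches us as (path, creating process) tuples.
# The layouts directory is matched by its "\TEMPLATE\LAYOUTS\" path segment.
LAYOUTS_DIR_RE = re.compile(r"[\\/]template[\\/]layouts[\\/]", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the last '#Fields:' header.

    W3C logs write '-' for an empty field; that marker is normalised to ''.
    """
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = ["" if v == "-" else v for v in line.split()]
        yield dict(zip(fields, values))


def is_toolpane_exploit_attempt(rec) -> bool:
    """Match the request shape described for CVE-2025-53770 in the ticket."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    if not rec.get("cs-uri-stem", "").lower().endswith("/_layouts/15/toolpane.aspx"):
        return False
    query = {k.lower(): v for k, v in parse_qs(rec.get("cs-uri-query", "")).items()}
    display_edit = query.get("displaymode", [""])[0].lower() == "edit"
    referer = rec.get("cs(Referer)", "").lower().rstrip("/")
    return display_edit and referer.endswith("signout.aspx")


def find_exploit_attempts(lines):
    """Return matching records with an 'unauthenticated' flag (empty cs-username)."""
    attempts = []
    for rec in parse_w3c(lines):
        if is_toolpane_exploit_attempt(rec):
            rec["unauthenticated"] = rec.get("cs-username", "") == ""
            attempts.append(rec)
    return attempts


def suspicious_layouts_writes(events):
    """Return (path, process) for new .aspx files written under TEMPLATE\\LAYOUTS."""
    return [
        (path, proc)
        for path, proc in events
        if LAYOUTS_DIR_RE.search(path) and path.lower().endswith(".aspx")
    ]


# Constructed IIS log: a normal authenticated GET, the suspicious unauthenticated
# POST from an external address, and a legitimate authenticated edit POST.
CONSTRUCTED_IIS_LOG = [
    "#Software: Microsoft Internet Information Services",
    "#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(Referer) sc-status",
    "2025-07-19 10:14:58 GET /_layouts/15/start.aspx - CORP\\alice 10.0.0.5 - 200",
    "2025-07-19 10:15:02 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit - 203.0.113.77 /layouts/15/signout.aspx 200",
    "2025-07-19 10:15:30 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit CORP\\bob 10.0.0.8 /_layouts/15/ToolPane.aspx 200",
]

# Constructed file-creation events; the full path to the layouts directory is assumed.
CONSTRUCTED_FILE_EVENTS = [
    (r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx", "w3wp.exe"),
    (r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\1033\styles.css", "w3wp.exe"),
]


if __name__ == "__main__":
    for a in find_exploit_attempts(CONSTRUCTED_IIS_LOG):
        print("exploit attempt from", a["c-ip"], "unauthenticated:", a["unauthenticated"])
    for path, proc in suspicious_layouts_writes(CONSTRUCTED_FILE_EVENTS):
        print("new .aspx in layouts directory:", path, "by", proc)
```

The referer check is deliberately loose (any path ending in signout.aspx) because the two sources cited above spell the path differently; the file check is deliberately broad (any new .aspx under LAYOUTS, not just spinstall0.aspx) because the web shell name is the easiest thing for an attacker to change.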
4) Containment actions
Due to the confirmed persistence on the SharePoint server and evidenced exploitation, the incident was escalated. The affected host and malicious artefacts were flagged as this is an active security incident rather than a failed attack attempt.
5) Closing notes
This investigation confirms that exploitation of CVE-2025-53770 on SharePoint01 was successful, and that the attacker got well past initial access, with post-exploitation actions being conducted.
6) Advised next steps
Based on my findings, I handed it to escalations for further review, but my recommendations would be around eradicating the threat from the SharePoint server, as well as remediation actions such as a full review of the SharePoint server to ensure no attacker access remains, followed by work on preventing this from happening again.