Case Study — Incident Response / SOC Analysis
Incident Response Capstone: Phishing & Lateral Movement Investigation
This capstone investigates a simulated high-severity incident at HealthSecure Systems, a healthcare software provider. The case study follows the full incident response lifecycle from detection and scoping through containment, eradication, recovery, post-incident review, and long-term security improvement planning.
Status
Completed Case Study
Role
Incident Response Analyst
Severity
High Severity
Incident ID
2025-HSS-IR-002
Executive Summary
What happened
The incident began when a Finance employee interacted with a payroll-themed phishing email. The malicious link led to PowerShell execution on Workstation-23, followed by outbound communication to suspicious infrastructure and attempted lateral movement toward HR payroll and Development DMZ systems.
The investigation classified the event as a high-severity security breach because the attacker demonstrated credential harvesting indicators, command-and-control activity, and attempts to access systems containing sensitive payroll data, Active Directory credentials, and proprietary healthcare application assets.
Evidence Sources
Tools and telemetry reviewed
Video Walkthrough
Capstone presentation
The walkthrough video explains the investigation, evidence, attack flow, response actions, and recommendations.
Attack Chain
Phishing to attempted lateral movement
Payroll-themed phishing email delivered to a Finance employee.
Victim accessed a malicious payroll update link hosted under secure-download.com infrastructure.
Workstation-23 executed an Invoke-WebRequest PowerShell command to download payload.ps1.
The payload showed credential harvesting indicators and generated outbound traffic to 45.77.33.88.
The attacker attempted SMB and RDP access toward HR-SQL01 payroll infrastructure.
The attacker attempted SSH access toward DevAppServer in the Development DMZ using stale jcampbell credentials.
Honeypot telemetry confirmed unauthorized access attempts and helped validate lateral movement behavior.
Timeline
Attack timeline reconstruction
| Time | Event |
|---|---|
| Apr 11, 2025 - 10:05 PM | Phishing email delivered to Finance employee. |
| Apr 12, 2025 - 01:24 AM | Successful logon and suspicious activity observed on Workstation-23. |
| 01:24:18 | PsExec service installation detected. |
| 01:24:39 | Malicious PowerShell Invoke-WebRequest command executed. |
| 01:24:41 | SMB connection toward HR-SQL01 identified. |
| 01:24:55 | RDP session initiated toward HR-SQL01. |
| 01:25:03 | Outbound HTTP communication to 45.77.33.88. |
| 01:25:30 | DNS query to secure-download.com. |
| 01:26:09 | SSH attempt toward DevAppServer detected. |
| 02:11:34 | Honeypot alert triggered using jcampbell credentials. |
IoCs
Indicators of compromise
Malicious domains
maliciousdomain.xyz, secure-download.com, hss-payroll.secure-download.com
External IP
45.77.33.88
Commands / artifacts
Invoke-WebRequest, payload.ps1, PsExecsvc, cmd.exe /c whoami
Affected or targeted systems
Workstation-23, HR-SQL01, DevAppServer
Accounts
finance_user, jcampbell
Protocols
SMB 445, RDP 3389, SSH 22, HTTP 80
MITRE ATT&CK
Technique mapping
Initial Access
Phishing email
Execution
PowerShell Invoke-WebRequest
Credential Access
Cached credential harvesting indicators
Discovery
Internal reconnaissance activity
Lateral Movement
SMB, RDP, and SSH attempts
Command and Control
Outbound HTTP communication
Containment
- Isolated Workstation-23 from the network.
- Blocked malicious domains and external IP infrastructure.
- Restricted SMB, RDP, and SSH traffic between network zones.
- Reset affected credentials and disabled stale employee accounts.
Eradication
- Preserved forensic evidence before remediation.
- Removed malicious PowerShell artifacts and suspicious services.
- Reimaged the compromised workstation from a trusted baseline.
- Performed enterprise-wide IoC scans and corrected logging gaps.
Recovery
- Validated endpoint integrity before reconnecting systems.
- Reviewed HR-SQL01 and DevAppServer for unauthorized access.
- Maintained heightened monitoring across critical systems.
- Verified no confirmed widespread compromise or ransomware deployment was identified.
Evidence Downloads
Project artifacts
Recommendations
Strategic security improvements
Skills Demonstrated