SOC Monthly Report
February 2025
Muhammad Syazwan Bin Dzulkifli
Security Analyst | CompTIA Security+
Table of Contents
Executive Summary
Threat Analysis (TP vs FP Classification)
Attack Trend
Incident Response Steps Taken
Security Recommendations
Executive Summary
This report provides an analysis of security events detected in February 2025. The analysis
differentiates between True Positives (TP), which represent real threats, and False Positives (FP),
which are harmless events. Findings from the report include a privileged account creation indicating a
potential backdoor, mass account lockouts suggesting a possible brute force attack, a suspicious cron
job execution which may indicate malware persistence, a large data transfer signaling potential data
exfiltration, and a malware execution involving a detected and quarantined Trojan.
The report concludes with security recommendations, emphasizing the need for enhanced
monitoring, user awareness training and hardening measures to mitigate future risks.
Threat Analysis (TP vs FP Classification)
Case 1: Privileged Account Creation (Event ID 4720)
This case is classified as a True Positive (suspicious). The justification for this classification is based
on the creation of an account named admin_temp with high privileges (Admin +RDP) at 0215H local
time, which is an unusual time for such activity. Additionally, the account was created by SYSTEM
rather than a named administrator, suggesting possible attacker privilege escalation. To further
investigate, it is recommended to review logon/logoff events around the same time, check
PowerShell/CMD execution logs for suspicious activity and correlate with SIEM data for other
anomalous behavior.
Case 2: Mass Account Lockouts (Event ID 4740)
This case is classified as a True Positive (likely brute force attack). The justification includes multiple
failed login attempts (5) before lockout, particularly concerning if the targeted account has high
privileges. To differentiate between a misconfiguration and an attack, it is advised to verify whether
the source (WIN-SERVER02) is a known workstation and review network logs for repeated login
attempts from external IPs.
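Cases 1 and 2 both come down to two detection rules over Windows Security events: a 4720 whose creator is a non-interactive principal (SYSTEM) or whose timestamp falls outside business hours, and a burst of 4740 lockouts from a single caller computer within a short window. The following is an added example written for this report, not code used by the SOC or taken from any vendor; the events are constructed to mirror the two cases, and the field names (TimeCreated, SubjectUserName, TargetUserName, CallerComputerName) are a normalized schema assumed for illustration, so a real SIEM export will need its own field mapping.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample Windows Security events modelled on Cases 1 and 2 (not real
# log data). Field names are a normalized schema assumed for this example; a real
# SIEM export will carry the same information under its own field names.
WINDOWS_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2025-02-12T02:15:00", "SubjectUserName": "SYSTEM",
     "TargetUserName": "admin_temp"},
    {"EventID": 4720, "TimeCreated": "2025-02-14T10:05:00", "SubjectUserName": "j.smith_adm",
     "TargetUserName": "svc_backup"},
    {"EventID": 4740, "TimeCreated": "2025-02-18T09:01:00", "TargetUserName": "alice",
     "CallerComputerName": "WIN-SERVER02"},
    {"EventID": 4740, "TimeCreated": "2025-02-18T09:02:30", "TargetUserName": "bob",
     "CallerComputerName": "WIN-SERVER02"},
    {"EventID": 4740, "TimeCreated": "2025-02-18T09:03:10", "TargetUserName": "carol",
     "CallerComputerName": "WIN-SERVER02"},
    {"EventID": 4740, "TimeCreated": "2025-02-18T09:04:45", "TargetUserName": "dave",
     "CallerComputerName": "WIN-SERVER02"},
    {"EventID": 4740, "TimeCreated": "2025-02-25T14:20:00", "TargetUserName": "erin",
     "CallerComputerName": "WIN-WS17"},
]

# Principals that should never be the creator of an interactive admin account.
NON_INTERACTIVE_CREATORS = {"SYSTEM", "ANONYMOUS LOGON"}


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def flag_account_creations(events, business_start=time(7, 0), business_end=time(19, 0)):
    """Return [(new_account, [reasons])] for every 4720 event that trips a rule:
    created by a non-interactive principal, or created outside business hours."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4720:
            continue
        reasons = []
        if ev["SubjectUserName"].upper() in NON_INTERACTIVE_CREATORS:
            reasons.append(f"created by {ev['SubjectUserName']}, not a named administrator")
        if not business_start <= _ts(ev).time() < business_end:
            reasons.append(f"created at {_ts(ev):%H:%M}, outside business hours")
        if reasons:
            findings.append((ev["TargetUserName"], reasons))
    return findings


def lockout_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {caller_computer: max_lockouts_in_window} for callers whose 4740
    events reach `threshold` inside any sliding window of length `window`.
    Many distinct accounts locked from one source within minutes is the
    password-spraying shape; one user re-locking itself is usually misconfiguration."""
    by_caller = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4740:
            by_caller[ev["CallerComputerName"]].append(_ts(ev))
    bursts = {}
    for caller, times in by_caller.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:   # drop events that fell out of the window
                left += 1
            count = right - left + 1
            if count >= threshold:
                bursts[caller] = max(bursts.get(caller, 0), count)
    return bursts


if __name__ == "__main__":
    for account, reasons in flag_account_creations(WINDOWS_EVENTS):
        print(f"[4720] {account}: " + "; ".join(reasons))
    for caller, count in lockout_bursts(WINDOWS_EVENTS).items():
        print(f"[4740] {caller}: {count} lockouts within 10 minutes")
```

The sliding window matters for the misconfiguration-versus-attack question raised in Case 2: a stale cached credential locks the same account repeatedly over hours, while a spray locks several different accounts from one source in minutes, so the rule keys on the caller computer and the time window rather than on the locked account.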
Case 3: Suspicious Cron Job Execution (Linux auth.log)
This case is classified as a True Positive (malware persistence). The justification centers on a hidden
script (/tmp/.hidden/update.sh) that connects to a suspicious external IP (185.67.89.34) and was
executed as root via crond. Immediate mitigation steps include isolating the affected server,
analyzing update.sh for malicious code and blocking the external IP in the firewall.
Case 4: Failed SSH Logins (Linux auth.log)
This case is classified as a True Positive (brute force attempt). The justification involves multiple
failed login attempts targeting the root account. To confirm the threat, it is recommended to review
/var/log/secure for additional SSH attempts and determine whether the source IP (192.168.1.105)
is internal or external.
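Cases 3 and 4 are both answered by parsing syslog-format lines: counting "Failed password" entries from sshd per source address (and checking whether that source sits in private address space), and catching cron CMD entries whose program lives in a world-writable or hidden path. The block below is an added example for this report, not the SOC's own tooling; the log lines are constructed to mirror the two cases (the sshd lines in the auth.log shape, the cron CMD lines in the shape most distributions write to cron.log or syslog), and the hostname web01 and process IDs are invented.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed syslog-format lines modelled on Cases 3 and 4 (not real log data).
SAMPLE_LOG = """\
Feb 20 03:14:07 web01 sshd[2231]: Failed password for root from 192.168.1.105 port 51234 ssh2
Feb 20 03:14:09 web01 sshd[2231]: Failed password for root from 192.168.1.105 port 51236 ssh2
Feb 20 03:14:12 web01 sshd[2233]: Failed password for invalid user admin from 192.168.1.105 port 51240 ssh2
Feb 20 03:14:15 web01 sshd[2235]: Failed password for root from 192.168.1.105 port 51244 ssh2
Feb 20 03:15:01 web01 sshd[2240]: Failed password for root from 192.168.1.105 port 51250 ssh2
Feb 20 03:30:01 web01 CRON[2301]: (root) CMD (/tmp/.hidden/update.sh)
Feb 20 03:30:01 web01 CRON[2302]: (root) CMD (/usr/bin/apt-get update -q)
Feb 20 08:02:11 web01 sshd[2510]: Failed password for alice from 10.1.2.50 port 40210 ssh2
Feb 20 08:02:20 web01 sshd[2510]: Accepted password for alice from 10.1.2.50 port 40210 ssh2
""".splitlines()

FAILED_SSH_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
CRON_CMD_RE = re.compile(r"CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")

# World-writable locations that legitimate scheduled jobs almost never run from.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def ssh_bruteforce_sources(lines, threshold=5):
    """Return {src_ip: summary} for sources with at least `threshold` failed SSH logins.
    The summary records the targeted users, whether root was among them, and whether
    the source is RFC 1918 space (the internal-vs-external question from Case 4)."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = FAILED_SSH_RE.search(line)
        if m:
            per_src[m["src"]]["attempts"] += 1
            per_src[m["src"]]["users"].add(m["user"])
    findings = {}
    for src, info in per_src.items():
        if info["attempts"] >= threshold:
            findings[src] = {
                "attempts": info["attempts"],
                "users": sorted(info["users"]),
                "root_targeted": "root" in info["users"],
                "internal": ipaddress.ip_address(src).is_private,
            }
    return findings


def suspicious_cron_jobs(lines):
    """Return cron CMD executions whose program lives in a world-writable directory
    or under a dot-prefixed (hidden) path component, noting whether it ran as root."""
    findings = []
    for line in lines:
        m = CRON_CMD_RE.search(line)
        if not m:
            continue
        program = m["cmd"].split()[0]
        hidden = any(part.startswith(".") for part in program.split("/"))
        if program.startswith(SUSPECT_DIRS) or hidden:
            findings.append({"user": m["user"], "command": m["cmd"], "as_root": m["user"] == "root"})
    return findings


if __name__ == "__main__":
    for src, info in ssh_bruteforce_sources(SAMPLE_LOG).items():
        where = "internal" if info["internal"] else "external"
        print(f"SSH brute force from {src} ({where}): {info['attempts']} failures, users={info['users']}")
    for job in suspicious_cron_jobs(SAMPLE_LOG):
        print(f"cron job from suspect path as {job['user']}: {job['command']}")
```

On a real host the same parser can be pointed at /var/log/auth.log (Debian-family) or /var/log/secure (RHEL-family), which is the file Case 4 recommends reviewing; the threshold of five failures matches the lockout count cited in Case 2.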
Case 5: Large Data Transfer (Firewall Logs)
This case is classified as a True Positive (potential data exfiltration). The justification is based on
10GB of data being sent to an external IP (185.23.56.89) over HTTPS, a common exfiltration method.
Further investigation should include checking endpoint logs from 10.1.2.50 to determine if a user
was logged in during the transfer and reviewing data loss prevention (DLP) logs to confirm whether
sensitive data was involved.
Case 6: Port Scan Detection (Firewall Logs)
This case is classified as a False Positive (likely authorized scan). The justification hinges on verifying
with the IT/Security team whether this was an approved internal vulnerability scan. If no prior
approval was granted, the activity should be treated as reconnaissance and investigated further.
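Cases 5 and 6 are both questions asked of the same firewall log: how many bytes each internal host sent to each external address over the period, and which sources touched an unusual number of destination ports. The following is an added example written for this report rather than any firewall vendor's code. The CSV export, its column names, the address 203.0.113.10 and the internal hosts other than 10.1.2.50 are constructed for illustration; the RFC 1918 ranges stand in for the organization's own address space, which is an assumption to replace with the real allocation.

```python
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

GIB = 2 ** 30

# Constructed firewall log export in CSV form (not real data). The column names are
# assumed for this example; real exports use vendor-specific schemas.
_HEADER = "timestamp,src_ip,dst_ip,dst_port,proto,bytes_out,action"
_ROWS = [
    "2025-02-22T23:05:00,10.1.2.50,185.23.56.89,443,tcp,4294967296,allow",   # 4 GiB
    "2025-02-22T23:20:00,10.1.2.50,185.23.56.89,443,tcp,4294967296,allow",   # 4 GiB
    "2025-02-22T23:40:00,10.1.2.50,185.23.56.89,443,tcp,2147483648,allow",   # 2 GiB
    "2025-02-22T09:00:00,10.1.2.51,10.1.0.10,445,tcp,52428800,allow",        # internal copy
    "2025-02-22T12:00:00,10.1.2.52,203.0.113.10,443,tcp,104857600,allow",    # 100 MiB, routine
] + [
    # One source probing ten ports on one host within seconds: the port-scan shape.
    f"2025-02-23T11:00:{i:02d},10.1.3.7,10.1.2.50,{port},tcp,60,deny"
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])
]
FIREWALL_CSV = "\n".join([_HEADER] + _ROWS)

# The organization's own address space (assumed RFC 1918 here); "external" means not in it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def load_rows(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["dst_port"] = int(r["dst_port"])
        r["bytes_out"] = int(r["bytes_out"])
    return rows


def large_external_transfers(rows, threshold_bytes=5 * GIB):
    """Sum allowed outbound bytes per (src, external dst) and return the pairs at or
    above the threshold. Summing per pair catches exfiltration split over many sessions."""
    totals = defaultdict(int)
    for r in rows:
        if r["action"] != "allow" or is_internal(r["dst_ip"]):
            continue
        totals[(r["src_ip"], r["dst_ip"])] += r["bytes_out"]
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


def port_scan_sources(rows, min_ports=10, authorized_scanners=frozenset()):
    """Return sources that touched at least `min_ports` distinct ports on one host.
    Sources on the authorized-scanner list are labelled rather than dropped, so the
    approved-scan case from Case 6 still appears in the record with its verdict."""
    ports = defaultdict(set)
    for r in rows:
        ports[(r["src_ip"], r["dst_ip"])].add(r["dst_port"])
    findings = []
    for (src, dst), seen in ports.items():
        if len(seen) >= min_ports:
            verdict = "authorized scan" if src in authorized_scanners else "investigate"
            findings.append({"src": src, "dst": dst, "ports": len(seen), "verdict": verdict})
    return findings


if __name__ == "__main__":
    rows = load_rows(FIREWALL_CSV)
    for (src, dst), total in large_external_transfers(rows).items():
        print(f"large outbound transfer {src} -> {dst}: {total / GIB:.1f} GiB")
    for f in port_scan_sources(rows, authorized_scanners={"10.1.3.7"}):
        print(f"port activity {f['src']} -> {f['dst']}: {f['ports']} ports, {f['verdict']}")
```

The authorized-scanner list is the mechanism behind the False Positive verdict in Case 6: the detection still fires, but the verdict is recorded as an approved scan rather than reconnaissance, and a source missing from that list is escalated.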
Case 7: Malware Execution (EDR Logs)
This case is classified as a True Positive (Trojan detected). Response steps include scanning
FINANCE-LAPTOP01 for additional malware, checking for lateral movement and resetting the
credentials of the affected user.
Case 8: Legitimate Software Flagged as Malware (EDR Logs)
This case is classified as a True Positive (PUP detection). Confirmation steps involve analyzing
patcher.exe on VirusTotal and verifying with the DevOps team to ensure it is a known and trusted
tool. Whitelisting should only be considered if the file is confirmed safe and digitally signed.
Attack Trend
The analysis of recent security events reveals several concerning attack trends. Brute force attacks
have been observed across both SSH and Windows systems, with multiple failed login attempts
indicating potential credential stuffing or password spraying attempts. Additionally, a backdoor
creation attempt was detected through the suspicious creation of a high-privilege account
(admin_temp) at an unusual time, suggesting possible attacker persistence.
Another critical trend involves data exfiltration, evidenced by a large HTTPS transfer to an external IP
address, which is a common tactic used by threat actors to stealthily extract sensitive information.
Finally, malware execution was confirmed with the detection of a Trojan on a finance department
laptop, highlighting the risk of compromised endpoints leading to further network infiltration.
These trends underscore the need for enhanced monitoring, stronger access controls and proactive
threat hunting measures to mitigate ongoing and future risks.
Incident Response Steps Taken
Upon identifying the security threats, the following immediate containment and remediation actions
were executed:
Security Response | Description
Quarantine of compromised systems | The malware-infected endpoints, including the finance laptop with the detected Trojan, were promptly isolated from the network to prevent further spread.
Account disablement | The suspicious privileged account (admin_temp) was disabled to eliminate potential backdoor access.
IP blocking | The confirmed malicious IP address (185.67.89.34) was blocked at the firewall level to disrupt ongoing malicious communications.
IT security engagement | The IT and security teams were alerted for deeper forensic analysis, including log reviews and threat hunting activities to identify any additional compromises.
Security Recommendations
To mitigate the identified threats and strengthen the organization’s security posture, the following
measures are recommended.
For privileged account monitoring, it is critical to conduct regular audits of administrative account
creations and modifications while enforcing multi-factor authentication (MFA) for all privileged
accounts to prevent unauthorized access.
To protect against brute force attacks, organizations should implement strict account lockout policies
after multiple failed login attempts and apply IP-based rate limiting to restrict repeated authentication
attempts from suspicious sources.
Regarding endpoint hardening, security teams should review and disable unnecessary cron jobs to
reduce the attack surface, as well as restrict script execution from high-risk directories such as /tmp to
prevent malware persistence.
For data loss prevention (DLP), monitoring and alerting on large outbound data transfers particularly
to external IPs is essential, along with enforcing encryption for sensitive data in transit to prevent
exfiltration.
Finally, user awareness training must include regular security education on phishing, social
engineering and malware risks, supplemented by simulated phishing exercises to reinforce threat
recognition and reporting.
Conclusion
February 2025 saw multiple confirmed threats, including malware, brute force attacks and potential
data exfiltration. Immediate actions were taken to mitigate risks, and long-term hardening measures
are recommended to enhance security posture.
Next Steps:
Review firewall rules to block malicious IPs
Conduct a forensic analysis of infected systems
Update detection rules to reduce false positives
*End of Report*