SOC Analyst Simulation - Aziz Alghamdi

Alerts

Dashboard

Playbooks

Cases

Reports

Potential Ransomware Activity Detected Critical

EDR - Endpoint 192.168.1.45 15 minutes ago
Multiple Failed Login Attempts High

Authentication - VPN Gateway 32 minutes ago
Suspicious PowerShell Command Execution High

EDR - Endpoint 192.168.1.23 47 minutes ago
Data Exfiltration Attempt Detected Critical

IDS - Network Sensor 3 1 hour ago
Unusual Authentication Time Medium

Authentication - Office 365 1.5 hours ago
Unencrypted Data Transfer Detected Medium

DLP - Web Proxy 2 hours ago
Outdated Software Version Low

Vulnerability Scanner 3 hours ago
SSL Certificate Expiring Soon Low

Certificate Monitor 4 hours ago

Potential Ransomware Activity Detected

Severity: Critical

Source: EDR - Endpoint 192.168.1.45

Detected: May 1, 2025 10:45 AM

User: jsmith@company.com

Alert ID: EDR-RW-20250501-001

Alert Description

The EDR system detected multiple suspicious activities consistent with ransomware behavior on endpoint 192.168.1.45. This includes mass file encryption attempts, deletion of shadow copies, and communication with known malicious command and control servers.

Detected Activities

Timestamp	Activity	Details	Severity
10:42:15 AM	Process Creation	Suspicious PowerShell command with encoded parameters	High
10:43:22 AM	Command Execution	vssadmin delete shadows /all /quiet	Critical
10:43:48 AM	Registry Modification	Multiple registry keys associated with persistence	High
10:44:05 AM	Network Connection	Connection to known C2 server (185.122.58.12)	Critical
10:44:37 AM	File System Activity	Multiple file extension changes (.doc → .encrypted)	Critical

System Information

Hostname	DESKTOP-FINANCE03
IP Address	192.168.1.45
User	jsmith@company.com (John Smith - Finance Department)
Operating System	Windows 10 Pro 21H2 (OS Build 19044.2251)
Last Patch	April 28, 2025

PowerShell Command Details

Encoded Command

                                powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc
                                JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZ
                                QByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQAxAFYAVwBhACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQB
                                jAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsA
                            

Decoded (Partial Analysis)

                                $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAAA1VWa"));
                                IEX (New-Object IO.StreamReader(New-Object
                                IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
                            

Recommended Actions

Isolate the affected endpoint immediately to prevent lateral movement and further encryption.
Disable the user account and force password reset for all accounts that may have been logged into the affected system.
Block all communication to the identified command and control IP address (185.122.58.12) at the firewall.
Scan all systems for similar indicators of compromise, especially within the same department.
Preserve forensic evidence for detailed analysis and potential legal requirements.
Initiate incident response plan and notify appropriate stakeholders according to the procedure.

Total Alerts Today

Critical Alerts

2.3h

Mean Time to Resolve

Alerts by Severity

Day

Week

Month

[Severity Distribution Chart Visualization]

Alerts by Source

Day

Week

Month

[Alert Source Distribution Chart Visualization]

Security Playbooks

Playbook Name	Category	Last Updated	Status
Ransomware Response	Malware	April 25, 2025	Active
Phishing Investigation	Email Security	April 22, 2025	Active
Data Exfiltration Response	Data Loss Prevention	April 15, 2025	Active
Brute Force Attack Response	Authentication	April 10, 2025	Active
Insider Threat Investigation	User Activity	April 05, 2025	Active
Cloud Account Compromise	Cloud Security	March 28, 2025	Active
DDoS Mitigation	Network Security	March 20, 2025	Active
Malicious URL Investigation	Web Security	March 15, 2025	Active

Active Incidents

Case ID	Title	Severity	Assigned To	Status
INC-2025-042	Finance Department Ransomware Investigation	Critical	Incident Response Team	In Progress
INC-2025-041	Executive Account Compromise Attempt	High	Michael Chen	In Progress
INC-2025-040	Unusual Database Activity Investigation	Medium	Sarah Johnson	Pending
INC-2025-039	Suspected Data Exfiltration via Email	High	David Wilson	In Progress
INC-2025-038	Cloud Storage Misconfiguration	Medium	Cloud Security Team	Closed
INC-2025-037	Web Application Vulnerability	Medium	Application Security Team	Closed

Security Reports

Report Name	Type	Generated
Daily Security Operations Report	Daily Summary	May 01, 2025
Weekly Threat Intelligence Summary	Threat Intelligence	April 28, 2025
Monthly Incident Response Metrics	Performance	April 30, 2025
Ransomware Incident Post-Mortem	Incident Analysis	April 22, 2025
Quarterly Vulnerability Assessment	Compliance	March 31, 2025
Executive Security Dashboard	Executive Summary	April 30, 2025