← Back to Projects

Case Study — Incident Response / SOC Analysis

Incident Response Capstone: Phishing & Lateral Movement Investigation

This capstone investigates a simulated high-severity incident at HealthSecure Systems, a healthcare software provider. The case study follows the full incident response lifecycle from detection and scoping through containment, eradication, recovery, post-incident review, and long-term security improvement planning.

Share case study

Found this useful?

Share this project with a recruiter, teammate, mentor, or anyone reviewing hands-on cybersecurity work.

LinkedInX Email

Status

Completed Case Study

Role

Incident Response Analyst

Severity

High Severity

Incident ID

2025-HSS-IR-002

Executive Summary

What happened

The incident began when a Finance employee interacted with a payroll-themed phishing email. The malicious link led to PowerShell execution on Workstation-23, followed by outbound communication to suspicious infrastructure and attempted lateral movement toward HR payroll and Development DMZ systems.

The investigation classified the event as a high-severity security breach because the attacker demonstrated credential harvesting indicators, command-and-control activity, and attempts to access systems containing sensitive payroll data, Active Directory credentials, and proprietary healthcare application assets.

Evidence Sources

Tools and telemetry reviewed

Snort IDS
Zeek Network Monitoring
Windows Event Logs
Bitdefender EDR
Honeypot Telemetry
Forensic Memory Analysis
MITRE ATT&CK
Incident Response Reporting

Video Walkthrough

Capstone presentation

The walkthrough video explains the investigation, evidence, attack flow, response actions, and recommendations.

Attack Chain

Phishing to attempted lateral movement

1

Payroll-themed phishing email delivered to a Finance employee.

2

Victim accessed a malicious payroll update link hosted under secure-download.com infrastructure.

3

Workstation-23 executed an Invoke-WebRequest PowerShell command to download payload.ps1.

4

The payload showed credential harvesting indicators and generated outbound traffic to 45.77.33.88.

5

The attacker attempted SMB and RDP access toward HR-SQL01 payroll infrastructure.

6

The attacker attempted SSH access toward DevAppServer in the Development DMZ using stale jcampbell credentials.

7

Honeypot telemetry confirmed unauthorized access attempts and helped validate lateral movement behavior.

Timeline

Attack timeline reconstruction

TimeEvent
Apr 11, 2025 - 10:05 PMPhishing email delivered to Finance employee.
Apr 12, 2025 - 01:24 AMSuccessful logon and suspicious activity observed on Workstation-23.
01:24:18PsExec service installation detected.
01:24:39Malicious PowerShell Invoke-WebRequest command executed.
01:24:41SMB connection toward HR-SQL01 identified.
01:24:55RDP session initiated toward HR-SQL01.
01:25:03Outbound HTTP communication to 45.77.33.88.
01:25:30DNS query to secure-download.com.
01:26:09SSH attempt toward DevAppServer detected.
02:11:34Honeypot alert triggered using jcampbell credentials.

IoCs

Indicators of compromise

Malicious domains

maliciousdomain.xyz, secure-download.com, hss-payroll.secure-download.com

External IP

45.77.33.88

Commands / artifacts

Invoke-WebRequest, payload.ps1, PsExecsvc, cmd.exe /c whoami

Affected or targeted systems

Workstation-23, HR-SQL01, DevAppServer

Accounts

finance_user, jcampbell

Protocols

SMB 445, RDP 3389, SSH 22, HTTP 80

MITRE ATT&CK

Technique mapping

Initial Access

Phishing email

Execution

PowerShell Invoke-WebRequest

Credential Access

Cached credential harvesting indicators

Discovery

Internal reconnaissance activity

Lateral Movement

SMB, RDP, and SSH attempts

Command and Control

Outbound HTTP communication

Containment

  • Isolated Workstation-23 from the network.
  • Blocked malicious domains and external IP infrastructure.
  • Restricted SMB, RDP, and SSH traffic between network zones.
  • Reset affected credentials and disabled stale employee accounts.

Eradication

  • Preserved forensic evidence before remediation.
  • Removed malicious PowerShell artifacts and suspicious services.
  • Reimaged the compromised workstation from a trusted baseline.
  • Performed enterprise-wide IoC scans and corrected logging gaps.

Recovery

  • Validated endpoint integrity before reconnecting systems.
  • Reviewed HR-SQL01 and DevAppServer for unauthorized access.
  • Maintained heightened monitoring across critical systems.
  • Verified no confirmed widespread compromise or ransomware deployment was identified.

Evidence Downloads

Project artifacts

Recommendations

Strategic security improvements

Deploy centralized SIEM monitoring and log correlation.
Enforce MFA across privileged accounts and critical systems.
Automate employee offboarding and stale account deprovisioning.
Standardize PowerShell logging and endpoint telemetry.
Expand Linux EDR and SSH monitoring coverage.
Improve segmentation between Finance, HR, IT, and Development DMZ systems.
Conduct recurring phishing simulations and quarterly tabletop exercises.

Skills Demonstrated

What this project shows

Incident ResponseSOC AnalysisPhishing AnalysisPowerShell InvestigationCredential SecurityLateral Movement AnalysisIoC DevelopmentMITRE ATT&CK MappingExecutive ReportingSecurity Roadmap Planning
Contact Me