In this video, we investigate SOC137 – Malicious File or Script Download Attempt (EventID 76) on the LetsDefend SOC platform. The alert concerns a malicious DOCM document download that was successfully blocked, but the same endpoint carries historical indicators of an earlier compromise, which makes this a particularly interesting SOC case.

🔍 Investigation Summary
- The endpoint attempted to download "INVOICE PACKAGE LINK TO DOWNLOAD.docm"
- Internal source IP: 172.16.17.37
- SIEM logs confirmed the download attempt was blocked
- The file hash was verified as malicious via VirusTotal
- Endpoint telemetry showed:
  ❌ No active compromise on March 14 (the alert date)
  ⚠️ A historical IOC on March 7 involving obfuscated PowerShell: execution launched via "wmic process call create", with the PowerShell execution policy bypassed and the window hidden

🧩 MITRE ATT&CK Techniques
- T1204.002 – Malicious File
- T1059 – Command and Scripting Interpreter (PowerShell)

🧠 Analyst Insight (Why This Alert Is Tricky)
When the alert was first investigated, the historical PowerShell activity suggested the endpoint might be compromised, which led to an incorrect outcome in the simulation. After re-investigating strictly within the March 14 timeframe, where there was no active endpoint telemetry or execution evidence, the correct conclusion was reached:
- The malicious download was blocked
- No active compromise occurred on the alert date
- The historical infection did not factor into the scoring logic

This highlights an important SOC lesson: investigate what the alert shows, not what may have happened earlier, unless the earlier activity is correlated by scope or time.

✅ Final Outcome
Verdict: True Positive
Status: Malicious document confirmed, execution blocked
Playbook Actions Completed:
- Check if someone requested the C2 (+5)
- Analyze malware (+5)
- Verify quarantine/cleanup status (+5)

📌 Alert Details
Rule: SOC137 – Malicious File or Script Download Attempt
Severity: Medium
EventID: 76
Category: Malware

This walkthrough is ideal for SOC Level 1 analysts learning:
- How to scope investigations correctly
- When historical IOCs matter, and when they don't
- How SOC simulations score alerts vs. real-world judgement

🔐 Disclaimer
For educational and defensive security purposes only.

#SOC #LetsDefend #SOC137 #MalwareAnalysis #TruePositive #DOCMMalware #PowerShell #MITREATTACK #BlueTeam #SOCAnalyst #DFIR #IncidentResponse #SIEM #CyberSecurity
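The scoping lesson above can be made mechanical: decide the alert on evidence from the alert date, and report older hits separately as context. The following is an added example, not code from the video or from the LetsDefend platform. It parses constructed process-creation telemetry for the endpoint in the alert (172.16.17.37), flags the launch pattern the description attributes to the March 7 activity (wmic spawning PowerShell with an execution-policy bypass, hidden window and encoded command), and then assesses the alert using only the March 14 window. The key=value log format, the field names, the year in the timestamps and the encoded-command blob are all assumptions; the alert fields come from the description.

```python
"""Scope endpoint telemetry to the alert date and flag the PowerShell launch
patterns named in the description.  Added example; not the video's or
LetsDefend's code.  Log format, field names and the year are assumptions."""
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed process-creation telemetry for the alert's endpoint.  March 7
# is the historical IOC, March 14 the alert date; the year is assumed and the
# base64 blob is a labelled placeholder (it decodes to "PLACEHOLDER").
SAMPLE_EVENTS = [
    'ts=2025-03-07T09:12:44 host=172.16.17.37 parent=wmic.exe image=powershell.exe '
    'cmd="powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden '
    '-EncodedCommand UExBQ0VIT0xERVI="',
    'ts=2025-03-07T09:12:50 host=172.16.17.37 parent=powershell.exe image=cmd.exe '
    'cmd="cmd.exe /c whoami"',
    'ts=2025-03-14T10:03:17 host=172.16.17.37 parent=explorer.exe image=outlook.exe '
    'cmd="outlook.exe"',
    'ts=2025-03-14T10:05:02 host=172.16.17.37 parent=outlook.exe image=chrome.exe '
    'cmd="chrome.exe --new-window"',
]

# Alert facts from the description; the date's year is assumed.
ALERT = {
    "rule": "SOC137 - Malicious File or Script Download Attempt",
    "event_id": 76,
    "date": date(2025, 3, 14),
    "src_ip": "172.16.17.37",
    "file": "INVOICE PACKAGE LINK TO DOWNLOAD.docm",
    "blocked": True,          # SIEM confirmed the download was blocked
    "hash_malicious": True,   # hash verified via VirusTotal
}

LINE_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Event:
    ts: datetime
    host: str
    parent: str
    image: str
    cmd: str


def parse_event(line: str) -> Event:
    """Parse one key=value telemetry line (quoted values may contain spaces)."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in LINE_RE.finditer(line)}
    return Event(ts=datetime.fromisoformat(fields["ts"]), host=fields["host"],
                 parent=fields["parent"], image=fields["image"], cmd=fields["cmd"])


# (name, predicate) pairs describing the launch pattern, not the malware itself.
INDICATORS = [
    ("wmic_spawned_powershell",
     lambda e: e.parent.lower() == "wmic.exe" and e.image.lower() == "powershell.exe"),
    ("execution_policy_bypass",
     lambda e: re.search(r"-e[px]\w*\s+bypass", e.cmd, re.I) is not None),
    ("hidden_window",
     lambda e: re.search(r"-w\w*\s+hidden", e.cmd, re.I) is not None),
    ("encoded_command",
     lambda e: re.search(r"\s-e(?:nc|ncoded|ncodedcommand)?\s", e.cmd, re.I) is not None),
]


def flag_events(events, start: date, end: date):
    """Return [(event, [indicator names])] for events dated within [start, end]."""
    hits = []
    for e in events:
        if start <= e.ts.date() <= end:
            names = [n for n, check in INDICATORS if check(e)]
            if names:
                hits.append((e, names))
    return hits


def assess(alert: dict, events, lookback_days: int = 30) -> dict:
    """Judge the alert on its own day's evidence; older hits are context only."""
    day = alert["date"]
    on_host = [e for e in events if e.host == alert["src_ip"]]
    in_scope = flag_events(on_host, day, day)
    historical = flag_events(on_host, day - timedelta(days=lookback_days),
                             day - timedelta(days=1))
    return {
        "verdict": "True Positive" if alert["hash_malicious"] else "False Positive",
        "status": ("blocked" if alert["blocked"] and not in_scope
                   else "execution evidence present"),
        "active_compromise_on_alert_day": bool(in_scope),
        "historical_hits": len(historical),
        "historical_indicators": sorted({n for _, names in historical for n in names}),
    }


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    for key, value in assess(ALERT, events).items():
        print(f"{key}: {value}")
```

Run as-is, the assessment comes out as a True Positive with status "blocked" and no active compromise on the alert day, while the March 7 entry is reported as one historical hit with all four indicators. Widening `flag_events` to cover both dates is what produced the wrong answer in the simulation: the same telemetry then reads as an active compromise.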