In this lab, I followed our phishing playbook to triage alert A-2703 for a known-malicious file. I updated the ticket status, assessed the alert details against our procedures, and recorded clear comments and supporting information.
As a Level-1 SOC analyst at a financial services firm, I received a phishing alert about a user downloading “bfsvc.exe” inside a password-protected spreadsheet. The SHA256 hash was already flagged by multiple vendors, so I needed to execute the playbook steps, decide whether to escalate, and complete the alert ticket.
Ticket ID | Alert Message | Severity | Details | Ticket Status |
---|---|---|---|---|
A-2703 | Phishing attempt – possible download of malware | Medium | The user may have opened a malicious email and its attachment | Escalated |
I noted that the sender address (76tguyhh6tgftrt7tg.su) did not match the display name “Def Communications” or the signature (“Clyde West”), and the body contained grammatical errors. The password-protected attachment “bfsvc.exe” was downloaded and executed. Given the previously confirmed malicious hash, I escalated this ticket to Level-2 for further containment and analysis.
Malicious Hash | 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b |
---|---|
Email From | Def Communications <76tguyhh6tgftrt7tg.su> |
Source IP | 114.114.114.114 |
To | hr@inergy.com <176.157.125.93> |
Sent | Wednesday, July 20, 2022 09:30:14 AM |
Subject | Re: Infrastructure Egnieer role |
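The checks I applied by hand above (sender address versus display name and signature, executable attachment, hash already known malicious, file executed on the host) can be expressed as a small triage routine. The following is an added example, not part of the lab or the playbook; the hash, ticket ID, sender header and attachment name come from the alert details above, while the expected-domain mapping and the alert dictionary layout are assumptions constructed for the example.

```python
from __future__ import annotations
import re

# SHA256 from the alert details on this page. Set membership stands in for the
# vendor reputation lookup performed during the lab.
KNOWN_MALICIOUS_SHA256 = {
    "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b",
}

# Constructed (hypothetical) mapping of display names the organisation
# recognises to the domain they are expected to send from.
EXPECTED_SENDER_DOMAINS = {
    "def communications": "defcommunications.example",
}

# "Display Name <address>" or just "address"
FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]*)>\s*$')


def parse_from_header(header: str) -> tuple[str, str]:
    """Split a From header into (display name, address)."""
    m = FROM_RE.match(header)
    if not m:
        return "", header.strip()
    return m.group("name").strip(), m.group("addr").strip()


def sender_domain(address: str) -> str:
    """Domain part of an address; a malformed address with no '@' is returned whole
    so the display-name/domain comparison still runs."""
    return address.rsplit("@", 1)[-1].lower()


def triage_alert(alert: dict) -> dict:
    """Apply the playbook indicators and return the ticket decision plus findings."""
    findings: list[str] = []
    name, addr = parse_from_header(alert["from"])
    domain = sender_domain(addr)

    if "@" not in addr:
        findings.append(f"malformed sender address: {addr!r}")

    expected = EXPECTED_SENDER_DOMAINS.get(name.lower())
    if expected and domain != expected:
        findings.append(f"display name {name!r} does not match sender domain {domain!r}")

    signature = alert.get("signature")
    if signature and signature.lower() not in name.lower():
        findings.append(f"signature {signature!r} does not match display name {name!r}")

    attachment = alert.get("attachment", {})
    if attachment.get("name", "").lower().endswith(".exe"):
        findings.append("attachment is an executable")
    if attachment.get("executed"):
        findings.append("attachment was executed on the endpoint")
    hash_hit = attachment.get("sha256", "").lower() in KNOWN_MALICIOUS_SHA256
    if hash_hit:
        findings.append("attachment hash is known malicious")

    # Playbook decision: a confirmed-malicious hash or an executed attachment is
    # escalated to Level-2; other indicators alone keep the ticket open for review.
    if hash_hit or attachment.get("executed"):
        status = "Escalated"
    elif findings:
        status = "Investigating"
    else:
        status = "Closed - no indicators"
    return {"ticket": alert["ticket"], "status": status, "findings": findings}


# Alert A-2703 rebuilt from the details on this page (dictionary layout is constructed).
ALERT_A2703 = {
    "ticket": "A-2703",
    "from": "Def Communications <76tguyhh6tgftrt7tg.su>",
    "signature": "Clyde West",
    "attachment": {
        "name": "bfsvc.exe",
        "sha256": "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b",
        "executed": True,
    },
}

if __name__ == "__main__":
    result = triage_alert(ALERT_A2703)
    print(result["ticket"], result["status"])
    for f in result["findings"]:
        print(" -", f)
```

Each finding is recorded as text so it can be pasted straight into the ticket comments, and the decision rule is kept separate from the indicator checks so the escalation criteria can be tuned without touching the parsing.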