Haider Mustafa

SOC Investigation

Authentication abuse to PowerShell execution.

A Windows telemetry case built around repeated failed logons, successful privileged access, follow-on execution, and detection output.

Severity: High
Host: WS-FIN-07
Privileged account: it-admin
Failed logons: 5

Project view

One external source repeatedly failed to authenticate, then succeeded against a privileged account on the same host. That access was followed by hidden PowerShell, outbound traffic, a dropped script, and scheduled task persistence.

Open first

Start with the brief view above. The findings are written up as a PDF report to mirror a normal analyst handoff; the summary opens as a readable page, and the full pack keeps the raw artefacts together in one download.

Case Shape

The incident path at a glance.

01  4625 burst: one source IP keeps failing
02  4624 success: privileged account access
03  PowerShell -enc: hidden execution begins
04  Persistence: task created and staged

Basic overview

The case begins with repeated failed logons from one external IP against a service account and then a privileged account. The same source later succeeds, after which the host launches encoded PowerShell, reaches out over the network, writes a script into ProgramData, and creates a scheduled task.

The aim of the project was to investigate that full sequence from authentication abuse into host execution, write the findings into a report, and build detection logic that would surface the same pattern faster in a SOC workflow.

Findings

Timeline
Detection logic

KQL

SecurityEvent
| where EventID == 4625
// count the burst per source, target and host, and remember when it ended
| summarize FailureCount=count(), LastFailure=max(TimeGenerated)
    by IpAddress, TargetUserName, Computer
| where FailureCount >= 5
| join kind=leftouter (
    SecurityEvent
    | where EventID == 4624
    | project IpAddress, TargetUserName, Computer, SuccessTime=TimeGenerated, LogonType
) on IpAddress, TargetUserName, Computer
// keep bursts with no success (SuccessTime is null) and successes that came after the burst
| where isnull(SuccessTime) or SuccessTime > LastFailure

SPL

index=wineventlog (EventCode=4625 OR EventCode=4624)
| stats count(eval(EventCode=4625)) as failed_count
  count(eval(EventCode=4624)) as success_count
  earliest(_time) as first_seen
  latest(_time) as last_seen by src_ip user host
| where failed_count >= 5
| sort - last_seen

Sigma

title: Suspicious Encoded PowerShell After Authentication Activity
status: experimental
description: powershell.exe launched with an encoded command, the execution stage seen after the privileged logon in this case
logsource:
  product: windows
  category: process_creation
detection:
  selection_image:
    Image|endswith: '\powershell.exe'
  selection_encoded:
    CommandLine|contains:
      - ' -enc '
      - ' -EncodedCommand '
  condition: selection_image and selection_encoded
level: high
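The three queries above each cover one stage of the case. The following Python script, added here as an illustration rather than the project's own detection code, runs the whole sequence from the overview (4625 burst, later 4624 from the same source, encoded PowerShell on that host) over a handful of constructed event records. The event shape, the source IP, the timestamps, the service-account name and the 60-minute window are all assumptions made for the demo; the failure threshold of 5 mirrors the rules above.

```python
"""Correlation of the case pattern over constructed Windows event records.

Added example for this write-up; it is not the project's own detection code.
Event dictionaries are a simplified, constructed form of Security event
4625/4624 and process-creation fields. The IP, timestamps, service-account
name and the 60-minute window are assumptions for the demo.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # mirrors the FailureCount >= 5 rule above
WINDOW = timedelta(minutes=60)   # assumed correlation window

# -e, -ec, -enc and -EncodedCommand all introduce a base64 payload
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(command_line):
    """Return the decoded -enc payload, or None if there is none.

    PowerShell takes the payload as base64 over UTF-16LE text, so that is
    how it is decoded here; a malformed payload is reported as None.
    """
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def correlate(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Link a 4625 burst to a later 4624 from the same source, then to encoded
    PowerShell on that host. Returns one alert dict per qualifying success."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    failures = defaultdict(list)   # (source ip, host) -> failure timestamps
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            failures[(e["ip"], e["host"])].append(t)
        elif e["event_id"] == 4624:
            # keyed on source and host rather than user, because the burst in
            # this case moved from a service account to it-admin
            recent = [f for f in failures[(e["ip"], e["host"])] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({"ip": e["ip"], "host": e["host"], "user": e["user"],
                               "failures": len(recent), "success_time": t,
                               "encoded_powershell": None})
        elif e["event_id"] == 4688:
            if not e["image"].lower().endswith("\\powershell.exe"):
                continue
            decoded = decode_encoded_command(e["command_line"])
            if decoded is None:
                continue
            # attach the execution stage to an open alert on the same host
            for alert in alerts:
                if (alert["host"] == e["host"]
                        and alert["encoded_powershell"] is None
                        and alert["success_time"] <= t <= alert["success_time"] + window):
                    alert["encoded_powershell"] = decoded
                    break
    return alerts


# Constructed sample telemetry: the IP, date and svc-backup are invented.
_PAYLOAD = base64.b64encode("Write-Host 'staged'".encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"event_id": 4625, "time": f"2024-05-01T10:0{i}:00", "ip": "203.0.113.45",
     "host": "WS-FIN-07", "user": "svc-backup" if i < 3 else "it-admin"}
    for i in range(5)
] + [
    {"event_id": 4624, "time": "2024-05-01T10:06:00", "ip": "203.0.113.45",
     "host": "WS-FIN-07", "user": "it-admin"},
    {"event_id": 4688, "time": "2024-05-01T10:08:00", "host": "WS-FIN-07",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {_PAYLOAD}"},
    # benign noise: a success with no burst, and plain PowerShell elsewhere
    {"event_id": 4624, "time": "2024-05-01T10:09:00", "ip": "10.0.0.12",
     "host": "WS-HR-02", "user": "jdoe"},
    {"event_id": 4688, "time": "2024-05-01T10:10:00", "host": "WS-HR-02",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it prints one alert for WS-FIN-07 carrying the decoded payload, and nothing for the WS-HR-02 noise. The decoded command is attached to the alert because an analyst triaging this pattern wants the plaintext of the -enc argument in the ticket rather than the base64 blob.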
Recommended analyst actions