Stage 6 · Lessons learned

Reporting

Auto-generated post-incident reports and the metrics that prove the SOC's value.

Incident report · auto-generated

INC-2026-0418 — Finance Phishing → DC RDP

Drafted by copilot · reviewed by Maya Reyes · 27 Jun 2026 09:14 UTC

Executive summary

On 27 Jun 2026 at 06:30 UTC, a finance user clicked a CFO-impersonation phishing link. Within 1h 44m the adversary established a Cobalt Strike beacon, pivoted to a service account, and attempted lateral movement to a domain controller. The intrusion was contained at 08:18 UTC. No data exfiltration occurred.

Key metrics

Time to detect
4m
Time to triage
9m
Time to contain
1h 48m
Hosts affected
2

Kill-chain narrative

  1. 06:30 — Phishing link delivered to m.kowalski@corp.io.
  2. 06:48 — Link clicked; redirected to invoice-portal-corp[.]co.
  3. 07:20 — Encoded PowerShell stager executed under winword.exe.
  4. 07:41 — Cobalt Strike beacon to Tor exit 185.220.101.42.
  5. 07:58 — svc_backup credential reuse; RDP to DC-EU-01.
  6. 08:14 — Copilot raised critical verdict; analyst approved containment.
  7. 08:18 — Host isolated; account disabled; IP blocked at perimeter.

IOCs

domain   invoice-portal-corp[.]co
ip       185.220.101.42         (Tor exit, AS208294)
ip       104.28.211.18          (residential proxy)
sha256   a3f9...c21e            (Cobalt Strike beacon)
user     svc_backup             (suspended)

Recommendations

  • Restrict child processes of Office apps via ASR rule (mapped to T1059).
  • Tighten conditional access on tier-0 service accounts: deny interactive RDP.
  • Add a Sigma rule for first-time RDP to a domain controller (template available in Hunt).
  • User-awareness refresher for finance team focusing on CFO-impersonation patterns.
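The third recommendation in working form, as an added example rather than the Hunt module's Sigma template or any code from the original report: a baseline-and-alert check for first-time RDP logons (Windows Security event 4624, logon type 10) to a domain controller. The DC inventory, event fields and sample events are constructed assumptions modelled on the kill chain above.

```python
"""First-time RDP-to-domain-controller detection (added example).

An RDP session shows up as event 4624 with LogonType 10 (RemoteInteractive).
Events before `baseline_end` only populate the set of known
(account, DC) pairs; later events alert the first time a pair appears.
"""
from dataclasses import dataclass

DOMAIN_CONTROLLERS = {"DC-EU-01", "DC-EU-02"}   # assumed DC inventory
RDP_LOGON_TYPE = 10


@dataclass(frozen=True)
class LogonEvent:
    ts: str           # ISO-8601 UTC, fixed width so strings sort by time
    event_id: int     # 4624 = successful logon, 4625 = failed logon
    logon_type: int   # 10 = RemoteInteractive (RDP)
    account: str
    target_host: str
    source_ip: str


def first_time_dc_rdp(events, baseline_end):
    """Return RDP logons to a DC whose (account, host) pair was unseen before baseline_end."""
    known = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id != 4624 or ev.logon_type != RDP_LOGON_TYPE:
            continue                              # not a successful RDP logon
        if ev.target_host.upper() not in DOMAIN_CONTROLLERS:
            continue                              # RDP to a non-DC is out of scope
        pair = (ev.account.lower(), ev.target_host.upper())
        if ev.ts < baseline_end:
            known.add(pair)                       # learning window: no alerts
            continue
        if pair not in known:
            known.add(pair)                       # alert once per new pair
            alerts.append(ev)
    return alerts


# Constructed sample events: two admin baseline logons, then the intrusion day.
SAMPLE_EVENTS = [
    LogonEvent("2026-06-01T02:10:00Z", 4624, 10, "adm.reyes",  "DC-EU-01", "10.10.5.20"),
    LogonEvent("2026-06-10T03:00:00Z", 4624, 10, "adm.reyes",  "DC-EU-02", "10.10.5.20"),
    LogonEvent("2026-06-27T07:12:00Z", 4624, 3,  "svc_backup", "DC-EU-01", "10.10.7.31"),
    LogonEvent("2026-06-27T07:40:00Z", 4624, 10, "svc_backup", "FS-EU-03", "10.10.7.31"),
    LogonEvent("2026-06-27T07:58:00Z", 4624, 10, "svc_backup", "DC-EU-01", "10.10.7.31"),
    LogonEvent("2026-06-27T08:05:00Z", 4624, 10, "adm.reyes",  "DC-EU-01", "10.10.5.20"),
    LogonEvent("2026-06-27T08:10:00Z", 4625, 10, "svc_backup", "DC-EU-02", "10.10.7.31"),
]

if __name__ == "__main__":
    for ev in first_time_dc_rdp(SAMPLE_EVENTS, "2026-06-27T00:00:00Z"):
        print(f"{ev.ts} first RDP by {ev.account} to {ev.target_host} from {ev.source_ip}")
```

Only the 07:58 svc_backup logon to DC-EU-01 fires; the network logon, the file-server RDP, the admin's baseline pair and the failed logon are all suppressed.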