01 Alerting · foyl SIEM · Click an alert to triage · understand the chain
foyl SIEM
Alert Queue · INC-2024-0847
Impossible Travel — Auth from two countries within 4 minutes
User: sarah.chen@acme-corp.com · 185.220.101.47 (RU) → 10.0.1.52 (US)
CRITICAL
09:44:18
Outbound C2 Callback — Known Tor exit on port 4444
Host: WKSTN-0112 · dst: 45.142.212.100:4444 · process: powershell.exe
CRITICAL
09:44:01
MFA Fatigue Attack Suspected — 9 push requests in 90 seconds
User: sarah.chen@acme-corp.com · App: Microsoft Authenticator
HIGH
08:51:02
Suspicious DNS — Lookalike domain acme-corp-secure.com resolved
Host: WKSTN-0112 · resolved: 185.220.101.47 · TTL: 60s (fast-flux indicator)
HIGH
08:47:31
Lateral Movement — SMB ADMIN$ WKSTN-0112 → SRVR-DC01
User: sarah.chen (stolen session) · ntds.dit enumeration attempt
HIGH
09:14:55
Large Outbound Transfer — 847 MB to dropbox-cdn.io over HTTPS
Host: WKSTN-0112 · protocol: HTTPS/443 · duration: 4m 22s
MEDIUM
09:44:01
Reading the Alert Queue
Alerts fire in reverse chronological order but the investigation runs forward. Sort chronologically: suspicious DNS at 08:47 is patient zero — that's when Sarah clicked. Impossible travel and C2 callback firing simultaneously at 09:44 means the attacker already has a foothold and is actively operating. Triage starts with highest severity + earliest in the attack chain.
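The queue lesson above in working form, as an added example that is not part of the original page: the six alerts are re-created as constructed records keyed by the entities they name (user, host, IP, domain), alerts sharing an entity are joined into one chain, and the chain is then ordered for investigation (chronological, to find patient zero) and for triage (severity first, then earliest in the chain). A seventh unrelated alert is included to show that correlation keeps it out of the chain.

```python
from datetime import datetime

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed copy of the six queue alerts above, keyed by the entities each
# one names (user, host, IP, domain), plus one unrelated alert (A7) as noise.
ALERTS = [
    {"id": "A1", "sev": "CRITICAL", "time": "09:44:18",
     "entities": {"sarah.chen", "185.220.101.47", "10.0.1.52"}},
    {"id": "A2", "sev": "CRITICAL", "time": "09:44:01",
     "entities": {"WKSTN-0112", "45.142.212.100"}},
    {"id": "A3", "sev": "HIGH", "time": "08:51:02", "entities": {"sarah.chen"}},
    {"id": "A4", "sev": "HIGH", "time": "08:47:31",
     "entities": {"WKSTN-0112", "185.220.101.47", "acme-corp-secure.com"}},
    {"id": "A5", "sev": "HIGH", "time": "09:14:55",
     "entities": {"WKSTN-0112", "SRVR-DC01", "sarah.chen"}},
    {"id": "A6", "sev": "MEDIUM", "time": "09:44:01",
     "entities": {"WKSTN-0112", "dropbox-cdn.io"}},
    {"id": "A7", "sev": "LOW", "time": "09:10:00", "entities": {"bob.lee", "10.0.2.9"}},
]

def _t(alert):
    return datetime.strptime(alert["time"], "%H:%M:%S")

def correlate(alerts):
    """Union-find over shared entities: alerts naming a common user, host,
    IP or domain are joined into one chain, returned in chronological order."""
    parent = {a["id"]: a["id"] for a in alerts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    first_seen = {}  # entity -> id of the first alert that named it
    for a in alerts:
        for entity in a["entities"]:
            if entity in first_seen:
                parent[find(a["id"])] = find(first_seen[entity])
            else:
                first_seen[entity] = a["id"]
    chains = {}
    for a in alerts:
        chains.setdefault(find(a["id"]), []).append(a)
    return [sorted(c, key=_t) for c in chains.values()]

def patient_zero(chain):
    # Earliest alert in the chain: where the investigation starts.
    return min(chain, key=_t)["id"]

def triage_order(chain):
    """Highest severity first; within a severity, earliest in the chain."""
    return [a["id"] for a in sorted(chain, key=lambda a: (SEVERITY_RANK[a["sev"]], _t(a)))]
```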
02 Email Investigation · Proofpoint TAP · Extract IOCs · understand AiTM technique
Proofpoint TAP
Message Trace · sarah.chen@acme-corp.com
From: IT-Security-Team@acme-corp-secure.com (domain registered 3 days prior)
To: sarah.chen@acme-corp.com
Subject: ⚠ URGENT: Verify your account — unusual sign-in detected
Received: 2024-11-14 08:12:04 UTC · via 185.220.101.47
DKIM: FAIL
SPF: FAIL — acme-corp-secure.com not authorized
DMARC: FAIL → QUARANTINE (user self-released 08:45)

Dear Sarah,

Our security systems have detected an unusual sign-in attempt on your account. To protect your account, please verify your identity immediately.

Action Required: Click the link below. This link expires in 15 minutes.

https://acme-corp-secure.com/login/verify

IT Security Team — Acme Corporation

Proofpoint Analysis
AiTM phishing kit (EvilGinx2) — proxies real Microsoft login, captures session tokens, bypasses MFA entirely
Domain acme-corp-secure.com registered 2024-11-11 — 3 days before attack. Cloudflare privacy guard.
Sending IP 185.220.101.47 matches known AiTM infrastructure (Tor exit node)
DMARC quarantined this email — user manually released at 08:45 and clicked at 08:47
Urgency language, IT impersonation, 15-minute countdown — classic social engineering
AiTM — Why MFA Didn't Stop This
Classic phishing steals credentials. AiTM proxies the real login in real time — Sarah authenticates including MFA, but the attacker's proxy captures the session cookie. That cookie is replayed without credentials or MFA. Key lesson: user self-released this email from quarantine. DMARC worked — user override defeated it. Document this as a process gap.
03 Identity Investigation · Microsoft Entra ID · Trace the auth chain · confirm session token theft
Microsoft Entra ID
Sign-in Logs · sarah.chen
a3f9d2c1-b8e7-4f0a-9d3c
Sign-in Logs
Successful sign-in — Office 365
08:34:12 · 10.0.1.52 (US/Seattle) · Chrome/Win10 · MFA: SMS ✓
⚠ Sign-in from foreign IP — token replay, no password entered
08:51:02 · 185.220.101.47 (RU/Moscow) · Unknown device
⚠ MFA bypass confirmed — stolen session token replayed
08:51:19 · 185.220.101.47 · 90-day persistent token, no MFA challenge
⚠ SharePoint bulk access — Finance Q4, 23 files in 4 minutes
09:02:44 · 185.220.101.47 · Finance/Q4Reports · ~340 MB
⚠ OAuth app registered — “Outlook Sync Helper” Mail+Files permissions
09:08:31 · 185.220.101.47 · Persistence mechanism

MFA Activity
MFA approved — Authenticator push
08:34:14 · Approved in 8 seconds
⚠ MFA push #1 — Denied by user
08:51:02
⚠ MFA push #2–9 — All denied · fatigue bombing pattern
08:51:04–08:52:34 · 8 denials in 90 seconds
⚠ MFA bypassed via token replay — no challenge presented
08:51:19 · AiTM-captured cookie — attacker never needed MFA

Active Sessions
⚠ 2 active sessions — one legitimate, one attacker. Revoke all to contain.
Session | IP | Location | Started | Last Active | Status
a9f2...3d81 | 10.0.1.52 | US/Seattle | 08:34:12 | 09:41:22 | LEGITIMATE
b4e7...9c22 | 185.220.101.47 | RU/Moscow | 08:51:19 | 09:44:01 | MALICIOUS

Risk Detections
Detection | Risk | Time | Detail
Impossible Travel | HIGH | 09:44:18 | US→RU in <4 min
Unfamiliar Sign-in Properties | MED | 08:51:02 | New device + IP
Malicious IP Address | HIGH | 08:51:02 | Tor exit / AiTM infra
Token Replay Attack | HIGH | 08:51:19 | Stolen AiTM session cookie
Token Theft vs Credential Theft
Resetting Sarah's password won't remove the attacker's session — you must revoke all Entra tokens. Also: the OAuth app registered at 09:08 persists even after token revocation. It's a second persistence mechanism that must be removed separately. This two-step persistence (token + OAuth app) is standard attacker practice to survive remediation.
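The two identity signals this section and the AiTM note above rely on, as an added example that is not part of the original page: a sliding-window check for the fatigue-bombing pattern in the MFA activity, and a token-replay check that flags a sign-in presenting neither password nor MFA from a different country than a recent fully authenticated sign-in (a refresh of the user's own session would not change country). The records are constructed to match the timeline above; the field names are this example's own, not the Entra export schema.

```python
from datetime import datetime, timedelta

def _t(s):
    return datetime.strptime(s, "%H:%M:%S")

# Constructed records modelled on the Entra ID entries above; the field names
# are this example's own, not the Entra sign-in log schema.
SIGNINS = [
    {"time": "08:34:12", "ip": "10.0.1.52", "country": "US", "password": True, "mfa": True},
    {"time": "08:51:02", "ip": "185.220.101.47", "country": "RU", "password": False, "mfa": False},
    {"time": "08:51:19", "ip": "185.220.101.47", "country": "RU", "password": False, "mfa": False},
]
# Nine pushes, all denied: #1 at 08:51:02, #9 at 08:52:34 (offsets in seconds).
_FIRST_PUSH = _t("08:51:02")
MFA_PUSHES = [{"time": _FIRST_PUSH + timedelta(seconds=s), "result": "denied"}
              for s in (0, 2, 15, 28, 41, 54, 67, 80, 92)]

def mfa_fatigue(pushes, window_s=90, min_denied=5):
    """Sliding window over denied pushes; returns (count, first, last) for the
    densest window that reaches min_denied, or None if no window does."""
    denied = sorted(p["time"] for p in pushes if p["result"] == "denied")
    best, j = None, 0
    for i, end in enumerate(denied):
        while (end - denied[j]).total_seconds() > window_s:
            j += 1
        count = i - j + 1
        if count >= min_denied and (best is None or count > best[0]):
            best = (count, denied[j], end)
    return best

def token_replay(signins, grace=timedelta(hours=1)):
    """Flag sign-ins that present neither password nor MFA yet come from a
    different country than a fully authenticated sign-in shortly before."""
    flagged = []
    for s in signins:
        if s["password"] or s["mfa"]:
            continue
        for prior in signins:
            gap = _t(s["time"]) - _t(prior["time"])
            if (prior["password"] and prior["mfa"] and prior["country"] != s["country"]
                    and timedelta(0) <= gap <= grace):
                flagged.append((s["time"], s["ip"]))
                break
    return flagged
```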
04 Containment · SentinelOne EDR · Isolate → Revoke → Kill C2 · order matters
SentinelOne
Endpoint: WKSTN-0112 · sarah.chen
● ACTIVE THREAT — NOT ISOLATED
Process Tree — WKSTN-0112
explorer.exe · PID 1204
  chrome.exe · PID 3892
    chrome.exe --renderer · PID 4201 ⚠ spawned cmd
      cmd.exe · PID 5512 · browser-spawned ⚠
        powershell.exe -enc JAB… · PID 6104 · MALICIOUS
          net.exe → 45.142.212.100:4444 · C2 ACTIVE
Containment Checklist
Host Isolated: ✗ Pending
Sessions Revoked: ✗ Pending
C2 Killed: ✗ Pending
Containment Order Matters
Isolate first — cuts all network paths simultaneously. Then revoke tokens. Then kill the process. If you kill C2 first, the attacker may trigger a secondary persistence mechanism. The browser→cmd→powershell chain is a classic click-to-execute dropper — chrome renderers should never spawn cmd.exe. That's your smoking gun in the process tree.
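The "smoking gun" rule above as detection logic, an added example that is not the EDR vendor's code: constructed process events mirror the tree on this page, each shell is walked back to its root, and any shell whose ancestry passes through a browser is flagged, alongside a separate check for PowerShell launched with an encoded command line. Two benign processes (a user-opened cmd.exe and an admin script run with a file argument) are included to show they are not flagged; the -enc payload is a constructed placeholder.

```python
import re

# Constructed process events mirroring the SentinelOne tree above; field names
# are this example's own. The -enc payload is a constructed placeholder.
EVENTS = [
    {"pid": 1204, "ppid": 0, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3892, "ppid": 1204, "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"pid": 4201, "ppid": 3892, "image": "chrome.exe", "cmdline": "chrome.exe --type=renderer"},
    {"pid": 5512, "ppid": 4201, "image": "cmd.exe", "cmdline": "cmd.exe /c start /min powershell"},
    {"pid": 6104, "ppid": 5512, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAAgAD0AIAAx"},
    {"pid": 6120, "ppid": 1204, "image": "cmd.exe", "cmdline": "cmd.exe"},  # user-opened shell
    {"pid": 6130, "ppid": 1204, "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File build.ps1"},  # admin script
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 run.
ENC_PS = re.compile(r"(?i)\s-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}")

def ancestry(events, pid):
    """Image names from the given pid up to the root (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def browser_spawned_shells(events):
    """Shells whose ancestry passes through a browser: the smoking gun."""
    return [e["pid"] for e in events
            if e["image"].lower() in SHELLS
            and any(a in BROWSERS for a in ancestry(events, e["ppid"]))]

def encoded_powershell(events):
    """PowerShell launched with an encoded command line."""
    return [e["pid"] for e in events
            if e["image"].lower() == "powershell.exe" and ENC_PS.search(e["cmdline"])]
```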
05 Log Collection · Multi-source · Collect all sources before they roll over
⚠ Some sources retain for only 30 days. Collect everything before analysis.
foyl SIEM · PENDING
Network events, alert history, correlation rules. Window: 2024-11-14 07:00–11:00 UTC
Entra ID Sign-in Logs · PENDING
Auth, MFA, risk detections, sessions. 30-day retention — collect now.
SentinelOne EDR · PENDING
Process execution, file writes, network connections for WKSTN-0112.
Proofpoint TAP · PENDING
Message trace, click events, quarantine release, sender domain intel.
M365 Unified Audit Log · PENDING
SharePoint, file downloads, Teams, OAuth apps, Exchange. 90-day retention.
Perimeter Firewall · PENDING
Inbound/outbound flows for WKSTN-0112. C2 callbacks, exfil flows.
06 Analysis · M365 Unified Audit Log · Reconstruct attacker actions · identify blast radius
M365 Unified Audit Log
User: sarah.chen · 2024-11-14
Time | Operation | Workload | Object | IP | Result
Reconstructing Attacker Actions
Filter by the malicious session IP (185.220.101.47) to isolate only attacker actions. The OAuth app at 09:08 is critical — it persists after token revocation and must be removed separately. File access events show exactly what was read. Download events show exfil. The UAL is your forensic record of everything the attacker did inside M365 under Sarah's identity.
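The reconstruction described above over a UAL export, as an added example that is not part of the original page: a constructed export of one AuditData record per line (using the real field names CreationTime, UserId, Operation, Workload, ObjectId and ClientIP, but constructed values) is filtered on the malicious session IP, then summarised into what was read, what was downloaded, and which operations created persistence that a token revocation will not undo. The list of persistence operations is this example's own choice.

```python
import json
from collections import Counter

# Constructed Unified Audit Log export (one AuditData record per line). The field
# names are the real ones; every value is constructed to match the timeline above.
UAL_EXPORT = """\
{"CreationTime":"2024-11-14T08:34:20","UserId":"sarah.chen@acme-corp.com","Operation":"FileAccessed","Workload":"SharePoint","ObjectId":"sites/hr/handbook.pdf","ClientIP":"10.0.1.52"}
{"CreationTime":"2024-11-14T09:02:44","UserId":"sarah.chen@acme-corp.com","Operation":"FileAccessed","Workload":"SharePoint","ObjectId":"sites/finance/Q4Reports/forecast.xlsx","ClientIP":"185.220.101.47"}
{"CreationTime":"2024-11-14T09:03:10","UserId":"sarah.chen@acme-corp.com","Operation":"FileDownloaded","Workload":"SharePoint","ObjectId":"sites/finance/Q4Reports/forecast.xlsx","ClientIP":"185.220.101.47"}
{"CreationTime":"2024-11-14T09:04:02","UserId":"sarah.chen@acme-corp.com","Operation":"FileDownloaded","Workload":"SharePoint","ObjectId":"sites/finance/Q4Reports/payroll.xlsx","ClientIP":"185.220.101.47"}
{"CreationTime":"2024-11-14T09:08:31","UserId":"sarah.chen@acme-corp.com","Operation":"Add service principal.","Workload":"AzureActiveDirectory","ObjectId":"Outlook Sync Helper","ClientIP":"185.220.101.47"}
{"CreationTime":"2024-11-14T09:41:22","UserId":"sarah.chen@acme-corp.com","Operation":"MailItemsAccessed","Workload":"Exchange","ObjectId":"","ClientIP":"10.0.1.52"}
"""

# Operations that survive a token revocation and need their own cleanup
# (this example's own list, not an exhaustive one).
PERSISTENCE_OPS = {"Add service principal.", "Consent to application.",
                   "Add app role assignment grant to user.", "New-InboxRule"}

def load_ual(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def attacker_actions(records, malicious_ip):
    """Only what the attacker did: filter on the malicious session IP."""
    return sorted((r for r in records if r["ClientIP"] == malicious_ip),
                  key=lambda r: r["CreationTime"])

def blast_radius(actions):
    """Summarise reads, downloads (exfil) and persistence from attacker actions."""
    return {
        "operations": dict(Counter(r["Operation"] for r in actions)),
        "read": sorted({r["ObjectId"] for r in actions if r["Operation"] == "FileAccessed"}),
        "exfiltrated": sorted({r["ObjectId"] for r in actions if r["Operation"] == "FileDownloaded"}),
        "persistence": [(r["CreationTime"], r["Operation"], r["ObjectId"])
                        for r in actions if r["Operation"] in PERSISTENCE_OPS],
    }
```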
07 Threat Hunt · foyl SIEM · Entra ID · Pivot on IOCs · hunt for additional compromise
Pivot on: 185.220.101.47 · 45.142.212.100 · acme-corp-secure.com · dropbox-cdn.io · powershell -enc
Pivoting from One IOC
Each IOC is a jumping-off point. The phishing IP may have hit other employees. The C2 IP may connect to other hosts. The encoded PowerShell pattern is a dropper signature — hunt it across all endpoints. Every additional hit expands your blast radius assessment and may change the incident from “one user” to “domain-wide.”
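The pivot described above, as an added example that is not part of the original page: the five IOCs from the pivot bar are typed (IP, domain, pattern) so each gets a suitable matcher, run against constructed events from several sources, and the hits are reduced to the users and hosts beyond the seed user and host, which is what moves the assessment from "one user" to "domain-wide". The event fields and the -enc payload are this example's own constructions.

```python
import re

# The five IOCs from the pivot bar above, typed so each gets the right matcher.
IOCS = {"185.220.101.47": "ip", "45.142.212.100": "ip",
        "acme-corp-secure.com": "domain", "dropbox-cdn.io": "domain",
        "powershell -enc": "pattern"}

# Constructed events from several sources; field names are this example's own,
# mail-gateway events carry no host, and the -enc payload is a placeholder.
EVENTS = [
    {"src": "proofpoint", "host": None, "user": "sarah.chen", "value": "185.220.101.47"},
    {"src": "proofpoint", "host": None, "user": "tom.ng", "value": "185.220.101.47"},
    {"src": "dns", "host": "WKSTN-0112", "user": "sarah.chen", "value": "acme-corp-secure.com"},
    {"src": "dns", "host": "WKSTN-0231", "user": "tom.ng", "value": "login.acme-corp-secure.com"},
    {"src": "netflow", "host": "WKSTN-0112", "user": "sarah.chen", "value": "45.142.212.100:4444"},
    {"src": "netflow", "host": "SRVR-FS02", "user": "svc_backup", "value": "45.142.212.100:4444"},
    {"src": "edr", "host": "WKSTN-0112", "user": "sarah.chen",
     "value": "powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAAgAD0AIAAx"},
    {"src": "edr", "host": "WKSTN-0231", "user": "tom.ng",
     "value": "powershell.exe -ExecutionPolicy Bypass -File build.ps1"},
    {"src": "proxy", "host": "WKSTN-0112", "user": "sarah.chen", "value": "dropbox-cdn.io"},
]

# Encoded-PowerShell dropper signature: powershell ... -e/-ec/-enc/-EncodedCommand <base64>.
ENC_PS = re.compile(r"(?i)powershell(?:\.exe)?\b.*\s-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}")

def matches(ioc, kind, value):
    v = value.lower()
    if kind == "ip":          # exact host match, port stripped
        return v.split(":")[0] == ioc
    if kind == "domain":      # the domain itself or any subdomain of it
        return v == ioc or v.endswith("." + ioc)
    return bool(ENC_PS.search(value))

def pivot(iocs, events):
    """Every (source, host, user) each IOC touches."""
    return {ioc: [(e["src"], e["host"], e["user"]) for e in events if matches(ioc, kind, e["value"])]
            for ioc, kind in iocs.items()}

def scope(hits, seed_user, seed_host):
    """Widen the assessment once any IOC lands on another user or host."""
    users = {u for h in hits.values() for _, _, u in h}
    hosts = {ho for h in hits.values() for _, ho, _ in h if ho}
    extra = (users - {seed_user}) | (hosts - {seed_host})
    return ("domain-wide" if extra else "one user"), sorted(extra)
```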
08 Incident Report · Document the full incident · fill manually or autofill
01 Incident Overview
Incident ID
Severity
Date / Time Detected
Analyst
Incident Title
Executive Summary
02 Affected Assets
Primary User
Department
Affected Hosts
Affected Systems
Data Exposure Assessment
03 Attack Timeline
Initial Access
Credential / Token Compromise
Lateral Movement
Data Exfiltration
Detection
Containment
04 Indicators of Compromise
05 Containment & Remediation
Immediate Actions Taken
Remediation Required
06 Root Cause & Recommendations
Root Cause
Recommendations
MITRE ATT&CK Techniques