Effective Threat Investigation For Soc Analysts Read Online Access

Marcus locked the account. But he didn't stop. He queried the network logs for journalofsocresearch[.]com. Two other workstations. Both in finance. Both with active RDP sessions to the domain controller.

powershell -enc SQBmACgAJABlAG4AdgA6AFAAQQBUAEgA...

No one from payroll logs in at 2:15 AM.

Then he did the thing no tool could automate. He manually traced the registry hives of the infected finance workstations. Found a scheduled task named "OneDriveSyncFix" running every hour. It called a different domain: patch-management-update[.]net.

He pulled the log. Source IP: 10.12.88.204. Internal. The HR file server.

His jaw tightened. He’d written the playbook for this exact scenario last quarter. "Effective threat investigation," he muttered to himself, "means never trusting the label."

He traced the SharePoint link's origin. It was embedded in a document uploaded to the HR share drive yesterday at 2 PM. The uploader? jsmith. John Smith. Senior payroll specialist. Account still active. Last login: 1 hour ago. At 2:15 AM.

His heart hammered. Encoded PowerShell. He decoded the first layer. A download cradle. The second layer? A callback to a domain he didn't recognize: journalofsocresearch[.]com.