ThreatHunter76/Incident-Response-Analysis


# Incident Response Analysis Report

## Introduction

This project documents a hands-on Incident Response investigation conducted within the TryHackMe Incident Response Process lab environment. The exercise focused on identifying, analyzing, and investigating suspicious activity on a compromised Windows workstation using structured incident response methodologies.

The investigation covered:

- Process analysis
- Network analysis
- Malware investigation
- Infection vector identification
- Command and Control (C2) communication analysis

The analysis was performed using concepts derived from the NIST Incident Response Framework and the SANS Incident Response Process model.

# Objective

The objective of this project was to simulate a real-world security incident and apply practical incident response techniques to:

- Detect suspicious activity
- Investigate malware behavior
- Analyze malicious network communications
- Identify the infection vector
- Understand attacker techniques and indicators of compromise (IOCs)

# Incident Scenario

A user reported that their Windows laptop had become unusually slow and unstable while browsing the internet and working on documents.

Initial investigation by the IT department revealed:

- High CPU utilization
- Persistent outbound network connections
- Suspicious system behavior
- No alerts triggered by SIEM or EDR solutions

The case was escalated to the Incident Response (IR) team for further forensic investigation.

# Investigation Process

## 1. Process Analysis

Using Windows Task Manager, a suspicious process named `32th4ckm3` was identified consuming approximately 51.5% of CPU resources.

Suspicious indicators:

* High CPU usage
* Unusual process naming convention
* Execution from the Temp directory
* Continuous outbound network communication

⸻

## 2. File Location Investigation

The malicious executable was found running from:

```
C:\Users\TryCleanUser\AppData\Local\Temp
```

This directory is commonly abused by malware because of its permissive write permissions and low visibility.

⸻

## 3. Network Analysis

The Process ID (PID) was collected and its connections were investigated using:

```
netstat -aofn | find "PID"
```

Findings:

* Repeated outbound connections
* Communication with an external IP address
* Potential Command and Control (C2) activity

This behavior strongly indicated malware beaconing activity.

⸻

## 4. Infection Vector Identification

Browser downloads and user activity were reviewed. A suspicious macro-enabled Word document was identified:

`invoiceN.37484567.docm`

⸻

# Malware Analysis

The `.docm` file was analyzed using the Microsoft Word VBA Macro Editor.

Suspicious VBA functions observed:

* `GetObject`
* `Winmgmts`
* `ExecQuery`

These functions are commonly associated with:

* WMI abuse
* Malware execution
* Remote command execution
* System reconnaissance

The document was confirmed to contain malicious macro code.
⸻

# Key Findings

## Suspicious Process

`32th4ckm3`

Observed behavior:

* Excessive CPU utilization
* Persistent outbound connections
* Unauthorized activity

⸻

## Command & Control Communication

Indicators of C2 activity included:

* Continuous outbound traffic
* Repeated communication with the same IP address
* Unknown external communication

⸻

## Infection Vector

Malicious macro-enabled document: `invoiceN.37484567.docm`

⸻

# Skills Demonstrated

This project provided practical experience in:

* Incident Response
* Malware Triage
* Process Investigation
* Network Analysis
* Threat Detection
* Root Cause Analysis
* Command & Control Detection
* Windows Endpoint Investigation

⸻

# Tools & Techniques Used

* Windows Task Manager
* Netstat
* VBA Macro Editor
* Process Analysis
* Network Connection Analysis
* IOC Investigation

⸻

# Lessons Learned

* Not all malicious activity triggers SIEM or EDR alerts
* Behavioral analysis is critical during investigations
* Temporary directories are common malware execution locations
* Macro-enabled Office documents remain a major phishing vector
* Network analysis is essential for identifying malicious communications

⸻

# Frameworks Referenced

## NIST Incident Response Framework

* Preparation
* Detection and Analysis
* Containment, Eradication, and Recovery
* Post-Incident Activity

## SANS Incident Response Framework

* Preparation
* Identification
* Containment
* Eradication
* Recovery
* Lessons Learned

⸻

# Conclusion

This project successfully demonstrated the practical application of incident response methodologies within a controlled SOC lab environment. Through structured investigation techniques, the malicious process, suspicious network communications, and macro-enabled infection vector were successfully identified and analyzed.
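The macro review described under Malware Analysis and summarized in the Key Findings, as an added Python example (mine, not code from the lab or this README). It scans VBA source for the three indicators the investigation listed (`GetObject`, `winmgmts`, `ExecQuery`), ignores them when they only appear inside `'` comments, and additionally checks for auto-execution procedure names such as `AutoOpen`, which this README does not mention and which I add as a common triage heuristic. Both macro listings are constructed samples, not code recovered from `invoiceN.37484567.docm`.

```python
"""Static VBA macro triage (added example; macro text is constructed)."""
import re

# Indicator -> why an analyst cares.  Matched case-insensitively, as VBA is.
WMI_INDICATORS = {
    "GetObject": "binds to a COM object from a moniker string",
    "winmgmts": "WMI service moniker, i.e. WMI access",
    "ExecQuery": "runs a WQL query (process / system reconnaissance)",
}

# Procedures Office runs on its own when a document opens (assumed list, not from the README).
AUTOEXEC_PROCS = ("AutoOpen", "Auto_Open", "Document_Open", "AutoExec", "Workbook_Open")

# Constructed sample with the shape the investigation describes: a WMI query on open.
SUSPICIOUS_MACRO = r'''Sub AutoOpen()
    Dim svc, procs, p
    Set svc = GetObject("winmgmts:\\.\root\cimv2")
    Set procs = svc.ExecQuery("SELECT Name FROM Win32_Process")
    For Each p In procs
        ' enumeration body omitted in this constructed sample
    Next
End Sub
'''

# Constructed benign macro: a formatting helper with no auto-execution hook.
BENIGN_MACRO = r'''Sub FormatHeading()
    ' Bold the selected paragraph (GetObject mentioned only in this comment)
    Selection.Font.Bold = True
End Sub
'''


def strip_comment(line):
    """Drop a trailing ' comment, leaving apostrophes inside string literals alone."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string          # "" escapes toggle twice, net unchanged
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def scan_macro(source):
    """Return findings as {line, indicator, category, note}, in source order."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        for name, note in WMI_INDICATORS.items():
            if re.search(rf"\b{re.escape(name)}\b", code, re.IGNORECASE):
                findings.append({"line": lineno, "indicator": name,
                                 "category": "wmi", "note": note})
        for name in AUTOEXEC_PROCS:
            if re.search(rf"\bSub\s+{re.escape(name)}\s*\(", code, re.IGNORECASE):
                findings.append({"line": lineno, "indicator": name, "category": "autoexec",
                                 "note": "runs automatically when the document is opened"})
    return findings


def verdict(findings):
    """high: WMI access wired to an auto-exec hook; medium: WMI only; low: hook only."""
    categories = {f["category"] for f in findings}
    if {"wmi", "autoexec"} <= categories:
        return "high"
    if "wmi" in categories:
        return "medium"
    if "autoexec" in categories:
        return "low"
    return "clean"


if __name__ == "__main__":
    for label, macro in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        hits = scan_macro(macro)
        print(label, verdict(hits))
        for h in hits:
            print(f"  line {h['line']}: {h['indicator']} [{h['category']}] - {h['note']}")
```

The comment stripper matters more than it looks: a name that only appears in a comment is noise, and a scanner that fires on it trains analysts to ignore its output. Real macro triage tools (olevba, for example) also expand obfuscated strings before matching, which this example does not attempt.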
The exercise strengthened my understanding of:

* Threat investigation
* Malware behavior analysis
* Endpoint monitoring
* Incident escalation
* Cybersecurity operations workflows

⸻

# Author

AbdulQudus Olamilekan AbdulHakeem

Aspiring SOC Analyst | Threat Hunter | Cybersecurity Enthusiast