T1068 Exploitation for Privilege Escalation
T1204.002 User Execution Malicious File
T1566.001 Phishing Attachment
User on host KatharinePRD (172.16.15.78)
The alert SOC107 Privilege Escalation Detected triggered after execution of a malicious file named creditcard on the endpoint. The file hash is confirmed malicious via VirusTotal and Hybrid Analysis, identifying it as a Linux privilege escalation tool. The process was observed running on the endpoint, indicating successful execution.
Sep 22 2020 03:40 PM
Host KatharinePRD (172.16.15.78). The file was delivered via email from david@cashback.com and executed locally on the system.
The alert was triggered by detection of privilege escalation activity. Investigation confirms the file is malicious and was executed on the endpoint, likely following delivery via a phishing email. Although no outbound network connections were observed, the presence and execution of the privilege escalation tool indicate a successful compromise attempt. The host was contained to prevent further impact and escalation.
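To show how the delivery-to-execution chain described above can be checked against logs, here is an added Python example (not part of the original report). The log lines, their field names and the one-hour correlation window are constructed assumptions shaped after the alert details.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the original report), modelled on the
# alert: an attachment from david@cashback.com and a process named "creditcard"
# observed on KatharinePRD (172.16.15.78). No outbound traffic was seen.
MAIL_LOG = [
    "2020-09-22 15:31:02 from=david@cashback.com to=katharine@corp.example attachment=creditcard",
    "2020-09-22 15:33:10 from=hr@corp.example to=katharine@corp.example attachment=payslip.pdf",
]
PROCESS_LOG = [
    "2020-09-22 15:40:05 host=KatharinePRD ip=172.16.15.78 user=katharine image=/home/katharine/creditcard",
    "2020-09-22 15:41:00 host=KatharinePRD ip=172.16.15.78 user=katharine image=/usr/bin/bash",
]
NETWORK_LOG = []  # empty: the investigation observed no outbound connections


def parse(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into (timestamp, field dict)."""
    date, time, *fields = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, dict(f.split("=", 1) for f in fields)


def correlate(mail_log, proc_log, net_log, window=timedelta(hours=1)):
    """Link an emailed attachment to its later execution on an endpoint.

    One finding is produced per (attachment, process) pair whose image basename
    equals the attachment name and whose execution follows delivery within
    `window`. Each finding carries the ATT&CK techniques the report mapped and
    whether outbound traffic from the executing host followed within `window`.
    """
    findings = []
    for m_ts, m in (parse(l) for l in mail_log):
        for p_ts, p in (parse(l) for l in proc_log):
            name = p["image"].rsplit("/", 1)[-1]
            if name == m["attachment"] and m_ts <= p_ts <= m_ts + window:
                outbound = [n for n_ts, n in (parse(l) for l in net_log)
                            if n.get("src") == p["ip"] and p_ts <= n_ts <= p_ts + window]
                findings.append({
                    "host": p["host"], "sender": m["from"], "file": name,
                    "delivered": m_ts.isoformat(), "executed": p_ts.isoformat(),
                    "report_techniques": ["T1566.001", "T1204.002", "T1068"],
                    "outbound_seen": bool(outbound),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(MAIL_LOG, PROCESS_LOG, NETWORK_LOG):
        print(finding)
```

The second mail (payslip.pdf) and the bash process produce no finding, so the output is the single creditcard chain with outbound_seen False, matching the report's observation.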