Day 113 of Becoming a SOC Analyst — SOC321 Windows Defender Evasion Attempt (True Positive — Contained)
Brute force from 89.187.177.73 (confirmed malicious via AbuseIPDB) succeeded at 07:07 AM with a valid logon against the LetsDefend account on host Elenora (172.16.17.126), followed immediately by hands-on-keyboard recon via cmd spawned from explorer.exe — whoami, net user, net share, Defender status, firewall profile. The attacker then ran two rundll32 LOLBin PoC commands abusing vbscript and mshtml traversal to spawn calc.exe, with the second variant using LoL45 junk path obfuscation to bypass AV signature matching — first variant was caught, second wasn't. No external C2, no payload deployment — contained to recon and Defender threshold probing only, but the intent is clear.
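Added illustration, not part of the LetsDefend scenario or this post: a small Python detector run over constructed process-creation events modelled on the write-up. It shows why a literal string signature catches the plain rundll32/mshtml traversal but misses the junk-path variant, and how normalizing the command line before matching (plus flagging the cmd-spawned recon burst) closes that gap; the event fields, the sample command lines and the recon prefixes are my assumptions, and the script argument after mshtml is deliberately redacted.

```python
import re
from collections import defaultdict
# Constructed process-creation events (Sysmon EID 1 / Security 4688 style) modelled on
# the write-up above; these are illustrative, not real telemetry from the scenario.
EVENTS = [
    {"ts": 1, "host": "Elenora", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"ts": 2, "host": "Elenora", "parent": "cmd.exe", "image": "whoami.exe", "cmdline": "whoami"},
    {"ts": 3, "host": "Elenora", "parent": "cmd.exe", "image": "net.exe", "cmdline": "net user"},
    {"ts": 4, "host": "Elenora", "parent": "cmd.exe", "image": "net.exe", "cmdline": "net share"},
    # variant 1: plain traversal to mshtml (the form a literal string signature catches)
    {"ts": 5, "host": "Elenora", "parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": r'rundll32.exe vbscript:"..\mshtml,<redacted>"'},
    # variant 2: same technique with junk path segments that break the literal match
    {"ts": 6, "host": "Elenora", "parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": r'rundll32.exe vbscript:"..\xq1\..\zz\..\.\mshtml,<redacted>"'},
]
RECON_PREFIXES = ("whoami", "net user", "net share", "netsh advfirewall")  # assumed set
LOLBIN_RE = re.compile(r"rundll32\.exe.*(vbscript|javascript):.*\.\.\\mshtml")

def raw_signature_hit(cmdline: str) -> bool:
    """Naive literal signature: fires on the plain traversal form only."""
    return "..\\mshtml" in cmdline.lower()

def normalize(cmdline: str) -> str:
    """Undo obfuscation that changes the string but not the path that gets resolved:
    drop quotes, squash repeated separators, remove '.' segments, cancel 'junk\\..' pairs."""
    s = re.sub(r"[\\/]+", lambda m: "\\", cmdline.replace('"', "").replace("'", "").lower())
    parts = []
    for seg in s.split("\\"):
        if seg == ".":
            continue
        if seg == ".." and parts and not parts[-1].endswith(".."):
            parts.pop()  # a junk segment followed by '..' cancels out
            continue
        parts.append(seg)
    return "\\".join(parts)

def detect(events, window=60):
    """Return (ts, label, detail) findings: normalized LOLBin matches plus recon bursts."""
    findings, recon = [], defaultdict(list)
    for e in events:
        cmd = normalize(e["cmdline"])
        if e["image"] == "rundll32.exe" and LOLBIN_RE.search(cmd):
            findings.append((e["ts"], "rundll32 vbscript/mshtml traversal", cmd))
        if e["parent"] == "cmd.exe" and cmd.startswith(RECON_PREFIXES):
            recon[e["host"]].append(e["ts"])
    for host, ts in recon.items():  # three or more recon commands inside the window
        if len(ts) >= 3 and ts[-1] - ts[0] <= window:
            findings.append((ts[0], f"recon burst on {host}", f"{len(ts)} commands in {ts[-1] - ts[0]}s"))
    return findings
```

Running `detect(EVENTS)` flags both rundll32 variants after normalization, while `raw_signature_hit` only fires on the first one, mirroring the caught/missed split in the scenario.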
🔬 Analysis Reports
🔍 AbuseIPDB (89.187.177.73) → https://www.abuseipdb.com/check/89.18...
📦 LOLBAS - Mshtml → https://lolbas-project.github.io/lolb...
🔗 Exploit-DB → https://www.exploit-db.com/exploits/5...
Scenario sourced from LetsDefend.io — one of the best hands-on SOC analyst training platforms out there.
Highly recommend if you're on the same path. I'm documenting every day of my journey to landing a Level 1 SOC Analyst role — the wins, the grinds, and everything in between.
🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #DefenderEvasion #LOLBins #Rundll32 #BruteForce #DefenseEvasion #IncidentResponse #SIEM #Day113 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity