SOC Write-ups
Case notes and investigations from SOC analyst practice scenarios.
SOC336 - Windows OLE Zero-Click RCE Exploitation Detected (CVE-2025-21298)
Detection and investigation of a confirmed Windows OLE zero-click RCE exploitation delivered via a malicious RTF email attachment. OUTLOOK.EXE spawned cmd.exe, which executed regsvr32.exe to retrieve a remote payload from a C2 server; the proxy permitted the outbound request. The host was isolated and the case escalated to L2.
16/05/2026 — CRITICAL — LetsDefend SOC - Endpoint & Proxy Logs (172.16.17.137) · SOC336
#cve-2025-21298 #windows-ole #zero-click #rce #regsvr32 #phishing #c2
RDP Brute Force Attack on WIN-SERVER - Triage #001
Detection and investigation of an automated RDP brute force attack targeting the Administrator account on WIN-SERVER, originating from an internal Kali Linux machine.
19/04/2026 — MEDIUM — Wazuh SIEM - Agent WIN-SERVER (192.168.10.102) · INC-2026-0001
#brute-force #rdp #windows-authentication #lateral-movement