`
On February 28, 2024, at 08:42 AM, a user on host Jayne (IP: 172.16.17.198) opened a malicious macro-enabled Word document named edit1-invoice.docm. The embedded macro executed a PowerShell command that attempted to download a remote executable from www[.]greyhathacker[.]net (92.204.221[.]16). This activity was logged by Sysmon and other endpoint telemetry, including DNS queries and script block execution.
Earlier, at 08:12 AM, a phishing email originating from jake.admin[@]cybercommunity[.]info was sent to Jayne, containing the malicious document.
This incident is classified as high severity, as it enabled the download and potential execution of malware. Immediate containment measures included isolating the affected host, preserving relevant artifacts, and defanging the IOCs for safe reporting.
`
PLaybook is now completed:
completedplaybook
Now we close the alert.
closeddescription