Fake Zoom to Ransomware: The Social Engineering Pipeline

After the initial execution of Zoom_v_2.00.4.exe, the system logged a series of high-privilege events involving SYSTEM-level processes. Investigate the XDR Timeline to determine which service binary was recorded in the description of the ninth event in the sequence.

After the initial execution of a suspicious file by user robert.miller on 2024-05-02T14:49:43.240Z, lateral movement attempts were observed originating from a specific workstation. Analyze the network traffic logs to determine which internal host is now communicating with known malicious command-and-control infrastructure.

An alert was triggered for an unsigned executable masquerading as a common application. Examine the XDR timeline and behavior logs to determine which local or service account was used to execute this file, as this may indicate credential harvesting or lateral movement.

At 2024-05-09T01:22:18.608Z, an unusual process named Zoom_v_2.00.4.exe was observed running under the context of robert.miller. This activity appears to be a masquerading attempt to bypass security controls by mimicking legitimate software; you must locate the specific cryptographic hash associated with this process execution to strengthen our blocklist.

After the initial execution of Zoom_v_2.00.4.exe, the adversary pivoted to credential harvesting. Analyze the chronological events on the affected workstation around 2024-05-09T14:35:07.461Z to find the script used to target backup infrastructure credentials.

An alert triggered at 2024-05-01T08:22:02.799Z regarding a suspicious execution chain initiated by robert.miller. You must determine the exact filename of the masqueraded artifact that was executed immediately after the user interacted with their web browser.

The adversary successfully bypassed initial defenses on corp-wks-001 by chaining scripts through mshta.exe and powershell.exe. Analyze the deep process hierarchy in the XDR panel to find the final executable used to compile or run an inline task that established the foothold.

At 2024-05-01T08:22:02.799Z, user robert.miller executed a suspicious file named Zoom_v_2.00.4.exe which triggered a chain of child processes including mshta.exe and powershell.exe. Analyze the process tree to identify the SHA256 hash of the secondary binary that was dropped and executed during this sequence.

An alert triggered on corp-wks-001 involving a suspicious execution of Zoom_v_2.00.4.exe which subsequently spawned MSBuild.exe and other system binaries. You must analyze the file system modifications made during this incident to find the final artifact left by the attacker.

After the initial execution of a suspicious binary by user robert.miller, the system initiated several outbound connections. Analyze the network traffic logs around 2024-05-07T16:10:04.104Z to determine which internal workstation was communicating with unauthorized external command-and-control infrastructure.