{"id":1163,"date":"2026-06-18T22:45:18","date_gmt":"2026-06-18T22:45:18","guid":{"rendered":"https:\/\/victorcoil.tech\/?page_id=1163"},"modified":"2026-06-18T22:45:19","modified_gmt":"2026-06-18T22:45:19","slug":"analyst-note-sample-letsdefend-event-id-278","status":"publish","type":"page","link":"https:\/\/victorcoil.tech\/?page_id=1163","title":{"rendered":"Analyst Note Sample &#8211; LetsDefend Event ID 278"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Additional Info:<br>Investigation Date: 2\/11\/2026<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Retrospective Note:<br>As of 6\/18\/2026, if revisiting this today, I&#8217;d add to the 4th bullet in the synopsis that the investigation was done via an EDR solution, and would list the exact commands run by the attacker and the timestamps at which they were executed.<br>I would also point out that I remotely RDP&#8217;d into the host for the 6th bullet point and checked the script contents on the live host.<br>I would add the queries run on the SIEM to support the 7th and 8th bullet points, covering that no exfiltration traffic was seen going out of the victim host, as well as any lateral movement.<br>And finally, the rationale for the closure: why it was a true positive. 
With that being said, I confirmed unauthorized access via SSH brute-force attacks, followed by credential enumeration and decoding activity, which was tied to the alert trigger.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>========== Title(s) ==========\n\nSOC302 - Suspicious Base64 Encoding\/Decoding Commands Detected\n\n========== Alert Details ==========\n\nEventID : 278\nEvent Time : Jul, 17, 2024, 12:18 PM\nRule : SOC302 - Suspicious Base64 Encoding\/Decoding Commands Detected\nLevel : Incident Responder\nHostname : Wilburn\nIp Address : 172.16.17.74\n\nCommand Line :\ndecoded = base64.b64decode(encoded)\n\nTrigger Reason :\nDetects suspicious use of Base64 encoding or decoding commands which could be used for data obfuscation.\n\n========== Raw logs\/Headers ==========\n\nN\/A\n\n=============================================\n\n==== OSINT\/SandboxAnalysis\/ThreatIntel\/Artifacts\/References ====\n\nhttps:\/\/www.virustotal.com\/gui\/ip-address\/143.244.44.163\/detection\n0\/94\nAs of 2\/11\/2026, no vendors mark the IP as malicious, but relations show a history of connections to malicious files\n\nhttps:\/\/www.abuseipdb.com\/check\/143.244.44.163\nIP has a history of maliciousness\n\nInternal threat intelligence returned no results; recommend adding artifacts\n\nDecoded file hashes:\n\nmd5sum decoded_file.txt \nd15ebd5d4016e9099d2ba47107887f3a  decoded_file.txt\nsha1sum decoded_file.txt \n3c535e4050cf5f711fae9d6793366bee8e828e29  decoded_file.txt\nsha256sum decoded_file.txt \n364929ca5c536a03370f0cb8d2207ae466046a8cbe1424cad268c0feb0a63159\n\n========== Historical Analysis ==========\n\nL1 Note :\nMinutes before the alert, I saw a Brute Force attempt with different users from the IP 143.244.44.163 towards the system. However, I could not determine whether this attack was successful or not.\n\n========== Queries Ran ==========\n\nQueries run on the malicious IP revealed a brute force attack. 
No callback seems to have been returned.\n\n========== Synopsis ==========\n\n> L1 Analyst handover notes pointed out that a brute force attack was detected before this event was triggered.\n> Verification of the brute force attack on the date of the event confirms that a successful login occurred on the Wilburn host (172.16.17.74) via SSH from the attacker IP 143.244.44.163 at Jul, 17, 2024, 06:44 AM for the analyst account.\n> Performed OSINT on the offending IP, taking note of its history.\n> Investigation of the endpoint shows enumeration activity performed by the unauthorized individual. Activity included looking at system architecture and OS versioning, groups present on the system, interrogating the passwd database, and file searches for keywords such as passwords and other important strings.\n> EDR terminal history shows the intruder using Python to decode a file with Base64-encoded content.\n> Investigation of the endpoint shows the decoded content to be IPs, usernames, and passwords.\n> SIEM and EDR telemetry shows no extraction of the sensitive data found, but the individual was still able to access it.\n> Telemetry indicates that the Wilburn system is the only one affected. No sign of lateral movement or attacker expansion on the network.\n> Isolated affected system. 
Recommend user password rotation and SSH key change\n\n========== Closure Code ==========\n\nTrue Positive<\/code><\/pre>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":""}