Incident Investigation Report: Operation DOCKSHOCK
Triaging a complex supply-chain intrusion targeting regional energy distribution. Tracks the complete lifecycle from perimeter XSS probing and weaponized phishing documents to lateral movement and source-code exfiltration using raw web utilities.
This threat intelligence case study and forensic analysis is currently an active investigation. Once complete, it will detail the complete intrusion path, command-and-control infrastructure layout, and mitigation strategy for the Operation DOCKSHOCK intrusion.
Investigation Status: In Progress
Our team is currently analyzing telemetry logs from compromised endpoints, correlating lateral movement via WinRM sessions, and compiling KQL threat hunting queries. The full report will be published here upon completion.
Expected Highlights of the Upcoming Report:
- Initial Access Vector Analysis: Mapping the perimeter XSS probes and spear-phishing campaigns targeting Solvi Systems.
- C2 Beaconing Signature: Detailing the customized backdoor (ecobug.exe) outbound TCP/1337 communication.
- Lateral Movement Tracing: Forensic breakdown of active directory enumeration and WinRM session hijacking.
- Hunting Framework: A pack of KQL rules designed to detect local administrative additions and cURL exfiltration pipelines.