On April 14, 2026 at 11:42 AM, a TechNova Solutions employee inserted an unvetted USB drive into a corporate workstation. Within seconds, the SOC detected powershell.exe launching with encoded commands, outbound C2 connections, and persistent RAT installation via a scheduled task.
EDR alert: "Suspicious Process — powershell.exe + C2 Outbound." Confirmed powershell.exe spawned by explorer.exe (unusual parent chain). C2 connection to 91.108.4.33:4444 (Telegram infrastructure) confirmed. USB insertion logged at 11:42 AM via Event ID 2003. TRUE POSITIVE — escalated to L2.
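The detection chain above (USB insertion, encoded PowerShell launched from explorer.exe, outbound connection to a non-web port) can be reproduced as a small correlation rule. The following is an added example written for this write-up, not code from TechNova's SOC or its EDR vendor. It runs over constructed Sysmon-style events; the host name, the C2 address 91.108.4.33:4444 and Event ID 2003 come from the report, while the timestamps, file paths, the five-minute window and the decoded command are assumptions. It also decodes the -EncodedCommand argument the way PowerShell does (base64 of UTF-16LE text), which is the step behind "Payload decoded from base64 PowerShell command" later in the report.

```python
import base64
import re
from datetime import datetime, timedelta

# Event IDs as used in the report: Windows logs USB device insertion under
# Event ID 2003 (Microsoft-Windows-DriverFrameworks-UserMode/Operational);
# process creation and network connection use Sysmon's Event IDs 1 and 3.
USB_INSERTION = 2003
PROCESS_CREATE = 1
NETWORK_CONNECT = 3
CORRELATION_WINDOW = timedelta(minutes=5)   # assumption: how long after USB insertion we correlate
EXPECTED_WEB_PORTS = {80, 443}

# PowerShell's -EncodedCommand (also -e, -ec, -enc) carries base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(text):
    """Encode text the way PowerShell expects for -EncodedCommand (used only to build the sample)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line):
    """Return the plaintext behind -EncodedCommand, or None if absent or malformed."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed telemetry modelled on the incident. Host name, C2 address and port
# come from the report; timestamps, paths and the decoded command are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2026-04-14T11:42:00", "host": "TECHNOVA-WKS-047", "event_id": USB_INSERTION},
    {"ts": "2026-04-14T11:42:03", "host": "TECHNOVA-WKS-047", "event_id": PROCESS_CREATE,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand "
                     + encode_powershell(r"Start-Process 'C:\Users\Public\svchost32.exe'")},
    {"ts": "2026-04-14T11:42:05", "host": "TECHNOVA-WKS-047", "event_id": NETWORK_CONNECT,
     "image": r"C:\Users\Public\svchost32.exe", "dest_ip": "91.108.4.33", "dest_port": 4444},
    # Benign control: an administrator's plain shell on another host, no USB event.
    {"ts": "2026-04-14T09:10:00", "host": "TECHNOVA-WKS-012", "event_id": PROCESS_CREATE,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe Get-Service"},
]


def _within_window(t, starts):
    """True if t falls within CORRELATION_WINDOW after any of the start times."""
    return any(timedelta(0) <= t - s <= CORRELATION_WINDOW for s in starts)


def analyze(events):
    """Correlate per host: USB insertion followed within CORRELATION_WINDOW by an
    encoded PowerShell launch and an outbound connection on a non-web port.
    Returns {host: {"signals": [...], "usb_preceded": bool, "verdict": str}}."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    findings = {}
    for host, evs in by_host.items():
        usb_times = [datetime.fromisoformat(e["ts"]) for e in evs if e["event_id"] == USB_INSERTION]
        signals, usb_preceded = [], False
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            hit = []
            if e["event_id"] == PROCESS_CREATE and e["image"].lower().endswith("powershell.exe"):
                decoded = decode_encoded_command(e["command_line"])
                if decoded is not None:
                    hit.append(("encoded_powershell", decoded))
                if e["parent_image"].lower().endswith("explorer.exe"):
                    hit.append(("unusual_parent", e["parent_image"]))
            elif e["event_id"] == NETWORK_CONNECT and e["dest_port"] not in EXPECTED_WEB_PORTS:
                hit.append(("c2_outbound", f"{e['dest_ip']}:{e['dest_port']}"))
            if hit and _within_window(t, usb_times):
                usb_preceded = True
            signals.extend(hit)
        kinds = {kind for kind, _ in signals}
        if {"encoded_powershell", "c2_outbound"} <= kinds and usb_preceded:
            verdict = "ESCALATE"   # the report's chain: USB -> encoded PowerShell -> C2
        elif signals:
            verdict = "REVIEW"
        else:
            verdict = "NONE"
        findings[host] = {"signals": signals, "usb_preceded": usb_preceded, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS).items():
        print(host, finding["verdict"], finding["signals"])
```

The verdict deliberately requires both the encoded launch and the outbound connection after a USB event before escalating; a lone explorer.exe-spawned shell is only marked for review, which keeps ordinary interactive PowerShell use from paging L2.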
TECHNOVA-WKS-047 isolated via EDR console. Memory dump acquired with Magnet RAM Capture before remediation.
Static/dynamic analysis of svchost32.exe: AsyncRAT variant with keylogger, screenshot capture, file exfiltration, and reverse shell capabilities. Payload decoded from the base64-encoded PowerShell command.
Registry key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemHost. Scheduled task removed. C2 IP blocked at firewall.
Searched all endpoints for svchost32.exe, file hash, registry key, C2 IP — no lateral movement confirmed. WKS-047 reimaged from gold image.
Detection: Under 60 seconds from USB insertion to SIEM alert. Infection contained to single workstation. No lateral movement. Root cause: uncontrolled USB access — a preventable policy failure.