CasesC-1338
Suspicious File Download - C-1338
Detected on May 12, 2025 at 02:14 AM · Updated 18m ago
Status
Open
Due in 4h 20m
Severity
Medium
Score: 5.4
Assignee
AR
Aditi Rao
Analyst
Owner
AB
Alex B.
SecOps Team
Priority
P2
Medium Priority
Case Overview
Large executable file downloaded from unknown domain on workstation.
Case ID
C-1338
Case Type
Suspicious File Download
Tactic / Technique
Credential Access / T1110
Detection Source
Wazuh SIEM
First Detected
May 12, 2025 at 02:14 AM
Last Activity
May 12, 2025 at 02:42 AM
Environment
Prod
Tags
AuthenticationVPNAccount Takeover
Affected Systems
View all (2)VPN-GW-01Online
10.0.1.15 · Palo Alto GlobalProtect
svc-vpn-access
Privileged Account
Linked Alerts
View all (2)Brute force login attempt detected
Wazuh · May 12, 2025 02:14 AM
Multiple failed logins - threshold exceeded
Wazuh · May 12, 2025 02:16 AM
Suspicious source IP geo-anomalous
Wazuh · May 12, 2025 02:18 AM
SLA & Timing
68%
Remaining
SLA24h 0m
DueDue in 4h 20m
Elapsed9h 42m
SLA Target: 24hTime remaining: 14h 18m
Stakeholders
EditAB
Alex B.
Case Owner
AR
Aditi Rao
Assignee
MR
Miguel R.
SOC Manager
IT
Ian T.
Infrastructure Team
Related Reports
View allWeekly Security Summary
May 5 – May 11, 2025
Authentication Threat Report
April 2025
Export Case Summary
Download a summary of this case including details, evidence, and timeline.
Investigation Notes
Initial triage shows multiple failed VPN logins using the svc-vpn-access account from an external IP with no known business justification.
- Verified account is a service account used by automation.
- Source IP 203.0.113.45 not in allowlist.
- No successful login observed.
- Account locked as a precaution.
- Monitoring for additional activity.
AR
Aditi Rao · May 12, 2025 03:02 AM (edited)
Evidence Attachments (4)
View allvpn_failed_logins_2025-05-12.log
72 KB · May 12, 02:16 AM
wazuh_alert_5501.json
18 KB · May 12, 02:18 AM
firewall_traffic_203.0.113.45.pcap
1.4 MB · May 12, 02:22 AM
account_lock_event.png
93 KB · May 12, 02:25 AM
Comments / Collaboration
AR
AB
Alex B.Owner· May 12, 2025 03:15 AM
Locked the svc-vpn-access account and added 203.0.113.45 to the firewall blocklist. Monitoring for any downstream activity.
Reply