Effective Threat Investigation for SOC Analysts: Read Online

Marcus pivoted to SSL certificate intelligence. Found three other domains with the same cert. Two were dead. One was live: hrdocs-trusted[.]com. He browsed it in a sandboxed VM. A perfect clone of the company's SharePoint login page. Credential harvester.

He remembered the first rule of effective threat investigation: Follow the anomaly, not the alert.

Systems are restored, and a post-mortem is conducted to prevent similar future incidents.

2. Essential Tools for the Modern SOC Analyst

He downloaded the binary from that domain. Didn't execute. Strings analysis. Embedded in the binary: a hardcoded C2 IP. He geolocated it. A data center in the Netherlands. But the SSL certificate? Issued to a small medical clinic in Ohio. That was the attacker's mistake—reusing a cert.