Sample Report: Windows Workstation Post-Compromise Triage
This is an anonymized sample report generated by WraithRun, showing what its output looks like for a Windows host triage investigation.
Run Metadata
- Task: "Triage potentially compromised Windows workstation — check for persistence, lateral movement indicators, and active C2"
- Mode: dry-run
- Model tier: Basic (deterministic)
- Duration: 3.1s
- Tools executed: 5 of 8
Final Answer
Investigation complete. Found 7 findings across 5 severity levels. The workstation shows clear indicators of compromise: a malicious scheduled task with encoded PowerShell, an unknown process holding an active C2-like connection, and a recently created local admin account. Immediate containment is recommended.
Findings
1. Critical — Scheduled task `WindowsUpdateHelper` with encoded PowerShell
- Confidence: Confirmed (95%)
- Evidence: inspect_persistence_locations (turn 1) found a scheduled task created 3 days ago that runs `powershell.exe -enc [base64]` every 4 hours under the SYSTEM context. The decoded payload downloads and executes a remote script.
- Recommended action: Disable and delete the task immediately. Decode the full payload for IOC extraction. This is a high-confidence indicator of T1053.005 (Scheduled Task) and T1059.001 (PowerShell execution).
2. High — Unknown process `svchost_helper.exe` with outbound connection
- Confidence: Likely (75%)
- Evidence: correlate_process_network (turn 2) found process `svchost_helper.exe` (PID 4892) maintaining a persistent TCP connection to `185.x.x.x:443`. The binary is located in `C:\Users\Public\Downloads\`, which is not a standard system path.
- Recommended action: Terminate the process. Quarantine the binary and compute its hash. Block the destination IP at the network perimeter. Submit the binary to threat intel for classification.
3. High — Local account `support_admin` in Administrators group
- Confidence: Likely (75%)
- Evidence: audit_account_changes (turn 3) detected a local account `support_admin` created 2 days ago and added to the local Administrators group. No corresponding IT service ticket exists.
- Recommended action: Disable the account immediately. Check for any sessions or processes running under this account. Review the Event Log for the source of the account creation (Event ID 4720).
4. Medium — Unquoted service path for `BackupAgent` service
- Confidence: Possible (50%)
- Evidence: check_privilege_escalation_vectors (turn 4) found the `BackupAgent` service registered with the binary path `C:\Program Files\Backup Agent\agent.exe` without quotes. Because the path contains spaces, this creates a path interception vulnerability.
- Recommended action: Fix the service path by enclosing it in quotes in the registry. Check whether `C:\Program.exe` or `C:\Program Files\Backup.exe` exists; the presence of either would confirm exploitation.
5. Medium — Multiple failed RDP login attempts
- Confidence: Possible (50%)
- Evidence: read_syslog (turn 5) found 47 failed RDP login attempts for user `Administrator` from internal IP `10.0.2.15` over the past 24 hours. The pattern suggests automated brute-forcing.
- Recommended action: Block the source IP. Investigate the source host `10.0.2.15` for compromise (this may indicate lateral movement). Enable account lockout policies if they are not already configured.
6. Low — Standard Windows services running normally
- Confidence: Informational (25%)
- Evidence: capture_coverage_baseline (turn 1) found 142 running processes and 89 active services. Cross-referencing against the known-good baseline shows the expected Windows system processes.
- Recommended action: No action. Use as a reference baseline for future comparisons.
7. Info — Network baseline captured
- Confidence: Informational (25%)
- Evidence: scan_network (turn 2) found 23 listening sockets. Standard services detected: RDP (3389), SMB (445), WinRM (5985), IIS (80, 443). One unexpected listener on port 8443 is associated with `svchost_helper.exe`.
- Recommended action: Port 8443 is linked to finding #2. No additional network anomalies were detected beyond the confirmed C2 connection.
Investigation Steps
| Step | Tool | Duration |
|---|---|---|
| 1 | capture_coverage_baseline | 580ms |
| 2 | inspect_persistence_locations | 490ms |
| 3 | correlate_process_network | 410ms |
| 4 | audit_account_changes | 320ms |
| 5 | check_privilege_escalation_vectors | 280ms |
| 6 | read_syslog | 350ms |
Severity Distribution
| Severity | Count |
|---|---|
| Critical | 1 |
| High | 2 |
| Medium | 2 |
| Low | 1 |
| Info | 1 |