The Incident Response Team (IRT) should take primary responsibility because the scenario describes an active, complex incident involving lateral movement and likely data exfiltration across sensitive systems, requiring coordinated containment, investigation, and recovery. The SOC often detects and initially triages incidents, but when severity and complexity increase—especially with potential data breach implications—IRT leadership is critical to coordinate cross-functional actions: containment steps, evidence preservation, forensics, remediation, system restoration, stakeholder communications, and regulatory considerations. Threat intelligence supports context (adversary patterns, IoCs/TTPs) but does not run response operations. Security engineering provides remediation support (hardening, patching, segmentation) but typically does not manage incident command and coordination. The SOC continues to support with monitoring, telemetry analysis, and detection tuning, but the IRT is the operational owner for managing the incident lifecycle end-to-end. In mature incident response, the IRT also ensures proper documentation, decision logging, and alignment with legal/compliance requirements—especially important when sensitive customer data and potential breach notification obligations are involved.

The Incident Response Procedures contain the performance measures and proper project and time management details. These procedures are designed to guide the incident response team through each phase of incident management, ensuring that all activities are performed efficiently and effectively. They include specific steps to follow, roles and responsibilities, timelines, and performance metrics to measure the effectiveness of the response.

Host-based artifacts are the most direct evidence to confirm persistence and recurring execution on an endpoint. The scenario already describes classic host persistence mechanisms: scheduled tasks and registry autorun modifications. To confirm and mitigate, a threat hunter should focus on endpoint-resident artifacts such as: persistence entries (scheduled tasks, Run/RunOnce keys, services, WMI subscriptions), process ancestry (which parent launches the malicious script), file system changes (dropped scripts, DLLs, staged payloads), and security control tampering. These artifacts enable containment and eradication because they point to what must be removed and what must be prevented from re-creating itself after reboot. Network-based artifacts are important for identifying C2 destinations and potential lateral movement, but they won’t fully explain how the malware survives termination. Threat intelligence context can help attribute and match TTPs, but it’s not required to confirm persistence locally. Indicators of Attack are behavior patterns (like scheduled task creation, registry autoruns, process injection) and are valuable conceptually, but the option that best represents the concrete evidence you need to examine and remediate on the endpoint is “host-based artifacts.” In SOC response, you’d combine host artifact removal with credential resets and scoping for similar persistence across endpoints.

The highest-signal next step is to scope and confirm the suspicious execution pattern by identifying related process creation events. Event ID 4688 records process creation in Windows Security logs when auditing is enabled, and it can capture command-line details that confirm the use of -ExecutionPolicy Bypass and -NoProfile, as well as parent/child relationships. Since the activity is on a domain controller and the parent is winrm.exe (remote management), the SOC must quickly determine whether this is isolated or part of a broader remote execution campaign. Searching for similar 4688 events over a relevant window (such as the last 24 hours) helps identify frequency, affected accounts, and whether the same command line or script path appears across hosts. Event ID 4625 (failed logon) can provide context for brute force attempts, but it does not directly validate or scope the suspicious PowerShell executions already observed. Event ID 7045 (new service installation) is important if there are signs of service-based persistence, but it is a different hypothesis. Event ID 5145 is about network share access and can be useful for lateral movement, but the immediate priority is to scope execution behavior. Therefore, focusing on 4688 process creation for similar PowerShell executions is the best primary step.

The regular expression provided in the question is designed to detect patterns that are typically found in XSS (Cross-Site Scripting) attacks. Here’s a breakdown of the regex pattern:

/((\%3C)| < )  - This part of the pattern matches the encoded version of  <  which is  %3C , or the symbol  <  itself. In HTML, this symbol denotes the start of a tag.

((\%69)|i|(\%49))  - This matches the encoded version of  i  which is  %69 , the lowercase  i , or the encoded version of  I  which is  %49 .

((\%6D)|m|(\%4D))  - This matches the encoded version of  m  which is  %6D , the lowercase  m , or the encoded version of  M  which is  %4D .

((\%67)|g|(\%47))  - This matches the encoded version of  g  which is  %67 , the lowercase  g , or the encoded version of  G  which is  %47 .

[^\n]+  - This part of the pattern matches one or more characters that are not a newline character.

((\%3E)| > )  - This matches the encoded version of  >  which is  %3E , or the symbol  >  itself, denoting the end of an HTML tag.

The combination of these patterns is looking for a string that resembles an HTML  img  tag, which is a common vector for XSS attacks. XSS attacks involve injecting malicious scripts into webpages viewed by other users, exploiting the trust a user has for a particular site. XSS attacks can occur when a web application uses unsanitized user input in the output it generates.

The role of finalizing strategy, policies, and procedures for a Security Operations Center (SOC) typically falls under the responsibilities of a Chief Information Security Officer (CISO). The CISO is a senior-level executive within an organization who coordinates and manages the overall strategy and defense mechanisms to protect the organization’s information and technology assets. This role involves leadership and strategic decision-making, which includes establishing the SOC’s framework, defining its policies, and overseeing its procedures.

Chain of custody is the formal process used to document and preserve evidence integrity by recording who collected the evidence, who accessed it, where it was stored, and when it changed hands. In SOC and forensic operations, chain of custody is essential for maintaining evidentiary reliability, especially in cases with regulatory, legal, or disciplinary implications. It ensures that evidence has not been altered, tampered with, or mishandled, and it supports defensible conclusions about what occurred. Incident documentation is broader and includes timelines, decisions, actions taken, and communications, but it does not specifically track evidence handling transfers. Data imaging is the creation of a forensic copy of storage media (disk image), a separate technical step that may be recorded within chain-of-custody logs. Digital fingerprinting refers to generating hashes or other identifiers to confirm file integrity; again, it is a technique used within evidence handling, but the tracking record of handlers, locations, and transfers is chain of custody. For SOC analysts, correctly maintaining chain of custody is critical when responding to breaches involving sensitive customer records and potential compliance investigations.

A false negative occurs when malicious activity happens but the detection logic fails to alert. In this case, an attacker successfully authenticates after multiple failed attempts, yet the SIEM rule does not trigger because the threshold (10 failed attempts) was not met. The incident is real, but the system missed it—this is the definition of a false negative. From a SOC engineering perspective, this highlights a common tuning pitfall: rigid thresholds can be evaded by attackers who adjust timing or stop just short of the trigger condition. To reduce false negatives, SOC teams often implement layered detections: alert on “many failed attempts” (lower thresholds), alert on “failed attempts followed by a success,” incorporate user risk context (unusual source IP/geo), and add account lockout or MFA policies to reduce attack success. A false positive would mean an alert triggered for benign activity, which did not occur here. True positives/true negatives require the SIEM to correctly alert or correctly stay silent, respectively. Since the SIEM stayed silent during an actual compromise, the classification is false negative.

A SOC is the operational capability that combines people, process, and technology to deliver continuous monitoring, detection, investigation, and response across an organization. The question requires automated alerting, forensics capability, and active threat hunting. Those are SOC functions when supported by the right tooling (SIEM/EDR/XDR, forensic workflows, playbooks) and staffed analysts. A standalone SIEM provides log aggregation and alerting but does not inherently provide threat hunting and forensics expertise without dedicated analysts and processes. SOAR automates workflows but depends on upstream detections and a team to design and operate playbooks; it does not replace continuous monitoring, investigation, and hunting. Periodic audits are point-in-time checks and cannot deliver rapid detection/response. From a SOC analyst perspective, a SOC provides centralized visibility, 24/7 coverage, triage and escalation, proactive hunts, coordination with incident response, and structured reporting—especially important for multi-region banking environments with high regulatory exposure. Therefore, implementing a SOC is the solution that best meets the full set of requirements.

The  /var/log/wtmp  file in Linux systems is used to record all logins and logouts. The  wtmp  file is a binary file that can be read with tools like  last , which can display the login history of all users or a specific user, as well as the times of system reboots and shutdowns. SOC analysts, like Chloe, would inspect this file to track user activities and investigate potential unauthorized access or other security incidents.