🚨 SOC202 – FakeGPT Malicious Chrome Extension

Hi, I’m Ridesh — a Computer Engineering student on the path to becoming a SOC Analyst. I’m here to share my journey of learning cybersecurity, building projects, and improving my mindset while growing publicly. I’m passionate about cyber defense, psychology, philosophy, ancient wisdom, anime mindset lessons, and everything that builds mental strength. My goal is simple: Build a strong cybersecurity foundation, grow consistently, and connect with people who think like me. If you’re on a similar journey, you’re in the right place — let’s learn and grow together.
Alert Investigation Walkthrough (LetsDefend.io)
Today, I’m going to walk through my investigation of the SOC202 – FakeGPT Malicious Chrome Extension alert from LetsDefend.io.
This write-up documents my step-by-step thought process as a SOC analyst, along with screenshots taken during the investigation to support each finding.
🔍 Alert Overview

The image above shows the initial alert details.
At this stage, the goal is to understand what triggered the alert, which host is affected, and what kind of threat we might be dealing with.
📘 Playbook Review & First Question
After opening the alert, I navigated to the playbook in Case Management.
The first question we need to answer is:
What type of threat indicator is associated with this alert?
To answer this, we must analyze:
Endpoint activity
Network behavior
Log availability
🖥️ Endpoint & Network Activity Analysis
I started by checking the endpoint activity of the affected host (Samuel).

From the endpoint view, we can see that after the alert timestamp, the host device initiated outgoing network connections to multiple IP addresses.
However, when I checked Log Management, there were no corresponding logs for this activity.

This discrepancy is important.
🧠 My Insight
The absence of logs combined with unexpected outbound traffic strongly suggests unknown or suspicious network behavior originating from the host.
Answer: Unknown / unexpected outgoing internet traffic
🛑 Is the Malware Contained?
The next step is to determine whether the malware has already been quarantined or contained on the affected host.

From the endpoint status, it’s clear that the device was not isolated or contained at this point.

This significantly increases the risk, as the malware can continue communicating or spreading.
Answer: Not Contained
☣️ Is the Malware Malicious or Clean?

To determine whether the file is actually malicious, I used the file hash provided in the alert and analyzed it on VirusTotal.

The results clearly indicate that the file is malicious, with detections from multiple security vendors.
I also reviewed:
Detection details
Community comments
Behavioral indicators
to better understand the nature of the malware before documenting it.
Answer: Malicious
🌐 Command-and-Control (C2) Activity Check
Another critical question is whether the malware established C2 (Command-and-Control) communication.

Although no logs were present in Log Management, the endpoint data confirms suspicious external communication.
Based on the observed behavior, the malware:
Accessed an external C2 address
Disabled or restricted Windows Defender
Executed malicious commands
Attempted actions consistent with Denial-of-Service behavior
Answer: C2 Accessed
🔒 Host Containment Action

Since the malware was confirmed as malicious and the host was not contained, the playbook required immediate containment.

After isolating the host, containment was successfully completed.
Answer: Contained
🧾 Indicators of Compromise (IOCs)
Next, I documented the IOCs identified during the investigation.

Identified IOCs:
IP Address – Observed in endpoint network activity
Malicious URL – Associated with FakeGPT extension behavior
MD5 File Hash – Used for malware identification, since it is the hash format most lookup services (such as VirusTotal) accept directly
These IOCs were observed after the alert trigger time, strengthening their relevance.
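The two checks above (post-alert outbound connections with no Log Management record, and collecting the IP, URL and MD5 IOCs into one record) can be scripted. This is an added example written for this post, not LetsDefend's own tooling; every timestamp, IP, URL and hash below is a constructed placeholder, not a value from the alert.

```python
import re
from datetime import datetime

# Constructed sample data for illustration only; none of these values come from
# the SOC202 alert. IPs are from documentation ranges, the hash is a placeholder.
ALERT_TIME = datetime(2024, 1, 1, 10, 0, 0)

ENDPOINT_CONNECTIONS = [  # what the endpoint (EDR) network view lists for the host
    {"time": "2024-01-01 09:55:00", "process": "chrome.exe", "dst_ip": "192.0.2.10", "dst_port": 443},
    {"time": "2024-01-01 10:02:13", "process": "chrome.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"time": "2024-01-01 10:03:41", "process": "chrome.exe", "dst_ip": "198.51.100.8", "dst_port": 8080},
]

LOG_MANAGEMENT = [  # what the log platform actually recorded for the same host
    {"time": "2024-01-01 09:55:00", "dst_ip": "192.0.2.10", "dst_port": 443},
]

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_ts(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS' timestamps used in the constructed data."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def unlogged_outbound(connections, logs, alert_time):
    """Post-alert endpoint connections that have no matching Log Management entry.

    This is the discrepancy from the write-up: the endpoint shows traffic the
    log platform never recorded, which is what makes it 'unknown' outbound traffic.
    """
    logged = {(entry["dst_ip"], entry["dst_port"]) for entry in logs}
    return [
        conn for conn in connections
        if parse_ts(conn["time"]) >= alert_time
        and (conn["dst_ip"], conn["dst_port"]) not in logged
    ]


def is_md5(value):
    """True if value is a 32-hex-character MD5 string (the format the alert provides)."""
    return bool(MD5_RE.match(value))


def build_iocs(unlogged, md5_hash, url):
    """Assemble the three IOC types from the investigation into one record list."""
    if not is_md5(md5_hash):
        raise ValueError("expected a 32-hex-character MD5 hash")
    iocs = [{"type": "ip", "value": c["dst_ip"],
             "context": f"post-alert outbound from {c['process']} to port {c['dst_port']}, no log record"}
            for c in unlogged]
    iocs.append({"type": "url", "value": url, "context": "associated with FakeGPT extension behaviour"})
    iocs.append({"type": "md5", "value": md5_hash.lower(), "context": "file hash from alert, checked on VirusTotal"})
    return iocs
```

Running `build_iocs(unlogged_outbound(ENDPOINT_CONNECTIONS, LOG_MANAGEMENT, ALERT_TIME), "<md5 from alert>", "<url from alert>")` yields the IOC list in the order IP, IP, URL, MD5, each with the context that justifies it.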
📝 Analyst Notes
I always maintain analyst notes while performing the investigation, which helps ensure accuracy and consistency.


When closing the alert, I reused the same notes to maintain a clean and complete case record.

✅ Final Outcome

The alert was successfully investigated, documented, and closed following the playbook.
Key Takeaways (learnings):
Endpoint visibility can reveal activity even when logs are missing
Chrome extensions can be a serious attack vector
Proper containment is critical once malicious behavior is confirmed
Documentation is as important as detection in SOC operations
🔗 Continue Learning With Me
If you found this walkthrough helpful, you may also like my other SOC and malware analysis blogs:
👉 Check out my other cybersecurity blogs
👉 Follow my learning journey and hands-on labs & alerts investigation
Connect with me:
🔗 LinkedIn: Ridesh bijwe | LinkedIn profile
💻 GitHub: DevR224
I’m learning in public and documenting every step — feel free to connect, share feedback, discuss SOC investigations, or point out my mistakes; I would love to know your perspective.
🏷️Tags
#SOCAnalyst #LetsDefend #SOCAlertAnalysis #MalwareInvestigation #ChromeExtensionMalware #FakeGPT #BlueTeam #CybersecurityBeginner #SOCPlaybook #ThreatDetection #EndpointSecurity #LearningSOC