## https://sploitus.com/exploit?id=7C38CECC-2A55-5BB7-8F34-D5925E1C2C0F
# LetsDefend SOC336: Windows OLE Zero-Click RCE Exploitation Detected
This repository documents my investigation of a LetsDefend alert involving a Windows OLE zero-click remote code execution exploit tied to CVE-2025-21298. The goal is to show the reasoning behind the conclusion, from email triage to endpoint containment.
## Overview
LetsDefend generated the alert after detecting a malicious RTF attachment in an incoming email sent to `Austin@letsdefend.io`. The message came from `projectmanagement@pm[.]me` with the subject `Important: Action Required for Upcoming Project Deadline`. I reviewed the email, attachment, sender details, and endpoint activity to determine whether the alert was a true positive.
## What this repo shows
- Email triage.
- Attachment and hash analysis.
- Threat intel correlation.
- Endpoint and process review.
- C2 and outbound traffic validation.
- Containment decision-making.
## Files
- `writeup/SOC336-Windows-OLE-Zero-Click-RCE-Exploitation-Detected-CVE-2025-21298.md` โ full case study.
- `screenshots/` โ evidence images used in the write-up.
## Main finding
The activity was consistent with a true positive exploit attempt. The malicious RTF attachment, sender details, sender IP, and endpoint process behavior all pointed to a successful delivery chain with suspicious post-delivery activity.
## How to use this repo
Open the write-up first, then review the screenshots in order. The markdown file is written so it can stand on its own inside GitHub without extra context.
## Notes
This repo is written in a natural, straightforward style so it reads like an actual SOC case study.