T1592 – Gather Victim Host Info (SenseOn Detection)

SenseOn Alert Details
Alert ID: SENSEON-RECON-HOSTINFO-7842
Alert Time: 2024-02-08 11:42:18 EST
Severity: HIGH (78/100)
Source: SenseOn Platform (EDR + UEBA)
Rule: “Suspicious Host Information Enumeration via WMI/PowerShell”
MITRE ATT&CK: T1592 – Gather Victim Host Information

Alert Details:

Detection: Multiple host enumeration commands executed from a single endpoint within a 5-minute window.

Host: HR-WS-045 (Human Resources)

User: mjohnson (Michelle Johnson, HR Generalist)

IP: 192.168.75.122

OS: Windows 10 Enterprise 22H2

Event Sequence (SenseOn Timeline):

11:38:12 – Process: wmic.exe

Command: wmic computersystem get name,domain,manufacturer,model

Parent: explorer.exe (PID: 3452)

11:39:04 – Process: systeminfo.exe

Command: systeminfo /fo csv

Parent: explorer.exe (PID: 3452)

11:40:22 – Process: powershell.exe

Command: Get-WmiObject Win32_OperatingSystem | Select Caption,Version,OSArchitecture,InstallDate

Parent: explorer.exe (PID: 3452)

11:41:35 – Process: powershell.exe

Command: Get-WmiObject Win32_Processor | Select Name,NumberOfCores,MaxClockSpeed

Parent: explorer.exe (PID: 3452)

11:42:01 – Process: powershell.exe

Command: Get-WmiObject Win32_ComputerSystem | Select TotalPhysicalMemory,Manufacturer,Model,Domain

Parent: explorer.exe (PID: 3452)

11:42:18 – SenseOn Correlation: “System Information Enumeration” – Alert triggered.

Contextual Anomaly Score: 92/100

– User mjohnson has no history of running system information commands.

– Commands executed from explorer.exe (unusual parent for reconnaissance).

– No network connections associated with activity (data staged locally).
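
The correlation logic behind this alert (several host-enumeration commands from one host and user inside a five-minute window, with a non-console parent process flagged as an anomaly factor) can be reproduced as a small detection script run over process-creation events. This is an added example, not SenseOn's rule or any code from the report; the event tuples are constructed from the timeline above, and the command patterns and the list of expected parent processes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events modelled on the alert timeline above:
# (host, user, timestamp, command line, parent image). Not real telemetry.
EVENTS = [
    ("HR-WS-045", "mjohnson", "2024-02-08 11:38:12",
     "wmic computersystem get name,domain,manufacturer,model", "explorer.exe"),
    ("HR-WS-045", "mjohnson", "2024-02-08 11:39:04", "systeminfo /fo csv", "explorer.exe"),
    ("HR-WS-045", "mjohnson", "2024-02-08 11:40:22",
     "Get-WmiObject Win32_OperatingSystem | Select Caption,Version", "explorer.exe"),
    ("HR-WS-045", "mjohnson", "2024-02-08 11:41:35",
     "Get-WmiObject Win32_Processor | Select Name,NumberOfCores", "explorer.exe"),
    ("HR-WS-045", "mjohnson", "2024-02-08 11:42:01",
     "Get-WmiObject Win32_ComputerSystem | Select TotalPhysicalMemory,Domain", "explorer.exe"),
    # A lone systeminfo from an admin's console must not trip the rule.
    ("IT-WS-002", "admin1", "2024-02-08 11:40:00", "systeminfo", "cmd.exe"),
]

# Command lines that enumerate OS, CPU, memory or domain details (T1592-style recon).
ENUM_PATTERNS = [
    re.compile(r"\bwmic\b.*\b(computersystem|os|cpu|memorychip)\b", re.I),
    re.compile(r"\bsysteminfo\b", re.I),
    re.compile(r"Get-(WmiObject|CimInstance)\s+Win32_(OperatingSystem|Processor|ComputerSystem)\b", re.I),
]
# Parents from which interactive admins normally run these commands (assumed baseline).
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}

def is_enum_command(cmdline):
    return any(p.search(cmdline) for p in ENUM_PATTERNS)

def detect(events, window_minutes=5, threshold=3):
    # Group enumeration hits by (host, user), then slide the window over each start time.
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for host, user, ts, cmdline, parent in events:
        if is_enum_command(cmdline):
            by_actor[(host, user)].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), parent))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        for start, _ in hits:
            run = [h for h in hits if start <= h[0] <= start + window]
            if len(run) >= threshold:
                # Anomaly factor from the alert: enumeration launched from a non-console parent.
                odd = sorted({p for _, p in run if p.lower() not in EXPECTED_PARENTS})
                alerts.append({"host": host, "user": user, "count": len(run), "unusual_parents": odd})
                break  # the first triggering window is enough for triage
    return alerts
```

Against the constructed events the HR host produces a single alert with five hits and explorer.exe as the unusual parent, while the admin's one-off systeminfo stays silent.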

SOC Investigation Process

1. Alert Validation
Action: Verify alert in SenseOn, check user history
Tools Used: SenseOn Console, User Behavior Baseline
Findings: Confirmed anomalous activity; user never runs these commands

2. Process Analysis
Action: Investigate parent-child relationships
Tools Used: CrowdStrike Falcon
Findings: Explorer.exe spawned cmd.exe (hidden window), which spawned enumeration commands

3. User Interview
Action: Contact user, check for suspicious activity
Tools Used: Teams, Phone
Findings: User reported clicking on “HR Survey.docx” from external email

4. Email Investigation
Action: Check email logs for malicious attachment
Tools Used: Microsoft 365 Defender, Proofpoint
Findings: Found email from “surveys@hr-survey[.]net” with macro-enabled document

5. Malware Analysis
Action: Analyze document in sandbox
Tools Used: SenseOn Sandbox, Any.Run
Findings: Document contained macro that downloaded and executed enumeration script

6. Endpoint Forensics
Action: Check for persistence and data staging
Tools Used: Velociraptor
Findings: Found staged data in C:\Users\mjohnson\AppData\Local\Temp\hostinfo.txt

7. Network Hunting
Action: Check for data exfiltration
Tools Used: Palo Alto Firewall Logs
Findings: No outbound connections from host during time window

Jira Incident Report
Ticket: SOC-2024-041
Summary: T1592 – Host Information Reconnaissance via Phishing Macro
Status: RESOLVED
Resolution: MALICIOUS – Reconnaissance Contained
Priority: P2 – MEDIUM
Labels: T1592, host-info, reconnaissance, phishing, macro, senseon
Components: Endpoint-Security, Email-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: SenseOn Platform (EDR + UEBA correlation).
Alert: “Suspicious Host Information Enumeration via WMI/PowerShell”.
Host: HR-WS-045 (HR Department, user mjohnson).
Time: 2024-02-08 11:42 EST.
Technique: MITRE ATT&CK T1592 – Gather Victim Host Information.

2. Technical Analysis:

Attack Vector: Phishing email with malicious macro-enabled document (“HR Survey.docx”).

Infection Chain:

User received email from spoofed domain hr-survey[.]net at 11:15 EST.
User opened attachment, enabled macros (prompted by document).
Macro executed PowerShell to download reconnaissance script from 185.143.221[.]45/gather.ps1.
Script ran system enumeration commands via WMI and systeminfo.
Data staged locally as hostinfo.txt (no exfiltration attempted).

Enumeration Commands Observed:

OS version, install date, architecture
CPU model, cores, speed
RAM size, system manufacturer/model
Domain membership
All executed via WMI/PowerShell (living-off-the-land)

Payload Analysis:

gather.ps1 SHA256: 8f7e6d5c4b3a2918…
Script contents: Performed host enumeration and saved to temp file
No persistence mechanisms; reconnaissance only

3. Investigation Findings:

Timeline:

11:15 – Phishing email delivered

11:20 – User opens attachment, enables macros

11:22 – Macro downloads and executes gather.ps1

11:38-11:42 – Enumeration commands run

11:42 – SenseOn alert triggers

11:45 – Host isolated via SenseOn containment

Indicators of Compromise (IoCs):

Network:

– Domain: hr-survey[.]net

– IP: 185.143.221[.]45

– URL: http://185.143.221[.]45/gather.ps1

File:

– HR Survey.docx (SHA256: a1b2c3d4e5f6…)

– gather.ps1 (SHA256: 8f7e6d5c4b3a…)

– hostinfo.txt (staged data)

Host:

– Processes: wmic.exe, systeminfo.exe, powershell.exe

– Registry: No persistence

4. Containment Actions:

Immediate Containment (11:45-12:00 EST):

Host isolated via SenseOn network containment.
User account temporarily disabled.
Malicious IP/domain blocked at firewall and DNS.

Forensic Collection (12:00-13:00 EST):

Captured memory and disk artifacts via Velociraptor.
Retrieved macro document from email quarantine.
Extracted staged data file.

Remediation (13:00-14:30 EST):

Re-imaged host.
Reset user password and enforced MFA.
Updated email filtering rules.
Deployed ASR rule to block Office child processes.

5. Root Cause Analysis:

Primary Cause: User opened malicious macro-enabled document from phishing email.
Contributing Factors:
Email gateway allowed delivery (low reputation but no malware signature).
Macros enabled in Office (default configuration).
User lacked recent phishing awareness training.

6. Business Impact:

Operational Impact: HR workstation offline for ~3 hours.
Data Exposure: None (data staged locally, not exfiltrated).
Financial Impact: Minimal.

7. Remediation & Prevention:

Completed Actions:

Host remediated and returned to service.
User re-trained.
IOCs distributed to all security tools.
Enabled “Block macros from internet” via GPO.

8. Conclusion:

This incident involved a phishing email delivering a macro-based reconnaissance script. The attacker successfully gathered host information but was unable to exfiltrate data. Rapid detection by SenseOn prevented further compromise.

Closure Rationale: Host remediated, user educated, controls enhanced.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-08 15:00 EST
