T1071 – Application Layer Protocol (Zscaler Detection)

Zscaler Alert Details
Alert ID: ZSCALER-C2-1071-7842
Alert Time: 2024-02-28 16:30:45 EST
Severity: HIGH (88/100)
Source: Zscaler Internet Access (ZIA)
Rule: “Beaconing to Suspicious Domain – Potential C2”
MITRE ATT&CK: T1071.001 – Application Layer Protocol: Web Protocols

Alert Details:

Detection: Periodic HTTPS connections to suspicious domain

User: rpatel@company.com (Raj Patel, Engineer)
Source IP: 192.168.45.78 (ENG-WS-045)
Destination: https://cdn-updates-service[.]com
Time: 16:00-16:30 EST

Traffic Pattern:

16:00:15 – HTTPS GET /api/check (206 bytes response)
16:05:15 – HTTPS GET /api/check (206 bytes response)
16:10:15 – HTTPS GET /api/check (206 bytes response)
… (every 5 minutes, 6 beacons total)

Domain Analysis:

Domain: cdn-updates-service[.]com
Registered: 2024-02-20 (8 days ago)
Registrar: Namecheap (privacy protected)
Hosting IP: 185.143.221[.]89 (Bulgaria)
SSL Certificate: Self-signed (issued to “Microsoft Update Services”)

Traffic Analysis:

Beacon interval: Exactly 5 minutes
Response size: Exactly 206 bytes (consistent)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
No referrer (direct request)

Detection Logic:

Beaconing pattern (periodic connections to same domain)
Domain age (8 days) and reputation (malicious)
Response size consistency (206 bytes)
User rpatel has no business need for this domain
Pattern matches C2 beaconing
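The three measurable criteria in the detection logic above (a fixed interval to one domain, a constant response size, and repeated contacts) can be scored directly from proxy logs. The script below is an added example, not Zscaler's rule or any code from this report: it runs over constructed log lines in a simplified pipe-delimited layout (the field order and the 10% jitter and size-spread thresholds are assumptions) and flags source/destination pairs whose request gaps and response sizes are nearly constant, while leaving the same user's irregular intranet browsing unflagged.

```python
"""Beaconing detection over web-proxy logs.

Added example: scores each (source IP, destination host) pair for the
periodicity and response-size consistency that the alert above keys on.
The log layout and the thresholds are assumptions, not Zscaler's format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real telemetry). Field order, assumed:
# time | src_ip | user | dest_host | method | path | status | resp_bytes
# The C2 domain is kept defanged exactly as the report writes it.
SAMPLE_LOG = """\
2024-02-28 16:00:15|192.168.45.78|rpatel|cdn-updates-service[.]com|GET|/api/check|200|206
2024-02-28 16:05:15|192.168.45.78|rpatel|cdn-updates-service[.]com|GET|/api/check|200|206
2024-02-28 16:10:15|192.168.45.78|rpatel|cdn-updates-service[.]com|GET|/api/check|200|206
2024-02-28 16:15:15|192.168.45.78|rpatel|cdn-updates-service[.]com|GET|/api/check|200|206
2024-02-28 16:20:15|192.168.45.78|rpatel|cdn-updates-service[.]com|GET|/api/check|200|206
2024-02-28 16:25:15|192.168.45.78|rpatel|cdn-updates-service[.]com|GET|/api/check|200|206
2024-02-28 16:01:02|192.168.45.78|rpatel|intranet.company.com|GET|/wiki/home|200|18432
2024-02-28 16:03:40|192.168.45.78|rpatel|intranet.company.com|GET|/wiki/search|200|9921
2024-02-28 16:12:11|192.168.45.78|rpatel|intranet.company.com|GET|/wiki/page/42|200|27710
2024-02-28 16:19:58|192.168.45.78|rpatel|intranet.company.com|GET|/wiki/home|200|18432
2024-02-28 16:27:05|192.168.45.78|rpatel|intranet.company.com|GET|/wiki/page/7|200|30002
2024-02-28 16:29:33|192.168.45.78|rpatel|intranet.company.com|GET|/wiki/search|200|10111
"""


def parse_log(text):
    """Parse pipe-delimited lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, host, method, path, status, size = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "user": user, "host": host,
            "method": method, "path": path,
            "status": int(status), "size": int(size),
        })
    return events


def find_beacons(text, min_hits=4, max_jitter=0.10, max_size_spread=0.10):
    """Return pairs whose request timing and response sizes are near-constant.

    jitter      = stdev(gaps) / mean(gaps)   (0.0 means perfectly periodic)
    size_spread = stdev(sizes) / mean(sizes) (0.0 means identical responses)
    The 10% thresholds are assumed; tune them against your own baseline.
    """
    by_pair = defaultdict(list)
    for event in sorted(parse_log(text), key=lambda e: e["time"]):
        by_pair[(event["src"], event["host"])].append(event)

    findings = []
    for (src, host), hits in by_pair.items():
        if len(hits) < min_hits:
            continue  # too few contacts to call it a pattern
        gaps = [(b["time"] - a["time"]).total_seconds()
                for a, b in zip(hits, hits[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue  # duplicate timestamps, nothing to measure
        jitter = pstdev(gaps) / avg_gap
        sizes = [h["size"] for h in hits]
        size_spread = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        if jitter <= max_jitter and size_spread <= max_size_spread:
            findings.append({
                "src": src,
                "host": host,
                "users": sorted({h["user"] for h in hits}),
                "hits": len(hits),
                "interval_seconds": round(avg_gap, 1),
                "jitter": round(jitter, 3),
                "response_bytes": sizes[0],
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(f"BEACON {finding['src']} -> {finding['host']}: "
              f"{finding['hits']} hits every {finding['interval_seconds']}s, "
              f"jitter {finding['jitter']}, {finding['response_bytes']} bytes")
```

On the sample, only the cdn-updates-service[.]com pair scores (six hits, 300 s apart, zero jitter, 206 bytes each); the intranet traffic has a gap spread of roughly 45% and varied sizes, so it is ignored. Legitimate update checkers also poll on fixed schedules, so in practice a timing score like this is one input alongside the domain age and reputation checks the alert also lists, not a verdict on its own.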

SOC Investigation Process

| Step | Action | Tools Used | Findings |
| --- | --- | --- | --- |
| 1. Alert Validation | Verify Zscaler alert | Zscaler Admin Console | Confirmed beaconing to suspicious domain |
| 2. Domain Investigation | Check domain reputation | VirusTotal, Threat Intel | Domain flagged as C2 by 45 vendors |
| 3. Process Investigation | Identify process making connections | CrowdStrike Falcon | svchost.exe with injected code (Cobalt Strike) |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. C2 Blocking | Block domain and IP | Zscaler, Palo Alto | Domain and IP added to blocklists |
| 6. Malware Removal | Clean infected host | CrowdStrike Live Response | Cobalt Strike beacon removed |

Jira Incident Report
Ticket: SOC-2024-144
Summary: T1071 – C2 Beaconing to Malicious Domain via HTTPS
Status: RESOLVED
Resolution: MALICIOUS – C2 Blocked, Host Cleaned
Priority: P2 – MEDIUM
Labels: T1071, application-layer-protocol, c2, beaconing, zscaler, cobalt-strike
Components: Network-Security, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Zscaler Internet Access (ZIA).
Alert: “Beaconing to Suspicious Domain – Potential C2”.
User: rpatel@company.com (Engineering Department).
Host: ENG-WS-045.
Domain: cdn-updates-service[.]com.
Time: 2024-02-28 16:30 EST.
Technique: MITRE ATT&CK T1071.001 – Application Layer Protocol: Web Protocols.

2. Technical Analysis:

Attack Chain:

15:30 – rpatel account compromised via phishing
15:45 – Attacker logs into ENG-WS-045
15:50 – Cobalt Strike beacon deployed
16:00 – First beacon to C2
16:00-16:30 – 6 beacons every 5 minutes
16:30 – Zscaler detects

C2 Infrastructure:

Domain: cdn-updates-service[.]com
IP: 185.143.221[.]89 (Bulgaria)
Port: 443 (HTTPS)
Beacon Interval: 5 minutes (exact)
Response Size: 206 bytes (commands/status)

Malware Analysis:

Type: Cobalt Strike beacon
Process: Injected into svchost.exe
Persistence: Scheduled task “WindowsUpdate”
Capabilities: Remote access, keylogging, file exfiltration

Beacon Activity:

No commands received yet (only check-ins)
No data exfiltration
Beaconing pattern detected early

3. Investigation Findings:

Timeline:

15:30 – Account compromised
15:45 – Attacker logs in
15:50 – Beacon deployed
16:00-16:30 – Beaconing
16:30 – Zscaler alert
16:32 – SOC investigates
16:33 – Host isolated
16:34 – C2 blocked

Indicators of Compromise (IoCs):

Network:
– Domain: cdn-updates-service[.]com
– IP: 185.143.221[.]89
– Beacon interval: 5 minutes

Host:
– svchost.exe (injected)
– Scheduled task: “WindowsUpdate”

Account:
– rpatel (compromised)

4. Containment Actions:

Immediate Actions:

Isolated ENG-WS-045 via CrowdStrike.
Blocked C2 domain and IP at firewall and Zscaler.
Terminated beacon process.
Removed scheduled task.
Disabled rpatel account.
Reset password.

Host Remediation:

Full scan, removed Cobalt Strike.
Reimaged as precaution.

User Remediation:

MFA enforced.

5. Root Cause Analysis:

Primary Cause: User account compromised, leading to malware deployment.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
No EDR alert triggered earlier.

6. Business Impact:

Operational Impact: Engineering host offline for 2 hours.
Data Exposure: None (beaconing only, no exfiltration).

7. Remediation & Prevention:

Completed Actions:

C2 blocked.
Malware removed.
Account secured.

Technical Controls Enhanced:

Enforced MFA for all users.
Moved RDP behind VPN only.
Enhanced monitoring for beaconing patterns.

8. Conclusion:

An attacker deployed a Cobalt Strike beacon on an engineering workstation, which beaconed to a malicious domain every 5 minutes. Zscaler detected the beaconing pattern and enabled rapid containment before any commands could be executed or data exfiltrated.

Closure Rationale: C2 blocked; malware removed; account secured.

Analyst: [Your Name], SOC Analyst
Date: 2024-02-28 17:30 EST
