Zscaler Alert Details
Alert ID: ZSCALER-C2-WEB-1071-7842
Alert Time: 2024-03-12 11:30:22 EST
Severity: HIGH (85/100)
Source: Zscaler Internet Access (ZIA)
Rule: “Beaconing to Suspicious Domain – Potential C2”
MITRE ATT&CK: T1071.001 – Application Layer Protocol: Web Protocols
Alert Details:
Detection: Periodic HTTPS connections to suspicious domain (beaconing)
User: alexchen@company.com (Alex Chen, Engineer)
Source IP: 192.168.45.78 (ENG-WS-045)
Destination: https://cdn-update-service[.]com/api/check
Time: 11:15-11:30 EST
Traffic Pattern:
11:15:22 – HTTPS GET /api/check (208 bytes response)
11:20:22 – HTTPS GET /api/check (208 bytes response)
11:25:22 – HTTPS GET /api/check (208 bytes response)
11:30:22 – HTTPS GET /api/check (208 bytes response)
Domain Analysis:
Domain: cdn-update-service[.]com
Registered: 2024-03-05 (7 days ago)
Registrar: Namecheap (privacy protected)
Hosting IP: 185.143.221[.]89 (Bulgaria)
SSL Certificate: Self-signed (issued to “*.cdn-update-service.com”)
Traffic Analysis:
Beacon interval: Exactly 5 minutes
Response size: Exactly 208 bytes (consistent)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
No referrer (direct request)
Detection Logic:
Beaconing pattern (periodic connections to same domain)
Domain age (7 days) and reputation (malicious)
Response size consistency (208 bytes)
User alexchen has no business need for this domain
Pattern matches C2 beaconing
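The three measurable signals in the detection logic above (periodic timing, constant response size, young domain) can be checked over proxy log lines. This is an added example, not Zscaler's rule logic; it assumes a constructed space-separated log format and a constructed domain-age table standing in for a WHOIS or threat-intel lookup.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (assumed format: time user src host method path resp_bytes).
SAMPLE_LOG = """\
2024-03-12 11:15:22 alexchen 192.168.45.78 cdn-update-service.com GET /api/check 208
2024-03-12 11:16:03 alexchen 192.168.45.78 www.example.com GET /index.html 5120
2024-03-12 11:20:22 alexchen 192.168.45.78 cdn-update-service.com GET /api/check 208
2024-03-12 11:22:47 alexchen 192.168.45.78 www.example.com GET /news 9870
2024-03-12 11:25:22 alexchen 192.168.45.78 cdn-update-service.com GET /api/check 208
2024-03-12 11:28:10 alexchen 192.168.45.78 www.example.com GET /news 9877
2024-03-12 11:29:55 alexchen 192.168.45.78 www.example.com GET /login 4411
2024-03-12 11:30:22 alexchen 192.168.45.78 cdn-update-service.com GET /api/check 208
"""
# Constructed enrichment data: domain age in days (in practice from WHOIS or threat intel).
DOMAIN_AGE_DAYS = {"cdn-update-service.com": 7, "www.example.com": 9000}
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \S+ (?P<src>\S+) (?P<host>\S+) \S+ \S+ (?P<bytes>\d+)$")

def parse_log(text):
    """Group (timestamp, response size) events by (source IP, destination host)."""
    groups = defaultdict(list)
    for m in filter(None, map(LINE_RE.match, text.splitlines())):  # non-matching lines skipped
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        groups[(m["src"], m["host"])].append((ts, int(m["bytes"])))
    return groups

def beacon_stats(events):
    """Return (mean gap in s, gap jitter ratio, response-size spread) for >= 2 events."""
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    interval = mean(gaps)
    jitter = pstdev(gaps) / interval if interval else 1.0  # 0.0 means perfectly periodic
    return interval, jitter, pstdev([size for _, size in events])

def find_beacons(text, min_events=4, max_jitter=0.1, max_size_spread=16, young_days=30):
    """Flag (src, host) pairs that show periodic timing, constant size and a young domain together."""
    hits = {}
    for (src, host), events in parse_log(text).items():
        if len(events) < min_events:  # too few connections to judge periodicity
            continue
        interval, jitter, size_spread = beacon_stats(events)
        checks = [(jitter <= max_jitter, f"periodic every {interval:.0f}s"),
                  (size_spread <= max_size_spread, "constant response size"),
                  (DOMAIN_AGE_DAYS.get(host, 10**6) <= young_days, "young domain")]
        if all(ok for ok, _ in checks):  # require all three signals, as in the Detection Logic above
            hits[(src, host)] = [label for _, label in checks]
    return hits
```

Reputation and business-need checks from the detection logic are left to enrichment; the browsing to www.example.com in the sample is irregular and variable in size, so only the 5-minute check-ins are flagged.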
SOC Investigation Process
1. Alert Validation
Action: Verify Zscaler alert
Tools Used: Zscaler Admin Console
Findings: Confirmed beaconing to suspicious domain
2. Domain Investigation
Action: Check domain reputation
Tools Used: VirusTotal, Threat Intel
Findings: Domain flagged as C2 by 42 vendors
3. Process Investigation
Action: Identify process making connections
Tools Used: CrowdStrike Falcon
Findings: svchost.exe with injected code (Cobalt Strike)
4. Immediate Action
Action: Isolate host
Tools Used: CrowdStrike
Findings: ENG-WS-045 quarantined
5. C2 Blocking
Action: Block domain and IP
Tools Used: Zscaler, Palo Alto
Findings: Domain and IP added to blocklists
6. Malware Removal
Action: Clean infected host
Tools Used: CrowdStrike Live Response
Findings: Cobalt Strike beacon removed
Jira Incident Report
Ticket: SOC-2024-208
Summary: T1071.001 – C2 Beaconing to Malicious Domain via HTTPS
Status: RESOLVED
Resolution: MALICIOUS – C2 Blocked, Host Cleaned
Priority: P2 – MEDIUM
Labels: T1071, web-protocols, c2, beaconing, zscaler, cobalt-strike
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zscaler Internet Access (ZIA).
Alert: “Beaconing to Suspicious Domain – Potential C2”.
User: alexchen@company.com (Engineering Department).
Host: ENG-WS-045.
Domain: cdn-update-service[.]com.
Beacon Interval: 5 minutes.
Time: 2024-03-12 11:30 EST.
Technique: MITRE ATT&CK T1071.001 – Application Layer Protocol: Web Protocols.
2. Technical Analysis:
Attack Chain:
10:30 – alexchen account compromised via phishing
10:45 – Attacker logs into ENG-WS-045
10:50 – Cobalt Strike beacon deployed
11:15 – First beacon to C2
11:15-11:30 – Beaconing every 5 minutes
11:30 – Zscaler detects
C2 Infrastructure:
Domain: cdn-update-service[.]com
IP: 185.143.221[.]89 (Bulgaria)
Port: 443 (HTTPS)
Beacon Interval: 5 minutes (exact)
Response Size: 208 bytes (commands/status)
Malware Analysis:
Type: Cobalt Strike beacon
Process: Injected into svchost.exe
Persistence: Scheduled task “WindowsUpdate”
Capabilities: Remote access, keylogging, file exfiltration
Beacon Activity:
No commands received yet (only check-ins)
No data exfiltration
Beaconing pattern detected early
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
10:50 – Beacon deployed
11:15-11:30 – Beaconing
11:30 – Zscaler alert
11:32 – SOC investigates
11:33 – Host isolated
11:34 – C2 blocked
Indicators of Compromise (IoCs):
Network:
– Domain: cdn-update-service[.]com
– IP: 185.143.221[.]89
– Beacon interval: 5 minutes
Host:
– svchost.exe (injected)
– Scheduled task: “WindowsUpdate”
Account:
– alexchen (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked C2 domain and IP at firewall and Zscaler.
Terminated beacon process.
Removed scheduled task.
Disabled alexchen account.
Reset password.
Host Remediation:
Full scan, removed Cobalt Strike.
Reimaged as precaution.
User Remediation:
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to malware deployment.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: None (beaconing only).
7. Remediation & Prevention:
Completed Actions:
C2 blocked.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Enhanced monitoring for beaconing patterns.
8. Conclusion:
An attacker deployed a Cobalt Strike beacon on an engineering workstation, which beaconed to a malicious domain every 5 minutes. Zscaler detected the beaconing pattern and enabled rapid containment before any commands could be executed.
Closure Rationale: C2 blocked; malware removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-12 12:30 EST