Drive-by Compromise Incident

1. EDR Alert

Alert Source: Microsoft Defender for Endpoint (MDE)
Alert Time: 2023-10-26 14:32:18 UTC
Severity: High
Device: FIN-0789 (Windows 10, Finance Department)
User: jane.doe@company.com
Alert Title: “Suspicious script execution indicative of drive-by download”
Alert ID: INC-2023-2678

Alert Details:

Detection: TrojanDownloader:PowerShell/CobaltStrike
Path: C:\Users\jane.doe\AppData\Local\Temp\update_check.ps1
Parent Process: msedge.exe (PID: 7845)
Command Line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\jane.doe\AppData\Local\Temp\update_check.ps1"
Process Tree:
  svchost.exe (services)
    -> msedge.exe (PID: 7845, visited: hxxps://adobe-flash-update[.]online)
      -> cmd.exe (PID: 8921)
        -> powershell.exe (PID: 8923)

Network Connections:
  Destination: 185.165.190[.]71:443 (Unknown hosting provider)
  Protocol: HTTPS
  First Seen: 5 minutes ago

File Creation:
  C:\Users\jane.doe\AppData\Local\Temp\update_check.ps1
  C:\Users\jane.doe\AppData\Local\Temp\tmpAB32.tmp.dll

MITRE ATT&CK Mapping:

  • T1189: Drive-by Compromise
  • T1059.001: PowerShell
  • T1105: Ingress Tool Transfer

2. Investigation Process & Tools Used

Step 1: Initial Triage
  Action: Review alert, check severity, isolate device if necessary.
  Tools Used: Microsoft Defender for Endpoint (MDE)
  Findings & Actions: Device auto-isolated due to high severity score (85/100).

Step 2: Process Analysis
  Action: Examine process tree, command line, parent/child relationships.
  Tools Used: MDE Advanced Hunting; Sysinternals Process Explorer (remotely)
  Findings & Actions: Confirmed Edge spawned the cmd -> PowerShell chain. Unusual for legitimate browsing.

Step 3: File Analysis
  Action: Examine dropped files, check signatures, hash reputation.
  Tools Used: VirusTotal; Hybrid Analysis; MDE File Analysis
  Findings & Actions: update_check.ps1: PowerShell downloader with obfuscated Cobalt Strike stager. tmpAB32.tmp.dll: Cobalt Strike beacon (SHA256: a1b2c3…).

Step 4: Network Analysis
  Action: Check firewall/proxy logs for connections to suspicious domains/IPs.
  Tools Used: Palo Alto Strata Logs; Zscaler ZIA; MDE Network Protection
  Findings & Actions: User visited adobe-flash-update[.]online (domain registered 2 days ago). Beacon calling out to C2 IP 185.165.190[.]71:443.

Step 5: Browser Forensics
  Action: Examine browser history, downloads, extensions.
  Tools Used: MDE Browser Forensics; Chrome/Edge History Analysis
  Findings & Actions: User visited a compromised news site carrying a malicious ad (drive-by). Redirect chain: legitimate-news.com -> adnetwork.biz -> adobe-flash-update[.]online.

Step 6: Memory Analysis
  Action: Check for evidence of exploitation/in-memory payloads.
  Tools Used: Volatility (via MDE memory dump); MDE Memory Scanning
  Findings & Actions: No sign that an exploit (e.g. CVE-2021-40444) succeeded; the infection was most likely social engineering prompting an "update" download.

Step 7: Scope Assessment
  Action: Check whether other devices visited the same site or contacted the same C2.
  Tools Used: Splunk SIEM (Firewall/Proxy logs); MDE Advanced Hunting
  Findings & Actions: 3 other devices visited the same domain but were blocked by the network proxy on reputation. Only this device executed the payload.

Step 8: Containment
  Action: Isolate device, block IOCs, reset credentials if suspicious.
  Tools Used: MDE Automated Response; Palo Alto Firewall; Cisco Umbrella
  Findings & Actions:
    1. Device quarantined.
    2. Blocked C2 IP & domain at firewall/DNS.
    3. User account password reset initiated.

Step 9: Eradication
  Action: Remove malicious files, registry entries, persistence mechanisms.
  Tools Used: MDE Live Response; EDR Remediation Actions
  Findings & Actions:
    1. Files deleted via live response.
    2. Scheduled tasks/registry entries removed.
    3. PowerShell execution policy reset to Restricted.

Step 10: Recovery
  Action: Return device to service after verification.
  Tools Used: MDE Full Scan; Nessus Compliance Scan
  Findings & Actions: Full scan clean. Device removed from isolation group after 24hr monitoring.
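The process-chain check from step 2, as an added example written for this write-up (not code from the original alert, from MDE or from any vendor tool): it walks process-creation events shaped like the alert's tree, flags every PowerShell process that descends from a browser, and reports the chain, the hidden/bypass switches on its command line and whether the script lives under the user's Temp folder. The event records are constructed; the service-rooted inventory.ps1 entry is an assumed benign case included for contrast.

```python
import shlex

BROWSERS = {"msedge.exe", "chrome.exe"}
RISKY_FLAGS = {"-executionpolicy", "-windowstyle", "-encodedcommand", "-enc", "-noprofile", "-nop"}

# Constructed events (pid, ppid, image, command line) shaped like the alert's process tree;
# the last entry is an assumed benign, service-rooted script, included for contrast.
EVENTS = [
    (700, 4, "svchost.exe", "svchost.exe -k netsvcs"),
    (7845, 700, "msedge.exe", "msedge.exe --profile-directory=Default"),
    (8921, 7845, "cmd.exe", "cmd.exe"),
    (8923, 8921, "powershell.exe", 'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden '
     '-File "C:\\Users\\jane.doe\\AppData\\Local\\Temp\\update_check.ps1"'),
    (9000, 700, "powershell.exe", "powershell.exe -File C:\\Scripts\\inventory.ps1"),
]

def ancestors(pid, by_pid):
    """Walk ppid links upward (nearest parent first); `seen` guards against cyclic data."""
    chain, seen, cur = [], {pid}, by_pid.get(pid)
    while cur and cur[1] in by_pid and cur[1] not in seen:
        cur = by_pid[cur[1]]
        seen.add(cur[0])
        chain.append(cur)
    return chain

def risky_flags(cmdline):
    """Case-insensitive match of the hidden/bypass style switches seen in the alert."""
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes in a hostile command line
        toks = cmdline.split()
    return sorted({t.lower() for t in toks} & RISKY_FLAGS)

def find_browser_shell_chains(events):
    """One finding per PowerShell process whose ancestry includes a browser."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, _, image, cmdline in events:
        if image.lower() not in {"powershell.exe", "pwsh.exe"}:
            continue
        lineage = ancestors(pid, by_pid)
        browser = next((a for a in lineage if a[2].lower() in BROWSERS), None)
        if browser is None:
            continue
        hop = lineage.index(browser)  # intermediates such as cmd.exe sit before the browser
        chain = [a[2] for a in reversed(lineage[:hop + 1])] + [image]
        findings.append({"pid": pid, "chain": " -> ".join(chain), "flags": risky_flags(cmdline),
                         "temp_script": "\\appdata\\local\\temp\\" in cmdline.lower()})
    return findings
```

The same lineage walk is what an Advanced Hunting query over DeviceProcessEvents performs when it joins on InitiatingProcessId; the flag list is deliberately short and should be tuned to what is normal in the environment.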

3. Detailed Jira Comment

Jira Ticket: SOC-2023-0892
Summary: Drive-by Compromise via Malicious Adobe Flash Update Site
Status: Resolved
Resolution: Malicious - Contained & Remediated
Priority: P1 - High
Labels: drive-by, cobalt-strike, finance-department, edr-alert

Comment by [Walter White] – [25/13:00]:

INCIDENT ANALYSIS REPORT: DRIVE-BY COMPROMISE

1. Executive Summary:
On 2023-10-26 at 14:32 UTC, Microsoft Defender for Endpoint (MDE) detected suspicious PowerShell execution on FIN-0789, indicative of a drive-by download compromise. The user (Jane Doe, Finance Dept.) visited a compromised news website via Microsoft Edge, which redirected through a malicious ad network to a fake Adobe Flash update site (adobe-flash-update[.]online). The site prompted a download that executed a PowerShell script, downloading and executing a Cobalt Strike beacon. The device was automatically isolated, and the threat was contained with no lateral movement or data exfiltration detected.

2. Timeline:

14:28 - User visits legitimate-news.com
14:29 - Malicious ad redirects to adobe-flash-update[.]online
14:30 - User clicks "Update Adobe Flash" prompt
14:31 - update_check.ps1 downloads and executes
14:32 - MDE alert triggers, device auto-isolated
14:35 - SOC investigation begins
14:50 - C2 infrastructure blocked, IOCs distributed
15:30 - Malicious artifacts removed via live response
16:00 - User account password reset, security awareness notification sent

3. Technical Analysis:

  • Initial Access Vector: Drive-by compromise via malicious advertisement on legitimate news site. No exploit required; social engineering prompted user interaction.
  • Malicious Artifacts:
    1. update_check.ps1 – PowerShell downloader with heavy obfuscation. Contained embedded Cobalt Strike stager configuration.
    2. tmpAB32.tmp.dll – Cobalt Strike beacon (SHA256: a1b2c3d4e5f6...). VT detection: 68/92 AV engines.
    3. Registry persistence: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate (removed).
  • Network Indicators:
    • C2 IP: 185.165.190[.]71:443 (Hosted on VPS in Netherlands)
    • Domain: adobe-flash-update[.]online (Registered 2 days ago via privacy registrar)
    • Redirect Chain: legitimate-news.com → adnetwork.biz[.]track → adobe-flash-update[.]online
  • TTPs Observed (MITRE ATT&CK):
    • T1189: Drive-by Compromise
    • T1059.001: PowerShell for execution
    • T1105: Ingress Tool Transfer (Cobalt Strike beacon)
    • T1547.001: Registry Run Keys for persistence
    • T1573.001: Symmetric Cryptography for C2 communication

4. Scope & Impact Assessment:

  • Compromised Assets: Single endpoint (FIN-0789)
  • Data Accessed: No evidence of data access/exfiltration. MDE did not detect suspicious file access patterns.
  • Lateral Movement: None detected. Network segmentation prevented beacon from communicating with internal resources.
  • Business Impact: Low. Finance team member offline for ~4 hours during remediation.

5. Containment & Remediation Actions:

  • Immediate Containment (14:32-14:50):
    • Device auto-isolated via MDE (network quarantine).
    • Blocked C2 IP at firewall (Palo Alto) and DNS (Cisco Umbrella).
    • Disabled user’s AD account temporarily for credential reset.
  • Eradication (14:50-15:30):
    • Used MDE Live Response to:
      1. Kill malicious processes (powershell.exe PID: 8923)
      2. Delete malicious files (update_check.ps1, tmpAB32.tmp.dll)
      3. Remove registry persistence key
      4. Clear browser cache and temp files
    • Reset PowerShell execution policy to “Restricted”
  • Recovery (15:30-16:30):
    • Performed full antivirus scan (clean)
    • Reset user’s password via self-service portal
    • Removed device from isolation group after 1 hour of clean monitoring
    • Restored browser settings to default (removed suspicious extensions)

6. Indicators of Compromise (IOCs):

TYPE         INDICATOR                                   DESCRIPTION
SHA256       a1b2c3d4e5f6...                            Cobalt Strike beacon DLL
URL          hxxps://adobe-flash-update[.]online/check  Initial compromise URL
Domain       adobe-flash-update[.]online                Malicious domain
IP           185.165.190[.]71:443                       C2 Server
Filename     update_check.ps1                           PowerShell downloader
Registry     HKLM\Software\...\Run\AdobeUpdate          Persistence mechanism

7. Root Cause Analysis:

  • Primary Cause: User interaction with malicious advertisement disguised as Adobe Flash update.
  • Contributing Factors:
    1. User had not completed recent security awareness training (overdue by 45 days).
    2. Microsoft Edge SmartScreen did not block the domain due to recent registration.
    3. Network proxy allowed the initial connection (domain not yet in reputation database).

8. Recommendations & Lessons Learned:

  • Technical Controls:
    1. Enable Attack Surface Reduction rule: “Block executable content from email client and webmail” (already enabled but verify).
    2. Deploy browser extension (Cisco Umbrella/WebEx Extension) for additional URL filtering.
    3. Consider implementing Application Control for PowerShell in high-risk departments.
  • Process Improvements:
    1. Add adnetwork.biz to block list (associated with malicious ads).
    2. Review and update web filtering categories to block “Newly Registered Domains” for non-business functions.
    3. Implement 24-hour hold on emails/websites with “update” or “flash” keywords for Finance department.
  • User Awareness:
    1. Require overdue security training completion before account reactivation.
    2. Send targeted phishing simulation mimicking “software update” theme.
    3. Add banner to internal sites reminding users that Adobe Flash is end-of-life.

9. Conclusion:

This drive-by compromise was successfully detected by EDR and contained before any post-exploitation activities could occur. The rapid auto-isolation feature prevented lateral movement, and the comprehensive remediation eliminated all malicious artifacts. While the user’s actions enabled the initial compromise, defense-in-depth controls performed as designed.

Closure Justification: All IOCs have been blocked, malicious artifacts removed, user re-educated, and compensating controls implemented. No evidence of persistence or additional compromise exists. Recommend closing ticket with documentation for future reference.
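The scope assessment described in step 7 of the investigation and backed by the IOC table above, as an added example written for this write-up (not part of the original ticket or of Splunk/MDE): it refangs the defanged indicators, matches them against proxy log lines on hostname (exact or subdomain) and destination IP, and counts allowed versus blocked requests per device. The proxy log lines and the OPS/HR/ENG device names are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as written (defanged) in the IOC table above.
IOCS = {"domains": ["adobe-flash-update[.]online"], "ips": ["185.165.190[.]71:443"]}

# Constructed proxy log lines (time device action url dest_ip); not real telemetry.
PROXY_LOG = """\
14:29:51 FIN-0789 ALLOW https://adobe-flash-update.online/check 185.165.190.71
14:30:40 FIN-0789 ALLOW https://ADOBE-FLASH-UPDATE.online/update_check.ps1 185.165.190.71
14:33:02 HR-0102 BLOCK https://adobe-flash-update.online/check 185.165.190.71
14:34:40 ENG-0450 BLOCK https://cdn.adobe-flash-update.online/ 185.165.190.71
14:35:05 FIN-0301 ALLOW https://legitimate-news.com/article 203.0.113.10
14:36:10 OPS-0077 BLOCK https://adobe-flash-update.online/ 185.165.190.71
"""

def refang(value):
    """Turn a defanged indicator (hxxp, [.]) back into its matchable form."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def matches(host, dest_ip, domains, ips):
    """Exact or subdomain match on the host, or destination IP in the C2 set."""
    host = host.lower()
    if host in domains or any(host.endswith("." + d) for d in domains):
        return True
    return ipaddress.ip_address(dest_ip) in ips

def scope_assessment(log_text, iocs):
    """Per device: how many IOC-matching requests the proxy allowed vs. blocked."""
    domains = {refang(d).lower() for d in iocs["domains"]}
    ips = {ipaddress.ip_address(refang(i).rsplit(":", 1)[0]) for i in iocs["ips"]}
    report = {}
    for line in log_text.splitlines():
        _ts, device, action, url, dest_ip = line.split()
        host = urlsplit(url).hostname or ""
        if matches(host, dest_ip, domains, ips):
            counts = report.setdefault(device, {"allowed": 0, "blocked": 0})
            counts["allowed" if action == "ALLOW" else "blocked"] += 1
    return report
```

Devices with any "allowed" count are the ones that need the same triage FIN-0789 received; "blocked"-only devices confirm the proxy held the line, as the report states for the three other hosts.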
