Microsoft Defender Alert Details
Alert ID: MD-USER-EXEC-1204-7842
Alert Time: 2024-02-15 09:30:22 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “Suspicious File Execution from Temp Folder”
MITRE ATT&CK: T1204.002 – User Execution: Malicious File
Alert Details:
Detection: User executed malicious file from Temp folder
Host: MKT-WS-078 (Marketing Department)
User: sjohnson (Sarah Johnson, Marketing Manager)
Time: 09:25 EST
File Execution Details:
– File: C:\Users\sjohnson\AppData\Local\Temp\Q1_Sales_Report.pdf.exe
– SHA256: a1b2c3d4e5f67890…
– Size: 2.3 MB
– Execution Time: 09:24:45 EST
– Parent Process: explorer.exe (user double-clicked)
File Origin:
– Downloaded from: hxxps://cdn.sales-update[.]net/report.exe
– Download Time: 09:23:30 EST
– Download Tool: Chrome (user clicked link in email)
Behavior Analysis:
– File masquerades as PDF (double extension)
– Upon execution:
  – Created process: C:\Windows\System32\rundll32.exe with suspicious export
  – Modified registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  – Network connection: 185.143.221[.]89:443
  – Downloaded additional payload: C:\ProgramData\update.dll
Threat Intelligence:
– File hash matches known “SocGholish” malware family
– Uses fake browser update theme
– Delivers Cobalt Strike beacon as final payload
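The behaviour list above is the kind of chain an analyst reconstructs from process, file, registry and network telemetry. The following is an added example, not part of this report or of any Defender tooling: it walks a constructed, simplified event stream (the field names type, pid, ppid, image, parent_image, cmdline, key, value_name, data, dest_ip and dest_port are an assumption for this example, not a real EDR schema) and raises findings for the double-extension masquerade, the explorer.exe launch from Temp, rundll32 loading a DLL from ProgramData, the Run key write, and the outbound connection from the suspicious process tree.

```python
"""Triage constructed EDR-style events for the behaviours in the alert.

The event dicts and their field names are an assumption made for this
example; real Defender/Sysmon schemas differ.
"""
import re
from pathlib import PureWindowsPath

# A document-style extension hidden in front of one the shell will execute,
# e.g. Q1_Sales_Report.pdf.exe.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".msi", ".pif"}

# User-writable paths: an explorer.exe launch from here is the T1204.002
# pattern, and a DLL loaded by rundll32 from here is not a normal Windows DLL.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

# 'rundll32.exe <dll>,<export>' with the image and/or DLL optionally quoted.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,', re.I)


def is_double_extension(path: str) -> bool:
    """True when the final extension executes but the one before it looks like a document."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and suffixes[-1] in EXEC_EXTS


def in_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def rundll32_dll(cmdline: str):
    """DLL path from a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.search(cmdline)
    return m.group(1).strip() if m else None


def loads_untrusted_dll(cmdline: str) -> bool:
    dll = rundll32_dll(cmdline)
    return bool(dll) and not dll.lower().startswith(SYSTEM_DIRS)


def triage(events):
    """Walk events in time order and return findings; children of a flagged process inherit suspicion."""
    findings, flagged = [], set()

    def flag(pid, rule, detail):
        findings.append({"pid": pid, "rule": rule, "detail": detail})
        flagged.add(pid)

    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process":
            img = ev["image"]
            parent = PureWindowsPath(ev.get("parent_image", "")).name.lower()
            if is_double_extension(img):
                flag(pid, "double-extension masquerade", img)
            if parent == "explorer.exe" and in_user_writable(img):
                flag(pid, "user-launched executable from user-writable path (T1204.002)", img)
            if PureWindowsPath(img).name.lower() == "rundll32.exe" and loads_untrusted_dll(ev.get("cmdline", "")):
                flag(pid, "rundll32 loading DLL outside system directories", rundll32_dll(ev["cmdline"]))
            if ev.get("ppid") in flagged:
                flagged.add(pid)  # child of a suspicious process is suspicious too
        elif kind == "file":
            if pid in flagged and ev["path"].lower().endswith((".dll", ".exe")):
                flag(pid, "suspicious process dropped an executable payload", ev["path"])
        elif kind == "registry":
            run_key = ev["key"].lower().endswith("\\currentversion\\run")
            if run_key and (pid in flagged or loads_untrusted_dll(ev["data"])):
                flag(pid, "Run key persistence (T1547.001)", f'{ev["value_name"]} = {ev["data"]}')
        elif kind == "network":
            if pid in flagged:
                flag(pid, "outbound connection from suspicious process", f'{ev["dest_ip"]}:{ev["dest_port"]}')
    return findings


# Constructed sample stream mirroring the alert, plus a benign control (WINWORD
# launched from Explorer talking to a documentation-range address).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "ppid": 1820,
     "image": r"C:\Users\sjohnson\AppData\Local\Temp\Q1_Sales_Report.pdf.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\sjohnson\AppData\Local\Temp\Q1_Sales_Report.pdf.exe"'},
    {"type": "file", "pid": 4120, "path": r"C:\ProgramData\update.dll"},
    {"type": "process", "pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Users\sjohnson\AppData\Local\Temp\Q1_Sales_Report.pdf.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\update.dll,UpdateNow"},
    {"type": "registry", "pid": 4120, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "WindowsUpdate", "data": r"rundll32.exe C:\ProgramData\update.dll,UpdateNow"},
    {"type": "network", "pid": 4188, "dest_ip": "185.143.221.89", "dest_port": 443},
    {"type": "process", "pid": 5000, "ppid": 1820,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE"},
    {"type": "network", "pid": 5000, "dest_ip": "203.0.113.10", "dest_port": 443},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'pid {f["pid"]}: {f["rule"]} -> {f["detail"]}')
```

Run against the sample stream, the six findings line up with the five behaviours in the alert (the masquerade and the Temp launch are two findings on the same process), and the WINWORD control produces none. The Run key rule fires either because the writing process is already flagged or because the value itself invokes rundll32 with a DLL outside the system directories, so it also catches the persistence entry when the dropper's own events were missed.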
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed malicious file execution |
| 2. Process Analysis | Examine process tree | Defender, CrowdStrike | Malware spawned rundll32, modified registry, connected to C2 |
| 3. Network Check | Analyze C2 communication | Zscaler Logs, Firewall | Connection to 185.143.221[.]89:443 established |
| 4. Immediate Containment | Isolate host | Defender | Host quarantined |
| 5. Registry Remediation | Remove persistence | PowerShell | Registry Run key deleted |
| 6. User Interview | Contact user | Teams, Phone | User clicked link in email about “sales report” |
Jira Incident Report
Ticket: SOC-2024-076
Summary: T1204 – User Execution of Malicious File from Phishing Email
Status: RESOLVED
Resolution: MALICIOUS – Execution Contained
Priority: P2 – MEDIUM
Labels: T1204, user-execution, malicious-file, defender, phishing
Components: Endpoint-Security, Phishing-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Endpoint.
Alert: “Suspicious File Execution from Temp Folder”.
Host: MKT-WS-078 (Marketing Department, user sjohnson).
Time: 2024-02-15 09:30 EST.
Technique: MITRE ATT&CK T1204.002 – User Execution: Malicious File.
2. Technical Analysis:
Attack Chain:
09:20 – User receives email from “sales-report@company-update[.]net”
09:21 – Email contains link to “Q1 Sales Report PDF”
09:22 – User clicks link
09:23 – Chrome downloads report.pdf.exe from cdn.sales-update[.]net
09:24 – User double-clicks file (thinks it’s a PDF)
09:24:45 – Malware executes
09:25 – Defender alerts
Malware Analysis:
File: Q1_Sales_Report.pdf.exe (double extension trick)
SHA256: a1b2c3d4e5f67890…
Family: SocGholish (fake browser update)
Behavior:
Masquerades as PDF with PDF icon
Creates registry Run key for persistence
Spawns rundll32.exe to load malicious DLL
Connects to C2 at 185.143.221[.]89:443
Downloads update.dll from same C2
Persistence:
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value: “WindowsUpdate” = “rundll32.exe C:\ProgramData\update.dll,UpdateNow”
User Activity:
User expected to open sales report
No security warnings (file had PDF icon)
User unaware of double extension
3. Investigation Findings:
Timeline:
09:20 – Email received
09:22 – User clicks link
09:23 – File downloaded
09:24 – File executed
09:25 – Defender alerts
09:27 – SOC investigation begins
09:30 – Host isolated
Indicators of Compromise (IoCs):
Email:
– Sender: sales-report@company-update[.]net
– Subject: “Q1 Sales Report”
Network:
– Domain: cdn.sales-update[.]net
– IP: 185.143.221[.]89
– C2: 185.143.221[.]89:443
Files:
– Q1_Sales_Report.pdf.exe (SHA256: a1b2c3d4…)
– C:\ProgramData\update.dll (SHA256: b2c3d4e5…)
Registry:
– HKCU\…\Run\WindowsUpdate
4. Containment Actions:
Immediate Actions:
Isolated host via Defender.
Terminated malicious processes.
Deleted update.dll.
Removed registry persistence.
Blocked C2 IP at firewall.
Host Remediation:
Full scan (no other malware).
No reimage needed (malware removed).
User Remediation:
Password reset.
Phishing awareness training assigned.
Reported email to phishing team.
5. Root Cause Analysis:
Primary Cause: User executed malicious file from phishing email.
Contributing Factors:
File masqueraded as PDF with double extension.
No ASR rule blocking execution from Temp folder.
User lacked recent phishing training.
6. Business Impact:
Operational Impact: Marketing workstation offline for 3 hours.
Data Exposure: None (C2 blocked, no data sent).
7. Remediation & Prevention:
Completed Actions:
Malware removed.
Host cleaned.
User educated.
IOCs blocked.
Technical Controls Enhanced:
Enabled ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”.
Enabled ASR rule “Block executable content from email client and webmail”.
Enhanced email filtering for double extension files.
8. Conclusion:
A user received a phishing email with a malicious file masquerading as a PDF. The user executed the file, which installed persistence and connected to C2. Defender detected and contained the threat within minutes. No data exfiltration occurred.
Closure Rationale: Malware removed; user educated; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-15 11:00 EST