T1592 – Gather Victim Host Info (SenseOn Detection)

SenseOn Alert Details

Alert ID: SENSEON-RECON-HOSTINFO-7842
Alert Time: 2024-02-08 11:42:18 EST
Severity: HIGH (78/100)
Source: SenseOn Platform (EDR + UEBA)
Rule: “Suspicious Host Information Enumeration via WMI/PowerShell”
MITRE ATT&CK: T1592 – Gather Victim Host Information

Alert Details:

Detection: Multiple host enumeration commands executed from a single endpoint within a 5-minute window.

Host: HR-WS-045 (Human Resources)

User: mjohnson (Michelle Johnson, HR Generalist)

IP: 192.168.75.122

OS: Windows 10 Enterprise 22H2

Event Sequence (SenseOn Timeline):

11:38:12 – Process: wmic.exe

          Command: wmic computersystem get name,domain,manufacturer,model

          Parent: explorer.exe (PID: 3452)

11:39:04 – Process: systeminfo.exe

          Command: systeminfo /fo csv

          Parent: explorer.exe (PID: 3452)

11:40:22 – Process: powershell.exe

          Command: Get-WmiObject Win32_OperatingSystem | Select Caption,Version,OSArchitecture,InstallDate

          Parent: explorer.exe (PID: 3452)

11:41:35 – Process: powershell.exe

          Command: Get-WmiObject Win32_Processor | Select Name,NumberOfCores,MaxClockSpeed

          Parent: explorer.exe (PID: 3452)

11:42:01 – Process: powershell.exe

          Command: Get-WmiObject Win32_ComputerSystem | Select TotalPhysicalMemory,Manufacturer,Model,Domain

          Parent: explorer.exe (PID: 3452)

11:42:18 – SenseOn Correlation: “System Information Enumeration” – Alert triggered.

Contextual Anomaly Score: 92/100

– User mjohnson has no history of running system information commands.

– Commands executed from explorer.exe (unusual parent for reconnaissance).

– No network connections associated with activity (data staged locally).

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify alert in SenseOn, check user history | SenseOn Console, User Behavior Baseline | Confirmed anomalous activity; user never runs these commands
2. Process Analysis | Investigate parent-child relationships | CrowdStrike Falcon | Explorer.exe spawned cmd.exe (hidden window), which spawned enumeration commands
3. User Interview | Contact user, check for suspicious activity | Teams, Phone | User reported clicking on “HR Survey.docx” from external email
4. Email Investigation | Check email logs for malicious attachment | Microsoft 365 Defender, Proofpoint | Found email from “surveys@hr-survey[.]net” with macro-enabled document
5. Malware Analysis | Analyze document in sandbox | SenseOn Sandbox, Any.Run | Document contained macro that downloaded and executed enumeration script
6. Endpoint Forensics | Check for persistence and data staging | Velociraptor | Found staged data in C:\Users\mjohnson\AppData\Local\Temp\hostinfo.txt
7. Network Hunting | Check for data exfiltration | Palo Alto Firewall Logs | No outbound connections from host during time window

Jira Incident Report

Ticket: SOC-2024-041
Summary: T1592 – Host Information Reconnaissance via Phishing Macro
Status: RESOLVED
Resolution: MALICIOUS – Reconnaissance Contained
Priority: P2 – MEDIUM
Labels: T1592, host-info, reconnaissance, phishing, macro, senseon
Components: Endpoint-Security, Email-Security


INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: SenseOn Platform (EDR + UEBA correlation).
  • Alert: “Suspicious Host Information Enumeration via WMI/PowerShell”.
  • Host: HR-WS-045 (HR Department, user mjohnson).
  • Time: 2024-02-08 11:42 EST.
  • Technique: MITRE ATT&CK T1592 – Gather Victim Host Information.

2. Technical Analysis:

  • Attack Vector: Phishing email with malicious macro-enabled document (“HR Survey.docx”).
  • Infection Chain:
      1. User received email from spoofed domain hr-survey[.]net at 11:15 EST.
      2. User opened attachment, enabled macros (prompted by document).
      3. Macro executed PowerShell to download reconnaissance script from 185.143.221[.]45/gather.ps1.
      4. Script ran system enumeration commands via WMI and systeminfo.
      5. Data staged locally as hostinfo.txt (no exfiltration attempted).
  • Enumeration Commands Observed:
      • OS version, install date, architecture
      • CPU model, cores, speed
      • RAM size, system manufacturer/model
      • Domain membership
      • All executed via WMI/PowerShell (living-off-the-land)
  • Payload Analysis:
      • gather.ps1 SHA256: 8f7e6d5c4b3a2918…
      • Script contents: Performed host enumeration and saved to temp file
      • No persistence mechanisms; reconnaissance only

3. Investigation Findings:

  • Timeline:

11:15 – Phishing email delivered

11:20 – User opens attachment, enables macros

11:22 – Macro downloads and executes gather.ps1

11:38-11:42 – Enumeration commands run

11:42 – SenseOn alert triggers

11:45 – Host isolated via SenseOn containment

  • Indicators of Compromise (IoCs):

Network:

– Domain: hr-survey[.]net

– IP: 185.143.221[.]45

– URL: http://185.143.221[.]45/gather.ps1

File:

– HR Survey.docx (SHA256: a1b2c3d4e5f6…)

– gather.ps1 (SHA256: 8f7e6d5c4b3a…)

– hostinfo.txt (staged data)

Host:

– Processes: wmic.exe, systeminfo.exe, powershell.exe

– Registry: No persistence

4. Containment Actions:

  • Immediate Containment (11:45-12:00 EST):
      • Host isolated via SenseOn network containment.
      • User account temporarily disabled.
      • Malicious IP/domain blocked at firewall and DNS.
  • Forensic Collection (12:00-13:00 EST):
      • Captured memory and disk artifacts via Velociraptor.
      • Retrieved macro document from email quarantine.
      • Extracted staged data file.
  • Remediation (13:00-14:30 EST):
      • Re-imaged host.
      • Reset user password and enforced MFA.
      • Updated email filtering rules.
      • Deployed ASR rule to block Office child processes.

5. Root Cause Analysis:

  • Primary Cause: User opened malicious macro-enabled document from phishing email.
  • Contributing Factors:
      1. Email gateway allowed delivery (low reputation but no malware signature).
      2. Macros enabled in Office (default configuration).
      3. User lacked recent phishing awareness training.

6. Business Impact:

  • Operational Impact: HR workstation offline for ~3 hours.
  • Data Exposure: None (data staged locally, not exfiltrated).
  • Financial Impact: Minimal.

7. Remediation & Prevention:

Completed Actions:

  • Host remediated and returned to service.
  • User re-trained.
  • IOCs distributed to all security tools.
  • Enabled “Block macros from internet” via GPO.

8. Conclusion:

This incident involved a phishing email delivering a macro-based reconnaissance script. The attacker successfully gathered host information but was unable to exfiltrate data. Rapid detection by SenseOn prevented further compromise.

Closure Rationale: Host remediated, user educated, controls enhanced.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-08 15:00 EST
