Noel's Cyberkshetra Blogspace

SOC137 — Malicious File/Script Download Attempt: A Walkthrough

Powershell-fuelled malware


Last updated 3 years ago

Welcome blue teamers!

Now, who is ready to do some SOC alert practice? Today I will be guiding you through the SOC 137 (Malicious File/Script Download Attempt) alert.

NOTE: Always remember to investigate alerts from Let’s Defend on a VM.

Introduction to the Alert

Before the investigation, we are given a rundown of the alert summary. It contains vital information that comes in handy later.

Take ownership

Create case

Start Playbook

Now, let’s delve into the questions

Define Threat Indicator

Select Threat Indicator

From the alert summary, we can find that the malicious .zip file was downloaded onto the NicolasPRD endpoint, with IP address 172.16.17.37.

Upon unzipping it, we uncover a file named ‘INVOICE PACKAGE LINK TO DOWNLOAD.docm’.

Enumeration and Analysis

Applying Linux’s file command, we determine that the version of Microsoft Word used is from 2007.
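As an added example (not code from the walkthrough), here is the check that the file command’s “Word 2007+” verdict hints at: a .docm is a zip container, and the macro payload lives in word/vbaProject.bin. The sample document is constructed in memory; it is not the alert’s file.

```python
"""Inspect an Office Open XML (.docm/.docx) container for macro indicators.
Added example; the sample documents are constructed here, not taken from the alert."""
import io
import zipfile

# Parts that hold VBA code in macro-enabled Word, Excel and PowerPoint documents.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def office_macro_indicators(data: bytes) -> dict:
    """Return macro indicators for an OOXML container, or {} if the bytes are not OOXML."""
    if not data.startswith(b"PK\x03\x04"):
        return {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" not in names:
            return {}  # a zip, but not an Office Open XML package
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    return {
        "vba_project": sorted(names & MACRO_PARTS),          # macro storage present?
        "macro_enabled_content_type": MACRO_CT in content_types,  # declared as .docm?
        "word_document": "word/document.xml" in names,
    }


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal .docm (with_macro=True) or .docx container, for demonstration only."""
    ct = MACRO_CT if with_macro else PLAIN_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin is an OLE compound file; a placeholder is enough for the check.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("docm", build_sample_docm(True)), ("docx", build_sample_docm(False))):
        print(label, office_macro_indicators(doc))
```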

Process breakdown

From the process tree of the malicious file, we can see that it spawns a PowerShell executable as a subprocess. The executable is given read permissions, which can be fatal if not monitored properly.

This becomes especially evident when it carries a 95% severity rating for being suspicious.
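The parent-child relationship in that process tree (a Word document spawning PowerShell) is exactly what a detection rule should key on. The following detector is an added example, not part of the walkthrough; the events and field names are constructed to resemble EDR process-creation records.

```python
"""Flag Office applications spawning script interpreters in process-creation events.
Added example for this walkthrough; the events below are constructed, not taken from the alert."""
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # executable name as the EDR reports it
    cmdline: str


def suspicious_office_children(events):
    """Return (parent, child) pairs where an Office process spawned a script host on the same host."""
    by_pid = {(e.host, e.pid): e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get((child.host, child.ppid))
        if parent is None:
            continue  # parent not in the captured window; lineage cannot be judged
        if parent.image.lower() in OFFICE_PARENTS and child.image.lower() in SCRIPT_CHILDREN:
            hits.append((parent, child))
    return hits


# Constructed events modelled on the alert: Word opens the .docm on NicolasPRD and spawns PowerShell.
SAMPLE_EVENTS = [
    ProcEvent("NicolasPRD", 4100, 812, "explorer.exe", "explorer.exe"),
    ProcEvent("NicolasPRD", 5120, 4100, "WINWORD.EXE",
              'WINWORD.EXE "INVOICE PACKAGE LINK TO DOWNLOAD.docm"'),
    ProcEvent("NicolasPRD", 5388, 5120, "powershell.exe",
              "powershell.exe -w hidden -File <constructed-placeholder>.ps1"),
    # PowerShell started by the user from Explorer: not an Office child, so it is not flagged.
    ProcEvent("NicolasPRD", 6001, 4100, "powershell.exe", "powershell.exe -Command Get-Date"),
]

if __name__ == "__main__":
    for parent, child in suspicious_office_children(SAMPLE_EVENTS):
        print(f"[{child.host}] {parent.image} (pid {parent.pid}) -> "
              f"{child.image} (pid {child.pid}): {child.cmdline}")
```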

Analysis using VirusTotal

Judging from the evidence and characteristics of the malicious file collected above, we can conclude that the file contacts external domains through undetected outgoing network traffic.

A) Unknown or unexpected outgoing internet traffic

Check if the malware is quarantined/cleaned

I believe that the malware hasn't been quarantined.

A) Not Quarantined

Analyze Malware

Analyze malware in 3rd party tools and find C2 address

You can use the free products/services below.

AnyRun, VirusTotal, URLHouse, URLScan, HybridAnalysis

From our analysis, we have concluded that the file is indeed malicious.

A) Malicious

Check If Someone Requested the C2

Please go to the “Log Management” page and check if the C2 address was accessed. You can check whether the malicious file was run by searching for the C2 addresses of the malicious file.

Please click “Yes” if someone accessed the malicious address. Otherwise, please click the “No” button.

Let’s look up the source IP address (172.16.17.37) in the Log Management section.

We get 3 corresponding log entries, but none of them relate to the alert or show any reference to the download of a malicious file (as briefed to us).

Using Hybrid-Analysis to pull up the list of contacted hosts, we find the following domains and IP addresses to verify against.

None of the IP addresses match. Hence, we can assume that the C2 server was not contacted. What are we doing wrong here?

Now, for further verification, let’s use the Relations tab of VirusTotal (corresponding to the malicious file).

We finally strike gold here.

172.67.200.96 can be labeled as the IP address of the C2 server, and it has been accessed by the NicolasPRD endpoint (victim host).

A) Accessed
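The lesson of the search above is to pivot on the destination (the sample’s contacted hosts) rather than only on the victim’s source IP. The script below is an added example, not part of the walkthrough: it runs a contacted-host list over constructed log lines. The log format, the domain and the timestamps are made up; 172.67.200.96 and 172.16.17.37 are the addresses from this alert.

```python
"""Search proxy/firewall log lines for contacts to a sample's known hosts.
Added example; the log lines, the log format and the domain are constructed.
172.67.200.96 is the C2 address found in the walkthrough, 172.16.17.37 the NicolasPRD endpoint."""
import re

IOC_IPS = {"172.67.200.96"}
IOC_DOMAINS = {"c2-placeholder.example"}  # placeholder domain, not a real indicator

# Constructed key=value log format; adapt the pattern to the real log source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) host=(?P<host>\S*) action=(?P<action>\w+)$"
)


def find_c2_contacts(lines, victim_ip=None):
    """Return parsed entries whose destination IP or hostname is an IOC.
    With victim_ip set, only that source is considered (the walkthrough's pivot from the endpoint)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # skip lines the pattern does not understand rather than abort the search
        rec = m.groupdict()
        if victim_ip is not None and rec["src"] != victim_ip:
            continue
        host = rec["host"].lower().rstrip(".")  # normalise trailing dot from DNS-style names
        if rec["dst"] in IOC_IPS or host in IOC_DOMAINS:
            hits.append(rec)
    return hits


SAMPLE_LOGS = [  # constructed
    "2021-01-01 08:02:11 src=172.16.17.37 dst=172.16.17.1 host=intranet.local action=allowed",
    "2021-01-01 08:03:40 src=172.16.17.37 dst=198.51.100.20 host=example.com action=allowed",
    "2021-01-01 08:05:02 src=172.16.17.37 dst=172.67.200.96 host=c2-placeholder.example. action=allowed",
    "2021-01-01 08:06:15 src=172.16.17.22 dst=172.67.200.96 host= action=blocked",
    "not a log line",
]

if __name__ == "__main__":
    for rec in find_c2_contacts(SAMPLE_LOGS):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']} ({rec['host'] or 'no hostname'}) {rec['action']}")
```

Run without a victim IP, the search also surfaces the second endpoint (172.16.17.22) that reached the C2 address, which a search scoped to the alerted host alone would miss.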

Containment

Please go to the “EDR” page and contain the user machine!

After containment, please click the “Next” button to finish the playbook.

Proceed to contain the NicolasPRD endpoint.

Add Artifacts

We have identified the domains contacted by the malicious file, as well as its MD5 hash, from VirusTotal.

We proceed to compile this into our Artifacts chart.

Analyst Note

Detail this section as much as you can. A good SOC Analyst gives attention to detail.

Finish the playbook. Close the alert.

Alert Scorecard

Ok, that was unexpected.

Every alert solved is a step towards perfection and I am pretty happy with the score I received.

Summary of the alert

The SOC analyst was given a zip file, from which a .docm file containing a suspicious link was extracted. This file was subsequently detected and found to be malicious. IOCs relating to the file, along with contacted hosts, were collected, culminating in the containment of the NicolasPRD endpoint (victim host).

Conclusion

Thank you for reading this blog entry, and stay tuned as I try to close down more SOC alerts...

Your opinion matters

My audience has a voice. Feel free to reach out to me on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day.

Let your opinion about this write-up be known, by selecting any one of the emojis below!

It would be wise to give the malicious file a run on AnyRun. It is much safer that way. Upon uploading, we find its contents below.

Making use of Hybrid-Analysis, we have received conclusive evidence of the file being malicious. Malicious and suspicious IOCs have been identified and displayed below.