MITRE ATT&CK techniques observed:
T1110 Brute Force
T1059.001 Command and Scripting Interpreter: PowerShell
T1140 Deobfuscate/Decode Files or Information
T1027 Obfuscated Files or Information
T1105 Ingress Tool Transfer
T1046 Network Service Discovery
T1041 Exfiltration Over C2 Channel
T1071.001 Application Layer Protocol: Web Protocols
The alert "SOC153 Suspicious Powershell Script Executed" triggered after endpoint.ps1 was run on host Matt under the Administrator account. Analysis of the script shows multiple layers of obfuscation, including Base64 and gzip encoding. Decoding revealed a Cobalt Strike dropper and an additional XOR-encoded payload consistent with reconnaissance activity. Logs indicate the attacker gained access by brute force from 3[.]16[.]42[.]241 and then executed the script.
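To illustrate peeling the kind of layered Base64/gzip/XOR wrapping described above, here is an added Python helper (not the page's own tooling, and the wrapped sample is constructed, not the real endpoint.ps1). It strips Base64 and gzip layers until neither applies, then ranks single-byte XOR keys by how letter-like the decoded output is:

```python
import base64
import binascii
import gzip
import re
import string

# Constructed sample, NOT the real endpoint.ps1: a harmless PowerShell line
# wrapped as XOR -> base64 -> gzip -> base64 to mimic the layered dropper.
INNER_SCRIPT = b"Write-Output 'stage two: collect host and network details'"
XOR_KEY = 0x41  # assumed key for the constructed sample


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR (self-inverse: encodes and decodes)."""
    return bytes(b ^ key for b in data)


def build_sample() -> bytes:
    """Produce the constructed multi-layer blob an analyst would start from."""
    layer = xor_bytes(INNER_SCRIPT, XOR_KEY)
    layer = base64.b64encode(layer)
    layer = gzip.compress(layer)
    return base64.b64encode(layer)


_B64 = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def peel_layers(blob: bytes, max_depth: int = 10):
    """Strip gzip and Base64 wrappers until neither applies; return (layers, bytes)."""
    layers, data = [], blob
    for _ in range(max_depth):
        if data.startswith(b"\x1f\x8b"):  # gzip magic bytes
            data = gzip.decompress(data)
            layers.append("gzip")
            continue
        compact = re.sub(rb"\s+", b"", data)  # tolerate wrapped Base64
        if compact and len(compact) % 4 == 0 and _B64.fullmatch(compact):
            try:
                data = base64.b64decode(compact, validate=True)
            except binascii.Error:
                break
            layers.append("base64")
            continue
        break  # neither gzip nor Base64: hand the residue to the analyst
    return layers, data


_GOOD = set((string.ascii_letters + " ").encode())


def guess_xor_key(data: bytes) -> int:
    """Rank all 256 single-byte keys by count of letters/spaces in the output."""
    return max(range(256), key=lambda k: sum(((b ^ k) in _GOOD) for b in data))
```

If a decoded layer shows interleaved NUL bytes, it is a UTF-16LE string (the encoding PowerShell's -EncodedCommand uses), so decode it as such before further analysis. Multi-byte XOR keys need a different recovery method; this helper only covers the single-byte case.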
Sep 05 2021 12:43 PM
Host Matt (172[.]31[.]34[.]35) executed the malicious script located at C:\Users\Public\Documents\endpoint.ps1. Exfiltration was observed to 3[.]16[.]42[.]144 over port 4444 using netcat.
The alert was triggered by the execution of a suspicious PowerShell script. Investigation confirms the script is a Cobalt Strike dropper used for staging and reconnaissance. The attacker gained access via brute force, executed the payload, performed system reconnaissance, and exfiltrated sensitive SQL database data using netcat. The attacker removed the attack artifacts after execution. The endpoint was contained and data exfiltration was confirmed.
🔬 Analysis Reports
🧪 Any.run → https://any.run/report/8dfafede28061407d40224a5b40d55cce8df62bd7124a8a9efb0e952703e2271/113683c9-2ccf-4589-a034-d1221287146d
🦠 VirusTotal (endpoint.ps1) → https://www.virustotal.com/gui/file/e81173b07f77e54f94b0f1c8a4996d2a525520cbb74fac85cfa1ab973fe34075/detection
🦠 VirusTotal (payload) → https://www.virustotal.com/gui/file/8dfafede28061407d40224a5b40d55cce8df62bd7124a8a9efb0e952703e2271/community