IR - SOC293 - Exfiltration Over Pastebin Detected
Continuing with the Incident Responder Path, we tackle a HIGH alert for "Exfiltration Over Pastebin Detected". Was this a misconfiguration, a false positive, or possibly something more malicious?

EventID: 269
Event Time: Jun 26, 2024, 07:16 AM
Rule: SOC293 - Exfiltration Over Pastebin Detected
Level: Incident Responder
Hostname: Gabriela
IP Address: 172.16.17.63
File Name: system_users.ps1
File Path: C:\Users\LetsDefend\Downloads\quick-fix\system_users.ps1
Parent Process: explorer.exe
Command Line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File .\system_users.ps1
Trigger Reason: PowerShell script executed with a suspicious command accessing external URL.
Device Action: Allowed

L1 Note: PowerShell script 'system_users.ps1' connects to an external URL (pastebin.com). I'm escalating this alert for further analysis to determine the root cause and if it is malicious.

VirusTotal reports for the artifacts:
quick-fix.zip: https://www.virustotal.com/gui/file/2f2d8121d6b351a32a5c55995450200f3cafd3d26b2cf5f646cd3a80f175450e
system_users.ps1: https://www.virustotal.com/gui/file/17cc1b8697aa9a384b8a781ec16c82eea0f0a41f197840e45a1ef8eeb05b71e9
fix.lnk: https://www.virustotal.com/gui/file/b9b508b7f58708572598c03d325d4c44474206c24132b60f91345b420c61844b

NOTES: -
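As an added example (not part of the original write-up or of the LetsDefend platform), the correlation behind this rule, an execution-policy bypass on powershell.exe spawned from explorer.exe followed by the same process reaching pastebin.com, can be expressed as a small detection routine over constructed Sysmon-style events; the event field names, the process IDs and the benign second session are assumptions.

```python
import re

# Constructed Sysmon-style events (not the alert's raw logs). Values mirror SOC293:
# host Gabriela, explorer.exe -> powershell.exe -ExecutionPolicy Bypass, then pastebin.com.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "Gabriela", "ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File .\system_users.ps1"},
    {"EventID": 22, "Host": "Gabriela", "ProcessId": 4120, "QueryName": "pastebin.com"},  # DNS query
    {"EventID": 3, "Host": "Gabriela", "ProcessId": 4120, "SourceIp": "172.16.17.63",       # network connect
     "DestinationHostname": "pastebin.com", "DestinationPort": 443},
    # Assumed benign admin session: no policy bypass and no paste-site traffic, must not fire.
    {"EventID": 1, "Host": "Gabriela", "ProcessId": 5000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File .\inventory.ps1"},
    {"EventID": 3, "Host": "Gabriela", "ProcessId": 5000, "SourceIp": "172.16.17.63",
     "DestinationHostname": "wsus.corp.example", "DestinationPort": 8530},
]

PASTE_SITES = {"pastebin.com"}
# -ep is the abbreviated form of -ExecutionPolicy that PowerShell also accepts.
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.IGNORECASE)
FILE_RE = re.compile(r"-File\s+(\S+)", re.IGNORECASE)


def detect_pastebin_exfil(events):
    """One finding per PowerShell process that bypasses execution policy and then
    resolves or connects to a paste site. Correlation key is (Host, ProcessId)."""
    suspicious = {}
    for ev in events:  # pass 1: process-creation events with the bypass flag
        if (ev["EventID"] == 1 and ev["Image"].lower().endswith("powershell.exe")
                and BYPASS_RE.search(ev["CommandLine"])):
            m = FILE_RE.search(ev["CommandLine"])
            suspicious[(ev["Host"], ev["ProcessId"])] = {
                "host": ev["Host"], "pid": ev["ProcessId"],
                "parent": ev["ParentImage"].rsplit("\\", 1)[-1],
                "script": m.group(1) if m else None, "destinations": []}
    for ev in events:  # pass 2: DNS (22) or network (3) events from those processes
        key = (ev["Host"], ev["ProcessId"])
        if key not in suspicious:
            continue
        dest = ev.get("DestinationHostname") or ev.get("QueryName")
        if dest and dest.lower() in PASTE_SITES and dest not in suspicious[key]["destinations"]:
            suspicious[key]["destinations"].append(dest)
    return [f for f in suspicious.values() if f["destinations"]]


if __name__ == "__main__":
    for finding in detect_pastebin_exfil(SAMPLE_EVENTS):
        print("SOC293 candidate:", finding)
```

The routine fires only when both conditions hold for the same process, which is what separates this alert from ordinary PowerShell administration on the host.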