2022-01-01から1ヶ月間の記事一覧
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement CMD History Network Connections Process History Analyze Malware Write Registry Connections HTTP/HTTPS requests Check If Someone Request…
Details playbook Collection Data Search Log 356 410 Analyze URL Address Add Artifacts End Details EventID: 60 Event Time: Feb. 14, 2021, 1:05 p.m. Rule: SOC127 - SQL Injection Detected Level: Security Analyst Source Address 172.16.20.5 Sou…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement - KatharinePRD Analyze Malware OliwciaPrivInstaller.exe - 436fa243bbfed63a99b8e9f866cd80e5 cmd.exe 接続先まとめ 208.95.112.1 (ip-api[.]…
Details playbook Collection Data Search Log Log Search - 49.234.71.65 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 63 Event Time: Feb. 21, 2021, 5:02 p.m. Rule: SOC129 - Successful L…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement - Exchange Server Log Search - 172.16.20.3 Jan, 02, 2021~Jun, 13, 2021 Analyze Malware Add Artifacts End Details EventID: 64 Event Time…
Details playbook Search Log 18 19 20 351 376 Analyze APK Containment Add Artifacts End Details EventID: 65 Event Time: Feb. 22, 2021, 11:11 a.m. Rule: SOC103 - Malicious APK Detected Level: Security Analyst Source Address 10.15.15.12 Sourc…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned LogManagement 359 360 EndpointManagement Analyze Malware phpshell.php 49.234.71.65 Check If Someone Requested the C2 358 361 362 363 364 Containment Add A…
Details playbook Collection Data Search Log Analyze URL Address Add Artifacts End Details EventID: 66 Event Time: Feb. 22, 2021, 8:36 p.m. Rule: SOC102 - Proxy - Suspicious URL Detected Level: Security Analyst Source Address 172.16.17.150 …
Details playbook Collection Data Search Log Analyze URL Address amesiana[.]com Add Artifacts End Details EventID: 69 Event Time: Feb. 28, 2021, 7:57 p.m. Rule: SOC133 - Suspicious Request to New Registered Domain Level: Security Analyst So…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware Check If Someone Requested the C2 Add Artifacts End Details EventID: 67 Event Time: March 1, 2021, 3:15 p.m. Rule: SOC131 - Reverse TCP Ba…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint Security MikeComputer JohnComputer Sofia Analyze Malware msi.dat 81.68.99.93 Check If Someone Requested the C2 Add Artifacts End Details EventID:…
Details Playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint Security 161.35.41.241 Analyze Malware Connection to 161.35.41.241 315 316 317 318 余談 Check If Someone Requested the C2 Containment Add Artifac…
Details playbook Collection Data Source Address: 42.192.84.19 Destination Address: 172.16.20.4 User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 Search Log 371 372 …
Details playbook Parse Email Are there attachments or URLs in the email? yandex[.]ru Add Artifacts End Details EventID: 74 Event Time: March 7, 2021, 5:31 p.m. Rule: SOC136 - Data Leak via Mailbox Forwarding Detected Level: Security Analys…
Details playbook Analyze Threat Intel Data 67.199.248.10 https[:]//bit[.]ly/TAPSCAN Add Artifacts End Details EventID: 75 Event Time: March 7, 2021, 5:47 p.m. Rule: SOC105 - Requested T.I. URL address Level: Security Analyst Source Address…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement Analyze Malware ORDER SHEET & SPEC.xlsm 177.53.143.89 multiwaretecnologia.com[.]br Check If Someone Requested the C2 LogManagement Add …
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Log Search 368 Mar, 07, 2021, 01:50 PM Proxy 172.16.17.37 48463 49.51.12.195 443 iluuryeqa[.]info 49.51.12.195 369 Mar, 07, 2021, 01:54 PM Proxy 172.16.17…
Details playbook Search Log Analyze APK search APK End Other writeup Details EventID: 80 Event Time: March 15, 2021, 9:55 p.m. Rule: SOC103 - Malicious APK Detected Level: Security Analyst Source Address 10.15.15.14 Source Hostname JessieP…
Details Create Case Collection Data 140.82.121.4 Search Log Analyze URL Address Add Artifacts End Details EventID: 79 Event Time: March 15, 2021, 9:30 p.m. Rule: SOC119 - Proxy - Malicious Executable File Detected Level: Security Analyst S…
Details Create Case Collection Data Search Log Analyze URL Address Access https[:]//www.win-rar[.]com/postdownload.html?&L=0&Version=32bit www.win-rar[.]com 51.195.68.163 Add Artifacts End Details EventID: 83 Event Time: March 21, 2021, 1:…
今まで、 公開情報から何となくマルウェアの解析とかしていた 無料で配布されているデータセットや資料に倣って学習していた 等でイマイチ実際にSOCであったりでやっていることのイメージがはっきりとしていなかったが、「LetsDefend」に触れたことで「現場…