4ensiX

4ensiX

FPと言ったものはFPを選んだが表示はTPになっていることに気づいた。

2022-01-01から1ヶ月間の記事一覧

LetsDefend level 1 alert SOC125 - Suspicious Rundll32 Activity event-id 58

LetsDefend Malware

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement CMD History Network Connections Process History Analyze Malware Write Registry Connections HTTP/HTTPS requests Check If Someone Request…

#LetsDefend #Emotet

LetsDefend level 1 alert SOC127 - SQL Injection Detected event-id 60

LetsDefend

Details playbook Collection Data Search Log 356 410 Analyze URL Address Add Artifacts End Details EventID: 60 Event Time: Feb. 14, 2021, 1:05 p.m. Rule: SOC127 - SQL Injection Detected Level: Security Analyst Source Address 172.16.20.5 Sou…

#LetsDefend

LetsDefend level 1 alert SOC126 - Suspicious New Autorun Value Detected event-id 61

LetsDefend Malware

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement - KatharinePRD Analyze Malware OliwciaPrivInstaller.exe - 436fa243bbfed63a99b8e9f866cd80e5 cmd.exe 接続先まとめ 208.95.112.1 (ip-api[.]…

#LetsDefend #malware

LetsDefend level 1 alert SOC129 - Successful Local File Inclusion event-id 63

LetsDefend

Details playbook Collection Data Search Log Log Search - 49.234.71.65 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 63 Event Time: Feb. 21, 2021, 5:02 p.m. Rule: SOC129 - Successful L…

#LetsDefend

LetsDefend level 1 alert SOC130 - Event Log Cleared event-id 64

LetsDefend

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement - Exchange Server Log Search - 172.16.20.3 Jan, 02, 2021~Jun, 13, 2021 Analyze Malware Add Artifacts End Details EventID: 64 Event Time…

#LetsDefend

LetsDefend level 1 alert SOC103 - Malicious APK Detected event-id 65

LetsDefend Malware

Details playbook Search Log 18 19 20 351 376 Analyze APK Containment Add Artifacts End Details EventID: 65 Event Time: Feb. 22, 2021, 11:11 a.m. Rule: SOC103 - Malicious APK Detected Level: Security Analyst Source Address 10.15.15.12 Sourc…

#LetsDefend

LetsDefend level 1 alert SOC128 - Malicious File Upload Attempt event-id 62

LetsDefend Malware

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned LogManagement 359 360 EndpointManagement Analyze Malware phpshell.php 49.234.71.65 Check If Someone Requested the C2 358 361 362 363 364 Containment Add A…

#LetsDefend

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 66

LetsDefend

Details playbook Collection Data Search Log Analyze URL Address Add Artifacts End Details EventID: 66 Event Time: Feb. 22, 2021, 8:36 p.m. Rule: SOC102 - Proxy - Suspicious URL Detected Level: Security Analyst Source Address 172.16.17.150 …

#LetsDefend

LetsDefend level 1 alert SOC133 - Suspicious Request to New Registered Domain event-id 69

LetsDefend

Details playbook Collection Data Search Log Analyze URL Address amesiana[.]com Add Artifacts End Details EventID: 69 Event Time: Feb. 28, 2021, 7:57 p.m. Rule: SOC133 - Suspicious Request to New Registered Domain Level: Security Analyst So…

#LetsDefend

LetsDefend level 1 alert SOC131 - Reverse TCP Backdoor Detected event-id 67

LetsDefend Malware

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware Check If Someone Requested the C2 Add Artifacts End Details EventID: 67 Event Time: March 1, 2021, 3:15 p.m. Rule: SOC131 - Reverse TCP Ba…

#LetsDefend

LetsDefend level 1 alert SOC132 - Same Malicious File Found on Multiple Sources event-id 68

LetsDefend Malware

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint Security MikeComputer JohnComputer Sofia Analyze Malware msi.dat 81.68.99.93 Check If Someone Requested the C2 Add Artifacts End Details EventID:…

#LetsDefend

LetsDefend level 1 alert SOC134 - Suspicious WMI Activity event-id 71

LetsDefend Malware

Details Playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint Security 161.35.41.241 Analyze Malware Connection to 161.35.41.241 315 316 317 318 余談 Check If Someone Requested the C2 Containment Add Artifac…

#LetsDefend

LetsDefend level 1 alert SOC135 - Multiple FTP Connection Attempt event-id 72

LetsDefend

Details playbook Collection Data Source Address: 42.192.84.19 Destination Address: 172.16.20.4 User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 Search Log 371 372 …

#LetsDefend

LetsDefend level 1 alert SOC136 - Data Leak via Mailbox Forwarding Detected event-id 74

LetsDefend

Details playbook Parse Email Are there attachments or URLs in the email? yandex[.]ru Add Artifacts End Details EventID: 74 Event Time: March 7, 2021, 5:31 p.m. Rule: SOC136 - Data Leak via Mailbox Forwarding Detected Level: Security Analys…

#LetsDefend

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 75

LetsDefend

Details playbook Analyze Threat Intel Data 67.199.248.10 https[:]//bit[.]ly/TAPSCAN Add Artifacts End Details EventID: 75 Event Time: March 7, 2021, 5:47 p.m. Rule: SOC105 - Requested T.I. URL address Level: Security Analyst Source Address…

#LetsDefend

LetsDefend level 1 alert SOC138 - Detected Suspicious Xls File event-id 77

LetsDefend Malware

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement Analyze Malware ORDER SHEET & SPEC.xlsm 177.53.143.89 multiwaretecnologia.com[.]br Check If Someone Requested the C2 LogManagement Add …

#LetsDefend

LetsDefend level 1 alert SOC137 - Malicious File/Script Download Attempt event-id 76

LetsDefend Malware

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Log Search 368 Mar, 07, 2021, 01:50 PM Proxy 172.16.17.37 48463 49.51.12.195 443 iluuryeqa[.]info 49.51.12.195 369 Mar, 07, 2021, 01:54 PM Proxy 172.16.17…

#LetsDefend

LetsDefend level 1 alert SOC103 - Malicious APK Detected event-id 80

LetsDefend Malware

Details playbook Search Log Analyze APK search APK End Other writeup Details EventID: 80 Event Time: March 15, 2021, 9:55 p.m. Rule: SOC103 - Malicious APK Detected Level: Security Analyst Source Address 10.15.15.14 Source Hostname JessieP…

#LetsDefend #Malicious APK

LetsDefend level 1 alert SOC119 - Proxy - Malicious Executable File Detected event-id 79

LetsDefend Malware

Details Create Case Collection Data 140.82.121.4 Search Log Analyze URL Address Add Artifacts End Details EventID: 79 Event Time: March 15, 2021, 9:30 p.m. Rule: SOC119 - Proxy - Malicious Executable File Detected Level: Security Analyst S…

#LetsDefend

LetsDefend level 1 alert SOC119 - Proxy - Malicious Executable File Detected event-id 83

LetsDefend Malware

Details Create Case Collection Data Search Log Analyze URL Address Access https[:]//www.win-rar[.]com/postdownload.html?&L=0&Version=32bit www.win-rar[.]com 51.195.68.163 Add Artifacts End Details EventID: 83 Event Time: March 21, 2021, 1:…

#LetsDefend #WinRAR

SecurityAnalystっぽいことができる!今一押しのサービス「LetsDefend」

LetsDefend Phishing Mail

今まで、 公開情報から何となくマルウェアの解析とかしていた 無料で配布されているデータセットや資料に倣って学習していた 等でイマイチ実際にSOCであったりでやっていることのイメージがはっきりとしていなかったが、「LetsDefend」に触れたことで「現場…

#LetsDefend #フィッシングメール #マルウェア