4ensiX

I noticed that for the ones I said were FP, I chose FP but the display shows TP.

List of articles for the month starting 2022-02-01

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 35

Details playbook Search Log Analyze URL Address 66.198.240.56 http[:]//interalliance.org/ https[:]//interalliance.org/come2/holme/folde/swiftcopy.ps1 Has Anyone Accessed IP/URL/Domain? Containment Endpoint - Aldo(172.16.17.51) Process Hist…

LetsDefend level 1 alert SOC109 - Emotet Malware Detected event-id 39

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware eee99e6d8ade9463dd206dfbad3485ea http[:]//decpak.com/cgi-bin/gU/ Check If Someone Requested the C2 Log search - 172.16.17.83 330 331 332 C…

LetsDefend level 1 alert SOC108 - Malicious Remote Access Software Detected event-id 38

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware ff6bbddc34cbd33e2501872b97c4bacd Log search - 172.16.17.33 328 329 Add Artifacts End Details EventID: 38 Event Time: Jan. 1, 2021, 5:36 p.…

LetsDefend level 1 alert SOC110 - Proxy - Cryptojacking Detected event-id 40

Details playbook Search Log 333 Analyze URL Address https[:]//bit.ly/3hNuByx Add Artifacts End Details EventID: 40 Event Time: Jan. 2, 2021, 4:33 a.m. Rule: SOC110 - Proxy - Cryptojacking Detected Level: Security Analyst Source Address 172…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 41

Details mail playbook Are there attachments or URLs in the email? Analyze Url/Attachment 9ed9ad87a1564fbb5e1b652b3e7148c8.zip Check If Mail Delivered to User? Add Artifacts 104.140.188.46 cashbank[.]com Log search - 104.140.188.46 End Deta…

LetsDefend level 1 alert SOC111 - Traffic to Malware Domain event-id 42

Details playbook Search Log 45.80.181.51 casinos-hub[.]com Log search - 45.80.181.51 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Add Artifacts Endpoint - BellaPRD End Details EventID: 42 Event Time: Jan. 30, 2021, 5:25 p.m. Rule…

LetsDefend level 1 alert SOC112 - Traffic to Blacklisted IP event-id 43

Details playbook Search Log 193.239.147.32 Log search 193.239.147.32 Analyze URL Address http[:]//193.239.147.32/OBBBOP.exe OBBOP.exe Has Anyone Accessed IP/URL/Domain? Containment Endpoint - Jack(172.16.17.21) Browser History CMD History …

LetsDefend level 1 alert SOC113 - Suspicious hh.exe Usage event-id 44

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint - BillPRD CMD History Analyze Malware WinRAR.chm Add Artifacts End Details EventID: 44 Event Time: Jan. 31, 2021, 4:59 p.m. Rule: SOC113 - Suspic…

LetsDefend level 1 alert SOC116 - DNS Hijacking Detected event-id 49

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware Endpoint - WilsonPRD Browser History CMD History Network Connections update.py Check If Someone Requested the C2 Log search - 49.233.160.2…

LetsDefend level 1 alert SOC117 - Suspicious .reg File event-id 50

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware config.reg importantUpdate.bat Add Artifacts End Details EventID: 50 Event Time: Feb. 6, 2021, 1:58 p.m. Rule: SOC117 - Suspicious .reg Fi…

LetsDefend level 1 alert SOC118 - Internal Port Scan Activity event-id 51

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware 0a1ca6261fdb9671495be58a5691b21f Add Artifacts End Aside Log search 172.16.17.35 344~348 ~284 EndpointManagement - Katie 141812f77bdef659d1…

LetsDefend level 1 alert SOC120 - Phishing Mail Detected - Internal to Internal event-id 52

Details playbook Parse Email Are there attachments or URLs in the email? Add Artifacts End Details EventID: 52 Event Time: Feb. 7, 2021, 4:24 a.m. Rule: SOC120 - Phishing Mail Detected - Internal to Internal Level: Security Analyst SMTP Ad…

LetsDefend level 1 alert SOC121 - Proxy - Malicious Executable File Detected event-id 53

Details playbook Collection Data Search Log Analyze URL Address Has Anyone Accessed IP/URL/Domain? Add Artifacts End Details EventID: 53 Event Time: Feb. 7, 2021, 12:19 p.m. Rule: SOC121 - Proxy - Malicious Executable File Detected Level: …

LetsDefend level 1 alert SOC108 - Malicious Remote Access Software Detected event-id 54

Details playbook Collection Data Search Log Analyze URL Address Add Artifacts End Details EventID: 54 Event Time: Feb. 7, 2021, 1:21 p.m. Rule: SOC108 - Malicious Remote Access Software Detected Level: Security Analyst Source Address 10.15…

A Rough Look at Redline Malware

This week's malware Redline AnyRun execution example Main behavior Aside This week's malware Every week AnyRun compiles statistics on the malware uploaded to its service, and this week they looked like this. Fresh TOP10 #malware uploads on ANYRUN⬆️ #Emotet 2388 (614)⬆️ #Redline 428 (370)⬆️…

LetsDefend level 1 alert SOC122 - Android Banker Malware Detected event-id 55

Details playbook Search Log 18 19 22 351 376 Analyze APK com.uijluzvup.hsoextg 2a629fe1790c01fe5a0a83b5c3a12c8a d64760981f9af1f0213ab211e0f12108 Containment Add Artifacts End Details EventID: 55 Event Time: Feb. 7, 2021, 6:21 p.m. Rule: SO…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 59

Details playbook Parse Email Are there attachments or URLs in the email? Add Artifacts 27.128.173.81 End Details EventID: 59 Event Time: Feb. 14, 2021, 3 a.m. Rule: SOC101 - Phishing Mail Detected Level: Security Analyst SMTP Address 27.12…

LetsDefend level 1 alert SOC123 - Enumeration Tool Detected event-id 56

Details playbook Collection Data Search Log 185.199.109.133 Log 185.199.109.133 352 353 172.16.20.4 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 56 Event Time: Feb. 13, 2021, 4:47 p.…

LetsDefend level 1 alert SOC124 - Scheduled Task Created event-id 57

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Check Endpoint - Maxim CMD History Analyze Malware Add Artifacts End Details EventID: 57 Event Time: Feb. 14, 2021, 11:17 a.m. Rule: SOC124 - Scheduled Ta…