LetsDefend Challenge DFIR: IcedID Malware Family writeup

LetsDefend Challenge DFIR: IcedID Malware Family What is the sha256 hash for the malspam attachment? What is the child process command line when the user enabled the Macro? What is the HTML Application file's sha256 hash from previous ques…

LetsDefend level 1 alert SOC164 - Suspicious Mshta Behavior event-id 114

今回のアラート Start Playbook! Determine Suspicious Activity What Is Suspicious Activity? Who Performed the Activity? Add Artifacts End appendix 今回のアラート SOC164 - Suspicious Mshta Behavior Low reputation hta file executed via mshta.e…

LetsDefend level 2 alert SOC154 - Service Configuration File Changed by Non Admin User event-id 102

Details playbook Connect Machine Verify Determine whether alert was TP or FP Choose Incident Type What is the initial access method used in the attack? Determines Scope of Threat/Risk to the Organization What is the persistence method used…