Articles from the one-month period starting 2023-01-01
LetsDefend Challenge DFIR: IcedID Malware Family What is the sha256 hash for the malspam attachment? What is the child process command line when the user enabled the Macro? What is the HTML Application file's sha256 hash from previous ques…
This alert Start Playbook! Determine Suspicious Activity What Is Suspicious Activity? Who Performed the Activity? Add Artifacts End appendix This alert SOC164 - Suspicious Mshta Behavior Low reputation hta file executed via mshta.e…
Details playbook Connect Machine Verify Determine whether alert was TP or FP Choose Incident Type What is the initial access method used in the attack? Determines Scope of Threat/Risk to the Organization What is the persistence method used…