4ensiX

4ensiX

FPと言ったものはFPを選んだが表示はTPになっていることに気づいた。

LetsDefend

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 16

Details playbook Analyze Threat Intel Data URL https[:]//pssd-ltdgroup[.]com/ Domain pssd-ltdgroup[.]com 5.188.0.251 Interaction with TI data Log Endpoint Containment Add Artifacts End Details EventID: 16 Event Time: Sept. 20, 2020, 10:54 …

LetsDefend level 1 alert SOC106 - Found Suspicious File - TI Data event-id 17

Details playbook Check if the malware is quarantined/cleaned Analyze Malware Add Artifacts End Details EventID: 17 Event Time: Sept. 22, 2020, 11:10 a.m. Rule: SOC106 - Found Suspicious File - TI Data Level: Security Analyst Source Address…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 18

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment 送信側アドレス cashbank[.]com 172.82.128.241 mail Attachments Check If Mail Delivered to User? Check If Someone Opened the Malicios File/URL? Add Artifacts…

LetsDefend level 1 alert SOC107 - Privilege Escalation Detected event-id 19

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware creditcard -> 27e56f0f4bbb933a9ef25e0e0c2a4aaae578bdc2623e6bcdf664834e4ce60c9d Check If Someone Requested the C2 Add Artifacts End Details…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 20

Details playbook Analyze Threat Intel Data https[:]//raw.githubusercontent[.]com/django/django/master/setup.py 151.101.112.133 Add Artifacts End Details EventID: 20 Event Time: Oct. 19, 2020, 9:54 p.m. Rule: SOC105 - Requested T.I. URL add…

LetsDefend level 1 alert SOC104 - Malware Detected event-id 21

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware F46B0C39FCFDF4C0426C9276A2BB48C6 Check If Someone Requested the C2 Containment Add Artifacts End Details EventID: 21 Event Time: Oct. 20, …

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 22

Details playbook Search Log Analyze URL Address アクセス先ip 35.189.10.17 Suspicious URL: http[:]//stylefix[.]co/guillotine-cross/CTRNOQ/ Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 22 Event Time: Oct.…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 24

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Attachments 1ceda3ccc4e450088204e23409904fa8 Check If Mail Delivered to User? Add Artifacts End Details EventID: 24 Event Time: Oct. 25, 2020, 9:32 p.m. Ru…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 25

Details 送信元 157.230.109.166 playbook Are there attachments or URLs in the email? Analyze Url/Attachment Attachments 5a3de19f198269947bb509152678b7d2 Check If Mail Delivered to User? Add Artifacts End Details EventID: 25 Event Time: Oct.…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 26

Details playbook Analyze URL Address 217.8.117.7 http[:]//jamesrlongacre.ac[.]ug/ac.exe User Agent: Firewall Test - Dont Block <- ???? Has Anyone Accessed IP/URL/Domain? Add Artifacts End Details EventID: 26 Event Time: Oct. 29, 2020, 7:05…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 27

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Sender IP 146.56.209.252 Sender Domain zol.co[.]zw Mail URL link: https[:]//hredoybangladesh[.]com/content/docs/wvoiha4vd1aqty/ hredoybangladesh[.]com Chec…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 28

Details playbook Analyze Threat Intel Data http[:]//115.99.150.132:56841/Mozi.m Download file Mozi.m Interaction with TI data Log search Add Artifacts End Details EventID: 28 Event Time: Oct. 29, 2020, 7:34 p.m. Rule: SOC105 - Requested T.…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 29

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Check If Mail Delivered to User? Add Artifacts End Details EventID: 29 Event Time: Oct. 29, 2020, 7:43 p.m. Rule: SOC101 - Phishing Mail Detected Level: Se…

LetsDefend level 1 alert SOC104 - Malware Detected event-id 31

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware cdde99520664ac313d43964620019c61 Endpoint - JohnComputer Process History Logsearch Check If Someone Requested the C2 Containment Add Artif…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 32

Details playbook Search Log Analyze URL Address https[:]//encrypted-tbn0.gstatic[.]com/images?q=tbn:ANd9GcSjESkzn2LUxELhnqZZWBbmGwtbqfFsaemB9w&usqp=CAU encrypted-tbn0.gstatic[.]com 172.217.17.174 Add Artifacts End Details EventID: 32 Event…

LetsDefend level 1 alert SOC104 - Malware Detected event-id 36

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware f83fb9ce6a83da58b20685c1d7e1e546 Log Search 92.63.8.47 Check If Someone Requested the C2 Containment Add Artifacts End Details EventID: 36…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 34

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment http[:]//bit.ly/3ecXem52 netflix-payments.com 112.85.42.180 Check If Mail Delivered to User? Check If Someone Opened the Malicios File/URL? Add Artifacts E…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 35

Details playbook Search Log Analyze URL Address 66.198.240.56 http[:]//interalliance.org/ https[:]//interalliance.org/come2/holme/folde/swiftcopy.ps1 Has Anyone Accessed IP/URL/Domain? Containment Endpoint - Aldo(172.16.17.51) Process Hist…

LetsDefend level 1 alert SOC109 - Emotet Malware Detected event-id 39

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware eee99e6d8ade9463dd206dfbad3485ea http[:]//decpak.com/cgi-bin/gU/ Check If Someone Requested the C2 Log search - 172.16.17.83 330 331 332 C…

LetsDefend level 1 alert SOC108 - Malicious Remote Access Software Detected event-id 38

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware ff6bbddc34cbd33e2501872b97c4bacd Log search - 172.16.17.33 328 329 Add Artifacts End Details EventID: 38 Event Time: Jan. 1, 2021, 5:36 p.…

LetsDefend level 1 alert SOC110 - Proxy - Cryptojacking Detected event-id 40

Details playbook Search Log 333 Analyze URL Address https[:]//bit.ly/3hNuByx Add Artifacts End Details EventID: 40 Event Time: Jan. 2, 2021, 4:33 a.m. Rule: SOC110 - Proxy - Cryptojacking Detected Level: Security Analyst Source Address 172…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 41

Details mail playbook Are there attachments or URLs in the email? Analyze Url/Attachment 9ed9ad87a1564fbb5e1b652b3e7148c8.zip Check If Mail Delivered to User? Add Artifacts 104.140.188.46 cashbank[.]com Log search - 104.140.188.46 End Deta…

LetsDefend level 1 alert SOC111 - Traffic to Malware Domain event-id 42

Details playbook Search Log 45.80.181.51 casinos-hub[.]com Log search - 45.80.181.51 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Add Artifacts Endpoint - BellaPRD End Details EventID: 42 Event Time: Jan. 30, 2021, 5:25 p.m. Rule…

LetsDefend level 1 alert SOC112 - Traffic to Blacklisted IP event-id 43

Details playbook Search Log 193.239.147.32 Log search 193.239.147.32 Analyze URL Address http[:]//193.239.147.32/OBBBOP.exe OBBOP.exe Has Anyone Accessed IP/URL/Domain? Containment Endpoint - Jack(172.16.17.21) Browser History CMD History …

LetsDefend level 1 alert SOC113 - Suspicious hh.exe Usage event-id 44

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint - BillPRD CMD History Analyze Malware WinRAR.chm Add Artifacts End Details EventID: 44 Event Time: Jan. 31, 2021, 4:59 p.m. Rule: SOC113 - Suspic…

LetsDefend level 1 alert SOC116 - DNS Hijacking Detected event-id 49

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware Endpoint - WilsonPRD Browser History CMD History Network Connections update.py Check If Someone Requested the C2 Log search - 49.233.160.2…

LetsDefend level 1 alert SOC117 - Suspicious .reg File event-id 50

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware config.reg importantUpdate.bat Add Artifacts End Details EventID: 50 Event Time: Feb. 6, 2021, 1:58 p.m. Rule: SOC117 - Suspicious .reg Fi…

LetsDefend level 1 alert SOC118 - Internal Port Scan Activity event-id 51

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware 0a1ca6261fdb9671495be58a5691b21f Add Artifacts End 余談 Log search 172.16.17.35 344~348 ~284 EndpointManagement - Katie 141812f77bdef659d1…

LetsDefend level 1 alert SOC120 - Phishing Mail Detected - Internal to Internal event-id 52

Details playbook Parse Email Are there attachments or URLs in the email? Add Artifacts End Details EventID: 52 Event Time: Feb. 7, 2021, 4:24 a.m. Rule: SOC120 - Phishing Mail Detected - Internal to Internal Level: Security Analyst SMTP Ad…

LetsDefend level 1 alert SOC121 - Proxy - Malicious Executable File Detected event-id 53

Details playbook Collection Data Search Log Analyze URL Address Has Anyone Accessed IP/URL/Domain? Add Artifacts End Details EventID: 53 Event Time: Feb. 7, 2021, 12:19 p.m. Rule: SOC121 - Proxy - Malicious Executable File Detected Level: …