4ensiX

4ensiX

FPと言ったものはFPを選んだが表示はTPになっていることに気づいた。

LetsDefend

LetsDefend Challenge Malware Analysis: Malicious Doc

LetsDefend Challenge Malware Analysis: Malicious Doc What type of exploit is running as a result of the relevant file running on the victim machine? What is the relevant Exploit CVE code obtained as a result of the analysis? What is the na…

LetsDefend Challenge Malware Analysis: Malicious VBA

LetsDefend Challenge Malware Analysis: Malicious VBA The document initiates the download of a payload after the execution, can you tell what website is hosting it? What is the filename of the payload (include the extension)? What method is…

LetsDefend Challenge Malware Analysis: Remote Working

LetsDefend Challenge Malware Analysis: Remote Working What is the date the file was created? With what name is the file detected by Bitdefender antivirus? How many files are dropped on the disk? What is the sha-256 hash of the file with em…

LetsDefend Challenge Malware Analysis: Presentation As a Malware

LetsDefend Challenge Malware Analysis: Presentation As a Malware What was the general name / category of the malicious file in the analyzed ppt file? Which of the url addresses it communicates with has been detected as harmful by sandboxes…

LetsDefend Challenge DFIR: Memory Analysis writeup

LetsDefend Challenge DFIR: Memory Analysis What was the date and time when Memory from the compromised endpoint was acquired? What was the suspicious process running on the system? (Format : name.extension) Analyze and find the malicious t…

LetsDefend Challenge DFIR: IcedID Malware Family writeup

LetsDefend Challenge DFIR: IcedID Malware Family What is the sha256 hash for the malspam attachment? What is the child process command line when the user enabled the Macro? What is the HTML Application file's sha256 hash from previous ques…

LetsDefend level 1 alert SOC164 - Suspicious Mshta Behavior event-id 114

今回のアラート Start Playbook! Determine Suspicious Activity What Is Suspicious Activity? Who Performed the Activity? Add Artifacts End appendix 今回のアラート SOC164 - Suspicious Mshta Behavior Low reputation hta file executed via mshta.e…

LetsDefend level 2 alert SOC154 - Service Configuration File Changed by Non Admin User event-id 102

Details playbook Connect Machine Verify Determine whether alert was TP or FP Choose Incident Type What is the initial access method used in the attack? Determines Scope of Threat/Risk to the Organization What is the persistence method used…

LetsDefend level 1 alert SOC165 - Possible SQL Injection Payload Detected event-id 115

Details playbook Is Traffic Malicious? What Is The Attack Type? Check If It Is a Planned Test What Is the Direction of Traffic? Was the Attack Successful? Add Artifacts Do You Need Tier 2 Escalation? End Details EventID : 115 Event Time : …

LetsDefend Challenge DFIR: Port Scan Activity writeup

LetsDefend Challenge DFIR: Port Scan Activity Question1: What is the IP address scanning the environment? 一番沢山パケットを飛ばしていそうなのが怪しい. $ tshark -r port\ scan.pcap -z conv,ip -q ============================================…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 16

Details playbook Analyze Threat Intel Data URL https[:]//pssd-ltdgroup[.]com/ Domain pssd-ltdgroup[.]com 5.188.0.251 Interaction with TI data Log Endpoint Containment Add Artifacts End Details EventID: 16 Event Time: Sept. 20, 2020, 10:54 …

LetsDefend level 1 alert SOC106 - Found Suspicious File - TI Data event-id 17

Details playbook Check if the malware is quarantined/cleaned Analyze Malware Add Artifacts End Details EventID: 17 Event Time: Sept. 22, 2020, 11:10 a.m. Rule: SOC106 - Found Suspicious File - TI Data Level: Security Analyst Source Address…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 18

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment 送信側アドレス cashbank[.]com 172.82.128.241 mail Attachments Check If Mail Delivered to User? Check If Someone Opened the Malicios File/URL? Add Artifacts…

LetsDefend level 1 alert SOC107 - Privilege Escalation Detected event-id 19

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware creditcard -> 27e56f0f4bbb933a9ef25e0e0c2a4aaae578bdc2623e6bcdf664834e4ce60c9d Check If Someone Requested the C2 Add Artifacts End Details…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 20

Details playbook Analyze Threat Intel Data https[:]//raw.githubusercontent[.]com/django/django/master/setup.py 151.101.112.133 Add Artifacts End Details EventID: 20 Event Time: Oct. 19, 2020, 9:54 p.m. Rule: SOC105 - Requested T.I. URL add…

LetsDefend level 1 alert SOC104 - Malware Detected event-id 21

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware F46B0C39FCFDF4C0426C9276A2BB48C6 Check If Someone Requested the C2 Containment Add Artifacts End Details EventID: 21 Event Time: Oct. 20, …

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 22

Details playbook Search Log Analyze URL Address アクセス先ip 35.189.10.17 Suspicious URL: http[:]//stylefix[.]co/guillotine-cross/CTRNOQ/ Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 22 Event Time: Oct.…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 24

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Attachments 1ceda3ccc4e450088204e23409904fa8 Check If Mail Delivered to User? Add Artifacts End Details EventID: 24 Event Time: Oct. 25, 2020, 9:32 p.m. Ru…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 25

Details 送信元 157.230.109.166 playbook Are there attachments or URLs in the email? Analyze Url/Attachment Attachments 5a3de19f198269947bb509152678b7d2 Check If Mail Delivered to User? Add Artifacts End Details EventID: 25 Event Time: Oct.…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 26

Details playbook Analyze URL Address 217.8.117.7 http[:]//jamesrlongacre.ac[.]ug/ac.exe User Agent: Firewall Test - Dont Block <- ???? Has Anyone Accessed IP/URL/Domain? Add Artifacts End Details EventID: 26 Event Time: Oct. 29, 2020, 7:05…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 27

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Sender IP 146.56.209.252 Sender Domain zol.co[.]zw Mail URL link: https[:]//hredoybangladesh[.]com/content/docs/wvoiha4vd1aqty/ hredoybangladesh[.]com Chec…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 28

Details playbook Analyze Threat Intel Data http[:]//115.99.150.132:56841/Mozi.m Download file Mozi.m Interaction with TI data Log search Add Artifacts End Details EventID: 28 Event Time: Oct. 29, 2020, 7:34 p.m. Rule: SOC105 - Requested T.…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 29

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment Check If Mail Delivered to User? Add Artifacts End Details EventID: 29 Event Time: Oct. 29, 2020, 7:43 p.m. Rule: SOC101 - Phishing Mail Detected Level: Se…

LetsDefend level 1 alert SOC104 - Malware Detected event-id 31

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware cdde99520664ac313d43964620019c61 Endpoint - JohnComputer Process History Logsearch Check If Someone Requested the C2 Containment Add Artif…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 32

Details playbook Search Log Analyze URL Address https[:]//encrypted-tbn0.gstatic[.]com/images?q=tbn:ANd9GcSjESkzn2LUxELhnqZZWBbmGwtbqfFsaemB9w&usqp=CAU encrypted-tbn0.gstatic[.]com 172.217.17.174 Add Artifacts End Details EventID: 32 Event…

LetsDefend level 1 alert SOC104 - Malware Detected event-id 36

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware f83fb9ce6a83da58b20685c1d7e1e546 Log Search 92.63.8.47 Check If Someone Requested the C2 Containment Add Artifacts End Details EventID: 36…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 34

Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment http[:]//bit.ly/3ecXem52 netflix-payments.com 112.85.42.180 Check If Mail Delivered to User? Check If Someone Opened the Malicios File/URL? Add Artifacts E…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 35

Details playbook Search Log Analyze URL Address 66.198.240.56 http[:]//interalliance.org/ https[:]//interalliance.org/come2/holme/folde/swiftcopy.ps1 Has Anyone Accessed IP/URL/Domain? Containment Endpoint - Aldo(172.16.17.51) Process Hist…

LetsDefend level 1 alert SOC109 - Emotet Malware Detected event-id 39

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware eee99e6d8ade9463dd206dfbad3485ea http[:]//decpak.com/cgi-bin/gU/ Check If Someone Requested the C2 Log search - 172.16.17.83 330 331 332 C…

LetsDefend level 1 alert SOC108 - Malicious Remote Access Software Detected event-id 38

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware ff6bbddc34cbd33e2501872b97c4bacd Log search - 172.16.17.33 328 329 Add Artifacts End Details EventID: 38 Event Time: Jan. 1, 2021, 5:36 p.…