4ensiX

I noticed that for the alerts I labelled FP, I selected FP, but the display shows TP.

LetsDefend

LetsDefend level 1 alert SOC110 - Proxy - Cryptojacking Detected event-id 40

Details playbook Search Log 333 Analyze URL Address https[:]//bit.ly/3hNuByx Add Artifacts End Details EventID: 40 Event Time: Jan. 2, 2021, 4:33 a.m. Rule: SOC110 - Proxy - Cryptojacking Detected Level: Security Analyst Source Address 172…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 41

Details mail playbook Are there attachments or URLs in the email? Analyze Url/Attachment 9ed9ad87a1564fbb5e1b652b3e7148c8.zip Check If Mail Delivered to User? Add Artifacts 104.140.188.46 cashbank[.]com Log search - 104.140.188.46 End Deta…

LetsDefend level 1 alert SOC111 - Traffic to Malware Domain event-id 42

Details playbook Search Log 45.80.181.51 casinos-hub[.]com Log search - 45.80.181.51 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Add Artifacts Endpoint - BellaPRD End Details EventID: 42 Event Time: Jan. 30, 2021, 5:25 p.m. Rule…

LetsDefend level 1 alert SOC112 - Traffic to Blacklisted IP event-id 43

Details playbook Search Log 193.239.147.32 Log search 193.239.147.32 Analyze URL Address http[:]//193.239.147.32/OBBBOP.exe OBBOP.exe Has Anyone Accessed IP/URL/Domain? Containment Endpoint - Jack(172.16.17.21) Browser History CMD History …

LetsDefend level 1 alert SOC113 - Suspicious hh.exe Usage event-id 44

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint - BillPRD CMD History Analyze Malware WinRAR.chm Add Artifacts End Details EventID: 44 Event Time: Jan. 31, 2021, 4:59 p.m. Rule: SOC113 - Suspic…

LetsDefend level 1 alert SOC116 - DNS Hijacking Detected event-id 49

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware Endpoint - WilsonPRD Browser History CMD History Network Connections update.py Check If Someone Requested the C2 Log search - 49.233.160.2…

LetsDefend level 1 alert SOC117 - Suspicious .reg File event-id 50

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware config.reg importantUpdate.bat Add Artifacts End Details EventID: 50 Event Time: Feb. 6, 2021, 1:58 p.m. Rule: SOC117 - Suspicious .reg Fi…

LetsDefend level 1 alert SOC118 - Internal Port Scan Activity event-id 51

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware 0a1ca6261fdb9671495be58a5691b21f Add Artifacts End Aside Log search 172.16.17.35 344~348 ~284 EndpointManagement - Katie 141812f77bdef659d1…

LetsDefend level 1 alert SOC120 - Phishing Mail Detected - Internal to Internal event-id 52

Details playbook Parse Email Are there attachments or URLs in the email? Add Artifacts End Details EventID: 52 Event Time: Feb. 7, 2021, 4:24 a.m. Rule: SOC120 - Phishing Mail Detected - Internal to Internal Level: Security Analyst SMTP Ad…

LetsDefend level 1 alert SOC121 - Proxy - Malicious Executable File Detected event-id 53

Details playbook Collection Data Search Log Analyze URL Address Has Anyone Accessed IP/URL/Domain? Add Artifacts End Details EventID: 53 Event Time: Feb. 7, 2021, 12:19 p.m. Rule: SOC121 - Proxy - Malicious Executable File Detected Level: …

LetsDefend level 1 alert SOC108 - Malicious Remote Access Software Detected event-id 54

Details playbook Collection Data Search Log Analyze URL Address Add Artifacts End Details EventID: 54 Event Time: Feb. 7, 2021, 1:21 p.m. Rule: SOC108 - Malicious Remote Access Software Detected Level: Security Analyst Source Address 10.15…

LetsDefend level 1 alert SOC122 - Android Banker Malware Detected event-id 55

Details playbook Search Log 18 19 22 351 376 Analyze APK com.uijluzvup.hsoextg 2a629fe1790c01fe5a0a83b5c3a12c8a d64760981f9af1f0213ab211e0f12108 Containment Add Artifacts End Details EventID: 55 Event Time: Feb. 7, 2021, 6:21 p.m. Rule: SO…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 59

Details playbook Parse Email Are there attachments or URLs in the email? Add Artifacts 27.128.173.81 End Details EventID: 59 Event Time: Feb. 14, 2021, 3 a.m. Rule: SOC101 - Phishing Mail Detected Level: Security Analyst SMTP Address 27.12…

LetsDefend level 1 alert SOC123 - Enumeration Tool Detected event-id 56

Details playbook Collection Data Search Log 185.199.109.133 Log 185.199.109.133 352 353 172.16.20.4 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 56 Event Time: Feb. 13, 2021, 4:47 p.…

LetsDefend level 1 alert SOC124 - Scheduled Task Created event-id 57

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Check Endpoint - Maxim CMD History Analyze Malware Add Artifacts End Details EventID: 57 Event Time: Feb. 14, 2021, 11:17 a.m. Rule: SOC124 - Scheduled Ta…

LetsDefend level 1 alert SOC125 - Suspicious Rundll32 Activity event-id 58

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement CMD History Network Connections Process History Analyze Malware Write Registry Connections HTTP/HTTPS requests Check If Someone Request…

LetsDefend level 1 alert SOC127 - SQL Injection Detected event-id 60

Details playbook Collection Data Search Log 356 410 Analyze URL Address Add Artifacts End Details EventID: 60 Event Time: Feb. 14, 2021, 1:05 p.m. Rule: SOC127 - SQL Injection Detected Level: Security Analyst Source Address 172.16.20.5 Sou…

LetsDefend level 1 alert SOC126 - Suspicious New Autorun Value Detected event-id 61

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement - KatharinePRD Analyze Malware OliwciaPrivInstaller.exe - 436fa243bbfed63a99b8e9f866cd80e5 cmd.exe Summary of connection destinations 208.95.112.1 (ip-api[.]…

LetsDefend level 1 alert SOC129 - Successful Local File Inclusion event-id 63

Details playbook Collection Data Search Log Log Search - 49.234.71.65 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 63 Event Time: Feb. 21, 2021, 5:02 p.m. Rule: SOC129 - Successful L…

LetsDefend level 1 alert SOC130 - Event Log Cleared event-id 64

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement - Exchange Server Log Search - 172.16.20.3 Jan, 02, 2021~Jun, 13, 2021 Analyze Malware Add Artifacts End Details EventID: 64 Event Time…

LetsDefend level 1 alert SOC103 - Malicious APK Detected event-id 65

Details playbook Search Log 18 19 20 351 376 Analyze APK Containment Add Artifacts End Details EventID: 65 Event Time: Feb. 22, 2021, 11:11 a.m. Rule: SOC103 - Malicious APK Detected Level: Security Analyst Source Address 10.15.15.12 Sourc…

LetsDefend level 1 alert SOC128 - Malicious File Upload Attempt event-id 62

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned LogManagement 359 360 EndpointManagement Analyze Malware phpshell.php 49.234.71.65 Check If Someone Requested the C2 358 361 362 363 364 Containment Add A…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 66

Details playbook Collection Data Search Log Analyze URL Address Add Artifacts End Details EventID: 66 Event Time: Feb. 22, 2021, 8:36 p.m. Rule: SOC102 - Proxy - Suspicious URL Detected Level: Security Analyst Source Address 172.16.17.150 …

LetsDefend level 1 alert SOC133 - Suspicious Request to New Registered Domain event-id 69

Details playbook Collection Data Search Log Analyze URL Address amesiana[.]com Add Artifacts End Details EventID: 69 Event Time: Feb. 28, 2021, 7:57 p.m. Rule: SOC133 - Suspicious Request to New Registered Domain Level: Security Analyst So…

LetsDefend level 1 alert SOC131 - Reverse TCP Backdoor Detected event-id 67

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware Check If Someone Requested the C2 Add Artifacts End Details EventID: 67 Event Time: March 1, 2021, 3:15 p.m. Rule: SOC131 - Reverse TCP Ba…

LetsDefend level 1 alert SOC132 - Same Malicious File Found on Multiple Sources event-id 68

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint Security MikeComputer JohnComputer Sofia Analyze Malware msi.dat 81.68.99.93 Check If Someone Requested the C2 Add Artifacts End Details EventID:…

LetsDefend level 1 alert SOC134 - Suspicious WMI Activity event-id 71

Details Playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint Security 161.35.41.241 Analyze Malware Connection to 161.35.41.241 315 316 317 318 Aside Check If Someone Requested the C2 Containment Add Artifac…

LetsDefend level 1 alert SOC135 - Multiple FTP Connection Attempt event-id 72

Details playbook Collection Data Source Address: 42.192.84.19 Destination Address: 172.16.20.4 User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 Search Log 371 372 …

LetsDefend level 1 alert SOC136 - Data Leak via Mailbox Forwarding Detected event-id 74

Details playbook Parse Email Are there attachments or URLs in the email? yandex[.]ru Add Artifacts End Details EventID: 74 Event Time: March 7, 2021, 5:31 p.m. Rule: SOC136 - Data Leak via Mailbox Forwarding Detected Level: Security Analys…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 75

Details playbook Analyze Threat Intel Data 67.199.248.10 https[:]//bit[.]ly/TAPSCAN Add Artifacts End Details EventID: 75 Event Time: March 7, 2021, 5:47 p.m. Rule: SOC105 - Requested T.I. URL address Level: Security Analyst Source Address…
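Every playbook above ends with an "Add Artifacts" step, and the notes record those artifacts defanged (`cashbank[.]com`, `https[:]//bit.ly/3hNuByx`). The script below is an added example, not code from this blog or from LetsDefend: it takes a few artifact strings copied from the notes on this page (the sample input is constructed here for illustration), refangs them, sorts them by type (URL, public IP, private IP, MD5, filename, domain), and keeps only the ones worth feeding to a blocklist or threat-intel pivot. The type names and the list of file extensions are my own choices, not anything defined by the platform.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample input: artifact strings as they appear in the alert
# notes on this page (defanged with [.] and [:]), one alert per line.
# Alert IDs such as SOC110 are deliberately left in to show they are ignored.
SAMPLE_NOTES = """\
SOC110 https[:]//bit.ly/3hNuByx
SOC101 9ed9ad87a1564fbb5e1b652b3e7148c8.zip 104.140.188.46 cashbank[.]com
SOC112 http[:]//193.239.147.32/OBBBOP.exe 172.16.17.21
SOC118 0a1ca6261fdb9671495be58a5691b21f 172.16.17.35
SOC136 yandex[.]ru
"""

# Extensions seen in the notes on this page (assumed list, extend as needed).
FILE_EXTS = (".exe", ".zip", ".dll", ".bat", ".reg", ".chm", ".php", ".py", ".dat", ".apk")
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def refang(token: str) -> str:
    """Reverse the defanging used in analyst notes so the value can be pivoted on."""
    token = token.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", token, flags=re.IGNORECASE)


def classify(token: str) -> str:
    """Return one of: url, ip_public, ip_private, md5, filename, domain, other.

    Order matters: a URL is tested before anything else so that a path like
    /OBBBOP.exe is not mistaken for a filename, and filenames are tested before
    domains because 'OBBBOP.exe' would otherwise satisfy the domain pattern.
    """
    value = refang(token)
    if URL_RE.match(value):
        return "url"
    try:
        ip = ipaddress.ip_address(value)
        return "ip_private" if ip.is_private else "ip_public"
    except ValueError:
        pass
    if MD5_RE.match(value):
        return "md5"
    if value.lower().endswith(FILE_EXTS):
        return "filename"
    if DOMAIN_RE.match(value):
        return "domain"
    return "other"


def extract_artifacts(notes: str) -> Dict[str, List[str]]:
    """Group refanged, de-duplicated artifacts by type; tokens classed 'other' are dropped."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for token in notes.split():
        kind = classify(token)
        if kind != "other":
            groups[kind].add(refang(token))
    return {kind: sorted(values) for kind, values in groups.items()}


def blocklist_candidates(notes: str) -> List[str]:
    """External indicators only.

    RFC 1918 addresses (172.16.x.x here) are the victim hosts from the alert,
    not indicators to block, and a bare filename is too weak to act on.
    """
    groups = extract_artifacts(notes)
    keep = ("url", "ip_public", "domain", "md5")
    return sorted(value for kind in keep for value in groups.get(kind, []))


if __name__ == "__main__":
    for kind, values in sorted(extract_artifacts(SAMPLE_NOTES).items()):
        print(f"{kind:11s} {', '.join(values)}")
    print("blocklist:", blocklist_candidates(SAMPLE_NOTES))
```

The private-address check is the part worth keeping even if the rest is replaced: the notes above mix the attacker side (45.80.181.51, 193.239.147.32) with internal endpoints (172.16.17.21, 172.16.20.4), and an artifact list that does not separate them will eventually block a production host.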