4ensiX

I noticed that for the alerts I called FP, I selected FP but the display shows TP.

LetsDefend level 1 alert SOC118 - Internal Port Scan Activity event-id 51

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware 0a1ca6261fdb9671495be58a5691b21f Add Artifacts End Aside Log search 172.16.17.35 344~348 ~284 EndpointManagement - Katie 141812f77bdef659d1…

LetsDefend level 1 alert SOC120 - Phishing Mail Detected - Internal to Internal event-id 52

Details playbook Parse Email Are there attachments or URLs in the email? Add Artifacts End Details EventID: 52 Event Time: Feb. 7, 2021, 4:24 a.m. Rule: SOC120 - Phishing Mail Detected - Internal to Internal Level: Security Analyst SMTP Ad…

LetsDefend level 1 alert SOC121 - Proxy - Malicious Executable File Detected event-id 53

Details playbook Collection Data Search Log Analyze URL Address Has Anyone Accessed IP/URL/Domain? Add Artifacts End Details EventID: 53 Event Time: Feb. 7, 2021, 12:19 p.m. Rule: SOC121 - Proxy - Malicious Executable File Detected Level: …

LetsDefend level 1 alert SOC108 - Malicious Remote Access Software Detected event-id 54

Details playbook Collection Data Search Log Analyze URL Address Add Artifacts End Details EventID: 54 Event Time: Feb. 7, 2021, 1:21 p.m. Rule: SOC108 - Malicious Remote Access Software Detected Level: Security Analyst Source Address 10.15…

A rough look at Redline Malware

This week's Malware Redline AnyRun execution example Main behavior Aside This week's Malware Every week AnyRun compiles statistics on the malware uploaded to its service; this week it looked like the following. Fresh TOP10 #malware uploads on ANYRUN⬆️ #Emotet 2388 (614)⬆️ #Redline 428 (370)⬆️…

LetsDefend level 1 alert SOC122 - Android Banker Malware Detected event-id 55

Details playbook Search Log 18 19 22 351 376 Analyze APK com.uijluzvup.hsoextg 2a629fe1790c01fe5a0a83b5c3a12c8a d64760981f9af1f0213ab211e0f12108 Containment Add Artifacts End Details EventID: 55 Event Time: Feb. 7, 2021, 6:21 p.m. Rule: SO…

LetsDefend level 1 alert SOC101 - Phishing Mail Detected event-id 59

Details playbook Parse Email Are there attachments or URLs in the email? Add Artifacts 27.128.173.81 End Details EventID: 59 Event Time: Feb. 14, 2021, 3 a.m. Rule: SOC101 - Phishing Mail Detected Level: Security Analyst SMTP Address 27.12…

LetsDefend level 1 alert SOC123 - Enumeration Tool Detected event-id 56

Details playbook Collection Data Search Log 185.199.109.133 Log 185.199.109.133 352 353 172.16.20.4 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 56 Event Time: Feb. 13, 2021, 4:47 p.…

LetsDefend level 1 alert SOC124 - Scheduled Task Created event-id 57

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Check Endpoint - Maxim CMD History Analyze Malware Add Artifacts End Details EventID: 57 Event Time: Feb. 14, 2021, 11:17 a.m. Rule: SOC124 - Scheduled Ta…

LetsDefend level 1 alert SOC125 - Suspicious Rundll32 Activity event-id 58

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement CMD History Network Connections Process History Analyze Malware Write Registry Connections HTTP/HTTPS requests Check If Someone Request…

LetsDefend level 1 alert SOC127 - SQL Injection Detected event-id 60

Details playbook Collection Data Search Log 356 410 Analyze URL Address Add Artifacts End Details EventID: 60 Event Time: Feb. 14, 2021, 1:05 p.m. Rule: SOC127 - SQL Injection Detected Level: Security Analyst Source Address 172.16.20.5 Sou…

LetsDefend level 1 alert SOC126 - Suspicious New Autorun Value Detected event-id 61

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement - KatharinePRD Analyze Malware OliwciaPrivInstaller.exe - 436fa243bbfed63a99b8e9f866cd80e5 cmd.exe Summary of connection destinations 208.95.112.1 (ip-api[.]…

LetsDefend level 1 alert SOC129 - Successful Local File Inclusion event-id 63

Details playbook Collection Data Search Log Log Search - 49.234.71.65 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 63 Event Time: Feb. 21, 2021, 5:02 p.m. Rule: SOC129 - Successful L…

LetsDefend level 1 alert SOC130 - Event Log Cleared event-id 64

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement - Exchange Server Log Search - 172.16.20.3 Jan, 02, 2021~Jun, 13, 2021 Analyze Malware Add Artifacts End Details EventID: 64 Event Time…

LetsDefend level 1 alert SOC103 - Malicious APK Detected event-id 65

Details playbook Search Log 18 19 20 351 376 Analyze APK Containment Add Artifacts End Details EventID: 65 Event Time: Feb. 22, 2021, 11:11 a.m. Rule: SOC103 - Malicious APK Detected Level: Security Analyst Source Address 10.15.15.12 Sourc…

LetsDefend level 1 alert SOC128 - Malicious File Upload Attempt event-id 62

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned LogManagement 359 360 EndpointManagement Analyze Malware phpshell.php 49.234.71.65 Check If Someone Requested the C2 358 361 362 363 364 Containment Add A…

LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 66

Details playbook Collection Data Search Log Analyze URL Address Add Artifacts End Details EventID: 66 Event Time: Feb. 22, 2021, 8:36 p.m. Rule: SOC102 - Proxy - Suspicious URL Detected Level: Security Analyst Source Address 172.16.17.150 …

LetsDefend level 1 alert SOC133 - Suspicious Request to New Registered Domain event-id 69

Details playbook Collection Data Search Log Analyze URL Address amesiana[.]com Add Artifacts End Details EventID: 69 Event Time: Feb. 28, 2021, 7:57 p.m. Rule: SOC133 - Suspicious Request to New Registered Domain Level: Security Analyst So…

LetsDefend level 1 alert SOC131 - Reverse TCP Backdoor Detected event-id 67

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware Check If Someone Requested the C2 Add Artifacts End Details EventID: 67 Event Time: March 1, 2021, 3:15 p.m. Rule: SOC131 - Reverse TCP Ba…

LetsDefend level 1 alert SOC132 - Same Malicious File Found on Multiple Sources event-id 68

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint Security MikeComputer JohnComputer Sofia Analyze Malware msi.dat 81.68.99.93 Check If Someone Requested the C2 Add Artifacts End Details EventID:…

LetsDefend level 1 alert SOC134 - Suspicious WMI Activity event-id 71

Details Playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint Security 161.35.41.241 Analyze Malware Connection to 161.35.41.241 315 316 317 318 Aside Check If Someone Requested the C2 Containment Add Artifac…

LetsDefend level 1 alert SOC135 - Multiple FTP Connection Attempt event-id 72

Details playbook Collection Data Source Address: 42.192.84.19 Destination Address: 172.16.20.4 User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 Search Log 371 372 …

LetsDefend level 1 alert SOC136 - Data Leak via Mailbox Forwarding Detected event-id 74

Details playbook Parse Email Are there attachments or URLs in the email? yandex[.]ru Add Artifacts End Details EventID: 74 Event Time: March 7, 2021, 5:31 p.m. Rule: SOC136 - Data Leak via Mailbox Forwarding Detected Level: Security Analys…

LetsDefend level 1 alert SOC105 - Requested T.I. URL address event-id 75

Details playbook Analyze Threat Intel Data 67.199.248.10 https[:]//bit[.]ly/TAPSCAN Add Artifacts End Details EventID: 75 Event Time: March 7, 2021, 5:47 p.m. Rule: SOC105 - Requested T.I. URL address Level: Security Analyst Source Address…

LetsDefend level 1 alert SOC138 - Detected Suspicious Xls File event-id 77

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement Analyze Malware ORDER SHEET & SPEC.xlsm 177.53.143.89 multiwaretecnologia.com[.]br Check If Someone Requested the C2 LogManagement Add …

LetsDefend level 1 alert SOC137 - Malicious File/Script Download Attempt event-id 76

Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Log Search 368 Mar, 07, 2021, 01:50 PM Proxy 172.16.17.37 48463 49.51.12.195 443 iluuryeqa[.]info 49.51.12.195 369 Mar, 07, 2021, 01:54 PM Proxy 172.16.17…

LetsDefend level 1 alert SOC103 - Malicious APK Detected event-id 80

Details playbook Search Log Analyze APK search APK End Other writeup Details EventID: 80 Event Time: March 15, 2021, 9:55 p.m. Rule: SOC103 - Malicious APK Detected Level: Security Analyst Source Address 10.15.15.14 Source Hostname JessieP…

LetsDefend level 1 alert SOC119 - Proxy - Malicious Executable File Detected event-id 79

Details Create Case Collection Data 140.82.121.4 Search Log Analyze URL Address Add Artifacts End Details EventID: 79 Event Time: March 15, 2021, 9:30 p.m. Rule: SOC119 - Proxy - Malicious Executable File Detected Level: Security Analyst S…

LetsDefend level 1 alert SOC119 - Proxy - Malicious Executable File Detected event-id 83

Details Create Case Collection Data Search Log Analyze URL Address Access https[:]//www.win-rar[.]com/postdownload.html?&L=0&Version=32bit www.win-rar[.]com 51.195.68.163 Add Artifacts End Details EventID: 83 Event Time: March 21, 2021, 1:…

You can do Security Analyst-like work! My current top recommendation, the service "LetsDefend"

Until now, I had been doing things like vaguely analyzing malware from public information, and learning by following freely distributed datasets and materials, so I did not have a clear picture of what is actually done in a SOC and the like, but by trying "LetsDefend" I got a sense of the "field…