Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware f83fb9ce6a83da58b20685c1d7e1e546 Log Search 92.63.8.47 Check If Someone Requested the C2 Containment Add Artifacts End Details EventID: 36…
Details playbook Are there attachments or URLs in the email? Analyze Url/Attachment http[:]//bit.ly/3ecXem52 netflix-payments.com 112.85.42.180 Check If Mail Delivered to User? Check If Someone Opened the Malicious File/URL? Add Artifacts E…
Details playbook Search Log Analyze URL Address 66.198.240.56 http[:]//interalliance.org/ https[:]//interalliance.org/come2/holme/folde/swiftcopy.ps1 Has Anyone Accessed IP/URL/Domain? Containment Endpoint - Aldo(172.16.17.51) Process Hist…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware eee99e6d8ade9463dd206dfbad3485ea http[:]//decpak.com/cgi-bin/gU/ Check If Someone Requested the C2 Log search - 172.16.17.83 330 331 332 C…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware ff6bbddc34cbd33e2501872b97c4bacd Log search - 172.16.17.33 328 329 Add Artifacts End Details EventID: 38 Event Time: Jan. 1, 2021, 5:36 p.…
Details playbook Search Log 333 Analyze URL Address https[:]//bit.ly/3hNuByx Add Artifacts End Details EventID: 40 Event Time: Jan. 2, 2021, 4:33 a.m. Rule: SOC110 - Proxy - Cryptojacking Detected Level: Security Analyst Source Address 172…
Details mail playbook Are there attachments or URLs in the email? Analyze Url/Attachment 9ed9ad87a1564fbb5e1b652b3e7148c8.zip Check If Mail Delivered to User? Add Artifacts 104.140.188.46 cashbank[.]com Log search - 104.140.188.46 End Deta…
Details playbook Search Log 45.80.181.51 casinos-hub[.]com Log search - 45.80.181.51 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Add Artifacts Endpoint - BellaPRD End Details EventID: 42 Event Time: Jan. 30, 2021, 5:25 p.m. Rule…
Details playbook Search Log 193.239.147.32 Log search 193.239.147.32 Analyze URL Address http[:]//193.239.147.32/OBBBOP.exe OBBOP.exe Has Anyone Accessed IP/URL/Domain? Containment Endpoint - Jack(172.16.17.21) Browser History CMD History …
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Endpoint - BillPRD CMD History Analyze Malware WinRAR.chm Add Artifacts End Details EventID: 44 Event Time: Jan. 31, 2021, 4:59 p.m. Rule: SOC113 - Suspic…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware Endpoint - WilsonPRD Browser History CMD History Network Connections update.py Check If Someone Requested the C2 Log search - 49.233.160.2…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware config.reg importantUpdate.bat Add Artifacts End Details EventID: 50 Event Time: Feb. 6, 2021, 1:58 p.m. Rule: SOC117 - Suspicious .reg Fi…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Analyze Malware 0a1ca6261fdb9671495be58a5691b21f Add Artifacts End Aside Log search 172.16.17.35 344~348 ~284 EndpointManagement - Katie 141812f77bdef659d1…
Details playbook Parse Email Are there attachments or URLs in the email? Add Artifacts End Details EventID: 52 Event Time: Feb. 7, 2021, 4:24 a.m. Rule: SOC120 - Phishing Mail Detected - Internal to Internal Level: Security Analyst SMTP Ad…
Details playbook Collection Data Search Log Analyze URL Address Has Anyone Accessed IP/URL/Domain? Add Artifacts End Details EventID: 53 Event Time: Feb. 7, 2021, 12:19 p.m. Rule: SOC121 - Proxy - Malicious Executable File Detected Level: …
Details playbook Collection Data Search Log Analyze URL Address Add Artifacts End Details EventID: 54 Event Time: Feb. 7, 2021, 1:21 p.m. Rule: SOC108 - Malicious Remote Access Software Detected Level: Security Analyst Source Address 10.15…
This week's malware: Redline. AnyRun execution example. Main behaviour. Aside. This week's malware: every week AnyRun compiles statistics on the malware uploaded to its service, and this week they were as follows. Fresh TOP10 #malware uploads on ANYRUN⬆️ #Emotet 2388 (614)⬆️ #Redline 428 (370)⬆️…
Details playbook Search Log 18 19 22 351 376 Analyze APK com.uijluzvup.hsoextg 2a629fe1790c01fe5a0a83b5c3a12c8a d64760981f9af1f0213ab211e0f12108 Containment Add Artifacts End Details EventID: 55 Event Time: Feb. 7, 2021, 6:21 p.m. Rule: SO…
Details playbook Parse Email Are there attachments or URLs in the email? Add Artifacts 27.128.173.81 End Details EventID: 59 Event Time: Feb. 14, 2021, 3 a.m. Rule: SOC101 - Phishing Mail Detected Level: Security Analyst SMTP Address 27.12…
Details playbook Collection Data Search Log 185.199.109.133 Log 185.199.109.133 352 353 172.16.20.4 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 56 Event Time: Feb. 13, 2021, 4:47 p.…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned Check Endpoint - Maxim CMD History Analyze Malware Add Artifacts End Details EventID: 57 Event Time: Feb. 14, 2021, 11:17 a.m. Rule: SOC124 - Scheduled Ta…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement CMD History Network Connections Process History Analyze Malware Write Registry Connections HTTP/HTTPS requests Check If Someone Request…
Details playbook Collection Data Search Log 356 410 Analyze URL Address Add Artifacts End Details EventID: 60 Event Time: Feb. 14, 2021, 1:05 p.m. Rule: SOC127 - SQL Injection Detected Level: Security Analyst Source Address 172.16.20.5 Sou…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement - KatharinePRD Analyze Malware OliwciaPrivInstaller.exe - 436fa243bbfed63a99b8e9f866cd80e5 cmd.exe Summary of connection destinations 208.95.112.1 (ip-api[.]…
Details playbook Collection Data Search Log Log Search - 49.234.71.65 Analyze URL Address Has Anyone Accessed IP/URL/Domain? Containment Add Artifacts End Details EventID: 63 Event Time: Feb. 21, 2021, 5:02 p.m. Rule: SOC129 - Successful L…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned EndpointManagement - Exchange Server Log Search - 172.16.20.3 Jan, 02, 2021~Jun, 13, 2021 Analyze Malware Add Artifacts End Details EventID: 64 Event Time…
Details playbook Search Log 18 19 20 351 376 Analyze APK Containment Add Artifacts End Details EventID: 65 Event Time: Feb. 22, 2021, 11:11 a.m. Rule: SOC103 - Malicious APK Detected Level: Security Analyst Source Address 10.15.15.12 Sourc…
Details playbook Define Threat Indicator Check if the malware is quarantined/cleaned LogManagement 359 360 EndpointManagement Analyze Malware phpshell.php 49.234.71.65 Check If Someone Requested the C2 358 361 362 363 364 Containment Add A…
Details playbook Collection Data Search Log Analyze URL Address Add Artifacts End Details EventID: 66 Event Time: Feb. 22, 2021, 8:36 p.m. Rule: SOC102 - Proxy - Suspicious URL Detected Level: Security Analyst Source Address 172.16.17.150 …
Details playbook Collection Data Search Log Analyze URL Address amesiana[.]com Add Artifacts End Details EventID: 69 Event Time: Feb. 28, 2021, 7:57 p.m. Rule: SOC133 - Suspicious Request to New Registered Domain Level: Security Analyst So…