LetsDefend level 1 alert SOC131 - Reverse TCP Backdoor Detected event-id 67
Details
EventID: 67
Event Time: March 1, 2021, 3:15 p.m.
Rule: SOC131 - Reverse TCP Backdoor Detected
Level: Security Analyst
Source Address 172.16.17.14
Source Hostname MikeComputer
File Name msi.bat
File Hash 3dc649bc1be6f4881d386e679b7b60c8
File Size 2.12 KB
Device Action Cleaned
Download (Password:infected): 3dc649bc1be6f4881d386e679b7b60c8.zip
Playbook
Define Threat Indicator
msi.bat is the same file as in LetsDefend level 1 alert SOC132 - Same Malicious File Found on Multiple Sources event-id 68 - 4ensiX, so the workflow is the same.
Device Action Cleaned
Answer: Other
Check if the malware is quarantined/cleaned
Answer: Quarantined
Analyze Malware
Answer: Malicious
Check If Someone Requested the C2
Answer: Not Accessed
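The "Check If Someone Requested the C2" step comes down to searching the log management for any internal host that reached the C2 address listed in the artifacts. The script below is an added example, not part of the original writeup and not LetsDefend's tooling: it parses constructed key=value firewall log lines and reports whether any host attempted a connection to 81.68.99.93. The log lines, the log format and port 4444 are made up for the example; only the C2 address and the alert's source host 172.16.17.14 come from the alert. It also shows why matching the parsed address exactly matters: a plain substring grep for 81.68.99.93 wrongly hits 181.68.99.93.

```python
"""Added example for the 'Check If Someone Requested the C2' playbook step.

Not LetsDefend's code. Log lines, format and port 4444 are constructed;
only C2_IP and ALERT_SOURCE are taken from the alert itself.
"""
import ipaddress
import re
from dataclasses import dataclass

C2_IP = "81.68.99.93"          # from the alert artifacts
ALERT_SOURCE = "172.16.17.14"  # MikeComputer, from the alert details

# Constructed firewall log in a key=value style (not real LetsDefend data).
# Two near-miss destinations are included on purpose: 181.68.99.93 and 81.68.99.9.
SAMPLE_FIREWALL_LOG = """\
2021-03-01T15:14:58Z action=allow src=172.16.17.14 dst=142.250.74.78 dport=443 proto=tcp
2021-03-01T15:15:02Z action=deny src=172.16.17.14 dst=181.68.99.93 dport=4444 proto=tcp
2021-03-01T15:15:09Z action=allow src=172.16.17.22 dst=81.68.99.9 dport=80 proto=tcp
2021-03-01T15:16:40Z action=allow src=172.16.17.14 dst=172.16.17.1 dport=53 proto=udp
"""

# Same constructed log with one genuine outbound attempt to the C2 added.
SAMPLE_WITH_C2 = SAMPLE_FIREWALL_LOG + (
    "2021-03-01T15:15:31Z action=allow src=172.16.17.14 dst=81.68.99.93 dport=4444 proto=tcp\n"
)

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: str
    action: str


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp is stored under 'timestamp'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = ts
    return fields


def find_c2_requests(log_text, c2_ip=C2_IP):
    """Return every line whose destination is exactly the C2 address.

    Compares parsed ipaddress objects instead of doing a substring search, so
    181.68.99.93 and 81.68.99.9 from the sample are not counted as hits.
    Allowed and denied attempts are both kept: a blocked connection still
    shows the host tried to reach the C2.
    """
    target = ipaddress.ip_address(c2_ip)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        try:
            dst = ipaddress.ip_address(f.get("dst", ""))
        except ValueError:
            continue  # malformed or missing dst field; skip the line
        if dst == target:
            hits.append(Hit(f["timestamp"], f.get("src", "?"), f["dst"],
                            f.get("dport", "?"), f.get("action", "?")))
    return hits


def naive_grep(log_text, c2_ip=C2_IP):
    """The substring search a hurried analyst might run; kept to show the false hit."""
    return [line for line in log_text.splitlines() if c2_ip in line]


def playbook_answer(hits):
    """Map the evidence onto the playbook's two options."""
    return "Accessed" if hits else "Not Accessed"


if __name__ == "__main__":
    hits = find_c2_requests(SAMPLE_FIREWALL_LOG)
    print("exact-match hits:", hits)
    print("naive substring hits:", naive_grep(SAMPLE_FIREWALL_LOG))
    print("playbook answer:", playbook_answer(hits))
    print("with a real attempt:", playbook_answer(find_c2_requests(SAMPLE_WITH_C2)))
```

On the constructed log the exact match finds nothing, so the answer is "Not Accessed", matching the alert; the naive grep would have flagged the 181.68.99.93 line and pushed the analyst toward the wrong answer. With the extra line in SAMPLE_WITH_C2 the same function returns the single outbound attempt from 172.16.17.14 and the answer flips to "Accessed".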
Add Artifacts
| Value | Type | Comment |
|---|---|---|
| 3dc649bc1be6f4881d386e679b7b60c8 | MD5 Hash | Python reverse shell script |
| 81.68.99.93 | IP Address | C2 server |
End
This ended up being routine work, but the outcome is the same.