LetsDefend level 1 alert SOC130 - Event Log Cleared event-id 64
Details
EventID: 64
Event Time: Feb. 21, 2021, 7:23 p.m.
Rule: SOC130 - Event Log Cleared
Level: Security Analyst
Source Address 172.16.20.3
Source Hostname Exchange Server
File Name powershell.exe
File Hash 7353f60b1739074eb17c5f4dddefe239
File Size 437.50 KB
Device Action Allowed
Download (Password:infected): 7353f60b1739074eb17c5f4dddefe239.zip
Playbook
Define Threat Indicator
Answer: Other
Check if the malware is quarantined/cleaned
EndpointManagement - Exchange Server
Process History
- AcroRd32.exe MD5:357b03e0b8d0c30713f2c41ce60583c5 Path:c:/program files (x86)/adobe/acrobat reader dc/reader/acrord32.exe Start Time:20.09.2020 14:51
- Chrome.exe MD5:E9CABAAACF0E50A55DF49698C0800D4B Size:1.72 MB Path:c:/program files (x86)/google/chrome/application/chrome.exe
- hh.exe MD5:1cecee8d02a8e9b19d3a1a65c7a2b249 Path:C:/Windows/hh.exe
- ccsvchst.exe MD5:aba0a9709e6c11bc0b6ee21de36743e3 Path:c:/program files (x86)/symantec/symantec endpoint protection/14/bin/ccsvchst.exe Size:142.45 KB
- notepad.exe MD5:FC2EA5BD5307D2CFA5AAA38E0C0DDCE9 Size:216 KB Path:c:/windows/system32/notepad.exe
- powershell.exe MD5:7353f60b1739074eb17c5f4dddefe239 Command:Clear-Eventlog -Log System
This alert was raised because powershell.exe ran Clear-Eventlog -Log System; the question is what executed it. From this alone, all we can tell is that the System event log was cleared.
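Because Windows writes a record of the clearing into the log that was just cleared (event ID 104 in System, 1102 in Security, both from Microsoft-Windows-Eventlog), a defender can detect this even when the command line itself was never captured, and the process-creation record is what answers "who executed it" via the parent process. The following Python is an added example, not part of the original write-up or of LetsDefend, and it generalizes beyond the single Clear-Eventlog case on this page by also matching wevtutil and the 104/1102 events. All sample records are constructed; the host name and command line from the alert are reused, everything else (parents, timestamps, user names) is invented for illustration.

```python
import re
from dataclasses import dataclass

# Windows itself writes these records when a log is cleared, so they survive the clear:
#   104  (Microsoft-Windows-Eventlog, System log)   "The System log file was cleared"
#   1102 (Microsoft-Windows-Eventlog, Security log) "The audit log was cleared"
LOG_CLEARED_EVENT_IDS = {104, 1102}

# Command lines of the usual clearing tools; the named group captures the target log.
CLEAR_CMD_PATTERNS = [
    # PowerShell: Clear-EventLog [-LogName] <name>; "-Log" is accepted as a prefix of -LogName
    re.compile(r"clear-eventlog\s+(?:-log(?:name)?\s+)?['\"]?(?P<log>[\w/-]+)", re.I),
    # wevtutil cl <name>  /  wevtutil clear-log <name>
    re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+['\"]?(?P<log>[\w/-]+)", re.I),
]


@dataclass
class Finding:
    time: str
    host: str
    log: str        # which event log was cleared
    evidence: str   # how we know: "cmdline" or "event_id"
    detail: str     # parent process or event id / user, for the triage note


def detect_log_clearing(records):
    """Return one Finding per record that shows an event log being cleared."""
    findings = []
    for r in records:
        if r["kind"] == "process":
            for pat in CLEAR_CMD_PATTERNS:
                m = pat.search(r["cmdline"])
                if m:
                    findings.append(Finding(r["time"], r["host"], m.group("log"),
                                            "cmdline", f"parent={r['parent']}"))
                    break
        elif r["kind"] == "event" and r["event_id"] in LOG_CLEARED_EVENT_IDS:
            findings.append(Finding(r["time"], r["host"], r["channel"],
                                    "event_id", f"event_id={r['event_id']} user={r['user']}"))
    return findings


# Constructed sample telemetry (not real data): process-creation records as Sysmon EID 1 /
# Security 4688 would provide them, plus raw event-log records.
SAMPLE_RECORDS = [
    {"kind": "process", "time": "2021-02-21T19:23:00", "host": "Exchange Server",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",                       # hypothetical parent
     "cmdline": "powershell.exe Clear-Eventlog -Log System"},    # command line from the alert
    {"kind": "process", "time": "2021-02-21T19:25:10", "host": "Exchange Server",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wevtutil cl Security"},
    {"kind": "process", "time": "2021-02-21T19:30:00", "host": "Exchange Server",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-EventLog -LogName System -Newest 10"},  # benign read
    {"kind": "event", "time": "2021-02-21T19:23:01", "host": "Exchange Server",
     "channel": "System", "event_id": 104, "user": r"CORP\admin"},          # hypothetical user
    {"kind": "event", "time": "2021-02-21T19:24:00", "host": "Exchange Server",
     "channel": "Security", "event_id": 4624, "user": r"CORP\admin"},       # benign logon
]


if __name__ == "__main__":
    for f in detect_log_clearing(SAMPLE_RECORDS):
        print(f"{f.time} {f.host}: '{f.log}' log cleared ({f.evidence}; {f.detail})")
```

Pairing the two evidence types is the point: the 104/1102 record tells you a clear happened even if the endpoint agent missed the process, and the process record with its parent is what lets the analyst fill in the "what executed it" gap left by the alert alone.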
Browser History and Network Connections: no logs.
CMD History
- 2020-10-10 10:29:01: cls
- 2020-10-10 10:29:02: net user
- 2020-10-10 10:29:03: net user backupUser
- 2020-10-10 10:29:04: net localgroup backupGroup backupUser /add
These logs are from 2020 and nothing is overtly suspicious.
Log Search - 172.16.20.3 Jan, 02, 2021~Jun, 13, 2021
# | DATE | TYPE | SOURCE ADDRESS | SOURCE PORT | DESTINATION ADDRESS | DESTINATION PORT |
---|---|---|---|---|---|---|
409 | Jun, 13, 2021, 04:23 PM | Firewall | 172.16.20.5 | 53222 | 172.16.20.3 | 22 |
382 | Mar, 21, 2021, 12:06 PM | Exchange | 189.162.189.159 | 49371 | 172.16.20.3 | 25 |
367 | Mar, 07, 2021, 04:45 PM | Exchange | 221.181.185.237 | 46245 | 172.16.20.3 | 25 |
357 | Feb, 14, 2021, 03:00 AM | Exchange | 27.128.173.81 | 37659 | 172.16.20.3 | 25 |
349 | Feb, 07, 2021, 04:23 AM | Exchange | 172.16.17.82 | 49582 | 172.16.20.3 | 25 |
339 | Jan, 31, 2021, 03:48 PM | Exchange | 49.234.43.39 | 48928 | 172.16.20.3 | 25 |
334 | Jan, 02, 2021, 03:39 PM | Exchange | 104.140.188.46 | 53918 | 172.16.20.3 | 25 |
In the period around the alert, only mail being sent and received can be confirmed.
Answer: Not Quarantined
Analyze Malware
Checking the other processes in Process History as well, nothing is clearly suspicious, so I judge this Non-Malicious.
Answer: Non-malicious
Add Artifacts
Value | Type | Comment |
---|---|---|
7353f60b1739074eb17c5f4dddefe239 | MD5 Hash | powershell.exe Clear-Eventlog -Log System |