
[Writeup] LetsDefend - SOC104 - Malware Detected - EventID 84


Welcome!

  • LetsDefend is a Blue Team Training platform.
  • This writeup is for an alert on the LetsDefend simulated SOC.

The Alert:

  • EventID: 84
  • Event Time: Mar 21, 2021, 01:04 PM
  • Rule: SOC104 - Malware Detected
  • Level: Security Analyst
  • Source Address: 172.16.17.5
  • Source Hostname: SusieHost
  • File Name: winrar600.exe
  • File Hash: c74862e16bcc2b0e02cadb7ab14e3cd6
  • File Size: 2.95 MB
  • Device Action: Allowed

Let’s get started by creating the case. First, a quick check: I’ll throw the file hash into VirusTotal to see whether it’s a known binary.


VirusTotal:

Hmm, only 1 vendor flags it. A single detection on a widely distributed installer is often a heuristic hit, but a low detection count alone is not proof of anything. VirusTotal also reports the file as signed, so let’s check Signature Info under the Details tab: a valid signature from the expected publisher is much stronger evidence than the vendor count.

Leaning towards a false positive. Let’s check Hybrid Analysis as well to be sure.


Hybrid-Analysis:

Oh, they have the binary outright whitelisted. A quick read of the report confirms that this is indeed a false positive. Time for the playbook.


Playbook:

The playbook first asks what type of malware this is. The alert rule is a generic malware detection, so of the options only “Other” fits.

The alert said the file was allowed (and it’s a false positive…), but we follow the playbook!


Log Management:

Filtering the logs by source address and alert date yields a single entry: the endpoint used Chrome to download WinRAR. We can throw the download domain into VirusTotal as well.

VirusTotal lists the domain in its “top 1M” popularity ranking, shows it was created 24 years ago, and reports 0 vendor detections. One last check: Google.

The first non-advertisement result is indeed that domain, i.e. the official WinRAR site. Let’s check the endpoint.
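The filter-then-pivot step above (restrict the logs to the alerting host around the event time, pull the download domain out of the matching entry for a reputation check, and confirm a retrieved artifact’s MD5 against the alert hash) as an added example in Python. This is not code from the writeup or from LetsDefend: the pipe-delimited log format, the sample log lines, the one-hour window and the domain winrar.example are constructed for illustration and are not what the platform shows.

```python
"""Triage helper for a SOC104-style malware alert (added example).

Filters constructed endpoint logs by source address and alert time,
extracts the download domain for a reputation lookup, and checks a
candidate file's MD5 against the hash in the alert.
"""
import hashlib
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Alert fields as they appear in the writeup.
ALERT = {
    "source_address": "172.16.17.5",
    "event_time": datetime(2021, 3, 21, 13, 4),
    "file_name": "winrar600.exe",
    "file_hash": "c74862e16bcc2b0e02cadb7ab14e3cd6",
}

# Constructed sample logs in a hypothetical "time|src|dst|type|detail"
# format. The schema, hosts and the domain winrar.example are assumptions,
# not LetsDefend's real log format or the domain seen in the writeup.
SAMPLE_LOGS = """\
2021-03-21 12:58:10|172.16.17.7|10.0.0.5|Firewall|ALLOW 443/tcp
2021-03-21 13:03:52|172.16.17.5|203.0.113.10|Proxy|GET https://winrar.example/dl/winrar600.exe user-agent=Chrome
2021-03-20 13:04:00|172.16.17.5|8.8.8.8|DNS|query example.org
2021-03-21 13:10:41|172.16.17.9|10.0.0.5|Firewall|DENY 445/tcp
"""

URL_RE = re.compile(r"https?://[^\s]+")


def parse_log(line: str) -> dict:
    """Split one pipe-delimited record into named fields."""
    ts, src, dst, kind, detail = line.split("|", 4)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "src": src,
        "dst": dst,
        "type": kind,
        "detail": detail,
    }


def filter_logs(lines, src: str, when: datetime, window=timedelta(hours=1)):
    """Keep records from `src` within +/- `window` of the alert time.

    This is the same pivot the writeup makes under Log Management:
    source address plus alert date. The one-hour window is an assumption.
    """
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_log(line)
        if rec["src"] == src and abs(rec["time"] - when) <= window:
            hits.append(rec)
    return hits


def extract_domain(detail: str):
    """Return the hostname of the first URL in a log detail field, or None."""
    match = URL_RE.search(detail)
    return urlparse(match.group(0)).hostname if match else None


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, lowercase hex (the alert's hash format)."""
    return hashlib.md5(data).hexdigest()


def hash_matches(data: bytes, expected_md5: str) -> bool:
    """True when the candidate artifact hashes to the alert's MD5."""
    return md5_hex(data) == expected_md5.strip().lower()


def triage(lines, alert: dict) -> dict:
    """Run the log filter and collect the domains worth a reputation check."""
    hits = filter_logs(lines, alert["source_address"], alert["event_time"])
    domains = sorted({d for r in hits if (d := extract_domain(r["detail"]))})
    return {"hits": hits, "domains": domains}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS.splitlines(), ALERT)
    print(f"{len(result['hits'])} log(s) for {ALERT['source_address']} "
          f"around {ALERT['event_time']}")
    for domain in result["domains"]:
        print("check domain reputation:", domain)
    # A retrieved sample would be compared to the alert hash like this;
    # the bytes here are constructed, so they do not match.
    print("hash matches alert:", hash_matches(b"not the real installer", ALERT["file_hash"]))
```

The time window keeps the unrelated DNS entry from the previous day out of the result, and the hash check is the step to run on the actual file pulled from the endpoint before trusting any sandbox verdict that was keyed on the alert’s hash.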


Endpoint Security:

Uh, it’s offline. Not optimal, but we work with what we’ve got.

Well… back to the playbook!

Was the file quarantined? No: the device action was Allowed, so the “malware” did make it onto the box.

Analyze the file? We already did. It’s benign. False positive!


Finishing Up:

Add the MD5 hash from our notes as an artifact, with the comment “Benign - WinRAR”.

Analyst Note:

Summary: False Positive, WinRAR Installer. The user used Chrome to download WinRAR from the official website. Benign, verified using VirusTotal and Hybrid Analysis. No unusual network logs. Endpoint is offline.

Note:

Summary: False Positive, WinRAR Installer.


Result:

Hope this helps!

Author: Reed Eggleston