Welcome #
- LetsDefend is a Blue Team Training platform.
- This writeup documents the investigation of a SOC alert raised by a threat intelligence (T.I.) rule: an endpoint was observed connecting out to a known malicious domain.
Alert Details #
| Key: | Value |
|---|---|
| EventID: | 16 |
| Event Time: | Sep, 20, 2020, 10:54 PM |
| Rule: | SOC105 - Requested T.I. URL address |
| Level: | Security Analyst |
| Source Address: | 172.16.17.47 |
| Source Hostname: | BillPRD |
| Destination Address: | 5.188.0.251 |
| Destination Hostname: | pssd-ltdgroup.com |
| Username: | Mike01 |
| Request URL: | https://pssd-ltdgroup.com |
| User Agent: | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063 |
| Device Action: | Allowed |
Initial Triage #
Actions #
- Copied alert details to notes
- Created case
- Began analysis
Thoughts #
“Always confuses me when it’s allowed for endpoints to connect to known bad domains. Regardless, we’ll play by the playbook.”
Playbook #
Step 1. Analyze Threat Intel Data #
IP #
| Key: | Value |
|---|---|
| VirusTotal: | 0/93 (Relations Shows Otherwise) |
Thoughts #
“That initial score is misleading. Looking in the ‘Relations’ tab shows that it is associated with malware.”
Domain Name #
| Key: | Value |
|---|---|
| VirusTotal: | 15/94 (Malicious) |
Thoughts #
“That’s more of what I was expecting.”
Step 2. Interaction with TI data #
Log Management #
| Key: | Value |
|---|---|
| type: | Firewall |
| source_address: | 172.16.17.47 |
| source_port: | 54211 |
| destination_address: | 5.188.0.251 |
| destination_port: | 443 |
| time: | Sep, 20, 2020, 10:54 PM |
| Main Process: | Krankheitsmeldung_092020_07.xlsm |
| Request URL: | https://pssd-ltdgroup.com |
Thoughts #
“Because of course it’s a VBS macro’d Excel sheet connecting out.”
Endpoint Security #
Processes #
| Key: | Value |
|---|---|
| MD5: | 14970ce0a3d03c46a4180db69866d0d1 |
| Path: | c:/users/Bill/desktop/Krankheitsmeldung_092020_07.xlsm |
| Size: | 558.83 KB |
| Username: | Bill01 |
| Start Time: | 20.09.2020 22:51 |
| VirusTotal: | 47/67 (trojan.gracewire/smth) |
Thoughts #
“Surprised the anti-malware on the endpoint didn’t pick this up. For that matter, why can endpoints run VBS macro’d files?”
Step 3. Containment #
Endpoint Security Action #
- Containment of BillPRD endpoint initiated
Step 4. Artifacts #
| Value | Comment | Type |
|---|---|---|
| 14970ce0a3d03c46a4180db69866d0d1 | trojan.gracewire/smth | MD5 Hash |
| pssd-ltdgroup.com | IOC for Attached Malware | E-mail Domain |
| 5.188.0.251 | IOC Domain Resolved IP | IP Address |
Step 5. Analyst Note #
“Verdict: True Positive. Escalate.
Summary: Endpoint ran a trojan VBS macro’d Excel file. Contacted out to C2. Containment initiated.
Validated via: Logs, Endpoint, VirusTotal.
Actions Taken: Containment Initiated.”
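The correlation the playbook walks through above (T.I. match against the firewall log, hash match against the endpoint process list, containment decision, artifact list) as a single script. This is an added example with constructed sample records, not code from the original writeup or from LetsDefend; the benign second log line, the placeholder explorer.exe hash and the artifact comment strings are assumptions.

```python
from urllib.parse import urlparse

# Constructed indicator set drawn from the alert's TI and VirusTotal findings.
INDICATORS = {
    "domain": {"pssd-ltdgroup.com"},
    "ip": {"5.188.0.251"},
    "md5": {"14970ce0a3d03c46a4180db69866d0d1"},
}

# Constructed firewall lines in key=value form; the second is benign filler.
FIREWALL_LOGS = [
    "type=Firewall src=172.16.17.47 spt=54211 dst=5.188.0.251 dpt=443 "
    "action=Allowed url=https://pssd-ltdgroup.com",
    "type=Firewall src=172.16.17.48 spt=50001 dst=203.0.113.10 dpt=443 "
    "action=Allowed url=https://example.org",
]

# Constructed endpoint process records; the explorer.exe MD5 is a placeholder.
PROCESS_EVENTS = [
    {"host": "BillPRD", "user": "Bill01", "md5": "14970ce0a3d03c46a4180db69866d0d1",
     "path": "c:/users/Bill/desktop/Krankheitsmeldung_092020_07.xlsm"},
    {"host": "BillPRD", "user": "Bill01", "md5": "00000000000000000000000000000000",
     "path": "c:/windows/explorer.exe"},
]

def parse_kv(line):
    """Turn 'k=v k=v ...' into a dict; values contain no spaces in this format."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def triage(firewall_logs, process_events, indicators):
    """Playbook steps 2-4: match TI data to logs and endpoint, decide, list artifacts."""
    net_hits = []
    for line in firewall_logs:
        rec = parse_kv(line)
        host = urlparse(rec.get("url", "")).hostname or ""
        if rec.get("dst") in indicators["ip"] or host in indicators["domain"]:
            net_hits.append(rec)
    proc_hits = [ev for ev in process_events if ev["md5"] in indicators["md5"]]

    if proc_hits:      # known-bad hash executed: compromised, contain the host(s)
        verdict, contain = "True Positive", sorted({ev["host"] for ev in proc_hits})
    elif net_hits:     # TI match on the wire but nothing on the endpoint yet
        verdict, contain = "Needs endpoint review", []
    else:
        verdict, contain = "False Positive", []

    artifacts = [(h, "malicious process hash", "MD5 Hash") for h in {e["md5"] for e in proc_hits}]
    artifacts += [(urlparse(r["url"]).hostname, "IOC domain", "Domain") for r in net_hits]
    artifacts += [(r["dst"], "IOC resolved IP", "IP Address") for r in net_hits]
    return {"verdict": verdict, "contain": contain, "artifacts": artifacts}
```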
Determination #
Verdict #
- True Positive
- Escalate Case
Reasoning #
- Network IOC and endpoint process logs verify that malware has been run.
- The endpoint is compromised.
Final Thoughts #
“Was odd that VirusTotal’s score for that IP comes back green, when the relations tab shows clearly that malicious domains and malicious files are related to it.”
“I’m sure the organization has a reason, but I really wish macros were blocked on an organizational level with few exceptions.”