Welcome #
- LetsDefend is a Blue Team Training platform.
- This writeup documents a SOC alert investigation involving {{ alert type }}.
Alert Details #
| Key: | Value |
|---|---|
| EventID: | 20 |
| Event Time: | Oct, 19, 2020, 09:54 PM |
| Rule: | SOC105 - Requested T.I. URL address |
| Level: | Security Analyst |
| Source Address: | 172.16.20.4 |
| Source Hostname: | gitServer |
| Destination Address: | 151.101.112.133 |
| Destination Hostname: | raw.github.com |
| Username: | gitUser |
| Request URL: | https://raw.githubusercontent.com/django/django/master/setup.py |
| User Agent: | Wget/1.19.4 (linux-gnu) |
| Device Action: | Allowed |
Initial Triage #
Actions #
- Copied alert details to notes
- Created case
- Began analysis
Thoughts #
“That looks like the normal GitHub ‘raw’ url. If I were a betting man, I’d bet false positive.”
Playbook #
Step 1. Analyze Threat Intel Data #
VirusTotal #
| Item | Result | Comment |
|---|---|---|
| IP | Green | Google results under “Details” mention it being a raw.githubusercontent.com IP. |
| URL | 1/94 | One false positive. |
| Domain | Green | Real GitHub domain. |
GitHub #
“I went to https://github.com/django/django to take a look. It’s the real django page. setup.py isn’t there anymore so they must’ve moved it. Regardless, it’s a false positive.”
Step 2. Artifacts #
| Value | Comment | Type |
|---|---|---|
| https://raw.githubusercontent.com/django/django/master/setup.py | github django setup python script | E-mail Domain |
| 151.101.112.133 | a github ip | IP Address |
Step 3. Analyst Notes #
“Verdict: False Positive. Closing Case.
Summary: Endpoint connected to a github url via wget to download a setup script for django.
Validated via: VirusTotal, GitHub.
Actions Taken: None.”
Determination #
Verdict #
- False Positive
- Closing Case
Reasoning #
- The URL they connected to was a well-known good repository on GitHub.
- The script they were attempting to get was to set up Django, not malware.
- That traffic is not unexpected for a gitUser on a gitServer.
Final Thoughts #
“I can understand why it would alert on GitHub urls. However, the alerts should probably have a whitelist of sorts for repositories the organization is expecting and would reasonably allow.”
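The repository allowlist suggested above can be expressed as a small tuning step in front of the SOC105 rule. The following is an added example and not part of the original writeup or the LetsDefend platform; the `EXPECTED_REPOS` set is a hypothetical allowlist, and the sample alert is constructed from the values in the Alert Details table. The check parses the owner and repository out of the requested URL, matches the host exactly so that look-alike hosts and userinfo tricks are not allowlisted, and flags that the alert's Destination Hostname (raw.github.com) differs from the host in the Request URL, which is why the decision is made on the URL host rather than the hostname field.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical allowlist of (owner, repo) pairs the organization expects its
# git hosts to pull from. Assumption: not part of the original writeup.
EXPECTED_REPOS = {
    ("django", "django"),
}

# Hosts that serve GitHub repository content. Matched on the exact host so
# that look-alikes such as "raw.githubusercontent.com.example" do not pass.
GITHUB_CONTENT_HOSTS = {"raw.githubusercontent.com", "github.com"}


def parse_github_repo(url: str) -> Optional[Tuple[str, str]]:
    """Return (owner, repo) for a GitHub/raw.githubusercontent.com URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname is lower-cased and has userinfo ("user@") and port stripped,
    # so "https://raw.githubusercontent.com@evil.example/..." yields evil.example.
    host = parts.hostname
    if host not in GITHUB_CONTENT_HOSTS:
        return None
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        return None
    owner, repo = segments[0], segments[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return owner.lower(), repo.lower()


def classify_request(url: str) -> str:
    """'allowlisted' when the URL points at an expected repository, else 'review'."""
    repo = parse_github_repo(url)
    if repo is None:
        return "review"  # not a recognised GitHub content host: keep the alert
    if repo in EXPECTED_REPOS:
        return "allowlisted"  # expected repository: candidate for auto-closing
    return "review"  # GitHub, but a repository nobody expects this host to pull


def triage_alert(alert: dict) -> dict:
    """Summarise the allowlist decision for one SOC105-style alert record."""
    url = alert["Request URL"]
    url_host = urlsplit(url).hostname
    return {
        "repo": parse_github_repo(url),
        "decision": classify_request(url),
        # The alert's hostname field and the URL's host can disagree; the
        # decision above is based on the URL, which is what was requested.
        "hostname_mismatch": url_host != alert["Destination Hostname"].lower(),
    }


# Constructed sample alert, using the values from the Alert Details table.
SAMPLE_ALERT = {
    "Source Hostname": "gitServer",
    "Destination Hostname": "raw.github.com",
    "Username": "gitUser",
    "Request URL": "https://raw.githubusercontent.com/django/django/master/setup.py",
    "User Agent": "Wget/1.19.4 (linux-gnu)",
}

if __name__ == "__main__":
    print(triage_alert(SAMPLE_ALERT))
```

Anything that comes back as `review` still reaches an analyst; only an exact host plus an allowlisted owner/repo pair is a candidate for closing automatically, and the `hostname_mismatch` flag is worth keeping in the case notes even when the verdict is false positive.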