Welcome!
LetsDefend is a Blue Team Training platform.
This writeup is for an alert on the LetsDefend simulated SOC.
The Alert:
Well, on the bright side: It’s cleaned!
Actions:
Copy alert details into notes.
Create Case.
Copy the hash into VirusTotal to see if it’s a known file.
Virus Total:
True Positive on the alert; that is indeed Emotet.
Playbook:
Alright, let’s follow the playbook.
The alert doesn’t match any of these except “Other”.
Let’s check out Log Management and Endpoint Security in new tabs!
Log Management:
Given the date and time of the alert we’re investigating, there is nothing of note here.
Endpoint Security:
Once again, if we take the alert’s date and time into account, there is nothing of note. (There are things wrong with this box, but it involves a different alert.)
Playbook (continued):
It was quarantined by the EDR; the alert said so, and we don’t see any signs of exploitation.
We’ve already done so; Emotet is indeed Malicious!
We already checked the host’s network logs; during the alert time period, the host didn’t “talk” to anyone.
Attach the file’s MD5 hash from our notes, and give it a comment: “Malicious - Emotet Family Malware”
Note:
File verified to be Emotet Family Malware.
Endpoint didn’t connect to C2.
True Positive. The agent cleaned the malware before execution.
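The three playbook questions above (was it quarantined, is the hash known malicious, did the host talk to anyone in the alert window) are easy to encode so the log check and the closing note come out the same way every time. The script below is an added example written for this writeup, not LetsDefend code; the alert fields, the 32-character hash, the host names and the pipe-delimited log lines are all constructed placeholders, and the VirusTotal detection count is assumed to be typed in by the analyst after the manual lookup rather than fetched from the API.

```python
"""Triage helper for an EDR "malware cleaned" alert: window the network logs
around the alert time and turn the playbook answers into a case note."""
from datetime import datetime, timedelta

# Constructed sample alert (placeholder values, not the real alert's details).
ALERT = {
    "hostname": "WS-PLACEHOLDER",
    "md5": "0" * 32,                  # placeholder hash, not a real IoC
    "time": "2021-03-01 10:00:00",    # constructed timestamp
    "device_action": "Cleaned",       # what the EDR reported
}

# Constructed network log lines: "timestamp|source_host|dest_ip|dest_port".
SAMPLE_LOGS = """\
2021-03-01 08:15:00|WS-PLACEHOLDER|203.0.113.10|443
2021-03-01 09:58:00|WS-OTHER|198.51.100.7|8080
2021-03-01 10:05:00|WS-OTHER|198.51.100.7|8080
2021-03-01 13:40:00|WS-PLACEHOLDER|203.0.113.10|443
"""

FMT = "%Y-%m-%d %H:%M:%S"


def parse_logs(text):
    """Turn the pipe-delimited sample into dicts with real datetime objects."""
    events = []
    for line in text.strip().splitlines():
        ts, host, ip, port = line.split("|")
        events.append({"time": datetime.strptime(ts, FMT), "host": host,
                       "dest_ip": ip, "dest_port": int(port)})
    return events


def events_in_window(events, hostname, alert_time, minutes=30):
    """Keep only traffic from the alerting host within +/- `minutes` of the alert,
    which is the 'take the alert's date and time into account' step."""
    centre = datetime.strptime(alert_time, FMT)
    delta = timedelta(minutes=minutes)
    return [e for e in events
            if e["host"] == hostname
            and centre - delta <= e["time"] <= centre + delta]


def classify(alert, vt_malicious_votes, window_events):
    """Apply the playbook questions: quarantined? known malicious? talked to anyone?"""
    cleaned = alert["device_action"].lower() in ("cleaned", "quarantined", "blocked")
    malicious = vt_malicious_votes > 0
    c2_contact = len(window_events) > 0
    return {
        "true_positive": malicious,
        "cleaned": cleaned,
        "c2_contact": c2_contact,
        # Escalate when the file is bad and either ran or reached out.
        "escalate": malicious and (c2_contact or not cleaned),
    }


def case_note(verdict, family="Emotet"):
    """Render the closing note in the same shape as the one in this writeup."""
    lines = []
    if verdict["true_positive"]:
        lines.append(f"File verified to be {family} Family Malware.")
    else:
        lines.append("File not confirmed malicious.")
    lines.append("Endpoint didn't connect to C2." if not verdict["c2_contact"]
                 else "Endpoint connected out during the alert window.")
    if verdict["true_positive"] and verdict["cleaned"] and not verdict["c2_contact"]:
        lines.append("True Positive. The agent cleaned the malware before execution.")
    return "\n".join(lines)


if __name__ == "__main__":
    evts = events_in_window(parse_logs(SAMPLE_LOGS), ALERT["hostname"], ALERT["time"])
    verdict = classify(ALERT, vt_malicious_votes=50, window_events=evts)
    print(case_note(verdict))
```

With the constructed logs the alerting host has traffic at 08:15 and 13:40 but nothing inside the 30-minute window, so the note reads exactly like the one above; swap in a real export and a host that did connect and `escalate` flips to true.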
Clean Up:
Note:
File verified to be Emotet Family Malware.
Endpoint didn’t connect to C2.
True Positive. The agent cleaned the malware before execution.
Results:
Hope this helps!