
(Writeup) LetsDefend EventID: 76 - [SOC137 - Malicious File/Script Download Attempt]

Welcome

  • LetsDefend is a Blue Team training platform.
  • This writeup documents a SOC alert investigation involving a blocked attempt to download a macro-enabled Microsoft Word document (.docm) carrying VBA macros.

Alert Details

Key: Value
EventID: 76
Event Time: Mar 14, 2021, 07:15 PM
Rule: SOC137 - Malicious File/Script Download Attempt
Level: Security Analyst
Source Address: 172.16.17.37
Source Hostname: NicolasPRD
File Name: INVOICE PACKAGE LINK TO DOWNLOAD.docm
File Hash (MD5): f2d0c66b801244c059f636d08a474079
File Size: 16.66 KB
Device Action: Blocked
Sample File: downloadable from the alert page as a password-protected archive (password: infected)

Initial Triage

Actions

  • Copied alert details to notes
  • Created case
  • Began analysis

Thoughts

“Luckily the VBS macro’d doc file got blocked.”


Playbook

Step 1. Check if the malware is quarantined/cleaned

Log Management

No relevant logs. Keep the timeline in mind: there is another case for the same endpoint in the same month, but it is unrelated to this exercise, so only events around the alert time (Mar 14, 2021, 07:15 PM) belong to this case.

Endpoint Security

The endpoint shows activity from that other case, but there is no indication that the file from this alert executed.

Thoughts

“Quarantined. The malware was successfully blocked.”

Step 2. Analyze Malware

VirusTotal

Data: Result
MD5 Hash: 39/66 engines flag the file as malicious

Thoughts

Malicious. If this malware had executed, we would expect to see the endpoint resolving filetransfer.io, the C2/IOC domain tied to the sample.

Step 3. Check if Someone Requested the C2

Log Management

No relevant logs. The endpoint did not connect to the IOC domain identified above (filetransfer.io).

Thoughts

“Not Accessed. Endpoint didn’t run the malware.”
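The three playbook steps above reduce to two questions asked of the logs, scoped to one host and one time window: did endpoint security block the file carrying the alert hash, and did that host resolve the IOC domain afterwards. The script below is an added example written for this writeup, not LetsDefend's tooling or the author's own code; the log lines, their format, the five-minute/24-hour window and the edr/dns source names are all constructed assumptions. It deliberately keeps the unrelated earlier case on the same endpoint out of the verdict instead of mixing it in.

```python
"""Alert-scoped log triage for the SOC137 case above. Example code written for
the writeup, not LetsDefend tooling; every log line below is constructed."""
import shlex
from datetime import datetime, timedelta

# Facts taken from the alert table; the IOC domain is the one named in the VirusTotal step.
ALERT = {
    "event_time": datetime(2021, 3, 14, 19, 15),
    "src_ip": "172.16.17.37",
    "md5": "f2d0c66b801244c059f636d08a474079",
    "ioc_domains": {"filetransfer.io"},
}

# Constructed sample logs, one event per line: "<ISO time> <source> <src_ip> key=value ...".
# The 2021-03-07 lines stand in for the unrelated earlier case on the same endpoint.
SAMPLE_LOGS = """\
2021-03-07T10:02:11 dns 172.16.17.37 query=updates.vendor.example
2021-03-07T10:05:40 edr 172.16.17.37 md5=00000000000000000000000000000000 action=allowed file=setup.exe
2021-03-07T10:06:02 dns 172.16.17.37 query=unrelated-case.example
2021-03-14T19:14:58 dns 172.16.17.37 query=mail.corp.example
2021-03-14T19:15:00 edr 172.16.17.37 md5=f2d0c66b801244c059f636d08a474079 action=blocked file="INVOICE PACKAGE LINK TO DOWNLOAD.docm"
2021-03-14T19:20:31 dns 172.16.17.37 query=updates.vendor.example
"""


def parse_line(line):
    """Split one log line into a dict; shlex keeps quoted values (file names with spaces) intact."""
    ts, source, src_ip, *kvs = shlex.split(line)
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "source": source, "src_ip": src_ip, **fields}


def matches_ioc(name, ioc_domains):
    """True for the IOC domain itself or any subdomain of it (e.g. cdn.filetransfer.io)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ioc_domains)


def triage(alert, log_text, before=timedelta(minutes=5), after=timedelta(hours=24)):
    """Answer playbook steps 1 and 3 for one alert using only events from the
    alerting host inside [event_time - before, event_time + after]. The window
    sizes are an assumption of this example, not a LetsDefend rule."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    host_events = [e for e in events if e["src_ip"] == alert["src_ip"]]
    lo, hi = alert["event_time"] - before, alert["event_time"] + after
    scoped = [e for e in host_events if lo <= e["ts"] <= hi]

    # Step 1: what did endpoint security do with the file carrying the alert hash?
    file_events = [e for e in scoped
                   if e["source"] == "edr" and e.get("md5", "").lower() == alert["md5"]]
    actions = sorted({e.get("action", "unknown") for e in file_events})
    contained = bool(actions) and set(actions) <= {"blocked", "quarantined"}

    # Step 3: did the host resolve the C2/IOC domain inside the window?
    c2_contacts = [e["query"] for e in scoped
                   if e["source"] == "dns" and matches_ioc(e.get("query", ""), alert["ioc_domains"])]

    if not file_events:
        verdict = "unconfirmed: no endpoint record of the alert hash in the window"
    elif contained and not c2_contacts:
        verdict = "true positive, contained: download blocked and no IOC contact"
    else:
        verdict = "true positive, escalate: file allowed or IOC domain contacted"

    return {
        "scoped_events": len(scoped),
        # Same host, outside the window: note it and raise it separately, do not merge it into this case.
        "out_of_scope_host_events": len(host_events) - len(scoped),
        "download_actions": actions,
        "c2_contacts": c2_contacts,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(ALERT, SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Running it on the constructed logs yields the same picture the writeup reaches: one blocked endpoint event for the alert hash, no DNS hit on the IOC domain, and three earlier events from the same host that fall outside the window and belong to the other case. Appending a DNS query for a subdomain of filetranser.io inside the window, or changing the endpoint action to allowed, flips the verdict to escalate.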

Step 4. Artifacts

Value: f2d0c66b801244c059f636d08a474079
Type: MD5 Hash
Comment: trojan.vpnz

Step 5. Analyst Notes

“Verdict: True Positive. Closing case.
Summary: Endpoint attempted to download malicious DOCM file (Microsoft Word file with VBS macros) and was blocked. (Machine has other issues, but outside scope of this alert.)
Validated via: Log Management, Endpoint Security, VirusTotal.
Actions taken: None.”


Determination

Verdict

  • True Positive
  • Close Case

Reasoning

  • It was indeed malware. (trojan.vpnz)
  • It was blocked.

Final Thoughts

“I’m happy the DOCM was blocked! Though this exercise did have issues with a lot of overlap with another alert so you had to ignore some problems. Not exactly what you’d do in a real SOC.”

Author: Reed Eggleston
B.S. in Cybersecurity | SSCP | CySA+ | PenTest+ | Project+