Malware Investigation Process

MALWARE INVESTIGATION

1. Identification

We monitor the Microsoft Sentinel SIEM console 24/7. Once an incident is triggered, assign it to yourself and change its status from New to Active.

2. Gather Information

Find the incident details on the incident page.
After changing the status, open the incident, open Entities and collect the host name, then search the EDR (Endpoint Detection and Response) console for that host name.

Details Gathered

Host name
Username / account
Filename
Hash value
User email ID
Detection: AV
Primary AV: Microsoft Defender
Device action: Prevented/quarantined
File path
Device OS: Linux Ubuntu

3. Investigation

After collecting all the details, start the investigation.
Check the reputation of the hash value in various threat intelligence tools:
VirusTotal
Joe Sandbox
Comodo Valkyrie
IBM X-Force
Any.Run
Paste the hash value into each of the tools above and check whether it is reported as malicious.
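The hash-reputation step above is usually done by pasting the hash into each web console, but it can also be scripted. The following is an added example (not code from the original post) that queries the VirusTotal v3 file endpoint for a hash and reduces the vendor verdict counts to the fields an analyst records in the ticket. It assumes the API key is supplied in a VT_API_KEY environment variable; the embedded sample response is constructed to match the shape VirusTotal returns and contains no real sample data.

```python
"""Summarise VirusTotal engine verdicts for a file hash (added example)."""
import json
import os
import sys
import urllib.request
from urllib.error import HTTPError

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def summarize_vt_report(report: dict) -> dict:
    """Reduce a VirusTotal /files/{hash} JSON document to ticket-ready fields.

    last_analysis_stats holds per-engine verdict counts. The sample is called
    malicious if any engine flagged it, suspicious if only the suspicious
    counter is non-zero, and unknown if VirusTotal has no stats for it.
    """
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    engines = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    if not stats:
        verdict = "unknown"
    elif malicious > 0:
        verdict = "malicious"
    elif suspicious > 0:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "malicious": malicious,
        "suspicious": suspicious,
        "engines": engines,
        "names": attrs.get("names", [])[:5],  # first few filenames seen for this sample
        "sha256": attrs.get("sha256"),
    }


def lookup_hash(file_hash: str, api_key: str) -> dict:
    """Fetch the report for an MD5/SHA-1/SHA-256 hash. A 404 means VT has never seen it."""
    req = urllib.request.Request(VT_FILE_URL.format(file_hash), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize_vt_report(json.load(resp))
    except HTTPError as err:
        if err.code == 404:
            return summarize_vt_report({})
        raise


# Constructed sample response in the shape VirusTotal returns (not real data).
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "sha256": "0" * 64,  # placeholder hash, not a real sample
            "names": ["invoice.exe"],
            "last_analysis_stats": {
                "harmless": 0, "malicious": 42, "suspicious": 1, "undetected": 27, "timeout": 0
            },
        }
    }
}

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    if key and len(sys.argv) > 1:
        print(lookup_hash(sys.argv[1], key))  # live lookup of the hash passed on the command line
    else:
        print(summarize_vt_report(SAMPLE_REPORT))  # offline demo on the constructed response
```

Record the verdict together with the engine count: "42 of 70 engines" is more useful to a reviewer than a bare "malicious", and a hash that returns unknown should be submitted to a sandbox rather than treated as clean.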


Check whether the device action was "left alone" or "quarantined".
Check the root cause of the malware: whether it came from a download, from Outlook (email), from an external device, or was already present on the machine.

By checking the EDR timeline we can find the root cause (RCA) of the malware.
Check the EDR alert story and timeline for the details, then connect with the user and check the machine for abnormalities:
What programs are running, and whether any new programs were installed after the alert
What services are running, and whether any suspicious service is running
Check the processes running on the machine
Check autorun or startup entries
Check for any C&C (command-and-control) connection using netstat -n, and check the ARP table using arp -a in a command prompt
Check the DNS cache on the machine
Check the network configuration of the machine using ipconfig in a command prompt
Clear Credential Manager for both web and Windows credentials
Check for any browser extensions that were created, and delete unwanted extensions
Check for any other DNS suffixes
Run a full on-demand AV scan
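The netstat -n check in the list above produces a wall of connections, most of which are normal. As an added example (not code from the original post), the script below parses Windows-style netstat -n output and keeps only ESTABLISHED TCP connections to addresses outside the loopback, link-local and RFC 1918 ranges, marking those on ports other than 80/443 so the analyst knows which remote IPs to check against threat intelligence first. The list of "internal" networks and the common-port set are assumptions for the example; the embedded netstat output is constructed and uses documentation address ranges, not real hosts.

```python
"""Flag external established connections in netstat -n output (added example)."""
import ipaddress
import subprocess
from typing import Dict, List, Optional, Tuple

# Address ranges treated as internal for this example (assumption: no split-tunnel VPN etc.).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                     # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                  # IPv6 equivalents
)]
COMMON_PORTS = {80, 443}  # ports where an outbound connection is least surprising


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split '203.0.113.45:443' or '[fe80::1%12]:445' into (host, port); '*:*' gives port None."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(output: str) -> List[Dict]:
    """Parse Windows netstat -n rows; header and banner lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = _split_endpoint(parts[1])
        rhost, rport = _split_endpoint(parts[2])
        rows.append({
            "proto": parts[0],
            "local": (lhost, lport),
            "remote": (rhost, rport),
            "state": parts[3] if len(parts) > 3 else "",  # UDP rows carry no state column
        })
    return rows


def is_internal(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # '*' or garbage: nothing to look up
    return any(addr in net for net in INTERNAL_NETS)


def external_connections(rows: List[Dict]) -> List[Dict]:
    """Keep established TCP sessions to non-internal peers, in the order netstat listed them."""
    flagged = []
    for row in rows:
        if row["proto"] != "TCP" or row["state"] != "ESTABLISHED":
            continue
        rhost, rport = row["remote"]
        if is_internal(rhost):
            continue
        flagged.append({
            "remote_ip": rhost,
            "remote_port": rport,
            "local_port": row["local"][1],
            "uncommon_port": rport not in COMMON_PORTS,
        })
    return flagged


def collect_live() -> List[Dict]:
    """Run netstat -n on the host under investigation and flag its external sessions."""
    out = subprocess.run(["netstat", "-n"], capture_output=True, text=True, check=True).stdout
    return external_connections(parse_netstat(out))


# Constructed netstat -n output for the offline demo (documentation IPs, not real hosts).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49712     203.0.113.45:443       ESTABLISHED
  TCP    192.168.1.10:49801     192.168.1.20:445       ESTABLISHED
  TCP    127.0.0.1:5354         127.0.0.1:49670        ESTABLISHED
  TCP    192.168.1.10:49900     198.51.100.7:8443      ESTABLISHED
  TCP    192.168.1.10:49950     198.51.100.9:80        TIME_WAIT
  TCP    [::1]:49100            [::1]:135              ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

if __name__ == "__main__":
    for hit in external_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(hit)
```

Every remote IP the script returns goes through the same reputation check as the file hash; the "uncommon_port" flag only orders the work, it is not a verdict. On the live host, pair the output with netstat -ano so each flagged session can be tied back to the owning process ID from the process check earlier in the list.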

4. Containment

If anything suspicious is found, disconnect the machine from the network.

5. Remediation

Delete the file from the file path and run an AV scan.
If it came from an email: check how many users received the same email, and check all of those machines.
If it was downloaded from a website, block that website on the proxy server.

6. Close the Incident

Once you have resolved a particular incident (for example, when your investigation has reached its conclusion), you should set the incident's status to Closed. When you do so, you will be asked to classify the incident by specifying the reason you are closing it. This step is mandatory. Click Select classification and choose one of the following from the drop-down list:
True Positive - suspicious activity
Benign Positive - suspicious but expected
False Positive - incorrect alert logic
False Positive - incorrect data
Undetermined

After choosing the appropriate classification, add some descriptive text in the Comment field. This will be useful in the event you need to refer back to this incident. Click Apply when you're done, and the incident will be closed.