Ransomware variant detected

Alert Analysis & Remediation Runbook


Use Case: AV – Malware detected but not cleaned

Document History

Version | Date of Submission | Primary Author(s) | Reviewed By | Purpose of Revision | Status (Draft/Review/Approved)

Table of Contents

Objective
Incident Analysis Steps
  1. Identify the context
  2. Identify malware details
  3. Identify overall endpoint security status
  4. Identify possible source of infection
  5. Identify virus outbreak


Objective:

Determine whether this malware can cause any damage on this endpoint or on other endpoints in the network.

ANALYSIS

Below are the steps to be performed in order to analyse the triggered alert.

Incident Analysis Steps


1. Identify the context

  1. Identify the IP address / host name of the asset.

  2. If the asset is an endpoint, identify the AD user name / email ID associated with it.

2. Identify malware details

  1. Check the malware name that triggered the alert.

  2. Identify the criticality of the malware as per the AV category (ransomware, worm, Trojan, etc.).

  3. Check the hash value of the file at https://www.virustotal.com and identify the criticality (also check how other AV tools handle this hash value).

  4. Identify the file path where it was dropped:

    1. Identify where the malware was dropped on the system (/temp, /system32, Admin folder, etc.). Criticality and potential damage increase depending on the folder it was dropped into.

    2. Identify whether the malware was run from an external drive rather than from the local system.


Sample Observations from these checks:

  1. As per information from VirusTotal, this malware abc.exe is known to be only quarantined and not cleaned by our AV solution Symantec SEP 1.2. Hence it can be assumed that the failure to clean is not caused by any issue with AV signature updates. However, other AV tools like McAfee 8.2 have signatures to clean this type of malware.

  2. As per information from VirusTotal, this malware abc.exe is known to be successfully cleaned by our AV solution Symantec SEP 1.2.

    1. Hence it is important to examine whether the AV engine and signatures are updated to the latest version in your environment.

    2. We have also seen the same infection get cleaned on other endpoints.
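The step 2 checks (AV category, hash reputation, how other engines handle the same hash, drop-path criticality) can be scripted so every analyst applies them the same way. The Python below is an added example, not the runbook's or any vendor's tooling. It assumes a VirusTotal API v3 file report (the embedded SAMPLE_VT_REPORT is constructed in that shape, with made-up engine verdicts), an AV alert record with a file_path field (SAMPLE_ALERT, also constructed), and a 1-4 path score chosen for illustration. The live lookup helper targets the public /api/v3/files/{hash} endpoint but is never called in the offline sample.

```python
# Added example for runbook step 2 (malware details): drop-path criticality and
# VirusTotal hash check. Not the runbook's own tooling. SAMPLE_VT_REPORT is a
# constructed sample shaped like the VT API v3 "files/{hash}" object; the engine
# names and verdicts in it are made up, and the 1-4 path score is an assumed scale.
from __future__ import annotations

import json
import urllib.request

# Drop-location notes from the runbook; higher score means more potential damage.
PATH_RULES = (
    ("system32", 4, "rare location for malware; potential to cause damage"),
    ("admin$", 4, "admin share; created by an admin user or a compromised admin account"),
    ("downloads", 2, "very likely downloaded by the user via a browser"),
    ("temp", 1, "could have been created by other programs on this system"),
)

def classify_drop_path(path: str, removable: bool = False) -> tuple[int, str]:
    """Score the directory the file was dropped into, as (score, note)."""
    if removable:  # the AV/system log, not the path, says the file sat on removable media
        return 3, "external drive was the source of infection"
    segments = path.replace("/", "\\").lower().split("\\")
    for needle, score, note in PATH_RULES:
        if needle in segments:
            return score, note
    return 2, "unlisted location; review manually"

def fetch_vt_report(sha256: str, api_key: str) -> dict:
    """Live lookup of a file hash via VT API v3 (not called in the offline sample)."""
    req = urllib.request.Request(f"https://www.virustotal.com/api/v3/files/{sha256}",
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize_vt(report: dict, our_engine: str, compare_engines: tuple[str, ...]) -> dict:
    """Detection ratio, suggested threat label and the verdicts of selected engines."""
    attrs = report["data"]["attributes"]
    stats, results = attrs["last_analysis_stats"], attrs["last_analysis_results"]

    def verdict(engine: str) -> str:
        entry = results.get(engine)
        return "not scanned" if entry is None else (entry.get("result") or entry["category"])

    return {
        "malicious": stats.get("malicious", 0),
        "scanned": sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless")),
        "threat_label": attrs.get("popular_threat_classification", {}).get("suggested_threat_label", "unknown"),
        "ours": verdict(our_engine),
        "others": {e: verdict(e) for e in compare_engines},
    }

def malware_criticality(vt: dict) -> str:
    """AV category first (ransomware, worm, Trojan), detection ratio as fallback."""
    label = vt["threat_label"].lower()
    if "ransom" in label:
        return "critical"
    if "worm" in label or "trojan" in label:
        return "high"
    ratio = vt["malicious"] / vt["scanned"] if vt["scanned"] else 0.0
    return "high" if ratio >= 0.5 else "medium"

def triage_alert(alert: dict, vt_report: dict, compare_engines=("McAfee", "Microsoft")) -> dict:
    """Combine path, hash and category checks into one step-2 summary."""
    score, note = classify_drop_path(alert["file_path"], alert.get("removable", False))
    vt = summarize_vt(vt_report, alert["av_engine"], compare_engines)
    return {
        "malware": alert["malware"],
        "criticality": malware_criticality(vt),
        "path_score": score, "path_note": note,
        "detections": f"{vt['malicious']}/{vt['scanned']}",
        # False here means "check engine/signature updates before anything else"
        "our_engine_detects": vt["ours"] not in ("not scanned", "undetected", "harmless"),
        "other_engines": vt["others"],
    }

SAMPLE_ALERT = {  # constructed; fields an AV "detected, not cleaned" alert typically carries
    "host": "WS01", "user": "bob", "av_engine": "Symantec", "malware": "Ransom.Generic",
    "file_path": r"C:\Users\bob\Downloads\abc.exe", "action": "quarantined",
}
SAMPLE_VT_REPORT = {"data": {"attributes": {  # constructed
    "last_analysis_stats": {"malicious": 54, "suspicious": 0, "undetected": 16, "harmless": 0},
    "last_analysis_results": {
        "Symantec": {"category": "malicious", "result": "Ransom.Generic"},
        "McAfee": {"category": "malicious", "result": "Ransom-Generic"},
        "Microsoft": {"category": "undetected", "result": None},
    },
    "popular_threat_classification": {"suggested_threat_label": "ransomware/generic"},
}}}

if __name__ == "__main__":
    print(json.dumps(triage_alert(SAMPLE_ALERT, SAMPLE_VT_REPORT), indent=2))
```

The our_engine_detects flag is the discriminator the two sample observations above turn on: when our own engine does not appear in the report as detecting the hash, the signature and engine version of the endpoint are the first thing to check; when it does, the failure to clean is more likely a product limitation than a missing update. VirusTotal cannot tell you whether an engine cleans or only quarantines, so that part of the observation still comes from the vendor's own threat write-up.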


3. Identify overall endpoint security status

  1. Identify whether the system has the latest AV signatures.

    1. If the latest signatures are not installed, highlight this immediately.

  2. Identify whether the same system was infected with any other malware in the last 48 hours and what action was taken by the AV.

  3. Identify any alerts triggered from the same system indicating some kind of compromise or infection in the last 8 hours:

    1. High number of login failures from the same source IP or source user

    2. High number of proxy denies

    3. IPS alerts triggered from the same source IP

    4. High number of firewall denies from the same source IP


Sample Observations from these checks:

  • As per the logs, this malware was detected in this directory:

    1. /temp: This could have been created by other programs running on this system.

    2. /downloads: It is very likely that the user downloaded this file from a browser.

    3. /system32: It is very rare for malware to be detected here, and hence this has the potential to cause damage.

    4. /Admin$: It is likely that it was created by an Admin user or via a compromised Admin account.

    5. External drive: It is clear from the logs that an external drive was the source of infection.

  • Over the past 7 days, we have seen X infections on this system; of those, Y were cleaned and Z were quarantined. It is noted that the average weekly infection count on other systems is much lower than X. These repeated infections are an indication of unsafe user practices, unique user behaviour, or an already compromised machine.

4. Identify possible source of infection

  1. Identify any allowed proxy connections in the last 2 hours from this source IP to uncategorised domains, and verify the reputation of other allowed URLs accessed by the same IP.

  2. Identify whether the user received any emails from external domains using SMTP logs from the last 24 hours, and examine them for anything suspicious (suspicious domain name, subject line, attachments, etc.).

  3. Identify any external drive connection attempts using system logs.

  4. Identify any RDP/SMB share access attempts made from other internal systems.

Sample Observations from these checks:

  • We have also observed other indicators that point to possible infection or other malicious activity from this endpoint:

    1. In the last 8 hours, we have noticed attempted access to websites like abc.com from this endpoint being denied by our proxy.

    2. In the last 8 hours, we have noticed failed login attempts from this user/endpoint to different servers including server1, server2, etc.

    3. In the past 8 hours, we have noticed IPS signatures triggered on the same endpoint.

  • We have analysed proxy/SMTP/remote access logs but could not find any indication of compromise or malicious activity.


5. Identify virus outbreak

Identify whether the same malware was detected on any other systems and check whether it was cleaned or not.

Sample Observations from these checks:

  1. We have also seen the same infection detected and cleaned on other endpoints.

  2. We have not identified any other systems infected with the same malware.
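Steps 3 to 5 are all queries over the same set of logs, keyed on the affected host and its IP: infection counts for the past 7 days against the other hosts' average, the 8-hour indicator sweep (login failures, proxy denies, IPS alerts, firewall denies), allowed proxy connections to uncategorised domains in the last 2 hours, and the outbreak check across other hosts. The Python below is an added example that implements those queries together; it is not the runbook's or any SIEM's own tooling. SAMPLE_LOGS is constructed to look like a normalised export in the form "<ISO timestamp> <source> key=value ...", NOW is an assumed alert time, and the THRESHOLDS that turn a count into a "high number" are placeholders to be tuned per environment.

```python
# Added example for runbook steps 3 to 5 (endpoint status, source, outbreak);
# not the runbook's own tooling. SAMPLE_LOGS is constructed to mimic a normalised
# SIEM export ("<ISO timestamp> <source> key=value ..."); NOW and THRESHOLDS are
# assumptions made for illustration.
from __future__ import annotations

import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # assumed time of the alert
THRESHOLDS = {"login_fail": 4, "proxy_deny": 3, "ips": 1, "fw_deny": 10}  # assumed

SAMPLE_LOGS = """\
2024-02-20T14:00:00Z av host=WS01 src=10.0.0.5 malware=Ransom.Generic action=quarantined
2024-02-24T09:00:00Z av host=WS01 src=10.0.0.5 malware=Ransom.Generic action=quarantined
2024-02-26T11:30:00Z av host=WS01 src=10.0.0.5 malware=Trojan.Generic action=cleaned
2024-02-28T08:10:00Z av host=WS01 src=10.0.0.5 malware=Ransom.Generic action=quarantined
2024-03-01T11:40:00Z av host=WS01 src=10.0.0.5 malware=Ransom.Generic action=quarantined
2024-02-27T14:00:00Z av host=WS07 src=10.0.0.7 malware=Ransom.Generic action=cleaned
2024-03-01T03:00:00Z auth src=10.0.0.5 user=bob dst=server1 result=fail
2024-03-01T09:00:00Z auth src=10.0.0.5 user=bob dst=server1 result=fail
2024-03-01T09:01:00Z auth src=10.0.0.5 user=bob dst=server1 result=fail
2024-03-01T09:02:00Z auth src=10.0.0.5 user=bob dst=server2 result=fail
2024-03-01T09:03:00Z auth src=10.0.0.5 user=bob dst=server3 result=fail
2024-03-01T09:04:00Z auth src=10.0.0.5 user=bob dst=server3 result=success
2024-03-01T09:05:00Z auth src=10.0.0.8 user=alice dst=server1 result=fail
2024-03-01T09:30:00Z proxy src=10.0.0.5 url=http://abc.com/ action=allow category=uncategorised
2024-03-01T10:00:00Z proxy src=10.0.0.5 url=http://abc.com/ action=deny category=malware
2024-03-01T10:01:00Z proxy src=10.0.0.5 url=http://abc.com/ action=deny category=malware
2024-03-01T10:02:00Z proxy src=10.0.0.5 url=http://abc.com/ action=deny category=malware
2024-03-01T10:30:00Z proxy src=10.0.0.5 url=http://unknown.example/ action=allow category=uncategorised
2024-03-01T10:45:00Z ips src=10.0.0.5 sig=constructed-sig-1 action=alert
2024-03-01T11:00:00Z fw src=10.0.0.5 dst=10.0.0.9 port=445 action=deny
"""

def parse_line(line: str) -> dict:
    """'<ts> <source> k=v ...' -> dict with a tz-aware datetime under 'ts'."""
    ts, source, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "source": source}
    rec.update(p.partition("=")[::2] for p in pairs)
    return rec

EVENTS = [parse_line(l) for l in SAMPLE_LOGS.splitlines() if l.strip()]

def within(rec: dict, now: datetime, **delta) -> bool:
    return now - timedelta(**delta) <= rec["ts"] <= now

def infection_stats(events, host, now=NOW, days=7) -> dict:
    """Step 3: X/Y/Z infection counts on this host vs. the other hosts' weekly average."""
    week = [e for e in events if e["source"] == "av" and within(e, now, days=days)]
    mine = Counter(e["action"] for e in week if e["host"] == host)
    others = Counter(e["host"] for e in week if e["host"] != host)
    avg = sum(others.values()) / len(others) if others else 0.0
    total = sum(mine.values())
    return {"total": total, "cleaned": mine["cleaned"], "quarantined": mine["quarantined"],
            "other_hosts_avg": avg, "repeat_infections": total >= 2 and total >= 2 * avg}

def correlated_indicators(events, src_ip, now=NOW, hours=8) -> dict:
    """Step 3.3: login failures, proxy/firewall denies and IPS alerts from this source IP."""
    recent = [e for e in events if e.get("src") == src_ip and within(e, now, hours=hours)]
    fails = [e for e in recent if e["source"] == "auth" and e["result"] == "fail"]
    counts = {
        "login_fail": len(fails),
        "proxy_deny": sum(e["source"] == "proxy" and e["action"] == "deny" for e in recent),
        "ips": sum(e["source"] == "ips" for e in recent),
        "fw_deny": sum(e["source"] == "fw" and e["action"] == "deny" for e in recent),
    }
    return {"counts": counts,
            "flagged": sorted(k for k, v in counts.items() if v >= THRESHOLDS[k]),
            "login_fail_targets": sorted({e["dst"] for e in fails})}

def allowed_uncategorised(events, src_ip, now=NOW, hours=2) -> list[str]:
    """Step 4.1: allowed proxy connections to uncategorised domains in the last 2 hours."""
    return sorted({e["url"] for e in events
                   if e["source"] == "proxy" and e.get("src") == src_ip and e["action"] == "allow"
                   and e.get("category") == "uncategorised" and within(e, now, hours=hours)})

def outbreak_hosts(events, malware, exclude_host) -> dict:
    """Step 5: other hosts where the same malware was detected, with the AV action taken."""
    hosts: dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e["source"] == "av" and e["malware"] == malware and e["host"] != exclude_host:
            hosts[e["host"]][e["action"]] += 1
    return {h: dict(c) for h, c in hosts.items()}

def runbook_summary(events, host, src_ip, malware, now=NOW) -> dict:
    """One record an analyst can transcribe into the sample-observation sections."""
    return {"host": host, "endpoint": infection_stats(events, host, now),
            "indicators": correlated_indicators(events, src_ip, now),
            "uncategorised_allowed": allowed_uncategorised(events, src_ip, now),
            "outbreak": outbreak_hosts(events, malware, host)}

if __name__ == "__main__":
    print(json.dumps(runbook_summary(EVENTS, "WS01", "10.0.0.5", "Ransom.Generic"), indent=2))
```

Every window is evaluated relative to the alert time rather than to wall-clock time, so re-running the script on an older alert reproduces what the analyst would have seen then; the constructed sample deliberately contains one event just outside each window (an AV detection older than 7 days, a login failure older than 8 hours, an uncategorised allow older than 2 hours) so the boundaries are exercised. The firewall denies stay below the assumed threshold, which is why they are counted but not flagged.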