Incident Response Training Course, Malware Alert Investigation, Day 14

BlackPerl
In this full series we will talk about Incident Response, and it will be a free training course for everyone. Today is Day-14, and I will show you a real SOC incident that came from a SIEM tool, where the antivirus fired an alert that one machine had been infected by Emotet malware. Another PC on the same network started a suspicious outbound connection just after the first machine was infected with Emotet. In this episode, I will show you how you can efficiently and quickly analyse the memory of the second PC, identify what is wrong on it, and establish the relation between the PC1 infection and the PC2 outbound communication.

This is an example of triaging a real SOC detection alert, the kind that might arise at any time in your SOC. So we will be covering and trying to answer the questions below:

1. Why is PC2 communicating with a malicious IP?
2. Is PC2 also infected with Emotet?
3. If 2 is true, how can you prove it?
4. Did any process injection take place on it?
5. What IOCs are present on PC2 apart from the IP address?
6. What steps need to be taken to contain this incident?
7. If this type of case arises in your SOC, what MUST you do first?

So if you want to become a SOC BOSS, watch the full episode. All feedback is appreciated!! Comment and let me know if you have ever come across such a scenario or learned something new!

Tools I have used in this episode:
👉 Volatility
👉 Floss
👉 Capa

🔴DISCLAIMER
-------------------------------------------------------------------------------------------------------------------------
The story was developed with inspiration from a real case study and with the help of https://cyberdefenders.org/labs/78.

Of note, the memory image from this repository contains actual Windows-based malware. That poses a risk of infection when reviewing the dump on a Windows-based host. I recommend reviewing the memory image in a non-Windows environment.

WATCH THE PLAYLISTS BELOW as well, if you want to build a career in DFIR and Security Operations!!
-------------------------------------------------------------------------------------------------------------------------
INCIDENT RESPONSE TRAINING Full Course 👉BlackPerl DFIR  || INCIDENT RESPONSE ...
DFIR Free Tools and Techniques 👉 BlackPerl DFIR || DFIR Tools and Tech...
Windows and Memory Forensics 👉 BlackPerl DFIR || Windows and Memory ...
Malware Analysis 👉 BlackPerl DFIR || Malware Analysis Se...
SIEM Tutorial 👉 BlackPerl DFIR || Learn SIEM with me ...
Threat Hunt & Threat Intelligence 👉 BlackPerl DFIR || Threat Hunt & Threa...


Timelines
-------------------------------------------------------------------------------------------------------------------------
0:00   ⏩ Introduction
1:05   ⏩ Background of Alert
2:44   ⏩ Memory Analysis of PC2
6:13   ⏩ Identify Hidden Process
11:12  ⏩ Dump Malicious Process
15:11  ⏩ Identify Process Injection
21:00  ⏩ Identify Actual Process
27:58  ⏩ Containment/Remediation Steps
30:08  ⏩ Summarize


📞📲
FOLLOW ME EVERYWHERE-
-------------------------------------------------------------------------------------------------------------------------
✔ LinkedIn: blackperl
✔ You can also reach out to me personally on LinkedIn: https://bit.ly/38ze4L5
✔ Twitter: @blackperl_dfir
✔ Git: https://github.com/archanchoudhury
✔ Insta: blackperl_dfir
✔ Can be reached via [email protected]

CREDIT
-------------------------------------------------------------------------------------------------------------------------
Thank you, Alex Siviero for creating and sharing the memory dump!
Thank you, https://cyberdefenders.org/ for making such awesome CTFs!


SUPPORT BLACKPERL
-------------------------------------------------------------------------------------------------------------------------
╔═╦╗╔╦╗╔═╦═╦╦╦╦╗╔═╗
║╚╣║║║╚╣╚╣╔╣╔╣║╚╣═╣
╠╗║╚╝║║╠╗║╚╣║║║║║═╣
╚═╩══╩═╩═╩═╩╝╚╩═╩═╝
➡️ SUBSCRIBE, Share, Like, Comment
☕ Buy me a Coffee 👉 https://www.buymeacoffee.com/BlackPerl
📧 Sponsorship Inquiries: [email protected]

-------------------------------------------------------------------------------------------------------------------------
🙏 Thanks for watching!! Be CyberAware!! 🤞
Published 3 years ago, on 1400/08/22.
9,769 views