LetsDefend Exploitation Attack




Welcome to my walkthrough on how to handle an exploitation attack as a SOC Tier 1 analyst. I hate making you read, so without wasting any more time, let's get stuck in.


To take ownership of this alert, all we have to do is click on the person icon with the little plus on him. Since a SOC is made up of multiple members it is essential to take ownership of the alert so multiple people don't waste time working on the same alert. There are a lot of alerts so we need all hands on deck!! 







Now that we have taken ownership of the event, the first thing we need to do is click on the drop-down menu labelled as 1 to get a more detailed breakdown of the alert. I recommend copying and pasting this breakdown into a separate Word document, so you continue having access to it. After that you need to create a case by clicking on the two arrows.








When the case has been created we are greeted with a playbook, which is there to help us handle the security event in the way that specific company handles its events. This is done for consistency within the company.






We need to check if the malware has been cleaned or quarantined. It has not been quarantined; here is why, from the drop-down menu breakdown that we copied into our Word doc. We can also see that it was not quarantined by investigating the logs with the affected IP address.










We can see that the source IP 185.107.56.141 is entirely different from the IP address belonging to Victor (172.16.17.207). One thing I always do is run this new IP through the threat intel feature to see if this address has been flagged for any bad activities in the past. And it has, for brute force attacks, so my suspicions were right.





The next step is to run the file hash from our alert details through the VirusTotal product. We see that 47/72 security vendors have flagged this file hash as malicious. Always make sure to select the reanalyze option to get the most recent results, and now we have 48/72 security vendors flagging this file hash as malicious.





 
We have to select malicious based on the evidence.








There is a successful logon attempt, so we can see that the C2 address was accessed.
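To show the same chain of reasoning outside the LetsDefend interface, here is an added example (my own code, not LetsDefend's or any vendor's tooling) that runs the walkthrough's triage checks over a handful of constructed log lines. The log format, the threat-intel list, the VirusTotal-style detection counts and the `<FILE_HASH_FROM_ALERT>` placeholder are all made up for the example; only the two IP addresses come from the alert above.

```python
"""Added example: the triage checks from this walkthrough as code.
Everything below except the two IP addresses is constructed for
illustration and is not LetsDefend's own data or tooling."""
import re

# Constructed log lines in a made-up key=value format. 172.16.17.207 is
# Victor's host and 185.107.56.141 is the external source from the alert.
SAMPLE_LOGS = """\
time=2023-03-11T09:14:02Z src=185.107.56.141 dst=172.16.17.207 action=exploit_attempt status=allowed
time=2023-03-11T09:14:05Z src=185.107.56.141 dst=172.16.17.207 action=file_write status=allowed
time=2023-03-11T09:14:09Z src=172.16.17.207 dst=185.107.56.141 action=logon status=success
time=2023-03-11T09:15:00Z src=172.16.17.207 dst=10.0.0.5 action=logon status=success
"""

# Constructed threat-intel feed: IP -> reason it was flagged.
THREAT_INTEL = {"185.107.56.141": "brute force"}

# Constructed VirusTotal-style result. The hash is a placeholder; the real
# one comes from the alert details, and a live lookup would need an API key.
VT_RESULTS = {"<FILE_HASH_FROM_ALERT>": {"malicious": 48, "total": 72}}

LOG_RE = re.compile(r"time=(\S+) src=(\S+) dst=(\S+) action=(\S+) status=(\S+)")


def parse_logs(text):
    """Parse each line into a dict; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            t, src, dst, action, status = m.groups()
            events.append({"time": t, "src": src, "dst": dst,
                           "action": action, "status": status})
    return events


def external_sources(events, host_ip):
    """Source IPs that talked to the host and are not the host itself."""
    return sorted({e["src"] for e in events
                   if e["dst"] == host_ip and e["src"] != host_ip})


def c2_contacts(events, host_ip, flagged):
    """Successful logons from the host out to a threat-intel-flagged address."""
    return [e for e in events
            if e["src"] == host_ip and e["dst"] in flagged
            and e["action"] == "logon" and e["status"] == "success"]


def triage(events, host_ip, file_hash, quarantined):
    """Reproduce the walkthrough's decisions and return them as a dict."""
    ext = external_sources(events, host_ip)
    flagged = {ip: THREAT_INTEL[ip] for ip in ext if ip in THREAT_INTEL}
    vt = VT_RESULTS.get(file_hash, {"malicious": 0, "total": 0})
    contacts = c2_contacts(events, host_ip, flagged)
    malicious = bool(flagged) or vt["malicious"] > 0
    return {
        "external_sources": ext,
        "flagged_sources": flagged,
        "vt_detections": f"{vt['malicious']}/{vt['total']}",
        "c2_accessed": bool(contacts),
        "verdict": "malicious" if malicious else "benign",
        # Containment rule as read from the walkthrough (an assumption): the
        # file was not quarantined and the host reached the C2 address.
        "contain_host": malicious and not quarantined and bool(contacts),
    }


if __name__ == "__main__":
    result = triage(parse_logs(SAMPLE_LOGS), "172.16.17.207",
                    "<FILE_HASH_FROM_ALERT>", quarantined=False)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it reports the external source, the threat-intel hit, the 48/72 detection ratio, that the C2 address was accessed, a malicious verdict and a containment decision of True; flip `quarantined` to True and containment drops out, matching the playbook branch where the malware was already cleaned.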


Now, according to the playbook, we need to contain the device belonging to Victor, so let's go.


 




Go back to the word document with all our information as this is key to locating our artifacts.


It is very necessary to take notes and document your entire process, because if other analysts or superiors want to go over your work they can see your train of thought and correct you, or use that documentation to aid them if you need to escalate the alert to higher-ups.


Now we need to close our playbook.


Let's close the alert by clicking the tick.






We copy the notes from before into this notes section as well.



Boom we got the correct result!!!


LetsDefend marks your analysis, and in this case we got full marks. We did it!!!
