Alert Analysis L1 External

An alert was triggered related to a potential privilege escalation attempt on a Windows system. Technical details like unusual command lines used and file paths accessed indicate an attempt was made to change file permissions and execute a potentially malicious downloaded file to gain unauthorized access. The security analyst recommends immediately isolating the affected endpoint, suspending the involved user, blocking any suspicious download sources, and updating network defenses based on the identified indicators of compromise.

Uploaded by gopi pakanati

Honor Code Statement: I, Karthik Kovuru, understand that it is important for me to do my own work so that I may execute my own knowledge in this exercise. It is also important that I not receive help, either intentionally or unintentionally, from others. Therefore, I will only use the web resources available to me. Though this should not take as long, I also acknowledge that I have 24 hours to complete this investigation.

Review the alert below and answer the questions related to the alert information in this document.

Internal Use - Confidential


Process Event Details View

Original Data for Process Event
{
"Process":{
"image_path":"C:\\Windows\\SysWOW64\\icacls.exe",
"commandline":"icacls \"D:\\*\" /grant Everyone:F /T /C /Q255255255255",
"username":"MDR-ABU-Perrin\\shanp",
"create_time":"2021-06-17T19:25:50.64094Z",
"program_md5":"LklYXk4IVl9SCQsUQGL5fg==",
"parent_image_path":"C:\\Users\\shanp\\Downloads\\blah\\a9643eb83d509ad4eac20a2a89d8571f8d781979ad078e89f5b75b4bcb16f65e.exe",
"was_blocked":false,
"user_is_admin":true,
"process_is_admin":true,
"endpoint_platform":"PLATFORM_WINDOWS"
},
"ParentCreateTime":"2021-06-17T19:24:38.289537Z",
"HostProgram":null,
"TargetProgram":null,
"Id":{
"Process_Id":{
"pid":37952,
"time_window":13268431550
},
"HostId":"b680897c4c1b272bc741062e11028b52"
},
"ParentId":{
"Process_Id":{
"pid":25208,
"time_window":13268431478
},
"HostId":"b680897c4c1b272bc741062e11028b52"
},
"program_id":"9f35d4f5c89393a70ff66d985ffac6f78b8c5da5",
"InstanceID":"9a12bea832dcf9e5f51c1bbab82fe9b6",
"windows_user_sid":""
}

Please complete all requested information within this document. Do not submit a separate document.

1. How would you summarize what happened in this event?

As per the raw log investigation, the adversary is trying to exploit privilege escalation to change the parent image path of the file so it runs with the reverse shell.

2. What technical details would you use to prove this is a threat?

Based on the incident IOCs, the following flags confirm this incident as a privilege escalation:

"image_path":"C:\\Windows\\SysWOW64\\icacls.exe",

"commandline":"icacls \"D:\\*\" /grant Everyone:F /T /C /Q255255255255", (This command gives admin rights to execute a bound reverse shell/malicious file)

"parent_image_path":"C:\\Users\\shanp\\Downloads\\blah\\a9643eb83d509ad4eac20a2a89d8571f8d781979ad078e89f5b75b4bcb16f65e.exe"
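A defender-side triage check, added here as an example (it is not part of the worksheet and not Dell MDR's tooling), that turns the three details above into detection logic over a process event: the worksheet's event is embedded abridged to the fields used, and a constructed benign icacls event shows the check staying quiet. The principal list and the regexes are assumptions of this example.

```python
import json
import re

# Process event from the worksheet's "Original Data for Process Event", abridged to the fields used here.
SUSPICIOUS_EVENT = json.loads(r'''{"Process":{
"image_path":"C:\\Windows\\SysWOW64\\icacls.exe",
"commandline":"icacls \"D:\\*\" /grant Everyone:F /T /C /Q255255255255",
"parent_image_path":"C:\\Users\\shanp\\Downloads\\blah\\a9643eb83d509ad4eac20a2a89d8571f8d781979ad078e89f5b75b4bcb16f65e.exe",
"was_blocked":false,"user_is_admin":true,"process_is_admin":true}}''')

# Constructed benign event (hypothetical): an admin grants one service account read access from cmd.exe.
BENIGN_EVENT = {"Process": {
    "image_path": r"C:\Windows\System32\icacls.exe",
    "commandline": r'icacls "D:\Share\Reports" /grant "CORP\svc_backup":(R)',
    "parent_image_path": r"C:\Windows\System32\cmd.exe",
    "was_blocked": False, "user_is_admin": True, "process_is_admin": True}}

# Principals for which a full-control (F) grant weakens the ACL for every account on the host (assumed list).
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "builtin\\users"}
GRANT_RE = re.compile(r'/grant(?::r)?\s+"?(?P<principal>[^":]+?)"?:\(?(?P<perm>[A-Z,()]+)\)?', re.I)
TARGET_RE = re.compile(r'^\s*"?icacls(?:\.exe)?"?\s+"?(?P<target>[^"\s]+)"?', re.I)
DOWNLOADS_RE = re.compile(r"\\users\\[^\\]+\\downloads\\", re.I)


def triage_process_event(event):
    """Return the list of indicators found in one icacls process event (empty means nothing notable)."""
    p = event["Process"]
    findings = []
    if not p.get("image_path", "").lower().endswith("\\icacls.exe"):
        return findings
    cmd = p.get("commandline", "")
    for m in GRANT_RE.finditer(cmd):
        perms = re.findall(r"[A-Z]+", m.group("perm").upper())  # e.g. "F", "R", "(OI)(CI)F" -> OI, CI, F
        if m.group("principal").lower() in BROAD_PRINCIPALS and "F" in perms:
            findings.append(f"full control (F) granted to broad principal '{m.group('principal')}'")
    if findings and re.search(r"\s/T\b", cmd, re.I):
        findings.append("grant applied recursively to all subfolders and files (/T)")
    t = TARGET_RE.match(cmd)
    if t and re.fullmatch(r"[A-Za-z]:\\\*", t.group("target")):
        findings.append(f"target is an entire volume ({t.group('target')})")
    parent = p.get("parent_image_path", "")
    if DOWNLOADS_RE.search(parent):
        findings.append(f"parent process launched from a user Downloads folder: {parent}")
    if findings and p.get("process_is_admin"):
        findings.append("icacls ran with administrative rights (process_is_admin)")
    return findings


if __name__ == "__main__":
    for name, ev in (("worksheet event", SUSPICIOUS_EVENT), ("benign event", BENIGN_EVENT)):
        print(name, "->", triage_process_event(ev) or ["no findings"])
```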

3. What references do you want to share that can further prove this threat?

As per partial reference: https://www.ired.team/offensive-security/privilege-escalation/weak-service-permissions

4. Is there any other data you would look for that you don’t have access to?

a. Need endpoint logs to investigate the path and process list and to investigate the malicious activity further.
b. Need network/firewall logs to investigate the file information and IOCs (why this unauthorized attempt was not blocked).
c. Need PAM/IAM logs to investigate user activity and the permission changes performed by the user.

5. Write an executive summary to the CTO of the organization about this alert and what the event reflected.

SOC Investigation summary

1. As per the log analysis, it is confirmed as a privilege escalation attempt by the user.
2. Based on the event data, the adversary is trying to change the file permissions of the files and execute an unauthorized downloaded file to gain access/install a backdoor.

SOC Recommendations:

1. Immediately isolate the endpoint and suspend the user account.
2. Find the source of the unauthorized download and block the source at the perimeter level.
3. Update the hash values and source IOCs at the gateway level as a security measure.


Great, based on your findings, write the investigation. Note that, as a security analyst, hold yourself responsible for
reviewing event/log data. Do not ask the customer to do so.

Incident Summary:

Dell MDR has observed an alert associated with ? that is an indication for ?

Host Name: MDR-ABU-Perrin\\shanp

IP Address: 10.0.0.7, 192.168.56.1

User/s: Shanp

OS Type: Windows

Highest Alert Severity: critical

Alert time stamp: 2021-06-17T19:24:38.289537Z

Number of systems identified as being involved: 1

Technical Details:

Dell MDR received ? alert/s for ? activity, involving ?. This alert is associated with ?

1. Text explaining why below data is important to IOCs:

"parent_image_path":"C:\\Users\\shanp\\Downloads\\blah\\a9643eb83d509ad4eac20a2a89d8571f8d781979ad078e89f5b75b4bcb16f65e.exe"

2. Text explaining why below data is important to IOCs:

"commandline":"icacls \"D:\\*\" /grant Everyone:F /T /C /Q255255255255",

3. Text explaining why below data is important to IOCs:

"image_path":"C:\\Windows\\SysWOW64\\icacls.exe",

(you can add more than 3 if needed)

Recommendations:

Dell MDR should recommend the following actions to be taken to prevent this from happening in the future:

References:

https://www.ired.team/offensive-security/privilege-escalation/weak-service-permissions
