SOP / Play Book for Malware alert of Critical Severity

Pavankumar u Bahadur
[email protected]

 We received an alert of Unknown process detected on a Host during non-

Business hour.

 Alert was triggered under Critical severity - Reason - Unknown Process,

Nona-business hour , AV action allowed , Outbound alert ( Chance of C2
attack / Exfiltration ).

 Since Proxy signature matched with Directory path traversal ../../../../ , SQL
Statements so we have Isolated the System to keep the Network Healthy.

 We observed the case with reference of MITRE ATT&CK to know Attack

Vector (how came inside), Execution ( user or RCR a), what things has
happened after execution.

 Check Network logs with Wireshark , Firewall, Proxy , IPS , System logs ,
System Audit logs.

 SOC , IR, Forensic team will collaborate in every True positive Critical
alerts so we took Full Disk Image and Memory Dump as an Evidence for
Forensic analysis.

 We have to do Malware analysis both Static n Dynamic analysis.

 In Static analysis we use the tool like PE Tool to check process Executable
or not , Bit size applicable for 32/64, File metadata ( creation & last modified )
, signature metadata (Integrity) , Strings (to check the readable strings so we
can conclude what variant of malware it is.

 Dynamic analysis Sandboxing.

 After Static n Dynamic analysis , with collected IOC' s we will check for
those logs in SIEM & EDR to check from which date logs initiated and any C2
/ Outbound Activity done.

 We have to do Memory analysis by using memory dump with the tool Vertility
to find any Unknown process which starts before the Boot time ( fileless
malware which targets genuine process to executive for persistence ).

 By using tools like Autopsy we have to do Forensic analysis to check any

Hidden files.

 Then from Analysis if it was observed that Process was executed by User
while using Power BI & he has clicked on advertise so it is Downloaded into
user machine as Drive by Download.

 But AV Failed to detect it and EDR is detected n Blocked it.

 SOP / Play Book for Malware alert of Critical Severity
Pavankumar u Bahadur
[email protected]

 So we have Guided the user to reset the passwords with complexity and
MFA

 We have boot the system in Safe mood to Stop the Malicious Process and
after that we have Deleted the file from detected path.

 Boot the system in Standard mode.

 Fully scanned the system.

 Taken Backup from Recovery.

 Connected the system back to the Network and Observed closely for any
further Unusual Behaviour.

 Implementing new Inputs such as network Segmentation & Segregation to

safeguard the sensitive data.

 Regularly in Synch with TI to get the Information about the Newly Emerging
Threats.