Activity from Unmanaged Host
Last updated
| # | Action | Reason |
|---|---|---|
| 1. | Deploy EDR to all unmanaged endpoints. | Gain visibility into all endpoints so you can hunt for malicious activity and block any ransomware deployment. |
| 2. | Disable or reset passwords for any compromised user accounts. | Prevent further activity from the compromised users. This can slow the TA down or force them onto other accounts, revealing additional compromised accounts. |
| 3. | Put network blocks in place for any network IOCs found. | Because beacon C2 addresses are hard-coded, the beacons will not reach out to any additional IPs. Blocking those addresses early can brick the beacons the TA has already established. |
| 4. | Use threat intel to find additional IOCs if the group may be known. | If threat intel is available and the group has been seen before using the same TTPs, hunting on those TTPs can speed up scoping. |
| 5. | Apply IOA rules for the network IOCs and hash blocks for the implants. | When a new sensor is installed on a host where a beacon is already running or connections to the C2 are already being sent, it will be detected immediately. |
| 6. | Reset all passwords and perform the KRBTGT double tap (two resets). | Resetting all passwords prevents the TA from re-accessing the compromised accounts with the previous passwords. This can cut off their access to important accounts. |
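The following Python is an added example, not part of this playbook or any EDR product: it shows the detection logic behind steps 3 and 5 (network IOCs and implant hash blocks applied to sensor telemetry) and the coverage check behind step 1 (inventory hosts that emit no telemetry because they have no sensor). Every IOC value, host name and event below is a constructed placeholder (RFC 5737 TEST-NET addresses, made-up SHA-256 strings); the event schema and function names are assumptions, not a vendor API.

```python
"""Match constructed EDR sensor telemetry against network and hash IOCs.

Added illustration for the playbook above. All indicators and events are
constructed placeholders, not real IOCs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed IOC set (placeholders): C2 addresses for the network blocks in
# step 3 and the IOA rules in step 5, plus implant hashes for the hash blocks.
NETWORK_IOCS = ["203.0.113.10", "198.51.100.0/24"]  # RFC 5737 TEST-NET ranges
IMPLANT_HASHES = {
    "1111111111111111111111111111111111111111111111111111111111111111",  # placeholder
}

# Constructed asset inventory and sensor events. Only hosts with a sensor emit
# events, which is why step 1 (deploy EDR everywhere) comes first.
INVENTORY = {"ws01", "ws02", "srv-file01", "lab-box7"}
EVENTS = [
    {"host": "ws01", "type": "netconn", "dst": "203.0.113.10", "dport": 443},
    {"host": "ws01", "type": "process", "sha256": "1" * 64,
     "image": "C:\\Users\\Public\\svc.exe"},
    {"host": "ws02", "type": "netconn", "dst": "192.0.2.55", "dport": 443},
    {"host": "srv-file01", "type": "netconn", "dst": "198.51.100.77", "dport": 8443},
    {"host": "ws02", "type": "process", "sha256": "2" * 64,
     "image": "C:\\Windows\\System32\\notepad.exe"},
]


@dataclass(frozen=True)
class Hit:
    host: str
    rule: str        # "network-ioc" or "hash-ioc"
    indicator: str   # the IOC that matched
    detail: str      # destination socket or process image for the analyst


def compile_networks(iocs):
    """Accept single IPs and CIDR ranges; single IPs become /32 networks."""
    return [ip_network(i, strict=False) for i in iocs]


def match_network(dst, networks):
    """Return the matching IOC network as a string, or None."""
    addr = ip_address(dst)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def apply_ioa_rules(events, network_iocs=NETWORK_IOCS, implant_hashes=IMPLANT_HASHES):
    """Run the step-5 rules over sensor events and return every hit."""
    networks = compile_networks(network_iocs)
    hashes = {h.lower() for h in implant_hashes}
    hits = []
    for ev in events:
        if ev["type"] == "netconn":
            matched = match_network(ev["dst"], networks)
            if matched:
                hits.append(Hit(ev["host"], "network-ioc", matched,
                                f'{ev["dst"]}:{ev["dport"]}'))
        elif ev["type"] == "process" and ev["sha256"].lower() in hashes:
            hits.append(Hit(ev["host"], "hash-ioc", ev["sha256"], ev["image"]))
    return hits


def coverage_gaps(inventory, events):
    """Inventory hosts with no sensor telemetry at all: step-1 candidates."""
    reporting = {ev["host"] for ev in events}
    return sorted(inventory - reporting)


def hosts_to_contain(hits):
    """Distinct hosts that matched any rule, for the network-block step."""
    return sorted({h.host for h in hits})


if __name__ == "__main__":
    for hit in apply_ioa_rules(EVENTS):
        print(f"{hit.host:12} {hit.rule:12} {hit.indicator:20} {hit.detail}")
    print("contain:", hosts_to_contain(apply_ioa_rules(EVENTS)))
    print("no sensor:", coverage_gaps(INVENTORY, EVENTS))
```

On the constructed data the rules flag ws01 twice (a connection to a C2 address and a process whose hash is on the block list) and srv-file01 once (a connection into a blocked range), while lab-box7 never appears in the telemetry at all, which is exactly the blind spot step 1 is meant to close.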