Activity from Unmanaged Host
Remediation:
Deploy EDR to all unmanaged endpoints.
Gain visibility into all endpoints to better hunt for malicious activity and block any ransomware deployments.
Check to ensure EDR is on all hosts with unmanaged function.
Client could leave gaps during installation.
2.
Isolate/disconnect network until EDR is fully deployed.
TA might still be on hosts that we don't have visibility into. Disabling network until fully deployed allows us to have full visibility and clean up any persistence.
Disable/Reset passwords for any compromised user accounts.
Prevent further activity from compromised users. This could slow the TA down or make them reveal additional compromised accounts.
Put network blocks in place for any network IOCs found.
Since beacon C2s are hardcoded, they will not reach out to any additional IPs. Blocking them early on could brick beacons that the TA has established.
Use intel to find any additional IOCs if the group may be known.
If threat intel is available and the group has been seen before in the past using the same TTPs, hunting on these TTPs can speed up scoping.
Apply IOAs rules for network IOCs and hash blocks for implants.
When a new sensor is installed on a host and a beacon is already running or network connections to the C2 are being sent, it will be detected immediately.
Kill TA process/malware and remove persistence.
To ensure the TA can't come back easily and to narrow down their attack paths.
Ensure backup servers are isolated and immutable.
Incase encryption does occur, backups can be used to restore systems.
Reset all passwords and KRBTGT double tap.
Resetting all passwords will prevent the TA from recessing the compromised accounts with the previous passwords. This can cut off their access to important accounts.
Investigation Methodology:
Search for compromised users
Pull DCs to find hosts that the account logged into (4624, 4769. 4768, SUM database).
VPN logs with user auths.
Firewall logs (sometimes may have usernames).
Pull all alerts for context and IOCs
Users
Files
IPs
Hosts
Compromised user activity
Process executions (if EDR or event logs)
Base forensics
Logs of application TA is abusing
Investigate internal or external IPs activity is originating from
Pull DCs to find hosts that the IP connected to (4624, 4769. 4768, SUM database).
VPN logs with IP pools
Edge firewall logs
Netflow logs
Note IPs of internal hosts and determine what host they belong to.
Track all IPs and ensure they are all investigated.
IOC hunt for files, users, IPs, filenames.
Hunt in EDR
Hunt In SIEM
Prioritize searching for and reporting on active TA processes and tools like their C2s.
Engage quick win hunt to find things outside of IOC hunt.
Quick wins in EDR
Quick wins in SIEM
Repeat process and ensure all IPs and users are noted for further investigation.
Initial Access Checks:
Check VPN version
Could be vulnerable to CVEs
Check for no MFA auths
SIM swapping
Last updated