SOC144 - New scheduled task created Alert
Let's explore a suspicious event activity...
Last updated
Hello readers, welcome to this blog entry. Today, we will be trying to solve the SOC144 - New scheduled task created alert, on the Let’s Defend platform.
NOTE: Always remember to investigate alerts from Let's Defend on a VM.
The alert particulars are given to analyze and understand:-
Next steps:-
Take ownership of case
Create Case
Download the file to be analyzed and unzip it
We uncover a python file titled: ‘Sorted-Algorithm.py’
Let’s have a look at its contents using the editor
Gist of program:-
Sorts the vowels twice (once in ascending and once in descending order), takes the second element of the sorted array, sorts it again in random order, and prints the result.
Remember that this script is designed to attack a host at IP — 92.27.116.104 and create a scheduled task named x86_x64_setup.exe under the C:/Windows/Temp/ path.
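A defender-side example, added here and not part of the Let's Defend exercise or of the script under analysis: a small Python triage helper that runs over constructed scheduled-task-creation records and flags the pattern this alert describes, a task whose action launches an executable from C:\Windows\Temp and whose task name mimics a file name. The record layout (host, user, task_name, command) is my own simplified shape, not the real Windows event schema; the task name, path and host IP come from the write-up above, and the other records, user names and heuristics are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample records, loosely modelled on the fields a "new scheduled
# task created" event carries. The first record mirrors the alert in this
# write-up; the other two are made up to show benign cases.
SAMPLE_EVENTS = [
    {"host": "92.27.116.104", "user": "Administrator",
     "task_name": "x86_x64_setup.exe",
     "command": "C:\\Windows\\Temp\\x86_x64_setup.exe"},
    {"host": "92.27.116.104", "user": "SYSTEM",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "C:\\Windows\\System32\\defrag.exe -c -h -o -$"},
    {"host": "10.0.0.5", "user": "jdoe",
     "task_name": "Backup",
     "command": "\"C:\\Program Files\\Backup\\backup.exe\" --nightly"},
]

# Directories a legitimately installed task rarely launches from (assumed
# heuristics; tune to your environment). Compared case-insensitively.
WRITABLE_DIRS = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Task names that look like file names rather than descriptive labels.
FILENAME_LIKE = re.compile(r"\.(exe|bat|cmd|ps1|vbs|js)$", re.IGNORECASE)


def executable_of(command: str) -> str:
    """Best-effort extraction of the program a task command launches.
    Handles a quoted path, an unquoted path ending in a known extension,
    or falls back to the first whitespace-separated token."""
    cmd = command.strip()
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1).lower()
    m = re.match(r"(.+?\.(?:exe|bat|cmd|ps1|vbs|js|dll))(?:\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1).lower()
    return cmd.split()[0].lower() if cmd else ""


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons this task creation looks suspicious (empty = nothing flagged)."""
    reasons: List[str] = []
    exe = executable_of(ev["command"])
    if any(exe.startswith(d) for d in WRITABLE_DIRS):
        reasons.append(f"action launches from a user-writable directory: {exe}")
    if FILENAME_LIKE.search(ev["task_name"]):
        reasons.append(f"task name looks like a file name: {ev['task_name']}")
    return reasons


def find_suspicious(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged task name to the list of reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            flagged[ev["task_name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(f"[!] {name}")
        for r in reasons:
            print(f"    - {r}")
```

Only the record matching this alert is flagged, on both heuristics; the Defrag task and the Program Files backup task pass, which is the behaviour you want before pivoting to the sandbox and VirusTotal checks that follow.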
Now, let's open the alert’s playbook
Let’s start filling up details:-
Since the alert is raised for the occurrence of a scheduled process (unknown), it falls under the third category
Check if the malware is quarantined/cleaned
Let’s Defend recommends we check Log Management and Endpoint Security sections
Let’s go ahead with our Swiss Army Knife tools Hybrid-Analysis and VirusTotal
When tested on Falcon Sandbox (Hybrid-Analysis), the file was found not to be malicious
The same was the case with VirusTotal
We answer that the malware is cleaned
Analyze Malware
Analyze malware in 3rd party tools and find C2 address
In the previous section, we had analyzed the artifact and deduced that the file was indeed not malicious
A) Non-malicious
Let’s compile the information that we have collected:-
Finish the Playbook
Close Alert — with notes, describing the alert as a True Positive
Points Acquired — 10/15. Not bad, not bad at all!
Every alert solved is a step towards perfection and I am pretty happy with the score I received.
An incoming SOC alert was briefed to us about an RCE that caused a process to be scheduled and executed. Upon analysis, the file in question did not throw up any malicious traces of activity, being described as danger-free by both VirusTotal and the Hybrid-Analysis tool.
Thank you for reading this blog entry, and stay tuned as I try to close down more SOC alerts...
My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day