We'll be taking a look at an incident we'll be responding to that created an alert for Suspicious Mshta Behavior.
We'll begin with starting the playbook that will give you an overview.
Identify the binary.
Select Endpoint Security and let's search for the machine involved in the alert.
C:/Windows/System32/mshta.exe C:/Users/roberto/Desktop/Ps1.hta - Notice this binary is used to execute JavaScript embedded in HTML which is actually the hta file.
It produces a powershell. The powershell is suspicious, because it is invoking an outbound connection to the url: https://193.142.58.23/Server.txt which appears to download a text file.
The purpose of the suspicious activity, as mentioned before is invoking an outbound connection to a suspicious IP address which will download a file.
A user did not perform the activity, so we would select Malware.
If a machine is suspected to be infected with malware, the next step is to contain that machine and perform cleanup, containment, eradication, and remediation.
Next, we will search for the IOCs (Indicators of Compromise). By using VirusTotal, we will search the IP address and notice this is a malicious IP.
Add the artifacts or malicious items that need to be blocked or cleaned because they are related to malware or and adversary.
Add Analyst Note.
Finish the playbook.
Comments
Post a Comment