This article describes how an incident for MITRE ATT&CK technique T1059 (Command and Scripting Interpreter) is investigated in the event management panel.
Logsign Response Query
In the following case, the T1059 MITRE scenario was executed on a server and generated traffic toward the internet. When the alarm triggered, Logsign security automation blocked the traffic on the firewall, disabled the associated user, and removed that user from high-privileged groups.
In the summary panel, 3 incidents related to the event were recorded, 3 action models were run, 6 findings were collected and the MITRE tactic Execution was identified; the summary card shows that the event first occurred on 2023-04-05 10:40:27 and was repeated approximately 40 minutes later.
The findings show the adminlgs user, the source host identified for the MITRE technique, and the domain address it was trying to reach.
Let's examine the event in more depth with Logsign response queries.
The following query lists the network movements between the server and the external source it accessed.
In the returned logs we examined the start time of the first network movement, the port used, and the destination IP.
We can also check the callback connection status.
We observe that a callback connection has been established.
Let's examine the bandwidth report for the traffic over this time range.
The bandwidth report shows abnormal traffic of 6.4 GB. Since this may be a 6.4 GB data leak, the accessed data should be identified by examining the file movements. Let's quickly examine the file movements from the event management panel.
Looking at the logs for the folder where the file inspection was performed, we found the accessed file, as shown above.
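The four checks above (first outbound connection, callback status, outbound volume, files touched in the same window) can be reproduced outside the panel on raw log records. The following Python is an added example, not Logsign's code or query language: it runs the same triage over a handful of constructed records. The user name, date and 6.4 GB figure follow the page; the IPs, ports, file paths, the 1 GB exfiltration threshold and the definition of "callback" as the external host connecting back to the server are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs). Fields:
# timestamp, src_ip, user, dst_ip, dst_port, direction, bytes_sent
NETWORK_LOGS = [
    ("2023-04-05 10:40:27", "10.10.5.21", "adminlgs", "203.0.113.45", 443, "outbound", 1024),
    ("2023-04-05 10:40:31", "203.0.113.45", "-", "10.10.5.21", 4444, "inbound", 512),
    ("2023-04-05 10:41:02", "10.10.5.21", "adminlgs", "203.0.113.45", 443, "outbound", 6_400_000_000),
    ("2023-04-05 10:42:00", "10.10.5.30", "svc_backup", "10.10.9.9", 445, "outbound", 50_000_000),
    ("2023-04-05 11:20:40", "10.10.5.21", "adminlgs", "203.0.113.45", 443, "outbound", 2048),
]

# Constructed file-access records. Fields: timestamp, user, host, path, action
FILE_LOGS = [
    ("2023-04-05 09:15:00", "adminlgs", "10.10.5.21", r"C:\Users\adminlgs\notes.txt", "read"),
    ("2023-04-05 10:40:50", "adminlgs", "10.10.5.21", r"\\fileserver\finance\payroll_2023.xlsx", "read"),
    ("2023-04-05 10:55:12", "svc_backup", "10.10.5.30", r"D:\backup\daily.bak", "write"),
]

GB = 1_000_000_000
EXFIL_THRESHOLD = 1 * GB  # assumed threshold; tune to the server's normal traffic


def ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def first_outbound(logs, src_ip):
    """Earliest outbound record from src_ip: when, to which IP, on which port."""
    rows = [r for r in logs if r[1] == src_ip and r[5] == "outbound"]
    if not rows:
        return None
    first = min(rows, key=lambda r: ts(r[0]))
    return {"time": first[0], "dst_ip": first[3], "dst_port": first[4]}


def callback_established(logs, src_ip, dst_ip):
    """True if dst_ip opened a connection back to src_ip at or after the server's
    first outbound contact (the example's assumed meaning of 'callback')."""
    first = first_outbound(logs, src_ip)
    if first is None:
        return False
    start = ts(first["time"])
    return any(
        r[1] == dst_ip and r[3] == src_ip and r[5] == "inbound" and ts(r[0]) >= start
        for r in logs
    )


def outbound_volume(logs):
    """Total bytes sent per (src_ip, dst_ip) pair, outbound records only."""
    totals = defaultdict(int)
    for r in logs:
        if r[5] == "outbound":
            totals[(r[1], r[3])] += r[6]
    return dict(totals)


def suspicious_transfers(logs, threshold=EXFIL_THRESHOLD):
    """Pairs whose outbound volume reaches the exfiltration threshold."""
    return {pair: b for pair, b in outbound_volume(logs).items() if b >= threshold}


def gigabytes(num_bytes):
    return round(num_bytes / GB, 1)


def files_touched(file_logs, user, start, end):
    """Paths the user accessed between start and end (inclusive), sorted."""
    lo, hi = ts(start), ts(end)
    return sorted(path for (t, u, _host, path, _action) in file_logs
                  if u == user and lo <= ts(t) <= hi)


def triage(net_logs, file_logs, src_ip, user):
    """Run the four checks from the investigation for one server and user."""
    first = first_outbound(net_logs, src_ip)
    last = max(ts(r[0]) for r in net_logs if r[1] == src_ip)
    transfers = {f"{s}->{d}": gigabytes(b) for (s, d), b in suspicious_transfers(net_logs).items()}
    return {
        "first_outbound": first,
        "callback": callback_established(net_logs, src_ip, first["dst_ip"]) if first else False,
        "suspicious_gb": transfers,
        "files": files_touched(file_logs, user, first["time"], last.strftime("%Y-%m-%d %H:%M:%S")) if first else [],
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_LOGS, FILE_LOGS, "10.10.5.21", "adminlgs").items():
        print(f"{key}: {value}")
```

The window for the file check starts at the first outbound connection and ends at the last record from the server, so the earlier 09:15 read by the same user is excluded, while the 50 MB backup job from another host falls under the threshold and is not reported.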
The machine infected with malware is isolated from the network, and the malicious file on it can be analyzed in a sandbox.
After analyzing the findings and notes, the case reason is written and the incident is closed.