Incident Investigation

Introduction

This article describes how to investigate a MITRE ATT&CK T1059 (Command and Scripting Interpreter) incident in the event management panel.

Logsign Response Query

In the following case, the MITRE ATT&CK T1059 scenario was executed on a server and outbound traffic towards the internet was generated. When the alarm was triggered, Logsign security automation blocked the traffic on the firewall, disabled the associated user, and removed that user from high-privileged groups.

1.png

The summary panel shows that 3 incidents related to the event occurred, 3 action models were run, 6 findings were collected, and the MITRE ATT&CK tactic Execution was identified. The summary card shows that the event first occurred on 2023-04-05 10:40:27 and was repeated approximately 40 minutes later.

2.png

When we check the findings, we can see the adminlgs user, the source host identified for the MITRE technique, and the domain address that the host was trying to reach.

3.png

Let's examine the event more in-depth with Logsign response queries.

4.png

Let's examine the network movements between the server and the external source it accessed with the following query.

5.png

From the incoming logs, we identified the start time of the first network connection, the port used, and the destination IP address.

6.png

7.png

We can also check the callback connection status.

8.png

We observe that a callback connection has been established.

9.png

10.png

Let's examine the bandwidth range report of the traffic movement.

11.png

12.png

The bandwidth reports above show an abnormal 6.4 GB of traffic. Because this traffic may represent a 6.4 GB data leak, the accessed data should be identified by examining the file movements. Let's quickly examine the file movements from the event management panel.
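The investigation steps above (first outbound connection, callback check, bandwidth per destination) can also be reproduced outside the panel. The following Python script is an added example, not Logsign code or a Logsign response query; it runs over constructed firewall-style log lines that are modelled on the case in this article (the `adminlgs` host, a single external destination, a 6.4 GB transfer) and shows how each answer is derived: the first connection time, port and destination, the total bytes moved per source/destination pair against an exfiltration threshold, and whether the connections to the destination recur at a regular interval, which is the pattern a callback (beacon) produces.

```python
"""Added example: re-derive the network findings of a T1059 investigation
from raw connection logs. The log format, field order, IPs and byte counts
below are all constructed for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample logs. Field order:
# timestamp | user | src_ip | dst_ip | dst_port | bytes_out | action
SAMPLE_LOGS = """\
2023-04-05 10:40:27|adminlgs|10.0.0.15|203.0.113.77|443|1200|allow
2023-04-05 10:41:27|adminlgs|10.0.0.15|203.0.113.77|443|1150|allow
2023-04-05 10:42:27|adminlgs|10.0.0.15|203.0.113.77|443|1190|allow
2023-04-05 10:43:27|adminlgs|10.0.0.15|203.0.113.77|443|1210|allow
2023-04-05 10:43:40|jsmith|10.0.0.22|198.51.100.5|443|52000|allow
2023-04-05 10:44:27|adminlgs|10.0.0.15|203.0.113.77|443|6400000000|allow
2023-04-05 11:20:31|adminlgs|10.0.0.15|203.0.113.77|443|1180|allow
"""


def parse_logs(text):
    """Parse pipe-delimited lines into dicts, sorted by timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, src, dst, port, nbytes, action = line.split("|")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user, "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes), "action": action,
        })
    return sorted(records, key=lambda r: r["ts"])


def first_connection(records, user):
    """Start time, destination IP and port of the user's first connection."""
    for r in records:
        if r["user"] == user:
            return r["ts"], r["dst"], r["port"]
    return None


def bytes_per_pair(records):
    """Total bytes sent per (source, destination) pair: the bandwidth report."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["dst"])] += r["bytes"]
    return dict(totals)


def flag_exfiltration(records, threshold_bytes):
    """Pairs whose total outbound volume is at or above the threshold."""
    return [(src, dst, total)
            for (src, dst), total in bytes_per_pair(records).items()
            if total >= threshold_bytes]


def regular_intervals(records, src, dst, tolerance=0.1):
    """Count gaps between consecutive src->dst connections that lie within
    `tolerance` of the median gap. Beacons produce many such gaps; a
    one-off gap (e.g. the ~40 minute repeat) is ignored by the median."""
    times = [r["ts"] for r in records if r["src"] == src and r["dst"] == dst]
    if len(times) < 3:
        return 0
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = median(gaps)
    if m == 0:
        return 0
    return sum(1 for g in gaps if abs(g - m) <= tolerance * m)


def is_callback(records, src, dst, min_regular=3):
    """True when enough connections recur at a regular interval."""
    return regular_intervals(records, src, dst) >= min_regular


RECORDS = parse_logs(SAMPLE_LOGS)

if __name__ == "__main__":
    ts, dst, port = first_connection(RECORDS, "adminlgs")
    print(f"first connection: {ts} -> {dst}:{port}")
    for src, dst, total in flag_exfiltration(RECORDS, 1_000_000_000):
        print(f"possible exfiltration: {src} -> {dst}, {total / 1e9:.1f} GB")
    print("callback pattern:", is_callback(RECORDS, "10.0.0.15", "203.0.113.77"))
```

The 1 GB threshold and the 10% jitter tolerance are tuning choices for the sample, not Logsign defaults; in practice the threshold should be set from the host's normal outbound volume, and the interval check should be run per destination so that a high-volume but legitimate transfer (the `jsmith` line here) is not mistaken for a beacon.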

13.png

14.png

By looking at the logs in the folder where the file inspection was performed, we found the accessed file as shown above.

The machine infected with the malware is isolated from the network, and the malicious file found on it can be analyzed in a sandbox.

After analyzing the findings and notes, the Case reason is written, and the event (incident) is closed.
