Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.
One of the most prevalent threats today, facing organizations and individuals alike, is ransomware. In 2021, 37% of organizations said they had been victims of some form of ransomware attack. Ransomware can render large amounts of critical data inaccessible almost instantly, which makes reacting to potential ransomware events in a timely and accurate manner extremely important. An endpoint security tool is essential to help mitigate these threats. However, it is just as important to maintain vigilance and situational awareness when addressing them, and not to rely on a single piece of information when performing analysis.
The AT&T Managed Extended Detection and Response (MXDR) analyst team received an alarm stating that SentinelOne had detected ransomware on a customer's asset. The logs suggested the threat had been automatically quarantined, but further analysis suggested something more sinister was afoot: the same malicious executable had been detected on that asset twice before, both times reportedly being automatically quarantined. Malware that keeps reappearing after quarantine can be an indicator of a deeper infection such as a rootkit. After a more in-depth analysis and collaboration with the customer, the decision was made to quarantine and power off the asset, and to replace the asset entirely because of this persistent malware.
Initial alarm review
Indicators of Compromise (IOC)
The initial SentinelOne alarm alerted us to an executable 'mssecsvc.exe':
The name of the executable, as well as its file path, is cleverly crafted to mimic a legitimate Windows program.
Searching events for the file hash revealed it had been repeatedly detected on the same asset over the previous two weeks. In each instance the event log reports the executable being automatically quarantined by SentinelOne.
Additionally, a search in USM Anywhere revealed two previous investigations opened for the same executable on the same asset. In both earlier investigations the customer noted that SentinelOne had automatically quarantined the file but did not take any further action regarding the asset.
Event deep dive
In the new instance of this alarm the event log reports that SentinelOne successfully killed every process associated with the executable and quarantined the file.
This may lead one to believe there is no longer a threat. But the persistent nature of this file raises more questions than the event log can answer: a file that is quarantined and then detected again on the same host was put back by something the endpoint tool did not remove.
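The pattern above (the same hash quarantined repeatedly on the same host, with each event individually reading as "handled") is easy to miss when alarms are triaged one at a time. The following is an added example, not code from the original post or from AT&T or SentinelOne: it groups constructed endpoint-detection events by host and hash and escalates any hash that recurs within a window even though every event reports a quarantine. The event field names, hostnames, hashes and paths are invented for illustration and do not reflect SentinelOne's actual event schema.

```python
# Added example (not from the original post): flag "auto-quarantined" detections that
# keep recurring for the same file hash on the same host. Field names and values are
# constructed for illustration; they are not SentinelOne's event schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one hash quarantined three times on WS-042 within two
# weeks (should escalate) and a one-off detection on WS-007 (should not).
SAMPLE_EVENTS = [
    {"ts": "2022-03-01T09:12:00", "host": "WS-042", "file": r"C:\Windows\mssecsvc.exe",
     "sha256": "a" * 64, "action": "quarantined"},
    {"ts": "2022-03-06T14:40:00", "host": "WS-042", "file": r"C:\Windows\mssecsvc.exe",
     "sha256": "a" * 64, "action": "quarantined"},
    {"ts": "2022-03-13T08:05:00", "host": "WS-042", "file": r"C:\Windows\mssecsvc.exe",
     "sha256": "a" * 64, "action": "quarantined"},
    {"ts": "2022-03-10T11:00:00", "host": "WS-007", "file": r"C:\Users\bob\Downloads\setup.exe",
     "sha256": "b" * 64, "action": "quarantined"},
]


def find_persistent_quarantines(events, min_hits=2, window=timedelta(days=14)):
    """Return {(host, sha256): [timestamps]} for every hash quarantined at least
    `min_hits` times on one host inside a `window`-long span.

    Every input event already says 'quarantined'; the signal is the recurrence,
    not the verdict. A file that comes back after quarantine points to a dropper
    or persistence mechanism the endpoint tool is not removing.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["action"] != "quarantined":
            continue
        by_key[(e["host"], e["sha256"])].append(datetime.fromisoformat(e["ts"]))

    hits = {}
    for key, times in by_key.items():
        times.sort()
        # Sliding window: from each detection, count later ones within `window`.
        for i, start in enumerate(times):
            span = [t for t in times[i:] if t - start <= window]
            if len(span) >= min_hits:
                hits[key] = times
                break
    return hits


def triage(events):
    """Turn recurrence findings into analyst-facing escalation lines."""
    lines = []
    for (host, sha), times in find_persistent_quarantines(events).items():
        lines.append(
            f"ESCALATE {host}: {sha[:12]}... quarantined {len(times)}x between "
            f"{times[0].date()} and {times[-1].date()}; investigate parent process "
            "and persistence, do not close on 'quarantined' alone"
        )
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The threshold and window are deliberately parameters: two hits in two weeks is a reasonable default for a SOC queue, but a noisy environment may want a higher `min_hits`, and the check should run against the historical event store, not just the alarm that fired.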
Reviewing additional indicators
It is important not to rely on a single piece of information when assessing threats, and to go beyond what is contained in the logs we are given. Open-source threat intelligence strengthens our analysis and can confirm findings. VirusTotal showed that the file hash was flagged as malicious by multiple other vendors.
The executable was also analyzed in JoeSandbox. This revealed that the file contained a device path for a binary string 'FLASHPLAYERUPDATESERVICE.EXE', which could be used for kernel-mode communication, further hinting at a rootkit.
Building the investigation
Despite the event log suggesting the threat had been automatically quarantined, the combination of the repeat occurrences and the findings on open-source threat intel platforms warranted raising an investigation to the customer. The customer was alerted to the additional findings, and it was recommended that the asset be removed from the network.
The customer agreed with the initial assessment and suspected something more serious. The analysts then searched through the Deep Visibility logs from SentinelOne to determine the source of mssecsvc.exe. Deep Visibility logs allow us to follow related processes in storyline order. In this case, it appears that 'mssecsvc.exe' originated from the same 'FlashPlayerUpdateService.exe' we saw in the JoeSandbox analysis. Deep Visibility also showed us that mssecsvc.exe had a parent process of wininit.exe, which was likely the source of persistence.
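Following a process storyline means rebuilding the parent/child tree from process-creation records and walking a suspicious process's ancestry back to a system process, then asking whether that system process should have spawned it at all. The following is an added example, not code from the original post or from SentinelOne: it rebuilds a tree from constructed process records, returns the ancestry chain for a given image name, and flags children of wininit.exe that fall outside a baseline of what wininit.exe normally launches. The PIDs, record fields and the chain itself are invented to mirror the case narrative, and the baseline of expected wininit.exe children is an assumption the reader should tune to their own environment.

```python
# Added example (not from the original post): rebuild a process "storyline" from
# constructed process-creation records and walk a suspicious process's ancestry.
# PIDs and field names are invented; this is not SentinelOne Deep Visibility's schema.
from collections import defaultdict

# Constructed records mirroring the case: wininit.exe -> FlashPlayerUpdateService.exe
# -> mssecsvc.exe, alongside a normal wininit.exe -> services.exe -> svchost.exe chain.
SAMPLE_PROCS = [
    {"pid": 4,    "ppid": 0,    "image": "System"},
    {"pid": 560,  "ppid": 4,    "image": "wininit.exe"},
    {"pid": 640,  "ppid": 560,  "image": "services.exe"},
    {"pid": 1200, "ppid": 640,  "image": "svchost.exe"},
    {"pid": 2212, "ppid": 560,  "image": "FlashPlayerUpdateService.exe"},
    {"pid": 3980, "ppid": 2212, "image": "mssecsvc.exe"},
]

# Assumed baseline: on a stock Windows host wininit.exe launches only these children.
# Anything else under wininit.exe deserves a look, as it did in this investigation.
EXPECTED_CHILDREN = {
    "wininit.exe": {"services.exe", "lsass.exe", "lsm.exe"},
}


def build_tree(procs):
    """Index records by pid and build a parent-pid -> [child pids] map."""
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p["pid"])
    return by_pid, children


def ancestry(procs, pid):
    """Walk from `pid` up to the root, returning image names child-first.
    A `seen` set guards against cyclic or reused PIDs in real telemetry."""
    by_pid, _ = build_tree(procs)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def storyline(procs, image):
    """Ancestry chains for every process whose image matches `image`."""
    return [ancestry(procs, p["pid"]) for p in procs
            if p["image"].lower() == image.lower()]


def unexpected_children(procs):
    """(parent image, child image) pairs where a baselined system process
    spawned something outside its expected set of children."""
    by_pid, children = build_tree(procs)
    findings = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or parent["image"].lower() not in EXPECTED_CHILDREN:
            continue
        allowed = EXPECTED_CHILDREN[parent["image"].lower()]
        for kid in kids:
            if by_pid[kid]["image"].lower() not in allowed:
                findings.append((parent["image"], by_pid[kid]["image"]))
    return findings


if __name__ == "__main__":
    for chain in storyline(SAMPLE_PROCS, "mssecsvc.exe"):
        print(" <- ".join(chain))
    for parent, child in unexpected_children(SAMPLE_PROCS):
        print(f"unexpected child of {parent}: {child}")
```

The two questions the example answers are the ones the analysts asked here: where did mssecsvc.exe come from, and why is a system process such as wininit.exe spawning an updater-looking binary at all. The second check is what turns a one-off detection into a persistence hypothesis worth acting on.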
Another notable feature of USM Anywhere is the ability to take action from one centralized portal. As a result of the investigation, the analysts used the Advanced AlienApp for SentinelOne to place the asset in network quarantine mode and then power it off. An internal ticket was submitted by the customer to have the asset replaced entirely.
Limitations and opportunities
A limiting factor for the SOC is our visibility into the customer's environment, as well as what information we are presented with in log data. The event logs associated with this alarm suggested there was no longer a threat, since it had been killed and quarantined by SentinelOne. Taking a single piece of information at face value could have led to further damage, both financial and reputational. This investigation highlighted the importance of thinking outside the log, researching historical investigations, and combining multiple sources of information to improve our analysis.