Executive Summary
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
Malicious network traffic from foreign IPs was observed trying to establish communication to a compromised internal system. The internal system was then observed trying to execute lateral movement to other internal systems by undertaking nefarious actions that were essentially blocked by the on-premises Host Intrusion Detection System (HIDS).
Investigation
Initial Alarm Review
Indicators of Compromise (IOC)
Image 1 – Initial Alarm
In the initial alarm, the first event captured was an internal IP calling out to a known malicious C2 IP (208[.]100[.]26[.]245). This simple event is an initial clue that the internal system may be compromised. A hasty review could suggest that the alarm could be closed out as auto-mitigated, given that we’…
Posted by: Josh Gomez
The post Stories from the SOC – System compromise with lateral movement appeared first on Cybersecurity Insiders.
May 26, 2020 at 09:09PM