Tuesday, May 26, 2020

Stories from the SOC – System compromise with ateral movement

Executive Summary
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
Malicious network traffic from foreign IPs was observed trying to establish communication to a compromised internal system. The internal system was then observed trying to execute lateral movement to other internal systems by undertaking nefarious actions that were essentially blocked by the on-premises Host Intrusion Detection System (HIDS). 
Investigation
Initial Alarm Review
Indicators of Compromise (IOC)
Image 1 – Initial Alarm
Observing the initial alarm, the first event captured was an internal IP out-calling to a known malicious C2 IP (208[.]100[.]26[.]245). This simple event is an initial clue into the internal system potentially being compromised. A hasty review could suggest that the alarm could be closed out as auto-mitigated, given that we&rsquo…

Josh Gomez Posted by:

Josh Gomez

Read full post

      

The post Stories from the SOC – System compromise with ateral movement appeared first on Cybersecurity Insiders.


May 26, 2020 at 09:09PM

0 comments:

Post a Comment