
Cobalt Strike
In late May, Trend Micro Managed XDR alerted a customer to a noteworthy Vision One alert on one of their endpoints. What followed was a deeper investigation that involved searching for other similarly infected endpoints and the confirmation of a Cobalt Strike detection. The alert from one endpoint led to the collection of further evidence and clues that pointed to other infected endpoints, eventually revealing the root of the attack. This blog will cover the tactics and steps we took during this investigation.

Cobalt Strike is a well-known beacon or post-exploitation tool that has been linked to ransomware families like Ryuk, DoppelPaymer, and Povlsomware. In fact, we published a report on a similar case wherein we used Cobalt Strike to track a Conti ransomware campaign. The Cobalt Strike variant used here follows its typical characteristics. However, this report focuses on the process of uncovering its tracks in order to fully contain and remove the malware.

We first uncovered several detections related to Cobalt Strike, accompanied by a machine learning detection later verified as IcedID. In such cases, the initial detections usually point to something big: the distribution of ransomware.

Before we delve into the details we want to detail the process we followed in this investigation. It involved several interconnected steps that occurred simultaneously and repeatedly throughout the process:

- Checking the context of the generated alerts.
- Creating an indicators of compromise (IOCs) list and observing for tactics, techniques, and procedures (TTPs) to check in the environment, which will be improved in the next items.