Event ID: 43 — Let’s Defend
SOC112 — Traffic to Blacklisted IP
- Alert Time: Jan 31, 2021, 11:02 AM
- Alert Source IP: 172.16.17.21
- Alert URL: http://22.214.171.124/OBBBOP.exe
- Alert Action: Allowed
- Event Type: Proxy
Before we begin the playbook, let's first gather information about the triggering URL. Since the rule name states that the alert was caused by a connection to a blacklisted IP, we need to check the "Threat Intel" feed to confirm whether the IP is present there.
And yes, we can see that the threat intel feed lists this IP as malicious with a score of 10. Furthermore, if we search for the URL in URLhaus, we can see that the URL points to a sample of "Ave Maria RAT".
Searching for the sample in VirusTotal also confirms that the sample is indeed malicious.
Now that we have confirmed that the URL is indeed malicious, let's see whether the IP or the URL was actually contacted.
Looking at the network logs, we can see that the malicious IP was indeed contacted at the same time the alert was raised.
And from the endpoint network logs, we can also see that the malicious IP 126.96.36.199 was contacted at the same time the alert was created.
Thus we can be sure that the host "Jack" (172.16.17.21) did contact a blacklisted IP and even requested malware. Let's start the playbook.
First, the playbook asks us to gather a standard set of information about the triggering URL, namely the source IP address, the destination IP address and the User-Agent used in the request.
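The log check and the information-gathering step above can be scripted. The following is an added example, not code from LetsDefend or from the original write-up: it parses a few constructed proxy log lines (the column layout, the second destination IP and the User-Agent strings are assumptions), matches each destination against a constructed threat-intel feed that mirrors the score-of-10 entry for the alert IP, and produces the answers the playbook asks for: which hosts accessed the blacklisted destination, the source IP / destination IP / User-Agent for each hit, and the artifact list. Malformed log lines are skipped rather than aborting the triage, and the sample's MD5 hash, which cannot be recovered from proxy logs alone, is left as a labelled placeholder.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Constructed threat-intel feed (assumption): IP -> reputation score, mirroring the
# score-of-10 entry the feed showed for the alert IP.
THREAT_INTEL = {"22.214.171.124": 10}

# Constructed proxy log lines (not from the LetsDefend platform). Assumed layout:
# <date> <time> <src_ip> <dst_ip> <url> <action> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2021-01-31 11:02:03 172.16.17.21 22.214.171.124 http://22.214.171.124/OBBBOP.exe Allowed "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-01-31 11:02:45 172.16.17.22 93.184.216.34 http://example.com/index.html Allowed "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-01-31 11:05:10 172.16.17.21 93.184.216.34 http://example.com/update.txt Allowed "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
this line is deliberately malformed and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<src>\S+) (?P<dst>\S+) (?P<url>\S+) (?P<action>\S+) "(?P<ua>[^"]*)"$'
)


@dataclass
class ProxyEvent:
    time: datetime
    src_ip: str
    dst_ip: str
    url: str
    action: str
    user_agent: str


def parse_proxy_log(text: str) -> list[ProxyEvent]:
    """Parse the constructed log layout; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(ProxyEvent(
            time=datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
            src_ip=m["src"], dst_ip=m["dst"], url=m["url"],
            action=m["action"], user_agent=m["ua"]))
    return events


def is_blacklisted(event: ProxyEvent, feed: dict, min_score: int = 7) -> bool:
    """Match on the destination IP and on the host part of the URL, so a request
    whose connection IP differs from the IP in the URL is still caught."""
    host = urlparse(event.url).hostname or ""
    return any(feed.get(ip, 0) >= min_score for ip in (event.dst_ip, host))


def triage(events: list[ProxyEvent], feed: dict) -> dict:
    """Answer the playbook's questions: did any host access a blacklisted
    destination, the standard info per hit, and the artifacts to record."""
    hits = [e for e in events if is_blacklisted(e, feed)]
    return {
        "accessed": bool(hits),
        "hosts": sorted({e.src_ip for e in hits}),
        "details": [
            {"time": e.time.isoformat(), "src_ip": e.src_ip, "dst_ip": e.dst_ip,
             "user_agent": e.user_agent, "action": e.action}
            for e in hits
        ],
        # Artifacts: URL and IP come from the log; the sample hash is not
        # recoverable from proxy logs, so it stays an explicit placeholder.
        "artifacts": sorted({e.url for e in hits} | {e.dst_ip for e in hits})
                     + ["<MD5 of the downloaded sample: fill in from sandbox/VirusTotal>"],
    }


if __name__ == "__main__":
    result = triage(parse_proxy_log(SAMPLE_PROXY_LOG), THREAT_INTEL)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Matching on both the connection IP and the URL host is the useful part: a proxy may log a CDN or redirector as the destination while the URL itself names the blacklisted IP, and checking only one of the two would miss the hit.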
Now the playbook asks us to mark the URL as malicious or non-malicious. We know it's malicious.
The playbook then asks whether any of the hosts contacted the malicious URL. We know that host "Jack" accessed the URL, so we mark it as "Accessed".
The playbook then asks us to start containment of the host, and so we do.
The playbook now asks us to record the artifacts of this alert. As the only artifacts are the URL and the malicious IP, we add those as the artifacts.
Note: I forgot to add the MD5 hash of the malware sample that the URL is pointing to.
Finally, we add a note explaining the reasoning behind the actions taken for this alert.
And then we close the case.