SenseOn SOC Playbook: Malware
The following process describes how managed providers of SenseOn should extend the investigation of malware incidents in end-customer estates, and contains best-practice guidance for additional manual threat hunting and containment.
Process Flowchart
Identification
File Analysis
Action for provider of SenseOn MDR
If Endpoint Protection (EPP) has detected a suspected malicious file, the hash will be available in the observation details alongside the detection details. Depending upon the EPP configuration, the file may be available from Quarantine; contact SenseOn support for details on how to access these files. Alternatively, the file can be retrieved using the SenseOn Resilience script ‘Directory & File Control’.
Resilience Script Access: If you do not have access to the SenseOn Resilience script repository and are a SenseOn MDR provider or customer, contact the SenseOn support team for access.
Hash Intelligence/Third Party Review
Action for provider of SenseOn MDR
Check the file hash against open-source threat intelligence vendors. File hash analysis is passive, meaning samples do not need to be uploaded externally. Pay particular attention to the malware variant these sites attribute the sample to; this will be useful during the eradication phase.
Don't share files: Do not upload files to any public third-party service, as doing so makes the file available to third parties, which could leak private information or tip off the attacker that a unique file from that compromise has been detected. Only search for file hashes.
Optional sources:
Dynamic Analysis
Action for provider of SenseOn MDR
- Upload the file to a private malware assessment solution. If you have access to the SenseOn private malware assessment solution follow the privately shared steps to access this and upload the files.
- If the file is malicious, follow the standard escalation procedure to a senior analyst.
Result Analysis and Corroboration
Action for provider of SenseOn MDR
Does the analysis confirm this to be a suspicious or malicious file?
1. How confident is the dynamic analysis?
2. Do third-party analysis tools corroborate this assessment?
3. Reference the third-party review of the hash for other analysis results.
IOC and TTP Analysis
Action for provider of SenseOn MDR
The queries below can be used as starting points to check for identified IOCs. They should be adapted and modified based on the results of the static and dynamic analysis.
DNS Check
SELECT _time_observed,
source_hostname,
query_name
FROM network_dns
WHERE query_name IN ['IOC1','IOC2']
HTTP Check
SELECT _time_observed,
source_hostname,
dest_hostname,
request_uri
FROM network_http
WHERE dest_hostname IN ['IOC1','IOC2']
OR request_uri IN ['IOC1','IOC2']
OR dest_ip IN ['IOC1','IOC2']
TLS Check
SELECT _time_observed,
source_hostname,
dest_hostname
FROM network_tls
WHERE dest_hostname IN ['IOC1','IOC2']
OR dest_ip IN ['IOC1','IOC2']
Check for TTP & Process behaviours
SELECT _time_observed,
parent_name,
name,
command,
username
FROM endpoint_process
WHERE name IN ['IOC1','IOC2']
OR command LIKE '%IOC1%'
Containment
After confirming the malicious behaviour and the attack scope, perform an impact assessment before taking containment actions, using the following steps:
Impact Assessment
Action for provider of SenseOn MDR
- Assess the number of hosts impacted. If more than 2 hosts are impacted, escalate internally.
- Assess the asset severity of these hosts.
- Is customer escalation required? If any asset is listed as a priority asset, follow the standard escalation procedure to a senior analyst before notifying the customer.
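As an added example (not SenseOn's own code or query language), the following Python script runs the four IOC checks from the IOC and TTP Analysis section over a handful of constructed telemetry records and then applies the impact-assessment rules above (more than 2 hosts triggers internal escalation; a priority asset triggers escalation to a senior analyst). Table and column names follow the queries on this page; the `_hostname` column on `endpoint_process`, the IOC values, the hostnames and the records are all assumptions or constructed data. Substring matching on `command` mirrors the `LIKE '%IOC1%'` clause, and all matching here is case-insensitive, which is worth confirming for the platform queries before relying on them.

```python
"""Added example, not SenseOn's own code: a local IOC sweep over constructed
telemetry, mirroring the DNS, HTTP, TLS and process checks, followed by the
impact-assessment rules from the Containment section."""
from typing import Dict, Iterable, List

# Constructed IOCs (placeholders from documentation ranges, not real indicators).
IOCS = {"bad-domain.example", "203.0.113.7", "/drop/payload.bin", "updater.exe"}

# Constructed telemetry keyed by the table names used in the playbook queries.
# `_hostname` on endpoint_process is assumed; the page's process query omits it.
TELEMETRY: Dict[str, List[dict]] = {
    "network_dns": [
        {"_time_observed": "2024-05-01T09:00:00Z", "source_hostname": "WS-01",
         "query_name": "bad-domain.example"},
        {"_time_observed": "2024-05-01T09:05:00Z", "source_hostname": "WS-02",
         "query_name": "intranet.example"},
    ],
    "network_http": [
        {"_time_observed": "2024-05-01T09:07:00Z", "source_hostname": "WS-03",
         "dest_hostname": "cdn.example", "request_uri": "/drop/payload.bin",
         "dest_ip": "198.51.100.9"},
    ],
    "network_tls": [
        {"_time_observed": "2024-05-01T09:08:00Z", "source_hostname": "WS-01",
         "dest_hostname": "BAD-DOMAIN.EXAMPLE", "dest_ip": "203.0.113.7"},
    ],
    "endpoint_process": [
        {"_time_observed": "2024-05-01T09:09:00Z", "_hostname": "SRV-DB-01",
         "parent_name": "explorer.exe", "name": "cmd.exe",
         "command": "cmd.exe /c C:\\Users\\Public\\Updater.exe /silent",
         "username": "CORP\\jdoe"},
    ],
}

# Per table: columns compared with IN [...] (exact) and with LIKE '%...%' (substring).
FIELD_RULES = {
    "network_dns": (["query_name"], []),
    "network_http": (["dest_hostname", "request_uri", "dest_ip"], []),
    "network_tls": (["dest_hostname", "dest_ip"], []),
    "endpoint_process": (["name"], ["command"]),
}


def _norm(value) -> str:
    """Lower-case and trim so 'BAD-DOMAIN.EXAMPLE' still matches the IOC list."""
    return (value or "").strip().lower()


def sweep(telemetry: Dict[str, List[dict]], iocs: Iterable[str]) -> List[dict]:
    """Return one hit per record that matches any IOC, with the matching columns."""
    norm_iocs = {_norm(i) for i in iocs if _norm(i)}
    hits = []
    for table, (exact_fields, substr_fields) in FIELD_RULES.items():
        for rec in telemetry.get(table, []):
            matched = [f for f in exact_fields if _norm(rec.get(f)) in norm_iocs]
            matched += [f for f in substr_fields
                        if any(ioc in _norm(rec.get(f)) for ioc in norm_iocs)]
            if matched:
                hits.append({
                    "table": table,
                    "time": rec.get("_time_observed"),
                    "host": rec.get("source_hostname") or rec.get("_hostname"),
                    "matched_fields": matched,
                })
    return hits


def assess_impact(hits: List[dict], priority_assets: Iterable[str],
                  host_threshold: int = 2) -> dict:
    """Impact-assessment rules: more than host_threshold hosts -> escalate internally;
    any priority asset -> escalate to a senior analyst before customer notification."""
    hosts = {h["host"] for h in hits if h["host"]}
    priority_hit = hosts & set(priority_assets)
    return {
        "impacted_hosts": sorted(hosts),
        "escalate_internal": len(hosts) > host_threshold,
        "escalate_to_senior": bool(priority_hit),
        "priority_assets_hit": sorted(priority_hit),
    }


if __name__ == "__main__":
    found = sweep(TELEMETRY, IOCS)
    for h in found:
        print(f"{h['time']} {h['table']:<17} {h['host']:<10} via {', '.join(h['matched_fields'])}")
    print(assess_impact(found, priority_assets={"SRV-DB-01"}))
```

The sweep deliberately records which columns matched, since a TLS hit on both `dest_hostname` and `dest_ip` is stronger corroboration than a single-field match, and the host set it produces is the input to the escalation decision rather than a separate manual count.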
Isolation
Action for provider of SenseOn MDR
- Isolate compromised devices after gaining approval. Each customer should have pre-agreed decision criteria to enable timely containment with minimal business impact.
- Continuously assess the wider estate using the IOCs and TTPs identified during the investigation. Isolate further devices if additional malicious behaviour is spotted.
Account Containment
Action for customer
- Reset compromised users' credentials across Active Directory / Microsoft Entra
- Rotate users' keys where applicable
- Revoke any active user sessions
- If necessary, lock impacted accounts
Persistence
Action for provider of SenseOn MDR
If the malware has not been automatically cleaned up by EPP, use the eviction scripts from the SenseOn repository to remove malicious processes and persistence mechanisms. If EPP has cleaned up the infection, manually confirm that all traces have been removed.
Additional optional queries are provided below to help identify persistence methods; they may need to be modified depending on the incident.
Check the recently logged-in sessions for this account around the compromise time frame:
SELECT user,
_hostname,
min(_time_observed),
max(_time_observed)
FROM endpoint_logon_session
WHERE user = 'X'
GROUP BY user,
_hostname
Check recently authorised accounts on the compromised device:
SELECT _time_observed,
_hostname,
user,
profile_path,
home_directory
FROM endpoint_logon_session
WHERE _hostname = 'X'
Review
- Review all IOCs across the environment to ensure no additional compromise has occurred during the incident
- Review user lockout status to ensure the account hasn’t been unlocked during the incident by the service desk or other means
- Review active user sessions across devices; new sessions seen after lockout may indicate a gap that needs escalation
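As an added example (not SenseOn's own code), the following Python script reproduces the two logon-session checks from the Persistence section and the after-lockout session review above, run over constructed `endpoint_logon_session` records: first and last seen per host for the compromised account within the compromise window, the distinct accounts seen on the compromised device, and any session for the locked account that starts after the lockout time. The account names, hostnames, compromise window and lockout time are all constructed.

```python
"""Added example, not SenseOn's own code: the two logon-session checks from the
Persistence section and the after-lockout session review, run over constructed
endpoint_logon_session records."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Constructed records; column names follow the queries on this page.
SESSIONS: List[Dict[str, str]] = [
    {"_time_observed": "2024-04-20T11:00:00Z", "_hostname": "WS-07", "user": "CORP\\jdoe",
     "profile_path": "C:\\Users\\jdoe", "home_directory": ""},
    {"_time_observed": "2024-05-01T08:55:00Z", "_hostname": "WS-01", "user": "CORP\\jdoe",
     "profile_path": "C:\\Users\\jdoe", "home_directory": ""},
    {"_time_observed": "2024-05-01T09:10:00Z", "_hostname": "WS-01", "user": "CORP\\jdoe",
     "profile_path": "C:\\Users\\jdoe", "home_directory": ""},
    {"_time_observed": "2024-05-01T09:30:00Z", "_hostname": "SRV-FS-01", "user": "CORP\\jdoe",
     "profile_path": "C:\\Users\\jdoe", "home_directory": ""},
    {"_time_observed": "2024-05-01T10:00:00Z", "_hostname": "WS-01", "user": "CORP\\asmith",
     "profile_path": "C:\\Users\\asmith", "home_directory": ""},
    {"_time_observed": "2024-05-01T14:00:00Z", "_hostname": "WS-02", "user": "CORP\\jdoe",
     "profile_path": "C:\\Users\\jdoe", "home_directory": ""},
]

COMPROMISED_USER = "CORP\\jdoe"                 # constructed
COMPROMISED_HOST = "WS-01"                      # constructed
WINDOW_START = parse_ts("2024-05-01T08:00:00Z")  # constructed compromise window
WINDOW_END = parse_ts("2024-05-01T12:00:00Z")
LOCKOUT_TIME = parse_ts("2024-05-01T12:00:00Z")  # when the account was locked


def sessions_for_user(records, user, start, end) -> List[dict]:
    """Equivalent of the GROUP BY user, _hostname query (min/max _time_observed),
    restricted to sessions inside the compromise window."""
    by_host = defaultdict(list)
    for r in records:
        t = parse_ts(r["_time_observed"])
        if r["user"] == user and start <= t <= end:
            by_host[r["_hostname"]].append(t)
    return [
        {"user": user, "_hostname": host, "first_seen": min(ts),
         "last_seen": max(ts), "sessions": len(ts)}
        for host, ts in sorted(by_host.items())
    ]


def accounts_on_host(records, hostname) -> List[dict]:
    """Equivalent of the WHERE _hostname = 'X' query, collapsed to one row per
    account in order of first appearance so new or unexpected accounts stand out."""
    first = {}
    for r in sorted(records, key=lambda r: r["_time_observed"]):
        if r["_hostname"] == hostname and r["user"] not in first:
            first[r["user"]] = {"user": r["user"], "first_seen": parse_ts(r["_time_observed"]),
                                "profile_path": r["profile_path"]}
    return list(first.values())


def sessions_after_lockout(records, user, lockout) -> List[dict]:
    """Review step: any session for the locked account starting after lockout is a
    containment gap (account unlocked, or lockout not applied everywhere)."""
    return [r for r in records if r["user"] == user and parse_ts(r["_time_observed"]) > lockout]


if __name__ == "__main__":
    for row in sessions_for_user(SESSIONS, COMPROMISED_USER, WINDOW_START, WINDOW_END):
        print(f"{row['_hostname']:<10} first {row['first_seen']} last {row['last_seen']} ({row['sessions']})")
    for acct in accounts_on_host(SESSIONS, COMPROMISED_HOST):
        print(f"{COMPROMISED_HOST}: {acct['user']} first seen {acct['first_seen']}")
    for gap in sessions_after_lockout(SESSIONS, COMPROMISED_USER, LOCKOUT_TIME):
        print(f"GAP: {gap['user']} on {gap['_hostname']} at {gap['_time_observed']}")
```

The window filter is what the page's `WHERE user = 'X'` query leaves to the analyst; without it, historical logons (the 20 April session here) inflate the list of hosts to sweep, while the after-lockout check is the one that should be re-run on a schedule rather than once.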
Eradication
Joint action for customer and provider of SenseOn MDR
- Initiate a full antivirus scan on the device for initial cleanup and remediation
- Review the dynamic analysis report for endpoint modifications such as registry changes, scheduled task additions and file drop locations
- Compare the dynamic analysis to online resources for the identified strain of malware
- Use these findings on the compromised endpoint to confirm AV cleanup; if remnants are left, remove them or revert modifications to the prior state
- Restore from backup or a fresh image depending on the severity and scope of the incident
Recovery
Joint action for customer and provider of SenseOn MDR
- SenseOn MDR provider to monitor for ongoing activity using the threat hunting queries created during the incident; this ensures no gaps in the containment and eradication stages
- Create ‘health monitoring’ tasks for endpoint and user behaviour; this check is to be performed on a frequent basis
- Remove device isolation restrictions after the time window agreed with the customer
- Agree with the customer on successful recovery once no additional anomalous behaviour has been identified after the eradication period