
SenseOn SOC Playbook: Remote Management Connections

The following process is how managed providers of SenseOn should extend the investigation of incidents in end customer estates and contains best practice guidance for additional manual threat hunting and containment.

Process Flowchart

Figure: Malware flowchart

Identification

Source Process Analysis

Action for provider of SenseOn MDR

Use the Directory & File Control Resilience script from the SenseOn repository to first hash the file and then download the sample for analysis in the SenseOn Sandbox.

💡 Resilience Script Access: If you do not have access to the SenseOn Resilience script repository and are a SenseOn MDR provider or customer, contact the SenseOn support team for access.

Check for other suspicious related network connections. This can be achieved in Hunt-Lab by leveraging the following queries in the Query Library:

  • ‘Connections by a Specific Program’. This will return other connections from the suspicious process.
  • ‘Usernames associated with a certain program installed on a device’. This will check how common the suspicious program is across the estate.

External Host Analysis

Action for provider of SenseOn MDR

Identify the external host being communicated with. This can involve:

  • Performing a whois lookup of the external location
  • Checking the IP/domain against OSINT
  • Checking for previous connections to the location using the ‘Network connections between two hosts’ Hunt-Lab query
  • Checking for DNS requests and resolutions for the external host using the ‘Threat Hunting - DNS Requests’ Hunt-Lab query

Remote Desktop Protocol (RDP) and Terminal Services

Action for provider of SenseOn MDR

Check the RDP and Terminal Services logs for evidence of one or multiple successful connections. This can be achieved in Windows using the Event Viewer.

Application Review

Action for provider of SenseOn MDR

Use the following Hunt-Lab query to identify remote management connection applications across the estate (substitute the application name for X):

SELECT DISTINCT _hostname,
  name,
  version,
  install_location,
  install_source,
  install_date,
  publisher
FROM endpoint_program
WHERE name LIKE '%X%'

Containment

After confirming malicious behaviour and the attack scope, an impact assessment should be performed before containment actions are taken. This can be done using the following process.

Impact Assessment

Action for provider of SenseOn MDR

Assess whether the initiating process, the connection or the external host is malicious. If so, consider what impact adding any firewall rules may have.

Firewall Configuration & Isolation

Joint action for customer and provider of SenseOn MDR

Add appropriate firewall rule(s) to block further connections to any identified malicious external locations. This can be done using the ‘Firewall Interaction’ resilience script from the SenseOn repository, by interacting with the device locally or using a trusted remote access solution.

💡 Resilience Script Access: If you do not have access to the SenseOn Resilience script repository and are a SenseOn MDR provider or customer, contact the SenseOn support team for access.

If the impact is low, consider isolating the host with an Active Response action instead of bespoke firewall rules to ensure the threat is adequately contained.

Lateral Movement

Action for provider of SenseOn MDR

Check for and minimise lateral movement to other devices on the network. This can involve:

  • Analysing the recently logged-in sessions for this account around the compromise time frame (substitute the account name for X):

SELECT user,
  _hostname,
  min(_time_observed),
  max(_time_observed)
FROM endpoint_logon_session
WHERE user = 'X'
GROUP BY user, _hostname

  • Locking out the compromised user and resetting credentials

If lateral movement is detected, follow the same steps as above for each affected resource.
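The following is an added example, not SenseOn's code or a Hunt-Lab feature: it models the lateral movement query above over constructed endpoint_logon_session rows in SQLite and then goes one step further, flagging the hosts on which the compromised account was first observed inside the compromise window. It assumes the table has columns user, _hostname and _time_observed, stored here as ISO-8601 UTC text; real Hunt-Lab column types may differ.

```python
# Added example (not SenseOn's code): run the playbook's lateral-movement query
# over constructed telemetry, then flag hosts first reached inside the window.
# Assumption: endpoint_logon_session(user, _hostname, _time_observed) with
# _time_observed as ISO-8601 UTC text (sorts correctly as a string).
import sqlite3

# Constructed sample telemetry: one compromised account, several hosts.
SAMPLE_SESSIONS = [
    ("corp\\jdoe", "WS-0142", "2024-03-01T08:05:00Z"),   # usual workstation
    ("corp\\jdoe", "WS-0142", "2024-03-04T08:10:00Z"),
    ("corp\\jdoe", "FS-01",   "2024-03-04T22:41:00Z"),   # new host inside window
    ("corp\\jdoe", "FS-01",   "2024-03-04T23:02:00Z"),
    ("corp\\jdoe", "DC-02",   "2024-03-05T01:15:00Z"),   # new host inside window
    ("corp\\asmith", "DC-02", "2024-03-05T01:20:00Z"),   # different account
]

# The playbook query, parameterised on the account name.
LOGON_SESSION_QUERY = """
SELECT user, _hostname, min(_time_observed), max(_time_observed)
FROM endpoint_logon_session
WHERE user = ?
GROUP BY user, _hostname
"""

def load_sessions(rows):
    """Build an in-memory table shaped like endpoint_logon_session (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoint_logon_session "
                 "(user TEXT, _hostname TEXT, _time_observed TEXT)")
    conn.executemany("INSERT INTO endpoint_logon_session VALUES (?, ?, ?)", rows)
    return conn

def logon_sessions(conn, user):
    """First and last observed logon per host for the account (the playbook query)."""
    return conn.execute(LOGON_SESSION_QUERY, (user,)).fetchall()

def new_hosts_in_window(conn, user, window_start, window_end):
    """Hosts whose FIRST observed logon for this account falls inside the
    compromise window: the lateral-movement candidates to work through next."""
    return sorted(
        host for _, host, first_seen, _ in logon_sessions(conn, user)
        if window_start <= first_seen <= window_end
    )

if __name__ == "__main__":
    db = load_sessions(SAMPLE_SESSIONS)
    for row in logon_sessions(db, "corp\\jdoe"):
        print(row)
    print(new_hosts_in_window(db, "corp\\jdoe",
                              "2024-03-04T20:00:00Z", "2024-03-05T06:00:00Z"))
```

Hosts returned by new_hosts_in_window are the ones to take back through the Identification and Containment steps above; WS-0142 is excluded because the account was seen there before the window.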

Eradication

Joint action for customer and provider of SenseOn MDR

To effectively contain and remediate this sort of incident, the following eradication approaches should be considered:

  1. SenseOn MDR provider to review if uninstalling / removing the abused remote access software is feasible and worthwhile
  2. SenseOn MDR provider to review if uninstalling / removing any additional tooling installed by the threat actor is feasible, or advise on an alternative eradication approach to the customer
  3. Customer MDR provider to initiate a full Antivirus scan of affected devices for initial cleanup and remediation where advised

Recovery

Action for provider of SenseOn MDR

Swift recovery should be a fundamental goal of any incident response approach. In this instance the following recovery steps should be considered:

  1. SenseOn MDR provider to set up periodic monitoring of new inbound external connections
  2. SenseOn MDR provider to remove firewall rules added during containment once it is agreed with the customer that the threat has been mitigated
  3. SenseOn MDR provider to check endpoint behaviour for any unusual activity as part of the monitoring check and telemetry review. The ‘Host processes within a certain timeframe’ Hunt-Lab query can assist with this.