The hunting process using the Secdo platform

The hunting process using the Secdo platform

0
Created On 09/25/18 18:17 PM - Last Modified 07/19/22 23:09 PM


Resolution


The hunting process using the SECDO platform is based on querying the database for abnormal behaviors of the organization hosts. Use the following examples to find starting points for investigations:
  • A process communicating with Google DNS servers (excluding svchost and browsers)
  • A process communicating with .ru/.cn domains (excluding browsers and skype)
  • A process communicating with .info/.xyz/.biz domains (excluding browsers and skype)
  • Incoming connections directly from the internet
  • Rundll32.exe communicating with non Microsoft domains
  • A process running from recycle bin
  • A process running with a double extension (.doc.exe, etc.)
  • An unsigned process running from a temp directory
  • A process starts with the OS from the User directory or the temp directory and can only be found in one endpoint
  • A process modifies the hosts file
  • A process writing new values to the run/run once reg keys
  • A process running schtasks.exe with a 'create' argument
  • A process running 'wmic shadowcopy' or 'vssadmin'
  • A process running netsh
  • A process running net use
  • Process Changes certificate settings on the host (add certificate to the certstore)
  • Process different from inetcpl.cpl (DLL) changes the proxy configuration on the host
  • Process try to disable the UAC on the host
  • Process different than browser read the browser history files
  • Process try to identify the host he runs on.
  • Process other than browser access index.dat or chrome db files.
  • Wscript or cscript running a vb/js script from a temp directory or the user directory
  • PowerShell running base64 code
  • PowerShell communicating with a destination on the internet
  • Office process (winword.exe, etc.) having a cmd/powershell/wscript/cscript child
  • Creation of files on disc with the parshe *decrypt*.html or *decrypt*.txt
  • Outgoing connections over ports 20/21/22/23
  • Cmd \ powershell \ wscript running from winword \ excel
  • DLL loaded from different place than System32
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOtCAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail