cooppax.blogg.se

Dll suite portable winrar password




# Investigating Suspicious MS Office Child Process

Microsoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.

This rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.

- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.
- Determine if the collected files are malicious:
  - Use a private sandboxed malware analysis system to perform analysis.
    - Observe and collect information about the following activities:
      - Attempts to contact external domains and addresses.
      - File and registry access, modification, and creation activities.
      - Service creation and launch activities.
  - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
    - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
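The document retrieval and Get-FileHash steps of this guide, as an added PowerShell example that is not part of the original guide: it lists Office documents modified in the last 48 hours under the user's Downloads and Documents folders, records each file's SHA-256, and reads the Zone.Identifier stream to show where the file came from. The parameter names, extension list, time window and output path are assumptions.

```powershell
# Added example: collect recent Office documents for triage and hash them.
# Parameter names, the extension list and the 48-hour default are assumptions.
param(
    [string]$UserProfile = $env:USERPROFILE,
    [int]$HoursBack = 48,
    [string]$OutCsv = ".\office-docs-triage.csv"
)

# Common locations named in the guide; add the mail client's attachment folder if known.
$folders = @(
    (Join-Path $UserProfile 'Downloads'),
    (Join-Path $UserProfile 'Documents')
) | Where-Object { Test-Path -LiteralPath $_ }

# Office formats to collect (assumed list, extend as needed).
$extensions = '.doc', '.docx', '.docm', '.dot', '.dotm', '.rtf',
              '.xls', '.xlsx', '.xlsm', '.xlsb', '.xlam',
              '.ppt', '.pptx', '.pptm', '.ppam'

$cutoff = (Get-Date).AddHours(-$HoursBack)

$results = foreach ($folder in $folders) {
    Get-ChildItem -LiteralPath $folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $file = $_
            # Mark-of-the-web stream: present when the file was downloaded or saved from email.
            $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            # Hashing reads the bytes only; the document is never opened in Office.
            $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path          = $file.FullName
                SHA256        = $hash.Hash
                SizeBytes     = $file.Length
                LastWriteTime = $file.LastWriteTime
                ZoneId        = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace 'ZoneId=', ''
                HostUrl       = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace 'HostUrl=', ''
            }
        }
}

# Newest first: the document opened just before the alert is the most likely source.
$results | Sort-Object LastWriteTime -Descending | Export-Csv -Path $OutCsv -NoTypeInformation
$results | Sort-Object LastWriteTime -Descending | Format-Table SHA256, ZoneId, Path -AutoSize
```

The SHA256 column can then be searched in the reputation services the guide lists, without uploading the documents themselves.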





