In this short video, an analyst on Rapid7’s Managed Detection and Response (MDR) team explains how he responded to an alert for a malicious Word document downloaded in a customer’s environment.
For more on how the MDR team approaches alerts and threats, check out our video on Threat Hunting.
A typical day for me, when I come into the office, the first thing that I do is check all the alerts that are available to me and try to triage all of them to see which ones are critical.
One specific alert that drew my attention was a file that was downloaded to a machine via Outlook. When the Outlook process triggered an alert, it showed me the details of a malicious document that was executed from the Outlook process. The Word document in this case executed additional scripts from it, PowerShell scripts, that reached out to a command and control server outside and grabbed a second-stage loader to execute malicious code on the machine and take control of the machine, allowing the attacker to control the machine remotely.
I was able to see the command and control traffic that was sent out. When I saw that, I was able to trigger additional queries and searches through InsightIDR to find what specific traffic was being sent out. The command and control traffic showed me that the domain it was connected to was a fast-fluxing domain, meaning that it's changing all the time. That way the attacker was trying to hide their behavior inside the environment once they got a foothold on one asset.
After that, other email alerts came to my attention, and I saw the same behavior not only on one asset but on different assets. At that point I knew I had to escalate the case and interact with the customer advisor to let the customer know that we wanted to take action on this specific alert, because it was spreading rapidly and it was also a way for the attacker to compromise the company.
As the alert was being triggered and we were triaging the alert with the customer advisor and the rest of the analyst team, we found out that we could create specific signatures to detect that type of behavior. Our signatures can detect when the scripts were run, but attackers change their methodologies often. So we were able to tune the alert further and find other strings that the attacker was using to evade detection, and from there find what other methodologies he was using and specifically find the malicious document and the processes that were run across all the machines that were being targeted by the attacker.
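The process chain the analyst describes (a document opened from Outlook, then Word spawning PowerShell) is something a detection rule can express directly. The following is an added example, not Rapid7's or InsightIDR's own signature logic; it runs over constructed process-creation events with assumed field names (pid, ppid, image) and flags shell or script hosts whose ancestry passes through an Office application that itself descends from Outlook.

```python
"""Detect the Outlook -> Word -> PowerShell chain described in the transcript.

Constructed sample telemetry (not from the original page): minimal process
creation events with pid, ppid and image name, similar to what an EDR or
Sysmon process-creation event records. The field names are assumptions.
"""

# Constructed sample events: one suspicious chain and one benign Word session.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "OUTLOOK.EXE"},
    {"pid": 300, "ppid": 200, "image": "WINWORD.EXE"},     # attachment opened from Outlook
    {"pid": 400, "ppid": 300, "image": "powershell.exe"},  # document spawning PowerShell
    {"pid": 500, "ppid": 100, "image": "WINWORD.EXE"},     # Word opened normally
    {"pid": 600, "ppid": 500, "image": "splwow64.exe"},    # benign child (printing)
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def ancestry(pid, by_pid):
    """Return lower-cased image names from pid up to the root, child first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def find_office_spawned_shells(events, require_mail_client=True):
    """Return (pid, chain) for shells whose ancestors include an Office app.

    With require_mail_client=True the chain must also pass through Outlook,
    which matches the alert in the transcript and suppresses documents that
    were opened from disk rather than from an email.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() not in SHELLS:
            continue
        chain = ancestry(e["pid"], by_pid)
        parents = chain[1:]
        if not any(p in OFFICE_APPS for p in parents):
            continue
        if require_mail_client and "outlook.exe" not in parents:
            continue
        hits.append((e["pid"], chain))
    return hits


if __name__ == "__main__":
    for pid, chain in find_office_spawned_shells(EVENTS):
        print(f"pid {pid}: {' <- '.join(chain)}")
```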