Team: Huntress EDR
Product: Managed Defender Antivirus
Environment: Managed AV (MAV)
Summary: The Huntress Security Operations Center (SOC) will send out Incident Reports and provide guidance on corrective actions via Assisted Remediation.
When does Huntress send an Incident Report?
- When the SOC reviews a suspicious detection and determines a compromise.
What's included in an incident report?
- Severity (as determined by the SOC)
- Related Detections
- Assisted Remediation (if relevant)
What does the Huntress SOC review?
This list will grow over time. Today we focus on:
- Cobalt Strike Detections
- Critical Severity (e.g. Mimikatz, Ransomware, PowerShell, Meterpreter)
- Defender Additional Actions
How does Assisted Remediation work?
Assisted remediation will attempt to provide the following actions:
- Delete File
- Full Scan
Example of an Incident Report
[WARNING] Please review this incident report to understand
what was identified before remediating. There may
be unknown malicious processes, files, or other
changes made to the host (and potentially other
hosts within the environment) that remain undetected.
Restoring from a known good backup or clean OS install
is the only way to assure a complete host level remediation.

Microsoft Defender Antivirus detected the following:

- Cobalt Strike Beacon: Cobalt Strike Beacon is a
legitimate pen-testing tool. However, because of its robust
feature set, including the ability to execute remote commands,
it is used to maintain remote access to a host by threat actors
and often used to deploy other malware including ransomware.

Host: HAL9000
Organization: DISCOVERY1
Tags: None
Security Products: Windows Defender

Remediation Instructions
------------------------
** Please review these recommendations due to the nature of a Cobalt Strike attack. **
- Consider implementing your Incident Response procedures to fully scope the incident as attackers will often move to other hosts on the network.
- Review internal log sources to identify potential unauthorized access.
- Review compromised hosts, and if applicable, Active Directory, for any unauthorized accounts.
- Consider resetting passwords for all potentially impacted accounts.
- Run a full system scan to identify anything real-time scanning may not have identified.
- Ensure that all security products are running and correctly configured as expected on affected endpoints as well as all possible hosts to increase visibility into potential threat actor activity.
- Wipe any affected hosts and reinstall from a known good baseline.

Defender Threat Details
-----------------------
Threat Name: Backdoor:Win64/CobaltStrike.BH!dha
Category: Backdoor
Threat Type: Known Bad
Detected At: 2022-12-12 14:14:14 UTC
Remediated At: 2022-12-12 14:21:07 UTC
Severity: Severe
Threat Action: Quarantine
Threat Status: Quarantined
Detection Source: Real Time
Execution Status: Blocked
OS Resources: ["file:_C:\\Windows\\68c26a9.exe"]
Domain User: NT Authority\System
Process Name: System
Additional Actions: None

Threat Name: Backdoor:Win64/CobaltStrike.BH!dha
Category: Backdoor
Threat Type: Known Bad
Detected At: 2022-12-12 14:14:14 UTC
Remediated At: 2022-12-12 14:21:07 UTC
Severity: Severe
Threat Action: Remove
Threat Status: Removed
Detection Source: Real Time
Execution Status: Blocked
OS Resources: ["file:_C:\\Windows\\68c26a9.exe"]
Domain User: NT Authority\System
Process Name: System
Additional Actions: None

Thanks again for trusting Huntress and please don't hesitate to reach out to
email@example.com if you have any questions.
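The "Defender Threat Details" section of the report above is plain "Key: Value" text, which is awkward to hand to a ticketing system or SIEM as-is. The following is an added Python example (not Huntress code) that parses that section into one record per detection, decodes the OS Resources list, computes detection-to-remediation time and flags any detection Defender did not finish on its own (the "Additional Actions" case the SOC reviews). It assumes the layout shown in the sample report, with a new detection starting at each "Threat Name:" line; the sample input is copied from that report.

```python
"""Parse the 'Defender Threat Details' section of a Huntress MAV incident report.

Added example, not Huntress code. Assumes the 'Key: Value' layout of the sample
report on this page, with every detection beginning at a 'Threat Name:' line.
"""
import json
from datetime import datetime, timezone

TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"

# Input reproduced from the sample report on this page (raw string, so the
# JSON-escaped backslashes in OS Resources stay exactly as the report shows them).
SAMPLE_REPORT = r"""
Defender Threat Details
-----------------------
Threat Name: Backdoor:Win64/CobaltStrike.BH!dha
Category: Backdoor
Threat Type: Known Bad
Detected At: 2022-12-12 14:14:14 UTC
Remediated At: 2022-12-12 14:21:07 UTC
Severity: Severe
Threat Action: Quarantine
Threat Status: Quarantined
Detection Source: Real Time
Execution Status: Blocked
OS Resources: ["file:_C:\\Windows\\68c26a9.exe"]
Domain User: NT Authority\System
Process Name: System
Additional Actions: None

Threat Name: Backdoor:Win64/CobaltStrike.BH!dha
Category: Backdoor
Threat Type: Known Bad
Detected At: 2022-12-12 14:14:14 UTC
Remediated At: 2022-12-12 14:21:07 UTC
Severity: Severe
Threat Action: Remove
Threat Status: Removed
Detection Source: Real Time
Execution Status: Blocked
OS Resources: ["file:_C:\\Windows\\68c26a9.exe"]
Domain User: NT Authority\System
Process Name: System
Additional Actions: None
"""


def parse_threat_details(text):
    """Return one dict per detection. Lines that are not 'Key: Value' (the section
    title, its underline, blank lines) are skipped; 'Threat Name' opens a record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)  # split once: threat names contain ':'
        if key == "Threat Name":
            current = {}
            records.append(current)
        if current is None:
            continue  # key/value text before the first detection
        current[key] = value
    return [_normalise(rec) for rec in records]


def _normalise(rec):
    """Convert timestamps to aware datetimes and decode the OS Resources JSON list
    into {'type', 'path'} entries (the 'file:_<path>' form seen in the sample)."""
    out = dict(rec)
    for key in ("Detected At", "Remediated At"):
        if key in out:
            out[key] = datetime.strptime(out[key], TIME_FMT).replace(tzinfo=timezone.utc)
    resources = []
    for item in json.loads(out.get("OS Resources", "[]")):
        kind, sep, path = item.partition(":_")
        resources.append({"type": kind, "path": path} if sep else {"type": "unknown", "path": item})
    out["OS Resources"] = resources
    return out


def seconds_to_remediate(rec):
    """Whole seconds between Defender's detection and its remediation action."""
    return int((rec["Remediated At"] - rec["Detected At"]).total_seconds())


def needs_follow_up(rec):
    """True when the detection still needs a human: Defender neither quarantined
    nor removed the threat, or it reported Additional Actions."""
    finished = rec.get("Threat Status") in {"Quarantined", "Removed"}
    return not finished or rec.get("Additional Actions", "None") != "None"


def affected_files(records):
    """Unique file paths across all detections, in report order, for a checklist."""
    paths = []
    for rec in records:
        for res in rec["OS Resources"]:
            if res["type"] == "file" and res["path"] not in paths:
                paths.append(res["path"])
    return paths


if __name__ == "__main__":
    detections = parse_threat_details(SAMPLE_REPORT)
    for d in detections:
        print(d["Threat Name"], d["Threat Action"], d["Threat Status"],
              f"{seconds_to_remediate(d)}s", "FOLLOW-UP" if needs_follow_up(d) else "ok")
    print("files:", affected_files(detections))
```

Both detections in the sample refer to the same file and both reached a finished state (Quarantined, then Removed), so the checklist collapses to one path and nothing is flagged; a record whose status were something else, or whose Additional Actions were not "None", would be flagged for the analyst.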