Managed AV - What is an Incident Report?

Team: Huntress EDR
Product: Managed Defender Antivirus
Environment: Managed AV (MAV)
Summary: The Huntress ThreatOps teams will send out Incident Reports and provide guidance on corrective actions via Assisted Remediation. 

When does Huntress send an Incident Report?

• If ThreatOps reviews detection and determines further investigation or action is required.  

What's included in an incident report?

• Severity - Determined 
• Summary
• Related Detections
• Assisted Remediation (if relevant)

What does ThreatOps review?
This list will grow over time. Today ThreatOps focuses on:

• Cobaltstrike Detections
• Critical Severity (i.e. Mimikatz, Ransomware, Powershell, Meterpreter)
• Defender Additional Actions

How does Assisted Remediation work?

Assisted remediation will attempt to provide the following actions:

• Delete File
• Full Scan
• Reboot

Example of an Incident Report

[WARNING]
Please review this incident report to understand 
what was identified before remediating. There may 
be unknown malicious processes, files, or other 
changes made to the host (and potentially other 
hosts within the environment) that remain undetected. 
Restoring from a known good backup or clean OS install 
is the only way to assure a complete host level remediation. 


Microsoft Defender Antivirus detected the following:
- Cobalt Strike Beacon : Cobalt Strike Beacon is a 
legitimate pen-testing tool. However, because of its robust 
feature set, including the ability to execute remote commands, 
it is used to maintain remote access to a host by threat actors 
and often used to deploy other malware including ransomware.


Host: HAL9000
Organization: DISCOVERY1
Tags: None
Security Products: Windows Defender

Remediation Instructions
------------------------
** Please review these recommendations due to the nature of a Cobalt Strike attack. **
- Consider implementing your Incident Response procedures to fully scope the incident as attackers will often move to other hosts on the network.
- Review internal log sources to identify potential unauthorized access.
- Review compromised hosts, and if applicable, Active Directory, for any unauthorized accounts.
- Consider resetting passwords for all potentially impacted accounts.
- Run a full system scan to identify anything real-time scanning may not have identified.
- Ensure that all security products are running and correctly configured as expected on affected endpoints as well all possible hosts to increase visibility into potential threat actor activity.
- Wipe any affected hosts and reinstall from a known good baseline.

Defender Threat Details
-----------------------
Threat Name: Backdoor:Win64/CobaltStrike.BH!dha
Category: Backdoor
Threat Type: Known Bad
Detected At: 2022-12-12 14:14:14 UTC
Remediated At: 2022-12-12 14:21:07 UTC
Severity: Severe
Threat Action: Quarantine
Threat Status: Quarantined
Detection Source: Real Time
Execution Status: Blocked
OS Resources: ["file:_C:\\Windows\\68c26a9.exe"]
Domain User: NT Authority\System
Process Name: System
Additional Actions: None

Threat Name: Backdoor:Win64/CobaltStrike.BH!dha
Category: Backdoor
Threat Type: Known Bad
Detected At: 2022-12-12 14:14:14 UTC
Remediated At: 2022-12-12 14:21:07 UTC
Severity: Severe
Threat Action: Remove
Threat Status: Removed
Detection Source: Real Time
Execution Status: Blocked
OS Resources: ["file:_C:\\Windows\\68c26a9.exe"]
Domain User: NT Authority\System
Process Name: System
Additional Actions: None



Thanks again for trusting Huntress and please don't hesitate to reach out to 
support@huntress.io if you have any questions.