Let’s Defend: SOC144-New scheduled task created Walkthrough

Noel Varghese
4 min read · Jan 27, 2022

Hello readers, welcome to this blog entry. Today, we will be trying to solve the SOC144 — New scheduled task created alert, on the Let’s Defend platform.

There’s also a Gitbooks version of the same challenge, written by me. You can go ahead and check it out!

NOTE: Always remember to investigate alerts from Let’s Defend, on a VM.

Introduction to the Alert

The alert particulars are given to analyze and understand:-

Next steps:-

Take ownership of case

Create Case

Download the file to be analyzed and unzip it

Enumeration

We uncover a Python file titled ‘Sorted-Algorithm.py’.

Let’s have a look at its contents using the editor.

Gist of program:-

Sorts vowels twice (once in ascending and once in descending order), takes the second element of the sorted array, performs further random sorting on it and prints the result.

Remember that this script is designed to attack a host at IP 92.27.116.104 and create a scheduled task named x86_x64_setup.exe, under the C:/Windows/Temp/ path.
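A scheduled task whose action runs out of C:\Windows\Temp is the kind of detail a SOC analyst wants surfaced automatically rather than by hand. The following is an added example, not code from the write-up or from Let’s Defend: it parses constructed records shaped like Windows Security Event ID 4698 (“A scheduled task was created”), whose TaskContent field carries the task definition XML, and flags tasks that execute from temp or public directories or whose task name looks like an executable. The field names follow the 4698 schema and the task XML namespace is the real Task Scheduler one; the two sample records (one modeled on the task named in this alert, one a benign Defrag task) are constructed for the example.

```python
"""Flag suspicious scheduled-task creation events (constructed 4698-style records).

Added example for this write-up; not part of the original alert or the platform.
"""
import re
import xml.etree.ElementTree as ET

# Directories from which a legitimate scheduled task rarely executes.
SUSPICIOUS_DIRS = (
    r"c:\windows\temp",
    r"c:\users\public",
    r"\appdata\local\temp",
)

# Namespace used by Task Scheduler task definitions (as embedded in TaskContent).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample events; the first mirrors the task described in this alert.
SAMPLE_EVENTS = [
    {
        "EventID": 4698,
        "SubjectUserName": "jdoe",
        "TaskName": r"\x86_x64_setup.exe",
        "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Windows\Temp\x86_x64_setup.exe</Command></Exec></Actions>
</Task>""",
    },
    {
        "EventID": 4698,
        "SubjectUserName": "SYSTEM",
        "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
        "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>""",
    },
]


def parse_task_actions(task_content: str) -> list:
    """Return (command, arguments) pairs for every <Exec> action in the task XML."""
    root = ET.fromstring(task_content)
    actions = []
    for exec_node in root.iter(f"{TASK_NS}Exec"):
        cmd = exec_node.findtext(f"{TASK_NS}Command", default="")
        args = exec_node.findtext(f"{TASK_NS}Arguments", default="")
        actions.append((cmd.strip(), args.strip()))
    return actions


def normalize_path(p: str) -> str:
    """Lower-case, unquote and unify slashes so directory matching is robust."""
    return p.strip().strip('"').replace("/", "\\").lower()


def suspicious_reasons(event: dict) -> list:
    """List the reasons a 4698-style event looks suspicious (empty if none)."""
    reasons = []
    task_name = event.get("TaskName", "")
    # Task names normally describe a job; one that ends in an executable
    # extension suggests the task was named after its payload.
    if re.search(r"\.(exe|bat|cmd|ps1|vbs|js)$", task_name, re.IGNORECASE):
        reasons.append(f"task name looks like an executable: {task_name}")
    for cmd, args in parse_task_actions(event["TaskContent"]):
        full = normalize_path(cmd) + " " + normalize_path(args)
        for directory in SUSPICIOUS_DIRS:
            if directory in full:
                reasons.append(f"action runs from {directory}: {cmd} {args}".strip())
                break
    return reasons


def triage(events: list) -> list:
    """Return (task name, reasons) for every event that raised at least one reason."""
    flagged = []
    for event in events:
        reasons = suspicious_reasons(event)
        if reasons:
            flagged.append((event["TaskName"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS):
        print(name)
        for r in reasons:
            print("  -", r)
```

Running the script flags only the Temp-directory task and leaves the Defrag task alone; in a real pipeline the same two checks would be applied to 4698 records exported from the Log Management section before the analyst opens the playbook.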

Questions

Now, let’s open the alert’s playbook.

Let’s start filling up details:-

File Analysis

Check if the malware is quarantined/cleaned

Let’s Defend recommends we check the Log Management and Endpoint Security sections.

Let’s go ahead with our Swiss Army Knife tools, Hybrid-Analysis and VirusTotal.

When tested on Falcon Sandbox, the file was found not to be malicious.

The same was the case with VirusTotal.

We answer that the malware is cleaned.

Analyze Malware

Analyze malware in 3rd party tools and find C2 address

In the previous section, we analyzed the artifact and deduced that the file was indeed not malicious.

Adding artifacts to the casefile

Let’s compile the information that we have collected:-

Analyst’s Notes about the alert

Finish the Playbook

Close Alert — with notes, describing the alert as a True Positive

Alert Scorecard

Points Acquired — 10/15. Not bad, not bad at all!

Every alert solved is a step towards perfection, and I am pretty happy with the score I received.

Summary of Case

An incoming SOC alert was briefed to us about an RCE that caused a process to be scheduled and executed. Upon analysis, the file in question did not show any traces of malicious activity, being described as danger-free by the VirusTotal and Hybrid-Analysis tools.

Conclusion

Thank you for devouring this blog entry, and stay tuned as I try to close down more SOC alerts…

Your opinion matters

My audience has a voice. Feel free to reach out to me on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day.

Let your opinion about this write-up be known, by giving it a clap!


Written by Noel Varghese

Threat Researcher at CloudSEK Security+ | eJPT | Connect with me on LinkedIn — https://www.linkedin.com/in/noel--varghese
