Alert Playbook - Device - File/Process/Script/Tool
Do not assume an account is not compromised. We do not know who is behind a legitimate account.
We are looking for context to identify suspicious activity.
File Reputation
- Lookup hash in VirusTotal
  - Playbook: Playbook - VirusTotal File
  - Verify signature
  - Verify global prevalence
- Google for context: file name, folder names, hash, command line, software company, software description, script/command strings
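As an added example (not part of this playbook), the following Python turns the three reputation signals above (detections, signature, global prevalence) into a short triage summary. It assumes a report shaped like the VirusTotal v3 "files" object attributes (`last_analysis_stats`, `signature_info`, `unique_sources`); the sample report and the prevalence threshold are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of a VirusTotal v3 "files" object's
# attributes (assumption: the field names mirror that API; the values
# are made up for this example).
SAMPLE_REPORT = {
    "last_analysis_stats": {"malicious": 3, "suspicious": 0, "undetected": 60, "harmless": 0},
    "signature_info": {"verified": "Unsigned"},
    "unique_sources": 4,
    "meaningful_name": "updater.exe",
}


@dataclass
class ReputationSummary:
    sha256: str
    detections: int       # engines reporting malicious or suspicious
    engines: int          # engines that returned any verdict
    signed: bool          # signature present and verified
    signer: Optional[str]
    unique_sources: int   # global prevalence proxy
    flags: list = field(default_factory=list)


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    # Stream the file so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_report(sha256: str, attrs: dict, prevalence_floor: int = 50) -> ReputationSummary:
    """Reduce a reputation report to the signals the checklist asks for.

    prevalence_floor is an illustrative threshold: anything seen by fewer
    unique sources is flagged as low prevalence and deserves more context.
    """
    stats = attrs.get("last_analysis_stats", {})
    detections = stats.get("malicious", 0) + stats.get("suspicious", 0)
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))

    sig = attrs.get("signature_info", {})
    signed = str(sig.get("verified", "")).lower() == "signed"
    signer = sig.get("signers") if signed else None

    unique_sources = int(attrs.get("unique_sources", 0))

    flags = []
    if detections:
        flags.append(f"{detections}/{engines} engines flag this hash")
    if not signed:
        flags.append("unsigned or signature not verified")
    if unique_sources < prevalence_floor:
        flags.append(f"low global prevalence ({unique_sources} unique sources)")

    return ReputationSummary(sha256, detections, engines, signed, signer, unique_sources, flags)


if __name__ == "__main__":
    summary = summarize_report(sha256_of_bytes(b"constructed sample bytes"), SAMPLE_REPORT)
    print(summary.sha256)
    for flag in summary.flags:
        print(" -", flag)
```

An empty `flags` list means none of the three signals is unusual on its own; it does not clear the file, which is why the checklist goes on to file context and the timeline.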
File Context
- Investigate the parent process
  - Repeat the steps from the File Reputation section
  - Is the parent (or its own parent) process Explorer, a Service, or a Scheduled Task?
- Is the file in a suspicious/uncommon folder?
  - See the suspicious folders annex
- Where does the file come from?
  - Downloads folder, external drive (X:), file share
Timeline
- Look for events before and after for more context: URLs, connections, dropped files, etc.
- Search the Timeline for keywords: file name, folder names, IP, domain, command line, strings
- A domain seen shortly before a download can give you the origin URL
Advanced Hunting
- Look for file activity within the folder:
  - Defender Query: Device - Activity in Folder -> modify the folder regex accordingly
- Look for the browser history and correlate it with the download time to find the origin URL:
  - Defender Query: Device - Browser History
- Pivot! Use any finding and repeat the steps for further context
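The timeline keyword search and the browser-history correlation above, as an added Python example that is not part of the playbook or of Defender. The timeline below is constructed; its field names (`time`, `kind`, `detail`) are this example's own and not Defender's schema. It goes one step beyond the checklist by preferring a URL whose last path segment matches the downloaded file name, and falling back to the most recent URL before the file was written.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed device timeline: a mailbox visit, a download link, the TLS
# connection, the file landing in Downloads and a process starting from it.
TIMELINE = [
    {"time": "2024-05-02T09:14:03", "kind": "url", "detail": "https://mail.example.com/inbox"},
    {"time": "2024-05-02T09:15:40", "kind": "url", "detail": "https://cdn.invoice-portal.example/dl/Invoice_4471.zip"},
    {"time": "2024-05-02T09:15:41", "kind": "connection", "detail": "203.0.113.45:443"},
    {"time": "2024-05-02T09:15:44", "kind": "file_created", "detail": r"C:\Users\jdoe\Downloads\Invoice_4471.zip"},
    {"time": "2024-05-02T09:16:10", "kind": "process", "detail": r"C:\Users\jdoe\Downloads\Invoice_4471\invoice.exe"},
]


def event_time(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def search_timeline(events: list, keywords: list) -> list:
    """Case-insensitive keyword search over every event's detail field."""
    needles = [k.lower() for k in keywords]
    return [e for e in events if any(n in e["detail"].lower() for n in needles)]


def events_around(events: list, anchor: datetime,
                  before: timedelta = timedelta(minutes=5),
                  after: timedelta = timedelta(minutes=5)) -> list:
    """Events in the window [anchor - before, anchor + after], oldest first."""
    window = [e for e in events if anchor - before <= event_time(e) <= anchor + after]
    return sorted(window, key=event_time)


def origin_url_for(events: list, file_path: str, window: timedelta = timedelta(minutes=10)) -> str:
    """Find the URL most likely to be the origin of a downloaded file.

    Prefers a browser URL within the window whose last path segment equals
    the file name; otherwise returns the most recent URL before the file
    was created. Returns None when the file or any candidate URL is absent.
    """
    file_name = file_path.rsplit("\\", 1)[-1].lower()
    created = next((e for e in events
                    if e["kind"] == "file_created" and e["detail"].lower() == file_path.lower()), None)
    if created is None:
        return None
    t0 = event_time(created)
    candidates = sorted((e for e in events
                         if e["kind"] == "url" and t0 - window <= event_time(e) <= t0),
                        key=event_time)
    if not candidates:
        return None
    for e in reversed(candidates):  # most recent first
        if urlparse(e["detail"]).path.rsplit("/", 1)[-1].lower() == file_name:
            return e["detail"]
    return candidates[-1]["detail"]


def origin_domain(url: str) -> str:
    return urlparse(url).hostname


if __name__ == "__main__":
    dropped = r"C:\Users\jdoe\Downloads\Invoice_4471.zip"
    url = origin_url_for(TIMELINE, dropped)
    print("origin URL:", url)
    print("origin domain:", origin_domain(url))
    for e in search_timeline(TIMELINE, ["invoice_4471"]):
        print(e["time"], e["kind"], e["detail"])
```

The domain returned here is the next pivot: search the timeline and Advanced Hunting for it, then repeat the reputation and context steps on whatever that search surfaces.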
Device and User Context
- Verify the criticality of the device. Does the activity make sense?
  - Is it a critical device?
  - Is it a server or a workstation?
- Verify the user details. Does the activity make sense?
  - Is the user an IT admin?
  - Is the user a non-IT user?
  - Is the user a developer/solution designer?
Escalation Form
Fill out the form below before escalating an alert. Take a screenshot of the output or select and copy the entire page and share it with the relevant people: