Today, one of our new resellers asked for help investigating an ongoing incident at a customer site: they could not find the root cause with the traditional antivirus deployed in the company. They needed a way to perform threat hunting, as the customer did not have an EDR solution deployed. We quickly deployed the Trapmine agent to the infected endpoint, and within a few minutes we had the first alert, shown below:
The process map already shed some light on a suspicious PowerShell launch on the endpoint: the powershell.exe process was a child of a command-line (cmd.exe) process, whose parent was WmiPrvSE.exe, the WMI Provider Host. A WmiPrvSE.exe parent is a strong hint that WMI event subscriptions are involved. At this point, we isolated the endpoint from the network with the help of Trapmine so the investigation could continue safely.
From there it was straightforward to start an "automated hunting" or "live hunting" query from the Trapmine console to check for WMI persistent objects, collecting the forensic artifacts from the endpoint remotely with a few clicks.
The result came back quickly and was simple to read! Now we could see where the suspicious PowerShell launch came from and how to remove the responsible objects, with the help of Trapmine!
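The WMI persistence check described above, as an added example and not Trapmine's own code: a PowerShell script that enumerates the permanent event subscriptions in root\subscription (filter, consumer, binding) and flags consumers whose action launches a shell, which is exactly the WmiPrvSE.exe -> cmd -> powershell chain seen in the process map. It assumes it is run locally as Administrator; the shell-keyword heuristic is my own, not a Trapmine rule.

```powershell
# Added example, not Trapmine's tooling: list permanent WMI event subscriptions
# (the artifact behind a WmiPrvSE.exe -> cmd -> powershell chain) and flag
# consumers whose action launches a shell. Run as Administrator on the endpoint.
$ns = 'root\subscription'
$filters  = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
# The concrete consumer classes carry the action; the __EventConsumer base does not
$consumers = @(
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
)
$bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Binding.Filter / Binding.Consumer are references: CIM returns a CimInstance,
# WMI-style tooling returns a string such as __EventFilter.Name="x". Handle both.
function Get-RefName($ref) {
    if ($ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $ref.Name }
    if ("$ref" -match 'Name="([^"]+)"') { return $Matches[1] }
    return "$ref"
}

# Heuristic (assumption): actions that spawn a shell or fetch/decode content
$shellPattern = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|-enc|iex|downloadstring|http'

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
    # CommandLineEventConsumer runs CommandLineTemplate; ActiveScriptEventConsumer runs ScriptText
    $action = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
    [pscustomobject]@{
        Filter        = $fName
        Query         = $f.Query          # WQL trigger, e.g. a __TimerEvent or a process-start poll
        ConsumerClass = $c.CimClass.CimClassName
        Action        = $action
        Suspicious    = [bool]($action -match $shellPattern)
    }
}
$report | Sort-Object Suspicious -Descending | Format-List

# Removal, once an entry is confirmed malicious: delete the binding first so the
# trigger can no longer fire, then the consumer and the filter, e.g.
#   $b | Remove-CimInstance; $c | Remove-CimInstance; $f | Remove-CimInstance
```

Bindings whose filter or consumer no longer resolves show empty Query or Action fields; those dangling entries are worth a look too, since a partially cleaned-up subscription is still an artifact of the intrusion.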
Mean Time To Detect, Analyze and Respond: 5-10 minutes!
IoC List:
t.hwqloan.com
t.ouler.cc
ps2.jusanrihua.com
If you need a free endpoint compromise assessment, feel free to contact us.