
DFC threat detected email

EdieDudley14020
Level 1

Received an email that the endpoint detected a DFC Threat. The file has been quarantined, but whatever is calling it on reboot still remains. I've done a full system scan, cleaned Internet temp files and cookies and browser cache. What should I try next?

The details are:

    • Event Type: Threat Detected
    • Computer: JPBCB42-CC.Domain.local
    • Hostname: JPBCB42-CC.Domain.local
    • IP: 192.168.1.175
    • User: campbell.c@DOMAIN
    • Detection: VBS.Heur.Laburrak.11.0312637E.Gen
    • File: getadmin.vbs
    • File path: \\?\C:\Users\campbell.c\AppData\Local\Temp\getadmin.vbs
    • Detection SHA-256: cb542f6a0c90761f8b698731af41adc7140c348df92022e205572218c9427c00
    • By Application: cmd.exe
    • Application SHA-256: b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
    • Severity: Medium
    • Timestamp: 2021-08-25 12:14:04 +0000 UTC


1 Reply

Troja007
Cisco Employee

Hello @EdieDudley14020,

I would recommend the following steps:

  1. Activate automated actions to move such a computer to a specific group. Assign a very restrictive policy. Most exclusions should be removed from this policy. Set the cache to the lowest levels. Enable all engines, if not already enabled.
  2. Activate the automated action to isolate the computer from the network, so it cannot connect to the internet. Secure Endpoint communication is still possible, so you can investigate the endpoint with Orbital.
  3. Check whether File Analysis is enabled for the group the endpoint belongs to, just to be sure any unknown files get analysed.
  4. Activate the automated action for file analysis, so Secure File Analysis (formerly Threat Grid) analyses the necessary files.
  5. Add the free SecureX integration modules, so you get more information from the Pivot Menu.
  6. Orbital: Generate a forensic snapshot, so you have the actual state of the system documented. The automated action feature to generate the forensic snapshot should also be activated.
  7. The challenge today is that an endpoint can get infected without needing a malicious file on the disk. Such an infection can be sticky. As one of many examples: MITRE T1053.
  8. Orbital: Query the running processes: SHA256 Hash Of Running Processes.
  9. Orbital: Query all the startup items. This query includes drivers, ie_extensions, scheduled tasks and more: Search For Automatically Executing Binaries, Windows executables that automatically execute, startup_items, Processes Launched From Unsigned Disk Files and more.

Review the Orbital queries to figure out the compromise.


Greetings,
Thorsten
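An added example, not part of Thorsten's reply or Cisco's Orbital query catalog: because Orbital runs osquery, the startup-item and running-process checks in steps 8 and 9 can be written as osquery SQL against osquery's Windows tables. The match patterns (Temp paths, script hosts, `.vbs`) are assumptions tailored to the alert above, where `cmd.exe` launched a `.vbs` from a user's Temp folder and something keeps recreating it on reboot.

```sql
-- Constructed hunting queries for Cisco Orbital (osquery) on a Windows host.
-- Goal: find whatever re-launches a .vbs from a user's Temp folder at boot or
-- logon. Table and column names are osquery's; the LIKE patterns are assumed.

-- 1. Scheduled tasks (MITRE T1053) whose action references a script host,
--    a .vbs file or anything under a Temp directory.
SELECT name, path, action, enabled, hidden, last_run_time, next_run_time
FROM scheduled_tasks
WHERE action LIKE '%.vbs%'
   OR action LIKE '%wscript%'
   OR action LIKE '%cscript%'
   OR action LIKE '%\Temp\%';

-- 2. Run / RunOnce keys for the machine hive and every loaded user hive
--    ('%' in the key globs one level, so HKEY_USERS\<SID> is covered).
SELECT key, name, data, datetime(mtime, 'unixepoch') AS modified
FROM registry
WHERE (key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run%'
    OR key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run%'
    OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run%')
  AND (data LIKE '%.vbs%' OR data LIKE '%\Temp\%' OR data LIKE '%cmd.exe%');

-- 3. Startup folders, services and other autostart entries that osquery
--    collects in startup_items.
SELECT name, path, args, type, source, status, username
FROM startup_items
WHERE path LIKE '%.vbs%'
   OR args LIKE '%.vbs%'
   OR path LIKE '%\Temp\%';

-- 4. Live script-host processes, their parent process and the SHA-256 of the
--    image on disk, so the result can be compared with the hashes in the alert.
SELECT p.pid, p.name, p.cmdline, p.path,
       pp.name    AS parent_name,
       pp.cmdline AS parent_cmdline,
       h.sha256
FROM processes p
LEFT JOIN processes pp ON pp.pid = p.parent
LEFT JOIN hash h ON h.path = p.path
WHERE p.name IN ('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'cmd.exe')
  AND (p.cmdline LIKE '%.vbs%' OR p.cmdline LIKE '%\Temp\%');
```

An empty result from all four queries does not clear the host; compare the forensic snapshot from step 6 against these live results, and widen the patterns if the dropper changes file names.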