In the Secure Operations Center (SOC), analysts are constantly sifting through a constant stream of alerts, each one potentially signaling a security incident. While the sheer volume of alerts can be overwhelming, understanding the most common types of alerts can help prioritize investigations and identify real threats efficiently.
I spoke with the MPGSOC team running our scalable cloud-based SOC-as-a-Service and asked them to dive into the top 5 most frequent SOC alerts they encounter, while providing insights into the alert’s origin, significance, and how to approach them effectively. This information is particularly valuable for organizations considering managed security services as it highlights the types of threats their SOC provider will be familiar with and equipped to handle.
1. Base64 Encoded PowerShell Download Cradle:
This alert typically fires when a script attempts to download and execute PowerShell code encoded in Base64 format. Attackers often use this technique to obfuscate malicious commands and bypass traditional security controls.
Origin: This alert can be triggered by various sources, including malicious websites, phishing emails with embedded links, could also be non-malicious admin/dev activity.
What to do:
- Investigate the source: Identify the origin of the download attempt, such as the website accessed or the email received.
- Analyze the downloaded content: Decode the Base64 string and analyze the PowerShell script for suspicious activities like file downloads, system modifications, lateral movement or non-malicious admin/dev activity.
- Isolate and contain: Isolate the compromised system and prevent further communication with the malicious source.
- Scope the environment: After decoding what the PowerShell script does, look for similar activities on other machines to isolate and contain.
- Remediate: Remove the malicious script and address any vulnerabilities exploited in the attack.
More about malicious PowerShell downloads can be found here via CrowdStrike.
2. HTTP Headers Seen Within Default Cobalt Strike Malleable Profiles:
Cobalt Strike is a legitimate penetration testing tool, but attackers often misuse it for malicious purposes. This alert flags the presence of specific HTTP headers associated with Cobalt Strike's default malleable profiles, which attackers can customize to evade detection. CrowdStrike, MPGSOC’s MDR solution, has “observed a continued increase in the use of Cobalt Strike by eCrime and nation-state adversaries.”
Origin: This alert can indicate an attempt to establish a covert communication channel between the compromised system and the attacker's command and control (C2) server.
What to do:
- Prepare: Examine the default HTTP headers defined within the malleable profiles provided by Cobalt Strike.
- Investigate: Analyze the configurations within the HTTP headers and investigate anomalies and unusual configurations that deviate from the default or known baseline.
- Contain: Isolate and contain the affected host(s) to prevent further communications with the attacker.
- Eradicate: Remove the malicious artifacts to prevent further exploitation.
- Recover: Remediate vulnerabilities or misconfigurations that allowed the activity to occur.
- Lessons Learned: Use the incident to enhance security defenses, updating security policies, and improving incident response plans.
3. Executable Written to the Wrong Folder:
This alert flags the writing of an executable file to unexpected locations like the "Music" or "PerfLogs" folders. Attackers often try to hide malicious files in non-standard directories to evade detection.
Origin: This alert can indicate various malicious activities, including malware installation, persistence mechanisms, or attempts to exploit vulnerabilities on the system.
What to do:
- Analyze the executable: Identify the file type, origin, and potential functionality of the executable.
- Investigate system modifications: Look for other suspicious activities like registry modifications or scheduled tasks created by the malware.
- Isolate and contain: Isolate the compromised system and prevent further execution of the malicious file.
- Scope the environment: Search other systems for the executable in non-standard folders, isolate, and contain them as needed.
- Remediation: Remove the malicious file and address any vulnerabilities exploited in the attack.
4. 16 Character Windows Service Registration:
Windows services are background processes that run on the system. This alert triggers when a service is registered with a specific length of 16 characters, which is a common tactic used by malware, like Impacket and Metasploit, to blend in with legitimate system services using a service name of 16 random characters.
Origin: This alert can indicate the installation of malware that utilizes a service to maintain persistence on the system and execute malicious activities.
What to do:
- Investigate the service: Analyze the properties of the newly registered service, including its name, description, and associated files for 16 random character service names.
- Check for suspicious activity: Look for unusual behavior associated with the service like lateral movement and malicious executions.
- Isolate and contain: If deemed malicious, disable the service and isolate the compromised system.
- Scope the environment: Search other systems in the network for the same service name, or other names with 16 random characters.
- Remediation: Remove the associated malware and address any vulnerabilities exploited for service registration.
5. Office Apps Executing Command-Lines:
This alert flags instances where legitimate Microsoft Office applications like Word or Excel attempt to execute command-line tools like "cmd" or "powershell." While some legitimate use cases exist, it can also be a sign of malicious activity.
Origin: This alert can indicate various scenarios, including:
- Macro-based attacks: Attackers can embed malicious macros in Office documents that execute commands upon opening.
- Exploiting vulnerabilities: Attackers may exploit vulnerabilities in Office applications to execute arbitrary code on the system.
- Legitimate use: In some cases, users might use Office applications to automate tasks through scripts, triggering this alert.
What to do:
- Identify the application and user: Investigate which Office application and user triggered the script execution.
- Analyze the script: If possible, obtain and analyze the script's content to understand its purpose and potential risks.
- Check for vulnerabilities: Ensure the affected Office application is patched with the latest security updates.
- Implement application control: Consider implementing application control solutions to restrict unauthorized script execution within specific applications.
Remember: The specific alerts, as always, can vary, as can their effect on your attack surface. However, understanding the common themes and potential implications can help you stay vigilant and identify suspicious activity promptly.
Empowering Effective Security Through Expertise and Technology
Navigating the complexities of SOC alerts can be daunting, even for seasoned IT professionals. As cyber threats become more sophisticated, staying ahead of the curve requires constant vigilance and specialized knowledge. By understanding the most common alert types, their significance, and potential implications, you can build a stronger security foundation.
However, managing this process effectively often demands resources and expertise beyond what many organizations possess. This is where MPGSOC comes in. Our team of seasoned security analysts, equipped with advanced technologies and unwavering dedication, empowers you to:
- Gain peace of mind with 24/7 monitoring: We meticulously watch your network, allowing your internal IT team to focus on strategic initiatives.
- Benefit from expert analysis and prioritization: Our analysts prioritize and investigate alerts with deep-seated understanding, ensuring swift and accurate responses.
- Mitigate risks and minimize downtime: Our incident response expertise helps you contain threats quickly and recover efficiently.
Partnering with MindPoint Group's SOCaaS is not just about managing alerts; it's about proactive security tailored to your needs. We empower you to confidently navigate the threat landscape, safeguard your organization, and focus on what matters most - your core business.
Ready to experience the difference? Book a call with our sales team today and discover how MPGSOC can be your shield against the evolving cyber threat landscape.
