
1. Did you check if the connection was allowed?

2. Was the AV scan done on the laptop?

2.1 Did you see any similar pattern on any other machines?

3. Thanks for the heads-up. Let me handle this; I will get back to you if anything
is required.
-----------------------------------------------------------------------------------
REVIEW:
4. Let me review this ticket. I see that the proper checks have been done for the
incident, and the EDR and threat-intel data point towards a ransomware attack.

Screenshot: EDR & Threat intel


-----------------------------------------------------------------------------------
CONTAINMENT:
((At this stage, any delay in containing and remediating the ransomware means
compromise of critical data and disruption of services, which will eventually lead
to business impact.))

5. So let me act quickly, without wasting time. ((As part of the containment
process, let me update the ticket confirming that I will be isolating the infected
laptop using the EDR.))

6. Now that I have isolated the laptop, ((let me raise a child ticket assigning it
to the local desktop team to reimage the laptop)). The reimage should wait until the
EDR has collected the triage artefacts needed for the hunt (process tree, file
hashes, the attachment itself), since reimaging destroys that evidence.
ScreenShot: Containment
-----------------------------------------------------------------------------------
THREAT HUNT:
7. ((So the containment is complete, and now I will have to do a THREAT HUNT by
diving deeper to understand how the infection reached the laptop.))

8. I see on the ticket that the infected process is outlook.exe, which indicates
that the THREAT VECTOR was EMAIL and that the infection most likely came through a
phishing email.
Screenshot: outlook.exe

9. Let me call the Exchange team to check for any email whose recipient address
belongs to the user of the infected laptop and which carries the malicious .DOC
file attachment.
Screenshot: email address & DOC file
-----------------------------------------------------------------------------------

10. The Exchange team just confirmed the presence of the email with the malicious
.DOC file attachment, and they also shared: 1. the subject line of the particular
email, 2. the sender email address, and 3. the sender IP address.
(Screenshot: subject line, sender email address, sender IP address)

11. Now let me check with the Exchange team whether similar emails were received by
other users in the organisation. Yes, they just confirmed that similar emails were
received by other users inside the organisation.
(Screenshot: similar emails)
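The hunt in steps 7 to 11, as an added worked example that is not part of the original walkthrough: it rebuilds the EDR process chain on the laptop to confirm Outlook as the origin (Outlook -> Word -> command interpreter), pulls the matching message from a mail-gateway log and lists the other recipients of the same campaign, then collects the hashes, sender addresses and sender IPs that the Exchange team and the EDR would block. The EDR events, the mail-log lines, the host name, user, hashes, addresses and IPs are all constructed for the example; real EDR and Exchange exports would need to be mapped into the same tuple and key=value shapes.

```python
"""
Threat-hunt helper for steps 7 to 11: rebuild the process chain on the
infected laptop, confirm the document arrived via Outlook, pull the
matching message from the mail-gateway log and enumerate the other
recipients of the same campaign. All hosts, users, hashes, addresses and
IPs below are constructed for this example and are not real telemetry.
"""
import re
from collections import defaultdict

# Constructed EDR process events: (host, pid, ppid, image, command line, image sha256)
EDR_EVENTS = [
    ("LAPTOP-0417", 1200, 800, "explorer.exe", "explorer.exe", "img-1"),
    ("LAPTOP-0417", 2210, 1200, "outlook.exe", "OUTLOOK.EXE", "img-2"),
    ("LAPTOP-0417", 3304, 2210, "winword.exe",
     'WINWORD.EXE /n "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\INetCache'
     '\\Content.Outlook\\Invoice_4471.doc"', "img-3"),
    ("LAPTOP-0417", 3390, 3304, "cmd.exe",
     "cmd.exe /c powershell -w hidden -ep bypass -f C:\\Users\\Public\\upd.ps1", "img-4"),
    ("LAPTOP-0417", 3402, 3390, "powershell.exe",
     "powershell -w hidden -ep bypass -f C:\\Users\\Public\\upd.ps1", "img-5"),
    ("LAPTOP-0417", 3500, 1200, "chrome.exe", "chrome.exe", "img-6"),
]

# Constructed mail-gateway log, one message per line (key=value fields).
MAIL_LOG = """\
2024-03-11T08:02:13Z recipient=jdoe@example.com sender=billing@invoice-portal.example sender_ip=198.51.100.23 subject="Invoice 4471 overdue" attachment=Invoice_4471.doc sha256=c0ffee01
2024-03-11T08:02:15Z recipient=asmith@example.com sender=billing@invoice-portal.example sender_ip=198.51.100.23 subject="Invoice 4471 overdue" attachment=Invoice_4471.doc sha256=c0ffee01
2024-03-11T08:05:40Z recipient=jdoe@example.com sender=hr@example.com sender_ip=203.0.113.8 subject="Payroll calendar" attachment=calendar.pdf sha256=abcd1234
2024-03-11T09:11:02Z recipient=mlee@example.com sender=accounts@invoice-portal.example sender_ip=198.51.100.23 subject="Invoice 4472 overdue" attachment=Invoice_4472.doc sha256=c0ffee01
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DOC_PATH = re.compile(r'"([^"]+\.(?:docx?|docm|xlsx?|xlsm))"', re.I)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def ancestry(events, host, pid):
    """Process chain from the root down to pid, as a list of event tuples."""
    by_pid = {(e[0], e[1]): e for e in events}
    chain, key, seen = [], (host, pid), set()
    while key in by_pid and key not in seen:   # stop at an unknown parent or a pid loop
        seen.add(key)
        chain.append(by_pid[key])
        key = (host, by_pid[key][2])
    return chain[::-1]


def find_mail_borne_execution(events, host):
    """Interpreters spawned directly by an Office app that itself descends from outlook.exe."""
    hits = []
    for e in events:
        if e[0] != host or e[3].lower() not in INTERPRETERS:
            continue
        chain = ancestry(events, host, e[1])
        images = [c[3].lower() for c in chain]
        if len(chain) < 2 or images[-2] not in OFFICE or "outlook.exe" not in images:
            continue
        m = DOC_PATH.search(chain[-2][4])            # document the Office app opened
        hits.append({"pid": e[1], "chain": images, "document": m.group(1) if m else None})
    return hits


def parse_mail_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, _, rest = line.partition(" ")
            rows.append({"ts": ts, **{k: v.strip('"') for k, v in KV.findall(rest)}})
    return rows


def mail_for_document(rows, recipient, document):
    """Messages to the user whose attachment name matches the file Word opened."""
    name = document.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return [r for r in rows if r.get("recipient", "").lower() == recipient.lower()
            and r.get("attachment", "").lower() == name]


def similar_mail(rows, ref):
    """Other messages sharing the attachment hash or sender IP (subject and sender may vary)."""
    return [r for r in rows if r is not ref and
            (r.get("sha256") == ref.get("sha256") or r.get("sender_ip") == ref.get("sender_ip"))]


def indicators(messages):
    """Block-list values: hashes for the EDR, senders and IPs for Exchange and the firewall."""
    out = defaultdict(set)
    for r in messages:
        for k in ("sha256", "sender", "sender_ip", "recipient"):
            out[k].add(r[k])
    return {k: sorted(v) for k, v in out.items()}


def hunt(events, host, user_email, mail_text):
    """Steps 7-11 end to end: vector from the process tree, then the campaign from the mail log."""
    hits = find_mail_borne_execution(events, host)
    if not hits or not hits[0]["document"]:
        return {"vector": "unknown", "hits": hits}
    rows = parse_mail_log(mail_text)
    matches = mail_for_document(rows, user_email, hits[0]["document"])
    if not matches:
        return {"vector": "email-suspected", "hits": hits, "campaign": []}
    campaign = [matches[0]] + similar_mail(rows, matches[0])
    return {"vector": "email", "hits": hits, "campaign": campaign,
            "indicators": indicators(campaign)}


if __name__ == "__main__":
    result = hunt(EDR_EVENTS, "LAPTOP-0417", "jdoe@example.com", MAIL_LOG)
    print("vector:", result["vector"], "chain:", " -> ".join(result["hits"][0]["chain"]))
    for k, v in result["indicators"].items():
        print(f"{k}: {', '.join(v)}")
```

Two design points: the chain check looks for an interpreter whose direct parent is an Office process descended from outlook.exe, which is the same "outlook.exe is the infected process" observation the ticket made but expressed as a reusable query; and "similar" mail is matched on attachment hash or sender IP rather than on subject or sender alone, because the third campaign message in the sample uses a different subject and sender address and would be missed by a subject-only search.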
-----------------------------------------------------------------------------------

So far you have seen the incident response stages. They run in the reverse
direction of how the incident actually unfolded: the response starts at the
ransomware detonation on the laptop and works back to the phishing email that
delivered it, and each stage maps to a phase of the Cyber Kill Chain.
-----------------------------------------------------------------------------------

12. Based on my investigation, and as part of the best practices to be followed, I
would recommend the following remediation plan to the client:

1. Add the hash values obtained from VirusTotal to the EDR block list (prevention
mode), so that the same malicious file is blocked on every endpoint in future,
whatever source IP address it arrives from. Note that a hash block only catches the
identical file; a repacked sample needs the EDR's behavioural rules as well.

2. Check and make sure that all machines have AV agents installed and that AV
updates are pushed periodically without fail.

3. The Exchange team should purge all similar phishing emails on O365 so that the
infection does not spread,
- block future email from the malicious sender address on the Exchange server,
- and, if required, block the sender IP address on the perimeter firewall.

4. As a key takeaway from this incident, it is recommended to integrate O365 and
the EDR with the SIEM, so that a mail with a suspicious attachment can be
correlated with an Office process spawning a child on the recipient's machine and
the threat detected and contained earlier.

5. Consider a focused cyber awareness session at the particular site to educate
users on phishing attacks.
