Managed Sentinel – Alert 157
| Field | Value |
|---|---|
| Alert ID | MS-A157 |
| Alert Name | COVID-19 IP address IOC detected - iptables |
| Description | This alert triggers when a connection to an IP address associated with COVID-19-themed malware is detected in iptables logs. |
| Severity Level | Medium |
| Threat Indicator | Compromised Host |
| MITRE ATT&CK Tactics | Persistence, Command and Control, Exfiltration |
| Log sources | Firewall |
| False Positive | Browsers, Adware, Incorrect Threat Intelligence feed |
| Recommendations | 1. Investigate the type of traffic allowed to the malicious domain (e.g. web, DNS, SMTP). 2. Manually validate the internal machine connecting to this malicious domain and collect the destination IP address. Validate this IP address against external Threat Intelligence sources (e.g. www.abuseipdb.com, virustotal.com). 3. Identify the number of requests within a specific period of time, which can be a solid indicator of a compromised host. 4. Perform an AV/AM scan of the affected internal machine. |
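As an added illustration (not part of the Managed Sentinel rule itself), the snippet below shows the matching this alert performs and the request-counting step from recommendation 3: it parses syslog-style iptables LOG lines, matches the DST field against an IOC set, and flags internal hosts that reach IOC addresses repeatedly inside a short window. The IOC addresses, the log lines and the 3-hits-in-10-minutes threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC feed: TEST-NET addresses standing in for a real COVID-19 IP list.
COVID_IP_IOCS = {"203.0.113.10", "198.51.100.77"}

# Constructed iptables LOG-target lines as they appear in syslog/kern.log.
SAMPLE_LOG = [
    "Apr  3 10:15:01 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443 SYN",
    "Apr  3 10:16:30 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.10 PROTO=TCP SPT=51240 DPT=443 SYN",
    "Apr  3 10:18:05 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.77 PROTO=UDP SPT=40001 DPT=53",
    "Apr  3 10:19:00 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.40 DST=192.0.2.50 PROTO=TCP SPT=52000 DPT=80 SYN",
    "Apr  3 11:00:00 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.40 DST=203.0.113.10 PROTO=TCP SPT=52100 DPT=80 SYN",
]

TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})")  # syslog timestamp, no year
FIELD_RE = re.compile(r"(\w+)=(\S*)")                      # kernel key=value pairs

def parse_iptables_line(line, year=2020):
    """Return (timestamp, fields) for one iptables log line, or None if it is not one."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    fields = dict(FIELD_RE.findall(line))
    return (ts, fields) if "DST" in fields else None

def find_ioc_hits(lines, iocs):
    """Return (timestamp, src, dst, proto, dpt) for every line whose DST is an IOC."""
    hits = []
    for line in lines:
        parsed = parse_iptables_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f["DST"] in iocs:
            hits.append((ts, f.get("SRC"), f["DST"], f.get("PROTO"), f.get("DPT")))
    return hits

def hosts_over_threshold(hits, window=timedelta(minutes=10), threshold=3):
    """Map each internal SRC to its peak IOC-hit count inside any sliding window
    of the given length, keeping only hosts that reach the threshold."""
    by_src = defaultdict(list)
    for ts, src, *_ in hits:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                flagged[src] = max(flagged.get(src, 0), n)
    return flagged
```

Hosts returned by hosts_over_threshold are the ones worth prioritising for the manual validation and AV/AM scan steps above, while a single hit from a host is more often the browser or adware false positive the card mentions.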