
LetsDefend - SOC147 - SSH Scan Activity - Write-Up

In this event we’re tasked with investigating an alert for the rule SOC147 - SSH Scan Activity, raised for the hostname PentestMachine with the IP address 172.16.20.5. The SIEM has caught a file called nmap and provided us with its MD5 hash, 3361bf0051cc657ba90b46be53fe5b36; alternatively, we could download the provided zip file, extract the password-protected contents and run md5sum on the file to get the same hash.

Analysis

To start with, we use a service like VirusTotal and/or Hybrid Analysis to check whether the file in question is malicious. We can either upload the actual file or just query the services with the MD5 hash. Nothing pops up, and Hybrid Analysis even lists the file/hash as whitelisted. Mind you, this is not a guarantee that nothing fishy is going on, but it is a decent indicator that we might not be dealing with a malicious file.

Hybrid Analysis

Moving on, we check Log Management to see what sort of internet traffic the host has had, and we can see that there is one external request, to https://github.com/BloodHoundAD/BloodHound/releases. BloodHound is a tool used for Active Directory enumeration, which starts to align well with the other tool we’ve seen (nmap) and the apparent use of this host in general.

Log Search

We can also check the Command History and Network Connections; cross-referencing the two shows that nmap was indeed run on this host with the command nmap -sV -sP 172.16.20.0/24 and used to scan the local network.

CMD History

Network Connections

Finally, since we’re starting to piece together an idea of what’s going on here, we should check for any internal email communications by searching for the host IP 172.16.20.5 in the Mailbox. We notice that there is one message to the SOC Team stating that an all-day network scan will be run from 12:00 onward from this host, and that any SIEM alerts originating from this host should be disregarded. This means that we can safely say the alert is a False Positive, and nothing unexpected is happening in the network.

Mailbox
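As an added illustration (not part of the original write-up, and not LetsDefend's code), the triage steps above expressed as a small Python correlator: it checks the file hash against a vetted-benign list, confirms the scan from command history plus connection fan-out, and only downgrades the alert to a false positive if a planned-scan notice covers the host and the alert time. All evidence values are constructed to mirror the case, and the 10-host fan-out threshold is an assumption.

```python
import re

# All evidence below is constructed to mirror the SOC147 case; it is not LetsDefend data.
HOST_IP = "172.16.20.5"
ALERT_MD5 = "3361bf0051cc657ba90b46be53fe5b36"
KNOWN_GOOD = {ALERT_MD5: "nmap"}  # hashes already vetted as benign tooling (VT/HA clean)
CMD_HISTORY = ["nmap -sV -sP 172.16.20.0/24", "ls -la"]
NET_CONNS = [(HOST_IP, f"172.16.20.{i}", 22) for i in range(1, 30)]  # (src, dst, dport)
MAILBOX = [("elli@letsdefend.io",
            "An all-day network scan will be run from 12:00 onward from 172.16.20.5; "
            "please disregard SIEM alerts originating from this host.")]

SCAN_TOOL = re.compile(r"\b(nmap|masscan)\b")
NOTICE_TIME = re.compile(r"from (\d{1,2}):(\d{2})")

def _hhmm(text):
    h, m = text.split(":")
    return int(h), int(m)  # '12:30' -> (12, 30) so clock times compare as tuples

def scan_fan_out(conns, src_ip, dport=22):
    """Distinct destinations src_ip touched on dport; wide fan-out is the scan signature."""
    return {dst for src, dst, port in conns if src == src_ip and port == dport}

def find_scan_notice(mailbox, host_ip, alert_time):
    """Sender of a notice naming host_ip whose start time is at or before alert_time, else None."""
    for sender, body in mailbox:
        if host_ip not in body:
            continue
        m = NOTICE_TIME.search(body)
        if m is None or _hhmm(alert_time) >= (int(m.group(1)), int(m.group(2))):
            return sender
    return None

def triage(host_ip, file_md5, cmd_history, conns, mailbox, alert_time):
    """Classify the alert; returns (verdict, reasons) with each reason tied to evidence."""
    reasons = []
    if file_md5 in KNOWN_GOOD:
        reasons.append(f"file hash is the known-good {KNOWN_GOOD[file_md5]} binary")
    scan_cmds = [c for c in cmd_history if SCAN_TOOL.search(c)]
    targets = scan_fan_out(conns, host_ip)
    if not scan_cmds or len(targets) < 10:  # assumed threshold for "this was a scan"
        return "needs_review", reasons + ["no scanner command or fan-out found; check other sources"]
    reasons.append(f"{scan_cmds[0]!r} reached {len(targets)} hosts on tcp/22")
    sender = find_scan_notice(mailbox, host_ip, alert_time)
    if sender:
        return "false_positive", reasons + [f"planned scan was notified by {sender}"]
    return "true_positive", reasons + ["scan confirmed and no planned-scan notice found"]

if __name__ == "__main__":
    print(triage(HOST_IP, ALERT_MD5, CMD_HISTORY, NET_CONNS, MAILBOX, "12:30"))
```

Note that an alert timestamped before the notified 12:00 start is still classed as a true positive, since the notice does not cover it.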

Lessons Learned

Read your emails :)

Artifacts

We should note the following:

3361bf0051cc657ba90b46be53fe5b36 MD5 hash of the nmap file, which was caught by the SIEM alert and also supplied to us for further investigation.

elli@letsdefend.io email address for correctly notifying the SOC Team about the planned scanning activities.

Host IP Address 172.16.20.5, from which the indicated traffic originated.

https://github.com/BloodHoundAD/BloodHound/releases - the BloodHound Active Directory enumeration tool that was downloaded, which could also be used for malicious purposes.

This post is licensed under CC BY 4.0 by the author.