Your Trusted Partner in this War against Cyber Crimes

No more security operation complications with AlertIQ's data analytics engine and transparency.

Welcome to AlertIQ

At the end of the day, the goals are simple:

Safety and Security.


23+ Years of Experience
500 Completed Projects
100+ Employees
300+ Satisfied Clients

#19501 FPT - T1021.002, T1570, T1569.002 - Rundll32 Without Parameters incident
What is it :

User DESKTOP-RBKDM7S\Tungdr4 ran malicious commands using PowerShell

Status

Closed

Severity

High

Category

Lateral Movement

Start Date

2022-03-30 11:16:41

Closed Date

---

Where is it?

Hostname: DESKTOP-RBKDM7S
IP: 192.168.158.147

When did it get here?

2022-03-30 11:11:00

How did it get here?

User DESKTOP-RBKDM7S\Tungdr4 ran malicious commands:

  • c:\windows\system32\rundll32.exe
  • C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask"
  • "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-ATHHTMLApplication -ScriptEngine JScript -InlineProtocolHandler About -UseRundll32 -Rundll32FilePath $env:windir\system32\rundll32.exe}

How did we detect it?

Carbon Black Response watchlist: FPT - T1021.002, T1570, T1569.002 - Rundll32 Without Parameters
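As an added example (not AlertIQ or Carbon Black code), the Python triage helper below applies the logic a "rundll32 without parameters" watchlist expresses to the three command lines recorded in this case: a bare rundll32.exe is the signature the watchlist name targets, rundll32 with a DLL,entrypoint argument is the documented usage, and a PowerShell command line that drives rundll32 is worth a look on its own. It also flags the Invoke-ATH* function name, the prefix used by Red Canary's AtomicTestHarnesses PowerShell module, which is the reason an analyst would add the action "Check with user if there is a testing/simulation process". The event records, verdict labels and suggested actions are this example's own.

```python
"""Triage helper for a 'rundll32 without parameters' watchlist hit.

Added example, not code from AlertIQ or Carbon Black. The three command
lines are the ones recorded in the case; the records, labels and actions
around them are constructed for this example.
"""
import re

# Constructed process-creation records built from the case's command lines
# (the trailing quote on the second one is kept as recorded).
CASE_EVENTS = [
    {"host": "DESKTOP-RBKDM7S", "user": r"DESKTOP-RBKDM7S\Tungdr4",
     "cmdline": r"c:\windows\system32\rundll32.exe"},
    {"host": "DESKTOP-RBKDM7S", "user": r"DESKTOP-RBKDM7S\Tungdr4",
     "cmdline": r'C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask"'},
    {"host": "DESKTOP-RBKDM7S", "user": r"DESKTOP-RBKDM7S\Tungdr4",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-ATHHTMLApplication -ScriptEngine JScript -InlineProtocolHandler About -UseRundll32 -Rundll32FilePath $env:windir\system32\rundll32.exe}'},
]

# Invoke-ATH* is the function-name prefix of the AtomicTestHarnesses module.
SIMULATION_MARKER = re.compile(r"Invoke-ATH\w*", re.I)


def split_cmdline(cmdline: str) -> list[str]:
    """Minimal Windows-style splitter: double quotes group, whitespace separates."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def image_name(path: str) -> str:
    """Lower-cased file name of the process image, without its directory."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(cmdline: str) -> str:
    """Verdict label for one command line (labels are this example's own)."""
    tokens = split_cmdline(cmdline)
    if not tokens:
        return "empty"
    exe = image_name(tokens[0])
    if exe == "rundll32.exe":
        # Documented usage is rundll32 <dll>,<entrypoint>; a bare rundll32.exe
        # has no arguments to load anything with and is the watchlist signature.
        return "rundll32_no_params" if len(tokens) == 1 else "rundll32_with_params"
    if exe == "powershell.exe" and re.search(r"rundll32(\.exe)?\b", cmdline, re.I):
        return "powershell_drives_rundll32"
    return "other"


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per rundll32-related event with a suggested action."""
    findings = []
    for ev in events:
        verdict = classify(ev["cmdline"])
        if verdict == "other":
            continue
        marker = SIMULATION_MARKER.search(ev["cmdline"])
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "verdict": verdict,
            "simulation_marker": marker.group(0) if marker else None,
            # The first action is the one recorded in this case; the second is
            # this example's default for an unexplained hit.
            "suggested_action": ("Check with user if there is a testing/simulation process"
                                 if marker else
                                 "Review parent process, loaded DLLs and network connections"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(CASE_EVENTS):
        print(finding)
```

Only the first command line is a true "rundll32 without parameters" hit; the harness marker on the third is what turns the whole cluster into a simulation question rather than a lateral-movement incident, which matches the disposition recorded in this case.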

Tags: escalate, incident

What action should we take?

Check with user if there is a testing/simulation process

Evidence

There is no attachment.

Alert record (Type: Value)

ID: 74ab01b3-c6a6-4ce4-860c-d540e4cb4f3a
Category: Unknown
Severity: Unknown
SourceID: splunk_HTTP
LogType: splunk
TenantShortName: FSO
TenantID: 061e322a-5010-4336-838a-56225e5d4ea1
AlertName: SAS - Brute Force to Admin Account
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1.SEVERITY: Unknown
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1.CATEGORY: Unknown
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1.ALERT_TYPE: ''
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1.USERNAME: fptadmin1309$
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1.ALERT_NAME: SAS - Brute Force to Admin Account
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1.LOG_TYPE: splunk
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1.SOURCE_ID: splunk_HTTP
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1.TENANT_ID: 061e322a-5010-4336-838a-56225e5d4ea1
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1.TENANT_SHORTNAME: FSO
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._time: 1658731618.804
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._raw.result.Failures: 120
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._raw.result.Destination: ITHN-DC16-T01.fsoft.fpt.vn
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._raw.result.User: fptadmin1309$
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._raw.result.Source IP: ::ffff:10.34.224.97
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._raw.result.Source: ::ffff:10.34.224.97
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._raw.result._time: 1658730600
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._raw.results_link: https://fsiem.fsoft.com.vn:443/app/SplunkEnterpriseSecuritySuite/@go?sid=scheduler__huynq101__SplunkEnterpriseSecuritySuite__RMD531ff11b0889b3578_at_1658731500_86908_97408486-6C50-4953-A3CE-41F0C4DC7ED1
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._raw.owner: huynq101
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._raw.app: SplunkEnterpriseSecuritySuite
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._raw.search_name: SAS - Brute Force to Admin Account
ValueDiffs.9cd54aed-7991-48a4-9462-6014561e4da1._raw.sid: scheduler__huynq101__SplunkEnterpriseSecuritySuite__RMD531ff11b0889b3578_at_1658731500_86908_97408486-6C50-4953-A3CE-41F0C4DC7ED1
AlertTimeLast: 2022-07-25T06:47:31.331278Z
AlertFirstDelivered: 1658731618.804
AlertTimeFirst: 2022-07-25T06:47:31.331278Z
AlertCount: 1
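The alert record above is a Splunk Enterprise Security scheduled search ("SAS - Brute Force to Admin Account") reporting 120 failures for fptadmin1309$ against ITHN-DC16-T01.fsoft.fpt.vn from ::ffff:10.34.224.97. As an added example (not the Splunk search itself, and not AlertIQ code), the Python detector below reproduces that kind of threshold logic over constructed failed-logon records: it keeps only admin-named accounts, normalizes IPv4-mapped IPv6 sources such as the one in the alert, counts failures per (user, destination, source) in a sliding window, and alerts when the count reaches a threshold. The 15-minute window, the threshold of 10 and the "admin" naming regex are this example's assumptions; the trailing "$" check notes that the account name has the form Active Directory uses for computer accounts, which is itself worth a triage question.

```python
"""Threshold detector for a 'Brute Force to Admin Account' pattern.

Added example, not the Splunk ES search behind the alert above. The
failed-logon records are constructed; user, destination and source values
come from the alert, the window, threshold and naming regex are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

ADMIN_NAME = re.compile(r"admin", re.I)  # assumed naming convention; tune per tenant
WINDOW_SECONDS = 15 * 60                  # assumed sliding window
THRESHOLD = 10                            # assumed failures-per-window threshold


def normalize_source(addr: str) -> str:
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to the IPv4 address it carries."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # IPv4Address objects lack the attribute
    return str(mapped) if mapped else str(ip)


def is_admin_account(user: str) -> bool:
    return bool(ADMIN_NAME.search(user))


def max_in_window(times: list[float], window: float) -> int:
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    lo, best = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(failed_logons: list[dict], threshold: int = THRESHOLD,
           window: float = WINDOW_SECONDS) -> list[dict]:
    """One alert per (user, destination, source) whose peak windowed failures reach the threshold."""
    buckets = defaultdict(list)
    for ev in failed_logons:
        if not is_admin_account(ev["user"]):
            continue
        key = (ev["user"], ev["destination"], normalize_source(ev["source"]))
        buckets[key].append(ev["time"])
    alerts = []
    for (user, dest, src), times in buckets.items():
        failures = max_in_window(times, window)
        if failures >= threshold:
            alerts.append({
                "user": user, "destination": dest, "source": src,
                "failures": failures,
                # Trailing $ is the sAMAccountName form of an AD computer account.
                "machine_account": user.endswith("$"),
            })
    return alerts


def constructed_events() -> list[dict]:
    """Constructed failed-logon records (not real log data)."""
    base = 1658730600  # 2022-07-25T06:30:00Z, the _raw.result._time of the alert
    dest = "ITHN-DC16-T01.fsoft.fpt.vn"
    events = []
    # 120 failures five seconds apart for the account named in the alert.
    for i in range(120):
        events.append({"time": base + 5 * i, "user": "fptadmin1309$",
                       "destination": dest, "source": "::ffff:10.34.224.97"})
    # Noisy non-admin account: ignored by the admin filter.
    for i in range(40):
        events.append({"time": base + 3 * i, "user": "jdoe",
                       "destination": dest, "source": "10.34.1.20"})
    # Admin account with a few mistyped passwords: under the threshold.
    for i in range(3):
        events.append({"time": base + 60 * i, "user": "backupadmin",
                       "destination": dest, "source": "10.34.1.21"})
    # Admin account with 12 failures spread 20 minutes apart: never 10 in one window.
    for i in range(12):
        events.append({"time": base + 1200 * i, "user": "svc_admin",
                       "destination": dest, "source": "10.34.1.22"})
    return events


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The sliding window is what separates a burst from slow background noise: the svc_admin records show twelve failures that never co-occur inside one window and therefore produce nothing, while the 120 failures from one source in under ten minutes produce exactly one alert with the source already reduced to 10.34.224.97 for pivoting.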
  • tenantdemo.tungnd27_customer_admin changed status from Done to Closed.
  • tenantdemo.tungnd27_customer_admin changed case details.
    Updated field:
    1
    Updated field:
    Simulation process
  • tenantdemo.tungnd27_customer_admin updated an action.

    Updated status action “Check with user if there is a testing/simulation process” from Inactive to Active
  • tenantdemo.tungnd27 changed status from In-progress to Done.
  • tenantdemo.tungnd27 added a new action “Check with user if there is a testing/simulation process”.
  • tenantdemo.tungnd27 changed status from New to In-progress.
  • tenantdemo.tungnd27 updated question “What is it?”
    User DESKTOP-RBKDM7S\Tungdr4 ran malicious commands using PowerShell
  • tenantdemo.tungnd27 updated question “How did we detect it?”
    Carbon Black Response watchlist: FPT - T1021.002, T1570, T1569.002 - Rundll32 Without Parameters
  • tenantdemo.tungnd27 updated question “How did it get here?”
    User DESKTOP-RBKDM7S\Tungdr4 ran malicious commands: - c:\windows\system32\rundll32.exe - C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask" - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-ATHHTMLApplication -ScriptEngine JScript -InlineProtocolHandler About -UseRundll32 -Rundll32FilePath $env:windir\system32\rundll32.exe}
  • tenantdemo.tungnd27 updated question “When did it get here?”
    January 1st 1970, 7:00:00 am (UTC)
    March 30th 2022, 11:11:00 am (UTC)
  • tenantdemo.tungnd27 updated question “Where is it?”
    Hostname: DESKTOP-RBKDM7S IP: 192.168.158.147
  • tenantdemo.tungnd27 changed case details.
    Updated field: Tag
    escalate
    escalate/incident
  • tenantdemo.tungnd27 changed case details.
    Updated field: Tag
    escalate
  • marci changed case details.
    Updated field: Owner
    tenantdemo.truongpq3
    tenantdemo.tungnd27
  • tenantdemo.truongpq3 requested escalate
  • tenantdemo.tungnd27 changed case details.
    Updated field: Owner
    tenantdemo.truongpq3
  • tenantdemo.tungnd27 changed severity from Unknown to High.
  • tenantdemo.tungnd27 changed case details.
    Updated field: Category
    Unknown
    Lateral Movement
  • marci created a new case.


Blog & Article

What Is Machine Learning – A Complete Beginner’s Guide


Machine Learning, Artificial Intelligence – And The Future Of Accounting


Overcoming the Challenges Associated with Machine Learning and AI Strategies
