A bank holding company in the U.S. Midwest with an extensive IT infrastructure.
EventTracker Co-Managed SIEM services, advanced endpoint protection, and behavior analytics would deliver added protection for this financial institution.
A user with admin privileges inserted a rescue-disk CD into their workstation. Such disks are normally used to recover a machine that can no longer boot. The specific endpoint and user were identified. The program HBCDMenu.exe was launched, and shortly afterwards everything.exe, a program that expects admin privileges. Other utilities launched included cports.exe, smartsniff, and wirelessnetview.exe. All of these are flagged on VirusTotal as problematic.
Good endpoint coverage from the EventTracker sensor captured detailed information on the removable-media insertion and the actions that followed it. The analyst team at the SIEMphonic SOC identified the potentially problematic behavior and notified the IT team promptly.
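The detection described above rests on one correlation: a removable-media insertion on a host, followed by process launches whose image path sits on the newly mounted drive. The script below is an added example (not EventTracker or SIEMphonic code) that runs that correlation over a constructed, simplified log. The record format (timestamp|host|user|event|detail), the event names MEDIA_INSERT, MEDIA_REMOVE and PROCESS_CREATE, and the host and user names are all assumptions made for the example; the watchlisted tool names are the ones named in the incident narrative above (smartsniff is written with an .exe suffix here). A name match alone is a weak signal, since a renamed binary evades it, so the script reports every launch from the mounted drive and only raises severity for watchlisted names.

```python
"""Correlate removable-media insertion with later process launches from that drive.

Added example; the log format and event names are assumptions, not a real sensor schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
import ntpath

# Tool names from the incident narrative. Matching on file name alone is a triage
# aid, not a verdict: a renamed binary would slip past this set.
WATCHLIST = {"hbcdmenu.exe", "everything.exe", "cports.exe",
             "smartsniff.exe", "wirelessnetview.exe"}

# Constructed sample records (not real EventTracker output).
# Format: ISO timestamp | host | user | event | detail
SAMPLE_LOG = """\
2019-03-04T09:12:03|WS-117|CORP\\jsmith|MEDIA_INSERT|D:
2019-03-04T09:12:41|WS-117|CORP\\jsmith|PROCESS_CREATE|D:\\HBCDMenu.exe
2019-03-04T09:13:05|WS-117|CORP\\jsmith|PROCESS_CREATE|D:\\Programs\\everything.exe
2019-03-04T09:15:22|WS-117|CORP\\jsmith|PROCESS_CREATE|D:\\Programs\\cports.exe
2019-03-04T09:16:10|WS-117|CORP\\jsmith|PROCESS_CREATE|C:\\Windows\\System32\\notepad.exe
2019-03-04T09:20:00|WS-117|CORP\\jsmith|PROCESS_CREATE|D:\\Programs\\misc.exe
2019-03-04T09:40:00|WS-117|CORP\\jsmith|PROCESS_CREATE|D:\\Programs\\smartsniff.exe
2019-03-04T10:02:13|WS-204|CORP\\asmith|PROCESS_CREATE|D:\\setup.exe
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str
    detail: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    user: str
    image: str      # lower-cased file name, used for the watchlist lookup
    path: str       # full image path as logged
    severity: str   # "high" for watchlisted tools, "medium" for anything else


def parse(text: str) -> list[Event]:
    """Turn the pipe-delimited sample records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), host, user, kind, detail))
    return events


def correlate(events: list[Event]) -> list[Alert]:
    """Flag every process started from a removable drive while it is mounted on that host.

    A drive counts as mounted from its MEDIA_INSERT event until a matching
    MEDIA_REMOVE; launches from other drives or from hosts with no insertion
    are ignored, so the alert carries the endpoint and user that matter.
    """
    mounted: dict[tuple[str, str], datetime] = {}   # (host, drive letter) -> insert time
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "MEDIA_INSERT":
            mounted[(ev.host, ev.detail.upper())] = ev.ts
        elif ev.kind == "MEDIA_REMOVE":
            mounted.pop((ev.host, ev.detail.upper()), None)
        elif ev.kind == "PROCESS_CREATE":
            drive = ntpath.splitdrive(ev.detail)[0].upper()
            if (ev.host, drive) not in mounted:
                continue    # not launched from media we saw inserted on this host
            image = ntpath.basename(ev.detail).lower()
            severity = "high" if image in WATCHLIST else "medium"
            alerts.append(Alert(ev.ts, ev.host, ev.user, image, ev.detail, severity))
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOG)):
        print(f"{a.ts:%H:%M:%S} {a.host} {a.user} {a.severity:6} {a.path}")
```

In the sample, notepad.exe is ignored because it runs from C:, and the launch on WS-204 is ignored because no insertion was ever seen on that host; the remaining five launches on WS-117 are reported, four of them at high severity because the file name is on the watchlist.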
Isolate the system from the network and eject the CD-ROM. Interview the user to determine the motivation and need for such powerful tools. If possible, reimage the affected machine.
Trust your users, but verify out-of-the-ordinary behavior.