
Hello Team,

Hope you are doing well.

We have observed “UBA : Suspicious Privileged Activity (Rarely Used Privilege)” from Source IPs “Multiple”.

Incident Details:

Detector: HULK, ANGEL
Event ID:
  - Success Audit: A computer account was changed
  - Success Audit: A Kerberos service ticket was granted
  - Success Audit: An account was successfully logged on
  - Success Audit: A Kerberos authentication ticket (TGT) was requested
Severity: P3 - Low
Username: opeyemi.oriolowo
Source IP: 10.0.20.228, 10.11.39.23
Destination IP: 10.0.20.228, 172.21.1.27
Protocol: 255
Event Subtype: Computer Account Changed, Kerberos Session Opened, User Login Success
Event Count: Multiple
Event Time: Oct 11, 2022, 10:50:47 AM
Offense ID: 339823

Incident Analysis:
1. We have observed “UBA : Suspicious Privileged Activity (Rarely Used Privilege)” from Source IP “Multiple” with Username “opeyemi.oriolowo”.
2. All the details for the event have been attached.
3. We are raising this incident for informational purposes.

Recommendations:
1. Kindly check whether the performed activity is legitimate or not.
2. Also, kindly check whether the attempts made were legitimate or not.

Sample logs:

++++++Refer Attachment++++++++++++

Hello Team,
Hope You're Doing Well!

We have observed “UCT_005 : Proxy - Attempt to connect to malicious URL” from Source IP “10.216.72.216” to Destination IP “192.252.154.117”.

Case Details:

Detector: Zscaler Nanolog Streaming Service (NSS) @ 10.224.186.229
Event Name: Reputation block outbound request: malicious URL
Severity: P3-Low
Event Subtype: Suspicious Address
Action: Reputation block outbound request: malicious URL
Source IP: 10.216.72.216
Post NAT Source IP: 202.189.246.62
Destination IP: 192.252.154.117
URL: gamil.com:443
Username: [email protected]
Event Count: 06
Offense Time: Oct 11, 2022, 7:01:20 PM
Offense ID: 596527
URL Blacklist Check:

Incident Observation:

• We also observed that Source IP “10.216.72.216” was communicating towards the destination IP “192.252.154.117”.
• The mentioned destination URL “gamil.com” is reported as malicious on several threat intelligence sites.
• The action observed for the following event is blocked.
• This offense was triggered on Log Source “Zscaler Nanolog Streaming Service (NSS) @ 10.224.186.229”.
• The Source IP belongs to the “United States of America” location.

Risk/Impact

1. This is an outbound communication from Source IP “10.216.72.216” towards Destination IP “192.252.154.117”, and the URL is reported as malicious on several threat intelligence sites.
2. URL redirection is a vulnerability that allows an attacker to force users of your application to an untrusted external site. The attack is most often performed by delivering a link to the victim, who then clicks the link and is unknowingly redirected to the malicious website.

Recommendation:

1. As the connection is already blocked, verify whether this IP address is related to your business purposes and, if not, kindly blacklist the mentioned IP.
2. Implement network segmentation, access management, and a zero-trust security strategy.
3. Check whether the activity is legitimate or not.
4. Investigate the incident with the user and Source IP.

Raw Logs:

Oct 11 18:54:07 zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|Reputation block outbound request: malicious URL|cat=Blocked devTime=Oct 11 2022 18:54:07 Asia/Kolkata devTimeFormat=MMM dd yyyy HH:mm:ss z src=10.216.72.216 dst=192.252.154.117 srcPostNAT=202.189.246.62 realm=Kanakia_ILL [email protected] srcBytes=545 dstBytes=116 role=EWM BG Compliance policy=Reputation block outbound request: malicious URL url=gamil.com:443 recordid=7153245040950640649 bwthrottle=NO useragent=Windows Microsoft Windows 10 Pro ZTunnel/1.0 referer=None hostname=gamil.com appproto=HTTP_PROXY urlcategory=Malicious Content urlsupercategory=Advanced Security urlclass=Advanced Security Risk appclass=General Browsing appname=General Browsing malwaretype=None malwareclass=None threatname=None riskscore=100 dlpdict=None dlpeng=None fileclass=None filetype=None reqmethod=CONNECT respcode=403 contenttype=Other unscannabletype=None deviceowner=srijith.menon devicehostname=22E-LTP21R-2586
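As an added example (not part of the original report or the Zscaler product), the following Python parser recovers the Case Details fields from a LEEF record like the one above; the sample line is constructed from that record, the user value is a placeholder because the page's copy is redacted, and the usrName key name is an assumption about the feed.

```python
import re
from typing import Dict

# Constructed sample modelled on the Zscaler NSS LEEF record quoted above. The
# user field is a placeholder (the page's copy is redacted) and the key name
# usrName is an assumption about the feed, not taken from the page.
SAMPLE_LEEF = (
    "Oct 11 18:54:07 zscaler-nss: LEEF:1.0|Zscaler|NSS|4.1|"
    "Reputation block outbound request: malicious URL|cat=Blocked "
    "devTime=Oct 11 2022 18:54:07 Asia/Kolkata devTimeFormat=MMM dd yyyy HH:mm:ss z "
    "src=10.216.72.216 dst=192.252.154.117 srcPostNAT=202.189.246.62 "
    "realm=Kanakia_ILL usrName=user@example.invalid srcBytes=545 dstBytes=116 "
    "role=EWM BG Compliance policy=Reputation block outbound request: malicious URL "
    "url=gamil.com:443 recordid=7153245040950640649 bwthrottle=NO "
    "useragent=Windows Microsoft Windows 10 Pro ZTunnel/1.0 referer=None "
    "hostname=gamil.com appproto=HTTP_PROXY urlcategory=Malicious Content "
    "urlsupercategory=Advanced Security urlclass=Advanced Security Risk "
    "malwaretype=None threatname=None riskscore=100 reqmethod=CONNECT "
    "respcode=403 deviceowner=srijith.menon devicehostname=22E-LTP21R-2586"
)

HEADER_KEYS = ("leef_version", "vendor", "product", "version", "event_id")

# NSS writes attributes as space-separated key=value pairs whose values may
# contain spaces (devTime=, role=, policy=, useragent=). Splitting on every
# space would shred them, so split only where the next key= begins.
ATTR_SPLIT = re.compile(r"\s+(?=[A-Za-z][A-Za-z0-9_]*=)")


def parse_leef(line: str) -> Dict[str, str]:
    """Parse a syslog-prefixed LEEF 1.0 record into one flat dict."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF record")
    parts = line[start:].split("|", 5)  # five header fields + attribute blob
    if len(parts) != 6:
        raise ValueError("malformed LEEF header")
    record = dict(zip(HEADER_KEYS, parts[:5]))
    record["leef_version"] = record["leef_version"][len("LEEF:"):]
    for pair in ATTR_SPLIT.split(parts[5].strip()):
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def case_summary(record: Dict[str, str]) -> Dict[str, object]:
    """Map the parsed record onto the fields the Case Details table reports."""
    return {
        "Event Name": record["event_id"],
        "Action": record.get("cat", "Unknown"),
        "Source IP": record.get("src"),
        "Post NAT Source IP": record.get("srcPostNAT"),
        "Destination IP": record.get("dst"),
        "URL": record.get("url"),
        "Category": record.get("urlcategory"),
        "Risk Score": int(record.get("riskscore", "0")),
        # in this record the block shows both as cat=Blocked and as respcode=403
        "Blocked": record.get("cat") == "Blocked" or record.get("respcode") == "403",
    }
```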

Hello Team,

Hope you are doing well!!!

We have observed an offense as “GTBNIG 045-Proxy-Successful phishing detected”.

Case details:

Detector: BLUE-WEB-PROXY2.gtbank.com
Event Name: TCP_ACCELERATED
Source IP: 10.1.1.217
Source Port: 60983, 52401, 61158
Destination IP: 172.64.142.28, 172.67.211.92, 66.96.149.32
Destination Port: 443
Severity: P3 - Low
Username: toyosi.bankole, dolapo.ogunbayo, ayomikun.akinwunmi
URL Host: streamsss.net, totalsportal.com, pistisghana.com
Event Count: 3
Duration: Oct 11, 2022, 3:31:52 PM; Oct 11, 2022, 4:19:07 PM; Oct 11, 2022, 5:31:36 PM
Offense ID: 339840, 339844, 339849

Threat Intel:

Incident Summary:

• This offense was triggered when the mentioned source IP “10.1.1.217” tried to communicate with destination IPs “172.64.142.28, 172.67.211.92, 66.96.149.32”.
• This offense was triggered under “Successful phishing detected” from the proxy.
• This also indicates a possible phishing attack.

Recommended Action:
• Kindly check whether it is a legitimate activity or not.
• If not legitimate, we request you to kindly block the URL as well as the domains to avoid any successful malicious activity.
• Investigate the incident with the user and Source IP.
• Create employee awareness programs for identifying phishing activities.
• These domains have been listed as Phishing by Symantec (Bluecoat Proxy OEM). GT-Bank should raise a request on the Symantec website for reviewing the domains so that they get recategorized correctly after review by Symantec.
• You can visit the URLs https://sitereview.bluecoat.com/#/lookup-result/totalsportal.com, https://sitereview.bluecoat.com/#/lookup-result/pistisghana.com and https://sitereview.bluecoat.com/#/lookup-result/streamsss.net; please find the screenshot for reference.

Raw Logs:
+++Refer Attachment+++

Hello Team,

Hope You're Doing Well

We have observed an offense triggered as “UC 109 - Linux-User created on Linux machine”.

Case Details :

Detector LinuxServer @ ip-10-23-16-24


Alert Name UC 109 - Linux-User created on Linux machine
Offense ID 596475
Symphony Ticket ID 1427664
Severity 3
Source IP 10.23.16.24
Destination IP 10.23.16.24
Username 127668_01
Process ID 15366
Shell /bin/false
Protocol User Account Added
Category User Account Added
Event Time Oct 11, 2022, 4:54:12 PM

Case Details:

• This alert is detected by “LinuxServer @ ip-10-23-16-24”.
• The low-level category of this alert is “User Account Added”.
• We found multiple usernames for this alert.

Recommendation:

• Please check whether the user is legitimate or not.
• Use the command “grep 'username' /etc/passwd” to check whether the username exists or not.

Payload:

<86>Oct 11 16:55:16 ip-10-23-16-24 useradd[15366]: new user: name=127668_01, UID=4376, GID=504, home=/sftp/prod/ib/sellers/127668, shell=/bin/false
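The /etc/passwd check from the recommendation above, as an added example that is not part of the original report: it parses the useradd payload, then looks the account up in passwd content (constructed here, since the page includes no /etc/passwd) by the login-name field only, which a bare grep on the username does not do.

```python
import re
from typing import Dict, Optional

# The useradd line is the payload quoted above; the passwd content is
# constructed here to exercise the check (the page gives no /etc/passwd).
USERADD_LOG = (
    "<86>Oct 11 16:55:16 ip-10-23-16-24 useradd[15366]: new user: "
    "name=127668_01, UID=4376, GID=504, home=/sftp/prod/ib/sellers/127668, "
    "shell=/bin/false"
)
PASSWD_SAMPLE = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "127668:x:4370:504::/sftp/prod/ib/sellers/127668:/bin/false",
    "127668_01:x:4376:504::/sftp/prod/ib/sellers/127668:/bin/false",
])

USERADD_RE = re.compile(r"useradd\[(?P<pid>\d+)\]: new user: (?P<attrs>.+)$")
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_useradd(line: str) -> Dict[str, str]:
    """Extract pid and the name=, UID=, GID=, home=, shell= attributes."""
    m = USERADD_RE.search(line)
    if not m:
        raise ValueError("not a useradd 'new user' record")
    event = {"pid": m.group("pid")}
    for part in m.group("attrs").split(", "):
        key, _, value = part.partition("=")
        event[key] = value
    return event


def lookup_passwd(name: str, passwd_text: str) -> Optional[Dict[str, str]]:
    """Match the login-name field only; a bare grep also hits home paths
    and GECOS (here grep '127668' would match two accounts)."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == name:
            return {"name": fields[0], "UID": fields[2], "GID": fields[3],
                    "home": fields[5], "shell": fields[6]}
    return None


def verify_user_creation(line: str, passwd_text: str) -> Dict[str, object]:
    """Confirm the account from the log exists and matches what useradd logged."""
    event = parse_useradd(line)
    entry = lookup_passwd(event["name"], passwd_text)
    findings = []
    if entry is None:
        findings.append("account not in passwd: removed since creation, or other host")
    else:
        for key in ("UID", "GID", "home", "shell"):
            if entry[key] != event.get(key):
                findings.append(f"{key} differs: log={event.get(key)} passwd={entry[key]}")
    if event.get("shell") in NOLOGIN_SHELLS:
        findings.append("shell in nologin set: no interactive login for this account")
    return {"event": event, "passwd": entry, "findings": findings}
```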

Hi Team,

We have observed an offense triggered as “TrendMicro DDI 1-4: CandC Attack phase containing Security Risk Detection”.

Incident Details:

Detector: Trend Micro Deep Discovery Inspector @ 10.3.8.32
Event ID: Security Risk Detection
Severity: P2 - Medium
Source IP: 10.3.1.12
Source Port: 50370, 50357
Destination IP: 165.225.124.38
Destination Port: 80
DDI_URL (custom): http://wzrkt.com
DDI_shost: kxdk-dc01.kgc.kirloskar.com
Source Asset Name: KXDK-DC01
Device Host: DDI-01
Protocol: TCP_IP
Event Subtype: Potential Misc Exploit
Action: not blocked
Event Count: 2
Destination Network Location: KIARIO.KIARIO
Offense ID: 596420

URL:

Incident analysis:

• We have observed Source IP “10.3.1.12” trying to communicate with destination IP “165.225.124.38”.
• We have observed from the payload that the action was Not blocked, detected at Trend Micro Deep Discovery Inspector @ 10.3.8.32.
• We have observed that the mentioned IP is relatively safe according to our threat intel report but the mentioned URL is malicious, so we are raising it as a precautionary measure.

Recommendations:

• Kindly check whether the connection is legitimate or not.
• If not, kindly block the IP at the firewall as a precautionary measure.
• Kindly scan the system with updated Anti-Virus & Anti-Malware and make sure systems are updated with the latest patches.
• Also, we request you to update TrendMicro to the latest version.

Raw logs:

Attached

Dear Team,

Hope you are doing well.

We have observed “ARCOS Multiple Login Failure” from source IP “10.61.15.49” towards destination IP “10.20.64.104”.

Incident Details:

Detector / Log Source ARCOS_WSUYPIMDBDC03

Event Type Authentication Failed

Severity P2-Med

Username 28257

Source IP 10.61.15.49

Destination IP 10.20.64.104
Event Count 7
Event Subtype User Login Failure

Offense ID 22062

Incident Analysis:

1. We have observed “User Login Failure” from source IP “10.61.15.49” towards the mentioned destination IP “10.20.64.104”.
2. Detected by Log Source “ARCOS_WSUYPIMDBDC03”.
3. As we analyzed the offense, we observed that the authentication failure occurred multiple times.

Recommendations:

1. Kindly check whether the activity performed is legitimate or not.
2. Disable all user accounts on the workstation which are not in use/required.
3. Restrict resource sharing.

Sample Packet:

++ Refer Attachment ++

Dear Team,

Hope you are doing well.

We have observed “Multiple Login Failures for the Same User” from Multiple Source IPs “Multiple” towards Multiple Destination IPs “Multiple”.

Incident Details:

Detector/Log Source: DC_AD_Server @ 10.20.34.11, DC_AD_Server @ 10.20.34.12, WSUYONXAPU01, WSUYONXWBU01
Event Name:
  - Failure Audit: The domain controller failed to validate the credentials for an account
  - Success Audit: A logon was successful using explicit credentials
  - Success Audit: An account was successfully logged on
  - Success Audit: Successful logon with administrative or special privileges
  - Success Audit: The domain controller validated the credentials for an account
Severity: P3-Low
Username: 90452
Source IP: 10.20.34.12, 10.20.34.11, 10.20.25.36, 10.20.232.16, 10.250.100.61
Source Port: 0
Destination IP: 10.20.34.12, 10.20.34.11, 10.20.25.36, 10.20.232.16
Destination Port: 0
Protocol: 255
Event Count: 27
Offense ID: 22055

Incident Analysis:

1. We have observed multiple login failure events from the mentioned source IPs “Multiple” towards local Destination IPs “Multiple”.
2. We have observed multiple failed login attempts by the same user “90452”.
3. All the details of the incident have been attached.

Disclaimer: We are raising this offense as an informative measure as we have observed a stream of failure audit events.

Recommendations:

1. Kindly check the password complexity and limit login attempts to avoid brute force attacks.
2. Also, kindly check whether the attempts made were legitimate or not.
3. Kindly check for any saved credentials present in the system.

Audit Logs:

Refer Attachment

Dear Team,

Hope you are doing great!!!


We have observed an Offense triggered as “UCT_006 : Proxy - Attempt to connect to Adware/Spyware sites”.

Case Details :

Detector: Zscaler Nanolog Streaming Service (NSS) @ 10.224.186.229
Alert Name: Proxy - Attempt to connect to Adware/Spyware sites
Offense ID: 596503
Symphony Ticket ID: 1427704
Severity: 3
Source IP: 192.168.1.16
Source Port: 0
Destination IP: 108.168.193.189
Destination Port: 0
Host Name: mybetterck.com
Username: [email protected]
Zscalar_URL (custom): mybetterck.com
adware/spyware site URL: mybetterck.com
Record ID: 7153231116711821313
Protocol: 255
Category: Spyware Detected
Event Time: 11-Oct-2022, 6:01:28 pm

Case Analysis:

1) We found this alert as “Proxy - Attempt to connect to Adware/Spyware sites”.
2) We observed the source IP “192.168.1.16” trying to communicate with destination IP “108.168.193.189”.

Recommendation:

1. Please check whether this activity is legitimate or not.
2. Please block malicious IPs and URLs from your end.
3. Please check whether those URLs are clean or not on VirusTotal threat intel.

Raw Data:

----Attached---
With Regards,

Akash Karad

Hello Team,

Hope you are doing great !!!

We have observed an Offense triggered as “Same Threat Detected on Same Network Different Hosts containing On-Demand Scan Resumed”.

Incident Details :

Detector: Mcafee ePo Datsun
Event ID: Threat Intelligence Contain
Severity: P2-Med
Source IP: Multiple
Destination IP: 192.168.3.15
Username: SYSTEM
Action: jticlient.contain
Event Subtype: Notice
Event Count: 13
Offense ID: 596556
Incident Analysis:

• This was triggered in log source Mcafee ePo Datsun.
• This was detected when the rule content match detected a suspicious threat.

Recommendations:
• Check whether this activity is legitimate or not.
• Run an antivirus scan on the system.
• Please upgrade AV and AM to the latest signature products.
• Please check in the system whether the user has downloaded any malicious file.

Raw logs:

Multiple(Refer to attachment)

Dear Team,

Hope you are doing great!!!

We have observed an Offense triggered as “UCT_007 : Proxy - Attempt to connect to Phishing site”

Case Details :

Detector: Zscaler Nanolog Streaming Service (NSS) @ 10.224.186.229
Alert Name: Proxy - Attempt to connect to Phishing site
Offense ID: 596432, 596456, 596462
Symphony Ticket ID: 1427605
Severity: 3
Source IP: 192.168.31.187, 192.168.0.104, 192.168.1.83
Source Port: 0
Destination IP: 15+ (attached)
Destination Port: 0
Host Name: cym-files-download.s3.eu-west-1.amazonaws.com, 18.205.204.185, mocmubse.net
Username: [email protected], [email protected], [email protected], AshishKB
Device Owner: cymulate.testing
Zscalar_URL (custom): mocmubse.net:443, cym-files-download.s3.eu-west-1.amazonaws.com:443
Protocol: 255
Category: Phishing Activity
Event Time: 11-Oct-2022, 4:24:04 pm

Case Analysis:

1) We found this alert as “UCT_007 : Proxy - Attempt to connect to Phishing site”.
2) We observed the source IPs “192.168.31.187, 192.168.0.104, 192.168.1.83” trying to communicate with multiple destination IPs.

Recommendation:

1. Please check whether this activity is legitimate or not.
2. Please block malicious IPs and URLs from your end.
3. Please check whether those URLs are clean or not on VirusTotal threat intel.

Raw Data:

----Attached---

Hello Team,

Hope You're Doing Well!

We have observed “Firewall - Multiple Exploits from Same IP (Fortigate-IPS)” from Source IP “50.31.21.8” to Destination IPs “10.102.0.101, 10.102.0.55”.

Case Details:

Severity: P2-Medium
Detector: FortiGate @ 10.101.101.9, FortiGate @ 172.16.17.130
Event Name:
  - Nmap.Script.Scanner - This indicates detection of an attempted scan from Nmap scripting engine scanner
  - Java.Debug.Wire.Protocol.Insecure.Configuration - This indicates an attempt to use Java Debug Wire Protocol to access remote debugging
Event Subtype: Potential Misc Exploit, Command Execution
Action: Dropped
Source IP: 50.31.21.8
Source Port: Multiple
Destination IP: 10.102.0.101, 10.102.0.55
Destination Port: 80
Protocol: tcp_ip
Event Count: 14
Offense ID: 596530

Blacklist Check:

Incident Observation:

• We also observed that Source IP “50.31.21.8” was communicating towards the destination IPs “10.102.0.101, 10.102.0.55” on destination port “80” in the environment.
• The mentioned Source IP “50.31.21.8” is reported as malicious on several threat intelligence sites.
• The action observed for the following event is dropped.
• This offense was triggered on Log Sources “FortiGate @ 10.101.101.9, FortiGate @ 172.16.17.130”.
• The Source IP belongs to the “Great Britain” location.

Risk/Impact

1. As it is an inbound communication from Source IP “50.31.21.8” towards Destination IPs “10.102.0.55, 10.102.0.101” and the reputation of the IP address is malicious, the impact could be high.

Recommendation:

1. As the connection is already blocked by the firewall, verify whether this IP address is related to your business purposes and, if not, kindly blacklist the mentioned IP.
2. Also let us know if the IP belongs to your internal or third-party Vulnerability Assessment and Penetration Testing (VAPT) so we can whitelist the same.
3. Implement network segmentation, access management, and a zero-trust security strategy.

Raw Logs:

Refer Attachment

Dear Team,

Hope you are doing well!!

We have observed an offense triggered as “UC 517 - Arcos - Excessive Sessions from Same User”.

Case Details :

Detector: Arcos_PIM_TU
Alert Name: UC 517 - Arcos - Excessive Sessions from Same User
Offense ID: 596441
Symphony Ticket ID: 1427614
Severity: 3
Source IP: 10.22.18.168
Source Port: 0
Destination IP: 10.22.18.168
Destination Port: 0
Protocol: 255
Username: SSUTHAR1_T
User Mac: 10.22.24.43[IN-36LRXM3][20C19B57FC24][][36LRXM3][ACM4.8.5.0]
Server IP Address: 10.22.17.142
Event ID: 9200
Event Category: Access Permitted
Event Time: 11-Oct-2022, 3:19:53 pm

Case Details

1. This alert is detected by “Arcos_PIM_TU”.
2. We observed username “SSUTHAR1_T”.

Recommendation

1. Kindly check whether the performed activity is legitimate or not.

Payload

--Attached--

Hope You're Doing Well

We have observed an offense triggered as “GTBNIG 009 - Firewall - Remote to Local horizontal Scan”.

Case Details :

Detector: ASA @ 10.254.253.100
Alert Name: Firewall - Remote to Local horizontal Scan
Offense ID: 339378, 339383, 339380
Severity: 3
Source IP: 192.227.134.67, 45.93.16.173, 45.93.16.173
Source Port: 5211, 40107, 5579
Destination IP: Multiple
Destination Port: 5060, 3389
Username: N/A
Protocol: TCP IP
Category: Firewall Deny
Event Time: Oct 8, 2022, 9:15:10 PM

Case Analysis:
1. We have observed an offense triggered as “GTBNIG 009 - Firewall - Remote to Local horizontal Scan”, a reconnaissance activity.
2. The attacker is using multiple source ports and trying to communicate with the destination port for scanning.
3. We observed a firewall deny, but the source IP is fully malicious.
4. We also observed that these source IPs are proxy server IPs.

Recommendations:

1. A firewall can prevent unauthorized access to a private network. It controls ports and their visibility, as well as detects when a port scan is in progress before shutting it down.

2. Use tools like IP scanning, network mapper (Nmap), and Netcat to ensure your network and systems are secure.

3. Please block the source IP from your end.

Raw Data:

----Attached---
