LetsDefend- SOC112 — Traffic to Blacklisted IP

IP blacklisting is a technique for preventing fraudulent or unauthorized IP addresses from connecting to your networks. Blacklists are lists of IP addresses that you want to block, either as a cluster or individuals.

Information on this alert is as follows:

The reason for triggering the alert is traffic to a malicious IP. According the playbook that we have to follow, the info required to start our analysis are listed below:

Source Address : 172.16.17.21

Destination Address: 193.239.147.32

User Agent: Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.15063; en-US) PowerShell/6.0.0

The next steps are to analyze the logs and analyze the URL to see if it is actually malicious or not.

From the logs we note that there was indeed data traffic from the IP 172.16.17.21 to 193.239.147.32. It also appears that the firewall did not block this traffic because if we select see raw log, the content comes up empty.

Now let’s analyze the URL to see if we find anything interesting. After using several third-party tools, we can say with certainty that the URL is malicious. But we have an additional interesting piece of information: the URL is associated with AveMariaRAT.

AveMaria is a Remote Access Trojan, which are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. In particular this malware has the abilities to provide remote desktop access, act as a keylogger, escalate user privileges, steal passwords, and more. It usually arrives at system as a result of phishing mails, but the RAT is available as a subscription on the dark web.

On January 31, 2021 the URL was accessed by user Jack with the following IP 172.16.17.21 The firewall did not block data traffic, and the destination IP address was 193.239.147.32.

As we could see from the analysis of the logs and network connections we can proceed to write the report for this incident and quarantine the device.