Incident conditions

Parameters of the computer (hereinafter also referred to as "asset") on which the incident occurred:

• Asset operating system – Windows 10.
• Asset software – Kaspersky Administration Kit, Kaspersky Endpoint Security.

KUMA settings:

• Integration with Active Directory, Kaspersky Security Center, Kaspersky Endpoint Detection and Response is configured.
• SOC_package correlation rules from the application distribution kit are installed.

A cybercriminal noticed that the administrator's computer was not locked, and performed the following actions on this computer:

1. Uploaded a malicious file from his server.
2. Executed the command for creating a registry key in the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hive.
3. Added the file downloaded at the first step to autorun using the registry.
4. Cleared the Windows Security Event Log.
5. Completed the session.

Page top