Managed Sentinel – Alert 154
|Alert Name||COVIT-19 IP address IOC detected - CommonSecurityLog|
|Description||This alert triggers when an connection to an IP address related to COVID-19 malware is detected in CommonSecurityLog.|
|Threat Indicator||Compromised Host|
|MITRE ATT&CK Tactics||Persistence|
Command and Control
|False Positive||Browsers Adware|
Incorrect Threat Intelligence feed
|Recommendations||1. Investigate the type of traffic allowed to the malicious IP address (e.g web, dns, smtp).|
2. Manually perform a validation of the malicious IP address on external Threat Intell sources (e.g www.abuseIPdb.com, virustotal.com).
3. Identify the number of requests within a specific period of time which could be an solid indicator of a compromised host.
4. Perform a AV/AM scan for the affected internal machine