Managed Sentinel – Alert 500

Alert ID: MS-A500
Alert Name: APT Babyshark Lookup
Description: This alert triggers when an indicator of compromise related to the Babyshark Advanced Persistent Threat (APT) is identified in the SecurityEvents log.

https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
Severity Level: High
Threat Indicator: Compromised Host
MITRE ATT&CK Tactics: Execution, Privilege Escalation, Command and Control
Log sources: Windows
False Positive: Unknown
Recommendations:
1. Initiate the Security Incident Response Plan process.
2. Isolate the affected internal machine from the corporate network.
3. Perform a full scan of the infected host using the endpoint security tool.
4. Investigate in Sentinel whether any lateral movement was performed from the infected machine.
5. Exercise caution and educate users on the safe handling of emails.
6. Install the latest updates for your antimalware software and ensure it runs properly.
7. Install the latest updates to the Windows OS software on the infected machine.