Incident Response Training Course, Malware Alert Investigation, Day 14

Views: 9,891

BlackPerl

A day ago

Comments: 26
@BlackPerl 2 years ago
In this full series we will talk about Incident Response, and it will be a free training course for everyone. Today is Day-13 and I will show you a real SOC incident that came from a SIEM tool where the antivirus fired an alert of one machine being infected by Emotet malware. There was another PC on the same network which started a suspicious outbound connection just after the first machine got infected with Emotet. In this episode, I will show you how you can efficiently and quickly perform analysis on the memory of the second PC, identify what's wrong in it, and what the relation is between the PC1 infection and the PC2 outbound communication. This is an example of triaging a real SOC detection alert which might arise anytime in your SOC. So we will be covering and trying to answer the questions below:

1. Why is PC2 communicating with a malicious IP?
2. Is PC2 also infected with Emotet?
3. If 2 is true, how can you prove that?
4. Did any process injection take place on it?
5. What are the IOCs present on PC2 apart from the IP address?
6. What steps need to be done to contain this incident?
7. If this type of case arises in your SOC, what you MUST do first.

So if you want to become a SOC BOSS, watch the full episode. All feedback is appreciated!! Comment and let me know if you have ever come across any such scenarios or learned something new!

Tools I have used in this episode:
👉 Volatility
👉 Floss
👉 Capa

🔴 DISCLAIMER
The story has been developed with inspiration from a real case study and with the help of cyberdefenders.org/labs/78. Of note, the memory from this repository contains actual Windows-based malware. That poses a risk of infection when reviewing the pcap on a Windows-based host. I recommend people review the memory in a non-Windows environment.

WATCH the playlists BELOW as well, if you want to make your career in DFIR and Security Operations!!
INCIDENT RESPONSE TRAINING Full Course 👉 kzbin.info/aero/PLj...
DFIR Free Tools and Techniques 👉 kzbin.info/aero/PLj...
Windows and Memory Forensics 👉 kzbin.info/aero/PLj...
Malware Analysis 👉 kzbin.info/aero/PLj...
SIEM Tutorial 👉 kzbin.info/aero/PLj...
Threat Hunt & Threat Intelligence 👉 kzbin.info/aero/PLj...

⌚ Timelines
0:00 ⏩ Introduction
1:05 ⏩ Background of Alert
2:44 ⏩ Memory Analysis of PC2
6:13 ⏩ Identify Hidden Process
11:12 ⏩ Dump Malicious Process
15:11 ⏩ Identify Process Injection
21:00 ⏩ Identify Actual Process
27:58 ⏩ Containment/Remediation Steps
30:08 ⏩ Summarize

📞📲 FOLLOW ME EVERYWHERE
✔ LinkedIn: www.linkedin.com/company/blac...
✔ You can reach out to me personally on LinkedIn as well: bit.ly/38ze4L5
✔ Twitter: @blackperl_dfir
✔ Git: github.com/archanchoudhury
✔ Insta: (blackperl_dfir) instagram.com/blackperl_d...
✔ Can be reached via archan.fiem.it@gmail.com

CREDIT
Thank you, Alex Siviero, for creating and sharing the memory dump!
Thank you, cyberdefenders.org, for making such awesome CTFs!

SUPPORT BLACKPERL
➡️ SUBSCRIBE, Share, Like, Comment
☕ Buy me a Coffee 👉 www.buymeacoffee.com/BlackPerl
📧 Sponsorship Inquiries: archan.fiem.it@gmail.com
🙏 Thanks for watching!! Be CyberAware!! 🤞
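As an added example (not code from the video, the channel, or the Volatility project), the core check behind the "Identify Hidden Process" and "Memory Analysis of PC2" steps in Python: diff the active-process list (pslist) against the carved list (psscan) and tie any process that only psscan finds to the outbound connection from netscan that raised the SIEM alert. The rows, process names, PIDs and the 203.0.113.45 address are constructed, and the columns are simplified rather than Volatility's exact output layout.

```python
# Added example (not the video's or Volatility's code); rows below are constructed.
# pslist walks the kernel's active-process list, so a process malware unlinked
# from that list is missing here. Simplified columns: PID PPID Name.
PSLIST = """\
4 0 System
500 4 smss.exe
600 500 csrss.exe
800 700 svchost.exe
"""
# psscan carves _EPROCESS structures from memory, so it also finds unlinked
# (hidden) processes as well as recently terminated ones.
PSSCAN = PSLIST + "2120 800 suspicious.exe\n"
# netscan-style rows: Proto Local Foreign State PID Owner (constructed)
NETSCAN = """\
TCPv4 10.0.0.12:49712 203.0.113.45:443 ESTABLISHED 2120 suspicious.exe
TCPv4 10.0.0.12:49713 10.0.0.5:445 ESTABLISHED 4 System
"""

def parse_procs(text):
    """Map PID -> (PPID, name) from 'PID PPID Name' rows, skipping headers."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs

def hidden_processes(pslist_text, psscan_text):
    """PIDs psscan recovers but pslist lacks. Candidates only: a terminated
    process lands here too, so confirm with the exit time psscan reports."""
    listed = parse_procs(pslist_text)
    return {pid: info for pid, info in parse_procs(psscan_text).items()
            if pid not in listed}

def connections_for(netscan_text, pids):
    """(PID, foreign endpoint, state) for every netscan row owned by pids."""
    hits = []
    for line in netscan_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[4].isdigit() and int(parts[4]) in pids:
            hits.append((int(parts[4]), parts[2], parts[3]))
    return hits

def triage(pslist_text, psscan_text, netscan_text, alerted_ip):
    """Hidden processes owning a connection to the IP from the SIEM alert:
    ties the PC2 outbound traffic to a process pslist never showed."""
    hidden = hidden_processes(pslist_text, psscan_text)
    return [(pid, hidden[pid][1], remote)
            for pid, remote, _state in connections_for(netscan_text, set(hidden))
            if remote.rsplit(":", 1)[0] == alerted_ip]
```

A psscan-only PID is a lead, not proof: the video's later steps (dumping the process and checking for injection) are what confirm it.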
@ronmac2934 2 years ago
This full series of the IR is excellent for someone starting in the field to someone already working. Keep going.
@BlackPerl 2 years ago
Thanks for the feedback
@nitroxicated1074 2 years ago
Amazing way of teaching and explaining.
@BlackPerl 2 years ago
Thanks, I'm glad you liked it
@aarthyrajamohan406 1 year ago
Awesome, thanks for the detailed explanation.
@shivakrishna4017 2 years ago
Thank you sir
@josephford5885 2 years ago
Love this series!!
@BlackPerl 2 years ago
Thanks.
@surajgathadi2296 2 years ago
Good one🔥
@BlackPerl 2 years ago
Thanks 🔥
@NJames2430 1 year ago
Awesome video! Would we have been able to see the same information by just leveraging Process Explorer?
@brandondouglas6553 1 year ago
This is good
@vamsi6256 2 years ago
I love your videos.. More useful ones
@BlackPerl 2 years ago
Thank You
@vamsi6256 2 years ago
@@BlackPerl please do videos on log analysis... How to understand logs?
@BlackPerl 2 years ago
@@vamsi6256 You will get some of them in the incident response playlist. More to come
@vamsi6256 2 years ago
@@BlackPerl thank you very much
@pauloseputhenpurackal3135 2 years ago
Hey Archit.. What are your work hours? Do you do night shifts?
@BlackPerl 2 years ago
Hey, I don't have any such working hours. On paper I work afternoons, but practically I work from 9AM till midnight!! 😊
@sayankumardey6826 2 years ago
Dada, please send this mem dump for practice...
@BlackPerl 2 years ago
You can download it from here cyberdefenders.org/labs/78
@nivethavenkatesh8992 2 years ago
Please do Python series!
@BlackPerl 2 years ago
Sure
@johnvardy9559 1 year ago
Hi, how do I become a SOC analyst?
@BlackPerl 1 year ago
Follow our learning programs here academy.blackperldfir.com/learn