Cisco Umbrella Alert Details
Alert ID: UMBRELLA-TOOL-TRANSFER-1105-7842
Alert Time: 2024-02-29 14:15:33 EST
Severity: HIGH (88/100)
Source: Cisco Umbrella Secure Internet Gateway
Rule: “Malicious File Download Blocked – Known Malware”
MITRE ATT&CK: T1105 – Ingress Tool Transfer
Alert Details:
Detection: Attempt to download known malicious executable blocked
User: bturner@company.com (Brian Turner, Finance)
Source IP: 192.168.45.112 (FIN-WS-078)
Destination: http://185.143.221[.]89/mimikatz.exe
Time: 14:04 EST (block time; alert raised at 14:15)
Action: BLOCKED (Security category: Malware)
Request Details:
URL: http://185.143.221[.]89/mimikatz.exe
File Size: 1.2 MB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Referrer: http://evil-site[.]com/downloads.html
Threat Intelligence:
URL categorized as “Malware” (confidence: 95%)
File hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 (flagged as known Mimikatz; note the value is a 40-character hex digest, which is SHA-1 length, not SHA-256, so confirm the algorithm before using it as a blocklist entry)
Host: 185.143.221[.]89 (bare IP, no domain) known for hosting hacking tools
47 other organizations blocked same URL today
Additional Context:
User bturner visited compromised website at 14:02
Website had drive-by download attempting to drop Mimikatz
Umbrella blocked before download reached endpoint
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Umbrella alert | Cisco Umbrella Dashboard | Confirmed blocked Mimikatz download
2. User Notification | Contact bturner | Teams, Phone | User visited “free software” site; unaware of drive-by
3. Endpoint Scan | Check FIN-WS-078 | CrowdStrike Falcon | No malware found (download blocked)
4. URL Blocking | Ensure IP and URL blocked | Umbrella, Palo Alto | Already blocked; verified
5. Threat Hunting | Check for other users accessing same URL | Umbrella Logs, Splunk | 3 other users attempted access (all blocked)
6. User Education | Provide security awareness | Email, Training | User advised on drive-by download risks
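Steps 4 and 5 above (confirm the indicator, then hunt the proxy logs for every identity that touched it) are the part of this process worth automating. The following is an added example written for this page, not Cisco's code and not the team's own tooling: it refangs the report-style indicators, checks what algorithm the recorded hash length actually corresponds to, and sweeps a constructed Umbrella-style log sample for the IP and URL. The column names are an assumption, not the product's export format. The first four IOC rows mirror the incident (bturner plus three other blocked users); the svc-backup row is an invented ALLOWED hit that is not in the incident, added only to show how an unblocked hit is separated out for escalation.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in an Umbrella-proxy-log-like layout (assumed columns, not the
# real export format). Rows 1-3 and 5 mirror the incident; row 4 is the referring
# site; the svc-backup row is invented to exercise the escalation path.
SAMPLE_LOG = """timestamp,identity,internal_ip,destination_ip,url,action,categories
2024-02-29 14:04:10,bturner@company.com,192.168.45.112,185.143.221.89,http://185.143.221.89/mimikatz.exe,BLOCKED,Malware
2024-02-29 14:06:41,jsmith@company.com,192.168.45.120,185.143.221.89,http://185.143.221.89/mimikatz.exe,BLOCKED,Malware
2024-02-29 14:09:02,mlee@company.com,192.168.45.131,185.143.221.89,http://185.143.221.89/mimikatz.exe,BLOCKED,Malware
2024-02-29 14:11:55,bturner@company.com,192.168.45.112,203.0.113.10,http://evil-site.com/downloads.html,ALLOWED,Software
2024-02-29 14:12:30,rkhan@company.com,192.168.45.140,185.143.221.89,http://185.143.221.89/mimikatz.exe,BLOCKED,Malware
2024-02-29 14:20:00,svc-backup@company.com,192.168.45.9,185.143.221.89,http://185.143.221.89/update.exe,ALLOWED,Uncategorized
"""

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(ioc):
    """Turn a report-style defanged indicator back into the form that appears in logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def hash_algorithm(digest):
    """Infer md5/sha1/sha256 from a hex digest's length; None if it is not a hex digest."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return None
    return HASH_LENGTHS.get(len(digest))


def parse_log(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def hunt(records, ioc_ip, ioc_url=None):
    """Collect every record that touched the IOC (by destination IP or exact URL),
    grouped by identity: {identity: [(timestamp, action, url), ...]}."""
    ip = refang(ioc_ip)
    url = refang(ioc_url) if ioc_url else None
    hits = defaultdict(list)
    for r in records:
        if r["destination_ip"] == ip or (url is not None and r["url"] == url):
            hits[r["identity"]].append((r["timestamp"], r["action"], r["url"]))
    return dict(hits)


def triage(hits, reporting_user):
    """Split hunt results: any identity with a non-BLOCKED hit goes to endpoint
    investigation; blocked-only identities (other than the reporting user) get
    awareness follow-up, as in step 6."""
    escalate = sorted(i for i, h in hits.items() if any(a != "BLOCKED" for _, a, _ in h))
    other_blocked = sorted(i for i in hits if i != reporting_user and i not in escalate)
    return {"escalate": escalate, "other_users_blocked": other_blocked}


if __name__ == "__main__":
    alert_hash = "a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4"  # value as recorded in the alert
    print(f"alert hash: {len(alert_hash)} hex chars -> {hash_algorithm(alert_hash)}")
    recs = parse_log(SAMPLE_LOG)
    hits = hunt(recs, "185.143.221[.]89", "hxxp://185.143.221[.]89/mimikatz.exe")
    print(triage(hits, reporting_user="bturner@company.com"))
```

Matching on destination IP as well as the exact URL matters here: the page records the host as a bare IP with no domain, so a second payload name on the same host (the invented update.exe row) would be missed by a URL-only search.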
Jira Incident Report
Ticket: SOC-2024-147
Summary: T1105 – Mimikatz Download Attempt Blocked by Cisco Umbrella
Status: RESOLVED
Resolution: MALICIOUS – Download Blocked
Priority: P2 – MEDIUM
Labels: T1105, ingress-tool-transfer, mimikatz, cisco-umbrella, drive-by-download
Components: Web-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Cisco Umbrella Secure Internet Gateway.
Alert: “Malicious File Download Blocked – Known Malware”.
User: bturner@company.com (Finance Department).
URL: http://185.143.221[.]89/mimikatz.exe.
Time: 2024-02-29 14:15 EST.
Technique: MITRE ATT&CK T1105 – Ingress Tool Transfer.
2. Technical Analysis:
Attack Chain:
14:00 – User searches for “free PDF converter”
14:02 – Clicks on search result (compromised site)
14:03 – Site initiates drive-by download
14:04 – Browser attempts to download mimikatz.exe
14:04 – Umbrella blocks download
14:05 – User continues unaware
Malware Details:
File: mimikatz.exe (credential dumping tool)
Hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 (as recorded in the alert; 40 hex characters, which is SHA-1 length, not SHA-256; obtain and confirm a SHA-256 value before using this as an IOC)
Size: 1.2 MB
Purpose: Extracts plaintext passwords, NTLM hashes and Kerberos tickets from LSASS memory; used for Pass-the-Hash and Pass-the-Ticket attacks
Source Infrastructure:
IP: 185.143.221[.]89 (Bulgaria)
Known For: Hosting hacking tools, malware C2
Domain: Not used (direct IP access)
User Intent:
User was looking for legitimate software
Unaware of drive-by download
No malicious intent
3. Investigation Findings:
Timeline:
14:02 – User clicks malicious link
14:04 – Download attempted
14:04 – Umbrella blocks
14:15 – Alert triggers
14:17 – SOC investigates
14:18 – User contacted
14:20 – Endpoint scan (clean)
Indicators of Compromise (IoCs):
Network:
– URL: http://185.143.221[.]89/mimikatz.exe
– IP: 185.143.221[.]89
File:
– mimikatz.exe (hash: a1b2c3d4…, 40 hex characters, SHA-1 length; algorithm to be confirmed)
User:
– bturner (no compromise)
4. Containment Actions:
Immediate Actions:
Verified IP and URL already blocked.
User notified.
Endpoint scanned (clean).
Enterprise-wide Actions:
Checked for other users accessing same URL (3 others, all blocked).
No additional action needed.
User Education:
User advised on drive-by download risks.
Recommended using approved software sources.
5. Root Cause Analysis:
Primary Cause: User visited compromised website with drive-by download.
Contributing Factors:
Web filtering at the Umbrella layer was the only control that engaged; nothing upstream of it (search result, browser) stopped the user from reaching the compromised site or starting the download.
User unaware of drive-by risks.
6. Business Impact:
Operational Impact: None.
Security Impact: Download blocked; no compromise.
7. Remediation & Prevention:
Completed Actions:
Download blocked.
User educated.
IOCs already in blocklist.
Technical Controls Enhanced:
Verified Umbrella policies are effective.
Enhanced user awareness training on drive-by downloads.
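The block in this incident depended on the URL already carrying a Malware reputation category. A detection that keys on the behaviour instead (an executable fetched from a bare IP host, over cleartext HTTP, whether or not the proxy blocked it) would surface the same T1105 pattern before the host is categorised. The following is an added example, not Cisco's code or a rule from the page: it scores constructed Umbrella-style proxy records on those traits. The column names, the weights and the 70-point threshold are all assumptions for illustration; only the first sample row mirrors the incident, the rest are invented to show which cases fire and which do not.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed Umbrella-style proxy log sample (assumed columns). Row 1 mirrors the
# incident; the others are invented to exercise the scoring.
SAMPLE_LOG = """timestamp,identity,url,action,categories
2024-02-29 14:04:10,bturner@company.com,http://185.143.221.89/mimikatz.exe,BLOCKED,Malware
2024-02-29 14:07:12,jdoe@company.com,https://download.example.com/installer.exe,ALLOWED,Software
2024-02-29 14:09:45,svc-backup@company.com,http://198.51.100.23/update.exe,ALLOWED,Uncategorized
2024-02-29 14:10:03,alee@company.com,http://intranet.company.com/page.html,ALLOWED,Business
2024-02-29 14:12:58,mlee@company.com,http://203.0.113.7/tool.PS1?v=2,ALLOWED,Uncategorized
2024-02-29 14:15:30,kwu@company.com,http://cdn.example.net/setup.exe,ALLOWED,Software
"""

# Payload extensions treated as "tool transfer" candidates (illustrative list).
EXEC_EXT = (".exe", ".dll", ".msi", ".ps1", ".scr", ".bat", ".hta", ".vbs", ".js")
THRESHOLD = 70  # assumed cut-off; tune against your own proxy baseline


def is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_record(r):
    """Weight one proxy record for T1105 traits. Returns (score, reasons).
    Executable payload is the gate; the other traits only add weight."""
    parts = urlsplit(r["url"])
    if not parts.path.lower().endswith(EXEC_EXT):
        return 0, []
    score, reasons = 30, ["executable payload"]
    if is_ip_literal(parts.hostname or ""):
        score += 30
        reasons.append("ip-literal host (no domain)")
    if parts.scheme == "http":
        score += 10
        reasons.append("cleartext http")
    if r["action"].upper() != "BLOCKED":
        score += 30
        reasons.append("not blocked by reputation category")
    return score, reasons


def detect(text):
    """Run the scoring over a CSV export; return findings at or above THRESHOLD,
    highest score first. 'high' means the download was not blocked."""
    findings = []
    for r in csv.DictReader(io.StringIO(text)):
        s, reasons = score_record(r)
        if s >= THRESHOLD:
            findings.append({
                "identity": r["identity"],
                "url": r["url"],
                "score": s,
                "severity": "high" if s >= 90 else "medium",
                "reasons": reasons,
            })
    findings.sort(key=lambda f: -f["score"])
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['score']:3} {f['identity']:24} {f['url']}  <- {', '.join(f['reasons'])}")
```

With these weights the incident row scores 70 (executable, IP-literal host, cleartext, but blocked) and is reported as medium for follow-up, while an allowed executable from an IP-literal host scores 100 and is reported as high. A signed installer from a named host over HTTPS stays under the threshold, which is the false-positive class this scheme is trying to exclude.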
8. Conclusion:
A user visited a compromised website that attempted to download Mimikatz via drive-by download. Cisco Umbrella blocked the malicious file before it could reach the endpoint. No compromise occurred.
Closure Rationale: Download blocked; user educated; no compromise.
Analyst: [Your Name], SOC Analyst Date: 2024-02-29 15:30 EST