
[Incident Response] How to check by yourself whether a system has been compromised

2023.01.31 GSS & IR Team
The growing frequency of cyber attacks has raised everyone's vigilance. If an enterprise suspects that its own systems or machines may have been attacked and intruded, the TeamT5 incident response team offers the following inspection directions, drawn from its long-term and extensive experience investigating security incidents.

1. Check for unusual behavior

  • A large number of abnormal logon events (possibly a password spraying attack: one source failing against many different accounts)
  • Event log IDs: 4624 (successful logon), 4625 (failed logon)
  • Abnormal high-privileged operations

2. Check whether a new high-privileged account or a new machine has been added to the domain

  • If so, trace back from that account or machine to the source of the intrusion

3. Check for abnormal registry entries

  • Malware commonly uses registry keys (such as autorun keys) to persist; identify these entries and remove the persistence mechanism

4. Check for unusual bandwidth usage

  • Confirm which endpoint the traffic is coming from, to estimate what data may have been stolen

5. Check for abnormally installed applications or services

  • For example PsExec, AnyDesk

6. Work out the attack timeline

7. Find the source of the attack
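As an added example (this is not TeamT5's own code or tooling), the following PowerShell script performs a read-only pass over checks 1, 2, 3 and 5 on a Windows host. Assumptions: it runs in an elevated PowerShell 5.1 or later; the Security log still holds the window of interest; the account-creation and group-membership events in step 2 only exist on a domain controller, so on a member server that section falls back to listing local administrators; the 7-day window, the threshold of ten distinct accounts for spraying, and the remote-tool watchlist are arbitrary starting points to tune. Step 4 (bandwidth) needs flow or proxy data rather than host logs and is not covered.

```powershell
# Added example (not TeamT5 code): read-only triage over checks 1, 2, 3 and 5.
# Run in an elevated PowerShell 5.1+ on the host being examined.
# Assumed knobs: window, spray threshold, tool watchlist. Tune them to the environment.
param(
    [int]$Days = 7,
    [int]$SprayAccountThreshold = 10   # distinct accounts failing from one source
)
$since = (Get-Date).AddDays(-$Days)

# Flatten each event's <EventData><Data Name="..."> fields into properties so later
# filters can refer to TargetUserName, IpAddress, LogonType, ServiceName by name.
function Get-EventData {
    param([string]$LogName, [int[]]$Id, [datetime]$Start)
    Get-WinEvent -FilterHashtable @{LogName=$LogName; Id=$Id; StartTime=$Start} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $o = [ordered]@{ Time = $_.TimeCreated; Id = $_.Id }
            foreach ($d in $x.Event.EventData.Data) { if ($d.Name) { $o[$d.Name] = $d.'#text' } }
            [pscustomobject]$o
        }
}

"== 1a. Failed logons (4625) per source; many distinct accounts from one source is the spraying pattern =="
# On a domain controller also review 4771 (Kerberos pre-auth failed) and 4776 (NTLM validation).
Get-EventData -LogName Security -Id 4625 -Start $since |
    Group-Object IpAddress |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Source   = $_.Name
            Failures = $_.Count
            Accounts = @($_.Group.TargetUserName | Sort-Object -Unique).Count
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
        }
    } |
    Where-Object { $_.Accounts -ge $SprayAccountThreshold } |
    Sort-Object Accounts -Descending | Format-Table -AutoSize

"== 1b. Successful network/RDP logons (4624, LogonType 3 or 10) from remote addresses =="
Get-EventData -LogName Security -Id 4624 -Start $since |
    Where-Object { $_.LogonType -in '3','10' -and $_.IpAddress -notin '-','127.0.0.1','::1' } |
    Group-Object TargetUserName, IpAddress, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 25 | Format-Table -AutoSize

"== 2. Account/computer creation and privileged group additions (DC Security log) =="
# 4720 user created, 4741 computer created, 4728/4732/4756 member added to a security group.
Get-EventData -LogName Security -Id 4720,4741,4728,4732,4756 -Start $since |
    Select-Object Time, Id, SubjectUserName, TargetUserName, MemberName | Format-Table -AutoSize
# Member servers log none of the above; at least review who is a local administrator.
Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue |
    Select-Object Name, PrincipalSource | Format-Table -AutoSize

"== 3. Registry autorun entries (Run/RunOnce): the usual home of persistence =="
# HKCU covers only the current user; load other users' NTUSER.DAT hives to check them.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$(foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($name in (Get-Item $key).Property) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = Get-ItemPropertyValue $key -Name $name }
        }
    }
}) | Format-Table -AutoSize -Wrap

"== 5a. Services installed in the window (System log 7045; PsExec installs PSEXESVC this way) =="
Get-EventData -LogName System -Id 7045 -Start $since |
    Select-Object Time, ServiceName, ImagePath, AccountName | Format-Table -AutoSize -Wrap

"== 5b. Services on a remote-tool watchlist or running from outside \Windows (noisy; review by hand) =="
$watch = 'PSEXESVC','AnyDesk','TeamViewer','ScreenConnect','RustDesk'   # assumed watchlist
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -in $watch -or $_.PathName -match ($watch -join '|') -or
                   ($_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\') } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap

"== 5c. Applications whose registry InstallDate falls in the window =="
$uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' -and
                   [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) -ge $since } |
    Select-Object DisplayName, InstallDate, Publisher, InstallLocation | Format-Table -AutoSize -Wrap
```

Each section is a starting point for the corresponding check rather than a verdict: the 4625 grouping surfaces a spraying source but says nothing about which accounts eventually succeeded, which is why the 4624 view follows it; the service list outside \Windows will include legitimate third-party software and needs a human eye; and none of this replaces collecting the logs centrally, since an intruder with administrator rights can clear the local Security log.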



With a solid technical background and frontline expertise, TeamT5 provides in-depth investigation of, and response to, real-world cyber attacks. We identify and research the intruders' attacks and the impact and technical causes of the incident, and recommend solutions or workarounds to assist our clients with recovery and remediation.
If you need incident response, please contact us: https://teamt5.org/en/request-information/


*Image courtesy: Pixabay