Threat Intelligence Card

Note: Log into the Security Onion VM and use the following Indicator of Attack to complete this portion of the homework.

Locate the following Indicator of Attack in Sguil based off of the following:

• Source IP/Port: 188.124.9.56:80
• Destination Address/Port: 192.168.3.35:1035
• Event Message: ET TROJAN JS/Nemucod.M.gen downloading EXE payload

Answer the following:

1. What was the indicator of an attack?

• Hint: What do the details of the reveal?

1. Answer:
2. What was the adversarial motivation (purpose of attack)?
3. Answer:
4. Describe observations and indicators that may be related to the perpetrators of the intrusion. Categorize your insights according to the appropriate stage of the cyber kill chain, as structured in the following table.

TTP

Example

Findings

Reconnaissance

How did they attacker locate the victim?

Weaponization

What was it that was downloaded?

Delivery

How was it downloaded?

Exploitation

What does the exploit do?

Installation

How is the exploit installed?

Command & Control (C2)

How does the attacker gain control of the remote machine?

Actions on Objectives

What does the software that the attacker sent do to complete it's tasks?

Answer:

1. What are your recommended mitigation strategies?
2. Answer:
3. List your third-party references.
4. Answer: