Help me study for my Computer Science class. I’m stuck and don’t understand.
Reminder Technical Environment Background:
- Corporate environment
- 200 endpoints, Windows 10
- 70 internal servers, mix of Linux and Windows
- 30 databases, all MSSQL
- 10 internet facing webpages supported by 40 servers in the DMZ
- Regulatory requirements – SOX (publicly traded company)
Investigation Information:
- Proxy logs show that user was redirected to the webpage 3fehef7y539ej[.]eu from mycorporatenetwork.com (company intranet site)
- 3fehef7y539ej[.]eu resolves to 172[.]16[.]200[.]55
- DNS and Firewall logs indicate that 3 other computers have gone to this address
- AV scan does not provide further information
Forensic Update:
- Forensic memory analysis identifies 4utfind.exe running whenever Internet Explorer is launched
- Sandbox analysis shows 4utfind.exe is injecting a background call to 3fehef7y539ej[.]eu
Questions:
- What containment steps should be taken?
- How will you know the network is clean?
- Assume that you have a world-class SOC with all the tools known to man
- Do NOT attempt to go to the webpages or IP addresses listed
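An added worked example, not part of the original question or the course material: one way a SOC would answer "how will you know the network is clean?" is to sweep the proxy, DNS and firewall logs for the two indicators the scenario gives (the domain and the IP it resolves to) and sweep the endpoint process inventory for 4utfind.exe, then repeat both sweeps after containment until they come back empty over a full monitoring window. The log line formats, source IPs, hostnames and the EDR inventory snapshot below are constructed for the example; real SIEM exports will need their own regexes. The indicators are kept defanged in the code and only refanged in memory for matching, so nothing here contacts the domain or IP.

```python
"""IOC sweep for the 3fehef7y539ej[.]eu / 4utfind.exe scenario.

Added example: log formats, hosts and the process inventory are constructed.
"""
import re
from collections import defaultdict

# Indicators from the scenario, stored defanged so a copy/paste can never
# become a live URL; refang() restores them only for string matching.
IOC_DOMAIN = "3fehef7y539ej[.]eu"
IOC_IP = "172[.]16[.]200[.]55"
IOC_PROCESS = "4utfind.exe"


def refang(ioc: str) -> str:
    """Turn '[.]' back into '.' so the indicator can be compared to log fields."""
    return ioc.replace("[.]", ".")


# Constructed sample logs (assumed key=value formats).
PROXY_LOGS = """\
2024-03-01T09:12:01Z src=10.1.5.23 user=jdoe method=GET url=http://mycorporatenetwork.com/news status=200
2024-03-01T09:12:02Z src=10.1.5.23 user=jdoe method=GET url=http://3fehef7y539ej.eu/ld.php referer=http://mycorporatenetwork.com/news status=200
2024-03-01T09:40:15Z src=10.1.7.8 user=asmith method=GET url=https://www.microsoft.com/ status=200
"""
DNS_LOGS = """\
2024-03-01T09:12:01Z client=10.1.5.23 query=3fehef7y539ej.eu type=A answer=172.16.200.55
2024-03-01T10:03:44Z client=10.1.9.41 query=3fehef7y539ej.eu type=A answer=172.16.200.55
2024-03-01T10:05:00Z client=10.1.9.41 query=mycorporatenetwork.com type=A answer=10.1.0.10
"""
FW_LOGS = """\
2024-03-01T09:12:03Z action=allow src=10.1.5.23 dst=172.16.200.55 dport=80 proto=tcp
2024-03-01T11:22:09Z action=allow src=10.1.12.77 dst=172.16.200.55 dport=443 proto=tcp
2024-03-01T11:22:10Z action=allow src=10.1.12.77 dst=10.1.0.10 dport=445 proto=tcp
"""

PROXY_RE = re.compile(r"src=(?P<src>\S+).*?url=(?P<url>\S+)")
DNS_RE = re.compile(r"client=(?P<src>\S+) query=(?P<query>\S+).*?answer=(?P<answer>\S+)")
FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def sweep_logs(proxy: str, dns: str, fw: str) -> dict:
    """Return {source_ip: {evidence_source, ...}} for every host that touched an IOC."""
    domain, ip = refang(IOC_DOMAIN), refang(IOC_IP)
    url_re = re.compile(rf"https?://{re.escape(domain)}(?:[:/]|$)")
    hits = defaultdict(set)
    for line in proxy.splitlines():
        m = PROXY_RE.search(line)
        # Match the URL host only, not any substring of the line, so a
        # referer= field or an unrelated host name cannot cause a false positive.
        if m and url_re.match(m["url"].lower()):
            hits[m["src"]].add("proxy")
    for line in dns.splitlines():
        m = DNS_RE.search(line)
        # Either the query name or the answer is enough: the domain could be
        # re-pointed to a new IP, or the IP reached via a different name.
        if m and (m["query"].rstrip(".").lower() == domain or m["answer"] == ip):
            hits[m["src"]].add("dns")
    for line in fw.splitlines():
        m = FW_RE.search(line)
        if m and m["dst"] == ip:
            hits[m["src"]].add("firewall")
    return dict(hits)


# Constructed EDR process-inventory snapshot: hostname -> [(image, parent_image)].
PROCESS_INVENTORY = {
    "WS-0523": [("explorer.exe", "userinit.exe"), ("iexplore.exe", "explorer.exe"),
                ("4utfind.exe", "iexplore.exe")],
    "WS-0941": [("explorer.exe", "userinit.exe"), ("chrome.exe", "explorer.exe")],
    "WS-1277": [("iexplore.exe", "explorer.exe"), ("4UTFIND.EXE", "iexplore.exe")],
}


def hunt_process(inventory: dict) -> dict:
    """Return {host: parent_image} for every host running the implant image.

    The parent is kept because the memory analysis tied the process to
    Internet Explorer launches; a different parent would be worth a closer look.
    """
    found = {}
    for host, procs in inventory.items():
        for image, parent in procs:
            if image.lower() == IOC_PROCESS:  # case-insensitive, Windows paths
                found[host] = parent.lower()
    return found


def is_clean(log_hits: dict, process_hits: dict) -> bool:
    """Clean, for this IOC set, means no host resolved/proxied/connected to the
    indicators and no endpoint has the image running. An empty result is
    necessary but not sufficient: re-run over a full window after containment."""
    return not log_hits and not process_hits


if __name__ == "__main__":
    hits = sweep_logs(PROXY_LOGS, DNS_LOGS, FW_LOGS)
    procs = hunt_process(PROCESS_INVENTORY)
    for src, evidence in sorted(hits.items()):
        print(f"{src}: {', '.join(sorted(evidence))}")
    for host, parent in sorted(procs.items()):
        print(f"{host}: {IOC_PROCESS} running under {parent}")
    print("network clean:", is_clean(hits, procs))
```

The three sources are deliberately checked independently: a host that shows up only in firewall logs (direct-to-IP traffic with no DNS lookup and no proxy entry) is exactly the kind of system a single-source search would miss, and the firewall match is on the destination IP rather than the domain for the same reason. Treat the sweep as a check on the known indicators only; once the sandbox produces further indicators (other domains, mutexes, persistence keys) they belong in the same loop.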