I think the EventID is key here. It should be sequential in the EDR's logs. So following that logic...
2142685 cpt-ws002 userinit.exe malicious create process blocked
(this was listed as blocked plus it isn't even a choice)
2142696 cpt-ws002 notepad.exe likely safe process execution allowed
(no issues here)
2142734 cpt-ws002 NO-AV.exe Suspicious halt process allowed
(this appears to be the start of the detected and allowed malicious behavior)
Choosing C since that appears to be the first instance of a malicious process being allowed to run.
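The triage rule this comment applies, sorting on the sequential Event ID and taking the first non-benign event the EDR still allowed, as an added Python example that is not part of the original thread; the log lines are constructed to mirror the fields discussed (Event ID, device, process, classification, threat type, action), and the pipe-separated export format is an assumption.

```python
"""Restore chronological order of EDR events and find the first allowed threat.

Added example; the log below is constructed, not the exam's actual table.
"""
from collections import namedtuple

Event = namedtuple("Event", "event_id device process classification threat action")

# Constructed EDR export, deliberately out of order, pipe-separated (assumed format).
EDR_LOG = """\
2152773|cpt-ws002|DearCry.exe|Malicious|Create process|Blocked
2142685|cpt-ws002|userinit.exe|Malicious|Create process|Blocked
2142773|cpt-ws002|DearCry.exe|Inconclusive|Create process|Allowed
2142696|cpt-ws002|notepad.exe|Likely safe|Process execution|Allowed
2152734|cpt-ws026|NO-AV.exe|Suspicious|Halt process|Quarantined
2142734|cpt-ws002|NO-AV.exe|Suspicious|Halt process|Allowed
"""

BENIGN = {"likely safe", "benign"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [p.strip() for p in line.split("|")]
        if len(fields) != 6:
            raise ValueError(f"malformed line: {line!r}")
        events.append(Event(int(fields[0]), *fields[1:]))
    # Event IDs are assigned sequentially by the EDR, so sorting on them
    # recovers the chronological order that the export lost.
    return sorted(events, key=lambda e: e.event_id)


def first_allowed_threat(events):
    """Earliest event classified as non-benign that the EDR nevertheless allowed."""
    for e in events:
        if e.action.lower() == "allowed" and e.classification.lower() not in BENIGN:
            return e
    return None


def origin(text):
    """(device, process) of the likely starting point, or None if nothing was allowed."""
    e = first_allowed_threat(parse_log(text))
    return (e.device, e.process) if e else None


if __name__ == "__main__":
    for e in parse_log(EDR_LOG):
        print(e.event_id, e.device, e.process, e.classification, e.threat, e.action)
    print("Likely origin:", origin(EDR_LOG))
```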
1. The process "Dearcry.exe" on device "cpt-ws002" is classified as "Inconclusive" and was allowed to create something, making it a possible candidate. However, the name "Dearcry.exe" seems malicious, and on device "cpt-ws026" it was classified as "Malicious" but was blocked. This makes "Dearcry.exe" a suspect, but its activity on "cpt-ws002" isn't definitively malicious based on the given data.
2. The process "NO-AV.exe" on device "cpt-ws002" is classified as "Suspicious" and was allowed to halt a process. This behavior is typical of ransomware, which often tries to disable security measures. Thus, this makes "NO-AV.exe" on "cpt-ws002" a strong candidate for the ransomware's origin.
3. The process "NO-AV.exe" on device "cpt-ws026" was also classified as "Suspicious", but it was quarantined, which means its malicious activities were halted.
Answer:
C. cpt-ws002, NO-AV.exe
Device: cpt-ws002
Process: NO-AV.exe
Even with the fact that the event ID is chronological, NO-AV.exe still sounds like something that would stop anti-virus so as to give way to payload execution.
Line #  Possible scenario                           Event ID
9       Malware blocked.                            2142689
5       Possible process injection.                 2142696
2       Anti-virus stopped.                         2142734
1       Privilege escalation.                       2142755
0       Payload delivered.                          2142773
4       Payload executed.                           2152101
3       Spawn child processes.                      2152118
8       Malware quarantined.                        2152734
7       Malware tries to re-establish connection.   2152755
6       Malware blocked.                            2152773
10      Establish C2.                               2153855
Here's why:
The DearCry.exe process is marked as malicious on device ws002 in event 2152773 (with the action "Blocked"). This indicates that DearCry.exe was identified as ransomware and was prevented from further execution. Additionally, in event 2142773, DearCry.exe is also observed as an inconclusive process (with "Allowed" action), meaning it was allowed to run at some point on ws002 before being flagged as malicious. The DearCry.exe process on ws002 is the first indicator where it started as an allowed process, and later it was identified and blocked as malicious. This points to ws002 and DearCry.exe as the origin of the ransomware. NOT C because cpt-ws002, NO-AV.exe: NO-AV.exe is marked as suspicious, but it wasn't flagged as malicious. This makes it less likely to be the source of the ransomware.
Implementing DoH on mobile devices can be done through dedicated apps or manual settings on the device itself. For enterprises, using MDM to centrally configure and enforce DoH ensures compliance with security policies and simplifies the management process. This approach secures DNS queries by encrypting them and ensures they adhere to the network restrictions, providing enhanced security and privacy for mobile users.
If you order the IDs it looks like
cpt-ws002 NO-AV.exe with the threat type “halt process” is the origin.
If the attackers aren’t being creative with their naming conventions, AV typically stands for Antivirus. And the threat is Halt process.
I think the attack started with cpt-ws002 no-av.exe shutting down the antivirus.
A simpler way to put it, the first Dearcry.exe process allowed was the one that started the ransomware. Any other activity could or could not be related to the ransomware.
I believe that the first step of the ransomware was disabling the AV (answer C). I also believe that the subsequent step of executing dearcry.exe is where the ransomware began the victim's engagement part.
So to me, the AV being disabled kicked the ransomware off.
Read the event IDs carefully (they aren't really in order).
Option C happened before Option A (AV was disabled before dearcry.exe could be run on the machine). We can see elsewhere in the logs that the AV should have been blocking dearcry.exe.
It is reasonable to infer that the first step in the attack was to disable the AV with option C, therefore that is where it started. Else dearcry.exe would not have been allowed to run.
The 2142734 ID event in cpt-ws002 shows that the NO-AV.exe process, classified as "Suspicious", had the "Halt process" action allowed.
If we follow the logic that this action (Halt process allowed) can represent the beginning of a detected and allowed malicious behavior, it can be concluded that the malicious activity started in cpt-ws002 with the NO-AV.exe process.
Option C, cpt-ws002, NO-AV.exe, is not the correct answer because the ransomware did not originate from this process. The EDR output shows that the NO-AV.exe process on cpt-ws002 was allowed to halt, as indicated by the line 2142734 cpt-ws002 NO-AV.exe Halt process Allowed. This means that the NO-AV.exe process was stopped, so it could not have initiated the ransomware infection. On the other hand, the DearCry.exe process on cpt-ws002 was allowed to create, which is typically how ransomware begins its infection process. Therefore, the ransomware likely originated from cpt-ws002, DearCry.exe. So, the correct answer is E. cpt-ws002, DearCry.exe.
I'm going to make an assumption about the chart and say that the "Threat type" category means the "possible threat it could produce", not the action that happened, because there is a specific category called "Action". So 2142734 was not halted; that was the type of threat it was potentially classified as. It was allowed to execute and halt a process. I'm also assuming the attackers/comptia are not going to be too inventive in their naming conventions and assume that the "AV" in "NO-AV.exe" stands for "no antivirus" and that that process shut down the antivirus protection on that system. My only question is, is comptia being super picky about the wording of "originate"? I think that the antivirus was shut down to allow event 2142773 to execute and actually deploy the malware. I'm going with C and hoping comptia isn't being too literal in determining which executable was the one to deploy and hoping they mean initiate.
Based on the provided data, it appears that the ransomware originated from the process Dearcry.exe with Event ID 2152773. This is because the action associated with this process was create and its classification was Malicious, which was subsequently Blocked. This suggests that an attempt was made to create a malicious process, which aligns with the behavior of ransomware.
So, the answer to your question would be B) cpt-ws026, DearCry.exe if we assume that Event ID 2152773 corresponds to device cpt-ws026.