A suspicious, signed program was detected and blocked on an employee's desktop used by Lyndon, rated as a moderate-risk event because it resembles a tool often used for network discovery. The endpoint mitigation acted to stop execution and quarantine attempts, and the alert remains unresolved. Business impact is limited if no lateral activity occurred, but such tools can expose internal systems if allowed to run.
SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.
| Action | Status |
| --- | --- |
| LYN-DT-CONCH, no full disk scan command was sent. | Not Configured |
| LYN-DT-CONCH, endpoint was not isolated from the network. | Not Configured |
Recommended Remediation
Containment: Isolate endpoint 'LYN-DT-CONCH' from the network immediately to prevent lateral movement and external connections.
Eradication: Remove and uninstall 'Advanced_IP_Scanner_2.5.4594.1.exe' from 'C:\Users\LYNDON\Downloads' on 'LYN-DT-CONCH' and delete the file '26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b' (SHA256) from all backups and file stores.
Eradication: Terminate any running instances of the originating process 'chrome.exe' under user 'LYN-DT-CONCH\LYNDON' and reset the user's authentication token(s) by forcing a session/token revocation.
Hardening: Ensure application execution control is in place by blocking execution of unsigned or non-approved installers in user Downloads folders and enforce least-privilege for standard users to prevent installation of administrative tools.
Hardening: Validate and restrict use of network scanning tools via application allowlist and update endpoint protection policies to block or quarantine known hacktools classified as 'Malware' with 'suspicious' confidence level.
26d5748f...593c193b
Malicious
File hash detected by 2 security engines. Classified under the meaningful name Advanced_IP_Scanner_2.5.4594.1.exe.
Hybrid-Analysis
26d5748f...593c193b
Malicious
File hash detected by 3 security engines. Classified under the meaningful name Advanced_IP_Scanner_2.5.4594.1.exe.
Indicators of Compromise
The threat indicator shows that a tool called 'Advanced IP Scanner' has been found on the system. This software is typically used to scan networks and identify connected devices. While it can serve legitimate purposes, its detection may suggest unauthorized activity, indicating that someone could be attempting to gather information about the network or its devices for malicious reasons. It's important to investigate its presence to ensure the security of the network.