Investigatingin windows

(@amanedf)
Posts: 1
New Member
Topic starter

Hello All Experts,

Good day.

We are seeing that the malicious URL http//js.user.51.la is being accessed from multiple computers without the users' knowledge. We suspect the possibilities below:

1. It is being accessed because it has been embedded in another website, and it is being accessed through that.
2. Some application has been installed and it is trying to access it.

For point 1, it is quite surprising that multiple users are accessing the same site. Also, if that is the case, how can I identify the website through which the traffic is being initiated? I have got the webcache01.dat, since all traffic or websites are stored in this. Please note we are using the Chrome browser. (Please let me know if there is anything else I need to collect.)

For point 2, I have collected Windows events but I am not able to identify the application. I am not sure if I am missing something. Is it possible to identify the application from Windows events in this case? If yes, how can we do that?

Please guide me.

Note: I apologise, but due to security reasons I cannot share files.

Regards,

Posted : 17/01/2019 12:33 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member

1. It is being accessed because it has been embedded in another website, and it is being accessed through that.
2. Some application has been installed and it is trying to access it.

For point 1, it is quite surprising that multiple users are accessing the same site. Also, if that is the case, how can I identify the website through which the traffic is being initiated? I have got the webcache01.dat, since all traffic or websites are stored in this. Please note we are using the Chrome browser. (Please let me know if there is anything else I need to collect.)

If you're using the Chrome browser, and the users are using the Chrome browser, and option 1 above applies, then you're not going to find anything. Chrome doesn't use the webcacheV01.dat file.

For point 2, I have collected Windows events but I am not able to identify the application. I am not sure if I am missing something. Is it possible to identify the application from Windows events in this case? If yes, how can we do that?

By "windows event", do you mean perhaps "Windows Event Logs"?

If so, these do not maintain information about network connections performed by applications.

Perhaps the best way to go about this is to employ some sort of EDR tool that is able to tell you which process is submitting the domain query…

Posted : 17/01/2019 7:40 pm
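The process-level DNS telemetry keydet89 points to is exactly what Sysmon's DnsQuery event provides (Event ID 22, introduced in Sysmon 10): each record carries the QueryName together with the Image and ProcessId of the process that issued the lookup. As an added example that is not part of this thread, assuming Sysmon with DNS logging is deployed and the Microsoft-Windows-Sysmon/Operational log has been exported as XML, the script below groups lookups of 51.la (and any subdomain) by querying process; the events, host names and paths are constructed for illustration.

```python
"""Attribute Sysmon DNS-query events (ID 22) to the process that issued them.
Sample events below are constructed; real ones come from an XML export of
the Microsoft-Windows-Sysmon/Operational log (e.g. wevtutil qe ... /f:xml)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>22</EventID>
<Computer>PC01</Computer></System><EventData><Data Name="UtcTime">2019-01-17 09:12:03.101</Data>
<Data Name="ProcessId">4120</Data><Data Name="QueryName">js.user.51.la</Data>
<Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>22</EventID>
<Computer>PC02</Computer></System><EventData><Data Name="UtcTime">2019-01-17 09:15:44.870</Data>
<Data Name="ProcessId">7788</Data><Data Name="QueryName">js.user.51.la</Data>
<Data Name="Image">C:\Users\bob\AppData\Local\Temp\updater.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>22</EventID>
<Computer>PC01</Computer></System><EventData><Data Name="UtcTime">2019-01-17 09:16:01.000</Data>
<Data Name="ProcessId">4120</Data><Data Name="QueryName">www.example.com</Data>
<Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>3</EventID>
<Computer>PC02</Computer></System><EventData><Data Name="Image">C:\Windows\System32\svchost.exe</Data>
<Data Name="DestinationHostname">js.user.51.la</Data></EventData></Event>
</Events>"""


def parse_dns_queries(xml_text):
    """Return one dict per Event ID 22 record; other Sysmon event IDs are skipped."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "22":
            continue
        rec = {"Computer": ev.findtext("e:System/e:Computer", namespaces=NS)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text
        records.append(rec)
    return records


def attribute_domain(records, domain):
    """Map each querying process image to (computer, time, pid) tuples for lookups
    of `domain` or any of its subdomains; a process absent here never queried it."""
    hits, suffix = defaultdict(list), "." + domain.lower()
    for r in records:
        q = (r.get("QueryName") or "").lower()
        if q == suffix[1:] or q.endswith(suffix):
            hits[r["Image"]].append((r["Computer"], r["UtcTime"], int(r["ProcessId"])))
    return dict(hits)
```

Running `attribute_domain(parse_dns_queries(SAMPLE_EVENTS), "51.la")` on the sample separates the browser lookups from the one made by an executable in a user's Temp folder, which is the distinction the original question is after.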
(@kippiis)
Posts: 1
New Member

I'm having the same problem right now.

Posted : 18/01/2019 7:35 pm