Investigating in Windows

amanedf
(@amanedf)
New Member

Hello All Experts,

Good day.

We are experiencing that the malicious URL http//js.user.51.la is getting accessed from multiple computers without the knowledge of the users. We suspect the following possibilities:

1. It is getting accessed because it has been embedded in another website, and through that website it is getting accessed.
2. Some application has been installed and it is trying to access it.

For point 1, it is quite surprising that multiple users are accessing the same site. Also, if that is the case, how can I identify the website through which the traffic is getting initiated? I have got the webcache01.dat, since all traffic or websites are stored in this. Please note we are using the Chrome browser. (Please let me know if there is anything else I need to collect.)

For point 2, I have collected Windows events but I am not able to identify the application. I am not sure if I am missing something. Is it possible to check the application from Windows events in this case? If yes, how can we do that?

Please guide me.

Note: I apologise, but for security reasons I cannot share files.

Regards,

Topic starter Posted : 17/01/2019 12:33 pm
keydet89
(@keydet89)
Community Legend

1. It is getting accessed because it has been embedded in another website, and through that website it is getting accessed.
2. Some application has been installed and it is trying to access it.

For point 1, it is quite surprising that multiple users are accessing the same site. Also, if that is the case, how can I identify the website through which the traffic is getting initiated? I have got the webcache01.dat, since all traffic or websites are stored in this. Please note we are using the Chrome browser. (Please let me know if there is anything else I need to collect.)

If you're using the Chrome browser, and the users are using the Chrome browser, and option 1 above applies, then you're not going to find anything. Chrome doesn't use the webcacheV01.dat file.

For point 2, I have collected Windows events but I am not able to identify the application. I am not sure if I am missing something. Is it possible to check the application from Windows events in this case? If yes, how can we do that?

By "windows event", do you mean perhaps "Windows Event Logs"?

If so, these do not maintain information about network connections performed by applications.

Perhaps the best way to go about this is to employ some sort of EDR tool that is able to tell you which process is submitting the domain query…

Posted : 17/01/2019 7:40 pm
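Since Chrome keeps its browsing record in its own SQLite "History" database rather than in webcacheV01.dat, the referrer question from point 1 can be answered by walking that database's visit chain. The script below is an added example, not code from the thread or from any of its participants. It assumes a subset of Chrome's History schema (tables `urls` and `visits`, where `visits.from_visit` points at the visit that led to the current one, and visit times are microseconds since 1601-01-01) and builds a small constructed database in memory so it runs offline; on a real case you would open a copy of the user's `History` file instead of calling `build_sample_history()`.

```python
"""Walk a Chrome History database to find which page led to a request.

Added example (not part of the forum thread). Assumes a subset of the Chrome
"History" SQLite schema: `urls(id, url, title)` and
`visits(id, url, visit_time, from_visit, transition)`, where `from_visit` is
the id of the referring visit row (0 at the root of a chain) and
`visit_time` is microseconds since the WebKit epoch, 1601-01-01 UTC.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_time(dt):
    """Convert a datetime to Chrome's microseconds-since-1601 format."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def webkit_to_datetime(us):
    """Inverse of webkit_time()."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                     from_visit INTEGER, transition INTEGER);
"""


def build_sample_history():
    """Constructed in-memory History DB standing in for the real file.

    The sample models two unrelated pages that each pull in the suspicious
    domain, which is the 'embedded in another website' scenario.
    """
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    t0 = datetime(2019, 1, 17, 9, 0, tzinfo=timezone.utc)
    urls = [
        (1, "https://intranet.example/home", "Intranet"),   # constructed
        (2, "https://hr.example/portal", "HR Portal"),       # constructed
        (3, "http://js.user.51.la/", ""),                    # domain from the thread
        (4, "https://news.example/", "News"),                # constructed
    ]
    # (visit id, url id, minutes after t0, from_visit)
    visits = [
        (1, 1, 0, 0),    # typed: intranet home, no referrer
        (2, 2, 1, 1),    # link from intranet to the HR portal
        (3, 3, 1, 2),    # HR portal page pulled in the tracker domain
        (4, 4, 30, 0),   # unrelated typed visit
        (5, 3, 30, 4),   # news site also pulled it in
    ]
    db.executemany("INSERT INTO urls VALUES (?,?,?)", urls)
    db.executemany(
        "INSERT INTO visits VALUES (?,?,?,?,?)",
        [(vid, uid, webkit_time(t0 + timedelta(minutes=m)), fv, 0)
         for vid, uid, m, fv in visits])
    return db


def referrer_chain(db, domain, max_depth=10):
    """For every visit to `domain`, return (time, chain) where chain lists the
    pages from the root of the navigation to the suspicious URL."""
    rows = db.execute(
        "SELECT v.id, v.visit_time FROM visits v JOIN urls u ON u.id = v.url "
        "WHERE u.url LIKE ? ORDER BY v.visit_time", (f"%{domain}%",)).fetchall()
    chains = []
    for visit_id, vtime in rows:
        chain, current = [], visit_id
        for _ in range(max_depth):   # bounded walk; from_visit is 0 at the root
            row = db.execute(
                "SELECT u.url, v.from_visit FROM visits v JOIN urls u ON u.id = v.url "
                "WHERE v.id = ?", (current,)).fetchone()
            if row is None:
                break
            chain.append(row[0])
            if not row[1]:
                break
            current = row[1]
        chain.reverse()
        chains.append((webkit_to_datetime(vtime), chain))
    return chains


def referring_sites(db, domain):
    """Distinct pages that directly led to `domain`: the sites through which
    the traffic is being initiated."""
    return sorted({c[-2] for _, c in referrer_chain(db, domain) if len(c) >= 2})


if __name__ == "__main__":
    db = build_sample_history()
    for when, chain in referrer_chain(db, "js.user.51.la"):
        print(when.isoformat(), " -> ".join(chain))
    print("referrers:", referring_sites(db, "js.user.51.la"))
```

Running this across each affected user's History file and comparing the `referring_sites` output is the quickest way to tell whether one common internal page (an intranet or portal) is what embeds the domain, or whether the visits have no referrer at all, which would point back towards point 2 and a locally installed component.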
Kippiis
(@kippiis)
New Member

I'm having the same problem right now.

Posted : 18/01/2019 7:35 pm