Kaspersky Unified Monitoring and Analysis Platform

Incident conditions

Parameters of the computer (hereinafter also referred to as "asset") on which the incident occurred:

  • Asset operating system – Windows 10.
  • Asset software – Kaspersky Administration Kit, Kaspersky Endpoint Security.

KUMA settings:

  • Integration with Active Directory, Kaspersky Security Center, Kaspersky Endpoint Detection and Response is configured.
  • SOC_package correlation rules from the application distribution kit are installed.

A cybercriminal noticed that the administrator's computer was not locked, and performed the following actions on this computer:

  1. Downloaded a malicious file from a server under their control.
  2. Ran a command that creates a registry key under \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  3. Added the file downloaded in step 1 to autorun through that registry key.
  4. Cleared the Windows Security Event Log.
  5. Ended the session.
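Steps 3 and 4 each leave a Windows Security event behind: a registry value write under the Run key (event 4657) and the "audit log was cleared" event (1102), which is written after the wipe and so survives it. The following is an added example, not a SOC_package rule and not code from this page, that correlates the two on constructed sample events; the field names and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), normalized from Windows Security log fields.
# Event 4657 = registry value modified, 1102 = audit log cleared.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:02:11", "host": "ADMIN-PC", "event_id": 4657, "subject": "CORP\\admin",
     "object": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "updater", "new_value": "C:\\Users\\admin\\Downloads\\update.exe"},
    {"ts": "2024-05-01T10:05:40", "host": "FILE-SRV", "event_id": 4657, "subject": "CORP\\svc_backup",
     "object": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer",
     "value_name": "ShellState", "new_value": "01 00 00 00"},
    {"ts": "2024-05-01T10:09:03", "host": "ADMIN-PC", "event_id": 1102, "subject": "CORP\\admin"},
    {"ts": "2024-05-01T12:30:00", "host": "BUILD-01", "event_id": 1102, "subject": "CORP\\ci"},
]

# Autorun keys of interest; compared case-insensitively against the tail of the object path.
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def is_autorun_persistence(ev):
    """True when a registry value was written directly under a Run/RunOnce key."""
    return ev["event_id"] == 4657 and ev["object"].lower().endswith(AUTORUN_KEYS)


def is_log_cleared(ev):
    """Event 1102 is the record of the Security log itself being cleared."""
    return ev["event_id"] == 1102


def correlate(events, window=timedelta(hours=1)):
    """Pair every log-clear with an earlier autorun write on the same host inside `window`.

    Returns one alert per matched pair. A 1102 without a preceding autorun write
    (BUILD-01 in the sample) is left to a separate single-event rule.
    """
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for clear in filter(is_log_cleared, events):
        t_clear = datetime.fromisoformat(clear["ts"])
        for ev in filter(is_autorun_persistence, events):
            t_ev = datetime.fromisoformat(ev["ts"])
            if ev["host"] == clear["host"] and timedelta(0) <= t_clear - t_ev <= window:
                alerts.append({"host": clear["host"], "autorun_value": ev["value_name"],
                               "autorun_path": ev["new_value"], "persisted_by": ev["subject"],
                               "cleared_by": clear["subject"], "cleared_at": clear["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Against the sample, only ADMIN-PC produces an alert: the Explorer key write on FILE-SRV is filtered out by the key match, and the BUILD-01 log clear has no autorun write to pair with.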