
Assisted Remediation in Action


This week we had the opportunity to help an MSP partner contain and remediate an Emotet/TrickBot infection that impacted a client with 50+ computers and servers.

Considering how quickly TrickBot reinfects systems and drops ransomware, this was the perfect opportunity to kick the tires on our Assisted Remediation beta feature—which was .

Keep reading for a play-by-play of how this incident unfolded.

Introducing the Situation

Network Titan’s day started out with a bang when 杏吧传媒 detected TrickBot on 23 of 55 systems within one of their clients’ networks. This created a separate incident report for each host containing remediation details. Don’t get us wrong, our remediation steps are easy to follow. However, in this case, time was of the essence and no one wants to manually clean 20+ workstations and servers. 😉

Knowing that Assisted Remediation was coming (we like to call it the “Magic Button”), it’s no surprise that their IT Services Manager, Chris Nolan, reached out to the 杏吧传媒 SOC team for help.

Coordinating Preemptive Efforts

During the discussion, ThreatOps analysts agreed that our assisted remediation feature would help to quickly delete the malicious scheduled tasks, services, and files. However, we would still need the Network Titan team to disable Administrative Shares (part of our existing ) and implement to help prevent the malware from reinfecting newly cleaned systems.

While performing these actions, the 杏吧传媒 Team upgraded all hosts with the beta agent and prepared remediation plans similar to the one below:

Remediation actions the agent will perform when instructed.

Executing the Remediation

Now with the upgraded agents in place, it was time to execute—our moment of truth! As soon as the remediation plans were tasked/approved, our team began rapidly mashing [F5], watching incident after incident flip from Active to Resolved.

In under 20 minutes, 杏吧传媒 and Network Titan were able to clean up 21 of the 23 infected hosts (two hosts were offline).

Once those two hosts were powered on, they also received the agent upgrade and Assisted Remediation tasks—resolving those machines as well. Needless to say, both teams were excited about the result.

Parting Thoughts

With Assisted Remediation, 杏吧传媒 addressed our partner’s most pressing need: to quickly reduce the client’s level of risk posed by this incident without impacting productivity.

Although this cleanup effort still required work on our partner’s behalf (like rebooting machines to eliminate non-persistent payloads and re-enabling Administrative Shares), we’re pretty darn happy about this success!
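The Administrative Shares step that runs through this write-up (disabled during containment under "Coordinating Preemptive Efforts", re-enabled once hosts were clean in the paragraph above) is a registry change on the Server service. The script below is an added example, not the post's or the partner's own tooling; the helper name is our own, while the LanmanServer parameter values are standard Windows settings. It assumes an elevated PowerShell session on the host being cleaned.

```powershell
# Added example: toggle the default administrative shares (C$, ADMIN$) on a
# Windows host, matching the disable-then-re-enable sequence in the write-up.
# Set-AdminShareState is a constructed helper name; the registry path and
# AutoShareWks / AutoShareServer values are documented Windows settings.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Set-AdminShareState {
    param([Parameter(Mandatory)][bool]$Enabled)

    # Workstations read AutoShareWks, servers read AutoShareServer; writing
    # both covers either role without having to inspect the Windows edition.
    $value = if ($Enabled) { 1 } else { 0 }
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        New-ItemProperty -Path $LanmanParams -Name $name -PropertyType DWord `
            -Value $value -Force | Out-Null
    }

    # The Server service only reads these values when it starts, so restart it
    # (-Force also restarts dependent services such as the Computer Browser).
    Restart-Service -Name LanmanServer -Force

    # Verify the result: with shares disabled, IPC$ should be the only default
    # special share left; with shares enabled, C$ and ADMIN$ reappear.
    Get-SmbShare | Where-Object { $_.Special } |
        Select-Object Name, Path, Description
}

# Containment: remove the admin shares so freshly cleaned hosts are not
# reinfected from neighbours that are still waiting on remediation.
Set-AdminShareState -Enabled $false

# After the agent has cleaned the host and it has been rebooted, restore the
# shares for normal management access:
# Set-AdminShareState -Enabled $true
```

Because the remaining hosts on the network may still be infected, run the disable step before the cleanup is tasked and only re-enable once every host in the incident has flipped to Resolved.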
