DJN2: Incident Response Incident Reporting Template
WGU D482 DJN2: Incident Response Report Template for Engineering Application Issues.
Design by Paradigm | Incident Reporting Template
SECTION A: INCIDENT DETAILS
Incident number(s): HDE-1001, HDE-1050, HDE-1072
Incident date(s): 13 DEC
Report author: 001184431
Report date: 21 DEC
Summary of incident: At 10 am on 13 December the help desk reported ticket HDE-1001. There were application performance issues on the server hosting the engineering application, which resulted from unauthorized updates installed via a spoofed email. On investigation, the server showed high CPU utilization, suspicious processes and suspicious network traffic. To remediate, the malicious application was terminated, antivirus was restored, and the firewall policy was updated to block the traffic.
Impacted system(s): WIN-6JNN6RLT6IL
Primary function of the impacted system(s): The impacted system is a device that hosts CAD software used by Engineering.
Impacted user(s):
Incident timeline: From 10:00 AM to 3:20 PM on December 13
Functional impact (See section: Glossary): ☒HIGH ☐MEDIUM ☐LOW ☐NONE
Incident priority: ☒HIGH ☐MEDIUM ☐LOW
Additional notes: More users than indicated may have been affected but may not have reported the issue.
Incident type: (check all that apply)
☒ Compromised system
☐ Compromised user credentials (e.g., lost password)
☐ Network attack (e.g., DoS)
☒ Malware (e.g., virus, worm, Trojan)
☐ Reconnaissance (e.g., scanning, sniffing)
☐ Lost equipment/theft
☐ Physical break-in
☒ Social engineering (e.g., phishing)
☐ Law enforcement request
☐ Policy violation (e.g., acceptable use)
☐ Other:
SECTION B: DETECT
Hostname of the impacted system(s): WIN-6JNN6RLT6IL
IP address of the impacted system(s): 10.10.20.10
Operating system of the impacted system(s): Microsoft Windows Server 2019 Standard
SECTION C: INVESTIGATE
Destination port of malicious traffic: 3333
Additional notes & observations: Excessive traffic from 10.10.20.10 to 159.203.162.18 was logged at the Server_Firewall; this port and protocol are known to be associated with trojans.
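The triage below is an added example, not part of the original report: it parses a few constructed Server_Firewall lines and flags internal hosts with repeated outbound flows to the port and destination named in Section C, so an analyst can confirm the "excessive traffic" observation and see the later DENY entries once the Section D block rule is in place. The log format and the 10.10.20.0/24 subnet are assumptions.

```python
# Added example, not part of the original report: triage constructed
# Server_Firewall lines for the Section C pattern. Format/subnet are assumed.
from collections import defaultdict
import ipaddress

# Constructed sample export: time action src dst proto dport bytes
SAMPLE_LOG = """\
10:02:11 ALLOW 10.10.20.10 159.203.162.18 TCP 3333 48211
10:02:41 ALLOW 10.10.20.10 159.203.162.18 TCP 3333 51930
10:03:12 ALLOW 10.10.20.10 159.203.162.18 TCP 3333 50077
10:03:15 ALLOW 10.10.20.25 93.184.216.34 TCP 443 8120
10:04:02 ALLOW 10.10.20.10 10.10.20.5 TCP 445 2048
15:21:00 DENY 10.10.20.10 159.203.162.18 TCP 3333 0
"""
INTERNAL = ipaddress.ip_network("10.10.20.0/24")  # assumed engineering subnet
WATCH_PORTS = {3333}                              # port named in the report
WATCH_DESTS = {"159.203.162.18"}                  # destination from the report

def parse_line(line):
    """Split one line into a dict; None for blank or malformed lines."""
    f = line.split()
    if len(f) != 7 or not f[5].isdigit() or not f[6].isdigit():
        return None
    return {"ts": f[0], "action": f[1], "src": f[2], "dst": f[3],
            "proto": f[4], "dport": int(f[5]), "bytes": int(f[6])}

def is_suspicious(rec):
    """Outbound (internal -> external) to a watched port or destination."""
    src_ok = ipaddress.ip_address(rec["src"]) in INTERNAL
    dst_ext = ipaddress.ip_address(rec["dst"]) not in INTERNAL
    return src_ok and dst_ext and (rec["dport"] in WATCH_PORTS or rec["dst"] in WATCH_DESTS)

def triage(log_text):
    """Per source host: allowed flows, bytes sent, and denied attempts. A DENY
    after the port-3333 block (Section D) counts as 'blocked', not a new alert."""
    stats = defaultdict(lambda: {"flows": 0, "bytes": 0, "blocked": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_suspicious(rec):
            continue
        key = "flows" if rec["action"] == "ALLOW" else "blocked"
        stats[rec["src"]][key] += 1
        if rec["action"] == "ALLOW":
            stats[rec["src"]]["bytes"] += rec["bytes"]
    return dict(stats)

def hosts_to_escalate(log_text, min_flows=3):
    """Hosts with repeated allowed flows to a watched destination."""
    return sorted(h for h, s in triage(log_text).items() if s["flows"] >= min_flows)
```

On the sample, only 10.10.20.10 is escalated: its SMB traffic to 10.10.20.5 is ignored as internal, and the 443 flow from 10.10.20.25 does not match the watched port or destination.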
SECTION D: REMEDIATE
Summary of actions taken to restore functionality of impacted system(s): To restore functionality, the highly utilized processes were terminated and the disk was cleaned, including temp files. The Xmrig.exe file was also removed.
Summary of actions taken to restore network security: Restored functionality of Windows Defender Antivirus and updated the firewall to block traffic on port 3333. Scanned the device for further issues.
Additional notes & observations: When searching online for the xmrig miner process, it was recommended to delete temp files, offline web pages and temporary internet files.
SECTION E: LESSONS LEARNED