Issue:
Rapid7: a laptop PC is reported as compromised (e.g. malware infection, or otherwise identified as a security risk/threat) and Rapid7 requires digital evidence from it in support of system/network vulnerability mitigation.
Background:
We have been using Rapid7 for Incident Detection and Response (IDR) and Managed Vulnerability Management (MVM) since November 2021. Rapid7 is a third-party partner whose cloud-hosted SIEM solution retrieves data from networking equipment, computers and servers, as well as the event logs for that equipment. Should anything be identified as an issue, Rapid7 contacts the Tier 3 Infrastructure Team to begin remediation of the event. Users will be contacted when their laptop PCs are reported compromised. A forensic triage package must be run on each of the impacted PCs for further analysis of the security risk/threat event.
Solution:
1. Physically take custody of and secure the laptop PC that Rapid7 reported as compromised, and disconnect all LAN/Wi-Fi/Internet connections.
2. Copy the Forensic Triage Package provided by Rapid7 via the Kemin Helpdesk onto the compromised laptop PC and extract it.
3. Locate offline_malware_triage_package.exe, right-click it and select Run as administrator, enter the required credentials and press Enter.
4. When the forensic files have been generated, a ZIP folder is created in the same directory as the offline_malware_triage_package.exe that was run.
5. Provide the ZIP folder to Rapid7 for analysis via Tier 3 Infrastructure Support, who are handling the case.
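The following PowerShell script is an added example, not a script from Rapid7 or the Kemin Helpdesk, that wraps steps 1, 3 and 4 above and adds the evidence-integrity check a responder would normally want: it disables the network adapters (complementing the physical disconnect), runs the triage executable elevated, finds the ZIP it produced and writes a SHA-256 manifest next to it so Tier 3 and Rapid7 can confirm the archive was not altered in transit. The extraction directory (C:\Triage), the assumption that the package writes its ZIP into that same directory as the newest .zip file, and the manifest file name are assumptions of this example; only the executable name comes from the runbook.

```powershell
# Added example (not Rapid7's or Kemin's code): automates steps 1, 3 and 4 of the
# runbook and records a SHA-256 hash of the resulting ZIP for chain of custody.
# Assumptions: the package was already extracted to $PackageDir (placeholder path),
# the executable is named offline_malware_triage_package.exe as the runbook states,
# and the ZIP it produces lands in that same directory.
# Run from an elevated PowerShell session (Run as administrator).

param(
    [string]$PackageDir = 'C:\Triage',   # placeholder: where the package was extracted
    [string]$ExeName    = 'offline_malware_triage_package.exe'
)

$ErrorActionPreference = 'Stop'

# Step 1 (software side of the isolation): disable every active network adapter so the
# host cannot reach the LAN, Wi-Fi or Internet while evidence is collected.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Write-Host "Disabling adapter: $($_.Name)"
    Disable-NetAdapter -Name $_.Name -Confirm:$false
}

# Step 3: run the triage executable elevated and wait for it to finish.
$exePath = Join-Path $PackageDir $ExeName
if (-not (Test-Path $exePath)) { throw "Triage executable not found at $exePath" }

# Remember which ZIPs already existed so the new one can be told apart afterwards.
$before = @(Get-ChildItem -Path $PackageDir -Filter '*.zip' -File | ForEach-Object FullName)
$start  = Get-Date
Start-Process -FilePath $exePath -WorkingDirectory $PackageDir -Verb RunAs -Wait

# Step 4: locate the ZIP created by the run (newest .zip that was not present before).
$zip = Get-ChildItem -Path $PackageDir -Filter '*.zip' -File |
       Where-Object { $_.FullName -notin $before -and $_.LastWriteTime -ge $start } |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $zip) { throw "No triage ZIP found in $PackageDir after the run" }

# Chain of custody: hash the archive and write a manifest beside it. The recipient
# recomputes the hash on receipt and compares it with the manifest.
$hash = Get-FileHash -Path $zip.FullName -Algorithm SHA256
$manifest = [ordered]@{
    Hostname    = $env:COMPUTERNAME
    CollectedBy = $env:USERNAME
    CollectedAt = (Get-Date).ToString('o')
    Archive     = $zip.Name
    SizeBytes   = $zip.Length
    SHA256      = $hash.Hash
}
$manifestPath = Join-Path $PackageDir ($zip.BaseName + '.manifest.json')   # assumed name
$manifest | ConvertTo-Json | Set-Content -Path $manifestPath -Encoding UTF8
Write-Host "Triage archive: $($zip.FullName)"
Write-Host "SHA256: $($hash.Hash) (manifest written to $manifestPath)"
```

Hand both the ZIP and the manifest file to Tier 3 Infrastructure Support (step 5); whoever receives the archive runs `Get-FileHash -Algorithm SHA256` on it and checks the value against the manifest before forwarding it to Rapid7. The adapters stay disabled after the script finishes, so re-enable them (Enable-NetAdapter) only once Tier 3 confirms the laptop may be reconnected.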