Formulario-Edr Cloud-For

Uploaded by yan

FORM - INFORMATION GATHERING

EDR CLOUD Endpoint Protection

Code                 10931
Client               ASOCIACION NUEVO HORIZONTE - HUARA
CID                  200893
Circuit              CARPACCIO 171 -
Contracted Service   EDR CLOUD
Contact Name         Renzo Fiestas
Position             Person in charge
Phone                950698114
Email                [email protected]

*Note: The contact provided is the only person authorized to request changes from our support area.
### CLIENT MUST COMPLETE THIS INFORMATION TABLE ###

Example

Final Device       | Operating System | CPU (Bits)
Web server         | Windows          | 64 bits
Server APP         | Windows          | 64 bits
Laptop-Marketing   | MAC-OS           | 64 bits
PC-Logistica       | LINUX            | 32 bits

Endpoint Devices

Final Device       | Operating System                | CPU (Bits)
Server Sistema     | Windows server 2019 Standard    | 64 bits
Server Virtuales   | Windows server 2012 Standard    | 64 bits
Server Compartido  | Windows server 2012 R2 Standard | 64 bits

OBSERVATION

* Compatibility is only supported with the following operating systems on the final devices:

** Windows: 7, 8 and 10; Server 2003 R2 SP2, 2008 R1 SP2 and R2, 2012, 2012 R2, 2016 and 2019

** Linux CentOS & RHEL: 6.8 (kernel 2.6.32-642), 6.9 (kernel 2.6.32-696), 6.10 (kernel 2.6.32-754), 7.2 (3.10.0-327), 7.3 (3.10.0-514), 7.4 (3.10.0-693), 7.5 (3.10.0-862), 7.6 (3.10.0-957), 7.7 (3.10.0-957), 7.8 (3.10.0-1127), 7.9 (3.10.0-11600), 8.0 (4.18.0-80), 8.1 (4.18.0-80), 8.2 (4.18.0-193), 8.3 (4.18.0-240)

** Linux Ubuntu: LTS 16.04.5, 16.04.6, 16.04.7 Server (kernel 4.4.0-131, 4.4.0-142, 4.4.0-145, 4.4.0-169, 4.4.0-173, 4.4.0-184, 4.4.0-193); LTS 18.04.1, 18.04.2, 18.04.3, 18.04.5 Server (4.15.0-34, 4.15.0-36, 4.15.0-45, 4.15.0-54, 4.15.0-55, 4.15.0-66, 4.15.0-70, 4.15.0-72, 4.15.0-74, 4.15.0-76, 4.15.0-88, 4.15.0-99, 4.15.0-108, 4.15.0-118, 4.15.0-121 generic); LTS 20.04, 20.04.1 Server (kernel 5.4.0-42, 5.4.0-47, 5.4.0-48, 5.4.0-51, 5.4.0-52 generic)

** MAC: Yosemite 10.10, El Capitan 10.11, Sierra 10.12, High Sierra 10.13, Mojave 10.14 and Catalina 10.15

COLLECTOR GROUPS - SECURITY POLICIES

[X] = rule enabled for the collector group GRUPO-SERVIDORES-DMZ; [ ] = not enabled.

Execution Prevention
[X] Malicious File Detection
[X] Privilege Escalation Exploit Detected - A malicious escalation of privileges was detected
[X] Stack Pivot - Stack Pointer is Out of Bounds
[X] Suspicious Driver Load - Attempt to load a suspicious driver
[ ] Suspicious File Detected
[X] Suspicious Script Execution - A script was executed in a suspicious context
[ ] Unconfirmed File Detected

Exfiltration Prevention
[X] Access to critical system information
[X] Bruteforce Attempt Detected
[ ] Debugged Process - Connection from a Debugged Process
[X] Dynamic Code - Malicious Runtime Generated Code Detected
[X] Executable Format - Bad Executable File Format
[X] Executable Stack - A Stack with Executable Code
[X] Executed Program has no installer
[X] Fake Critical Program - Program Attempted to Hide as a Service
[X] Fake Packer - A Fake Known Packer Detected
[X] Hidden Process - Connection Attempt from a Hidden Process
[X] Injected Executable - Connection Attempt from an Injected Executable
[X] Injected Process - Process Created from an Injected Thread
[X] Injected Thread - Connection from an Injected Thread
[X] Invalid Checksum - Connection Attempt from Application with Invalid Checksum
[X] Invalid Execution - Code Executed from an Invalid Memory Location
[X] Invalid Pointer - Invalid Stack Pointer Value
[X] Kernel Injection - Code Injected from Kernel to User Mode
[X] Known Packer - Activity by an Application packed by a Known Packer was detected
[X] Malicious File Detected
[X] Malicious Process - A Process is Interfering with Collector's Operation
[X] Modified Executable - Connection from an In-Memory Modified Executable
[ ] Network Scanning Attempt Detected
[X] Non-standard Communication - Use of non-standard communication method detected
[X] PUP - Potentially Unwanted Program
[ ] Partially Mapped - Partially Mapped Executable File on Stack
[X] Privilege Escalation Exploit Detected - A malicious escalation of privileges was detected
[X] Process Hollowing - Process Code Was Replaced
[X] Process Injection - Entry Point Modification Detected
[X] Stack Pivot - Stack Pointer is Out of Bounds
[ ] Stack Tampering - Stack Collection Interrupted
[X] Suspicious Application - Connection Attempt from a Suspicious Application
[X] Suspicious Macro - A macro has performed suspicious actions
[X] Suspicious Packer - Activity by an Application packed by a Suspicious Packer was detected
[X] Suspicious Script Execution - A script was executed in a suspicious context
[X] Tampered Executable - Critical Executable was Tampered With
[X] Unconfirmed Executable - Executable File Failed Verification Test
[X] Unmapped Executable - Executable File Without a Corresponding File System Reference
[X] Writeable Code - Identified an Executable with Writable Code

Ransomware Prevention
[ ] Debugged Process - Connection from a Debugged Process
[X] Disk encryption attempt detected - Suspicious full disk encryption was detected
[X] Dynamic Code - Malicious Runtime Generated Code Detected
[X] Executable Format - Bad Executable File Format
[X] Executable Stack - A Stack with Executable Code
[X] Executed Program has no installer
[X] Fake Critical Program - Program Attempted to Hide as a Service
[X] Fake Packer - A Fake Known Packer Detected
[X] File Encryptor - Suspicious file modification
[X] Hidden Process - Connection Attempt from a Hidden Process
[X] Injected Executable - Connection Attempt from an Injected Executable
[X] Injected Process - Process Created from an Injected Thread
[X] Injected Thread - Connection from an Injected Thread
[X] Invalid Checksum - Connection Attempt from Application with Invalid Checksum
[X] Invalid Execution - Code Executed from an Invalid Memory Location
[X] Invalid Pointer - Invalid Stack Pointer Value
[X] Kernel Injection - Code Injected from Kernel to User Mode
[X] Known Packer - Activity by an Application packed by a Known Packer was detected
[X] Malicious File Detected
[X] Malicious Process - A Process is Interfering with Collector's Operation
[X] Modified Executable - Connection from an In-Memory Modified Executable
[X] PUP - Potentially Unwanted Program
[ ] Partially Mapped - Partially Mapped Executable File on Stack
[X] Privilege Escalation Exploit Detected - A malicious escalation of privileges was detected
[X] Process Hollowing - Process Code Was Replaced
[X] Process Injection - Entry Point Modification Detected
[X] Stack Pivot - Stack Pointer is Out of Bounds
[ ] Stack Tampering - Stack Collection Interrupted
[X] Suspicious Application - Connection Attempt from a Suspicious Application
[X] Suspicious Packer - Activity by an Application packed by a Suspicious Packer was detected
[X] Tampered Executable - Critical Executable was Tampered With
[X] Unconfirmed Executable - Executable File Failed Verification Test
[X] Unmapped Executable - Executable File Without a Corresponding File System Reference
[X] Writeable Code - Identified an Executable with Writable Code

Device Control
[ ] USB Application Specific Device Detected
[ ] USB Audio Device Detected
[ ] USB Audio/Video Device Detected
[ ] USB Base Class Device Detected
[ ] USB Billboard Device Detected
[ ] USB CDC-Data Device Detected
[ ] USB Communications and CDC Control Device Detected
[ ] USB Content Security Device Detected
[ ] USB Diagnostic Device Detected
[ ] USB Hub Detected
[ ] USB Human Interface Control Device Detected
[ ] USB Mass Storage Device Detected
[ ] USB Miscellaneous Device Detected
[ ] USB Personal Healthcare Device Detected
[ ] USB Physical Device Detected
[ ] USB Printer Detected
[ ] USB Smart Card Detected
[ ] USB Still Imaging Device Detected
[ ] USB Type-C Bridge Device Detected
[ ] USB Unknown Device Detected
[ ] USB Vendor Specific Device Detected
[ ] USB Video Detected
[ ] USB Wireless Controller Device Detected
SECURITY POLICIES - GRUPO-PC, GRUPO-XXXXXX, GRUPO-XXXXXX: [the per-rule selection marks for these collector groups are present in the source sheet but are not legible in this extraction]
EVENTS - AUTOMATED INCIDENT RESPONSE - PLAYBOOK

Classification columns: MALICIOUS | SUSPICIOUS | PROBABLY SUSPICIOUS | INCONCLUSIVE | PROBABLY SAFE

The same playbook is configured for each collector group (GRUPO-SERVIDORES-DMZ, GRUPO-PC, GRUPO-XXXXX, GRUPO-XXXXX):

System notifications
  Send notification                             X | X | X | X | X
Investigation
  Device isolation                              - | - | - | - | -
  Move the device to the high-security group    - | - | - | - | -
Remediation
  Terminate process                             - | - | - | - | -
  Delete file                                   - | - | - | - | -
  Clean persistent data                         - | - | - | - | -