Classification:

attack

Tactic:

TA0002-execution

Technique:

T1204-user-execution

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the slack integration.

Goal

Detect when a malicious file is shared or uploaded within Slack.

Strategy

This rule monitors Slack for file uploads or shares that are flagged as potentially malicious. Files can be detected as malicious through integrated security tools or antivirus scanning mechanisms. Sharing of malicious files could lead to malware infections, data breaches, or other security risks if users inadvertently download or interact with the file.

Triage and response

1. Determine if the file is truly malicious by:

   • Reviewing the details of the flagged file, including file type, name, and hash, using security tools or integrated antivirus solutions.
   • Identifying the user {{@usr.email}} who uploaded or shared the file and contacting them to determine if the file was shared intentionally or if their account may be compromised.
   • Checking the activity logs of the user, including recent file uploads, message history, and other behaviors that could indicate compromised credentials or malicious intent.

2. If the file is confirmed as malicious:

   • Begin your organization’s incident response process to contain and investigate further.
   • Quarantine the file: Remove the malicious file from Slack, ensuring no one else can download or access it.
   • Instruct all users who interacted with the file to:
     • Refrain from downloading the file.
     • Run antivirus or endpoint detection tools on their systems to check for potential compromise.
   • Review and block any additional files from the same source, and monitor Slack for similar uploads from the user or others in the organization.
   • Investigate if the user’s account has been compromised, and if so, reset credentials and enforce multi-factor authentication (MFA).