BootCD Booted off the Network

The Network: A bank holding company in the U.S. Midwest with an extensive IT infrastructure.

The Expectation: EventTracker Co-Managed SIEM services, advanced endpoint protection, and behavior analytics would deliver added protection for this financial institution.

The Catch: A user with admin privileges inserted a rescue disk CD into their workstation. Such a disk is usually used when a machine can no longer boot. The specific endpoint and user were identified. The program HBCDMenu.exe was launched, and soon thereafter everything.exe, a program that expects admin privileges. Other utilities that were launched include cports.exe, smartsniff, and wirelessnetview.exe. All of these are noted on VirusTotal as problematic.

The Find: Great coverage at the endpoint from the EventTracker sensor allowed detailed information on the removable media insertion and subsequent actions to be captured. The analyst team at the EventTracker SOC was able to identify the potential problem behavior and notify the IT team promptly.

The Fix: Isolate the system from the network and eject the CD-ROM. Interview the user to determine the motivation and need for using such powerful tools. If possible, reimage the target machine.

The Lesson: Trust your users but verify out-of-the-ordinary behavior.
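
The correlation described under The Find (a removable media insertion followed by launches of the named utilities from that media) can be sketched as below. This is an added example, not EventTracker's own detection logic; the event schema, host, user, file paths and the 30-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Tool names from the case study, compared without extension and case-insensitively.
WATCHLIST = {"hbcdmenu", "everything", "cports", "smartsniff", "wirelessnetview"}
WINDOW = timedelta(minutes=30)  # assumption: launches this soon after insertion are tied to the media

def tool_name(image_path):
    """File name of a Windows image path, lower-cased, extension removed."""
    name = image_path.rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0]

def correlate(events):
    """Alert on watchlisted tools started from a drive that had media inserted recently."""
    inserted = {}  # (host, drive) -> time of the latest insertion still in the drive
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "media_insert":
            inserted[(ev["host"], ev["drive"].upper())] = when
        elif ev["type"] == "media_eject":
            inserted.pop((ev["host"], ev["drive"].upper()), None)
        elif ev["type"] == "process_start":
            since = inserted.get((ev["host"], ev["image"][:2].upper()))
            if since is None or when - since > WINDOW:
                continue  # not running from freshly inserted removable media
            if tool_name(ev["image"]) in WATCHLIST:
                alerts.append((ev["host"], ev["user"], tool_name(ev["image"]),
                               int((when - since).total_seconds())))
    return alerts

# Constructed sample events (hypothetical schema, host, user and paths).
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:02:10", "type": "media_insert", "host": "WS-042", "drive": "E:"},
    {"time": "2024-01-15T09:02:40", "type": "process_start", "host": "WS-042", "user": "jdoe",
     "image": "E:\\HBCDMenu.exe"},
    {"time": "2024-01-15T09:04:00", "type": "process_start", "host": "WS-042", "user": "jdoe",
     "image": "E:\\tools\\Everything.exe"},
    # Same tool name from the fixed disk: no media correlation, so no alert.
    {"time": "2024-01-15T09:05:00", "type": "process_start", "host": "WS-042", "user": "jdoe",
     "image": "C:\\Program Files\\Everything\\Everything.exe"},
    {"time": "2024-01-15T09:06:30", "type": "process_start", "host": "WS-042", "user": "jdoe",
     "image": "E:\\tools\\cports.exe"},
    {"time": "2024-01-15T09:20:00", "type": "media_eject", "host": "WS-042", "drive": "E:"},
    # After ejection the drive letter is no longer tracked.
    {"time": "2024-01-15T09:21:00", "type": "process_start", "host": "WS-042", "user": "jdoe",
     "image": "E:\\tools\\wirelessnetview.exe"},
]
```

Each alert is a tuple of host, user, tool name and seconds elapsed since the insertion, which gives the analyst the endpoint and user to follow up with.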