
Incident Response

Identification and Detection


Detection Capabilities

● Enterprise Detection & Response tools
● Increase visibility (logs, sensors)
● Security controls (Proxy, IDS/IPS, Automated Sandbox, etc.)
● Centralize logs into a SIEM
○ Effectively staff and manage your SIEM
○ Daily tuning, dedicated staff to do content development
● Monitoring policy and process (24x7 SOC)
Detection Process

● Identify leads
● Collect data
● Analyze timeline
● Develop IOCs
Data Sources

Host based:

● Application logs
● Operating System logs
● Host-based firewall
● Enterprise detection tools
● Antivirus
● Active Directory
● Software inventory
● System monitoring
● Critical applications monitoring

Network based:

● DHCP leases
● DNS requests
● Firewall connections
● Proxy requests
● IDS/IPS alerts
● Email gateway events
● NetFlow/IPFIX
● Full packet capture
● VPN logs
Artifacts

Volatile (stored in memory):

● Logged users
● Network information
● Open files
● Registry hives?
● Network connections
● Network status
● Process information
● Process-to-port mapping
● Process memory
● Mapped drives
● Shares
● Clipboard contents
● Service/Driver information
● Command history
● Etc.

Non-volatile (stored on physical drives):

● Files
● Emails
● Swap
● Slack space
● USB thumb drives
● Etc.
Network status

net statistics server

net statistics workstation

netstat -r

netstat -ano
Processes

● Process Explorer
● Task Manager
● tasklist /v
● Pslist (pstools)
● pslist -x
● PowerShell
Persistence

● AutoRuns
● Service Creation/Replacement
● Service Failure Recovery
● Scheduled Tasks
● DLL Hijacking
● WMI Event Consumers
● Local Group Policies, MS Office Addons etc.
Application Execution Traces

● Registry
○ Amcache (%SystemRoot%\AppCompat\Programs\Amcache.hve)
○ Shimcache
■ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
■ HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache
● Prefetch
● Windows Logs
● WMI Recent Used Apps
Prefetch

Prefetch file creation timestamp = first run time

● Allows commonly used programs to open faster in Windows
● Prefetch filename is executable file name + hash of file path
Logged users

psloggedon

logonsessions

net sessions
Windows Logs

Application: %SYSTEMROOT%\system32\winevt\Logs\Application.evtx

Security: %SYSTEMROOT%\system32\winevt\Logs\Security.evtx

System: %SYSTEMROOT%\system32\winevt\Logs\System.evtx

Security: logon & logoff; user creation, deletion, changes; security and policy changes

System: service start & stop; network configuration changes; driver loads and unloads

Application: Windows errors; software installation; user application events
Application/Service logs

● OS sub-components
○ AppLocker
○ PowerShell
○ Task Scheduler
○ Remote Desktop
○ Microsoft Office
● Logging levels
○ Operational
○ Admin
○ Debug
○ Analytic
Windows Logs Improvement

Check settings of Security log:

C:\> wevtutil gl Security

Check settings of audit policies:

C:\> auditpol /get /category:*


Windows Logs Improvement

Increase log size to support increased auditing:

C:\> reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Application /v MaxSize /t REG_DWORD /d 0x19000

C:\> reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Security /v MaxSize /t REG_DWORD /d 0x64000

C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\System /v MaxSize /t REG_DWORD /d 0x19000
Failed Login Attempts Detection

wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:text /rd:true /c:5

for /L %i in (1,0,2) do (wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:text /rd:true /c:5) & timeout 20
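The wevtutil queries above only list the latest 4624/4625 events; the following is an added example (not from the slides) of the detection logic an analyst would then apply to those events: count failed logons (4625) per account and source address inside a sliding window and flag a success (4624) that follows a run of failures. The events, the 5-failure threshold and the 5-minute window are constructed assumptions.

```python
"""Flag password-guessing patterns in Windows Security logon events (4624/4625).

Added example; SAMPLE_EVENTS is constructed, not real log data. Each row carries
the fields an analyst reads from a 4624/4625 record: time, EventID,
TargetUserName, IpAddress and LogonType (3 = network, 10 = RemoteInteractive/RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", 4625, "jsmith", "10.0.0.5", 3),
    ("2024-01-10T09:00:03", 4625, "jsmith", "10.0.0.5", 3),
    ("2024-01-10T09:00:05", 4625, "jsmith", "10.0.0.5", 3),
    ("2024-01-10T09:00:07", 4625, "jsmith", "10.0.0.5", 3),
    ("2024-01-10T09:00:09", 4625, "jsmith", "10.0.0.5", 3),
    ("2024-01-10T09:00:12", 4624, "jsmith", "10.0.0.5", 3),   # success after 5 failures
    ("2024-01-10T09:30:00", 4625, "admin", "10.0.0.9", 10),   # a single mistyped password
    ("2024-01-10T11:00:00", 4624, "admin", "10.0.0.9", 10),
]


def parse_events(rows):
    """Turn the constructed tuples into dicts with real datetimes."""
    return [dict(time=datetime.fromisoformat(t), event_id=eid, user=u, ip=ip, logon_type=lt)
            for t, eid, u, ip, lt in rows]


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(user, ip): {"failures": n, "success_after": bool}} for every
    user/source pair that reached `threshold` failed logons inside `window`.
    success_after is set when a 4624 from the same pair lands while the run of
    failures is still inside the window (the classic guessed-password signal)."""
    failures = defaultdict(list)          # (user, ip) -> recent 4625 timestamps
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["ip"])
        recent = [t for t in failures[key] if ev["time"] - t <= window]  # slide the window
        if ev["event_id"] == 4625:
            recent.append(ev["time"])
            if len(recent) >= threshold:
                alerts.setdefault(key, {"failures": 0, "success_after": False})
                alerts[key]["failures"] = len(recent)
        elif ev["event_id"] == 4624 and key in alerts and len(recent) >= threshold:
            alerts[key]["success_after"] = True
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for (user, ip), info in find_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{user} from {ip}: {info['failures']} failures, success after: {info['success_after']}")
```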
Process/Services Creation
Linux Logs

/var/log/*

/var/www/*/logs/

cat

grep

less

tail
Lateral Movement Traces

● Credentials Harvesting
● RDP
● Windows Admin Shares
● PsExec
● Windows Remote Management Tools
● PowerShell / WMIC
● Vulnerabilities
Hashing

PS C:\> Get-FileHash <FILE TO HASH> | Format-List

PS C:\> Get-FileHash -Algorithm MD5 <FILE TO HASH>

C:\> certutil -hashfile <FILE TO HASH> SHA1

C:\> certutil -hashfile <FILE TO HASH> MD5

find /etc/ -type f -exec md5sum {} \; >> md5sums.txt

md5deep -rs / > md5sums.txt


Indicators of Compromise

● IP addresses
● Domains
● Hostnames
● Emails
● URLs
● Hashes
● File Paths
● MUTEX names
ToolSet

● RedLine (https://www.fireeye.com/content/dam/fireeye-www/services/freeware/sdl-redline.zip)
● Eric Zimmerman Tools (https://ericzimmerman.github.io/#!index.md)
● Sysinternals Autoruns (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)
● python-registry amcache sample (https://github.com/williballenthin/python-registry/blob/master/samples/amcache.py)
● ShimCacheParser (https://github.com/mandiant/ShimCacheParser)