Identification and Detection

This document provides information on incident response processes including identification, detection, data collection, and analysis. It details the various host-based and network-based data sources that can be used to identify indicators of compromise, including logs, artifacts, and other forensic evidence. Methods for collecting, analyzing, and correlating this evidence are also described.

Uploaded by

Ben Gad

Incident Response

Identification and Detection


Detection Capabilities

● Enterprise Detection & Response tools
● Increase visibility (logs, sensors)
● Security controls (Proxy, IDS/IPS, Automated Sandbox, etc.)
● Centralize logs into a SIEM
○ Effectively staff and manage your SIEM
○ Daily tuning, dedicated staff to do content development
● Monitoring policy and process (24x7 SOC)
Detection Process

Identify leads → Collect Data → Analyze timeline → Develop IOCs
Data Sources

Host based:

● Application logs
● Operating System logs
● Host-based firewall
● Enterprise detection tools
● Antivirus
● Active Directory
● Software inventory
● System monitoring
● Critical applications monitoring

Network based:

● DHCP leases
● DNS Requests
● Firewall connections
● Proxy requests
● IDS/IPS alerts
● Email gateway events
● NetFlow/IPFix
● Full packet capture
● VPN Logs
Artifacts

Volatile (stored in memory):

● Logged users
● Network information
● Open files
● Network connections
● Network status
● Process information
● Process-to-port mapping
● Process memory
● Mapped drives
● Shares
● Clipboard contents
● Service/Driver information
● Command history
● Etc.

Non-volatile (stored on physical drives):

● Files
● Registry hives?
● Emails
● Swap
● Slack space
● USB thumb drives
● Etc.
Network status

net statistics server

net statistics workstation

netstat -r

netstat -ano
Processes

● Process Explorer
● TaskManager
● tasklist /v
● Pslist (pstools)
● pslist -x
● PowerShell
Persistence

● AutoRuns
● Service Creation/Replacement
● Service Failure Recovery
● Scheduled Tasks
● DLL Hijacking
● WMI Event Consumers
● Local Group Policies, MS Office Addons etc.
Applications Execution Traces

● Registry
○ Amcache (%SystemRoot%\AppCompat\Programs\Amcache.hve)
○ Shimcache
■ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
■ HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache
● Prefetch
● Windows Logs
● WMI Recent Used Apps
Prefetch

Prefetch file creation timestamp = first run time

● Allows commonly used programs to open faster in Windows
● Prefetch filename is executable file name + hash of file path
Logged users

psloggedon

logonsessions

net sessions
Windows Logs

Application: %SYSTEMROOT%\system32\winevt\Logs\Application.evtx

Security: %SYSTEMROOT%\system32\winevt\Logs\Security.evtx

System: %SYSTEMROOT%\system32\winevt\Logs\System.evtx

Security: Logon & logoff; User creation, deletion, changes; Security and policy changes

System: Service start & stop; Network configuration changes; Driver loads and unloads

Application: Windows Errors; Software installation; User applications events
Application/Service logs

● OS sub-components
○ App locker
○ PowerShell
○ Task Scheduler
○ Remote Desktop
○ Microsoft Office
● Logging levels
○ Operational
○ Admin
○ Debug
○ Analytic
Windows Logs Improvement

Check settings of Security log:

C:\> wevtutil gl Security

Check settings of audit policies:

C:\> auditpol /get /category:*

Increase Log size to support increased auditing:

C:\> reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Application /v MaxSize /t REG_DWORD /d 0x19000

C:\> reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Security /v MaxSize /t REG_DWORD /d 0x64000

C:\> reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\System /v MaxSize /t REG_DWORD /d 0x19000
Failed Login Attempts Detection

wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:text /rd:true /c:5

for /L %i in (1,0,2) do (wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:text /rd:true /c:5) & timeout 20
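The wevtutil query above pulls 4624 and 4625 together; the detection value comes from correlating them. This added Python example (not from the slides) runs that correlation over constructed Security-log records: it flags a source IP with a burst of failed logons inside a time window and notes whether a successful logon from the same IP followed. The field names and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not captured from a real host) in the shape of
# the fields an analyst pulls from Security.evtx: EventID, TimeCreated,
# TargetUserName and IpAddress.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Time": "2024-03-01T09:00:01", "User": "admin", "Ip": "10.0.0.7"},
    {"EventID": 4625, "Time": "2024-03-01T09:00:03", "User": "admin", "Ip": "10.0.0.7"},
    {"EventID": 4625, "Time": "2024-03-01T09:00:05", "User": "admin", "Ip": "10.0.0.7"},
    {"EventID": 4625, "Time": "2024-03-01T09:00:08", "User": "admin", "Ip": "10.0.0.7"},
    {"EventID": 4625, "Time": "2024-03-01T09:00:10", "User": "admin", "Ip": "10.0.0.7"},
    {"EventID": 4624, "Time": "2024-03-01T09:00:12", "User": "admin", "Ip": "10.0.0.7"},
    {"EventID": 4625, "Time": "2024-03-01T09:30:00", "User": "bob", "Ip": "10.0.0.9"},
    {"EventID": 4624, "Time": "2024-03-01T09:31:00", "User": "bob", "Ip": "10.0.0.9"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per source IP that logged >= threshold 4625 events
    inside `window`, noting whether a 4624 from the same IP followed them."""
    failures = defaultdict(list)   # ip -> failure timestamps, in time order
    successes = defaultdict(list)  # ip -> success timestamps
    for event in sorted(events, key=lambda e: e["Time"]):
        when = parse_time(event["Time"])
        if event["EventID"] == 4625:
            failures[event["Ip"]].append(when)
        elif event["EventID"] == 4624:
            successes[event["Ip"]].append(when)

    findings = []
    for ip, times in failures.items():
        # Slide a window over the failures; the first window that reaches the
        # threshold produces the finding for this IP.
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= threshold:
                last_failure = in_window[-1]
                followed = any(s >= last_failure for s in successes.get(ip, []))
                findings.append({"ip": ip, "failures": len(in_window),
                                 "success_after": followed})
                break
    return findings
```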
Process/Services Creation
Linux Logs

/var/log/*

/var/www/*/logs/

cat

grep

less

tail
Lateral Movement Traces

● Credentials Harvesting
● RDP
● Windows Admin Shares
● PsExec
● Windows Remote Management Tools
● PowerShell / WMIC
● Vulnerabilities
Hashing

PS C:\> Get-FileHash <FILE TO HASH> | Format-List

PS C:\> Get-FileHash -algorithm md5 <FILE TO HASH>

C:\> certutil -hashfile <FILE TO HASH> SHA1

C:\> certutil -hashfile <FILE TO HASH> MD5

find /etc/ -type f -exec md5sum {} >> md5sums.txt \;

md5deep -rs / > md5sums.txt
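The find/md5sum and md5deep one-liners above produce a hash baseline; the useful step is diffing a later snapshot against it. This added Python example (not from the slides) does that for a directory tree, classifying files as added, removed or modified, and builds its own throwaway tree so it runs offline. The directory contents are constructed.

```python
import hashlib
import os
import tempfile


def hash_tree(root, algorithm="sha256"):
    """Return {relative_path: hexdigest} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.new(algorithm)
            with open(path, "rb") as fh:
                # Stream in chunks so large files do not have to fit in memory.
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = digest.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Classify the differences between two snapshots from hash_tree()."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario in a throwaway directory: take a baseline, then
    alter one file, delete one and add one, and diff the second snapshot."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name, text in (("hosts", "127.0.0.1 localhost\n"),
                           ("motd", "welcome\n"),
                           ("passwd", "root:x:0:0:root:/root:/bin/sh\n")):
            with open(os.path.join(etc, name), "w") as fh:
                fh.write(text)
        baseline = hash_tree(root)
        with open(os.path.join(etc, "hosts"), "a") as fh:
            fh.write("10.0.0.5 fileserver\n")
        os.remove(os.path.join(etc, "motd"))
        with open(os.path.join(etc, "extra.conf"), "w") as fh:
            fh.write("option=1\n")
        return diff_baseline(baseline, hash_tree(root))
```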


Indicators of Compromise

● IP addresses
● Domains
● Hostnames
● Emails
● URLs
● Hashes
● File Paths
● MUTEX names
ToolSet

● RedLine (https://www.fireeye.com/content/dam/fireeye-www/services/freeware/sdl-redline.zip)
● Eric Zimmerman Tools (https://ericzimmerman.github.io/#!index.md)
● Sysinternals Autoruns (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)
● https://williballenthin/python-registry/blob/master/samples/amcache.py
● ShimCacheParser (https://github.com/mandiant/ShimCacheParser)
