eCIR

Some notes while studying eCIR with AhmedSultan

(1) Incident Handling process overview

1- Preparation [tasks, items, tools, kits]
2- Detection & Analysis
 - network perimeter
 - host perimeter
 - host level
 - application level

3- Containment, Eradication & Recovery
 - short term [disable network, shut machine off, VLAN]
 - long term you should : [identify insider or not, isolate the area, utilize incident forms]

netstat -naob : list all connections on the PC with the owning program name [.exe]

lsof -i :22 : is port 22 open? [no: "check process"]
netstat -anp | grep :22 [yes: "check ports"]

EDR : provides more fully-featured protection against a wide range of potential threats

\ canary tokens
\ write blocker : data backup [soft, hard]

heterogeneous enterprise : different networks and devices [switches, cameras, ...]

GRR [server] : IR focused on remote live forensics [get access to all machines]
VNC viewer : access a [machine] remotely, then open the browser to reach the GRR server
memory --> memory analysis --> Rekall plugin --> specific memory analysis of a program [plugin: ldrmodules] [program: calc.exe]
malicious [calc.exe, notepad.exe] are mostly name-changed

\ Firstly we need to gather information; suspicious if [IP is out of range, process name]
NETWORKS >> netstat
PROCESS >> results
REGISTRY >> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\* and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\* [USUALLY SUS]

xxd [file name] | more : inspect the file

Velociraptor : additional capabilities beyond GRR, such as [VQL : Velocidex Query Language] searches to get specific results

(2) Intrusion Detection by Analyzing Traffic [Wireshark]

communication model : any network traffic is disassembled based on communication models [frames, packets, headers] (OSI, TCP/IP)

APP --> HTTP, DNS
TRANSPORT --> TCP, UDP
INTERNET --> IP
NETWORK ACCESS --> IEEE 802.X

RFC [Request For Comments] document : know what normal traffic looks like to spot abnormalities when analyzing traffic

Network access layer [802.x] [IP, ARP, ICMP]

Most common [Ethernet [802.3], Wireless [802.11], Bluetooth]

header : 14 bytes, data : 46-1500 bytes, tail : 4 bytes --> maximum Ethernet frame 1518 bytes

MAC Address --> for every network card

ARP protocol --> get the MAC address from an IP [arp -a]
1- send a broadcast request for the IP
2- the targeted IP receives it and sends a reply with its MAC address [without validation]

ARP normal : [client, server, normal flow [few requests, 2-3]]
In Wireshark, [duplicate IP address] indicates ARP poisoning [gratuitous ARP reply]
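
One way to check the "duplicate IP address" symptom above outside Wireshark, as an added example that is not part of the original notes; the ARP frames are constructed for this example:

```python
from collections import defaultdict

# Added example (not from the notes): detect the 'duplicate IP address' symptom from
# constructed ARP frames: (sender_mac, sender_ip, target_mac, target_ip, is_reply)
ARP_FRAMES = [
    ("aa:aa:aa:aa:aa:01", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1", False),  # who-has 1.1?
    ("aa:aa:aa:aa:aa:fe", "192.168.1.1", "aa:aa:aa:aa:aa:01", "192.168.1.10", True),   # real gateway
    ("aa:aa:aa:aa:aa:99", "192.168.1.1", "aa:aa:aa:aa:aa:01", "192.168.1.10", True),   # 2nd MAC claims 1.1
    ("aa:aa:aa:aa:aa:99", "192.168.1.1", "ff:ff:ff:ff:ff:ff", "192.168.1.1", True),    # gratuitous reply
]

def find_duplicate_ips(frames):
    """{ip: sorted MACs} for every IP claimed by more than one MAC in replies
    (what Wireshark reports as 'Duplicate IP address detected')."""
    claims = defaultdict(set)
    for sender_mac, sender_ip, _target_mac, _target_ip, is_reply in frames:
        if is_reply:
            claims[sender_ip].add(sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def find_unsolicited_replies(frames):
    """Replies no one asked for: no earlier who-has from the target for that IP.
    Includes the gratuitous case (sender IP == target IP) the notes mention."""
    asked = set()                      # (asker_ip, wanted_ip)
    unsolicited = []
    for frame in frames:
        _sender_mac, sender_ip, _target_mac, target_ip, is_reply = frame
        if not is_reply:
            asked.add((sender_ip, target_ip))
        elif (target_ip, sender_ip) not in asked:
            unsolicited.append(frame)
    return unsolicited
```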

how to prevent ARP poisoning
1- static ARP MAC table
2- ARP monitor
3- switch feature DAI [Dynamic ARP Inspection]

MAC flooding ---> makes the switch act like a hub [sends replies as broadcast]; SOLVE [port security]; packet [1 byte]

THE IP LAYER

Header --> [length, total length, fragment offset]

abusing fragmentation : split the infected packet into small pieces that pass through one at a time, then reassemble them so they hit the target
IPv6 ---> IPv4 [tunneling] to connect

Transport layer [TCP , UDP]

\ relative sequence numbers in Wireshark for easier analysis

\ 3-way handshake [NORMAL] : 1- SYN 2- SYN/ACK 3- ACK

excessive SYN || single host [port] to multiple ports || same [seq] number ---> scanning
different flags [RST, PSH, FIN, URG]
RST scan : send SYN to port [0]; if it replies it is live, and vice versa

Spoofing : the victim still works. Hijacking : the victim is stolen and loses control.

ICMP --> network troubleshooting [error messages], ping
 - does not use ports
 - has types, each one with a code
 - Address mask request : try to learn the subnet mask to do a pivot attack [-PM]
 - Timestamp request : learn the time, so zero-day exploits could work before security updates are applied [-PP]

ptunnel : in the normal case each ping should get exactly one reply, and request and reply should be the same or almost the same size. The ptunnel tool makes a covert channel [ex: sending HTTPS requests hidden inside what pretends to be ICMP]; signs: [more than one reply, difference in packet size]
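
The two "normal ping" invariants above turned into a check, as an added example that is not from the original notes; the ICMP records and the size tolerance are constructed assumptions:

```python
from collections import defaultdict

# Added example (not from the notes): check the two 'normal ping' invariants described
# above over constructed ICMP records. ptunnel-style tunnels break both of them.
# (icmp_type, identifier, sequence, total_length); type 8 = echo request, 0 = echo reply
ICMP_RECORDS = [
    (8, 0x1234, 1, 98), (0, 0x1234, 1, 98),      # normal ping: one request, one equal-size reply
    (8, 0x1234, 2, 98), (0, 0x1234, 2, 98),
    (8, 0xbeef, 7, 1066), (0, 0xbeef, 7, 70),    # tunnel-like: big request, several replies
    (0, 0xbeef, 7, 1500), (0, 0xbeef, 7, 1500),
    (0, 0xcafe, 1, 1500),                        # reply with no request at all
]
SIZE_TOLERANCE = 16   # assumption: how much 'almost the same size' may differ, in bytes

def analyze_icmp(records, tolerance=SIZE_TOLERANCE):
    """Group echo traffic by (identifier, sequence); list reasons a flow looks like a covert channel."""
    requests, replies = {}, defaultdict(list)
    for icmp_type, ident, seq, length in records:
        if icmp_type == 8:
            requests[(ident, seq)] = length
        elif icmp_type == 0:
            replies[(ident, seq)].append(length)
    findings = []
    for key, req_len in requests.items():
        reps = replies.get(key, [])
        reasons = []
        if len(reps) > 1:
            reasons.append(f"{len(reps)} replies to one request")
        if any(abs(r - req_len) > tolerance for r in reps):
            reasons.append("reply size differs from request size")
        if reasons:
            findings.append((key, reasons))
    for key in replies:
        if key not in requests:
            findings.append((key, ["reply without a request"]))
    return findings
```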

ICMP redirect : change the routing table to the

Application layer [HTTPS, SMTP, DNS]

NetBIOS :
 - Name service [port 137] : in a Windows LAN each device learns the IP of the other devices through this protocol
 - Distribution service [138]
 - Session service [139]

SMB : sharing files in Windows [NBSS [session service] should be open] [139, 445]
RDP : remote desktop protocol [3389]

/\ LAB/\

Suricata : network IDS / IPS monitoring engine to inspect for malicious activity [by using specific rules]
 - host-based : one for each device individually in the network
 - network-based : for the whole network

Multi-threading : doing many processes at the same time [pipeline]
false positive : normal traffic is suspended; SOLVE [check all the rules] in IPS mode
Modes :
1- IDS [passive .. just listen and detect] not time consuming
2- IPS [active .. prevent & block] time consuming
3- IDPS [HYBRID .. detect & prevent] no latency
4- NSM [Network Security Monitoring] useful during investigation

Rules :
 - [ls -lah /etc/suricata/rules/] lists the rule files in Suricata
 - [more /etc/suricata/rules/[rule name]] more details of the rule

Input :
 - offline [sudo suricata -r PCAPs/eicar-com.pcap]
 - online [sudo suricata -i ens33]
jq : makes the output readable [filter]
fast.log : clear-text alerts

How to make a rule in suricata

[each active rule consumes CPU and memory]

  1. header [action] --> alert, log, pass, drop, reject

  2. protocol --> tcp, udp, icmp, ip, http, tls, smb, dns

  3. rule message [options]
     - flow --> state of traffic [to server, to client, established]
     - rule metadata [reference, sid, rev]
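
The three rule parts above, split out and sanity-checked by a small parser. This is an added example, not code from the notes or from the Suricata project; SAMPLE_RULE is constructed, and sid 9000001 is an assumed local-range id.

```python
import re
# Added example (not from the notes): parse a Suricata rule into the parts listed above. SAMPLE_RULE is constructed.
ACTIONS = {"alert", "log", "pass", "drop", "reject"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip", "http", "tls", "smb", "dns"}
HEADER_RE = re.compile(   # action proto src sport dir dst dport (options)
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)

def split_options(text):
    """Split 'key:value; key; ...' on ';' outside double quotes (escaped quotes not handled)."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    out = []
    for part in parts:
        key, _, val = part.partition(":")
        out.append((key.strip(), val.strip().strip('"') if val else None))
    return out

def parse_rule(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Suricata rule")
    d = m.groupdict()
    d["options"] = split_options(d.pop("opts"))
    return d

def lint_rule(rule):
    """Problems a rule should not ship with: bad action/protocol, missing msg/sid/rev."""
    d = parse_rule(rule)
    keys = {k for k, _ in d["options"]}
    problems = []
    if d["action"] not in ACTIONS:
        problems.append(f"unknown action {d['action']}")
    if d["proto"] not in PROTOCOLS:
        problems.append(f"unknown protocol {d['proto']}")
    problems += [f"missing {need}" for need in ("msg", "sid", "rev") if need not in keys]
    return problems

SAMPLE_RULE = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE EICAR test file seen"; '
               'flow:established,to_client; content:"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"; '
               'reference:url,www.eicar.org; classtype:misc-activity; sid:9000001; rev:1;)')
```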

Macro execution : embedded objects run in Office documents
/.exe : any letter [name, number, char, ...]

Bro [Zeek]

http.log contains [host, uri, referrer, user_agent, status_code]
bro-cut host < http.log

NetFlow [Cisco] :
 - records connections between two hosts (PORT : 2055)
 - checks only the header [not the payload]

IPFIX : standard for all vendors by the IETF [Cisco, Huawei, ..] (PORT : 4739)

Toolkits : - YAF - SiLK - FlowViewer

SolarWinds analysis : wireless network traffic analysis to identify specific endpoints or applications using your wireless bandwidth.
VirusTotal : check if the [data, link] is infected
beaconing malware : communicates with the attacker to show the malware is still alive

Practical Incident Handling

Certificate Transparency | Censys : whether a certificate is valid or not
War driving :
 - phone sweep : proactive detection
 - Kismet : scanning wireless networks at a location with an antenna
 - insider : wireless detection [hidden networks as well]
 - WebRTC : service to connect

Exploitation : gaining access

  • BGP Hijacking : rerouting traffic to attacker network [AS]

  • Passive & active sniffing

  • SSL stripping : MITM on HTTPS .. the tool turns https --> http [clear text]

  • Remote Exploit [buffer overflow] : more data than the buffer can handle [any data , malware]

  • NTLM : hashing the passwords

Post Exploitation

1] Windows/Linux privilege :
 - stored credentials [fake files and a fake login account]
 - Registry [Sysmon : hash --> VirusTotal]
 - unquoted service path
 - service binary [make use of the unquoted service path and replace it with the attacker's process]
 - AlwaysInstallElevated

2] Credentials & theft [keys to the vault] : [LM [DES], NTLMv1 [MD4], NTLMv2 [MD5], Kerberos]

SOC Operation & Analytics

SIEM : - analyze - event correlation - disparate sources
PCI DSS : standards [like IEEE]

Splunk

APT group : continuous attacks from a specific party

Splunk architecture : 1- Forwarder [collect & send] 2- Indexer [data store / processing] 3- Search Head

[index=botsv1 imreallynotbatman.com sourcetype=stream* | stats count(src_ip) as Requests by src_ip | sort - Requests] --> count events per source IP, most active first

// 40.80.148.42 is suspicious because it has a lot of events [sources]

[index=botsv1 imreallynotbatman.com src=40.80.148.42 sourcetype=suricata]

Logging

Windows logging [C:\System32\winevt\Logs --> .evt files]

  • user account created : 4720

  • user account enabled : 4722

SMTP [Simple Mail Transfer Protocol] sources [phishing] : [Microsoft Exchange, spam appliance, Postfix, Sendmail]
not recommended to collect spam logs from multiple sources
keep an eye on :
 - numerous e-mails
 - usage of key personnel names [whaling, CEOs]
 - similar domain names
 - e-mails sent by an unauthorized server
 - abnormal SMTP user agent

DNS [domain name server] : treasure trove; sources : Bro - Zeek
DNS sinkholing : redirect untrusted requests to a 0.0.0.0 domain
keep an eye on :
 - sinkhole interaction
 - newly observed domains
 - newly created domains
 - random / computer-generated domains
 - NXDOMAIN responses [DGA]
 - volume of requests
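
The DNS "keep an eye on" items above run as code, as an added example that is not part of the original notes; the query records, the entropy cut-off and the NXDOMAIN threshold are constructed, illustrative assumptions.

```python
import math
from collections import defaultdict

# Added example (not from the notes): the DNS 'keep an eye on' items run over constructed
# query records. Thresholds and the entropy cut-off are illustrative assumptions.
# (client_ip, query_name, rcode, answer); rcode 0 = NOERROR, 3 = NXDOMAIN
DNS_RECORDS = [
    ("10.0.0.5", "www.example.org", 0, "93.184.216.34"),
    ("10.0.0.5", "mail.example.org", 0, "93.184.216.35"),
    ("10.0.0.9", "xk3jd9qpz1vb7tq.com", 3, None),
    ("10.0.0.9", "q8zv2kslw9dmf3r.net", 3, None),
    ("10.0.0.9", "m4tpl0wz8qnx5ch.org", 3, None),
    ("10.0.0.9", "blocked.example", 0, "0.0.0.0"),   # answered by the sinkhole
]
SINKHOLE_IP = "0.0.0.0"   # the redirect target named in the notes

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_generated(name, min_len=12, min_entropy=3.7):
    """Crude DGA heuristic: a long first label with a near-uniform character mix."""
    label = name.split(".")[0]
    return len(label) >= min_len and entropy(label) >= min_entropy

def review_dns(records, nx_threshold=3):
    """(client, name, reason) findings: sinkhole hits, DGA-like names, NXDOMAIN bursts."""
    nx_per_client = defaultdict(int)
    findings = []
    for client, name, rcode, answer in records:
        if answer == SINKHOLE_IP:
            findings.append((client, name, "sinkhole interaction"))
        if rcode == 3:
            nx_per_client[client] += 1
        if looks_generated(name):
            findings.append((client, name, "random-looking domain"))
    for client, n in nx_per_client.items():
        if n >= nx_threshold:
            findings.append((client, "*", f"{n} NXDOMAIN responses"))
    return findings
```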

HTTP [most commonly used and attacked]; sources [web servers, WAFs, IDS, web proxies, firewall]
keep an eye on :
 - HTTP method [GET/POST]
 - 400, 200 errors
 - inside-out IP
 - extremely long URL
 - abnormal user agent
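
A bro-cut style column picker for the Zeek http.log mentioned in the Bro [Zeek] section, with the HTTP "keep an eye on" checks above applied to its rows. Added example, not code from the notes or from Zeek; the log excerpt is constructed and uses only a subset of Zeek's real http.log columns, and the user-agent allow-list and URL length cap are assumptions.

```python
from collections import Counter
# Added example (not from the notes): bro-cut style column picker for Zeek http.log plus the
# 'keep an eye on' HTTP checks. HTTP_LOG is a constructed excerpt using a subset of Zeek's columns.
HTTP_LOG = """#separator \\x09
#fields\tts\tid.orig_h\tid.resp_h\tmethod\thost\turi\treferrer\tuser_agent\tstatus_code
#types\ttime\taddr\taddr\tstring\tstring\tstring\tstring\tstring\tcount
1691316240.1\t10.0.0.5\t93.184.216.34\tGET\texample.org\t/index.html\t-\tMozilla/5.0 (Windows NT 10.0) Firefox/115.0\t200
1691316241.7\t10.0.0.7\t93.184.216.34\tPOST\texample.org\t/wp-login.php\t-\tpython-requests/2.31\t403
1691316242.3\t10.0.0.7\t93.184.216.34\tGET\texample.org\t/search?q=""" + "A" * 600 + """\t-\t-\t400
"""

def read_zeek_log(text):
    """Rows as dicts keyed by the #fields header; Zeek writes '-' for unset values."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def bro_cut(rows, *cols):
    """Same idea as 'bro-cut host uri < http.log': keep only the named columns."""
    return [tuple(r.get(c, "-") for c in cols) for r in rows]

def method_counts(rows):
    """'HTTP method' item: what mix of methods is the server seeing?"""
    return Counter(r["method"] for r in rows)

# Assumptions for this example: a browser-like allow-list of user agents and a URL length cap.
KNOWN_UA_PREFIXES = ("Mozilla/",)
MAX_URI = 256

def flag_http(rows):
    """Apply the 'keep an eye on' items: 4xx status, extremely long URL, abnormal user agent."""
    findings = []
    for r in rows:
        reasons = []
        if r["status_code"].startswith("4"):
            reasons.append("4xx " + r["status_code"])
        if len(r["uri"]) > MAX_URI:
            reasons.append("extremely long URL")
        if not r["user_agent"].startswith(KNOWN_UA_PREFIXES):
            reasons.append("abnormal user agent")
        if reasons:
            findings.append((r["id.orig_h"], r["uri"][:40], reasons))
    return findings
```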

mimikatz : password cracker from LSASS memory
PsExec : telnet-like, to keep moving to the victim
rundll32 : used to run a malicious DLL [library for developers]
beaconing malware : trojan sending confirmation that the backdoor is still open
