# ECIR


## (1) Incident Handling process overview

1. Preparation \[tasks, items, tools, kits]
2. Detection & Analysis:
   * network perimeter
   * host perimeter
   * host level
   * application level
3. Containment, Eradication & Recovery:
   * short term \[disable network, shut the machine off, VLAN]
   * long term, you should: \[identify whether it is an insider or not, isolate the area, utilize incident forms]

netstat -naob : list all connections on the PC together with the owning program name \[.exe]

lsof -i :22 : is port 22 open? no --> "check the process"; netstat -anp | grep :22 : yes --> "check the ports"

EDR : provides more fully-featured protection against a wide range of potential threats

* canary tokens
* write blocker \[software, hardware] : used when backing up data

heterogeneous enterprise : different networks and devices \[switches, cameras, ...]

GRR \[server] : IR focused on remote live forensics \[get access to all machines]. VNC viewer : access the machine remotely, then open a browser to reach the GRR server. memory --> memory analysis --> Rekall plugin --> specific memory analysis of one program \[plugin : ldrmodules] \[program : calc.exe]. Malicious \[calc.exe, notepad.exe] are mostly name-changed copies.

Firstly we need to gather information; suspicious if \[IP is out of range, process name]:

* NETWORK >> netstat
* PROCESS >> results
* REGISTRY >> HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\\\* and HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\\\* \[USUALLY SUS]

xxd \[file name] | more : inspect the file as a hex dump

Velociraptor : additional capabilities beyond GRR, such as \[VQL : Velocidex query language] to search for a specific result

## (2) Intrusion Detection by Analyzing Traffic \[Wireshark]

communication model : any network traffic is disassembled according to a communication model \[frames, packets, headers] (OSI, TCP/IP)

* APPLICATION --> HTTP, DNS
* TRANSPORT --> TCP, UDP
* INTERNET --> IP
* NETWORK ACCESS --> IEEE 802.X

RFC \[Request For Comments] document : know what normal traffic looks like in order to spot abnormalities when analyzing traffic

### Network access layer \[802.x] \[IP, ARP, ICMP]

Most common : \[Ethernet \[802.3], Wireless \[802.11], Bluetooth]

header : 14 bytes; data : 46-1500 bytes; tail : 4 bytes; maximum Ethernet frame : 1518 bytes

MAC address --> one for every network card

ARP protocol --> get the MAC address for an IP \[arp -a] 1- send a broadcast request for the IP 2- the targeted IP receives it and sends a reply with its MAC address \[without validation]

ARP normal : \[client, server, normal flow \[few requests, 2 or 3]]. In Wireshark, \[duplicate IP address] is the sign of ARP poisoning \[gratuitous ARP reply]

how to prevent ARP poisoning : 1- static ARP/MAC table 2- ARP monitor 3- switch feature DAI \[Dynamic ARP Inspection]

MAC flooding ---> makes the switch act like a hub \[sends replies as broadcast]. SOLVE : \[port security]. packet \[1 byte]
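The "duplicate IP address" check above, as an added example (not from the original notes): a small ARP frame parser that learns IP-to-MAC bindings from replies and flags a conflict or a gratuitous reply. The frames are constructed inline with made-up MACs and RFC 1918 addresses.

```python
import struct

# Added example (not from the original notes): parse raw Ethernet/ARP frames and flag
# Wireshark's "duplicate IP address" condition (one IP claimed by two MACs) and gratuitous replies.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Return the ARP fields as a dict, or None if the frame is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

def build_arp(op, sha, spa, tha, tpa):
    """Constructed test frame: broadcast Ethernet header + ARP payload."""
    eth = ETH_HDR.pack(b"\xff" * 6, mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp

def detect_poisoning(frames):
    """Learn IP->MAC from ARP replies; report gratuitous replies and IP/MAC conflicts."""
    seen, alerts = {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        if arp["spa"] == arp["tpa"]:
            alerts.append(f"gratuitous ARP reply for {arp['spa']} from {arp['sha']}")
        prev = seen.setdefault(arp["spa"], arp["sha"])
        if prev != arp["sha"]:
            alerts.append(f"duplicate IP {arp['spa']}: {prev} vs {arp['sha']}")
    return alerts

# Constructed capture: normal request/reply for the gateway, then a second MAC claiming the gateway IP.
SAMPLE = [
    build_arp(ARP_REQUEST, "aa:bb:cc:00:00:01", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY, "aa:bb:cc:00:00:fe", "10.0.0.1", "aa:bb:cc:00:00:01", "10.0.0.5"),
    build_arp(ARP_REPLY, "de:ad:be:ef:00:99", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.1"),
]
```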

### THE IP LAYER

Header --> \[header length, total length, fragment offset]

abusing fragmentation : the malicious packet is cut into small fragments that pass through one by one and are reassembled again on the other side to hit the target. IPv6 ---> IPv4 \[tunneling] to connect

### Transport layer \[TCP , UDP]

relative sequence numbers in Wireshark make analysis easier

3-way handshake \[NORMAL] : 1- SYN 2- SYN/ACK 3- ACK

excessive SYN || a single host \[port] to multiple ports || the same \[seq] number ---> scanning. Different flags \[RST, PSH, FIN, URG]. RST scan : send SYN to port \[0]; if it replies it is live, and vice versa

Spoofing : the victim still works. Hijacking : the victim's session is stolen and the victim loses control

ICMP --> network troubleshooting \[error messages], ping
* does not use ports
* has types, and each type has a code
* Address mask request : tries to learn the subnet mask in order to pivot \[-PM]
* Timestamp request : learns the time so zero-day exploits could work before security updates arrive \[-PP]

ptunnel : in the normal case each ping should get exactly one reply, and request and reply should be the same or almost the same size. The ptunnel tool makes a covert channel \[ex: send HTTPS requests hidden inside what pretends to be ICMP] \[signs : more than one reply, a difference in packet size]
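The scanning and ICMP covert-channel indicators above, as added detection heuristics (not from the original notes) run over constructed per-packet summaries; in practice the same fields come out of tshark or Zeek logs, and the threshold is an assumption.

```python
from collections import defaultdict

# Added example (not from the original notes): heuristics for the transport and
# ICMP anomalies above, run over constructed per-packet summaries.
SCAN_PORT_THRESHOLD = 10   # distinct destination ports from one source -> scan (assumed)

def detect_tcp_scans(pkts):
    """Flag a host sending bare SYNs to many ports, and SYNs that reuse one seq number."""
    ports, seqs = defaultdict(set), defaultdict(set)
    for p in pkts:
        if p["proto"] == "tcp" and p["flags"] == "S":
            ports[p["src"]].add(p["dport"])
            seqs[p["src"]].add(p["seq"])
    alerts = []
    for src, ps in ports.items():
        if len(ps) >= SCAN_PORT_THRESHOLD:
            alerts.append(f"{src}: SYN to {len(ps)} distinct ports")
        if len(ps) > 1 and len(seqs[src]) == 1:
            alerts.append(f"{src}: same seq number {next(iter(seqs[src]))} across SYNs")
    return alerts

def detect_icmp_tunnel(pkts, size_slack=8):
    """Flag echo requests that get more than one reply, or a reply of a very different size."""
    request_len, reply_count, alerts = {}, defaultdict(int), []
    for p in pkts:
        if p["proto"] != "icmp":
            continue
        # key the exchange by (client, server, id, seq) whichever direction we see
        client, server = (p["src"], p["dst"]) if p["type"] == 8 else (p["dst"], p["src"])
        key = (client, server, p["id"], p["seq"])
        if p["type"] == 8:                       # echo request
            request_len[key] = p["len"]
        elif p["type"] == 0:                     # echo reply
            reply_count[key] += 1
            if reply_count[key] > 1:
                alerts.append(f"{server} -> {client}: {reply_count[key]} replies to one echo request")
            if key in request_len and abs(request_len[key] - p["len"]) > size_slack:
                alerts.append(f"{server} -> {client}: reply size {p['len']} vs request {request_len[key]}")
    return alerts

# Constructed samples: one host probing 12 ports with a fixed seq, and an ICMP exchange
# where the second, much larger reply is the kind of thing a ptunnel-style channel produces.
SCAN = [{"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.20", "dport": d, "flags": "S", "seq": 12345}
        for d in range(20, 32)]
TUNNEL = [{"proto": "icmp", "src": "10.0.0.9", "dst": "203.0.113.7", "type": 8, "id": 1, "seq": 1, "len": 64},
          {"proto": "icmp", "src": "203.0.113.7", "dst": "10.0.0.9", "type": 0, "id": 1, "seq": 1, "len": 64},
          {"proto": "icmp", "src": "203.0.113.7", "dst": "10.0.0.9", "type": 0, "id": 1, "seq": 1, "len": 1024}]
```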

ICMP redirect : changes the routing table

### Application layer \[HTTPS, SMTP, DNS]

NetBIOS :
* Name service \[port 137] : in a Windows LAN each device learns the IPs of the other devices through this protocol
* Datagram distribution service \[138]
* Session service \[139]

SMB : sharing files in Windows \[NBSS \[session service] should be open] \[139, 445]. RDP : remote desktop protocol \[3389]

## LAB

Suricata : network IDS/IPS monitoring engine that inspects for malicious activity \[using specific rules]. host-based : one for each device in the network individually. network-based : for the whole network

Multi-threading : handling many processes at the same time \[pipeline]. false positive : normal traffic gets suspended; SOLVE : \[check all the rules] in IPS mode. Modes :
1. IDS \[passive .. just listen and detect] not time consuming
2. IPS \[active .. prevent & block] time consuming
3. IDPS \[hybrid .. detect & prevent] no latency
4. NSM \[Network Security Monitoring] useful during investigation

Rules :
* \[ ls -lah /etc/suricata/rules/ ] lists the rule files in Suricata
* \[ more /etc/suricata/rules/\[rule name] ] shows the details of a rule file

Input :
* offline \[sudo suricata -r PCAPs/eicar-com.pcap]
* online \[sudo suricata -i ens33]
* jq : makes the JSON output readable \[filter]
* fast.log : clear-text alerts

### How to make a rule in suricata

\[ each active rule consumes CPU and memory]

1. header \[action] --> alert, log, pass, drop, reject
2. protocol --> tcp, udp, icmp, ip, http, tls, smb, dns
3. rule message \[options] - flow --> state of the traffic \[to\_server, to\_client, established] - rule metadata \[reference, sid, rev]
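The three-part rule structure above, as an added example (not from the notes or the Suricata project): a small parser that splits a rule into header action, protocol, addresses and options, and rejects rules missing the msg/sid/rev metadata. The sample rule is constructed, with a sid in the local 1000000+ range rather than a real signature.

```python
import re

# Added example (not from the notes or Suricata itself): validate a rule against the
# action / protocol / options structure described above.
ACTIONS = {"alert", "log", "pass", "drop", "reject"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip", "http", "tls", "smb", "dns"}
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def split_options(body):
    """Split 'k:v; k; ...' into (key, value) pairs; semicolons inside quotes are kept."""
    opts, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            k, _, v = cur.strip().partition(":")
            opts.append((k, v.strip().strip('"')))
            cur = ""
        else:
            cur += ch
    if cur.strip():
        raise ValueError("option not terminated by ';'")
    return opts

def parse_rule(text):
    """Return the rule as a dict; raise ValueError on anything Suricata would reject."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    opts = split_options(body)
    keys = dict(opts)                      # last value wins for repeated keys like content
    for required in ("msg", "sid", "rev"):
        if required not in keys:
            raise ValueError(f"missing {required}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "msg": keys["msg"], "sid": int(keys["sid"]), "rev": int(keys["rev"]),
            "flow": keys["flow"].split(",") if "flow" in keys else [],
            "options": opts}

# Constructed local rule for the EICAR pcap workflow above; not a real ET signature.
SAMPLE_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any '
               '(msg:"LOCAL EICAR test file download"; flow:established,to_server; '
               'content:"eicar.com"; http_uri; classtype:bad-unknown; sid:1000001; rev:1;)')
```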

Macro execution : embedded objects that run inside Office documents. /.exe : in a pattern, the `.` matches any single character \[letter, number, symbol, ...]

### bro \[zeek]

http.log contains \[host, uri, referrer, user\_agent, status\_code]. bro-cut host < http.log : print only the host column

NetFlow \[Cisco] : records the connection between two hosts (PORT : 2055); checks only the header \[not the payload]

IPFIX : standard for all vendors by the IETF \[Cisco, Huawei, ...] (PORT : 4739)

Toolkits : yaf, SiLK, FlowViewer

SolarWinds analysis : wireless network traffic analysis to identify the specific endpoints or applications using your wireless bandwidth. VirusTotal : check whether the \[data, link] is infected. beaconing malware : communicates with the attacker to show that the malware is still alive


## Practical Incident Handling

Certificate Transparency | censys : whether a certificate is valid or not. War driving :
* phone sweep : proactive detection
* kismet : scanning for wireless networks at a location with an antenna
* insider : wireless detection \[hidden networks as well]
* WebRTC : service to connect

### Exploitation: access gain

* BGP hijacking : rerouting traffic to the attacker's network \[AS]
* Passive & active sniffing. SSL stripping : MITM on HTTPS .. the tool turns https --> http \[clear text]
* Remote exploit \[buffer overflow] : more data than the buffer can handle \[any data, malware]
* NTLM : hashing of the passwords

### Post Exploitation

1] Windows/Linux privilege :
* Stored credentials \[fake files and a fake login account]
* Registry \[sysmon : hash --> VirusTotal]
* Unquoted service path
* Service binary \[make use of an unquoted service path and replace it with the attacker's process]
* AlwaysInstallElevated

2] Credentials & theft \[the keys to the vault] : \[LM \[DES], NTLMv1 \[MD4], NTLMv2 \[MD5], Kerberos]


## SOC Operation & Analytics

SIEM : analysis, event correlation, disparate sources. PCI DSS : a standard \[like IEEE standards]

## Splunk

APT group : continuous attacks from a specific party

Splunk architecture : 1- Forwarder \[collect & send] 2- Indexer \[data store / processing] 3- Search Head

\[ index=botsv1 imreallynotbatman.com sourcetype=stream\* | stats count(src\_ip) as Requests by src\_ip | sort - Requests ] --> count the most frequent source IPs

// 40.80.148.42 is suspicious because it has a lot of sources \[events]

\[ index=botsv1 imreallynotbatman.com src=40.80.148.42 sourcetype=suricata ]

## Logging

Windows logging \[C:/Windows/System32/winevt/Logs --> .evt files]

* user account created : 4720
* user account enabled : 4722

SMTP \[Simple Mail Transfer Protocol] sources \[phishing] : \[Microsoft Exchange, spam appliance, postfix, sendmail]; it is not recommended to collect spam logs from multiple sources.\
keep an eye on :
* numerous e-mails
* usage of key personnel names \[whaling CEOs]
* similar-looking domain names
* e-mails sent by an unauthorized server
* abnormal SMTP user agent

DNS \[domain name server] treasure trove. sources : Bro / Zeek. DNS sinkholing : redirect untrusted requests to a 0.0.0.0 domain. keep an eye on :
* interaction with the sinkhole
* newly observed domains
* newly created domains
* random / computer-generated domains
* NXDOMAIN responses \[DGA]
* volume of requests

HTTP \[most commonly used and attacked]. sources : \[web servers, WAFs, IDS, web proxies, firewall]. keep an eye on :
* HTTP method \[GET/POST]
* 400, 200 error codes
* inside-out IP
* extremely long URLs
* abnormal user agent

mimikatz : password cracker that reads from memory \[LSASS]. PsExec : telnet-like remote execution used to keep moving to the next victim. rundll32 : used to run a malicious DLL \[library for developers]. beaconing malware : trojan that sends a confirmation that the backdoor is still open
