~/THM/ SOC L2 Path

Some notes from the SOC L2 Path

Intro to Logs

Log Formats

  • Semi-structured Logs: These logs may contain structured and unstructured data, with predictable components accommodating free-form text.

  • Structured Logs: Following a strict and standardised format, these logs are conducive to parsing and analysis.

  • Unstructured Logs: Comprising free-form text, these logs can be rich in context but may pose challenges in systematic parsing.

Timestamps must be synchronised across all log sources; Network Time Protocol (NTP) is a method to achieve this synchronisation and ensure the integrity of the timeline stored in the logs.

  • Hot Storage: Logs from the past 3-6 months that are most accessible. Query speed should be near real-time, depending on the complexity of the query.

  • Warm Storage: Logs from six months to 2 years, acting as a data lake, easily accessible but not as immediate as Hot storage.

  • Cold Storage: Archived or compressed logs from 2-5 years. These logs are not easily accessible and are usually used for retroactive analysis or scoping purposes.

logrotate is a tool that automates log file rotation, compression and removal, ensuring that log files are handled systematically.

Common log locations:

  • Web Servers: Nginx: access logs /var/log/nginx/access.log, error logs /var/log/nginx/error.log

  • Web Servers: Apache: access logs /var/log/apache2/access.log, error logs /var/log/apache2/error.log

  • Databases: MySQL: error logs /var/log/mysql/error.log

  • Databases: PostgreSQL: error and activity logs /var/log/postgresql/postgresql-{version}-main.log

  • Web Applications: PHP: error logs /var/log/php/error.log

  • Operating Systems: Linux: general system logs /var/log/syslog, authentication logs /var/log/auth.log

  • Firewalls and IDS/IPS: iptables: firewall logs /var/log/iptables.log; Snort: /var/log/snort/

The cut command extracts specific columns (fields) from files based on a specified delimiter: cut -d ' ' -f 1 apache.log [we can change the field number to -f 7 to extract the URLs and -f 9 to extract the HTTP status codes]

grep -E 'pattern1.*pattern2' filename [lines where pattern1 is followed, anywhere later on the line, by pattern2]

Regex

https://tryhackme.com/room/catregex

RegExr is an online tool to help teach, build, and test regular expression patterns.

grep -E 'post=1[0-9]' apache-ex2.log --> matches post=10, post=11, ... post=19

Advanced Splunk

index=windowslogs | fields + host + User + SourceIp

index=windowslogs | search Powershell

index=windowslogs | table EventID User Image Hostname | dedup EventID [create a table; dedup removes results that have duplicate values of the given field]

index=windowslogs | fields + host + User + SourceIp | rename User as Employees

index=windowslogs | table _time EventID Hostname SourceName | head 5 [first 5 results]

index=windowslogs | table _time EventID Hostname SourceName | tail 5 [last 5 results]

index=windowslogs | table _time EventID Hostname SourceName | sort Hostname

index=windowslogs | table _time EventID Hostname SourceName | reverse

index=windowslogs | top limit=7 Image [most common values]

index=windowslogs | rare limit=7 Image [least common values]

index=windowslogs | highlight User, host, EventID, Image [highlight the listed fields in the results]

index=windowslogs | stats count(source_IP) [returns the number of events that carry a source_IP value]

index=windowslogs | chart count by User [chart the event count per user]

index=windowslogs | timechart count by Image

Splunk for Linux

1- Download [splunk], [splunk forwarder]

2- Access Splunk after login [the Splunk web interface is at http://coffely:8000]

3- Heavy Forwarders: used when we need to filter, analyse or modify the logs at the source before forwarding them to the destination

Universal Forwarders: their main purpose is to collect the logs and send them to the Splunk instance or to another forwarder without applying any filters or indexing

4- Configure the Splunk forwarder / create a new index [Settings --> Forwarding, Indexes]

5- Link the forwarder to the Splunk instance [./splunk add forward-server 10.10.77.177:9997]

Next, we tell the Splunk forwarder which log files to monitor [./splunk add monitor /var/log/syslog -index Linux_host]. We can also edit the inputs.conf file located in /opt/splunkforwarder/etc/apps/search/local [$ ls --> inputs.conf]

Installation [Elasticsearch, Logstash, Kibana]

1- Install the package in /home/tools/kibana [dpkg -i TOOL]

2- systemctl daemon-reload [persistence]

3- Configure TOOL [nano TOOL.yml]

4- Restart TOOL [systemctl restart TOOL.service]

Advanced Kibana

Kibana supports two query syntaxes: KQL (Kibana Query Language) and Lucene Query Syntax.

  • KQL: provides autocomplete suggestions and supports filtering using various operators and functions.

  • Lucene Query Syntax: more powerful than KQL but harder to learn for beginners.

Detection Engineering && Incident Response

Uncoder is a handy tool that converts Sigma rules into queries that can be used immediately within a SIEM of your choice.

The most common tripwires are Honeypots and Hidden Files and Folders.

Sigma is an open-source generic signature language developed by Florian Roth & Thomas Patzke to describe log events in a structured format. This allows security analysts to share detection methods quickly. As the project puts it: "Sigma is for log files as Snort is for network traffic, and Yara is for files."

Sigmac is a Python-written tool that converts Sigma rules by matching the detection log source field values to the appropriate SIEM backend fields.

An Endpoint Detection and Response (EDR) solution provides a proactive approach to threat detection and visibility through near real-time monitoring of events on endpoints, evaluating them with rules-based automated analysis and response.

Aurora is a Windows endpoint agent that uses Sigma rules and IOCs to detect threat patterns on local event streams using ETW. When a true-positive rule matches, Aurora triggers “response actions” that will be displayed under the Windows Event Log Viewer.

SOCs have evolved over time, with every generation adding new technology. A quick rundown of the SOC generations is as follows:

First-Generation: Initial SOC functions were handled by the IT operations teams; thus, tasks were more blended. The main functions included device monitoring, managing antivirus security and log collection, which was limited and often referred to in the event an incident was reported.

Second-Generation: SIEM tools emerged here and were meant to add to the previous SOC functions. The added operational aspects included events correlation, network and Syslog log collection and case management. This meant that security threat management was the main focus and aimed at correlating events to establish links and provide analysts with visuals that would assist them in investigating incidents.

Third-Generation: Expanded the use of SIEMs by adding vulnerability management and incident response capabilities.

Fourth-Generation: Advanced security capabilities are introduced here, including big data security and data enrichment. With this generation, SOCs can analyse large amounts of data to uncover threats in real time. As an example, threat intelligence feeds have become valuable to SOC teams, expanding the horizons of security investigations.

Security Orchestration, Automation, and Response (SOAR) platforms come into play and allow organisations to analyse threat intelligence efficiently, automate response workflows and triage incidents using human and machine power.

Jump Bag

  • Media drives to store evidence being collected.

  • Disk imaging and host forensic software such as FTK Imager, EnCase, and The Sleuth Kit.

  • Network tap to mirror and monitor traffic.

  • Cables and adapters such as USB, SATA, and card readers to accommodate common scenarios.

  • PC repair kits that include screwdriver sets and tweezers.

  • Copies of incident response forms and communication playbooks.

Threat Hunting

Initial Access:-

  • host.name: jumphost AND event.category: authentication AND system.auth.ssh.event: Failed [visualise as a table]

  • host.name: jumphost AND event.category: authentication AND system.auth.ssh.event: Accepted AND source.ip: (167.71.198.43 OR 218.92.0.115)

  • host.name: web01 AND network.protocol: http AND destination.port: 80 AND source.ip: 167.71.198.43 AND http.response.status_code: 404 [GoBuster failures]

  • host.name: web01 AND network.protocol: http AND destination.port: 80 AND source.ip: 167.71.198.43 AND http.response.status_code: (200 OR 301 OR 302) [successful attempts]

Execution:-

Command-line Tools: Using built-in commands through powershell.exe and cmd.exe to download and execute the staged payload.

Built-in System Tools: Using certutil.exe or bitsadmin.exe to download the remote payload and rundll32.exe to run it.

Scripting / Programming Tools: Using built-in functionality of programming tools such as Python's os.system() or PHP's exec().

Temp Folder: The temp folder is also a discreet area that many victims of malware attacks overlook. Some people, in fact, neglect to scan the temp folder when running antivirus software.

Event ID 4104: PowerShell script block logging; process creation (Sysmon Event ID 1) and network connection (Sysmon Event ID 3) events

  • host.name: WKSTN-* AND winlog.event_id: 1 AND process.name: (cmd.exe OR powershell.exe)

  • host.name: WKSTN-* AND winlog.event_id: (1 OR 3) AND (process.name: (mshta.exe OR certutil.exe OR regsvr32.exe) OR process.parent.name: (mshta.exe OR certutil.exe OR regsvr32.exe)) [Process]

  • host.name: WKSTN-* AND winlog.event_id: (1 OR 3) AND (process.name: (python OR php OR nodejs) OR process.parent.name: (python OR php OR nodejs)) [Code]

Defense Evasion:-

  • host.name: WKSTN-* AND (DisableRealtimeMonitoring OR RemoveDefinitions) [Disable Windows Defender]

  • host.name: WKSTN-* AND winlog.event_id: 1102 [log deletion: Event ID 1102 is logged when the audit log is cleared]

  • host.name: WKSTN-* AND winlog.event_id: 8 [Event ID 8 (CreateRemoteThread)]

Persistence:-

Modification of registry keys: Using reg.exe to modify registry keys related to system boot-up, such as the Run or RunOnce keys.

Installation of auto-start scripts: Creation of scheduled tasks (via schtasks.exe) to regularly update and execute the implanted malware.

Creation of additional accounts: Using net.exe to create a new user and add it to the local administrators' group.

  • host.name: WKSTN-* AND (winlog.event_id: 4698 OR (schtasks OR Register-ScheduledTask)) --> Event ID 4698 (Scheduled Task Creation); then identify the events generated by the parent process of cmd.exe that executed the malicious scheduled task creation.

  • host.name: WKSTN-* AND winlog.event_id: 13 AND winlog.channel: Microsoft-Windows-Sysmon/Operational AND registry.path: (CurrentVersion\Run OR CurrentVersion\Explorer\User OR CurrentVersion\Explorer\Shell) [Sysmon Event ID 13 ---> registry value set] [to ease the hunting, only a few registry keys are listed]

  • host.name: WKSTN-* AND winlog.event_id: 13 AND winlog.channel: Microsoft-Windows-Sysmon/Operational AND process.name: (reg.exe OR powershell.exe)

Command and Control:-

Communication can occur via various channels, such as:

  • Standard network protocols, such as DNS, ICMP, HTTP/s. [Using the DNS protocol as a communication channel via its subdomain.]

  • Known cloud-based services. [ Passing traffic through known web applications such as Google Drive, Telegram, and Discord.]

  • Encrypted custom HTTP/s server. [Using a self-hosted server with a well-groomed domain passing encrypted traffic.]

  • network.protocol: dns AND NOT dns.question.name: *arpa [table the top values and look for the abnormal one]

  • network.protocol: dns AND NOT dns.question.name: *arpa AND dns.question.registered_domain: "golge.xyz" AND host.name: WKSTN-1

  • host.name: WKSTN-1* AND destination.ip: 167.71.198.43 AND destination.port: 53 [gather info around the process] [identify the events generated by the parent process of nslookup.exe that established C2 over DNS]

  • host.name: WKSTN-1* AND discord.gg

  • host.name: WKSTN-1* AND winlog.event_id: 1 AND process.parent.executable: "C:\Windows\Temp\installer.exe" [Gather Info around process]

  • host.name: WKSTN-* AND network.protocol: http AND network.direction: egress AND destination.domain: cdn.golge.xyz [table the top values and look for the abnormal one]

  • host.name: WKSTN-* AND cdn.golge.xyz [Gather Info around process]
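The DNS hunt above (drop *arpa lookups, table the top registered domains, pivot to the hosts behind the abnormal one) as an added Python example that is not part of these notes: it runs over constructed ECS-style events, the field names follow the queries on this page, and the distinct-subdomain threshold is an assumption.

```python
"""Added example: hunt for DNS-based C2 over constructed ECS-style events.

Mirrors the KQL hunt in the notes: drop reverse-lookup (*arpa) queries,
table registered domains by query volume and by number of distinct
subdomains, then pivot to the hosts behind the abnormal domain. A C2
channel that encodes data in subdomains leaves many unique labels under
one registered domain, which is the top value worth chasing.
"""
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample events (not real telemetry). golge.xyz is the domain
# named in the notes; the encoded-looking subdomains are made up.
EVENTS = [
    {"host.name": "WKSTN-1", "network.protocol": "dns",
     "dns.question.name": "0a1b2c3d.golge.xyz", "dns.question.registered_domain": "golge.xyz"},
    {"host.name": "WKSTN-1", "network.protocol": "dns",
     "dns.question.name": "4e5f6a7b.golge.xyz", "dns.question.registered_domain": "golge.xyz"},
    {"host.name": "WKSTN-1", "network.protocol": "dns",
     "dns.question.name": "8c9d0e1f.golge.xyz", "dns.question.registered_domain": "golge.xyz"},
    {"host.name": "WKSTN-2", "network.protocol": "dns",
     "dns.question.name": "www.example.com", "dns.question.registered_domain": "example.com"},
    {"host.name": "WKSTN-2", "network.protocol": "dns",
     "dns.question.name": "www.example.com", "dns.question.registered_domain": "example.com"},
    {"host.name": "WKSTN-1", "network.protocol": "dns",
     "dns.question.name": "1.0.10.10.in-addr.arpa", "dns.question.registered_domain": "in-addr.arpa"},
    {"host.name": "WKSTN-1", "network.protocol": "http", "destination.domain": "cdn.golge.xyz"},
]


def dns_queries(events):
    """network.protocol: dns AND NOT dns.question.name: *arpa"""
    return [e for e in events
            if e.get("network.protocol") == "dns"
            and not fnmatch(e.get("dns.question.name", ""), "*arpa")]


def table_by_registered_domain(events):
    """Return {registered_domain: (query_count, distinct_subdomain_count)}."""
    counts = defaultdict(int)
    names = defaultdict(set)
    for e in dns_queries(events):
        rd = e["dns.question.registered_domain"]
        counts[rd] += 1
        names[rd].add(e["dns.question.name"])
    return {rd: (counts[rd], len(names[rd])) for rd in counts}


def abnormal_domains(events, min_distinct_subdomains=3):
    """Registered domains with an unusually high number of distinct subdomains.

    The threshold is a constructed tuning knob; in practice it comes from a
    baseline of the environment's normal DNS behaviour.
    """
    table = table_by_registered_domain(events)
    return sorted(rd for rd, (_, distinct) in table.items()
                  if distinct >= min_distinct_subdomains)


def hosts_querying(events, registered_domain):
    """Second pivot from the notes: which hosts queried the flagged domain."""
    return sorted({e["host.name"] for e in dns_queries(events)
                   if e["dns.question.registered_domain"] == registered_domain})


if __name__ == "__main__":
    for rd, (n, distinct) in table_by_registered_domain(EVENTS).items():
        print(f"{rd:16} queries={n} distinct_subdomains={distinct}")
    for rd in abnormal_domains(EVENTS):
        print("abnormal:", rd, "hosts:", hosts_querying(EVENTS, rd))
```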

Discovery [Enumeration]:-

  • User Reconnaissance: Using built-in commands like whoami, net user, net localgroup or qwinsta for account enumeration and dir or ls for file and folder enumeration.

  • Host Reconnaissance: Commands such as hostname, wmic, ipconfig or systeminfo for gathering host information, net start or sc.exe query for service enumeration, and simply navigating through GUI-based applications like Windows Security to determine the security controls running in the compromised host.

  • Internal Scanning: Displaying the ARP table (via the arp command), sweeping reachable assets via ping, and scanning open ports using different tools, such as Nmap or PowerShell (leveraging built-in capabilities).

  • Internal Domain Reconnaissance: Using built-in commands like net * /domain or nltest /dclist, or loading known PowerShell commands and scripts (PowerView or BloodHound) to list domain users and enumerate domain objects.

  • winlog.event_id: 1 AND process.name: (whoami.exe OR hostname.exe OR net.exe OR systeminfo.exe OR ipconfig.exe OR netstat.exe OR tasklist.exe)

  • winlog.event_id: 3 AND source.ip: 10.10.184.105 AND destination.ip: 10.10.122.219 AND destination.port < 1024 [the suspicious IP scanned the ~1000 low ports], [Event ID 3 = network connection]

  • winlog.event_id: 3 AND source.ip: 10.0.0.0/8 AND destination.ip: 10.0.0.0/8 AND destination.port: (389 OR 636) AND NOT process.name: mmc.exe [port 389 for LDAP and port 636 for LDAP over SSL] [mmc.exe is excluded from the query since this process typically generates benign LDAP connections]

SharpHound is a data collection tool, and BloodHound is an analysis and visualisation tool; together, they help identify and visualise Active Directory (AD) trust relationships and privilege escalation paths within a network.

Privilege Escalation:-

  • Exploitation of vulnerabilities: Using known userland and kernel exploits on unpatched hosts.

  • Usage of valid accounts: Using runas commands with newly discovered credentials or re-authenticating with a privileged account on the same machine.

  • Access control abuse: Abusing overly permissive Access Control Lists (ACLs), allowing other accounts to grant or acquire additional permissions.

  • Host misconfiguration abuse: Abusing insecure service configurations, such as modifiable and restartable services or overwritable service binaries.

  • winlog.event_id: 1 AND user.name: SYSTEM AND NOT winlog.event_data.ParentUser: "NT AUTHORITY\SYSTEM" [events whose ParentUser field is NT AUTHORITY\SYSTEM are excluded since they do not indicate privilege escalation]

Credential Access:-

  • Credentials in disk or memory: Dumping LSASS via Mimikatz or creation of an LSASS dump file, listing account information in the Windows Registry (reg.exe save hklm\sam), or extracting DPAPI credentials with SharpDPAPI.

  • Credentials in files: Harvesting credentials in files using findstr /s/n/m/i password, finding credential manager files (KeePass or SSH keys), and dumping browser credentials via SharpChrome or Firefox Decrypt.

  • Domain credentials: Dumping domain credentials via DCSync or accessing Local Administrator credentials from LAPS.

  • Credential spraying: Multiple failed login attempts of various accounts on a single workstation or failed login attempts on multiple workstations using a single account.

  • winlog.event_id: 1 AND process.command_line: (mimikatz OR DumpCreds OR privilege::debug OR sekurlsa::) [strings commonly seen on the command line when Mimikatz is used to dump credentials]

  • winlog.event_id: 11 AND file.path: *lsass.DMP

Normally, domain controllers synchronise directory information, including password hashes, via the Directory Replication Service Remote protocol (MS-DRSR).

  • winlog.event_id: 4662 AND winlog.event_data.AccessMask: 0x100 AND winlog.event_data.Properties: (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 OR 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 OR 9923a32a-3607-11d2-b9be-0000f87a36b2 OR 89e95b76-444d-4c62-991a-0facbeda640c) [Event ID 4662 to hunt for Directory Service object access] [an AccessMask value of 0x100 (Control Access) signifies that the user has enough privileges to conduct the replication]

  • winlog.event_id: 4625 [failed logon attempts (Event ID 4625); the basis for hunting credential spraying]
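The credential-spraying definition above (many accounts on one workstation, or one account across many workstations) and the Event ID 4625 hunt, as an added Python example that is not from the notes or the room: it aggregates constructed 4625 events both ways and pivots to the source IPs; the thresholds, hostnames and account names are assumptions.

```python
"""Added example: hunt for credential spraying in Windows failed logon events.

The notes define spraying two ways: many accounts failing on one workstation,
or one account failing across many workstations. Both are aggregations over
Event ID 4625, which is what this script performs on constructed events.
"""
from collections import defaultdict

# Constructed sample events (not real telemetry), ECS-style field names.
EVENTS = [
    {"winlog.event_id": 4625, "host.name": "WKSTN-1", "user.name": "alice", "source.ip": "10.10.184.105"},
    {"winlog.event_id": 4625, "host.name": "WKSTN-1", "user.name": "bob", "source.ip": "10.10.184.105"},
    {"winlog.event_id": 4625, "host.name": "WKSTN-1", "user.name": "carol", "source.ip": "10.10.184.105"},
    {"winlog.event_id": 4625, "host.name": "WKSTN-1", "user.name": "dave", "source.ip": "10.10.184.105"},
    {"winlog.event_id": 4625, "host.name": "WKSTN-2", "user.name": "svc_backup", "source.ip": "10.10.184.105"},
    {"winlog.event_id": 4625, "host.name": "WKSTN-3", "user.name": "svc_backup", "source.ip": "10.10.184.105"},
    {"winlog.event_id": 4625, "host.name": "WKSTN-4", "user.name": "svc_backup", "source.ip": "10.10.184.105"},
    {"winlog.event_id": 4625, "host.name": "WKSTN-5", "user.name": "erin", "source.ip": "10.10.1.50"},
    {"winlog.event_id": 4624, "host.name": "WKSTN-1", "user.name": "alice", "source.ip": "10.10.1.51"},
]


def failed_logons(events):
    """winlog.event_id: 4625"""
    return [e for e in events if e.get("winlog.event_id") == 4625]


def users_per_host(events):
    """{host: set(accounts that failed to log on there)}"""
    table = defaultdict(set)
    for e in failed_logons(events):
        table[e["host.name"]].add(e["user.name"])
    return table


def hosts_per_user(events):
    """{account: set(hosts where it failed to log on)}"""
    table = defaultdict(set)
    for e in failed_logons(events):
        table[e["user.name"]].add(e["host.name"])
    return table


def spray_against_host(events, min_users=3):
    """Many distinct accounts failing on a single workstation (threshold is an assumption)."""
    return sorted(h for h, users in users_per_host(events).items() if len(users) >= min_users)


def spray_with_account(events, min_hosts=3):
    """A single account failing on many workstations (threshold is an assumption)."""
    return sorted(u for u, hosts in hosts_per_user(events).items() if len(hosts) >= min_hosts)


def spray_sources(events):
    """Pivot: source IPs behind the flagged activity, to feed the next hunt."""
    hosts = set(spray_against_host(events))
    users = set(spray_with_account(events))
    return sorted({e["source.ip"] for e in failed_logons(events)
                   if e["host.name"] in hosts or e["user.name"] in users})


if __name__ == "__main__":
    print("hosts sprayed:", spray_against_host(EVENTS))
    print("accounts sprayed:", spray_with_account(EVENTS))
    print("source IPs:", spray_sources(EVENTS))
```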

Lateral Movement:-

  • Exploiting internal services: Attacking internal servers running vulnerable applications/services, such as web applications, printers, email services, and domain controllers.

  • Usage of legitimate admin tools: Using legitimate administration tools, such as PsExec, Windows Management Instrumentation, PowerShell remoting, and Remote Desktop applications.

  • Authenticating with valid credentials: Using plaintext passwords from discovered credentials, or using Pass-the-Hash or Pass-the-Ticket to authenticate with dumped hashes.

  • Accessing sensitive information: Authenticating to file, database, and cloud storage servers.

  • winlog.event_id: 1 AND process.parent.name: WmiPrvSE.exe [WMI]

  • winlog.event_id: 4624 AND winlog.event_data.LogonType: 3 AND winlog.event_data.LogonProcessName: NtLmSsp AND winlog.event_data.KeyLength: 0 [Pass-the-Hash]
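The DCSync (Event ID 4662) hunt from the Credential Access section and the Pass-the-Hash (Event ID 4624) hunt above, rewritten as Python predicates; this is an added example, not part of the notes. The GUIDs and field values come from the queries on this page; the sample events are constructed, and the non-matching 4662 event uses an all-zero placeholder GUID.

```python
"""Added example: per-event hunts for DCSync (4662) and Pass-the-Hash (4624).

Implements the two Security-log queries from the notes as Python predicates
over constructed ECS-style events, so the field logic can be read and tested
outside the SIEM.
"""

# Replication-related property GUIDs taken from the 4662 query in the notes.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "9923a32a-3607-11d2-b9be-0000f87a36b2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}


def is_dcsync(event):
    """winlog.event_id: 4662 AND AccessMask: 0x100 AND Properties contains a replication GUID.

    AccessMask 0x100 is Control Access. The Properties field of a 4662 event is
    a free-text blob that lists GUIDs, so match by case-insensitive substring.
    """
    if event.get("winlog.event_id") != 4662:
        return False
    data = event.get("winlog.event_data", {})
    if str(data.get("AccessMask", "")).lower() != "0x100":
        return False
    props = str(data.get("Properties", "")).lower()
    return any(guid in props for guid in DS_REPLICATION_GUIDS)


def is_pass_the_hash(event):
    """winlog.event_id: 4624 AND LogonType: 3 AND LogonProcessName: NtLmSsp AND KeyLength: 0"""
    if event.get("winlog.event_id") != 4624:
        return False
    data = event.get("winlog.event_data", {})
    return (str(data.get("LogonType")) == "3"
            and str(data.get("LogonProcessName", "")).lower() == "ntlmssp"
            and str(data.get("KeyLength")) == "0")


def hunt(events):
    """Return [(rule_name, event)] for every event that matches a hunt."""
    rules = {"dcsync": is_dcsync, "pass_the_hash": is_pass_the_hash}
    return [(name, e) for e in events for name, pred in rules.items() if pred(e)]


# Constructed sample events (not real telemetry).
SAMPLE = [
    {"winlog.event_id": 4662, "host.name": "DC01", "user.name": "jdoe",
     "winlog.event_data": {"AccessMask": "0x100",
                           "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}},
    {"winlog.event_id": 4662, "host.name": "DC01", "user.name": "svc_ldap",
     "winlog.event_data": {"AccessMask": "0x10",  # read access, not Control Access
                           "Properties": "{00000000-0000-0000-0000-000000000000}"}},  # placeholder GUID
    {"winlog.event_id": 4624, "host.name": "WKSTN-2", "user.name": "admin",
     "winlog.event_data": {"LogonType": "3", "LogonProcessName": "NtLmSsp", "KeyLength": "0"}},
    {"winlog.event_id": 4624, "host.name": "WKSTN-2", "user.name": "admin",
     "winlog.event_data": {"LogonType": "3", "LogonProcessName": "NtLmSsp", "KeyLength": "128"}},
]


if __name__ == "__main__":
    for name, e in hunt(SAMPLE):
        print(f"{name}: host={e['host.name']} user={e['user.name']}")
```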

"Dwell Time": the average time a threat actor has access to a compromised system before it is detected and eradicated.

Collection:-

Hunting keylogging --> keywords: GetKeyboardState or SetWindowsHook or GetKeyState or GetAsyncKeyState or VirtualKey or vKey or filesCreated or DrawText

Exfiltration:-

  • $ping or $ipconfig or $arp or $route or $telnet or $tracert or $nslookup or $netstat or $netsh or $smb or $smtp or $scp or $ssh or $wget or $curl or $certutil or $nc or $ncat or $netcut or $socat or $dnscat or $ngrok or $psfile or $psping or $tcpvcon or $tftp or $socks or $Invoke-WebRequest or $server or $post or $ssl or $encod or $chunk --> [some keywords for hunting data exfiltration, e.g. over ICMP]

Impact:-

  • del or rm or vssadmin or wbadmin or bcdedit or wevtutil or shadow recovery or bootstatuspolicy

Intro to Threat Emulation

DREAD framework:- rates a threat by scoring each of the five categories below and combining them into an overall score:

  • Damage - How bad would an attack be?

  • Reproducibility - How easy is it to reproduce the attack?

  • Exploitability - How much work is it to launch the attack?

  • Affected Users - How many people will be impacted?

  • Discoverability - How easy is it to discover the vulnerability?

STRIDE framework [checklist table]:-

  • Spoofing

  • Tampering

  • Repudiation

  • Information Disclosure

  • Denial of Service

  • Elevation of Privilege

Atomic Red Team is an open-source project that provides a framework for performing security testing and threat emulation. CALDERA™ is an open-source framework designed to run autonomous adversary emulation exercises efficiently.

xfreerdp /v:[IP] /u:[username] /p:[password] /cert:ignore +clipboard /dynamic-resolution [+clipboard enables copy/paste between host and session]

Malware Analysis

  • lea: moves the address of the source into the destination.

  • nop: consumes CPU cycles while waiting for an operation or for other such purposes [used by malware authors when redirecting execution to their shellcode].

  • shr/shl: shift instructions, used instead of multiplication and division by two or powers of two.

Static Analysis

pe-tree: utility to analyse the PE header

A packer is a tool that obfuscates the data in a PE file so that it cannot be read without unpacking it.

  • Legitimate software developers use packing to address piracy concerns.

  • Malware authors use it to avoid detection.

The FLARE VM is a Windows-based VM well-suited for malware analysis, created by Mandiant (previously FireEye).

REMnux stands for Reverse Engineering Malware Linux. It is a Linux-based malware analysis distribution created by Lenny Zeltser in 2010.

Imphash: samples that share the same imphash might belong to the same malware family. MalwareBazaar: a malware database that can be searched by hash [md5:hash].

Ghidra: a reverse engineering tool that lets users analyse compiled code to understand its functionality, providing decompilation, disassembly and debugging of binaries.

Process hollowing: is a technique malware uses to inject malicious code into a legitimate process running on a victim's computer. The malware creates a suspended process and replaces its memory space with its own code.

If an analyst wants to analyse Linux malware, the analysis OS should be Linux -_-

Dynamic Analysis

Regshot is a tool that identifies any changes to the registry (or to the file system locations we select).

A hash changes if even one bit of the malware is changed (unless we are talking about Context-Triggered Piecewise Hashes, or fuzzy hashes), so just adding a NOP instruction or another such change can defeat hash-based detection techniques.
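An added example (not from the notes) tying the Imphash point above to the hash-fragility point: it reimplements the imphash computation over a constructed import list and shows that inserting a NOP changes the file's MD5 but not its imphash. The "binaries" are stand-in byte strings, not real PE files, and ordinal-only imports are out of scope.

```python
"""Added example: why an imphash survives changes that defeat a file hash.

Reimplements the imphash algorithm (the scheme pefile's get_imphash uses):
for every imported function take "<dll without .dll/.ocx/.sys>.<function>"
in lowercase, join the entries with commas in import-table order, and MD5
the string. Inserting a NOP into the code changes the file's MD5 but leaves
the import table, and therefore the imphash, unchanged. The "binaries" here
are constructed stand-ins (an import list plus a byte blob), not real PE
files; ordinal-only imports, which pefile resolves via lookup tables, are
out of scope.
"""
import hashlib


def imphash(imports):
    """imports: list of (dll_name, function_name) pairs in import-table order."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Constructed sample: identical import table, code differs by one inserted NOP.
IMPORTS = [("KERNEL32.dll", "VirtualAlloc"), ("KERNEL32.dll", "CreateRemoteThread"),
           ("ADVAPI32.dll", "OpenProcessToken"), ("WS2_32.dll", "connect")]
CODE_V1 = bytes.fromhex("5589e58b450c83c0045dc3")  # stand-in code bytes, not a real program
CODE_V2 = CODE_V1[:2] + b"\x90" + CODE_V1[2:]      # same code with a NOP (0x90) inserted


def file_hashes(imports, code):
    """MD5 over the whole constructed file body, next to the imphash of its imports."""
    body = b"".join(f"{d}:{f};".encode() for d, f in imports) + code
    return {"md5": hashlib.md5(body).hexdigest(), "imphash": imphash(imports)}


def same_family_candidate(a, b):
    """Different files (MD5 differs) that share an import profile (imphash matches)."""
    return a["md5"] != b["md5"] and a["imphash"] == b["imphash"]


if __name__ == "__main__":
    v1, v2 = file_hashes(IMPORTS, CODE_V1), file_hashes(IMPORTS, CODE_V2)
    print("v1", v1)
    print("v2", v2)
    print("same family candidate:", same_family_candidate(v1, v2))
```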

Some researchers have made scripts (see VMwareCloak and VBoxCloak) that automate hiding the VM artefacts malware relies on for anti-VM detection.

Malware Families

  • Emotet: Technical details: Emotet is a banking trojan that is often distributed through malicious email attachments, typically in the form of Microsoft Word documents. Once installed, Emotet can steal sensitive information, such as banking credentials and email addresses, and it can also be used to download additional malware. MITRE reference: The MITRE ATT&CK framework includes a reference for Emotet, which can be found at https://attack.mitre.org/software/S0367/.

  • Trickbot: Technical details: Trickbot is a banking trojan that is often distributed through malicious email attachments and is known for its modular design, which allows attackers to add new functionality to the malware as needed. Trickbot has been used to deliver ransomware, exfiltrate data, and perform other types of malicious activity. MITRE reference: The MITRE ATT&CK framework includes a reference for Trickbot, which can be found at https://attack.mitre.org/software/S0383/.

  • QBot: Technical details: QBot is a banking trojan that is often distributed through malicious email attachments and is known for its ability to steal banking credentials and other sensitive information. QBot is also capable of downloading and executing additional malware and can be used to create backdoors on infected systems. MITRE reference: The MITRE ATT&CK framework includes a reference for QBot, which can be found at https://attack.mitre.org/software/S0385/.

  • Dridex: Technical details: Dridex is a banking trojan that is often distributed through malicious email attachments and is known for its ability to steal banking credentials and other sensitive information. Dridex has been active since 2014 and has been one of the most prevalent banking trojans in recent years. MITRE reference: The MITRE ATT&CK framework includes a reference for Dridex, which can be found at https://attack.mitre.org/software/S0384/.

  • Locky: Technical details: Locky is a ransomware family that is often spread through malicious email attachments, typically in the form of Microsoft Word documents. Once installed, Locky encrypts the victim's files and demands a ransom payment in exchange for the decryption key. MITRE reference: The MITRE ATT&CK framework includes a reference for Locky, which can be found at https://attack.mitre.org/software/S0369/.

  • Zeus: Technical details: Zeus is a banking trojan that has been active since 2007 and is often distributed through malicious email attachments. Zeus is known for its ability to steal banking credentials and other sensitive information and has been used in numerous high-profile attacks over the years. MITRE reference: The MITRE ATT&CK framework includes a reference for Zeus, which can be found at https://attack.mitre.org/software/S0382/.

  • Petya: Technical details: Petya is a ransomware family that is often spread through malicious email attachments and has been active since 2016. Petya is known for its ability to encrypt the victim's entire hard drive, making it much more difficult to recover from than other types of ransomware. MITRE reference: The MITRE ATT&CK framework includes a reference for Petya, which can be found at https://attack.mitre.org/software/S0367/.
