Security Analyst Notes: Things to remember 2024

Over the last two years, I’ve been taking notes along the way on all different topics that have been focused on defensive security. Recently I decided to clean up and compile the mountain of .txt files that I have, so they are both easier to reference and so I can share them with people looking to foster a career as a security analyst like me.  

I plan to add more to this list in the future as I continue to aggregate the information that I’ve recorded, and if anyone out there has anything that they believe I should add to this list, I’d greatly appreciate your input and/or feedback.

Alerts

  1. Choose the most critical alert. 
  2. Long tail analysis: unique and least frequent alerts.
  3. What is the progress of the attack?
  4. Has there been data destruction/exfiltration?

Adversary tempo – many adversaries will execute commands and then wait a period of time (>= 30 – 60 mins) before executing commands again.

Phishing

SMTP header analysis-

What time was the email sent? Check the geolocation of the originating IP if possible.

  • Compare “Reply-To” and “Return-Path” with the “From” address; a reply or bounce domain that differs from the visible sender is a common phishing tell.
  • Investigate the “Received” chain (each MTA prepends its own header, so the bottom entry is the originating hop) and analyze it against a solution like:

https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx

  • Use a URL extractor to pull all the links from the body of the email for further investigation.

https://www.browserling.com/tools/extract-urls

  • Verify the reputation, age, etc. of the URLs/IPs within the body and header of the email.
  1. https://urlscan.io/
  2. https://www.virustotal.com/gui/home/url
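The header checks above, as an added Python example that is not part of the original notes: it parses a constructed sample message with the standard library, reports whether Reply-To and Return-Path match the From domain, walks the Received chain bottom-up to the originating IP, and pulls every URL out of the body, flagging those outside the sender’s domain. The message, hostnames and IPs are invented for the example (documentation ranges, not a real phish).

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample message (hosts and IPs are documentation ranges, not a real phish).
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer-example.test>
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
\tby mail.corp.example with ESMTPS; Tue, 05 Mar 2024 09:14:22 -0500
Received: from outbound.mailer-example.test (unknown [198.51.100.25])
\tby mx.corp.example with ESMTP; Tue, 05 Mar 2024 09:14:20 -0500
Received: from [192.0.2.77] (helo=WIN-USER)
\tby outbound.mailer-example.test with esmtpa; Tue, 05 Mar 2024 09:14:18 -0500
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: helpdesk-reset@mailer-example.test
To: alice@corp.example
Subject: Password expiry notice
Date: Tue, 05 Mar 2024 09:14:18 -0500
Content-Type: text/plain; charset=utf-8

Your password expires today. Reset it here: http://corp-example.login-reset.test/auth?u=alice
or visit https://www.corp.example/help for more information.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL = re.compile(r"https?://[^\s<>\"']+")


def _domain(header_value):
    """Domain part of an RFC 5322 address header ('' when the header is absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _same_org(host, sender_domain):
    """True when the URL host is the sender's domain or a subdomain of it."""
    return bool(sender_domain) and (host == sender_domain or host.endswith("." + sender_domain))


def analyze_email(raw):
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    return_dom = _domain(msg.get("Return-Path"))

    # Each MTA prepends its own Received header, so the top entry is the last hop
    # and the bottom entry is the originating client.
    hops = []
    for hop in msg.get_all("Received", []):
        m = IPV4.search(hop)
        hops.append(m.group(1) if m else None)

    body = msg.get_payload(decode=True)
    text = body.decode(msg.get_content_charset() or "utf-8", "replace") if body else ""
    urls = URL.findall(text)
    outside = [u for u in urls if not _same_org((urlsplit(u).hostname or "").lower(), from_dom)]

    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc) if msg["Date"] else None
    return {
        "sent_utc": sent.isoformat() if sent else None,
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "return_path_domain": return_dom,
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "return_path_mismatch": bool(return_dom) and return_dom != from_dom,
        "hops": hops,                          # newest hop first, originating client last
        "origin_ip": hops[-1] if hops else None,
        "urls": urls,
        "urls_outside_sender_domain": outside,  # candidates for urlscan/VirusTotal
    }


if __name__ == "__main__":
    for k, v in analyze_email(SAMPLE_EMAIL).items():
        print(f"{k}: {v}")
```

Feed the origin IP and the flagged URLs to the reputation tools listed above; the sent time is normalised to UTC so it can be compared with the user’s working hours and the IP geolocation.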

Attachments-

  • Analyze any possible malicious attachments in a sandbox environment or against databases like:
  1. https://www.virustotal.com/gui/home/
  2. https://any.run/
  3. https://www.hybrid-analysis.com/

Compromised-

  • If a user opened or replied to a phishing email you’ll want to purge the email from all existing mailboxes, e.g.:

Inform staff first > MS Exchange Online > Search sender/subject > Delete all instances of this email

  • If an account was compromised, you’ll want to employ credential eviction:

Lock/disable account > reset password > revoke active sessions/refresh tokens > remove attacker-added inbox rules, forwarding and MFA devices > inform account owner > continuously monitor account

Compose Phishing Rules-

  • Filter malicious: IP, email address/domain, subject/body of email, extracted URLs or attachments.

Stop Spam-

  • SPF (with DKIM and DMARC where the sending domain publishes them).
  • Utilize greylisting or tarpitting. With greylisting your mail transfer agent (MTA) answers the first delivery attempt from an unknown (client IP, sender, recipient) triplet with a temporary 4xx reject; a legitimate MTA retries after a few minutes, and once a retry arrives inside the configured window the triplet is accepted and remembered. Most spam bots never retry. Tarpitting instead deliberately slows the SMTP conversation (delaying responses, especially after bad recipients) to throttle bulk senders.
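Greylisting as described above, as an added Python example (not from the original notes or any MTA’s code). The class tracks the (client IP, envelope sender, envelope recipient) triplet and returns the SMTP code the MTA should answer with; the timings and the tarpit_delay back-off are assumptions chosen for the example, not a vendor’s defaults.

```python
import time


class Greylist:
    """Greylisting decision for one MTA, keyed on the (client IP, sender, recipient) triplet.

    First sight of a triplet  -> temporary reject (451) and record the time.
    Retry after min_delay but within max_window -> accept and whitelist the triplet.
    Retry too early           -> reject again (bots that hammer immediately gain nothing).
    Retry after max_window    -> treated as a fresh first sight.
    """

    def __init__(self, min_delay=300, max_window=4 * 3600, whitelist_ttl=36 * 24 * 3600, clock=time.time):
        self.min_delay, self.max_window, self.whitelist_ttl, self.clock = min_delay, max_window, whitelist_ttl, clock
        self.pending = {}    # triplet -> time first seen
        self.whitelist = {}  # triplet -> expiry time

    def check(self, client_ip, sender, recipient, now=None):
        """Return (smtp_code, reason); 250 means deliver, 451 means ask the client to retry."""
        now = self.clock() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        if self.whitelist.get(key, 0) > now:
            return 250, "triplet whitelisted"
        first = self.pending.get(key)
        if first is None or now - first > self.max_window:
            self.pending[key] = now
            return 451, "4.7.1 greylisted, please retry later"
        if now - first < self.min_delay:
            return 451, "4.7.1 greylisted, retry too early"
        del self.pending[key]
        self.whitelist[key] = now + self.whitelist_ttl
        return 250, "retry arrived inside the greylist window"

    def expire(self, now=None):
        """Drop stale pending triplets and expired whitelist entries (run periodically)."""
        now = self.clock() if now is None else now
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.max_window}
        self.whitelist = {k: e for k, e in self.whitelist.items() if e > now}


def tarpit_delay(bad_recipients, base=1.0, cap=30.0):
    """Seconds to stall the SMTP response after `bad_recipients` unknown RCPT TO attempts
    in one session: doubles per bad recipient, capped so a legitimate typo is not punished."""
    return 0.0 if bad_recipients == 0 else min(cap, base * 2 ** (bad_recipients - 1))


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_709_650_000
    for offset in (0, 30, 420, 900):   # first attempt, too-early retry, valid retry, whitelisted
        print(offset, g.check("198.51.100.5", "news@sender.test", "alice@corp.example", now=t0 + offset))
```

The whitelist TTL keeps an established sender from being delayed again for weeks; the pending map should be expired periodically so a never-retried bot flood cannot grow it without bound.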

OS Analysis

Windows:

Command and Scripting Interpreter Used by Adversaries:

  • Windows CMD
  • PowerShell
  • JavaScript   *e.g. fake browser update lures: Chrome.Update.0a05c8.zip\Chrome.Update.09246f6.js
  • AutoIt   *e.g. c:\users\dewrz\appdata\local\temp\ipx001.tmp\deutsche.exe.pif

MS IR Playbooks:

Is something bogging down the system? CPU/RAM spikes? A spike in traffic leaving the endpoint? Look for strange behavior such as suspicious child processes (e.g. an Office application spawning cmd.exe or PowerShell), calls out to unfamiliar IPs/domains, or odd network connections.

  • Procmon
  • Process Hacker (now maintained as System Informer)
  • Sysmon
  • EDR

Get a file hash:

  • Cmd-                   certutil -hashfile <filename> SHA256   (MD5 and SHA1 are also accepted; SHA256 is the hash most sandboxes and reputation services key on)
  • PowerShell-       Get-FileHash <filename>   (defaults to SHA256; add -Algorithm MD5 if a vendor only publishes MD5)

Monitor persistence by checking:

  • Use Autoruns
  • Recently installed services-   

Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} | Format-List

  • Registry run keys-
  1.  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • scheduled tasks-

  schtasks /query /fo list /v

  • Check network connections (-o adds the owning PID so it can be matched to a process, -n skips name resolution)-

  netstat -ano

  • Check the start-up folder:
  1. C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
  2. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
  • Check *.exe or *.bat added to a system within the last 14 days (CreationTime can be timestomped, so compare LastWriteTime as well):

  Get-ChildItem -Path "C:\" -File -Recurse -Include "*.exe", "*.bat" -ErrorAction SilentlyContinue | Where-Object {$_.CreationTime -ge (Get-Date).AddDays(-14)}

Log Analysis:

  • Webserver logs:   C:\inetpub\logs\LogFiles\W3SVC1
  • Example from CMD-

 wevtutil qe Security /q:"*[System[EventID=4624]]" /c:10 /rd:true /f:text

*This will display the 10 most recent successful logons from the Security log (/rd:true reads newest first; without it wevtutil returns the 10 oldest matches).

  • Example from PowerShell-

  Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4648' -Oldest -MaxEvents 1

*This will show the oldest event where a logon was attempted using explicit credentials from the Security log.

Sysmon Event IDs:

1 – Process Creation

2 – Process Changed A File Creation Time

3 – Network Connections

4 – Sysmon Service State Changed

5 – Process Terminated

6 – Driver Loaded

7 – Image Loaded

8 – CreateRemoteThread

9 – RawAccessRead

10 – ProcessAccess

11 – File Creation Events

12, 13, 14 – Registry Events (key create/delete, value set, key/value rename)

15 – FileCreateStreamHash

16 – Sysmon Config Change

17, 18 – Pipe Events

19, 20, 21 – WMI Events

22 – DNS Events

23 – FileDelete

24 – Clipboard Changes

25 – Process Tampering

26 – File Deletion Detected

Windows Event IDs:

Account Management-

4720 – A user account was created.

4722 – A user account was enabled.

4724 – An attempt was made to reset an account's password.

4728, 4732, 4756 – A member was added to a security-enabled global / local / universal group.

Authentication-

4776 – The domain controller attempted to validate the credentials for an account (NTLM authentication).

4771 – Kerberos pre-authentication failed. Logged on domain controllers only, and only failure instances are logged (a wrong domain password shows up here rather than as a 4625).

4768 – A Kerberos authentication ticket (TGT) was requested. Logged on domain controllers only; both success and failure instances are logged.

4769 – A Kerberos service ticket was requested. Windows uses this event ID for both successful and failed service ticket requests (a burst of these for many different SPNs from one account is a Kerberoasting indicator).

Event Log Tampering-

1102 – Whenever Windows Security audit log is cleared, event ID 1102 is logged.

104 – This event is logged when the log file was cleared.

Network-

5140 – A network share object was accessed

5145 – Network share object was checked to see whether client can be granted desired access.

Scheduled Task-

4698 – A scheduled task was created.

4702 – A scheduled task was updated.

Services-

4697 – A service was installed on the system.

7045 – Created when new services are created on the local Windows machine.

7034 – The service terminated unexpectedly.

7036 – A service entered the running or stopped state (e.g. “The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state” or “The Print Spooler service entered the running state”).

7040 – The start type of a service was changed (e.g. “The start type of the IPSEC Services service was changed from disabled to auto start”).

Sessions-

4624 – An account was successfully logged on.

4625 – An account failed to log on.

4634, 4647 – An account was logged off / User initiated logoff.

4648 – A logon was attempted using explicit credentials.

4672 – Special privileges assigned to new logon.
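The event IDs above put to work, as an added Python example that is not part of the original notes: it parses events in the XML shape `wevtutil qe <log> /f:xml` emits and applies four of the checks from the Windows sections, a cleared Security log (1102), a new service (7045) whose binary lives outside the Windows/Program Files trees, a burst of 4625 failures from one source, and a 4624 joined to its 4672 by logon ID. The sample events and the trusted-path baseline are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "http://schemas.microsoft.com/win/2004/08/events/event"
Q = {"e": NS}
# Hypothetical baseline: service binaries outside these trees get a second look.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _xml(event_id, when, provider, fields, section="EventData"):
    """Build one <Event> in the shape `wevtutil qe <log> /f:xml` emits (constructed test data)."""
    if section == "EventData":
        inner = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in fields.items())
    else:  # 1102 carries its fields under UserData/LogFileCleared as plain elements
        inner = "<LogFileCleared>" + "".join(f"<{k}>{v}</{k}>" for k, v in fields.items()) + "</LogFileCleared>"
    return (f"<Event xmlns='{NS}'><System><Provider Name='{provider}'/><EventID>{event_id}</EventID>"
            f"<TimeCreated SystemTime='{when}'/><Computer>WS01.corp.example</Computer></System>"
            f"<{section}>{inner}</{section}></Event>")


SEC, SCM = "Microsoft-Windows-Security-Auditing", "Service Control Manager"
SAMPLE_XML = [
    _xml(4625, f"2024-03-05T14:01:0{i}Z", SEC,
         {"TargetUserName": "administrator", "IpAddress": "198.51.100.7", "LogonType": "3"})
    for i in range(6)
] + [
    _xml(4624, "2024-03-05T14:02:11Z", SEC,
         {"TargetUserName": "svc_backup", "TargetLogonId": "0x3e7a1", "LogonType": "10", "IpAddress": "198.51.100.7"}),
    _xml(4672, "2024-03-05T14:02:12Z", SEC, {"SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a1"}),
    _xml(7045, "2024-03-05T14:03:40Z", SCM,
         {"ServiceName": "VendorAgent", "ImagePath": '"C:\\Program Files\\Vendor\\agent.exe"',
          "StartType": "auto start", "AccountName": "LocalSystem"}),
    _xml(7045, "2024-03-05T14:05:00Z", SCM,
         {"ServiceName": "WinUpdateSvc", "ImagePath": "C:\\Users\\Public\\update.exe",
          "StartType": "auto start", "AccountName": "LocalSystem"}),
    _xml(1102, "2024-03-05T14:09:30Z", "Microsoft-Windows-Eventlog",
         {"SubjectUserName": "svc_backup", "SubjectDomainName": "CORP"}, section="UserData"),
]


def parse_event(xml_text):
    """Flatten one <Event> into id/time/provider plus a name->value dict of its data fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", Q)
    fields = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", Q)}
    user_data = root.find("e:UserData", Q)          # 1102-style payload: element names, not Name attrs
    if user_data is not None:
        for node in user_data.iter():
            if node.text and node.text.strip():
                fields[node.tag.rsplit("}", 1)[-1]] = node.text
    return {
        "id": int(system.find("e:EventID", Q).text),
        "time": system.find("e:TimeCreated", Q).get("SystemTime"),
        "provider": system.find("e:Provider", Q).get("Name"),
        "computer": system.findtext("e:Computer", namespaces=Q),
        "fields": fields,
    }


def triage(events, failed_logon_threshold=5):
    """Return (kind, subject, detail) findings for the checks the notes above describe."""
    findings, failures, logons = [], Counter(), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, f = ev["id"], ev["fields"]
        if eid in (1102, 104):
            findings.append(("log_cleared", f.get("SubjectUserName", "?"), ev["time"]))
        elif eid == 7045:
            path = f.get("ImagePath", "").strip('"').lower()
            if not path.startswith(TRUSTED_SERVICE_DIRS):
                findings.append(("service_unusual_path", f.get("ServiceName"), f.get("ImagePath")))
        elif eid == 4625:
            failures[(f.get("IpAddress"), f.get("TargetUserName"))] += 1
        elif eid == 4624:
            logons[f.get("TargetLogonId")] = (f.get("TargetUserName"), f.get("LogonType"), f.get("IpAddress"))
        elif eid == 4672:  # special privileges assigned; join to the 4624 with the same logon ID
            user, logon_type, ip = logons.pop(f.get("SubjectLogonId"), (None, None, None))
            if user and logon_type in ("3", "10"):  # network or RDP logon that received admin-level privileges
                findings.append(("remote_privileged_logon", user, f"logon type {logon_type} from {ip}"))
    for (ip, user), n in failures.items():
        if n >= failed_logon_threshold:
            findings.append(("password_guessing", ip, f"{n} failed logons for {user}"))
    return findings


if __name__ == "__main__":
    for finding in triage([parse_event(x) for x in SAMPLE_XML]):
        print(finding)
```

On a real host, export with `wevtutil qe Security /f:xml` (and the same for System) and feed each `<Event>` to parse_event; the 4624/4672 join only works when both events come from the same machine, since logon IDs are local to it.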

Linux:

Users and Group Modification-

Has there been a new user added? Group modified? Password changed?

  • Quickly check users:   
  1. cat /etc/passwd
  2. cat /etc/group
  • User added?       

grep useradd /var/log/auth.log   (Debian/Ubuntu path; RHEL-family systems write the same messages to /var/log/secure, or use journalctl _COMM=useradd)

  • Password changed?     

grep passwd /var/log/auth.log

  • Group changes?    
  1. grep groupadd /var/log/auth.log
  2.   grep usermod /var/log/auth.log
  • Check brute force or failed password attempts:    

grep "Failed password" /var/log/auth.log

  • Check login history:      

last

  • Check who has sudo permissions (include the drop-in directory and the admin groups the rules reference): 

cat /etc/sudoers /etc/sudoers.d/* ; getent group sudo wheel
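The user, group and login checks above run over a constructed auth.log excerpt, as an added Python example that is not part of the original notes. The log lines mimic the useradd, usermod, passwd, sshd and sudo message formats; the host, IPs and account names are invented, and the privileged-group list is an assumption for the example.

```python
import re
from collections import Counter

# Constructed Debian/Ubuntu-style /var/log/auth.log excerpt (RHEL-family hosts log the same
# messages to /var/log/secure); hostnames, IPs and users are documentation values.
SAMPLE_AUTH_LOG = """\
Mar  5 09:12:01 web01 useradd[2214]: new user: name=backup2, UID=1003, GID=1003, home=/home/backup2, shell=/bin/bash
Mar  5 09:12:01 web01 useradd[2214]: new group: name=backup2, GID=1003
Mar  5 09:12:20 web01 usermod[2231]: add 'backup2' to group 'sudo'
Mar  5 09:12:20 web01 usermod[2231]: add 'backup2' to shadow group 'sudo'
Mar  5 09:12:45 web01 passwd[2240]: pam_unix(passwd:chauthtok): password changed for backup2
Mar  5 09:13:02 web01 sshd[2255]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  5 09:13:04 web01 sshd[2255]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  5 09:13:06 web01 sshd[2257]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  5 09:13:08 web01 sshd[2257]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  5 09:13:10 web01 sshd[2259]: Failed password for root from 198.51.100.7 port 51044 ssh2
Mar  5 09:13:30 web01 sshd[2261]: Accepted publickey for backup2 from 198.51.100.7 port 51100 ssh2: RSA SHA256:0Z6mK7c
Mar  5 09:13:41 web01 sudo:  backup2 : TTY=pts/0 ; PWD=/home/backup2 ; USER=root ; COMMAND=/bin/bash
Mar  5 09:14:00 web01 groupadd[2290]: new group: name=devops, GID=1004
Mar  5 09:20:12 web01 sshd[2301]: Accepted password for alice from 203.0.113.22 port 40012 ssh2
"""

# syslog prefix: timestamp, host, process[pid]: message
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w.-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")

PATTERNS = [  # first match wins
    ("user_added", re.compile(r"^new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")),
    ("group_added", re.compile(r"^new group: name=(?P<group>[^,]+), GID=(?P<gid>\d+)")),
    ("group_member_added", re.compile(r"^add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")),
    ("password_changed", re.compile(r"password changed for (?P<user>\S+)$")),
    ("failed_password", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")),
    ("accepted_login", re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")),
    ("sudo", re.compile(r"^(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")),
]
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root", "adm", "docker"}  # assumption for the example


def parse_auth_log(text):
    """Turn raw auth.log lines into a list of typed event dicts; unknown lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        for kind, pat in PATTERNS:
            pm = pat.search(m["msg"])
            if pm:
                events.append({"kind": kind, "ts": m["ts"], "host": m["host"], "proc": m["proc"], **pm.groupdict()})
                break
    return events


def triage(events, failed_threshold=5):
    """(kind, subject, detail) findings: account changes, privileged group joins, password guessing,
    a successful login from a source that was failing just before, and a brand-new user going to root."""
    findings, failures_by_ip, new_users = [], Counter(), set()
    for e in events:
        k = e["kind"]
        if k == "user_added":
            new_users.add(e["user"])
            findings.append(("new_user", e["user"], e["ts"]))
        elif k == "group_added":
            findings.append(("new_group", e["group"], e["ts"]))
        elif k == "group_member_added" and e["group"] in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_membership", e["user"], e["group"]))
        elif k == "password_changed":
            findings.append(("password_changed", e["user"], e["ts"]))
        elif k == "failed_password":
            failures_by_ip[e["ip"]] += 1
        elif k == "accepted_login" and failures_by_ip[e["ip"]] > 0:
            findings.append(("login_after_failures", e["user"],
                             f"{e['method']} from {e['ip']} after {failures_by_ip[e['ip']]} failures"))
        elif k == "sudo" and e["target"] == "root" and e["user"] in new_users:
            findings.append(("new_user_sudo_to_root", e["user"], e["cmd"]))
    for ip, n in failures_by_ip.items():
        if n >= failed_threshold:
            findings.append(("password_guessing", ip, f"{n} failed passwords"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(finding)
```

Run it as `python3 triage.py < /var/log/auth.log` style input (or `journalctl -o short` output, which uses the same prefix) and the ordering of the events is what links the new account, its sudo membership and the first root shell into one story.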

Mounts-       

  • Check mounts:      
  1. dmesg | grep mount
  2. cat /proc/mounts
  3. findmnt

Persistence-

  • Open Connection:
  1. lsof -i -P -n
  2. netstat -a   (or ss -tulpn to list listeners with their owning process)
  • Check cron jobs (system-wide):       

cat /etc/crontab /etc/cron.d/*   (also look in /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly)

  • Check cron jobs by user:     

cat /var/spool/cron/crontabs/*   (Debian/Ubuntu; /var/spool/cron/* on RHEL-family systems)

  • Check cron history:       
  1. cat /var/log/syslog | grep cron
  2. journalctl -u cron
  • Check bashrc and profile (per user and system-wide):     
  1. cat ~/.bashrc /etc/bash.bashrc
  2. cat ~/.bash_profile ~/.profile /etc/profile /etc/profile.d/*
  • Hunting suspicious processes and network connections:  
  • netstat -nlap
  • pstree
  • lsof -p <pid>
  • htop
  • Check the authorized ssh keys:     

find / -name "authorized_keys"

  • Check for suspicious services:        
  1. service --status-all
  2. service <name> status
  3. systemctl list-unit-files --type=service --state=enabled
  4. cat /lib/systemd/system/cron.service
  5. stat /lib/systemd/system/cron.service

Files-

  • Check the /tmp directory.
  • Search for all the files of a user in the /tmp dir:    

find /tmp -user <username>

  • Found a suspicious file?
  1. file <filename>
  2. stat <filename>
  3. strings <filename>
  • Search for files with suspicious extensions:  
  1. find / -type f -name "*.<extension>"
  2. find / -type f \( -name "*.sh" -o -name "*.php" -o -name "*.php7" -o -name "*.elf" -o -name "*.js" \)
  • Search for file modification time:

find / -name 'cat.jpg' -newermt "2023-02-15 00:00:00" ! -newermt "2023-02-15 23:59:00"

Search for Web Shells-

  • Search for files that call the system function:      
  1. grep -Rn "system *(" /var/www
  2. grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval) *\(" /var/www

Network:

DHCP-

Rogue devices can be discovered by searching for hostnames that do not adhere to the naming conventions of the organization or searching for MAC OUIs that are different from the company’s corporate hardware.

https://ouilookup.com/

ICMP-

ICMP can be used for data exfiltration: a single echo packet can carry up to 65,507 bytes of payload (65,535 minus the 20-byte IP and 8-byte ICMP headers), while normal pings carry a few dozen bytes, so oversized or high-entropy payloads stand out.

  • Identify the process related to the ICMP traffic using solutions such as listdlls.exe and Process Hacker.
  • IDS/IPS
  • Zeek

DNS-

Is the DNS request malicious? Is it querying a suspicious TLD or a free/dynamic-DNS domain?

Is there an unusually high number of requests from one source IP?

Check the age and reputation of the domain:

How long is the domain name? Is there high entropy (random-looking characters) in the labels? Is the full name > 72 characters?

*Many CDNs have very long sub/domains, so treat length and entropy alone as weak signals.

C2 Communication / Data Exfiltration-

DNS Tunneling-

Utilize software solutions like AC-Hunter to monitor spikes in DNS queries for a single domain (or to a single resolver) and other beaconing.

Check CNAME and TXT records for nonsense, random, and long subdomains.
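The DNS heuristics above (name length, label entropy, free/dynamic-DNS suffixes, the CDN caveat) together with a tunneling check, as an added Python example that is not part of the original notes or of AC-Hunter: assess_name scores a single query name, and detect_tunneling groups a query log by source and registrable domain and flags pairs with many unique, long or random-looking subdomains. The suffix lists, thresholds and the query log are constructed for the example; the registrable-domain split is a naive last-two-labels rule, not the Public Suffix List.

```python
import hashlib
import math
from collections import defaultdict

# Constructed lists standing in for a real threat feed / CDN inventory.
FREE_OR_DYNAMIC = {"duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "tk", "ml", "ga", "cf", "gq"}
CDN_SUFFIXES = {"cloudfront.net", "akamaiedge.net", "azureedge.net", "cloudflare.net"}


def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registrable(qname):
    """Last two labels (naive; a real tool should use the Public Suffix List)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def assess_name(qname, max_len=72, entropy_threshold=3.5):
    """Per-name flags matching the questions in the notes above."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    longest = max(labels, key=len)
    base = registrable(name)
    return {
        "name": name,
        "too_long": len(name) > max_len,
        "free_or_dynamic": base in FREE_OR_DYNAMIC or labels[-1] in FREE_OR_DYNAMIC,
        "high_entropy_label": shannon_entropy(longest) >= entropy_threshold,
        "cdn": base in CDN_SUFFIXES,   # long random subdomains are normal here
    }


def detect_tunneling(queries, min_unique=50, long_label=30, entropy_threshold=3.5):
    """queries: iterable of (src_ip, qname, qtype). Flags (src, domain) pairs whose query
    pattern looks like data encoded into subdomains: many unique names under one domain
    whose first label is long or high-entropy. TXT/CNAME/NULL lookups are counted as a feature."""
    groups = defaultdict(lambda: {"subdomains": set(), "label_len": [], "entropy": [], "txt_cname": 0})
    for src, qname, qtype in queries:
        name = qname.rstrip(".").lower()
        base = registrable(name)
        g = groups[(src, base)]
        sub = name[: -len(base)].rstrip(".")
        first = sub.split(".")[0] if sub else ""
        g["subdomains"].add(sub)
        g["label_len"].append(len(first))
        g["entropy"].append(shannon_entropy(first))
        g["txt_cname"] += qtype.upper() in ("TXT", "CNAME", "NULL")
    flagged = []
    for (src, base), g in groups.items():
        n = len(g["subdomains"])
        avg_len = sum(g["label_len"]) / len(g["label_len"])
        avg_ent = sum(g["entropy"]) / len(g["entropy"])
        if base not in CDN_SUFFIXES and n >= min_unique and (avg_len >= long_label or avg_ent >= entropy_threshold):
            flagged.append({"src": src, "domain": base, "unique_subdomains": n, "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2), "txt_cname_queries": g["txt_cname"]})
    return flagged


def build_sample_queries():
    """Constructed query log: normal browsing plus 60 hex-encoded chunks sent as TXT lookups."""
    q = [("10.0.0.15", "www.corp.example", "A")] * 40
    q += [("10.0.0.15", f"d{i}abc.cloudfront.net", "A") for i in range(10)]
    q += [("10.0.0.23", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48] + ".t.exfil-example.test", "TXT")
          for i in range(60)]
    return q


if __name__ == "__main__":
    for hit in detect_tunneling(build_sample_queries()):
        print(hit)
    print(assess_name("update.duckdns.org"))
```

On real data, feed it Zeek dns.log (id.orig_h, query, qtype_name) or resolver query logs; the CDN allowlist is what keeps the long, random but legitimate names the notes warn about out of the results.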
