Incident handling
  Aim: know the attackers' tactics, techniques, and procedures (TTPs).
  Preparation: covers the readiness of an organization against an attack.
  Detection and Analysis: covers everything related to detecting an incident and analysing it; this phase also covers hunting for unknown threats within the organization.
  Containment, Eradication, and Recovery: actions needed to stop the incident from spreading and to secure the network
    - steps taken to stop an attack from spreading through the network
    - isolating the infected host
    - clearing the network of infection traces
    - regaining control from the attacker
  Post-Incident Activity / Lessons Learnt
    - identifying the loopholes in the organization's security posture
    - improving so that the attack does not happen next time
    - identifying the weaknesses that led to the attack
    - adding detection rules so that a similar breach does not happen again
    - training the staff if required
Cyber Kill Chain
  Map the attacker's activity to each phase during this investigation [ https://static1.squarespace.com/static/5b636d897c932781e8002af9/t/6018dc12e670955289be56d6/1612241938544/Cyber+Kill+Chain+Report+for+APT+Group+PoisonIvy.pdf ]
    1. Reconnaissance
    2. Weaponization
    3. Delivery
    4. Exploitation
    5. Installation
    6. Command & Control
    7. Actions on Objectives
Log sources giving visibility into both network-centric and host-centric activities
  Splunk [ index=botsv1 ]: click on the Data summary and navigate the available tabs to get the information
    wineventlog: Windows Event logs
    winRegistry: logs related to registry key creation / modification / deletion etc.
    XmlWinEventLog: Sysmon event logs; a very important log source from an investigation point of view
    fortigate_utm: Fortinet firewall logs
    iis: IIS web server logs
    Nessus:scan: results from the Nessus vulnerability scanner
    suricata: details of the alerts from the Suricata IDS; this log source shows which alert was triggered and what caused it to trigger, a very important log source for the investigation
    stream:http: network flow related to HTTP traffic
    stream:dns: network flow related to DNS traffic
    stream:icmp: network flow related to ICMP traffic
Exploitation: the attacker needs to exploit a vulnerability to gain access to the system/server.
  In the reconnaissance phase we found two IP addresses sending requests to our server.
  One of the IPs, 40.80.148.42, was seen attempting to scan the server with IP 192.168.250.70. The attacker was using the web scanner Acunetix for the scanning attempt.
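The pivot behind the finding above (group HTTP requests by source, then look at user agents and how many distinct paths each source walks) is shown here as an added example; it is not part of these notes, the BOTSv1 dataset, or Splunk. The events are constructed in-line to mirror stream:http records; the field names (src_ip, dest_ip, http_user_agent, uri, status) are assumed, and only 40.80.148.42 and 192.168.250.70 come from the notes.

```python
from collections import defaultdict

# Constructed sample events shaped like Splunk stream:http records
# (field names src_ip, dest_ip, http_user_agent, uri, status are assumed
# to mirror Splunk Stream's HTTP fields). 40.80.148.42 and 192.168.250.70
# are the addresses named in the notes; the other addresses and every
# user agent string are made up for this example.
SAMPLE_HTTP_EVENTS = [
    # scanner: the tool names itself in the user agent and walks many paths
    *[{"src_ip": "40.80.148.42", "dest_ip": "192.168.250.70",
       "http_user_agent": "Mozilla/5.0 (compatible; Acunetix WVS)",
       "uri": uri, "status": 404}
      for uri in ("/", "/joomla/", "/admin/", "/backup.zip", "/.git/", "/wp-login.php")],
    # quiet probe: ordinary browser user agent but touches five distinct paths
    *[{"src_ip": "203.0.113.9", "dest_ip": "192.168.250.70",
       "http_user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/88.0",
       "uri": uri, "status": 200}
      for uri in ("/", "/about", "/contact", "/login", "/search")],
    # normal visitor: two requests to the same page
    {"src_ip": "198.51.100.23", "dest_ip": "192.168.250.70",
     "http_user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/90.0",
     "uri": "/", "status": 200},
    {"src_ip": "198.51.100.23", "dest_ip": "192.168.250.70",
     "http_user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/90.0",
     "uri": "/", "status": 200},
]

# Substrings that well-known web scanners put in their User-Agent header.
SCANNER_UA_MARKERS = ("acunetix", "nikto", "sqlmap")


def summarize_sources(events):
    """Group HTTP events by source IP: request count, distinct URIs,
    user agents and destination hosts (the 'stats ... by src_ip' pivot)."""
    per_src = defaultdict(lambda: {"requests": 0, "uris": set(),
                                   "user_agents": set(), "dest_ips": set()})
    for ev in events:
        s = per_src[ev["src_ip"]]
        s["requests"] += 1
        s["uris"].add(ev.get("uri", ""))
        s["user_agents"].add(ev.get("http_user_agent", ""))
        s["dest_ips"].add(ev["dest_ip"])
    return dict(per_src)


def flag_scanners(events, min_distinct_uris=5):
    """Return sources that look like scanners, with the reason for each.
    Two independent signals: a scanner marker in the user agent, or a
    source touching many distinct paths (breadth), which still catches
    tools that spoof a browser user agent."""
    flagged = {}
    for src, s in summarize_sources(events).items():
        ua_hit = any(m in ua.lower() for ua in s["user_agents"]
                     for m in SCANNER_UA_MARKERS)
        breadth_hit = len(s["uris"]) >= min_distinct_uris
        if ua_hit or breadth_hit:
            flagged[src] = {
                "requests": s["requests"],
                "distinct_uris": len(s["uris"]),
                "scanner_user_agent": ua_hit,
                "targets": sorted(s["dest_ips"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_scanners(SAMPLE_HTTP_EVENTS).items():
        print(src, info)
```

The breadth threshold is the part worth tuning: the user-agent match is cheap but trivially spoofed, so a source that hits many distinct URIs in a short window should be flagged even when its user agent looks like a browser. In Splunk the same pivot is a `stats count, dc(uri) by src_ip, http_user_agent` over the stream:http events.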
Installation: once the attacker has successfully exploited a system, he will try to install a backdoor or an application for persistence or to gain more control of the system.
  - The attacker uploaded the file to the server before defacing it.
  - The attacker used a Dynamic DNS domain that resolved to a malicious IP.
  Examine the network-centric log sources: use fortigate_utm to review the firewall logs.
  Objective: find the IP address the attacker's Dynamic DNS domain resolved to.
Weaponization
  - Create malware / a malicious document to gain initial access, evade detection, etc.
  - Establish domains similar to the target domain to trick users.
  - Create a Command and Control server for the post-exploitation communication/activity, etc.
  Found a domain, prankglassinebracket.jumpingcrab.com, associated with this attack.
  Objective: find the IP address tied to the domains that may potentially be pre-staged to attack Wayne Enterprise.
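Both objectives above (the IP the Dynamic DNS domain resolved to, and the IP tied to the pre-staged domain) are the same pivot: domain name, to the IPs it resolved to in the DNS logs, to the internal hosts the firewall saw contacting those IPs. This is an added example, not code from these notes, the BOTSv1 dataset, or Splunk. The DNS records are simplified stand-ins for stream:dns (the query/answers/src_ip field names are assumed); the firewall records use FortiGate's srcip/dstip/dstport/action names. Only the domain comes from the notes; every IP address and the second domain are constructed.

```python
from collections import defaultdict

# Constructed sample DNS events, simplified from what Splunk's stream:dns
# sourcetype exposes (field names query, answers and src_ip are assumed).
# The first domain is the one named in the notes; every IP address and
# the example.com entry are made up for this example.
SAMPLE_DNS_EVENTS = [
    {"src_ip": "192.168.250.70", "query": "prankglassinebracket.jumpingcrab.com",
     "answers": ["203.0.113.77"]},
    {"src_ip": "192.168.250.100", "query": "cdn.prankglassinebracket.jumpingcrab.com",
     "answers": ["203.0.113.77", "203.0.113.78"]},
    {"src_ip": "192.168.250.100", "query": "updates.example.com",
     "answers": ["198.51.100.5"]},
]

# Constructed firewall events using FortiGate's srcip/dstip/dstport/action
# field names, which is what the fortigate_utm sourcetype carries.
SAMPLE_FW_EVENTS = [
    {"srcip": "192.168.250.70", "dstip": "203.0.113.77", "dstport": 80, "action": "accept"},
    {"srcip": "192.168.250.70", "dstip": "203.0.113.77", "dstport": 443, "action": "accept"},
    {"srcip": "192.168.250.100", "dstip": "198.51.100.5", "dstport": 443, "action": "accept"},
    {"srcip": "192.168.250.55", "dstip": "203.0.113.78", "dstport": 8443, "action": "deny"},
]


def matches_domain(name, domain):
    """True for the domain itself or any subdomain of it (case-insensitive).
    Suffix matching on '.' + domain avoids false hits like notjumpingcrab.com."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def resolve_domain(dns_events, domain):
    """Map each matching query name to the set of IPs it resolved to."""
    resolved = defaultdict(set)
    for ev in dns_events:
        if matches_domain(ev["query"], domain):
            resolved[ev["query"]].update(ev["answers"])
    return dict(resolved)


def connections_to(fw_events, ips):
    """Firewall events whose destination is one of the given IPs."""
    return [ev for ev in fw_events if ev["dstip"] in ips]


def pivot_domain(dns_events, fw_events, domain):
    """Full pivot: domain -> resolved IPs -> internal hosts that reached them.
    Denied connections are counted too: a blocked attempt still tells you
    which host is trying to talk to the attacker's infrastructure."""
    per_name = resolve_domain(dns_events, domain)
    ips = set().union(*per_name.values()) if per_name else set()
    conns = connections_to(fw_events, ips)
    return {
        "domain": domain,
        "names_seen": sorted(per_name),
        "resolved_ips": sorted(ips),
        "hosts_contacting": sorted({c["srcip"] for c in conns}),
        "blocked_attempts": sum(1 for c in conns if c["action"] == "deny"),
    }


if __name__ == "__main__":
    print(pivot_domain(SAMPLE_DNS_EVENTS, SAMPLE_FW_EVENTS,
                       "prankglassinebracket.jumpingcrab.com"))
```

Matching subdomains matters for the pre-staged-domain question: an attacker staging several hostnames under one Dynamic DNS name shows up as extra names in names_seen, and any new IP they resolve to is added to resolved_ips without a second search. The hosts_contacting list is the containment input (which internal machines to isolate); blocked_attempts tells you which of them are still trying.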
General OSINT sites:
  - VirusTotal
  - ThreatMiner
  - Hybrid-Analysis