Security Analyst Notes: Things to Remember

Over the last two years during my training, I've been taking notes along the way on all different topics focused on defensive security. Recently I decided to clean up and compile the mountain of .txt files that I have, so they are both easier to reference and so I can share them with people looking to foster a career as a security analyst like me.


I plan to add more to this list in the future as I continue to aggregate the information that I've recorded, and if anyone out there has anything that they believe I should add to this list, I'd greatly appreciate your input and/or feedback.

___________________________________________________

Alerts

  1. Choose the most critical alert.
  2. Long tail analysis: unique and least frequent alerts.
  3. What is the progress of the attack?
  4. Has there been data destruction/exfiltration?


Adversary tempo - many adversaries will execute commands and then wait a period of time (>= 30 - 60 mins) before executing commands again.


Phishing

SMTP header analysis-

What time was the email sent? Check geolocation of IP if possible.


  • Assess "Reply-To" and "Return-Path".


  • Investigate "Received" section and analyze it against a solution like:

https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx

  • Use a URL extractor to pull all the links from the body of the email for further investigation.

https://www.browserling.com/tools/extract-urls


  • Verify the reputation, age, etc. of the URLs/IPs within the body and header of the email.

  1. https://urlscan.io/
  2. https://www.virustotal.com/gui/home/url
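The header checks above can be scripted. The following Python is an added example (it is not part of the original notes): it parses a constructed sample message, compares the From, Reply-To and Return-Path domains, lists the relay IPs from the Received chain in delivery order, and pulls the URLs out of the body, flagging links that use a bare IP or a host outside the sender's domain. Every address, IP and URL in it is made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phish); addresses and IPs are illustrative.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer-example.test>
Received: from relay.example.test (relay.example.test [203.0.113.10])
\tby mx.corp.test with ESMTP id abc123; Mon, 05 Jun 2023 09:14:02 -0400
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby relay.example.test with SMTP; Mon, 05 Jun 2023 09:13:55 -0400
From: "IT Helpdesk" <helpdesk@corp.test>
Reply-To: support@corp-helpdesk.example
To: user@corp.test
Subject: Password expires today
Date: Mon, 05 Jun 2023 09:13:50 -0400
Content-Type: text/plain; charset=utf-8

Your password expires today. Reset it at http://corp-helpdesk.example/reset
or https://198.51.100.7/login before 5pm.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def domain_of(header_value):
    """Domain part of the first address in a header value, lower-cased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def received_hops(msg):
    """Relay IPs in delivery order (origin first). Each hop prepends its own
    Received header, so the top one is the last hop before the mailbox."""
    hops = []
    for rcv in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(rcv)
        if m:
            hops.append(m.group(1))
    return hops


def extract_urls(body):
    return URL_RE.findall(body)


def triage(raw):
    """Return the header facts an analyst compares, plus a list of findings."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    rp_dom = domain_of(msg.get("Return-Path"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = extract_urls(body)
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    for u in urls:
        host = urlparse(u).hostname or ""
        if BARE_IP_RE.match(host):
            findings.append(f"URL uses a bare IP instead of a domain: {u}")
        elif host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"URL host {host} is not under the From domain: {u}")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "return_path_domain": rp_dom, "hops": received_hops(msg),
            "urls": urls, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL)
    print("hops (origin first):", " -> ".join(report["hops"]))
    for f in report["findings"]:
        print("-", f)
```

The hop list is what you would paste into a header analyser; the first entry is the IP to geolocate and reputation-check, and a mismatch between the From, Reply-To and Return-Path domains is the quickest sign that replies are being routed somewhere the display name does not suggest.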


Attachments-


  • Analyze any possible malicious attachments in a sandbox environment or against databases like:

  1. https://www.virustotal.com/gui/home/
  2. https://any.run/
  3. https://www.hybrid-analysis.com/


Compromised-


  • If a user opened or replied to a phishing email you'll want to purge the email from all existing mailboxes, i.e.:

Inform staff first > MS Exchange Online > Search sender/subject > Delete all instances of this email


  • If an account was compromised you'll want to employ credential eviction:

Lock/disable account > reset password > inform account owner > continuously monitor account


Compose Phishing Rules-


  • Filter malicious: IP, email address/domain, subject/body of email, extracted URLs or attachments.


Stop Spam-


  • SPF


  • Utilize greylisting or tarpitting. With greylisting your mail transfer agent (MTA) initially rejects the email with a temporary failure. The server then waits a predefined time to see if the sending server resends within that window. If it is resent within the window, it is accepted and forwarded to the destination.
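The decision logic behind greylisting is small enough to show in full. This Python is an added example and not code from any MTA: it keys on the (client IP, sender, recipient) triplet, temp-fails the first attempt, and accepts a retry that arrives inside the window. The minimum delay before a retry counts (retries within seconds are typical of bulk senders, not real MTAs) and the window length are assumptions chosen for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """Toy greylisting policy (added example). The first delivery attempt for a
    (client_ip, sender, recipient) triplet gets a temporary failure; a retry
    that arrives at least min_delay and at most max_wait seconds after the
    first attempt is accepted and the triplet is remembered from then on."""
    min_delay: int = 300        # assumed: 5 minutes, a common default
    max_wait: int = 4 * 3600    # assumed: retry window of 4 hours
    first_seen: dict = field(default_factory=dict)
    known: set = field(default_factory=set)

    def decide(self, client_ip, sender, recipient, now):
        """Return 'ACCEPT' or 'TEMPFAIL' (the SMTP 451 'try again later' answer)."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.known:
            return "ACCEPT"
        t0 = self.first_seen.get(triplet)
        if t0 is None:
            self.first_seen[triplet] = now
            return "TEMPFAIL"                 # never seen: ask the sender to retry
        age = now - t0
        if age < self.min_delay:
            return "TEMPFAIL"                 # retried too quickly to be a patient MTA
        if age > self.max_wait:
            self.first_seen[triplet] = now    # window expired: start over
            return "TEMPFAIL"
        self.known.add(triplet)               # well-behaved retry: remember the triplet
        del self.first_seen[triplet]
        return "ACCEPT"


def simulate():
    """Constructed delivery timeline (times in seconds); returns each decision."""
    g = Greylist()
    legit = ("203.0.113.10", "alice@example.test", "bob@corp.test")
    spam = ("198.51.100.7", "promo@spam.test", "bob@corp.test")
    return {
        "legit-first": g.decide(*legit, now=0),
        "legit-retry": g.decide(*legit, now=600),      # retries after 10 minutes
        "legit-next-day": g.decide(*legit, now=86400), # already known: no delay
        "spam-first": g.decide(*spam, now=5),
        "spam-fast-retry": g.decide(*spam, now=15),    # retries after 10 seconds
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:16} {verdict}")
```

The cost of the scheme is visible in the timeline: the first legitimate message is delayed by however long the sending MTA waits before its retry, which is why known-good triplets are whitelisted after one success.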



OS Analysis


Windows-


Command and Scripting Interpreter Used by Adversaries:

  • Windows CMD
  • PowerShell
  • JavaScript - *Fake Updates: Chrome.Update.0a05c8.zip\Chrome.Update.09246f6.js
  • AutoIT - *c:\users\dewrz\appdata\local\temp\ipx001.tmp\deutsche.exe.pif


MS IR Playbooks:

Is something bogging down the system? CPU/RAM spikes? A spike in traffic leaving the endpoint? Look for strange behavior such as suspicious child processes, calls out to IPs/domains, or odd connections.

  • Procmon
  • Processhacker
  • Sysmon
  • EDR

Get a file hash:

  • Cmd- certutil -hashfile <filename> md5
  • PowerShell- Get-FileHash <filename>


Monitor persistence by checking:

  • Use Autoruns


  • Recently installed services-

Get-WinEvent -FilterHashtable @{logname='system'; id=7045} | format-list


  • Registry run keys-

  1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce


  • scheduled tasks-

schtasks /query /fo list /v

  • Check network connections-

netstat -a


  • Check the start-up folder:

  1. C:\Users\$username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
  2. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp


  • Check *.exe or *.bat added to a system within the last 14 days:

Get-ChildItem -Path "C:\" -File -Recurse -Include "*.exe", "*.bat" | Where-Object {$_.CreationTime -ge (Get-Date).AddDays(-14)}


Log Analysis:


  • Webserver logs: C:\inetpub\logs\LogFiles\W3SVC1

  • Example from CMD-

wevtutil qe Security /q:*/System/EventID=4624 /c:10 /rd:true

*This will display the last 10 successful logons from the security log.

  • Example from PowerShell-

Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4648' -Oldest -MaxEvents 1

*This will show the oldest event where a logon was attempted using explicit credentials from the security log.


Sysmon Event IDs:


1 - Process Creation

2 - Process Changed A File Creation Time

3 - Network Connections

4, 5 - Sysmon Service Changes

6 - Driver Loaded

7 - Image Loaded

8 - CreateRemoteThread

9 - RawAccessRead

10 - ProcessAccess

11 - File Creation Events

12, 13, 14 - Registry Objects

15 - FileCreateStreamHash

16 - Sysmon Config Change

17, 18 - Pipe Events

19, 20, 21 - WMI Events

22 - DNS Events

23 - FileDelete

24 - Clipboard Changes

25 - Process Tampering

26 - File Deletion Detected

https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/


WinEvent IDs:


Account Management-

4720 - A user account was created.

4722 - A user account was enabled.

4724 - An attempt was made to reset an account's password.

4728, 4732, 4756 - Group membership changes.


Authentication-

4776 - The domain controller attempted to validate the credentials for an account.

4771 - Logged on domain controllers only, and only failure instances are logged (Kerberos pre-authentication failed).

4768 - Logged on domain controllers only; both success and failure instances are logged (a Kerberos authentication ticket (TGT) was requested).

4769 - Windows uses this event ID for both successful and failed service ticket requests (a Kerberos service ticket was requested).


Event Log Tampering-

1102 - Whenever Windows Security audit log is cleared, event ID 1102 is logged.

104 - This event is logged when the log file was cleared.


Network-

5140 - A network share object was accessed

5145 - Network share object was checked to see whether client can be granted desired access.


Scheduled Task-

4698 - A scheduled task was created.

4702 - A scheduled task was updated.


Services-

4697 - A service was installed on the system.

7045 - Created when new services are created on the local Windows machine.

7034 - The service terminated unexpectedly.

7036 - A service entered the stopped or running state (e.g., "The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state" or "The Print Spooler service entered the running state").

7040 - The start type of a service was changed (e.g., "The start type of the IPSEC services was changed from disabled to auto start").


Sessions-

4624 - An account was successfully logged on.

4625 - An account failed to log on.

4634, 4647 - User initiated logoff / An account was logged off.

4648 - A logon was attempted using explicit credentials.

4672 - Special privileges assigned to new logon.

https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
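To show how the IDs above combine into something you can act on, here is an added Python example (not from the original notes or any vendor tool). It runs over a constructed list of Security/System events and flags the sequences worth triaging: a burst of 4625 failures from one source followed by a 4624 success, a 4672 privileged logon right after a logon, a 7045/4697 service install, a 4698/4702 scheduled task change, and a 1102/104 log clear. The event fields, the thresholds and the sample data are assumptions; in practice the records would come from Get-WinEvent or your SIEM.

```python
from collections import defaultdict

# Constructed sample events (not real log data): a password-guessing burst from
# 10.0.0.5 that ends in success, a privileged logon, a new service, a log clear,
# and one unrelated benign logon. "time" is seconds from an arbitrary start.
EVENTS = [
    {"time": 0,   "id": 4625, "user": "jdoe",   "src": "10.0.0.5"},
    {"time": 10,  "id": 4625, "user": "jdoe",   "src": "10.0.0.5"},
    {"time": 20,  "id": 4625, "user": "jdoe",   "src": "10.0.0.5"},
    {"time": 30,  "id": 4625, "user": "jdoe",   "src": "10.0.0.5"},
    {"time": 40,  "id": 4625, "user": "jdoe",   "src": "10.0.0.5"},
    {"time": 50,  "id": 4624, "user": "jdoe",   "src": "10.0.0.5"},
    {"time": 51,  "id": 4672, "user": "jdoe"},
    {"time": 120, "id": 7045, "user": "jdoe",   "detail": "UpdaterSvc (constructed name)"},
    {"time": 300, "id": 1102, "user": "jdoe"},
    {"time": 400, "id": 4624, "user": "asmith", "src": "10.0.0.9"},
]


def triage_events(events, threshold=5, window=600):
    """Return (category, description) findings in time order.

    threshold: number of 4625 events from one source, within `window` seconds
    before a 4624 from the same source, that makes the success suspicious.
    Both values are assumptions for the example; tune them to your environment.
    """
    findings = []
    failures = defaultdict(list)   # source IP -> times of 4625 events
    last_logon = {}                # user -> time of the most recent 4624
    for e in sorted(events, key=lambda x: x["time"]):
        eid, t = e["id"], e["time"]
        user, src = e.get("user", "?"), e.get("src", "?")
        if eid == 4625:
            failures[src].append(t)
        elif eid == 4624:
            recent = [x for x in failures[src] if t - x <= window]
            if len(recent) >= threshold:
                findings.append(("password-guessing",
                                 f"{src}: {len(recent)} x 4625 then 4624 as {user} at t={t}"))
            last_logon[user] = t
        elif eid == 4672:
            # 4672 is normal for admins; it matters as context for the logon just before it.
            if user in last_logon and t - last_logon[user] <= 5:
                findings.append(("privileged-logon",
                                 f"{user}: special privileges assigned right after logon at t={t}"))
        elif eid in (4697, 7045):
            findings.append(("service-install",
                             f"{eid}: new service {e.get('detail', '')} by {user} at t={t}"))
        elif eid in (4698, 4702):
            findings.append(("scheduled-task",
                             f"{eid}: scheduled task created/updated by {user} at t={t}"))
        elif eid in (1102, 104):
            findings.append(("log-cleared",
                             f"{eid}: event log cleared by {user} at t={t}"))
    return findings


if __name__ == "__main__":
    for category, text in triage_events(EVENTS):
        print(f"[{category}] {text}")
```

The order of the findings is itself the story: guessing, success, privilege, persistence, then anti-forensics. A single 4672 or 7045 on its own is routine; the same IDs clustered behind a 4625 burst from one source are what the "progress of the attack" question in the Alerts section is asking about.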


Linux:

Users and Group Modification-


Has there been a new user added? Group modified? Password changed?

  • Quickly check users and groups:

  1. cat /etc/passwd
  2. cat /etc/group


  • User added-

grep useradd /var/log/auth.log


  • Password changed-

grep passwd /var/log/auth.log


  • Group changes-

  1. grep groupadd /var/log/auth.log
  2. grep usermod /var/log/auth.log


  • Check brute force or failed password attempts:

grep "Failed password" /var/log/auth.log


  • Check login history:

last


  • Check who has sudo permissions:

cat /etc/sudoers
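The greps above each answer one question; the following Python is an added example (not part of the original notes) that reads a constructed /var/log/auth.log excerpt once and answers all of them: failed passwords counted per source IP, accepted logins, and the useradd, passwd, usermod and groupadd lines that record account changes, with a finding when a user is added to a privileged group. The log lines and the thresholds are made up for the example; the message formats are the ones Debian/Ubuntu sshd, useradd, passwd, usermod and groupadd write.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not from a real host).
AUTH_LOG = """\
Jun  5 09:10:01 host sshd[1234]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jun  5 09:10:03 host sshd[1236]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Jun  5 09:10:05 host sshd[1240]: Failed password for root from 198.51.100.7 port 51240 ssh2
Jun  5 09:10:30 host sshd[1242]: Failed password for jdoe from 10.0.0.5 port 40012 ssh2
Jun  5 09:10:40 host sshd[1250]: Accepted password for jdoe from 10.0.0.5 port 40014 ssh2
Jun  5 09:11:00 host useradd[1301]: new user: name=svc-backup, UID=1001, GID=1001, home=/home/svc-backup, shell=/bin/bash
Jun  5 09:11:05 host passwd[1305]: pam_unix(passwd:chauthtok): password changed for svc-backup
Jun  5 09:11:10 host usermod[1310]: add 'svc-backup' to group 'sudo'
Jun  5 09:11:10 host usermod[1310]: add 'svc-backup' to shadow group 'sudo'
Jun  5 09:12:00 host groupadd[1320]: new group: name=deploy, GID=1002
"""

PATTERNS = {
    "failed":   re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"),
    "accepted": re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port"),
    "useradd":  re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)"),
    "passwd":   re.compile(r"passwd\[\d+\]: .*password changed for (?P<user>\S+)"),
    "usermod":  re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'"),
    "groupadd": re.compile(r"groupadd\[\d+\]: new group: name=(?P<group>[^,]+)"),
}
# Groups that grant root-equivalent access on common distributions (assumption).
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}


def parse_auth_log(text):
    """Split the log into failed-by-source counts, accepted logins and account changes."""
    failed = Counter()
    accepted, changes = [], []
    for line in text.splitlines():
        ts = line[:15]                      # syslog timestamp, e.g. "Jun  5 09:10:01"
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            d = m.groupdict()
            if kind == "failed":
                failed[d["src"]] += 1
            elif kind == "accepted":
                accepted.append((ts, d["user"], d["src"]))
            else:
                changes.append((ts, kind, d))
            break                           # one pattern per line is enough
    return {"failed_by_src": failed, "accepted": accepted, "changes": changes}


def findings(report, failure_threshold=3):
    """Human-readable findings; failure_threshold is an assumption for the example."""
    out = []
    for src, n in report["failed_by_src"].items():
        if n >= failure_threshold:
            out.append(f"{n} failed passwords from {src} (possible brute force)")
    for ts, kind, d in report["changes"]:
        if kind == "useradd":
            out.append(f"{ts}: new user {d['user']}")
        elif kind == "passwd":
            out.append(f"{ts}: password changed for {d['user']}")
        elif kind == "usermod" and d["group"] in ADMIN_GROUPS:
            out.append(f"{ts}: {d['user']} added to privileged group {d['group']}")
        elif kind == "groupadd":
            out.append(f"{ts}: new group {d['group']}")
    return out


if __name__ == "__main__":
    for line in findings(parse_auth_log(AUTH_LOG)):
        print(line)
```

Read the account-change findings together with `last` and /etc/sudoers: a new user that is given sudo minutes after a password-guessing burst from an outside address is the pattern the Users and Group Modification checks exist to catch.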


Mounts-


  • Check mounts:

  1. dmesg | grep mount
  2. cat /proc/mounts
  3. findmnt


Persistence-


  • Open Connection:

  1. lsof -i -P -n
  2. netstat -a

  • Check cron jobs:

cat /etc/crontab


  • Check cron jobs by user:

cat /var/spool/cron/crontabs/*


  • Check cron history:

  1. cat /var/log/syslog | grep cron
  2. journalctl -u cron


  • Check bashrc and profile:

  1. cat ~/.bashrc
  2. cat ~/.bash_profile


  • Hunting suspicious processes and network connections:

  1. netstat -nlap
  2. pstree
  3. lsof -p <pid>
  4. htop


  • Check the authorized ssh keys:

find / -name "authorized_keys"


  • Check for suspicious services:

  1. service --status-all
  2. service <name> status
  3. cat /lib/systemd/system/cron.service
  4. stat /lib/systemd/system/cron.service


Files-


  • Check the /tmp directory.


  • Search for all the files of a user in the /tmp dir:

find /tmp -user <user name>


  • Found a suspicious file?

  1. file <filename>
  2. stat <filename>
  3. strings <filename>


  • Search for files with suspicious extensions:

  1. find / -type f -name "*.<extension>"
  2. find / -type f \( -name "*.sh" -o -name "*.php" -o -name "*.php7" -o -name "*.elf" -o -name "*.js" \)


  • Search for file modification time:

find / -name 'cat.jpg' -newermt "2023-02-15 00:00:00" ! -newermt "2023-02-15 23:59:00"

Search for Web Shells-

  • Search for files that call the system function:

  1. grep -Rn "system *(" /var/www
  2. grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval) *\(" /var/www


Network:

DHCP-

Rogue devices can be discovered by searching for hostnames that do not adhere to the organization's naming conventions, or for MAC OUIs that differ from the company's corporate hardware.

https://ouilookup.com/


HTTP-


Manual http header analysis:


  • Cookie and User Agent key:values can reveal C2 communication/data sent.
  • POST/GET methods sent to an IP address rather than a domain or also directly to the / root folder.


IDOR:


  • "GET /dvwa/get_user_info/?id=1 HTTP/1.1"
  • "GET /dvwa/get_user_info/?id=2 HTTP/1.1"
  • "GET /dvwa/get_user_info/?id=3 HTTP/1.1"


SQL Injection:


  • "GET /dvwa/vulnerabilities/sqli/?id=%27+OR+1%3D1+UNION+SELECT+null%2C+version%28%29+--+-&Submit=Submit HTTP/1.1"


  • Investigate logs for SQLi - cat access.log | grep -iE "%27|--|union|select|from|or|@|version|char|varchar|exec"


XSS (Reflected):


  • "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%281%29%3C%2Fscript%2F HTTP/1.1"
  • "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Elocation.href%3D%27http%3A%2F%2Fmalicioussite.com%27%3C%2Fscript%3E HTTP/1.1"

  • Investigate a log for XSS - cat access.log | grep -iE "alert|script|onerror|cookie|src|document|%3C|%3E"


LFI:


  • "GET /dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd HTTP/1.1"

  • Search for directory traversal - cat access.log | grep -F '../'


Command Injection:


  • "POST /dvwa/vulnerabilities/exec/?q=1.1.1.1;whoami HTTP/1.1"
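The grep one-liners above look for literal substrings, so a payload that arrives URL-encoded (%27, %3C, %2F) is only caught if the encoded form is in the pattern too. The following Python is an added example, not part of the original notes: it parses a constructed access.log in the common log format, URL-decodes each request before matching the SQLi, XSS, LFI and command-injection signatures, and separately detects the IDOR enumeration pattern (one client walking ?id=1, ?id=2, ?id=3 on one path), which no single-line grep can see. The log lines, the signature lists and the enumeration threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlparse, parse_qs

# Constructed access.log sample (not real traffic). The request URIs are the
# DVWA-style examples from the notes above, plus one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Feb/2023:10:01:01 +0000] "GET /dvwa/get_user_info/?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [15/Feb/2023:10:01:02 +0000] "GET /dvwa/get_user_info/?id=2 HTTP/1.1" 200 509
203.0.113.5 - - [15/Feb/2023:10:01:03 +0000] "GET /dvwa/get_user_info/?id=3 HTTP/1.1" 200 498
203.0.113.5 - - [15/Feb/2023:10:02:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+OR+1%3D1+UNION+SELECT+null%2C+version%28%29+--+-&Submit=Submit HTTP/1.1" 200 2048
203.0.113.5 - - [15/Feb/2023:10:03:00 +0000] "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 1800
203.0.113.5 - - [15/Feb/2023:10:04:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd HTTP/1.1" 200 3000
203.0.113.5 - - [15/Feb/2023:10:05:00 +0000] "POST /dvwa/vulnerabilities/exec/?q=1.1.1.1;whoami HTTP/1.1" 200 600
198.51.100.2 - - [15/Feb/2023:10:06:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 4000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Signatures are applied to the URL-decoded request, so encoded and literal
# forms of the same payload are both caught. Lists are illustrative, not complete.
SIGNATURES = {
    "SQLi": re.compile(r"(?i)(\bunion\b[\s/*]+select\b|'\s*(or|and)\b|\bversion\s*\(|\bsleep\s*\()"),
    "XSS":  re.compile(r"(?i)(<script\b|javascript:|on(error|load)\s*=|document\.cookie|location\.href)"),
    "LFI":  re.compile(r"(?i)(\.\./|\.\.\\|/etc/passwd|/proc/self)"),
    "CMDi": re.compile(r"(?i)[;|&`]\s*(whoami|cat|ls|wget|curl|nc|bash|sh|powershell)\b"),
}


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(uri):
    """Signature tags that match the decoded request URI (empty list if clean)."""
    decoded = unquote_plus(uri)
    return [tag for tag, rx in SIGNATURES.items() if rx.search(decoded)]


def idor_enumeration(entries, threshold=3):
    """(ip, path, count) for clients that requested >= threshold distinct numeric
    'id' values on the same path. threshold is an assumption for the example."""
    seen = defaultdict(set)
    for e in entries:
        parsed = urlparse(e["uri"])
        for value in parse_qs(parsed.query).get("id", []):
            if value.isdigit():
                seen[(e["ip"], parsed.path)].add(value)
    return [(ip, path, len(ids)) for (ip, path), ids in seen.items() if len(ids) >= threshold]


def analyze_log(text):
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    hits = [(e["ip"], e["uri"], classify(e["uri"])) for e in entries]
    return {"hits": [h for h in hits if h[2]], "idor": idor_enumeration(entries)}


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    for ip, uri, tags in result["hits"]:
        print(ip, tags, uri)
    for ip, path, n in result["idor"]:
        print(f"{ip} enumerated {n} ids on {path}")
```

Decoding first is the point: `grep "%3C"` and `grep "<script"` each miss half of the XSS attempts, while a decoded match sees both. The trade-off is false positives from ordinary words, which is why the signatures anchor on structure (a quote before OR, a tag bracket before script) rather than bare keywords like "or" or "from".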


ICMP-


ICMP can be used for data exfiltration and can transport 65507 bytes of data.

  • Identify the process related to the ICMP traffic using solutions such as listdlls.exe and Process Hacker.
  • IDS/IPS
  • Zeek


DNS-

Is the DNS request malicious? Is it querying a TLD or a free domain?

Is there a ton of requests from one source IP?

Check the age and reputation of the domain:

How long is the domain? Is there entropy in the name? Is the domain > 72 characters?

*Many CDNs have very long sub/domains


C2 Communication / Data Exfiltration-

DNS Tunneling-

Utilize software solutions like AC Hunter to monitor spikes in DNS queries to a single IP and other beaconing.

Check CNAME and TXT records for nonsense, random, and long subdomains.
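The DNS questions above (volume per source, name length over 72 characters, entropy in the labels, many random subdomains under one domain) can be computed directly from query logs. This Python is an added example, not part of the original notes or of any product: it scores a constructed list of queries with Shannon entropy per label and counts distinct subdomains per (source, parent domain) pair. The query records, the entropy and label-length cut-offs, and the subdomain threshold (set very low so the small sample trips it) are assumptions; the 72-character length check is the one from the notes.

```python
import math
from collections import Counter, defaultdict

# Constructed query records (source IP, queried name, record type); not real traffic.
# 10.0.0.5 makes ordinary lookups, including a long but legitimate-looking CDN name.
# 10.0.0.7 sends TXT queries for random-looking labels under one domain.
QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.5", "cdn-1234.static-assets.example.net", "A"),
    ("10.0.0.7", "q7w3e9r1t5y8u2i4o6p0a3s5d7f9g1h.t.example.org", "TXT"),
    ("10.0.0.7", "z1x2c3v4b5n6m7a8s9d0f1g2h3j4k5l.t.example.org", "TXT"),
    ("10.0.0.7", "p0o9i8u7y6t5r4e3w2q1a2s3d4f5g6h.t.example.org", "TXT"),
    ("10.0.0.7", "l5k4j3h2g1f0d9s8a7q6w5e4r3t2y1u.t.example.org", "TXT"),
    ("10.0.0.7", "x" * 40 + "." + "y" * 40 + ".t.example.org", "TXT"),
]


def shannon_entropy(s):
    """Bits per character: 0 for one repeated character, ~4.6 for a 31-char
    label with 26 distinct characters, and log2(len) at most."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname):
    """Rough registrable domain: the last two labels. Assumption for the example;
    a public-suffix list is needed to handle names like example.co.uk."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def analyze_queries(records, max_len=72, entropy_threshold=3.5, min_label_len=12,
                    subdomain_threshold=5):
    """Return per-source counts plus the long, high-entropy and
    many-subdomain findings. Thresholds are assumptions; tune to your data."""
    per_source = Counter()
    subdomains = defaultdict(set)          # (src, parent domain) -> distinct names
    too_long, high_entropy = [], []
    for src, qname, qtype in records:
        per_source[src] += 1
        subdomains[(src, parent_domain(qname))].add(qname.lower())
        if len(qname) > max_len:
            too_long.append((src, qname, len(qname)))
        for label in qname.split(".")[:-2]:      # skip the parent domain's own labels
            h = shannon_entropy(label)
            if len(label) >= min_label_len and h > entropy_threshold:
                high_entropy.append((src, qname, label, round(h, 2)))
    many = [(src, parent, len(names)) for (src, parent), names in subdomains.items()
            if len(names) >= subdomain_threshold]
    return {"per_source": per_source, "too_long": too_long,
            "high_entropy": high_entropy, "many_subdomains": many}


if __name__ == "__main__":
    r = analyze_queries(QUERIES)
    print("queries per source:", dict(r["per_source"]))
    for src, qname, n in r["too_long"]:
        print(f"long name ({n} chars) from {src}: {qname}")
    for src, qname, label, h in r["high_entropy"]:
        print(f"high-entropy label {label} (H={h}) from {src}")
    for src, parent, n in r["many_subdomains"]:
        print(f"{src} queried {n} distinct names under {parent}")
```

Note the CDN name: it is long and has several labels but low entropy, so it only fires the length check if it passes 72 characters, which is the false positive the "*Many CDNs" caveat above warns about. Entropy and the distinct-subdomain count together separate it from the tunnelling pattern, where each query carries a fresh random label and the count climbs with every beacon.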

Ahmad Irshad Mayaar

B.S. in Computer Science | Security + | CC (ISC2) | Cybersecurity Enthusiast

1 year

Very helpful. Thank you for the share.

Dustin G.

Triage Security Engineer | PJPT (TCM Security) | TryHackMe Top 1% | Immersive Top 1%

1 year

This is a wonderful set of notes. Fantastic job Daniel! Thank you for the share!
