Our Vision

To give customers the most compelling IT Support experience possible.

Our Mission

Our mission is simple: make technology an asset for your business not a problem.

Our Values

We strive to make technology integrate seamlessly with your business so your business can grow. As your technology partner, when your business grows ours will grow with you, therefore, we will work hand in hand with you to support your growth.

Our Values

We develop relationship that makes a positive difference in our customers Business.

Our Values

We exibit a strong will to win in the marketplace and in every aspect of our Business

SIEM Rules from Event log ID and use cases


 Below are some guidance on rule creation and what event to look for:
Collection - Domain Controller - User Activity - Network Share Accessed
This rule looks for Windows Event ID 5140 which indicates that a network share has been accessed. When on Workstations or Domain controllers, this event can be used to identify access to C$ or Admin$. Common false positives will be IPC$, \Sysvol, \Netlogon.
 
Credential Access - AD - Account Lockout - Service Account
Event ID 4740
 
Defense Evasion - Domain Controller - System Change - Event Logs Cleared
Identifies the deletion of event logs from a windows host or domain controller. This may be performed to destroy evidence of malicious activity on a system.
Event ID 1102
 
Discovery - AD - Account Enumeration - Host
Event ID 4771, 4625,4768
 
Discovery - AD - Kerberoasting
This rule looks for activity on Active Directory indicative of Kerberoasting attacks. Kerberoasting is where an attacker cracks a Kerberos service ticket and rewrites them in order to gain access to a targeted service.
Event ID 4769
 
Execution - Network - Access Attempt - Unicode Domain
Identifies web requests where the website domain contains Unicode characters. Unicode allows the display of foreign characters within the URL bar and can be used to attempt to trick users to go to malicious websites.
URL is : *?xn--.*? Log source : web proxy Server and Firewalls
 
Exfiltration - Email - Auto Forwarding
This rule looks for many emails from a single internal user going to an external email address, indicative of a user forwarding their external mail content to a personal mailbox.
Vendor Msg id is : send , and status is: originating
 
Initial Access - ADFS - Excessive Login Failures
Identifies a large volume of ADFS failures, which may indicate account enumeration, brute-force login activity or a client misconfiguration.
Event ID 1201,1203,1205
 
Initial Access - Remote Access - Login Attempt - Different Geos
Identifies VPN login attempts by the same user across geographically distant locations in a short time period. This may indicate account compromise, especially if the user is not traveling.

 
Lateral Movement - Domain Controller - Login Attempt - Interactive
Identifies a remote interactive login to a domain controller.
Event ID 4624 and Session type is 10,2
 
Persistence - Domain Controller - System Change - Audit Policy Changed
Identifies system audit policy changes on windows hosts. This represents a change to the type of security events logged by the system and may be a pre-attack activity to avoid detection.
Event ID 4719,4905,4912
 
Persistence - Domain Controller - System Change - Domain Policy Changed
Event ID 4739
 
Persistence - Domain Controller - System Change - Multiple Processes Created
Identifies a large number of processes being created in a short time on a monitored windows host. The presence of an abnormal volume of abnormal processes may indicate the host has been compromised or is being misused.
Event ID 4688  Unique value>=10
 
Persistence - Domain Controller - System Change - Scheduled Task
Identifies the creation of new scheduled tasks as well as changes to existing tasks. The creation of new scheduled tasks or the removal of existing ones may be technique to maintain persistence.
Event ID:4698,4699,4700,4701,4702
 
Persistence - Domain Controller - System Change - Service Installed
Identifies the installation of unexpected services on a system. The installation of unexpected services may be an indicator of system compromise or misuse.
Event ID: 7045,4697,601
 
Privilege Escalation - AD - Group Change - Admin
Identifies attempts to change a user's group membership in AD. The high risk associated with delegating certain permissions in AD warrants a high level of scrutiny. For example, the promotion of a domain user to domain admin.
Event ID: 4728,4732,4746,4751,4756,4761
 
Privilege Escalation - ATP - Golden Ticket
This rule looks for Golden Ticket related activity identified by Azure ATP. See here for more details: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=external.
Event ID 2009,2013,2027,2032,2022
 
Hunting the Fileless Malware & Powershell Activities:
Event IDs (4104, 4103, and 4688)
 
  • Event ID 4103 – Module logging – Attackers uses several obfuscated commands and calls self-defined variables and system commands , Hunting these Event ID provides soc operations to record all the obfuscated commands as pipeline execution details under the event ID 4103.It should be enabled to process and get the malicious commands.
  • Event ID 4104 – Powershell Script Block Logging – Captures the entire scripts that are executed by remote machines. For Example Obfuscated scripts that are decoded and executed at the run time.This gives additional visibility on remote command.
  • If an event exceeds the maximum event log message size, script block logging will split the logged events into multiple events and Suspicious commands can be observed at the logging level of “warning”.
 
USE CASE: DNS QUERY Objective: The mission of this hunt is to drill down DNS logs to baseline common domains queried by endpoints in the environment as well as identify potentially infected endpoints by looking for possible DNS tunneling, domain generation algorithm (DGA) domains, and traffic to risky top-level domains (TLDs).
Log Source & Requirements: DNS query logging
Duration: 30 Days

Linux Compromises & Access Tools and Where to Find Them

 Linux compromises 


  • Linux systems are 'occasionally' targeted by actors, especially cryptomining and ransomware crews.
  • This process can be similar to Windows machine compromises but some areas are specific to each flavour
  • The below are a brief overview of the exploitation, protection, detection and remediation processes of Linux operating systems.

Exploitation:
    • Same process as windows devices:
    • Exploit external facing service
    • Establish persistence
    • Collect credentials
    • Move laterally
Protection:
    • Similar to Windows:
    • Patch
    • Including applications
    • Cron job with apt / yum update
    • Limit number of admins with sudo powers
    • Application whitelisting (fapolicyd)
    • ACSC also have a Linux hardening worksheet which could be useful (Hardening Linux Workstations and Servers)


Detection:
    • Utilising Logs
    • Weblogs
    • Exploitation attempts
    • Webshells
    • Commandline logging
    • SSH logs
    • Memory images (which I don’t think is a viable way for continuous detection, for incident response more likely)
    • Use Yara rules to search for malware; Volatility plugin

 

Process data:

    • ps -eaf
    • pstree

 

Get service (cron) data:

    • ls -la /etc/cron*
    • Cron jobs redirecting to "> /dev/null" are worth checking out
Remediation:
    • Change passwords
    • Regenerate keys (e.g. In ssh)
    • Remove added users
    • Clean off malware (webshells, scripts, implants)
    • Remove cron jobs
    • Monitor for reconnection attempts (from known malicious IPs)

 

Fantastic Access Tools
    •   Attackers are increasingly using remote access tools to gain and maintain access to the network, through the utilisation of either:
    • Tools already deployed (and obtaining creds)
    • Deploying own software

Generic detection to help find these tools in your org
    • Event 4688 - process names
    • Event 4697 - service creation event (if tool was installed as a service)
    • Sysmon - process names, DNS lookups / network traffic to known RMT domains
    • Firewall logs - connections classified as app
    • Can also manually check with a host using:
    • Wmic /node:<target> process list

 

Tool brief overviews
  • Recent report: Anomali, ‘ScreenConnect Remote Access Tool Utilizing Ministry of Foreign Affairs-Themed EXEs and URLs’
    • DameWare
    • Requires incoming connection from the internet on various ports
    • Connects to IPv6 local host
    • Shodan.io - product:dameware
    • Dwrcs.exe
    • GoToAssist
    • Generates outgoing HTTP/S traffic - look for logmein or gotoassist
    • Gotoassist.exe
    • ConnectWiseControl / ScreenConnect
    • Generates outgoing HTTP/S traffic
    • Screenconnect.clientservice.exe
    • Commonly used for phishing emails with a URL that deploys ScreenConnect directly
Guidance:
    • Keep an eye out for any remote management/access tools
    • Most of them will probably be "legit". If they are, ensure they:
    • Use MFA
    • Turn on logging
    • Manage the users
    • Turn off processes when not in use

------------------------------------------------------------------------------------------
SDBBot
  • SDBBot is a remote access trojan identified by Proofpoint in 2019. The ACSC issued an alert in November last year about increased sightings in attacks targeting healthcare. It's often used to drop ransomware.
  • Initial infection is usually via ISO or Excel email attachments. It sends C&C traffic over port 443 in a plaintext protocol. 


Prevention:
    • Microsoft's Attack Surface Reduction rules
    • Block ISO attachments and downloads 
    • Block non-HTTPS traffic over port 443


'Lo-Tech OT hacking'
  • A general primer on finding and securing 'human-machine interfaces', or HMIs - i.e. dashboards for SCADA/OT equipment.
  • Common exposed HMIs include HVACs, fridges, etc. 
  • Cool Shodan search: https://www.shodan.io/search?query=screenshot.label%3Aics
  • HMIs are easy to find and access. Targeted industrial sabotage is unlikely; most hackers are bored and poking at low-hanging fruit. 
  • This maps with OTORIO's report about the Israeli reservoir 'hack' in December. They concluded that the attackers likely 'did not possess any deep industrial capabilities or knowledge' and targeted the system solely because it was unprotected. 
  • Note:  we calle attacks on these devices 'annoying' but 'unlikely to be dangerous'. An attendee pointed out that a hacked fridge could be catastrophic for a hospital or pharmacy storing temperature-controlled medications.

  • Recommendation is network scanning and searching Shodan for modbus and dnp3, plus other common HMI ports and protocols. 
 
Teamviewer and remote access security
  • In light of the Florida water incident, they added some points about securing remote access/support tools. Nothing too exciting, just 'figure out what tools are in use at your organization' and 'maybe try to secure them?' 
  • Apparently there will be a more detailed brief on this incident later.

Windows Event log for Detection and Best practice



Event log is an important part of cyber investigation we will look into best practice and some important logs that you should look for detection.

Hackers try to hide their presence for as long as possible. Event ID 104 Event Log was Cleared and event ID 1102 Audit Log was Cleared could indicate a problem. Event ID 4719 System audit policy was changed could also show malicious activity. Application crashes can also indicate the presence of a hacker.

 

Table 1 – Application Crashes

 

ID

Level

Event Log

Event Source

App Error

1000

Error

Application

Application Error

App Hang

1002

Error

Application

Application Hang

BSOD

1001

Error

System

Microsoft-Windows-WER- SystemErrorReporting

WER

1001

Informational

Application

Windows Error Reporting

EMET

1 2

Warning Error

Application Application

EMET


Hackers need access to your systems just like any other user, so it’s worth looking for suspicious login activity. Table 2 shows events that might show a problem. Pass-the-Hash (PtH) is a popular form of attack that allows a hacker to gain access to an account without needing to know the password. Look out for NTLM Logon Type 3 event IDs 4624 (failure) and 4625 (success).

Table 2 – Account Usage

 

ID

Level

Event Log

Event Source

Account Lockouts

4740

Informational

Security

Microsoft-Windows-Security- Auditing

User Added to Privileged Group

4728, 4732, 4756

Informational

Security

Microsoft-Windows-Security- Auditing

Security-Enabled group Modification

4735

Informational

Security

Microsoft-Windows-Security- Auditing

Successful User Account Login

4624

Informational

Security

Microsoft-Windows-Security- Auditing

Failed User Account Login

4625

Informational

Security

Microsoft-Windows-Security- Auditing

Account Login with Explicit Credentials

4648

Informational

Security

Microsoft-Windows-Security- Auditing


High-value assets, like domain controllers, shouldn't be managed using Remote Desktop. Logon Type 10 event IDs 4624 (Logon) and 4634 (Logoff) might point towards malicious RDP activity.

 

 

Best Practices


1.Collect Logs in a Single Place
  • If logs are stored in multiple locations then becomes harder to parse and analyze for any investigation. For example, an organization stores log files of its computers and network in archives for regular inspection of possible threats.
  • If these archives are stored in multiple locations then it is much harder to analyze logs from all locations manually.
 
2.Segment different logs into different files to easily access for researching and reading them
  • This practice means to keep the logs segmented into different categories. For example, keep the Application logs, Security logs, System logs, Network logs in each different segmented archives so that it will be easier to parse through particular logs for threat inspection.

 

3. Regular Log analysis for Potential Threats

  • Organisations should constantly keep tabs on their archived event logs. The routine check helps in identifying undetected short or long-term threats that may harm the data. This check can be done on the weekly or monthly basis. Big corporations which have a large number of collected logs require daily check up to keep their data integrity.

 

4. Archive Logs, Do not Overwrite

  • In Windows OS, the default size of the physical log file is 20 Mb which can be sufficient for a single user.
  • For an organization, the default file size is not enough for log management because the older logs get overwritten by new logs. But this can be overcome by archiving the logs. As the new logs enter the system, the older event logs get archived to a secure location which helps in troubleshooting the system if a problem is encountered.

 

5. Access to limited personnel & accesses should be logged

  • The logs access should be kept limited to authorized personnel only such as the administrator and the log analyst who maintains the integrity of the logs and constantly observe logs for potential threats.

 

6. Regularly upgrade or update log management infrastructure if there is any

  • Log management is not an easy task. It takes the experience with the proper knowledge to manage logs and to find threats that are critical for compromising the system.
  • Most organizations use log management infrastructure and tool which makes it much easier to handle the event logs. The analyst should constantly look for new upgrades and updates of the tool to keep the system safe from new threats and vulnerabilities.

 

7. Use copies of logs for Forensic Investigation

  • Event logs are a great help in a Forensic investigation as each and every event is recorded in the log files.
  • Whenever the investigation is being done using event logs make sure to create multiple copies of the acquired logs for maintaining the integrity of log data. This helps in protecting the original logs.

 

8. Store Multiple Backups

  • Storing multiple backups of logs in a secured place is a great way to protect log data from attackers who can exploit the log infrastructure. If the original log archives are lost or encrypted then backups will help in identifying the root cause of the attack. There are two types of backups:
  • Hot Backup: Backup of most recent logs. (1 to 4 Weeks)
  • Cold Backup: Backup of all logs for a long period of time. (6 to 12 Months)

Insider Threat

 
An Insider can be ANYONE Employee, Contractor, Business Partner, etc. with the right motive and means, and can have a Tactics at their disposal, that will put an organization’s assets at risk. An organization must Think Outside The Box to successfully detect and mitigate the risks posed by Insiders.
 

 
 
Malicious Insiders don’t care about compliance regulations. They just look for security gaps and vulnerabilities within an organization, to achieve their objectives. The impacts from Insider Threat incidents can be very severe, costly and damaging. 
 
Not all incidents by Insiders are malicious. Non-Malicious Insider incidents can be just as damaging as malicious incidents. Given this threat landscape, it is imperative that critical infrastructure entities prioritize and dedicate resources to preempt and/or mitigate insider threat.
 
To help The National Counterintelligence and Security Center (NCSC) issued “Insider Threat Mitigation for U.S. Critical Infrastructure Entities: Guidelines from an Intelligence Perspective. Read on attached document if you interested .  insider threat 
 
Related to this is another whitepaper by Simone (Cy) Genna publish by SANS Title: Information Security Starts with the Employees which you can download from here 
 
 
#cybersecurity #informationsecurity #databreach #datasecurity #intelligence #infrastructure #risk

Commmon Cyber Security Terms

Real life example of Cyber risk response.  This might help you to understand some key concept in cyber world. After all, Cyber Security don't have to be boring, right. Then read on, this might help you smile. 


 

Threat Actors = someone who wants to punch you in the face. 

Threat = the punch being thrown.

Severity = whether you fall down after the punch, and how long it might take for you to stand up again.

Vulnerability = your inability to defend against the punch 

Risk = the likelihood of getting punched in the face  

Acceptable Risk = your willingness to be punched in the face  

Attack Surface = the size and shape of your face 

Impact = broken nose, medical bills, lost time at work
Single loss event = one tooth,
Risk appetite = number of teeth willing to part with,
Compensating control = dentures / Mate who was in the special forces'
Vulnerability Assessment = checking the size and shape of your face
Compliance = how you think this all works until you've been punched in the face
Risk posture = whether you know that talking shit in a pub is likely to get you punched in the face or not.
RTO = how long it takes you to regain consciousness
RPO = how much you forget when you blacked out 

Cyber Risk Insurance = your mates at the pub betting on if you can "talk that kinda shit" and not get punched in the face 

 


Penetration testing / PEN TEST = saying "boo" very loudly to see if you'll protect your face 

Red Team = boxing 

Exploit = the fist 

0day = kick in the groin  

Side channel = your wallet being nicked whilst you are being punched in the face.

APT = a mate who also wants to punch you in the face 

Unhackable = Pissing off professional boxers while bragging about your knowledge of Karate.

Bounty Hunter = someone who promises to wear gloves when they punch you if you promise to pay them based on where they punch you 

Bug Crowd = cage fight organizer.



Security stack /  Blue Team = your mates at the pub with you 

Patch Tuesday = your weekly gym visit

Alert = friend who calls an ambulance.
Investigation
➡️ triage: the EMTs who arrive.
Incident response: the doctors who remediate your punched face.
Digital forensic: documenting your injuries to reconstruct the type of punch in detail.
Threat Intelligence = pointing at a person that has a history of punching people in the face.i e, “Bob’s going to come at you with a right cross” 

Air gap = avoiding the pub by staying at home
DEFCON presentation = all of your friends getting drunk in Las Vegas watching video of you being punched in the face.


Enjoy your day.  credit: it all started from caseyjohnellis @cje twitter account

Thanks  Faysal Hasan  Connect with me in Linked In

Twitter Facebook Favorites More