
Santa’s bag full of User Agents

December 20, 2015 in Batch Analysis, Clustering, Compromise Detection, Forensic Analysis, Incident Response, Proxy Logs Analysis

Santa dropped some user agents on the DFIR/RCE community today.

It is similar to other lists shared before.

The list includes over 6K user agents used by samples I sandboxed. There is no guarantee all of them are malicious, so be aware that adding them blindly to some block lists will cause a lot of issues.

If you find any mistakes, please let me know. As mentioned above, this list SHOULD NOT be taken at face value, as there are a lot of ways for it to get contaminated.

Note: the list contains variables (I hope they are self-explanatory :) ):

  • <COMPUTER NAME>
  • <IP>
  • <MAC>
  • <SAMPLE NAME>
  • <USER NAME>
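
Because of those variables, a plain string compare of a list entry against a proxy log will never fire; each placeholder has to become a pattern first. The snippet below is an added example, not code from the original post or from the list's author: it turns entries into anchored regexes, matches them against the user-agent field of proxy log lines, and counts how many internal hosts each entry fired on, which is the check to run before anyone turns the list into a block list. The character classes, the log layout, the three list entries and the log lines are all constructed for the example (the entries are shaped like the list's but are not taken from it).

```python
import re
from collections import defaultdict

# Regex stand-ins for the placeholders in the published list. The sandbox swapped
# machine-specific values for these tokens, so a literal compare of an entry
# against real traffic can never match. The classes are assumptions (NetBIOS-style
# host names, dotted-quad IPv4, colon- or dash-separated MAC).
PLACEHOLDERS = {
    "<COMPUTER NAME>": r"[A-Za-z0-9_.-]{1,15}",
    "<IP>": r"(?:\d{1,3}\.){3}\d{1,3}",
    "<MAC>": r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}",
    "<SAMPLE NAME>": r'[^\s"]+',
    "<USER NAME>": r"[A-Za-z0-9_.-]+",
}
TOKEN = re.compile("(" + "|".join(map(re.escape, PLACEHOLDERS)) + ")")


def ua_to_regex(entry):
    """Compile one list entry into an anchored, case-insensitive regex: placeholders
    become the classes above, every other character is matched literally."""
    parts = TOKEN.split(entry)  # capturing group keeps the tokens in the result
    body = "".join(PLACEHOLDERS.get(p, re.escape(p)) for p in parts)
    return re.compile("^" + body + "$", re.IGNORECASE)


def compile_list(entries):
    return [(e, ua_to_regex(e)) for e in entries]


# Assumed proxy log layout: timestamp client method url status "user agent".
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def match_log(lines, compiled):
    """Return (line_no, list_entry, client, ua) for every line whose UA hits an entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        src, ua = m.group(2), m.group(6)
        for entry, rx in compiled:
            if rx.match(ua):
                hits.append((n, entry, src, ua))
                break
    return hits


def hosts_per_entry(hits):
    """Distinct internal hosts per entry. An entry firing from many hosts is more
    likely a generic UA shared with legitimate software than a compromise
    indicator; review those before blocking anything."""
    seen = defaultdict(set)
    for _, entry, src, _ in hits:
        seen[entry].add(src)
    return {e: len(s) for e, s in seen.items()}


# Constructed list entries (shaped like the real list, not copied from it).
SAMPLE_LIST = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "bot/1.0 (<COMPUTER NAME>; <USER NAME>; <MAC>)",
    "<SAMPLE NAME> from <IP>",
]

# Constructed proxy log lines.
SAMPLE_LOG = [
    '2015-12-20T09:00:01 10.0.0.5 GET http://example.invalid/ 200 "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"',
    '2015-12-20T09:00:02 10.0.0.7 POST http://example.invalid/gate.php 200 "bot/1.0 (WKS-0042; jsmith; 00:1A:2B:3C:4D:5E)"',
    '2015-12-20T09:00:03 10.0.0.9 GET http://example.invalid/ 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '2015-12-20T09:00:04 10.0.0.9 GET http://example.invalid/u 200 "invoice.exe from 10.0.0.9"',
    '2015-12-20T09:00:05 10.0.0.11 GET http://example.invalid/ 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    hits = match_log(SAMPLE_LOG, compile_list(SAMPLE_LIST))
    for n, entry, src, ua in hits:
        print(f"line {n}: {src} matched {entry!r}: {ua}")
    print("hosts per entry:", hosts_per_entry(hits))
```

The first entry is a plain old-browser string and fires from two hosts in the sample; that is exactly the kind of entry the warning above is about, and it is why the prevalence count matters more than the raw match.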

The comprehensive list of IR sources and alerts (work in progress)

December 8, 2015 in Compromise Detection, Incident Response

Having security controls in place is a win only if we can leverage these controls to deliver alerts to us. Once delivered, we can classify them as noise, events, near-misses or incidents, and … take it from there.

In today’s post I am making an attempt to create a comprehensive list of alerts that one can retrieve from the various security controls.

This is work in progress. If you find something stupid or missing please send comments via email/twitter and I will amend the list. Thanks.

Note: these are potential sources of alerts; classification, prioritization, severity, etc. are not in the scope of this list, although I add a lot of examples/hints (all the items that are specifically named).

This is because:

  • you need to know which controls are available first
  • then you need to look at the raw data they collect i.e. take a snapshot and analyze it
  • and only then use logic applicable to your organization to determine how to work this huge amount of data

I also do not mention how these alerts need to be set up – whether it is via SIEM, Splunk or manual analysis – it doesn’t matter. Treat it more as a bunch of ideas to cherry-pick from than an ultimate guideline on how to secure your org. It’s your job after all :-)

Here it goes…

  • Antivirus software
    • this is IMHO still one of the most important security controls to look at
    • if you don’t handle these as a minimum, you are doing it wrong
    • what helps is analysis of all threats ever detected: build a matrix representing the threat taxonomy and then define priorities, f.ex.
      • alerts from C-level, Senior Management, sysadmins, CERT group, internal pentesting team, and other privileged groups
      • rootkits, known infostealers, hacking tools, etc.,
      • plus alerts from drive C: (indicating infection)
        – all of these are top priority
      • PUA/PUP/adware, stuff on removable devices go at the end, but should not be discarded
      • you can create exclusions/filters for eicar, etc.
    • doing analysis of historical data of AV alerts is very useful; you can immediately spot heavy offenders and try to work with their managers to change the employees’ habits, or business process (f.ex. someone bringing CD/USB from the vendor and sticking it into a production box w/o checking for malware)
    • get to know the AV names that your AV vendor uses for threats of primary interest (even though these will often be very inconsistent)
    • recurring infections on the same system
    • same infections on various systems (potential worm, spam campaign/carpet bombing, outbreak of any sort)
    • prioritize systems where malware was detected, but not removed, especially on C: drive
    • do not forget that detected and removed malware is not equal to eradication; imagine a dropper that drops 2 files – one detected and removed by AV, the other an unknown piece happily running on the system
  • EDR software
    • this is an emerging class of alerts; an EDR alert pretty much tells you something is wrong immediately
  • Other HIPS software
  • Whitelisting software
  • Data loss prevention software
  • DNS requests
    • log all of these and keep the history
  • Honeypots
  • Network Intrusion Detection systems
    • ‘First Time Seen’ logic bubbles uncommon events up (any signature seen in the previous day but not seen for the n days prior)
  • Firewall logs
  • DHCP logs
  • Unix logs
    • syslog
    • auth
  • Proxy logs
    • since this is a huge amount of data, review categorization used by vendors; look at all malicious, suspicious traffic
    • do not forget questionable traffic f.ex. porn, warez sites, access to public proxies that may indicate the user wants to bypass controls, etc.
    • also include access to web sites that provide code snippets and programming modules; this is a tough one, especially in a development environment and with the ‘stack overflow’ effect, where people blindly download and execute lots of code snippets
    • traffic related to IMs; many people install unapproved IM clients
    • Tor traffic
    • pay special attention to (often abused) dynamic dns domains (find or build a list; it will never be complete, but it will be worthwhile)
    • pay special attention to “uncategorized” sites if your vendor offers categorization
    • proxy-bypass traffic f.ex. glype
  • Server logs
    • From various servers
      • IIS
      • Apache
      • Nginx
    • Server Web Requests
      • can prioritize file uploads, keywords detected in queries, unusual IPs
      • can whitelist internal pentesting teams boxes, known external vulnerability scanners [external vendors running scans on your systems]
  • Client Web Requests [mainly browser requests, but can be also self-updates, etc.]
    • GET on .exe files (it may sound overwhelming at first, but worth at least analysing it)
    • GET on all archive file types (f.ex. zip, rar, 7z, tar.gz, bzip2, etc.)
    • GET on .pdf files
    • GET on .swf files
    • GET on .jar files
    • GET on .class files
    • Large POST requests (suggesting uploads/exfiltration)
    • Long duration POST requests
    • Large number of requests to the same address
    • Regular, periodic POST requests (f.ex. one per hour) to the same address (beaconing)
    • Requests that end up with HTTP errors (these may help to find new drive-by patterns, phishing campaigns)
    • Unusual User Agents
    • Access to file hosting portals
      • Dropbox
      • Box
      • Google Drive
      • OneDrive
      • Internal / External solutions for sharing data with customers/internally
    • Access to sensitive systems
      • HR
      • Payroll
      • Databases
      • Backups
  • Business-specific systems
    • Ticketing systems
    • Systems within the scope of PCI DSS
    • Systems processing regular data dump exchanges (f.ex. between client and vendor, conversion of data between two different database systems, etc.)
  • Logs from Custom applications
    • May require enabling of logging/debug logs
  • Successful and unsuccessful logon attempts from any system offering logs really
    • SSH
    • VPN
    • (S)FTP
    • Remote access tools
      • RDP
      • pcAnywhere
      • LogMeIn
      • gotomypc
      • TeamViewer
      • vnc (including various clones)
    • Databases
      • MSSQL
      • Oracle
      • etc.
    • Outlook Web Access
    • Employee Support Pages
  • Email server
    • Emails with subjects including commonly used social engineering keywords
      • dhl
      • fedex
      • paypal
    • All URLs extracted from emails
    • Potentially other metadata
  • Domain Controllers/Windows Event Logs
    • AppLocker logs (in a comment I received, the adviser suggested that it is an even better malware detector than AV – provided it is configured properly)
    • Creation of user accounts
    • Adding systems to the domain
    • Creation of services associated with remote execution
      • psexec (psexesvc.exe)
    • Creation of all services (analysis may help to whitelist most)
    • Execution of programs (requires Sysmon to be installed)
    • Successful and Unsuccessful Logons
  • Physical controls
    • any access controls (proximity cards, etc.)
  • Systems used for issuing security tokens
  • Local wi-fi access points
  • Mobile phones
  • Other security controls
    • SCCM
      • Regular ‘sweeps’ for presence of
        • single-character and two-character executable file names (p.exe, cc.exe, etc.)
        • executable files including keywords:
          • crack
          • warez
          • keygen
          • hack
          • porn
        • Tor
          • tor.exe
          • vidalia.exe
        • Portable applications
          • typically used to bypass/hide installation
        • Commonly used command line versions of archivers
          • rar.exe
          • 7z.exe
          • pkzip.exe
          • winrar.exe
        • Commonly used tools for hacking
          • nmap.exe
          • psexec.exe
          • mimikatz.exe
          • pwdump.exe
        • P2P applications
          • utorrent.exe
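
As an added example (not part of the original post), the AV prioritization ideas from the first section turned into a small Python triage script: threat-name keywords, privileged users, the drive letter and "detected but not removed" feed a score, while two groupings surface the recurring offenders (same host, many alerts) and the outbreaks (same threat, many hosts). The keyword lists, the privileged account names and the alert records are constructed for the example; your vendor's naming will differ and the lists need tuning against it.

```python
from collections import Counter, defaultdict

# Threat-name keywords as a starting point for a taxonomy matrix. Vendor naming
# is inconsistent, so tune these against the names your own AV actually emits.
HIGH_KEYWORDS = ("rootkit", "pws", "stealer", "hacktool", "backdoor")
LOW_KEYWORDS = ("pua", "pup", "adware", "not-a-virus")
EXCLUDE_KEYWORDS = ("eicar",)

# Hypothetical privileged accounts (C-level, sysadmins, CERT, pentesters).
PRIVILEGED_USERS = {"ceo", "cfo", "j.admin", "svc-backup"}


def classify(alert):
    """'exclude', 'high', 'low' or 'normal' from the vendor's threat name."""
    name = alert["threat"].lower()
    if any(k in name for k in EXCLUDE_KEYWORDS):
        return "exclude"
    if any(k in name for k in HIGH_KEYWORDS):
        return "high"
    if any(k in name for k in LOW_KEYWORDS):
        return "low"
    return "normal"


def priority(alert, privileged=PRIVILEGED_USERS):
    """0 means drop (test files); otherwise up to 100, higher = work it sooner."""
    cat = classify(alert)
    if cat == "exclude":
        return 0
    score = {"high": 70, "normal": 40, "low": 20}[cat]
    if alert["user"].lower() in privileged:
        score += 20
    if alert["path"].upper().startswith("C:"):
        score += 10   # on the system drive: it landed, this was not just a USB scan
    else:
        score -= 10   # removable media / other volumes: lower, but never discarded
    if alert["action"].lower() != "removed":
        score += 15   # detected but not removed: the file is still on the box
    return min(100, score)


def recurring_hosts(alerts, min_alerts=3):
    """Hosts hit min_alerts+ times: heavy offenders whose habits or business
    process need fixing, not just another cleanup."""
    c = Counter(a["host"] for a in alerts if classify(a) != "exclude")
    return {h: n for h, n in c.items() if n >= min_alerts}


def outbreaks(alerts, min_hosts=3):
    """Same threat name on min_hosts+ distinct hosts: worm / campaign candidate."""
    hosts = defaultdict(set)
    for a in alerts:
        if classify(a) != "exclude":
            hosts[a["threat"]].add(a["host"])
    return {t: sorted(h) for t, h in hosts.items() if len(h) >= min_hosts}


def triage(alerts):
    """Alerts worth a look, highest priority first (test files dropped)."""
    scored = [(priority(a), a) for a in alerts]
    return [a for s, a in sorted(scored, key=lambda x: -x[0]) if s > 0]


# Constructed AV alert records (host, user, vendor threat name, path, action).
SAMPLE_ALERTS = [
    {"host": "WKS-001", "user": "ceo",     "threat": "Trojan.PWS.Generic",   "path": r"C:\Users\ceo\AppData\Local\Temp\inv.exe", "action": "detected"},
    {"host": "WKS-002", "user": "b.jones", "threat": "EICAR-Test-File",      "path": r"C:\test\eicar.com",                      "action": "removed"},
    {"host": "WKS-003", "user": "k.lee",   "threat": "PUA.Toolbar.Generic",  "path": r"E:\setup.exe",                           "action": "removed"},
    {"host": "WKS-004", "user": "m.ross",  "threat": "Worm.Win32.Generic.A", "path": r"C:\Windows\Temp\x.exe",                  "action": "removed"},
    {"host": "WKS-005", "user": "a.chen",  "threat": "Worm.Win32.Generic.A", "path": r"C:\Windows\Temp\x.exe",                  "action": "removed"},
    {"host": "WKS-006", "user": "p.diaz",  "threat": "Worm.Win32.Generic.A", "path": r"C:\Windows\Temp\x.exe",                  "action": "removed"},
    {"host": "WKS-007", "user": "t.kim",   "threat": "Trojan.Generic.001",   "path": r"E:\autorun.exe",                         "action": "removed"},
    {"host": "WKS-007", "user": "t.kim",   "threat": "Trojan.Generic.002",   "path": r"E:\autorun.exe",                         "action": "removed"},
    {"host": "WKS-007", "user": "t.kim",   "threat": "Trojan.Generic.003",   "path": r"E:\autorun.exe",                         "action": "removed"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(priority(a), a["host"], a["user"], a["threat"], a["action"])
    print("recurring:", recurring_hosts(SAMPLE_ALERTS))
    print("outbreaks:", outbreaks(SAMPLE_ALERTS))
```

In the sample the CEO's un-removed infostealer lands on top, the EICAR hit disappears, the PUA on a USB stick stays in the queue at the bottom, WKS-007 shows up as a repeat offender and the same worm name on three hosts is flagged as a possible outbreak.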
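
A second added example (again not from the original post): several of the proxy / client web request ideas above run over a handful of constructed log lines in Python: GETs for the listed file types, large POSTs, the once-an-hour POST beacon to the same address, and the "First Time Seen" logic from the NIDS section, which generalizes from signatures to any field and is applied here to user agents. The log layout, the host names and the IPs are assumptions made for the example.

```python
import os
import re
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Assumed proxy log layout (constructed for this example):
# timestamp client method url status bytes_sent_by_client "user agent"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\w+) (\S+) (\d{3}) (\d+) "([^"]*)"$')

# File types singled out above for GET review (tar.gz ends in .gz).
RISKY_EXT = {".exe", ".zip", ".rar", ".7z", ".gz", ".bz2", ".pdf", ".swf", ".jar", ".class"}


def parse(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, src, method, url, status, sent, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method, "url": url,
            "host": urlsplit(url).hostname, "status": int(status), "bytes": int(sent), "ua": ua}


def load(text):
    return [e for e in map(parse, text.splitlines()) if e]


def risky_downloads(events):
    """GET requests for executables, archives, documents and plug-in content."""
    out = []
    for e in events:
        ext = os.path.splitext(urlsplit(e["url"]).path.lower())[1]
        if e["method"] == "GET" and ext in RISKY_EXT:
            out.append((e["src"], e["url"]))
    return out


def large_posts(events, threshold=1_000_000):
    """POSTs sending at least `threshold` bytes: upload / exfiltration candidates."""
    return [(e["src"], e["host"], e["bytes"]) for e in events
            if e["method"] == "POST" and e["bytes"] >= threshold]


def beacons(events, min_hits=4, max_jitter=0.1):
    """(client, host) pairs that POST at a near-constant interval, e.g. once an hour.
    Jitter is the standard deviation of the gaps relative to their mean; a human
    browsing a site does not produce gaps this regular."""
    times = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            times[(e["src"], e["host"])].append(e["ts"])
    found = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[key] = round(avg)   # period in seconds
    return found


def first_time_seen(events, field, today, lookback_days=30):
    """Values of `field` seen on `today` but on none of the `lookback_days` before it.
    The post describes this for NIDS signatures; the same logic works on any field."""
    today_vals, prior_vals = set(), set()
    for e in events:
        d = e["ts"].date()
        if d == today:
            today_vals.add(e[field])
        elif 0 < (today - d).days <= lookback_days:
            prior_vals.add(e[field])
    return sorted(today_vals - prior_vals)


# Constructed proxy log: normal browsing, an hourly POST beacon, two risky GETs,
# one very large upload.
SAMPLE_LOG = """\
2015-12-01T08:00:00 10.0.0.5 GET http://intranet.example.invalid/news 200 0 "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
2015-12-07T08:00:00 10.0.0.6 GET http://intranet.example.invalid/news 200 0 "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
2015-12-08T09:00:00 10.0.0.5 GET http://intranet.example.invalid/news 200 0 "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
2015-12-08T09:00:12 10.0.0.7 POST http://c2.example.invalid/gate.php 200 312 "Mozilla/4.0 (compatible; MSIE 6.0)"
2015-12-08T10:00:11 10.0.0.7 POST http://c2.example.invalid/gate.php 200 305 "Mozilla/4.0 (compatible; MSIE 6.0)"
2015-12-08T11:00:13 10.0.0.7 POST http://c2.example.invalid/gate.php 200 310 "Mozilla/4.0 (compatible; MSIE 6.0)"
2015-12-08T12:00:10 10.0.0.7 POST http://c2.example.invalid/gate.php 200 308 "Mozilla/4.0 (compatible; MSIE 6.0)"
2015-12-08T12:30:00 10.0.0.8 GET http://dl.example.invalid/setup.exe 200 0 "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
2015-12-08T12:31:00 10.0.0.8 GET http://dl.example.invalid/files.tar.gz 404 0 "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
2015-12-08T13:00:00 10.0.0.9 POST http://share.example.invalid/upload 200 52428800 "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
2015-12-08T13:05:00 10.0.0.9 POST http://share.example.invalid/upload 200 120 "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
"""

if __name__ == "__main__":
    ev = load(SAMPLE_LOG)
    print("risky GETs:", risky_downloads(ev))
    print("large POSTs:", large_posts(ev))
    print("beacons (period s):", beacons(ev))
    print("new UAs today:", first_time_seen(ev, "ua", date(2015, 12, 8)))
```

Two POSTs to the file-sharing host are not enough for the beacon rule (min_hits) and their gaps are irregular anyway, but the 50 MB upload is caught by the size rule; the hourly gate.php POSTs are caught by the jitter rule even though each one is tiny. Thresholds are starting points to tune against your own traffic volume.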

Thank you to everyone who helped to expand this list. Much appreciated!!!