Learning by Practicing - Hack & Detect: Leveraging the Cyber Kill Chain for Practical Hacking and its Detection via Network Forensics by Nik Alleyne
Author: Nik Alleyne [Alleyne, Nik]
Language: eng
Format: azw3
Published: 2018-12-09T16:00:00+00:00
Log Analysis of Compromised Domain Controller
As Nakia was able to gain some intelligence about what happened from the packet analysis, she figures the logs can assist her in being definitive about what transpired. She first queries the logs for port 4444 and port 49212, using these values as her starting point. The following results were then returned.
2/24/18
10:20:36.000 PM
02/24/2018 07:20:36 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=3
EventType=4
Type=Information
ComputerName=DC.securitynik.lab
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Network connection detected (rule: NetworkConnect)
OpCode=Info
RecordNumber=99196
Keywords=None
Message=Network connection detected:
UtcTime: 2018-02-25 03:20:39.863
ProcessGuid: {9B6CFBF5-2AE6-5A92-0000-00102F1B0100}
ProcessId: 1260
Image: C:\Windows\System32\spoolsv.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.0.0.90
SourceHostname: DC.securitynik.lab
SourcePort: 49212
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 10.0.0.102
DestinationHostname:
DestinationPort: 4444
DestinationPortName:
Satisfied that there is evidence of connectivity around 7:20:36 PM, she presses forward. While there are multiple timestamps in the log file, Nakia’s experience tells her 10:20:36.000 PM is the time her log server received the log. However, the timestamp in the log shown as 07:20:36 represents the time the event occurred on the local system, based on its local clock. She knows it is important that she understands and correlates these times and, most importantly, ensures the time is properly synchronized when looking at log events.
Note/Go See It Go Get It!
It is critical when working with devices that produce event logs, or when capturing any data, that the time is properly synchronized across all devices. There are many challenges associated with dealing with time. One of the biggest is using the local clock vs using the Network Time Protocol (NTP). Where possible, you should always use NTP ONLY. Relying on both NTP and local clocks can cause major confusion when correlating your events. Remember, the person with one watch knows the time; the person with multiple watches is never sure what time it is. It is also good to know what timezone the local system’s clock is in, as well as how the times in the logs are stored and how your tools access the times. Being in different timezones adds even further complication, and thus your systems should be configured to log in UTC rather than local time.
I believe that it is best to synchronize your internal devices with your Active Directory Primary Domain Controller Emulator (PDCE). Active Directory, which leverages Kerberos, requires that the time difference between devices be within five minutes. Anything outside of this five-minute window can result in failed authentication, among other errors. Since AD via Kerberos already enforces these restrictions, why not take advantage of its capabilities?
https://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
https://tools.ietf.org/html/rfc4120
https://social.technet.microsoft.com/wiki/contents/articles/50924.active-directory-time-synchronization.aspx
In the interest of time (pun intended), she expands the time window, looking for activities which occurred an hour before and an hour after this event. She knows if she finds more events of interest she can always expand the time window, but it is important that she starts within a reasonable period close to the time she knows the activity or the event of interest occurred. Checking earlier records she sees:
Note:
When performing your cybersecurity investigations, it will more than likely begin with an event of interest (EoI). This EoI would have been triggered on a particular date at a particular time. It could also be the time you are told by your helpdesk or another organization about a potential issue.
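The steps above (pull the Sysmon EventCode 3 record, reconcile the host's local timestamp with Sysmon's UtcTime, then pivot to a one-hour window either side) as an added Python example; this is not code from the book. It assumes the DC's local clock is UTC-8, which the page does not state, and the sample record is a constructed, trimmed copy of the one shown above.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample: the Sysmon EventCode=3 record from the page, trimmed to the fields used here.
SAMPLE_EVENT = r"""
02/24/2018 07:20:36 PM
EventCode=3
Message=Network connection detected:
UtcTime: 2018-02-25 03:20:39.863
Image: C:\Windows\System32\spoolsv.exe
User: NT AUTHORITY\SYSTEM
Initiated: true
SourceIp: 10.0.0.90
SourcePort: 49212
DestinationIp: 10.0.0.102
DestinationPort: 4444
"""

# Assumption: the DC's local clock runs at UTC-8; the page does not name the zone.
LOCAL_TZ = timezone(timedelta(hours=-8))
KERBEROS_MAX_SKEW = timedelta(minutes=5)   # AD/Kerberos default tolerance

def parse_event(text):
    """Split a Splunk-style Sysmon record into a dict; the first line is the host's local time."""
    lines = text.strip().splitlines()
    fields = {"LocalTime": datetime.strptime(lines[0], "%m/%d/%Y %I:%M:%S %p")}
    for line in lines[1:]:
        m = re.match(r"\s*(\w+)[=:]\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def local_as_utc(fields):
    """Host local timestamp re-expressed in UTC so it can be compared with UtcTime."""
    return fields["LocalTime"].replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)

def clock_skew(fields):
    """Sysmon's own UtcTime minus the host clock; a large value means the clocks are not in sync."""
    sysmon_utc = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return sysmon_utc.replace(tzinfo=timezone.utc) - local_as_utc(fields)

def search_window(fields, hours=1):
    """The one-hour-either-side window Nakia pivots to, expressed in UTC."""
    centre = local_as_utc(fields)
    return centre - timedelta(hours=hours), centre + timedelta(hours=hours)

def is_suspicious(fields, watch_ports=(4444,)):
    """Outbound (Initiated: true) connection from the host to a watched port."""
    return (fields.get("EventCode") == "3" and fields.get("Initiated") == "true"
            and int(fields.get("DestinationPort", 0)) in watch_ports)
```

If the skew returned is beyond the five-minute Kerberos tolerance, treat every other timestamp from that host as unreliable until the clocks are reconciled.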