Learning by Practicing - Hack & Detect: Leveraging the Cyber Kill Chain for Practical Hacking and its Detection via Network Forensics by Nik Alleyne

Author: Nik Alleyne [Alleyne, Nik]
Language: eng
Format: azw3
Published: 2018-12-09T16:00:00+00:00


Log Analysis of Compromised Domain Controller

Since the packet analysis already gave Nakia some intelligence about what happened, she expects the logs to let her be definitive about what transpired. She first queries the logs for port 4444 and port 49212, using these values as her starting point. The following results were returned.

2/24/18
10:20:36.000 PM
02/24/2018 07:20:36 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=3
EventType=4
Type=Information
ComputerName=DC.securitynik.lab
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Network connection detected (rule: NetworkConnect)
OpCode=Info
RecordNumber=99196
Keywords=None
Message=Network connection detected:
UtcTime: 2018-02-25 03:20:39.863
ProcessGuid: {9B6CFBF5-2AE6-5A92-0000-00102F1B0100}
ProcessId: 1260
Image: C:\Windows\System32\spoolsv.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.0.0.90
SourceHostname: DC.securitynik.lab
SourcePort: 49212
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 10.0.0.102
DestinationHostname:
DestinationPort: 4444
DestinationPortName:

Satisfied that there is evidence of connectivity around 7:20:36 PM, she presses forward. While there are multiple timestamps in the log record, Nakia’s experience tells her that 10:20:36.000 PM is the time her log server received the log. The timestamp shown as 07:20:36, however, represents the time the event occurred on the local system, according to that system’s own clock. She knows that when looking at log events it is important to understand each timestamp, correlate them correctly and, most importantly, ensure that time is properly synchronized across the systems involved.

Note/Go See It Go Get It!

It is critical when working with devices that produce event logs, or when capturing any data, that time is properly synchronized across all devices. There are many challenges associated with dealing with time. One of the biggest is using the local clock versus using the Network Time Protocol (NTP). Where possible, you should always use NTP ONLY. Relying on both NTP and local clocks can cause major confusion when correlating your events. Remember, the person with one watch knows the time; the person with multiple watches is never sure what time it is. It is also good to know what timezone the local system’s clock is in, how the times in the logs are stored, and how your tools access those times. Systems in different timezones add even further complication, and thus your systems should be configured to log in UTC rather than local time.

I believe that it is best to synchronize your internal devices with your Active Directory Primary Domain Controller Emulator (PDCE). Active Directory, which leverages Kerberos, requires time differences between devices to be within five minutes. Anything outside of this five minutes can result in failed authentication, among other errors. Since AD via Kerberos already enforces these restrictions, why not take advantage of its capabilities?

https://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx

https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

https://tools.ietf.org/html/rfc4120

https://social.technet.microsoft.com/wiki/contents/articles/50924.active-directory-time-synchronization.aspx
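To make the point about the three timestamps and the Kerberos tolerance concrete, here is an added Python example (not from the book or its author) that parses the Sysmon record quoted above, works out each clock’s apparent UTC offset, isolates the residual skew once that offset is removed, and checks the residual against the five-minute tolerance the note cites. The example assumes the Splunk-style rendering shown on the page (two collector header lines, the event’s own local timestamp, key=value fields, then a "Key: value" Message body), treats the first two header lines as the collector’s receipt time, and rounds offsets to a 15-minute grid on the assumption that real timezone offsets fall on it.

```python
"""Reconcile the three clocks visible in one Sysmon EventCode=3 record.

Added example, not from the book: parse the rendering quoted above, infer
each clock's UTC offset, and report the skew that remains after the offset
is removed (the part that indicates genuine clock disagreement or pipeline
delay).
"""
from datetime import datetime, timedelta, timezone

# The record exactly as rendered on the page (raw string so the Windows
# paths keep their backslashes).
RECORD = r"""
2/24/18
10:20:36.000 PM
02/24/2018 07:20:36 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=3
EventType=4
Type=Information
ComputerName=DC.securitynik.lab
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Network connection detected (rule: NetworkConnect)
OpCode=Info
RecordNumber=99196
Keywords=None
Message=Network connection detected:
UtcTime: 2018-02-25 03:20:39.863
ProcessGuid: {9B6CFBF5-2AE6-5A92-0000-00102F1B0100}
ProcessId: 1260
Image: C:\Windows\System32\spoolsv.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.0.0.90
SourceHostname: DC.securitynik.lab
SourcePort: 49212
SourcePortName:
DestinationIsIpv6: false
DestinationIp: 10.0.0.102
DestinationHostname:
DestinationPort: 4444
DestinationPortName:
"""

KERBEROS_MAX_SKEW = timedelta(minutes=5)  # default AD/Kerberos tolerance
OFFSET_GRID = timedelta(minutes=15)       # assumption: tz offsets sit on this grid


def parse_record(text):
    """Split the rendering into header timestamps, key=value fields and the
    'Key: value' pairs of the Sysmon Message body."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    # Assumption: lines 1-2 are the collector's receipt date/time, line 3 is
    # the event's TimeCreated shown in the local zone of the source host.
    header = {"received": f"{lines[0]} {lines[1]}", "created": lines[2]}
    fields, message, in_message = {}, {}, False
    for line in lines[3:]:
        if in_message:
            key, _, value = line.partition(":")   # first colon only, so
            message[key.strip()] = value.strip()  # times/paths survive intact
        else:
            key, _, value = line.partition("=")
            fields[key] = value
            in_message = key == "Message"
    return header, fields, message


def clock_offset(wall_clock, utc_ref):
    """Return (tzinfo, residual) for a naive wall-clock reading taken at about
    the same instant as utc_ref. The whole-grid part of the difference is the
    timezone; whatever is left is clock skew or pipeline delay."""
    raw = wall_clock - utc_ref.replace(tzinfo=None)
    offset = round(raw / OFFSET_GRID) * OFFSET_GRID
    return timezone(offset), raw - offset


def reconcile(text):
    """Normalise every timestamp in the record onto UTC and flag skew."""
    header, fields, message = parse_record(text)
    utc_ref = datetime.strptime(message["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    utc_ref = utc_ref.replace(tzinfo=timezone.utc)
    readings = {
        "created": datetime.strptime(header["created"], "%m/%d/%Y %I:%M:%S %p"),
        "received": datetime.strptime(header["received"], "%m/%d/%y %I:%M:%S.%f %p"),
    }
    report = {
        "host": fields["ComputerName"],
        "utc_time": utc_ref,
        "connection": f"{message['SourceIp']}:{message['SourcePort']} -> "
                      f"{message['DestinationIp']}:{message['DestinationPort']}",
    }
    for name, reading in readings.items():
        tz, skew = clock_offset(reading, utc_ref)
        report[name] = {
            "offset_hours": tz.utcoffset(None) / timedelta(hours=1),
            "skew_seconds": round(abs(skew.total_seconds()), 3),
            "normalized_utc": reading.replace(tzinfo=tz).astimezone(timezone.utc),
            "within_kerberos_tolerance": abs(skew) <= KERBEROS_MAX_SKEW,
        }
    return report


if __name__ == "__main__":
    for key, value in reconcile(RECORD).items():
        print(f"{key:>10}: {value}")
```

Run stand-alone it prints the two inferred offsets and the normalised UTC instants side by side; once both header timestamps are placed on UTC they coincide, and the few seconds that remain against Sysmon’s UtcTime are well inside the Kerberos tolerance, which is exactly the check an analyst wants before trusting cross-system correlation.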

In the interest of time (pun intended), she expands the time window, looking for activities which occurred an hour before and an hour after this event. She knows that if she finds more events of interest she can always expand the window further, but it is important that she starts within a reasonable period close to the time she knows the activity or event of interest occurred. Checking earlier records, she sees:

Note:

Your cybersecurity investigations will more than likely begin with an event of interest (EoI). This EoI would have been triggered on a particular date at a particular time. It could also be the time at which your helpdesk or another organization tells you about a potential issue.
