
The Digital Hunt: Tracking LOTL in Your Network - Part I


It advocates regular system inventory audits to catch adversary behavior that event logs may have missed, whether because logging was inadequately configured or because the activity occurred before logging enhancements were deployed. Organizations are encouraged to enable comprehensive logging for all security-relevant events, including shell activity, system calls, and audit trails, across all platforms, to improve the detection of malicious LOTL activity.
Network Logs
Detecting LOTL techniques through network logs presents unique challenges because network artifacts are transient and malicious activity is hard to distinguish from legitimate behavior. Host artifacts can usually be recovered unless a threat actor deliberately deletes them; network artifacts, by contrast, exist only in the traffic itself and are lost unless logging has been configured to capture them. Network defenders must therefore be proactive in configuring sensors and logs to record the data needed to identify LOTL activity: without the right sensors in place to record network traffic, there is no way to observe LOTL activity from a network perspective.
Indicators of LOTL Activity
Detecting LOTL activity involves looking for a collection of possible indicators that, taken together, characterize the behavior of network traffic.
📌 Reviewing Firewall Logs: Blocked access attempts in firewall logs can signal compromise, especially in a properly segmented network. Network discovery and mapping attempts from within the network can also be indicative of LOTL activity. It is crucial to differentiate between normal network management tool behavior and abnormal traffic patterns.
📌 Investigating Unusual Traffic Patterns: Specific types of traffic should be scrutinized, such as LDAP requests from non-domain-joined Linux hosts, SMB requests across different network segments, or database access requests from user workstations that should only be made by frontend servers. Establishing a baseline noise level helps distinguish legitimate application traffic from malicious requests.
📌 Examining Logs from Network Services on Host Machines: Logs from services like Sysmon and IIS on host machines can provide insights into web server interactions, FTP transactions, and other network activities. These logs can offer valuable context and details that may not be captured by traditional network devices.
📌 Combining Network Traffic Logs with Host-based Logs: This approach allows for the inclusion of additional information such as user account and process details. Discrepancies between the destination and on-network artifacts could indicate malicious traffic.
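As an added illustration of the traffic-pattern checks listed above (not code from the original article), the following Python script scores constructed flow-log lines against three of those indicators, using an assumed asset inventory and a baseline allowlist for expected cross-segment SMB:

```python
import ipaddress
from collections import namedtuple

# Constructed asset inventory (assumed values, not from the article): subnet roles, domain-joined hosts, Linux hosts.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "frontend": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
    "dc": ipaddress.ip_network("10.40.0.0/24"),
}
DOMAIN_JOINED = {"10.10.1.5", "10.20.0.10", "10.40.0.2"}
LINUX_HOSTS = {"10.10.1.9", "10.20.0.10"}
SMB_BASELINE = {("workstations", "dc")}  # baseline noise: SYSVOL/NETLOGON traffic to DCs is expected
Flow = namedtuple("Flow", "src dst dport")

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "unknown")

def parse_flow(line):
    # Constructed firewall/flow-log format: "<timestamp> src=<ip> dst=<ip> dport=<port>"
    kv = dict(field.split("=", 1) for field in line.split()[1:])
    return Flow(kv["src"], kv["dst"], int(kv["dport"]))

def classify(flow):
    """Return the indicators from the article's list that one flow triggers."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    hits = []
    if flow.dport in (389, 636) and flow.src in LINUX_HOSTS and flow.src not in DOMAIN_JOINED:
        hits.append("ldap_from_non_domain_linux")
    if flow.dport == 445 and src_seg != dst_seg and (src_seg, dst_seg) not in SMB_BASELINE:
        hits.append("smb_cross_segment")
    if dst_seg == "db" and flow.dport in (1433, 3306, 5432) and src_seg == "workstations":
        hits.append("db_access_from_workstation")
    return hits

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z src=10.10.1.5 dst=10.40.0.2 dport=445
2024-01-01T10:00:01Z src=10.10.1.9 dst=10.40.0.2 dport=389
2024-01-01T10:00:02Z src=10.10.1.5 dst=10.20.0.10 dport=445
2024-01-01T10:00:03Z src=10.20.0.10 dst=10.30.0.4 dport=5432
2024-01-01T10:00:04Z src=10.10.2.7 dst=10.30.0.4 dport=5432
"""

def scan(log_text):
    """Keep only the log lines that trigger at least one indicator, keyed by line."""
    scored = ((line, classify(parse_flow(line))) for line in log_text.splitlines())
    return {line: hits for line, hits in scored if hits}
```

The first and fourth sample lines (workstation-to-DC SMB and frontend-to-database access) fall inside the baseline and are not reported; the remaining three each match one indicator.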